[dnscap-users] dnscap 1.2.0 dropping packets vs version 20160205?

Paul Vlaar paul at flairlab.nl
Wed Nov 30 08:08:11 UTC 2016


Hi Duane,

On 30/11/16 02:22, Wessels, Duane wrote:
> Nice to hear from you :-)

Thanks :)

> First I used a simple program to just send 1,000,000 DNS queries as
> fast as it could (takes about 2 seconds) from one machine to another
> on the same LAN. These are just identical UDP queries, not real
> traffic. The receiving machine where dnscap runs is RHEL 7.

I'm running all of this on the same Ubuntu 14.04 machine. This is live
traffic for a TLD.

-snip-

> So they are about the same.

Interesting. I'd be keen to know if you get the same result when you
throw actual or recorded traffic at it. I'm now suspecting the new
version may be choking on certain queries.

I can't think of why this query:

[74] 2016-11-29 20:00:59.780750 [#14269
dnscap-20160205.20161129.200000.001788 4095] \
        [removed].42341 [removed].53  \
        dns QUERY,NOERROR,51967 \
        1 tHEFOODWorKS.inFO,IN,A 0 0 \
        1 .,4096,4096,32768,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=1,z=0] \

... wasn't recorded by 1.2.0 and everything else until:

[62] 2016-11-29 20:01:00.405206 [#11270
dnscap-1.2.0.20161129.200000.292235 4095] \
        [removed].43899 [removed].53  \
        dns QUERY,NOERROR,7779 \
        1 nS3.MazUrEK.Info,IN,A 0 0 0

The preceding query that was still recorded by both versions:

[97] 2016-11-29 20:00:59.767635 [#11269
dnscap-1.2.0.20161129.200000.292235 4095] \
        [removed].63684 [removed].53  \
        dns QUERY,NOERROR,43970 \
        1 thecreperiecafe.info,IN,AAAA 0 0 \
        1 .,4096,4096,32768,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=1,z=0] \

... looks very similar to the one that was dropped.

I guess I'll have to do some more digging to figure this one out. I
still think you may need to test this with real traffic in order to
reproduce. And maybe try it on mostly stock Ubuntu 14.04 as well.

For now, I'm resorting to using version 20160205 on all the places where
I'm using dnscap.

	~paul

-- 
Paul Vlaar - FlairLab
Internet engineering, consultancy
Dutch Chamber of Commerce 63553104

