[dnscap-users] DNSCAP release 1.7.0
jerry at dns-oarc.net
Tue Dec 19 15:50:38 UTC 2017
This release adds IP fragmentation handling by using layers in pcap-thread
which also adds a new flag to output and modules. `DNSCAP_OUTPUT_ISLAYER`
indicates that `pkt_copy` is equal to `payload` since the layers of the
traffic have already been parsed. IP fragments are reassembled with the
`pcap_thread_ext_frag` extension that is included in pcap-thread.
Packages are available at:
New extended (`-o`) options:
- `use_layers`: Use pcap-thread layers to handle the traffic
- `defrag_ipv4`: Enable IPv4 de-fragmentation
- `defrag_ipv6`: Enable IPv6 de-fragmentation
- `max_ipv4_fragments`: Set maximum fragmented IPv4 packets to track
- `max_ipv4_fragments_per_packet`: Set the maximum IPv4 fragments per
- `max_ipv6_fragments`: Set maximum fragmented IPv6 packets to track
- `max_ipv6_fragments_per_packet`: Set the maximum IPv6 fragments per
Currently `-w` does not work with `use_layers` and the plugins `pcapdump`
and `royparse` will discard output with the flag `DNSCAP_OUTPUT_ISLAYER`
because they need access to the original packet.
The `rzkeychange` plugin now encodes certain flag bits in the data that
it reports for RFC8145 key tag signaling. The flags of interest are:
`DO`, `CD`, and `RD`. These are encoded in a bit-mask as a hexadecimal
value before the `_ta` component of the query name.
Other changes and bug-fixes:
- Fix #115: document `-g` output, see `OUTPUT FORMATS` `diagnostic` in
- Add test to match output from non-layers runs with those using layers
- Add test with fragmented DNS queries
- Fix #120: CBOR/CDS compiles again, update tinycbor to v0.4.2
- Fix `ip->ip_len` byte order
- Fix parsing of IP packets with padding or missing parts of payload
0347f74 Add AUTHORS section in man-page
ef1b68c Fix CID 1463073
a404d08 Update pcap-thread to v3.1.0, add test for padding fixes
08402f1 Fix byte order bug. ip->ip_len must be evaluated with ntohs().
d6d2340 CBOR/CDS and formatting
85ec2d8 Fix #87: IP fragmentation reassembly
c35f19f Adding flag bits to rzkeychange RFC8145 key tag signaling data.
This may be useful to find "false" key tag signals from sources
that don't actually perform DNSSEC validation.
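The two IP parsing fixes listed above ("Fix `ip->ip_len` byte order" and "Fix parsing of IP packets with padding or missing parts of payload") can be illustrated with the following added example. It is not code from dnscap or pcap-thread; the names `ipv4_payload_len` and `make_sample` are hypothetical and the sample packets are constructed.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Returns the number of IPv4 payload bytes that are safe to parse, or -1 if
 * the header is malformed. *truncated is set when the capture holds fewer
 * bytes than the header claims (missing parts of payload). */
long ipv4_payload_len(const uint8_t *pkt, size_t caplen, int *truncated)
{
    uint16_t raw_len;
    size_t hdr_len, total_len;
    *truncated = 0;
    if (caplen < 20 || (pkt[0] >> 4) != 4)
        return -1;
    hdr_len = (size_t)(pkt[0] & 0x0f) * 4;      /* IHL counts 32-bit words */
    if (hdr_len < 20 || hdr_len > caplen)
        return -1;
    memcpy(&raw_len, pkt + 2, sizeof(raw_len)); /* total length, network order */
    total_len = ntohs(raw_len); /* unconverted, 40 reads as 10240 on little-endian */
    if (total_len < hdr_len)
        return -1;
    if (total_len > caplen) {                   /* capture is shorter than claimed */
        *truncated = 1;
        total_len = caplen;
    }
    /* caplen > total_len means trailing padding; it is not part of the payload */
    return (long)(total_len - hdr_len);
}

/* Constructed sample: 20-byte header claiming total length 40, then n bytes. */
static size_t make_sample(uint8_t *buf, size_t n)
{
    static const uint8_t hdr[20] = { 0x45, 0, 0x00, 0x28, 0, 0, 0, 0, 64, 17 };
    memcpy(buf, hdr, sizeof(hdr));
    memset(buf + 20, 0xaa, n);
    return 20 + n;
}

int main(void)
{
    uint8_t buf[64];
    int trunc;
    long n = ipv4_payload_len(buf, make_sample(buf, 26), &trunc);
    printf("padded:    payload=%ld truncated=%d\n", n, trunc);
    n = ipv4_payload_len(buf, make_sample(buf, 8), &trunc);
    printf("truncated: payload=%ld truncated=%d\n", n, trunc);
    return 0;
}
```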