[dnscap-users] Release 1.8.0

Jerry Lundström jerry at dns-oarc.net
Wed Feb 7 12:48:20 UTC 2018


Hi all,

This release updates the TCP stream code in order to be able to look
at more than just the first query, for handling already ongoing TCP
connections without having seen SYN/ACK and for reassembly of the TCP
stream prior to parsing it for DNS with an additional layer of parsing
(see `reassemble_tcp_bfbparsedns`).

Updates to the Root Server Scaling Measurement (RSSM) plugin have also
been made to bring it up to date with the RSSAC002v3 specification, be
able to output the YAML format described and an additional script to
merge YAML files if the interval is less than the RSSAC002v3 24-hour
period. See "Updates to the RSSM plugin" below and
`plugins/rssm/README.md`.

  https://www.dns-oarc.net/files/dnscap/dnscap-1.8.0.tar.gz
  5440fecc1a3f98948207e23549afe0c102b45eda5cde2a2b80ed446d88457558

Packages are available at:

  https://dev.dns-oarc.net/packages/

New extended options:
- `parse_ongoing_tcp`: Start tracking TCP connections even if SYN/ACK
  has not been seen
- `allow_reset_tcpstate`: Allow external reset of TCP state
- `reassemble_tcp`: Use to enable TCP stream reassembly
- `reassemble_tcp_faultreset`: Number of faults before resetting TCP
  state when reassembly is enabled
- `reassemble_tcp_bfbparsedns`: Enable an experimental additional layer
  of reassembly that uses `libbind` to parse the payload before accepting
  it. If the DNS is invalid it will move 2 bytes within the payload and
  treat it as a new payload, taking the DNS length again and restarting
  the process. Requires `libbind` and `reassemble_tcp`.
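The scan that `reassemble_tcp_bfbparsedns` describes (read a 2-byte DNS-over-TCP length, try to parse that many bytes as DNS, and on failure slide forward and try again) can be modelled without dnscap itself. The following is an added example, not dnscap's code: it uses a small hand-written DNS header/question check in place of `libbind`'s `ns_initparse()`, builds constructed sample streams that mirror the new tests (first query missing its length, a middle payload missing), and exposes the slide distance as a `step` parameter so the effect of a 2-byte versus 1-byte step on an odd-length gap can be compared. Function and constant names are this example's own.

```python
import struct


def build_dns_query(qname: str, txid: int, qtype: int = 1) -> bytes:
    """Constructed sample: a minimal DNS query (header + one question, IN class)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """DNS over TCP: each message is prefixed with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def parse_dns_message(msg: bytes):
    """Stand-in for libbind's ns_initparse(): header plus question section.

    Returns {"id": txid, "questions": [names]} or None when the bytes are not
    a plausible DNS message. Compression pointers are rejected because a
    question section never needs them.
    """
    if len(msg) < 12:
        return None
    txid, _flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    if qdcount == 0:
        return None
    pos, names = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(msg):
                return None
            n = msg[pos]
            pos += 1
            if n == 0:
                break
            if n >= 64 or pos + n > len(msg):  # label too long / pointer / truncated
                return None
            labels.append(msg[pos:pos + n].decode("ascii", errors="replace"))
            pos += n
        if pos + 4 > len(msg):  # QTYPE + QCLASS must be present
            return None
        pos += 4
        names.append(".".join(labels))
    # A question-only message must be consumed exactly; trailing bytes mean
    # the length prefix did not belong to this message.
    if ancount == nscount == arcount == 0 and pos != len(msg):
        return None
    return {"id": txid, "questions": names}


def scan_tcp_stream(stream: bytes, step: int = 2):
    """Model of the bfbparsedns layer over an already reassembled TCP stream.

    At the current offset read a length, parse that many bytes as DNS and, if
    valid, accept it and continue after it. Otherwise advance `step` bytes
    and read the length again. Returns (messages, bytes_skipped).
    """
    messages, pos, skipped = [], 0, 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        end = pos + 2 + length
        if length >= 12 and end <= len(stream):
            parsed = parse_dns_message(stream[pos + 2:end])
            if parsed is not None:
                messages.append(parsed)
                pos = end
                continue
        pos += step
        skipped += step
    return messages, skipped


# Constructed sample streams mirroring the release's new TCP tests.
Q1 = build_dns_query("dns-oarc.net", 0xA1A1)   # 30 bytes
Q2 = build_dns_query("example.com", 0xB2B2)    # 29 bytes
Q3 = build_dns_query("dns-oarc.net", 0xC3C3)   # 30 bytes
STREAM_COMPLETE = frame(Q1) + frame(Q2)              # two queries, intact
STREAM_NO_FIRST_LENGTH = Q1 + frame(Q2)              # capture began mid-connection
STREAM_MISSING_MIDDLE = frame(Q1) + Q2[10:] + frame(Q3)  # a packet of Q2 was lost

if __name__ == "__main__":
    for name, stream in [("complete", STREAM_COMPLETE),
                         ("no first length", STREAM_NO_FIRST_LENGTH),
                         ("missing middle", STREAM_MISSING_MIDDLE)]:
        for step in (2, 1):
            msgs, skipped = scan_tcp_stream(stream, step=step)
            print(f"{name:16} step={step}: ids={[hex(m['id']) for m in msgs]} skipped={skipped}")
```

With the complete stream both queries are accepted without skipping; with the leading length missing the scanner slides past the 30 bytes of the first query and recovers the second. In the missing-middle stream the surviving fragment of Q2 is 19 bytes long, so a 2-byte step never lands on Q3's length prefix and only Q1 is found, while a 1-byte step recovers Q3 as well; that alignment sensitivity is the practical reason to keep the slide distance small when using a layer like this.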

New extension functions for plugins:
- `DNSCAP_EXT_TCPSTATE_GETCURR`: Function to get a pointer for the
  current TCP state
- `DNSCAP_EXT_TCPSTATE_RESET`: Function to reset a TCP state

New features:
- Parse additional DNS queries in TCP connections
- `-g` and the `txtout` plugin will reset TCP state (if allowed) on
  failure to parse DNS

Bugfixes:
- Fix `-g` output, separate error message with a space
- Fix TCP packets wrongfully flagged as DNS when using layers.
- Fix TCP debug output when using layers, `ia_str()` is not safe to call
  twice in the same `printf` because of local buffer.
- Fix exported extension functions, need to be file local

New tests for:
- Multiple DNS queries in one TCP connection
- Query over TCP without SYN
- Queries over TCP with first query missing length
- Queries over TCP with middle payloads missing
- Add test with TCP stream that is missing multiple packets in the middle

Updates to the RSSM plugin (`plugins/rssm`):
- Add info about saving counts and sources
- Fix memory leak on `fopen()` errors
- Update to RSSAC002v3 specification
- New options:
  - `-D` to disable forking on close
  - `-Y`: Use RSSAC002v3 YAML format when writing counters, the file
    will contain multiple YAML documents, one for each RSSAC002v3 metric.
    Used with `-S` it adds the custom metric `dnscap-rssm-sources` and with
    `-A` it adds `dnscap-rssm-aggregated-sources`
  - `-n`: Set the service name to use in RSSAC002v3 YAML
  - `-S`: Write source IPs into counters file with the prefix `source`
  - `-A`: Write aggregated IPv6(/64) sources into counters file with
    the prefix `aggregated-source`
  - `-a`: Write aggregated IPv6(/64) sources to
    `<name>.<timesec>.<timeusec>`
- Add `dnscap-rssm-rssac002` Perl script for merging RSSAC002v3 YAML files
- Add README.md for the plugin man-page for `dnscap-rssm-rssac002`
- Add test for YAML output and merging of YAML files

c7058c8 Use file local functions for all extensions
66b352d RSSM RSSAC002v3 YAML Tool
b09efc2 `plugins/rssm` RSSAC002v3
709aba6 Fix #89: Add additional reassembly layers that parses the
        payload byte for byte for valid DNS
04fa013 Fix CID 1463944 (again)
b1cf623 RSSM saving data and forking
fb23305 Fix CID 1463944
0fca1a8 Issue #89: TCP stream reassemble
bb6428c CID 1463814: Check `ns_initparse()` for errors
a57066f Fix #88: TCP handling

Cheers,
Jerry

