[dsc] DSC with pcap files

Patrick Fedick fedick at denic.de
Tue Jan 10 08:41:40 UTC 2023 

Hello,

I just got aware that you could feed pcap files into the dsc collector instead of running it on the network interface. This would have great advantages for me, so I did a few tests.

I setup a bind nameserver and sent 20000 queries over UDP within 10 seconds to it. One time a dsc collector was running on the interface the traffic came in, the other time I captured the traffic with tcpdump and fed the file afterwards into the collector. I expected identical results.

When running dsc on the network interface I see in the xml result, that it captured 40000 packets, of wich 20000 are incoming and 20000 outgoing.

When running tcpdump, tcpdump tells me, that it captured 40000 packets. When I look into the dump with wireshark, I also see 40000 packets and it looks like pretty normal dns queries and answers, nothing unusual.

But when feeding this into dsc collector, dsc only sees 32811 packets, of which 16405 are incoming and 16404 outgoing.

Why and what gets lost here?

For the tcpdump I used

     tcpdump -w /data/tcpdump/work/data.pcap -i eno12399



The dsc.conf basicaly contains the local_addresses of my nameserver and the definition of the interface:

local_address 194.0.0.53;
local_address 2001:678:2::53;
...
interface /data/tcpdump/work/data.pcap;
#interface eno12399;

everything else is default. The traffic was send to 194.0.0.53 only.


Does anyone have experience with dsc and pcap files?


Best regards,
Patrick Fedick

-- 
Patrick Fedick
DNS Services

DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY

E-Mail: fedick at denic.de
Fon: +49 69 27235-403
Fax: +49 69 27235-239
http://www.denic.de

Angaben nach § 25a Absatz 1 GenG:
DENIC eG (Sitz: Frankfurt am Main)
Vorstand: Thomas Keller, Martin Küchenthal, Andreas Musielak, Sebastian Röthler
Vorsitzender des Aufsichtsrats: Daniel Rink
Eingetragen unter Nr. 770 im Genossenschaftsregister, Amtsgericht Frankfurt am Main

Allgemeiner Hinweis zur Erfüllung unserer Informationspflichten gemäß Art. 13,
Art. 14 DS-GVO: Informationen zur Verarbeitung personenbezogener Daten durch DENIC
finden Sie unter https://www.denic.de/datenverarbeitung-allgemein/

More information about the dsc mailing list