Koh-ichi Ito
kohi****@iri*****
Fri, 30 Apr 2010 15:05:41 JST
Ito here, sorry to be the "please teach me" guy yet again (^^;
It is pretty much a chain-mail setup, but I came across the mail below. Searching www.isc.org turns up nothing, though, and even after fetching the source and looking through doc/ I cannot quite make sense of it... so if anyone has been following this, please tell me what sort of thing it is.
It seems to be something that captures packets with pcap and visualizes them in an easy-to-read form, but...

----- 8< --------------------------------------------------
To: dns-o****@mail*****
Subject: [dns-operations] [edmon****@isc*****: nmsg 0.6.2 released]
From: Robert Edmonds <edmon****@isc*****>
Date: Mon, 26 Apr 2010 21:37:25 -0400
Message-ID: <20100****@mycre*****>
X-BeenThere: dns-o****@lists*****

those that aren't on the nmsg-dev mailing list[0] might be interested in the nmsg 0.6.2 release, which includes a new DNS state tracking module whose format can be bi-directionally converted to and from pcap.

[0] https://lists.isc.org/mailman/listinfo/nmsg-dev

----- Forwarded message from Robert Edmonds <edmon****@isc*****> -----

Date: Mon, 26 Apr 2010 21:29:39 -0400
From: Robert Edmonds <edmon****@isc*****>
To: nmsg-****@lists*****
Subject: nmsg 0.6.2 released

ftp://ftp.isc.org/isc/nmsg/nmsg-0.6.2.tar.gz

changes:

[...]

* new message module: ISC/dnsqr. this message module uses the pkt_to_payload msgmod interface and performs DNS-specific processing. it is also designed to be freely convertible to and from the pcap format.

for TCP and ICMP packets, ISC/dnsqr simply verifies that the packet appears to be DNS-related. for TCP, it checks if the source or destination port is 53. for ICMP, it checks if the ICMP payload contains enough of the original IP and TCP/UDP headers to determine if the payload is DNS-related. DNS TCP and ICMP packets are written verbatim into an ISC/dnsqr message.

for UDP packets, more advanced processing is performed. outgoing queries are cached in a query state table keyed by the tuple of <query IP, response IP, query port, response port, DNS ID>. if a response arrives matching this tuple, the q-tuple of <query name, query type, query class> is compared between the query and response, and if the q-tuple matches as well, the query and response packets will be bound together into a single ISC/dnsqr message and output. the 'type' field is set to UDP_QUERY_RESPONSE. (if a response lacks a question RR, then the rcode is checked against the set of rcodes (FORMERR, SERVFAIL, NOTIMP, REFUSED). if so, the response is considered to match. for any other rcode, the full 9-tuple must match.)

if a response arrives and no matching query is found in the query state table, the response is output as an ISC/dnsqr message of type UDP_UNSOLICITED_RESPONSE. if a query is outstanding for more than 30 seconds, the query is removed from the state table and output as an ISC/dnsqr message of type UDP_UNANSWERED_QUERY. the size of the query state table is also strictly bounded, and overflow will cause the oldest outstanding query to be prematurely expired.

ISC/dnsqr performs its own IP reassembly, but unlike the reassembly performed by ncaptool and the ISC/ncap message module, the original IP fragments are retained in the message. this allows for bi-directional conversion to and from the pcap format. for API programmers, the virtual fields 'query' and 'response' in the ISC/dnsqr message module will return the DNS query and response messages, automatically performing IP reassembly if needed, but the original packets are still available. a virtual field 'dns' is aliased to the 'response' field for compatibility with the ISC/ncap module.

the ISC/dnsqr presentation form (as printed by nmsgtool) includes full dig-style decodes of the query and response messages, if present.

* examples/nmsg-dnsqr2pcap: this utility converts an ISC/dnsqr nmsg savefile into a DLT_RAW pcap savefile.

[...]

----- End forwarded message -----

-- 
Robert Edmonds
edmon****@isc*****

_______________________________________________
dns-operations mailing list
dns-o****@lists*****
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
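As an added illustration (not nmsg's own code, which is written in C), the following Python model reproduces the UDP query/response pairing the announcement describes: the 5-tuple state table, the q-tuple comparison with the no-question error-rcode exception, the 30-second UDP_UNANSWERED_QUERY timeout, and the bounded table that expires the oldest entry on overflow. The packet dictionaries, the documentation addresses, and the tiny table limit are constructed assumptions for the demo.

```python
from collections import OrderedDict

# Constructed example, not nmsg's own code: a model of the ISC/dnsqr UDP query state table.
ERROR_RCODES = {"FORMERR", "SERVFAIL", "NOTIMP", "REFUSED"}  # match without a question RR

class DnsqrTracker:
    def __init__(self, limit=4, timeout=30.0):
        self.limit, self.timeout = limit, timeout  # limit kept tiny here to show overflow
        self.table = OrderedDict()  # (query IP, response IP, qport, rport, DNS ID) -> (ts, pkt)
        self.out = []               # emitted (type, query, response) records

    def _expire_oldest(self):
        _, (_, old) = self.table.popitem(last=False)
        self.out.append(("UDP_UNANSWERED_QUERY", old, None))

    def _expire_timeouts(self, now):
        # Queries outstanding for more than the timeout are emitted as unanswered.
        while self.table and now - next(iter(self.table.values()))[0] > self.timeout:
            self._expire_oldest()

    def query(self, now, pkt):
        self._expire_timeouts(now)
        if len(self.table) >= self.limit:  # bounded table: overflow expires the oldest entry
            self._expire_oldest()
        self.table[(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["id"])] = (now, pkt)

    def response(self, now, pkt):
        self._expire_timeouts(now)
        key = (pkt["dst"], pkt["src"], pkt["dport"], pkt["sport"], pkt["id"])  # query orientation
        entry = self.table.get(key)
        if entry is not None:
            q = entry[1]
            # q-tuple must match too, unless the response has no question RR and an error rcode.
            if pkt["q"] == q["q"] or (pkt["q"] is None and pkt["rcode"] in ERROR_RCODES):
                del self.table[key]
                self.out.append(("UDP_QUERY_RESPONSE", q, pkt))
                return
        self.out.append(("UDP_UNSOLICITED_RESPONSE", None, pkt))

def demo():
    # Constructed packets using documentation addresses; returns the emitted record types.
    t = DnsqrTracker()
    q = {"src": "192.0.2.10", "dst": "198.51.100.1", "sport": 40000, "dport": 53,
         "id": 1, "q": ("example.com.", "A", "IN")}
    r = dict(q, src=q["dst"], dst=q["src"], sport=53, dport=40000, rcode="NOERROR")
    t.query(0.0, q); t.response(0.1, r)                        # matched pair
    t.response(0.2, dict(r, id=9))                             # nothing outstanding for ID 9
    t.query(1.0, dict(q, id=2)); t.query(40.0, dict(q, id=3))  # ID 2 ages out at 40 s
    t.response(40.5, dict(r, id=3, q=None, rcode="SERVFAIL"))  # no question RR, error rcode
    return [kind for kind, _, _ in t.out]
```

Running demo() yields one record of each kind in the order the events occur, with the SERVFAIL response paired to query ID 3 even though it carries no question section.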