Diffstat (limited to '')
191 files changed, 48816 insertions, 0 deletions
diff --git a/.clang-format b/.clang-format
new file mode 100644
index 0000000..1bd4430
--- /dev/null
+++ b/.clang-format
@@ -0,0 +1,6 @@
+BasedOnStyle: webkit
+IndentWidth: 4
+AlignConsecutiveAssignments: true
+AlignConsecutiveDeclarations: true
+AlignOperands: true
+SortIncludes: false
diff --git a/.copr/Makefile b/.copr/Makefile
new file mode 100644
index 0000000..29ed0bc
--- /dev/null
+++ b/.copr/Makefile
@@ -0,0 +1,23 @@
+top=..
+
+all: srpm
+
+prereq: $(top)/rpmbuild
+ rpm -q git rpm-build >/dev/null || dnf -y install git rpm-build
+
+update-dist-tools: $(top)/dist-tools
+ ( cd "$(top)/dist-tools" && git pull )
+
+$(top)/dist-tools:
+ git clone https://github.com/jelu/dist-tools.git "$(top)/dist-tools"
+
+$(top)/rpmbuild:
+ mkdir -p "$(top)"/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
+
+srpm: prereq update-dist-tools
+ test -f .gitmodules && git submodule update --init || true
+ echo "$(spec)" | grep -q "develop.spec" && auto_build_number=`date --utc +%s` message="Auto build `date --utc --iso-8601=seconds`" "$(top)/dist-tools/spec-new-changelog-entry" || true
+ overwrite=yes nosign=yes "$(top)/dist-tools/create-source-packages" rpm
+ cp ../*.orig.tar.gz "$(top)/rpmbuild/SOURCES/"
+ echo "$(spec)" | grep -q "develop.spec" && rpmbuild -bs --define "%_topdir $(top)/rpmbuild" --undefine=dist rpm/*.spec || rpmbuild -bs --define "%_topdir $(top)/rpmbuild" --undefine=dist "$(spec)"
+ cp "$(top)"/rpmbuild/SRPMS/*.src.rpm "$(outdir)"
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000..38cc1c4
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1 @@
+custom: https://www.dns-oarc.net/donate
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..26bcab6
--- /dev/null
+++ b/.gitignore
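Review bot: In `.copr/Makefile` the `$(top)/dist-tools` and `update-dist-tools` rules clone and then `git pull` the default branch of https://github.com/jelu/dist-tools.git, and the `srpm` recipe executes `spec-new-changelog-entry` and `create-source-packages` from that checkout, so every SRPM build runs whatever that external repository holds at build time. Pinning the checkout to a reviewed revision would make the build reproducible and auditable, for example replacing the pull with `( cd "$(top)/dist-tools" && git fetch && git checkout --detach <PINNED_COMMIT> )`, where `<PINNED_COMMIT>` is a placeholder for the audited commit. The `|| true` at the end of the changelog line also hides a failing dist-tools script, so a broken or tampered helper would not stop the build. Separately, `mkdir -p "$(top)"/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}` relies on brace expansion while `SHELL` is left at its default; `SHELL := bash` would make that dependency explicit.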
@@ -0,0 +1,36 @@
+*.o
+*.lo
+*.la
+config.log
+config.status
+stamp-h1
+ar-lib
+config.guess
+config.sub
+libtool
+ltmain.sh
+.deps
+.libs
+Makefile
+Makefile.in
+src/dnscap
+src/dnscap.1
+autom4te.cache
+Makefile.old
+aclocal.m4
+compile
+configure
+depcomp
+install-sh
+missing
+test-driver
+config.h
+config.h.in~
+m4/libtool.m4
+m4/ltoptions.m4
+m4/ltsugar.m4
+m4/ltversion.m4
+m4/lt~obsolete.m4
+build/
+config.h.in
+dnscap-[0-9]*tar*
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..4d2f1bc
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "src/pcap-thread"]
+ path = src/pcap-thread
+ url = https://github.com/DNS-OARC/pcap-thread.git
diff --git a/.lgtm.yml b/.lgtm.yml
new file mode 100644
index 0000000..a1c94c7
--- /dev/null
+++ b/.lgtm.yml
@@ -0,0 +1,26 @@
+extraction:
+ cpp:
+ prepare:
+ packages:
+ - build-essential
+ - automake
+ - autoconf
+ - libtool
+ - pkg-config
+ - libpcap-dev
+ - libldns-dev
+ - libyaml-perl
+ - zlib1g-dev
+ - libssl-dev
+ after_prepare:
+ - git clone https://github.com/DNS-OARC/cryptopANT.git
+ - cd cryptopANT
+ - ./autogen.sh
+ - ./configure --prefix="$PWD/../root"
+ - make
+ - make install
+ - cd ..
+ configure:
+ command:
+ - ./autogen.sh
+ - ./configure --with-extra-cflags="-I $PWD/root/include" --with-extra-ldflags="-L$PWD/root/lib"
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..9b598f2
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,30 @@
+dist: xenial
+addons:
+ apt:
+ sources:
+ - sourceline: 'ppa:dns-oarc/dnscap-pr'
+ update: true
+ packages:
+ - libpcap-dev
+ - libldns-dev
+ - libyaml-perl
+ - zlib1g-dev
+ - libssl-dev
+ - libcryptopant-dev
+language: c
+compiler:
+ - clang
+ - gcc
+install: ./autogen.sh
+script:
+ - ./configure --enable-warn-all
+ - make dist
+ - tar zxvf *.tar.gz
+ - cd dnscap-[0-9]*
+ - mkdir build
+ - cd build
+ - ../configure --enable-warn-all
+ - make
+ - make test
+ - cat src/test/test*.sh.log
+ - cat plugins/*/test*.sh.log
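Review bot: The `after_prepare` steps in `.lgtm.yml` clone https://github.com/DNS-OARC/cryptopANT.git without naming a tag or commit and then run its `autogen.sh`, `configure` and `make install`, so the analysis build compiles against whatever the default branch holds that day. Pinning the clone to a release, e.g. `git clone --branch <RELEASE_TAG> --depth 1 https://github.com/DNS-OARC/cryptopANT.git` with `<RELEASE_TAG>` as a placeholder for the version the project supports, would keep analysis results reproducible and limit exposure to an unexpected upstream change. The `src/pcap-thread` submodule added in `.gitmodules` is already fixed to a commit by git itself, so the same concern does not apply there.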
diff --git a/CBOR_DNS_STREAM.md b/CBOR_DNS_STREAM.md
new file mode 100644
index 0000000..a54dc63
--- /dev/null
+++ b/CBOR_DNS_STREAM.md
@@ -0,0 +1,399 @@
+# CBOR DNS Stream Format version 1 (CDSv1)
+
+This is an experimental format for representing DNS information in CBOR
+with the goals to:
+- Be able to stream the information
+- Support incomplete, broken and/or invalid DNS
+- Have close to no data quality and signature degradation
+- Support additional non-DNS meta data (such as ICMP/TCP attributes)
+
+## Overview
+
+In CBOR you are expected to have one root element, most likely an array or
+map. This format does not have a root element, instead you are expected to
+read one CBOR array element at a time as a stream of CBOR elements with the
+first array element being the stream initiator object.
+
+```
+[stream_init]
+[message]
+...
+[message]
+```
+
+Here are some number on the compression rate compared to PCAP:
+
+Uncompressed | PCAP | CDS | Factor
+-------------|------------|-----------|-------
+client | 458373 | 133640 | 0,2915
+zonalizer | 51769844 | 9450475 | 0,1825
+large ditl | 1003931674 | 298167709 | 0,2970
+small ditl | 1651252 | 603314 | 0,3653
+
+Gzipped | PCAP | CDS | Factor | F/Uncompressed
+-------------|------------|-----------|---------|---------------
+client | 108136 | 45944 | 0,4248 | 0,1002
+zonalizer | 12468329 | 2485620 | 0,1993 | 0,0480
+large ditl | 327227203 | 117569598 | 0,3592 | 0,1171
+small ditl | 539323 | 253402 | 0,4698 | 0,1534
+
+Xzipped | PCAP | CDS | Factor | F/Uncompressed
+-------------|------------|-----------|---------|---------------
+client | 76248 | 36308 | 0,4761 | 0,0792
+zonalizer | 7894356 | 1695920 | 0,2148 | 0,0327
+large ditl | 267031412 | 86747604 | 0,3248 | 0,0864
+small ditl | 442260 | 206596 | 0,4671 | 0,1251
+
+- `client` is a couple of hours of DNS from my workstation
+- `zonalizer` is half a day from [Zonalizer](https://zonalizer.makeinstall.se) which continuously tests gTLDs
+- `large ditl`, `small ditl` are capture from [DITL](https://www.dns-oarc.net/oarc/data/ditl)
+
+## Types
+
+- `int`: A CBOR integer (major type 0x00)
+- `uint`: A CBOR integer (value >= 0, major type 0x00)
+- `nint`: A CBOR negative integer (value < 0, major type 0x00), this type has special meaning see `Negative Integers`
+- `simple`: A CBOR simple value (major type 0xe0)
+- `bytes`: A CBOR byte string (major type 0x40)
+- `string`: A CBOR UTF-8 string (major type 0x60)
+- `any`: Any CBOR value
+- `bool`: A CBOR boolean
+- `rindex`: A CBOR negative integer that is a reverse index, see `Deduplication`
+
+## Special Keywords
+
+- `union`: Can be used to merge the given array or map into the current object
+- `optional`: The attribute or object reference is optional
+
+## Negative Integers
+
+CBOR encodes negative numbers in a special way and this format uses that
+for none negative number to tell them apart.
+
+Because of that, all negative numbers needs special decoding:
+
+```
+value = -value - 1
+```
+
+## Objects
+
+The object code below uses:
+- `[` and `]` to indicate the start and end of an array
+- `type name` per object attribute
+- `name` per object reference
+- `...` to indicate a list of previous definition
+- `(`, `|` and `)` to indicate list of various types that the attribute can be
+
+### stream_init
+
+The initial object in the stream.
+
+```
+[
+ string version,
+ union stream_option option,
+ ...
+]
+```
+
+- `version`: The version of the format
+- `option`: A list of stream option objects
+
+### stream_option
+
+A stream option that can specify critical information about the stream and
+how it should be decoded, see `Stream Options` for more information.
+
+```
+[
+ uint option_type,
+ optional any option_value
+]
+```
+
+- `option_type`: The type of option represented as a number
+- `option_value`: The option value
+
+### message
+
+A message object that describes various DNS packets or other information.
+
+```
+[
+ optional bool is_complete,
+ union timestamp timestamp,
+ simple message_bits,
+ union ip_header ip_header,
+ union ( icmp_message | udp_message | tcp_message | dns_message ) content
+]
+```
+
+- `is_complete`: Will exist and be false if the message is not complete and following attributes may not exists
+- `timestamp`: A timestamp object
+- `message_bits`: Bitmap indicating message content
+ - Bit 0: 0=Not DNS 1=DNS
+ - Bit 1: if DNS: 0=UDP 1=TCP else: 0=ICMP/ICMPv6 1=TCP
+ - Bit 2: Fragmented (0=no 1=yes)
+ - Bit 3: Malformed (0=no 1=yes)
+- `ip_header`: An IP header object
+- `content`: The message content, may be an ICMP, UDP, TCP or DNS message object
+
+### timestamp
+
+The timestamp object of a message.
+
+```
+[
+ ( uint seconds | nint diff_from_last ),
+ optional uint useconds
+ optional uint nseconds
+]
+```
+
+- `seconds`: The seconds of a UNIX timestamp
+- `diff_from_last`: The differentially from last `timestamp.seconds`
+- `useconds`: The microseconds of a UNIX timestamp or if `diff_from_last` is used it will be the differentially from last `timestamp.useconds`
+- `nseconds`: The nanoseconds of a UNIX timestamp or if `diff_from_last` is used it will be the differentially from last `timestamp.nseconds`
+
+### ip_header
+
+The IP header of a message.
+
+```
+[
+ ( uint | nint ) ip_bits,
+ optional bytes src_addr,
+ optional bytes dest_addr,
+ optional ( uint | nint ) src_dest_port
+]
+```
+
+- `ip_bits`: Bitmap indicating IP header content, if the type is `nint` it also indicates that it is a reverse from last, see `Deduplication` for more information
+ - Bit 0: address family (0=AF_INET, 1=AF_INET6)
+ - Bit 1: src_addr present
+ - Bit 2: dest_addr present
+ - Bit 3: port present
+- `src_addr`: The source address with length specifying address family, 4 bytes is IPv4 and 16 is IPv6
+- `dest_addr`: The destination address with length specifying address family, 4 bytes is IPv4 and 16 is IPv6
+- `src_dest_port`: A combined source and destination port, see `Source And Destination Port`
+
+#### Source And Destination Port
+
+The source and destination port are combined into one value. If both source
+and destination exists then the value is larger then 65535, the destination
+will be the high 16 bits and source the low otherwise it will only be the
+source. If the value is negative then only the destination exists.
+
+```
+if value > 0xffff then
+ src_port = value & 0xffff
+ dest_port = value >> 16
+else if value < 0 then
+ dest_port = -value - 1
+else
+ src_port = value
+```
+
+### icmp_message
+
+`if ip_header.ip_bits.1=0 && ip_header.ip_bits.2=0`
+
+```
+[
+ uint type,
+ uint code
+]
+```
+
+- `type`: TODO
+- `code`: TODO
+
+### udp_message
+
+`if ip_header.ip_bits.1=1 && ip_header.ip_bits.2=0`
+
+TODO
+
+### tcp_message
+
+`if ip_header.ip_bits.2=1`
+
+```
+[
+ uint seq_nr,
+ uint ack_nr,
+ uint tcp_bits,
+ uint window
+]
+```
+
+- `seq_nr`: TODO
+- `ack_nr`: TODO
+- `tcp_bits`: TODO
+ - 0: URG
+ - 1: ACK
+ - 2: PSH
+ - 3: RST
+ - 4: SYN
+ - 5: FIN
+- `window`: TODO
+
+### dns_message
+
+A DNS packet.
+
+```
+[
+ optional bool is_complete,
+ uint id,
+ uint raw_dns_header, # TODO
+ optional nint count_bits,
+ optional uint qdcount,
+ optional uint ancount,
+ optional uint nscount,
+ optional uint arcount,
+ optional simple rr_bits,
+ optional [
+ dns_question question,
+ ...
+ ],
+ optional [
+ resource_record answer,
+ ...
+ ],
+ optional [
+ resource_record authority,
+ ...
+ ],
+ optional [
+ resource_record additional,
+ ...
+ ],
+ optional bytes malformed
+]
+```
+
+- `is_complete`: Will exist and be false if the message is not complete and following attributes may not exists
+- `id`: DNS identifier
+- `raw_dns_header`: TODO
+- `count_bits`: Bitmap indicating which counts are present, see `Negative Integers` and `Deduplication`
+ - Bit 0: qdcount present
+ - Bit 1: ancount present
+ - Bit 2: nscount present
+ - Bit 3: arcount present
+- `qdcount`: Number of question records if different from the number of entries in `question`
+- `ancount`: Number of answer resource records if different from the number of entries in `answer`
+- `nscount`: Number of authority resource records if different from the number of entries in `authority`
+- `arcount`: Number of additional resource records if different from the number of entries in `additional`
+- `question`: The question records
+- `answer`: The answer resource records
+- `authority`: The authority resource records
+- `additional`: The additional resource records
+- `malformed`: Holds the bytes of the message that was not parsed
+
+### question
+
+A DNS question record.
+
+```
+[
+ optional bool is_complete,
+ ( bytes | compressed_name | rindex ) qname,
+ optional uint qtype,
+ optional nint qclass
+]
+```
+
+- `is_complete`: Will exist and be false if the message is not complete and following attributes may not exists
+- `qname`: The QNAME as byte string, a name compression object or a reverse index, see `Deduplication`
+- `qtype`: The QTYPE, see `Deduplication`
+- `qclass`: The QCLASS, see `Negative Integers` and `Deduplication`
+
+### compressed_name
+
+An compressed name which has references to other labels within the same message.
+
+```
+[
+ ( bytes label | uint label_index | nint offset | simple extension_bits ),
+ ...
+]
+```
+
+- `label`: A byte string with a label part
+- `label_index`: An index to the N byte string label in the message
+- `offset`: The offset specified in the DNS message which could not be translated into a label index
+- `extension_bits`: The extension bits if not 0b00 or 0b11 # TODO: add the extension bits
+
+### resource_record
+
+A DNS resource record.
+
+```
+[
+ optional bool is_complete,
+ ( bytes | compressed_name | rindex ) name,
+ optional simple rr_bits,
+ optional uint type,
+ optional uint class,
+ optional uint ttl,
+ optional uint rdlength,
+ ( bytes | mixed_rdata ) rdata
+]
+```
+
+- `is_complete`: Will exist and be false if the message is not complete and following attributes may not exists
+- `name`:
+- `rr_bits`: Bitmap indicating what is present, see `Deduplication`
+ - Bit 0: type
+ - Bit 1: class
+ - Bit 2: ttl
+ - Bit 3: rdlength # TODO: reverse index for TTL?
+- `type`: The resource record type
+- `class`: The resource record class
+- `ttl`: The resource record ttl
+- `rdlength`: The resource record rdata length
+- `rdata`: The resource record data
+
+### mixed_rdata
+
+An array mixed with resource data and compressed names.
+
+```
+[
+ ( bytes | compressed_name ) rdata_part,
+ ...
+]
+```
+- `rdata_part`: The parts of the resource records data
+
+## Stream Options
+
+Each option is specified here as OptionName(OptionNumber) and optional
+OptionValue type.
+
+- `RLABELS(0) uint`: Indicates how many labels should be stored in the reverse label index before discarding them
+- `RLABEL_MIN_SIZE(1) uint`: The minimum size a label must be to be put in the reverse label index
+- `RDATA_RINDEX_SIZE(2) uint`: Indicates how many rdata should be stored in the reverse rdata index before discarding them
+- `RDATA_RINDEX_MIN_SIZE(3) uint`: The minimum size a rdata must be to be put in the reverse rdata index
+- `USE_RDATA_INDEX(4)`: If present then the stream uses rdata indexing
+- `RDATA_INDEX_MIN_SIZE(5) uint`: The minimum size a rdata must be to be put in the rdata index
+
+## Deduplication
+
+Deduplication is done in a few different ways, data may be left out to
+indicate that it is the same as the previous value, an index may be used to
+indicate that it is the same as the N previous value and a reverse index
+may be used to indicate that it is the N previous value looking backwards
+across the stream.
+
+In other words, using the index deduplication you will need to build a table
+of the values you come across during the decoding of the stream, this table
+can grow very large.
+
+As an smaller alternative a reverse index can indicate often used data from
+the N previous value looking back over the stream. This type of index also
+reorder itself to try and put the most used data always in the index.
+
+TODO: details of each attribute and it's deduplication
@@ -0,0 +1,796 @@ +2021-02-12 Jerry Lundström + + Release 2.0.0 + + This major release contains three backward incompatible changes, two + new command line options and a completely restructured man-page(!), + please read the change notes carefully before upgrading! + + The first backward incompatible change has to do with the removal of + libbind dependency. This library was causing segfaults on OpenBSD due to + shared (and overwritten) symbols with OpenBSD's libc. + It was replaced with LDNS and LDNS renders domain names as Fully + Qualified Domain Names (FQDN, the trailing dot!) so every output of a + domain name has been changed to a FQDN. + This also changes `-X`/`-x`, which will now match against FQDNs. + + The second backward incompatible change is that `-6` has been removed. + This was used to alter the BPF in order to "fix" it, dnscap adds + specific filters to IP and UDP headers which does not work for IPv6 + traffic. + The generated BPF has been changed to allow IPv6 to always pass, making + the option obsolete. IPv6 filtering is then done in dnscap. 
+ + The last backward incompatible change has to do with the output format + of `-g` related to EDNS0 and is now more consistent with the rest of + the parsable output: + - No more spaces in the output + - Fix incorrect `\` and extra empty new-line + - All EDNS0 options are added after `edns0[...]` using comma separation, example: `edns0[],edns0opt[],...` + - Client Subnet format: `edns0opt[ECS,family=nn,source=nn,scope=nn,addr=...]` + - Unknown/unsupported code: `edns0opt[code=nn,codelen=nn]` + - Parsing error messages have changed, they came from libbind, now comes from LDNS + + New options: + - Add `-q` and `-Q` to filter on matched/not matched QTYPE + + Bugfixes: + - Fix memory leak in EDNS0 ECS address parsing + - `network`: Fix sonarcloud issues, potential `memcpy()` of null pointer + + Other changes: + - Fix CBOR output inclusion, LDNS is always available now + - Add macros for Apple and Windows endian functions + - Restructure and correct the man-page + + 557e5f5 man-page + 025529f v6bug, interval + 37b79e9 FQDN + ebcf434 QTYPE match, args, tests + 0cb5562 v6bug + 75f6115 Endian + aaeb213 Sonarcloud + 8685946 CBOR output + 3e26802 Sonarcloud + 30aa366 libbind + 3f94d0b Mattermost + +2020-10-22 Jerry Lundström + + Release 1.12.0 + + This release fixes the handling of `-?` option for dnscap and all plugins, + previously the handling varied between places and depending on `getopt()` + implementation an invalid option could return the wrong exit code. + + Other changes: + - Fix typo in configure help text + - `plugins/anonmask`: Fix typo in help text + - `plugins/rzkeychange`: + - Add `-D`, dry run mode, for testing + - Fix handling of `-a` and error on too many + + KNOWN ISSUES: + + On OpenBSD the system library libc exports the same symbols as libbind + does and this causes runtime warnings. Until now this has not caused any + known problems but is now also causing segfaults if the packet filter used + (BPF) includes IPv6 addresses. 
+ On all other platforms OARC supports, these symbols are macros and in so + should not cause any problem. + + ee478c0 Known issues + 2f9d957 Tests + 3c663a2 Tests + c88efc5 rzkeychange test + f062f33 Tests + +2020-08-20 Jerry Lundström + + Release 1.11.1 + + This release fixes a lot of issues found by code analysis, adds a + explicit memory zeroing function to remove account information (read + when dropping privileges) and adds code coverage reporting. + + The `dnscap_memzero()` will use `explicit_bzero()` on FreeBSD and + OpenBSD, or `memset_s()` (if supported), otherwise it will manually + set the memory to zero. This will hopefully ensure that the memory + is zeroed as compilers can optimize out `memset()`'s that is just + before `free()`. + + The plugins exit code for the help option `-?` has been changed to 0 + to have the same as `dnscap -?`. + + d9747ee memzero + 1cf17c6 Coverage + 19c7120 Coverage + 7435676 Sonarcloud + 928e181 Sonarcloud + ca4afd0 Sonarcloud + 028f5e0 Badges + db0d6a1 LGTM + +2020-06-01 Jerry Lundström + + Release 1.11.0 + + This release includes a new plugin called `eventlog`, contributed + by Byron Darrah (@ByronDarrah), output DNS activity as log events, + including answers to A and AAAA queries. + + Other changes includes compile warning and code analysis fixes. + + 382eac4 COPR + 4c03650 Compile warn + 21d6a67 Slight change -- wording now matches usage() output. + dd19b0b Added the eventlog.so plugin... + 1ebf504 Added new dnscap plugin: evenlog.so... + f3f9aaa Compile warnings + +2020-03-02 Jerry Lundström + + Release 1.10.4 + + Fixed a bug that would not drop privileges when not specifying any + interface (which is equal to capturing on all interfaces). + Added functionality to set the supplemental groups when dropping + privileges and changing user, or clear them if that is not supported. + Other changes includes corrected man-page about '-w' and update to + documentation. 
+ + a0285e4 drop privileges errors, initgroups/setgroups + 96336f3 daemon: Attempt to drop supplemental groups + 467a9a7 Drop privileges + de940a8 man-page -w + 187ec43 README + +2019-10-02 Jerry Lundström + + Release 1.10.3 + + Fixed plugins inclusion in deb packages for Debian and Ubuntu. + + 017ebb2 Deb packages + cf59143 COPR, spec + +2019-08-05 Jerry Lundström + + Release 1.10.2 + + Fixed bug in the handling of defragmentation configuration which lead + to the use of a local scope variable later on and caused unexpected + behavior. + + 91692b8 Frag conf + 6a74376 Package + d0d1a6d Package + +2019-07-08 Jerry Lundström + + Release 1.10.1 + + Fix various issues found by code analysis tools, a few compiler warnings + removed, undefined bit shift behavior fixed, parameter memory leaks + plugged and documentation updates. + + Fixes: + - `dump_dns`: Remove usage of `strcpy()` and use `snprintf()` instead + of `sprintf()` + - `bpft`: + - Use `text_ptr->len` to store length of generated text + - Use `memcpy()` instead of `strcat()` + - Remove unneeded `realloc()` and `strcpy()` + - `plugins/cryptopan`: Fix strict-aliasing warnings + - `network`: Rework part of `dl_pkt()` to remove usage of `strcpy()` + and use `snprintf()` instead of `sprintf()` + - `plugins/anonaes128`: Use `a6` as dest when copying v4 addresses for + readability and code analysis + - `plugins/cryptopan`: Run first pass separate to eliminate a 32bit + shift by 32 (undefined behavior) + - `plugins/cryptopant`: Fix memory leak of `keyfile` if `-k` is + specified more then once + + Documentation: + - Update `README.md` with correction to building from git and note + about PCAP on OpenBSD + - Fix #190: Update link to `libbind` source + + 074923c Funding + 5d2e84c libbind + 8ee9f2a Travis-CI + 6babd09 Fixes + bb2d1c7 README, compile warnings + 0d9cd9c LGTM, Travis-CI + +2018-12-03 Jerry Lundström + + Release 1.10.0 + + This release adds a new plugin type "filter" and 5 new plugins that can + do 
anonymization, deanonymization and masking of the IP addresses. + + New features: + - Check plugins for `pluginname_type()` which returns `enum plugin_type`, + if missing the plugin is counted as an "output" plugin + - New plugin type "filter" which calls `pluginname_filter()` prior of + outputting any data or calling of "output" plugins, if the new function + returns non-zero then the packet is filtered out (dropped) + - New extension `DNSCAP_EXT_SET_IADDR` that gives access to a function + for setting the from and to IP addresses both in the extracted data + and the wire + + New plugins: + - `anonaes128`: Anonymize IP addresses using AES128 + - `anonmask`: Pseudo-anonymize IP addresses by masking them + - `cryptopan`: Anonymize IP addresses using an extension to Crypto-PAn + (College of Computing, Georgia Tech) made by David Stott (Lucent) + - `cryptopant`: Anonymize IP addresses using cryptopANT, a different + implementation of Crypto-PAn made by the ANT project at USC/ISI + - `ipcrypt`: Anonymize IP addresses using ipcrypt create by + Jean-Philippe Aumasson + + Bugfixes: + - Fix changing `royparse` and `txtout` with other plugins (thanks to + Duane Wessels and Paul Hoffman) + - Free pointers to allocated strings in `text_free()` (thanks to Michał + Kępień) + - Fix IP checksum calculation + + Other changes: + - `-B` and `-E` can be used without `-w` (thanks to Duane Wessels) + - Use `pcap_findalldevs()` instead of `pcap_lookupdev()` (thanks to + Michał Kępień) + - Document and add `-?` option to all plugins + - Fix clang `scan-build` bugs and LGTM alerts + - Use `gmtime_r()` instead of `gmtime()` + - Update `pcap-thread` to v4.0.0 + + 67d8e2c Fix + fb0ed02 Plugin documentation + a2c9a6c cryptopant + 39db1ca Deanonymize, IPv6 test + afc7107 Crypto-PAn, cryptopANT + f1912cc OpenSSL, anonaes128 + f2bab62 ipcrypt, anonmask + 158b1e7 anonmask help + 60ece58 anonmask + 8f1b138 Plugin types, filter plugin, set iaddr extension, anonymization + by masking + b7d7991 IP 
checksum + 641a23a Free pointers to allocated strings in text_free() + 4d313bf pcap_findalldevs() + 091e0ca Use pcap_findalldevs() instead of pcap_lookupdev() + 6a7b25e Clean up use of feature test macros on Linux + cbba14c Configure, uninitialized + f228c9c Code formatting + 3fd738c man-page + 770168a Test + 714e4f5 Fix -B <begin> so that it works when reading offline pcap files. + 8675bea Test + 911fec9 Implementing test9 as a test of -B and -E command line args. + a7cc72d -B <begin> and -E <end> can work fine without -w <base>. + 04c4928 Made the same changes to txtout as were in 165a786 + 165a786 Workaround for stdio mystery causing duplicate royparse output. + +2018-02-28 Jerry Lundström + + Release 1.9.0 + + This release adds a new option to change how the Berkeley Packet Filter + is generated to include the host restrictions for all selections, + previously this restriction would only apply to specific parts. + + Additional tweaks to the RSSM plugin has been made to conform to the + RSSAC002v3 specification. One noticeable change is that the plugin now + requires the DNS to be parsed before counted, any error in the parsing + will result in the message being left out of the statistics. 
+ + Changes: + - Fix spacing in BPF filter to look better + - Fix #146: Add `bpf_hosts_apply_all`, apply any host restriction to all + - `plugin/rssm`: + - Remove quoting of `start-period` and correctly handle empty hashes + - Issue #152, Issue #91: Parse DNS before processing RSSM counters + - `plugin/rssm/dnscap-rssm-rssac002`: Use `YAML::Dump()` for output + + 47d892b Issue #152: RSSM YAML output + d4f1466 Issue #152, Issue #91: Parse DNS before processing RSSM counters + 68fc1ff BPF, `bpf_hosts_apply_all` + +2018-02-07 Jerry Lundström + + Release 1.8.0 + + This release updates the TCP stream code in order to be able to look + at more then just the first query, for handling already ongoing TCP + connections without having seen SYN/ACK and for reassembly of the TCP + stream prior of parsing it for DNS with an additional layer of parsing + (see `reassemble_tcp_bfbparsedns`). + + Updates to the Root Server Scaling Measurement (RSSM) plugin have also + been made to bring it up to date with RSSAC002v3 specification, be + able to output the YAML format described and an additional script to + merge YAML files if the interval is less then the RSSAC002v3 24 hour + period. See "Updates to the RSSM plugin" below and + `plugins/rssm/README.md`. + + New extended options: + - `parse_ongoing_tcp`: Start tracking TCP connections even if SYN/ACK + has not been seen + - `allow_reset_tcpstate`: Allow external reset of TCP state + - `reassemble_tcp`: Use to enable TCP stream reassembly + - `reassemble_tcp_faultreset`: Number of faults before reseting TCP + state when reassembly is enabled + - `reassemble_tcp_bfbparsedns`: Enable an experimental additional layer + of reassemble that uses `libbind` to parse the payload before accepting + it. If the DNS is invalid it will move 2 bytes within the payload and + treat it as a new payload, taking the DNS length again and restart + the process. Requires `libbind` and `reassemble_tcp`. 
+ + New extension functions for plugins: + - `DNSCAP_EXT_TCPSTATE_GETCURR`: Function to get a pointer for the + current TCP state + - `DNSCAP_EXT_TCPSTATE_RESET`: Function to reset a TCP state + + New features: + - Parse additional DNS queries in TCP connections + - `-g` and the `txtout` plugin will reset TCP state (if allowed) on + failure to parse DNS + + Bugfixes: + - Fix `-g` output, separate error message with a space + - Fix TCP packets wrongfully flagged as DNS when using layers. + - Fix TCP debug output when using layers, `ia_str()` is not safe to call + twice in the same `printf` because of local buffer. + - Fix exported extension functions, need to be file local + + New tests for: + - Multiple DNS queries in one TCP connection + - Query over TCP without SYN + - Queries over TCP with first query missing length + - Queries over TCP with middle payloads missing + - Add test with TCP stream that missing multiple packets in the middle + + Updates to the RSSM plugin (`plugins/rssm`): + - Add info about saving counts and sources + - Fix memory leak on `fopen()` errors + - Update to RSSAC002v3 specification + - New options: + - `-D` to disable forking on close + - `-Y`: Use RSSAC002v3 YAML format when writing counters, the file + will contain multiple YAML documents, one for each RSSAC002v3 metric + Used with; -S adds custom metric `dnscap-rssm-sources` and -A adds + `dnscap-rssm-aggregated-sources` + - `-n`: Set the service name to use in RSSAC002v3 YAML + - `-S`: Write source IPs into counters file with the prefix `source` + - `-A`: Write aggregated IPv6(/64) sources into counters file with + the prefix `aggregated-source` + - `-a`: Write aggregated IPv6(/64) sources to + `<name>.<timesec>.<timeusec>` + - Add `dnscap-rssm-rssac002` Perl script for merging RSSAC002v3 YAML files + - Add README.md for the plugin man-page for `dnscap-rssm-rssac002` + - Add test for YAML output and merging of YAML files + + c7058c8 Use file local functions for all extensions + 
66b352d RSSM RSSAC002v3 YAML Tool + b09efc2 `plugins/rssm` RSSAC002v3 + 709aba6 Fix #89: Add additional reassembly layers that parses the + payload byte for byte for valid DNS + 04fa013 Fix CID 1463944 (again) + b1cf623 RSSM saving data and forking + fb23305 Fix CID 1463944 + 0fca1a8 Issue #89: TCP stream reassemble + bb6428c CID 1463814: Check `ns_initparse()` for errors + a57066f Fix #88: TCP handling + +2017-12-27 Jerry Lundström + + Release 1.7.1 + + The library used for parsing DNS (libbind) is unable to parse DNS + messages when there is padding at the end (the UDP/TCP payload is larger + then the DNS message). This has been fixed by trying to find the actual + DNS message size, walking all labels and RR data, and then retry parsing. + + Other changes and bug-fixes: + - Fix size when there is a VLAN to match output of `use_layers` yes/no + - Add test of VLAN matching + - Fix `hashtbl.c` building in `rssm` + - Add test with padded DNS message + + 49e5400 Fix #127: If `ns_initparse()` returns `EMSGSIZE`, try and get + actual size and reparse + 99bda0b Fix #98: VLAN + +2017-12-19 Jerry Lundström + + Release 1.7.0 + + This release adds IP fragmentation handling by using layers in pcap-thread + which also adds a new flag to output and modules. `DNSCAP_OUTPUT_ISLAYER` + indicates that `pkt_copy` is equal to `payload` since the layers of the + traffic have already been parsed. IP fragments are reassembled with the + `pcap_thread_ext_frag` extension that is included in pcap-thread. 
+ + New extended (`-o`) options: + - `use_layers`: Use pcap-thread layers to handle the traffic + - `defrag_ipv4`: Enabled IPv4 de-fragmentation + - `defrag_ipv6`: Enabled IPv6 de-fragmentation + - `max_ipv4_fragments`: Set maximum fragmented IPv4 packets to track + - `max_ipv4_fragments_per_packet`: Set the maximum IPv4 fragments per + tracked packet + - `max_ipv6_fragments`: Set maximum fragmented IPv6 packets to track + - `max_ipv6_fragments_per_packet`: Set the maximum IPv6 fragments per + tracked packet + + Currently `-w` does not work with `use_layers` and the plugins `pcapdump` + and `royparse` will discard output with the flag `DNSCAP_OUTPUT_ISLAYER` + because they need access to the original packet. + + The `rzkeychange` plugin now encodes certain flag bits in the data that + it reports for RFC8145 key tag signaling. The flags of interest are: + `DO`, `CD`, and `RD`. These are encoded in an bit-mask as a hexadecimal + value before the `_ta` component of the query name. + + Other changes and bug-fixes: + - Fix #115: document `-g` output, see `OUTPUT FORMATS` `diagnostic` in + `dnscap(1)` man-page + - Add test to match output from non-layers runs with those using layers + - Add test with fragmented DNS queries + - Fix #120: CBOR/CDS compiles again, update tinycbor to v0.4.2 + - Fix `ip->ip_len` byte order + - Fix parsing of IP packets with padding or missing parts of payload + + 0347f74 Add AUTHORS section in man-page + ef1b68c Fix CID 1463073 + 8a79f89 Layers + a404d08 Update pcap-thread to v3.1.0, add test for padding fixes + 08402f1 Fix byte order bug. ip->ip_len must be evaluated with ntohs(). + d6d2340 CBOR/CDS and formatting + 85ec2d8 Fix #87: IP fragmentation reassembly + 22bfd4a Documentation + c35f19f Adding flag bits to rzkeychange RFC8145 key tag signaling data. + This may be useful to find "false" key tag signals from sources + that don't actually perform DNSSEC validation. 
+
+2017-12-01 Jerry Lundström
+
+ Release 1.6.0
+
+ New additions to the plugins:
+ - `rzkeychange` can now collect RFC8145 key tag signaling. Signals are
+ saved during the collection interval, and then sent to the specified
+ `-k <zone>`, one at a time, at the end of the interval. Only root zone
+ signals are collected. Added by Duane Wessels (@wessels).
+ - `royparse` is a new plugin to splits a PCAP into two streams, queries
+ in PCAP format and responses in ASCII format. Created by Roy Arends
+ (@RoyArends).
+ - `txtout` new option `-s` for short output, only print QTYPE and QNAME
+ for IN records. Added by Paul Hoffman (@paulehoffman)
+ - The extension interface has been extended with `DNSCAP_EXT_IA_STR` to
+ export the `ia_str()` function.
+
+ Bugfixes and other changes:
+ - Remove duplicated hashtbl code
+ - `rssm`: fix bug where count in table was taken out as `uint16_t` but
+ was a `uint64_t`
+ - Handle return values from hashtbl functions
+ - `txtout`: removed unused `-f` options
+ - Change `ia_str()` to use buffers with correct sizes, thanks to
+ @RoyArends for spotting this!
+
+ Commits:
+ 3f78a31 Add copy/author text
+ 1bd914d Fix CID 1462343, 1462344, 1462345
+ f9bb955 Fix `fprintf()` format for message size
+ abedf84 Fix #105: `inet_ntop` buffers
+ bfdcd0d Addresses the suggestions from Jerry.
+ dda0996 royparse :)
+ 4f6520a royparse plugin finished
+ f1aa4f2 Fix #103: Remove `opt_f`
+ 32355b7 Rearrange code to keep the change smaller and fix indentation
+ d6612c1 Added -s to txtout for short output
+ 9d8d1ef Check return of `snprintf()`
+ 55f5aba Format code
+ 9f19ec3 Fixed memory leak in rzkeychange_keytagsignal()
+ 58b8784 Fix memory leaks and better return value checks in
+ rzkeychange_submit_counts()
+ b06659f Add server and node to keytag signal query name
+ 705a866 Always free response packets in rzkeychange plugin.
+ e802843 Implement RFC8145 key tag signal collection in rzkeychange plugin
+ 5fbf6d0 Added extension for ia_str() so it can be used by rzkeychange
+ plugin.
+ 3be8b8f Split `dnscap.c` into more files
+ e431d14 Fix #92: hashtbl
+
+2017-08-21 Jerry Lundström
+
+ Release 1.5.1
+
+ Compatibility fixes for FreeBSD 11.1+ which is now packing `struct ip`
+ and for OpenBSD.
+
+ Commits:
+ 17e3c92 FreeBSD is packing `struct ip`, need to `memcpy()`
+ f8add66 Code formatting
+ 38cd585 Add documentation about libbind
+ d1dd55b Fix #82: Update dependencies for OpenBSD
+
+2017-06-06 Jerry Lundström
+
+ Release 1.5.0
+
+ Added support for writing gzipped PCAP if the `-W` suffix ends with
+ `.gz` and made `-X` work without `-x`. New inteface for plugins to
+ tell them what extensions are available and a new plugin `rzkeychange`.
+
+ Plugin extensions:
+ - Call `plugin_extension(ext, arg)` to tell plugin what extensions exists
+ - Add extension for checking responder (`is_responder()`)
+
+ The rzkeychange plugin was developed by Duane Wessels 2016 in support
+ of the root zone ZSK size increase. It is also being used in support of
+ the 2017 root KSK rollover and collects the following measurements:
+ - total number of responses sent
+ - number of responses with TC bit set
+ - number of responses over TCP
+ - number of DNSKEY responses
+ - number of ICMP_UNREACH_NEEDFRAG messages received
+ - number of ICMP_TIMXCEED_INTRANS messages received
+ - number of ICMP_TIMXCEED_REASS messages received
+
+ Other fixes (author Duane Wessels):
+ - 232cbd0: Correct comment description for meaning of IPPROTO_AH
+ - 181eaa4: Add #include <sys/time.h> for struct timeval on NetBSD
+
+ Commits:
+
+ 1d894e2 Make -x and -X work correctly together and update man-page
+ 34bc54c Make the -X option work without requiring a -x option.
+ f43222e Fix CID 1440488, 1440489, 1440490
+ aa54395 Update pcap-thread to v2.1.3
+ 81174ce Prepare SPEC for OSB/COPR
+ 21d7468 New plugin rzkeychange and plugin extensions
+ 38491a3 Config header is generated by autotools
+ 419a8ab Small tweaks and fixes for gzip support
+ 1967abc updated for earlier BSD versions
+ f135c90 added auto gzip if the -W suffix ends with .gz
+
+ Commits during development of rzkeychange (author Duane Wessels):
+ - 620828d: Add rzkeychange -z option to specify resolver IP addresses
+ - 1f77987: Add -p and -t options to rzkeychange plugin to configure an
+ alternate port and TCP. Useful for ssh tunnels.
+ - 2a571f1: Split ICMP time exceeded counter into two counters for time
+ exceeded due to TTL and another due to fragmentation
+ - e4ee2d3: The rzkeychange data collection plugin uses
+ `DNSCAP_EXT_IS_RESPONDER` extension to know if an IP address is a
+ "responder" or not, because when dnscap is instructed to collect ICMP
+ with -I, it processes all ICMP packets, not just those limited to
+ responders (or initiators).
+ - cee16b8: Add ICMP Time Exceeded to counters
+ - ad8a227: Counting source IPs has performance impacts. #ifdef'd out for
+ now add ICMP "frag needed" counts
+ - c25e72b: Implemented DNS queries with ldns. First there will be some
+ test queries to ensure the zone is reachable and configured to receive
+ data. Then a query naming the fields, followed by the periodic queries
+ delivering counts.
+ - fd23be7: Make report zone, server, node command line argumements mandatory
+ - 137789b: Adding rzkeychange plugin files
+
+2017-03-29 Jerry Lundström
+
+ Release 1.4.1
+
+ Fixed an issue that when compiled with libpcap that had a specific
+ feature enabled it would result in a runtime error which could not be
+ worked around.
+
+ Also fixed various compatibility issues and updated dependency
+ documentation for CentOS.
+
+ Commits:
+
+ 785d4c4 Fix compiler warnings
+ 2d4df8d Fix #65: Update pcap-thread to v2.1.2
+ 26d3fbc Fix #64: Add missing dependency
+ 55e6741 Update pcap-thread to v2.1.1, fix issue with libpcap timestamp
+ type
+ c6fdb7a Fix typo and remove unused variables
+
+2017-02-27 Jerry Lundström
+
+ Release 1.4.0
+
+ Until it can be confirmed that the threaded code works as well as the
+ non-threaded code it has been made optional and requires a configuration
+ option to enable it during compilation.
+
+ New extended option:
+ - `-o pcap_buffer_size=<bytes>` can be used to increase the capture
+ buffer within pcap-thread/libpcap, this can help mitigate dropped
+ packets by the kernel during breaks (like when closing dump file).
+
+ Commits:
+
+ 1c6fbb2 Update copyright year
+ 63ef665 Suppress OpenBSD warnings about symbols
+ 2c99946 pcap-thread v2.0.0, disable threads, errors handling
+ 4cade97 Fix #56: Update pcap-thread to v1.2.2 and add test
+
+2016-12-23 Jerry Lundström
+
+ Release 1.3.0
+
+ Rare lockup has been fixed that could happen if a signal was received
+ in the wrong thread at the wrong time due to `pcap_thread_stop()`
+ canceling and waiting on threads to join again. The handling of signals
+ have been improved for threaded and non-threaded operations.
+
+ New features:
+ - Experimental CBOR DNS Stream format output, see `CBOR_DNS_STREAM.md`
+ - Extended options to specify user and group to use when dropping
+ privileges, see EXTENDED OPTIONS in man-page
+
+ Commits:
+
+ a5fa14e Signal and threads
+ 3868104 Use old style C comments
+ 7946be5 Clarify building
+ d5463b4 RPM spec and various automake fixes
+ df206bf Resource data indexing and documentation
+ 0e2d0fe Fix #22, fix #43: Update README
+ 5921d73 Add stream option RLABELS and RLABEL_MIN_SIZE
+ 6dd6ec1 Implement experimental CBOR DNS Stream Format
+ 4baf695 Fix #37: Extended options to specifty user/group to use when
+ dropping privileges
+ 61d830a Fix #35: Use `AC_HEADER_TIME` and fix warning
+
+2016-10-27 Jerry Lundström
+
+ Release 1.2.0
+
+ Update `pcap-thread` to v1.2.0 to get the new callback queue mode which
+ puts that mode into using pthread conditions if all pcaps are offline and
+ keeps us from losing packets.
+
+ Use `pcap_thread_dropback()` callback to get the notification when a
+ packet was dropped because the queue was full, indicating that we can't
+ process all the packets. Added this stats to the `-S` output as total
+ and per interface as `ptdrop`. Changed the output for each interface
+ to not cut of information, for example interface name was cut to
+ 4 characters.
+
+ Other changes:
+
+ - Add extended options `-o <option>=<value>` because we are running out
+ of short options.
+ - Better handling of library checks and automake rules
+ - New option `-F <format>` to specify the format of the output in `-w`
+ - Add experimental CBOR output support
+ - LDNS is used to parse the packets
+ - Tinycbor is used to construct the CBOR output
+ - DNS-in-JSON draft [1] for representing the objects
+ - Check CBOR topic in README.md for more information
+ - When only reading offline pcap files it will not attempt to drop
+ privileges and add new option `-N` to explicitly not drop privileges.
+
+ Commits:
+
+ f42e23f Extended options and CBOR output format
+ a28f498 Fix #24: Handle packet drops
+ 2308eaa Fix #26: Unable to drop GID to nobody, exiting.
+ 82d65f2 Update pcap-thread to v1.1.2
+
+ [1] https://datatracker.ietf.org/doc/draft-hoffman-dns-in-json/
+
+2016-10-11 Jerry Lundström
+
+ Release 1.1.0
+
+ The ownership of DNSCAP was transferred from ISC to DNS-OARC in
+ the summer of 2016 and this is the first release since that.
+
+ This project now uses Semantic Versioning and these are the changes
+ since the `dnscap-20160205` release (which can also be found using
+ the tag `v0.0.0-20160205`).
+
+ Highlights:
+ - Restructure repository and use autotools
+ - Compiled and tested on Debian, Ubuntu, CentOS, FreeBSD and OpenBSD
+ using Jenkins and Travis-CI
+ - Source code static analysis using Coverity Scan
+ - Compatibility fixes for FreeBSD, OpenBSD and OS X
+ - ABI change to `output()`, previous `isfrag` is now a `flags` that
+ represents what the packet is through a bitmask
+ - Use helper library `pcap-thread` when capturing to solve missing
+ packets during very low traffic
+
+ New command line options:
+ - `-V`: Prints version and then exits
+ - `-M`: Enable monitor mode on interfaces
+ - `-D`: Enable immediate mode on interfaces
+ - `-W`: Allow to specify a suffix for the pcap dump file
+ - `-C`: Limit/rotate capture after a certain amount of bytes
+
+ Special thanks to:
+ - Duane Wessels
+ - Paul Vixie
+ - Klaus Darilion
+
+ Commits:
+
+ bc7eb22 Update license after ownership transfer from ISC to DNS-OARC,
+ update contributors, add build badges and removed SuperFastHash
+ since apparently it was not used.
+ 778e457 Add `-V` for displaying version and the exiting
+ 71c2d79 Fix #12: Sync man-page and help text
+ 33576ef Swap option C and D, C for this makes more sense. Also ensure
+ that `capturedbytes` is zero on start.
+ 0077aff Correct dump trace with new `flags`
+ f9cbba0 Do not use dump suffix unless it set
+ 4dd81d6 Update the man page
+ 7435c49 Change new option C to D because C was already taken
+ 813dddb Fix -B and -E, these options are supported only once
+ 76f19d1 fix usage of -W
+ 519b64f Add -Y option to short usage instructions
+ 348c738 Fix -C feature: capturedbytes was not increased
+ 3db6f94 Improve logging
+ b567bef New option -C: limit/rotate capture after a certain amount
+ of bytes
+ 341abdf Add -W feature: allow to specify a suffix for the pcap dump
+ file, e. g.: '.pcap'
+ 097a3b4 Count every packet which is sent to output(), not only
+ the normal ones.
+ 75e5968 Close PCAPs after dumper_close() to have statistics still
+ available during dumper_close(). Otherwise we get a segfault
+ on shutdown.
+ c09d61a Add debian/ubuntu package files.
+ 020f2aa Forgot about the compiler warnings and fix the last
+ Coverity Scan issue
+ 00c834d More Coverity Scan fixes
+ ad2f230 Fix various Coverity Scan issues
+ 606f0cd Update pcap thread to version 1.1.1
+ f065cd7 Fix #14: Add options `-M` and `-C` for monitor and
+ immediate mode, update help and man-page.
+ b872035 Update to pcap-thread version 1.1.0
+ 1f30637 Update pcap_thread to v1.0.1, add travis check that dnscap
+ can run
+ b19efaa Building from Git repository instructions
+ b5460df Use `calloc()` instead of `malloc()` to be sure the memory
+ is zeroed
+ ae6a04d Use pcap_thread v1.0.0
+ 9426a2d Update pcap_thread and add pcap stats
+ 820b2f2 Update pcap_thread and support offline pcaps
+ a47dd67 Update pcap_thread
+ 237a7a7 CentOS autoreconf complained
+ 7b5568c Use pcap_thread
+ 11d0388 Revert the changes on all lines that had NULL, 0 before.
+ 7d6a7e4 Passing IPv6 fragment payloads may not currently be safe.
+ Needs more work. For now pass pkt=NULL to be safe for plugins.
+ ea8f9a4 Make the family of output() functions future proof with a flags
+ bitmask.
Rather than separate 'isfrag' and 'isdns' flags,
+ they are now set as bitmasks in a single 'flags' value passed
+ to output() f
+ 472a172 A change to the interface of the family of output() functions.
+ 95a6e62 timeval.* are not unsigned
+ d3f32de Fix #1: Use NS_*SZ
+ e555871 Fix compiler warnings
+ 3ed8f29 Fix #1
+ 864cbd7 Can you change #ifdef __APPLE__ to check for the
+ arpa/nameser_compat.h header and include it if it exists?
+ 796e8ea plugin/rssm needs to include arpa/nameser_compat.h for OS X
+ so that the HEADER struct is declared.
+ daf4bd3 In plugin/txtout silence compiler warnings about int vs short
+ e5bc24b plugin/pcapdump needs to include arpa/nameser_compat.h for OS X
+ so that the HEADER struct is declared.
+ 0061b57 Work around configure problem detecting libresolv on Mac OS X
+ Without some #include files, the configure test won't find
+ the symbol res_mkquery() in libresolv on OS X. It is called
+ res_9_mkquery()
+ 5309655 Mac OS X doesn't have setresuid() and setresgid().
+ This patch adds configure checks for setreuid() and setregid()
+ and will use those instead if the other versions are
+ not available.
+ d257a1c Fix compilation on FreeBSD and OpenBSD
+ 07b2a75 Restructure repository and move to Automake.
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
new file mode 100644
index 0000000..08d60a6
--- /dev/null
+++ b/CONTRIBUTORS
@@ -0,0 +1,17 @@
+Paul Vixie (ISC)
+Duane Wessels (The Measurement Factory, DNS-OARC, Verisign)
+Ken Keys (CAIDA)
+Sebastian Castro (CAIDA, NZRS)
+Iñigo Ortiz de Urbina Cazenave (RIPE)
+Kevin Brintnall
+Peter Koch (DENIC)
+Brad Belanger (Cogent)
+Mark Santcroos
+Andris Kalnozols
+Robert Story (TIS Labs)
+Bruce Campbell
+Chris Higgens
+Evan Hunt (ISC)
+Stephane Bortzmeyer (Afnic)
+Jerry Lundström (DNS-OARC)
+Klaus Darilion
@@ -0,0 +1,33 @@
+DNSCAP
+
+Copyright (c) 2016-2021, OARC, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
+ the documentation and/or other materials provided with the
+ distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
diff --git a/Makefile.am b/Makefile.am
new file mode 100644
index 0000000..0056327
--- /dev/null
+++ b/Makefile.am
@@ -0,0 +1,13 @@
+ACLOCAL_AMFLAGS = -I m4 -I src/pcap-thread/m4
+
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in \
+ $(srcdir)/src/config.h.in~ \
+ $(srcdir)/configure
+
+SUBDIRS = src plugins
+
+dist_doc_DATA = README.md LICENSE CONTRIBUTORS
+
+EXTRA_DIST = isc m4 .clang-format fmt.sh
+
+test: check
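Review bot: In Makefile.am the `test: check` alias is not declared phony, so a file or directory named `test` in the top-level build directory would make `make test` report the target as up to date and silently skip the test suite. Add `.PHONY: test` next to the rule; Automake passes a user `.PHONY` line through alongside the ones it generates. A one-line comment such as `# convenience alias for the Automake "check" target` would also tell readers why the rule exists.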
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3f86a6f
--- /dev/null
+++ b/README.md
@@ -0,0 +1,247 @@
+# dnscap
+
+[![Build Status](https://travis-ci.com/DNS-OARC/dnscap.svg?branch=develop)](https://travis-ci.com/DNS-OARC/dnscap) [![Total alerts](https://img.shields.io/lgtm/alerts/g/DNS-OARC/dnscap.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/DNS-OARC/dnscap/alerts/) [![Bugs](https://sonarcloud.io/api/project_badges/measure?project=dns-oarc%3Adnscap&metric=bugs)](https://sonarcloud.io/dashboard?id=dns-oarc%3Adnscap) [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=dns-oarc%3Adnscap&metric=security_rating)](https://sonarcloud.io/dashboard?id=dns-oarc%3Adnscap)
+
+`dnscap` is a network capture utility designed specifically for DNS traffic.
+It produces binary data in `pcap(3)` and other format. This utility is similar
+to `tcpdump(1)`, but has a number of features tailored to DNS transactions
+and protocol options. DNS-OARC uses `dnscap` for DITL data collections.
+
+Some of its features include:
+- Understands both IPv4 and IPv6
+- Captures UDP, TCP, and IP fragments.
+- Collect only queries, responses, or both (`-s` option)
+- Collect for only certain source/destination addresses (`-a` `-z` `-A` `-Z` options)
+- Periodically creates new pcap files (`-t` option)
+- Spawns an upload script after closing a pcap file (`-k` option)
+- Will start and stop collecting at specific times (`-B` `-E` options)
+
+More information may be found here:
+- https://www.dns-oarc.net/tools/dnscap
+- https://www.dns-oarc.net/oarc/data/ditl
+
+Issues should be reported here:
+- https://github.com/DNS-OARC/dnscap/issues
+
+General support and discussion:
+- Mattermost: https://chat.dns-oarc.net/community/channels/oarc-software
+- mailing-list: https://lists.dns-oarc.net/mailman/listinfo/dnscap-users
+
+## Dependencies
+
+`dnscap` requires a couple of libraries beside a normal C compiling
+environment with autoconf, automake, libtool and pkgconfig.
+
+`dnscap` has a non-optional dependency on the PCAP library and LDNS.
+
+To install the dependencies under Debian/Ubuntu:
+```
+apt-get install -y libpcap-dev libldns-dev zlib1g-dev libyaml-perl libssl-dev
+```
+
+To install the dependencies under CentOS (with EPEL enabled):
+```
+yum install -y libpcap-devel ldns-devel openssl-devel zlib-devel perl-YAML
+```
+
+For the following OS you will need to install some of the dependencies
+from source or Ports, these instructions are not included.
+
+To install some of the dependencies under FreeBSD 10+ using `pkg`:
+```
+pkg install -y libpcap ldns p5-YAML openssl-devel
+```
+
+To install some of the dependencies under OpenBSD 5+ using `pkg_add`:
+```
+pkg_add libldns p5-YAML
+```
+
+NOTE: It is recommended to install the PCAP library from source/ports on
+OpenBSD since the bundled version is an older and modified version.
+
+### Dependencies for `cryptopant.so` plugin
+
+For this plugin a library call `cryptopANT` is required and the original
+can be found here: https://ant.isi.edu/software/cryptopANT/index.html .
+
+For DNS-OARC packages we build our own fork, with slight modifications to
+conform across distributions, of this library which is included in the same
+package repository as `dnscap`. The modifications and packaging files can be
+found here: https://github.com/DNS-OARC/cryptopANT .
+
+## Building from source tarball
+
+The [source tarball from DNS-OARC](https://www.dns-oarc.net/tools/dnscap)
+comes prepared with `configure`:
+
+```
+tar zxvf dnscap-version.tar.gz
+cd dnscap-version
+./configure [options]
+make
+make install
+```
+
+## Building from Git repository
+
+If you are building `dnscap` from it's Git repository you will first need
+to initiate the Git submodules that exists and later create autoconf/automake
+files, this will require a build environment with autoconf, automake, libtool
+and pkg-config to be installed.
+
+```
+git clone https://github.com/DNS-OARC/dnscap.git
+cd dnscap
+git submodule update --init
+./autogen.sh
+./configure [options]
+make
+make install
+```
+
+### 64-bit libraries
+
+If you need to link against 64-bit libraries found in non-standard
+locations, provide the location by setting LDFLAGS before running
+configure:
+
+```
+$ env LDFLAGS=-L/usr/lib64 ./configure
+```
+
+### OpenBSD
+
+For OpenBSD you probably installed libpcap in `/usr/local` so you will need
+to tell `configure` where to find the libraries and header files:
+
+```
+$ env CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" ./configure
+```
+
+## Plugins
+
+`dnscap` comes bundled with a set of plugins, see `-P` option.
+
+- `anonaes128.so`: Anonymize IP addresses using AES128
+- `anonmask.so`: Pseudo-anonymize IP addresses by masking them
+- `cryptopan.so`: Anonymize IP addresses using an extension to Crypto-PAn (College of Computing, Georgia Tech) made by David Stott (Lucent)
+- `cryptopant.so`: Anonymize IP addresses using cryptopANT, a different implementation of Crypto-PAn made by the ANT project at USC/ISI
+- `ipcrypt.so`: Anonymize IP addresses using ipcrypt create by Jean-Philippe Aumasson
+- `pcapdump.so`: Dump DNS into a PCAP with some filtering options
+- `royparse.so`: Splits a PCAP into two streams; queries in PCAP format and responses in ASCII format
+- `rssm.so`: Root Server Scaling Measurement plugin, see it's [README.md](plugins/rssm/README.md) for more information
+- `rzkeychange.so`: RFC8145 key tag signal collection and reporting plugin
+- `txtout.so`: Dump DNS as one-line text
+- `eventlog.so`: Syslog style output for easy parsing, use with a SIEM, etc.
+
+There is also a `template` plugin in the source repository to help others
+develop new plugins.
+
+## CBOR DNS Stream Format
+
+This is an experimental format for representing DNS information in CBOR
+with the goals to:
+- Be able to stream the information
+- Support incomplete, broken and/or invalid DNS
+- Have close to no data quality and signature degradation
+- Support additional non-DNS meta data (such as ICMP/TCP attributes)
+
+Read [CBOR_DNS_STREAM.md](https://github.com/DNS-OARC/dnscap/blob/develop/CBOR_DNS_STREAM.md) for more information.
+
+To enable this output please follow the instructions below for Enabling
+CBOR Output, note that this only requires Tinycbor.
+
+### Outputting to CBOR DNS Stream (CDS)
+
+To output to the CDS format you tell `dnscap` to write to a file and set
+the format to CDS. CDS is a stream of CBOR objects and you can control how
+many objects are kept in memory until flushed to the file by setting
+`cds_cbor_size`, note that this is bytes of memory and not number of objects.
+When it reaches this limit it will write the output and start on a new file.
+Read `dnscap`'s man page for all CDS extended options.
+
+```
+src/dnscap [...] -w <file> -F cds [ -o cds_cbor_size=<bytes> ]
+```
+
+## CBOR
+
+There is experimental support for CBOR output using LDNS and Tinycbor with
+a data structure described in the DNS-in-JSON draft.
+
+https://datatracker.ietf.org/doc/draft-hoffman-dns-in-json/
+
+### Enabling CBOR Output
+
+To enable the CBOR output support you will need to install it's dependencies
+before running `configure`, LDNS exists for most distributions but Tinycbor
+is new so you need to download and compile it, you do not necessary need to
+install it as shown in the example below.
+
+```sh
+git clone https://github.com/DNS-OARC/dnscap.git
+cd dnscap
+git submodule update --init
+git clone https://github.com/01org/tinycbor.git
+cd tinycbor
+git checkout v0.4.2
+make
+cd ..
+sh autogen.sh
+CFLAGS="-I$PWD/tinycbor/src" LDFLAGS="-L$PWD/tinycbor/lib" LIBS="-ltinycbor" ./configure
+make
+```
+
+**NOTE**: Paths in `CFLAGS` and `LDFLAGS` must be absolute.
+
+### CBOR to JSON
+
+Tinycbor comes with a tool to convert CBOR to JSON, check `bin/cbordump -h`
+in the Tinycbor directory after having compiled it.
+
+### Outputting to CBOR
+
+To output to the CBOR format you tell `dnscap` to write to a file and set
+the format to CBOR. Since Tinycbor constructs everything in memory there
+is a limit and when it is reached it will write the output and start on a
+new file. You can control the number of bytes with the extended option
+`cbor_chunk_size`.
+
+```
+src/dnscap [...] -w <file> -F cbor [ -o cbor_chunk_size=<bytes> ]
+```
+
+### Additional attributes
+
+There is currently an additional attribute added to the CBOR object which
+contains the IP information as following:
+
+```
+"ip": [
+ <proto>,
+ "<source ip address>",
+ <source port>
+ "<destination ip address>",
+ <destination port>
+]
+```
+
+Example:
+
+```json
+"ip": [
+ 17,
+ "127.0.0.1",
+ 34856,
+ "127.0.0.1",
+ 53
+]
+```
+
+### Limitations, deviations and issues
+
+Since this is still experimental there are of course some issues:
+- RDATA is in binary format
+- DNS packet are parsed by LDNS which can fail if malformed packets
+- `dateSeconds` is added as a C `double` which might loose some of the time precision
diff --git a/autogen.sh b/autogen.sh
new file mode 100755
index 0000000..deb3713
--- /dev/null
+++ b/autogen.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -e
+
+autoreconf --force --install --no-recursive --include=m4 --include=src/pcap-thread/m4
diff --git a/configure.ac b/configure.ac
new file mode 100644
index 0000000..f43cce5
--- /dev/null
+++ b/configure.ac
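Review bot: In autogen.sh the `-e` option exists only on the shebang line `#!/bin/sh -e`, so it is dropped whenever the script is run through an interpreter, which is how the README added in this same commit invokes it (`sh autogen.sh` in the CBOR build steps). With `autoreconf` as the only command its exit status still propagates today, but any step added after it would run even when `autoreconf` failed. Put `set -e` on its own line after a plain `#!/bin/sh` so the behaviour does not depend on how the script is started.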
@@ -0,0 +1,160 @@
+# Copyright (c) 2016-2021, OARC, Inc.
+# Copyright (c) 2007, The Measurement Factory, Inc.
+# Copyright (c) 2007, Internet Systems Consortium, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# 3. Neither the name of the copyright holder nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+AC_PREREQ(2.61)
+AC_INIT([dnscap], [2.0.0], [dnscap-users@dns-oarc.net], [dnscap], [https://github.com/DNS-OARC/dnscap/issues])
+AM_INIT_AUTOMAKE([-Wall -Werror foreign subdir-objects])
+AC_CONFIG_SRCDIR([src/dnscap.c])
+AC_CONFIG_HEADER([src/config.h])
+AC_CONFIG_MACRO_DIR([m4])
+
+# Checks for programs.
+AC_PROG_CC
+AM_PROG_CC_C_O
+AC_CANONICAL_HOST
+m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
+LT_INIT([disable-static])
+
+# Check --enable-warn-all
+AC_ARG_ENABLE([warn-all], [AS_HELP_STRING([--enable-warn-all], [Enable all compiler warnings])], [AX_CFLAGS_WARN_ALL()])
+
+# Check --with-extra-cflags
+AC_ARG_WITH([extra-cflags], [AS_HELP_STRING([--with-extra-cflags=CFLAGS], [Add extra CFLAGS])], [
+ AC_MSG_NOTICE([appending extra CFLAGS... $withval])
+ AS_VAR_APPEND(CFLAGS, [" $withval"])
+])
+
+# Check --with-extra-ldflags
+AC_ARG_WITH([extra-ldflags], [AS_HELP_STRING([--with-extra-ldflags=LDFLAGS], [Add extra LDFLAGS])], [
+ AC_MSG_NOTICE([appending extra LDFLAGS... $withval])
+ AS_VAR_APPEND(LDFLAGS, [" $withval"])
+])
+
+# pcap_thread
+AC_ARG_ENABLE(threads,
+ [AS_HELP_STRING([--enable-threads],
+ [enable the usage of threads (default disabled)])],
+ [AX_PCAP_THREAD],
+ [AX_PCAP_THREAD_PCAP])
+
+# Check --enable-gcov
+AC_ARG_ENABLE([gcov], [AS_HELP_STRING([--enable-gcov], [Enable coverage testing])], [
+ coverage_cflags="--coverage -g -O0 -fno-inline -fno-inline-small-functions -fno-default-inline"
+ AC_MSG_NOTICE([enabling coverage testing... $coverage_cflags])
+ AS_VAR_APPEND(CFLAGS, [" $coverage_cflags"])
+])
+AM_CONDITIONAL([ENABLE_GCOV], [test "x$enable_gcov" != "xno"])
+AM_EXTRA_RECURSIVE_TARGETS([gcov])
+
+# Checks for libraries.
+AC_CHECK_LIB([dl], [dlopen])
+AC_CHECK_LIB([tinycbor], [cbor_parser_init])
+AM_CONDITIONAL([HAVE_CBOR], [test "x$ac_cv_lib_tinycbor_cbor_parser_init" = "xyes"])
+AC_CHECK_LIB([z], [gzopen])
+PKG_CHECK_MODULES([libcrypto], [libcrypto],
+ [AC_DEFINE([HAVE_LIBCRYPTO], [1], [Define to 1 if you have libcrypto.])])
+AC_CHECK_LIB([cryptopant], [scramble_init], [], [
+ AC_CHECK_LIB([cryptopANT], [scramble_init])
+])
+PKG_CHECK_MODULES([libldns], [libldns], , [
+ PKG_CHECK_MODULES([libldns], [ldns])
+])
+
+# Check for OS specific libraries
+case "$host_os" in
+ # HPUX
+ hpux*)
+ AC_CHECK_LIB([hplx], [main])
+ ;;
+
+ # Solaris
+ solaris*)
+ AC_CHECK_LIB([rt], [main])
+ AC_CHECK_LIB([md5], [main])
+ AC_CHECK_LIB([socket], [main])
+ AC_CHECK_LIB([nsl], [main])
+ ;;
+esac
+
+# Checks for header files.
+AC_HEADER_RESOLV
+AC_HEADER_TIME
+AC_CHECK_HEADERS([arpa/inet.h fcntl.h netdb.h netinet/in.h stdlib.h string.h])
+AC_CHECK_HEADERS([sys/ioctl.h sys/param.h sys/socket.h sys/time.h unistd.h])
+AC_CHECK_HEADERS([ldns/ldns.h arpa/nameser_compat.h cbor.h cbor/cbor.h])
+AC_CHECK_HEADERS([sys/time.h])
+AC_CHECK_HEADERS([zlib.h])
+AC_CHECK_HEADERS([openssl/conf.h openssl/evp.h openssl/err.h])
+AC_CHECK_HEADERS([cryptopANT.h])
+AC_CHECK_HEADERS([endian.h sys/endian.h machine/endian.h])
+
+# Checks for library functions.
+AC_CHECK_FUNCS([snprintf])
+AC_CHECK_FUNCS([setreuid setresuid setregid setresgid setegid seteuid initgroups setgroups])
+AC_CHECK_FUNCS([funopen fopencookie gzopen])
+AC_CHECK_FUNCS([__assertion_failed])
+
+# Check for SECCOMP
+SECCOMPFLAGS=
+AC_ARG_ENABLE(seccomp, AC_HELP_STRING([--enable-seccomp], [Linux seccomp-bpf sandbox]))
+case "$enable_seccomp" in
+ yes)
+ AC_DEFINE_UNQUOTED([USE_SECCOMP], [1], [Define this to enable Linux seccomp-bpf sandbox.])
+ SECCOMPFLAGS="-lseccomp -fPIE -fstack-protector-all -Wl,-z,relro -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2"
+ ;;
+
+ *)
+ ;;
+esac
+AC_SUBST(SECCOMPFLAGS, ["$SECCOMPFLAGS"])
+
+# Output Makefiles
+AC_CONFIG_FILES([
+ Makefile
+ src/Makefile
+ src/test/Makefile
+ plugins/Makefile
+ plugins/pcapdump/Makefile
+ plugins/rssm/Makefile
+ plugins/txtout/Makefile
+ plugins/rzkeychange/Makefile
+ plugins/royparse/Makefile
+ plugins/anonmask/Makefile
+ plugins/ipcrypt/Makefile
+ plugins/anonaes128/Makefile
+ plugins/cryptopan/Makefile
+ plugins/cryptopant/Makefile
+ plugins/eventlog/Makefile
+])
+AC_OUTPUT
diff --git a/contrib/cdsdump.py b/contrib/cdsdump.py
new file mode 100755
index 0000000..3eee22f
--- /dev/null
+++ b/contrib/cdsdump.py
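Review bot: In configure.ac the `yes)` branch of the seccomp check puts `-lseccomp` into `SECCOMPFLAGS` without probing for the library, so a host without libseccomp passes configure and fails only at link time. Add a probe there that does not touch `LIBS`, for example `AC_CHECK_LIB([seccomp], [seccomp_init], [:], [AC_MSG_ERROR([--enable-seccomp requires libseccomp])])`. The same variable is also the only place in this file that sets `-fPIE`, `-fstack-protector-all`, `-Wl,-z,relro` and `-D_FORTIFY_SOURCE=2`, so a build without `--enable-seccomp` gets none of this hardening from configure; a separate option independent of the sandbox would let a packet-parsing tool have it by default. Separately, `test "x$enable_gcov" != "xno"` is true when the option is not passed at all, so `ENABLE_GCOV` is on in ordinary builds; `= "xyes"` looks like what was meant.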
@@ -0,0 +1,699 @@
+#!/usr/bin/env python3
+#
+# Copyright (c) 2016-2021, OARC, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# 3. Neither the name of the copyright holder nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+ +import sys +import logging +import optparse +import struct +import socket +from cbor2 import CBORDecoder; + +logging.basicConfig(format='%(levelname).5s: %(module)s:%(lineno)d: ' + '%(message)s') +log = logging.getLogger(__name__) + +class SimpleValue(object): + def __init__(self, value): + self.value = value + + def get(self): + return self.value + + def __repr__(self): + return "{}".format(self.value) + +def decode_simple_value(self, fp, shareable_index=None): + return SimpleValue(struct.unpack('>B', fp.read(1))[0]) + +try: + from cbor2.types import CBORSimpleValue +except Exception: + CBORSimpleValue = SimpleValue + +class LastValues(object): + def __init__(self): + self.reset() + + def reset(self): + self.ts = None + self.src_addr4 = None + self.src_port4 = None + self.dest_addr4 = None + self.dest_port4 = None + self.src_addr6 = None + self.src_port6 = None + self.dest_addr6 = None + self.dest_port6 = None + self.rlabel = [] + self.mlabel = [] + self.rr_type = None + self.rr_class = None + self.rr_ttl = None + +last = LastValues() + +MAX_RLABELS = 255 +MIN_RLABEL_SIZE = 3 + +def get_rlabel(idx): + rlabel_idx = -idx - 1 + try: + label = last.rlabel.pop(rlabel_idx) + last.rlabel.insert(0, label) + return label + except: + raise Exception("rlabel index {} out of range".format(rlabel_idx)) + +def add_rlabel(label): + size = 0 + if isinstance(label, list): + for l in label: + if isinstance(l, str): + size += len(l) + if size < MIN_RLABEL_SIZE: + return + last.rlabel.insert(0, label) + if len(last.rlabel) > MAX_RLABELS: + last.rlabel.pop() + +def build_mlabel_label(label): + if isinstance(label, int) and label < 0: + label = get_rlabel(label) + else: + add_rlabel(label) + + if isinstance(label, str): + last.mlabel.append(label) + elif isinstance(label, list): + if len(label) and isinstance(label[0], int): + last.mlabel.append(label) + return + label = list(label) + while len(label): + last.mlabel.append(list(label)) + label.pop(0) + +def build_mlabel(rrs): + for 
rr in rrs: + if len(rr) and isinstance(rr[0], bool): + continue + if len(rr): + build_mlabel_label(rr[0]) + if len(rr) > 1 and isinstance(rr[len(rr)-1], list): + for l in rr[len(rr)-1]: + build_mlabel_label(l) + +def parse_label(label, lvl): + if isinstance(label, int) and label < 0: + label = get_rlabel(label) + else: + add_rlabel(label) + + if isinstance(label, bytes): + print((" " * lvl)+"label: {}".format(bytes)) + elif isinstance(label, list): + if len(label) and isinstance(label[0], int) and label[0] < 0: + dn = list(get_rlabel(label[0])) + else: + dn = list(label) + print((" " * lvl)+"clabel: {}".format(dn)) + dnstr = [] + seen_mlabel = {} + while len(dn): + while isinstance(dn[0], int): + if dn[0] in seen_mlabel: + dn = [ "{ name compression loop }" ] + break + seen_mlabel[dn[0]] = 1 + dn = list(last.mlabel[dn[0]]) + dnstr.append(dn.pop(0)) + print((" " * lvl)+"label: "+ " . ".join(dnstr)) + + else: + raise Exception("invalid label type {}".format(type(label))) + + +def parse_rrs(rrs, lvl): + for rr in rrs: + print((" " * lvl)+"rr:") + lvl+=2 + + if len(rr) and isinstance(rr[0], bool): + print((" " * lvl)+"incomplete/broken DNS RR, no support for these yet") + continue + + parse_label(rr.pop(0), lvl) + + bits = 0 + if isinstance(rr[0], CBORSimpleValue): + bits = rr.pop(0).value + print((" " * lvl)+"type (0): "+("yes" if bits & 1 else "no")) + print((" " * lvl)+"class (1): "+("yes" if bits & 1<<1 else "no")) + print((" " * lvl)+"ttl (2): "+("yes" if bits & 1<<2 else "no")) + print((" " * lvl)+"rdlength(3): "+("yes" if bits & 1<<3 else "no")) + + rr_type = None + rr_class = None + rr_ttl = None + rdlength = None + if not bits: + if len(rr) > 4: + bits = 0xff + elif len(rr) > 1: + raise Exception("invalid rr, expected none (0) or all (4) optional values but got {}".format(len(rr)-1)) + if bits & 1: + if not isinstance(rr[0], int): + raise Exception("invalid rr.type, expected int but got: {}".format(type(rr[0]))) + rr_type = rr.pop(0) + if bits & 1<<1: + if not 
isinstance(rr[0], int): + raise Exception("invalid rr.class, expected int but got: {}".format(type(rr[0]))) + rr_class = rr.pop(0) + if bits & 1<<2: + if not isinstance(rr[0], int): + raise Exception("invalid rr.ttl, expected int but got: {}".format(type(rr[0]))) + rr_ttl = rr.pop(0) + if bits & 1<<3: + if not isinstance(rr[0], int): + raise Exception("invalid rr.rdlength, expected int but got: {}".format(type(rr[0]))) + rdlength = rr.pop(0) + + if not rr_type: + rr_type = last.rr_type + if not rr_class: + rr_class = last.rr_class + if not rr_ttl: + rr_ttl = last.rr_ttl + + print((" " * lvl)+"type: {}".format(rr_type)) + print((" " * lvl)+"class: {}".format(rr_class)) + print((" " * lvl)+"ttl: {}".format(rr_ttl)) + if rdlength: + print((" " * lvl)+"rdlength: {}".format(rdlength)) + + if rr_type != 41: + last.rr_type = rr_type + last.rr_class = rr_class + last.rr_ttl = rr_ttl + + if isinstance(rr[0], bytes): + print((" " * lvl)+"rdata: "+"".join("{:02x}".format(byte) for byte in rr.pop(0))) + elif isinstance(rr[0], list): + rdata = [] + for i in rr.pop(0): + if isinstance(i, int) and i < 0: + i = get_rlabel(i) + elif not isinstance(i, bytes): + add_rlabel(i) + + if isinstance(i, bytes): + rdata.append("".join("{:02x}".format(byte) for byte in i)) + elif isinstance(i, list): + dn = list(i) + dnstr = [] + seen_mlabel = {} + while len(dn): + while isinstance(dn[0], int): + if dn[0] in seen_mlabel: + dn = [ "{ name compression loop }" ] + break + seen_mlabel[dn[0]] = 1 + dn = list(last.mlabel[dn[0]]) + dnstr.append(dn.pop(0)) + rdata.append("[ clabel: {} label: ".format(i) + " . 
".join(dnstr) + " ]") + else: + raise Exception("invalid rr.rdata[], expected bytes|list but got: {}".format(type(i))) + + print((" " * lvl)+"rdata: "+" ".join(rdata)) + else: + raise Exception("invalid rr.rdata, expected bytes|list but got: {}".format(type(rr[0]))) + + lvl-=2 + +def parse_qrs(qrs, lvl): + for qr in qrs: + print((" " * lvl)+"qr:") + lvl+=2 + parse_label(qr.pop(0), lvl) + + rr_type = None + rr_class = None + if len(qr): + if not isinstance(qr[0], int): + raise Exception("invalid qr.type|class, expected int but got {}".format(type(qr[0]))) + if qr[0] > -1: + rr_type = qr.pop(0) + if len(qr): + if not isinstance(qr[0], int): + raise Exception("invalid qr.class, expected int but got {}".format(type(qr[0]))) + elif not qr[0] < 0: + raise Exception("invalid qr.class, expected negative int but got positive") + rr_class = -qr.pop(0) - 1 + else: + rr_class = -qr.pop(0) - 1 + + if not rr_type: + rr_type = last.rr_type + if not rr_class: + rr_class = last.rr_class + + print((" " * lvl)+"type: {}".format(rr_type)) + print((" " * lvl)+"class: {}".format(rr_class)) + + if rr_type != 41: + last.rr_type = rr_type + last.rr_class = rr_class + + lvl-=2 + +def parse_dns_message(dns, lvl): + print((" " * lvl)+"dns:") + lvl+=2 + + if isinstance(dns[0], bool): + print((" " * lvl)+"incomplete/broken DNS packet, no support for these yet") + return + + print((" " * lvl)+"header:") + lvl+=2 + id = dns.pop(0) + print((" " * lvl)+"id: {}".format(id)) + raw = dns.pop(0) + print((" " * lvl)+"raw: 0x{:04x}".format(raw)) + lvl+=2 + print((" " * lvl)+" QR: "+("yes" if raw & 1<<15 else "no")) + print((" " * lvl)+"Opcode: {}".format(((raw >> 11) & 0xf))) + print((" " * lvl)+" AA: "+("yes" if raw & 1<<10 else "no")) + print((" " * lvl)+" TC: "+("yes" if raw & 1<<9 else "no")) + print((" " * lvl)+" RD: "+("yes" if raw & 1<<8 else "no")) + print((" " * lvl)+" RA: "+("yes" if raw & 1<<7 else "no")) + print((" " * lvl)+" Z: "+("yes" if raw & 1<<6 else "no")) + print((" " * lvl)+" AD: 
"+("yes" if raw & 1<<5 else "no")) + print((" " * lvl)+" CD: "+("yes" if raw & 1<<4 else "no")) + print((" " * lvl)+" RCODE: {}".format(raw & 0xf)) + lvl-=2 + + bits = 0 + if isinstance(dns[0], int) and dns[0] < 0: + bits = -dns.pop(0) - 1 + print((" " * lvl)+"qdcount(0): "+("yes" if bits & 1 else "no")) + print((" " * lvl)+"ancount(1): "+("yes" if bits & 1<<1 else "no")) + print((" " * lvl)+"nscount(2): "+("yes" if bits & 1<<2 else "no")) + print((" " * lvl)+"arcount(3): "+("yes" if bits & 1<<3 else "no")) + + if not bits: + if isinstance(dns[0], int): + bits = 0xff + + if bits & 1: + if not isinstance(dns[0], int): + raise Exception("invalid dns.header.qdcount, expected int but got: {}".format(type(dns[0]))) + print((" " * lvl)+"qdcount: {}".format(dns.pop(0))) + if bits & 1<<1: + if not isinstance(dns[0], int): + raise Exception("invalid dns.header.ancount, expected int but got: {}".format(type(dns[0]))) + print((" " * lvl)+"ancount: {}".format(dns.pop(0))) + if bits & 1<<2: + if not isinstance(dns[0], int): + raise Exception("invalid dns.header.nscount, expected int but got: {}".format(type(dns[0]))) + print((" " * lvl)+"nscount: {}".format(dns.pop(0))) + if bits & 1<<3: + if not isinstance(dns[0], int): + raise Exception("invalid dns.header.arcount, expected int but got: {}".format(type(dns[0]))) + print((" " * lvl)+"arcount: {}".format(dns.pop(0))) + + bits = 0 + if isinstance(dns[0], CBORSimpleValue): + bits = dns.pop(0).value + print((" " * lvl)+"questions (0): "+("yes" if bits & 1 else "no")) + print((" " * lvl)+"answers (1): "+("yes" if bits & 1<<1 else "no")) + print((" " * lvl)+"authorities(2): "+("yes" if bits & 1<<2 else "no")) + print((" " * lvl)+"additionals(3): "+("yes" if bits & 1<<3 else "no")) + + last.mlabel = [] + rlabel = list(last.rlabel) + for n in range(4): + if len(dns) > n and isinstance(dns[n], list): + build_mlabel(dns[n]) + last.rlabel = rlabel + + if not bits: + if len(dns) > 3: + bits = 0xff + elif len(dns) > 0: + raise 
Exception("invalid dns.message rr's, expected none (0) or all (4) but got {}".format(len(dns))) + + if bits & 1: + if not isinstance(dns[0], list): + raise Exception("invalid dns.message.questions, expected list but got: {}".format(type(dns[0]))) + print((" " * lvl)+"questions:") + parse_qrs(dns.pop(0), lvl+2) + if bits & 1<<1: + if not isinstance(dns[0], list): + raise Exception("invalid dns.message.answers, expected list but got: {}".format(type(dns[0]))) + print((" " * lvl)+"answers:") + parse_rrs(dns.pop(0), lvl+2) + if bits & 1<<2: + if not isinstance(dns[0], list): + raise Exception("invalid dns.message.authorities, expected list but got: {}".format(type(dns[0]))) + print((" " * lvl)+"authorities:") + parse_rrs(dns.pop(0), lvl+2) + if bits & 1<<3: + if not isinstance(dns[0], list): + raise Exception("invalid dns.message.additionals, expected list but got: {}".format(type(dns[0]))) + print((" " * lvl)+"additionals:") + parse_rrs(dns.pop(0), lvl+2) + + if len(dns): + if isinstance(dns[0], bytes): + print((" " * lvl)+"malformed: "+"".join("{:02x}".format(byte) for byte in dns.pop(0))) + if len(dns): + raise Exception("invalid dns.message, garbage at end: {}".format(dns)) + +def parse_ip_header(ip_header, lvl): + print((" " * lvl)+"ip_header:") + lvl+=2 + + print((" " * lvl)+"bits:") + lvl+=2 + bits = ip_header.pop(0) + reverse = False + if isinstance(bits, int): + if bits < 0: + print((" " * lvl)+"reverse: yes") + bits = -bits - 1 + reverse = True + print((" " * lvl)+"family (0): "+("INET6" if bits & 1 else "INET")) + print((" " * lvl)+"have_src (1): "+("yes" if bits & 1<<1 else "no")) + print((" " * lvl)+"have_dest(2): "+("yes" if bits & 1<<2 else "no")) + print((" " * lvl)+"have_port(3): "+("yes" if bits & 1<<3 else "no")) + else: + raise Exception("invalid ip_header.bits, expected int but got: {}".format(type(bits))) + lvl-=2 + + src_addr = None + dest_addr = None + src_port = None + dest_port = None + + if bits & 1<<1: + src_addr = ip_header.pop(0) + if not 
isinstance(src_addr, bytes): + raise Exception("invalid ip_header.src_addr, expected bytes but got: {}".format(type(src_addr))) + else: + if reverse: + src_addr = last.dest_addr6 if bits & 1 else last.dest_addr4 + if not src_addr: + raise Exception("invalid ip_header.bits, expected to have last dest addr but don't") + else: + src_addr = last.src_addr6 if bits & 1 else last.src_addr4 + if not src_addr: + raise Exception("invalid ip_header.bits, expected to have last src addr but don't") + + if bits & 1<<2: + dest_addr = ip_header.pop(0) + if not isinstance(dest_addr, bytes): + raise Exception("invalid ip_header.dest_addr, expected bytes but got: {}".format(type(dest_addr))) + else: + if reverse: + dest_addr = last.src_addr6 if bits & 1 else last.src_addr4 + if not dest_addr: + raise Exception("invalid ip_header.bits, expected to have last src addr but don't") + else: + dest_addr = last.dest_addr6 if bits & 1 else last.dest_addr4 + if not dest_addr: + raise Exception("invalid ip_header.bits, expected to have last dest addr but don't") + + if bits & 1<<3: + ports = ip_header.pop(0) + if not isinstance(ports, int): + raise Exception("invalid ip_header.src_dest_port, expected int but got: {}".format(type(ports))) + if ports > 0xffff: + src_port = ports & 0xffff + dest_port = ports >> 16 + elif ports < 0: + if reverse: + src_port = last.dest_port6 if bits & 1 else last.dest_port4 + if src_port is None: + raise Exception("invalid ip_header.bits, expected to have last dest port but don't") + else: + src_port = last.src_port6 if bits & 1 else last.src_port4 + if src_port is None: + raise Exception("invalid ip_header.bits, expected to have last src port but don't") + dest_port = -ports - 1 + else: + src_port = ports + if reverse: + dest_port = last.src_port6 if bits & 1 else last.src_port4 + if dest_port is None: + raise Exception("invalid ip_header.bits, expected to have last src port but don't") + else: + dest_port = last.dest_port6 if bits & 1 else last.dest_port4 + if 
dest_port is None: + raise Exception("invalid ip_header.bits, expected to have last dest port but don't") + else: + if reverse: + src_port = last.dest_port6 if bits & 1 else last.dest_port4 + if src_port is None: + raise Exception("invalid ip_header.bits, expected to have last dest port but don't") + else: + src_port = last.src_port6 if bits & 1 else last.src_port4 + if src_port is None: + raise Exception("invalid ip_header.bits, expected to have last src port but don't") + if reverse: + dest_port = last.src_port6 if bits & 1 else last.src_port4 + if dest_port is None: + raise Exception("invalid ip_header.bits, expected to have last src port but don't") + else: + dest_port = last.dest_port6 if bits & 1 else last.dest_port4 + if dest_port is None: + raise Exception("invalid ip_header.bits, expected to have last dest port but don't") + + print((" " * lvl)+" src addr: " + socket.inet_ntop(socket.AF_INET6 if bits & 1 else socket.AF_INET, src_addr)) + print((" " * lvl)+"dest addr: " + socket.inet_ntop(socket.AF_INET6 if bits & 1 else socket.AF_INET, dest_addr)) + print((" " * lvl)+" src port: {}".format(src_port)) + print((" " * lvl)+"dest port: {}".format(dest_port)) + + if bits & 1: + last.src_addr6 = src_addr + last.dest_addr6 = dest_addr + last.src_port6 = src_port + last.dest_port6 = dest_port + else: + last.src_addr4 = src_addr + last.dest_addr4 = dest_addr + last.src_port4 = src_port + last.dest_port4 = dest_port + + +def parse_message_bits(bits, lvl): + print((" " * lvl)+"message_bits:") + lvl+=2 + dns = "no" + if isinstance(bits, int): + if bits & 1: + dns = "yes" + print((" " * lvl)+"dns (0): "+dns) + + if bits & 1<<1: + proto = "tcp" + elif dns == "yes": + proto = "udp" + else: + proto = "icmp" + print((" " * lvl)+"proto (1): "+proto) + + if bits & 1<<2: + frag = "yes" + else: + frag = "no" + print((" " * lvl)+"frag (2): "+frag) + + if bits & 1<<3: + malformed = "yes" + else: + malformed = "no" + print((" " * lvl)+"malformed(3): "+malformed) + + else: + raise 
Exception("invalid message_bits, expected int but got: {}".format(type(bits))) + + return 1 if dns == "yes" else 0 + +def parse_timestamp(ts, lvl): + print((" " * lvl)+"timestamp:") + lvl+=2 + + if isinstance(ts, list): + if ts[0] < 0: + if not last.ts: + raise Exception("invalid timestamp.seconds, got diff from last value but have no last value") + if not len(last.ts) == len(ts): + raise Exception("invalid timestamp.seconds, differentialy precision missmatch") + + ts[0] = last.ts[0] + ( -ts[0] - 1 ) + print((" " * lvl)+"seconds: {}".format(ts[0])) + + if len(ts) > 1: + ts[1] = last.ts[1] + ts[1] + print((" " * lvl)+"useconds: {}".format(ts[1])) + if len(ts) > 2: + ts[2] = last.ts[2] + ts[2] + print((" " * lvl)+"nseconds: {}".format(ts[2])) + else: + print((" " * lvl)+"seconds: {}".format(ts[0])) + if len(ts) > 1: + print((" " * lvl)+"useconds: {}".format(ts[1])) + if len(ts) > 2: + print((" " * lvl)+"nseconds: {}".format(ts[2])) + last.ts = ts + + elif isinstance(ts, int): + print((" " * lvl)+"seconds: {}".format(ts)) + else: + raise Exception("invalid timestamp, expected list|int but got: {}".format(type(ts))) + +def parse(cds): + print("paket:") + try: + parse_timestamp(cds.pop(0), 2) + is_dns = parse_message_bits(cds.pop(0), 2) + parse_ip_header(cds, 2) + if not is_dns: + raise Exception("not dns? 
huh?") + parse_dns_message(cds, 2) + except IndexError as idx: + if not str(idx) == "pop from empty list": + raise + print(" ...") + except: + raise + +def main(): + usage = '%prog [-v] [-h] <cds file...>' + parser = optparse.OptionParser(usage, version='%prog 0.01') + parser.add_option('-v', '--verbose', action='store_true', dest='verbose', + help='turn verbose mode on') + + (options, args) = parser.parse_args() + + if options.verbose == True: + log.setLevel(logging.DEBUG) + log.debug('argv: %s', sys.argv) + log.debug('options: %s', options) + log.debug('args: %s', args) + else: + log.setLevel(logging.WARNING) + + if not args: + parser.print_usage() + exit(1) + + decoder = CBORDecoder() + # if https://github.com/agronholm/cbor2/pull/5 is not merged/released yet + if 0 not in decoder.special_decoders: + decoder.special_decoders[0] = lambda self, fp, shareable_index=None: SimpleValue(0) + decoder.special_decoders[1] = lambda self, fp, shareable_index=None: SimpleValue(1) + decoder.special_decoders[2] = lambda self, fp, shareable_index=None: SimpleValue(2) + decoder.special_decoders[3] = lambda self, fp, shareable_index=None: SimpleValue(3) + decoder.special_decoders[4] = lambda self, fp, shareable_index=None: SimpleValue(4) + decoder.special_decoders[5] = lambda self, fp, shareable_index=None: SimpleValue(5) + decoder.special_decoders[6] = lambda self, fp, shareable_index=None: SimpleValue(6) + decoder.special_decoders[7] = lambda self, fp, shareable_index=None: SimpleValue(7) + decoder.special_decoders[8] = lambda self, fp, shareable_index=None: SimpleValue(8) + decoder.special_decoders[9] = lambda self, fp, shareable_index=None: SimpleValue(9) + decoder.special_decoders[10] = lambda self, fp, shareable_index=None: SimpleValue(10) + decoder.special_decoders[11] = lambda self, fp, shareable_index=None: SimpleValue(11) + decoder.special_decoders[12] = lambda self, fp, shareable_index=None: SimpleValue(12) + decoder.special_decoders[13] = lambda self, fp, 
shareable_index=None: SimpleValue(13) + decoder.special_decoders[14] = lambda self, fp, shareable_index=None: SimpleValue(14) + decoder.special_decoders[15] = lambda self, fp, shareable_index=None: SimpleValue(15) + decoder.special_decoders[16] = lambda self, fp, shareable_index=None: SimpleValue(16) + decoder.special_decoders[17] = lambda self, fp, shareable_index=None: SimpleValue(17) + decoder.special_decoders[18] = lambda self, fp, shareable_index=None: SimpleValue(18) + decoder.special_decoders[19] = lambda self, fp, shareable_index=None: SimpleValue(19) + decoder.special_decoders[24] = decode_simple_value + + version = None + + for f in args: + log.debug('file: %s', f) + with open(f, 'rb') as fp: + obj = None + try: + obj = decoder.decode(fp) + except Exception as e: + if e.__str__().find("index out of range") == -1: + raise + if not isinstance(obj, list): + raise Exception("Invalid element, expected an array but found: {}".format(type(obj))) + + version = obj.pop(0) + if version != "CDSv1": + raise Exception("Invalid version, expected CDSv1 but got: {}".format(version)) + + while len(obj): + opt = obj.pop(0) + if not isinstance(opt, int): + raise Exception("Invalid option, expected int but got: {}".format(type(opt))) + if opt == 0: + MAX_RLABELS = obj.pop(0) + if not isinstance(MAX_RLABELS, int) or MAX_RLABELS < 1: + raise Exception("Invalid option for maximum rlabels, got: {}".format(MAX_RLABELS)) + log.debug("Using maximum rlabels {}".format(MAX_RLABELS)) + elif opt == 1: + MIN_RLABEL_SIZE = obj.pop(0) + if not isinstance(MIN_RLABEL_SIZE, int) or MIN_RLABEL_SIZE < 1: + raise Exception("Invalid option for minimum rlabel size, got: {}".format(MIN_RLABEL_SIZE)) + log.debug("Using minimum rlabel size {}".format(MIN_RLABEL_SIZE)) + else: + raise Exception("Unknown option: {}".format(opt)) + + while True: + obj = None + try: + obj = decoder.decode(fp) + except Exception as e: + if e.__str__().find("index out of range") == -1: + raise + if obj is None: + break + 
if not isinstance(obj, list): + raise Exception("Invalid element, expected an array but found: {}".format(type(obj))) + parse(obj) + + last.reset() + +if __name__ == '__main__': + main() diff --git a/contrib/cdsidxchk.py b/contrib/cdsidxchk.py new file mode 100755 index 0000000..bcc1a67 --- /dev/null +++ b/contrib/cdsidxchk.py 
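Review bot: In `main()` of contrib/cdsdump.py, the option handlers assign `MAX_RLABELS = obj.pop(0)` and `MIN_RLABEL_SIZE = obj.pop(0)` without a `global` declaration, so they bind locals and `add_rlabel()` keeps using the module defaults 255 and 3. A CDS file written with other limits would then be decoded with a reverse-label table that drifts from the writer's, producing wrong names or the "rlabel index out of range" exception; adding `global MAX_RLABELS, MIN_RLABEL_SIZE` as the first statement of `main()` fixes it. Separately, `parse_label()` prints `"label: {}".format(bytes)`, which formats the built-in type rather than the value, and should read `.format(label)`. Because these files are untrusted input, the `last.mlabel[dn[0]]` lookups in `parse_label()` and `parse_rrs()` also need a range check such as `if not 0 <= dn[0] < len(last.mlabel): raise Exception("mlabel index out of range")`: a negative index wraps to the end of the list, and an out-of-range one is re-raised by `parse()` because only the "pop from empty list" IndexError is handled. The same two lookups appear in contrib/cdsidxchk.py, whose hunk continues past this view.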
@@ -0,0 +1,797 @@
+#!/usr/bin/env python3
+#
+# Copyright (c) 2016-2021, OARC, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# 3. Neither the name of the copyright holder nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+ +import sys +import logging +import optparse +import struct +from cbor2 import CBORDecoder; + +logging.basicConfig(format='%(levelname).5s: %(module)s:%(lineno)d: ' + '%(message)s') +log = logging.getLogger(__name__) + +class SimpleValue(object): + def __init__(self, value): + self.value = value + + def get(self): + return self.value + + def __repr__(self): + return "{}".format(self.value) + +def decode_simple_value(self, fp, shareable_index=None): + return SimpleValue(struct.unpack('>B', fp.read(1))[0]) + +try: + from cbor2.types import CBORSimpleValue +except Exception: + CBORSimpleValue = SimpleValue + +class LastValues(object): + def __init__(self): + self.reset() + + def reset(self): + self.ts = None + self.src_addr4 = None + self.src_port4 = None + self.dest_addr4 = None + self.dest_port4 = None + self.src_addr6 = None + self.src_port6 = None + self.dest_addr6 = None + self.dest_port6 = None + self.rlabel = [] + self.mlabel = [] + self.rr_type = None + self.rr_class = None + self.rr_ttl = None + self.labels = {} + self.label_len = {} + self.label_parts = {} + self.label_part_len = {} + self.rdata = {} + self.rdata_len = {} + + +last = LastValues() + +MAX_RLABELS = 255 +MIN_RLABEL_SIZE = 3 + +def add_label(label): + size = 0 + if isinstance(label, list): + for l in label: + if isinstance(l, str) and len(l) > 2: + if not l in last.label_parts: + last.label_parts[l] = 1 + last.label_part_len[l] = len(l) + else: + last.label_parts[l] += 1 + if not isinstance(l, int): + size += len(l) + else: + size = len(label) + if size < 3: + return + + idx = "{}".format(label) +# print(idx) + + if not idx in last.labels: + last.labels[idx] = 1 + last.label_len[idx] = size + else: + last.labels[idx] += 1 + +def add_rdata(rdata): + size = 0 + if isinstance(rdata, list): + for l in rdata: + if not isinstance(l, int): + size += len(l) + else: + size = len(rdata) + if size < 3: + return + + idx = "{}".format(rdata) +# print(idx) + if not idx in last.rdata: + last.rdata[idx] = 1 + 
last.rdata_len[idx] = size + else: + last.rdata[idx] += 1 + + + +def get_rlabel(idx): + rlabel_idx = -idx - 1 + try: + label = last.rlabel.pop(rlabel_idx) + last.rlabel.insert(0, label) + return label + except: + raise Exception("rlabel index {} out of range".format(rlabel_idx)) + +def add_rlabel(label): + size = 0 + if isinstance(label, list): + for l in label: + if isinstance(l, str): + size += len(l) + if size < MIN_RLABEL_SIZE: + return + last.rlabel.insert(0, label) + if len(last.rlabel) > MAX_RLABELS: + last.rlabel.pop() + +def build_mlabel_label(label): + if isinstance(label, int) and label < 0: + label = get_rlabel(label) + else: + add_rlabel(label) + + if isinstance(label, str): + last.mlabel.append(label) + elif isinstance(label, list): + if len(label) and isinstance(label[0], int): + last.mlabel.append(label) + return + label = list(label) + while len(label): + last.mlabel.append(list(label)) + label.pop(0) + +def build_mlabel(rrs): + for rr in rrs: + if len(rr) and isinstance(rr[0], bool): + continue + if len(rr): + build_mlabel_label(rr[0]) + if len(rr) > 1 and isinstance(rr[len(rr)-1], list): + for l in rr[len(rr)-1]: + build_mlabel_label(l) + +def parse_label(label, lvl): + if isinstance(label, int) and label < 0: + label = get_rlabel(label) + else: + add_rlabel(label) + add_label(label) + + if isinstance(label, bytes): + #print((" " * lvl)+"label: {}".format(bytes)) + pass + elif isinstance(label, list): + if len(label) and isinstance(label[0], int) and label[0] < 0: + dn = list(get_rlabel(label[0])) + else: + dn = list(label) + #print((" " * lvl)+"clabel: {}".format(dn)) + dnstr = [] + seen_mlabel = {} + while len(dn): + while isinstance(dn[0], int): + if dn[0] in seen_mlabel: + dn = [ "{ name compression loop }" ] + break + seen_mlabel[dn[0]] = 1 + dn = list(last.mlabel[dn[0]]) + dnstr.append(dn.pop(0)) + #print((" " * lvl)+"label: "+ " . 
".join(dnstr)) + + else: + raise Exception("invalid label type {}".format(type(label))) + + +def parse_rrs(rrs, lvl): + for rr in rrs: + #print((" " * lvl)+"rr:") + lvl+=2 + + if len(rr) and isinstance(rr[0], bool): + #print((" " * lvl)+"incomplete/broken DNS RR, no support for these yet") + continue + + parse_label(rr.pop(0), lvl) + + bits = 0 + if isinstance(rr[0], CBORSimpleValue): + bits = rr.pop(0).value + #print((" " * lvl)+"type (0): "+("yes" if bits & 1 else "no")) + #print((" " * lvl)+"class (1): "+("yes" if bits & 1<<1 else "no")) + #print((" " * lvl)+"ttl (2): "+("yes" if bits & 1<<2 else "no")) + #print((" " * lvl)+"rdlength(3): "+("yes" if bits & 1<<3 else "no")) + + rr_type = None + rr_class = None + rr_ttl = None + rdlength = None + if not bits: + if len(rr) > 4: + bits = 0xff + elif len(rr) > 1: + raise Exception("invalid rr, expected none (0) or all (4) optional values but got {}".format(len(rr)-1)) + if bits & 1: + if not isinstance(rr[0], int): + raise Exception("invalid rr.type, expected int but got: {}".format(type(rr[0]))) + rr_type = rr.pop(0) + if bits & 1<<1: + if not isinstance(rr[0], int): + raise Exception("invalid rr.class, expected int but got: {}".format(type(rr[0]))) + rr_class = rr.pop(0) + if bits & 1<<2: + if not isinstance(rr[0], int): + raise Exception("invalid rr.ttl, expected int but got: {}".format(type(rr[0]))) + rr_ttl = rr.pop(0) + if bits & 1<<3: + if not isinstance(rr[0], int): + raise Exception("invalid rr.rdlength, expected int but got: {}".format(type(rr[0]))) + rdlength = rr.pop(0) + + if not rr_type: + rr_type = last.rr_type + if not rr_class: + rr_class = last.rr_class + if not rr_ttl: + rr_ttl = last.rr_ttl + + #print((" " * lvl)+"type: {}".format(rr_type)) + #print((" " * lvl)+"class: {}".format(rr_class)) + #print((" " * lvl)+"ttl: {}".format(rr_ttl)) + if rdlength: + #print((" " * lvl)+"rdlength: {}".format(rdlength)) + pass + + if rr_type != 41: + last.rr_type = rr_type + last.rr_class = rr_class + last.rr_ttl 
= rr_ttl + + if isinstance(rr[0], bytes): + add_rdata(rr[0]) + rr.pop(0) + #print((" " * lvl)+"rdata: "+"".join("{:02x}".format(byte) for byte in rr.pop(0))) + elif isinstance(rr[0], list): + add_rdata(rr[0]) + rdata = [] + for i in rr.pop(0): + if isinstance(i, int) and i < 0: + i = get_rlabel(i) + elif not isinstance(i, bytes): + add_rlabel(i) + add_label(i) + + if isinstance(i, bytes): + rdata.append("".join("{:02x}".format(byte) for byte in i)) + elif isinstance(i, list): + dn = list(i) + dnstr = [] + seen_mlabel = {} + while len(dn): + while isinstance(dn[0], int): + if dn[0] in seen_mlabel: + dn = [ "{ name compression loop }" ] + break + seen_mlabel[dn[0]] = 1 + dn = list(last.mlabel[dn[0]]) + dnstr.append(dn.pop(0)) + rdata.append("[ clabel: {} label: ".format(i) + " . ".join(dnstr) + " ]") + else: + raise Exception("invalid rr.rdata[], expected bytes|list but got: {}".format(type(i))) + + #print((" " * lvl)+"rdata: "+" ".join(rdata)) + else: + raise Exception("invalid rr.rdata, expected bytes|list but got: {}".format(type(rr[0]))) + + lvl-=2 + +def parse_qrs(qrs, lvl): + for qr in qrs: + #print((" " * lvl)+"qr:") + lvl+=2 + parse_label(qr.pop(0), lvl) + + rr_type = None + rr_class = None + if len(qr): + if not isinstance(qr[0], int): + raise Exception("invalid qr.type|class, expected int but got {}".format(type(qr[0]))) + if qr[0] > -1: + rr_type = qr.pop(0) + if len(qr): + if not isinstance(qr[0], int): + raise Exception("invalid qr.class, expected int but got {}".format(type(qr[0]))) + elif not qr[0] < 0: + raise Exception("invalid qr.class, expected negative int but got positive") + rr_class = -qr.pop(0) - 1 + else: + rr_class = -qr.pop(0) - 1 + + if not rr_type: + rr_type = last.rr_type + if not rr_class: + rr_class = last.rr_class + + #print((" " * lvl)+"type: {}".format(rr_type)) + #print((" " * lvl)+"class: {}".format(rr_class)) + + if rr_type != 41: + last.rr_type = rr_type + last.rr_class = rr_class + + lvl-=2 + +def parse_dns_message(dns, lvl): + 
#print((" " * lvl)+"dns:") + lvl+=2 + + if isinstance(dns[0], bool): + #print((" " * lvl)+"incomplete/broken DNS packet, no support for these yet") + return + + #print((" " * lvl)+"header:") + lvl+=2 + id = dns.pop(0) # lgtm [py/unused-local-variable] + #print((" " * lvl)+"id: {}".format(id)) + raw = dns.pop(0) # lgtm [py/unused-local-variable] + #print((" " * lvl)+"raw: 0x{:04x}".format(raw)) + lvl+=2 + #print((" " * lvl)+" QR: "+("yes" if raw & 1<<15 else "no")) + #print((" " * lvl)+"Opcode: {}".format(((raw >> 11) & 0xf))) + #print((" " * lvl)+" AA: "+("yes" if raw & 1<<10 else "no")) + #print((" " * lvl)+" TC: "+("yes" if raw & 1<<9 else "no")) + #print((" " * lvl)+" RD: "+("yes" if raw & 1<<8 else "no")) + #print((" " * lvl)+" RA: "+("yes" if raw & 1<<7 else "no")) + #print((" " * lvl)+" Z: "+("yes" if raw & 1<<6 else "no")) + #print((" " * lvl)+" AD: "+("yes" if raw & 1<<5 else "no")) + #print((" " * lvl)+" CD: "+("yes" if raw & 1<<4 else "no")) + #print((" " * lvl)+" RCODE: {}".format(raw & 0xf)) + lvl-=2 + + bits = 0 + if isinstance(dns[0], int) and dns[0] < 0: + bits = -dns.pop(0) - 1 + #print((" " * lvl)+"qdcount(0): "+("yes" if bits & 1 else "no")) + #print((" " * lvl)+"ancount(1): "+("yes" if bits & 1<<1 else "no")) + #print((" " * lvl)+"nscount(2): "+("yes" if bits & 1<<2 else "no")) + #print((" " * lvl)+"arcount(3): "+("yes" if bits & 1<<3 else "no")) + + if not bits: + if isinstance(dns[0], int): + bits = 0xff + + if bits & 1: + if not isinstance(dns[0], int): + raise Exception("invalid dns.header.qdcount, expected int but got: {}".format(type(dns[0]))) + dns.pop(0) + #print((" " * lvl)+"qdcount: {}".format(dns.pop(0))) + if bits & 1<<1: + if not isinstance(dns[0], int): + raise Exception("invalid dns.header.ancount, expected int but got: {}".format(type(dns[0]))) + dns.pop(0) + #print((" " * lvl)+"ancount: {}".format(dns.pop(0))) + if bits & 1<<2: + if not isinstance(dns[0], int): + raise Exception("invalid dns.header.nscount, expected int but got: 
{}".format(type(dns[0]))) + dns.pop(0) + #print((" " * lvl)+"nscount: {}".format(dns.pop(0))) + if bits & 1<<3: + if not isinstance(dns[0], int): + raise Exception("invalid dns.header.arcount, expected int but got: {}".format(type(dns[0]))) + dns.pop(0) + #print((" " * lvl)+"arcount: {}".format(dns.pop(0))) + + bits = 0 + if isinstance(dns[0], CBORSimpleValue): + bits = dns.pop(0).value + #print((" " * lvl)+"questions (0): "+("yes" if bits & 1 else "no")) + #print((" " * lvl)+"answers (1): "+("yes" if bits & 1<<1 else "no")) + #print((" " * lvl)+"authorities(2): "+("yes" if bits & 1<<2 else "no")) + #print((" " * lvl)+"additionals(3): "+("yes" if bits & 1<<3 else "no")) + + last.mlabel = [] + rlabel = list(last.rlabel) + for n in range(4): + if len(dns) > n and isinstance(dns[n], list): + build_mlabel(dns[n]) + last.rlabel = rlabel + + if not bits: + if len(dns) > 3: + bits = 0xff + elif len(dns) > 0: + raise Exception("invalid dns.message rr's, expected none (0) or all (4) but got {}".format(len(dns))) + + if bits & 1: + if not isinstance(dns[0], list): + raise Exception("invalid dns.message.questions, expected list but got: {}".format(type(dns[0]))) + #print((" " * lvl)+"questions:") + parse_qrs(dns.pop(0), lvl+2) + if bits & 1<<1: + if not isinstance(dns[0], list): + raise Exception("invalid dns.message.answers, expected list but got: {}".format(type(dns[0]))) + #print((" " * lvl)+"answers:") + parse_rrs(dns.pop(0), lvl+2) + if bits & 1<<2: + if not isinstance(dns[0], list): + raise Exception("invalid dns.message.authorities, expected list but got: {}".format(type(dns[0]))) + #print((" " * lvl)+"authorities:") + parse_rrs(dns.pop(0), lvl+2) + if bits & 1<<3: + if not isinstance(dns[0], list): + raise Exception("invalid dns.message.additionals, expected list but got: {}".format(type(dns[0]))) + #print((" " * lvl)+"additionals:") + parse_rrs(dns.pop(0), lvl+2) + + if len(dns): + if isinstance(dns[0], bytes): + dns.pop(0) + #print((" " * lvl)+"malformed: 
"+"".join("{:02x}".format(byte) for byte in dns.pop(0))) + if len(dns): + raise Exception("invalid dns.message, garbage at end: {}".format(dns)) + +def parse_ip_header(ip_header, lvl): + #print((" " * lvl)+"ip_header:") + lvl+=2 + + #print((" " * lvl)+"bits:") + lvl+=2 + bits = ip_header.pop(0) + reverse = False + if isinstance(bits, int): + if bits < 0: + #print((" " * lvl)+"reverse: yes") + bits = -bits - 1 + reverse = True + #print((" " * lvl)+"family (0): "+("INET6" if bits & 1 else "INET")) + #print((" " * lvl)+"have_src (1): "+("yes" if bits & 1<<1 else "no")) + #print((" " * lvl)+"have_dest(2): "+("yes" if bits & 1<<2 else "no")) + #print((" " * lvl)+"have_port(3): "+("yes" if bits & 1<<3 else "no")) + else: + raise Exception("invalid ip_header.bits, expected int but got: {}".format(type(bits))) + lvl-=2 + + src_addr = None + dest_addr = None + src_port = None + dest_port = None + + if bits & 1<<1: + src_addr = ip_header.pop(0) + if not isinstance(src_addr, bytes): + raise Exception("invalid ip_header.src_addr, expected bytes but got: {}".format(type(src_addr))) + else: + if reverse: + src_addr = last.dest_addr6 if bits & 1 else last.dest_addr4 + if not src_addr: + raise Exception("invalid ip_header.bits, expected to have last dest addr but don't") + else: + src_addr = last.src_addr6 if bits & 1 else last.src_addr4 + if not src_addr: + raise Exception("invalid ip_header.bits, expected to have last src addr but don't") + + if bits & 1<<2: + dest_addr = ip_header.pop(0) + if not isinstance(dest_addr, bytes): + raise Exception("invalid ip_header.dest_addr, expected bytes but got: {}".format(type(dest_addr))) + else: + if reverse: + dest_addr = last.src_addr6 if bits & 1 else last.src_addr4 + if not dest_addr: + raise Exception("invalid ip_header.bits, expected to have last src addr but don't") + else: + dest_addr = last.dest_addr6 if bits & 1 else last.dest_addr4 + if not dest_addr: + raise Exception("invalid ip_header.bits, expected to have last dest addr but 
don't") + + if bits & 1<<3: + ports = ip_header.pop(0) + if not isinstance(ports, int): + raise Exception("invalid ip_header.src_dest_port, expected int but got: {}".format(type(ports))) + if ports > 0xffff: + src_port = ports & 0xffff + dest_port = ports >> 16 + elif ports < 0: + if reverse: + src_port = last.dest_port6 if bits & 1 else last.dest_port4 + if src_port is None: + raise Exception("invalid ip_header.bits, expected to have last dest port but don't") + else: + src_port = last.src_port6 if bits & 1 else last.src_port4 + if src_port is None: + raise Exception("invalid ip_header.bits, expected to have last src port but don't") + dest_port = -ports - 1 + else: + src_port = ports + if reverse: + dest_port = last.src_port6 if bits & 1 else last.src_port4 + if dest_port is None: + raise Exception("invalid ip_header.bits, expected to have last src port but don't") + else: + dest_port = last.dest_port6 if bits & 1 else last.dest_port4 + if dest_port is None: + raise Exception("invalid ip_header.bits, expected to have last dest port but don't") + else: + if reverse: + src_port = last.dest_port6 if bits & 1 else last.dest_port4 + if src_port is None: + raise Exception("invalid ip_header.bits, expected to have last dest port but don't") + else: + src_port = last.src_port6 if bits & 1 else last.src_port4 + if src_port is None: + raise Exception("invalid ip_header.bits, expected to have last src port but don't") + if reverse: + dest_port = last.src_port6 if bits & 1 else last.src_port4 + if dest_port is None: + raise Exception("invalid ip_header.bits, expected to have last src port but don't") + else: + dest_port = last.dest_port6 if bits & 1 else last.dest_port4 + if dest_port is None: + raise Exception("invalid ip_header.bits, expected to have last dest port but don't") + + #print((" " * lvl)+" src addr: " + socket.inet_ntop(socket.AF_INET6 if bits & 1 else socket.AF_INET, src_addr)) + #print((" " * lvl)+"dest addr: " + socket.inet_ntop(socket.AF_INET6 if bits & 1 
else socket.AF_INET, dest_addr)) + #print((" " * lvl)+" src port: {}".format(src_port)) + #print((" " * lvl)+"dest port: {}".format(dest_port)) + + if bits & 1: + last.src_addr6 = src_addr + last.dest_addr6 = dest_addr + last.src_port6 = src_port + last.dest_port6 = dest_port + else: + last.src_addr4 = src_addr + last.dest_addr4 = dest_addr + last.src_port4 = src_port + last.dest_port4 = dest_port + + +def parse_message_bits(bits, lvl): + #print((" " * lvl)+"message_bits:") + lvl+=2 + dns = "no" + if isinstance(bits, int): + # if bits & 1: + # dns = "yes" + # #print((" " * lvl)+"dns (0): "+dns) + # + # if bits & 1<<1: + # proto = "tcp" + # elif dns == "yes": + # proto = "udp" + # else: + # proto = "icmp" + # #print((" " * lvl)+"proto (1): "+proto) + # + # if bits & 1<<2: + # frag = "yes" + # else: + # frag = "no" + # #print((" " * lvl)+"frag (2): "+frag) + # + # if bits & 1<<3: + # malformed = "yes" + # else: + # malformed = "no" + # #print((" " * lvl)+"malformed(3): "+malformed) + pass + + else: + raise Exception("invalid message_bits, expected int but got: {}".format(type(bits))) + + return 1 if dns == "yes" else 0 + +def parse_timestamp(ts, lvl): + #print((" " * lvl)+"timestamp:") + lvl+=2 + + if isinstance(ts, list): + if ts[0] < 0: + if not last.ts: + raise Exception("invalid timestamp.seconds, got diff from last value but have no last value") + if not len(last.ts) == len(ts): + raise Exception("invalid timestamp.seconds, differentialy precision missmatch") + + ts[0] = last.ts[0] + ( -ts[0] - 1 ) + #print((" " * lvl)+"seconds: {}".format(ts[0])) + + if len(ts) > 1: + ts[1] = last.ts[1] + ts[1] + #print((" " * lvl)+"useconds: {}".format(ts[1])) + if len(ts) > 2: + ts[2] = last.ts[2] + ts[2] + #print((" " * lvl)+"nseconds: {}".format(ts[2])) + else: + #print((" " * lvl)+"seconds: {}".format(ts[0])) + if len(ts) > 1: + #print((" " * lvl)+"useconds: {}".format(ts[1])) + pass + if len(ts) > 2: + #print((" " * lvl)+"nseconds: {}".format(ts[2])) + pass + last.ts = ts 
+ + elif isinstance(ts, int): + #print((" " * lvl)+"seconds: {}".format(ts)) + pass + else: + raise Exception("invalid timestamp, expected list|int but got: {}".format(type(ts))) + +def parse(cds): + #print("paket:") + try: + parse_timestamp(cds.pop(0), 2) + is_dns = parse_message_bits(cds.pop(0), 2) + parse_ip_header(cds, 2) + if not is_dns: + raise Exception("not dns? huh?") + parse_dns_message(cds, 2) + except IndexError as idx: + if not str(idx) == "pop from empty list": + raise + #print(" ...") + except: + raise + +def main(): + usage = '%prog [-v] [-h] <cds file...>' + parser = optparse.OptionParser(usage, version='%prog 0.01') + parser.add_option('-v', '--verbose', action='store_true', dest='verbose', + help='turn verbose mode on') + + (options, args) = parser.parse_args() + + if options.verbose == True: + log.setLevel(logging.DEBUG) + log.debug('argv: %s', sys.argv) + log.debug('options: %s', options) + log.debug('args: %s', args) + else: + log.setLevel(logging.WARNING) + + if not args: + parser.print_usage() + exit(1) + + decoder = CBORDecoder() + # if https://github.com/agronholm/cbor2/pull/5 is not merged/released yet + if 0 not in decoder.special_decoders: + decoder.special_decoders[0] = lambda self, fp, shareable_index=None: SimpleValue(0) + decoder.special_decoders[1] = lambda self, fp, shareable_index=None: SimpleValue(1) + decoder.special_decoders[2] = lambda self, fp, shareable_index=None: SimpleValue(2) + decoder.special_decoders[3] = lambda self, fp, shareable_index=None: SimpleValue(3) + decoder.special_decoders[4] = lambda self, fp, shareable_index=None: SimpleValue(4) + decoder.special_decoders[5] = lambda self, fp, shareable_index=None: SimpleValue(5) + decoder.special_decoders[6] = lambda self, fp, shareable_index=None: SimpleValue(6) + decoder.special_decoders[7] = lambda self, fp, shareable_index=None: SimpleValue(7) + decoder.special_decoders[8] = lambda self, fp, shareable_index=None: SimpleValue(8) + decoder.special_decoders[9] = lambda 
self, fp, shareable_index=None: SimpleValue(9) + decoder.special_decoders[10] = lambda self, fp, shareable_index=None: SimpleValue(10) + decoder.special_decoders[11] = lambda self, fp, shareable_index=None: SimpleValue(11) + decoder.special_decoders[12] = lambda self, fp, shareable_index=None: SimpleValue(12) + decoder.special_decoders[13] = lambda self, fp, shareable_index=None: SimpleValue(13) + decoder.special_decoders[14] = lambda self, fp, shareable_index=None: SimpleValue(14) + decoder.special_decoders[15] = lambda self, fp, shareable_index=None: SimpleValue(15) + decoder.special_decoders[16] = lambda self, fp, shareable_index=None: SimpleValue(16) + decoder.special_decoders[17] = lambda self, fp, shareable_index=None: SimpleValue(17) + decoder.special_decoders[18] = lambda self, fp, shareable_index=None: SimpleValue(18) + decoder.special_decoders[19] = lambda self, fp, shareable_index=None: SimpleValue(19) + decoder.special_decoders[24] = decode_simple_value + + version = None + + for f in args: + log.debug('file: %s', f) + with open(f, 'rb') as fp: + obj = None + try: + obj = decoder.decode(fp) + except Exception as e: + if e.__str__().find("index out of range") == -1: + raise + if not isinstance(obj, list): + raise Exception("Invalid element, expected an array but found: {}".format(type(obj))) + + version = obj.pop(0) + if version != "CDSv1": + raise Exception("Invalid version, expected CDSv1 but got: {}".format(version)) + + while len(obj): + opt = obj.pop(0) + if not isinstance(opt, int): + raise Exception("Invalid option, expected int but got: {}".format(type(opt))) + if opt == 0: + MAX_RLABELS = obj.pop(0) + if not isinstance(MAX_RLABELS, int) or MAX_RLABELS < 1: + raise Exception("Invalid option for maximum rlabels, got: {}".format(MAX_RLABELS)) + log.debug("Using maximum rlabels {}".format(MAX_RLABELS)) + elif opt == 1: + MIN_RLABEL_SIZE = obj.pop(0) + if not isinstance(MIN_RLABEL_SIZE, int) or MIN_RLABEL_SIZE < 1: + raise Exception("Invalid option 
for minimum rlabel size, got: {}".format(MIN_RLABEL_SIZE)) + log.debug("Using minimum rlabel size {}".format(MIN_RLABEL_SIZE)) + else: + raise Exception("Unknown option: {}".format(opt)) + + while True: + obj = None + try: + obj = decoder.decode(fp) + except Exception as e: + if e.__str__().find("index out of range") == -1: + raise + if obj is None: + break + if not isinstance(obj, list): + raise Exception("Invalid element, expected an array but found: {}".format(type(obj))) + parse(obj) + + log.debug("unique labels: {} parts: {} rdata: {}".format(len(last.labels), len(last.label_parts), len(last.rdata))) + + n = 0 + e = 0 + for l in last.labels: +# print("{}: {}".format(l, last.labels[l])) + if last.labels[l] > 1: + n += last.label_len[l] * ( last.labels[l] - 1 ) + e += 2 * ( last.labels[l] - 1 ) + log.debug("reduce labels: {} - {}".format(n, e)) + + n = 0 + e = 0 + for l in last.label_parts: +# print("{}: {}".format(l, last.label_parts[l])) + if last.label_parts[l] > 1: + n += last.label_part_len[l] * ( last.label_parts[l] - 1 ) + e += 2 * ( last.label_parts[l] - 1 ) + log.debug("reduce label parts: {} - {}".format(n, e)) + + n = 0 + e = 0 + for l in last.rdata: + if last.rdata[l] > 1: + n += last.rdata_len[l] * ( last.rdata[l] - 1 ) + e += 2 * ( last.rdata[l] - 1 ) +# print("{}: {}".format(l, last.rdata[l])) + log.debug("reduce rdata: {} - {}".format(n, e)) + + last.reset() + +if __name__ == '__main__': + main() @@ -0,0 +1,9 @@ +#!/bin/sh + +clang-format \ + -style=file \ + -i \ + src/*.c \ + src/*.h \ + `find plugins -type f -name '*.c'` \ + `find plugins -type f -name '*.h'` diff --git a/isc/assertions.h b/isc/assertions.h new file mode 100644 index 0000000..68925e7 --- /dev/null +++ b/isc/assertions.h 
@@ -0,0 +1,123 @@ +/* + * Copyright (C) 2004, 2005, 2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1997-2001 Internet Software Consortium. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * $Id: assertions.h,v 1.5 2008/11/14 02:36:51 marka Exp $ + */ + +#ifndef ASSERTIONS_H +#define ASSERTIONS_H 1 + +typedef enum { + assert_require, assert_ensure, assert_insist, assert_invariant +} assertion_type; + +typedef void (*assertion_failure_callback)(const char *, int, assertion_type, + const char *, int); + +/* coverity[+kill] */ +extern assertion_failure_callback __assertion_failed; +void set_assertion_failure_callback(assertion_failure_callback f); +const char *assertion_type_to_text(assertion_type type); + +#if defined(CHECK_ALL) || defined(__COVERITY__) +#define CHECK_REQUIRE 1 +#define CHECK_ENSURE 1 +#define CHECK_INSIST 1 +#define CHECK_INVARIANT 1 +#endif + +#if defined(CHECK_NONE) && !defined(__COVERITY__) +#define CHECK_REQUIRE 0 +#define CHECK_ENSURE 0 +#define CHECK_INSIST 0 +#define CHECK_INVARIANT 0 +#endif + +#ifndef CHECK_REQUIRE +#define CHECK_REQUIRE 1 +#endif + +#ifndef CHECK_ENSURE +#define CHECK_ENSURE 1 +#endif + +#ifndef CHECK_INSIST +#define CHECK_INSIST 1 +#endif + +#ifndef CHECK_INVARIANT +#define CHECK_INVARIANT 1 +#endif + +#if CHECK_REQUIRE != 0 
+#define REQUIRE(cond) \ + ((void) ((cond) || \ + ((__assertion_failed)(__FILE__, __LINE__, assert_require, \ + #cond, 0), 0))) +#define REQUIRE_ERR(cond) \ + ((void) ((cond) || \ + ((__assertion_failed)(__FILE__, __LINE__, assert_require, \ + #cond, 1), 0))) +#else +#define REQUIRE(cond) ((void) (cond)) +#define REQUIRE_ERR(cond) ((void) (cond)) +#endif /* CHECK_REQUIRE */ + +#if CHECK_ENSURE != 0 +#define ENSURE(cond) \ + ((void) ((cond) || \ + ((__assertion_failed)(__FILE__, __LINE__, assert_ensure, \ + #cond, 0), 0))) +#define ENSURE_ERR(cond) \ + ((void) ((cond) || \ + ((__assertion_failed)(__FILE__, __LINE__, assert_ensure, \ + #cond, 1), 0))) +#else +#define ENSURE(cond) ((void) (cond)) +#define ENSURE_ERR(cond) ((void) (cond)) +#endif /* CHECK_ENSURE */ + +#if CHECK_INSIST != 0 +#define INSIST(cond) \ + ((void) ((cond) || \ + ((__assertion_failed)(__FILE__, __LINE__, assert_insist, \ + #cond, 0), 0))) +#define INSIST_ERR(cond) \ + ((void) ((cond) || \ + ((__assertion_failed)(__FILE__, __LINE__, assert_insist, \ + #cond, 1), 0))) +#else +#define INSIST(cond) ((void) (cond)) +#define INSIST_ERR(cond) ((void) (cond)) +#endif /* CHECK_INSIST */ + +#if CHECK_INVARIANT != 0 +#define INVARIANT(cond) \ + ((void) ((cond) || \ + ((__assertion_failed)(__FILE__, __LINE__, assert_invariant, \ + #cond, 0), 0))) +#define INVARIANT_ERR(cond) \ + ((void) ((cond) || \ + ((__assertion_failed)(__FILE__, __LINE__, assert_invariant, \ + #cond, 1), 0))) +#else +#define INVARIANT(cond) ((void) (cond)) +#define INVARIANT_ERR(cond) ((void) (cond)) +#endif /* CHECK_INVARIANT */ +#endif /* ASSERTIONS_H */ +/*! \file */ diff --git a/isc/list.h b/isc/list.h new file mode 100644 index 0000000..c5ac35f --- /dev/null +++ b/isc/list.h 
@@ -0,0 +1,117 @@ +/* + * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC") + * Copyright (c) 1997,1999 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT + * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef LIST_H +#define LIST_H 1 + +#define LIST(type) struct { type *head, *tail; } +#define INIT_LIST(list) \ + do { (list).head = NULL; (list).tail = NULL; } while (0) + +#define LINK(type) struct { type *prev, *next; } +#define INIT_LINK_TYPE(elt, link, type) \ + do { \ + (elt)->link.prev = (type *)(-1); \ + (elt)->link.next = (type *)(-1); \ + } while (0) +#define INIT_LINK(elt, link) \ + INIT_LINK_TYPE(elt, link, void) +#define LINKED(elt, link) ((void *)((elt)->link.prev) != (void *)(-1) && \ + (void *)((elt)->link.next) != (void *)(-1)) + +#define HEAD(list) ((list).head) +#define TAIL(list) ((list).tail) +#define EMPTY(list) ((list).head == NULL) + +#define PREPEND(list, elt, link) \ + do { \ + INSIST(!LINKED(elt, link));\ + if ((list).head != NULL) \ + (list).head->link.prev = (elt); \ + else \ + (list).tail = (elt); \ + (elt)->link.prev = NULL; \ + (elt)->link.next = (list).head; \ + (list).head = (elt); \ + } while (0) + +#define APPEND(list, elt, link) \ + do { \ + INSIST(!LINKED(elt, link));\ + if ((list).tail != NULL) \ + (list).tail->link.next = (elt); \ + else \ + (list).head = 
(elt); \ + (elt)->link.prev = (list).tail; \ + (elt)->link.next = NULL; \ + (list).tail = (elt); \ + } while (0) + +#define UNLINK_TYPE(list, elt, link, type) \ + do { \ + INSIST(LINKED(elt, link));\ + if ((elt)->link.next != NULL) \ + (elt)->link.next->link.prev = (elt)->link.prev; \ + else { \ + INSIST((list).tail == (elt)); \ + (list).tail = (elt)->link.prev; \ + } \ + if ((elt)->link.prev != NULL) \ + (elt)->link.prev->link.next = (elt)->link.next; \ + else { \ + INSIST((list).head == (elt)); \ + (list).head = (elt)->link.next; \ + } \ + INIT_LINK_TYPE(elt, link, type); \ + } while (0) +#define UNLINK(list, elt, link) \ + UNLINK_TYPE(list, elt, link, void) + +#define PREV(elt, link) ((elt)->link.prev) +#define NEXT(elt, link) ((elt)->link.next) + +#define INSERT_BEFORE(list, before, elt, link) \ + do { \ + INSIST(!LINKED(elt, link));\ + if ((before)->link.prev == NULL) \ + PREPEND(list, elt, link); \ + else { \ + (elt)->link.prev = (before)->link.prev; \ + (before)->link.prev = (elt); \ + (elt)->link.prev->link.next = (elt); \ + (elt)->link.next = (before); \ + } \ + } while (0) + +#define INSERT_AFTER(list, after, elt, link) \ + do { \ + INSIST(!LINKED(elt, link));\ + if ((after)->link.next == NULL) \ + APPEND(list, elt, link); \ + else { \ + (elt)->link.next = (after)->link.next; \ + (after)->link.next = (elt); \ + (elt)->link.next->link.prev = (elt); \ + (elt)->link.prev = (after); \ + } \ + } while (0) + +#define ENQUEUE(list, elt, link) APPEND(list, elt, link) +#define DEQUEUE(list, elt, link) UNLINK(list, elt, link) + +#endif /* LIST_H */ +/*! \file */ diff --git a/m4/.placeholder b/m4/.placeholder new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/m4/.placeholder diff --git a/m4/ax_append_flag.m4 b/m4/ax_append_flag.m4 new file mode 100644 index 0000000..dd6d8b6 --- /dev/null +++ b/m4/ax_append_flag.m4 
@@ -0,0 +1,50 @@
+# ===========================================================================
+# https://www.gnu.org/software/autoconf-archive/ax_append_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_APPEND_FLAG(FLAG, [FLAGS-VARIABLE])
+#
+# DESCRIPTION
+#
+# FLAG is appended to the FLAGS-VARIABLE shell variable, with a space
+# added in between.
+#
+# If FLAGS-VARIABLE is not specified, the current language's flags (e.g.
+# CFLAGS) is used. FLAGS-VARIABLE is not changed if it already contains
+# FLAG. If FLAGS-VARIABLE is unset in the shell, it is set to exactly
+# FLAG.
+#
+# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION.
+#
+# LICENSE
+#
+# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided the copyright notice
+# and this notice are preserved. This file is offered as-is, without any
+# warranty.
+
+#serial 8
+
+AC_DEFUN([AX_APPEND_FLAG],
+[dnl
+AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_SET_IF
+AS_VAR_PUSHDEF([FLAGS], [m4_default($2,_AC_LANG_PREFIX[FLAGS])])
+AS_VAR_SET_IF(FLAGS,[
+ AS_CASE([" AS_VAR_GET(FLAGS) "],
+ [*" $1 "*], [AC_RUN_LOG([: FLAGS already contains $1])],
+ [
+ AS_VAR_APPEND(FLAGS,[" $1"])
+ AC_RUN_LOG([: FLAGS="$FLAGS"])
+ ])
+ ],
+ [
+ AS_VAR_SET(FLAGS,[$1])
+ AC_RUN_LOG([: FLAGS="$FLAGS"])
+ ])
+AS_VAR_POPDEF([FLAGS])dnl
+])dnl AX_APPEND_FLAG
diff --git a/m4/ax_cflags_warn_all.m4 b/m4/ax_cflags_warn_all.m4
new file mode 100644
index 0000000..094577e
--- /dev/null
+++ b/m4/ax_cflags_warn_all.m4
@@ -0,0 +1,122 @@ +# =========================================================================== +# https://www.gnu.org/software/autoconf-archive/ax_cflags_warn_all.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_CFLAGS_WARN_ALL [(shellvar [,default, [A/NA]])] +# AX_CXXFLAGS_WARN_ALL [(shellvar [,default, [A/NA]])] +# AX_FCFLAGS_WARN_ALL [(shellvar [,default, [A/NA]])] +# +# DESCRIPTION +# +# Try to find a compiler option that enables most reasonable warnings. +# +# For the GNU compiler it will be -Wall (and -ansi -pedantic) The result +# is added to the shellvar being CFLAGS, CXXFLAGS, or FCFLAGS by default. +# +# Currently this macro knows about the GCC, Solaris, Digital Unix, AIX, +# HP-UX, IRIX, NEC SX-5 (Super-UX 10), Cray J90 (Unicos 10.0.0.8), and +# Intel compilers. For a given compiler, the Fortran flags are much more +# experimental than their C equivalents. +# +# - $1 shell-variable-to-add-to : CFLAGS, CXXFLAGS, or FCFLAGS +# - $2 add-value-if-not-found : nothing +# - $3 action-if-found : add value to shellvariable +# - $4 action-if-not-found : nothing +# +# NOTE: These macros depend on AX_APPEND_FLAG. +# +# LICENSE +# +# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de> +# Copyright (c) 2010 Rhys Ulerich <rhys.ulerich@gmail.com> +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 3 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program. If not, see <https://www.gnu.org/licenses/>. 
+# +# As a special exception, the respective Autoconf Macro's copyright owner +# gives unlimited permission to copy, distribute and modify the configure +# scripts that are the output of Autoconf when processing the Macro. You +# need not follow the terms of the GNU General Public License when using +# or distributing such scripts, even though portions of the text of the +# Macro appear in them. The GNU General Public License (GPL) does govern +# all other use of the material that constitutes the Autoconf Macro. +# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. + +#serial 16 + +AC_DEFUN([AX_FLAGS_WARN_ALL],[dnl +AS_VAR_PUSHDEF([FLAGS],[_AC_LANG_PREFIX[]FLAGS])dnl +AS_VAR_PUSHDEF([VAR],[ac_cv_[]_AC_LANG_ABBREV[]flags_warn_all])dnl +AC_CACHE_CHECK([m4_ifval($1,$1,FLAGS) for maximum warnings], +VAR,[VAR="no, unknown" +ac_save_[]FLAGS="$[]FLAGS" +for ac_arg dnl +in "-warn all % -warn all" dnl Intel + "-pedantic % -Wall" dnl GCC + "-xstrconst % -v" dnl Solaris C + "-std1 % -verbose -w0 -warnprotos" dnl Digital Unix + "-qlanglvl=ansi % -qsrcmsg -qinfo=all:noppt:noppc:noobs:nocnd" dnl AIX + "-ansi -ansiE % -fullwarn" dnl IRIX + "+ESlit % +w1" dnl HP-UX C + "-Xc % -pvctl[,]fullmsg" dnl NEC SX-5 (Super-UX 10) + "-h conform % -h msglevel 2" dnl Cray C (Unicos) + # +do FLAGS="$ac_save_[]FLAGS "`echo $ac_arg | sed -e 's,%%.*,,' -e 's,%,,'` + AC_COMPILE_IFELSE([AC_LANG_PROGRAM], + [VAR=`echo $ac_arg | sed -e 's,.*% *,,'` ; break]) +done +FLAGS="$ac_save_[]FLAGS" +]) +AS_VAR_POPDEF([FLAGS])dnl +AX_REQUIRE_DEFINED([AX_APPEND_FLAG]) +case ".$VAR" in + .ok|.ok,*) m4_ifvaln($3,$3) ;; + .|.no|.no,*) m4_default($4,[m4_ifval($2,[AX_APPEND_FLAG([$2], [$1])])]) ;; + *) m4_default($3,[AX_APPEND_FLAG([$VAR], [$1])]) ;; +esac +AS_VAR_POPDEF([VAR])dnl +])dnl 
AX_FLAGS_WARN_ALL +dnl implementation tactics: +dnl the for-argument contains a list of options. The first part of +dnl these does only exist to detect the compiler - usually it is +dnl a global option to enable -ansi or -extrawarnings. All other +dnl compilers will fail about it. That was needed since a lot of +dnl compilers will give false positives for some option-syntax +dnl like -Woption or -Xoption as they think of it is a pass-through +dnl to later compile stages or something. The "%" is used as a +dnl delimiter. A non-option comment can be given after "%%" marks +dnl which will be shown but not added to the respective C/CXXFLAGS. + +AC_DEFUN([AX_CFLAGS_WARN_ALL],[dnl +AC_LANG_PUSH([C]) +AX_FLAGS_WARN_ALL([$1], [$2], [$3], [$4]) +AC_LANG_POP([C]) +]) + +AC_DEFUN([AX_CXXFLAGS_WARN_ALL],[dnl +AC_LANG_PUSH([C++]) +AX_FLAGS_WARN_ALL([$1], [$2], [$3], [$4]) +AC_LANG_POP([C++]) +]) + +AC_DEFUN([AX_FCFLAGS_WARN_ALL],[dnl +AC_LANG_PUSH([Fortran]) +AX_FLAGS_WARN_ALL([$1], [$2], [$3], [$4]) +AC_LANG_POP([Fortran]) +]) diff --git a/m4/ax_require_defined.m4 b/m4/ax_require_defined.m4 new file mode 100644 index 0000000..17c3eab --- /dev/null +++ b/m4/ax_require_defined.m4 
@@ -0,0 +1,37 @@
+# ===========================================================================
+# https://www.gnu.org/software/autoconf-archive/ax_require_defined.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+# AX_REQUIRE_DEFINED(MACRO)
+#
+# DESCRIPTION
+#
+# AX_REQUIRE_DEFINED is a simple helper for making sure other macros have
+# been defined and thus are available for use. This avoids random issues
+# where a macro isn't expanded. Instead the configure script emits a
+# non-fatal:
+#
+# ./configure: line 1673: AX_CFLAGS_WARN_ALL: command not found
+#
+# It's like AC_REQUIRE except it doesn't expand the required macro.
+#
+# Here's an example:
+#
+# AX_REQUIRE_DEFINED([AX_CHECK_LINK_FLAG])
+#
+# LICENSE
+#
+# Copyright (c) 2014 Mike Frysinger <vapier@gentoo.org>
+#
+# Copying and distribution of this file, with or without modification, are
+# permitted in any medium without royalty provided the copyright notice
+# and this notice are preserved. This file is offered as-is, without any
+# warranty.
+
+#serial 2
+
+AC_DEFUN([AX_REQUIRE_DEFINED], [dnl
+ m4_ifndef([$1], [m4_fatal([macro ]$1[ is not defined; is a m4 file missing?])])
+])dnl AX_REQUIRE_DEFINED
diff --git a/m4/dl.sh b/m4/dl.sh
new file mode 100755
index 0000000..6f12c04
--- /dev/null
+++ b/m4/dl.sh
@@ -0,0 +1,8 @@
+#!/bin/sh -e
+
+m4_files="ax_append_flag.m4 ax_cflags_warn_all.m4 ax_require_defined.m4"
+
+for ax in $m4_files; do
+ rm -f "$ax"
+ wget -O "$ax" "http://git.savannah.gnu.org/gitweb/?p=autoconf-archive.git;a=blob_plain;f=m4/$ax"
+done
diff --git a/plugins/Makefile.am b/plugins/Makefile.am
new file mode 100644
index 0000000..7a6880c
--- /dev/null
+++ b/plugins/Makefile.am
@@ -0,0 +1,6 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+
+SUBDIRS = pcapdump rssm txtout rzkeychange royparse anonmask ipcrypt \
+ anonaes128 cryptopan cryptopant eventlog
+
+EXTRA_DIST = template
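Review bot: The `wget` line in m4/dl.sh fetches the three macro files over plain `http://` from the current head of autoconf-archive and writes them straight over the in-tree copies with no integrity check, so whatever the network path returns becomes part of the generated configure script. Use the `https://` form of the same URL and pin a fixed revision instead of the branch head (gitweb takes the revision as an `hb=<commit>` parameter, where `<commit>` is a placeholder for the hash you have reviewed), or compare each download against a checksum kept in the repository before it replaces the old file. Because `rm -f "$ax"` runs before the download, a failed fetch also leaves the tree with a missing or empty macro; downloading to a temporary name and moving it into place only on success avoids that.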
diff --git a/plugins/anonaes128/Makefile.am b/plugins/anonaes128/Makefile.am
new file mode 100644
index 0000000..2e9df57
--- /dev/null
+++ b/plugins/anonaes128/Makefile.am
@@ -0,0 +1,24 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+ -I$(top_srcdir)/src \
+ -I$(top_srcdir)/isc \
+ $(SECCOMPFLAGS) $(libcrypto_CFLAGS)
+
+pkglib_LTLIBRARIES = anonaes128.la
+anonaes128_la_SOURCES = anonaes128.c
+anonaes128_la_LDFLAGS = -module -avoid-version $(libcrypto_LIBS)
+
+TESTS = test1.sh test2.sh test3.sh test4.sh
+
+EXTRA_DIST = $(TESTS) test1.gold test2.gold test3.gold
+CLEANFILES += test1.out test2.out test3.out test3.pcap.20181127.155200.414188 \
+ test4.tmp
+
+if ENABLE_GCOV
+gcov-local:
+ for src in $(anonaes128_la_SOURCES); do \
+ gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+ done
+endif
diff --git a/plugins/anonaes128/anonaes128.c b/plugins/anonaes128/anonaes128.c
new file mode 100644
index 0000000..340bb71
--- /dev/null
+++ b/plugins/anonaes128/anonaes128.c
@@ -0,0 +1,344 @@ +/* + * Copyright (c) 2018-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" + +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <string.h> +#include <sys/socket.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> + +#include "dnscap_common.h" + +#if defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_CONF_H) && defined(HAVE_OPENSSL_ERR_H) && defined(HAVE_OPENSSL_EVP_H) +#include <openssl/conf.h> +#include <openssl/evp.h> +#include <openssl/err.h> +#define USE_OPENSSL 1 +#endif + +static set_iaddr_t anonaes128_set_iaddr = 0; + +static logerr_t* logerr; +static int only_clients = 0, only_servers = 0, dns_port = 53, encrypt_v4 = 0, decrypt = 0; +static unsigned char key[16]; +static unsigned char iv[16]; +#ifdef USE_OPENSSL +static EVP_CIPHER_CTX* ctx = 0; +#endif + +enum plugin_type anonaes128_type() +{ + return plugin_filter; +} + +void usage(const char* msg) +{ + fprintf(stderr, "anonaes128.so usage error: %s\n", msg); + exit(1); +} + +void anonaes128_usage() +{ + fprintf(stderr, + "\nanonaes128.so options:\n" + "\t-? 
print these instructions and exit\n" + "\t-k <key> A 16 character long key\n" + "\t-K <file> Read the 16 first bytes from file and use as key\n" + "\t-i <key> A 16 character long Initialisation Vector (IV)\n" + "\t-I <file> Read the 16 first bytes from file and use as IV\n" + "\t-D Decrypt IPv6 addresses\n" + "\t-c Only en/de-crypt clients (port != 53)\n" + "\t-s Only en/de-crypt servers (port == 53)\n" + "\t-p <port> Set port for -c/-s, default 53\n" + "\t-4 Encrypt IPv4 addresses, not default or recommended\n"); +} + +void anonaes128_extension(int ext, void* arg) +{ + switch (ext) { + case DNSCAP_EXT_SET_IADDR: + anonaes128_set_iaddr = (set_iaddr_t)arg; + break; + } +} + +void anonaes128_getopt(int* argc, char** argv[]) +{ + int c, got_key = 0, got_iv = 0; + unsigned long ul; + char* p; + + while ((c = getopt(*argc, *argv, "?k:K:i:I:Dcsp:4")) != EOF) { + switch (c) { + case 'k': + if (strlen(optarg) != 16) { + usage("key must be 16 characters long"); + } + memcpy(key, optarg, 16); + got_key = 1; + break; + case 'K': { + int fd; + ssize_t r; + if ((fd = open(optarg, O_RDONLY)) < 0) { + perror("open()"); + usage("unable to open key file"); + } + if ((r = read(fd, key, 16)) < 0) { + perror("read()"); + usage("unable to read from key file"); + } + if (r != 16) { + usage("unable to read 16 bytes from key file"); + } + close(fd); + got_key = 1; + break; + } + case 'i': + if (strlen(optarg) != 16) { + usage("IV must be 16 characters long"); + } + memcpy(iv, optarg, 16); + got_iv = 1; + break; + case 'I': { + int fd; + ssize_t r; + if ((fd = open(optarg, O_RDONLY)) < 0) { + perror("open()"); + usage("unable to open IV file"); + } + if ((r = read(fd, iv, 16)) < 0) { + perror("read()"); + usage("unable to read from IV file"); + } + if (r != 16) { + usage("unable to read 16 bytes from IV file"); + } + close(fd); + got_iv = 1; + break; + } + case 'D': + decrypt = 1; + break; + case 'c': + only_clients = 1; + break; + case 's': + only_servers = 1; + break; + case 'p': + ul = 
strtoul(optarg, &p, 0); + if (*p != '\0' || ul < 1U || ul > 65535U) + usage("port must be an integer 1..65535"); + dns_port = (unsigned)ul; + break; + case '4': + encrypt_v4 = 1; + break; + case '?': + anonaes128_usage(); + if (!optopt || optopt == '?') { + exit(0); + } + // fallthrough + default: + exit(1); + } + } + + if (!got_key || !got_iv) { + usage("must have key (-k/-K) and IV (-i/-I)"); + } + if (decrypt && encrypt_v4) { + usage("decryption (-D) can not be done for IPv4 addresses (-4)"); + } + +#ifdef USE_OPENSSL + if (!(ctx = EVP_CIPHER_CTX_new())) { + usage("unable to create openssl cipher context"); + } + if (!EVP_CipherInit_ex(ctx, EVP_aes_128_ecb(), NULL, key, iv, decrypt ? 0 : 1)) { + unsigned long e = ERR_get_error(); + fprintf(stderr, "%s:%s:%s", ERR_lib_error_string(e), ERR_func_error_string(e), ERR_reason_error_string(e)); + usage("unable to initialize AES128 cipher"); + } + EVP_CIPHER_CTX_set_padding(ctx, 0); +#else + usage("no openssl support built in, can't encrypt IP addresses"); +#endif + + if (only_clients && only_servers) { + usage("-c and -s options are mutually exclusive"); + } +} + +int anonaes128_start(logerr_t* a_logerr) +{ + logerr = a_logerr; + return 0; +} + +void anonaes128_stop() +{ +#ifdef USE_OPENSSL + EVP_CIPHER_CTX_free(ctx); + ctx = 0; +#endif +} + +int anonaes128_open(my_bpftimeval ts) +{ + return 0; +} + +int anonaes128_close(my_bpftimeval ts) +{ + return 0; +} + +int anonaes128_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags, + unsigned sport, unsigned dport, my_bpftimeval ts, + const u_char* pkt_copy, const unsigned olen, + const u_char* payload, const unsigned payloadlen) +{ +#ifdef USE_OPENSSL + unsigned char outbuf[16 + EVP_MAX_BLOCK_LENGTH]; + int outlen = 0; + + for (;;) { + if (only_clients && sport == dns_port) { + from = 0; + break; + } + if (only_servers && sport != dns_port) { + from = 0; + break; + } + + switch (from->af) { + case AF_INET6: + if (!EVP_CipherUpdate(ctx, outbuf, 
&outlen, (unsigned char*)&from->u.a6, 16)) { + logerr("anonaes128.so: error en/de-crypting IP address: %s", ERR_reason_error_string(ERR_get_error())); + exit(1); + } + if (outlen != 16) { + logerr("anonaes128.so: error en/de-crypted output is not 16 bytes"); + exit(1); + } + memcpy(&from->u.a6, outbuf, 16); + break; + case AF_INET: + if (encrypt_v4) { + memcpy(((uint8_t*)&from->u.a6) + 4, &from->u.a4, 4); + memcpy(((uint8_t*)&from->u.a6) + 8, &from->u.a4, 4); + memcpy(((uint8_t*)&from->u.a6) + 12, &from->u.a4, 4); + + if (!EVP_CipherUpdate(ctx, outbuf, &outlen, (unsigned char*)&from->u.a6, 16)) { + logerr("anonaes128.so: error en/de-crypting IP address: %s", ERR_reason_error_string(ERR_get_error())); + exit(1); + } + if (outlen != 16) { + logerr("anonaes128.so: error en/de-crypted output is not 16 bytes"); + exit(1); + } + memcpy(&from->u.a4, outbuf, 4); + break; + } + default: + from = 0; + break; + } + break; + } + + for (;;) { + if (only_clients && dport == dns_port) { + to = 0; + break; + } + if (only_servers && dport != dns_port) { + to = 0; + break; + } + + switch (to->af) { + case AF_INET6: + if (!EVP_CipherUpdate(ctx, outbuf, &outlen, (unsigned char*)&to->u.a6, 16)) { + logerr("anonaes128.so: error en/de-crypting IP address: %s", ERR_reason_error_string(ERR_get_error())); + exit(1); + } + if (outlen != 16) { + logerr("anonaes128.so: error en/de-crypted output is not 16 bytes"); + exit(1); + } + memcpy(&to->u.a6, outbuf, 16); + break; + case AF_INET: + if (encrypt_v4) { + memcpy(((uint8_t*)&to->u.a6) + 4, &to->u.a4, 4); + memcpy(((uint8_t*)&to->u.a6) + 8, &to->u.a4, 4); + memcpy(((uint8_t*)&to->u.a6) + 12, &to->u.a4, 4); + + if (!EVP_CipherUpdate(ctx, outbuf, &outlen, (unsigned char*)&to->u.a6, 16)) { + logerr("anonaes128.so: error en/de-crypting IP address: %s", ERR_reason_error_string(ERR_get_error())); + exit(1); + } + if (outlen != 16) { + logerr("anonaes128.so: error en/de-crypted output is not 16 bytes"); + exit(1); + } + memcpy(&to->u.a4, outbuf, 4); 
+ break; + } + default: + to = 0; + break; + } + break; + } + + if (anonaes128_set_iaddr && (from || to)) { + anonaes128_set_iaddr(from, to); + } +#endif + return 0; +} diff --git a/plugins/anonaes128/test1.gold b/plugins/anonaes128/test1.gold new file mode 100644 index 0000000..8bd4844 --- /dev/null +++ b/plugins/anonaes128/test1.gold 
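Review bot: `EVP_CipherInit_ex(ctx, EVP_aes_128_ecb(), NULL, key, iv, decrypt ? 0 : 1)` in anonaes128_getopt() selects ECB, a mode that takes no IV, so the value that `-i`/`-I` makes mandatory should have no effect on the output and the address mapping depends on the key alone. An operator who changes only the IV between captures would get the same pseudonyms in both and could wrongly assume the datasets cannot be linked. Either state this where the cipher is set up, for example `/* ECB has no IV: iv is ignored, the mapping is fixed per key */`, and in the `-i`/`-I` help text, or derive the AES key from both inputs so the option does something. Separately, `-k` and `-i` take the secret from argv, where other local users can usually read it from the process list; the usage text could recommend `-K`/`-I` with a file readable only by the capturing user.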
@@ -0,0 +1,2146 @@ +anonaes128.so usage error: must have key (-k/-K) and IV (-i/-I) +anonaes128.so usage error: must have key (-k/-K) and IV (-i/-I) +anonaes128.so usage error: must have key (-k/-K) and IV (-i/-I) +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [207.109.225.214].53199 [38.134.79.111].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \ + [207.109.225.214].57822 [38.134.79.111].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \ + [207.109.225.214].40043 [38.134.79.111].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \ + [207.109.225.214].37953 [38.134.79.111].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \ + [207.109.225.214].48658 [38.134.79.111].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \ + [207.109.225.214].40953 [38.134.79.111].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \ + [207.109.225.214].45174 [38.134.79.111].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \ + [207.109.225.214].33916 [38.134.79.111].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \ + [207.109.225.214].43559 [38.134.79.111].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \ + [207.109.225.214].54859 [38.134.79.111].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \ + [207.109.225.214].58176 [38.134.79.111].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \ + [207.109.225.214].41266 [38.134.79.111].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \ + [207.109.225.214].34607 [38.134.79.111].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \ + [207.109.225.214].60437 [38.134.79.111].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \ + [207.109.225.214].37149 [38.134.79.111].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \ + [207.109.225.214].53820 [38.134.79.111].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \ + [207.109.225.214].52368 [38.134.79.111].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \ + [207.109.225.214].47637 [38.134.79.111].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \ + [207.109.225.214].34426 [38.134.79.111].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \ + [207.109.225.214].41059 [38.134.79.111].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \ + [207.109.225.214].51181 [38.134.79.111].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \ + [207.109.225.214].32976 [38.134.79.111].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \ + [207.109.225.214].53467 [38.134.79.111].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \ + [207.109.225.214].41532 [38.134.79.111].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \ + [207.109.225.214].44982 [38.134.79.111].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \ + [207.109.225.214].40224 [38.134.79.111].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \ + [207.109.225.214].45658 [38.134.79.111].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \ + [207.109.225.214].60457 [38.134.79.111].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \ + [207.109.225.214].59762 [38.134.79.111].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \ + [207.109.225.214].56022 [38.134.79.111].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \ + [207.109.225.214].37669 [38.134.79.111].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \ + [207.109.225.214].42978 [38.134.79.111].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \ + [207.109.225.214].49829 [38.134.79.111].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \ + [207.109.225.214].50599 [38.134.79.111].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \ + [207.109.225.214].44980 [38.134.79.111].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \ + [207.109.225.214].60063 [38.134.79.111].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \ + [207.109.225.214].42042 [38.134.79.111].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \ + [207.109.225.214].60469 [38.134.79.111].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \ + [207.109.225.214].45703 [38.134.79.111].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \ + [207.109.225.214].33507 [38.134.79.111].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \ + [207.109.225.214].46798 [38.134.79.111].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \ + [38.134.79.111].53 [207.109.225.214].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [207.109.225.214].53199 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \ + [207.109.225.214].57822 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \ + [207.109.225.214].40043 [8.8.8.8].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \ + [207.109.225.214].37953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \ + [207.109.225.214].48658 [8.8.8.8].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \ + [207.109.225.214].40953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \ + [207.109.225.214].45174 [8.8.8.8].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \ + [207.109.225.214].33916 [8.8.8.8].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \ + [207.109.225.214].43559 [8.8.8.8].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \ + [207.109.225.214].54859 [8.8.8.8].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \ + [207.109.225.214].58176 [8.8.8.8].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \ + [207.109.225.214].41266 [8.8.8.8].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \ + [207.109.225.214].34607 [8.8.8.8].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \ + [207.109.225.214].60437 [8.8.8.8].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \ + [207.109.225.214].37149 [8.8.8.8].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \ + [207.109.225.214].53820 [8.8.8.8].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \ + [207.109.225.214].52368 [8.8.8.8].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \ + [207.109.225.214].47637 [8.8.8.8].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \ + [207.109.225.214].34426 [8.8.8.8].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \ + [207.109.225.214].41059 [8.8.8.8].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \ + [207.109.225.214].51181 [8.8.8.8].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \ + [207.109.225.214].32976 [8.8.8.8].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \ + [207.109.225.214].53467 [8.8.8.8].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \ + [207.109.225.214].41532 [8.8.8.8].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \ + [207.109.225.214].44982 [8.8.8.8].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \ + [207.109.225.214].40224 [8.8.8.8].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \ + [207.109.225.214].45658 [8.8.8.8].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \ + [207.109.225.214].60457 [8.8.8.8].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \ + [207.109.225.214].59762 [8.8.8.8].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \ + [207.109.225.214].56022 [8.8.8.8].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \ + [207.109.225.214].37669 [8.8.8.8].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \ + [207.109.225.214].42978 [8.8.8.8].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \ + [207.109.225.214].49829 [8.8.8.8].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \ + [207.109.225.214].50599 [8.8.8.8].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \ + [207.109.225.214].44980 [8.8.8.8].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \ + [207.109.225.214].60063 [8.8.8.8].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \ + [207.109.225.214].42042 [8.8.8.8].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \ + [207.109.225.214].60469 [8.8.8.8].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \ + [207.109.225.214].45703 [8.8.8.8].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \ + [207.109.225.214].33507 [8.8.8.8].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \ + [207.109.225.214].46798 [8.8.8.8].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \ + [8.8.8.8].53 [207.109.225.214].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [172.17.0.10].53199 [38.134.79.111].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \ + [172.17.0.10].57822 [38.134.79.111].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \ + [172.17.0.10].40043 [38.134.79.111].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \ + [172.17.0.10].37953 [38.134.79.111].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \ + [172.17.0.10].48658 [38.134.79.111].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \ + [172.17.0.10].40953 [38.134.79.111].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \ + [172.17.0.10].45174 [38.134.79.111].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \ + [172.17.0.10].33916 [38.134.79.111].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \ + [172.17.0.10].43559 [38.134.79.111].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \ + [172.17.0.10].54859 [38.134.79.111].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \ + [172.17.0.10].58176 [38.134.79.111].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \ + [172.17.0.10].41266 [38.134.79.111].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \ + [172.17.0.10].34607 [38.134.79.111].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \ + [172.17.0.10].60437 [38.134.79.111].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \ + [172.17.0.10].37149 [38.134.79.111].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \ + [172.17.0.10].53820 [38.134.79.111].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \ + [172.17.0.10].52368 [38.134.79.111].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \ + [172.17.0.10].47637 [38.134.79.111].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \ + [172.17.0.10].34426 [38.134.79.111].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \ + [172.17.0.10].41059 [38.134.79.111].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \ + [172.17.0.10].51181 [38.134.79.111].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \ + [172.17.0.10].32976 [38.134.79.111].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \ + [172.17.0.10].53467 [38.134.79.111].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \ + [172.17.0.10].41532 [38.134.79.111].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \ + [172.17.0.10].44982 [38.134.79.111].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \ + [172.17.0.10].40224 [38.134.79.111].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \ + [172.17.0.10].45658 [38.134.79.111].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \ + [172.17.0.10].60457 [38.134.79.111].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \ + [172.17.0.10].59762 [38.134.79.111].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \ + [172.17.0.10].56022 [38.134.79.111].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \ + [172.17.0.10].37669 [38.134.79.111].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \ + [172.17.0.10].42978 [38.134.79.111].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \ + [172.17.0.10].49829 [38.134.79.111].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \ + [172.17.0.10].50599 [38.134.79.111].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \ + [172.17.0.10].44980 [38.134.79.111].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \ + [172.17.0.10].60063 [38.134.79.111].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \ + [172.17.0.10].42042 [38.134.79.111].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \ + [172.17.0.10].60469 [38.134.79.111].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \ + [172.17.0.10].45703 [38.134.79.111].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \ + [172.17.0.10].33507 [38.134.79.111].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \ + [172.17.0.10].46798 [38.134.79.111].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \ + [38.134.79.111].53 [172.17.0.10].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +anonaes128.so usage error: -c and -s options are mutually exclusive diff --git a/plugins/anonaes128/test1.sh b/plugins/anonaes128/test1.sh new file mode 100755 index 0000000..296bcd5 --- /dev/null +++ b/plugins/anonaes128/test1.sh 
@@ -0,0 +1,26 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonaes128.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the anonaes128 plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -i "some 16-byte key" 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 -k "some 16-byte key" -i "some 16-byte key" 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 -k "some 16-byte key" -i "some 16-byte key" -c 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 -k "some 16-byte key" -i "some 16-byte key" -s 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 -k "some 16-byte key" -i "some 16-byte key" -c -s 2>>test1.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+ mv test1.out test1.out.old
+ grep -v "^dnscap.*WARNING.*symbol.*relink" test1.out.old > test1.out
+ rm test1.out.old
+fi
+
+diff test1.out "$srcdir/test1.gold"
diff --git a/plugins/anonaes128/test2.gold b/plugins/anonaes128/test2.gold
new file mode 100644
index 0000000..29b4a52
--- /dev/null
+++ b/plugins/anonaes128/test2.gold
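Review bot: The `! ../../src/dnscap …` lines do not assert anything under `#!/bin/sh -xe`, because POSIX exempts a pipeline that starts with `!` from errexit, so the script continues whether dnscap failed or not. In this file the closing `diff` against test1.gold should still notice a missing error message, but plugins/anonaes128/test4.sh has no diff, so only its last line decides the result and the expected rejections of `-k tooshort`, a missing key file and an empty key file go unchecked. An explicit form makes each expectation binding: `if ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k tooshort; then exit 1; fi`.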
@@ -0,0 +1,33 @@ +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [4a92:a508:d567:5c16:d07:5236:4b51:417e].51972 [6733:3377:d5f:662b:299f:6a97:c7fe:d424].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [6733:3377:d5f:662b:299f:6a97:c7fe:d424].53 [4a92:a508:d567:5c16:d07:5236:4b51:417e].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [4a92:a508:d567:5c16:d07:5236:4b51:417e].51972 [2001:4860:4860::8888].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [2001:4860:4860::8888].53 [4a92:a508:d567:5c16:d07:5236:4b51:417e].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [2a01:3f0:0:57::245].51972 [6733:3377:d5f:662b:299f:6a97:c7fe:d424].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [6733:3377:d5f:662b:299f:6a97:c7fe:d424].53 [2a01:3f0:0:57::245].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] diff --git a/plugins/anonaes128/test2.sh b/plugins/anonaes128/test2.sh new file mode 100755 index 0000000..ff21327 --- /dev/null +++ b/plugins/anonaes128/test2.sh 
@@ -0,0 +1,30 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonaes128.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the anonaes128 plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" 2>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -c 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -s 2>>test2.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+ mv test2.out test2.out.old
+ grep -v "^dnscap.*WARNING.*symbol.*relink" test2.out.old > test2.out
+ rm test2.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test2.out | \
+ sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+ sed 's%,CLASS512,OPT,%,512,512,%' | \
+ sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+ sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
+mv test2.new test2.out
+
+diff test2.out "$srcdir/test2.gold"
diff --git a/plugins/anonaes128/test3.gold b/plugins/anonaes128/test3.gold
new file mode 100644
index 0000000..a3d589d
--- /dev/null
+++ b/plugins/anonaes128/test3.gold
@@ -0,0 +1,11 @@
+[87] 2018-11-27 15:52:00.414188 [#0 test3.pcap.20181127.155200.414188 4095] \
+ [2a01:3f0:0:57::245].51972 [2001:4860:4860::8888].53 \
+ dns QUERY,NOERROR,51420,rd|ad \
+ 1 google.com.,IN,A 0 0 \
+ 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 test3.pcap.20181127.155200.414188 4095] \
+ [2001:4860:4860::8888].53 [2a01:3f0:0:57::245].51972 \
+ dns QUERY,NOERROR,51420,qr|rd|ra \
+ 1 google.com.,IN,A \
+ 1 google.com.,IN,A,299,172.217.20.46 0 \
+ 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
diff --git a/plugins/anonaes128/test3.sh b/plugins/anonaes128/test3.sh
new file mode 100755
index 0000000..09fb116
--- /dev/null
+++ b/plugins/anonaes128/test3.sh
@@ -0,0 +1,29 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonaes128.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the anonaes128 plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns6.pcap-dist -w test3.pcap -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" 2>test3.out
+../../src/dnscap -r test3.pcap.20181127.155200.414188 -g -P "$plugin" -D -k "some 16-byte key" -i "some 16-byte key" 2>>test3.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+ mv test3.out test3.out.old
+ grep -v "^dnscap.*WARNING.*symbol.*relink" test3.out.old > test3.out
+ rm test3.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test3.out | \
+ sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+ sed 's%,CLASS512,OPT,%,512,512,%' | \
+ sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+ sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test3.new
+mv test3.new test3.out
+
+diff test3.out "$srcdir/test3.gold"
diff --git a/plugins/anonaes128/test4.sh b/plugins/anonaes128/test4.sh
new file mode 100755
index 0000000..3d51818
--- /dev/null
+++ b/plugins/anonaes128/test4.sh
@@ -0,0 +1,24 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonaes128.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the anonaes128 plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k tooshort
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -i tooshort
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 -K "$srcdir/test4.sh" -I "$srcdir/test4.sh"
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -K does_not_exist
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -I does_not_exist
+rm -f test4.tmp
+touch test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -K test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -I test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 0
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 1
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -D -4 -k "some 16-byte key" -i "some 16-byte key"
diff --git a/plugins/anonmask/Makefile.am b/plugins/anonmask/Makefile.am
new file mode 100644
index 0000000..48f5a10
--- /dev/null
+++ b/plugins/anonmask/Makefile.am
@@ -0,0 +1,23 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+ -I$(top_srcdir)/src \
+ -I$(top_srcdir)/isc \
+ $(SECCOMPFLAGS)
+
+pkglib_LTLIBRARIES = anonmask.la
+anonmask_la_SOURCES = anonmask.c
+anonmask_la_LDFLAGS = -module -avoid-version
+
+TESTS = test1.sh test2.sh test3.sh
+
+EXTRA_DIST = $(TESTS) test1.gold test2.gold
+CLEANFILES += test1.out test2.out
+
+if ENABLE_GCOV
+gcov-local:
+ for src in $(anonmask_la_SOURCES); do \
+ gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+ done
+endif
diff --git a/plugins/anonmask/anonmask.c b/plugins/anonmask/anonmask.c
new file mode 100644
index 0000000..ca3dc0d
--- /dev/null
+++ b/plugins/anonmask/anonmask.c
@@ -0,0 +1,244 @@
+/*
+ * Copyright (c) 2018-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+
+#include "dnscap_common.h"
+
+static set_iaddr_t anonmask_set_iaddr = 0;
+
+static logerr_t* logerr;
+static int only_clients = 0, only_servers = 0, mask_port = 53, mask_v4 = 24, mask_v6 = 48;
+static struct in_addr in4 = { INADDR_ANY };
+static struct in6_addr in6 = IN6ADDR_ANY_INIT;
+static uint32_t* in6p = (uint32_t*)&in6;
+
+enum plugin_type anonmask_type()
+{
+ return plugin_filter;
+}
+
+void usage(const char* msg)
+{
+ fprintf(stderr, "anonmask.so usage error: %s\n", msg);
+ exit(1);
+}
+
+void anonmask_usage()
+{
+ fprintf(stderr,
+ "\nanonmask.so options:\n"
+ "\t-? print these instructions and exit\n"
+ "\t-c Only mask clients (port != 53)\n"
+ "\t-s Only mask servers (port == 53)\n"
+ "\t-p <port> Set port for -c/-s masking, default 53\n"
+ "\t-4 <netmask> The /mask for IPv4 addresses, default /24\n"
+ "\t-6 <netmask> The /mask for IPv6 addresses, default /48\n");
+}
+
+void anonmask_extension(int ext, void* arg)
+{
+ switch (ext) {
+ case DNSCAP_EXT_SET_IADDR:
+ anonmask_set_iaddr = (set_iaddr_t)arg;
+ break;
+ }
+}
+
+void anonmask_getopt(int* argc, char** argv[])
+{
+ int c;
+ unsigned long ul;
+ char* p;
+
+ while ((c = getopt(*argc, *argv, "?csp:4:6:")) != EOF) {
+ switch (c) {
+ case 'c':
+ only_clients = 1;
+ break;
+ case 's':
+ only_servers = 1;
+ break;
+ case 'p':
+ ul = strtoul(optarg, &p, 0);
+ if (*p != '\0' || ul < 1U || ul > 65535U)
+ usage("port must be an integer 1..65535");
+ mask_port = (unsigned)ul;
+ break;
+ case '4':
+ ul = strtoul(optarg, &p, 0);
+ if (*p != '\0' || ul > 31U)
+ usage("IPv4 mask must be an integer 0..31");
+ mask_v4 = (unsigned)ul;
+ break;
+ case '6':
+ ul = strtoul(optarg, &p, 0);
+ if (*p != '\0' || ul > 127U)
+ usage("IPv6 mask must be an integer 0..127");
+ mask_v6 = (unsigned)ul;
+ break;
+ case '?':
+ anonmask_usage();
+ if (!optopt || optopt == '?') {
+ exit(0);
+ }
+ // fallthrough
+ default:
+ exit(1);
+ }
+ }
+
+ if (only_clients && only_servers) {
+ usage("-c and -s options are mutually exclusive");
+ }
+
+ if (mask_v4) {
+ in4.s_addr = htonl(0xffffffff << (32 - mask_v4));
+ }
+
+ if (mask_v6) {
+ if (mask_v6 <= 32) {
+ in6p[0] = htonl(0xffffffff << (32 - mask_v6));
+ } else if (mask_v6 <= 64) {
+ in6p[0] = 0xffffffff;
+ in6p[1] = htonl(0xffffffff << (64 - mask_v6));
+ } else if (mask_v6 <= 96) {
+ in6p[0] = 0xffffffff;
+ in6p[1] = 0xffffffff;
+ in6p[2] = htonl(0xffffffff << (96 - mask_v6));
+ } else {
+ in6p[0] = 0xffffffff;
+ in6p[1] = 0xffffffff;
+ in6p[2] = 0xffffffff;
+ in6p[3] = htonl(0xffffffff << (128 - mask_v6));
+ }
+ }
+}
+
+int anonmask_start(logerr_t* a_logerr)
+{
+ logerr = a_logerr;
+ return 0;
+}
+
+void anonmask_stop()
+{
+}
+
+int anonmask_open(my_bpftimeval ts)
+{
+ return 0;
+}
+
+int anonmask_close(my_bpftimeval ts)
+{
+ return 0;
+}
+
+int anonmask_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags,
+ unsigned sport, unsigned dport, my_bpftimeval ts,
+ const u_char* pkt_copy, const unsigned olen,
+ const u_char* payload, const unsigned payloadlen)
+{
+ uint32_t* p6;
+
+ for (;;) {
+ if (only_clients && sport == mask_port) {
+ from = 0;
+ break;
+ }
+ if (only_servers && sport != mask_port) {
+ from = 0;
+ break;
+ }
+
+ switch (from->af) {
+ case AF_INET:
+ from->u.a4.s_addr &= in4.s_addr;
+ break;
+ case AF_INET6:
+ p6 = (uint32_t*)&from->u.a6;
+ p6[0] &= in6p[0];
+ p6[1] &= in6p[1];
+ p6[2] &= in6p[2];
+ p6[3] &= in6p[3];
+ break;
+ default:
+ from = 0;
+ break;
+ }
+ break;
+ }
+
+ for (;;) {
+ if (only_clients && dport == mask_port) {
+ to = 0;
+ break;
+ }
+ if (only_servers && dport != mask_port) {
+ to = 0;
+ break;
+ }
+
+ switch (to->af) {
+ case AF_INET:
+ to->u.a4.s_addr &= in4.s_addr;
+ break;
+ case AF_INET6:
+ p6 = (uint32_t*)&to->u.a6;
+ p6[0] &= in6p[0];
+ p6[1] &= in6p[1];
+ p6[2] &= in6p[2];
+ p6[3] &= in6p[3];
+ break;
+ default:
+ to = 0;
+ break;
+ }
+ break;
+ }
+
+ if (anonmask_set_iaddr && (from || to)) {
+ anonmask_set_iaddr(from, to);
+ }
+
+ return 0;
+}
diff --git a/plugins/anonmask/test1.gold b/plugins/anonmask/test1.gold
new file mode 100644
index 0000000..d6dde5a
--- /dev/null
+++ b/plugins/anonmask/test1.gold
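Review bot: anonmask_filter() hands the masked addresses back only when `anonmask_set_iaddr` is non-null, and nothing in this file fails or logs when the host never delivers DNSCAP_EXT_SET_IADDR, so the plugin can return 0 without having reported any masked address. For an anonymization filter that is a fail-open default; whether the in-place `&=` on `from`/`to` reaches the output on its own depends on dnscap code outside this hunk. I would refuse to start in that case, for example in anonmask_start(): `if (!anonmask_set_iaddr) { logerr("anonmask: set_iaddr extension not provided"); return 1; }`, assuming the extension is delivered before start, that logerr_t is printf-style and that a non-zero return aborts loading. A comment above anonmask_filter() should also state that only the from/to addresses are masked and the `payload` argument is never touched, so addresses carried inside the DNS message itself (PTR names, for instance) stay as captured.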
@@ -0,0 +1,2857 @@ +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [172.17.0.0].53199 [8.8.8.0].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \ + [172.17.0.0].57822 [8.8.8.0].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \ + [172.17.0.0].40043 [8.8.8.0].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \ + [172.17.0.0].37953 [8.8.8.0].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \ + [172.17.0.0].48658 [8.8.8.0].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \ + [172.17.0.0].40953 [8.8.8.0].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \ + [172.17.0.0].45174 [8.8.8.0].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \ + [172.17.0.0].33916 [8.8.8.0].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \ + [172.17.0.0].43559 [8.8.8.0].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \ + [172.17.0.0].54859 [8.8.8.0].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \ + [172.17.0.0].58176 [8.8.8.0].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \ + [172.17.0.0].41266 [8.8.8.0].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \ + [172.17.0.0].34607 [8.8.8.0].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \ + [172.17.0.0].60437 [8.8.8.0].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \ + [172.17.0.0].37149 [8.8.8.0].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \ + [172.17.0.0].53820 [8.8.8.0].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \ + [172.17.0.0].52368 [8.8.8.0].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \ + [172.17.0.0].47637 [8.8.8.0].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \ + [172.17.0.0].34426 [8.8.8.0].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \ + [172.17.0.0].41059 [8.8.8.0].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \ + [172.17.0.0].51181 [8.8.8.0].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \ + [172.17.0.0].32976 [8.8.8.0].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \ + [172.17.0.0].53467 [8.8.8.0].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \ + [172.17.0.0].41532 [8.8.8.0].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \ + [172.17.0.0].44982 [8.8.8.0].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \ + [172.17.0.0].40224 [8.8.8.0].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \ + [172.17.0.0].45658 [8.8.8.0].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \ + [172.17.0.0].60457 [8.8.8.0].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \ + [172.17.0.0].59762 [8.8.8.0].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \ + [172.17.0.0].56022 [8.8.8.0].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \ + [172.17.0.0].37669 [8.8.8.0].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \ + [172.17.0.0].42978 [8.8.8.0].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \ + [172.17.0.0].49829 [8.8.8.0].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \ + [172.17.0.0].50599 [8.8.8.0].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \ + [172.17.0.0].44980 [8.8.8.0].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \ + [172.17.0.0].60063 [8.8.8.0].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \ + [172.17.0.0].42042 [8.8.8.0].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \ + [172.17.0.0].60469 [8.8.8.0].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \ + [172.17.0.0].45703 [8.8.8.0].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \ + [172.17.0.0].33507 [8.8.8.0].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \ + [172.17.0.0].46798 [8.8.8.0].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.0].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [172.17.0.0].53199 [8.8.0.0].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \ + [172.17.0.0].57822 [8.8.0.0].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \ + [172.17.0.0].40043 [8.8.0.0].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \ + [172.17.0.0].37953 [8.8.0.0].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \ + [172.17.0.0].48658 [8.8.0.0].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \ + [172.17.0.0].40953 [8.8.0.0].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \ + [172.17.0.0].45174 [8.8.0.0].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \ + [172.17.0.0].33916 [8.8.0.0].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \ + [172.17.0.0].43559 [8.8.0.0].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \ + [172.17.0.0].54859 [8.8.0.0].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \ + [172.17.0.0].58176 [8.8.0.0].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \ + [172.17.0.0].41266 [8.8.0.0].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \ + [172.17.0.0].34607 [8.8.0.0].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \ + [172.17.0.0].60437 [8.8.0.0].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \ + [172.17.0.0].37149 [8.8.0.0].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \ + [172.17.0.0].53820 [8.8.0.0].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \ + [172.17.0.0].52368 [8.8.0.0].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \ + [172.17.0.0].47637 [8.8.0.0].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \ + [172.17.0.0].34426 [8.8.0.0].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \ + [172.17.0.0].41059 [8.8.0.0].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \ + [172.17.0.0].51181 [8.8.0.0].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \ + [172.17.0.0].32976 [8.8.0.0].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \ + [172.17.0.0].53467 [8.8.0.0].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \ + [172.17.0.0].41532 [8.8.0.0].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \ + [172.17.0.0].44982 [8.8.0.0].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \ + [172.17.0.0].40224 [8.8.0.0].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \ + [172.17.0.0].45658 [8.8.0.0].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \ + [172.17.0.0].60457 [8.8.0.0].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \ + [172.17.0.0].59762 [8.8.0.0].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \ + [172.17.0.0].56022 [8.8.0.0].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \ + [172.17.0.0].37669 [8.8.0.0].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \ + [172.17.0.0].42978 [8.8.0.0].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \ + [172.17.0.0].49829 [8.8.0.0].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \ + [172.17.0.0].50599 [8.8.0.0].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \ + [172.17.0.0].44980 [8.8.0.0].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \ + [172.17.0.0].60063 [8.8.0.0].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \ + [172.17.0.0].42042 [8.8.0.0].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \ + [172.17.0.0].60469 [8.8.0.0].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \ + [172.17.0.0].45703 [8.8.0.0].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \ + [172.17.0.0].33507 [8.8.0.0].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \ + [172.17.0.0].46798 [8.8.0.0].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \ + [8.8.0.0].53 [172.17.0.0].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [172.17.0.0].53199 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \ + [172.17.0.0].57822 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \ + [172.17.0.0].40043 [8.8.8.8].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \ + [172.17.0.0].37953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \ + [172.17.0.0].48658 [8.8.8.8].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \ + [172.17.0.0].40953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \ + [172.17.0.0].45174 [8.8.8.8].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \ + [172.17.0.0].33916 [8.8.8.8].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \ + [172.17.0.0].43559 [8.8.8.8].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \ + [172.17.0.0].54859 [8.8.8.8].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \ + [172.17.0.0].58176 [8.8.8.8].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \ + [172.17.0.0].41266 [8.8.8.8].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \ + [172.17.0.0].34607 [8.8.8.8].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \ + [172.17.0.0].60437 [8.8.8.8].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \ + [172.17.0.0].37149 [8.8.8.8].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \ + [172.17.0.0].53820 [8.8.8.8].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \ + [172.17.0.0].52368 [8.8.8.8].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \ + [172.17.0.0].47637 [8.8.8.8].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \ + [172.17.0.0].34426 [8.8.8.8].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \ + [172.17.0.0].41059 [8.8.8.8].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \ + [172.17.0.0].51181 [8.8.8.8].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \ + [172.17.0.0].32976 [8.8.8.8].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \ + [172.17.0.0].53467 [8.8.8.8].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \ + [172.17.0.0].41532 [8.8.8.8].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \ + [172.17.0.0].44982 [8.8.8.8].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \ + [172.17.0.0].40224 [8.8.8.8].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \ + [172.17.0.0].45658 [8.8.8.8].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \ + [172.17.0.0].60457 [8.8.8.8].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \ + [172.17.0.0].59762 [8.8.8.8].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \ + [172.17.0.0].56022 [8.8.8.8].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \ + [172.17.0.0].37669 [8.8.8.8].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \ + [172.17.0.0].42978 [8.8.8.8].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \ + [172.17.0.0].49829 [8.8.8.8].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \ + [172.17.0.0].50599 [8.8.8.8].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \ + [172.17.0.0].44980 [8.8.8.8].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \ + [172.17.0.0].60063 [8.8.8.8].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \ + [172.17.0.0].42042 [8.8.8.8].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \ + [172.17.0.0].60469 [8.8.8.8].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \ + [172.17.0.0].45703 [8.8.8.8].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \ + [172.17.0.0].33507 [8.8.8.8].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \ + [172.17.0.0].46798 [8.8.8.8].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.0].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [172.17.0.10].53199 [8.8.8.0].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \ + [172.17.0.10].57822 [8.8.8.0].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \ + [172.17.0.10].40043 [8.8.8.0].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \ + [172.17.0.10].37953 [8.8.8.0].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \ + [172.17.0.10].48658 [8.8.8.0].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \ + [172.17.0.10].40953 [8.8.8.0].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \ + [172.17.0.10].45174 [8.8.8.0].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \ + [172.17.0.10].33916 [8.8.8.0].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \ + [172.17.0.10].43559 [8.8.8.0].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \ + [172.17.0.10].54859 [8.8.8.0].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \ + [172.17.0.10].58176 [8.8.8.0].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \ + [172.17.0.10].41266 [8.8.8.0].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \ + [172.17.0.10].34607 [8.8.8.0].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \ + [172.17.0.10].60437 [8.8.8.0].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \ + [172.17.0.10].37149 [8.8.8.0].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \ + [172.17.0.10].53820 [8.8.8.0].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \ + [172.17.0.10].52368 [8.8.8.0].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \ + [172.17.0.10].47637 [8.8.8.0].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \ + [172.17.0.10].34426 [8.8.8.0].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \ + [172.17.0.10].41059 [8.8.8.0].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \ + [172.17.0.10].51181 [8.8.8.0].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \ + [172.17.0.10].32976 [8.8.8.0].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \ + [172.17.0.10].53467 [8.8.8.0].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \ + [172.17.0.10].41532 [8.8.8.0].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \ + [172.17.0.10].44982 [8.8.8.0].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \ + [172.17.0.10].40224 [8.8.8.0].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \ + [172.17.0.10].45658 [8.8.8.0].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \ + [172.17.0.10].60457 [8.8.8.0].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \ + [172.17.0.10].59762 [8.8.8.0].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \ + [172.17.0.10].56022 [8.8.8.0].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \ + [172.17.0.10].37669 [8.8.8.0].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \ + [172.17.0.10].42978 [8.8.8.0].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \ + [172.17.0.10].49829 [8.8.8.0].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \ + [172.17.0.10].50599 [8.8.8.0].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \ + [172.17.0.10].44980 [8.8.8.0].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \ + [172.17.0.10].60063 [8.8.8.0].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \ + [172.17.0.10].42042 [8.8.8.0].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \ + [172.17.0.10].60469 [8.8.8.0].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \ + [172.17.0.10].45703 [8.8.8.0].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \ + [172.17.0.10].33507 [8.8.8.0].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \ + [172.17.0.10].46798 [8.8.8.0].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \ + [8.8.8.0].53 [172.17.0.10].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +anonmask.so usage error: -c and -s options are mutually exclusive diff --git a/plugins/anonmask/test1.sh b/plugins/anonmask/test1.sh new file mode 100755 index 0000000..a15a9bb 
--- /dev/null
+++ b/plugins/anonmask/test1.sh
@@ -0,0 +1,24 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonmask.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the anonmask plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 16 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -c 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -s 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -c -s 2>>test1.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+ mv test1.out test1.out.old
+ grep -v "^dnscap.*WARNING.*symbol.*relink" test1.out.old > test1.out
+ rm test1.out.old
+fi
+
+diff test1.out "$srcdir/test1.gold"
diff --git a/plugins/anonmask/test2.gold b/plugins/anonmask/test2.gold
new file mode 100644
index 0000000..ac84f76
--- /dev/null
+++ b/plugins/anonmask/test2.gold
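Review bot: In plugins/anonmask/test1.sh the negative case `! ../../src/dnscap ... -c -s 2>>test1.out` does not assert anything about the exit status, because a pipeline negated with `!` is exempt from `-e`; if dnscap ever accepted the conflicting `-c -s` options and exited 0, the script would simply continue. The only remaining guard is the final `diff` against test1.gold, which checks the usage-error text on stderr but not that the anonymization plugin actually refused to run. I would make the expectation explicit with `if ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -c -s 2>>test1.out; then exit 1; fi`. Separately, the `-xe` flags live only on the shebang line, so they are lost if the harness runs the file as `sh test1.sh`; a `set -xe` as the first statement would keep the earlier dnscap invocations fail-fast either way.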
@@ -0,0 +1,77 @@ +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [2a01:3f0::].51972 [2001:4860:4860::].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [2001:4860:4860::].53 [2a01:3f0::].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [2a01:300::].51972 [2001:4800::].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [2001:4800::].53 [2a01:300::].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [2a01:3f0::].51972 [2001:4860::].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [2001:4860::].53 [2a01:3f0::].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [2a01:3f0:0:57::].51972 [2001:4860:4860::].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [2001:4860:4860::].53 [2a01:3f0:0:57::].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] 
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [2a01:3f0:0:57::].51972 [2001:4860:4860::].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [2001:4860:4860::].53 [2a01:3f0:0:57::].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [2a01:3f0::].51972 [2001:4860:4860::8888].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [2001:4860:4860::8888].53 [2a01:3f0::].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [2a01:3f0:0:57::245].51972 [2001:4860:4860::].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [2001:4860:4860::].53 [2a01:3f0:0:57::245].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] diff --git a/plugins/anonmask/test2.sh b/plugins/anonmask/test2.sh new file mode 100755 index 0000000..7a155c5 --- /dev/null +++ b/plugins/anonmask/test2.sh 
@@ -0,0 +1,34 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonmask.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the anonmask plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" 2>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 24 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 32 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 64 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 96 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -c 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -s 2>>test2.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+ mv test2.out test2.out.old
+ grep -v "^dnscap.*WARNING.*symbol.*relink" test2.out.old > test2.out
+ rm test2.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test2.out | \
+ sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+ sed 's%,CLASS512,OPT,%,512,512,%' | \
+ sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+ sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
+mv test2.new test2.out
+
+diff test2.out "$srcdir/test2.gold"
diff --git a/plugins/anonmask/test3.sh b/plugins/anonmask/test3.sh
new file mode 100755
index 0000000..b5018d8
--- /dev/null
+++ b/plugins/anonmask/test3.sh
@@ -0,0 +1,16 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonmask.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the anonmask plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 99
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -6 999
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 0
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 1
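Review bot: The four `!`-prefixed invocations in plugins/anonmask/test3.sh (`-X`, `-4 99`, `-6 999`, `-p 0`) cannot fail the test, because `sh -e` ignores the exit status of a pipeline that begins with `!`; if dnscap accepted one of these invalid values and exited 0, the script would carry on and return the status of the final `-p 1` run. These are the checks that the anonymisation options reject out-of-range input, so each should fail explicitly, e.g. `! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 99 || exit 1`. The same construct in test1.sh is backed by the comparison with test1.gold, so only the bare uses here are unchecked. The `-xe` on the shebang line is also lost when the script is started as `sh test3.sh`; `set -xe` as the first command is the more robust form.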
diff --git a/plugins/cryptopan/Makefile.am b/plugins/cryptopan/Makefile.am
new file mode 100644
index 0000000..0215742
--- /dev/null
+++ b/plugins/cryptopan/Makefile.am
@@ -0,0 +1,24 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+ -I$(top_srcdir)/src \
+ -I$(top_srcdir)/isc \
+ $(SECCOMPFLAGS) $(libcrypto_CFLAGS)
+
+pkglib_LTLIBRARIES = cryptopan.la
+cryptopan_la_SOURCES = cryptopan.c
+cryptopan_la_LDFLAGS = -module -avoid-version $(libcrypto_LIBS)
+
+TESTS = test1.sh test2.sh test3.sh test4.sh
+
+EXTRA_DIST = $(TESTS) test1.gold test2.gold test3.gold
+CLEANFILES += test1.out test2.out test3.out test3.pcap.20161020.152301.075993 \
+ test3.pcap.20181127.155200.414188 test4.tmp
+
+if ENABLE_GCOV
+gcov-local:
+ for src in $(cryptopan_la_SOURCES); do \
+ gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+ done
+endif
diff --git a/plugins/cryptopan/cryptopan.c b/plugins/cryptopan/cryptopan.c
new file mode 100644
index 0000000..2e439af
--- /dev/null
+++ b/plugins/cryptopan/cryptopan.c
@@ -0,0 +1,475 @@ +/* + * Copyright (c) 2018-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +/* + * Crypto-PAn encryption based on submitted extension by David Stott (Lucent) + * https://www.cc.gatech.edu/computing/Networking/projects/cryptopan/lucent.shtml + */ + +#include "config.h" + +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <string.h> +#include <sys/socket.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> + +#include "dnscap_common.h" + +#if defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_CONF_H) && defined(HAVE_OPENSSL_ERR_H) && defined(HAVE_OPENSSL_EVP_H) +#include <openssl/conf.h> +#include <openssl/evp.h> +#include <openssl/err.h> +#define USE_OPENSSL 1 +#endif + +static set_iaddr_t cryptopan_set_iaddr = 0; + +static logerr_t* logerr; +static int only_clients = 0, only_servers = 0, dns_port = 53, encrypt_v6 = 0, decrypt = 0; +static unsigned char key[16]; +static unsigned char iv[16]; +static unsigned char pad[16]; +#ifdef USE_OPENSSL +static EVP_CIPHER_CTX* ctx = 0; +#endif + +enum plugin_type cryptopan_type() +{ + return plugin_filter; +} + +void usage(const char* msg) +{ + fprintf(stderr, "cryptopan.so usage error: %s\n", msg); + exit(1); +} + +void cryptopan_usage() +{ + fprintf(stderr, + "\ncryptopan.so options:\n" + "\t-? 
print these instructions and exit\n" + "\t-k <key> A 16 character long key\n" + "\t-K <file> Read the 16 first bytes from file and use as key\n" + "\t-i <key> A 16 character long Initialisation Vector (IV)\n" + "\t-I <file> Read the 16 first bytes from file and use as IV\n" + "\t-a <key> A 16 character long padding\n" + "\t-A <file> Read the 16 first bytes from file and use as padding\n" + "\t-D Decrypt IP addresses\n" + "\t-c Only en/de-crypt clients (port != 53)\n" + "\t-s Only en/de-crypt servers (port == 53)\n" + "\t-p <port> Set port for -c/-s, default 53\n" + "\t-6 En/de-crypt IPv6 addresses, not default or recommended\n"); +} + +void cryptopan_extension(int ext, void* arg) +{ + switch (ext) { + case DNSCAP_EXT_SET_IADDR: + cryptopan_set_iaddr = (set_iaddr_t)arg; + break; + } +} + +void cryptopan_getopt(int* argc, char** argv[]) +{ + int c, got_key = 0, got_iv = 0, got_pad = 0; + unsigned long ul; + char* p; + + while ((c = getopt(*argc, *argv, "?k:K:i:I:a:A:Dcsp:6")) != EOF) { + switch (c) { + case 'k': + if (strlen(optarg) != 16) { + usage("key must be 16 characters long"); + } + memcpy(key, optarg, 16); + got_key = 1; + break; + case 'K': { + int fd; + ssize_t r; + if ((fd = open(optarg, O_RDONLY)) < 0) { + perror("open()"); + usage("unable to open key file"); + } + if ((r = read(fd, key, 16)) < 0) { + perror("read()"); + usage("unable to read from key file"); + } + if (r != 16) { + usage("unable to read 16 bytes from key file"); + } + close(fd); + got_key = 1; + break; + } + case 'i': + if (strlen(optarg) != 16) { + usage("IV must be 16 characters long"); + } + memcpy(iv, optarg, 16); + got_iv = 1; + break; + case 'I': { + int fd; + ssize_t r; + if ((fd = open(optarg, O_RDONLY)) < 0) { + perror("open()"); + usage("unable to open IV file"); + } + if ((r = read(fd, iv, 16)) < 0) { + perror("read()"); + usage("unable to read from IV file"); + } + if (r != 16) { + usage("unable to read 16 bytes from IV file"); + } + close(fd); + got_iv = 1; + break; + } + 
case 'a': + if (strlen(optarg) != 16) { + usage("padding must be 16 characters long"); + } + memcpy(pad, optarg, 16); + got_pad = 1; + break; + case 'A': { + int fd; + ssize_t r; + if ((fd = open(optarg, O_RDONLY)) < 0) { + perror("open()"); + usage("unable to open padding file"); + } + if ((r = read(fd, pad, 16)) < 0) { + perror("read()"); + usage("unable to read from padding file"); + } + if (r != 16) { + usage("unable to read 16 bytes from padding file"); + } + close(fd); + got_pad = 1; + break; + } + case 'D': + decrypt = 1; + break; + case 'c': + only_clients = 1; + break; + case 's': + only_servers = 1; + break; + case 'p': + ul = strtoul(optarg, &p, 0); + if (*p != '\0' || ul < 1U || ul > 65535U) + usage("port must be an integer 1..65535"); + dns_port = (unsigned)ul; + break; + case '6': + encrypt_v6 = 1; + break; + case '?': + cryptopan_usage(); + if (!optopt || optopt == '?') { + exit(0); + } + // fallthrough + default: + exit(1); + } + } + + if (!got_key || !got_iv || !got_pad) { + usage("must have key (-k/-K), IV (-i/-I) and padding (-a/-A)"); + } + +#ifdef USE_OPENSSL + if (!(ctx = EVP_CIPHER_CTX_new())) { + usage("unable to create openssl cipher context"); + } + if (!EVP_CipherInit_ex(ctx, EVP_aes_128_ecb(), NULL, key, iv, 1)) { + unsigned long e = ERR_get_error(); + fprintf(stderr, "%s:%s:%s\n", ERR_lib_error_string(e), ERR_func_error_string(e), ERR_reason_error_string(e)); + usage("unable to initialize AES128 cipher"); + } + EVP_CIPHER_CTX_set_padding(ctx, 0); + { + unsigned char outbuf[16 + EVP_MAX_BLOCK_LENGTH]; + int outlen = 0; + + if (!EVP_CipherUpdate(ctx, outbuf, &outlen, pad, 16)) { + fprintf(stderr, "cryptopan.so: error encrypting padding: %s\n", ERR_reason_error_string(ERR_get_error())); + exit(1); + } + if (outlen != 16) { + fprintf(stderr, "cryptopan.so: error encrypted padding is not 16 bytes\n"); + exit(1); + } + memcpy(&pad, outbuf, 16); + } +#else + usage("no openssl support built in, can't encrypt IP addresses"); +#endif + + if 
(only_clients && only_servers) { + usage("-c and -s options are mutually exclusive"); + } +} + +int cryptopan_start(logerr_t* a_logerr) +{ + logerr = a_logerr; + return 0; +} + +void cryptopan_stop() +{ +#ifdef USE_OPENSSL + EVP_CIPHER_CTX_free(ctx); + ctx = 0; +#endif +} + +int cryptopan_open(my_bpftimeval ts) +{ + return 0; +} + +int cryptopan_close(my_bpftimeval ts) +{ + return 0; +} + +#ifdef USE_OPENSSL +struct input { + union { + unsigned char input[16]; + uint32_t ui32; + } u; +}; +struct output { + union { + unsigned char outbuf[16 + EVP_MAX_BLOCK_LENGTH]; + uint32_t ui32; + } u; +}; +static inline void _encrypt(uint32_t* in) +{ + struct input input; + struct output output; + int outlen = 0, pos; + uint32_t orig, result = 0, pad4b, mask = 0; + + memcpy(input.u.input, pad, 16); + orig = ntohl(*in); + memcpy(&pad4b, pad, 4); + + // First pass with padding only + + input.u.ui32 = htonl(pad4b); + + if (!EVP_CipherUpdate(ctx, output.u.outbuf, &outlen, input.u.input, 16)) { + fprintf(stderr, "cryptopan.so: error encrypting: %s\n", ERR_reason_error_string(ERR_get_error())); + exit(1); + } + if (outlen != 16) { + fprintf(stderr, "cryptopan.so: error encrypted result is not 16 bytes\n"); + exit(1); + } + + result |= ntohl(output.u.ui32) & 0x80000000; + mask >>= 1; + mask |= 0x80000000; + + for (pos = 1; pos < 32; pos++) { + input.u.ui32 = htonl(((pad4b << pos) | (pad4b >> (32 - pos))) ^ (orig & mask)); + + if (!EVP_CipherUpdate(ctx, output.u.outbuf, &outlen, input.u.input, 16)) { + fprintf(stderr, "cryptopan.so: error encrypting: %s\n", ERR_reason_error_string(ERR_get_error())); + exit(1); + } + if (outlen != 16) { + fprintf(stderr, "cryptopan.so: error encrypted result is not 16 bytes\n"); + exit(1); + } + + result |= (ntohl(output.u.ui32) & 0x80000000) >> pos; + mask >>= 1; + mask |= 0x80000000; + } + + *in = htonl(result ^ orig); +} + +static inline void _decrypt(uint32_t* in) +{ + struct input input; + struct output output; + int outlen = 0, pos; + uint32_t 
orig, pad4b, mask = 0; + + memcpy(input.u.input, pad, 16); + orig = ntohl(*in); + memcpy(&pad4b, pad, 4); + + // First pass with padding only + + input.u.ui32 = htonl(pad4b); + + if (!EVP_CipherUpdate(ctx, output.u.outbuf, &outlen, input.u.input, 16)) { + fprintf(stderr, "cryptopan.so: error encrypting: %s\n", ERR_reason_error_string(ERR_get_error())); + exit(1); + } + if (outlen != 16) { + fprintf(stderr, "cryptopan.so: error encrypted result is not 16 bytes\n"); + exit(1); + } + + orig ^= ntohl(output.u.ui32) & 0x80000000; + mask >>= 1; + mask |= 0x80000000; + + for (pos = 1; pos < 32; pos++) { + input.u.ui32 = htonl(((pad4b << pos) | (pad4b >> (32 - pos))) ^ (orig & mask)); + + if (!EVP_CipherUpdate(ctx, output.u.outbuf, &outlen, input.u.input, 16)) { + fprintf(stderr, "cryptopan.so: error encrypting: %s\n", ERR_reason_error_string(ERR_get_error())); + exit(1); + } + if (outlen != 16) { + fprintf(stderr, "cryptopan.so: error encrypted result is not 16 bytes\n"); + exit(1); + } + + orig ^= (ntohl(output.u.ui32) & 0x80000000) >> pos; + mask >>= 1; + mask |= 0x80000000; + } + + *in = htonl(orig); +} +#endif + +int cryptopan_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags, + unsigned sport, unsigned dport, my_bpftimeval ts, + const u_char* pkt_copy, const unsigned olen, + const u_char* payload, const unsigned payloadlen) +{ +#ifdef USE_OPENSSL + for (;;) { + if (only_clients && sport == dns_port) { + from = 0; + break; + } + if (only_servers && sport != dns_port) { + from = 0; + break; + } + + switch (from->af) { + case AF_INET: + decrypt ? 
_decrypt((uint32_t*)&from->u.a4) : _encrypt((uint32_t*)&from->u.a4); + break; + case AF_INET6: + if (encrypt_v6) { + if (decrypt) { + _decrypt((uint32_t*)&from->u.a6); + _decrypt(((uint32_t*)&from->u.a6) + 1); // lgtm [cpp/suspicious-pointer-scaling] + _decrypt(((uint32_t*)&from->u.a6) + 2); // lgtm [cpp/suspicious-pointer-scaling] + _decrypt(((uint32_t*)&from->u.a6) + 3); // lgtm [cpp/suspicious-pointer-scaling] + } else { + _encrypt((uint32_t*)&from->u.a6); + _encrypt(((uint32_t*)&from->u.a6) + 1); // lgtm [cpp/suspicious-pointer-scaling] + _encrypt(((uint32_t*)&from->u.a6) + 2); // lgtm [cpp/suspicious-pointer-scaling] + _encrypt(((uint32_t*)&from->u.a6) + 3); // lgtm [cpp/suspicious-pointer-scaling] + } + break; + } + default: + from = 0; + break; + } + break; + } + + for (;;) { + if (only_clients && dport == dns_port) { + to = 0; + break; + } + if (only_servers && dport != dns_port) { + to = 0; + break; + } + + switch (to->af) { + case AF_INET: + decrypt ? _decrypt((uint32_t*)&to->u.a4) : _encrypt((uint32_t*)&to->u.a4); + break; + case AF_INET6: + if (encrypt_v6) { + if (decrypt) { + _decrypt((uint32_t*)&to->u.a6); + _decrypt(((uint32_t*)&to->u.a6) + 1); // lgtm [cpp/suspicious-pointer-scaling] + _decrypt(((uint32_t*)&to->u.a6) + 2); // lgtm [cpp/suspicious-pointer-scaling] + _decrypt(((uint32_t*)&to->u.a6) + 3); // lgtm [cpp/suspicious-pointer-scaling] + } else { + _encrypt((uint32_t*)&to->u.a6); + _encrypt(((uint32_t*)&to->u.a6) + 1); // lgtm [cpp/suspicious-pointer-scaling] + _encrypt(((uint32_t*)&to->u.a6) + 2); // lgtm [cpp/suspicious-pointer-scaling] + _encrypt(((uint32_t*)&to->u.a6) + 3); // lgtm [cpp/suspicious-pointer-scaling] + } + break; + } + default: + to = 0; + break; + } + break; + } + + if (cryptopan_set_iaddr && (from || to)) { + cryptopan_set_iaddr(from, to); + } +#endif + return 0; +} diff --git a/plugins/cryptopan/test1.gold b/plugins/cryptopan/test1.gold new file mode 100644 index 0000000..71bbba1 --- /dev/null 
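Review bot: In `cryptopan_getopt` the `-k`, `-i` and `-a` cases copy secret material straight from `optarg`, so the key is readable by other local users through the process argument list and is limited to 16 non-NUL characters rather than 16 arbitrary bytes; only the `-K`/`-I`/`-A` file variants avoid both. I would say so in the help text, e.g. `"\t-k <key> A 16 character long key (visible in process listings, prefer -K)\n"`, and wipe the static buffers in `cryptopan_stop()` after the context is freed, e.g. `OPENSSL_cleanse(key, sizeof(key));` and likewise for `iv` and `pad`. Separately, the context is set up with `EVP_aes_128_ecb()`, and ECB takes no IV, so as far as I can tell the mandatory `-i`/`-I` value never influences the address mapping; a comment at the `EVP_CipherInit_ex` call should say whether it is kept only for compatibility. The IPv6 branch of `cryptopan_filter` anonymises the address as four independent 32-bit words, which loses prefix preservation across word boundaries; the usage text already marks `-6` as not recommended, and a short comment at those call sites giving that reason would help the next reader.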
+++ b/plugins/cryptopan/test1.gold 
@@ -0,0 +1,2147 @@ +cryptopan.so usage error: must have key (-k/-K), IV (-i/-I) and padding (-a/-A) +cryptopan.so usage error: must have key (-k/-K), IV (-i/-I) and padding (-a/-A) +cryptopan.so usage error: must have key (-k/-K), IV (-i/-I) and padding (-a/-A) +cryptopan.so usage error: must have key (-k/-K), IV (-i/-I) and padding (-a/-A) +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [137.205.188.255].53199 [44.76.218.44].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \ + [137.205.188.255].57822 [44.76.218.44].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \ + [137.205.188.255].40043 [44.76.218.44].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \ + [137.205.188.255].37953 [44.76.218.44].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \ + [137.205.188.255].48658 [44.76.218.44].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \ + [137.205.188.255].40953 [44.76.218.44].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \ + [137.205.188.255].45174 [44.76.218.44].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \ + [137.205.188.255].33916 [44.76.218.44].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \ + [137.205.188.255].43559 [44.76.218.44].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \ + [137.205.188.255].54859 [44.76.218.44].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \ + [137.205.188.255].58176 [44.76.218.44].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \ + [137.205.188.255].41266 [44.76.218.44].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \ + [137.205.188.255].34607 [44.76.218.44].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \ + [137.205.188.255].60437 [44.76.218.44].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \ + [137.205.188.255].37149 [44.76.218.44].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \ + [137.205.188.255].53820 [44.76.218.44].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \ + [137.205.188.255].52368 [44.76.218.44].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \ + [137.205.188.255].47637 [44.76.218.44].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \ + [137.205.188.255].34426 [44.76.218.44].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \ + [137.205.188.255].41059 [44.76.218.44].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \ + [137.205.188.255].51181 [44.76.218.44].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \ + [137.205.188.255].32976 [44.76.218.44].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \ + [137.205.188.255].53467 [44.76.218.44].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \ + [137.205.188.255].41532 [44.76.218.44].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \ + [137.205.188.255].44982 [44.76.218.44].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \ + [137.205.188.255].40224 [44.76.218.44].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \ + [137.205.188.255].45658 [44.76.218.44].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \ + [137.205.188.255].60457 [44.76.218.44].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \ + [137.205.188.255].59762 [44.76.218.44].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \ + [137.205.188.255].56022 [44.76.218.44].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \ + [137.205.188.255].37669 [44.76.218.44].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \ + [137.205.188.255].42978 [44.76.218.44].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \ + [137.205.188.255].49829 [44.76.218.44].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \ + [137.205.188.255].50599 [44.76.218.44].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \ + [137.205.188.255].44980 [44.76.218.44].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \ + [137.205.188.255].60063 [44.76.218.44].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \ + [137.205.188.255].42042 [44.76.218.44].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \ + [137.205.188.255].60469 [44.76.218.44].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \ + [137.205.188.255].45703 [44.76.218.44].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \ + [137.205.188.255].33507 [44.76.218.44].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \ + [137.205.188.255].46798 [44.76.218.44].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \ + [44.76.218.44].53 [137.205.188.255].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [137.205.188.255].53199 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \ + [137.205.188.255].57822 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \ + [137.205.188.255].40043 [8.8.8.8].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \ + [137.205.188.255].37953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \ + [137.205.188.255].48658 [8.8.8.8].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \ + [137.205.188.255].40953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \ + [137.205.188.255].45174 [8.8.8.8].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \ + [137.205.188.255].33916 [8.8.8.8].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \ + [137.205.188.255].43559 [8.8.8.8].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \ + [137.205.188.255].54859 [8.8.8.8].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \ + [137.205.188.255].58176 [8.8.8.8].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \ + [137.205.188.255].41266 [8.8.8.8].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \ + [137.205.188.255].34607 [8.8.8.8].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \ + [137.205.188.255].60437 [8.8.8.8].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \ + [137.205.188.255].37149 [8.8.8.8].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \ + [137.205.188.255].53820 [8.8.8.8].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \ + [137.205.188.255].52368 [8.8.8.8].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \ + [137.205.188.255].47637 [8.8.8.8].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \ + [137.205.188.255].34426 [8.8.8.8].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \ + [137.205.188.255].41059 [8.8.8.8].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \ + [137.205.188.255].51181 [8.8.8.8].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \ + [137.205.188.255].32976 [8.8.8.8].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \ + [137.205.188.255].53467 [8.8.8.8].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \ + [137.205.188.255].41532 [8.8.8.8].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \ + [137.205.188.255].44982 [8.8.8.8].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \ + [137.205.188.255].40224 [8.8.8.8].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \ + [137.205.188.255].45658 [8.8.8.8].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \ + [137.205.188.255].60457 [8.8.8.8].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \ + [137.205.188.255].59762 [8.8.8.8].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \ + [137.205.188.255].56022 [8.8.8.8].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \ + [137.205.188.255].37669 [8.8.8.8].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \ + [137.205.188.255].42978 [8.8.8.8].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \ + [137.205.188.255].49829 [8.8.8.8].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \ + [137.205.188.255].50599 [8.8.8.8].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \ + [137.205.188.255].44980 [8.8.8.8].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \ + [137.205.188.255].60063 [8.8.8.8].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \ + [137.205.188.255].42042 [8.8.8.8].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \ + [137.205.188.255].60469 [8.8.8.8].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \ + [137.205.188.255].45703 [8.8.8.8].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \ + [137.205.188.255].33507 [8.8.8.8].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \ + [137.205.188.255].46798 [8.8.8.8].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \ + [8.8.8.8].53 [137.205.188.255].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [172.17.0.10].53199 [44.76.218.44].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \ + [172.17.0.10].57822 [44.76.218.44].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \ + [172.17.0.10].40043 [44.76.218.44].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \ + [172.17.0.10].37953 [44.76.218.44].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \ + [172.17.0.10].48658 [44.76.218.44].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \ + [172.17.0.10].40953 [44.76.218.44].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \ + [172.17.0.10].45174 [44.76.218.44].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \ + [172.17.0.10].33916 [44.76.218.44].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \ + [172.17.0.10].43559 [44.76.218.44].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \ + [172.17.0.10].54859 [44.76.218.44].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \ + [172.17.0.10].58176 [44.76.218.44].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \ + [172.17.0.10].41266 [44.76.218.44].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \ + [172.17.0.10].34607 [44.76.218.44].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \ + [172.17.0.10].60437 [44.76.218.44].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \ + [172.17.0.10].37149 [44.76.218.44].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \ + [172.17.0.10].53820 [44.76.218.44].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \ + [172.17.0.10].52368 [44.76.218.44].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \ + [172.17.0.10].47637 [44.76.218.44].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \ + [172.17.0.10].34426 [44.76.218.44].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \ + [172.17.0.10].41059 [44.76.218.44].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \ + [172.17.0.10].51181 [44.76.218.44].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \ + [172.17.0.10].32976 [44.76.218.44].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \ + [172.17.0.10].53467 [44.76.218.44].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \ + [172.17.0.10].41532 [44.76.218.44].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \ + [172.17.0.10].44982 [44.76.218.44].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \ + [172.17.0.10].40224 [44.76.218.44].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \ + [172.17.0.10].45658 [44.76.218.44].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \ + [172.17.0.10].60457 [44.76.218.44].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \ + [172.17.0.10].59762 [44.76.218.44].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \ + [172.17.0.10].56022 [44.76.218.44].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \ + [172.17.0.10].37669 [44.76.218.44].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \ + [172.17.0.10].42978 [44.76.218.44].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \ + [172.17.0.10].49829 [44.76.218.44].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \ + [172.17.0.10].50599 [44.76.218.44].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \ + [172.17.0.10].44980 [44.76.218.44].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \ + [172.17.0.10].60063 [44.76.218.44].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \ + [172.17.0.10].42042 [44.76.218.44].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \ + [172.17.0.10].60469 [44.76.218.44].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \ + [172.17.0.10].45703 [44.76.218.44].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \ + [172.17.0.10].33507 [44.76.218.44].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \ + [172.17.0.10].46798 [44.76.218.44].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \ + [44.76.218.44].53 [172.17.0.10].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +cryptopan.so usage error: -c and -s options are mutually exclusive diff --git a/plugins/cryptopan/test1.sh b/plugins/cryptopan/test1.sh new file mode 100755 index 0000000..b499f12 --- /dev/null +++ b/plugins/cryptopan/test1.sh 
@@ -0,0 +1,27 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopan.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the cryptopan plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -i "some 16-byte key" 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -a "some 16-byte key" 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -c 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -s 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -c -s 2>>test1.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+ mv test1.out test1.out.old
+ grep -v "^dnscap.*WARNING.*symbol.*relink" test1.out.old > test1.out
+ rm test1.out.old
+fi
+
+diff test1.out "$srcdir/test1.gold"
diff --git a/plugins/cryptopan/test2.gold b/plugins/cryptopan/test2.gold
new file mode 100644
index 0000000..d7d5e63
--- /dev/null
+++ b/plugins/cryptopan/test2.gold
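Review bot: The five `! ../../src/dnscap …` lines never check the exit status, because under `sh -e` a pipeline that begins with `!` is exempt from errexit, so the script carries on whether dnscap rejects the missing or conflicting options or accepts them. The only guard left is the final `diff` against test1.gold, which compares stderr text; a build that prints the usage error but still exits 0 would pass. Make each negative case fail the script explicitly, for example `../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out && exit 1`, and add a comment such as `# must be rejected: -k, -i and -a are all required` above the group.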
@@ -0,0 +1,33 @@ +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [11eb:460f:2668:8b63:2668:8b2a:2668:8948].51972 [1845:9ab2:426f:b370:2668:8b2a:2668:33ab].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [1845:9ab2:426f:b370:2668:8b2a:2668:33ab].53 [11eb:460f:2668:8b63:2668:8b2a:2668:8948].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [11eb:460f:2668:8b63:2668:8b2a:2668:8948].51972 [2001:4860:4860::8888].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [2001:4860:4860::8888].53 [11eb:460f:2668:8b63:2668:8b2a:2668:8948].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [2a01:3f0:0:57::245].51972 [1845:9ab2:426f:b370:2668:8b2a:2668:33ab].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [1845:9ab2:426f:b370:2668:8b2a:2668:33ab].53 [2a01:3f0:0:57::245].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] diff --git a/plugins/cryptopan/test2.sh b/plugins/cryptopan/test2.sh new file mode 100755 index 0000000..3f41fc4 --- /dev/null +++ b/plugins/cryptopan/test2.sh 
@@ -0,0 +1,30 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopan.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the cryptopan plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" 2>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -c 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -s 2>>test2.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+ mv test2.out test2.out.old
+ grep -v "^dnscap.*WARNING.*symbol.*relink" test2.out.old > test2.out
+ rm test2.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test2.out | \
+ sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+ sed 's%,CLASS512,OPT,%,512,512,%' | \
+ sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+ sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
+mv test2.new test2.out
+
+diff test2.out "$srcdir/test2.gold"
diff --git a/plugins/cryptopan/test3.gold b/plugins/cryptopan/test3.gold
new file mode 100644
index 0000000..afd1d7d
--- /dev/null
+++ b/plugins/cryptopan/test3.gold
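Review bot: The plugin under test is whichever `cryptopan.so` the line ``plugin=`find . -name 'cryptopan.so' | head -n 1` `` happens to list first, and `find` does not guarantee an order. If the build directory holds more than one copy (a stale build next to a fresh one, for instance), dnscap may load the wrong object and the anonymisation output compared against the gold file says nothing about the code just built. The same lookup is used in test1.sh. Either point `-P` at the path the build is known to produce, or refuse to run when the match is ambiguous, e.g. `[ $(find . -name 'cryptopan.so' | wc -l) -eq 1 ] || exit 1` before the assignment.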
@@ -0,0 +1,725 @@ +[56] 2016-10-20 15:23:01.075993 [#0 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].53199 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].57822 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].40043 [8.8.8.8].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].37953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].48658 [8.8.8.8].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].40953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].45174 [8.8.8.8].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].33916 [8.8.8.8].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].43559 [8.8.8.8].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].54859 [8.8.8.8].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].58176 [8.8.8.8].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].41266 [8.8.8.8].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].34607 [8.8.8.8].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].60437 [8.8.8.8].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].37149 [8.8.8.8].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].53820 [8.8.8.8].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].52368 [8.8.8.8].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].47637 [8.8.8.8].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].34426 [8.8.8.8].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].41059 [8.8.8.8].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].51181 [8.8.8.8].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].32976 [8.8.8.8].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].53467 [8.8.8.8].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].41532 [8.8.8.8].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].44982 [8.8.8.8].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].40224 [8.8.8.8].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].45658 [8.8.8.8].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].60457 [8.8.8.8].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].59762 [8.8.8.8].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].56022 [8.8.8.8].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].37669 [8.8.8.8].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].42978 [8.8.8.8].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].49829 [8.8.8.8].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].50599 [8.8.8.8].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].44980 [8.8.8.8].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].60063 [8.8.8.8].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].42042 [8.8.8.8].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].60469 [8.8.8.8].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].45703 [8.8.8.8].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].33507 [8.8.8.8].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].46798 [8.8.8.8].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +[87] 2018-11-27 15:52:00.414188 [#0 test3.pcap.20181127.155200.414188 4095] \ + [2a01:3f0:0:57::245].51972 [2001:4860:4860::8888].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 test3.pcap.20181127.155200.414188 4095] \ + [2001:4860:4860::8888].53 [2a01:3f0:0:57::245].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] diff --git a/plugins/cryptopan/test3.sh b/plugins/cryptopan/test3.sh new file mode 100755 index 0000000..48dc90f --- /dev/null +++ b/plugins/cryptopan/test3.sh 
@@ -0,0 +1,32 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopan.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the cryptopan plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -w test3.pcap -r dns.pcap-dist -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" 2>test3.out
+../../src/dnscap -w test3.pcap -r dns6.pcap-dist -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -6 2>>test3.out
+../../src/dnscap -r test3.pcap.20161020.152301.075993 -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -D 2>>test3.out
+../../src/dnscap -r test3.pcap.20181127.155200.414188 -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -6 -D 2>>test3.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+ mv test3.out test3.out.old
+ grep -v "^dnscap.*WARNING.*symbol.*relink" test3.out.old > test3.out
+ rm test3.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test3.out | \
+ sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+ sed 's%,CLASS512,OPT,%,512,512,%' | \
+ sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+ sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test3.new
+mv test3.new test3.out
+
+diff test3.out "$srcdir/test3.gold"
diff --git a/plugins/cryptopan/test4.sh b/plugins/cryptopan/test4.sh
new file mode 100755
index 0000000..499a86c
--- /dev/null
+++ b/plugins/cryptopan/test4.sh
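Review bot: test3.sh compares only the decrypted (`-D`) dumps against test3.gold, so a plugin that left addresses untouched in both directions would still pass; the gold file holds the clear addresses such as `[8.8.8.8].53`. If no other test covers the forward direction (test1.sh and test2.sh are not visible here), add an assertion on the intermediate capture before the `-D` runs, for example `! ../../src/dnscap -r test3.pcap.20161020.152301.075993 -g 2>&1 | grep -q '\[8\.8\.8\.8\]' || exit 1`. The constant `"some 16-byte key"` used for key, IV and padding also deserves a comment such as `# fixed test vector matching test3.gold, not a usable key`.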
@@ -0,0 +1,26 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopan.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the cryptopan plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k tooshort
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -i tooshort
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -a tooshort
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -K "$srcdir/test4.sh" -I "$srcdir/test4.sh" -A "$srcdir/test4.sh"
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -K does_not_exist
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -I does_not_exist
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -A does_not_exist
+rm -f test4.tmp
+touch test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -K test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -I test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -A test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 0
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 1
diff --git a/plugins/cryptopant/Makefile.am b/plugins/cryptopant/Makefile.am
new file mode 100644
index 0000000..3aaa44a
--- /dev/null
+++ b/plugins/cryptopant/Makefile.am
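Review bot: The `!`-prefixed negative cases in test4.sh cannot fail the test, because POSIX `sh -e` ignores the exit status of a pipeline negated with `!`; only the last line (`-p 1`) decides the script's result. If the plugin started accepting `-k tooshort` or an empty key file, the run would still be green, which matters because these cases guard key, IV and padding length. Give each case an explicit exit, e.g. `! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k tooshort || exit 1`. A crash of dnscap also counts as the expected failure here; comparing against the plugin's usage-error exit code would separate the two, assuming that code is stable.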
@@ -0,0 +1,24 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+ -I$(top_srcdir)/src \
+ -I$(top_srcdir)/isc \
+ $(SECCOMPFLAGS) $(libcrypto_CFLAGS)
+
+pkglib_LTLIBRARIES = cryptopant.la
+cryptopant_la_SOURCES = cryptopant.c
+cryptopant_la_LDFLAGS = -module -avoid-version $(libcrypto_LIBS)
+
+TESTS = test1.sh test2.sh test3.sh test4.sh
+
+EXTRA_DIST = $(TESTS) test1.gold keyfile test2.gold test3.gold
+CLEANFILES += test1.out test2.out test3.out test3.pcap.20161020.152301.075993 \
+ test3.pcap.20181127.155200.414188
+
+if ENABLE_GCOV
+gcov-local:
+ for src in $(cryptopant_la_SOURCES); do \
+ gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+ done
+endif
diff --git a/plugins/cryptopant/cryptopant.c b/plugins/cryptopant/cryptopant.c
new file mode 100644
index 0000000..6fb34ed
--- /dev/null
+++ b/plugins/cryptopant/cryptopant.c
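Review bot: `$(libcrypto_LIBS)` is passed through `cryptopant_la_LDFLAGS`, which places the libraries ahead of the objects on the libtool link line; with an `--as-needed` linker they can be dropped, and the module then fails to resolve its symbols when dnscap loads it. Libraries belong in `cryptopant_la_LIBADD = $(libcrypto_LIBS)`, leaving `cryptopant_la_LDFLAGS = -module -avoid-version`. cryptopant.c includes `<cryptopANT.h>`, yet no cryptopANT library is named in this file; presumably configure adds it to `LIBS`, which is worth confirming. The `-I` flags in `AM_CFLAGS` would conventionally go in `AM_CPPFLAGS`.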
@@ -0,0 +1,241 @@
+/*
+ * Copyright (c) 2018-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/socket.h>
+
+#include "dnscap_common.h"
+
+#if defined(HAVE_LIBCRYPTOPANT) && defined(HAVE_CRYPTOPANT_H)
+#include <cryptopANT.h>
+#define USE_CRYPTOPANT 1
+#endif
+
+static set_iaddr_t cryptopant_set_iaddr = 0;
+
+static logerr_t* logerr;
+static int only_clients = 0, only_servers = 0, dns_port = 53, pass4 = 0, pass6 = 0, decrypt = 0;
+
+enum plugin_type cryptopant_type()
+{
+ return plugin_filter;
+}
+
+void usage(const char* msg)
+{
+ fprintf(stderr, "cryptopant.so usage error: %s\n", msg);
+ exit(1);
+}
+
+void cryptopant_usage()
+{
+ fprintf(stderr,
+ "\ncryptopant.so options:\n"
+ "\t-? print these instructions and exit\n"
+ "\t-k <file> Keyfile to use (generated by scramble_ips -G)\n"
+ "\t-4 <num> pass <num> higher bits of IPv4 through unchanged\n"
+ "\t-6 <num> pass <num> higher bits of IPv6 through unchanged\n"
+ "\t-D Decrypt IP addresses\n"
+ "\t-c Only encrypt clients (port != 53)\n"
+ "\t-s Only encrypt servers (port == 53)\n"
+ "\t-p <port> Set port for -c/-s, default 53\n");
+}
+
+void cryptopant_extension(int ext, void* arg)
+{
+ switch (ext) {
+ case DNSCAP_EXT_SET_IADDR:
+ cryptopant_set_iaddr = (set_iaddr_t)arg;
+ break;
+ }
+}
+
+void cryptopant_getopt(int* argc, char** argv[])
+{
+ int c;
+ unsigned long ul;
+ char * p, *keyfile = 0;
+
+ while ((c = getopt(*argc, *argv, "?k:4:6:Dcsp:")) != EOF) {
+ switch (c) {
+ case 'k':
+ if (keyfile) {
+ free(keyfile);
+ }
+ keyfile = strdup(optarg);
+ break;
+ case '4':
+ ul = strtoul(optarg, &p, 0);
+ if (*p != '\0' || ul > 31U)
+ usage("pass IPv4 bits must be an integer 0..31");
+ pass4 = (unsigned)ul;
+ break;
+ case '6':
+ ul = strtoul(optarg, &p, 0);
+ if (*p != '\0' || ul > 127U)
+ usage("pass IPv6 bits must be an integer 0..127");
+ pass6 = (unsigned)ul;
+ break;
+ case 'D':
+ decrypt = 1;
+ break;
+ case 'c':
+ only_clients = 1;
+ break;
+ case 's':
+ only_servers = 1;
+ break;
+ case 'p':
+ ul = strtoul(optarg, &p, 0);
+ if (*p != '\0' || ul < 1U || ul > 65535U)
+ usage("port must be an integer 1..65535");
+ dns_port = (unsigned)ul;
+ break;
+ case '?':
+ cryptopant_usage();
+ if (!optopt || optopt == '?') {
+ exit(0);
+ }
+ // fallthrough
+ default:
+ exit(1);
+ }
+ }
+
+#ifdef USE_CRYPTOPANT
+ if (!keyfile) {
+ usage("must have a -k keyfile");
+ }
+
+ if (scramble_init_from_file(keyfile, SCRAMBLE_NONE, SCRAMBLE_NONE, 0)) {
+ usage("unable to initialize cryptopANT");
+ }
+#else
+ usage("no cryptopANT support built in, can't encrypt IP addresses");
+#endif
+
+ if (only_clients && only_servers) {
+ usage("-c and -s options are mutually exclusive");
+ }
+
+ if (keyfile) {
+ free(keyfile);
+ }
+}
+
+int cryptopant_start(logerr_t* a_logerr)
+{
+ logerr = a_logerr;
+ return 0;
+}
+
+void cryptopant_stop()
+{
+}
+
+int cryptopant_open(my_bpftimeval ts)
+{
+ return 0;
+}
+
+int cryptopant_close(my_bpftimeval ts)
+{
+ return 0;
+}
+
+int cryptopant_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags,
+ unsigned sport, unsigned dport, my_bpftimeval ts,
+ const u_char* pkt_copy, const unsigned olen,
+ const u_char* payload, const unsigned payloadlen)
+{
+#ifdef USE_CRYPTOPANT
+ for (;;) {
+ if (only_clients && sport == dns_port) {
+ from = 0;
+ break;
+ }
+ if (only_servers && sport != dns_port) {
+ from = 0;
+ break;
+ }
+
+ switch (from->af) {
+ case AF_INET:
+ from->u.a4.s_addr = decrypt ? unscramble_ip4(from->u.a4.s_addr, pass4) : scramble_ip4(from->u.a4.s_addr, pass4);
+ break;
+ case AF_INET6:
+ decrypt ? unscramble_ip6(&from->u.a6, pass6) : scramble_ip6(&from->u.a6, pass6);
+ break;
+ default:
+ from = 0;
+ break;
+ }
+ break;
+ }
+
+ for (;;) {
+ if (only_clients && dport == dns_port) {
+ to = 0;
+ break;
+ }
+ if (only_servers && dport != dns_port) {
+ to = 0;
+ break;
+ }
+
+ switch (to->af) {
+ case AF_INET:
+ to->u.a4.s_addr = decrypt ? unscramble_ip4(to->u.a4.s_addr, pass4) : scramble_ip4(to->u.a4.s_addr, pass4);
+ break;
+ case AF_INET6:
+ decrypt ? unscramble_ip6(&to->u.a6, pass6) : scramble_ip6(&to->u.a6, pass6);
+ break;
+ default:
+ to = 0;
+ break;
+ }
+ break;
+ }
+
+ if (cryptopant_set_iaddr && (from || to)) {
+ cryptopant_set_iaddr(from, to);
+ }
+#endif
+ return 0;
+}
diff --git a/plugins/cryptopant/keyfile b/plugins/cryptopant/keyfile
new file mode 100644
index 0000000..66e6f5c
--- /dev/null
+++ b/plugins/cryptopant/keyfile
@@ -0,0 +1 @@
+02:02:cd6adc7b7dcaf5b926c657190ab7e05a:1df8f74f976ad7ff7a443ce7d2e2ce44235fa2a7080107b19a6785698064f121::54d9e7a215dbd120f70f054a176ca398
diff --git a/plugins/cryptopant/test1.gold b/plugins/cryptopant/test1.gold
new file mode 100644
index 0000000..2201d4f
--- /dev/null
+++ b/plugins/cryptopant/test1.gold
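Review bot: cryptopant_filter() rewrites only the `from`/`to` addresses it is handed; `pkt_copy` and `payload` are const and never touched, so addresses carried inside the DNS message (reverse-lookup names, A/AAAA record data) presumably leave the plugin readable. Neither the usage text nor the code states this boundary, and anyone relying on the plugin to anonymise captures needs to know it. I would add a comment above the function, `/* Scrambles only the packet's source and destination address; names and record data in the DNS payload pass through unchanged. */`, and repeat it in the plugin's documentation. Separately, `usage()` has external linkage in a dlopen()ed module and could collide with a symbol of the same name in the host program; `static void usage(const char* msg)` avoids that.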
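Review bot: The key added in plugins/cryptopant/keyfile is public from this commit on, so any capture scrambled with it can be unscrambled by anyone holding the repository or the dist tarball (the file is listed in `EXTRA_DIST`). The bare name `keyfile` gives no hint that it is a test fixture. Renaming it to something like `test.keyfile`, or stating in the plugin's documentation that it exists only for the test suite and that real keys come from `scramble_ips -G`, would keep it from being reused as a working example.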
@@ -0,0 +1,2858 @@ +cryptopant.so usage error: must have a -k keyfile +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [143.24.244.213].53199 [108.201.214.210].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \ + [143.24.244.213].57822 [108.201.214.210].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \ + [143.24.244.213].40043 [108.201.214.210].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \ + [143.24.244.213].37953 [108.201.214.210].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \ + [143.24.244.213].48658 [108.201.214.210].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \ + [143.24.244.213].40953 [108.201.214.210].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \ + [143.24.244.213].45174 [108.201.214.210].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \ + [143.24.244.213].33916 [108.201.214.210].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \ + [143.24.244.213].43559 [108.201.214.210].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \ + [143.24.244.213].54859 [108.201.214.210].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \ + [143.24.244.213].58176 [108.201.214.210].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \ + [143.24.244.213].41266 [108.201.214.210].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \ + [143.24.244.213].34607 [108.201.214.210].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \ + [143.24.244.213].60437 [108.201.214.210].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \ + [143.24.244.213].37149 [108.201.214.210].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \ + [143.24.244.213].53820 [108.201.214.210].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \ + [143.24.244.213].52368 [108.201.214.210].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \ + [143.24.244.213].47637 [108.201.214.210].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \ + [143.24.244.213].34426 [108.201.214.210].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \ + [143.24.244.213].41059 [108.201.214.210].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \ + [143.24.244.213].51181 [108.201.214.210].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \ + [143.24.244.213].32976 [108.201.214.210].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \ + [143.24.244.213].53467 [108.201.214.210].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \ + [143.24.244.213].41532 [108.201.214.210].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \ + [143.24.244.213].44982 [108.201.214.210].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \ + [143.24.244.213].40224 [108.201.214.210].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \ + [143.24.244.213].45658 [108.201.214.210].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \ + [143.24.244.213].60457 [108.201.214.210].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \ + [143.24.244.213].59762 [108.201.214.210].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \ + [143.24.244.213].56022 [108.201.214.210].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \ + [143.24.244.213].37669 [108.201.214.210].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \ + [143.24.244.213].42978 [108.201.214.210].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \ + [143.24.244.213].49829 [108.201.214.210].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \ + [143.24.244.213].50599 [108.201.214.210].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \ + [143.24.244.213].44980 [108.201.214.210].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \ + [143.24.244.213].60063 [108.201.214.210].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \ + [143.24.244.213].42042 [108.201.214.210].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \ + [143.24.244.213].60469 [108.201.214.210].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \ + [143.24.244.213].45703 [108.201.214.210].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \ + [143.24.244.213].33507 [108.201.214.210].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \ + [143.24.244.213].46798 [108.201.214.210].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \ + [108.201.214.210].53 [143.24.244.213].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [172.24.244.213].53199 [8.201.214.210].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \ + [172.24.244.213].57822 [8.201.214.210].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \ + [172.24.244.213].40043 [8.201.214.210].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \ + [172.24.244.213].37953 [8.201.214.210].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \ + [172.24.244.213].48658 [8.201.214.210].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \ + [172.24.244.213].40953 [8.201.214.210].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \ + [172.24.244.213].45174 [8.201.214.210].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \ + [172.24.244.213].33916 [8.201.214.210].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \ + [172.24.244.213].43559 [8.201.214.210].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \ + [172.24.244.213].54859 [8.201.214.210].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \ + [172.24.244.213].58176 [8.201.214.210].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \ + [172.24.244.213].41266 [8.201.214.210].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \ + [172.24.244.213].34607 [8.201.214.210].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \ + [172.24.244.213].60437 [8.201.214.210].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \ + [172.24.244.213].37149 [8.201.214.210].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \ + [172.24.244.213].53820 [8.201.214.210].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \ + [172.24.244.213].52368 [8.201.214.210].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \ + [172.24.244.213].47637 [8.201.214.210].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \ + [172.24.244.213].34426 [8.201.214.210].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \ + [172.24.244.213].41059 [8.201.214.210].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \ + [172.24.244.213].51181 [8.201.214.210].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \ + [172.24.244.213].32976 [8.201.214.210].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \ + [172.24.244.213].53467 [8.201.214.210].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \ + [172.24.244.213].41532 [8.201.214.210].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \ + [172.24.244.213].44982 [8.201.214.210].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \ + [172.24.244.213].40224 [8.201.214.210].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \ + [172.24.244.213].45658 [8.201.214.210].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \ + [172.24.244.213].60457 [8.201.214.210].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \ + [172.24.244.213].59762 [8.201.214.210].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \ + [172.24.244.213].56022 [8.201.214.210].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \ + [172.24.244.213].37669 [8.201.214.210].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \ + [172.24.244.213].42978 [8.201.214.210].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \ + [172.24.244.213].49829 [8.201.214.210].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \ + [172.24.244.213].50599 [8.201.214.210].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \ + [172.24.244.213].44980 [8.201.214.210].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \ + [172.24.244.213].60063 [8.201.214.210].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \ + [172.24.244.213].42042 [8.201.214.210].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \ + [172.24.244.213].60469 [8.201.214.210].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \ + [172.24.244.213].45703 [8.201.214.210].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \ + [172.24.244.213].33507 [8.201.214.210].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \ + [172.24.244.213].46798 [8.201.214.210].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \ + [8.201.214.210].53 [172.24.244.213].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [143.24.244.213].53199 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \ + [143.24.244.213].57822 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \ + [143.24.244.213].40043 [8.8.8.8].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \ + [143.24.244.213].37953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \ + [143.24.244.213].48658 [8.8.8.8].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \ + [143.24.244.213].40953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \ + [143.24.244.213].45174 [8.8.8.8].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \ + [143.24.244.213].33916 [8.8.8.8].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \ + [143.24.244.213].43559 [8.8.8.8].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \ + [143.24.244.213].54859 [8.8.8.8].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \ + [143.24.244.213].58176 [8.8.8.8].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \ + [143.24.244.213].41266 [8.8.8.8].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \ + [143.24.244.213].34607 [8.8.8.8].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \ + [143.24.244.213].60437 [8.8.8.8].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \ + [143.24.244.213].37149 [8.8.8.8].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \ + [143.24.244.213].53820 [8.8.8.8].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \ + [143.24.244.213].52368 [8.8.8.8].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \ + [143.24.244.213].47637 [8.8.8.8].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \ + [143.24.244.213].34426 [8.8.8.8].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \ + [143.24.244.213].41059 [8.8.8.8].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \ + [143.24.244.213].51181 [8.8.8.8].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \ + [143.24.244.213].32976 [8.8.8.8].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \ + [143.24.244.213].53467 [8.8.8.8].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \ + [143.24.244.213].41532 [8.8.8.8].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \ + [143.24.244.213].44982 [8.8.8.8].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \ + [143.24.244.213].40224 [8.8.8.8].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \ + [143.24.244.213].45658 [8.8.8.8].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \ + [143.24.244.213].60457 [8.8.8.8].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \ + [143.24.244.213].59762 [8.8.8.8].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \ + [143.24.244.213].56022 [8.8.8.8].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \ + [143.24.244.213].37669 [8.8.8.8].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \ + [143.24.244.213].42978 [8.8.8.8].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \ + [143.24.244.213].49829 [8.8.8.8].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \ + [143.24.244.213].50599 [8.8.8.8].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \ + [143.24.244.213].44980 [8.8.8.8].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \ + [143.24.244.213].60063 [8.8.8.8].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \ + [143.24.244.213].42042 [8.8.8.8].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \ + [143.24.244.213].60469 [8.8.8.8].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \ + [143.24.244.213].45703 [8.8.8.8].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \ + [143.24.244.213].33507 [8.8.8.8].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \ + [143.24.244.213].46798 [8.8.8.8].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \ + [8.8.8.8].53 [143.24.244.213].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [172.17.0.10].53199 [108.201.214.210].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \ + [172.17.0.10].57822 [108.201.214.210].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \ + [172.17.0.10].40043 [108.201.214.210].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \ + [172.17.0.10].37953 [108.201.214.210].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \ + [172.17.0.10].48658 [108.201.214.210].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \ + [172.17.0.10].40953 [108.201.214.210].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \ + [172.17.0.10].45174 [108.201.214.210].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \ + [172.17.0.10].33916 [108.201.214.210].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \ + [172.17.0.10].43559 [108.201.214.210].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \ + [172.17.0.10].54859 [108.201.214.210].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \ + [172.17.0.10].58176 [108.201.214.210].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \ + [172.17.0.10].41266 [108.201.214.210].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \ + [172.17.0.10].34607 [108.201.214.210].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \ + [172.17.0.10].60437 [108.201.214.210].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \ + [172.17.0.10].37149 [108.201.214.210].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \ + [172.17.0.10].53820 [108.201.214.210].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \ + [172.17.0.10].52368 [108.201.214.210].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \ + [172.17.0.10].47637 [108.201.214.210].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \ + [172.17.0.10].34426 [108.201.214.210].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \ + [172.17.0.10].41059 [108.201.214.210].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \ + [172.17.0.10].51181 [108.201.214.210].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \ + [172.17.0.10].32976 [108.201.214.210].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \ + [172.17.0.10].53467 [108.201.214.210].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \ + [172.17.0.10].41532 [108.201.214.210].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \ + [172.17.0.10].44982 [108.201.214.210].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \ + [172.17.0.10].40224 [108.201.214.210].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \ + [172.17.0.10].45658 [108.201.214.210].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \ + [172.17.0.10].60457 [108.201.214.210].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \ + [172.17.0.10].59762 [108.201.214.210].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \ + [172.17.0.10].56022 [108.201.214.210].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \ + [172.17.0.10].37669 [108.201.214.210].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \ + [172.17.0.10].42978 [108.201.214.210].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \ + [172.17.0.10].49829 [108.201.214.210].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \ + [172.17.0.10].50599 [108.201.214.210].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \ + [172.17.0.10].44980 [108.201.214.210].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \ + [172.17.0.10].60063 [108.201.214.210].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \ + [172.17.0.10].42042 [108.201.214.210].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \ + [172.17.0.10].60469 [108.201.214.210].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \ + [172.17.0.10].45703 [108.201.214.210].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \ + [172.17.0.10].33507 [108.201.214.210].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \ + [172.17.0.10].46798 [108.201.214.210].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \ + [108.201.214.210].53 [172.17.0.10].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +cryptopant.so usage error: -c and -s options are mutually exclusive 
diff --git a/plugins/cryptopant/test1.sh b/plugins/cryptopant/test1.sh
new file mode 100755
index 0000000..cb632cf
--- /dev/null
+++ b/plugins/cryptopant/test1.sh
@@ -0,0 +1,31 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopant.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the cryptopant plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out || true
+if grep -q "no cryptopANT support built in" test1.out 2>/dev/null; then
+ echo "No cryptopANT support, skipping tests"
+ exit 0
+fi
+
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -4 8 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -c 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -s 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -c -s 2>>test1.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+ mv test1.out test1.out.old
+ grep -v "^dnscap.*WARNING.*symbol.*relink" test1.out.old > test1.out
+ rm test1.out.old
+fi
+
+diff test1.out "$srcdir/test1.gold"
diff --git a/plugins/cryptopant/test2.gold b/plugins/cryptopant/test2.gold
new file mode 100644
index 0000000..60525e4
--- /dev/null
+++ b/plugins/cryptopant/test2.gold
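Review bot: The two negated invocations in test1.sh (`! ../../src/dnscap ... -P "$plugin" 2>test1.out` with no key, and the `-c -s` line) assert nothing about the exit status, because a pipeline prefixed with `!` is exempt from `sh -e`; if dnscap returned 0 there the script would simply continue. The only remaining check is the final `diff` against test1.gold, which compares the stderr text but not whether the plugin actually refused to run. These look like the cases where the anonymization plugin is expected to reject its options, so the refusal should be asserted explicitly, e.g. `if ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out; then exit 1; fi`, and the same form with `2>>test1.out` for the `-c -s` line.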
@@ -0,0 +1,33 @@ +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [2a01:3a0:52c7:8483:3fd2:892c:443c:197e].51972 [2001:48e7:eb7b:8330:a6b3:e29f:c7a1:a114].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [2001:48e7:eb7b:8330:a6b3:e29f:c7a1:a114].53 [2a01:3a0:52c7:8483:3fd2:892c:443c:197e].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [f97c:c1a0:52c7:8483:3fd2:892c:443c:197e].51972 [2001:4860:4860::8888].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [2001:4860:4860::8888].53 [f97c:c1a0:52c7:8483:3fd2:892c:443c:197e].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [2a01:3f0:0:57::245].51972 [f29a:ede7:eb7b:8330:a6b3:e29f:c7a1:a114].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [f29a:ede7:eb7b:8330:a6b3:e29f:c7a1:a114].53 [2a01:3f0:0:57::245].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] diff --git a/plugins/cryptopant/test2.sh b/plugins/cryptopant/test2.sh new file mode 100755 index 0000000..9d50269 --- /dev/null +++ b/plugins/cryptopant/test2.sh 
@@ -0,0 +1,37 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopant.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the cryptopant plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" 2>test2.out || true
+if grep -q "no cryptopANT support built in" test2.out 2>/dev/null; then
+ echo "No cryptopANT support, skipping tests"
+ exit 0
+fi
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" 2>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -6 24 2>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -c 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -s 2>>test2.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+ mv test2.out test2.out.old
+ grep -v "^dnscap.*WARNING.*symbol.*relink" test2.out.old > test2.out
+ rm test2.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test2.out | \
+ sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+ sed 's%,CLASS512,OPT,%,512,512,%' | \
+ sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+ sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
+mv test2.new test2.out
+
+diff test2.out "$srcdir/test2.gold"
diff --git a/plugins/cryptopant/test3.gold b/plugins/cryptopant/test3.gold
new file mode 100644
index 0000000..afd1d7d
--- /dev/null
+++ b/plugins/cryptopant/test3.gold
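Review bot: The `-6 24` invocation in test2.sh redirects with `2>test2.out`, which truncates the file and throws away the output of the preceding default `-k "$srcdir/keyfile"` run, so the full-address IPv6 anonymization path is never compared with the gold file. The test2.gold added in this commit holds three 11-line blocks (33 lines) for four keyed invocations, which is consistent with the first run being lost. Change that line to end in `2>>test2.out` and regenerate test2.gold so the default run is covered as well.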
@@ -0,0 +1,725 @@ +[56] 2016-10-20 15:23:01.075993 [#0 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].53199 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].57822 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].40043 [8.8.8.8].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].37953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].48658 [8.8.8.8].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].40953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].45174 [8.8.8.8].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].33916 [8.8.8.8].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].43559 [8.8.8.8].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].54859 [8.8.8.8].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].58176 [8.8.8.8].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].41266 [8.8.8.8].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].34607 [8.8.8.8].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].60437 [8.8.8.8].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].37149 [8.8.8.8].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].53820 [8.8.8.8].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].52368 [8.8.8.8].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].47637 [8.8.8.8].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].34426 [8.8.8.8].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].41059 [8.8.8.8].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].51181 [8.8.8.8].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].32976 [8.8.8.8].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].53467 [8.8.8.8].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].41532 [8.8.8.8].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].44982 [8.8.8.8].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].40224 [8.8.8.8].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].45658 [8.8.8.8].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].60457 [8.8.8.8].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].59762 [8.8.8.8].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].56022 [8.8.8.8].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].37669 [8.8.8.8].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].42978 [8.8.8.8].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].49829 [8.8.8.8].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].50599 [8.8.8.8].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].44980 [8.8.8.8].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].60063 [8.8.8.8].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].42042 [8.8.8.8].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].60469 [8.8.8.8].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].45703 [8.8.8.8].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].33507 [8.8.8.8].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].46798 [8.8.8.8].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +[87] 2018-11-27 15:52:00.414188 [#0 test3.pcap.20181127.155200.414188 4095] \ + [2a01:3f0:0:57::245].51972 [2001:4860:4860::8888].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 test3.pcap.20181127.155200.414188 4095] \ + [2001:4860:4860::8888].53 [2a01:3f0:0:57::245].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] diff --git a/plugins/cryptopant/test3.sh b/plugins/cryptopant/test3.sh new file mode 100755 index 0000000..1ebb524 --- /dev/null +++ b/plugins/cryptopant/test3.sh 
@@ -0,0 +1,38 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopant.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the cryptopant plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test3.out || true
+if grep -q "no cryptopANT support built in" test3.out 2>/dev/null; then
+ echo "No cryptopANT support, skipping tests"
+ exit 0
+fi
+
+../../src/dnscap -w test3.pcap -r dns.pcap-dist -P "$plugin" -k "$srcdir/keyfile" 2>test3.out
+../../src/dnscap -w test3.pcap -r dns6.pcap-dist -P "$plugin" -k "$srcdir/keyfile" 2>>test3.out
+../../src/dnscap -r test3.pcap.20161020.152301.075993 -g -P "$plugin" -k "$srcdir/keyfile" -D 2>>test3.out
+../../src/dnscap -r test3.pcap.20181127.155200.414188 -g -P "$plugin" -k "$srcdir/keyfile" -D 2>>test3.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+ mv test3.out test3.out.old
+ grep -v "^dnscap.*WARNING.*symbol.*relink" test3.out.old > test3.out
+ rm test3.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test3.out | \
+ sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+ sed 's%,CLASS512,OPT,%,512,512,%' | \
+ sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+ sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test3.new
+mv test3.new test3.out
+
+diff test3.out "$srcdir/test3.gold"
diff --git a/plugins/cryptopant/test4.sh b/plugins/cryptopant/test4.sh
new file mode 100755
index 0000000..986d120
--- /dev/null
+++ b/plugins/cryptopant/test4.sh
@@ -0,0 +1,22 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopant.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the cryptopant plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+# ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out || true
+# if grep -q "no cryptopANT support built in" test1.out 2>/dev/null; then
+# echo "No cryptopANT support, skipping tests"
+# exit 0
+# fi
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 0
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 1
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 99
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -6 999
diff --git a/plugins/eventlog/Makefile.am b/plugins/eventlog/Makefile.am
new file mode 100644
index 0000000..e29af63
--- /dev/null
+++ b/plugins/eventlog/Makefile.am
@@ -0,0 +1,22 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+ -I$(top_srcdir)/src \
+ -I$(top_srcdir)/isc \
+ $(SECCOMPFLAGS)
+
+pkglib_LTLIBRARIES = eventlog.la
+eventlog_la_SOURCES = eventlog.c
+eventlog_la_LDFLAGS = -module -avoid-version
+
+TESTS = test1.sh
+EXTRA_DIST = $(TESTS)
+CLEANFILES += test1.out *.pcap-dist
+
+if ENABLE_GCOV
+gcov-local:
+ for src in $(eventlog_la_SOURCES); do \
+ gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+ done
+endif
diff --git a/plugins/eventlog/eventlog.c b/plugins/eventlog/eventlog.c
new file mode 100644
index 0000000..93d0d15
--- /dev/null
+++ b/plugins/eventlog/eventlog.c
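Review bot: In plugins/cryptopant/test4.sh the five `! ../../src/dnscap …` lines do not assert what they appear to: POSIX `sh -e` ignores the exit status of a pipeline negated with `!`, so a dnscap run that wrongly accepts `-X`, `-p 0`, `-p 1` or `-4 99` does not stop the script, and only the final `-6 999` line can fail the test, through the script's exit status. Write each negative case so that a success is fatal, e.g. `if ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X; then exit 1; fi`. The same applies to the `! … -X` line in plugins/eventlog/test1.sh later in this diff, where the commands that follow it hide the result entirely. It is also worth putting `set -xe` in the script body, since options on the `#!/bin/sh -xe` line are lost if the script is ever run as `sh test4.sh`.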
@@ -0,0 +1,425 @@
+/* eventlog.c
+ *
+ * Byron Darrah - May 20, 2020
+ * Version 1.0
+ *
+ * This is a plugin for dnscap, based on the txtout plugin.
+ *
+ * This plugin generates one line of output for each packet, with a human-
+ * readable timestamp, and includes the results of A and AAAA queries (which
+ * is either a list of IP addresses, or an NXDOMAIN flag).
+ *
+ * Below is the original copyright notice from txtout.c.
+ */
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <ctype.h>
+#include <errno.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <ldns/ldns.h>
+
+#include "dnscap_common.h"
+
+static logerr_t* logerr;
+static char* opt_o = NULL;
+static int opt_s = 0;
+static FILE* out = 0;
+static int opt_t = 0;
+static char* opt_n = NULL;
+
+output_t eventlog_output;
+
+void eventlog_usage()
+{
+ fprintf(stderr,
+ "\neventlog.so options:\n"
+ " -? print these instructions and exit\n"
+ " -o <arg> output file name\n"
+ " -s short output, only QTYPE/QNAME for IN\n"
+ " -t prefix event messages with DNS packet timestamp\n"
+ " -n <arg> include name with each event message\n\n"
+ "Produces a line of text per packet suitable for event logging,\n"
+ "including IP addresses from query responses.\n");
+}
+
+void eventlog_getopt(int* argc, char** argv[])
+{
+ /*
+ * The "getopt" function will be called from the parent to
+ * process plugin options.
+ */
+ int c;
+ while ((c = getopt(*argc, *argv, "?so:tn:")) != EOF) {
+ switch (c) {
+ case 'o':
+ if (opt_o)
+ free(opt_o);
+ opt_o = strdup(optarg);
+ break;
+ case 's':
+ opt_s = 1;
+ break;
+ case 't':
+ opt_t = 1;
+ break;
+ case 'n':
+ opt_n = strdup(optarg);
+ break;
+ case '?':
+ eventlog_usage();
+ if (!optopt || optopt == '?') {
+ exit(0);
+ }
+ // fallthrough
+ default:
+ exit(1);
+ }
+ }
+}
+
+int eventlog_start(logerr_t* a_logerr)
+{
+ /*
+ * The "start" function is called once, when the program
+ * starts. It is used to initialize the plugin. If the
+ * plugin wants to write debugging and or error messages,
+ * it should save the a_logerr pointer passed from the
+ * parent code.
+ */
+ logerr = a_logerr;
+ if (opt_o) {
+ out = fopen(opt_o, "a");
+ if (0 == out) {
+ logerr("%s: %s\n", opt_o, strerror(errno));
+ exit(1);
+ }
+ } else {
+ out = stdout;
+ }
+ setbuf(out, 0);
+
+ if (opt_t) {
+ time_t curtime;
+ char time_text[25];
+ struct tm res;
+ curtime = time(NULL);
+ if (strftime(time_text, 25, "%G %m/%d %T", localtime_r(&curtime, &res)) > 0) {
+ fprintf(out, "%s ", time_text);
+ } else {
+ fprintf(out, "**ERROR reading time** ");
+ }
+ }
+ if (opt_n) {
+ fprintf(out, "%s ", opt_n);
+ }
+ fprintf(out, "DNS event logging started.\n");
+
+ return 0;
+}
+
+void eventlog_stop()
+{
+ /*
+ * The "start" function is called once, when the program
+ * is exiting normally. It might be used to clean up state,
+ * free memory, etc.
+ */
+ if (out != stdout)
+ fclose(out);
+}
+
+int eventlog_open(my_bpftimeval ts)
+{
+ /*
+ * The "open" function is called at the start of each
+ * collection interval, which might be based on a period
+ * of time or a number of packets. In the original code,
+ * this is where we opened an output pcap file.
+ */
+ return 0;
+}
+
+int eventlog_close(my_bpftimeval ts)
+{
+ /*
+ * The "close" function is called at the end of each
+ * collection interval, which might be based on a period
+ * of time or on a number of packets. In the original code
+ * this is where we closed an output pcap file.
+ */
+ return 0;
+}
+
+ia_str_t ia_str = 0;
+tcpstate_getcurr_t tcpstate_getcurr = 0;
+tcpstate_reset_t tcpstate_reset = 0;
+
+void eventlog_extension(int ext, void* arg)
+{
+ switch (ext) {
+ case DNSCAP_EXT_IA_STR:
+ ia_str = (ia_str_t)arg;
+ break;
+ case DNSCAP_EXT_TCPSTATE_GETCURR:
+ tcpstate_getcurr = (tcpstate_getcurr_t)arg;
+ break;
+ case DNSCAP_EXT_TCPSTATE_RESET:
+ tcpstate_reset = (tcpstate_reset_t)arg;
+ break;
+ }
+}
+
+static void eventlog_output_ipbytes(size_t len, const uint8_t* data)
+{
+
+ /* If there are 4 bytes, print them as an IPv4 address. */
+ if (len == 4) {
+ fprintf(out, "%u.%u.%u.%u", data[0], data[1], data[2], data[3]);
+ }
+
+ /* If there are 16 bytes, print them as an IPv6 address. */
+ else if (len == 16) {
+ /* If there are 16 bytes, print them as an IPv6 address. */
+ fprintf(out, "%x:%x:%x:%x:%x:%x:%x:%x",
+ ((unsigned int)data[0]) << 8 | data[1],
+ ((unsigned int)data[2]) << 8 | data[3],
+ ((unsigned int)data[4]) << 8 | data[5],
+ ((unsigned int)data[6]) << 8 | data[7],
+ ((unsigned int)data[8]) << 8 | data[9],
+ ((unsigned int)data[10]) << 8 | data[11],
+ ((unsigned int)data[12]) << 8 | data[13],
+ ((unsigned int)data[14]) << 8 | data[15]);
+ }
+}
+
+void eventlog_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
+ unsigned sport, unsigned dport, my_bpftimeval ts,
+ const u_char* pkt_copy, unsigned olen,
+ const u_char* payload, unsigned payloadlen)
+{
+
+ /* Do not output anything if there is no DNS info to report. */
+ if (!(flags & DNSCAP_OUTPUT_ISDNS)) {
+ return;
+ }
+ ldns_pkt* pkt;
+ if (ldns_wire2pkt(&pkt, payload, payloadlen) != LDNS_STATUS_OK) {
+ if (tcpstate_getcurr && tcpstate_reset)
+ tcpstate_reset(tcpstate_getcurr(), "");
+ return;
+ }
+ ldns_buffer* buf = ldns_buffer_new(512);
+ if (!buf) {
+ logerr("out of memmory\n");
+ exit(1);
+ }
+
+ /*
+ * Output the packet timestamp
+ */
+ if (opt_t) {
+ char time_text[25];
+ struct tm res;
+ if (strftime(time_text, 25, "%G %m/%d %T", localtime_r(&ts.tv_sec, &res)) > 0) {
+ fprintf(out, "%s ", time_text);
+ } else {
+ fprintf(out, "**ERROR reading packet time** ");
+ }
+ }
+ if (opt_n) {
+ fprintf(out, "%s ", opt_n);
+ }
+
+ /*
+ * Short output, only print QTYPE and QNAME for IN records
+ */
+ if (opt_s) {
+ ldns_rr_list* qds = ldns_pkt_question(pkt);
+ if (qds) {
+ ldns_rr* qd = ldns_rr_list_rr(qds, 0);
+
+ if (qd && ldns_rr_get_class(qd) == LDNS_RR_CLASS_IN) {
+ if (ldns_rr_type2buffer_str(buf, ldns_rr_get_type(qd)) == LDNS_STATUS_OK) {
+ fprintf(out, "%s", (char*)ldns_buffer_begin(buf));
+ } else {
+ fprintf(out, "ERR");
+ }
+
+ ldns_buffer_clear(buf);
+ if (ldns_rdf2buffer_str(buf, ldns_rr_owner(qd)) == LDNS_STATUS_OK) {
+ fprintf(out, " %s\n", (char*)ldns_buffer_begin(buf));
+ } else {
+ fprintf(out, "ERR\n");
+ }
+ }
+ }
+ ldns_pkt_free(pkt);
+ ldns_buffer_free(buf);
+ return;
+ }
+
+ /*
+ * IP Stuff
+ */
+ fprintf(out, "src=%s spt=%u ", ia_str(from), sport);
+ fprintf(out, "dst=%s dpt=%u ", ia_str(to), dport);
+ switch (proto) {
+ case 17:
+ fprintf(out, "proto=UDP");
+ break;
+ case 6:
+ fprintf(out, "proto=TCP");
+ break;
+ default:
+ fprintf(out, "proto=%hhu", proto);
+ break;
+ }
+
+ /*
+ * DNS Header
+ */
+ fprintf(out, " mid=%u", ldns_pkt_id(pkt));
+ fprintf(out, " op=%u", ldns_pkt_get_opcode(pkt));
+ fprintf(out, " fl=|");
+ if (ldns_pkt_qr(pkt))
+ fprintf(out, "QR|");
+ if (ldns_pkt_aa(pkt))
+ fprintf(out, "AA|");
+ if (ldns_pkt_tc(pkt))
+ fprintf(out, "TC|");
+ if (ldns_pkt_rd(pkt))
+ fprintf(out, "RD|");
+ if (ldns_pkt_ra(pkt))
+ fprintf(out, "RA|");
+ if (ldns_pkt_ad(pkt))
+ fprintf(out, "AD|");
+ if (ldns_pkt_cd(pkt))
+ fprintf(out, "CD|");
+ switch (ldns_pkt_get_rcode(pkt)) {
+ case LDNS_RCODE_NOERROR:
+ fprintf(out, " rc=OK");
+ break;
+ case LDNS_RCODE_NXDOMAIN:
+ fprintf(out, " rc=NXDOMAIN");
+ break;
+ case LDNS_RCODE_SERVFAIL:
+ fprintf(out, " rc=SRVFAIL");
+ break;
+ default:
+ fprintf(out, " rc=%u", ldns_pkt_get_rcode(pkt));
+ break;
+ }
+
+ ldns_rr_list* qds = ldns_pkt_question(pkt);
+ ldns_rr* qd;
+ if (qds && (qd = ldns_rr_list_rr(qds, 0))) {
+ if (ldns_rr_class2buffer_str(buf, ldns_rr_get_class(qd)) == LDNS_STATUS_OK) {
+ fprintf(out, " cl=%s", (char*)ldns_buffer_begin(buf));
+ } else {
+ fprintf(out, " **ERROR parsing response record**\n");
+ ldns_pkt_free(pkt);
+ ldns_buffer_free(buf);
+ return;
+ }
+
+ ldns_buffer_clear(buf);
+ if (ldns_rr_type2buffer_str(buf, ldns_rr_get_type(qd)) == LDNS_STATUS_OK) {
+ fprintf(out, " tp=%s", (char*)ldns_buffer_begin(buf));
+ } else {
+ fprintf(out, " **ERROR parsing response record**\n");
+ ldns_pkt_free(pkt);
+ ldns_buffer_free(buf);
+ return;
+ }
+
+ ldns_buffer_clear(buf);
+ if (ldns_rdf2buffer_str(buf, ldns_rr_owner(qd)) == LDNS_STATUS_OK) {
+ fprintf(out, " name=%s\n", (char*)ldns_buffer_begin(buf));
+ } else {
+ fprintf(out, " **ERROR parsing response record**\n");
+ ldns_pkt_free(pkt);
+ ldns_buffer_free(buf);
+ return;
+ }
+ }
+
+ /* output the query answers */
+ ldns_rr_list* ans = ldns_pkt_answer(pkt);
+ if (ans) {
+ const char* delim = " ans=";
+ size_t i, n;
+ for (i = 0, n = ldns_rr_list_rr_count(ans); i < n; i++) {
+ ldns_rr* rr = ldns_rr_list_rr(ans, i);
+
+ if (rr) {
+ switch (ldns_rr_get_type(rr)) {
+ case LDNS_RR_TYPE_A:
+ case LDNS_RR_TYPE_AAAA: {
+ ldns_rdf* rdf = ldns_rr_rdf(rr, 0);
+ if (rdf) {
+ fprintf(out, "%s", delim);
+ delim = ",";
+ eventlog_output_ipbytes(ldns_rdf_size(rdf), ldns_rdf_data(rdf));
+ continue;
+ }
+ break;
+ }
+ default:
+ continue;
+ }
+ }
+
+ fprintf(out, " **ERROR parsing response record**\n");
+ ldns_pkt_free(pkt);
+ ldns_buffer_free(buf);
+ return;
+ }
+ }
+
+ /*
+ * Done
+ */
+ fprintf(out, "\n");
+ ldns_pkt_free(pkt);
+ ldns_buffer_free(buf);
+}
diff --git a/plugins/eventlog/test1.sh b/plugins/eventlog/test1.sh
new file mode 100755
index 0000000..7dda20e
--- /dev/null
+++ b/plugins/eventlog/test1.sh
@@ -0,0 +1,22 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'eventlog.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the eventlog plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+ln -fs "$srcdir/../../src/test/dnso1tcp.pcap" dnso1tcp.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin"
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -o test1.out -o test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -s
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -t
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -n test
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin"
+../../src/dnscap -T -r dnso1tcp.pcap-dist -g -P "$plugin"
diff --git a/plugins/ipcrypt/Makefile.am b/plugins/ipcrypt/Makefile.am
new file mode 100644
index 0000000..64effb7
--- /dev/null
+++ b/plugins/ipcrypt/Makefile.am
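Review bot: In eventlog_output (plugins/eventlog/eventlog.c) the `-t` timestamp and `-n` name are written before the `opt_s` branch, but that branch prints a newline only when the first question is class IN, so with `-s` any other packet leaves a dangling prefix that the next record is appended to. The long format looks mis-framed as well: `fprintf(out, " name=%s\n", …)` ends the line before the ` ans=` list and the closing `fprintf(out, "\n")`, which splits one event over two lines and contradicts the one-line-per-packet description in the file header; `" name=%s"` is presumably what was meant. For a log that downstream tooling parses line by line, write the prefix only once the record is known to be printed, so every record is exactly one terminated line. Separately, both `strftime` calls use `%G` (the ISO 8601 week-based year) next to `%m/%d`, which gives the wrong year for dates around 1 January; `%Y` is the calendar year.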
@@ -0,0 +1,24 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+ -I$(top_srcdir)/src \
+ -I$(top_srcdir)/isc \
+ $(SECCOMPFLAGS)
+
+pkglib_LTLIBRARIES = ipcrypt.la
+ipcrypt_la_SOURCES = ipcrypt.c
+ipcrypt_la_LDFLAGS = -module -avoid-version
+
+TESTS = test1.sh test2.sh test3.sh test4.sh
+
+EXTRA_DIST = $(TESTS) test1.gold test2.gold test3.gold
+CLEANFILES += test1.out test2.out test3.out test3.pcap.20161020.152301.075993 \
+ test3.pcap.20181127.155200.414188 test4.tmp
+
+if ENABLE_GCOV
+gcov-local:
+ for src in $(ipcrypt_la_SOURCES); do \
+ gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+ done
+endif
diff --git a/plugins/ipcrypt/ipcrypt.c b/plugins/ipcrypt/ipcrypt.c
new file mode 100644
index 0000000..2fadcf4
--- /dev/null
+++ b/plugins/ipcrypt/ipcrypt.c
@@ -0,0 +1,351 @@
+/*
+ * Copyright (c) 2018-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */ + +#include "config.h" + +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <string.h> +#include <sys/socket.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> + +#include "dnscap_common.h" + +static set_iaddr_t ipcrypt_set_iaddr = 0; + +static logerr_t* logerr; +static int only_clients = 0, only_servers = 0, dns_port = 53, iterations = 1, encrypt_v6 = 0, decrypt = 0; +static uint8_t key[16]; + +/* + * ipcrypt based on Python and Go code at https://github.com/veorq/ipcrypt + * by Jean-Philippe Aumasson jeanphilippe.aumasson@gmail.com + */ + +static inline uint8_t rotl(uint8_t b, int r) +{ + return (b << r) | (b >> (8 - r)); +} + +static inline void permute_fwd(uint8_t* state) +{ + state[0] += state[1]; + state[2] += state[3]; + state[1] = rotl(state[1], 2) ^ state[0]; + state[3] = rotl(state[3], 5) ^ state[2]; + // state[1] ^= state[0]; + // state[3] ^= state[2]; + state[0] = rotl(state[0], 4) + state[3]; + // state[0] += state[3]; + state[2] += state[1]; + state[1] = rotl(state[1], 3) ^ state[2]; + state[3] = rotl(state[3], 7) ^ state[0]; + // state[1] ^= state[2]; + // state[3] ^= state[0]; + state[2] = rotl(state[2], 4); +} + +static inline void permute_bwd(uint8_t* state) +{ + state[2] = rotl(state[2], 4); + state[1] ^= state[2]; + state[3] ^= state[0]; + state[1] = rotl(state[1], 5); + state[3] = rotl(state[3], 1); + state[0] -= state[3]; + state[2] -= state[1]; + state[0] = rotl(state[0], 4); + state[1] ^= state[0]; + state[3] ^= state[2]; + state[1] = rotl(state[1], 6); + state[3] = rotl(state[3], 3); + state[0] -= state[1]; + state[2] -= state[3]; +} + +static inline void xor4(uint8_t* x, uint8_t* y) +{ + *(uint32_t*)x ^= *(uint32_t*)y; + // x[0] ^= y[0]; + // x[1] ^= y[1]; + // x[2] ^= y[2]; + // x[3] ^= y[3]; +} + +static inline void _encrypt(uint8_t* ip) +{ + int i = iterations; + for (; i; i--) { + xor4(ip, key); + permute_fwd(ip); + xor4(ip, &key[4]); + permute_fwd(ip); + xor4(ip, &key[8]); + 
permute_fwd(ip); + xor4(ip, &key[12]); + } +} + +static inline void _decrypt(uint8_t* ip) +{ + int i = iterations; + for (; i; i--) { + xor4(ip, &key[12]); + permute_bwd(ip); + xor4(ip, &key[8]); + permute_bwd(ip); + xor4(ip, &key[4]); + permute_bwd(ip); + xor4(ip, key); + } +} + +enum plugin_type ipcrypt_type() +{ + return plugin_filter; +} + +void usage(const char* msg) +{ + fprintf(stderr, "ipcrypt.so usage error: %s\n", msg); + exit(1); +} + +void ipcrypt_usage() +{ + fprintf(stderr, + "\nipcrypt.so options:\n" + "\t-? print these instructions and exit\n" + "\t-k <key> A 16 character long key\n" + "\t-f <file> Read the 16 first bytes from file and use as key\n" + "\t-D Decrypt IP addresses\n" + "\t-c Only en/de-crypt clients (port != 53)\n" + "\t-s Only en/de-crypt servers (port == 53)\n" + "\t-p <port> Set port for -c/-s, default 53\n" + "\t-i <num> Number of en/de-cryption iterations, default 1\n" + "\t-6 En/de-crypt IPv6 addresses, not default or recommended\n"); +} + +void ipcrypt_extension(int ext, void* arg) +{ + switch (ext) { + case DNSCAP_EXT_SET_IADDR: + ipcrypt_set_iaddr = (set_iaddr_t)arg; + break; + } +} + +void ipcrypt_getopt(int* argc, char** argv[]) +{ + int c, got_key = 0; + unsigned long ul; + char* p; + + while ((c = getopt(*argc, *argv, "?k:f:Dcsp:i:6")) != EOF) { + switch (c) { + case 'k': + if (strlen(optarg) != 16) { + usage("key must be 16 characters long"); + } + memcpy(key, optarg, 16); + got_key = 1; + break; + case 'f': { + int fd; + ssize_t r; + if ((fd = open(optarg, O_RDONLY)) < 0) { + perror("open()"); + usage("unable to open key file"); + } + if ((r = read(fd, key, 16)) < 0) { + perror("read()"); + usage("unable to read from key file"); + } + if (r != 16) { + usage("unable to read 16 bytes from key file"); + } + close(fd); + got_key = 1; + break; + } + case 'D': + decrypt = 1; + break; + case 'c': + only_clients = 1; + break; + case 's': + only_servers = 1; + break; + case 'p': + ul = strtoul(optarg, &p, 0); + if (*p != '\0' || 
ul < 1U || ul > 65535U) + usage("port must be an integer 1..65535"); + dns_port = (unsigned)ul; + break; + case 'i': + ul = strtoul(optarg, &p, 0); + if (*p != '\0' || ul < 1U || ul > 65535U) + usage("iterations must be an integer 1..65535"); + iterations = (unsigned)ul; + break; + case '6': + encrypt_v6 = 1; + break; + case '?': + ipcrypt_usage(); + if (!optopt || optopt == '?') { + exit(0); + } + // fallthrough + default: + exit(1); + } + } + + if (!got_key) { + usage("must have -k <key> or -f <file>"); + } + + if (only_clients && only_servers) { + usage("-c and -s options are mutually exclusive"); + } +} + +int ipcrypt_start(logerr_t* a_logerr) +{ + logerr = a_logerr; + return 0; +} + +void ipcrypt_stop() +{ +} + +int ipcrypt_open(my_bpftimeval ts) +{ + return 0; +} + +int ipcrypt_close(my_bpftimeval ts) +{ + return 0; +} + +int ipcrypt_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags, + unsigned sport, unsigned dport, my_bpftimeval ts, + const u_char* pkt_copy, const unsigned olen, + const u_char* payload, const unsigned payloadlen) +{ + for (;;) { + if (only_clients && sport == dns_port) { + from = 0; + break; + } + if (only_servers && sport != dns_port) { + from = 0; + break; + } + + switch (from->af) { + case AF_INET: + decrypt ? 
_decrypt((uint8_t*)&from->u.a4) : _encrypt((uint8_t*)&from->u.a4); + break; + case AF_INET6: + if (encrypt_v6) { + if (decrypt) { + _decrypt((uint8_t*)&from->u.a6); + _decrypt(((uint8_t*)&from->u.a6) + 4); + _decrypt(((uint8_t*)&from->u.a6) + 8); + _decrypt(((uint8_t*)&from->u.a6) + 12); + } else { + _encrypt((uint8_t*)&from->u.a6); + _encrypt(((uint8_t*)&from->u.a6) + 4); + _encrypt(((uint8_t*)&from->u.a6) + 8); + _encrypt(((uint8_t*)&from->u.a6) + 12); + } + break; + } + default: + from = 0; + break; + } + break; + } + + for (;;) { + if (only_clients && dport == dns_port) { + to = 0; + break; + } + if (only_servers && dport != dns_port) { + to = 0; + break; + } + + switch (to->af) { + case AF_INET: + decrypt ? _decrypt((uint8_t*)&to->u.a4) : _encrypt((uint8_t*)&to->u.a4); + break; + case AF_INET6: + if (encrypt_v6) { + if (decrypt) { + _decrypt((uint8_t*)&to->u.a6); + _decrypt(((uint8_t*)&to->u.a6) + 4); + _decrypt(((uint8_t*)&to->u.a6) + 8); + _decrypt(((uint8_t*)&to->u.a6) + 12); + } else { + _encrypt((uint8_t*)&to->u.a6); + _encrypt(((uint8_t*)&to->u.a6) + 4); + _encrypt(((uint8_t*)&to->u.a6) + 8); + _encrypt(((uint8_t*)&to->u.a6) + 12); + } + break; + } + default: + to = 0; + break; + } + break; + } + + if (ipcrypt_set_iaddr && (from || to)) { + ipcrypt_set_iaddr(from, to); + } + + return 0; +} diff --git a/plugins/ipcrypt/test1.gold b/plugins/ipcrypt/test1.gold new file mode 100644 index 0000000..040d875 --- /dev/null +++ b/plugins/ipcrypt/test1.gold 
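Review bot: The `-k` branch of ipcrypt_getopt() in plugins/ipcrypt/ipcrypt.c takes the anonymisation key straight from argv, so on most systems other local users can read it from the process list, and `strlen(optarg) != 16` limits it to sixteen non-NUL bytes, in practice printable characters, which is a far smaller key space than the raw 16 bytes that `-f` reads. I would put above `case 'k':` the comment `/* key on the command line is visible in the process list and restricted to non-NUL bytes; prefer -f <file> with a random 16-byte key */`. Separately, `xor4` does `*(uint32_t*)x ^= *(uint32_t*)y;` on `uint8_t` buffers, which breaks C's aliasing rules and assumes 4-byte alignment of `key` and of the address bytes; the byte-wise XOR left commented out in the same function avoids both.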
@@ -0,0 +1,2144 @@ +ipcrypt.so usage error: must have -k <key> or -f <file> +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [66.11.55.236].53199 [46.48.51.50].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \ + [66.11.55.236].57822 [46.48.51.50].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \ + [66.11.55.236].40043 [46.48.51.50].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \ + [66.11.55.236].37953 [46.48.51.50].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \ + [66.11.55.236].48658 [46.48.51.50].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \ + [66.11.55.236].40953 [46.48.51.50].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \ + [66.11.55.236].45174 [46.48.51.50].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \ + [66.11.55.236].33916 [46.48.51.50].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \ + [66.11.55.236].43559 [46.48.51.50].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \ + [66.11.55.236].54859 [46.48.51.50].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \ + [66.11.55.236].58176 [46.48.51.50].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \ + [66.11.55.236].41266 [46.48.51.50].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \ + [66.11.55.236].34607 [46.48.51.50].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \ + [66.11.55.236].60437 [46.48.51.50].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \ + [66.11.55.236].37149 [46.48.51.50].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \ + [66.11.55.236].53820 [46.48.51.50].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \ + [66.11.55.236].52368 [46.48.51.50].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \ + [66.11.55.236].47637 [46.48.51.50].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \ + [66.11.55.236].34426 [46.48.51.50].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \ + [66.11.55.236].41059 [46.48.51.50].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \ + [66.11.55.236].51181 [46.48.51.50].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \ + [66.11.55.236].32976 [46.48.51.50].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \ + [66.11.55.236].53467 [46.48.51.50].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \ + [66.11.55.236].41532 [46.48.51.50].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \ + [66.11.55.236].44982 [46.48.51.50].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \ + [66.11.55.236].40224 [46.48.51.50].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \ + [66.11.55.236].45658 [46.48.51.50].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \ + [66.11.55.236].60457 [46.48.51.50].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \ + [66.11.55.236].59762 [46.48.51.50].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \ + [66.11.55.236].56022 [46.48.51.50].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \ + [66.11.55.236].37669 [46.48.51.50].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \ + [66.11.55.236].42978 [46.48.51.50].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \ + [66.11.55.236].49829 [46.48.51.50].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \ + [66.11.55.236].50599 [46.48.51.50].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \ + [66.11.55.236].44980 [46.48.51.50].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \ + [66.11.55.236].60063 [46.48.51.50].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \ + [66.11.55.236].42042 [46.48.51.50].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \ + [66.11.55.236].60469 [46.48.51.50].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \ + [66.11.55.236].45703 [46.48.51.50].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \ + [66.11.55.236].33507 [46.48.51.50].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \ + [66.11.55.236].46798 [46.48.51.50].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \ + [46.48.51.50].53 [66.11.55.236].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [66.11.55.236].53199 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \ + [66.11.55.236].57822 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \ + [66.11.55.236].40043 [8.8.8.8].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \ + [66.11.55.236].37953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \ + [66.11.55.236].48658 [8.8.8.8].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \ + [66.11.55.236].40953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \ + [66.11.55.236].45174 [8.8.8.8].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \ + [66.11.55.236].33916 [8.8.8.8].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \ + [66.11.55.236].43559 [8.8.8.8].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \ + [66.11.55.236].54859 [8.8.8.8].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \ + [66.11.55.236].58176 [8.8.8.8].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \ + [66.11.55.236].41266 [8.8.8.8].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \ + [66.11.55.236].34607 [8.8.8.8].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \ + [66.11.55.236].60437 [8.8.8.8].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \ + [66.11.55.236].37149 [8.8.8.8].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \ + [66.11.55.236].53820 [8.8.8.8].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \ + [66.11.55.236].52368 [8.8.8.8].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \ + [66.11.55.236].47637 [8.8.8.8].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \ + [66.11.55.236].34426 [8.8.8.8].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \ + [66.11.55.236].41059 [8.8.8.8].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \ + [66.11.55.236].51181 [8.8.8.8].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \ + [66.11.55.236].32976 [8.8.8.8].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \ + [66.11.55.236].53467 [8.8.8.8].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \ + [66.11.55.236].41532 [8.8.8.8].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \ + [66.11.55.236].44982 [8.8.8.8].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \ + [66.11.55.236].40224 [8.8.8.8].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \ + [66.11.55.236].45658 [8.8.8.8].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \ + [66.11.55.236].60457 [8.8.8.8].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \ + [66.11.55.236].59762 [8.8.8.8].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \ + [66.11.55.236].56022 [8.8.8.8].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \ + [66.11.55.236].37669 [8.8.8.8].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \ + [66.11.55.236].42978 [8.8.8.8].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \ + [66.11.55.236].49829 [8.8.8.8].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \ + [66.11.55.236].50599 [8.8.8.8].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \ + [66.11.55.236].44980 [8.8.8.8].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \ + [66.11.55.236].60063 [8.8.8.8].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \ + [66.11.55.236].42042 [8.8.8.8].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \ + [66.11.55.236].60469 [8.8.8.8].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \ + [66.11.55.236].45703 [8.8.8.8].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \ + [66.11.55.236].33507 [8.8.8.8].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \ + [66.11.55.236].46798 [8.8.8.8].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \ + [8.8.8.8].53 [66.11.55.236].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [172.17.0.10].53199 [46.48.51.50].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \ + [172.17.0.10].57822 [46.48.51.50].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \ + [172.17.0.10].40043 [46.48.51.50].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \ + [172.17.0.10].37953 [46.48.51.50].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \ + [172.17.0.10].48658 [46.48.51.50].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \ + [172.17.0.10].40953 [46.48.51.50].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \ + [172.17.0.10].45174 [46.48.51.50].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \ + [172.17.0.10].33916 [46.48.51.50].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \ + [172.17.0.10].43559 [46.48.51.50].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \ + [172.17.0.10].54859 [46.48.51.50].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \ + [172.17.0.10].58176 [46.48.51.50].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \ + [172.17.0.10].41266 [46.48.51.50].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \ + [172.17.0.10].34607 [46.48.51.50].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \ + [172.17.0.10].60437 [46.48.51.50].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \ + [172.17.0.10].37149 [46.48.51.50].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \ + [172.17.0.10].53820 [46.48.51.50].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \ + [172.17.0.10].52368 [46.48.51.50].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \ + [172.17.0.10].47637 [46.48.51.50].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \ + [172.17.0.10].34426 [46.48.51.50].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \ + [172.17.0.10].41059 [46.48.51.50].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \ + [172.17.0.10].51181 [46.48.51.50].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \ + [172.17.0.10].32976 [46.48.51.50].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \ + [172.17.0.10].53467 [46.48.51.50].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \ + [172.17.0.10].41532 [46.48.51.50].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \ + [172.17.0.10].44982 [46.48.51.50].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \ + [172.17.0.10].40224 [46.48.51.50].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \ + [172.17.0.10].45658 [46.48.51.50].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \ + [172.17.0.10].60457 [46.48.51.50].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \ + [172.17.0.10].59762 [46.48.51.50].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \ + [172.17.0.10].56022 [46.48.51.50].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \ + [172.17.0.10].37669 [46.48.51.50].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \ + [172.17.0.10].42978 [46.48.51.50].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \ + [172.17.0.10].49829 [46.48.51.50].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \ + [172.17.0.10].50599 [46.48.51.50].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \ + [172.17.0.10].44980 [46.48.51.50].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \ + [172.17.0.10].60063 [46.48.51.50].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \ + [172.17.0.10].42042 [46.48.51.50].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \ + [172.17.0.10].60469 [46.48.51.50].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \ + [172.17.0.10].45703 [46.48.51.50].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \ + [172.17.0.10].33507 [46.48.51.50].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \ + [172.17.0.10].46798 [46.48.51.50].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \ + [46.48.51.50].53 [172.17.0.10].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +ipcrypt.so usage error: -c and -s options are mutually exclusive diff --git a/plugins/ipcrypt/test1.sh b/plugins/ipcrypt/test1.sh new file mode 100755 index 0000000..3be7107 --- /dev/null +++ b/plugins/ipcrypt/test1.sh @@ -0,0 +1,24 @@ +#!/bin/sh -xe + +plugin=`find . -name 'ipcrypt.so' | head -n 1` +if [ -z "$plugin" ]; then + echo "Unable to find the ipcrypt plugin" + exit 1 +fi + +ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist + +! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out +../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" 2>>test1.out +../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -c 2>>test1.out +../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -s 2>>test1.out +! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -c -s 2>>test1.out + +osrel=`uname -s` +if [ "$osrel" = "OpenBSD" ]; then + mv test1.out test1.out.old + grep -v "^dnscap.*WARNING.*symbol.*relink" test1.out.old > test1.out + rm test1.out.old +fi + +diff test1.out "$srcdir/test1.gold" 
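Review bot: The two negative checks in test1.sh (the first `! ../../src/dnscap … -P "$plugin" 2>test1.out` run without `-k`, and the last run with `-c -s`) cannot fail the script on exit status, because `sh -e` ignores the status of a pipeline negated with `!`. As written, only the final `diff` against test1.gold would notice a regression, and only if the stderr text changed as well. For an address-encryption plugin, the case where it refuses to run without a key (and with conflicting options) is worth asserting directly, by appending `|| exit 1` to both lines, e.g. `! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out || exit 1`. A one-line comment above each, such as `# must fail: no key given`, would also make the intent of the `!` obvious.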
diff --git a/plugins/ipcrypt/test2.gold b/plugins/ipcrypt/test2.gold new file mode 100644 index 0000000..3118c84 --- /dev/null +++ b/plugins/ipcrypt/test2.gold @@ -0,0 +1,33 @@ +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [150a:8a55:31dc:6eac:cbc:bc41:5a09:3606].51972 [830c:987b:b17f:8b55:cbc:bc41:6b7c:2e56].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [830c:987b:b17f:8b55:cbc:bc41:6b7c:2e56].53 [150a:8a55:31dc:6eac:cbc:bc41:5a09:3606].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [150a:8a55:31dc:6eac:cbc:bc41:5a09:3606].51972 [2001:4860:4860::8888].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [2001:4860:4860::8888].53 [150a:8a55:31dc:6eac:cbc:bc41:5a09:3606].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [2a01:3f0:0:57::245].51972 [830c:987b:b17f:8b55:cbc:bc41:6b7c:2e56].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [830c:987b:b17f:8b55:cbc:bc41:6b7c:2e56].53 [2a01:3f0:0:57::245].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] 
diff --git a/plugins/ipcrypt/test2.sh b/plugins/ipcrypt/test2.sh
new file mode 100755
index 0000000..7b99122
--- /dev/null
+++ b/plugins/ipcrypt/test2.sh
@@ -0,0 +1,30 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'ipcrypt.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the ipcrypt plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 -k "some 16-byte key" 2>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 -k "some 16-byte key" -c 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 -k "some 16-byte key" -s 2>>test2.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+ mv test2.out test2.out.old
+ grep -v "^dnscap.*WARNING.*symbol.*relink" test2.out.old > test2.out
+ rm test2.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test2.out | \
+ sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+ sed 's%,CLASS512,OPT,%,512,512,%' | \
+ sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+ sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
+mv test2.new test2.out
+
+diff test2.out "$srcdir/test2.gold"
diff --git a/plugins/ipcrypt/test3.gold b/plugins/ipcrypt/test3.gold
new file mode 100644
index 0000000..afd1d7d
--- /dev/null
+++ b/plugins/ipcrypt/test3.gold
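Review bot: Every dnscap run in test2.sh passes `-6`, so nothing in this test pins what ipcrypt does with the IPv6 addresses in dns6.pcap when that option is left out. test2.gold covers the both/client-only/server-only cases, but if `-6` is what enables IPv6 handling (presumably; the plugin source is not in this hunk), the omitted-option case is the one where addresses could pass through in clear, and it should be fixed in a gold file either way. I would add one more run before the OpenBSD filter, `../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "some 16-byte key" 2>>test2.out`, and extend test2.gold with its expected output. The `# TODO: Remove when #133 is fixed` comment would also be clearer if it said what the four `sed` substitutions normalise, e.g. `# normalise OPT record rendering that differs between builds until #133 is fixed` (wording to be confirmed against that issue).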
@@ -0,0 +1,725 @@ +[56] 2016-10-20 15:23:01.075993 [#0 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].53199 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].57822 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].40043 [8.8.8.8].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].37953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].48658 [8.8.8.8].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].40953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].45174 [8.8.8.8].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].33916 [8.8.8.8].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].43559 [8.8.8.8].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].54859 [8.8.8.8].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].58176 [8.8.8.8].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].41266 [8.8.8.8].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].34607 [8.8.8.8].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].60437 [8.8.8.8].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].37149 [8.8.8.8].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].53820 [8.8.8.8].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].52368 [8.8.8.8].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].47637 [8.8.8.8].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].34426 [8.8.8.8].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].41059 [8.8.8.8].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].51181 [8.8.8.8].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].32976 [8.8.8.8].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].53467 [8.8.8.8].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].41532 [8.8.8.8].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].44982 [8.8.8.8].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].40224 [8.8.8.8].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].45658 [8.8.8.8].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].60457 [8.8.8.8].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].59762 [8.8.8.8].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].56022 [8.8.8.8].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].37669 [8.8.8.8].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].42978 [8.8.8.8].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].49829 [8.8.8.8].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].50599 [8.8.8.8].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].44980 [8.8.8.8].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].60063 [8.8.8.8].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].42042 [8.8.8.8].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].60469 [8.8.8.8].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].45703 [8.8.8.8].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].33507 [8.8.8.8].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 test3.pcap.20161020.152301.075993 4095] \ + [172.17.0.10].46798 [8.8.8.8].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 test3.pcap.20161020.152301.075993 4095] \ + [8.8.8.8].53 [172.17.0.10].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +[87] 2018-11-27 15:52:00.414188 [#0 test3.pcap.20181127.155200.414188 4095] \ + [2a01:3f0:0:57::245].51972 [2001:4860:4860::8888].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 test3.pcap.20181127.155200.414188 4095] \ + [2001:4860:4860::8888].53 [2a01:3f0:0:57::245].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] diff --git a/plugins/ipcrypt/test3.sh b/plugins/ipcrypt/test3.sh new file mode 100755 index 0000000..860f272 --- /dev/null +++ b/plugins/ipcrypt/test3.sh 
@@ -0,0 +1,32 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'ipcrypt.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the ipcrypt plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -w test3.pcap -r dns.pcap-dist -P "$plugin" -k "some 16-byte key" 2>test3.out
+../../src/dnscap -w test3.pcap -r dns6.pcap-dist -P "$plugin" -k "some 16-byte key" -6 2>>test3.out
+../../src/dnscap -r test3.pcap.20161020.152301.075993 -g -P "$plugin" -k "some 16-byte key" -D 2>>test3.out
+../../src/dnscap -r test3.pcap.20181127.155200.414188 -g -P "$plugin" -k "some 16-byte key" -6 -D 2>>test3.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+ mv test3.out test3.out.old
+ grep -v "^dnscap.*WARNING.*symbol.*relink" test3.out.old > test3.out
+ rm test3.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test3.out | \
+ sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+ sed 's%,CLASS512,OPT,%,512,512,%' | \
+ sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+ sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test3.new
+mv test3.new test3.out
+
+diff test3.out "$srcdir/test3.gold"
diff --git a/plugins/ipcrypt/test4.sh b/plugins/ipcrypt/test4.sh
new file mode 100755
index 0000000..e92abf1
--- /dev/null
+++ b/plugins/ipcrypt/test4.sh
@@ -0,0 +1,21 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'ipcrypt.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the ipcrypt plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k tooshort
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -f does_not_exist
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -i 0
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 0
+rm -f test4.tmp
+touch test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -f test4.tmp
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 1 -i 1 -f "$srcdir/test4.sh"
diff --git a/plugins/pcapdump/Makefile.am b/plugins/pcapdump/Makefile.am
new file mode 100644
index 0000000..bfbf8a4
--- /dev/null
+++ b/plugins/pcapdump/Makefile.am
@@ -0,0 +1,22 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+ -I$(top_srcdir)/src \
+ -I$(top_srcdir)/isc \
+ $(SECCOMPFLAGS)
+
+pkglib_LTLIBRARIES = pcapdump.la
+pcapdump_la_SOURCES = pcapdump.c
+pcapdump_la_LDFLAGS = -module -avoid-version
+
+TESTS = test1.sh
+EXTRA_DIST = $(TESTS)
+CLEANFILES += test1.out* *.pcap-dist
+
+if ENABLE_GCOV
+gcov-local:
+ for src in $(pcapdump_la_SOURCES); do \
+ gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+ done
+endif
diff --git a/plugins/pcapdump/pcapdump.c b/plugins/pcapdump/pcapdump.c
new file mode 100644
index 0000000..ff70fe3
--- /dev/null
+++ b/plugins/pcapdump/pcapdump.c
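Review bot: The negative checks in plugins/ipcrypt/test4.sh (`! ../../src/dnscap …` with `-X`, `-k tooshort`, `-f does_not_exist`, `-i 0`, `-p 0` and `-f test4.tmp`) cannot fail the test, because under `sh -e` a pipeline that begins with `!` is exempt from errexit and none of them is the script's last command. A dnscap that wrongly accepted a too-short key or an empty key file would therefore still leave the script exiting 0. Writing each one as `if ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k tooshort; then exit 1; fi` makes an unexpected success fatal. The same `!` form in pcapdump/test1.sh and royparse/test1.sh is the final command, where it does set the script's exit status.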
@@ -0,0 +1,262 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" + +#define _GNU_SOURCE +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <string.h> +#include <pcap.h> +#include <stdarg.h> +#include <errno.h> +#include <assert.h> +#include <sys/wait.h> +#include <netinet/in.h> +#include <arpa/inet.h> +#include <arpa/nameser.h> + +#if HAVE_ARPA_NAMESER_COMPAT_H +#include <arpa/nameser_compat.h> +#endif + +#include "dnscap_common.h" + +#define SNAPLEN 65536 +#define THOUSAND 1000 +#define MILLION (THOUSAND * THOUSAND) + +output_t pcapdump_output; + +static logerr_t* logerr = 0; +char* dump_base = 0; +static int to_stdout = 0; +static int dbg_lvl = 0; +static char* dumpname = 0; +static char* dumpnamepart = 0; +static pcap_t* pcap_dead = 0; +static pcap_dumper_t* dumper = 0; +static char* kick_cmd = 0; +static int flush = 0; +static int dir_wanted = DIR_INITIATE | DIR_RESPONSE; + +void pcapdump_usage() +{ + fprintf(stderr, + "\npcapdump.so options:\n" + "\t-? print these instructions and exit\n" + "\t-d increase debugging\n" + "\t-f flush output on every packet\n" + "\t-k <cmd> kick off <cmd> when each dump closes\n" + "\t-s [ir] select sides: initiations, responses\n" + "\t-w <base> dump to <base>.<timesec>.<timeusec>\n"); +} + +void pcapdump_getopt(int* argc, char** argv[]) +{ + int c; + int u; + const char* p; + while ((c = getopt(*argc, *argv, "?dfk:s:w:")) != EOF) { + switch (c) { + case 'd': + dbg_lvl++; + break; + case 'f': + flush = 1; + break; + case 'k': + if (kick_cmd) + free(kick_cmd); + kick_cmd = strdup(optarg); + break; + case 's': + u = 0; + for (p = optarg; *p; p++) + switch (*p) { + case 'i': + u |= DIR_INITIATE; + break; + case 'r': + u |= DIR_RESPONSE; + break; + default: + fprintf(stderr, "-s takes only [ir]\n"); + pcapdump_usage(); + break; + } + dir_wanted = u; + break; + case 'w': + if (!strcmp(optarg, "-")) + to_stdout = 1; + else { + if (dump_base) + free(dump_base); + dump_base = strdup(optarg); + } + break; + case '?': + pcapdump_usage(); + if (!optopt || 
optopt == '?') { + exit(0); + } + // fallthrough + default: + exit(1); + } + } + if (!to_stdout && !dump_base) { + fprintf(stderr, "-w basename argument is required\n"); + pcapdump_usage(); + exit(1); + } + if (to_stdout && kick_cmd) { + fprintf(stderr, "Can't use -k when dumping to stdout\n"); + pcapdump_usage(); + exit(1); + } +} + +int pcapdump_start(logerr_t* a_logerr) +{ + logerr = a_logerr; + pcap_dead = pcap_open_dead(DLT_RAW, SNAPLEN); + return 0; +} + +void pcapdump_stop() +{ + pcap_close(pcap_dead); + pcap_dead = 0; +} + +int pcapdump_open(my_bpftimeval ts) +{ + const char* t = NULL; + if (to_stdout) { + t = "-"; + } else { + char sbuf[64]; + struct tm tm; + while (ts.tv_usec >= MILLION) { + ts.tv_sec++; + ts.tv_usec -= MILLION; + } + gmtime_r((time_t*)&ts.tv_sec, &tm); + strftime(sbuf, 64, "%Y%m%d.%H%M%S", &tm); + if (asprintf(&dumpname, "%s.%s.%06lu", + dump_base, sbuf, (u_long)ts.tv_usec) + < 0 + || asprintf(&dumpnamepart, "%s.part", dumpname) < 0) { + logerr("asprintf: %s", strerror(errno)); + return 1; + } + t = dumpnamepart; + } + dumper = pcap_dump_open(pcap_dead, t); + if (dumper == NULL) { + logerr("pcap dump open: %s", pcap_geterr(pcap_dead)); + return 1; + } + return 0; +} + +int pcapdump_close(my_bpftimeval ts) +{ + int ret = 0; +#if 0 + if (print_pcap_stats) + do_pcap_stats(); +#endif + pcap_dump_close(dumper); + dumper = 0; + if (to_stdout) { + assert(dumpname == 0); + assert(dumpnamepart == 0); + if (dbg_lvl >= 1) + logerr("breaking"); + ret = 0; + } else { + char* cmd = NULL; + if (dbg_lvl >= 1) + logerr("closing %s", dumpname); + if (rename(dumpnamepart, dumpname)) { + logerr("rename: %s", strerror(errno)); + return 1; + } + if (kick_cmd != NULL) + if (asprintf(&cmd, "%s %s &", kick_cmd, dumpname) < 0) { + logerr("asprintf: %s", strerror(errno)); + cmd = NULL; + } + free(dumpnamepart); + dumpnamepart = NULL; + free(dumpname); + dumpname = NULL; + if (cmd != NULL) { + int x = system(cmd); + if (x) { + logerr("system %s returned %d", cmd, 
x); + } + free(cmd); + } + if (kick_cmd == NULL) + ret = 0; + } + return ret; +} + +void pcapdump_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags, + unsigned sport, unsigned dport, my_bpftimeval ts, + const u_char* pkt_copy, const unsigned olen, const u_char* payload, const unsigned payloadlen) +{ + struct pcap_pkthdr h; + if (flags & DNSCAP_OUTPUT_ISLAYER) + return; + if (flags & DNSCAP_OUTPUT_ISDNS) { + HEADER* dns = (HEADER*)payload; + if (0 == dns->qr && 0 == (dir_wanted & DIR_INITIATE)) + return; + if (1 == dns->qr && 0 == (dir_wanted & DIR_RESPONSE)) + return; + } + memset(&h, 0, sizeof h); + h.ts = ts; + h.len = h.caplen = olen; + pcap_dump((u_char*)dumper, &h, pkt_copy); + if (flush) + pcap_dump_flush(dumper); +} diff --git a/plugins/pcapdump/test1.sh b/plugins/pcapdump/test1.sh new file mode 100755 index 0000000..bcf2fdb --- /dev/null +++ b/plugins/pcapdump/test1.sh @@ -0,0 +1,16 @@ +#!/bin/sh -xe + +plugin=`find . -name 'pcapdump.so' | head -n 1` +if [ -z "$plugin" ]; then + echo "Unable to find the pcapdump plugin" + exit 1 +fi + +ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist + +../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -? +../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -dddd -w test1.out +../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -dddd -f -w test1.out +../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -dddd -s r -w test1.out +../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -dddd -s i -w test1.out +! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X diff --git a/plugins/royparse/Makefile.am b/plugins/royparse/Makefile.am new file mode 100644 index 0000000..795a277 --- /dev/null +++ b/plugins/royparse/Makefile.am 
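Review bot: In pcapdump_close the dump file name is pasted into a shell command line, `asprintf(&cmd, "%s %s &", kick_cmd, dumpname)`, and run with system(), so a `-w` base name containing whitespace or shell metacharacters changes what the shell executes. Both values come from the plugin's own options here, so this is hardening rather than a remote input path, but handing the name over as a positional parameter keeps it out of shell parsing while the shell still splits `kick_cmd` as before; the sketch below does that with fork/execl and frees dumpname only after the command has been started. Separately, pcapdump_output reads `dns->qr` without comparing payloadlen to `sizeof(HEADER)`; whether the caller guarantees a full header whenever DNSCAP_OUTPUT_ISDNS is set is not visible in this hunk, so a guard such as `if (payloadlen < sizeof(HEADER)) return;` before the cast would be cheap.

```c
        /* … unchanged: pcap_dump_close(), rename() of the .part file … */
        if (kick_cmd != NULL && asprintf(&cmd, "%s \"$1\" &", kick_cmd) < 0) {
            logerr("asprintf: %s", strerror(errno));
            cmd = NULL;
        }
        if (cmd != NULL) {
            /* dumpname reaches the command as "$1"; the shell never parses the name itself */
            int   status = 0;
            pid_t pid    = fork();
            if (pid == 0) {
                execl("/bin/sh", "sh", "-c", cmd, "sh", dumpname, (char*)NULL);
                _exit(127);
            }
            if (pid < 0 || waitpid(pid, &status, 0) < 0)
                logerr("kick %s: %s", cmd, strerror(errno));
            else if (status)
                logerr("system %s returned %d", cmd, status);
            free(cmd);
        }
        /* the name buffers are released only once the command has been handed over */
        free(dumpnamepart);
        dumpnamepart = NULL;
        free(dumpname);
        dumpname = NULL;
```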
@@ -0,0 +1,22 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+ -I$(top_srcdir)/src \
+ -I$(top_srcdir)/isc \
+ $(SECCOMPFLAGS)
+
+pkglib_LTLIBRARIES = royparse.la
+royparse_la_SOURCES = royparse.c
+royparse_la_LDFLAGS = -module -avoid-version
+
+TESTS = test1.sh
+EXTRA_DIST = $(TESTS)
+CLEANFILES += test1.out* *.pcap-dist
+
+if ENABLE_GCOV
+gcov-local:
+ for src in $(royparse_la_SOURCES); do \
+ gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+ done
+endif
diff --git a/plugins/royparse/royparse.c b/plugins/royparse/royparse.c
new file mode 100644
index 0000000..83e26a6
--- /dev/null
+++ b/plugins/royparse/royparse.c
@@ -0,0 +1,272 @@ +/* + * Author Roy Arends + * + * Copyright (c) 2017-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" + +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <string.h> +#include <netinet/in.h> + +#include "dnscap_common.h" + +#include <errno.h> +#include <arpa/inet.h> +#include <arpa/nameser.h> +#include <pcap.h> +#include <ldns/ldns.h> + +static logerr_t* logerr; +static char* opt_q = 0; +static char* opt_r = 0; + +pcap_t* pcap; +pcap_dumper_t* q_out = 0; +static FILE* r_out = 0; + +output_t royparse_output; +ia_str_t royparse_ia_str = 0; + +void royparse_usage() +{ + fprintf(stderr, + "\nroyparse splits a pcap into two streams: queries in pcap format and responses in ASCII format.\n" + "\nroyparse.so options:\n" + "\t-? print these instructions and exit\n" + "\t-q <arg> query pcap stream output file name (default: no output)\n" + "\t-r <arg> royparse output file name (default: stdout)\n"); +} + +void royparse_extension(int ext, void* arg) +{ + switch (ext) { + case DNSCAP_EXT_IA_STR: + royparse_ia_str = (ia_str_t)arg; + break; + } +} + +void royparse_getopt(int* argc, char** argv[]) +{ + int c; + + while ((c = getopt(*argc, *argv, "?q:r:")) != EOF) { + switch (c) { + case 'q': + if (opt_q) + free(opt_q); + opt_q = strdup(optarg); + break; + case 'r': + if (opt_r) + free(opt_r); + opt_r = strdup(optarg); + break; + case '?': + royparse_usage(); + if (!optopt || optopt == '?') { + exit(0); + } + // fallthrough + default: + exit(1); + } + } +} + +int royparse_start(logerr_t* a_logerr) +{ + logerr = a_logerr; + + if (opt_q) { + pcap = pcap_open_dead(DLT_RAW, 65535); + q_out = pcap_dump_open(pcap, opt_q); + if (q_out == 0) { + logerr("%s: %s\n", opt_q, strerror(errno)); + exit(1); + } + } + if (opt_r) { + r_out = fopen(opt_r, "w"); + if (r_out == 0) { + logerr("%s: %s\n", opt_r, strerror(errno)); + exit(1); + } + } else { + r_out = stdout; + } + setbuf(r_out, 0); + + return 0; +} + +void royparse_stop() +{ + if (q_out != 0) { + pcap_close(pcap); + pcap_dump_close(q_out); + } + if (r_out != stdout) + fclose(r_out); +} + 
+int royparse_open(my_bpftimeval ts) +{ + return 0; +} + +int royparse_close(my_bpftimeval ts) +{ + return 0; +} + +void royparse_normalize(char* str) +{ + /* + * The "normalize" function converts upper case characters to lower case, + * and replaces the space and comma characters with a question mark. + */ + + for (; *str; str++) { + if (('A' <= *str) && (*str <= 'Z')) { + *str |= 32; + } else if ((*str == ',') || (*str == ' ')) { + *str = '?'; + } + } +} + +void royparse_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags, + unsigned sport, unsigned dport, my_bpftimeval ts, + const u_char* pkt_copy, unsigned olen, + const u_char* payload, unsigned payloadlen) +{ + if (flags & DNSCAP_OUTPUT_ISDNS) { + ldns_buffer* buf = ldns_buffer_new(512); + if (!buf) { + logerr("out of memmory\n"); + exit(1); + } + + ldns_pkt* pkt; + if (ldns_wire2pkt(&pkt, payload, payloadlen) != LDNS_STATUS_OK) { + fprintf(r_out, "ERR\n"); + ldns_buffer_free(buf); + return; + } + if (ldns_pkt_qr(pkt) && sport == 53) { + fprintf(r_out, "%cD_", ldns_pkt_rd(pkt) ? 'R' : 'N'); + + switch (ldns_pkt_get_opcode(pkt)) { + case LDNS_PACKET_QUERY: + fprintf(r_out, "QUERY"); + break; + case LDNS_PACKET_NOTIFY: + fprintf(r_out, "NOTIFY"); + break; + case LDNS_PACKET_UPDATE: + fprintf(r_out, "UPDATE"); + break; + default: + fprintf(r_out, "ELSE"); + } + + fprintf(r_out, "_%u_%cA_", ldns_pkt_ancount(pkt) ? 1 : 0, ldns_pkt_aa(pkt) ? 
'A' : 'N'); + + switch (ldns_pkt_get_rcode(pkt)) { + case LDNS_RCODE_NOERROR: + fprintf(r_out, "NOERROR"); + break; + case LDNS_RCODE_FORMERR: + fprintf(r_out, "FORMERR"); + break; + case LDNS_RCODE_NXDOMAIN: + fprintf(r_out, "NXDOMAIN"); + break; + case LDNS_RCODE_NOTIMPL: + fprintf(r_out, "NOTIMP"); + break; + case LDNS_RCODE_REFUSED: + fprintf(r_out, "REFUSED"); + break; + case LDNS_RCODE_NOTAUTH: + fprintf(r_out, "NOTAUTH"); + break; + default: + fprintf(r_out, "ELSE"); + } + + fprintf(r_out, " %s,", royparse_ia_str(to)); + + ldns_rr_list* qds = ldns_pkt_question(pkt); + ldns_rr* qd; + if (qds && (qd = ldns_rr_list_rr(qds, 0))) { + if (ldns_rdf2buffer_str(buf, ldns_rr_owner(qd)) == LDNS_STATUS_OK) { + royparse_normalize((char*)ldns_buffer_begin(buf)); + fprintf(r_out, "%s%s,%u", (char*)ldns_buffer_begin(buf), + ((char*)ldns_buffer_begin(buf))[0] == '.' ? "" : ".", + ldns_rr_get_type(qd)); + } else { + fprintf(r_out, "ERR,ERR"); + } + } else + fprintf(r_out, ","); + + fprintf(r_out, ",%zu,%s%s%s%s", ldns_pkt_size(pkt), ldns_pkt_id(pkt) < 256 ? "-L" : "", + ldns_pkt_tc(pkt) ? "-TC" : "", + ldns_pkt_ad(pkt) ? "-AD" : "", + ldns_pkt_cd(pkt) ? "-CD" : ""); + if (ldns_pkt_edns(pkt)) { + fprintf(r_out, "-%c", ldns_pkt_edns_do(pkt) ? 'D' : 'E'); + } + fprintf(r_out, "\n"); + } else if (opt_q != 0 && !ldns_pkt_qr(pkt) && dport == 53) { + struct pcap_pkthdr h; + if (flags & DNSCAP_OUTPUT_ISLAYER) { + ldns_pkt_free(pkt); + ldns_buffer_free(buf); + return; + } + memset(&h, 0, sizeof h); + h.ts = ts; + h.len = h.caplen = olen; + pcap_dump((u_char*)q_out, &h, pkt_copy); + } + ldns_pkt_free(pkt); + ldns_buffer_free(buf); + } +} diff --git a/plugins/royparse/test1.sh b/plugins/royparse/test1.sh new file mode 100755 index 0000000..ec07886 --- /dev/null +++ b/plugins/royparse/test1.sh 
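Review bot: royparse_output calls `royparse_ia_str(to)` for every response it prints, but that pointer starts as 0 and is only assigned in royparse_extension when the host passes DNSCAP_EXT_IA_STR, so without that call the first response from port 53 is a call through a null pointer. Whether dnscap always registers the extension before any output is not visible in this hunk, so a check at the top of royparse_output, next to its existing out-of-memory `exit(1)`, makes the dependency explicit: `if (!royparse_ia_str) { logerr("royparse: ia_str extension not provided\n"); exit(1); }`. In royparse_start the `pcap_dump_open` failure is reported with `strerror(errno)`, where `pcap_geterr(pcap)` (as pcapdump.c uses) carries the actual reason, and the result of `pcap_open_dead` is not checked before use.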
@@ -0,0 +1,15 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'royparse.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the royparse plugin"
+ exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin"
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -q test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -r test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
diff --git a/plugins/rssm/.gitignore b/plugins/rssm/.gitignore
new file mode 100644
index 0000000..7d3ffec
--- /dev/null
+++ b/plugins/rssm/.gitignore
@@ -0,0 +1 @@
+hashtbl.c
diff --git a/plugins/rssm/Makefile.am b/plugins/rssm/Makefile.am
new file mode 100644
index 0000000..08e4429
--- /dev/null
+++ b/plugins/rssm/Makefile.am
@@ -0,0 +1,42 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = $(srcdir)/hashtbl.c \
+ hashtbl.c *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+ -I$(top_srcdir)/src \
+ -I$(top_srcdir)/isc \
+ $(SECCOMPFLAGS) \
+ $(libldns_CFLAGS)
+
+pkglib_LTLIBRARIES = rssm.la
+rssm_la_SOURCES = rssm.c
+nodist_rssm_la_SOURCES = hashtbl.c
+BUILT_SOURCES = hashtbl.c
+rssm_la_LDFLAGS = -module -avoid-version $(libldns_LIBS)
+TESTS = test1.sh test2.sh test3.sh test4.sh test5.sh
+EXTRA_DIST = $(TESTS) test1.gold test2.gold dnscap-rssm-rssac002.1.in \
+ test3.gold test5.gold
+dist_bin_SCRIPTS = dnscap-rssm-rssac002
+man1_MANS = dnscap-rssm-rssac002.1
+CLEANFILES += test1.20161020.152301.075993 test2.out $(man1_MANS) \
+ test3.20181127.155200.414188 test4.*20161020.152301.075993 \
+ test5.20180110.112241.543825
+
+if ENABLE_GCOV
+gcov-local:
+ for src in $(rssm_la_SOURCES) $(nodist_rssm_la_SOURCES); do \
+ gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+ done
+endif
+
+hashtbl.c: $(top_srcdir)/src/hashtbl.c
+ cp $(top_srcdir)/src/hashtbl.c ./
+
+$(srcdir)/hashtbl.c: $(top_srcdir)/src/hashtbl.c
+ cp $(top_srcdir)/src/hashtbl.c $(srcdir)/
+
+dnscap-rssm-rssac002.1: dnscap-rssm-rssac002.1.in Makefile
+ sed -e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g' \
+ -e 's,[@]PACKAGE_URL[@],$(PACKAGE_URL),g' \
+ -e 's,[@]PACKAGE_BUGREPORT[@],$(PACKAGE_BUGREPORT),g' \
+ < $(srcdir)/dnscap-rssm-rssac002.1.in > dnscap-rssm-rssac002.1
diff --git a/plugins/rssm/README.md b/plugins/rssm/README.md
new file mode 100644
index 0000000..98fbde4
--- /dev/null
+++ b/plugins/rssm/README.md
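Review bot: The `dnscap-rssm-rssac002.1` recipe redirects sed's output straight into the target, so an interrupted or failed run leaves a truncated man page that is newer than its prerequisites and will be treated as up to date on the next build. Writing to a temporary name and renaming it closes that gap, and `$@` avoids spelling the file name twice: the last recipe line could read `< $(srcdir)/dnscap-rssm-rssac002.1.in > $@.tmp && mv -f $@.tmp $@`.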
@@ -0,0 +1,41 @@
+# Root Server Scaling Measurement (RSSM) plugin
+
+This plugin collects data as described by the [RSSAC002v3 specification](https://www.icann.org/en/system/files/files/rssac-002-measurements-root-06jun16-en.pdf)
+which has been created by [ICANN Root Server System Advisory Committee](https://www.icann.org/groups/rssac) (RSSAC).
+
+## Additions
+
+As the RSSAC002v3 specification states that measurements should be saved per
+24 hours interval, this plugin produces additional metrics that can be used
+to compile the 24 hours measurements allowing for variable time between
+output generation.
+
+Metric `dnscap-rssm-sources` has a hash entry called `sources` which lists
+IP addresses and the number of times they appeared.
+
+Metric `dnscap-rssm-aggregated-sources` has a hash entry called `aggregated-sources`
+which lists the aggregated IPv6 addresses by a /64 net and the number of times
+it has appeared.
+
+## Merge Tool
+
+The Perl script `dnscap-rssm-rssac002` is included and installed with `dnscap`
+and can be used to multiple combine RSSM plugin RSSAC002v3 YAML output files
+into one file.
+
+The script will merge and remove metric specific to this plugin and replace
+others to fill in correct values for the new time period. The earliest
+`start-period` found will be used for all metrics.
+
+**NOTE** no parsing of `start-period` is performed, it is up to the operator
+to only give input files related to the same 24 hour period.
+
+Options:
+- `--no-recompile`: Disabled the combining of metrics and the removal of
+ metrics specific to this plugin
+- `--keep-dnscap-rssm`: Do the combining but keep the metrics specific to
+ this plugin
+- `--sort`: Output will always start with `version:`, `service:`,
+ `start-period:` and `metric:`, rest of the values are not ordered by label.
+ This option enabled sorting of them, which is not required by the
+ specification but may help in debugging and testing cases.
diff --git a/plugins/rssm/dnscap-rssm-rssac002 b/plugins/rssm/dnscap-rssm-rssac002
new file mode 100755
index 0000000..f7eaaf6
--- /dev/null
+++ b/plugins/rssm/dnscap-rssm-rssac002
@@ -0,0 +1,209 @@ +#!/usr/bin/env perl +# +# Copyright (c) 2018-2021, OARC, Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# 3. Neither the name of the copyright holder nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. 
+ +use strict; +use warnings; +use YAML; + +unless (scalar @ARGV > 1) { + print "usage: dnscap-rssm-rssac002 [--no-recompile|--keep-dnscap-rssm|--sort] <YAML files to merge...>\n"; + exit(1); +} + +my %service = (); +my $earliest_start_period; +my $recompile = 1; +my $keep_dnscap_rssm = 0; +my $sort = 0; + +foreach my $file (@ARGV) { + if ($file eq '--no-recompile') { + $recompile = 0; + next; + } elsif ($file eq '--keep-dnscap-rssm') { + $keep_dnscap_rssm = 1; + next; + } elsif ($file eq '--sort') { + $sort = 1; + next; + } + foreach my $doc (YAML::LoadFile($file)) { + my $version = delete $doc->{version}; + my $service = delete $doc->{service}; + my $start_period = delete $doc->{'start-period'}; + my $metric = delete $doc->{metric}; + unless ($version) { + die "$file: not valid RSSAC002 YAML, missing version"; + } + unless ($service) { + die "$file: not valid RSSAC002 YAML, missing service"; + } + unless ($start_period) { + die "$file: not valid RSSAC002 YAML, missing start-period"; + } + unless ($metric) { + die "$file: not valid RSSAC002 YAML, missing metric"; + } + unless ($version eq 'rssac002v3') { + die "$file: unsupported RSSAC002 version $version"; + } + + push(@{$service{$service}->{$metric}}, $doc); + + if (!$earliest_start_period or $start_period lt $earliest_start_period) { + $earliest_start_period = $start_period; + } + } +} + +foreach my $service (keys %service) { + foreach my $metric (keys %{$service{$service}}) { + my %doc = (); + foreach (@{$service{$service}->{$metric}}) { + eval { + merge(\%doc, $_); + }; + if ($@) { + die "service $service metric $metric: $@"; + } + } + $service{$service}->{$metric} = \%doc; + } +} + +if ($recompile) { + foreach my $service (keys %service) { + my ($ipv4, $ipv6, $aggregated) = (0, 0, 0); + my $metric; + + if ($keep_dnscap_rssm) { + $metric = $service{$service}->{'dnscap-rssm-sources'}; + } else { + $metric = delete $service{$service}->{'dnscap-rssm-sources'}; + } + if ($metric) { + if (ref($metric->{sources}) 
eq 'HASH') { + foreach my $ip (keys %{$metric->{sources}}) { + if ($ip =~ /:/o) { + $ipv6++; + } else { + $ipv4++; + } + } + } + } + + if ($keep_dnscap_rssm) { + $metric = $service{$service}->{'dnscap-rssm-aggregated-sources'}; + } else { + $metric = delete $service{$service}->{'dnscap-rssm-aggregated-sources'}; + } + if ($metric) { + if (ref($metric->{'aggregated-sources'}) eq 'HASH') { + my @keys = keys %{$metric->{'aggregated-sources'}}; + $aggregated += scalar @keys; + } + } + + $service{$service}->{'unique-sources'} = { + 'num-sources-ipv4' => $ipv4, + 'num-sources-ipv6' => $ipv6, + 'num-sources-ipv6-aggregate' => $aggregated, + }; + } +} + +if ($sort) { + my $first = 1; + $YAML::SortKeys = 1; + foreach my $service (sort keys %service) { + foreach my $metric (sort keys %{$service{$service}}) { + if ($first) { + $first = 0; + } else { + print "\n"; + } + print YAML::Dump({ + version => "rssac002v3", + service => $service, + 'start-period' => $earliest_start_period, + metric => $metric, + %{ $service{$service}->{$metric} }, + }); + } + } +} else { + my $first = 1; + $YAML::SortKeys = 0; + foreach my $service (keys %service) { + foreach my $metric (keys %{$service{$service}}) { + if ($first) { + $first = 0; + } else { + print "\n"; + } + print YAML::Dump({ + version => "rssac002v3", + service => $service, + 'start-period' => $earliest_start_period, + metric => $metric, + %{ $service{$service}->{$metric} }, + }); + } + } +} + +sub merge { + my ( $doc, $measurements ) = @_; + + foreach my $key (keys %$measurements) { + if (ref($doc->{$key}) eq 'HASH') { + unless (ref($measurements->{$key}) eq 'HASH') { + die "invalid measurement types for key $key: not a hash"; + } + eval { + merge($doc->{$key}, $measurements->{$key}); + }; + die $@ if ($@); + next; + } + if (defined($doc->{$key})) { + if (defined($measurements->{$key}) and $measurements->{$key} ne '') { + $doc->{$key} += $measurements->{$key}; + } + } else { + $doc->{$key} = $measurements->{$key}; + } + } +} 
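Review bot: merge() checks types in one direction only: when the accumulated value is a hash it dies unless the new value is a hash too, but when the accumulated value is a scalar the new value goes straight into `$doc->{$key} += $measurements->{$key};`, so a hash or array reference, or any non-numeric string, from a later input file is numified and summed into the counter. The inputs are YAML files supplied on the command line and may have been produced on several hosts, so I would reject those cases before the addition, e.g. `die "invalid measurement types for key $key: not a number" if ref($measurements->{$key}) or $measurements->{$key} !~ /^\d+$/;`. The first-seen value is also stored by reference (`$doc->{$key} = $measurements->{$key};`), so later merges write into the loaded input document; that looks harmless here but deserves a comment.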
diff --git a/plugins/rssm/dnscap-rssm-rssac002.1.in b/plugins/rssm/dnscap-rssm-rssac002.1.in
new file mode 100644
index 0000000..a625d9b
--- /dev/null
+++ b/plugins/rssm/dnscap-rssm-rssac002.1.in
@@ -0,0 +1,98 @@ +.\" Copyright (c) 2017-2021, OARC, Inc. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. Neither the name of the copyright holder nor the names of its +.\" contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +.\" COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.TH dnscap-rssm-rssac002 1 "dnscap-v@PACKAGE_VERSION@" "dnscap RSSAC002v3 Tool" +.SH NAME +dnscap-rssm-rssac002 \- Combine RSSAC002v3 YAML files +.SH SYNOPSIS +.B dnscap-rssm-rssac002 +[ +.B \--no-recompile +.B \--keep-dnscap-rssm +.B \--sort +] +.I files... 
+.SH DESCRIPTION +This Perl script will merge and remove metric specific to this plugin and +replace others to fill in correct values for the new time period. +The earliest +.I start-period +found will be used for all metrics. +.LP +.B NOTE +no parsing of +.I start-period +is performed, it is up to the operator to only give input files related +to the same 24 hour period. +.SH OPTIONS +.TP +.B \--no-recompile +Disabled the combining of metrics and the removal of metrics specific to +this plugin. +.TP +.B \--keep-dnscap-rssm +Do the combining but keep the metrics specific to this plugin. +.TP +.B \--sort +Output will always start with +.IR version: , +.IR service: , +.I start-period: +and +.IR metric: , +rest of the values are not ordered by label. +This option enabled sorting of them, which is not required by the +specification but may help in debugging and testing cases. +.SH SEE ALSO +.BR dnscap (1) +.SH AUTHORS +Jerry Lundström, DNS-OARC +.LP +Maintained by DNS-OARC +.LP +.RS +.I https://www.dns-oarc.net/ +.RE +.LP +.SH BUGS +For issues and feature requests please use: +.LP +.RS +\fI@PACKAGE_URL@\fP +.RE +.LP +For question and help please use: +.LP +.RS +\fI@PACKAGE_BUGREPORT@\fP +.RE +.LP diff --git a/plugins/rssm/rssm.c b/plugins/rssm/rssm.c new file mode 100644 index 0000000..45b0ec9 --- /dev/null +++ b/plugins/rssm/rssm.c 
@@ -0,0 +1,696 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" + +#define _GNU_SOURCE +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <memory.h> +#include <stdarg.h> +#include <errno.h> +#include <assert.h> +#include <sys/wait.h> +#include <netinet/in.h> +#include <arpa/inet.h> + +#include <arpa/nameser.h> +#if HAVE_ARPA_NAMESER_COMPAT_H +#include <arpa/nameser_compat.h> +#endif + +#include <netinet/in_systm.h> +#include <netinet/in.h> +#include <netinet/ip.h> +#include <netinet/ip6.h> + +#include <ldns/ldns.h> + +#include "dnscap_common.h" + +#include "hashtbl.h" + +static logerr_t* logerr; +static my_bpftimeval open_ts; +static my_bpftimeval close_ts; +#define COUNTS_PREFIX_DEFAULT "rssm" +static char* counts_prefix = 0; +static char* sources_prefix = 0; +static char* aggregated_prefix = 0; +static int dont_fork_on_close = 0; +static int sources_into_counters = 0; +static int aggregated_into_counters = 0; +static char* service_name = 0; +static int rssac002v3_yaml = 0; + +output_t rssm_output; + +#define MAX_SIZE_INDEX 4096 +#define MSG_SIZE_SHIFT 4 +#define MAX_TBL_ADDRS 2000000 +#define MAX_TBL_ADDRS2 200000 +#define MAX_RCODE (1 << 12) + +typedef struct { + hashtbl* tbl; + iaddr addrs[MAX_TBL_ADDRS]; + uint64_t count[MAX_TBL_ADDRS]; + unsigned int num_addrs; +} my_hashtbl; + +typedef struct { + hashtbl* tbl; + iaddr addrs[MAX_TBL_ADDRS2]; + uint64_t count[MAX_TBL_ADDRS2]; + unsigned int num_addrs; +} my_hashtbl2; + +struct { + uint64_t dns_udp_queries_received_ipv4; + uint64_t dns_udp_queries_received_ipv6; + uint64_t dns_tcp_queries_received_ipv4; + uint64_t dns_tcp_queries_received_ipv6; + uint64_t dns_udp_responses_sent_ipv4; + uint64_t dns_udp_responses_sent_ipv6; + uint64_t dns_tcp_responses_sent_ipv4; + uint64_t dns_tcp_responses_sent_ipv6; + uint64_t udp_query_size[MAX_SIZE_INDEX]; + uint64_t tcp_query_size[MAX_SIZE_INDEX]; + uint64_t udp_response_size[MAX_SIZE_INDEX]; + uint64_t tcp_response_size[MAX_SIZE_INDEX]; + uint64_t rcodes[MAX_RCODE]; + my_hashtbl 
sources; + my_hashtbl2 aggregated; + uint64_t num_ipv4_sources; + uint64_t num_ipv6_sources; +} counts; + +static unsigned int +iaddr_hash(const void* key) +{ + const iaddr* ia = (const iaddr*)key; + + if (AF_INET == ia->af) + return ia->u.a4.s_addr >> 8; + else if (AF_INET6 == ia->af) { + uint16_t* h = (uint16_t*)&ia->u; + return h[2] + h[3] + h[4]; + } else + return 0; +} + +static int +iaddr_cmp(const void* _a, const void* _b) +{ + const iaddr *a = (const iaddr*)_a, *b = (const iaddr*)_b; + + if (a->af == b->af) { + if (AF_INET == a->af) + return memcmp(&a->u.a4.s_addr, &b->u.a4.s_addr, sizeof(a->u.a4.s_addr)); + if (AF_INET6 == a->af) + return memcmp(&a->u.a6.s6_addr, &b->u.a6.s6_addr, sizeof(a->u.a6.s6_addr)); + return 0; + } + if (a->af < b->af) + return -1; + return 1; +} + +ia_str_t ia_str = 0; + +void rssm_extension(int ext, void* arg) +{ + switch (ext) { + case DNSCAP_EXT_IA_STR: + ia_str = (ia_str_t)arg; + break; + } +} + +void rssm_usage() +{ + fprintf(stderr, + "\nrssm.so options:\n" + "\t-? 
print these instructions and exit\n" + "\t-w <name> write basic counters to <name>.<timesec>.<timeusec>\n" + "\t-Y use RSSAC002v3 YAML format when writing counters, the\n" + "\t file will contain multiple YAML documents, one for each\n" + "\t RSSAC002v3 metric\n" + "\t Used with; -S adds custom metric \"dnscap-rssm-sources\"\n" + "\t and -A adds \"dnscap-rssm-aggregated-sources\"\n" + "\t-n <name> the service name to use in RSSAC002v3 YAML\n" + "\t-S write source IPs into counters file with the prefix\n" + "\t \"source\" or ...\n" + "\t-s <name> write source IPs to <name>.<timesec>.<timeusec>\n" + "\t-A write aggregated IPv6(/64) sources into counters file\n" + "\t with the prefix \"aggregated-source\" or ...\n" + "\t-a <name> write aggregated IPv6(/64) sources to\n" + "\t <name>.<timesec>.<timeusec>\n" + "\t-D don't fork on close\n"); +} + +void rssm_getopt(int* argc, char** argv[]) +{ + int c; + while ((c = getopt(*argc, *argv, "?w:Yn:Ss:Aa:D")) != EOF) { + switch (c) { + case 'w': + if (counts_prefix) + free(counts_prefix); + counts_prefix = strdup(optarg); + break; + case 'Y': + rssac002v3_yaml = 1; + break; + case 'n': + if (service_name) + free(service_name); + service_name = strdup(optarg); + break; + case 'S': + sources_into_counters = 1; + break; + case 's': + if (sources_prefix) + free(sources_prefix); + sources_prefix = strdup(optarg); + break; + case 'A': + aggregated_into_counters = 1; + break; + case 'a': + if (aggregated_prefix) + free(aggregated_prefix); + aggregated_prefix = strdup(optarg); + break; + case 'D': + dont_fork_on_close = 1; + break; + case '?': + rssm_usage(); + if (!optopt || optopt == '?') { + exit(0); + } + // fallthrough + default: + exit(1); + } + } + if (sources_into_counters && sources_prefix) { + fprintf(stderr, "rssm: -S and -s can not be used at the same time!\n"); + rssm_usage(); + exit(1); + } + if (aggregated_into_counters && aggregated_prefix) { + fprintf(stderr, "rssm: -A and -a can not be used at the same time!\n"); + 
rssm_usage(); + exit(1); + } + if (rssac002v3_yaml && !service_name) { + fprintf(stderr, "rssm: service name (-n) needed for RSSAC002v3 YAML (-Y) output!\n"); + rssm_usage(); + exit(1); + } +} + +int rssm_start(logerr_t* a_logerr) +{ + logerr = a_logerr; + return 0; +} + +void rssm_stop() +{ +} + +int rssm_open(my_bpftimeval ts) +{ + open_ts = ts; + if (counts.sources.tbl) + hash_destroy(counts.sources.tbl); + if (counts.aggregated.tbl) + hash_destroy(counts.aggregated.tbl); + memset(&counts, 0, sizeof(counts)); + if (!(counts.sources.tbl = hash_create(65536, iaddr_hash, iaddr_cmp, 0))) { + return -1; + } + if (!(counts.aggregated.tbl = hash_create(4096, iaddr_hash, iaddr_cmp, 0))) { + return -1; + } + return 0; +} + +void rssm_save_counts(const char* sbuf) +{ + FILE* fp; + int i; + char* tbuf = 0; + i = asprintf(&tbuf, "%s.%s.%06lu", counts_prefix ? counts_prefix : COUNTS_PREFIX_DEFAULT, sbuf, (u_long)open_ts.tv_usec); + if (i < 1 || !tbuf) { + logerr("asprintf: out of memory"); + return; + } + fprintf(stderr, "rssm: saving counts in %s\n", tbuf); + fp = fopen(tbuf, "w"); + if (!fp) { + logerr("%s: %s", sbuf, strerror(errno)); + free(tbuf); + return; + } + if (rssac002v3_yaml) { + char tz[21]; + struct tm tm; + + gmtime_r((time_t*)&open_ts.tv_sec, &tm); + if (!strftime(tz, sizeof(tz), "%Y-%m-%dT%H:%M:%SZ", &tm)) { + logerr("rssm: strftime failed"); + fclose(fp); + free(tbuf); + return; + } + + fprintf(fp, "---\nversion: rssac002v3\nservice: %s\nstart-period: %s\nmetric: traffic-volume\n", service_name, tz); + fprintf(fp, "dns-udp-queries-received-ipv4: %" PRIu64 "\n", counts.dns_udp_queries_received_ipv4); + fprintf(fp, "dns-udp-queries-received-ipv6: %" PRIu64 "\n", counts.dns_udp_queries_received_ipv6); + fprintf(fp, "dns-tcp-queries-received-ipv4: %" PRIu64 "\n", counts.dns_tcp_queries_received_ipv4); + fprintf(fp, "dns-tcp-queries-received-ipv6: %" PRIu64 "\n", counts.dns_tcp_queries_received_ipv6); + fprintf(fp, "dns-udp-responses-sent-ipv4: %" PRIu64 "\n", 
counts.dns_udp_responses_sent_ipv4); + fprintf(fp, "dns-udp-responses-sent-ipv6: %" PRIu64 "\n", counts.dns_udp_responses_sent_ipv6); + fprintf(fp, "dns-tcp-responses-sent-ipv4: %" PRIu64 "\n", counts.dns_tcp_responses_sent_ipv4); + fprintf(fp, "dns-tcp-responses-sent-ipv6: %" PRIu64 "\n", counts.dns_tcp_responses_sent_ipv6); + + fprintf(fp, "\n---\nversion: rssac002v3\nservice: %s\nstart-period: %s\nmetric: traffic-sizes\n", service_name, tz); + i = 0; + for (; i < MAX_SIZE_INDEX; i++) { + if (counts.udp_query_size[i]) { + break; + } + } + if (i < MAX_SIZE_INDEX) { + fprintf(fp, "udp-request-sizes:\n"); + for (; i < MAX_SIZE_INDEX; i++) { + if (counts.udp_query_size[i]) { + fprintf(fp, " %d-%d: %" PRIu64 "\n", + i << MSG_SIZE_SHIFT, + ((i + 1) << MSG_SIZE_SHIFT) - 1, + counts.udp_query_size[i]); + } + } + } else { + fprintf(fp, "udp-request-sizes: {}\n"); + } + i = 0; + for (; i < MAX_SIZE_INDEX; i++) { + if (counts.udp_response_size[i]) { + break; + } + } + if (i < MAX_SIZE_INDEX) { + fprintf(fp, "udp-response-sizes:\n"); + for (; i < MAX_SIZE_INDEX; i++) { + if (counts.udp_response_size[i]) { + fprintf(fp, " %d-%d: %" PRIu64 "\n", + i << MSG_SIZE_SHIFT, + ((i + 1) << MSG_SIZE_SHIFT) - 1, + counts.udp_response_size[i]); + } + } + } else { + fprintf(fp, "udp-response-sizes: {}\n"); + } + i = 0; + for (; i < MAX_SIZE_INDEX; i++) { + if (counts.tcp_query_size[i]) { + break; + } + } + if (i < MAX_SIZE_INDEX) { + fprintf(fp, "tcp-request-sizes:\n"); + for (; i < MAX_SIZE_INDEX; i++) { + if (counts.tcp_query_size[i]) { + fprintf(fp, " %d-%d: %" PRIu64 "\n", + i << MSG_SIZE_SHIFT, + ((i + 1) << MSG_SIZE_SHIFT) - 1, + counts.tcp_query_size[i]); + } + } + } else { + fprintf(fp, "tcp-request-sizes: {}\n"); + } + i = 0; + for (; i < MAX_SIZE_INDEX; i++) { + if (counts.tcp_response_size[i]) { + break; + } + } + if (i < MAX_SIZE_INDEX) { + fprintf(fp, "tcp-response-sizes:\n"); + for (; i < MAX_SIZE_INDEX; i++) { + if (counts.tcp_response_size[i]) { + fprintf(fp, " %d-%d: %" 
PRIu64 "\n", + i << MSG_SIZE_SHIFT, + ((i + 1) << MSG_SIZE_SHIFT) - 1, + counts.tcp_response_size[i]); + } + } + } else { + fprintf(fp, "tcp-response-sizes: {}\n"); + } + + fprintf(fp, "\n---\nversion: rssac002v3\nservice: %s\nstart-period: %s\nmetric: rcode-volume\n", service_name, tz); + for (i = 0; i < MAX_RCODE; i++) { + if (counts.rcodes[i]) { + fprintf(fp, "%d: %" PRIu64 "\n", i, counts.rcodes[i]); + } + } + + fprintf(fp, "\n---\nversion: rssac002v3\nservice: %s\nstart-period: %s\nmetric: unique-sources\n", service_name, tz); + fprintf(fp, "num-sources-ipv4: %" PRIu64 "\n", counts.num_ipv4_sources); + fprintf(fp, "num-sources-ipv6: %" PRIu64 "\n", counts.num_ipv6_sources); + fprintf(fp, "num-sources-ipv6-aggregate: %u\n", counts.aggregated.num_addrs); + + if (sources_into_counters) { + fprintf(fp, "\n---\nversion: rssac002v3\nservice: %s\nstart-period: %s\nmetric: dnscap-rssm-sources\n", service_name, tz); + if (counts.sources.num_addrs) { + fprintf(fp, "sources:\n"); + for (i = 0; i < counts.sources.num_addrs; i++) { + fprintf(fp, " %s: %" PRIu64 "\n", ia_str(counts.sources.addrs[i]), counts.sources.count[i]); + } + } else { + fprintf(fp, "sources: {}\n"); + } + } + + if (aggregated_into_counters) { + fprintf(fp, "\n---\nversion: rssac002v3\nservice: %s\nstart-period: %s\nmetric: dnscap-rssm-aggregated-sources\n", service_name, tz); + if (counts.aggregated.num_addrs) { + fprintf(fp, "aggregated-sources:\n"); + for (i = 0; i < counts.aggregated.num_addrs; i++) { + fprintf(fp, " %s: %" PRIu64 "\n", ia_str(counts.aggregated.addrs[i]), counts.aggregated.count[i]); + } + } else { + fprintf(fp, "aggregated-sources: {}\n"); + } + } + } else { + fprintf(fp, "first-packet-time %ld\n", (long)open_ts.tv_sec); + fprintf(fp, "last-packet-time %ld\n", (long)close_ts.tv_sec); + fprintf(fp, "dns-udp-queries-received-ipv4 %" PRIu64 "\n", counts.dns_udp_queries_received_ipv4); + fprintf(fp, "dns-udp-queries-received-ipv6 %" PRIu64 "\n", counts.dns_udp_queries_received_ipv6); 
+ fprintf(fp, "dns-tcp-queries-received-ipv4 %" PRIu64 "\n", counts.dns_tcp_queries_received_ipv4); + fprintf(fp, "dns-tcp-queries-received-ipv6 %" PRIu64 "\n", counts.dns_tcp_queries_received_ipv6); + fprintf(fp, "dns-udp-responses-sent-ipv4 %" PRIu64 "\n", counts.dns_udp_responses_sent_ipv4); + fprintf(fp, "dns-udp-responses-sent-ipv6 %" PRIu64 "\n", counts.dns_udp_responses_sent_ipv6); + fprintf(fp, "dns-tcp-responses-sent-ipv4 %" PRIu64 "\n", counts.dns_tcp_responses_sent_ipv4); + fprintf(fp, "dns-tcp-responses-sent-ipv6 %" PRIu64 "\n", counts.dns_tcp_responses_sent_ipv6); + for (i = 0; i < MAX_SIZE_INDEX; i++) + if (counts.udp_query_size[i]) + fprintf(fp, "dns-udp-query-size %d-%d %" PRIu64 "\n", + i << MSG_SIZE_SHIFT, + ((i + 1) << MSG_SIZE_SHIFT) - 1, + counts.udp_query_size[i]); + for (i = 0; i < MAX_SIZE_INDEX; i++) + if (counts.tcp_query_size[i]) + fprintf(fp, "dns-tcp-query-size %d-%d %" PRIu64 "\n", + i << MSG_SIZE_SHIFT, + ((i + 1) << MSG_SIZE_SHIFT) - 1, + counts.tcp_query_size[i]); + for (i = 0; i < MAX_SIZE_INDEX; i++) + if (counts.udp_response_size[i]) + fprintf(fp, "dns-udp-response-size %d-%d %" PRIu64 "\n", + i << MSG_SIZE_SHIFT, + ((i + 1) << MSG_SIZE_SHIFT) - 1, + counts.udp_response_size[i]); + for (i = 0; i < MAX_SIZE_INDEX; i++) + if (counts.tcp_response_size[i]) + fprintf(fp, "dns-tcp-response-size %d-%d %" PRIu64 "\n", + i << MSG_SIZE_SHIFT, + ((i + 1) << MSG_SIZE_SHIFT) - 1, + counts.tcp_response_size[i]); + for (i = 0; i < MAX_RCODE; i++) + if (counts.rcodes[i]) + fprintf(fp, "dns-rcode %d %" PRIu64 "\n", + i, counts.rcodes[i]); + fprintf(fp, "num-sources %u\n", counts.sources.num_addrs); + if (sources_into_counters) { + for (i = 0; i < counts.sources.num_addrs; i++) { + fprintf(fp, "source %s %" PRIu64 "\n", ia_str(counts.sources.addrs[i]), counts.sources.count[i]); + } + } + if (aggregated_into_counters) { + for (i = 0; i < counts.aggregated.num_addrs; i++) { + fprintf(fp, "aggregated-source %s %" PRIu64 "\n", 
ia_str(counts.aggregated.addrs[i]), counts.aggregated.count[i]); + } + } + } + fclose(fp); + fprintf(stderr, "rssm: done\n"); + free(tbuf); +} + +void rssm_save_sources(const char* sbuf) +{ + FILE* fp; + char* tbuf = 0; + int i; + i = asprintf(&tbuf, "%s.%s.%06lu", sources_prefix, sbuf, (u_long)open_ts.tv_usec); + if (i < 1 || !tbuf) { + logerr("asprintf: out of memory"); + return; + } + fprintf(stderr, "rssm: saving %u sources in %s\n", counts.sources.num_addrs, tbuf); + fp = fopen(tbuf, "w"); + if (!fp) { + logerr("%s: %s", tbuf, strerror(errno)); + free(tbuf); + return; + } + for (i = 0; i < counts.sources.num_addrs; i++) { + fprintf(fp, "%s %" PRIu64 "\n", ia_str(counts.sources.addrs[i]), counts.sources.count[i]); + } + fclose(fp); + fprintf(stderr, "rssm: done\n"); + free(tbuf); +} + +void rssm_save_aggregated(const char* sbuf) +{ + FILE* fp; + char* tbuf = 0; + int i; + i = asprintf(&tbuf, "%s.%s.%06lu", aggregated_prefix, sbuf, (u_long)open_ts.tv_usec); + if (i < 1 || !tbuf) { + logerr("asprintf: out of memory"); + return; + } + fprintf(stderr, "rssm: saving %u aggregated in %s\n", counts.aggregated.num_addrs, tbuf); + fp = fopen(tbuf, "w"); + if (!fp) { + logerr("%s: %s", tbuf, strerror(errno)); + free(tbuf); + return; + } + for (i = 0; i < counts.aggregated.num_addrs; i++) { + fprintf(fp, "%s %" PRIu64 "\n", ia_str(counts.aggregated.addrs[i]), counts.aggregated.count[i]); + } + fclose(fp); + fprintf(stderr, "rssm: done\n"); + free(tbuf); +} + +/* + * Fork a separate process so that we don't block the main dnscap. Use double-fork + * to avoid zombies for the main dnscap process. 
+ */ +int rssm_close(my_bpftimeval ts) +{ + char sbuf[265]; + pid_t pid; + struct tm tm; + + if (dont_fork_on_close) { + struct tm tm; + gmtime_r((time_t*)&open_ts.tv_sec, &tm); + strftime(sbuf, sizeof(sbuf), "%Y%m%d.%H%M%S", &tm); + close_ts = ts; + rssm_save_counts(sbuf); + if (sources_prefix) + rssm_save_sources(sbuf); + if (aggregated_prefix) + rssm_save_aggregated(sbuf); + return 0; + } + + pid = fork(); + if (pid < 0) { + logerr("rssm.so: fork: %s", strerror(errno)); + return 1; + } else if (pid) { + /* parent */ + waitpid(pid, NULL, 0); + return 0; + } + /* 1st gen child continues */ + pid = fork(); + if (pid < 0) { + logerr("rssm.so: fork: %s", strerror(errno)); + return 1; + } else if (pid) { + /* 1st gen child exits */ + exit(0); + } + /* grandchild (2nd gen) continues */ + gmtime_r((time_t*)&open_ts.tv_sec, &tm); + strftime(sbuf, sizeof(sbuf), "%Y%m%d.%H%M%S", &tm); + close_ts = ts; + rssm_save_counts(sbuf); + if (sources_prefix) + rssm_save_sources(sbuf); + if (aggregated_prefix) + rssm_save_aggregated(sbuf); + exit(0); +} + +static void +find_or_add(iaddr ia) +{ + uint64_t* c = hash_find(&ia, counts.sources.tbl); + if (c) { + (*c)++; + } else { + if (counts.sources.num_addrs == MAX_TBL_ADDRS) + return; + counts.sources.addrs[counts.sources.num_addrs] = ia; + if (hash_add(&counts.sources.addrs[counts.sources.num_addrs], &counts.sources.count[counts.sources.num_addrs], counts.sources.tbl)) { + logerr("rssm.so: unable to add address to hash"); + return; + } + counts.sources.count[counts.sources.num_addrs]++; + counts.sources.num_addrs++; + if (ia.af == AF_INET) { + counts.num_ipv4_sources++; + } else { + counts.num_ipv6_sources++; + } + } + + if (ia.af == AF_INET6) { + iaddr v6agg = ia; + + memset(((uint8_t*)&v6agg.u.a6) + 8, 0, 8); + c = hash_find(&v6agg, counts.aggregated.tbl); + if (c) { + (*c)++; + } else { + if (counts.aggregated.num_addrs == MAX_TBL_ADDRS2) + return; + counts.aggregated.addrs[counts.aggregated.num_addrs] = v6agg; + if 
(hash_add(&counts.aggregated.addrs[counts.aggregated.num_addrs], &counts.aggregated.count[counts.aggregated.num_addrs], counts.aggregated.tbl)) { + logerr("rssm.so: unable to add aggregated address to hash"); + return; + } + counts.aggregated.count[counts.aggregated.num_addrs]++; + counts.aggregated.num_addrs++; + } + } +} + +void rssm_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags, + unsigned sport, unsigned dport, my_bpftimeval ts, + const u_char* pkt_copy, const unsigned olen, + const u_char* payload, const unsigned payloadlen) +{ + unsigned dnslen; + ldns_pkt* pkt = 0; + + if (!(flags & DNSCAP_OUTPUT_ISDNS)) + return; + + if (ldns_wire2pkt(&pkt, payload, payloadlen) != LDNS_STATUS_OK) { + return; + } + + dnslen = payloadlen >> MSG_SIZE_SHIFT; + if (dnslen >= MAX_SIZE_INDEX) + dnslen = MAX_SIZE_INDEX - 1; + + if (!ldns_pkt_qr(pkt)) { + find_or_add(from); + if (IPPROTO_UDP == proto) { + counts.udp_query_size[dnslen]++; + } else if (IPPROTO_TCP == proto) { + counts.tcp_query_size[dnslen]++; + } + if (AF_INET == from.af) { + if (IPPROTO_UDP == proto) { + counts.dns_udp_queries_received_ipv4++; + } else if (IPPROTO_TCP == proto) { + counts.dns_tcp_queries_received_ipv4++; + } + } else if (AF_INET6 == from.af) { + if (IPPROTO_UDP == proto) { + counts.dns_udp_queries_received_ipv6++; + } else if (IPPROTO_TCP == proto) { + counts.dns_tcp_queries_received_ipv6++; + } + } + } else { + uint16_t rcode = ldns_pkt_get_rcode(pkt); + if (IPPROTO_UDP == proto) { + counts.udp_response_size[dnslen]++; + } else if (IPPROTO_TCP == proto) { + counts.tcp_response_size[dnslen]++; + } + if (AF_INET == from.af) { + if (IPPROTO_UDP == proto) { + counts.dns_udp_responses_sent_ipv4++; + } else if (IPPROTO_TCP == proto) { + counts.dns_tcp_responses_sent_ipv4++; + } + } else if (AF_INET6 == from.af) { + if (IPPROTO_UDP == proto) { + counts.dns_udp_responses_sent_ipv6++; + } else if (IPPROTO_TCP == proto) { + counts.dns_tcp_responses_sent_ipv6++; + } + } + if 
(ldns_pkt_arcount(pkt)) { + rcode |= ((uint16_t)ldns_pkt_edns_extended_rcode(pkt) << 4); + } + counts.rcodes[rcode]++; + } + + ldns_pkt_free(pkt); +} diff --git a/plugins/rssm/test1.gold b/plugins/rssm/test1.gold new file mode 100644 index 0000000..86957d0 --- /dev/null +++ b/plugins/rssm/test1.gold @@ -0,0 +1,58 @@ +--- +version: rssac002v3 +service: test1 +start-period: 2016-10-20T15:23:01Z +metric: traffic-volume +dns-udp-queries-received-ipv4: 41 +dns-udp-queries-received-ipv6: 0 +dns-tcp-queries-received-ipv4: 0 +dns-tcp-queries-received-ipv6: 0 +dns-udp-responses-sent-ipv4: 41 +dns-udp-responses-sent-ipv6: 0 +dns-tcp-responses-sent-ipv4: 0 +dns-tcp-responses-sent-ipv6: 0 + +--- +version: rssac002v3 +service: test1 +start-period: 2016-10-20T15:23:01Z +metric: traffic-sizes +udp-request-sizes: + 16-31: 24 + 32-47: 17 +udp-response-sizes: + 176-191: 24 + 256-271: 17 +tcp-request-sizes: {} +tcp-response-sizes: {} + +--- +version: rssac002v3 +service: test1 +start-period: 2016-10-20T15:23:01Z +metric: rcode-volume +0: 41 + +--- +version: rssac002v3 +service: test1 +start-period: 2016-10-20T15:23:01Z +metric: unique-sources +num-sources-ipv4: 1 +num-sources-ipv6: 0 +num-sources-ipv6-aggregate: 0 + +--- +version: rssac002v3 +service: test1 +start-period: 2016-10-20T15:23:01Z +metric: dnscap-rssm-sources +sources: + 172.17.0.10: 41 + +--- +version: rssac002v3 +service: test1 +start-period: 2016-10-20T15:23:01Z +metric: dnscap-rssm-aggregated-sources +aggregated-sources: {} diff --git a/plugins/rssm/test1.sh b/plugins/rssm/test1.sh new file mode 100755 index 0000000..d43b947 --- /dev/null +++ b/plugins/rssm/test1.sh @@ -0,0 +1,11 @@ +#!/bin/sh -xe + +plugin=`find . -name 'rssm.so' | head -n 1` +if [ -z "$plugin" ]; then + echo "Unable to find the RSSM plugin" + exit 1 +fi + +../../src/dnscap -N -T -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -w test1 -Y -n test1 -A -S -D + +diff test1.20161020.152301.075993 "$srcdir/test1.gold" 
diff --git a/plugins/rssm/test2.gold b/plugins/rssm/test2.gold
new file mode 100644
index 0000000..85625c0
--- /dev/null
+++ b/plugins/rssm/test2.gold
@@ -0,0 +1,43 @@
+---
+0: 123
+metric: rcode-volume
+service: test1
+start-period: 2016-10-20T15:23:01Z
+version: rssac002v3
+
+---
+metric: traffic-sizes
+service: test1
+start-period: 2016-10-20T15:23:01Z
+tcp-request-sizes: {}
+tcp-response-sizes: {}
+udp-request-sizes:
+ 16-31: 72
+ 32-47: 51
+udp-response-sizes:
+ 176-191: 72
+ 256-271: 51
+version: rssac002v3
+
+---
+dns-tcp-queries-received-ipv4: 0
+dns-tcp-queries-received-ipv6: 0
+dns-tcp-responses-sent-ipv4: 0
+dns-tcp-responses-sent-ipv6: 0
+dns-udp-queries-received-ipv4: 123
+dns-udp-queries-received-ipv6: 0
+dns-udp-responses-sent-ipv4: 123
+dns-udp-responses-sent-ipv6: 0
+metric: traffic-volume
+service: test1
+start-period: 2016-10-20T15:23:01Z
+version: rssac002v3
+
+---
+metric: unique-sources
+num-sources-ipv4: 1
+num-sources-ipv6: 0
+num-sources-ipv6-aggregate: 0
+service: test1
+start-period: 2016-10-20T15:23:01Z
+version: rssac002v3
diff --git a/plugins/rssm/test2.sh b/plugins/rssm/test2.sh
new file mode 100755
index 0000000..11f44af
--- /dev/null
+++ b/plugins/rssm/test2.sh
@@ -0,0 +1,5 @@
+#!/bin/sh -xe
+
+"$srcdir"/dnscap-rssm-rssac002 --sort "$srcdir/test1.gold" "$srcdir/test1.gold" "$srcdir/test1.gold" > test2.out
+
+diff test2.out "$srcdir/test2.gold"
diff --git a/plugins/rssm/test3.gold b/plugins/rssm/test3.gold
new file mode 100644
index 0000000..237af89
--- /dev/null
+++ b/plugins/rssm/test3.gold
@@ -0,0 +1,57 @@
+---
+version: rssac002v3
+service: test3
+start-period: 2018-11-27T15:52:00Z
+metric: traffic-volume
+dns-udp-queries-received-ipv4: 0
+dns-udp-queries-received-ipv6: 1
+dns-tcp-queries-received-ipv4: 0
+dns-tcp-queries-received-ipv6: 0
+dns-udp-responses-sent-ipv4: 0
+dns-udp-responses-sent-ipv6: 1
+dns-tcp-responses-sent-ipv4: 0
+dns-tcp-responses-sent-ipv6: 0
+
+---
+version: rssac002v3
+service: test3
+start-period: 2018-11-27T15:52:00Z
+metric: traffic-sizes
+udp-request-sizes:
+ 32-47: 1
+udp-response-sizes:
+ 48-63: 1
+tcp-request-sizes: {}
+tcp-response-sizes: {}
+
+---
+version: rssac002v3
+service: test3
+start-period: 2018-11-27T15:52:00Z
+metric: rcode-volume
+0: 1
+
+---
+version: rssac002v3
+service: test3
+start-period: 2018-11-27T15:52:00Z
+metric: unique-sources
+num-sources-ipv4: 0
+num-sources-ipv6: 1
+num-sources-ipv6-aggregate: 1
+
+---
+version: rssac002v3
+service: test3
+start-period: 2018-11-27T15:52:00Z
+metric: dnscap-rssm-sources
+sources:
+ 2a01:3f0:0:57::245: 1
+
+---
+version: rssac002v3
+service: test3
+start-period: 2018-11-27T15:52:00Z
+metric: dnscap-rssm-aggregated-sources
+aggregated-sources:
+ 2a01:3f0:0:57::: 1
diff --git a/plugins/rssm/test3.sh b/plugins/rssm/test3.sh
new file mode 100755
index 0000000..60b2e8a
--- /dev/null
+++ b/plugins/rssm/test3.sh
@@ -0,0 +1,11 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'rssm.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the RSSM plugin"
+ exit 1
+fi
+
+../../src/dnscap -N -T -r "$srcdir/../../src/test/dns6.pcap" -P "$plugin" -w test3 -Y -n test3 -A -S -D
+
+diff test3.20181127.155200.414188 "$srcdir/test3.gold"
diff --git a/plugins/rssm/test4.sh b/plugins/rssm/test4.sh
new file mode 100755
index 0000000..3c28711
--- /dev/null
+++ b/plugins/rssm/test4.sh
@@ -0,0 +1,14 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'rssm.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the RSSM plugin"
+ exit 1
+fi
+
+../../src/dnscap -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -?
+! ../../src/dnscap -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -X
+! ../../src/dnscap -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -s s -s s -S
+! ../../src/dnscap -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -a a -a a -A
+! ../../src/dnscap -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -Y
+../../src/dnscap -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -D -w test4 -w test4 -n n -n n -s test4.src -a test4.agg
diff --git a/plugins/rssm/test5.gold b/plugins/rssm/test5.gold
new file mode 100644
index 0000000..acaa7cd
--- /dev/null
+++ b/plugins/rssm/test5.gold
@@ -0,0 +1,58 @@
+---
+version: rssac002v3
+service: test5
+start-period: 2018-01-10T11:22:41Z
+metric: traffic-volume
+dns-udp-queries-received-ipv4: 0
+dns-udp-queries-received-ipv6: 0
+dns-tcp-queries-received-ipv4: 41
+dns-tcp-queries-received-ipv6: 0
+dns-udp-responses-sent-ipv4: 0
+dns-udp-responses-sent-ipv6: 0
+dns-tcp-responses-sent-ipv4: 41
+dns-tcp-responses-sent-ipv6: 0
+
+---
+version: rssac002v3
+service: test5
+start-period: 2018-01-10T11:22:41Z
+metric: traffic-sizes
+udp-request-sizes: {}
+udp-response-sizes: {}
+tcp-request-sizes:
+ 16-31: 24
+ 32-47: 17
+tcp-response-sizes:
+ 32-47: 24
+ 128-143: 17
+
+---
+version: rssac002v3
+service: test5
+start-period: 2018-01-10T11:22:41Z
+metric: rcode-volume
+0: 41
+
+---
+version: rssac002v3
+service: test5
+start-period: 2018-01-10T11:22:41Z
+metric: unique-sources
+num-sources-ipv4: 1
+num-sources-ipv6: 0
+num-sources-ipv6-aggregate: 0
+
+---
+version: rssac002v3
+service: test5
+start-period: 2018-01-10T11:22:41Z
+metric: dnscap-rssm-sources
+sources:
+ 172.17.0.8: 41
+
+---
+version: rssac002v3
+service: test5
+start-period: 2018-01-10T11:22:41Z
+metric: dnscap-rssm-aggregated-sources
+aggregated-sources: {}
diff --git a/plugins/rssm/test5.sh b/plugins/rssm/test5.sh
new file mode 100755
index 0000000..4b93df5
--- /dev/null
+++ b/plugins/rssm/test5.sh
@@ -0,0 +1,11 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'rssm.so' | head -n 1`
+if [ -z "$plugin" ]; then
+ echo "Unable to find the RSSM plugin"
+ exit 1
+fi
+
+../../src/dnscap -N -T -r "$srcdir/../../src/test/dnso1tcp.pcap" -P "$plugin" -w test5 -Y -n test5 -A -S -D
+
+diff test5.20180110.112241.543825 "$srcdir/test5.gold"
diff --git a/plugins/rzkeychange/Makefile.am b/plugins/rzkeychange/Makefile.am
new file mode 100644
index 0000000..869eba6
--- /dev/null
+++ b/plugins/rzkeychange/Makefile.am
@@ -0,0 +1,23 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+ -I$(top_srcdir)/src \
+ -I$(top_srcdir)/isc \
+ $(SECCOMPFLAGS) \
+ $(libldns_CFLAGS)
+
+pkglib_LTLIBRARIES = rzkeychange.la
+rzkeychange_la_SOURCES = rzkeychange.c
+rzkeychange_la_LDFLAGS = -module -avoid-version $(libldns_LIBS)
+
+TESTS = test1.sh
+EXTRA_DIST = $(TESTS)
+CLEANFILES += *.pcap-dist
+
+if ENABLE_GCOV
+gcov-local:
+ for src in $(rzkeychange_la_SOURCES); do \
+ gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+ done
+endif
diff --git a/plugins/rzkeychange/rzkeychange.c b/plugins/rzkeychange/rzkeychange.c
new file mode 100644
index 0000000..4f14c40
--- /dev/null
+++ b/plugins/rzkeychange/rzkeychange.c
@@ -0,0 +1,470 @@ +/* + * Author Duane Wessels + */ + +#define _GNU_SOURCE +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <memory.h> +#include <time.h> +#include <stdarg.h> +#include <errno.h> +#include <assert.h> +#include <sys/wait.h> + +#include <sys/types.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <arpa/inet.h> + +#include <arpa/nameser.h> + +#include <netinet/in_systm.h> +#include <netinet/ip.h> +#include <netinet/ip6.h> +#include <netinet/ip_icmp.h> + +#include <ldns/ldns.h> + +#include "dnscap_common.h" + +static logerr_t* logerr = 0; +static my_bpftimeval open_ts = { 0, 0 }; +static my_bpftimeval clos_ts = { 0, 0 }; +static char* report_zone = 0; +static char* report_server = 0; +static char* report_node = 0; +static char* keytag_zone = 0; +static unsigned short resolver_port = 0; +static unsigned int resolver_use_tcp = 0; +static ldns_resolver* res; + +static int dry_run = 0; + +output_t rzkeychange_output; +is_responder_t rzkeychange_is_responder = 0; +ia_str_t rzkeychange_ia_str = 0; + +#define MAX_KEY_TAG_SIGNALS 500 +static unsigned int num_key_tag_signals; +struct { + iaddr addr; + uint8_t flags; + const char* signal; +} key_tag_signals[MAX_KEY_TAG_SIGNALS]; + +#define KEYTAG_FLAG_DO 1 +#define KEYTAG_FLAG_CD 2 +#define KEYTAG_FLAG_RD 4 + +struct { + uint64_t dnskey; + uint64_t tc_bit; + uint64_t tcp; + uint64_t icmp_unreach_frag; + uint64_t icmp_timxceed_reass; + uint64_t icmp_timxceed_intrans; + uint64_t total; +} counts; + +#define MAX_NAMESERVERS 10 +static unsigned int num_ns_addrs = 0; +static char* ns_addrs[MAX_NAMESERVERS]; + +void rzkeychange_usage() +{ + fprintf(stderr, + "\nrzkeychange.so options:\n" + "\t-? 
print these instructions and exit\n" + "\t-D dry run, just print queries\n" + "\t-z <zone> Report counters to DNS zone <zone> (required)\n" + "\t-s <server> Data is from server <server> (required)\n" + "\t-n <node> Data is from site/node <node> (required)\n" + "\t-k <zone> Report RFC 8145 key tag signals to <zone>\n" + "\t-a <addr> Send DNS queries to this addr\n" + "\t-p <port> Send DNS queries to this port\n" + "\t-t Use TCP for DNS queries\n"); +} + +void rzkeychange_extension(int ext, void* arg) +{ + switch (ext) { + case DNSCAP_EXT_IS_RESPONDER: + rzkeychange_is_responder = (is_responder_t)arg; + break; + case DNSCAP_EXT_IA_STR: + rzkeychange_ia_str = (ia_str_t)arg; + break; + } +} + +void rzkeychange_getopt(int* argc, char** argv[]) +{ + int c; + while ((c = getopt(*argc, *argv, "?a:k:n:p:s:tz:D")) != EOF) { + switch (c) { + case 'n': + if (report_node) + free(report_node); + report_node = strdup(optarg); + if (!report_node) { + fprintf(stderr, "strdup() out of memory\n"); + exit(1); + } + break; + case 's': + if (report_server) + free(report_server); + report_server = strdup(optarg); + if (!report_server) { + fprintf(stderr, "strdup() out of memory\n"); + exit(1); + } + break; + case 'z': + if (report_zone) + free(report_zone); + report_zone = strdup(optarg); + if (!report_zone) { + fprintf(stderr, "strdup() out of memory\n"); + exit(1); + } + break; + case 'k': + if (keytag_zone) + free(keytag_zone); + keytag_zone = strdup(optarg); + if (!keytag_zone) { + fprintf(stderr, "strdup() out of memory\n"); + exit(1); + } + break; + case 'a': + if (num_ns_addrs < MAX_NAMESERVERS) { + ns_addrs[num_ns_addrs] = strdup(optarg); + if (!ns_addrs[num_ns_addrs]) { + fprintf(stderr, "strdup() out of memory\n"); + exit(1); + } + num_ns_addrs++; + } else { + fprintf(stderr, "too many nameservers\n"); + exit(1); + } + break; + case 'p': + resolver_port = strtoul(optarg, 0, 10); + break; + case 't': + resolver_use_tcp = 1; + break; + case 'D': + dry_run = 1; + break; + case 
'?': + rzkeychange_usage(); + if (!optopt || optopt == '?') { + exit(0); + } + // fallthrough + default: + exit(1); + } + } + if (!report_zone || !report_server || !report_node) { + rzkeychange_usage(); + exit(1); + } +} + +ldns_pkt* +dns_query(const char* name, ldns_rr_type type) +{ + fprintf(stderr, "%s\n", name); + if (dry_run) { + return 0; + } + + ldns_rdf* domain = ldns_dname_new_frm_str(name); + if (0 == domain) { + fprintf(stderr, "bad query name: '%s'\n", name); + exit(1); + } + ldns_pkt* pkt = ldns_resolver_query(res, + domain, + type, + LDNS_RR_CLASS_IN, + LDNS_RD); + ldns_rdf_deep_free(domain); + return pkt; +} + +static void +add_resolver_nameserver(const char* s) +{ + ldns_rdf* nsaddr; + fprintf(stderr, "adding nameserver '%s' to resolver config\n", s); + if (strchr(s, ':')) + nsaddr = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_AAAA, s); + else + nsaddr = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_A, s); + if (!nsaddr) { + logerr("rzkeychange.so: invalid IP address '%s'", s); + exit(1); + } + assert(LDNS_STATUS_OK == ldns_resolver_push_nameserver(res, nsaddr)); +} + +int rzkeychange_start(logerr_t* a_logerr) +{ + ldns_pkt* pkt; + struct timeval to; + char qname[256]; + logerr = a_logerr; + if (LDNS_STATUS_OK != ldns_resolver_new_frm_file(&res, NULL)) { + fprintf(stderr, "Failed to initialize ldns resolver\n"); + exit(1); + } + if (num_ns_addrs) { + unsigned int i; + ldns_resolver_set_nameserver_count(res, 0); + for (i = 0; i < num_ns_addrs; i++) + add_resolver_nameserver(ns_addrs[i]); + } + if (0 == ldns_resolver_nameserver_count(res)) + add_resolver_nameserver("127.0.0.1"); + if (resolver_port) + ldns_resolver_set_port(res, resolver_port); + if (resolver_use_tcp) + ldns_resolver_set_usevc(res, 1); + + if (dry_run) { + return 0; + } + + fprintf(stderr, "Testing reachability of zone '%s'\n", report_zone); + pkt = dns_query(report_zone, LDNS_RR_TYPE_TXT); + if (!pkt) { + fprintf(stderr, "Test of zone '%s' failed\n", report_zone); + exit(1); + } + if (0 != 
ldns_pkt_get_rcode(pkt)) { + fprintf(stderr, "Query to zone '%s' returned rcode %d\n", report_zone, ldns_pkt_get_rcode(pkt)); + exit(1); + } + fprintf(stderr, "Success.\n"); + if (pkt) + ldns_pkt_free(pkt); + /* + * For all subsequent queries we don't actually care about the response + * and don't wait to wait very long for it so the timeout is set really low. + */ + to.tv_sec = 0; + to.tv_usec = 500000; + ldns_resolver_set_timeout(res, to); + snprintf(qname, sizeof(qname), "ts-elapsed-tot-dnskey-tcp-tc-unreachfrag-texcfrag-texcttl.%s.%s.%s", report_node, report_server, report_zone); + pkt = dns_query(qname, LDNS_RR_TYPE_TXT); + if (pkt) + ldns_pkt_free(pkt); + return 0; +} + +void rzkeychange_stop() +{ +} + +int rzkeychange_open(my_bpftimeval ts) +{ + open_ts = clos_ts.tv_sec ? clos_ts : ts; + memset(&counts, 0, sizeof(counts)); + memset(&key_tag_signals, 0, sizeof(key_tag_signals)); + num_key_tag_signals = 0; + return 0; +} + +void rzkeychange_submit_counts(void) +{ + char qname[256]; + ldns_pkt* pkt; + double elapsed = (double)clos_ts.tv_sec - (double)open_ts.tv_sec + 0.000001 * clos_ts.tv_usec - 0.000001 * open_ts.tv_usec; //NOSONAR + int k; + + k = snprintf(qname, sizeof(qname), "%lu-%u-%" PRIu64 "-%" PRIu64 "-%" PRIu64 "-%" PRIu64 "-%" PRIu64 "-%" PRIu64 "-%" PRIu64 ".%s.%s.%s", + (u_long)open_ts.tv_sec, + (unsigned int)(elapsed + 0.5), + counts.total, + counts.dnskey, + counts.tcp, + counts.tc_bit, + counts.icmp_unreach_frag, + counts.icmp_timxceed_reass, + counts.icmp_timxceed_intrans, + report_node, + report_server, + report_zone); + + if (k < sizeof(qname)) { + pkt = dns_query(qname, LDNS_RR_TYPE_TXT); + if (pkt) + ldns_pkt_free(pkt); + } + + if (keytag_zone != 0) { + unsigned int i; + + for (i = 0; i < num_key_tag_signals; i++) { + char* s = strdup(rzkeychange_ia_str(key_tag_signals[i].addr)); + char* t; + + if (0 == s) { + /* + * Apparently out of memory. 
This function is called in + * a child process which will exit right after this we + * break from the loop and return from this function. + */ + break; + } + + for (t = s; *t; t++) + if (*t == '.' || *t == ':') + *t = '-'; + + k = snprintf(qname, sizeof(qname), "%lu.%s.%hhx.%s.%s.%s.%s", + (u_long)open_ts.tv_sec, + s, + key_tag_signals[i].flags, + key_tag_signals[i].signal, + report_node, + report_server, + keytag_zone); + free(s); + + if (k >= sizeof(qname)) + continue; // qname was truncated in snprintf() + + pkt = dns_query(qname, LDNS_RR_TYPE_TXT); + if (pkt) + ldns_pkt_free(pkt); + } + } +} + +/* + * Fork a separate process so that we don't block the main dnscap. Use + * double-fork to avoid zombies for the main dnscap process. + */ +int rzkeychange_close(my_bpftimeval ts) +{ + pid_t pid; + pid = fork(); + if (pid < 0) { + logerr("rzkeychange.so: fork: %s", strerror(errno)); + return 1; + } else if (pid) { + /* parent */ + waitpid(pid, NULL, 0); + return 0; + } + /* 1st gen child continues */ + pid = fork(); + if (pid < 0) { + logerr("rzkeychange.so: fork: %s", strerror(errno)); + return 1; + } else if (pid) { + /* 1st gen child exits */ + exit(0); + } + /* grandchild (2nd gen) continues */ + clos_ts = ts; + rzkeychange_submit_counts(); + exit(0); +} + +void rzkeychange_keytagsignal(const ldns_pkt* pkt, const ldns_rr* question_rr, iaddr addr) +{ + ldns_rdf* qn; + char* qn_str = 0; + if (LDNS_RR_TYPE_NULL != ldns_rr_get_type(question_rr)) + return; + if (num_key_tag_signals == MAX_KEY_TAG_SIGNALS) + return; + qn = ldns_rr_owner(question_rr); + if (qn == 0) + return; + qn_str = ldns_rdf2str(qn); + if (qn_str == 0) + return; + if (0 != strncasecmp(qn_str, "_ta-", 4)) + goto keytagsignal_done; + qn_str[strlen(qn_str) - 1] = 0; // ldns always adds terminating dot + if (strchr(qn_str, '.')) // dont want non-root keytag signals + goto keytagsignal_done; + key_tag_signals[num_key_tag_signals].addr = addr; + key_tag_signals[num_key_tag_signals].signal = strdup(qn_str); 
+ assert(key_tag_signals[num_key_tag_signals].signal); + if (ldns_pkt_rd(pkt)) + key_tag_signals[num_key_tag_signals].flags |= KEYTAG_FLAG_RD; + if (ldns_pkt_cd(pkt)) + key_tag_signals[num_key_tag_signals].flags |= KEYTAG_FLAG_CD; + if (ldns_pkt_edns_do(pkt)) + key_tag_signals[num_key_tag_signals].flags |= KEYTAG_FLAG_DO; + num_key_tag_signals++; +keytagsignal_done: + if (qn_str) + free(qn_str); +} + +void rzkeychange_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags, + unsigned sport, unsigned dport, my_bpftimeval ts, + const u_char* pkt_copy, const unsigned olen, + const u_char* payload, const unsigned payloadlen) +{ + ldns_pkt* pkt = 0; + ldns_rr_list* question_rr_list = 0; + ldns_rr* question_rr = 0; + if (!(flags & DNSCAP_OUTPUT_ISDNS)) { + if (IPPROTO_ICMP == proto && payloadlen >= 4) { + struct icmp* icmp; + if (rzkeychange_is_responder && !rzkeychange_is_responder(to)) + goto done; + icmp = (void*)payload; + if (ICMP_UNREACH == icmp->icmp_type) { + if (ICMP_UNREACH_NEEDFRAG == icmp->icmp_code) + counts.icmp_unreach_frag++; + } else if (ICMP_TIMXCEED == icmp->icmp_type) { + if (ICMP_TIMXCEED_INTRANS == icmp->icmp_code) + counts.icmp_timxceed_intrans++; + else if (ICMP_TIMXCEED_REASS == icmp->icmp_code) + counts.icmp_timxceed_reass++; + } + } + goto done; + } + if (LDNS_STATUS_OK != ldns_wire2pkt(&pkt, payload, payloadlen)) + return; + if (0 == ldns_pkt_qr(pkt)) + goto done; + counts.total++; + if (IPPROTO_UDP == proto) { + if (0 != ldns_pkt_tc(pkt)) + counts.tc_bit++; + } else if (IPPROTO_TCP == proto) { + counts.tcp++; + } + if (LDNS_PACKET_QUERY != ldns_pkt_get_opcode(pkt)) + goto done; + question_rr_list = ldns_pkt_question(pkt); + if (0 == question_rr_list) + goto done; + question_rr = ldns_rr_list_rr(question_rr_list, 0); + if (0 == question_rr) + goto done; + if (LDNS_RR_CLASS_IN == ldns_rr_get_class(question_rr)) + if (LDNS_RR_TYPE_DNSKEY == ldns_rr_get_type(question_rr)) + counts.dnskey++; + if (keytag_zone != 0) + 
rzkeychange_keytagsignal(pkt, question_rr, to); // 'to' here because plugin should be processing responses +done: + ldns_pkt_free(pkt); +} diff --git a/plugins/rzkeychange/test1.sh b/plugins/rzkeychange/test1.sh new file mode 100755 index 0000000..de066e3 --- /dev/null +++ b/plugins/rzkeychange/test1.sh @@ -0,0 +1,21 @@ +#!/bin/sh -xe + +plugin=`find . -name 'rzkeychange.so' | head -n 1` +if [ -z "$plugin" ]; then + echo "Unable to find the rzkeychange plugin" + exit 1 +fi + +ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist + +../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -? +! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X +! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -n text -n text +! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -s text -s text +! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -z text -z text +! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k text -k text +! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -a 1 -a 2 -a 3 -a 4 -a 5 -a 6 -a 7 -a 8 -a 9 -a 10 -a 11 + +# LDNS resolver needs /etc/resolv.conf +test -f /etc/resolv.conf || exit 0 +../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -D -t -p 5353 -a 127.0.0.1 -n n -s s -z example.com -k k diff --git a/plugins/template/Makefile.am b/plugins/template/Makefile.am new file mode 100644 index 0000000..2cc0d7e --- /dev/null +++ b/plugins/template/Makefile.am @@ -0,0 +1,22 @@ +MAINTAINERCLEANFILES = $(srcdir)/Makefile.in +CLEANFILES = *.gcda *.gcno *.gcov + +AM_CFLAGS = -I$(srcdir) \ + -I$(top_srcdir)/src \ + -I$(top_srcdir)/isc \ + $(SECCOMPFLAGS) + +pkglib_LTLIBRARIES = template.la +template_la_SOURCES = template.c +template_la_LDFLAGS = -module -avoid-version + +TESTS = test1.sh +EXTRA_DIST = $(TESTS) +CLEANFILES += *.pcap-dist + +if ENABLE_GCOV +gcov-local: + for src in $(template_la_SOURCES); do \ + gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \ + done +endif 
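Review bot: `rzkeychange_open()` wipes `key_tag_signals` with `memset()` without freeing the `signal` strings that `rzkeychange_keytagsignal()` allocated with `strdup()`, so the long-running capture process leaks up to MAX_KEY_TAG_SIGNALS names per collection interval, and those names are taken from captured traffic. Only the forked grandchild in `rzkeychange_close()` exits; the parent keeps the array until the next open and then loses the pointers. Free the entries before the memset, with a local `unsigned int i`: `for (i = 0; i < num_key_tag_signals; i++) free((void*)key_tag_signals[i].signal);`. The same `strdup()` result is checked only by `assert()`, and `add_resolver_nameserver()` puts the `ldns_resolver_push_nameserver()` call itself inside an `assert()`, so a build with NDEBUG would store a NULL signal that later reaches `snprintf()`'s `%s` and would never push any nameserver; both should be explicit `if` checks that call `logerr()`.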
diff --git a/plugins/template/template.c b/plugins/template/template.c
new file mode 100644
index 0000000..6abf23c
--- /dev/null
+++ b/plugins/template/template.c
@@ -0,0 +1,147 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <string.h> +#include <netinet/in.h> + +#include "dnscap_common.h" + +static logerr_t* logerr; +static int opt_f = 0; +static const char* opt_x = 0; + +output_t template_output; + +void template_usage() +{ + fprintf(stderr, + "\ntemplate.so options:\n" + "\t-? 
print these instructions and exit\n" + "\t-f flag option\n" + "\t-x <arg> option with argument\n"); +} + +void template_getopt(int* argc, char** argv[]) +{ + /* + * The "getopt" function will be called from the parent to + * process plugin options. + */ + int c; + while ((c = getopt(*argc, *argv, "?fx:")) != EOF) { + switch (c) { + case 'f': + opt_f = 1; + break; + case 'x': + opt_x = strdup(optarg); + break; + case '?': + template_usage(); + if (!optopt || optopt == '?') { + exit(0); + } + // fallthrough + default: + exit(1); + } + } +} + +int template_start(logerr_t* a_logerr) +{ + /* + * The "start" function is called once, when the program + * starts. It is used to initialize the plugin. If the + * plugin wants to write debugging and or error messages, + * it should save the a_logerr pointer passed from the + * parent code. + */ + logerr = a_logerr; + return 0; +} + +void template_stop() +{ + /* + * The "start" function is called once, when the program + * is exiting normally. It might be used to clean up state, + * free memory, etc. + */ +} + +int template_open(my_bpftimeval ts) +{ + /* + * The "open" function is called at the start of each + * collection interval, which might be based on a period + * of time or a number of packets. In the original code, + * this is where we opened an output pcap file. + */ + return 0; +} + +int template_close(my_bpftimeval ts) +{ + /* + * The "close" function is called at the end of each + * collection interval, which might be based on a period + * of time or on a number of packets. In the original code + * this is where we closed an output pcap file. + */ + return 0; +} + +void template_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags, + unsigned sport, unsigned dport, my_bpftimeval ts, + const u_char* pkt_copy, const unsigned olen, + const u_char* payload, const unsigned payloadlen) +{ + /* + * Here you can "process" a packet. 
The function is named + * "output" because in the original code this is where + * packets were outputted. + * + * if flags & PCAP_OUTPUT_ISDNS != 0 then payload is the start of a DNS message. + * + * if flags & PCAP_OUTPUT_ISFRAG != 0 then the packet is a fragment. + * + * if flags & PCAP_OUTPUT_ISLAYER != 0 then the pkt_copy is the same as payload. + */ +} diff --git a/plugins/template/test1.sh b/plugins/template/test1.sh new file mode 100755 index 0000000..3cb518f --- /dev/null +++ b/plugins/template/test1.sh @@ -0,0 +1,13 @@ +#!/bin/sh -xe + +plugin=`find . -name 'template.so' | head -n 1` +if [ -z "$plugin" ]; then + echo "Unable to find the template plugin" + exit 1 +fi + +ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist + +../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -? +../../src/dnscap -r dns.pcap-dist -g -P "$plugin" +! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X diff --git a/plugins/txtout/Makefile.am b/plugins/txtout/Makefile.am new file mode 100644 index 0000000..c802b92 --- /dev/null +++ b/plugins/txtout/Makefile.am @@ -0,0 +1,22 @@ +MAINTAINERCLEANFILES = $(srcdir)/Makefile.in +CLEANFILES = *.gcda *.gcno *.gcov + +AM_CFLAGS = -I$(srcdir) \ + -I$(top_srcdir)/src \ + -I$(top_srcdir)/isc \ + $(SECCOMPFLAGS) $(libldns_CFLAGS) + +pkglib_LTLIBRARIES = txtout.la +txtout_la_SOURCES = txtout.c +txtout_la_LDFLAGS = -module -avoid-version $(libldns_LIBS) + +TESTS = test1.sh +EXTRA_DIST = $(TESTS) +CLEANFILES += test1.out *.pcap-dist + +if ENABLE_GCOV +gcov-local: + for src in $(txtout_la_SOURCES); do \ + gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \ + done +endif diff --git a/plugins/txtout/test1.sh b/plugins/txtout/test1.sh new file mode 100755 index 0000000..c862e46 --- /dev/null +++ b/plugins/txtout/test1.sh 
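Review bot: `template_getopt()` stores `opt_x = strdup(optarg);` without checking the result or releasing a previous value, so a repeated `-x` leaks and an allocation failure silently leaves a NULL option behind. Because this file is what plugin authors copy, it should show the pattern `rzkeychange_getopt()` uses in this same commit: `free((void*)opt_x); opt_x = strdup(optarg);` followed by `if (!opt_x) { fprintf(stderr, "strdup() out of memory\n"); exit(1); }`. `txtout_getopt()` has the same unchecked `opt_o = strdup(optarg);`. The comments also need a pass: `template_stop()` says `The "start" function` where it describes stop, and the `template_output()` comment names flags with a `PCAP_OUTPUT_` prefix while the other plugins in this commit test `DNSCAP_OUTPUT_ISDNS`.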
@@ -0,0 +1,15 @@ +#!/bin/sh -xe + +plugin=`find . -name 'txtout.so' | head -n 1` +if [ -z "$plugin" ]; then + echo "Unable to find the txtout plugin" + exit 1 +fi + +ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist + +../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -? +../../src/dnscap -r dns.pcap-dist -g -P "$plugin" +../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -s +../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -o test1.out +! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X diff --git a/plugins/txtout/txtout.c b/plugins/txtout/txtout.c new file mode 100644 index 0000000..37249b9 --- /dev/null +++ b/plugins/txtout/txtout.c 
@@ -0,0 +1,299 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <ctype.h>
+#include <errno.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+#include <ldns/ldns.h>
+
+#include "dnscap_common.h"
+
+static logerr_t* logerr;
+static char* opt_o = 0;
+static int opt_s = 0;
+static FILE* out = 0;
+
+output_t txtout_output;
+
+void txtout_usage()
+{
+ fprintf(stderr,
+ "\ntxtout.so options:\n"
+ "\t-? print these instructions and exit\n"
+ "\t-o <arg> output file name\n"
+ "\t-s short output, only QTYPE/QNAME for IN\n");
+}
+
+void txtout_getopt(int* argc, char** argv[])
+{
+ /*
+ * The "getopt" function will be called from the parent to
+ * process plugin options.
+ */
+ int c;
+ while ((c = getopt(*argc, *argv, "?so:")) != EOF) {
+ switch (c) {
+ case 'o':
+ if (opt_o)
+ free(opt_o);
+ opt_o = strdup(optarg);
+ break;
+ case 's':
+ opt_s = 1;
+ break;
+ case '?':
+ txtout_usage();
+ if (!optopt || optopt == '?') {
+ exit(0);
+ }
+ // fallthrough
+ default:
+ exit(1);
+ }
+ }
+}
+
+int txtout_start(logerr_t* a_logerr)
+{
+ /*
+ * The "start" function is called once, when the program
+ * starts. It is used to initialize the plugin. If the
+ * plugin wants to write debugging and or error messages,
+ * it should save the a_logerr pointer passed from the
+ * parent code.
+ */
+ logerr = a_logerr;
+ if (opt_o) {
+ out = fopen(opt_o, "w");
+ if (0 == out) {
+ logerr("%s: %s\n", opt_o, strerror(errno));
+ exit(1);
+ }
+ } else {
+ out = stdout;
+ }
+ setbuf(out, 0);
+ return 0;
+}
+
+void txtout_stop()
+{
+ /*
+ * The "start" function is called once, when the program
+ * is exiting normally. It might be used to clean up state,
+ * free memory, etc.
+ */
+ if (out != stdout)
+ fclose(out);
+}
+
+int txtout_open(my_bpftimeval ts)
+{
+ /*
+ * The "open" function is called at the start of each
+ * collection interval, which might be based on a period
+ * of time or a number of packets. In the original code,
+ * this is where we opened an output pcap file.
+ */
+ return 0;
+}
+
+int txtout_close(my_bpftimeval ts)
+{
+ /*
+ * The "close" function is called at the end of each
+ * collection interval, which might be based on a period
+ * of time or on a number of packets. In the original code
+ * this is where we closed an output pcap file.
+ */
+ return 0;
+}
+
+ia_str_t ia_str = 0;
+tcpstate_getcurr_t tcpstate_getcurr = 0;
+tcpstate_reset_t tcpstate_reset = 0;
+
+void txtout_extension(int ext, void* arg)
+{
+ switch (ext) {
+ case DNSCAP_EXT_IA_STR:
+ ia_str = (ia_str_t)arg;
+ break;
+ case DNSCAP_EXT_TCPSTATE_GETCURR:
+ tcpstate_getcurr = (tcpstate_getcurr_t)arg;
+ break;
+ case DNSCAP_EXT_TCPSTATE_RESET:
+ tcpstate_reset = (tcpstate_reset_t)arg;
+ break;
+ }
+}
+
+void txtout_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
+ unsigned sport, unsigned dport, my_bpftimeval ts,
+ const u_char* pkt_copy, unsigned olen,
+ const u_char* payload, unsigned payloadlen)
+{
+ /*
+ * Short output, only print QTYPE and QNAME for IN records
+ */
+ if (opt_s) {
+ if (flags & DNSCAP_OUTPUT_ISDNS) {
+ ldns_pkt* pkt;
+
+ if (ldns_wire2pkt(&pkt, payload, payloadlen) != LDNS_STATUS_OK) {
+ if (tcpstate_getcurr && tcpstate_reset)
+ tcpstate_reset(tcpstate_getcurr(), "");
+ return;
+ }
+
+ ldns_rr_list* qds = ldns_pkt_question(pkt);
+ if (qds) {
+ ldns_rr* qd = ldns_rr_list_rr(qds, 0);
+
+ if (qd && ldns_rr_get_class(qd) == LDNS_RR_CLASS_IN) {
+ ldns_buffer* buf = ldns_buffer_new(512);
+ if (!buf) {
+ logerr("out of memmory\n");
+ exit(1);
+ }
+
+ if (ldns_rr_type2buffer_str(buf, ldns_rr_get_type(qd)) == LDNS_STATUS_OK) {
+ fprintf(out, "%s", (char*)ldns_buffer_begin(buf));
+ } else {
+ fprintf(out,
"ERR");
+ }
+
+ ldns_buffer_clear(buf);
+ if (ldns_rdf2buffer_str(buf, ldns_rr_owner(qd)) == LDNS_STATUS_OK) {
+ fprintf(out, " %s\n", (char*)ldns_buffer_begin(buf));
+ } else {
+ fprintf(out, "ERR\n");
+ }
+ ldns_buffer_free(buf);
+ }
+ }
+ ldns_pkt_free(pkt);
+ }
+ return;
+ }
+
+ /*
+ * IP Stuff
+ */
+ fprintf(out, "%10ld.%06ld", (long)ts.tv_sec, (long)ts.tv_usec);
+ fprintf(out, " %s %u", ia_str(from), sport);
+ fprintf(out, " %s %u", ia_str(to), dport);
+ fprintf(out, " %hhu", proto);
+
+ if (flags & DNSCAP_OUTPUT_ISDNS) {
+ ldns_pkt* pkt;
+
+ if (ldns_wire2pkt(&pkt, payload, payloadlen) != LDNS_STATUS_OK) {
+ if (tcpstate_getcurr && tcpstate_reset)
+ tcpstate_reset(tcpstate_getcurr(), "");
+ fprintf(out, "\n");
+ return;
+ }
+
+ /*
+ * DNS Header
+ */
+ fprintf(out, " %u", ldns_pkt_id(pkt));
+ fprintf(out, " %u", ldns_pkt_get_opcode(pkt));
+ fprintf(out, " %u", ldns_pkt_get_rcode(pkt));
+ fprintf(out, " |");
+ if (ldns_pkt_qr(pkt))
+ fprintf(out, "QR|");
+ if (ldns_pkt_aa(pkt))
+ fprintf(out, "AA|");
+ if (ldns_pkt_tc(pkt))
+ fprintf(out, "TC|");
+ if (ldns_pkt_rd(pkt))
+ fprintf(out, "RD|");
+ if (ldns_pkt_ra(pkt))
+ fprintf(out, "RA|");
+ if (ldns_pkt_ad(pkt))
+ fprintf(out, "AD|");
+ if (ldns_pkt_cd(pkt))
+ fprintf(out, "CD|");
+
+ ldns_rr_list* qds = ldns_pkt_question(pkt);
+ if (qds) {
+ ldns_rr* qd = ldns_rr_list_rr(qds, 0);
+
+ if (qd) {
+ ldns_buffer* buf = ldns_buffer_new(512);
+ if (!buf) {
+ logerr("out of memmory\n");
+ exit(1);
+ }
+
+ if (ldns_rr_class2buffer_str(buf, ldns_rr_get_class(qd)) == LDNS_STATUS_OK) {
+ fprintf(out, " %s", (char*)ldns_buffer_begin(buf));
+ } else {
+ fprintf(out, " ERR");
+ }
+
+ ldns_buffer_clear(buf);
+ if (ldns_rr_type2buffer_str(buf, ldns_rr_get_type(qd)) == LDNS_STATUS_OK) {
+ fprintf(out, " %s", (char*)ldns_buffer_begin(buf));
+ } else {
+ fprintf(out, " ERR");
+ }
+
+ ldns_buffer_clear(buf);
+ if (ldns_rdf2buffer_str(buf, ldns_rr_owner(qd)) == LDNS_STATUS_OK) {
+ fprintf(out, " %s",
(char*)ldns_buffer_begin(buf));
+ } else {
+ fprintf(out, "ERR");
+ }
+ ldns_buffer_free(buf);
+ }
+ }
+ ldns_pkt_free(pkt);
+ }
+ /*
+ * Done
+ */
+ fprintf(out, "\n");
+}
diff --git a/rpm/dnscap.spec b/rpm/dnscap.spec
new file mode 100644
index 0000000..3aab83f
--- /dev/null
+++ b/rpm/dnscap.spec
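Review bot: `txtout_output` calls `ia_str(from)` and `ia_str(to)` unguarded in the long-format path, although `ia_str` starts as 0 and is only assigned when `txtout_extension` receives `DNSCAP_EXT_IA_STR`; a host that does not offer that extension turns the first packet into a call through a null function pointer, whereas `tcpstate_getcurr` and `tcpstate_reset` are both tested before use. A guard ahead of the "IP Stuff" block would fail cleanly: `if (!ia_str) { logerr("txtout: ia_str extension not available\n"); exit(1); }`. The three extension pointers are also declared without `static`, so they are exported from the module under generic names; the comment added to `src/args.c` in this commit says file-local functions are needed on some platforms, which suggests `static ia_str_t ia_str = 0;` and likewise for the other two. Separately, the final owner-name error branch prints `"ERR"` with no leading space, unlike the class and type branches, so the field fuses with the preceding one in the parsable output.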
@@ -0,0 +1,605 @@ +Name: dnscap +Version: 2.0.0 +Release: 1%{?dist} +Summary: Network capture utility designed specifically for DNS traffic +Group: Productivity/Networking/DNS/Utilities + +License: BSD-3-Clause +URL: https://www.dns-oarc.net/tools/dnscap +# Source needs to be generated by dist-tools/create-source-packages, see +# https://github.com/jelu/dist-tools +Source0: https://www.dns-oarc.net/files/dnscap/%{name}-%{version}.tar.gz?/%{name}_%{version}.orig.tar.gz + +BuildRequires: libpcap-devel +BuildRequires: ldns-devel +BuildRequires: openssl-devel +BuildRequires: zlib-devel +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: libtool +BuildRequires: perl-YAML +BuildRequires: cryptopant-devel +BuildRequires: pkgconfig + +%description +dnscap is a network capture utility designed specifically for DNS +traffic. It produces binary data in pcap(3) format. This utility +is similar to tcpdump(1), but has a number of features tailored +to DNS transactions and protocol options. + + +%prep +%setup -q -n %{name}_%{version} + + +%build +sh autogen.sh +%configure +make %{?_smp_mflags} + + +%check +make test + + +%install +rm -rf $RPM_BUILD_ROOT +make install DESTDIR=$RPM_BUILD_ROOT + + +%clean +rm -rf $RPM_BUILD_ROOT + + +%files +%defattr(-,root,root) +%{_bindir}/* +%{_datadir}/doc/* +%{_mandir}/man1/* +%{_libdir}/* + + +%changelog +* Fri Feb 12 2021 Jerry Lundström <lundstrom.jerry@gmail.com> 2.0.0-1 +- Release 2.0.0 + * This major release contains three backward incompatible changes, two + new command line options and a completely restructured man-page(!), + please read the change notes carefully before upgrading! + * The first backward incompatible change has to do with the removal of + libbind dependency. This library was causing segfaults on OpenBSD due to + shared (and overwritten) symbols with OpenBSD's libc. + It was replaced with LDNS and LDNS renders domain names as Fully + Qualified Domain Names (FQDN, the trailing dot!) 
so every output of a + domain name has been changed to a FQDN. + This also changes `-X`/`-x`, which will now match against FQDNs. + * The second backward incompatible change is that `-6` has been removed. + This was used to alter the BPF in order to "fix" it, dnscap adds + specific filters to IP and UDP headers which does not work for IPv6 + traffic. + The generated BPF has been changed to allow IPv6 to always pass, making + the option obsolete. IPv6 filtering is then done in dnscap. + * The last backward incompatible change has to do with the output format + of `-g` related to EDNS0 and is now more consistent with the rest of + the parsable output: + - No more spaces in the output + - Fix incorrect `\` and extra empty new-line + - All EDNS0 options are added after `edns0[...]` using comma separation, example: `edns0[],edns0opt[],...` + - Client Subnet format: `edns0opt[ECS,family=nn,source=nn,scope=nn,addr=...]` + - Unknown/unsupported code: `edns0opt[code=nn,codelen=nn]` + - Parsing error messages have changed, they came from libbind, now comes from LDNS + * New options: + - Add `-q` and `-Q` to filter on matched/not matched QTYPE + * Bugfixes: + - Fix memory leak in EDNS0 ECS address parsing + - `network`: Fix sonarcloud issues, potential `memcpy()` of null pointer + * Other changes: + - Fix CBOR output inclusion, LDNS is always available now + - Add macros for Apple and Windows endian functions + - Restructure and correct the man-page + * Commits: + 557e5f5 man-page + 025529f v6bug, interval + 37b79e9 FQDN + ebcf434 QTYPE match, args, tests + 0cb5562 v6bug + 75f6115 Endian + aaeb213 Sonarcloud + 8685946 CBOR output + 3e26802 Sonarcloud + 30aa366 libbind + 3f94d0b Mattermost +* Thu Oct 22 2020 Jerry Lundström <lundstrom.jerry@gmail.com> 1.12.0-1 +- Release 1.12.0 + * This release fixes the handling of `-?` option for dnscap and all plugins, + previously the handling varied between places and depending on `getopt()` + implementation an invalid option could return 
the wrong exit code. + * Other changes: + - Fix typo in configure help text + - `plugins/anonmask`: Fix typo in help text + - `plugins/rzkeychange`: + - Add `-D`, dry run mode, for testing + - Fix handling of `-a` and error on too many + * KNOWN ISSUES: + On OpenBSD the system library libc exports the same symbols as libbind + does and this causes runtime warnings. Until now this has not caused any + known problems but is now also causing segfaults if the packet filter used + (BPF) includes IPv6 addresses. + On all other platforms OARC supports, these symbols are macros and in so + should not cause any problem. + * Commits: + ee478c0 Known issues + 2f9d957 Tests + 3c663a2 Tests + c88efc5 rzkeychange test + f062f33 Tests +* Thu Aug 20 2020 Jerry Lundström <lundstrom.jerry@gmail.com> 1.11.1-1 +- Release 1.11.1 + * This release fixes a lot of issues found by code analysis, adds a + explicit memory zeroing function to remove account information (read + when dropping privileges) and adds code coverage reporting. + * The `dnscap_memzero()` will use `explicit_bzero()` on FreeBSD and + OpenBSD, or `memset_s()` (if supported), otherwise it will manually + set the memory to zero. This will hopefully ensure that the memory + is zeroed as compilers can optimize out `memset()`'s that is just + before `free()`. + * The plugins exit code for the help option `-?` has been changed to 0 + to have the same as `dnscap -?`. + * Commits: + d9747ee memzero + 1cf17c6 Coverage + 19c7120 Coverage + 7435676 Sonarcloud + 928e181 Sonarcloud + ca4afd0 Sonarcloud + 028f5e0 Badges + db0d6a1 LGTM +* Mon Jun 01 2020 Jerry Lundström <lundstrom.jerry@gmail.com> 1.11.0-1 +- Release 1.11.0 + * This release includes a new plugin called `eventlog`, contributed + by Byron Darrah (@ByronDarrah), output DNS activity as log events, + including answers to A and AAAA queries. + * Other changes includes compile warning and code analysis fixes. 
+ * Commits: + 382eac4 COPR + 4c03650 Compile warn + 21d6a67 Slight change -- wording now matches usage() output. + dd19b0b Added the eventlog.so plugin... + 1ebf504 Added new dnscap plugin: evenlog.so... + f3f9aaa Compile warnings +* Mon Mar 02 2020 Jerry Lundström <lundstrom.jerry@gmail.com> 1.10.4-1 +- Release 1.10.4 + * Fixed a bug that would not drop privileges when not specifying any + interface (which is equal to capturing on all interfaces). + * Added functionality to set the supplemental groups when dropping + privileges and changing user, or clear them if that is not supported. + * Other changes includes corrected man-page about '-w' and update to + documentation. + * Commits: + a0285e4 drop privileges errors, initgroups/setgroups + 96336f3 daemon: Attempt to drop supplemental groups + 467a9a7 Drop privileges + de940a8 man-page -w + 187ec43 README +* Wed Oct 02 2019 Jerry Lundström <lundstrom.jerry@gmail.com> 1.10.3-1 +- Release 1.10.3 + * Fixed plugins inclusion in deb packages for Debian and Ubuntu. + * Commits: + 017ebb2 Deb packages + cf59143 COPR, spec +* Mon Aug 05 2019 Jerry Lundström <lundstrom.jerry@gmail.com> 1.10.2-1 +- Release 1.10.2 + * Fixed bug in the handling of defragmentation configuration which lead + to the use of a local scope variable later on and caused unexpected + behavior. + * Commits: + 91692b8 Frag conf + 6a74376 Package + d0d1a6d Package +* Mon Jul 08 2019 Jerry Lundström <lundstrom.jerry@gmail.com> 1.10.1-1 +- Release 1.10.1 + * Fix various issues found by code analysis tools, a few compiler warnings + removed, undefined bit shift behavior fixed, parameter memory leaks + plugged and documentation updates. 
+ * Fixes: + - `dump_dns`: Remove usage of `strcpy()` and use `snprintf()` instead + of `sprintf()` + - `bpft`: + - Use `text_ptr->len` to store length of generated text + - Use `memcpy()` instead of `strcat()` + - Remove unneeded `realloc()` and `strcpy()` + - `plugins/cryptopan`: Fix strict-aliasing warnings + - `network`: Rework part of `dl_pkt()` to remove usage of `strcpy()` + and use `snprintf()` instead of `sprintf()` + - `plugins/anonaes128`: Use `a6` as dest when copying v4 addresses for + readability and code analysis + - `plugins/cryptopan`: Run first pass separate to eliminate a 32bit + shift by 32 (undefined behavior) + - `plugins/cryptopant`: Fix memory leak of `keyfile` if `-k` is + specified more then once + * Documentation: + - Update `README.md` with correction to building from git and note + about PCAP on OpenBSD + - Fix #190: Update link to `libbind` source + * Commits: + 074923c Funding + 5d2e84c libbind + 8ee9f2a Travis-CI + 6babd09 Fixes + bb2d1c7 README, compile warnings + 0d9cd9c LGTM, Travis-CI +* Mon Dec 03 2018 Jerry Lundström <lundstrom.jerry@gmail.com> 1.10.0-1 +- Release 1.10.0 + * This release adds a new plugin type "filter" and 5 new plugins that can + do anonymization, deanonymization and masking of the IP addresses. 
+ * New features: + - Check plugins for `pluginname_type()` which returns `enum plugin_type`, + if missing the plugin is counted as an "output" plugin + - New plugin type "filter" which calls `pluginname_filter()` prior of + outputting any data or calling of "output" plugins, if the new function + returns non-zero then the packet is filtered out (dropped) + - New extension `DNSCAP_EXT_SET_IADDR` that gives access to a function + for setting the from and to IP addresses both in the extracted data + and the wire + * New plugins: + - `anonaes128`: Anonymize IP addresses using AES128 + - `anonmask`: Pseudo-anonymize IP addresses by masking them + - `cryptopan`: Anonymize IP addresses using an extension to Crypto-PAn + (College of Computing, Georgia Tech) made by David Stott (Lucent) + - `cryptopant`: Anonymize IP addresses using cryptopANT, a different + implementation of Crypto-PAn made by the ANT project at USC/ISI + - `ipcrypt`: Anonymize IP addresses using ipcrypt create by + Jean-Philippe Aumasson + * Bugfixes: + - Fix changing `royparse` and `txtout` with other plugins (thanks to + Duane Wessels and Paul Hoffman) + - Free pointers to allocated strings in `text_free()` (thanks to Michał + Kępień) + - Fix IP checksum calculation + * Other changes: + - `-B` and `-E` can be used without `-w` (thanks to Duane Wessels) + - Use `pcap_findalldevs()` instead of `pcap_lookupdev()` (thanks to + Michał Kępień) + - Document and add `-?` option to all plugins + - Fix clang `scan-build` bugs and LGTM alerts + - Use `gmtime_r()` instead of `gmtime()` + - Update `pcap-thread` to v4.0.0 + * Commits: + 67d8e2c Fix + fb0ed02 Plugin documentation + a2c9a6c cryptopant + 39db1ca Deanonymize, IPv6 test + afc7107 Crypto-PAn, cryptopANT + f1912cc OpenSSL, anonaes128 + f2bab62 ipcrypt, anonmask + 158b1e7 anonmask help + 60ece58 anonmask + 8f1b138 Plugin types, filter plugin, set iaddr extension, anonymization + by masking + b7d7991 IP checksum + 641a23a Free pointers to allocated strings 
in text_free() + 4d313bf pcap_findalldevs() + 091e0ca Use pcap_findalldevs() instead of pcap_lookupdev() + 6a7b25e Clean up use of feature test macros on Linux + cbba14c Configure, uninitialized + f228c9c Code formatting + 3fd738c man-page + 770168a Test + 714e4f5 Fix -B <begin> so that it works when reading offline pcap files. + 8675bea Test + 911fec9 Implementing test9 as a test of -B and -E command line args. + a7cc72d -B <begin> and -E <end> can work fine without -w <base>. + 04c4928 Made the same changes to txtout as were in 165a786 + 165a786 Workaround for stdio mystery causing duplicate royparse output. +* Wed Feb 28 2018 Jerry Lundström <lundstrom.jerry@gmail.com> 1.9.0-1 +- Release 1.9.0 + * This release adds a new option to change how the Berkeley Packet Filter + is generated to include the host restrictions for all selections, + previously this restriction would only apply to specific parts. + * Additional tweaks to the RSSM plugin has been made to conform to the + RSSAC002v3 specification. One noticeable change is that the plugin now + requires the DNS to be parsed before counted, any error in the parsing + will result in the message being left out of the statistics. 
+ * Changes: + - Fix spacing in BPF filter to look better + - Fix #146: Add `bpf_hosts_apply_all`, apply any host restriction to all + - `plugin/rssm`: + - Remove quoting of `start-period` and correctly handle empty hashes + - Issue #152, Issue #91: Parse DNS before processing RSSM counters + - `plugin/rssm/dnscap-rssm-rssac002`: Use `YAML::Dump()` for output + * Commits: + 47d892b Issue #152: RSSM YAML output + d4f1466 Issue #152, Issue #91: Parse DNS before processing RSSM counters + 68fc1ff BPF, `bpf_hosts_apply_all` +* Wed Feb 07 2018 Jerry Lundström <lundstrom.jerry@gmail.com> 1.8.0-1 +- Release 1.8.0 + * This release updates the TCP stream code in order to be able to look + at more then just the first query, for handling already ongoing TCP + connections without having seen SYN/ACK and for reassembly of the TCP + stream prior of parsing it for DNS with an additional layer of parsing + (see `reassemble_tcp_bfbparsedns`). + * Updates to the Root Server Scaling Measurement (RSSM) plugin have also + been made to bring it up to date with RSSAC002v3 specification, be + able to output the YAML format described and an additional script to + merge YAML files if the interval is less then the RSSAC002v3 24 hour + period. See "Updates to the RSSM plugin" below and + `plugins/rssm/README.md`. + * New extended options: + - `parse_ongoing_tcp`: Start tracking TCP connections even if SYN/ACK + has not been seen + - `allow_reset_tcpstate`: Allow external reset of TCP state + - `reassemble_tcp`: Use to enable TCP stream reassembly + - `reassemble_tcp_faultreset`: Number of faults before reseting TCP + state when reassembly is enabled + - `reassemble_tcp_bfbparsedns`: Enable an experimental additional layer + of reassemble that uses `libbind` to parse the payload before accepting + it. If the DNS is invalid it will move 2 bytes within the payload and + treat it as a new payload, taking the DNS length again and restart + the process. Requires `libbind` and `reassemble_tcp`. 
+ * New extension functions for plugins: + - `DNSCAP_EXT_TCPSTATE_GETCURR`: Function to get a pointer for the + current TCP state + - `DNSCAP_EXT_TCPSTATE_RESET`: Function to reset a TCP state + * New features: + - Parse additional DNS queries in TCP connections + - `-g` and the `txtout` plugin will reset TCP state (if allowed) on + failure to parse DNS + * Bugfixes: + - Fix `-g` output, separate error message with a space + - Fix TCP packets wrongfully flagged as DNS when using layers. + - Fix TCP debug output when using layers, `ia_str()` is not safe to call + twice in the same `printf` because of local buffer. + - Fix exported extension functions, need to be file local + * New tests for: + - Multiple DNS queries in one TCP connection + - Query over TCP without SYN + - Queries over TCP with first query missing length + - Queries over TCP with middle payloads missing + - Add test with TCP stream that missing multiple packets in the middle + * Updates to the RSSM plugin (`plugins/rssm`): + - Add info about saving counts and sources + - Fix memory leak on `fopen()` errors + - Update to RSSAC002v3 specification + - New options: + - `-D` to disable forking on close + - `-Y`: Use RSSAC002v3 YAML format when writing counters, the file + will contain multiple YAML documents, one for each RSSAC002v3 metric + Used with; -S adds custom metric `dnscap-rssm-sources` and -A adds + `dnscap-rssm-aggregated-sources` + - `-n`: Set the service name to use in RSSAC002v3 YAML + - `-S`: Write source IPs into counters file with the prefix `source` + - `-A`: Write aggregated IPv6(/64) sources into counters file with + the prefix `aggregated-source` + - `-a`: Write aggregated IPv6(/64) sources to + `<name>.<timesec>.<timeusec>` + - Add `dnscap-rssm-rssac002` Perl script for merging RSSAC002v3 YAML files + - Add README.md for the plugin man-page for `dnscap-rssm-rssac002` + - Add test for YAML output and merging of YAML files + * Commits: + c7058c8 Use file local functions for all 
extensions + 66b352d RSSM RSSAC002v3 YAML Tool + b09efc2 `plugins/rssm` RSSAC002v3 + 709aba6 Fix #89: Add additional reassembly layers that parses the + payload byte for byte for valid DNS + 04fa013 Fix CID 1463944 (again) + b1cf623 RSSM saving data and forking + fb23305 Fix CID 1463944 + 0fca1a8 Issue #89: TCP stream reassemble + bb6428c CID 1463814: Check `ns_initparse()` for errors + a57066f Fix #88: TCP handling +* Wed Dec 27 2017 Jerry Lundström <lundstrom.jerry@gmail.com> 1.7.1-1 +- Release 1.7.1 + * The library used for parsing DNS (libbind) is unable to parse DNS + messages when there is padding at the end (the UDP/TCP payload is larger + then the DNS message). This has been fixed by trying to find the actual + DNS message size, walking all labels and RR data, and then retry parsing. + * Other changes and bug-fixes: + - Fix size when there is a VLAN to match output of `use_layers` yes/no + - Add test of VLAN matching + - Fix `hashtbl.c` building in `rssm` + - Add test with padded DNS message + * Commits: + 49e5400 Fix #127: If `ns_initparse()` returns `EMSGSIZE`, try and get + actual size and reparse + 99bda0b Fix #98: VLAN +* Tue Dec 19 2017 Jerry Lundström <lundstrom.jerry@gmail.com> 1.7.0-1 +- Release 1.7.0 + * This release adds IP fragmentation handling by using layers in pcap-thread + which also adds a new flag to output and modules. `DNSCAP_OUTPUT_ISLAYER` + indicates that `pkt_copy` is equal to `payload` since the layers of the + traffic have already been parsed. IP fragments are reassembled with the + `pcap_thread_ext_frag` extension that is included in pcap-thread. 
+ * New extended (`-o`) options: + - `use_layers`: Use pcap-thread layers to handle the traffic + - `defrag_ipv4`: Enabled IPv4 de-fragmentation + - `defrag_ipv6`: Enabled IPv6 de-fragmentation + - `max_ipv4_fragments`: Set maximum fragmented IPv4 packets to track + - `max_ipv4_fragments_per_packet`: Set the maximum IPv4 fragments per + tracked packet + - `max_ipv6_fragments`: Set maximum fragmented IPv6 packets to track + - `max_ipv6_fragments_per_packet`: Set the maximum IPv6 fragments per + tracked packet + * Currently `-w` does not work with `use_layers` and the plugins `pcapdump` + and `royparse` will discard output with the flag `DNSCAP_OUTPUT_ISLAYER` + because they need access to the original packet. + * The `rzkeychange` plugin now encodes certain flag bits in the data that + it reports for RFC8145 key tag signaling. The flags of interest are: + `DO`, `CD`, and `RD`. These are encoded in an bit-mask as a hexadecimal + value before the `_ta` component of the query name. + * Other changes and bug-fixes: + - Fix #115: document `-g` output, see `OUTPUT FORMATS` `diagnostic` in + `dnscap(1)` man-page + - Add test to match output from non-layers runs with those using layers + - Add test with fragmented DNS queries + - Fix #120: CBOR/CDS compiles again, update tinycbor to v0.4.2 + - Fix `ip->ip_len` byte order + - Fix parsing of IP packets with padding or missing parts of payload + * Commits: + 0347f74 Add AUTHORS section in man-page + ef1b68c Fix CID 1463073 + 8a79f89 Layers + a404d08 Update pcap-thread to v3.1.0, add test for padding fixes + 08402f1 Fix byte order bug. ip->ip_len must be evaluated with ntohs(). + d6d2340 CBOR/CDS and formatting + 85ec2d8 Fix #87: IP fragmentation reassembly + 22bfd4a Documentation + c35f19f Adding flag bits to rzkeychange RFC8145 key tag signaling data. + This may be useful to find "false" key tag signals from sources + that don't actually perform DNSSEC validation. 
+* Fri Dec 01 2017 Jerry Lundström <lundstrom.jerry@gmail.com> 1.6.0-1 +- Release 1.6.0 + * New additions to the plugins: + - `rzkeychange` can now collect RFC8145 key tag signaling. Signals are + saved during the collection interval, and then sent to the specified + `-k <zone>`, one at a time, at the end of the interval. Only root zone + signals are collected. Added by Duane Wessels (@wessels). + - `royparse` is a new plugin to splits a PCAP into two streams, queries + in PCAP format and responses in ASCII format. Created by Roy Arends + (@RoyArends). + - `txtout` new option `-s` for short output, only print QTYPE and QNAME + for IN records. Added by Paul Hoffman (@paulehoffman) + - The extension interface has been extended with `DNSCAP_EXT_IA_STR` to + export the `ia_str()` function. + * Bugfixes and other changes: + - Remove duplicated hashtbl code + - `rssm`: fix bug where count in table was taken out as `uint16_t` but + was a `uint64_t` + - Handle return values from hashtbl functions + - `txtout`: removed unused `-f` options + - Change `ia_str()` to use buffers with correct sizes, thanks to + @RoyArends for spotting this! + * Commits: + 3f78a31 Add copy/author text + 1bd914d Fix CID 1462343, 1462344, 1462345 + f9bb955 Fix `fprintf()` format for message size + abedf84 Fix #105: `inet_ntop` buffers + bfdcd0d Addresses the suggestions from Jerry. + dda0996 royparse :) + 4f6520a royparse plugin finished + f1aa4f2 Fix #103: Remove `opt_f` + 32355b7 Rearrange code to keep the change smaller and fix indentation + d6612c1 Added -s to txtout for short output + 9d8d1ef Check return of `snprintf()` + 55f5aba Format code + 9f19ec3 Fixed memory leak in rzkeychange_keytagsignal() + 58b8784 Fix memory leaks and better return value checks in + rzkeychange_submit_counts() + b06659f Add server and node to keytag signal query name + 705a866 Always free response packets in rzkeychange plugin. 
+ e802843 Implement RFC8145 key tag signal collection in rzkeychange plugin + 5fbf6d0 Added extension for ia_str() so it can be used by rzkeychange + plugin. + 3be8b8f Split `dnscap.c` into more files + e431d14 Fix #92: hashtbl +* Mon Aug 21 2017 Jerry Lundström <lundstrom.jerry@gmail.com> 1.5.1-1 +- Release 1.5.1 + * Compatibility fixes for FreeBSD 11.1+ which is now packing `struct ip` + and for OpenBSD. + * Commits: + 17e3c92 FreeBSD is packing `struct ip`, need to `memcpy()` + f8add66 Code formatting + 38cd585 Add documentation about libbind + d1dd55b Fix #82: Update dependencies for OpenBSD +* Tue Jun 06 2017 Jerry Lundström <lundstrom.jerry@gmail.com> 1.5.0-1 +- Release 1.5.0 + * Added support for writing gzipped PCAP if the `-W` suffix ends with + `.gz` and made `-X` work without `-x`. New inteface for plugins to + tell them what extensions are available and a new plugin `rzkeychange`. + * Plugin extensions: + - Call `plugin_extension(ext, arg)` to tell plugin what extensions exists + - Add extension for checking responder (`is_responder()`) + * The rzkeychange plugin was developed by Duane Wessels 2016 in support + of the root zone ZSK size increase. It is also being used in support of + the 2017 root KSK rollover and collects the following measurements: + - total number of responses sent + - number of responses with TC bit set + - number of responses over TCP + - number of DNSKEY responses + - number of ICMP_UNREACH_NEEDFRAG messages received + - number of ICMP_TIMXCEED_INTRANS messages received + - number of ICMP_TIMXCEED_REASS messages received + * Other fixes (author Duane Wessels): + - 232cbd0: Correct comment description for meaning of IPPROTO_AH + - 181eaa4: Add #include <sys/time.h> for struct timeval on NetBSD + * Commits: + 1d894e2 Make -x and -X work correctly together and update man-page + 34bc54c Make the -X option work without requiring a -x option. 
+ f43222e Fix CID 1440488, 1440489, 1440490 + aa54395 Update pcap-thread to v2.1.3 + 81174ce Prepare SPEC for OSB/COPR + 21d7468 New plugin rzkeychange and plugin extensions + 38491a3 Config header is generated by autotools + 419a8ab Small tweaks and fixes for gzip support + 1967abc updated for earlier BSD versions + f135c90 added auto gzip if the -W suffix ends with .gz + * Commits during development of rzkeychange (author Duane Wessels): + - 620828d: Add rzkeychange -z option to specify resolver IP addresses + - 1f77987: Add -p and -t options to rzkeychange plugin to configure an + alternate port and TCP. Useful for ssh tunnels. + - 2a571f1: Split ICMP time exceeded counter into two counters for time + exceeded due to TTL and another due to fragmentation + - e4ee2d3: The rzkeychange data collection plugin uses + `DNSCAP_EXT_IS_RESPONDER` extension to know if an IP address is a + "responder" or not, because when dnscap is instructed to collect ICMP + with -I, it processes all ICMP packets, not just those limited to + responders (or initiators). + - cee16b8: Add ICMP Time Exceeded to counters + - ad8a227: Counting source IPs has performance impacts. #ifdef'd out for + now add ICMP "frag needed" counts + - c25e72b: Implemented DNS queries with ldns. First there will be some + test queries to ensure the zone is reachable and configured to receive + data. Then a query naming the fields, followed by the periodic queries + delivering counts. + - fd23be7: Make report zone, server, node command line argumements mandatory + - 137789b: Adding rzkeychange plugin files +* Wed Mar 29 2017 Jerry Lundström <lundstrom.jerry@gmail.com> 1.4.1-1 +- Release 1.4.1 + * Fixed an issue that when compiled with libpcap that had a specific + feature enabled it would result in a runtime error which could not be + worked around. + * Also fixed various compatibility issues and updated dependency + documentation for CentOS. 
+ * Commits: + 785d4c4 Fix compiler warnings + 2d4df8d Fix #65: Update pcap-thread to v2.1.2 + 26d3fbc Fix #64: Add missing dependency + 55e6741 Update pcap-thread to v2.1.1, fix issue with libpcap timestamp + type + c6fdb7a Fix typo and remove unused variables +* Mon Feb 27 2017 Jerry Lundström <lundstrom.jerry@gmail.com> 1.4.0-1 +- Release 1.4.0 + * Until it can be confirmed that the threaded code works as well as the + non-threaded code it has been made optional and requires a configuration + option to enable it during compilation. + * New extended option: + - `-o pcap_buffer_size=<bytes>` can be used to increase the capture + buffer within pcap-thread/libpcap, this can help mitigate dropped + packets by the kernel during breaks (like when closing dump file). + * Commits: + 1c6fbb2 Update copyright year + 63ef665 Suppress OpenBSD warnings about symbols + 2c99946 pcap-thread v2.0.0, disable threads, errors handling + 4cade97 Fix #56: Update pcap-thread to v1.2.2 and add test +* Fri Dec 23 2016 Jerry Lundström <lundstrom.jerry@gmail.com> 1.3.0-1 +- Release 1.3.0 + * Rare lockup has been fixed that could happen if a signal was received + in the wrong thread at the wrong time due to `pcap_thread_stop()` + canceling and waiting on threads to join again. The handling of signals + have been improved for threaded and non-threaded operations. 
+ * New features: + - Experimental CBOR DNS Stream format output, see `CBOR_DNS_STREAM.md` + - Extended options to specify user and group to use when dropping + privileges, see EXTENDED OPTIONS in man-page + * Commits: + a5fa14e Signal and threads + 3868104 Use old style C comments + 7946be5 Clarify building + d5463b4 RPM spec and various automake fixes + df206bf Resource data indexing and documentation + 0e2d0fe Fix #22, fix #43: Update README + 5921d73 Add stream option RLABELS and RLABEL_MIN_SIZE + 6dd6ec1 Implement experimental CBOR DNS Stream Format + 4baf695 Fix #37: Extended options to specifty user/group to use when + dropping privileges + 61d830a Fix #35: Use `AC_HEADER_TIME` and fix warning +* Thu Dec 15 2016 Jerry Lundström <lundstrom.jerry@gmail.com> 1.2.0-1 +- Initial package diff --git a/sonar-project.properties.local b/sonar-project.properties.local new file mode 100644 index 0000000..5322ee1 --- /dev/null +++ b/sonar-project.properties.local @@ -0,0 +1 @@ +sonar.coverage.exclusions=src/hashtbl.c, src/dump_cbor.c, src/dump_cds.c, src/assert.c diff --git a/src/Makefile.am b/src/Makefile.am new file mode 100644 index 0000000..e194d95 --- /dev/null +++ b/src/Makefile.am 
@@ -0,0 +1,42 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in $(srcdir)/config.h.in
+CLEANFILES = dnscap.1 *.gcda *.gcno *.gcov
+
+SUBDIRS = test
+
+AM_CFLAGS = -I$(srcdir) \
+ -I$(top_srcdir) \
+ $(SECCOMPFLAGS) \
+ $(PTHREAD_CFLAGS) \
+ $(libcrypto_CFLAGS) \
+ $(libldns_CFLAGS)
+
+EXTRA_DIST = dnscap.1.in
+
+bin_PROGRAMS = dnscap
+
+dnscap_SOURCES = args.c assert.c bpft.c daemon.c dnscap.c dump_cbor.c \
+ dump_cds.c dump_dns.c dumper.c endpoint.c hashtbl.c iaddr.c log.c \
+ network.c options.c pcaps.c sig.c tcpstate.c tcpreasm.c memzero.c \
+ pcap-thread/pcap_thread.c pcap-thread/pcap_thread_ext_frag.c
+dist_dnscap_SOURCES = args.h bpft.h daemon.h dnscap_common.h dnscap.h \
+ dump_cbor.h dump_cds.h dump_dns.h dumper.h endpoint.h hashtbl.h iaddr.h \
+ log.h network.h options.h pcaps.h sig.h tcpstate.h tcpreasm.h memzero.h \
+ endian_compat.h \
+ pcap-thread/pcap_thread.h pcap-thread/pcap_thread_ext_frag.h
+dnscap_LDADD = $(PTHREAD_LIBS) $(libcrypto_LIBS) $(libldns_LIBS)
+
+man1_MANS = dnscap.1
+
+dnscap.1: dnscap.1.in Makefile
+ sed -e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g' \
+ -e 's,[@]PACKAGE_URL[@],$(PACKAGE_URL),g' \
+ -e 's,[@]PACKAGE_BUGREPORT[@],$(PACKAGE_BUGREPORT),g' \
+ -e 's,[@]pkglibdir[@],$(pkglibdir),g' \
+ < $(srcdir)/dnscap.1.in > dnscap.1
+
+if ENABLE_GCOV
+gcov-local:
+ for src in $(dnscap_SOURCES); do \
+ gcov -l -r -s "$(srcdir)" "$$src"; \
+ done
+endif
diff --git a/src/args.c b/src/args.c
new file mode 100644
index 0000000..a7dd500
--- /dev/null
+++ b/src/args.c
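Review bot: The `dnscap.1` rule redirects `sed` straight into the target, so a failed or interrupted substitution leaves a truncated `dnscap.1` whose timestamp makes it look up to date. Writing to a temporary name and renaming it, `< $(srcdir)/dnscap.1.in > $@.tmp && mv -f $@.tmp $@`, avoids that and replaces the repeated file name with `$@`. The `-I$(srcdir)` and `-I$(top_srcdir)` entries in `AM_CFLAGS` are preprocessor flags and would conventionally go in `AM_CPPFLAGS`.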
@@ -0,0 +1,843 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#include "args.h" +#include "endpoint.h" +#include "iaddr.h" +#include "log.h" +#include "tcpstate.h" +#include "network.h" + +#include <ldns/ldns.h> + +/* + * OpenBSD and Debian Stretch i386 need file local functions for export + * to loaded modules, so use this for all platforms. 
+ */ +void* _tcpstate_getcurr(void) +{ + return (void*)tcpstate_getcurr(); +} + +void _tcpstate_reset(void* tcpstate, const char* msg) +{ + tcpstate_reset((tcpstate_ptr)tcpstate, msg); +} + +const char* _ia_str(iaddr ia) +{ + return ia_str(ia); +} + +extern struct ip6_hdr* network_ipv6; +extern struct ip* network_ip; +extern struct udphdr* network_udp; + +void set_iaddr(iaddr* from, iaddr* to) +{ + if (from) { + switch (from->af) { + case AF_INET: + if (network_ip) { + memcpy(&network_ip->ip_src, &from->u.a4, sizeof(struct in_addr)); + } + break; + case AF_INET6: + if (network_ipv6) { + memcpy(&network_ipv6->ip6_src, &from->u.a6, sizeof(struct in6_addr)); + } + break; + default: + from = 0; + break; + } + } + if (to) { + switch (to->af) { + case AF_INET: + if (network_ip) { + memcpy(&network_ip->ip_dst, &to->u.a4, sizeof(struct in_addr)); + } + break; + case AF_INET6: + if (network_ipv6) { + memcpy(&network_ipv6->ip6_dst, &to->u.a6, sizeof(struct in6_addr)); + } + break; + default: + to = 0; + break; + } + } + if (from || to) { + if (network_ip) { + network_ip->ip_sum = 0; + network_ip->ip_sum = ~in_checksum((u_char*)network_ip, sizeof *network_ip); + } + if (network_udp) { + network_udp->uh_sum = 0; + } + } +} + +#ifdef __linux__ +extern char* strptime(const char*, const char*, struct tm*); +#endif + +time_t xtimegm(struct tm* tmp) +{ +#if defined(__SVR4) && defined(__sun) + char tz[3] = "TZ="; + putenv((char*)tz); + return mktime(tmp); +#else + return timegm(tmp); +#endif +} + +void usage(const char* msg) +{ + struct plugin* p; + + fprintf(stderr, "%s: usage error: %s\n", ProgramName, msg); + fprintf(stderr, "\n"); + + help_1(); + + for (p = HEAD(plugins); p != NULL; p = NEXT(p, link)) + if (p->usage) + (*p->usage)(); + + fprintf(stderr, + "\nnote: the -? or -\\? 
option will display full help text\n"); + + exit(1); +} + +void help_1(void) +{ + fprintf(stderr, "%s: version %s\n\n", ProgramName, PACKAGE_VERSION); + fprintf(stderr, + "usage: %s\n" + " [-?VbNpd1gfTI" +#ifdef USE_SECCOMP + "y" +#endif + "SMD] [-o option=value]+\n" + " [-i <if>]+ [-r <file>]+ [-l <vlan>]+ [-L <vlan>]+\n" + " [-u <port>] [-m [qun]] [-e [nytfsxir]] [-h [ir]] [-s [ir]]\n" + " [-a <host>]+ [-z <host>]+ [-A <host>]+ [-Z <host>]+ [-Y <host>]+\n" + " [-w <base> [-W <suffix>] [-k <cmd>] -F <format>]\n" + " [-t <lim>] [-c <lim>] [-C <lim>]\n" + " [-x <pat>]+ [-X <pat>]+\n" + " [-B <datetime>] [-E <datetime>]\n" + " [-U <str>] [-q <num|str>] [-Q <num|str>]\n" + " [-P plugin.so <plugin options...>]\n", + ProgramName); +} + +void help_2(void) +{ + help_1(); + fprintf(stderr, + "\noptions:\n" + " -? or -\\? print these instructions and exit\n" + " -V print version and exit\n" + " -o opt=val extended options, see man page for list of options\n" + " -b run in background as daemon\n" + " -N do not attempt to drop privileges, this is implicit\n" + " if only reading offline pcap files\n" + " -p do not put interface in promiscuous mode\n" + " -d dump verbose trace information to stderr, specify multiple\n" + " times to increase debugging\n" + " -1 flush output on every packet\n" + " -g dump packets dig-style on stderr\n" + " -f include fragmented packets\n" + " -T include TCP packets (DNS header filters will inspect only the\n" + " first DNS header, and the result will apply to all messages\n" + " in the TCP stream; DNS payload filters will not be applied.)\n" + " -I include ICMP and ICMPv6 packets\n" + " -i <if> select this live interface(s)\n" + " -r <file> read this pcap file\n" + " -l <vlan> select only these vlan(s) (4095 for all)\n" + " -L <vlan> select these vlan(s) and non-VLAN frames (4095 for all)\n" + " -u <port> dns port (default: 53)\n" + " -m [qun] select messages: query, update, notify\n" + " -e [nytfsxir] select error/response code\n" + " n = no 
error\n" + " y = any error\n" + " t = truncated response\n" + " f = format error (rcode 1)\n" + " s = server failure (rcode 2)\n" + " x = nxdomain (rcode 3)\n" + " i = not implemented (rcode 4)\n" + " r = refused (rcode 5)\n" + " -h [ir] hide initiators and/or responders\n" + " -s [ir] select sides: initiations, responses\n" + " -a <host> want messages from these initiator(s)\n" + " -z <host> want messages from these responder(s)\n" + " -A <host> want messages NOT to/from these initiator(s)\n" + " -Z <host> want messages NOT to/from these responder(s)\n" + " -Y <host> drop responses from these responder(s)\n" + " -w <base> dump to <base>.<timesec>.<timeusec>\n" + " -W <suffix> add suffix to dump file name, e.g. '.pcap'\n" + " -k <cmd> kick off <cmd> when each dump closes\n" + " -F <format> dump format: pcap (default), cbor, cds\n" + " -t <lim> close dump or exit every/after <lim> secs\n" + " -c <lim> close dump or exit every/after <lim> pkts\n" + " -C <lim> close dump or exit every/after <lim> bytes captured\n" + " -x <pat> select messages matching regex <pat>\n" + " -X <pat> select messages not matching regex <pat>\n" +#ifdef USE_SECCOMP + " -y enable seccomp-bpf\n" +#endif + " -S show summarized statistics\n" + " -B <datetime> begin collecting at this date and time\n" + " -E <datetime> end collecting at this date and time\n" + " -M set monitor mode on interfaces\n" + " -D set immediate mode on interfaces\n" + " -U <str> append 'and <str>' to the pcap filter\n" + " -q <num|str> select messages based on QTYPE\n" + " -Q <num|str> filter out messages based on QTYPE\n" + " -P <plugin.so> load plugin, any argument after this is sent to the plugin!\n"); +} + +void check_gzip() +{ + char* dot = strrchr(dump_suffix, '.'); + if (dot) { + wantgzip = (strcmp(dot, ".gz") == 0) ? 
TRUE : FALSE; + } + +#if !(HAVE_GZOPEN && (HAVE_FUNOPEN || HAVE_FOPENCOOKIE)) + if (wantgzip) { + fprintf(stderr, "error: gzip compression requested but not supported\n"); + exit(1); + } +#endif +} + +int is_responder(iaddr ia) +{ + if (EMPTY(responders)) + return 1; + if (ep_present(&responders, ia)) + return 1; + return 0; +} + +void parse_args(int argc, char* argv[]) +{ + mypcap_ptr mypcap; + unsigned long ul; + vlan_ptr vlan; + unsigned u; + int ch; + char * p, *match_qtype_arg = 0; + + if ((p = strrchr(argv[0], '/')) == NULL) + ProgramName = argv[0]; + else + ProgramName = p + 1; + INIT_LIST(vlans_incl); + INIT_LIST(vlans_excl); + INIT_LIST(mypcaps); + INIT_LIST(initiators); + INIT_LIST(responders); + INIT_LIST(not_initiators); + INIT_LIST(not_responders); + INIT_LIST(drop_responders); + INIT_LIST(myregexes); + INIT_LIST(plugins); + while ((ch = getopt(argc, argv, + "a:bc:de:fgh:i:k:l:m:o:pr:s:t:u:w:x:yz:q:" + "A:B:C:DE:F:IL:MNP:STU:VW:X:Y:Z:Q:1?")) + != EOF) { + switch (ch) { + case 'o': + if (option_parse(&options, optarg)) { + fprintf(stderr, "%s: unknown or invalid extended -o option: %s\n", ProgramName, optarg); + exit(1); + } + break; + case 'b': + background = TRUE; + break; + case 'N': + dont_drop_privileges = TRUE; + break; + case 'p': + promisc = FALSE; + break; + case 'd': + dumptrace++; + break; + case '1': + flush = TRUE; + break; + case 'g': + preso = TRUE; + break; + case 'f': + wantfrags = TRUE; + break; + case 'I': + wanticmp = TRUE; + break; + case 'V': + printf("%s version %s\n", ProgramName, PACKAGE_VERSION); + exit(0); + case 'i': + if (pcap_offline != NULL) + usage("-i makes no sense after -r"); + mypcap = calloc(1, sizeof *mypcap); + assert(mypcap != NULL); + INIT_LINK(mypcap, link); + mypcap->name = strdup(optarg); + assert(mypcap->name != NULL); + APPEND(mypcaps, mypcap, link); + break; + case 'r': + if (!EMPTY(mypcaps)) + usage("-r makes no sense after -i"); + pcap_offline = calloc(1, sizeof *pcap_offline); + assert(pcap_offline != 
NULL); + INIT_LINK(pcap_offline, link); + pcap_offline->name = strdup(optarg); + assert(pcap_offline->name != NULL); + APPEND(mypcaps, pcap_offline, link); + only_offline_pcaps = TRUE; + break; + case 'l': + ul = strtoul(optarg, &p, 0); + if (*p != '\0' || ul > MAX_VLAN) + usage("-l vlan must be an integer 0..4095"); + vlan = calloc(1, sizeof *vlan); + assert(vlan != NULL); + INIT_LINK(vlan, link); + vlan->vlan = (unsigned)ul; + APPEND(vlans_excl, vlan, link); + if (0 == ul) + fprintf(stderr, "Warning: previous versions of %s " + "interpreted 0 as all VLANs. " + "If you want all VLANs now you must " + "specify %u.\n", + ProgramName, MAX_VLAN); + break; + case 'L': + ul = strtoul(optarg, &p, 0); + if (*p != '\0' || ul > MAX_VLAN) + usage("-L vlan must be an integer 0..4095"); + vlan = calloc(1, sizeof *vlan); + assert(vlan != NULL); + INIT_LINK(vlan, link); + vlan->vlan = (unsigned)ul; + APPEND(vlans_incl, vlan, link); + if (0 == ul) + fprintf(stderr, "Warning: previous versions of %s " + "interpreted 0 as all VLANs. 
" + "If you want all VLANs now you must " + "specify %u.\n", + ProgramName, MAX_VLAN); + break; + case 'T': + wanttcp = TRUE; + break; + case 'u': + ul = strtoul(optarg, &p, 0); + if (*p != '\0' || ul < 1U || ul > 65535U) + usage("port must be an integer 1..65535"); + dns_port = (unsigned)ul; + break; + case 'm': + u = 0; + for (p = optarg; *p; p++) + switch (*p) { + case 'q': + u |= MSG_QUERY; + break; + case 'u': + u |= MSG_UPDATE; + break; + case 'n': + u |= MSG_NOTIFY; + break; + default: + usage("-m takes only [qun]"); + } + msg_wanted = u; + break; + case 's': + u = 0; + for (p = optarg; *p; p++) + switch (*p) { + case 'i': + u |= DIR_INITIATE; + break; + case 'r': + u |= DIR_RESPONSE; + break; + default: + usage("-s takes only [ir]"); + } + dir_wanted = u; + break; + case 'h': + u = 0; + for (p = optarg; *p; p++) + switch (*p) { + case 'i': + u |= END_INITIATOR; + break; + case 'r': + u |= END_RESPONDER; + break; + default: + usage("-h takes only [ir]"); + } + end_hide = u; + break; + case 'e': + u = 0; + for (p = optarg; *p; p++) + switch (*p) { + case 'n': + u |= ERR_NO; + break; + case 'y': + u |= ERR_YES; + break; + case 't': + u |= ERR_TRUNC; + break; + case 'f': + u |= ERR_FORMERR; + break; + case 's': + u |= ERR_SERVFAIL; + break; + case 'x': + u |= ERR_NXDOMAIN; + break; + case 'i': + u |= ERR_NOTIMPL; + break; + case 'r': + u |= ERR_REFUSED; + break; + default: + usage("-e takes only [nytfsxir]"); + } + err_wanted = u; + break; + case 'a': + endpoint_arg(&initiators, optarg); + break; + case 'z': + endpoint_arg(&responders, optarg); + break; + case 'A': + endpoint_arg(¬_initiators, optarg); + break; + case 'Z': + endpoint_arg(¬_responders, optarg); + break; + case 'Y': + endpoint_arg(&drop_responders, optarg); + break; + case 'w': + dump_base = optarg; + if (strcmp(optarg, "-") == 0) + dump_type = to_stdout; + else + dump_type = to_file; + break; + case 'W': + if (dump_suffix) + free(dump_suffix); + dump_suffix = strdup(optarg); + check_gzip(); + 
break; + case 'k': + if (dump_type != to_file) + usage("-k depends on -w" + " (note: can't be stdout)"); + kick_cmd = optarg; + break; + case 'F': + if (!strcmp(optarg, "pcap")) { + options.dump_format = pcap; + } else if (!strcmp(optarg, "cbor")) { + options.dump_format = cbor; + } else if (!strcmp(optarg, "cds")) { + options.dump_format = cds; + } else { + usage("invalid output format for -F"); + } + break; + case 't': + ul = strtoul(optarg, &p, 0); + if (*p != '\0') + usage("argument to -t must be an integer"); + limit_seconds = (unsigned)ul; + break; + case 'c': + ul = strtoul(optarg, &p, 0); + if (*p != '\0') + usage("argument to -c must be an integer"); + limit_packets = (unsigned)ul; + break; + case 'C': + ul = strtoul(optarg, &p, 0); + if (*p != '\0') + usage("argument to -C must be an integer"); + limit_pcapfilesize = (unsigned)ul; + break; + case 'x': + /* FALLTHROUGH */ + case 'X': { + int i; + myregex_ptr myregex = calloc(1, sizeof *myregex); + assert(myregex != NULL); + INIT_LINK(myregex, link); + myregex->str = strdup(optarg); + i = regcomp(&myregex->reg, myregex->str, REGEX_CFLAGS); + if (i != 0) { + regerror(i, &myregex->reg, + errbuf, sizeof errbuf); + usage(errbuf); + } + myregex->not = (ch == 'X'); + APPEND(myregexes, myregex, link); + } break; + case 'B': { + struct tm tm; + memset(&tm, '\0', sizeof(tm)); + if (NULL == strptime(optarg, "%F %T", &tm)) + usage("-B arg must have format YYYY-MM-DD HH:MM:SS"); + start_time = xtimegm(&tm); + } break; + case 'E': { + struct tm tm; + memset(&tm, '\0', sizeof(tm)); + if (NULL == strptime(optarg, "%F %T", &tm)) + usage("-E arg must have format YYYY-MM-DD HH:MM:SS"); + stop_time = xtimegm(&tm); + } break; + case 'S': + print_pcap_stats = TRUE; + break; + case 'P': { + char* fn = strdup(optarg); + char* t; + char sn[256]; + struct plugin* p = calloc(1, sizeof(*p)); + assert(p != NULL); + INIT_LINK(p, link); + t = strrchr(fn, '/'); + p->name = strdup(t ? 
t + 1 : fn); + if ((t = strstr(p->name, ".so"))) + *t = 0; + p->handle = dlopen(fn, RTLD_NOW); + if (!p->handle) { + logerr("%s: %s", fn, dlerror()); + exit(1); + } + snprintf(sn, sizeof(sn), "%s_type", p->name); + p->type = dlsym(p->handle, sn); + if (p->type) { + p->pt = (*p->type)(); + switch (p->pt) { + case plugin_output: + case plugin_filter: + break; + default: + logerr("invalid plugin type for plugin '%s'", p->name); + exit(1); + } + } else { + p->pt = plugin_output; + } + snprintf(sn, sizeof(sn), "%s_start", p->name); + p->start = dlsym(p->handle, sn); + snprintf(sn, sizeof(sn), "%s_stop", p->name); + p->stop = dlsym(p->handle, sn); + snprintf(sn, sizeof(sn), "%s_open", p->name); + p->open = dlsym(p->handle, sn); + snprintf(sn, sizeof(sn), "%s_close", p->name); + p->close = dlsym(p->handle, sn); + snprintf(sn, sizeof(sn), "%s_output", p->name); + p->output = dlsym(p->handle, sn); + if (p->pt == plugin_output && !p->output) { + logerr("%s", dlerror()); + exit(1); + } + snprintf(sn, sizeof(sn), "%s_filter", p->name); + p->filter = dlsym(p->handle, sn); + if (p->pt == plugin_filter && !p->filter) { + logerr("%s", dlerror()); + exit(1); + } + snprintf(sn, sizeof(sn), "%s_usage", p->name); + p->usage = dlsym(p->handle, sn); + snprintf(sn, sizeof(sn), "%s_extension", p->name); + p->extension = dlsym(p->handle, sn); + if (p->extension) { + (*p->extension)(DNSCAP_EXT_IS_RESPONDER, (void*)is_responder); + (*p->extension)(DNSCAP_EXT_IA_STR, (void*)_ia_str); + (*p->extension)(DNSCAP_EXT_TCPSTATE_GETCURR, (void*)_tcpstate_getcurr); + (*p->extension)(DNSCAP_EXT_TCPSTATE_RESET, (void*)_tcpstate_reset); + (*p->extension)(DNSCAP_EXT_SET_IADDR, (void*)set_iaddr); + } + snprintf(sn, sizeof(sn), "%s_getopt", p->name); + p->getopt = dlsym(p->handle, sn); + if (p->getopt) + (*p->getopt)(&argc, &argv); + APPEND(plugins, p, link); + if (dumptrace) + fprintf(stderr, "Plugin '%s' loaded\n", p->name); + free(fn); + } break; + case 'U': + if (extra_bpf) + free(extra_bpf); + 
extra_bpf = strdup(optarg); + break; + case 'y': +#ifdef USE_SECCOMP + use_seccomp = TRUE; + break; +#else + usage("-y: seccomp-bpf not enabled"); +#endif + case 'M': + monitor_mode = TRUE; + break; + case 'D': + immediate_mode = TRUE; + break; + case 'q': { + if (nmatch_qtype) { + usage("-q and -Q can't be used together"); + } + free(match_qtype_arg); // fix clang scan-build + match_qtype_arg = strdup(optarg); + match_qtype = ldns_get_rr_type_by_name(optarg); + if (!match_qtype) { + ul = strtoul(optarg, &p, 0); + if (*p != '\0' || ul < 1U || ul > 65535U) + usage("-q QTYPE must be a valid type or an integer 1..65535"); + match_qtype = (ldns_rr_type)ul; + } + break; + } + case 'Q': { + if (match_qtype) { + usage("-q and -Q can't be used together"); + } + free(match_qtype_arg); // fix clang scan-build + match_qtype_arg = strdup(optarg); + nmatch_qtype = ldns_get_rr_type_by_name(optarg); + if (!nmatch_qtype) { + ul = strtoul(optarg, &p, 0); + if (*p != '\0' || ul < 1U || ul > 65535U) + usage("-Q QTYPE must be a valid type or an integer 1..65535"); + nmatch_qtype = (ldns_rr_type)ul; + } + break; + } + case '?': + if (!optopt || optopt == '?') { + help_2(); + options_free(&options); + exit(0); + } + // fallthrough + default: + usage("unrecognized command line option"); + } + } + assert(msg_wanted != 0U); + assert(err_wanted != 0U); + if (dump_type != nowhere && options.use_layers) + usage("use_layers is only compatible with -g so far"); + if (dump_type == nowhere && !preso && EMPTY(plugins)) + usage("without -w or -g, there would be no output"); + if (end_hide != 0U && wantfrags) + usage("the -h and -f options are incompatible"); + if (!EMPTY(vlans_incl) && !EMPTY(vlans_excl)) + usage("the -L and -l options are mutually exclusive"); + if (background && (dumptrace || preso)) + usage("the -b option is incompatible with -d and -g"); + if (dumptrace >= 1) { + endpoint_ptr ep; + const char* sep; + myregex_ptr mr; + + fprintf(stderr, "%s: version %s\n", ProgramName, 
PACKAGE_VERSION); + fprintf(stderr, + "%s: msg %c%c%c, side %c%c, hide %c%c, err %c%c%c%c%c%c%c%c, t %u, c %u, C %zu, %sq %s\n", + ProgramName, + (msg_wanted & MSG_QUERY) != 0 ? 'Q' : '.', + (msg_wanted & MSG_UPDATE) != 0 ? 'U' : '.', + (msg_wanted & MSG_NOTIFY) != 0 ? 'N' : '.', + (dir_wanted & DIR_INITIATE) != 0 ? 'I' : '.', + (dir_wanted & DIR_RESPONSE) != 0 ? 'R' : '.', + (end_hide & END_INITIATOR) != 0 ? 'I' : '.', + (end_hide & END_RESPONDER) != 0 ? 'R' : '.', + (err_wanted & ERR_NO) != 0 ? 'N' : '.', + (err_wanted & ERR_YES) == ERR_YES ? 'Y' : '.', + (err_wanted & ERR_TRUNC) != 0 ? 't' : '.', + (err_wanted & ERR_FORMERR) != 0 ? 'f' : '.', + (err_wanted & ERR_SERVFAIL) != 0 ? 's' : '.', + (err_wanted & ERR_NXDOMAIN) != 0 ? 'x' : '.', + (err_wanted & ERR_NOTIMPL) != 0 ? 'i' : '.', + (err_wanted & ERR_REFUSED) != 0 ? 'r' : '.', + limit_seconds, limit_packets, limit_pcapfilesize, + nmatch_qtype ? "!" : "", match_qtype_arg); + sep = "\tinit"; + for (ep = HEAD(initiators); + ep != NULL; + ep = NEXT(ep, link)) { + fprintf(stderr, "%s %s", sep, ia_str(ep->ia)); + sep = ""; + } + if (!EMPTY(initiators)) + fprintf(stderr, "\n"); + sep = "\tresp"; + for (ep = HEAD(responders); + ep != NULL; + ep = NEXT(ep, link)) { + fprintf(stderr, "%s %s", sep, ia_str(ep->ia)); + sep = ""; + } + if (!EMPTY(responders)) + fprintf(stderr, "\n"); + sep = "\t!init"; + for (ep = HEAD(not_initiators); + ep != NULL; + ep = NEXT(ep, link)) { + fprintf(stderr, "%s %s", sep, ia_str(ep->ia)); + sep = ""; + } + if (!EMPTY(not_initiators)) + fprintf(stderr, "\n"); + sep = "\t!resp"; + for (ep = HEAD(not_responders); + ep != NULL; + ep = NEXT(ep, link)) { + fprintf(stderr, "%s %s", sep, ia_str(ep->ia)); + sep = ""; + } + if (!EMPTY(not_responders)) + fprintf(stderr, "\n"); + sep = "\t!dropresp"; + for (ep = HEAD(drop_responders); + ep != NULL; + ep = NEXT(ep, link)) { + fprintf(stderr, "%s %s", sep, ia_str(ep->ia)); + sep = ""; + } + if (!EMPTY(drop_responders)) + fprintf(stderr, "\n"); + if 
(!EMPTY(myregexes)) { + fprintf(stderr, "%s: pat:", ProgramName); + for (mr = HEAD(myregexes); + mr != NULL; + mr = NEXT(mr, link)) + fprintf(stderr, " %s/%s/", + mr->not ? "!" : "", mr->str); + fprintf(stderr, "\n"); + } + } + if (EMPTY(mypcaps)) { + pcap_if_t* pcapdev = 0; + int res; + res = pcap_findalldevs(&pcapdev, errbuf); + if (res == -1) { + fprintf(stderr, "%s: pcap_findalldevs: %s\n", + ProgramName, errbuf); + exit(1); + } else if (pcapdev == NULL) { + fprintf(stderr, "%s: pcap_findalldevs: no devices found\n", + ProgramName); + exit(1); + } + mypcap = calloc(1, sizeof *mypcap); + assert(mypcap != NULL); + INIT_LINK(mypcap, link); + mypcap->name = strdup(pcapdev->name); + APPEND(mypcaps, mypcap, link); + pcap_freealldevs(pcapdev); + } + if (start_time && stop_time && start_time >= stop_time) + usage("start time must be before stop time"); + + if (options.dump_format == cbor) { + if (!have_cbor_support()) { + usage("no built in cbor support"); + } + cbor_set_size(options.cbor_chunk_size); + } else if (options.dump_format == cds) { + if (!have_cds_support()) { + usage("no built in cds support"); + } + cds_set_cbor_size(options.cds_cbor_size); + cds_set_message_size(options.cds_message_size); + cds_set_max_rlabels(options.cds_max_rlabels); + cds_set_min_rlabel_size(options.cds_min_rlabel_size); + if (options.cds_use_rdata_index && options.cds_use_rdata_rindex) { + usage("can't use both CDS rdata index and rindex"); + } + cds_set_use_rdata_index(options.cds_use_rdata_index); + cds_set_use_rdata_rindex(options.cds_use_rdata_rindex); + cds_set_rdata_index_min_size(options.cds_rdata_index_min_size); + cds_set_rdata_rindex_min_size(options.cds_rdata_rindex_min_size); + cds_set_rdata_rindex_size(options.cds_rdata_rindex_size); + } + + if (!options.use_layers && (options.defrag_ipv4 || options.defrag_ipv6)) { + usage("can't defragment IP packets without use_layers=yes"); + } + + if (options.reassemble_tcp_bfbparsedns) { + if (!options.reassemble_tcp) { + 
usage("can't do byte for byte parsing of DNS without reassemble_tcp=yes"); + } + } + + free(match_qtype_arg); +} diff --git a/src/args.h b/src/args.h new file mode 100644 index 0000000..6f3ab61 --- /dev/null +++ b/src/args.h 
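Review bot: In `xtimegm()`, the Solaris branch passes a stack array to `putenv()`, and `char tz[3] = "TZ="` has no room for the terminating NUL, so once the function returns the environment holds a pointer to an unterminated string in a dead stack frame. `putenv()` stores the caller's pointer rather than copying the string, so the buffer needs static storage and a terminator: `static char tz[] = "TZ=";`. Separately, the `-t`, `-c` and `-C` cases in `parse_args()` accept an empty or negative argument and cast the `strtoul()` result to `unsigned`, although `limit_pcapfilesize` is printed with `%zu` further down. A check such as `if (p == optarg || *p != '\0' || ul > UINT_MAX)`, in the style of the range test on `-u`, would reject those inputs instead of silently truncating them.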
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap.h"
+
+#ifndef __dnscap_args_h
+#define __dnscap_args_h
+
+time_t xtimegm(struct tm* tmp);
+void usage(const char* msg);
+void help_1(void);
+void help_2(void);
+void check_gzip();
+int is_responder(iaddr ia);
+void parse_args(int argc, char* argv[]);
+
+#endif /* __dnscap_args_h */
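Review bot: `void check_gzip();` is declared with empty parentheses, which before C23 declares a function with unspecified parameters, so a call that passes arguments would not be diagnosed. `void check_gzip(void);` would match `help_1(void)` and `help_2(void)` next to it. The `#include "dnscap.h"` sits above the `#ifndef __dnscap_args_h` guard, so it is re-processed on every inclusion and relies on that header's own guard; moving it inside the guard is the usual layout. The guard name also begins with two underscores, a form C reserves for the implementation.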
diff --git a/src/assert.c b/src/assert.c
new file mode 100644
index 0000000..32f2e3b
--- /dev/null
+++ b/src/assert.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "dnscap.h"
+
+#if !HAVE___ASSERTION_FAILED
+static void my_assertion_failed(const char* file, int line, assertion_type type, const char* msg, int something) __attribute__((noreturn));
+#endif
+
+#if !HAVE___ASSERTION_FAILED
+static void
+my_assertion_failed(const char* file, int line, assertion_type type, const char* msg, int something)
+{
+ (void)type;
+ (void)something;
+ fprintf(stderr, "assertion failed: %s(%d): %s\n", file, line, msg);
+ abort();
+}
+
+assertion_failure_callback __assertion_failed = my_assertion_failed;
+#endif
diff --git a/src/bpft.c b/src/bpft.c
new file mode 100644
index 0000000..e810910
--- /dev/null
+++ b/src/bpft.c
@@ -0,0 +1,233 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#include "bpft.h" +#include "iaddr.h" + +#include <ldns/ldns.h> + +void prepare_bpft(void) +{ + unsigned udp10_mbs, udp10_mbc, udp11_mbc; //udp11_mbs + text_list bpfl; + text_ptr text; + size_t len; + char* p; + + /* Prepare the must-be-set and must-be-clear tests. 
*/ + udp10_mbs = udp10_mbc = udp11_mbc = 0U; // udp11_mbs + if ((dir_wanted & DIR_INITIATE) != 0) { + if ((dir_wanted & DIR_RESPONSE) == 0) + udp10_mbc |= UDP10_QR_MASK; + } else if ((dir_wanted & DIR_RESPONSE) != 0) { + udp10_mbs |= UDP10_QR_MASK; + } + if ((msg_wanted & MSG_UPDATE) != 0) { + if ((msg_wanted & (MSG_QUERY | MSG_NOTIFY)) == 0) + udp10_mbs |= (LDNS_PACKET_UPDATE << UDP10_OP_SHIFT); + } else if ((msg_wanted & MSG_NOTIFY) != 0) { + if ((msg_wanted & (MSG_QUERY | MSG_UPDATE)) == 0) + udp10_mbs |= (LDNS_PACKET_NOTIFY << UDP10_OP_SHIFT); + } else if ((msg_wanted & MSG_QUERY) != 0) { + udp10_mbc |= UDP10_OP_MASK; + } + if (err_wanted == ERR_NO) { + udp10_mbc |= UDP10_TC_MASK; + udp11_mbc |= UDP11_RC_MASK; + } + + /* + * Model + * (vlan) and (transport) + * (vlan) and ((icmp) or (frags) or (dns)) + * (vlan) and ((icmp) or (frags) or ((ports) and (hosts))) + * (vlan) and ((icmp) or (frags) or (((tcp) or (udp)) and (hosts))) + * [(vlan) and] ( [(icmp) or] [(frags) or] ( ( [(tcp) or] (udp) ) [and (hosts)] ) ) + */ + + /* Make a BPF program to do early course kernel-level filtering. */ + INIT_LIST(bpfl); + len = 0; + if (!EMPTY(vlans_excl)) + len += text_add(&bpfl, "vlan and ("); /* vlan and ( transports ... */ + else + len += text_add(&bpfl, "("); /* ( transports ... */ + if (wanticmp) { + len += text_add(&bpfl, " ( ip proto 1 or ip proto 58 ) or"); + } + if (wantfrags) { + len += text_add(&bpfl, " ( ip[6:2] & 0x1fff != 0 or ip6[6] = 44 ) or"); + } + len += text_add(&bpfl, " ("); /* ( dns ... */ + len += text_add(&bpfl, " ("); /* ( ports ... */ + if (wanttcp) { + len += text_add(&bpfl, " ( tcp port %d ) or", dns_port); + /* tcp packets can be filtered by initiators/responders, but + * not mbs/mbc. 
*/ + } + len += text_add(&bpfl, " ( udp port %d and ( ip6 or ( ip", dns_port); + + if (udp10_mbc != 0) + len += text_add(&bpfl, " and udp[10] & 0x%x = 0", + udp10_mbc); + if (udp10_mbs != 0) + len += text_add(&bpfl, " and udp[10] & 0x%x = 0x%x", + udp10_mbs, udp10_mbs); + if (udp11_mbc != 0) + len += text_add(&bpfl, " and udp[11] & 0x%x = 0", + udp11_mbc); + /* Dead code, udp11_mbs never set + if (udp11_mbs != 0) + len += text_add(&bpfl, " and udp[11] & 0x%x = 0x%x", + udp11_mbs, udp11_mbs); +*/ + + if (err_wanted != ERR_NO) { + len += text_add(&bpfl, " and ("); + if ((err_wanted & ERR_TRUNC) != 0) { + len += text_add(&bpfl, " udp[10] & 0x%x = 0x%x or", UDP10_TC_MASK, UDP10_TC_MASK); + } + len += text_add(&bpfl, " 0x%x << (udp[11] & 0xf) & 0x%x != 0 )", ERR_RCODE_BASE, err_wanted); + } + + len += text_add(&bpfl, " )))"); /* ... udp 53 ) */ + len += text_add(&bpfl, " )"); /* ... ports ) */ + if (options.bpf_hosts_apply_all) { + len += text_add(&bpfl, " )"); /* ... dns ) */ + len += text_add(&bpfl, " )"); /* ... 
transport ) */ + } + if (!EMPTY(initiators) || !EMPTY(responders)) { + const char* or = "or", *lp = "(", *sep; + endpoint_ptr ep; + + len += text_add(&bpfl, " and host"); + sep = lp; + for (ep = HEAD(initiators); + ep != NULL; + ep = NEXT(ep, link)) { + len += text_add(&bpfl, " %s %s", sep, ia_str(ep->ia)); + sep = or ; + } + for (ep = HEAD(responders); + ep != NULL; + ep = NEXT(ep, link)) { + len += text_add(&bpfl, " %s %s", sep, ia_str(ep->ia)); + sep = or ; + } + len += text_add(&bpfl, " )"); + } + if (!EMPTY(not_initiators) || !EMPTY(not_responders)) { + const char* or = "or", *lp = "(", *sep; + endpoint_ptr ep; + + len += text_add(&bpfl, " and not host"); + sep = lp; + for (ep = HEAD(not_initiators); + ep != NULL; + ep = NEXT(ep, link)) { + len += text_add(&bpfl, " %s %s", sep, ia_str(ep->ia)); + sep = or ; + } + for (ep = HEAD(not_responders); + ep != NULL; + ep = NEXT(ep, link)) { + len += text_add(&bpfl, " %s %s", sep, ia_str(ep->ia)); + sep = or ; + } + len += text_add(&bpfl, " )"); + } + if (!options.bpf_hosts_apply_all) { + len += text_add(&bpfl, " )"); /* ... dns ) */ + len += text_add(&bpfl, " )"); /* ... transport ) */ + } + if (extra_bpf) + len += text_add(&bpfl, " and ( %s )", extra_bpf); + + bpft = calloc(len + 1, sizeof(char)); + assert(bpft != NULL); + p = bpft; + for (text = HEAD(bpfl); text != NULL; text = NEXT(text, link)) { + memcpy(p, text->text, text->len); + p += text->len; + } + text_free(&bpfl); + if (!EMPTY(vlans_incl)) { + char* bpft_vlan; + + len = (2 * len) + 64; /* add enough for the extra in snprintf() below */ + bpft_vlan = calloc(len, sizeof(char)); + assert(bpft_vlan != NULL); + + snprintf(bpft_vlan, len, "( %s ) or ( vlan and ( %s ) )", bpft, bpft); + free(bpft); + bpft = bpft_vlan; + } + if (dumptrace >= 1) + fprintf(stderr, "%s: \"%s\"\n", ProgramName, bpft); +} + +size_t text_add(text_list* list, const char* fmt, ...) 
+{ + text_ptr text; + va_list ap; + int len; + + text = calloc(1, sizeof *text); + assert(text != NULL); + INIT_LINK(text, link); + va_start(ap, fmt); + len = vasprintf(&text->text, fmt, ap); + assert(len >= 0); + va_end(ap); + text->len = len; + APPEND(*list, text, link); + return (text->len); +} + +void text_free(text_list* list) +{ + text_ptr at, text; + + for (at = HEAD(*list); at;) { + text = at; + at = NEXT(text, link); + + UNLINK(*list, text, link); + free(text->text); + assert(text != (void*)-1); + free(text); + } +} diff --git a/src/bpft.h b/src/bpft.h new file mode 100644 index 0000000..88a272c --- /dev/null +++ b/src/bpft.h 
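Review bot: Allocation and formatting failures in `prepare_bpft()` and `text_add()` are handled only through `assert()` (`assert(bpft != NULL)`, `assert(bpft_vlan != NULL)`, `assert(text != NULL)`, `assert(len >= 0)`). If the assertion macro in use compiles out under `NDEBUG` (not visible from this hunk), the following `memcpy()`/`snprintf()` would write through a NULL pointer. An explicit check that reports and exits keeps the failure path in every build, e.g. `if (bpft == NULL) { fprintf(stderr, "%s: out of memory\n", ProgramName); exit(1); }`. In `text_free()`, `assert(text != (void*)-1)` runs after `free(text->text)` has already dereferenced `text`, so it cannot catch anything and can be dropped. The comment "early course kernel-level filtering" presumably means "coarse".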
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap.h"
+
+#ifndef __dnscap_bpft_h
+#define __dnscap_bpft_h
+
+void prepare_bpft(void);
+
+size_t text_add(text_list* list, const char* fmt, ...);
+void text_free(text_list* list);
+
+#endif /* __dnscap_bpft_h */
diff --git a/src/daemon.c b/src/daemon.c
new file mode 100644
index 0000000..67ef86e
--- /dev/null
+++ b/src/daemon.c
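Review bot: `text_add()` is declared as a printf-style variadic without a format attribute, so the compiler cannot check the format strings and arguments passed to it when the BPF filter text is assembled. The tree already uses GCC attributes (`__attribute__((noreturn))` on the assertion callback), so the declaration could become `size_t text_add(text_list* list, const char* fmt, ...) __attribute__((format(printf, 2, 3)));`. The include guard `__dnscap_bpft_h` starts with a double underscore, which is reserved for the implementation; a name such as `DNSCAP_BPFT_H` avoids that.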
@@ -0,0 +1,250 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" + +#include "daemon.h" +#include "log.h" +#include "memzero.h" + +void drop_privileges(void) +{ + struct rlimit rss; + struct passwd pwd; + struct passwd* result = 0; + size_t pwdBufSize; + char* pwdBuf; + unsigned int s; + uid_t oldUID = getuid(); + uid_t oldGID = getgid(); + uid_t dropUID; + gid_t dropGID; + const char* user; + struct group* grp = 0; + + /* + * Security: getting UID and GUID for nobody + */ + pwdBufSize = sysconf(_SC_GETPW_R_SIZE_MAX); + if (pwdBufSize == -1) + pwdBufSize = 16384; + + pwdBuf = calloc(pwdBufSize, sizeof(char)); + if (pwdBuf == NULL) { + fprintf(stderr, "unable to allocate buffer for pwdBuf\n"); + exit(1); + } + + user = options.user ? options.user : DROPTOUSER; + if (options.group) { + if (!(grp = getgrnam(options.group))) { + if (errno) { + fprintf(stderr, "Unable to get group %s: %s\n", options.group, strerror(errno)); + } else { + fprintf(stderr, "Group %s not found, existing.\n", options.group); + } + exit(1); + } + } + + s = getpwnam_r(user, &pwd, pwdBuf, pwdBufSize, &result); + if (result == NULL) { + if (s == 0) { + fprintf(stderr, "User %s not found, exiting.\n", user); + exit(1); + } else { + fprintf(stderr, "issue with getpwnnam_r call, exiting.\n"); + exit(1); + } + } + + dropUID = pwd.pw_uid; + dropGID = grp ? grp->gr_gid : pwd.pw_gid; + dnscap_memzero(pwdBuf, pwdBufSize); + free(pwdBuf); + + /* + * Security section: setting memory limit and dropping privileges to nobody + */ + getrlimit(RLIMIT_DATA, &rss); + if (mem_limit_set) { + rss.rlim_cur = mem_limit; + rss.rlim_max = mem_limit; + if (setrlimit(RLIMIT_DATA, &rss) == -1) { + fprintf(stderr, "Unable to set the memory limit, exiting\n"); + exit(1); + } + } + +#if HAVE_SETRESGID + if (setresgid(dropGID, dropGID, dropGID) < 0) { + fprintf(stderr, "Unable to drop GID to %s: %s\n", options.group ? 
options.group : user, strerror(errno)); + exit(1); + } +#elif HAVE_SETREGID + if (setregid(dropGID, dropGID) < 0) { + fprintf(stderr, "Unable to drop GID to %s: %s\n", options.group ? options.group : user, strerror(errno)); + exit(1); + } +#elif HAVE_SETEGID + if (setegid(dropGID) < 0) { + fprintf(stderr, "Unable to drop GID to %s: %s\n", options.group ? options.group : user, strerror(errno)); + exit(1); + } +#endif + +#if HAVE_INITGROUPS + if (initgroups(pwd.pw_name, dropGID) < 0) { + fprintf(stderr, "Unable to init supplemental groups for %s: %s\n", user, strerror(errno)); + exit(1); + } +#elif HAVE_SETGROUPS + if (setgroups(0, NULL) < 0) { + fprintf(stderr, "Unable to drop supplemental groups: %s\n", strerror(errno)); + exit(1); + } +#endif + +#if HAVE_SETRESUID + if (setresuid(dropUID, dropUID, dropUID) < 0) { + fprintf(stderr, "Unable to drop UID to %s: %s\n", user, strerror(errno)); + exit(1); + } +#elif HAVE_SETREUID + if (setreuid(dropUID, dropUID) < 0) { + fprintf(stderr, "Unable to drop UID to %s: %s\n", user, strerror(errno)); + exit(1); + } +#elif HAVE_SETEUID + if (seteuid(dropUID) < 0) { + fprintf(stderr, "Unable to drop UID to %s: %s\n", user, strerror(errno)); + exit(1); + } +#endif + + /* + * Testing if privileges are dropped + */ + if (oldGID != getgid() && (setgid(oldGID) == 1 && setegid(oldGID) != 1)) { + fprintf(stderr, "Able to restore back to root, exiting.\n"); + fprintf(stderr, "currentUID:%u currentGID:%u\n", getuid(), getgid()); + exit(1); + } + if ((oldUID != getuid() && getuid() == 0) && (setuid(oldUID) != 1 && seteuid(oldUID) != 1)) { + fprintf(stderr, "Able to restore back to root, exiting.\n"); + fprintf(stderr, "currentUID:%u currentGID:%u\n", getgid(), getgid()); + exit(1); + } + +#ifdef USE_SECCOMP + if (use_seccomp == FALSE) { + return; + } + +#if 0 + /* + * Setting SCMP_ACT_TRAP means the process will get + * a SIGSYS signal when a bad syscall is executed + * This is for debugging and should be monitored. 
+ */ + + scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP); +#endif + + /* + * SCMP_ACT_KILL tells the kernel to kill the process + * when a syscall we did not filter on is called. + * This should be uncommented in production. + */ + scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); + + if (ctx == NULL) { + fprintf(stderr, "Unable to create seccomp-bpf context\n"); + exit(1); + } + + int r = 0; + r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 0); + r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(uname), 0); + r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0); + r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0); + r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0); + r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0); + r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0); + r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); + r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0); + r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(lseek), 0); + r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(select), 0); + r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat), 0); + + if (r != 0) { + fprintf(stderr, "Unable to apply seccomp-bpf filter\n"); + seccomp_release(ctx); + exit(1); + } + + r = seccomp_load(ctx); + + if (r < 0) { + seccomp_release(ctx); + fprintf(stderr, "Unable to load seccomp-bpf filter\n"); + exit(1); + } +#endif +} + +void daemonize(void) +{ + pid_t pid; +#ifdef TIOCNOTTY + int i; +#endif + if ((pid = fork()) < 0) { + logerr("fork failed: %s", strerror(errno)); + exit(1); + } else if (pid > 0) + exit(0); + openlog("dnscap", 0, LOG_DAEMON); + if (setsid() < 0) { + logerr("setsid failed: %s", strerror(errno)); + exit(1); + } +#ifdef TIOCNOTTY + if ((i = open("/dev/tty", O_RDWR)) >= 0) { + ioctl(i, TIOCNOTTY, NULL); + close(i); + } +#endif + logerr("Backgrounded as pid %u", getpid()); +} 
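Review bot: In `drop_privileges()`, `pwdBuf` is zeroed and freed right after `dropUID`/`dropGID` are read, but the later `initgroups(pwd.pw_name, dropGID)` still reads `pw_name`, which `getpwnam_r()` places inside that buffer, so the supplementary-group setup works from freed memory. Passing the name already held in `user`, `initgroups(user, dropGID)`, or moving the `dnscap_memzero()`/`free()` pair below the `initgroups()` call removes the dangling read. The "Testing if privileges are dropped" block compares the results of `setgid()`, `setegid()`, `setuid()` and `seteuid()` with `1`, a value these calls do not return (they give 0 or -1), so the outcome of the restore attempt never influences either test; comparing with `== 0` would make the check mean what its message says. The second diagnostic also prints `getgid()` for `currentUID`, and `oldGID` is declared `uid_t` rather than `gid_t`.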
diff --git a/src/daemon.h b/src/daemon.h
new file mode 100644
index 0000000..dc4fcc1
--- /dev/null
+++ b/src/daemon.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap.h"
+
+#ifndef __dnscap_daemon_h
+#define __dnscap_daemon_h
+
+void drop_privileges(void);
+void daemonize(void);
+
+#endif /* __dnscap_daemon_h */
diff --git a/src/dnscap.1.in b/src/dnscap.1.in
new file mode 100644
index 0000000..82a44fd
--- /dev/null
+++ b/src/dnscap.1.in
@@ -0,0 +1,1011 @@ +.\" Copyright (c) 2016-2021, OARC, Inc. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. Neither the name of the copyright holder nor the names of its +.\" contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +.\" COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. 
+.TH dnscap 1 "@PACKAGE_VERSION@" "dnscap" +.SH NAME +dnscap \- DNS network traffic capture utility +.SH SYNOPSIS +.SY dnscap +.OP \-?VbNpd1g6fTIySMD +.OP \-o option=value +.OP \-i if +.OP \-r file +.OP \-l vlan +.OP \-L vlan +.OP \-u port +.OP \-m [qun] +.OP \-e [nytfsxir] +.OP \-h [ir] +.OP \-s [ir] +.OP \-a host +.OP \-z host +.OP \-A host +.OP \-Z host +.OP \-Y host +.OP \-w base +.OP \-W suffix +.OP \-k cmd +.OP \-t lim +.OP \-c lim +.OP \-C lim +.OP \-x pat +.OP \-X pat +.OP \-B datetime +.OP \-E datetime +.OP \-U str +.OP \-q num|str +.OP \-Q num|str +.OP \-P "plugin.so ..." +.SY dnscap +.BR \-g " ..." +.SY dnscap +.BR \-w " ..." +.YS +.SH DESCRIPTION +.B dnscap +is a network capture utility designed specifically for DNS traffic. +It normally produces binary data in +.BR pcap (3) +format, either on standard output or from files. +This utility is similar to +.BR tcpdump (1), +but has finer grained packet recognition tailored to DNS transactions and +protocol options. +.B dnscap +is expected to be used for gathering continuous research or audit traces. +.SH OPTIONS +.B dnscap +has a large array of command line options and extended options +.RB ( \-o +.IR option=value ), +and to make it easier to understand their usage they are categorized. +.IP \(bu +.I GENERIC +section shows how to display help and version, and enable debugging. +.IP \(bu +.I RUNTIME +section handles sandbox, privileges, start/stop and other runtime actions. +.IP \(bu +.I INPUT +section deals with what interface to capture on, how to do it or if you want +to read from a file. +.IP \(bu +.I OUTPUT +section gives you options to do packet dumps, or get a diagnostic output, +and to set limits or run external actions on intervals. +.IP \(bu +.I NETWORK +section tweaks how and what is captured on the network and the individual +layers. +.IP \(bu +.I DNS +section lets you do filtering and modifications on the DNS message, along +with pattern matching on the domain names. 
+.IP \(bu +Lastly, +.I PLUGINS +section gives you an overview on how +.B dnscap +can be extended by plugins and which plugins are bundled. +.RE + +The only required options are +.B \-g +and +.BR \-w , +at least one of them must be supplied to run. + +If neither +.B \-r +or +.B \-i +is used then the default is to capture on the first or all interfaces +(depends on system, see +.B \-i +for more information). +.\" +.\" +.\" +.SS GENERIC +.TP +.B \-? +Display short form help text about command line options and exit. +.TP +.B \-V +Print version and exit. +.TP +.B \-d +Tells a verbose story of options and patterns chosen, files opened, and so on. +Multiple +.B \-d +options can be given to increase verbosity and frequency of trace messages. +.\" +.\" +.\" +.SS RUNTIME +.TP +.B \-y +Enable Linux seccomp\-bpf sandbox if available (compile option). +.TP +.B \-b +Run in background as daemon and drop privileges, using +.IR set*uid() , +.I set*gid() +functions, unless options +.B \-N +is given or only reading from files. +.TP +.BI "\-o user" =... +Specify the user to drop privileges to (default nobody). +.TP +.BI "\-o group" =... +Specify the group to drop privileges to (default nobody). +.TP +.B \-N +Do not attempt to drop privileges, this is implicit if only reading +offline pcap files. +.TP +.B \-S +Print stats counters on standard error when closed the packet dump file +(see +.BR \-w ). +.TP +.BI "\-B " datetime +Start collecting at a specific time. +.I datetime +should be specified as "YYYY\-MM\-DD HH:MM:SS". +The program will +.BR sleep (3) +until the start time, or it will skip all packets related to an earlier +time if used with an offline +.BR pcap (3) +file, and then begin capturing/processing packets. +.TP +.BI "\-E " datetime +Stop collecting at a specific time. +.I datetime +should be specified as "YYYY\-MM\-DD HH:MM:SS". +.B dnscap +will exit when it sees a packet (live or offline +.BR pcap (3) +file) with timestamp greater or equal to it. 
+.\" +.\" +.\" +.SS INPUT +.TP +.BI "\-r " file +Select an offline +.BR pcap (3) +file produced by this utility or by +.BR tcpdump (1) +(or simiar tools) as the input packet source. +Can be given as "\-" to indicate standard input. +.TP +.BI "\-i " if +Select an interface to be monitored. +On BSD systems, the default is the first interface that was configured at +system boot time. +On Linux systems, the default is to monitor all interfaces. +More than one interface may be selected which will cause output to be +interleaved from all selected interfaces. +.TP +.B \-p +Asks that the interface not be put into promiscuous mode. +Note that even without this option, the interface could be in promiscuous +mode for some other reason. +.TP +.B \-M +Enable monitor mode on interfaces. +.TP +.B \-D +Enable immediate mode on interfaces. + +Option +.BR \-p , +.B \-M +and +.B \-D +are libpcap specific options, see +.BR pcap (3) +for more information on their meaning. +.TP +.BI "\-o " pcap_buffer_size=num +Set the +.BR pcap (3) +buffer size to +.I num +bytes when capturing packets. +This can be used to increase the buffer so that packets are not missed/dropped +while processing or rotating packet dumps. +.TP +.BI "\-o " use_layers=yes +Enable pcap\-thread layers, this will let pcap\-thread parse the network layers +and call back with UDP, TCP or ICMP traffic. + +This options is required for IP defragmentation (see +.BI "\-o " defrag_ipv4=yes +and +.B \-o +.IR defrag_ipv6=yes ), +TCP reassembly (see +.B \-o +.IR reassemble_tcp=yes ) +and parsing ongoing TCP sessions (see +.B \-o +.IR parse_ongoing_tcp=yes ). +.\" +.\" +.\" +.SS OUTPUT +For details on the diagnostic output and the different dump formats that +exists, please see OUTPUT FORMATS below. +Some formats have their own extended options, these are also listed in that +section. +.TP +.BI "\-o " dump_format=format +Specify the output +.I format +to use. +Default is +.IR pcap . 
+.TP +.B \-g +Produce diagnostic output to standard error, showing the presentation form +of DNS messages which passed through all of the filters. +If +.B \-w +is also used, then every message will be dumped in both binary and +presentation form. +.TP +.BI "\-w " base +Dump the captured packets to successive binary files in +.BR pcap (3) +format with DLT_RAW datalink type. +Each file will have a name like "%s.%s.%06u" where the first %s is +.IR base , +second %s is the time as hours, minutes and seconds (%H%M%S), and %06u is +the microseconds. +The argument "\-" may be given to send the binary output to standard output. + +By default, +.B dnscap +will close its packet dump file only when interrupted. +You can change that behavior with options +.BR \-t , +.BR \-c , +and +.BR \-C . +.TP +.BI "\-W " suffix +The provided suffix is added to the dump file name, e. g.: ".pcap". +If the suffix ends with ".gz" then files will be automatically gzip +compressed. +If gzip compression is requested but not supported (i.e. because of lack of +system support) an error will be generated. +.TP +.B \-1 +Flush the output after every packet. +Mostly this is useful when the packet dump is standard output, and has been +piped to +.BR tcpdump (1). +.TP +.BI "\-t " lim +Set a time interval, specified in seconds. +When writing to a file, the packet dump file will be closed and reopened +(creating a new dump file) when time() % +.I lim +is zero. +Note that the first file will usually be shorter than +.I lim +seconds. +If the packet dump file is standard output or if +.B \-g +is used, then +.B dnscap +will exit after the first interval. +.TP +.BI "\-c " lim +Set a size limit, measured in packets. +When writing to a file, the packet dump file will be closed when +.I lim +number of packets has been written. +If option +.B \-k +is +.I "not used" +(see below) or the packet dump file is standard output, or if +.B \-g +is used, then +.B dnscap +will exit after reaching the limit. 
+.TP +.BI "\-C " lim +Set a size limit, measured in bytes. +When writing to a file, the packet dump file will be closed when +.I lim +number of bytes (or larger then) has been written. +If option +.B \-k +is +.I "not used" +or the packet dump file is standard output, or if +.B \-g +is used, then +.B dnscap +will exit after reaching the limit. + +When using the above options +.BR \-t , +.BR \-c , +and +.B \-C +together, the order of applying them are +.I 1) +time interval, +.I 2) +number of packets and +.I 3) +number of bytes. +.TP +.BI "\-k " cmd +After each dump file specified by +.B \-w +is closed, this command will be executed in a non\-blocking subprocess with +the file name as its one argument. +This can be used to submit the finished file to other processing systems. + +If this option is used together with +.B \-c +or +.B \-C +and the output is a packet dump file, then it will be reopened (creating +a new dump file) before continuing. +.\" +.\" +.\" +.SS NETWORK +.TP +.BI "\-U " str +Append "and +.IR str """" +to the BPF/pcap filter. +.TP +.BI "\-o " bpf_hosts_apply_all=yes +This changes the BPF generation so that any host restriction will come +after ICMP, fragments, ports or DNS section to allow it to apply for ICMP +and fragments also. +The default behavior is to only apply hosts to the ports or DNS section. +.TP +.B \-6 +Used to suppress the use of packet filter patterns that cause problems when +processing IPv6 packets. +As of version 2.0.0 this option is deprecated and filters have been reworked +to only match IPv4 packets, IPv6 filtering are processed at a higher level. +.TP +.B \-f +Selects fragments (which could include unrelated flows since fragments do not +contain port numbers), and includes fragments in the binary output. +Necessary if you intend to do IP Reassembly. +Note that all fragments will be collected, not just those using the DNS port +number, since fragments don't have port numbers. 
+Beware this option if you also handle a lot of NFS traffic. +.TP +.B \-T +Selects TCP packets. +SYN, FIN, and RST packets are collected if they pass the layer 2, port, and +host filters (although hosts need not be in the correct direction); they are +not tested against filter options that require a DNS header such as +.BR \-m , +.BR \-s , +or +.BR \-e . +All DNS messages in the stream is captured if it passes all filter options. + +Each TCP packet with payload will be tagged as DNS, unless +.BI "\-o " reassemble_tcp=yes +is used, with the support of having the DNS length arrive before the message +in an own packet. +Ongoing TCP connections can be inspected by using +.B \-o +.IR parse_ongoing_tcp=yes . +TCP packets are processed as they arrive so missing, unaligned data or DNS +message split over multiple packets will produce parsing errors. +Using extended option +.BI "\-o " allow_reset_tcpstate=yes +may allow +.B dnscap +to recover from these scenarios. +.TP +.B \-I +Select ICMP and ICMPv6 packets. +.TP +.BI "\-l " vlan +Captures only 802.1Q encapsulated packets, and selects specific vlans to be +monitored. +Can be specified more than once to select multiple vlans. +VLAN id 4095 can be used to specify all vlans. +.TP +.BI "\-L " vlan +Captures 802.1Q encapsulated packets matching the specified vlans AND +packets without VLAN tags. +Can be specified more than one to select multiple vlans. +VLAN id 4095 can be used to specify all vlans. +.TP +.BI "\-u " port +Capture only packets on this UDP port, and treat as DNS traffic. +The default port is 53. +Note that there is no way to select multiple UDP ports, as would be +necessary to capture both DNS (port 53) and mDNS (port 5353) traffic. + +.TP +.BI "\-o " defrag_ipv4=yes +.TQ +.BI "\-o " defrag_ipv6=yes +Enable IPv4/IPv6 defragmentation in pcap-thread, requires +.B \-o +.IR use_layers=yes . 
+ +When enabled, the following options are also available: +.RS +.TP +.BI "\-o " max_ipv4_fragments=num +Set the maximum fragmented IPv4 packets +.RI ( num ) +to track for reassembly, if the limit is reach then all other fragmented +packets will not be reassembled. +.TP +.BI "\-o " max_ipv4_fragments_per_packet=num +Set the maximum fragments +.RI ( num ) +per tracked IPv4 packet to keep for reassembly. +.TP +.BI "\-o " max_ipv6_fragments=num +Set the maximum fragmented IPv6 packets +.RI ( num ) +to track for reassembly, if the limit is reach then all other fragmented +packets will not be reassembled. +.TP +.BI "\-o " max_ipv6_fragments_per_packet=num +Set the maximum fragments +.RI ( num ) +per tracked IPv6 packet to keep for reassembly. +.RE +.TP +.BI "\-o " parse_ongoing_tcp=yes +.B dnscap +will normally not look at TCP unless it sees the start of it. +This enables state tracking when a new TCP stream is found but no SYN/ACK +has been seen. +Each TCP packet with payload will be tagged as DNS. +.TP +.BI "\-o " allow_reset_tcpstate=yes +Allow the TCP state to be reseted, this is used in diagnostic output and +plugins when parsing the DNS in a TCP packet fails to try and recover from +missing or unaligned data. +.TP +.BI "\-o " reassemble_tcp=yes +Enable reassembly of TCP packets, this will not parse each packet as an own +DNS message but will store TCP segments until they can be reassembled. +It will expect the DNS message length to come first and then wait for the +full length of data to arrive until passing to outputs and plugins. + +Since the number of saved segments are limited and fixed, if the TCP steam +becomes corrupt then processing may stop. +Recovering from this can be done by enabling +.Ar allow_reset_tcpstate=yes +which will reset state and free all saved segments to try and start over. 
+.TP +.BI "\-o " reassemble_tcp_faultreset=num +This controls the number of faults +.RI ( num ) +that can happen before the state is reseted (as described above), faults +are if the segments buffer are full or if the sequence is outside the +TCP window. +The default is zero which means it will reset the state as soon as the +segment buffer is full. +.TP +.BI "\-o " reassemble_tcp_bfbparsedns=yes +Enable an additional layer (experimental) of reassembly that uses LDNS to +parse the payload before accepting it. +If the DNS is invalid it will move 2 bytes within the payload and treat it +as a new payload, taking the DNS length again and restart the process. +.\" +.\" +.\" +.SS DNS +.TP +.BI "\-m " [qun] +Capture only messages of designated types; +.IR q uery, +.IR u pdate, +and +.IR n otify). +Multiple types can be given at the same time, for example +.B "\-m qn" +will select query and notify messages. +Multiple +.B \-m +can not be used to specify multiple types. +Default is query. +.TP +.BI "\-e " [nytfsxir] +Among responses, consider nonzero DNS TC or DNS RCODE to indicate an error, +and select only responses which do not have +.RI ( n ), +or which have +.RI ( y ), +these conditions. +The default is to only select non\-errors among responses. +If both non\-error and error responses are to be selected, specify both the +.I n +and +.I y +options here. + +To be more specific, use one or more condition\-specific options, as follows: +.RS +.TP +.B n +no error +.TP +.B y +some error +.TP +.B t +truncated response (TC bit) +.TP +.B f +format error (rcode 1) +.TP +.B s +server failure (rcode 2) +.TP +.B x +no such name (rcode 3) +.TP +.B i +not implemented (rcode 4) +.TP +.B r +refusal (rcode 5) +.RE +.TP +.BI "\-h " ir +Hide +.IR i nitiator +or +.IR r esponder +of each captured transaction. +Hiding an initiator means wiping out the address and port number. +Hiding a responder means to wipe out the address only. 
+This wiping occurs on the copy of the packet sent to the +.BR pcap (3) +dump output, and both the IP and UDP checksums will be recomputed in that case. +.TP +.BI "\-s " ir +Select messages which are +.IR i nitiations +and/or +.IR r esponses. +This is done by checking the DNS header flag QR and source/destination port +against the DNS port (see +.BR \-u ). +Default is both. +.TP +.BI "\-a " host +Capture only transactions having these initiators. +Can be specified more than once to select multiple initiators. +If a host name is used, then all of that host's addresses whether IPv4 or +IPv6 are added to the recognition pattern. +.TP +.BI "\-z " host +Capture only transactions having these responders. +Can be specified more than once to select multiple responders. +If a host name is used, then all of that host's addresses whether IPv4 or +IPv6 are added to the recognition pattern. +.TP +.BI "\-A " host +Capture only transactions NOT having these initiators. +.TP +.BI "\-Z " host +Capture only transactions NOT having these responders. +.TP +.BI "\-Y " host +Drop responses having these responders. +Similar to +.B \-Z +in spirit. +However, +.B \-Y +applies only to responses and does not cause any additions to the BPF filter +string. +.TP +.BI "\-x " pat +If one or more +.B \-x +options are provided, then DNS messages will only be selected if the +printable representation of the QNAME or any RR matches at least one of the +provided +.I pat +patterns. +.TP +.BI "\-X " pat +If one or more +.B \-X +options are provided, then DNS messages matching these patterns will not +be selected. + +If both options are used then the message must first be matched by +.B \-x +and then not matched by all +.B \-X +regex. +See +.BR regex (3) +and +.BR re_format (7) +for more information about extended regular expression syntax. +.TP +.BI "\-q " num|str +Only select DNS messages where QTYPE matches the specified type. +Can not be used together with +.BR \-Q . 
+.TP +.BI "\-Q " num|str +Only select DNS messages where QTYPE does not matches the specified type. +Can not be used together with +.BR \-q . +.\" +.\" +.\" +.SS PLUGINS +.TP +.BI "\-P " "/path/to/plugin.so ..." +Load and use the specified plugin, full path to plugin must be supplied. +Any options given after this are sent to the plugin. + +Once a double dash, "\-\-", is encountered after +.BR \-P , +processing of the command line options will go back to +.BR dnscap . + +Using this you can chain and use multiple plugins at once: + +.EX + \-P /path/to/plugin_one.so \-a opt \-\- \-P /path/to/plugin_two.so \-b opt +.EE + +To show the plugins option help, run it with +.BR \-? : + +.EX + \-P /path/to/plugin_one.so \-? +.EE + +Plugins are loaded, executed and given the packets to process in the +order given on command line. + +These bundled plugins are installed in @pkglibdir@: +.RS +.TP +.B anonaes128.so +Anonymize IP addresses using AES128. +.TP +.B anonmask.so +Pseudo\-anonymize IP addresses by masking them. +.TP +.B cryptopan.so +Anonymize IP addresses using an extension to Crypto\-PAn (College of +Computing, Georgia Tech) made by David Stott (Lucent). +.TP +.B cryptopant.so +Anonymize IP addresses using cryptopANT, a different implementation of +Crypto\-PAn made by the ANT project at USC/ISI. +.TP +.B eventlog.so +Output DNS activity as log events, including IP addresses from query responses. +.TP +.B ipcrypt.so +Anonymize IP addresses using ipcrypt create by Jean\-Philippe Aumasson. +.TP +.B pcapdump.so +Dump DNS into a PCAP with some filtering options. +.TP +.B royparse.so +Splits a PCAP into two streams; queries in PCAP format and responses in +ASCII format. +.TP +.B rssm.so +Root Server Scaling Measurement plugin. +.TP +.B rzkeychange.so +RFC8145 key tag signal collection and reporting plugin. +.TP +.B txtout.so +Dump DNS as one\-line text. 
+.RE +.\" +.\" +.\" +.SH OUTPUT FORMATS +Beside diagnostic and PCAP output, other output formats might be available +depending on compile time support. + +Recognized formats are: +.TP +.B cbor +Uses tinycbor library to write CBOR objects that are based on DNS\-in\-JSON +draft by Paul Hoffman. +.TP +.B cds +CBOR DNS Stream format, see +.I https://github.com/DNS\-OARC/dnscap/blob/master/CBOR_DNS_STREAM.md +for details and below for all extended options related to this format. +.TP +.B pcap +This uses the pcap library to output the captured DNS packets. (default) +.TP +.B diagnostic +This is the output produced by +.BR \-g , +and is meant to be parse\-able. +It is broken up into multiple lines with a backslash at the end to indicate +that the line continues on the next. + +First line contains packet and capturing information: + +.EX + [<pktsize>] <date> <timestamp> [<pktnum> <file|interface> <vlanid>] +.EE + +Second line shows IP information or if the packet is a fragment: + +.EX + [<srcip>].<srcport> \-> [<dstip>].<dstport> +.EE +.EX + ;: [<srcip>] \-> [<dstip>] (frag) +.EE + +If the packet contains DNS information then the next line will show the DNS +header information: + +.EX + dns <opcode>,<rcode>,<id>,<flags> +.EE + +Next are the 4 sections of the DNS, each section is prefixed by the number +of records and each record and section are separated by space. +Below are a few example, first is just a query, second has just one answer +and the last has also authority and additional records. + +.EX + 1 example.com.,IN,A 0 0 0 +.EE + +.EX + 1 example.com.,IN,A \\ + 1 example.com.,IN,A,47,127.0.0.1 0 0 +.EE + +.EX + 1 example.com.,IN,A \\ + 1 example.com.,IN,A,263,127.0.0.1 \\ + 4 example.com.,IN,NS,157794,ns1.example.com. \\ + example.com.,IN,NS,157794,ns4.example.com. \\ + example.com.,IN,NS,157794,ns3.example.com. \\ + example.com.,IN,NS,157794,ns2.example.com. 
\\ + 4 ns2.example.com.,IN,A,157794,127.0.0.1 \\ + ns1.example.com.,IN,A,331796,127.0.0.1 \\ + ns3.example.com.,IN,A,157794,127.0.0.1 \\ + ns4.example.com.,IN,A,157794,127.0.0.1 +.EE + +Each DNS record contains the following: + +.EX + <fqdn>,<class>,<type>[,<ttl>[,<additional information>]] +.EE + +Additional information will be displayed for SOA, A, AAAA, MX, NS, PTR, +CNAME and OPT records containing EDNS0. +.SS CBOR +.TP +.BI "\-o " cbor_chunk_size=bytes +Specify the number of +.I bytes +of CBOR to construct before flushing the output, must be a non zero +positive number. +.SS CBOR DNS STREAM (CDS) +.TP +.BI "\-o " cds_cbor_size=bytes +Number of +.I bytes +of memory to use before flushing to file. +.TP +.BI "\-o " cds_message_size=bytes +Number of +.I bytes +of memory to use for each DNS packet. +.TP +.BI "\-o " cds_max_rlabels=num +Number of labels +.RI ( num ) +to keep in the reverse label index. +.TP +.BI "\-o " cds_min_rlabel_size=num +The minimum size of a label +.RI ( num ) +to be able to use the reverse label index. +.TP +.BI "\-o " cds_use_rdata_index=yes +Use the resource data index, default is no. +.TP +.BI "\-o " cds_rdata_index_min_size=num +The minimum size of the data +.RI ( num ) +to be able to use the resource data index. +.TP +.BI "\-o " cds_use_rdata_rindex=yes +Use the resource data reverse index, default is no. +.TP +.BI "\-o " cds_rdata_rindex_size=num +Number of resource data +.RI ( num ) +to keep in the resource data reverse index. +.TP +.BI "\-o " cds_rdata_rindex_min_size=num +The minimum size of the data +.RI ( num ) +to be able to use the resource data reverse index. +.SH EXAMPLES +In +.BR dnscap 's +simplest form, the output can be piped to +.BR tcpdump (1) +as in: + +.EX + dnscap -w - | tcpdump -r - +.EE + +You can safely add the +.B \-d +option since the diagnostic output resulting from +.B \-d +goes to standard error rather than standard output. + +The more interesting use for +.B dnscap +is long term or continuous data collection. 
+Assuming a shell script called +.I dnscap-upload +whose function is to transfer a +.BR pcap (3) +format file to an analytics system and then remove the local copy of it, +then a name server operating system startup could invoke +.B dnscap +for continuous DNS auditing using a command like: + +.EX + dnscap -m qun -h i -z f.root-servers.net \\ + -w /var/local/dnscaps/f-root -t 1800 \\ + -k /usr/local/sbin/dnscap-upload +.EE + +This will capture all query, update and notify messages where the responder +is f.root-servers.net and the initiators will be hidden. +The dump files will be saved in /var/local/dnscaps/ on a 30 minute (1800 +seconds) interval. +After each interval the +.I dnscap-upload +script will be executed. + +A bizarre but actual example which combines almost all features of +.B dnscap +is: + +.EX + dnscap -d -w - -1 -i em0 -l 0 -x ^7 | \\ + dnscap -d -r - -X spamhaus -g -l 0 +.EE + +Here, we're looking for all messages having a QNAME or RR beginning with the +decimal digit "7", but we don't want to see anything containing "spamhaus". +The interface is tagged, and since only one interface is selected, the output +stream from the first +.B dnscap +will also be tagged, thus we need +.BI "\-l " 0 +on both +.B dnscap +commands. +.SH COMPATIBILITY NOTES +If +.B dnscap +produces no output, it's probably due to some kind of bug in the kernel's +.BR bpf (4) +module or in the +.BR pcap (3) +library. + +You may need the +.BI "\-l " 0 +, +.BI "\-l " 4095 +or +.BI "\-L " 4095 +options. + +To diagnose "no output", use the +.B \-d +and +.B \-g +options to find out what BPF program is being internally generated, and +then cut/paste this BPF program and use +.BR tcpdump (1) +to see if it likewise produces no output. + +You can also run +.BR tcpdump (1) +with +.B \-e +to see the link-level headers in order to see if the traffic is encapsulated. 
+.SH SEE ALSO
+.BR tcpdump (1),
+.BR pcap (3),
+.BR regex (3),
+.BR bpf (4),
+.BR re_format (7)
+.SH AUTHORS
+.B dnscap
+was written by Paul Vixie (ISC) with help from Duane Wessels,
+Kevin Brintnall, and others too numerous to mention.
+It's currently maintained by Jerry Lundström, DNS\-OARC.
+.LP
+.RS
+.I https://www.dns\-oarc.net/
+.RE
+.LP
+.SH BUGS
+For issues and feature requests please use:
+.LP
+.RS
+\fI@PACKAGE_URL@\fP
+.RE
+.LP
+For question and help please use:
+.LP
+.RS
+\fI@PACKAGE_BUGREPORT@\fP
+.RE
+.LP
diff --git a/src/dnscap.c b/src/dnscap.c
new file mode 100644
index 0000000..56e1ac1
--- /dev/null
+++ b/src/dnscap.c
@@ -0,0 +1,249 @@
+/* dnscap - DNS capture utility
+ *
+ * By Paul Vixie (ISC) and Duane Wessels (Measurement Factory), 2007.
+ */
+
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "dnscap.h"
+#include "args.h"
+#include "bpft.h"
+#include "pcaps.h"
+#include "dumper.h"
+#include "daemon.h"
+#include "log.h"
+#include "sig.h"
+
+#if defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_CONF_H) && defined(HAVE_OPENSSL_ERR_H) && defined(HAVE_OPENSSL_EVP_H)
+#include <openssl/conf.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#define INIT_OPENSSL 1
+#endif
+
+plugin_list plugins;
+const char* ProgramName = "amnesia";
+int dumptrace = 0;
+int flush = FALSE;
+vlan_list vlans_excl;
+vlan_list vlans_incl;
+unsigned msg_wanted = MSG_QUERY;
+unsigned dir_wanted = DIR_INITIATE | DIR_RESPONSE;
+unsigned end_hide = 0U;
+unsigned err_wanted = ERR_NO | ERR_YES; /* accept all by default */
+tcpstate_list tcpstates;
+int tcpstate_count = 0;
+endpoint_list initiators, not_initiators;
+endpoint_list responders, not_responders;
+endpoint_list drop_responders; /* drops only responses from these hosts */
+myregex_list myregexes;
+mypcap_list mypcaps;
+mypcap_ptr pcap_offline = NULL;
+const char* dump_base = NULL;
+char* dump_suffix = 0;
+char* extra_bpf = NULL;
+enum dump_type dump_type = nowhere;
+enum dump_state dump_state = dumper_closed;
+const char* kick_cmd = NULL;
+unsigned limit_seconds = 0U;
+time_t next_interval = 0;
+unsigned limit_packets = 0U;
+size_t limit_pcapfilesize = 0U;
+pcap_t* pcap_dead;
+pcap_dumper_t* dumper;
+time_t dumpstart;
+unsigned msgcount;
+size_t capturedbytes = 0;
+char * dumpname, *dumpnamepart;
+char* bpft;
+unsigned dns_port = DNS_PORT;
+int promisc = TRUE;
+int monitor_mode = FALSE;
+int immediate_mode = FALSE;
+int background = FALSE;
+char errbuf[PCAP_ERRBUF_SIZE];
+int wantgzip = 0;
+int wantfrags = FALSE;
+int wanticmp = FALSE;
+int wanttcp = FALSE;
+int preso = FALSE;
+#ifdef USE_SECCOMP
+int use_seccomp = FALSE;
+#endif
+int main_exit = FALSE;
+int alarm_set = FALSE;
+time_t start_time = 0;
+time_t stop_time = 0;
+int print_pcap_stats = FALSE;
+uint64_t pcap_drops = 0;
+my_bpftimeval last_ts = { 0, 0 };
+unsigned long long mem_limit = (unsigned)MEM_MAX; /* process memory limit */
+int mem_limit_set = 1; /* TODO: Should be configurable */
+const char DROPTOUSER[] = "nobody";
+pcap_thread_t pcap_thread = PCAP_THREAD_T_INIT;
+int only_offline_pcaps = FALSE;
+int dont_drop_privileges = FALSE;
+options_t options = OPTIONS_T_DEFAULTS;
+
+ldns_rr_type match_qtype = 0, nmatch_qtype = 0;
+
+int main(int argc, char* argv[])
+{
+ struct plugin* p;
+ struct timeval now;
+
+#ifdef INIT_OPENSSL
+ ERR_load_crypto_strings();
+ OpenSSL_add_all_algorithms();
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ OPENSSL_config(0);
+#endif
+#endif
+
+ parse_args(argc, argv);
+ gettimeofday(&now, 0);
+ if (!only_offline_pcaps && start_time) {
+ if (now.tv_sec < start_time) {
+ char when[100];
+ struct tm tm;
+ gmtime_r(&start_time, &tm);
+ strftime(when, sizeof when, "%F %T", &tm);
+ fprintf(stderr, "Sleeping for %d seconds until %s UTC\n",
+ (int)(start_time - now.tv_sec), when);
+ sleep(start_time - now.tv_sec);
+ fprintf(stderr, "Awake.\n");
+ }
+ }
+ prepare_bpft();
+ open_pcaps();
+ if (dump_type == to_stdout) {
+ if (dumper_open(now)) {
+ fprintf(stderr, "%s: dumper_open() to stdout failed\n", ProgramName);
+ exit(1);
+ }
+ }
+ INIT_LIST(tcpstates);
+
+ if (!dont_drop_privileges && !only_offline_pcaps) {
+ drop_privileges();
+ }
+
+ for (p = HEAD(plugins); p != NULL; p = NEXT(p, link)) {
+ if (p->start)
+ if (0 != (*p->start)(logerr)) {
+ logerr("%s_start returned non-zero", p->name);
+ exit(1);
+ }
+ }
+ if (dump_type == nowhere)
+ dumpstart = time(NULL);
+ if (background)
+ daemonize();
+
+#if HAVE_PTHREAD
+ /*
+ * Defer signal setup until we have dropped privileges and daemonized,
+ * otherwise signals might not reach us because different threads
+ * are running under different users/access
+ */
+ {
+ sigset_t set;
+ int err;
+ pthread_t thread;
+
+ sigfillset(&set);
+ if ((err = pthread_sigmask(SIG_BLOCK, &set, 0))) {
+ logerr("pthread_sigmask: %s", strerror(err));
+ exit(1);
+ }
+
+ sigemptyset(&set);
+ sigaddset(&set, SIGHUP);
+ sigaddset(&set, SIGINT);
+ sigaddset(&set, SIGALRM);
+ sigaddset(&set, SIGTERM);
+ sigaddset(&set, SIGQUIT);
+
+ if ((err = pthread_create(&thread, 0, &sigthread, (void*)&set))) {
+ logerr("pthread_create: %s", strerror(err));
+ exit(1);
+ }
+ }
+#else
+ {
+ sigset_t set;
+
+ sigfillset(&set);
+ sigdelset(&set, SIGHUP);
+ sigdelset(&set, SIGINT);
+ sigdelset(&set, SIGALRM);
+ sigdelset(&set, SIGTERM);
+ sigdelset(&set, SIGQUIT);
+
+ if (sigprocmask(SIG_BLOCK, &set, 0)) {
+ logerr("sigprocmask: %s", strerror(errno));
+ exit(1);
+ }
+ }
+
+ setsig(SIGHUP, TRUE);
+ setsig(SIGINT, TRUE);
+ setsig(SIGALRM, FALSE);
+ setsig(SIGTERM, TRUE);
+ setsig(SIGQUIT, TRUE);
+#endif
+
+ while (!main_exit)
+ poll_pcaps();
+ /* close PCAPs after dumper_close() to have statistics still available during dumper_close() */
+ if (dumper_opened == dump_state)
+ (void)dumper_close(last_ts);
+ close_pcaps();
+ for (p = HEAD(plugins); p != NULL; p = NEXT(p, link)) {
+ if (p->stop)
+ (*p->stop)();
+ }
+ options_free(&options);
+
+#ifdef INIT_OPENSSL
+ EVP_cleanup();
+ CRYPTO_cleanup_all_ex_data();
+ ERR_free_strings();
+#endif
+
+ return 0;
+}
diff --git a/src/dnscap.h b/src/dnscap.h
new file mode 100644
index 0000000..dd03ddd
--- /dev/null
+++ b/src/dnscap.h
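Review bot: The initialiser `unsigned long long mem_limit = (unsigned)MEM_MAX;` truncates the limit through the `(unsigned)` cast, and the constant itself disagrees with its comment. `MEM_MAX` is defined in src/dnscap.h as `20000000000` next to the comment "SETTING MAX MEMORY USAGE TO 2GB", which is ten times the stated value, and where `unsigned` is 32 bits the cast reduces it to 2820130816. The memory cap for a process that parses captured traffic therefore matches neither documented figure. If 2 GB is the intent, `#define MEM_MAX 2000000000ULL` in dnscap.h and `unsigned long long mem_limit = MEM_MAX;` here would make the constant, the comment and the variable agree. How `mem_limit` is applied is not visible in this hunk.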
@@ -0,0 +1,441 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#ifndef __dnscap_dnscap_h +#define __dnscap_dnscap_h + +#ifdef __linux__ +#define _GNU_SOURCE +#endif + +#include <sys/param.h> +#include <sys/types.h> +#include <sys/select.h> +#include <sys/socket.h> +#include <sys/fcntl.h> /* for open() */ +#include <sys/ioctl.h> /* for TIOCNOTTY */ +#include <stdarg.h> +#include <syslog.h> +#include <dlfcn.h> +#include <sys/stat.h> +#include <sys/resource.h> +#if HAVE_PTHREAD +#include <pthread.h> +#endif + +#ifdef __linux__ +#define __FAVOR_BSD +#include <net/ethernet.h> +#ifdef USE_SECCOMP +#include <seccomp.h> +#endif +#endif + +#ifdef __FreeBSD__ +#include <net/ethernet.h> +#endif + +#ifdef __NetBSD__ +#include <net/ethertypes.h> +#include <net/if.h> +#include <net/if_ether.h> +#endif + +#ifdef __OpenBSD__ +#include <net/ethertypes.h> +#include <net/if.h> +#include <netinet/in.h> +#include <netinet/in_var.h> +#include <netinet/if_ether.h> +#endif + +#ifdef __APPLE__ +#include <net/ethernet.h> +#include <net/bpf.h> +#endif + +#ifdef __hpux +#include <net/if.h> +#include <netinet/if_ether.h> +#define ETHER_HDR_LEN ETHER_HLEN +#define __BIT_TYPES_DEFINED +#define __HPLX +#endif + +#ifdef __SVR4 +#include <stdarg.h> +#include <net/if.h> +#include <net/if_arp.h> +#include <netinet/if_ether.h> +#include "snprintf.h" +#define IP_OFFMASK 0x1fff +#define u_int32_t uint32_t +#ifndef ETHER_HDR_LEN +#define ETHER_HDR_LEN 14 +#endif +#endif + +#ifndef MY_BPFTIMEVAL +#define MY_BPFTIMEVAL timeval +#endif + +#include <netinet/in_systm.h> +#include <netinet/in.h> +#include <netinet/ip.h> +#include <netinet/ip6.h> +#include <netinet/udp.h> +#include <netinet/tcp.h> +#include <arpa/nameser.h> +#if HAVE_ARPA_NAMESER_COMPAT_H +#include <arpa/nameser_compat.h> +#endif +#include <arpa/inet.h> + +#include <assert.h> +#include <errno.h> +#include <netdb.h> +#include <pcap.h> +#include <regex.h> +#include <signal.h> +#include <stdarg.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <pwd.h> 
+#include <grp.h> + +#if HAVE_ZLIB_H +#include <zlib.h> +#endif + +#include <ldns/ldns.h> + +#ifndef IPV6_VERSION +#define IPV6_VERSION 0x60 +#endif +#ifndef IPV6_VERSION_MASK +#define IPV6_VERSION_MASK 0xf0 +#endif + +#define UDP10_QR_MASK 0x80 +#define UDP10_QR_SHIFT 7 +#define UDP10_OP_MASK 0x78 +#define UDP10_OP_SHIFT 3 +#define UDP10_AA_MASK 0x04 +#define UDP10_AA_SHIFT 2 +#define UDP10_TC_MASK 0x02 +#define UDP10_TC_SHIFT 1 +#define UDP10_RD_MASK 0x01 +#define UDP10_RD_SHIFT 0 + +#define UDP11_RC_MASK 0x0f +#define UDP11_RC_SHIFT 0 + +#define MSG_QUERY 0x0001 +#define MSG_UPDATE 0x0002 +#define MSG_NOTIFY 0x0004 + +#define ERR_TRUNC 0x0001 +#define ERR_RCODE_BASE 0x0002 +#define ERR_NO (ERR_RCODE_BASE << 0) +#define ERR_FORMERR (ERR_RCODE_BASE << 1) +#define ERR_SERVFAIL (ERR_RCODE_BASE << 2) +#define ERR_NXDOMAIN (ERR_RCODE_BASE << 3) +#define ERR_NOTIMPL (ERR_RCODE_BASE << 4) +#define ERR_REFUSED (ERR_RCODE_BASE << 5) +#define ERR_YES (0xffffffff & ~ERR_NO) + +#define END_INITIATOR 0x0001 +#define END_RESPONDER 0x0002 + +#define HIDE_INET "\177\177\177\177" +#define HIDE_INET6 "\177\177\177\177\177\177\177\177" \ + "\177\177\177\177\177\177\177\177" +#define HIDE_PORT 54321 + +#ifndef ETHERTYPE_VLAN +#define ETHERTYPE_VLAN 0x8100 +#endif +#ifndef ETHERTYPE_IPV6 +#define ETHERTYPE_IPV6 0x86DD +#endif + +#define THOUSAND 1000 +#define MILLION (THOUSAND * THOUSAND) +#define MAX_VLAN 4095 +#define DNS_PORT 53 +#define TO_MS 1 +#define SNAPLEN 65536 +#define TRUE 1 +#define FALSE 0 +#define REGEX_CFLAGS (REG_EXTENDED | REG_ICASE | REG_NOSUB | REG_NEWLINE) +#define MAX_TCP_WINDOW (0xFFFF << 14) +#define MEM_MAX 20000000000 /* SETTING MAX MEMORY USAGE TO 2GB */ + +#define ISC_CHECK_NONE 1 +#include "isc/list.h" +#include "isc/assertions.h" + +#include "dnscap_common.h" + +#include "dump_dns.h" +#include "dump_cbor.h" +#include "dump_cds.h" +#include "options.h" +#include "pcap-thread/pcap_thread.h" + +struct text { + LINK(struct text) + link; + size_t len; + char* 
text; +}; +typedef struct text* text_ptr; +typedef LIST(struct text) text_list; +#define text_size(len) (sizeof(struct text) + len) + +struct mypcap { + LINK(struct mypcap) + link; + const char* name; + struct pcap_stat ps0, ps1; + uint64_t drops; +}; +typedef struct mypcap* mypcap_ptr; +typedef LIST(struct mypcap) mypcap_list; + +struct vlan { + LINK(struct vlan) + link; + unsigned vlan; +}; +typedef struct vlan* vlan_ptr; +typedef LIST(struct vlan) vlan_list; + +#define MAX_TCP_WINDOW_SIZE (0xFFFF << 14) +#define MAX_TCP_MSGS 8 +#define MAX_TCP_SEGS 8 +#define MAX_TCP_HOLES 8 +#define MAX_TCP_DNS_MSG 8 + +typedef struct tcphole tcphole_t; +typedef struct tcp_msgbuf tcp_msgbuf_t; +typedef struct tcp_segbuf tcp_segbuf_t; +typedef struct tcpdnsmsg tcpdnsmsg_t; +typedef struct tcpreasm tcpreasm_t; + +struct tcphole { + uint16_t start; + uint16_t len; +}; + +struct tcp_msgbuf { + uint32_t seq; + uint16_t dnslen; + tcphole_t hole[MAX_TCP_HOLES]; + int holes; + u_char buf[]; +}; + +struct tcp_segbuf { + uint32_t seq; + uint16_t len; + u_char buf[]; +}; + +struct tcpdnsmsg { + size_t segments_seen; + uint16_t dnslen; + u_char dnspkt[]; +}; + +struct tcpreasm { + uint32_t seq_start; + size_t msgbufs; + u_char dnslen_buf[2]; + u_char dnslen_bytes_seen_mask; + tcp_msgbuf_t* msgbuf[MAX_TCP_MSGS]; + tcp_segbuf_t* segbuf[MAX_TCP_SEGS]; + size_t segments_seen; + size_t dnsmsgs; + tcpdnsmsg_t* dnsmsg[MAX_TCP_DNS_MSG]; + uint32_t seq_bfb; + tcp_segbuf_t* bfb_seg[MAX_TCP_SEGS]; + u_char* bfb_buf; + size_t bfb_at; +}; + +struct tcpstate { + LINK(struct tcpstate) + link; + iaddr saddr; + iaddr daddr; + uint16_t sport; + uint16_t dport; + uint32_t start; /* seq# of tcp payload start */ + uint32_t maxdiff; /* maximum (seq# - start) */ + uint16_t dnslen; + time_t last_use; + uint32_t lastdns; + uint32_t currseq; + size_t currlen; + + tcpreasm_t* reasm; + size_t reasm_faults; +}; +typedef struct tcpstate* tcpstate_ptr; +typedef LIST(struct tcpstate) tcpstate_list; + +struct endpoint { + 
LINK(struct endpoint) + link; + iaddr ia; +}; +typedef struct endpoint* endpoint_ptr; +typedef LIST(struct endpoint) endpoint_list; + +struct myregex { + LINK(struct myregex) + link; + regex_t reg; + char* str; + int not ; +}; +typedef struct myregex* myregex_ptr; +typedef LIST(struct myregex) myregex_list; + +struct plugin { + LINK(struct plugin) + link; + + char* name; + void* handle; + enum plugin_type pt; + + type_t(*type); + int (*start)(logerr_t*); + void (*stop)(); + int (*open)(my_bpftimeval); + int (*close)(); + output_t(*output); + filter_t(*filter); + void (*getopt)(int*, char**[]); + void (*usage)(); + void (*extension)(int, void*); +}; +typedef LIST(struct plugin) plugin_list; + +enum dump_type { + nowhere, + to_stdout, + to_file +}; +enum dump_state { + dumper_opened, + dumper_closed +}; + +extern plugin_list plugins; +extern const char* ProgramName; +extern char* dump_suffix; +extern int wantgzip; + +extern plugin_list plugins; +extern const char* ProgramName; +extern int dumptrace; +extern int flush; +extern vlan_list vlans_excl; +extern vlan_list vlans_incl; +extern unsigned msg_wanted; +extern unsigned dir_wanted; +extern unsigned end_hide; +extern unsigned err_wanted; +extern tcpstate_list tcpstates; +extern int tcpstate_count; +extern endpoint_list initiators, not_initiators; +extern endpoint_list responders, not_responders; +extern endpoint_list drop_responders; +extern myregex_list myregexes; +extern mypcap_list mypcaps; +extern mypcap_ptr pcap_offline; +extern const char* dump_base; +extern char* dump_suffix; +extern char* extra_bpf; +extern enum dump_type dump_type; +extern enum dump_state dump_state; +extern const char* kick_cmd; +extern unsigned limit_seconds; +extern time_t next_interval; +extern unsigned limit_packets; +extern size_t limit_pcapfilesize; +extern pcap_t* pcap_dead; +extern pcap_dumper_t* dumper; +extern time_t dumpstart; +extern unsigned msgcount; +extern size_t capturedbytes; +extern char * dumpname, *dumpnamepart; 
+extern char* bpft; +extern unsigned dns_port; +extern int promisc; +extern int monitor_mode; +extern int immediate_mode; +extern int background; +extern char errbuf[PCAP_ERRBUF_SIZE]; +extern int wantgzip; +extern int wantfrags; +extern int wanticmp; +extern int wanttcp; +extern int preso; +#ifdef USE_SECCOMP +extern int use_seccomp; +#endif +extern int main_exit; +extern int alarm_set; +extern time_t start_time; +extern time_t stop_time; +extern int print_pcap_stats; +extern uint64_t pcap_drops; +extern my_bpftimeval last_ts; +extern unsigned long long mem_limit; +extern int mem_limit_set; +extern const char DROPTOUSER[]; +extern pcap_thread_t pcap_thread; +extern int only_offline_pcaps; +extern int dont_drop_privileges; +extern options_t options; + +extern ldns_rr_type match_qtype, nmatch_qtype; + +#endif /* __dnscap_dnscap_h */ diff --git a/src/dnscap_common.h b/src/dnscap_common.h new file mode 100644 index 0000000..db1b88b --- /dev/null +++ b/src/dnscap_common.h 
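Review bot: In `struct tcp_msgbuf` the counter `int holes;` indexes the fixed array `tcphole_t hole[MAX_TCP_HOLES]`, but it is signed and its bound is not documented. The reassembly code that updates it is outside this hunk, so whether every increment is checked against `MAX_TCP_HOLES` cannot be confirmed here. Since the count presumably follows segments taken from captured traffic, the invariant deserves to be stated at the declaration. I would declare it as `size_t holes; /* valid entries in hole[], never more than MAX_TCP_HOLES */`, matching the `size_t msgbufs` and `size_t dnsmsgs` counters in `struct tcpreasm`.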
@@ -0,0 +1,158 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#ifndef __dnscap_dnscap_common_h +#define __dnscap_dnscap_common_h + +#include <netinet/in.h> +#include <sys/types.h> + +#ifdef TIME_WITH_SYS_TIME +#include <sys/time.h> +#include <time.h> +#else +#ifdef HAVE_SYS_TIME_H +#include <sys/time.h> +#else +#include <time.h> +#endif +#endif + +/* + * setup MY_BPFTIMEVAL as the timeval structure that bpf packets + * will be assoicated with packets from libpcap + */ +#ifndef MY_BPFTIMEVAL +#define MY_BPFTIMEVAL timeval +#endif +typedef struct MY_BPFTIMEVAL my_bpftimeval; + +/* + * Structure to contain IP addresses + */ +typedef struct { + int af; + union { + struct in_addr a4; + struct in6_addr a6; + } u; +} iaddr; + +/* + * Prototype for the plugin "type" function + * + * output - Will run plugin's "output" function last when outputting (default + * and same behavior before the existens of a plugin type) + * filter - Will run plugin's "filter" function before outputting and won't + * output if the return of that function is non-zero. + */ +enum plugin_type { + plugin_output, + plugin_filter, +}; +typedef enum plugin_type type_t(void); + +/* + * plugins can call the logerr() function in the main dnscap + * process. 
+ */ +typedef int logerr_t(const char* fmt, ...); + +/* + * Prototype for the plugin "output" function + */ +typedef void output_t(const char* descr, + iaddr from, + iaddr to, + uint8_t proto, + unsigned flags, + unsigned sport, + unsigned dport, + my_bpftimeval ts, + const u_char* pkt_copy, + const unsigned olen, + const u_char* payload, + const unsigned payloadlen); + +/* + * Prototype for the plugin "filter" function + */ +typedef int filter_t(const char* descr, + iaddr* from, + iaddr* to, + uint8_t proto, + unsigned flags, + unsigned sport, + unsigned dport, + my_bpftimeval ts, + const u_char* pkt_copy, + const unsigned olen, + const u_char* payload, + const unsigned payloadlen); + +/* + * Extensions + */ + +#define DNSCAP_EXT_IS_RESPONDER 1 +typedef int (*is_responder_t)(iaddr ia); + +#define DNSCAP_EXT_IA_STR 2 +typedef const char* (*ia_str_t)(iaddr ia); + +#define DNSCAP_EXT_TCPSTATE_GETCURR 3 +typedef void* (*tcpstate_getcurr_t)(void); + +#define DNSCAP_EXT_TCPSTATE_RESET 4 +typedef void (*tcpstate_reset_t)(void* tcpstate, const char* msg); + +#define DNSCAP_EXT_SET_IADDR 5 +typedef void (*set_iaddr_t)(iaddr* from, iaddr* to); + +/* + * Flags + */ + +#define DNSCAP_OUTPUT_ISFRAG (1 << 0) +#define DNSCAP_OUTPUT_ISDNS (1 << 1) +#define DNSCAP_OUTPUT_ISLAYER (1 << 2) + +/* + * Direction + */ + +#define DIR_INITIATE 0x0001 +#define DIR_RESPONSE 0x0002 + +#endif /* __dnscap_dnscap_common_h */ diff --git a/src/dump_cbor.c b/src/dump_cbor.c new file mode 100644 index 0000000..1d2d848 --- /dev/null +++ b/src/dump_cbor.c 
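Review bot: The comments above `output_t` and `filter_t` say only that each is the prototype for the plugin function and leave the buffer contract unstated. Plugins receive `pkt_copy` with `olen` and `payload` with `payloadlen`, which presumably hold bytes taken from captured packets, so a plugin author needs to know that each pointer is valid only for its paired length and whether `payload` can be NULL when `payloadlen` is 0. I would add above both typedefs a comment such as `/* pkt_copy is olen bytes and payload is payloadlen bytes of captured data; never read past either length */`, with the NULL case filled in by someone who knows the callers. The same comment could note that `filter_t` takes `from` and `to` by pointer, which together with `DNSCAP_EXT_SET_IADDR` suggests a filter may rewrite the addresses.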
@@ -0,0 +1,680 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/* + DNS-in-JSON + - generally naming convention + - compressedNAME.length is there a point here? isn't the length in the + compressed data itself? 
Maybe have compressedNAME as just the data + of the compressed name + - 2.5 Additional Message Object Members + - IP stuff: + - ipProtocol: num + - sourceIpAddress: string + - sourcePort: num + - destinationIpAddress: string + - destinationPort: num + or + - ip: [ ipProtocol, sourceIpAddress, sourcePort, destinationIpAddress, destinationPort ] + - dateNanoFractions as addition to dateSeconds, specify the fraction of + nano seconds separatly to have better precision. +*/ + +#include "config.h" + +#include "dump_cbor.h" +#include "dnscap.h" +#include "iaddr.h" + +#if HAVE_LIBTINYCBOR + +#include <ldns/ldns.h> +#if HAVE_CBOR_CBOR_H +#include <cbor/cbor.h> +#endif +#if HAVE_CBOR_H +#include <cbor.h> +#endif + +static uint8_t* cbor_buf = 0; +static size_t cbor_size = 128 * 1024; +/*static size_t cbor_size = 1024;*/ +static size_t cbor_reserve = 64 * 1024; +static CborEncoder cbor_root, cbor_pkts; +/*static cbor_stringref_t *cbor_stringrefs = 0;*/ +/*static size_t cbor_stringref_size = 8192;*/ +static int cbor_flushed = 1; + +int cbor_set_size(size_t size) +{ + if (!size) { + return DUMP_CBOR_EINVAL; + } + + cbor_size = size; + + return DUMP_CBOR_OK; +} + +int cbor_set_reserve(size_t reserve) +{ + if (!reserve) { + return DUMP_CBOR_EINVAL; + } + + cbor_reserve = reserve; + + return DUMP_CBOR_OK; +} + +#define append_cbor(func, name, type) \ + CborError func(CborEncoder* encoder, type value, int* should_flush) \ + { \ + CborError err; \ + uint8_t* ptr = encoder->data.ptr; \ + err = name(encoder, value); \ + if (err == CborErrorOutOfMemory && !*should_flush) { \ + *should_flush = 1; \ + encoder->data.ptr = ptr; \ + encoder->end = cbor_buf + cbor_size + cbor_reserve; \ + err = name(encoder, value); \ + } \ + return err; \ + } + +static append_cbor(append_cbor_text_stringz, cbor_encode_text_stringz, const char*); +static append_cbor(append_cbor_boolean, cbor_encode_boolean, bool); +static append_cbor(append_cbor_int, cbor_encode_int, int64_t); +static 
append_cbor(append_cbor_uint, cbor_encode_uint, uint64_t); +static append_cbor(append_cbor_double, cbor_encode_double, double); + +static CborError append_cbor_bytes(CborEncoder* encoder, uint8_t* bytes, size_t length, int* should_flush) +{ + CborError err; + uint8_t* ptr = encoder->data.ptr; + err = cbor_encode_byte_string(encoder, bytes, length); + if (err == CborErrorOutOfMemory && !*should_flush) { + *should_flush = 1; + encoder->data.ptr = ptr; + encoder->end = cbor_buf + cbor_size + cbor_reserve; + err = cbor_encode_byte_string(encoder, bytes, length); + } + return err; +} + +/*CborError append_cbor_text_stringz2(CborEncoder *encoder, const char *value, int *should_flush) {*/ +/* CborError err;*/ +/* uint8_t *ptr = encoder->data.ptr;*/ +/* err = cbor_encode_byte_string(encoder, bytes, length);*/ +/* if (err == CborErrorOutOfMemory && !*should_flush) {*/ +/* *should_flush = 1;*/ +/* encoder->data.ptr = ptr;*/ +/* encoder->end = cbor_buf + cbor_size + cbor_reserve;*/ +/* err = cbor_encode_byte_string(encoder, bytes, length);*/ +/* }*/ +/* return err;*/ +/*}*/ + +#define append_cbor_container(func, name) \ + CborError func(CborEncoder* encoder, CborEncoder* container, size_t length, int* should_flush) \ + { \ + CborError err; \ + uint8_t* ptr = encoder->data.ptr; \ + err = name(encoder, container, length); \ + if (err == CborErrorOutOfMemory && !*should_flush) { \ + *should_flush = 1; \ + encoder->data.ptr = ptr; \ + encoder->end = cbor_buf + cbor_size + cbor_reserve; \ + err = name(encoder, container, length); \ + } \ + return err; \ + } + +static append_cbor_container(append_cbor_array, cbor_encoder_create_array); +static append_cbor_container(append_cbor_map, cbor_encoder_create_map); + +static CborError close_cbor_container(CborEncoder* encoder, CborEncoder* container, int* should_flush) +{ + CborError err; + uint8_t* ptr = encoder->data.ptr; + err = cbor_encoder_close_container_checked(encoder, container); + if (err == CborErrorOutOfMemory && 
!*should_flush) { + *should_flush = 1; + encoder->data.ptr = ptr; + encoder->end = cbor_buf + cbor_size + cbor_reserve; + err = cbor_encoder_close_container_checked(encoder, container); + } + return err; +} + +static CborError cbor_ldns_rr_list(CborEncoder* encoder, ldns_rr_list* list, size_t count, int* should_flush) +{ + CborError cbor_err = CborNoError; + size_t n; + ldns_buffer* dname; + char* dname_str; + + if (!encoder) { + return CborErrorInternalError; + } + if (!list) { + return CborErrorInternalError; + } + if (!count) { + return CborErrorInternalError; + } + if (!should_flush) { + return CborErrorInternalError; + } + + for (n = 0; cbor_err == CborNoError && n < count; n++) { + CborEncoder cbor_rr; + uint8_t* rdata_bytes; + ldns_buffer* rdata; + ldns_rr* rr = ldns_rr_list_rr(list, n); + size_t rd_count; + + if (!rr) { + return CborErrorInternalError; + } + rd_count = ldns_rr_rd_count(rr); + + if (!(dname = ldns_buffer_new(512))) { + return CborErrorOutOfMemory; + } + if (ldns_rdf2buffer_str_dname(dname, ldns_rr_owner(rr)) != LDNS_STATUS_OK) { + ldns_buffer_free(dname); + return CborErrorInternalError; + } + ldns_buffer_write_u8(dname, 0); + if (!(dname_str = ldns_buffer_export(dname))) { + ldns_buffer_free(dname); + return CborErrorOutOfMemory; + } + + if (cbor_err == CborNoError) + cbor_err = append_cbor_map(encoder, &cbor_rr, CborIndefiniteLength, should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor_rr, "NAME", should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor_rr, dname_str, should_flush); + free(dname_str); + ldns_buffer_free(dname); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor_rr, "CLASS", should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_uint(&cbor_rr, ldns_rr_get_class(rr), should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor_rr, "TYPE", should_flush); + if (cbor_err == CborNoError) + 
cbor_err = append_cbor_uint(&cbor_rr, ldns_rr_get_type(rr), should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor_rr, "TTL", should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_uint(&cbor_rr, ldns_rr_ttl(rr), should_flush); + + if (rd_count == 1) { + if (!(rdata = ldns_buffer_new(64 * 1024))) { + return CborErrorOutOfMemory; + } + if (ldns_rdf2buffer_wire(rdata, ldns_rr_rdf(rr, 0)) != LDNS_STATUS_OK) { + ldns_buffer_free(rdata); + return CborErrorInternalError; + } + if (!(rdata_bytes = ldns_buffer_export(rdata))) { + ldns_buffer_free(rdata); + return CborErrorOutOfMemory; + } + + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor_rr, "RDLENGTH", should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_uint(&cbor_rr, ldns_buffer_position(rdata), should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor_rr, "RDATA", should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_bytes(&cbor_rr, rdata_bytes, ldns_buffer_position(rdata), should_flush); + free(rdata_bytes); + ldns_buffer_free(rdata); + } else if (rd_count > 1) { + size_t n2; + CborEncoder rr_set; + + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor_rr, "rrSet", should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_array(&cbor_rr, &rr_set, CborIndefiniteLength, should_flush); + for (n2 = 0; n2 < rd_count; n2++) { + if (!(rdata = ldns_buffer_new(64 * 1024))) { + return CborErrorOutOfMemory; + } + if (ldns_rdf2buffer_wire(rdata, ldns_rr_rdf(rr, n2)) != LDNS_STATUS_OK) { + ldns_buffer_free(rdata); + return CborErrorInternalError; + } + if (!(rdata_bytes = ldns_buffer_export(rdata))) { + ldns_buffer_free(rdata); + return CborErrorOutOfMemory; + } + + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&rr_set, "RDLENGTH", should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_uint(&rr_set, 
ldns_buffer_position(rdata), should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&rr_set, "RDATA", should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_bytes(&rr_set, rdata_bytes, ldns_buffer_position(rdata), should_flush); + free(rdata_bytes); + ldns_buffer_free(rdata); + } + if (cbor_err == CborNoError) + cbor_err = close_cbor_container(&cbor_rr, &rr_set, should_flush); + } + + if (cbor_err == CborNoError) + cbor_err = close_cbor_container(encoder, &cbor_rr, should_flush); + } + + return cbor_err; +} + +int output_cbor(iaddr from, iaddr to, uint8_t proto, unsigned flags, unsigned sport, unsigned dport, my_bpftimeval ts, const u_char* payload, size_t payloadlen) +{ + ldns_pkt* pkt = 0; + ldns_status ldns_rc; + + if (!payload) { + return DUMP_CBOR_EINVAL; + } + if (!payloadlen) { + return DUMP_CBOR_EINVAL; + } + + /* if (!cbor_stringrefs) {*/ + /* cbor_stringrefs = calloc(1, cbor_stringref_size);*/ + /* }*/ + if (!cbor_buf) { + if (!(cbor_buf = calloc(1, cbor_size + cbor_reserve))) { + return DUMP_CBOR_ENOMEM; + } + } + if (cbor_flushed) { + CborError cbor_err; + + cbor_encoder_init(&cbor_root, cbor_buf, cbor_size, 0); + /* cbor_err = cbor_encode_tag(&cbor_root, 256);*/ + /* if (cbor_err == CborNoError)*/ + cbor_err = cbor_encoder_create_array(&cbor_root, &cbor_pkts, CborIndefiniteLength); + if (cbor_err != CborNoError) { + fprintf(stderr, "cbor init error[%d]: %s\n", cbor_err, cbor_error_string(cbor_err)); + return DUMP_CBOR_ECBOR; + } + cbor_flushed = 0; + } + + ldns_rc = ldns_wire2pkt(&pkt, payload, payloadlen); + + if (ldns_rc != LDNS_STATUS_OK) { + fprintf(stderr, "ldns error [%d]: %s\n", ldns_rc, ldns_get_errorstr_by_id(ldns_rc)); + return DUMP_CBOR_ELDNS; + } + if (!pkt) { + return DUMP_CBOR_ELDNS; + } + + CborEncoder cbor, ip; + CborError cbor_err = CborNoError; + int should_flush = 0; + + cbor_err = append_cbor_map(&cbor_pkts, &cbor, CborIndefiniteLength, &should_flush); + if (cbor_err == CborNoError) + 
cbor_err = append_cbor_text_stringz(&cbor, "dateSeconds", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_double(&cbor, (double)ts.tv_sec + ((double)ts.tv_usec / 1000000), &should_flush); + /* if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, "dateNanoFractions", &should_flush);*/ + /* if (cbor_err == CborNoError) cbor_err = append_cbor_uint(&cbor, ts.tv_usec * 1000, &should_flush);*/ + + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "ip", &should_flush); + /* if (cbor_err == CborNoError) cbor_err = append_cbor_uint(&cbor, proto, &should_flush);*/ + /* if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, "sourceIpAddress", &should_flush);*/ + /* if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, ia_str(from), &should_flush);*/ + /* if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, "sourcePort", &should_flush);*/ + /* if (cbor_err == CborNoError) cbor_err = append_cbor_uint(&cbor, sport, &should_flush);*/ + /* if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, "destinationIpAddress", &should_flush);*/ + /* if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, ia_str(to), &should_flush);*/ + /* if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, "destinationPort", &should_flush);*/ + /* if (cbor_err == CborNoError) cbor_err = append_cbor_uint(&cbor, dport, &should_flush);*/ + + if (cbor_err == CborNoError) + cbor_err = append_cbor_array(&cbor, &ip, CborIndefiniteLength, &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_uint(&ip, proto, &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&ip, ia_str(from), &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_uint(&ip, sport, &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&ip, ia_str(to), &should_flush); + if 
(cbor_err == CborNoError) + cbor_err = append_cbor_uint(&ip, dport, &should_flush); + if (cbor_err == CborNoError) + cbor_err = close_cbor_container(&cbor, &ip, &should_flush); + + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "ID", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_uint(&cbor, ldns_pkt_id(pkt), &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "QR", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_boolean(&cbor, ldns_pkt_qr(pkt), &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "Opcode", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_uint(&cbor, ldns_pkt_get_opcode(pkt), &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "AA", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_boolean(&cbor, ldns_pkt_aa(pkt), &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "TC", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_boolean(&cbor, ldns_pkt_tc(pkt), &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "RD", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_boolean(&cbor, ldns_pkt_rd(pkt), &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "RA", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_boolean(&cbor, ldns_pkt_ra(pkt), &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "AD", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_boolean(&cbor, ldns_pkt_ad(pkt), &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "CD", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_boolean(&cbor, ldns_pkt_cd(pkt), 
&should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "RCODE", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_uint(&cbor, ldns_pkt_get_rcode(pkt), &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "QDCOUNT", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_uint(&cbor, ldns_pkt_qdcount(pkt), &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "ANCOUNT", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_uint(&cbor, ldns_pkt_ancount(pkt), &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "NSCOUNT", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_uint(&cbor, ldns_pkt_nscount(pkt), &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "ARCOUNT", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_uint(&cbor, ldns_pkt_arcount(pkt), &should_flush); + + /* questionRRs */ + + if (ldns_pkt_qdcount(pkt) > 0) { + ldns_rr_list* list = ldns_pkt_question(pkt); + ldns_rr* rr; + size_t n, qdcount = ldns_pkt_qdcount(pkt); + ldns_buffer* dname; + char* dname_str; + + if (!list) { + ldns_pkt_free(pkt); + return DUMP_CBOR_ELDNS; + } + rr = ldns_rr_list_rr(list, 0); + if (!rr) { + ldns_pkt_free(pkt); + return DUMP_CBOR_ELDNS; + } + + if (!(dname = ldns_buffer_new(512))) { + ldns_pkt_free(pkt); + return DUMP_CBOR_ENOMEM; + } + if (ldns_rdf2buffer_str_dname(dname, ldns_rr_owner(rr)) != LDNS_STATUS_OK) { + ldns_buffer_free(dname); + ldns_pkt_free(pkt); + return DUMP_CBOR_ELDNS; + } + ldns_buffer_write_u8(dname, 0); + if (!(dname_str = ldns_buffer_export(dname))) { + ldns_buffer_free(dname); + ldns_pkt_free(pkt); + return DUMP_CBOR_ENOMEM; + } + + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "QNAME", &should_flush); + if (cbor_err == CborNoError) + 
cbor_err = append_cbor_text_stringz(&cbor, dname_str, &should_flush); + free(dname_str); + ldns_buffer_free(dname); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "QCLASS", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_uint(&cbor, ldns_rr_get_class(rr), &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "QTYPE", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_uint(&cbor, ldns_rr_get_type(rr), &should_flush); + + if (qdcount > 1) { + CborEncoder queries; + + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "questionRRs", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_array(&cbor, &queries, CborIndefiniteLength, &should_flush); + for (n = 1; cbor_err == CborNoError && n < qdcount; n++) { + CborEncoder query; + + rr = ldns_rr_list_rr(list, n); + if (!rr) { + ldns_pkt_free(pkt); + return DUMP_CBOR_ELDNS; + } + + if (!(dname = ldns_buffer_new(512))) { + ldns_pkt_free(pkt); + return DUMP_CBOR_ENOMEM; + } + if (ldns_rdf2buffer_str_dname(dname, ldns_rr_owner(rr)) != LDNS_STATUS_OK) { + ldns_buffer_free(dname); + ldns_pkt_free(pkt); + return DUMP_CBOR_ELDNS; + } + ldns_buffer_write_u8(dname, 0); + if (!(dname_str = ldns_buffer_export(dname))) { + ldns_buffer_free(dname); + ldns_pkt_free(pkt); + return DUMP_CBOR_ENOMEM; + } + + if (cbor_err == CborNoError) + cbor_err = append_cbor_map(&queries, &query, CborIndefiniteLength, &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&query, "NAME", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&query, dname_str, &should_flush); + free(dname_str); + ldns_buffer_free(dname); + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&query, "CLASS", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_uint(&query, ldns_rr_get_class(rr), &should_flush); + if (cbor_err 
== CborNoError) + cbor_err = append_cbor_text_stringz(&query, "TYPE", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_uint(&query, ldns_rr_get_type(rr), &should_flush); + if (cbor_err == CborNoError) + cbor_err = close_cbor_container(&queries, &query, &should_flush); + } + if (cbor_err == CborNoError) + cbor_err = close_cbor_container(&cbor, &queries, &should_flush); + } + } + + /* answerRRs */ + + if (ldns_pkt_ancount(pkt) > 0) { + CborEncoder cbor_rrs; + + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "answerRRs", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_array(&cbor, &cbor_rrs, CborIndefiniteLength, &should_flush); + cbor_ldns_rr_list(&cbor_rrs, ldns_pkt_answer(pkt), ldns_pkt_ancount(pkt), &should_flush); + if (cbor_err == CborNoError) + cbor_err = close_cbor_container(&cbor, &cbor_rrs, &should_flush); + } + + /* authorityRRs */ + + if (ldns_pkt_nscount(pkt) > 0) { + CborEncoder cbor_rrs; + + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "authorityRRs", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_array(&cbor, &cbor_rrs, CborIndefiniteLength, &should_flush); + cbor_ldns_rr_list(&cbor_rrs, ldns_pkt_authority(pkt), ldns_pkt_nscount(pkt), &should_flush); + if (cbor_err == CborNoError) + cbor_err = close_cbor_container(&cbor, &cbor_rrs, &should_flush); + } + + /* additionalRRs */ + + if (ldns_pkt_arcount(pkt) > 0) { + CborEncoder cbor_rrs; + + if (cbor_err == CborNoError) + cbor_err = append_cbor_text_stringz(&cbor, "additionalRRs", &should_flush); + if (cbor_err == CborNoError) + cbor_err = append_cbor_array(&cbor, &cbor_rrs, CborIndefiniteLength, &should_flush); + cbor_ldns_rr_list(&cbor_rrs, ldns_pkt_additional(pkt), ldns_pkt_arcount(pkt), &should_flush); + if (cbor_err == CborNoError) + cbor_err = close_cbor_container(&cbor, &cbor_rrs, &should_flush); + } + + ldns_pkt_free(pkt); + + if (cbor_err == CborNoError) + cbor_err = 
close_cbor_container(&cbor_pkts, &cbor, &should_flush); + + if (cbor_err != CborNoError) { + fprintf(stderr, "cbor error[%d]: %s\n", cbor_err, cbor_error_string(cbor_err)); + return DUMP_CBOR_ECBOR; + } + + if (should_flush) { + if ((cbor_err = cbor_encoder_close_container_checked(&cbor_root, &cbor_pkts)) != CborNoError) { + fprintf(stderr, "cbor error[%d]: %s\n", cbor_err, cbor_error_string(cbor_err)); + return DUMP_CBOR_ECBOR; + } + + fprintf(stderr, "cbor output: %lu bytes\n", cbor_encoder_get_buffer_size(&cbor_root, cbor_buf)); + + cbor_flushed = 1; + return DUMP_CBOR_FLUSH; + } + + return DUMP_CBOR_OK; +} + +int dump_cbor(FILE* fp) +{ + CborError cbor_err; + + if (!fp) { + return DUMP_CBOR_EINVAL; + } + + if ((cbor_err = cbor_encoder_close_container_checked(&cbor_root, &cbor_pkts)) != CborNoError) { + fprintf(stderr, "cbor error[%d]: %s\n", cbor_err, cbor_error_string(cbor_err)); + return DUMP_CBOR_ECBOR; + } + + fprintf(stderr, "cbor output: %lu bytes\n", cbor_encoder_get_buffer_size(&cbor_root, cbor_buf)); + + if (fwrite(cbor_buf, cbor_encoder_get_buffer_size(&cbor_root, cbor_buf), 1, fp) != 1) { + return DUMP_CBOR_EWRITE; + } + + return DUMP_CBOR_OK; +} + +int have_cbor_support() +{ + return 1; +} + +#else /* HAVE_LIBTINYCBOR */ + +int cbor_set_size(size_t size) +{ + return DUMP_CBOR_ENOSUP; +} + +int cbor_set_reserve(size_t reserve) +{ + return DUMP_CBOR_ENOSUP; +} + +int output_cbor(iaddr from, iaddr to, uint8_t proto, unsigned flags, unsigned sport, unsigned dport, my_bpftimeval ts, const u_char* payload, size_t payloadlen) +{ + return DUMP_CBOR_ENOSUP; +} + +int dump_cbor(FILE* fp) +{ + return DUMP_CBOR_ENOSUP; +} + +int have_cbor_support() +{ + return 0; +} + +#endif diff --git a/src/dump_cbor.h b/src/dump_cbor.h new file mode 100644 index 0000000..cbe8f3f --- /dev/null +++ b/src/dump_cbor.h 
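Review bot: The three calls to `cbor_ldns_rr_list()` in `output_cbor()` (answerRRs, authorityRRs, additionalRRs) discard its return value and are not guarded by `cbor_err == CborNoError`, so after an earlier failure they run on a `cbor_rrs` that `append_cbor_array()` never initialised. Because `payload` is parsed straight from captured traffic, a section that fails to encode is then closed as if complete and the packet can still be reported as `DUMP_CBOR_OK`. Each call should keep the result and respect the running error, e.g. `if (cbor_err == CborNoError) cbor_err = cbor_ldns_rr_list(&cbor_rrs, ldns_pkt_answer(pkt), ldns_pkt_ancount(pkt), &should_flush);`. Separately, `cbor_set_size()` and `cbor_set_reserve()` accept new values after `cbor_buf` has been allocated, so the retry path's `encoder->end = cbor_buf + cbor_size + cbor_reserve` could point past the allocation if a caller raises either limit late; the callers are outside this hunk, and returning `DUMP_CBOR_EINVAL` once `cbor_buf` is non-NULL would rule it out.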
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */ + +#include "dnscap_common.h" + +#include <stdio.h> + +#ifndef __dnscap_dump_cbor_h +#define __dnscap_dump_cbor_h + +#define DUMP_CBOR_OK 0 +#define DUMP_CBOR_EINVAL 1 +#define DUMP_CBOR_ENOMEM 2 +#define DUMP_CBOR_ECBOR 3 +#define DUMP_CBOR_ELDNS 4 +#define DUMP_CBOR_EWRITE 5 +#define DUMP_CBOR_FLUSH 6 +#define DUMP_CBOR_ENOSUP 7 + +/* +typedef struct cbor_stringref cbor_stringref_t; +struct cbor_stringref { + char *string; + size_t ref; +}; +*/ + +int cbor_set_size(size_t size); +int cbor_set_reserve(size_t reserve); +int output_cbor(iaddr from, iaddr to, uint8_t proto, unsigned flags, unsigned sport, unsigned dport, my_bpftimeval ts, const u_char* payload, size_t payloadlen); +int dump_cbor(FILE* fp); +int have_cbor_support(); + +#endif /* __dnscap_dump_cbor_h */ diff --git a/src/dump_cds.c b/src/dump_cds.c new file mode 100644 index 0000000..e151d35 --- /dev/null +++ b/src/dump_cds.c 
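Review bot: `int have_cbor_support();` at the end of the header declares the function with an unspecified parameter list rather than a prototype, so a call that passes arguments would not be diagnosed; `int have_cbor_support(void);` states the contract, with the two definitions in dump_cbor.c changed to match. The `DUMP_CBOR_*` codes would also benefit from a one-line comment each, in particular that `DUMP_CBOR_FLUSH` is what `output_cbor()` returns after it has closed the packet array because the buffer spilled into the reserve, not a failure.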
@@ -0,0 +1,1962 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */ + +#include "config.h" + +#include "dump_cds.h" +#include "dnscap.h" +#include "hashtbl.h" +#include "iaddr.h" + +#if HAVE_LIBTINYCBOR + +#include <stdlib.h> +#if HAVE_CBOR_CBOR_H +#include <cbor/cbor.h> +#endif +#if HAVE_CBOR_H +#include <cbor.h> +#endif +#include <assert.h> + +#define need8(v, p, l, d) \ + if (l < 1) { \ + if (sizeof(d) > 1) \ + fprintf(stderr, "cds need 1B/8b, had %lu: %s\n", l, d); \ + return 1; \ + } \ + v = *p; \ + p += 1; \ + l -= 1 + +#define need16(v, p, l, d) \ + if (l < 2) { \ + if (sizeof(d) > 1) \ + fprintf(stderr, "cds need 2B/16b, had %lu: %s\n", l, d); \ + return 1; \ + } \ + v = (*p << 8) + *(p + 1); \ + p += 2; \ + l -= 2 + +#define need32(v, p, l, d) \ + if (l < 4) { \ + if (sizeof(d) > 1) \ + fprintf(stderr, "cds need 4B/32b, had %lu: %s\n", l, d); \ + return 1; \ + } \ + v = (*p << 24) + (*(p + 1) << 16) + (*(p + 2) << 8) + *(p + 3); \ + p += 4; \ + l -= 4 + +#define need64(v, p, l, d) \ + if (l < 8) { \ + if (sizeof(d) > 1) \ + fprintf(stderr, "cds need 8B/64b, had %lu: %s\n", l, d); \ + return 1; \ + } \ + v = (*p << 56) + (*(p + 1) << 48) + (*(p + 2) << 40) + (*(p + 3) << 32) + (*(p + 4) << 24) + (*(p + 5) << 16) + (*(p + 6) << 8) + *(p + 7); \ + p += 8; \ + l -= 8 + +#define needxb(b, x, p, l, d) \ + if (l < x) { \ + if (sizeof(d) > 1) \ + fprintf(stderr, "cds need %d bytes, had %lu: %s\n", x, l, d); \ + return 1; \ + } \ + memcpy(b, p, x); \ + p += x; \ + l -= x + +#define advancexb(x, p, l, d) \ + if (l < x) { \ + if (sizeof(d) > 1) \ + fprintf(stderr, "cds needed to advance %d bytes, had %lu: %s\n", x, l, d); \ + return 1; \ + } \ + p += x; \ + l -= x + +static uint8_t* cbor_buf = 0; +static uint8_t* cbor_buf_p = 0; +static size_t cbor_size = 1024 * 1024; +static uint8_t* message_buf = 0; +static size_t message_size = 64 * 1024; +static int cbor_flushed = 1; +static hashtbl* rdata_tbl = 0; +static size_t MAX_RLABELS = CDS_DEFAULT_MAX_RLABELS; +static size_t MIN_RLABEL_SIZE = CDS_DEFAULT_MIN_RLABEL_SIZE; +static int 
use_rdata_index = 0; +static int use_rdata_rindex = 0; +static size_t RDATA_RINDEX_SIZE = CDS_DEFAULT_RDATA_RINDEX_SIZE; +static size_t RDATA_RINDEX_MIN_SIZE = CDS_DEFAULT_RDATA_RINDEX_MIN_SIZE; +static size_t RDATA_INDEX_MIN_SIZE = CDS_DEFAULT_RDATA_INDEX_MIN_SIZE; + +struct rdata; +struct rdata { + struct rdata* prev; + struct rdata* next; + uint8_t* data; + size_t len; + size_t idx; +}; + +struct last { + my_bpftimeval ts; + ip_header_t ip; + + uint16_t dns_type; + uint16_t dns_class; + uint32_t dns_ttl; + + dns_rlabel_t* dns_rlabel; + dns_rlabel_t* dns_rlabel_last; + size_t dns_rlabels; + + size_t rdata_index; + size_t rdata_num; + struct rdata* rdata; + struct rdata* rdata_last; +}; +static struct last last; + +/* + * Set/Get + */ + +int cds_set_cbor_size(size_t size) +{ + if (!size) { + return DUMP_CDS_EINVAL; + } + + cbor_size = size; + if (message_size > cbor_size) { + message_size = cbor_size; + } + + return DUMP_CDS_OK; +} + +int cds_set_message_size(size_t size) +{ + if (!size) { + return DUMP_CDS_EINVAL; + } + + message_size = size; + if (message_size > cbor_size) { + message_size = cbor_size; + } + + return DUMP_CDS_OK; +} + +int cds_set_max_rlabels(size_t size) +{ + if (!size) { + return DUMP_CDS_EINVAL; + } + + MAX_RLABELS = size; + + return DUMP_CDS_OK; +} + +int cds_set_min_rlabel_size(size_t size) +{ + if (!size) { + return DUMP_CDS_EINVAL; + } + + MIN_RLABEL_SIZE = size; + + return DUMP_CDS_OK; +} + +int cds_set_use_rdata_index(int use) +{ + use_rdata_index = use ? 1 : 0; + + return DUMP_CDS_OK; +} + +int cds_set_use_rdata_rindex(int use) +{ + use_rdata_rindex = use ? 
1 : 0; + + return DUMP_CDS_OK; +} + +int cds_set_rdata_index_min_size(size_t size) +{ + if (!size) { + return DUMP_CDS_EINVAL; + } + + RDATA_INDEX_MIN_SIZE = size; + + return DUMP_CDS_OK; +} + +int cds_set_rdata_rindex_min_size(size_t size) +{ + if (!size) { + return DUMP_CDS_EINVAL; + } + + RDATA_RINDEX_MIN_SIZE = size; + + return DUMP_CDS_OK; +} + +int cds_set_rdata_rindex_size(size_t size) +{ + if (!size) { + return DUMP_CDS_EINVAL; + } + + RDATA_RINDEX_SIZE = size; + + return DUMP_CDS_OK; +} + +/* + * DNS + */ + +static int check_dns_label(size_t* labels, uint8_t** p, size_t* l) +{ + uint8_t len; + + while (1) { + need8(len, *p, *l, ""); + *labels += 1; + + if ((len & 0xc0) == 0xc0) { + advancexb(1, *p, *l, ""); + break; + } else if (len & 0xc0) { + break; + } else if (len) { + advancexb(len, *p, *l, ""); + } else { + break; + } + } + + return 0; +} + +static unsigned int rdata_hash(const void* _item) +{ + const struct rdata* item = (const struct rdata*)_item; + size_t n, o, p; + unsigned int key = 0; + + for (n = 0, o = 0, p = 0; n < item->len; n++) { + p |= item->data[n] << (o * 8); + o++; + if (o > 3) { + key ^= p; + p = 0; + o = 0; + } + } + if (o) { + key ^= p; + } + + return key; +} + +static int rdata_cmp(const void* _a, const void* _b) +{ + const struct rdata *a = (const struct rdata*)_a, *b = (const struct rdata*)_b; + + if (a->len == b->len) { + return memcmp(a->data, b->data, a->len); + } else if (a->len < b->len) + return -1; + return 1; +} + +static void rdata_free(void* d) +{ + struct rdata* item = (struct rdata*)d; + + if (item) { + if (item->data) { + free(item->data); + } + free(item); + } +} + +static int rdata_add(uint8_t* p, size_t len) +{ + struct rdata* key; + + if (len < RDATA_INDEX_MIN_SIZE) + return 1; + + if (!(key = calloc(1, sizeof(struct rdata)))) { + return 0; + } + if (!(key->data = calloc(1, len))) { + free(key); + return 0; + } + + key->len = len; + memcpy(key->data, p, len); + key->idx = last.rdata_index++; + + /* 
printf("rdata_add %u: ", rdata_hash(key));*/
+ /* {*/
+ /* size_t n = len;*/
+ /* uint8_t* x = p;*/
+ /* while (n--) {*/
+ /* printf("%02x", *x);*/
+ /* x++;*/
+ /* }*/
+ /* }*/
+ /* printf("\n");*/
+ hash_add(key, key, rdata_tbl);
+
+ return 0;
+}
+
+static size_t rdata_find(uint8_t* p, size_t len, size_t* found)
+{
+ struct rdata key;
+ struct rdata* r;
+
+ if (len < RDATA_INDEX_MIN_SIZE)
+ return 1;
+
+ key.data = p;
+ key.len = len;
+
+ /* printf("rdata_find %u: ", rdata_hash(&key));*/
+ /* {*/
+ /* size_t n = len;*/
+ /* uint8_t* x = p;*/
+ /* while (n--) {*/
+ /* printf("%02x", *x);*/
+ /* x++;*/
+ /* }*/
+ /* }*/
+ /* printf("\n");*/
+
+ if ((r = hash_find(&key, rdata_tbl))) {
+ /* printf("rdata found %lu at %lu\n", len, found->idx);*/
+ *found = r->idx;
+ return 0;
+ }
+
+ return 1;
+}
+
+int rdata_find2(uint8_t* p, size_t len, size_t* found)
+{
+ struct rdata* r = last.rdata;
+ size_t n = 0;
+
+ if (len < RDATA_RINDEX_MIN_SIZE)
+ return 1;
+
+ while (r) {
+ if (r->len == len && !memcmp(p, r->data, len)) {
+ break;
+ }
+ r = r->next;
+ n++;
+ }
+ if (r) {
+ /* printf("rdata found at %lu: ", n);*/
+ /* {*/
+ /* size_t n = len;*/
+ /* uint8_t* x = p;*/
+ /* while (n--) {*/
+ /* printf("%02x", *x);*/
+ /* x++;*/
+ /* }*/
+ /* }*/
+ /* printf("\n");*/
+
+ if (last.rdata != r) {
+ struct rdata *prev = r->prev, *next = r->next;
+
+ if (prev) {
+ prev->next = next;
+ }
+ if (next) {
+ next->prev = prev;
+ }
+
+ r->prev = 0;
+ r->next = last.rdata;
+ last.rdata->prev = r;
+ last.rdata = r;
+ }
+
+ *found = n;
+ return 0;
+ }
+
+ return 1;
+}
+
+int rdata_add2(uint8_t* p, size_t len)
+{
+ struct rdata* r;
+
+ if (len < RDATA_RINDEX_MIN_SIZE)
+ return 1;
+
+ if (!(r = calloc(1, sizeof(struct rdata)))) {
+ return -1;
+ }
+ if (!(r->data = calloc(1, len))) {
+ free(r);
+ return -1;
+ }
+
+ r->len = len;
+ memcpy(r->data, p, len);
+
+ /* printf("rdata_add: ");*/
+ /* {*/
+ /* size_t n = len;*/
+ /* uint8_t* x = p;*/
+ /* while (n--) {*/
+ /* printf("%02x", *x);*/
+ /*
x++;*/
+ /* }*/
+ /* }*/
+ /* printf("\n");*/
+
+ if (last.rdata) {
+ last.rdata->prev = r;
+ }
+ r->next = last.rdata;
+ last.rdata = r;
+ last.rdata_num++;
+
+ if (last.rdata_last) {
+ if (last.rdata_num >= RDATA_RINDEX_SIZE) {
+ r = last.rdata_last;
+
+ last.rdata_last = r->prev;
+ last.rdata_last->next = 0;
+ last.rdata_num--;
+ free(r->data);
+ free(r);
+ }
+ } else {
+ last.rdata_last = r;
+ }
+
+ return 0;
+}
+
+static int parse_dns_rr(char is_q, dns_rr_t* rr, size_t expected_rrs, size_t* actual_rrs, uint8_t** p, size_t* l)
+{
+ uint8_t len;
+ uint8_t* p2;
+ size_t l2, idx;
+ dns_label_t* label;
+ size_t num_labels, offset;
+
+ while (expected_rrs--) {
+ /* first pass check number of labels */
+ p2 = *p;
+ l2 = *l;
+
+ if (check_dns_label(&(rr->labels), &p2, &l2)) {
+ if (!rr->labels) {
+ fprintf(stderr, "cds no labels\n");
+ return 1;
+ }
+ }
+
+ /* second pass, allocate labels and fill */
+ if (!(rr->label = calloc(rr->labels, sizeof(dns_label_t)))) {
+ fprintf(stderr, "cds out of memory\n");
+ return -1;
+ }
+
+ *actual_rrs += 1;
+
+ label = rr->label;
+ rr->have_labels = 1;
+
+ while (1) {
+ need8(len, *p, *l, "name length");
+
+ if ((len & 0xc0) == 0xc0) {
+ label->offset_p = *p;
+ need8(label->offset, *p, *l, "name offset");
+ label->offset |= (len & 0x3f) << 8;
+ label->have_offset = 1;
+ label->is_complete = 1;
+ break;
+ } else if (len & 0xc0) {
+ label->extension_bits = len;
+ label->have_extension_bits = 1;
+ label->is_complete = 1;
+ break;
+ } else if (len) {
+ label->size = len;
+ label->have_size = 1;
+ label->label = *p;
+ advancexb(len, *p, *l, "name label");
+ label->have_label = 1;
+ } else {
+ label->have_size = 1;
+ label->is_complete = 1;
+ break;
+ }
+
+ label->is_complete = 1;
+ label++;
+ }
+
+ need16(rr->type, *p, *l, "type");
+ rr->have_type = 1;
+ need16(rr->class, *p, *l, "class");
+ rr->have_class = 1;
+
+ if (!is_q) {
+ need32(rr->ttl, *p, *l, "ttl");
+ rr->have_ttl = 1;
+ need16(rr->rdlength, *p, *l, "rdlength");
+
rr->have_rdlength = 1; + rr->rdata = *p; + advancexb(rr->rdlength, *p, *l, "rdata"); + + if (use_rdata_index) { + if (!rdata_find(rr->rdata, rr->rdlength, &(rr->rdata_index))) { + rr->have_rdata_index = 1; + } else { + rdata_add(rr->rdata, rr->rdlength); + } + } else if (use_rdata_rindex) { + if (!rdata_find2(rr->rdata, rr->rdlength, &(rr->rdata_rindex))) { + rr->have_rdata_rindex = 1; + } else { + rdata_add2(rr->rdata, rr->rdlength); + } + } + + num_labels = offset = 0; + switch (rr->type) { + case 2: /* NS */ + case 3: /* MD */ + case 4: /* MF */ + case 5: /* CNAME */ + case 7: /* MB */ + case 8: /* MG */ + case 9: /* MR */ + case 12: /* PTR */ + case 30: /* NXT */ + case 39: /* DNAME */ + case 47: /* NSEC */ + case 249: /* TKEY */ + case 250: /* TSIG */ + num_labels = 1; + break; + + case 6: /* SOA */ + case 14: /* MINFO */ + case 17: /* RP */ + case 58: /* TALINK */ + num_labels = 2; + break; + + case 15: /* MX */ + case 18: /* AFSDB */ + case 21: /* RT */ + case 36: /* KX */ + case 107: /* LP */ + num_labels = 1; + offset = 2; + break; + + case 26: /* PX */ + num_labels = 2; + offset = 2; + break; + + case 24: /* SIG */ + case 46: /* RRSIG */ + num_labels = 1; + offset = 18; + break; + + case 33: /* SRV */ + num_labels = 1; + offset = 6; + break; + + case 35: /* NAPTR */ + num_labels = 1; + p2 = *p; + l2 = *l; + advancexb(2, p2, l2, "naptr int16 #1"); + advancexb(2, p2, l2, "naptr int16 #2"); + need8(len, p2, l2, "naptr str len #1"); + advancexb(len, p2, l2, "naptr str #1"); + need8(len, p2, l2, "naptr str len #2"); + advancexb(len, p2, l2, "naptr str #2"); + need8(len, p2, l2, "naptr str len #3"); + advancexb(len, p2, l2, "naptr str #3"); + offset = p2 - *p; + break; + + case 55: /* HIP TODO */ + break; + } + + if (num_labels) { + dns_rdata_t* rdata; + + rr->mixed_rdatas = num_labels + (offset ? 
1 : 0) + 1; + if (!(rr->mixed_rdata = calloc(rr->mixed_rdatas, sizeof(dns_rdata_t)))) { + fprintf(stderr, "cds out of memory\n"); + return -1; + } + + p2 = rr->rdata; + l2 = rr->rdlength; + rdata = rr->mixed_rdata; + rr->have_mixed_rdata = 1; + + if (offset) { + rdata->rdata_len = offset; + rdata->rdata = p2; + advancexb((int)offset, p2, l2, "mixed rdata"); + rdata->have_rdata = 1; + rdata->is_complete = 1; + rdata++; + } + while (num_labels--) { + uint8_t* p3; + size_t l3; + + /* first pass check number of rdata labels */ + + p3 = p2; + l3 = l2; + + if (check_dns_label(&(rdata->labels), &p3, &l3)) { + if (!rdata->labels) { + fprintf(stderr, "cds mixed rdata no labels\n"); + return 1; + } + } + + /* second pass, allocate mixed rdata */ + if (!(rdata->label = calloc(rdata->labels, sizeof(dns_label_t)))) { + fprintf(stderr, "cds out of memory\n"); + return -1; + } + + label = rdata->label; + rdata->have_labels = 1; + while (1) { + need8(len, p2, l2, "name length"); + + if ((len & 0xc0) == 0xc0) { + label->offset_p = p2; + need8(label->offset, p2, l2, "name offset"); + label->offset |= (len & 0x3f) << 8; + label->have_offset = 1; + label->is_complete = 1; + break; + } else if (len & 0xc0) { + label->extension_bits = len; + label->have_extension_bits = 1; + label->is_complete = 1; + break; + } else if (len) { + label->size = len; + label->have_size = 1; + label->label = p2; + advancexb(len, p2, l2, "name label"); + label->have_label = 1; + } else { + label->have_size = 1; + label->is_complete = 1; + break; + } + + label->is_complete = 1; + label++; + } + rdata->is_complete = 1; + rdata++; + } + if (l2) { + /*printf("last rdata %lu\n", l2);*/ + rdata->rdata_len = l2; + rdata->rdata = p2; + advancexb((int)l2, p2, l2, "mixed rdata"); + rdata->have_rdata = 1; + rdata->is_complete = 1; + } else { + rr->mixed_rdatas--; + } + } + rr->have_rdata = 1; + } + + rr->is_complete = 1; + rr++; + } + + return 0; +} + +int print_cbor = 0; + +static int parse_dns(dns_t* dns, uint8_t** 
p, size_t* l)
+{
+ int ret;
+
+ need16(dns->id, *p, *l, "dns id");
+ dns->have_id = 1;
+ need16(dns->raw, *p, *l, "raw dns bits");
+ dns->have_raw = 1;
+ need16(dns->qdcount, *p, *l, "qdcount");
+ dns->have_qdcount = 1;
+ need16(dns->ancount, *p, *l, "ancount");
+ dns->have_ancount = 1;
+ need16(dns->nscount, *p, *l, "nscount");
+ dns->have_nscount = 1;
+ need16(dns->arcount, *p, *l, "arcount");
+ dns->have_arcount = 1;
+
+ dns->header_is_complete = 1;
+
+ if (dns->qdcount) {
+ if (!(dns->question = calloc(dns->qdcount, sizeof(dns_rr_t)))) {
+ fprintf(stderr, "cds out of memory\n");
+ return -1;
+ }
+ ret = parse_dns_rr(1, dns->question, dns->qdcount, &(dns->questions), p, l);
+ /*if (ret) printf("qr %d\n", ret);*/
+ if (ret > -1 && dns->questions) {
+ dns->have_questions = 1;
+ }
+ if (ret) {
+ return ret;
+ }
+ }
+
+ if (dns->ancount) {
+ if (!(dns->answer = calloc(dns->ancount, sizeof(dns_rr_t)))) {
+ fprintf(stderr, "cds out of memory\n");
+ return -1;
+ }
+ ret = parse_dns_rr(0, dns->answer, dns->ancount, &(dns->answers), p, l);
+ /*if (ret) printf("an %d\n", ret);*/
+ if (ret > -1 && dns->answers) {
+ dns->have_answers = 1;
+ }
+ if (ret) {
+ return ret;
+ }
+ }
+
+ if (dns->nscount) {
+ if (!(dns->authority = calloc(dns->nscount, sizeof(dns_rr_t)))) {
+ fprintf(stderr, "cds out of memory\n");
+ return -1;
+ }
+ ret = parse_dns_rr(0, dns->authority, dns->nscount, &(dns->authorities), p, l);
+ /*if (ret) { printf("ns %d %lu\n", ret, dns->authorities);*/
+ /*{*/
+ /* size_t n;*/
+ /* for (n = 0; n < dns->authorities; n++) {*/
+ /* printf("%lu %d\n", n, dns->authority[n].is_complete);*/
+ /* if (!dns->authority[n].is_complete) print_cbor = 1;*/
+ /* }*/
+ /*} }*/
+ if (ret > -1 && dns->authorities) {
+ dns->have_authorities = 1;
+ }
+ if (ret) {
+ return ret;
+ }
+ }
+
+ if (dns->arcount) {
+ if (!(dns->additional = calloc(dns->arcount, sizeof(dns_rr_t)))) {
+ fprintf(stderr, "cds out of memory\n");
+ return -1;
+ }
+ ret = parse_dns_rr(0, dns->additional,
dns->arcount, &(dns->additionals), p, l);
+ /*if (ret) printf("ar %d\n", ret);*/
+ if (ret > -1 && dns->additionals) {
+ dns->have_additionals = 1;
+ }
+ if (ret) {
+ return ret;
+ }
+ }
+
+ return 0;
+}
+
+static CborError encode_label(CborEncoder* encoder, dns_label_t* label, size_t labels)
+{
+ CborError cbor_err = CborNoError;
+ CborEncoder array;
+
+ if (labels && label[labels - 1].have_size && !label[labels - 1].size) {
+ labels--;
+ }
+
+ cbor_err = cbor_encoder_create_array(encoder, &array, labels);
+ while (labels--) {
+ if (label->have_offset) {
+ if (label->have_n_offset) {
+ if (cbor_err == CborNoError)
+ cbor_err = cbor_encode_uint(&array, label->n_offset);
+ } else {
+ if (cbor_err == CborNoError)
+ cbor_err = cbor_encode_negative_int(&array, label->offset);
+ }
+ } else if (label->have_extension_bits) {
+ if (cbor_err == CborNoError)
+ cbor_err = cbor_encode_simple_value(&array, label->extension_bits >> 6);
+ } else if (label->have_label) {
+ if (cbor_err == CborNoError)
+ cbor_err = cbor_encode_text_string(&array, (const char*)label->label, label->size);
+ } else {
+ if (cbor_err == CborNoError)
+ cbor_err = cbor_encode_null(&array);
+ }
+
+ label++;
+ }
+ if (cbor_err == CborNoError)
+ cbor_err = cbor_encoder_close_container_checked(encoder, &array);
+
+ return cbor_err;
+}
+
+/*
+ * OUTPUT
+ */
+
+int print_label(dns_label_t* label, size_t labels)
+{
+ size_t n;
+
+ for (n = 0; n < labels; n++) {
+ if (label[n].have_offset) {
+ if (label[n].have_n_offset) {
+ printf(" %lu", label[n].n_offset);
+ } else {
+ printf(" %d", -label[n].offset);
+ }
+ } else if (label[n].have_extension_bits) {
+ printf(" %x", label[n].extension_bits);
+ } else if (label[n].have_label) {
+ printf(" %.*s", label[n].size, label[n].label);
+ } else {
+ printf(" $");
+ }
+ }
+ return 0;
+}
+
+int print_rlabel(dns_rlabel_t* label)
+{
+ size_t n;
+
+ for (n = 0; n < label->labels; n++) {
+ if (label->label[n].size) {
+ printf(" %.*s", label->label[n].size,
label->label[n].label);
+ } else if (label->label[n].have_n_offset) {
+ printf(" %lu", label->label[n].n_offset);
+ } else {
+ printf(" $");
+ }
+ }
+ return 0;
+}
+
+int dns_rlabel_add(dns_label_t* label, size_t labels)
+{
+ dns_rlabel_t* copy;
+ size_t n, size = 0;
+
+ for (n = 0; n < labels; n++) {
+ if ((label[n].have_offset && !label[n].have_n_offset)
+ || label[n].have_extension_bits) {
+ return 1;
+ }
+ if (label[n].have_size) {
+ size += label[n].size;
+ }
+ }
+ /*printf("label size: %lu\n", size);*/
+ if (size < MIN_RLABEL_SIZE) {
+ return 1;
+ }
+
+ if (!(copy = calloc(1, sizeof(dns_rlabel_t)))) {
+ return -1;
+ }
+
+ assert(labels <= CDS_RLABEL_T_LABELS);
+ copy->labels = labels;
+
+ for (n = 0; n < labels; n++) {
+ if (label[n].have_n_offset) {
+ copy->label[n].have_n_offset = 1;
+ copy->label[n].n_offset = label[n].n_offset;
+ continue;
+ }
+ if (label[n].size) {
+ assert(label[n].size <= CDS_RLABEL_LABEL_T_LABEL);
+
+ copy->label[n].size = label[n].size;
+ memcpy(&(copy->label[n].label), label[n].label, label[n].size);
+ }
+ }
+
+ /*printf("add"); print_label(label, labels); printf("\n");*/
+
+ if (last.dns_rlabel) {
+ last.dns_rlabel->prev = copy;
+ }
+ copy->next = last.dns_rlabel;
+ last.dns_rlabel = copy;
+ last.dns_rlabels++;
+ if (last.dns_rlabel_last) {
+ if (last.dns_rlabels >= MAX_RLABELS) {
+ dns_rlabel_t* remove = last.dns_rlabel_last;
+
+ /*printf("remove %p %p\n", remove, remove->prev);*/
+
+ last.dns_rlabel_last = remove->prev;
+ last.dns_rlabel_last->next = 0;
+ free(remove);
+ last.dns_rlabels--;
+ }
+ } else {
+ last.dns_rlabel_last = copy;
+ }
+
+ return 0;
+}
+
+static size_t dns_rlabel_find(dns_label_t* label, size_t labels, size_t* rlabel_idx)
+{
+ size_t n, n2, size = 0;
+ dns_rlabel_t* rlabel;
+
+ for (n = 0; n < labels; n++) {
+ if ((label[n].have_offset && !label[n].have_n_offset)
+ || label[n].have_extension_bits) {
+ return 1;
+ }
+ if (label[n].have_size) {
+ size += label[n].size;
+ }
+ }
+ /*printf("label size: %lu\n",
size);*/
+ if (size < MIN_RLABEL_SIZE) {
+ return 1;
+ }
+
+ /*printf("find"); print_label(label, labels); printf("\n");*/
+
+ n = 0;
+ rlabel = last.dns_rlabel;
+ while (rlabel) {
+ if (rlabel->labels == labels) {
+ /*printf("check"); print_rlabel(rlabel); printf("\n");*/
+
+ for (n2 = 0; n2 < labels; n2++) {
+ /*printf("%d %lu <> %d %lu\n", label[n2].have_n_offset, label[n2].n_offset, rlabel->label[n2].have_n_offset, rlabel->label[n2].n_offset);*/
+ if (label[n2].have_n_offset
+ || rlabel->label[n2].have_n_offset) {
+ if (label[n2].n_offset == rlabel->label[n2].n_offset)
+ continue;
+ } else if (label[n2].size == rlabel->label[n2].size
+ && !memcmp(label[n2].label, rlabel->label[n2].label, label[n2].size)) {
+ continue;
+ }
+ break;
+ }
+
+ if (n2 == labels) {
+ /*printf("found at %lu: ", n); print_rlabel(rlabel); printf("\n");*/
+ break;
+ }
+ }
+ rlabel = rlabel->next;
+ n++;
+ }
+ if (rlabel) {
+ if (last.dns_rlabel != rlabel) {
+ dns_rlabel_t *prev = rlabel->prev, *next = rlabel->next;
+
+ if (prev) {
+ prev->next = next;
+ }
+ if (next) {
+ next->prev = prev;
+ }
+
+ rlabel->prev = 0;
+ rlabel->next = last.dns_rlabel;
+ last.dns_rlabel->prev = rlabel;
+ last.dns_rlabel = rlabel;
+ }
+
+ *rlabel_idx = n;
+ return 0;
+ }
+
+ return 1;
+}
+
+static void free_rdata(dns_rdata_t* rdata)
+{
+ if (rdata->label) {
+ free(rdata->label);
+ }
+}
+
+static void free_rr(dns_rr_t* rr)
+{
+ size_t n;
+
+ if (rr->label) {
+ free(rr->label);
+ }
+ for (n = 0; n < rr->mixed_rdatas; n++) {
+ free_rdata(&(rr->mixed_rdata[n]));
+ }
+ if (rr->mixed_rdata) {
+ free(rr->mixed_rdata);
+ }
+}
+
+static void free_dns(dns_t* dns)
+{
+ size_t n;
+
+ for (n = 0; n < dns->questions; n++) {
+ free_rr(&(dns->question[n]));
+ }
+ for (n = 0; n < dns->answers; n++) {
+ free_rr(&(dns->answer[n]));
+ }
+ for (n = 0; n < dns->authorities; n++) {
+ free_rr(&(dns->authority[n]));
+ }
+ for (n = 0; n < dns->additionals; n++) {
+ free_rr(&(dns->additional[n]));
+ }
+}
+
+void
dns_rr_build_offset(dns_rr_t* rr_list, size_t count, uint16_t* offset, size_t offsets, size_t* n_offset, const u_char* payload)
+{
+ dns_rr_t* rrp;
+ size_t rr, n, n2;
+
+ for (rr = 0; rr < count && *n_offset < offsets; rr++) {
+ rrp = &(rr_list[rr]);
+
+ for (n = 0; n < rrp->labels && *n_offset < offsets; n++) {
+ if (rrp->label[n].size) {
+ rrp->label[n].offset = rrp->label[n].label - payload - 1;
+ offset[*n_offset] = rrp->label[n].offset;
+ *n_offset += 1;
+ } else if (rrp->label[n].have_offset) {
+ offset[*n_offset] = rrp->label[n].offset_p - payload - 1;
+ *n_offset += 1;
+ }
+
+ /* printf("%u %u %u %.*s\n",*/
+ /* rrp->label[n].size,*/
+ /* rrp->label[n].extension_bits,*/
+ /* rrp->label[n].offset,*/
+ /* rrp->label[n].size ? rrp->label[n].size : 0,*/
+ /* rrp->label[n].size ? (char*)rrp->label[n].label : ""*/
+ /* );*/
+ }
+ for (n = 0; n < rrp->mixed_rdatas && *n_offset < offsets; n++) {
+ for (n2 = 0; n2 < rrp->mixed_rdata[n].labels; n2++) {
+ if (rrp->mixed_rdata[n].label[n2].size) {
+ rrp->mixed_rdata[n].label[n2].offset = rrp->mixed_rdata[n].label[n2].label - payload - 1;
+ offset[*n_offset] = rrp->mixed_rdata[n].label[n2].offset;
+ *n_offset += 1;
+ } else if (rrp->mixed_rdata[n].label[n2].have_offset) {
+ offset[*n_offset] = rrp->mixed_rdata[n].label[n2].offset_p - payload - 1;
+ *n_offset += 1;
+ }
+
+ /* printf(" %u %u %u %.*s\n",*/
+ /* rrp->mixed_rdata[n].label[n2].size,*/
+ /* rrp->mixed_rdata[n].label[n2].extension_bits,*/
+ /* rrp->mixed_rdata[n].label[n2].offset,*/
+ /* rrp->mixed_rdata[n].label[n2].size ? rrp->mixed_rdata[n].label[n2].size : 0,*/
+ /* rrp->mixed_rdata[n].label[n2].size ?
(char*)rrp->mixed_rdata[n].label[n2].label : ""*/
+ /* );*/
+ }
+ }
+ }
+}
+
+void dns_rr_set_offset(dns_rr_t* rr_list, size_t count, uint16_t* offset, size_t n_offset)
+{
+ dns_rr_t* rrp;
+ size_t rr, n, n2, n3;
+
+ for (rr = 0; rr < count; rr++) {
+ rrp = &(rr_list[rr]);
+
+ for (n = 0; n < rrp->labels; n++) {
+ if (!rrp->label[n].size && rrp->label[n].offset) {
+ for (n3 = 0; n3 < n_offset; n3++) {
+ if (rrp->label[n].offset == offset[n3]) {
+ /* printf("%u => %lu\n", rrp->label[n].offset, n3);*/
+ rrp->label[n].n_offset = n3;
+ rrp->label[n].have_n_offset = 1;
+ break;
+ }
+ }
+ }
+ }
+ for (n = 0; n < rrp->mixed_rdatas; n++) {
+ for (n2 = 0; n2 < rrp->mixed_rdata[n].labels; n2++) {
+ if (!rrp->mixed_rdata[n].label[n2].size && rrp->mixed_rdata[n].label[n2].offset) {
+ for (n3 = 0; n3 < n_offset; n3++) {
+ if (rrp->mixed_rdata[n].label[n2].offset == offset[n3]) {
+ /* printf("%u => %lu\n", rrp->mixed_rdata[n].label[n2].offset, n3);*/
+ rrp->mixed_rdata[n].label[n2].n_offset = n3;
+ rrp->mixed_rdata[n].label[n2].have_n_offset = 1;
+ break;
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+void dns_rr_build_rlabel(dns_rr_t* rr_list, size_t count)
+{
+ dns_rr_t* rrp;
+ size_t rr, n;
+
+ for (rr = 0; rr < count; rr++) {
+ rrp = &(rr_list[rr]);
+
+ if (rrp->labels) {
+ if (!dns_rlabel_find(rrp->label, rrp->labels, &(rrp->rlabel_idx))) {
+ rrp->have_rlabel_idx = 1;
+ } else {
+ dns_rlabel_add(rrp->label, rrp->labels);
+ }
+ }
+
+ for (n = 0; n < rrp->mixed_rdatas; n++) {
+ if (rrp->mixed_rdata[n].labels) {
+ if (!dns_rlabel_find(rrp->mixed_rdata[n].label, rrp->mixed_rdata[n].labels, &(rrp->mixed_rdata[n].rlabel_idx))) {
+ rrp->mixed_rdata[n].have_rlabel_idx = 1;
+ } else {
+ dns_rlabel_add(rrp->mixed_rdata[n].label, rrp->mixed_rdata[n].labels);
+ }
+ }
+ }
+ }
+}
+
+CborError dns_build_rrs(CborEncoder* message, dns_rr_t* rr_list, size_t count)
+{
+ CborError cbor_err = CborNoError;
+ CborEncoder rrs;
+ dns_rr_t* rr = rr_list;
+ size_t n = count;
+
+ if (cbor_err == CborNoError)
+
cbor_err = cbor_encoder_create_array(message, &rrs, n); + while (n--) { + CborEncoder item; + if (!(rr->have_type && rr->type == 41)) { + if (rr->have_type && rr->type == last.dns_type) { + rr->have_type = 0; + } + if (rr->have_class && rr->class == last.dns_class) { + rr->have_class = 0; + } + if (rr->have_ttl && rr->ttl == last.dns_ttl) { + rr->have_ttl = 0; + } + } + if (rr->have_rdlength && rr->have_rdata) { + rr->have_rdlength = 0; + } + + rr->bits = rr->have_type + | rr->have_class << 1 + | rr->have_ttl << 2 + | rr->have_rdlength << 3; + if (rr->bits && rr->bits != 0xf) { + rr->have_bits = 1; + } + + if (cbor_err == CborNoError) + cbor_err = cbor_encoder_create_array(&rrs, &item, + (rr->is_complete ? 0 : 1) + rr->have_labels + + rr->have_bits + rr->have_type + rr->have_class + rr->have_ttl + rr->have_rdlength + + rr->have_rdata); + if (!rr->is_complete) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_boolean(&item, false); + } + if (rr->have_labels) { + if (rr->have_rlabel_idx) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_negative_int(&item, rr->rlabel_idx); + } else { + if (cbor_err == CborNoError) + cbor_err = encode_label(&item, rr->label, rr->labels); + } + } + if (rr->have_bits && cbor_err == CborNoError) + cbor_err = cbor_encode_simple_value(&item, rr->bits); + if (rr->have_type && cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&item, rr->type); + if (rr->have_class && cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&item, rr->class); + if (rr->have_ttl && cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&item, rr->ttl); + if (rr->have_rdlength && cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&item, rr->rdlength); + if (rr->have_rdata_index) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&item, rr->rdata_index); + } else if (rr->have_rdata_rindex) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_negative_int(&item, rr->rdata_rindex); + } else if (rr->have_mixed_rdata) { + 
CborEncoder rdatas; + size_t n2 = rr->mixed_rdatas; + dns_rdata_t* rdata = rr->mixed_rdata; + + if (cbor_err == CborNoError) + cbor_err = cbor_encoder_create_array(&item, &rdatas, rr->mixed_rdatas); + while (n2--) { + if (rdata->have_labels) { + if (rdata->have_rlabel_idx) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_negative_int(&rdatas, rdata->rlabel_idx); + } else { + if (cbor_err == CborNoError) + cbor_err = encode_label(&rdatas, rdata->label, rdata->labels); + } + } else if (rdata->have_rdata) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_byte_string(&rdatas, rdata->rdata, rdata->rdata_len); + } + + rdata++; + } + if (cbor_err == CborNoError) + cbor_err = cbor_encoder_close_container_checked(&item, &rdatas); + } else if (rr->have_rdata && cbor_err == CborNoError) + cbor_err = cbor_encode_byte_string(&item, rr->rdata, rr->rdlength); + if (cbor_err == CborNoError) + cbor_err = cbor_encoder_close_container_checked(&rrs, &item); + + if (!(rr->have_type && rr->type == 41)) { + if (rr->have_type) { + last.dns_type = rr->type; + } + if (rr->have_class) { + last.dns_class = rr->class; + } + if (rr->have_ttl) { + last.dns_ttl = rr->ttl; + } + } + rr++; + } + if (cbor_err == CborNoError) + cbor_err = cbor_encoder_close_container_checked(message, &rrs); + + return cbor_err; +} + +int output_cds(iaddr from, iaddr to, uint8_t proto, unsigned flags, unsigned sport, unsigned dport, my_bpftimeval ts, const u_char* pkt_copy, size_t olen, const u_char* payload, size_t payloadlen) +{ + CborEncoder cbor, message; + CborError cbor_err = CborNoError; + ip_header_t ip; + dns_t dns; + uint8_t* malformed = 0; + size_t malformed_size = 0; + size_t dns_parts = 0; + + if (!payload) { + return DUMP_CDS_EINVAL; + } + if (!payloadlen) { + return DUMP_CDS_EINVAL; + } + + if (!cbor_buf) { + memset(&last, 0, sizeof(last)); + if (!(cbor_buf = calloc(1, cbor_size + message_size))) { + return DUMP_CDS_ENOMEM; + } + } + if (!cbor_buf_p) { + cbor_buf_p = cbor_buf; + } + if 
(!message_buf) { + if (!(message_buf = calloc(1, message_size))) { + return DUMP_CDS_ENOMEM; + } + } + if (cbor_flushed) { + dns_rlabel_t* rlabel; + struct rdata* r; + + cbor_buf_p = cbor_buf; + while ((rlabel = last.dns_rlabel)) { + last.dns_rlabel = rlabel->next; + free(rlabel); + } + while ((r = last.rdata)) { + last.rdata = r->next; + rdata_free(r); + } + memset(&last, 0, sizeof(last)); + if (rdata_tbl) { + hash_free(rdata_tbl); + rdata_tbl = 0; + } + + cbor_encoder_init(&cbor, message_buf, message_size, 0); + cbor_err = cbor_encoder_create_array(&cbor, &message, 5 + (use_rdata_index ? 3 : 0) + (use_rdata_rindex ? 4 : 0)); + if (cbor_err == CborNoError) + cbor_err = cbor_encode_text_stringz(&message, "CDSv1"); + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, CDS_OPTION_RLABELS); + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, MAX_RLABELS); + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, CDS_OPTION_RLABEL_MIN_SIZE); + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, MIN_RLABEL_SIZE); + if (use_rdata_index) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, CDS_OPTION_USE_RDATA_INDEX); + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, CDS_OPTION_RDATA_INDEX_MIN_SIZE); + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, RDATA_INDEX_MIN_SIZE); + } else if (use_rdata_rindex) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, CDS_OPTION_RDATA_RINDEX_SIZE); + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, RDATA_RINDEX_SIZE); + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, CDS_OPTION_RDATA_RINDEX_MIN_SIZE); + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, RDATA_RINDEX_MIN_SIZE); + } + if (cbor_err == CborNoError) + cbor_err = cbor_encoder_close_container_checked(&cbor, &message); + if (cbor_err != CborNoError) { + fprintf(stderr, 
"cbor error[%d]: %s\n", cbor_err, cbor_error_string(cbor_err)); + return DUMP_CDS_ECBOR; + } + + /* *cbor_buf_p = 0x9f;*/ + /* cbor_buf_p++;*/ + + if ((cbor_size - (cbor_buf_p - cbor_buf)) < cbor_encoder_get_buffer_size(&cbor, message_buf)) { + return DUMP_CDS_EBUF; + } + memcpy(cbor_buf_p, message_buf, cbor_encoder_get_buffer_size(&cbor, message_buf)); + cbor_buf_p += cbor_encoder_get_buffer_size(&cbor, message_buf); + + cbor_flushed = 0; + } + if (!rdata_tbl) { + if (!(rdata_tbl = hash_create(64 * 1024, rdata_hash, rdata_cmp, rdata_free))) { + return DUMP_CDS_ENOMEM; + } + } + + /* + * IP Header + */ + + memset(&ip, 0, sizeof(ip_header_t)); + + /* fill ip */ + if (from.af == AF_INET6) { + ip.is_v6 = 1; + memcpy(&(ip.src_addr6), &(from.u.a6), sizeof(struct in6_addr)); + memcpy(&(ip.dest_addr6), &(to.u.a6), sizeof(struct in6_addr)); + ip.src_port6 = sport; + ip.dest_port6 = dport; + } else { + memcpy(&(ip.src_addr4), &(from.u.a4), sizeof(struct in_addr)); + memcpy(&(ip.dest_addr4), &(to.u.a4), sizeof(struct in_addr)); + ip.src_port4 = sport; + ip.dest_port4 = dport; + } + + /* deduplicate */ + { + int dedup = 0; + ip_header_t reverse; + + reverse = ip; + + /* check last.ip */ + if (ip.is_v6) { + if (!memcmp(&(ip.src_addr6), &(last.ip.src_addr6), sizeof(struct in6_addr))) + dedup++; + else + ip.have_src_addr = 1; + + if (!memcmp(&(ip.dest_addr6), &(last.ip.dest_addr6), sizeof(struct in6_addr))) + dedup++; + else + ip.have_dest_addr = 1; + + if (ip.src_port6 == last.ip.src_port6) + dedup++; + else + ip.have_src_port = 1; + + if (ip.dest_port6 == last.ip.dest_port6) + dedup++; + else + ip.have_dest_port = 1; + } else { + if (!memcmp(&(ip.src_addr4), &(last.ip.src_addr4), sizeof(struct in_addr))) + dedup++; + else + ip.have_src_addr = 1; + + if (!memcmp(&(ip.dest_addr4), &(last.ip.dest_addr4), sizeof(struct in_addr))) + dedup++; + else + ip.have_dest_addr = 1; + + if (ip.src_port4 == last.ip.src_port4) + dedup++; + else + ip.have_src_port = 1; + + if (ip.dest_port4 == 
last.ip.dest_port4)
+ dedup++;
+ else
+ ip.have_dest_port = 1;
+ }
+
+ /* check reverse last.ip */
+ if (ip.is_v6) {
+ if (!memcmp(&(ip.src_addr6), &(last.ip.dest_addr6), sizeof(struct in6_addr)))
+ dedup--;
+ else
+ reverse.have_src_addr = 1;
+
+ if (!memcmp(&(ip.dest_addr6), &(last.ip.src_addr6), sizeof(struct in6_addr)))
+ dedup--;
+ else
+ reverse.have_dest_addr = 1;
+
+ if (ip.src_port6 == last.ip.dest_port6)
+ dedup--;
+ else
+ reverse.have_src_port = 1;
+
+ if (ip.dest_port6 == last.ip.src_port6)
+ dedup--;
+ else
+ reverse.have_dest_port = 1;
+ } else {
+ if (!memcmp(&(ip.src_addr4), &(last.ip.dest_addr4), sizeof(struct in_addr)))
+ dedup--;
+ else
+ reverse.have_src_addr = 1;
+
+ if (!memcmp(&(ip.dest_addr4), &(last.ip.src_addr4), sizeof(struct in_addr)))
+ dedup--;
+ else
+ reverse.have_dest_addr = 1;
+
+ if (ip.src_port4 == last.ip.dest_port4)
+ dedup--;
+ else
+ reverse.have_src_port = 1;
+
+ if (ip.dest_port4 == last.ip.src_port4)
+ dedup--;
+ else
+ reverse.have_dest_port = 1;
+ }
+
+ if (dedup < 0) {
+ ip = reverse;
+ ip.is_reverse = 1;
+ /*fprintf(stderr, "reverse of last ip ");*/
+ }
+ /*fprintf(stderr, "v6:%d src:%d dest:%d sport:%d dport:%d\n", ip.is_v6, ip.have_src_addr, ip.have_dest_addr, ip.have_src_port, ip.have_dest_port);*/
+
+ ip.bits = ip.is_v6
+ | ip.have_src_addr << 1
+ | ip.have_dest_addr << 2
+ | (ip.have_src_port | ip.have_dest_port) << 3;
+
+ if (ip.is_v6) {
+ last.ip.src_addr6 = ip.src_addr6;
+ last.ip.dest_addr6 = ip.dest_addr6;
+ last.ip.src_port6 = ip.src_port6;
+ last.ip.dest_port6 = ip.dest_port6;
+ } else {
+ last.ip.src_addr4 = ip.src_addr4;
+ last.ip.dest_addr4 = ip.dest_addr4;
+ last.ip.src_port4 = ip.src_port4;
+ last.ip.dest_port4 = ip.dest_port4;
+ }
+ }
+
+ /*
+ * DNS Message
+ */
+
+ if (flags & DNSCAP_OUTPUT_ISDNS) {
+ uint8_t* p = (uint8_t*)payload;
+ size_t l = payloadlen, rr, n, n2, n3;
+ int ret;
+ dns_rr_t* rrp;
+
+ size_t n_offset = 0;
+ uint16_t offset[256]; /* TODO: Handle offsets better */
+
+ memset(&dns,
0, sizeof(dns));
+ ret = parse_dns(&dns, &p, &l);
+
+ if (ret < 0) {
+ free_dns(&dns);
+ return DUMP_CDS_ENOMEM;
+ } else if (ret > 0) {
+ malformed = p;
+ malformed_size = l;
+ }
+
+ if (dns.have_qdcount && dns.qdcount == dns.questions) {
+ dns.have_qdcount = 0;
+ }
+ if (dns.have_ancount && dns.ancount == dns.answers) {
+ dns.have_ancount = 0;
+ }
+ if (dns.have_nscount && dns.nscount == dns.authorities) {
+ dns.have_nscount = 0;
+ }
+ if (dns.have_arcount && dns.arcount == dns.additionals) {
+ dns.have_arcount = 0;
+ }
+
+ dns.cnt_bits = dns.have_qdcount
+ | dns.have_ancount << 1
+ | dns.have_nscount << 2
+ | dns.have_arcount << 3;
+ if (dns.cnt_bits && dns.cnt_bits != 0xf) {
+ dns.have_cnt_bits = 1;
+ }
+
+ dns.rr_bits = dns.have_questions
+ | dns.have_answers << 1
+ | dns.have_authorities << 2
+ | dns.have_additionals << 3;
+ if (dns.rr_bits && dns.rr_bits != 0xf) {
+ dns.have_rr_bits = 1;
+ }
+
+ dns_rr_build_offset(dns.question, dns.questions, &offset[0], sizeof(offset), &n_offset, payload);
+ dns_rr_build_offset(dns.answer, dns.answers, &offset[0], sizeof(offset), &n_offset, payload);
+ dns_rr_build_offset(dns.authority, dns.authorities, &offset[0], sizeof(offset), &n_offset, payload);
+ dns_rr_build_offset(dns.additional, dns.additionals, &offset[0], sizeof(offset), &n_offset, payload);
+
+ /* for (n = 0; n < n_offset; n++) {*/
+ /* printf("%lu: %u\n", n, offset[n]);*/
+ /* }*/
+
+ dns_rr_set_offset(dns.question, dns.questions, &offset[0], n_offset);
+ dns_rr_set_offset(dns.answer, dns.answers, &offset[0], n_offset);
+ dns_rr_set_offset(dns.authority, dns.authorities, &offset[0], n_offset);
+ dns_rr_set_offset(dns.additional, dns.additionals, &offset[0], n_offset);
+
+ dns_rr_build_rlabel(dns.question, dns.questions);
+ dns_rr_build_rlabel(dns.answer, dns.answers);
+ dns_rr_build_rlabel(dns.authority, dns.authorities);
+ dns_rr_build_rlabel(dns.additional, dns.additionals);
+ }
+
+ /*
+ * CBOR
+ */
+
+ cbor_encoder_init(&cbor, message_buf, message_size,
0); + cbor_err = cbor_encoder_create_array(&cbor, &message, + /* timestamp */ + 1 + /* message bits */ + + 1 + /* ip header */ + + 1 + ip.have_src_addr + ip.have_dest_addr + (ip.have_src_port | ip.have_dest_port) + /* dns message */ + + dns.have_id + dns.have_raw + + dns.have_cnt_bits + dns.have_qdcount + dns.have_ancount + dns.have_nscount + dns.have_arcount + + dns.have_rr_bits + dns.have_questions + dns.have_answers + dns.have_authorities + dns.have_additionals + + (malformed ? 1 : 0)); + + /* + * Encode timestamp + */ + + { + CborEncoder timestamp; + + if (cbor_err == CborNoError) + cbor_err = cbor_encoder_create_array(&message, ×tamp, 2); + if (last.ts.tv_sec && last.ts.tv_sec <= ts.tv_sec) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_negative_int(×tamp, ts.tv_sec - last.ts.tv_sec); + if (cbor_err == CborNoError) + cbor_err = cbor_encode_int(×tamp, ts.tv_usec - last.ts.tv_usec); + } else { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(×tamp, ts.tv_sec); + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(×tamp, ts.tv_usec); + } + if (cbor_err == CborNoError) + cbor_err = cbor_encoder_close_container_checked(&message, ×tamp); + + last.ts = ts; + } + + /* + * Encode message bits + */ + + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, + (flags & DNSCAP_OUTPUT_ISDNS ? 1 : 0) + + (flags & DNSCAP_OUTPUT_ISDNS ? proto == IPPROTO_TCP ? 1 << 1 : 0 + : 0) + + (flags & DNSCAP_OUTPUT_ISFRAG ? 1 << 2 : 0) + + (malformed ? 
1 << 3 : 0)); + + /* + * Encode IP Header + */ + + if (ip.is_reverse) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_negative_int(&message, ip.bits); + } else { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, ip.bits); + } + + if (ip.is_v6) { + if (ip.have_src_addr && cbor_err == CborNoError) + cbor_err = cbor_encode_byte_string(&message, (uint8_t*)&(ip.src_addr6), sizeof(struct in6_addr)); + if (ip.have_dest_addr && cbor_err == CborNoError) + cbor_err = cbor_encode_byte_string(&message, (uint8_t*)&(ip.dest_addr6), sizeof(struct in6_addr)); + if (ip.have_src_port && ip.have_dest_port) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, (ip.dest_port6 << 16) | ip.src_port6); + } else if (ip.have_src_port) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, ip.src_port6); + } else if (ip.have_dest_port) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_negative_int(&message, ip.dest_port6); + } + } else { + if (ip.have_src_addr && cbor_err == CborNoError) + cbor_err = cbor_encode_byte_string(&message, (uint8_t*)&(ip.src_addr4), sizeof(struct in_addr)); + if (ip.have_dest_addr && cbor_err == CborNoError) + cbor_err = cbor_encode_byte_string(&message, (uint8_t*)&(ip.dest_addr4), sizeof(struct in_addr)); + if (ip.have_src_port && ip.have_dest_port) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, (ip.dest_port4 << 16) | ip.src_port4); + } else if (ip.have_src_port) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, ip.src_port4); + } else if (ip.have_dest_port) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_negative_int(&message, ip.dest_port4); + } + } + + /* + * Encode DNS Message + */ + if (flags & DNSCAP_OUTPUT_ISDNS && !dns.header_is_complete) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_boolean(&message, false); + } + if (dns.have_id && cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, dns.id); + 
if (dns.have_raw && cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, dns.raw); + if (dns.have_cnt_bits && cbor_err == CborNoError) + cbor_err = cbor_encode_negative_int(&message, dns.cnt_bits); + if (dns.have_qdcount && cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, dns.qdcount); + if (dns.have_ancount && cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, dns.ancount); + if (dns.have_nscount && cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, dns.nscount); + if (dns.have_arcount && cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&message, dns.arcount); + if (dns.have_rr_bits && cbor_err == CborNoError) + cbor_err = cbor_encode_simple_value(&message, dns.rr_bits); + if (dns.have_questions) { + CborEncoder rrs; + dns_rr_t* rr = dns.question; + size_t n = dns.questions; + + if (cbor_err == CborNoError) + cbor_err = cbor_encoder_create_array(&message, &rrs, n); + while (n--) { + CborEncoder item; + + if (rr->have_type && rr->type == last.dns_type) { + rr->have_type = 0; + } + if (rr->have_class && rr->class == last.dns_class) { + rr->have_class = 0; + } + + if (cbor_err == CborNoError) + cbor_err = cbor_encoder_create_array(&rrs, &item, + (rr->is_complete ? 
0 : 1) + rr->have_labels + rr->have_type + rr->have_class); + if (!rr->is_complete) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_boolean(&item, false); + } + if (rr->have_labels) { + if (rr->have_rlabel_idx) { + if (cbor_err == CborNoError) + cbor_err = cbor_encode_negative_int(&item, rr->rlabel_idx); + } else { + if (cbor_err == CborNoError) + cbor_err = encode_label(&item, rr->label, rr->labels); + } + } + if (rr->have_type && cbor_err == CborNoError) + cbor_err = cbor_encode_uint(&item, rr->type); + if (rr->have_class && cbor_err == CborNoError) + cbor_err = cbor_encode_negative_int(&item, rr->class); + if (cbor_err == CborNoError) + cbor_err = cbor_encoder_close_container_checked(&rrs, &item); + + if (rr->have_type) { + last.dns_type = rr->type; + } + if (rr->have_class) { + last.dns_class = rr->class; + } + + rr++; + } + if (cbor_err == CborNoError) + cbor_err = cbor_encoder_close_container_checked(&message, &rrs); + } + if (dns.have_answers && cbor_err == CborNoError) + cbor_err = dns_build_rrs(&message, dns.answer, dns.answers); + if (dns.have_authorities && cbor_err == CborNoError) + cbor_err = dns_build_rrs(&message, dns.authority, dns.authorities); + if (dns.have_additionals && cbor_err == CborNoError) + cbor_err = dns_build_rrs(&message, dns.additional, dns.additionals); + + /* + * Encode malformed + */ + + if (malformed && cbor_err == CborNoError) + cbor_err = cbor_encode_byte_string(&message, (uint8_t*)malformed, malformed_size); + + /* + * Close + */ + + free_dns(&dns); + + if (cbor_err == CborNoError) + cbor_err = cbor_encoder_close_container_checked(&cbor, &message); + if (cbor_err != CborNoError) { + fprintf(stderr, "cbor error[%d]: %s\n", cbor_err, cbor_error_string(cbor_err)); + return DUMP_CDS_ECBOR; + } + + /* if (print_cbor>1)*/ + /* {*/ + /* uint8_t* p = message_buf;*/ + /* size_t s = cbor_encoder_get_buffer_size(&cbor, message_buf);*/ + + /* while (s--) {*/ + /* printf("%02x", *p++);*/ + /* }*/ + /* printf("\n");*/ + /* }*/ + + 
if (((cbor_size + message_size) - (cbor_buf_p - cbor_buf)) < cbor_encoder_get_buffer_size(&cbor, message_buf)) { + return DUMP_CDS_EBUF; + } + memcpy(cbor_buf_p, message_buf, cbor_encoder_get_buffer_size(&cbor, message_buf)); + cbor_buf_p += cbor_encoder_get_buffer_size(&cbor, message_buf); + + if (cbor_buf_p < (cbor_buf + cbor_size)) { + return DUMP_CDS_OK; + } + + cbor_flushed = 1; + return DUMP_CDS_FLUSH; +} + +int dump_cds(FILE* fp) +{ + CborError cbor_err; + + if (!fp) { + return DUMP_CDS_EINVAL; + } + + /* *cbor_buf_p = 0xff;*/ + /* cbor_buf_p++;*/ + + /* fprintf(stderr, "cds output: %lu bytes\n", cbor_buf_p - cbor_buf);*/ + + if (fwrite(cbor_buf, cbor_buf_p - cbor_buf, 1, fp) != 1) { + return DUMP_CDS_EWRITE; + } + + return DUMP_CDS_OK; +} + +int have_cds_support() +{ + return 1; +} + +#else /* HAVE_LIBTINYCBOR */ + +int cds_set_cbor_size(size_t size) +{ + return DUMP_CDS_ENOSUP; +} + +int cds_set_message_size(size_t size) +{ + return DUMP_CDS_ENOSUP; +} + +int cds_set_max_rlabels(size_t size) +{ + return DUMP_CDS_ENOSUP; +} + +int cds_set_min_rlabel_size(size_t size) +{ + return DUMP_CDS_ENOSUP; +} + +int cds_set_use_rdata_index(int use) +{ + return DUMP_CDS_ENOSUP; +} + +int cds_set_use_rdata_rindex(int use) +{ + return DUMP_CDS_ENOSUP; +} + +int cds_set_rdata_index_min_size(size_t size) +{ + return DUMP_CDS_ENOSUP; +} + +int cds_set_rdata_rindex_min_size(size_t size) +{ + return DUMP_CDS_ENOSUP; +} + +int cds_set_rdata_rindex_size(size_t size) +{ + return DUMP_CDS_ENOSUP; +} + +int output_cds(iaddr from, iaddr to, uint8_t proto, unsigned flags, unsigned sport, unsigned dport, my_bpftimeval ts, const u_char* pkt_copy, size_t olen, const u_char* payload, size_t payloadlen) +{ + return DUMP_CDS_ENOSUP; +} + +int dump_cds(FILE* fp) +{ + return DUMP_CDS_ENOSUP; +} + +int have_cds_support() +{ + return 0; +} + +#endif diff --git a/src/dump_cds.h b/src/dump_cds.h new file mode 100644 index 0000000..a972e59 --- /dev/null +++ b/src/dump_cds.h 
@@ -0,0 +1,218 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "dnscap_common.h" + +#include <sys/socket.h> +#include <netinet/in.h> +#include <arpa/inet.h> +#include <stdio.h> + +#ifndef __dnscap_dump_cds_h +#define __dnscap_dump_cds_h + +#define DUMP_CDS_OK 0 +#define DUMP_CDS_EINVAL 1 +#define DUMP_CDS_ENOMEM 2 +#define DUMP_CDS_ECBOR 3 +#define DUMP_CDS_ELDNS 4 +#define DUMP_CDS_EWRITE 5 +#define DUMP_CDS_FLUSH 6 +#define DUMP_CDS_ENOSUP 7 +#define DUMP_CDS_EBUF 8 + +#define CDS_OPTION_RLABELS 0 +#define CDS_OPTION_RLABEL_MIN_SIZE 1 +#define CDS_OPTION_RDATA_RINDEX_SIZE 2 +#define CDS_OPTION_RDATA_RINDEX_MIN_SIZE 3 +#define CDS_OPTION_USE_RDATA_INDEX 4 +#define CDS_OPTION_RDATA_INDEX_MIN_SIZE 5 + +#define CDS_DEFAULT_MAX_RLABELS 255 +#define CDS_DEFAULT_MIN_RLABEL_SIZE 3 +#define CDS_DEFAULT_RDATA_INDEX_MIN_SIZE 5 +#define CDS_DEFAULT_RDATA_RINDEX_SIZE 255 +#define CDS_DEFAULT_RDATA_RINDEX_MIN_SIZE 5 + +typedef struct ip_header ip_header_t; +struct ip_header { + unsigned short is_v6 : 1; + unsigned short is_reverse : 1; + unsigned short have_src_addr : 1; + unsigned short have_src_port : 1; + unsigned short have_dest_addr : 1; + unsigned short have_dest_port : 1; + + uint8_t bits; + struct in_addr src_addr4; + uint16_t src_port4; + struct in6_addr src_addr6; + uint16_t src_port6; + struct in_addr dest_addr4; + uint16_t dest_port4; + struct in6_addr dest_addr6; + uint16_t dest_port6; +}; + +typedef struct dns_label dns_label_t; +struct dns_label { + unsigned short is_complete : 1; + unsigned short have_size : 1; + unsigned short have_extension_bits : 1; + unsigned short have_offset : 1; + unsigned short have_label : 1; + unsigned short have_n_offset : 1; + + uint8_t size; + uint8_t extension_bits; + uint16_t offset; + uint8_t* offset_p; + uint8_t* label; + size_t n_offset; +}; + +#define CDS_RLABEL_LABEL_T_LABEL 64 + +typedef struct dns_rlabel_label dns_rlabel_label_t; +struct dns_rlabel_label { + unsigned short have_n_offset : 1; + + uint8_t size; + uint8_t label[CDS_RLABEL_LABEL_T_LABEL]; + size_t 
n_offset; +}; + +#define CDS_RLABEL_T_LABELS 256 + +typedef struct dns_rlabel dns_rlabel_t; +struct dns_rlabel { + dns_rlabel_t* next; + dns_rlabel_t* prev; + + uint8_t labels; + dns_rlabel_label_t label[CDS_RLABEL_T_LABELS]; +}; + +typedef struct dns_rdata dns_rdata_t; +struct dns_rdata { + unsigned short is_complete : 1; + unsigned short have_labels : 1; + unsigned short have_rlabel_idx : 1; + unsigned short have_rdata : 1; + + size_t rdata_len; + uint8_t* rdata; + size_t labels; + dns_label_t* label; + size_t rlabel_idx; +}; + +typedef struct dns_rr dns_rr_t; +struct dns_rr { + unsigned short is_complete : 1; + unsigned short have_labels : 1; + unsigned short have_rlabel_idx : 1; + unsigned short have_bits : 1; + unsigned short have_type : 1; + unsigned short have_class : 1; + unsigned short have_ttl : 1; + unsigned short have_rdlength : 1; + unsigned short have_rdata : 1; + unsigned short have_mixed_rdata : 1; + unsigned short have_rdata_index : 1; + unsigned short have_rdata_rindex : 1; + + size_t labels; + dns_label_t* label; + size_t rlabel_idx; + uint8_t bits; + uint16_t type; + uint16_t class; + uint32_t ttl; + uint16_t rdlength; + uint8_t* rdata; + size_t mixed_rdatas; + dns_rdata_t* mixed_rdata; + size_t rdata_index; + size_t rdata_rindex; +}; + +typedef struct dns dns_t; +struct dns { + unsigned short header_is_complete : 1; + unsigned short have_id : 1; + unsigned short have_raw : 1; + unsigned short have_cnt_bits : 1; + unsigned short have_qdcount : 1; + unsigned short have_ancount : 1; + unsigned short have_nscount : 1; + unsigned short have_arcount : 1; + unsigned short have_rr_bits : 1; + unsigned short have_questions : 1; + unsigned short have_answers : 1; + unsigned short have_authorities : 1; + unsigned short have_additionals : 1; + + int id; + uint16_t raw; + uint8_t cnt_bits; + uint16_t qdcount; + uint16_t ancount; + uint16_t nscount; + uint16_t arcount; + uint8_t rr_bits; + size_t questions; + dns_rr_t* question; + size_t answers; + dns_rr_t* 
answer; + size_t authorities; + dns_rr_t* authority; + size_t additionals; + dns_rr_t* additional; +}; + +int cds_set_cbor_size(size_t size); +int cds_set_message_size(size_t size); +int cds_set_max_rlabels(size_t size); +int cds_set_min_rlabel_size(size_t size); +int cds_set_use_rdata_index(int use); +int cds_set_use_rdata_rindex(int use); +int cds_set_rdata_index_min_size(size_t size); +int cds_set_rdata_rindex_min_size(size_t size); +int cds_set_rdata_rindex_size(size_t size); +int output_cds(iaddr from, iaddr to, uint8_t proto, unsigned flags, unsigned sport, unsigned dport, my_bpftimeval ts, const u_char* pkt_copy, size_t olen, const u_char* payload, size_t payloadlen); +int dump_cds(FILE* fp); +int have_cds_support(); + +#endif /* __dnscap_dump_cds_h */ diff --git a/src/dump_dns.c b/src/dump_dns.c new file mode 100644 index 0000000..e03e33f --- /dev/null +++ b/src/dump_dns.c 
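Review bot: In `struct dns_rlabel` the count field is `uint8_t labels`, but the array it counts is declared with `CDS_RLABEL_T_LABELS` (256) entries, so the counter cannot represent a full array and would wrap to 0 if incremented past 255. The code that fills this struct is in dump_cds.c, outside this hunk, so it should be confirmed there whether it relies on a check like `labels < CDS_RLABEL_T_LABELS`, which is always true for a `uint8_t`. Because the labels are parsed from captured DNS payloads, I would make the two agree, e.g. `size_t labels;`, or size the array to what the counter can hold.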
@@ -0,0 +1,319 @@ +/* dump_dns.c - library function to emit decoded dns message on a FILE. + * + * By: Paul Vixie, ISC, October 2007 + */ + +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" + +#include "dnscap_common.h" + +#include "dump_dns.h" +#include "network.h" +#include "tcpstate.h" +#include "endian_compat.h" + +#include <ldns/ldns.h> +#include <netinet/in.h> + +static inline uint16_t _need16(const void* ptr) +{ + uint16_t v; + memcpy(&v, ptr, sizeof(v)); + return be16toh(v); +} + +static void dump_dns_rr(ldns_rr* rr, FILE* trace, ldns_buffer* lbuf, bool qsect) +{ + size_t rdlen, i; + ldns_rdf* rdf; + + // owner + ldns_buffer_clear(lbuf); + if (ldns_rdf2buffer_str(lbuf, ldns_rr_owner(rr)) != LDNS_STATUS_OK) { + goto error; + } + fprintf(trace, "%s", (char*)ldns_buffer_begin(lbuf)); + + // class + ldns_buffer_clear(lbuf); + if (ldns_rr_class2buffer_str(lbuf, ldns_rr_get_class(rr)) != LDNS_STATUS_OK) { + goto error; + } + fprintf(trace, ",%s", (char*)ldns_buffer_begin(lbuf)); + + // type + ldns_buffer_clear(lbuf); + if (ldns_rr_type2buffer_str(lbuf, ldns_rr_get_type(rr)) != LDNS_STATUS_OK) { + goto error; + } + fprintf(trace, ",%s", (char*)ldns_buffer_begin(lbuf)); + + if (qsect) + return; + + fprintf(trace, ",%u", ldns_rr_ttl(rr)); + switch (ldns_rr_get_type(rr)) { + case LDNS_RR_TYPE_SOA: + for (i = 0; i < 2; i++) { + if (!(rdf = ldns_rr_rdf(rr, i))) { + goto error; + } + ldns_buffer_clear(lbuf); + if (ldns_rdf2buffer_str(lbuf, rdf) != LDNS_STATUS_OK) { + goto error; + } + fprintf(trace, ",%s", (char*)ldns_buffer_begin(lbuf)); + } + for (; i < 7; i++) { + if (!(rdf = ldns_rr_rdf(rr, i))) { + goto error; + } + ldns_buffer_clear(lbuf); + if (ldns_rdf2buffer_str(lbuf, rdf) != LDNS_STATUS_OK) { + goto error; + } + fprintf(trace, ",%s", (char*)ldns_buffer_begin(lbuf)); + } + break; + + case LDNS_RR_TYPE_A: + case LDNS_RR_TYPE_AAAA: + case LDNS_RR_TYPE_MX: + if (!(rdf = ldns_rr_rdf(rr, 0))) { + goto error; + } + ldns_buffer_clear(lbuf); + if (ldns_rdf2buffer_str(lbuf, rdf) != LDNS_STATUS_OK) { + goto error; + } + fprintf(trace, ",%s", (char*)ldns_buffer_begin(lbuf)); + break; + + case LDNS_RR_TYPE_NS: + case 
LDNS_RR_TYPE_PTR: + case LDNS_RR_TYPE_CNAME: + if (!(rdf = ldns_rr_rdf(rr, 0))) { + goto error; + } + ldns_buffer_clear(lbuf); + if (ldns_rdf2buffer_str(lbuf, rdf) != LDNS_STATUS_OK) { + goto error; + } + fprintf(trace, ",%s", (char*)ldns_buffer_begin(lbuf)); + break; + + default: + goto error; + } + return; + +error: + for (rdlen = 0, i = 0, rdf = ldns_rr_rdf(rr, i); rdf; rdf = ldns_rr_rdf(rr, ++i)) { + rdlen += ldns_rdf_size(rdf); + } + fprintf(trace, ",[%zu]", rdlen); +} + +static void dump_dns_sect(ldns_rr_list* rrs, FILE* trace, const char* endline, ldns_buffer* lbuf, bool qsect, bool ansect, ldns_pkt* pkt) +{ + size_t rrnum, rrmax; + const char* sep; + + if (ansect && ldns_pkt_edns(pkt)) { + rrmax = ldns_rr_list_rr_count(rrs); + fprintf(trace, " %s%zu", endline, rrmax + 1); + sep = ""; + for (rrnum = 0; rrnum < rrmax; rrnum++) { + fprintf(trace, " %s", sep); + dump_dns_rr(ldns_rr_list_rr(rrs, rrnum), trace, lbuf, qsect); + sep = endline; + } + ldns_rdf* edns_data = ldns_pkt_edns_data(pkt); + fprintf(trace, " %s.,%u,%u,0,edns0[len=%zu,UDP=%u,ver=%u,rcode=%u,DO=%u,z=%u]", + sep, ldns_pkt_edns_udp_size(pkt), ldns_pkt_edns_udp_size(pkt), + edns_data ? ldns_rdf_size(edns_data) : 0, + ldns_pkt_edns_udp_size(pkt), + ldns_pkt_edns_version(pkt), + ldns_pkt_edns_extended_rcode(pkt), + ldns_pkt_edns_do(pkt) ? 1 : 0, + ldns_pkt_edns_z(pkt)); + if (edns_data) { + size_t len = ldns_rdf_size(edns_data); + uint8_t* d = ldns_rdf_data(edns_data); + + while (len >= 4) { + uint16_t opcode = _need16(d); + uint16_t oplen = _need16(d + 2); + len -= 4; + d += 4; + + if (oplen > len) { + break; + } + switch (opcode) { + case 8: { + if (oplen >= 4) { + uint16_t family = _need16(d); + uint8_t source_prefix_len = *(d + 2), scope_prefix_len = *(d + 3); + char addr[(INET_ADDRSTRLEN < INET6_ADDRSTRLEN ? 
INET6_ADDRSTRLEN : INET_ADDRSTRLEN) + 1] = { 0 }; + struct in_addr in4 = { .s_addr = INADDR_ANY }; + struct in6_addr in6 = IN6ADDR_ANY_INIT; + void* in = 0; + int af; + + switch (family) { + case 1: { + memcpy(&in4.s_addr, d + 4, oplen - 4 > sizeof(in4.s_addr) ? sizeof(in4.s_addr) : oplen - 4); + in = &in4; + af = AF_INET; + break; + } + case 2: { + memcpy(&in6.s6_addr, d + 4, oplen - 4 > sizeof(in6.s6_addr) ? sizeof(in6.s6_addr) : oplen - 4); + in = &in6; + af = AF_INET6; + break; + } + default: + break; + } + + fprintf(trace, ",edns0opt[ECS,family=%u,source=%u,scope=%u,", family, source_prefix_len, scope_prefix_len); + + if (!in || !inet_ntop(af, in, addr, sizeof(addr) - 1)) { + fprintf(trace, "addr=INVALID]"); + } else { + fprintf(trace, "addr=%s]", addr); + } + + break; + } + } + + default: + fprintf(trace, ",edns0opt[code=%u,codelen=%u]", opcode, oplen); + break; + } + + len -= oplen; + d += oplen; + } + } + return; + } + + rrmax = ldns_rr_list_rr_count(rrs); + if (rrmax == 0) { + fputs(" 0", trace); + return; + } + fprintf(trace, " %s%zu", endline, rrmax); + sep = ""; + for (rrnum = 0; rrnum < rrmax; rrnum++) { + fprintf(trace, " %s", sep); + dump_dns_rr(ldns_rr_list_rr(rrs, rrnum), trace, lbuf, qsect); + sep = endline; + } +} + +void dump_dns(const u_char* payload, size_t paylen, FILE* trace, const char* endline) +{ + const char* sep; + tcpstate_ptr tcpstate; + ldns_pkt* pkt = 0; + ldns_buffer* lbuf = 0; + ldns_status ret; + + fprintf(trace, " %sdns ", endline); + if ((ret = ldns_wire2pkt(&pkt, payload, paylen)) != LDNS_STATUS_OK) { + /* DNS message may have padding, try get actual size */ + size_t dnslen = calcdnslen(payload, paylen); + if (dnslen > 0 && dnslen < paylen) { + if ((ret = ldns_wire2pkt(&pkt, payload, dnslen)) != LDNS_STATUS_OK) { + fputs(ldns_get_errorstr_by_id(ret), trace); + if ((tcpstate = tcpstate_getcurr())) + tcpstate_reset(tcpstate, strerror(errno)); + return; + } + } else { + fputs(ldns_get_errorstr_by_id(ret), trace); + if ((tcpstate 
= tcpstate_getcurr())) + tcpstate_reset(tcpstate, strerror(errno)); + return; + } + } + + if (!(lbuf = ldns_buffer_new(512))) { + fprintf(stderr, "%s: out of memory", ProgramName); + exit(1); + } + + if (ldns_pkt_opcode2buffer_str(lbuf, ldns_pkt_get_opcode(pkt)) != LDNS_STATUS_OK) { + fprintf(stderr, "%s: unable to covert opcode to str", ProgramName); + exit(1); + } + fprintf(trace, "%s,", (char*)ldns_buffer_begin(lbuf)); + ldns_buffer_clear(lbuf); + if (ldns_pkt_rcode2buffer_str(lbuf, ldns_pkt_get_rcode(pkt)) != LDNS_STATUS_OK) { + fprintf(stderr, "%s: unable to covert rcode to str", ProgramName); + exit(1); + } + fprintf(trace, "%s,%u,", (char*)ldns_buffer_begin(lbuf), ldns_pkt_id(pkt)); + + sep = ""; +#define FLAG(t, f) \ + if (f) { \ + fprintf(trace, "%s%s", sep, t); \ + sep = "|"; \ + } + FLAG("qr", ldns_pkt_qr(pkt)); + FLAG("aa", ldns_pkt_aa(pkt)); + FLAG("tc", ldns_pkt_tc(pkt)); + FLAG("rd", ldns_pkt_rd(pkt)); + FLAG("ra", ldns_pkt_ra(pkt)); + FLAG("z", LDNS_Z_WIRE(payload)); + FLAG("ad", ldns_pkt_ad(pkt)); + FLAG("cd", ldns_pkt_cd(pkt)); +#undef FLAG + dump_dns_sect(ldns_pkt_question(pkt), trace, endline, lbuf, true, false, 0); + dump_dns_sect(ldns_pkt_answer(pkt), trace, endline, lbuf, false, false, 0); + dump_dns_sect(ldns_pkt_authority(pkt), trace, endline, lbuf, false, false, 0); + dump_dns_sect(ldns_pkt_additional(pkt), trace, endline, lbuf, false, true, pkt); + + ldns_buffer_free(lbuf); + ldns_pkt_free(pkt); +} diff --git a/src/dump_dns.h b/src/dump_dns.h new file mode 100644 index 0000000..14c01a9 --- /dev/null +++ b/src/dump_dns.h 
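Review bot: Both failure paths of `ldns_wire2pkt()` in `dump_dns()` pass `strerror(errno)` to `tcpstate_reset()`, but nothing visible sets `errno` there; the failure reason is in `ret`, so the reset message can be stale or unrelated to the parse error. I would reuse the ldns text already written to `trace`: `tcpstate_reset(tcpstate, ldns_get_errorstr_by_id(ret));` (assuming the second parameter takes a `const char*`; the prototype is in tcpstate.h, not shown). Separately, `case 8:` in `dump_dns_sect()` falls through to `default:` when `oplen < 4`; if that is intended, a `/* fall through: ECS option too short, print it as an unknown option */` comment before `default:` would make it explicit.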
@@ -0,0 +1,47 @@ +/* dump_dns.c - library function to emit decoded dns message on a FILE. + * + * By: Paul Vixie, ISC, October 2007 + */ + +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef __dnscap_dump_dns_h +#define __dnscap_dump_dns_h + +#include <stdio.h> + +void dump_dns(const u_char* payload, size_t paylen, FILE* trace, const char* endline); + +#endif // __dnscap_dump_dns_h 
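Review bot: This header is not self-contained: the `dump_dns()` prototype uses `u_char`, which `<stdio.h>` does not declare. It presumably compiles in dump_dns.c only because `dnscap_common.h` is included before it; adding `#include <sys/types.h>` inside the guard would remove that ordering dependency. The opening comment also still names `dump_dns.c` rather than this header.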
diff --git a/src/dumper.c b/src/dumper.c new file mode 100644 index 0000000..b5458f5 --- /dev/null +++ b/src/dumper.c 
@@ -0,0 +1,399 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" + +#include "dumper.h" +#include "iaddr.h" +#include "log.h" +#include "pcaps.h" + +/* + * when flags & DNSCAP_OUTPUT_ISDNS, payload points to a DNS packet + */ +void output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags, + unsigned sport, unsigned dport, my_bpftimeval ts, + const u_char* pkt_copy, const unsigned olen, + const u_char* payload, const unsigned payloadlen) +{ + struct plugin* p; + + for (p = HEAD(plugins); p != NULL; p = NEXT(p, link)) { + if (p->filter && (*p->filter)(descr, &from, &to, proto, flags, sport, dport, ts, pkt_copy, olen, payload, payloadlen)) { + if (dumptrace >= 3) { + fprintf(stderr, "filtered: capturedbytes=%zu, proto=%d, isfrag=%s, isdns=%s, olen=%u, payloadlen=%u\n", + capturedbytes, + proto, + flags & DNSCAP_OUTPUT_ISFRAG ? "yes" : "no", + flags & DNSCAP_OUTPUT_ISDNS ? "yes" : "no", + olen, + payloadlen); + } + return; + } + } + + msgcount++; + capturedbytes += olen; + + if (dumptrace >= 3) { + fprintf(stderr, "output: capturedbytes=%zu, proto=%d, isfrag=%s, isdns=%s, olen=%u, payloadlen=%u\n", + capturedbytes, + proto, + flags & DNSCAP_OUTPUT_ISFRAG ? "yes" : "no", + flags & DNSCAP_OUTPUT_ISDNS ? "yes" : "no", + olen, + payloadlen); + } + + /* Output stage. 
*/ + if (preso) { + fputs(descr, stderr); + if (flags & DNSCAP_OUTPUT_ISFRAG) { + fprintf(stderr, ";: [%s] ", ia_str(from)); + fprintf(stderr, "-> [%s] (frag)\n", ia_str(to)); + } else { + fprintf(stderr, "\t[%s].%u ", ia_str(from), sport); + fprintf(stderr, "[%s].%u ", ia_str(to), dport); + if ((flags & DNSCAP_OUTPUT_ISDNS) && payload) + dump_dns(payload, payloadlen, stderr, "\\\n\t"); + } + putc('\n', stderr); + } + if (dump_type != nowhere) { + if (options.dump_format == pcap) { + struct pcap_pkthdr h; + + memset(&h, 0, sizeof h); + h.ts = ts; + h.len = h.caplen = olen; + pcap_dump((u_char*)dumper, &h, pkt_copy); + if (flush) + pcap_dump_flush(dumper); + } else if (options.dump_format == cbor && (flags & DNSCAP_OUTPUT_ISDNS) && payload) { + int ret = output_cbor(from, to, proto, flags, sport, dport, ts, payload, payloadlen); + + if (ret == DUMP_CBOR_FLUSH) { + if (dumper_close(ts)) { + fprintf(stderr, "%s: dumper_close() failed\n", ProgramName); + exit(1); + } + if (dumper_open(ts)) { + fprintf(stderr, "%s: dumper_open() failed\n", ProgramName); + exit(1); + } + } else if (ret != DUMP_CBOR_OK) { + fprintf(stderr, "%s: output to cbor failed [%u]\n", ProgramName, ret); + exit(1); + } + } else if (options.dump_format == cds) { + int ret = output_cds(from, to, proto, flags, sport, dport, ts, pkt_copy, olen, payload, payloadlen); + + if (ret == DUMP_CDS_FLUSH) { + if (dumper_close(ts)) { + fprintf(stderr, "%s: dumper_close() failed\n", ProgramName); + exit(1); + } + if (dumper_open(ts)) { + fprintf(stderr, "%s: dumper_open() failed\n", ProgramName); + exit(1); + } + } else if (ret != DUMP_CDS_OK) { + fprintf(stderr, "%s: output to cds failed [%u]\n", ProgramName, ret); + exit(1); + } + } + } + for (p = HEAD(plugins); p != NULL; p = NEXT(p, link)) + if (p->output) + (*p->output)(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, olen, payload, payloadlen); + return; +} + +int dumper_open(my_bpftimeval ts) +{ + const char* t = NULL; + struct plugin* p; + + 
assert(dump_state == dumper_closed); + + while (ts.tv_usec >= MILLION) { + ts.tv_sec++; + ts.tv_usec -= MILLION; + } + if (limit_seconds != 0U) + next_interval = ts.tv_sec + - (ts.tv_sec % limit_seconds) + + limit_seconds; + + if (dump_type == to_stdout) { + t = "-"; + } else if (dump_type == to_file) { + char sbuf[64]; + struct tm tm; + + gmtime_r((time_t*)&ts.tv_sec, &tm); + strftime(sbuf, 64, "%Y%m%d.%H%M%S", &tm); + if (asprintf(&dumpname, "%s.%s.%06lu%s", + dump_base, sbuf, + (u_long)ts.tv_usec, dump_suffix ? dump_suffix : "") + < 0 + || asprintf(&dumpnamepart, "%s.part", dumpname) < 0) { + logerr("asprintf: %s", strerror(errno)); + return (TRUE); + } + t = dumpnamepart; + } + if (NULL != t) { + if (options.dump_format == pcap) { + dumper = dnscap_pcap_dump_open(pcap_dead, t); + if (dumper == NULL) { + logerr("pcap dump open: %s", + pcap_geterr(pcap_dead)); + return (TRUE); + } + } + } + dumpstart = ts.tv_sec; + if (limit_seconds != 0U) { + struct timeval now; + u_int seconds; + time_t targ; + + gettimeofday(&now, NULL); + while (now.tv_usec >= MILLION) { + now.tv_sec++; + now.tv_usec -= MILLION; + } + targ = (((now.tv_sec + (limit_seconds / 2)) + / limit_seconds) + + 1) + * limit_seconds; + assert(targ > now.tv_sec); + seconds = targ - now.tv_sec; + if (next_interval == 0) { + alarm(seconds); + alarm_set = TRUE; + } + } + for (p = HEAD(plugins); p != NULL; p = NEXT(p, link)) { + int x; + if (!p->open) + continue; + x = (*p->open)(ts); + if (0 == x) + continue; + logerr("%s_open returned %d", p->name, x); + } + dump_state = dumper_opened; + return (FALSE); +} + +int dumper_close(my_bpftimeval ts) +{ + int ret = FALSE; + struct plugin* p; + + assert(dump_state == dumper_opened); + + if (print_pcap_stats) + do_pcap_stats(); + + if (alarm_set) { + alarm(0); + alarm_set = FALSE; + } + + if (options.dump_format == pcap) { + if (dumper) { + pcap_dump_close(dumper); + dumper = FALSE; + } + } else if (options.dump_format == cbor) { + int ret; + + if (dump_type == 
to_stdout) { + ret = dump_cbor(stdout); + + if (ret != DUMP_CBOR_OK) { + fprintf(stderr, "%s: output to cbor failed [%u]\n", ProgramName, ret); + exit(1); + } + } else if (dump_type == to_file) { + FILE* fp; + + if (!(fp = fopen(dumpnamepart, "w"))) { + fprintf(stderr, "%s: fopen(%s) failed: %s\n", ProgramName, dumpnamepart, strerror(errno)); + exit(1); + } + ret = dump_cbor(fp); + fclose(fp); + if (ret != DUMP_CBOR_OK) { + fprintf(stderr, "%s: output to cbor failed [%u]\n", ProgramName, ret); + exit(1); + } + } + } else if (options.dump_format == cds) { + int ret; + + if (dump_type == to_stdout) { + ret = dump_cds(stdout); + + if (ret != DUMP_CDS_OK) { + fprintf(stderr, "%s: output to cds failed [%u]\n", ProgramName, ret); + exit(1); + } + } else if (dump_type == to_file) { + FILE* fp; + + if (!(fp = fopen(dumpnamepart, "w"))) { + fprintf(stderr, "%s: fopen(%s) failed: %s\n", ProgramName, dumpnamepart, strerror(errno)); + exit(1); + } + ret = dump_cds(fp); + fclose(fp); + if (ret != DUMP_CDS_OK) { + fprintf(stderr, "%s: output to cds failed [%u]\n", ProgramName, ret); + exit(1); + } + } + } + + if (dump_type == to_stdout) { + assert(dumpname == NULL); + assert(dumpnamepart == NULL); + if (dumptrace >= 1) + fprintf(stderr, "%s: breaking\n", ProgramName); + ret = TRUE; + } else if (dump_type == to_file) { + char* cmd = NULL; + ; + + if (dumptrace >= 1) + fprintf(stderr, "%s: closing %s\n", + ProgramName, dumpname); + if (rename(dumpnamepart, dumpname)) { + logerr("rename: %s", strerror(errno)); + return ret; + } + if (kick_cmd != NULL) + if (asprintf(&cmd, "%s %s &", kick_cmd, dumpname) < 0) { + logerr("asprintf: %s", strerror(errno)); + cmd = NULL; + } + free(dumpnamepart); + dumpnamepart = NULL; + free(dumpname); + dumpname = NULL; + if (cmd != NULL) { + int x = system(cmd); + if (x) + logerr("system: \"%s\" returned %d", cmd, x); + free(cmd); + } + if (kick_cmd == NULL && options.dump_format != cbor && options.dump_format != cds) + ret = TRUE; + } + for (p = 
HEAD(plugins); p != NULL; p = NEXT(p, link)) { + int x; + if (!p->close) + continue; + x = (*p->close)(ts); + if (x) + logerr("%s_close returned %d", p->name, x); + } + dump_state = dumper_closed; + return (ret); +} + +#if HAVE_ZLIB_H +#if HAVE_FUNOPEN +static int +gzip_cookie_write(void* cookie, const char* buf, int size) +{ + return gzwrite((gzFile)cookie, (voidpc)buf, (unsigned)size); +} +#elif HAVE_FOPENCOOKIE +static ssize_t +gzip_cookie_write(void* cookie, const char* buf, size_t size) +{ + return gzwrite((gzFile)cookie, (voidpc)buf, (unsigned)size); +} +#endif + +static int +gzip_cookie_close(void* cookie) +{ + return gzclose((gzFile)cookie); +} +#endif /* HAVE_ZLIB_H */ + +pcap_dumper_t* dnscap_pcap_dump_open(pcap_t* pcap, const char* path) +{ +#if HAVE_ZLIB_H +#if HAVE_GZOPEN + if (wantgzip) { + FILE* fp = NULL; + gzFile z = gzopen(path, "w"); + if (z == NULL) { + perror("gzopen"); + return NULL; + } + +#if HAVE_FUNOPEN + fp = funopen(z, NULL, gzip_cookie_write, NULL, gzip_cookie_close); + if (fp == NULL) { + perror("funopen"); + return NULL; + } +#elif HAVE_FOPENCOOKIE + { + static cookie_io_functions_t cookiefuncs = { + NULL, gzip_cookie_write, NULL, gzip_cookie_close + }; + + fp = fopencookie(z, "w", cookiefuncs); + if (fp == NULL) { + perror("fopencookie"); + return NULL; + } + } +#endif + return pcap_dump_fopen(pcap, fp); + } +#endif /* HAVE_GZOPEN */ +#endif /* HAVE_ZLIB_H */ + + return pcap_dump_open(pcap, path); +} diff --git a/src/dumper.h b/src/dumper.h new file mode 100644 index 0000000..f447f5c --- /dev/null +++ b/src/dumper.h 
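Review bot: `dumper_close()` builds the kick command with `asprintf(&cmd, "%s %s &", kick_cmd, dumpname)` and hands it to `system()`, so the dump file name is re-parsed by the shell. `dumpname` is assembled in `dumper_open()` from `dump_base` and `dump_suffix`, and a space or shell metacharacter in either one changes what is executed. Those values look operator-supplied (their origin is outside this hunk), but I would still pass the name as a positional argument rather than interpolating it. The sketch below keeps `kick_cmd` as shell text and passes the file as `"$1"`; whether the headers for `fork`/`execl`/`waitpid` are already pulled in through dumper.h is not visible here.

```c
        if (kick_cmd != NULL) {
            /* kick_cmd stays shell text; the file name travels as "$1" and is never parsed */
            if (asprintf(&cmd, "%s \"$1\" &", kick_cmd) < 0) {
                logerr("asprintf: %s", strerror(errno));
                cmd = NULL;
            } else {
                pid_t pid = fork();
                if (pid == 0) {
                    execl("/bin/sh", "sh", "-c", cmd, "sh", dumpname, (char*)NULL);
                    _exit(127);
                }
                if (pid < 0) {
                    logerr("fork: %s", strerror(errno));
                } else {
                    int status = 0;
                    if (waitpid(pid, &status, 0) < 0 || status)
                        logerr("kick: \"%s\" returned %d", cmd, status);
                }
                free(cmd);
                cmd = NULL;
            }
        }
        /* … unchanged: free dumpnamepart and dumpname; the later system(cmd) block is dropped … */
```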
@@ -0,0 +1,50 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "dnscap.h" + +#ifndef __dnscap_dumper_h +#define __dnscap_dumper_h + +void output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags, + unsigned sport, unsigned dport, my_bpftimeval ts, + const u_char* pkt_copy, const unsigned olen, + const u_char* payload, const unsigned payloadlen); + +int dumper_open(my_bpftimeval ts); +int dumper_close(my_bpftimeval ts); + +pcap_dumper_t* dnscap_pcap_dump_open(pcap_t* pcap, const char* path); + +#endif /* __dnscap_dumper_h */ diff --git a/src/endian_compat.h b/src/endian_compat.h new file mode 100644 index 0000000..6c49625 --- /dev/null +++ b/src/endian_compat.h 
@@ -0,0 +1,108 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#ifndef __dnscap_endian_compat_h +#define __dnscap_endian_compat_h + +#ifdef HAVE_ENDIAN_H +#include <endian.h> +#else +#ifdef HAVE_SYS_ENDIAN_H +#include <sys/endian.h> +#else +#ifdef HAVE_MACHINE_ENDIAN_H +#include <machine/endian.h> +#endif +#endif +#endif + +#ifdef __APPLE__ +#include <libkern/OSByteOrder.h> +#define htobe16(x) OSSwapHostToBigInt16(x) +#define htole16(x) OSSwapHostToLittleInt16(x) +#define be16toh(x) OSSwapBigToHostInt16(x) +#define le16toh(x) OSSwapLittleToHostInt16(x) +#define htobe32(x) OSSwapHostToBigInt32(x) +#define htole32(x) OSSwapHostToLittleInt32(x) +#define be32toh(x) OSSwapBigToHostInt32(x) +#define le32toh(x) OSSwapLittleToHostInt32(x) +#define htobe64(x) OSSwapHostToBigInt64(x) +#define htole64(x) OSSwapHostToLittleInt64(x) +#define be64toh(x) OSSwapBigToHostInt64(x) +#define le64toh(x) OSSwapLittleToHostInt64(x) +#define __BYTE_ORDER BYTE_ORDER +#define __BIG_ENDIAN BIG_ENDIAN +#define __LITTLE_ENDIAN LITTLE_ENDIAN +#define __PDP_ENDIAN PDP_ENDIAN +#endif + +#if defined(_WIN16) || defined(_WIN32) || defined(_WIN64) || defined(__WINDOWS__) +#include <winsock2.h> +#include <sys/param.h> +#if BYTE_ORDER == LITTLE_ENDIAN +#define htobe16(x) htons(x) +#define htole16(x) (x) +#define be16toh(x) ntohs(x) +#define le16toh(x) (x) +#define htobe32(x) htonl(x) +#define htole32(x) (x) +#define be32toh(x) ntohl(x) +#define le32toh(x) (x) +#define htobe64(x) htonll(x) +#define htole64(x) (x) +#define be64toh(x) ntohll(x) +#define le64toh(x) (x) +#elif BYTE_ORDER == BIG_ENDIAN +#define htobe16(x) (x) +#define htole16(x) __builtin_bswap16(x) +#define be16toh(x) (x) +#define le16toh(x) __builtin_bswap16(x) +#define htobe32(x) (x) +#define htole32(x) __builtin_bswap32(x) +#define be32toh(x) (x) +#define le32toh(x) __builtin_bswap32(x) +#define htobe64(x) (x) +#define htole64(x) __builtin_bswap64(x) +#define be64toh(x) (x) +#define le64toh(x) __builtin_bswap64(x) +#else +#error "byte order not supported" +#endif +#define __BYTE_ORDER 
BYTE_ORDER +#define __BIG_ENDIAN BIG_ENDIAN +#define __LITTLE_ENDIAN LITTLE_ENDIAN +#define __PDP_ENDIAN PDP_ENDIAN +#endif + +#endif diff --git a/src/endpoint.c b/src/endpoint.c new file mode 100644 index 0000000..da37fe3 --- /dev/null +++ b/src/endpoint.c 
@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "endpoint.h"
+#include "args.h"
+#include "iaddr.h"
+
+void endpoint_arg(endpoint_list* list, const char* arg)
+{
+ struct addrinfo* ai;
+ iaddr ia;
+ void* p;
+
+ if (inet_pton(AF_INET6, arg, &ia.u.a6) > 0) {
+ ia.af = AF_INET6;
+ endpoint_add(list, ia);
+ } else if (inet_pton(AF_INET, arg, &ia.u.a4) > 0) {
+ ia.af = AF_INET;
+ endpoint_add(list, ia);
+ } else if (getaddrinfo(arg, NULL, NULL, &ai) == 0) {
+ struct addrinfo* a;
+
+ for (a = ai; a != NULL; a = a->ai_next) {
+ if (a->ai_socktype != SOCK_DGRAM)
+ continue;
+ switch (a->ai_family) {
+ case PF_INET:
+ ia.af = AF_INET;
+ p = &((struct sockaddr_in*)a->ai_addr)
+ ->sin_addr;
+ memcpy(&ia.u.a4, p, sizeof ia.u.a4);
+ break;
+ case PF_INET6:
+ ia.af = AF_INET6;
+ p = &((struct sockaddr_in6*)a->ai_addr)
+ ->sin6_addr;
+ memcpy(&ia.u.a6, p, sizeof ia.u.a6);
+ break;
+ default:
+ continue;
+ }
+ endpoint_add(list, ia);
+ }
+ freeaddrinfo(ai);
+ } else
+ usage("invalid host address");
+}
+
+void endpoint_add(endpoint_list* list, iaddr ia)
+{
+ endpoint_ptr ep;
+
+ ep = calloc(1, sizeof *ep);
+ assert(ep != NULL);
+ INIT_LINK(ep, link);
+ ep->ia = ia;
+ APPEND(*list, ep, link);
+}
+
+int ep_present(const endpoint_list* list, iaddr ia)
+{
+ endpoint_ptr ep;
+
+ for (ep = HEAD(*list);
+ ep != NULL;
+ ep = NEXT(ep, link))
+ if (ia_equal(ia, ep->ia))
+ return TRUE;
+ return (FALSE);
+}
diff --git a/src/endpoint.h b/src/endpoint.h
new file mode 100644
index 0000000..9136ca9
--- /dev/null
+++ b/src/endpoint.h
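Review bot: `endpoint_add()` in src/endpoint.c checks its `calloc()` result only with `assert(ep != NULL)`, which is compiled out when `NDEBUG` is defined, so an allocation failure then reaches `INIT_LINK(ep, link)` with a null pointer. An explicit check keeps the failure defined in every build, for example `if (ep == NULL) { perror("calloc"); exit(1); }`. Separately, `endpoint_arg()` falls back to `getaddrinfo()` for any argument that is not an address literal, so the resulting endpoint list depends on what the resolver returns at startup; a short comment saying so, plus a note that only `SOCK_DGRAM` results are kept, would help operators who expect a fixed list.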
@@ -0,0 +1,44 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "dnscap.h" + +#ifndef __dnscap_endpoint_h +#define __dnscap_endpoint_h + +void endpoint_arg(endpoint_list* list, const char* arg); +void endpoint_add(endpoint_list* list, iaddr ia); +int ep_present(const endpoint_list* list, iaddr ia); + +#endif /* __dnscap_endpoint_h */ 
diff --git a/src/hashtbl.c b/src/hashtbl.c
new file mode 100644
index 0000000..62e1a9e
--- /dev/null
+++ b/src/hashtbl.c
@@ -0,0 +1,161 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "hashtbl.h"
+
+#include <unistd.h>
+#include <stdlib.h>
+#include <assert.h>
+
+hashtbl* hash_create(unsigned int N, hashkey_func hasher, hashkeycmp_func cmp, hashfree_func datafree)
+{
+ hashtbl* new;
+
+ assert(N);
+ assert(hasher);
+ assert(cmp);
+
+ if ((new = calloc(1, sizeof(hashtbl)))) {
+ new->modulus = N;
+ new->hasher = hasher;
+ new->keycmp = cmp;
+ new->datafree = datafree;
+
+ if (!(new->items = calloc(N, sizeof(hashitem*)))) {
+ free(new);
+ return 0;
+ }
+ }
+
+ return new;
+}
+
+int hash_add(const void* key, void* data, hashtbl* tbl)
+{
+ hashitem* new, **I;
+ unsigned int slot;
+
+ if (!key || !tbl) {
+ return HASHTBL_EARGS;
+ }
+
+ new = calloc(1, sizeof(hashitem));
+ if (!new) {
+ return HASHTBL_ENOMEM;
+ }
+
+ new->key = key;
+ new->data = data;
+ slot = tbl->hasher(key) % tbl->modulus;
+
+ for (I = &tbl->items[slot]; *I; I = &(*I)->next)
+ ;
+ *I = new;
+
+ return 0;
+}
+
+void* hash_find(const void* key, hashtbl* tbl)
+{
+ unsigned int slot;
+ hashitem* i;
+
+ if (!key || !tbl) {
+ return NULL;
+ }
+
+ slot = tbl->hasher(key) % tbl->modulus;
+
+ for (i = tbl->items[slot]; i; i = i->next) {
+ if (!tbl->keycmp(key, i->key))
+ return i->data;
+ }
+
+ return NULL;
+}
+
+void hash_remove(const void* key, hashtbl* tbl)
+{
+ hashitem **I, *i;
+ int slot;
+
+ if (!key || !tbl) {
+ return;
+ }
+
+ slot = tbl->hasher(key) % tbl->modulus;
+
+ for (I = &tbl->items[slot]; *I; I = &(*I)->next) {
+ if (!tbl->keycmp(key, (*I)->key)) {
+ i = *I;
+ *I = (*I)->next;
+ if (tbl->datafree)
+ tbl->datafree(i->data);
+ free(i);
+ break;
+ }
+ }
+}
+
+void hash_free(hashtbl* tbl)
+{
+ hashitem *i, *next;
+ int slot;
+
+ if (!tbl) {
+ return;
+ }
+
+ for (slot = 0; slot < tbl->modulus; slot++) {
+ for (i = tbl->items[slot]; i;) {
+ next = i->next;
+ if (tbl->datafree)
+ tbl->datafree(i->data);
+ free(i);
+ i = next;
+ }
+ tbl->items[slot] = 0;
+ }
+}
+
+void hash_destroy(hashtbl* tbl)
+{
+ if (!tbl) {
+ return;
+ }
+
+ hash_free(tbl);
+ free(tbl->items);
+ free(tbl);
+}
diff --git a/src/hashtbl.h b/src/hashtbl.h
new file mode 100644
index 0000000..03eae65
--- /dev/null
+++ b/src/hashtbl.h
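Review bot: `hash_remove()` and `hash_free()` in src/hashtbl.c declare `int slot`, while `hash_add()` and `hash_find()` use `unsigned int slot` and `modulus` is `unsigned int`. In `hash_remove()` the result of `tbl->hasher(key) % tbl->modulus` is narrowed to a signed value before it indexes `tbl->items[slot]`, and in `hash_free()` the loop test `slot < tbl->modulus` mixes signed and unsigned operands; both are harmless only while the table stays below `INT_MAX` buckets. Declaring `unsigned int slot;` in both functions makes the four accessors agree. It is also worth a comment on `hash_add()` that it appends without looking for an existing key and walks the whole chain on each insert, so chain length is bounded only by the caller's hasher, which is not visible in this file.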
@@ -0,0 +1,70 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#ifndef __dnscap_hashtbl_h +#define __dnscap_hashtbl_h + +#define HASHTBL_EARGS -1 +#define HASHTBL_ENOMEM -2 + +typedef struct hashitem hashitem; + +struct hashitem { + const void* key; + void* data; + hashitem* next; +}; + +typedef unsigned int (*hashkey_func)(const void* key); +typedef int (*hashkeycmp_func)(const void* a, const void* b); +typedef void (*hashfree_func)(void* data); + +typedef struct hashtbl hashtbl; +struct hashtbl { + unsigned int modulus; + hashitem** items; + + hashkey_func hasher; + hashkeycmp_func keycmp; + hashfree_func datafree; +}; + +hashtbl* hash_create(unsigned int N, hashkey_func hasher, hashkeycmp_func cmp, hashfree_func datafree); +int hash_add(const void* key, void* data, hashtbl* tbl); +void* hash_find(const void* key, hashtbl* tbl); +void hash_remove(const void* key, hashtbl* tbl); +void hash_free(hashtbl* tbl); +void hash_destroy(hashtbl* tbl); + +#endif // __dnscap_hashtbl_h diff --git a/src/iaddr.c b/src/iaddr.c new file mode 100644 index 0000000..2c5cbeb --- /dev/null +++ b/src/iaddr.c 
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "iaddr.h"
+
+const char* ia_str(iaddr ia)
+{
+ static char inet[INET_ADDRSTRLEN], inet6[INET6_ADDRSTRLEN];
+
+ switch (ia.af) {
+ case AF_INET:
+ if (inet_ntop(ia.af, &ia.u, inet, sizeof(inet)))
+ return inet;
+ return "255.255.255.255";
+ case AF_INET6:
+ if (inet_ntop(ia.af, &ia.u, inet6, sizeof(inet6)))
+ return inet6;
+ return "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff";
+ }
+
+ return "UNKNOWN";
+}
+
+int ia_equal(iaddr x, iaddr y)
+{
+ if (x.af != y.af)
+ return FALSE;
+ switch (x.af) {
+ case AF_INET:
+ return (x.u.a4.s_addr == y.u.a4.s_addr);
+ case AF_INET6:
+ return (memcmp(&x.u.a6.s6_addr, &y.u.a6.s6_addr, sizeof(x.u.a6.s6_addr)) == 0);
+ }
+ return FALSE;
+}
diff --git a/src/iaddr.h b/src/iaddr.h
new file mode 100644
index 0000000..0c255bd
--- /dev/null
+++ b/src/iaddr.h
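Review bot: `ia_str()` in src/iaddr.c returns a pointer into one of two function-static buffers, so two calls for the same address family inside one format call (source and destination of a packet, say) yield the same pointer and print the second address twice. The function needs a header comment stating this, along the lines of `/* Returns a per-family static buffer; the result is overwritten by the next call for the same family and is not reentrant. */`. The failure paths also return `"255.255.255.255"` and the all-ones IPv6 literal, which read as real addresses in capture output; returning a marker such as the existing `"UNKNOWN"` would keep a formatting failure distinguishable, provided no caller parses the returned string (callers are not visible in this hunk).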
@@ -0,0 +1,43 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "dnscap.h" + +#ifndef __dnscap_iaddr_h +#define __dnscap_iaddr_h + +const char* ia_str(iaddr ia); +int ia_equal(iaddr x, iaddr y); + +#endif /* __dnscap_iaddr_h */ diff --git a/src/log.c b/src/log.c new file mode 100644 index 0000000..a82d040 --- /dev/null +++ b/src/log.c 
@@ -0,0 +1,52 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#include "log.h" + +int logerr(const char* fmt, ...) +{ + va_list ap; + int x = 1; + va_start(ap, fmt); + if (background) + vsyslog(LOG_NOTICE, fmt, ap); + else { + x = vfprintf(stderr, fmt, ap); + fputc('\n', stderr); + } + va_end(ap); + return x; +} diff --git a/src/log.h b/src/log.h new file mode 100644 index 0000000..7bee5b1 
--- /dev/null +++ b/src/log.h @@ -0,0 +1,42 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "dnscap.h" + +#ifndef __dnscap_log_h +#define __dnscap_log_h + +int logerr(const char* fmt, ...); + +#endif /* __dnscap_log_h */ diff --git a/src/memzero.c b/src/memzero.c new file mode 100644 index 0000000..98a3c0b --- /dev/null +++ b/src/memzero.c 
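Review bot: The `logerr()` prototype in src/log.h carries no printf format attribute, so the compiler cannot check the arguments at call sites such as `logerr("system: \"%s\" returned %d", cmd, x)` in src/dumper.c, nor warn when a non-literal string is passed as `fmt`. Declaring it as `int logerr(const char* fmt, ...) __attribute__((format(printf, 1, 2)));` enables those checks on the gcc and clang builds listed in .travis.yml; if other compilers are supported the attribute should sit behind a macro. A one-line comment that the message goes to syslog when `background` is set and to stderr otherwise would document what src/log.c does.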
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#if defined(__FreeBSD__)
+#include <strings.h>
+#elif defined(__OpenBSD__)
+#include <string.h>
+#else
+#ifndef __STDC_WANT_LIB_EXT1__
+#define __STDC_WANT_LIB_EXT1__ 1
+#endif
+#include <string.h>
+#endif
+
+void dnscap_memzero(void* const pnt, const size_t len)
+{
+#if defined(__FreeBSD__) || defined(__OpenBSD__)
+ explicit_bzero(pnt, len);
+#elif defined(__STDC_LIB_EXT1__)
+ memset_s(pnt, 0, len);
+#else
+ volatile unsigned char* volatile pnt_ = (volatile unsigned char* volatile)pnt;
+ size_t i = (size_t)0U;
+
+ while (i < len) {
+ pnt_[i++] = 0U;
+ }
+#endif
+}
diff --git a/src/memzero.h b/src/memzero.h
new file mode 100644
index 0000000..e25d81c
--- /dev/null
+++ b/src/memzero.h
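Review bot: The `__STDC_LIB_EXT1__` branch of `dnscap_memzero()` in src/memzero.c calls `memset_s(pnt, 0, len)` with three arguments, but the C11 Annex K function takes four (`s, smax, c, n`). On a libc that defines `__STDC_LIB_EXT1__` this branch should not compile as written; the call would be `memset_s(pnt, (rsize_t)len, 0, (rsize_t)len);`. The file also never includes memzero.h, so the definition is not checked against its own prototype; adding `#include "memzero.h"` after config.h closes that gap. A short comment on the volatile fallback loop saying that it exists so the compiler cannot drop the wipe as a dead store would explain why plain `memset()` is not used there.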
@@ -0,0 +1,40 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef __dnscap_memzero_h +#define __dnscap_memzero_h + +void dnscap_memzero(void* const pnt, const size_t len); + +#endif /* __dnscap_memzero_h */ diff --git a/src/network.c b/src/network.c new file mode 100644 index 0000000..d0a4242 --- /dev/null +++ b/src/network.c 
@@ -0,0 +1,1834 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */ + +#include "config.h" + +#include "network.h" +#include "iaddr.h" +#include "log.h" +#include "pcaps.h" +#include "dumper.h" +#include "endpoint.h" +#include "tcpstate.h" +#include "tcpreasm.h" +#include "endian_compat.h" + +#include <ldns/ldns.h> + +struct ip6_hdr* network_ipv6 = 0; +struct ip* network_ip = 0; +struct udphdr* network_udp = 0; + +extern tcpstate_ptr _curr_tcpstate; /* from tcpstate.c */ + +static inline uint16_t _need16(const void* ptr) +{ + uint16_t v; + memcpy(&v, ptr, sizeof(v)); + return be16toh(v); +} + +static inline uint32_t _need32(const void* ptr) +{ + uint32_t v; + memcpy(&v, ptr, sizeof(v)); + return be32toh(v); +} + +static int skip_vlan(unsigned vlan) +{ + if (!EMPTY(vlans_excl)) { + vlan_ptr vl; + + for (vl = HEAD(vlans_excl); vl != NULL; vl = NEXT(vl, link)) { + if (vl->vlan == vlan || vl->vlan == MAX_VLAN) + break; + } + + /* + * If there is no VLAN matching the packet, skip it + */ + if (vl == NULL) + return 1; + } else if (!EMPTY(vlans_incl)) { + vlan_ptr vl; + + for (vl = HEAD(vlans_incl); vl != NULL; vl = NEXT(vl, link)) { + if (vl->vlan == vlan || vl->vlan == MAX_VLAN) + break; + } + + /* + * If there is no VLAN matching the packet, and the packet is tagged, skip it + */ + if (vl == NULL && vlan != MAX_VLAN) + return 1; + } + + return 0; +} + +void layer_pkt(u_char* user, const pcap_thread_packet_t* packet, const u_char* payload, size_t length) +{ + mypcap_ptr mypcap = (mypcap_ptr)user; + size_t len; + unsigned vlan; + const pcap_thread_packet_t *prevpkt, *firstpkt = packet; + char descr[200]; + + if (!mypcap) + return; + if (!packet) + return; + + while (firstpkt->have_prevpkt) { + if (firstpkt->have_pkthdr) + break; + firstpkt = firstpkt->prevpkt; + } + if (!firstpkt->have_pkthdr) + return; + + if (only_offline_pcaps && start_time != 0 && firstpkt->pkthdr.ts.tv_sec < start_time) + return; + + len = firstpkt->pkthdr.caplen; + + last_ts = firstpkt->pkthdr.ts; + if (stop_time != 0 && firstpkt->pkthdr.ts.tv_sec >= 
stop_time) { + breakloop_pcaps(); + main_exit = TRUE; + } + + if (main_exit) + return; + + /* If ever SNAPLEN wasn't big enough, we have no recourse. */ + if (firstpkt->pkthdr.len != firstpkt->pkthdr.caplen) + return; + + vlan = MAX_VLAN; + for (prevpkt = packet; prevpkt; prevpkt = prevpkt->prevpkt) { + if (prevpkt->have_ieee802hdr) { + /* TODO: Only match first found VLAN or all? */ + vlan = prevpkt->ieee802hdr.vid; + len -= 4; + break; + } + if (!prevpkt->have_prevpkt) + break; + } + if (skip_vlan(vlan)) { + return; + } + + descr[0] = 0; + if (preso) { + char when[100]; + struct tm tm; + time_t t; + + /* + * Reduce `len` to report same captured length as `dl_pkt` + */ + for (prevpkt = packet; len && prevpkt; prevpkt = prevpkt->prevpkt) { + if (prevpkt->have_nullhdr) { + if (len > sizeof(prevpkt->nullhdr)) + len -= sizeof(prevpkt->nullhdr); + else + len = 0; + } + if (prevpkt->have_loophdr) { + if (len > sizeof(prevpkt->loophdr)) + len -= sizeof(prevpkt->loophdr); + else + len = 0; + } + if (prevpkt->have_ethhdr) { + if (len > sizeof(prevpkt->ethhdr)) + len -= sizeof(prevpkt->ethhdr); + else + len = 0; + } + if (prevpkt->have_linux_sll) { + if (len > sizeof(prevpkt->linux_sll)) + len -= sizeof(prevpkt->linux_sll); + else + len = 0; + } + + if (!prevpkt->have_prevpkt) + break; + } + + t = (time_t)firstpkt->pkthdr.ts.tv_sec; + gmtime_r(&t, &tm); + strftime(when, sizeof(when), "%Y-%m-%d %T", &tm); + + if (vlan != MAX_VLAN) { + snprintf(descr, sizeof(descr), "[%lu] %s.%06lu [#%ld %s (vlan %u) %u] \\\n", + (u_long)len, + when, + (u_long)firstpkt->pkthdr.ts.tv_usec, + (long)msgcount, + mypcap->name ? mypcap->name : "\"some interface\"", + vlan, + vlan); + } else { + snprintf(descr, sizeof(descr), "[%lu] %s.%06lu [#%ld %s %u] \\\n", + (u_long)len, + when, + (u_long)firstpkt->pkthdr.ts.tv_usec, + (long)msgcount, + mypcap->name ? 
mypcap->name : "\"some interface\"", + vlan); + } + } + + if (next_interval != 0 && firstpkt->pkthdr.ts.tv_sec >= next_interval) { + if (preso) + goto breakloop; + if (dumper_opened == dump_state) + dumper_close(firstpkt->pkthdr.ts); + if (dump_type == to_stdout) + goto breakloop; + } + if (dumper_closed == dump_state && dumper_open(firstpkt->pkthdr.ts)) + goto breakloop; + + network_pkt2(descr, firstpkt->pkthdr.ts, packet, payload, length); + + if (limit_packets != 0U && msgcount == limit_packets) { + if (preso) + goto breakloop; + if (dumper_opened == dump_state && dumper_close(firstpkt->pkthdr.ts)) + goto breakloop; + msgcount = 0; + } + + if (limit_pcapfilesize != 0U && capturedbytes >= limit_pcapfilesize) { + if (preso) { + goto breakloop; + } + if (dumper_opened == dump_state && dumper_close(firstpkt->pkthdr.ts)) { + goto breakloop; + } + capturedbytes = 0; + } + + return; +breakloop: + breakloop_pcaps(); + main_exit = TRUE; +} + +void dl_pkt(u_char* user, const struct pcap_pkthdr* hdr, const u_char* pkt, const char* name, const int dlt) +{ + mypcap_ptr mypcap = (mypcap_ptr)user; + size_t len = hdr->caplen; + unsigned etype, vlan, pf; + char descr[512]; + + if (only_offline_pcaps && start_time != 0 && hdr->ts.tv_sec < start_time) + return; + + last_ts = hdr->ts; + if (stop_time != 0 && hdr->ts.tv_sec >= stop_time) { + breakloop_pcaps(); + main_exit = TRUE; + } + + if (main_exit) + return; + + /* If ever SNAPLEN wasn't big enough, we have no recourse. */ + if (hdr->len != hdr->caplen) + return; + + /* Data link. 
*/ + vlan = MAX_VLAN; /* MAX_VLAN (0xFFF) is reserved and shouldn't appear on the wire */ + switch (dlt) { + case DLT_NULL: { + uint32_t x; + + if (len < 4) + return; + x = _need32(pkt); + if (x == PF_INET) + etype = ETHERTYPE_IP; + else if (x == PF_INET6) + etype = ETHERTYPE_IPV6; + else + return; + pkt += 4; + len -= 4; + break; + } + case DLT_LOOP: { + uint32_t x; + + if (len < 4) + return; + x = _need32(pkt); + if (x == PF_INET) + etype = ETHERTYPE_IP; + else if (x == PF_INET6) + etype = ETHERTYPE_IPV6; + else + return; + pkt += 4; + len -= 4; + break; + } + case DLT_RAW: { + if (len < 1) + return; + switch (*(const uint8_t*)pkt >> 4) { + case 4: + etype = ETHERTYPE_IP; + break; + case 6: + etype = ETHERTYPE_IPV6; + break; + default: + return; + } + break; + } + case DLT_EN10MB: { + const struct ether_header* ether; + + if (len < ETHER_HDR_LEN) + return; + ether = (const struct ether_header*)pkt; + etype = ntohs(ether->ether_type); + pkt += ETHER_HDR_LEN; + len -= ETHER_HDR_LEN; + if (etype == ETHERTYPE_VLAN) { + if (len < 4) + return; + vlan = _need16(pkt) & 0xFFF; + pkt += 2; + len -= 2; + etype = _need16(pkt); + pkt += 2; + len -= 2; + } + break; + } +#ifdef DLT_LINUX_SLL + case DLT_LINUX_SLL: { + if (len < 16) + return; + etype = _need16(&pkt[14]); + pkt += 16; + len -= 16; + break; + } +#endif + default: + return; + } + + if (!EMPTY(vlans_excl)) { + vlan_ptr vl; + + for (vl = HEAD(vlans_excl); + vl != NULL; + vl = NEXT(vl, link)) + if (vl->vlan == vlan || vl->vlan == MAX_VLAN) + break; + /* + * If there is no VLAN matching the packet, skip it + */ + if (vl == NULL) + return; + } else if (!EMPTY(vlans_incl)) { + vlan_ptr vl; + + for (vl = HEAD(vlans_incl); + vl != NULL; + vl = NEXT(vl, link)) + if (vl->vlan == vlan || vl->vlan == MAX_VLAN) + break; + /* + * If there is no VLAN matching the packet, and the packet is tagged, skip it + */ + if (vl == NULL && vlan != MAX_VLAN) + return; + } + + switch (etype) { + case ETHERTYPE_IP: + pf = PF_INET; + break; + 
case ETHERTYPE_IPV6: + pf = PF_INET6; + break; + default: + return; + } + + if (preso) { + char when[100], via[100]; + const char* viap; + struct tm tm; + time_t t; + + t = (time_t)hdr->ts.tv_sec; + gmtime_r(&t, &tm); + strftime(when, sizeof when, "%Y-%m-%d %T", &tm); + if (vlan != MAX_VLAN) { + snprintf(via, sizeof(via), "%s (vlan %u)", mypcap->name ? mypcap->name : "\"some interface\"", vlan); + viap = via; + } else if (mypcap->name) { + viap = mypcap->name; + } else { + viap = "\"some interface\""; + } + snprintf(descr, sizeof(descr), "[%lu] %s.%06lu [#%ld %s %u] \\\n", + (u_long)len, when, (u_long)hdr->ts.tv_usec, (long)msgcount, viap, vlan); + } else { + descr[0] = '\0'; + } + + if (next_interval != 0 && hdr->ts.tv_sec >= next_interval) { + if (preso) + goto breakloop; + if (dumper_opened == dump_state) + dumper_close(hdr->ts); + if (dump_type == to_stdout) + goto breakloop; + } + if (dumper_closed == dump_state && dumper_open(hdr->ts)) + goto breakloop; + + network_pkt(descr, hdr->ts, pf, pkt, len); + + if (limit_packets != 0U && msgcount == limit_packets) { + if (preso) + goto breakloop; + if (dumper_opened == dump_state && dumper_close(hdr->ts)) + goto breakloop; + msgcount = 0; + } + + if (limit_pcapfilesize != 0U && capturedbytes >= limit_pcapfilesize) { + if (preso) { + goto breakloop; + } + if (dumper_opened == dump_state && dumper_close(hdr->ts)) { + goto breakloop; + } + capturedbytes = 0; + } + + return; +breakloop: + breakloop_pcaps(); + main_exit = TRUE; +} + +void network_pkt2(const char* descr, my_bpftimeval ts, const pcap_thread_packet_t* packet, const u_char* payload, size_t length) +{ + u_char pkt_copy[SNAPLEN], *pkt = pkt_copy; + const u_char* dnspkt = 0; + unsigned proto, sport, dport; + iaddr from, to, initiator, responder; + int response, m; + unsigned flags = DNSCAP_OUTPUT_ISLAYER; + tcpstate_ptr tcpstate = NULL; + size_t len, dnslen = 0; + HEADER dns; + ldns_pkt* lpkt = 0; + + /* Make a writable copy of the packet and use that copy from 
now on. */ + if (length > SNAPLEN) + return; + memcpy(pkt, payload, len = length); + + /* Network. */ + sport = dport = 0; + if (packet->have_iphdr) { + if (dumptrace >= 4) + fprintf(stderr, "processing IPv4 packet: len=%zu\n", length); + + memset(&from, 0, sizeof from); + from.af = AF_INET; + memcpy(&from.u.a4, &(packet->iphdr.ip_src), sizeof(struct in_addr)); + memset(&to, 0, sizeof to); + to.af = AF_INET; + memcpy(&to.u.a4, &(packet->iphdr.ip_dst), sizeof(struct in_addr)); + } else if (packet->have_ip6hdr) { + if (dumptrace >= 4) + fprintf(stderr, "processing IPv6 packet: len=%zu\n", length); + + memset(&from, 0, sizeof from); + from.af = AF_INET6; + memcpy(&from.u.a6, &(packet->ip6hdr.ip6_src), sizeof(struct in6_addr)); + memset(&to, 0, sizeof to); + to.af = AF_INET6; + memcpy(&to.u.a6, &(packet->ip6hdr.ip6_dst), sizeof(struct in6_addr)); + } else { + if (dumptrace >= 4) + fprintf(stderr, "processing unknown packet: len=%zu\n", length); + from.af = AF_UNSPEC; + to.af = AF_UNSPEC; + } + + /* Transport. */ + if (packet->have_icmphdr) { + output(descr, from, to, IPPROTO_ICMP, flags, sport, dport, ts, pkt_copy, length, pkt, len); + return; + } else if (packet->have_icmpv6hdr) { + output(descr, from, to, IPPROTO_ICMPV6, flags, sport, dport, ts, pkt_copy, length, pkt, len); + return; + } else if (packet->have_udphdr) { + proto = IPPROTO_UDP; + sport = packet->udphdr.uh_sport; + dport = packet->udphdr.uh_dport; + dnspkt = payload; + dnslen = length; + flags |= DNSCAP_OUTPUT_ISDNS; + } else if (packet->have_tcphdr) { + uint32_t seq = packet->tcphdr.th_seq; + + proto = IPPROTO_TCP; + sport = packet->tcphdr.th_sport; + dport = packet->tcphdr.th_dport; + + /* + * TCP processing. + * + * We need to capture enough to allow a later analysis to + * reassemble the TCP stream, but we don't want to keep all + * the state required to do reassembly here. 
+ * When we get a SYN, we don't yet know if the DNS message + * will pass the filters, so we always output it, and also + * generate a tcpstate to keep track of the stream. (An + * alternative would be to store the SYN packet on the + * tcpstate and not output it until a later packet passes the + * filter, but that would require more memory and would + * reorder packets in the pcap output.) + * When we get the _first_ DNS header on the stream, then we + * can apply the DNS header filters; if the packet passes, we + * output the packet and keep the tcpstate; if it fails, we + * discard the packet and the tcpstate. + * When we get any other packet with DNS payload, we output it + * only if there is a corresponding tcpstate indicating that + * the header passed the filters. + * Packets with no TCP payload (e.g., packets containing only + * an ACK) are discarded, since they carry no DNS information + * and are not needed for stream reassembly. + * FIN packets are always output to match the SYN, even if the + * DNS header failed the filter, to be friendly to later + * analysis programs that allocate state for each SYN. + * -- kkeys@caida.org + */ + + tcpstate = tcpstate_find(from, to, sport, dport, ts.tv_sec); + if (dumptrace >= 3) { + fprintf(stderr, "%s: tcp pkt: %lu.%06lu [%4lu] %15s -> ", + ProgramName, + (u_long)ts.tv_sec, + (u_long)ts.tv_usec, + (u_long)len, + ia_str(from)); + fprintf(stderr, "%15s; ", ia_str(to)); + + if (tcpstate) + fprintf(stderr, "want=%08x; ", tcpstate->start); + else + fprintf(stderr, "no state; "); + + fprintf(stderr, "seq=%08x; ", seq); + } + if (packet->tcphdr.th_flags & (TH_FIN | TH_RST)) { + if (dumptrace >= 3) + fprintf(stderr, "FIN|RST\n"); + + /* Always output FIN and RST segments. */ + _curr_tcpstate = tcpstate; + output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, length, NULL, 0); + _curr_tcpstate = 0; + + /* End of stream; deallocate the tcpstate. 
*/ + if (tcpstate) { + UNLINK(tcpstates, tcpstate, link); + if (tcpstate->reasm) { + tcpreasm_free(tcpstate->reasm); + } + free(tcpstate); + tcpstate_count--; + } + return; + } + if (packet->tcphdr.th_flags & TH_SYN) { + if (dumptrace >= 3) + fprintf(stderr, "SYN\n"); + + if (tcpstate) { + if (tcpstate->start == seq + 1) { + /* repeated SYN */ + } else { + /* Assume existing state is stale and recycle it. */ + + /* + * Disabled because warning may scare user, and + * there's nothing else we can do anyway. + */ + + /* + if (ts.tv_sec - tcpstate->last_use < MAX_TCP_IDLE_TIME) + fprintf(stderr, "warning: recycling state for " + "duplicate tcp stream after only %ld " + "seconds idle\n", + (u_long)(ts.tv_sec - tcpstate->last_use)); + */ + } + } else { + /* create new tcpstate */ + tcpstate = tcpstate_new(from, to, sport, dport); + } + tcpstate->last_use = ts.tv_sec; + tcpstate->start = seq + 1; /* add 1 for the SYN */ + tcpstate->maxdiff = 1; + tcpstate->dnslen = 0; + tcpstate->lastdns = 0; + + /* Always output SYN segments. 
*/ + _curr_tcpstate = tcpstate; + output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, length, NULL, 0); + _curr_tcpstate = 0; + + return; + } + if (options.parse_ongoing_tcp && !tcpstate && len) { + tcpstate = tcpstate_new(from, to, sport, dport); + tcpstate->last_use = ts.tv_sec; + tcpstate->start = seq; + tcpstate->maxdiff = 0; + tcpstate->dnslen = 0; + tcpstate->lastdns = seq; + } + if (tcpstate && options.reassemble_tcp) { + if (!tcpstate->reasm) { + if (!(tcpstate->reasm = calloc(1, sizeof(tcpreasm_t)))) { + logerr("out of memory, TCP reassembly failed"); + return; + } + tcpstate->reasm->seq_start = tcpstate->start; + tcpstate->reasm->seq_bfb = tcpstate->start; + } + if (options.allow_reset_tcpstate) { + if (tcpstate->reasm_faults > options.reassemble_tcp_faultreset) { + if (dumptrace >= 3) + fprintf(stderr, "fault reset "); + tcpstate_reset(tcpstate, "too many reassembly faults"); + tcpstate->reasm->seq_start = seq; + tcpstate->reasm->seq_bfb = seq; + tcpstate->reasm_faults = 0; + } + if (dumptrace >= 3) + fprintf(stderr, "reassemble\n"); + if (pcap_handle_tcp_segment(pkt, len, seq, tcpstate)) { + tcpstate->reasm_faults++; + } + } else { + if (dumptrace >= 3) + fprintf(stderr, "reassemble\n"); + (void)pcap_handle_tcp_segment(pkt, len, seq, tcpstate); + } + } else if (tcpstate) { + uint32_t seqdiff = seq - tcpstate->start; + + tcpstate->currseq = seq; + tcpstate->currlen = len; + + if (options.allow_reset_tcpstate && tcpstate->lastdns && seq > tcpstate->lastdns + 2) { + /* + * seq received is beyond where we expect next DNS message + * to be, reset tcpstate and continue + */ + tcpstate->maxdiff = 0; + tcpstate->dnslen = 0; + tcpstate->lastdns = seq; + } + + if (dumptrace >= 3) + fprintf(stderr, "diff=%08x; lastdns=%08x; ", seqdiff, tcpstate->lastdns); + + if (tcpstate->lastdns && seq == tcpstate->lastdns && len > 2) { + if (dumptrace >= 3) + fprintf(stderr, "+len+hdr\n"); + dnslen = tcpstate->dnslen = (pkt[0] << 8) | (pkt[1] << 0); + dnspkt = pkt 
+ 2; + if (dnslen > len - 2) + dnslen = len - 2; + flags |= DNSCAP_OUTPUT_ISDNS; + tcpstate->maxdiff = (uint32_t)len; + tcpstate->lastdns = seq + 2 + tcpstate->dnslen; + } else if (tcpstate->lastdns && seq == tcpstate->lastdns && len == 2) { + if (dumptrace >= 3) + fprintf(stderr, "+len\n"); + tcpstate->dnslen = (pkt[0] << 8) | (pkt[1] << 0); + tcpstate->maxdiff = (uint32_t)len; + + _curr_tcpstate = tcpstate; + output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, length, NULL, 0); + _curr_tcpstate = 0; + return; + } else if (tcpstate->lastdns && ((seq == tcpstate->lastdns && len == 1) || seqdiff == 1)) { + tcpstate_discard(tcpstate, NULL); + return; + } else if (tcpstate->lastdns && seq == tcpstate->lastdns + 2) { + if (dumptrace >= 3) + fprintf(stderr, "+hdr\n"); + tcpstate->maxdiff = seqdiff + (uint32_t)len; + dnslen = tcpstate->dnslen; + dnspkt = pkt; + if (dnslen == 0) /* we never received it */ + dnslen = len; + if (dnslen > len) + dnslen = len; + flags |= DNSCAP_OUTPUT_ISDNS; + tcpstate->lastdns = seq + tcpstate->dnslen; + } else if (seqdiff == 0 && len > 2) { + if (dumptrace >= 3) + fprintf(stderr, "len+hdr\n"); + + /* + * This is the first segment of the stream, and + * contains the dnslen and dns header, so we can + * filter on it. + */ + dnslen = tcpstate->dnslen = (pkt[0] << 8) | (pkt[1] << 0); + dnspkt = pkt + 2; + if (dnslen > len - 2) + dnslen = len - 2; + flags |= DNSCAP_OUTPUT_ISDNS; + tcpstate->maxdiff = (uint32_t)len; + tcpstate->lastdns = seq + 2 + tcpstate->dnslen; + } else if (seqdiff == 0 && len == 2) { + if (dumptrace >= 3) + fprintf(stderr, "len\n"); + + /* + * This is the first segment of the stream, but only + * contains the dnslen. 
+ */ + tcpstate->dnslen = (pkt[0] << 8) | (pkt[1] << 0); + tcpstate->maxdiff = (uint32_t)len; + + _curr_tcpstate = tcpstate; + output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, length, NULL, 0); + _curr_tcpstate = 0; + return; + } else if ((seqdiff == 0 && len == 1) || seqdiff == 1) { + /* shouldn't happen */ + tcpstate_discard(tcpstate, NULL); + return; + } else if (seqdiff == 2) { + if (dumptrace >= 3) + fprintf(stderr, "hdr\n"); + + /* + * This is not the first segment, but it does contain + * the first dns header, so we can filter on it. + */ + tcpstate->maxdiff = seqdiff + (uint32_t)len; + dnslen = tcpstate->dnslen; + dnspkt = pkt; + if (dnslen == 0) /* we never received it */ + dnslen = len; + if (dnslen > len) + dnslen = len; + flags |= DNSCAP_OUTPUT_ISDNS; + tcpstate->lastdns = seq + tcpstate->dnslen; + } else if (seqdiff > tcpstate->maxdiff + MAX_TCP_WINDOW) { + if (dumptrace >= 3) + fprintf(stderr, "out of window\n"); + + /* This segment is outside the window. */ + return; + } else if (len == 0) { + if (dumptrace >= 3) + fprintf(stderr, "empty\n"); + + /* No payload (e.g., an ACK) */ + return; + } else { + if (dumptrace >= 3) + fprintf(stderr, "keep\n"); + + /* non-first */ + if (tcpstate->maxdiff < seqdiff + (uint32_t)len) + tcpstate->maxdiff = seqdiff + (uint32_t)len; + + _curr_tcpstate = tcpstate; + output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, length, NULL, 0); + _curr_tcpstate = 0; + return; + } + } else { + if (dumptrace >= 3) + fprintf(stderr, "no state\n"); + + /* + * There is no state for this stream. Either we never saw + * a SYN for this stream, or we have already decided to + * discard this stream. 
+ */ + return; + } + } else { + return; + } + + for (m = 0; m < MAX_TCP_DNS_MSG; m++) { + if (tcpstate && tcpstate->reasm) { + if (!tcpstate->reasm->dnsmsg[m]) + continue; + dnslen = tcpstate->reasm->dnsmsg[m]->dnslen; + dnspkt = tcpstate->reasm->dnsmsg[m]->dnspkt; + flags |= DNSCAP_OUTPUT_ISDNS; + if (tcpstate->reasm->dnsmsg[m]->segments_seen > 1) { + /* emulate dnslen in own packet */ + _curr_tcpstate = tcpstate; + output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, length, NULL, 0); + _curr_tcpstate = 0; + } + } + + /* Application. */ + if (!dnspkt) { + tcpstate_discard(tcpstate, "no dns"); + return; + } + if (dnslen < sizeof dns) { + tcpstate_discard(tcpstate, "too small"); + return; + } + memcpy(&dns, dnspkt, sizeof dns); + + /* Policy filtering. */ + if (dns.qr == 0 && dport == dns_port) { + if ((dir_wanted & DIR_INITIATE) == 0) { + tcpstate_discard(tcpstate, "unwanted dir=i"); + return; + } + initiator = from; + responder = to; + response = FALSE; + } else if (dns.qr != 0 && sport == dns_port) { + if ((dir_wanted & DIR_RESPONSE) == 0) { + tcpstate_discard(tcpstate, "unwanted dir=r"); + return; + } + initiator = to; + responder = from; + response = TRUE; + } else { + tcpstate_discard(tcpstate, "unwanted direction/port"); + return; + } + if ((!EMPTY(initiators) && !ep_present(&initiators, initiator)) || (!EMPTY(responders) && !ep_present(&responders, responder))) { + tcpstate_discard(tcpstate, "unwanted host"); + return; + } + if ((!EMPTY(not_initiators) && ep_present(¬_initiators, initiator)) || (!EMPTY(not_responders) && ep_present(¬_responders, responder))) { + tcpstate_discard(tcpstate, "missing required host"); + return; + } + if (!(((msg_wanted & MSG_QUERY) != 0 && dns.opcode == LDNS_PACKET_QUERY) || ((msg_wanted & MSG_UPDATE) != 0 && dns.opcode == LDNS_PACKET_UPDATE) || ((msg_wanted & MSG_NOTIFY) != 0 && dns.opcode == LDNS_PACKET_NOTIFY))) { + tcpstate_discard(tcpstate, "unwanted opcode"); + return; + } + if (response) { + int match_tc = 
(dns.tc != 0 && err_wanted & ERR_TRUNC); + int match_rcode = err_wanted & (ERR_RCODE_BASE << dns.rcode); + + if (!match_tc && !match_rcode) { + tcpstate_discard(tcpstate, "unwanted error code"); + return; + } + if (!EMPTY(drop_responders) && ep_present(&drop_responders, responder)) { + tcpstate_discard(tcpstate, "dropped response due to -Y"); + return; + } + } + if (!EMPTY(myregexes) || match_qtype || nmatch_qtype) { + if (ldns_wire2pkt(&lpkt, dnspkt, dnslen) != LDNS_STATUS_OK) { + /* DNS message may have padding, try get actual size */ + size_t dnslen2 = calcdnslen(dnspkt, dnslen); + if (dnslen2 > 0 && dnslen2 < dnslen) { + if (ldns_wire2pkt(&lpkt, dnspkt, dnslen2) != LDNS_STATUS_OK) { + tcpstate_discard(tcpstate, "failed parse"); + return; + } + } else { + tcpstate_discard(tcpstate, "failed parse"); + return; + } + } + } + if (match_qtype || nmatch_qtype) { + ldns_rr_list* rrs = ldns_pkt_question(lpkt); + if (!rrs) { + ldns_pkt_free(lpkt); + tcpstate_discard(tcpstate, "failed to get list of questions"); + return; + } + /* Look at each RR in the section (or each QNAME in + the question section). 
*/ + size_t i, n; + for (i = 0, n = ldns_rr_list_rr_count(rrs); i < n; i++) { + ldns_rr* rr = ldns_rr_list_rr(rrs, i); + if (!rr) { + ldns_pkt_free(lpkt); + tcpstate_discard(tcpstate, "failed to get question"); + return; + } + + if (match_qtype && ldns_rr_get_type(rr) != match_qtype) { + ldns_pkt_free(lpkt); + tcpstate_discard(tcpstate, "qtype not match"); + return; + } else if (nmatch_qtype && ldns_rr_get_type(rr) == nmatch_qtype) { + ldns_pkt_free(lpkt); + tcpstate_discard(tcpstate, "!qtype match"); + return; + } + } + } + if (!EMPTY(myregexes)) { + int match, negmatch; + ldns_buffer* buf = ldns_buffer_new(512); + + if (!buf) { + fprintf(stderr, "%s: out of memory", ProgramName); + exit(1); + } + + match = -1; + negmatch = -1; + /* Look at each section of the message: + question, answer, authority, additional */ + ldns_rr_list* rrs = ldns_pkt_all(lpkt); + if (!rrs) { + ldns_pkt_free(lpkt); + ldns_buffer_free(buf); + tcpstate_discard(tcpstate, "failed to get list of RRs"); + return; + } + /* Look at each RR in the section (or each QNAME in + the question section). 
*/ + size_t i, n; + for (i = 0, n = ldns_rr_list_rr_count(rrs); i < n; i++) { + ldns_rr* rr = ldns_rr_list_rr(rrs, i); + if (!rr) { + ldns_rr_list_free(rrs); + ldns_pkt_free(lpkt); + ldns_buffer_free(buf); + tcpstate_discard(tcpstate, "failed to get RR"); + return; + } + + ldns_buffer_clear(buf); + if (ldns_rdf2buffer_str(buf, ldns_rr_owner(rr)) != LDNS_STATUS_OK) { + ldns_rr_list_free(rrs); + ldns_pkt_free(lpkt); + ldns_buffer_free(buf); + tcpstate_discard(tcpstate, "failed to get RR"); + return; + } + + myregex_ptr myregex; + for (myregex = HEAD(myregexes); + myregex != NULL; + myregex = NEXT(myregex, link)) { + if (myregex->not ) { + if (negmatch < 0) + negmatch = 0; + } else { + if (match < 0) + match = 0; + } + + if (regexec(&myregex->reg, (char*)ldns_buffer_begin(buf), 0, NULL, 0) == 0) { + if (myregex->not ) + negmatch++; + else + match++; + + if (dumptrace >= 2) + fprintf(stderr, + "; \"%s\" %s~ /%s/ %d %d\n", + (char*)ldns_buffer_begin(buf), + myregex->not ? "!" : "", + myregex->str, + match, + negmatch); + } + } + } + ldns_rr_list_free(rrs); + ldns_buffer_free(buf); + + /* + * Fail if any negative matching or if no match, match can be -1 which + * indicates that there are only negative matching + */ + if (negmatch > 0 || match == 0) { + ldns_pkt_free(lpkt); + tcpstate_discard(tcpstate, "failed regex match"); + return; + } + } + if (lpkt) { + ldns_pkt_free(lpkt); + } + + /* + * TODO: Policy hiding. 
+ */ + + _curr_tcpstate = tcpstate; + output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, length, dnspkt, dnslen); + _curr_tcpstate = 0; + + if (tcpstate && tcpstate->reasm) { + free(tcpstate->reasm->dnsmsg[m]); + tcpstate->reasm->dnsmsg[m] = 0; + tcpstate->reasm->dnsmsgs--; + } else + break; + } +} + +void network_pkt(const char* descr, my_bpftimeval ts, unsigned pf, + const u_char* opkt, size_t olen) +{ + u_char pkt_copy[SNAPLEN], *pkt = pkt_copy; + const u_char* dnspkt = 0; + unsigned proto, sport, dport; + iaddr from, to, initiator, responder; + struct ip6_hdr* ipv6; + int response, m; + unsigned flags = 0; + struct udphdr* udp = NULL; + struct tcphdr* tcp = NULL; + tcpstate_ptr tcpstate = NULL; + struct ip* ip; + size_t len, dnslen = 0; + HEADER dns; + ldns_pkt* lpkt = 0; + + if (dumptrace >= 4) + fprintf(stderr, "processing %s packet: len=%zu\n", (pf == PF_INET ? "IPv4" : (pf == PF_INET6 ? "IPv6" : "unknown")), olen); + + /* Make a writable copy of the packet and use that copy from now on. */ + memcpy(pkt, opkt, len = olen); + + /* Network. 
*/ + ip = NULL; + ipv6 = NULL; + sport = dport = 0; + switch (pf) { + case PF_INET: { + unsigned offset; + + if (len < sizeof *ip) + return; + network_ip = ip = (void*)pkt; + network_ipv6 = 0; + if (ip->ip_v != IPVERSION) + goto network_pkt_end; + proto = ip->ip_p; + memset(&from, 0, sizeof from); + from.af = AF_INET; + memcpy(&from.u.a4, &ip->ip_src, sizeof(struct in_addr)); + memset(&to, 0, sizeof to); + to.af = AF_INET; + memcpy(&to.u.a4, &ip->ip_dst, sizeof(struct in_addr)); + offset = ip->ip_hl << 2; + if (len > ntohs(ip->ip_len)) /* small IP packets have L2 padding */ + len = ntohs(ip->ip_len); + if (len <= (size_t)offset) + goto network_pkt_end; + pkt += offset; + len -= offset; + offset = ntohs(ip->ip_off); + if ((offset & IP_MF) != 0 || (offset & IP_OFFMASK) != 0) { + if (wantfrags) { + flags |= DNSCAP_OUTPUT_ISFRAG; + output(descr, from, to, ip->ip_p, flags, sport, dport, ts, pkt_copy, olen, NULL, 0); + goto network_pkt_end; + } + goto network_pkt_end; + } + break; + } + case PF_INET6: { + uint16_t payload_len; + uint8_t nexthdr; + unsigned offset; + + if (len < sizeof *ipv6) + return; + network_ipv6 = ipv6 = (void*)pkt; + network_ip = 0; + if ((ipv6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) + goto network_pkt_end; + + nexthdr = ipv6->ip6_nxt; + offset = sizeof(struct ip6_hdr); + payload_len = ntohs(ipv6->ip6_plen); + + memset(&from, 0, sizeof from); + from.af = AF_INET6; + memcpy(&from.u.a6, &ipv6->ip6_src, sizeof(struct in6_addr)); + memset(&to, 0, sizeof to); + to.af = AF_INET6; + memcpy(&to.u.a6, &ipv6->ip6_dst, sizeof(struct in6_addr)); + + while (nexthdr == IPPROTO_ROUTING || /* routing header */ + nexthdr == IPPROTO_HOPOPTS || /* Hop-by-Hop opts */ + nexthdr == IPPROTO_FRAGMENT || /* fragmentation hdr */ + nexthdr == IPPROTO_DSTOPTS || /* destination opts */ + nexthdr == IPPROTO_AH || /* destination opts */ + nexthdr == IPPROTO_ESP) /* encap sec payload */ + { + struct { + uint8_t nexthdr; + uint8_t length; + } ext_hdr; + uint16_t ext_hdr_len; 
+ + /* Catch broken packets */ + if ((offset + sizeof ext_hdr) > len) + goto network_pkt_end; + + /* Cannot handle fragments. */ + if (nexthdr == IPPROTO_FRAGMENT) { + if (wantfrags) { + flags |= DNSCAP_OUTPUT_ISFRAG; + output(descr, from, to, IPPROTO_FRAGMENT, flags, sport, dport, ts, pkt_copy, olen, NULL, 0); + goto network_pkt_end; + } + goto network_pkt_end; + } + + memcpy(&ext_hdr, (u_char*)ipv6 + offset, + sizeof ext_hdr); + nexthdr = ext_hdr.nexthdr; + ext_hdr_len = (8 * (ntohs(ext_hdr.length) + 1)); + + if (ext_hdr_len > payload_len) + goto network_pkt_end; + + offset += ext_hdr_len; + payload_len -= ext_hdr_len; + } + + if ((offset + payload_len) > len || payload_len == 0) + goto network_pkt_end; + + proto = nexthdr; + pkt += offset; + len -= offset; + break; + } + default: + goto network_pkt_end; + } + + /* Transport. */ + switch (proto) { + case IPPROTO_ICMP: + case IPPROTO_ICMPV6: + network_udp = 0; + output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, olen, pkt, len); + goto network_pkt_end; + case IPPROTO_UDP: { + if (len < sizeof *udp) + goto network_pkt_end; + network_udp = udp = (void*)pkt; + switch (from.af) { + case AF_INET: + case AF_INET6: + sport = ntohs(udp->uh_sport); + dport = ntohs(udp->uh_dport); + break; + default: + abort(); + } + pkt += sizeof *udp; + len -= sizeof *udp; + dnspkt = pkt; + dnslen = len; + flags |= DNSCAP_OUTPUT_ISDNS; + break; + } + case IPPROTO_TCP: { + network_udp = 0; + + /* TCP processing. + * We need to capture enough to allow a later analysis to + * reassemble the TCP stream, but we don't want to keep all + * the state required to do reassembly here. + * When we get a SYN, we don't yet know if the DNS message + * will pass the filters, so we always output it, and also + * generate a tcpstate to keep track of the stream. 
(An + * alternative would be to store the SYN packet on the + * tcpstate and not output it until a later packet passes the + * filter, but that would require more memory and would + * reorder packets in the pcap output.) + * When we get the _first_ DNS header on the stream, then we + * can apply the DNS header filters; if the packet passes, we + * output the packet and keep the tcpstate; if it fails, we + * discard the packet and the tcpstate. + * When we get any other packet with DNS payload, we output it + * only if there is a corresponding tcpstate indicating that + * the header passed the filters. + * Packets with no TCP payload (e.g., packets containing only + * an ACK) are discarded, since they carry no DNS information + * and are not needed for stream reassembly. + * FIN packets are always output to match the SYN, even if the + * DNS header failed the filter, to be friendly to later + * analysis programs that allocate state for each SYN. + * -- kkeys@caida.org + */ + unsigned offset; + uint32_t seq; + if (!wanttcp) + goto network_pkt_end; + if (len < sizeof *tcp) + goto network_pkt_end; + tcp = (void*)pkt; + switch (from.af) { + case AF_INET: + case AF_INET6: + sport = ntohs(tcp->th_sport); + dport = ntohs(tcp->th_dport); + seq = ntohl(tcp->th_seq); + break; + default: + abort(); + } + offset = tcp->th_off * 4; + pkt += offset; + len -= offset; + + tcpstate = tcpstate_find(from, to, sport, dport, ts.tv_sec); + if (dumptrace >= 3) { + fprintf(stderr, "%s: tcp pkt: %lu.%06lu [%4lu] ", ProgramName, + (u_long)ts.tv_sec, (u_long)ts.tv_usec, (u_long)len); + fprintf(stderr, "%15s -> ", ia_str(from)); + fprintf(stderr, "%15s; ", ia_str(to)); + if (tcpstate) + fprintf(stderr, "want=%08x; ", tcpstate->start); + else + fprintf(stderr, "no state; "); + fprintf(stderr, "seq=%08x; ", seq); + } + if (tcp->th_flags & (TH_FIN | TH_RST)) { + /* Always output FIN and RST segments. 
*/ + if (dumptrace >= 3) + fprintf(stderr, "FIN|RST\n"); + _curr_tcpstate = tcpstate; + output(descr, from, to, proto, flags, sport, dport, ts, + pkt_copy, olen, NULL, 0); + _curr_tcpstate = 0; + /* End of stream; deallocate the tcpstate. */ + if (tcpstate) { + UNLINK(tcpstates, tcpstate, link); + if (tcpstate->reasm) { + tcpreasm_free(tcpstate->reasm); + } + free(tcpstate); + tcpstate_count--; + } + goto network_pkt_end; + } + if (tcp->th_flags & TH_SYN) { + if (dumptrace >= 3) + fprintf(stderr, "SYN\n"); + if (tcpstate) { +#if 0 + /* Disabled because warning may scare user, and + * there's nothing else we can do anyway. */ + if (tcpstate->start == seq + 1) { + /* repeated SYN */ + } else { + /* Assume existing state is stale and recycle it. */ + if (ts.tv_sec - tcpstate->last_use < MAX_TCP_IDLE_TIME) + fprintf(stderr, "warning: recycling state for " + "duplicate tcp stream after only %ld " + "seconds idle\n", + (u_long)(ts.tv_sec - tcpstate->last_use)); + } +#endif + } else { + /* create new tcpstate */ + tcpstate = tcpstate_new(from, to, sport, dport); + } + tcpstate->last_use = ts.tv_sec; + tcpstate->start = seq + 1; /* add 1 for the SYN */ + tcpstate->maxdiff = 1; + tcpstate->dnslen = 0; + tcpstate->lastdns = 0; + + /* Always output SYN segments. 
*/ + _curr_tcpstate = tcpstate; + output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, olen, NULL, 0); + _curr_tcpstate = 0; + + goto network_pkt_end; + } + if (options.parse_ongoing_tcp && !tcpstate && len) { + tcpstate = tcpstate_new(from, to, sport, dport); + tcpstate->last_use = ts.tv_sec; + tcpstate->start = seq; + tcpstate->maxdiff = 0; + tcpstate->dnslen = 0; + tcpstate->lastdns = seq; + } + if (tcpstate && options.reassemble_tcp) { + if (!tcpstate->reasm) { + if (!(tcpstate->reasm = calloc(1, sizeof(tcpreasm_t)))) { + logerr("out of memory, TCP reassembly failed"); + goto network_pkt_end; + } + tcpstate->reasm->seq_start = tcpstate->start; + tcpstate->reasm->seq_bfb = tcpstate->start; + } + if (options.allow_reset_tcpstate) { + if (tcpstate->reasm_faults > options.reassemble_tcp_faultreset) { + if (dumptrace >= 3) + fprintf(stderr, "fault reset "); + tcpstate_reset(tcpstate, "too many reassembly faults"); + tcpstate->reasm->seq_start = seq; + tcpstate->reasm->seq_bfb = seq; + tcpstate->reasm_faults = 0; + } + if (dumptrace >= 3) + fprintf(stderr, "reassemble\n"); + if (pcap_handle_tcp_segment(pkt, len, seq, tcpstate)) { + tcpstate->reasm_faults++; + } + } else { + if (dumptrace >= 3) + fprintf(stderr, "reassemble\n"); + (void)pcap_handle_tcp_segment(pkt, len, seq, tcpstate); + } + } else if (tcpstate) { + uint32_t seqdiff = seq - tcpstate->start; + tcpstate->currseq = seq; + tcpstate->currlen = len; + if (options.allow_reset_tcpstate && tcpstate->lastdns && seq > tcpstate->lastdns + 2) { + /* + * seq received is beyond where we expect next DNS message + * to be, reset tcpstate and continue + */ + tcpstate->maxdiff = 0; + tcpstate->dnslen = 0; + tcpstate->lastdns = seq; + } + if (dumptrace >= 3) + fprintf(stderr, "diff=%08x; lastdns=%08x; ", seqdiff, tcpstate->lastdns); + if (tcpstate->lastdns && seq == tcpstate->lastdns && len > 2) { + if (dumptrace >= 3) + fprintf(stderr, "+len+hdr\n"); + dnslen = tcpstate->dnslen = (pkt[0] << 8) | (pkt[1] << 
0); + dnspkt = pkt + 2; + if (dnslen > len - 2) + dnslen = len - 2; + flags |= DNSCAP_OUTPUT_ISDNS; + tcpstate->maxdiff = (uint32_t)len; + tcpstate->lastdns = seq + 2 + tcpstate->dnslen; + } else if (tcpstate->lastdns && seq == tcpstate->lastdns && len == 2) { + if (dumptrace >= 3) + fprintf(stderr, "+len\n"); + tcpstate->dnslen = (pkt[0] << 8) | (pkt[1] << 0); + tcpstate->maxdiff = (uint32_t)len; + + _curr_tcpstate = tcpstate; + output(descr, from, to, proto, flags, sport, dport, ts, + pkt_copy, olen, NULL, 0); + _curr_tcpstate = 0; + goto network_pkt_end; + } else if (tcpstate->lastdns && ((seq == tcpstate->lastdns && len == 1) || seqdiff == 1)) { + tcpstate_discard(tcpstate, NULL); + goto network_pkt_end; + } else if (tcpstate->lastdns && seq == tcpstate->lastdns + 2) { + if (dumptrace >= 3) + fprintf(stderr, "+hdr\n"); + tcpstate->maxdiff = seqdiff + (uint32_t)len; + dnslen = tcpstate->dnslen; + dnspkt = pkt; + if (dnslen == 0) /* we never received it */ + dnslen = len; + if (dnslen > len) + dnslen = len; + flags |= DNSCAP_OUTPUT_ISDNS; + tcpstate->lastdns = seq + tcpstate->dnslen; + } else if (seqdiff == 0 && len > 2) { + /* This is the first segment of the stream, and + * contains the dnslen and dns header, so we can + * filter on it. */ + if (dumptrace >= 3) + fprintf(stderr, "len+hdr\n"); + dnslen = tcpstate->dnslen = (pkt[0] << 8) | (pkt[1] << 0); + dnspkt = pkt + 2; + if (dnslen > len - 2) + dnslen = len - 2; + flags |= DNSCAP_OUTPUT_ISDNS; + tcpstate->maxdiff = (uint32_t)len; + tcpstate->lastdns = seq + 2 + tcpstate->dnslen; + } else if (seqdiff == 0 && len == 2) { + /* This is the first segment of the stream, but only + * contains the dnslen. 
*/ + if (dumptrace >= 3) + fprintf(stderr, "len\n"); + tcpstate->dnslen = (pkt[0] << 8) | (pkt[1] << 0); + tcpstate->maxdiff = (uint32_t)len; + + _curr_tcpstate = tcpstate; + output(descr, from, to, proto, flags, sport, dport, ts, + pkt_copy, olen, NULL, 0); + _curr_tcpstate = 0; + goto network_pkt_end; + } else if ((seqdiff == 0 && len == 1) || seqdiff == 1) { + /* shouldn't happen */ + tcpstate_discard(tcpstate, NULL); + goto network_pkt_end; + } else if (seqdiff == 2) { + /* This is not the first segment, but it does contain + * the first dns header, so we can filter on it. */ + if (dumptrace >= 3) + fprintf(stderr, "hdr\n"); + tcpstate->maxdiff = seqdiff + (uint32_t)len; + dnslen = tcpstate->dnslen; + dnspkt = pkt; + if (dnslen == 0) /* we never received it */ + dnslen = len; + if (dnslen > len) + dnslen = len; + flags |= DNSCAP_OUTPUT_ISDNS; + tcpstate->lastdns = seq + tcpstate->dnslen; + } else if (seqdiff > tcpstate->maxdiff + MAX_TCP_WINDOW) { + /* This segment is outside the window. */ + if (dumptrace >= 3) + fprintf(stderr, "out of window\n"); + goto network_pkt_end; + } else if (len == 0) { + /* No payload (e.g., an ACK) */ + if (dumptrace >= 3) + fprintf(stderr, "empty\n"); + goto network_pkt_end; + } else { + /* non-first */ + if (dumptrace >= 3) + fprintf(stderr, "keep\n"); + if (tcpstate->maxdiff < seqdiff + (uint32_t)len) + tcpstate->maxdiff = seqdiff + (uint32_t)len; + + _curr_tcpstate = tcpstate; + output(descr, from, to, proto, flags, sport, dport, ts, + pkt_copy, olen, NULL, 0); + _curr_tcpstate = 0; + goto network_pkt_end; + } + } else { + if (dumptrace >= 3) + fprintf(stderr, "no state\n"); + /* There is no state for this stream. Either we never saw + * a SYN for this stream, or we have already decided to + * discard this stream. 
*/ + goto network_pkt_end; + } + break; + } + default: + goto network_pkt_end; + } + + for (m = 0; m < MAX_TCP_DNS_MSG; m++) { + if (tcpstate && tcpstate->reasm) { + if (!tcpstate->reasm->dnsmsg[m]) + continue; + dnslen = tcpstate->reasm->dnsmsg[m]->dnslen; + dnspkt = tcpstate->reasm->dnsmsg[m]->dnspkt; + flags |= DNSCAP_OUTPUT_ISDNS; + if (tcpstate->reasm->dnsmsg[m]->segments_seen > 1) { + /* emulate dnslen in own packet */ + _curr_tcpstate = tcpstate; + output(descr, from, to, proto, flags, sport, dport, ts, + pkt_copy, olen, NULL, 0); + _curr_tcpstate = 0; + } + } + + /* Application. */ + if (!dnspkt) { + tcpstate_discard(tcpstate, "no dns"); + goto network_pkt_end; + } + if (dnslen < sizeof dns) { + tcpstate_discard(tcpstate, "too small"); + goto network_pkt_end; + } + memcpy(&dns, dnspkt, sizeof dns); + + /* Policy filtering. */ + if (dns.qr == 0 && dport == dns_port) { + if ((dir_wanted & DIR_INITIATE) == 0) { + tcpstate_discard(tcpstate, "unwanted dir=i"); + goto network_pkt_end; + } + initiator = from; + responder = to; + response = FALSE; + } else if (dns.qr != 0 && sport == dns_port) { + if ((dir_wanted & DIR_RESPONSE) == 0) { + tcpstate_discard(tcpstate, "unwanted dir=r"); + goto network_pkt_end; + } + initiator = to; + responder = from; + response = TRUE; + } else { + tcpstate_discard(tcpstate, "unwanted direction/port"); + goto network_pkt_end; + } + if ((!EMPTY(initiators) && !ep_present(&initiators, initiator)) || (!EMPTY(responders) && !ep_present(&responders, responder))) { + tcpstate_discard(tcpstate, "unwanted host"); + goto network_pkt_end; + } + if ((!EMPTY(not_initiators) && ep_present(¬_initiators, initiator)) || (!EMPTY(not_responders) && ep_present(¬_responders, responder))) { + tcpstate_discard(tcpstate, "missing required host"); + goto network_pkt_end; + } + if (!(((msg_wanted & MSG_QUERY) != 0 && dns.opcode == LDNS_PACKET_QUERY) || ((msg_wanted & MSG_UPDATE) != 0 && dns.opcode == LDNS_PACKET_UPDATE) || ((msg_wanted & MSG_NOTIFY) != 0 && 
dns.opcode == LDNS_PACKET_NOTIFY))) { + tcpstate_discard(tcpstate, "unwanted opcode"); + goto network_pkt_end; + } + if (response) { + int match_tc = (dns.tc != 0 && err_wanted & ERR_TRUNC); + int match_rcode = err_wanted & (ERR_RCODE_BASE << dns.rcode); + + if (!match_tc && !match_rcode) { + tcpstate_discard(tcpstate, "unwanted error code"); + goto network_pkt_end; + } + if (!EMPTY(drop_responders) && ep_present(&drop_responders, responder)) { + tcpstate_discard(tcpstate, "dropped response due to -Y"); + goto network_pkt_end; + } + } + if (!EMPTY(myregexes) || match_qtype || nmatch_qtype) { + if (ldns_wire2pkt(&lpkt, dnspkt, dnslen) != LDNS_STATUS_OK) { + /* DNS message may have padding, try get actual size */ + size_t dnslen2 = calcdnslen(dnspkt, dnslen); + if (dnslen2 > 0 && dnslen2 < dnslen) { + if (ldns_wire2pkt(&lpkt, dnspkt, dnslen2) != LDNS_STATUS_OK) { + tcpstate_discard(tcpstate, "failed parse"); + goto network_pkt_end; + } + } else { + tcpstate_discard(tcpstate, "failed parse"); + goto network_pkt_end; + } + } + } + if (match_qtype || nmatch_qtype) { + ldns_rr_list* rrs = ldns_pkt_question(lpkt); + if (!rrs) { + tcpstate_discard(tcpstate, "failed to get list of questions"); + goto network_pkt_end; + } + /* Look at each RR in the section (or each QNAME in + the question section). 
*/ + size_t i, n; + for (i = 0, n = ldns_rr_list_rr_count(rrs); i < n; i++) { + ldns_rr* rr = ldns_rr_list_rr(rrs, i); + if (!rr) { + tcpstate_discard(tcpstate, "failed to get question"); + goto network_pkt_end; + } + + if (match_qtype && ldns_rr_get_type(rr) != match_qtype) { + tcpstate_discard(tcpstate, "qtype not match"); + goto network_pkt_end; + } else if (nmatch_qtype && ldns_rr_get_type(rr) == nmatch_qtype) { + tcpstate_discard(tcpstate, "!qtype match"); + goto network_pkt_end; + } + } + } + if (!EMPTY(myregexes)) { + int match, negmatch; + ldns_buffer* buf = ldns_buffer_new(512); + + if (!buf) { + fprintf(stderr, "%s: out of memory", ProgramName); + exit(1); + } + + match = -1; + negmatch = -1; + /* Look at each section of the message: + question, answer, authority, additional */ + ldns_rr_list* rrs = ldns_pkt_all(lpkt); + if (!rrs) { + ldns_buffer_free(buf); + tcpstate_discard(tcpstate, "failed to get list of RRs"); + goto network_pkt_end; + } + /* Look at each RR in the section (or each QNAME in + the question section). 
*/ + size_t i, n; + for (i = 0, n = ldns_rr_list_rr_count(rrs); i < n; i++) { + ldns_rr* rr = ldns_rr_list_rr(rrs, i); + if (!rr) { + ldns_rr_list_free(rrs); + ldns_buffer_free(buf); + tcpstate_discard(tcpstate, "failed to get RR"); + goto network_pkt_end; + } + + ldns_buffer_clear(buf); + if (ldns_rdf2buffer_str(buf, ldns_rr_owner(rr)) != LDNS_STATUS_OK) { + ldns_rr_list_free(rrs); + ldns_buffer_free(buf); + tcpstate_discard(tcpstate, "failed to get RR"); + goto network_pkt_end; + } + + myregex_ptr myregex; + for (myregex = HEAD(myregexes); + myregex != NULL; + myregex = NEXT(myregex, link)) { + if (myregex->not ) { + if (negmatch < 0) + negmatch = 0; + } else { + if (match < 0) + match = 0; + } + + if (regexec(&myregex->reg, (char*)ldns_buffer_begin(buf), 0, NULL, 0) == 0) { + if (myregex->not ) + negmatch++; + else + match++; + + if (dumptrace >= 2) + fprintf(stderr, + "; \"%s\" %s~ /%s/ %d %d\n", + (char*)ldns_buffer_begin(buf), + myregex->not ? "!" : "", + myregex->str, + match, + negmatch); + } + } + } + ldns_rr_list_free(rrs); + ldns_buffer_free(buf); + + /* + * Fail if any negative matching or if no match, match can be -1 which + * indicates that there are only negative matching + */ + if (negmatch > 0 || match == 0) { + tcpstate_discard(tcpstate, "failed regex match"); + goto network_pkt_end; + } + } + + /* Policy hiding. */ + if (end_hide != 0) { + switch (from.af) { + case AF_INET: { + void * init_addr, *resp_addr; + uint16_t* init_port; + + if (dns.qr == 0) { + init_addr = (void*)&ip->ip_src; + resp_addr = (void*)&ip->ip_dst; + init_port = tcp ? &tcp->th_sport : &udp->uh_sport; + } else { + init_addr = (void*)&ip->ip_dst; + resp_addr = (void*)&ip->ip_src; + init_port = tcp ? 
&tcp->th_dport : &udp->uh_dport; + } + + if ((end_hide & END_INITIATOR) != 0) { + memcpy(init_addr, HIDE_INET, sizeof(struct in_addr)); + *init_port = htons(HIDE_PORT); + } + if ((end_hide & END_RESPONDER) != 0) + memcpy(resp_addr, HIDE_INET, sizeof(struct in_addr)); + + ip->ip_sum = 0; + ip->ip_sum = ~in_checksum((u_char*)ip, sizeof *ip); + if (udp) + udp->uh_sum = 0U; + break; + } + case AF_INET6: { + void * init_addr, *resp_addr; + uint16_t* init_port; + + if (dns.qr == 0) { + init_addr = (void*)&ipv6->ip6_src; + resp_addr = (void*)&ipv6->ip6_dst; + init_port = tcp ? &tcp->th_sport : &udp->uh_sport; + } else { + init_addr = (void*)&ipv6->ip6_dst; + resp_addr = (void*)&ipv6->ip6_src; + init_port = tcp ? &tcp->th_dport : &udp->uh_dport; + } + + if ((end_hide & END_INITIATOR) != 0) { + memcpy(init_addr, HIDE_INET6, sizeof(struct in6_addr)); + *init_port = htons(HIDE_PORT); + } + if ((end_hide & END_RESPONDER) != 0) + memcpy(resp_addr, HIDE_INET6, sizeof(struct in6_addr)); + + if (udp) + udp->uh_sum = 0U; + break; + } + default: + abort(); + } + } + _curr_tcpstate = tcpstate; + output(descr, from, to, proto, flags, sport, dport, ts, + pkt_copy, olen, dnspkt, dnslen); + _curr_tcpstate = 0; + + if (tcpstate && tcpstate->reasm) { + free(tcpstate->reasm->dnsmsg[m]); + tcpstate->reasm->dnsmsg[m] = 0; + tcpstate->reasm->dnsmsgs--; + } else + break; + } + +network_pkt_end: + network_ip = 0; + network_ipv6 = 0; + if (lpkt) { + ldns_pkt_free(lpkt); + } +} + +uint16_t in_checksum(const u_char* ptr, size_t len) +{ + unsigned sum = 0, top; + + /* Main body. */ + while (len >= 2) { + sum += *(const uint16_t*)ptr; + ptr += 2; + len -= 2; + } + + /* Leftover octet? */ + if (len != 0) + sum += *ptr; + + /* Leftover carries? */ + while ((top = (sum >> 16)) != 0) + sum = ((uint16_t)sum) + top; + + /* Caller should ~ this result. 
*/ + return ((uint16_t)sum); +} + +static size_t calcrr(int q, const u_char* p, size_t l, size_t t) +{ + while (l < t) { + if ((p[l] & 0xc0) == 0xc0) { + l += 2; + } else if (p[l] & 0xc0) { + l += 1; + } else if (p[l]) { + l += p[l]; + } else { + break; + } + } + l += 4; /* type + class */ + if (q) + return l; + l += 6; /* ttl + rdlength */ + if (l < t) { + l += (p[l - 2] << 8) + p[l - 1]; /* rdata */ + } + return l; +} + +size_t calcdnslen(const u_char* dnspkt, size_t dnslen) +{ + HEADER dns; + size_t n, len; + + if (dnslen > 65535 || dnslen < sizeof(dns)) { + return 0; + } + memcpy(&dns, dnspkt, sizeof dns); + len = sizeof(dns); + + for (n = 0; len < dnslen && n < dns.qdcount; n++) { + len = calcrr(1, dnspkt, len, dnslen); + } + for (n = 0; len < dnslen && n < dns.ancount; n++) { + len = calcrr(0, dnspkt, len, dnslen); + } + for (n = 0; len < dnslen && n < dns.nscount; n++) { + len = calcrr(0, dnspkt, len, dnslen); + } + for (n = 0; len < dnslen && n < dns.arcount; n++) { + len = calcrr(0, dnspkt, len, dnslen); + } + if (len < dnslen) + return len; + return dnslen; +} diff --git a/src/network.h b/src/network.h new file mode 100644 index 0000000..9d5c7de --- /dev/null +++ b/src/network.h 
@@ -0,0 +1,52 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "dnscap.h" + +#ifndef __dnscap_network_h +#define __dnscap_network_h + +tcpstate_ptr tcpstate_find(iaddr from, iaddr to, unsigned sport, unsigned dport, time_t t); +tcpstate_ptr tcpstate_new(iaddr from, iaddr to, unsigned sport, unsigned dport); +void dl_pkt(u_char* user, const struct pcap_pkthdr* hdr, const u_char* pkt, const char* name, const int dlt); +void discard(tcpstate_ptr tcpstate, const char* msg); +void network_pkt(const char* descr, my_bpftimeval ts, unsigned pf, const u_char* opkt, size_t olen); +uint16_t in_checksum(const u_char* ptr, size_t len); + +void layer_pkt(u_char* user, const pcap_thread_packet_t* packet, const u_char* payload, size_t length); +void network_pkt2(const char* descr, my_bpftimeval ts, const pcap_thread_packet_t* packet, const u_char* payload, size_t length); + +size_t calcdnslen(const u_char* dnspkt, size_t dnslen); + +#endif /* __dnscap_network_h */ diff --git a/src/options.c b/src/options.c new file mode 100644 index 0000000..1eee2cf --- /dev/null +++ b/src/options.c 
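Review bot: The prototype `void discard(tcpstate_ptr tcpstate, const char* msg);` looks stale. The part of src/network.c shown in this commit calls `tcpstate_discard(...)` throughout and contains no definition or call of `discard`, though a definition could still live in a file not shown here. If nothing defines it, drop the line so a caller cannot compile against a symbol that only fails at link time. Separately, `in_checksum` deserves a comment on its declaration, e.g. `/* returns the folded one's-complement sum; the caller must apply ~ */`, since that contract is only stated inside the function body.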
@@ -0,0 +1,248 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" + +#include "options.h" + +#include <string.h> +#include <stdlib.h> + +#include <stdio.h> + +#define have(a) option_length == (sizeof(a) - 1) && !strncmp(option, a, (sizeof(a) - 1)) + +int option_parse(options_t* options, const char* option) +{ + const char* argument; + int option_length; + char* p; + size_t s; + + if (!options) { + return -1; + } + if (!option) { + return -1; + } + + if (!(argument = strchr(option, '='))) { + return -2; + } + argument++; + if (!*argument) { + return -2; + } + option_length = argument - option - 1; + if (option_length < 1) { + return -2; + } + + if (have("cbor_chunk_size")) { + s = strtoul(argument, &p, 0); + if (p && !*p && s > 0) { + options->cbor_chunk_size = s; + return 0; + } + } else if (have("cds_cbor_size")) { + s = strtoul(argument, &p, 0); + if (p && !*p && s > 0) { + options->cds_cbor_size = s; + return 0; + } + } else if (have("cds_message_size")) { + s = strtoul(argument, &p, 0); + if (p && !*p && s > 0) { + options->cds_message_size = s; + return 0; + } + } else if (have("cds_max_rlabels")) { + s = strtoul(argument, &p, 0); + if (p && !*p && s > 0) { + options->cds_max_rlabels = s; + return 0; + } + } else if (have("cds_min_rlabel_size")) { + s = strtoul(argument, &p, 0); + if (p && !*p && s > 0) { + options->cds_min_rlabel_size = s; + return 0; + } + } else if (have("cds_use_rdata_index")) { + if (!strcmp(argument, "yes")) { + options->cds_use_rdata_index = 1; + return 0; + } + } else if (have("cds_rdata_index_min_size")) { + s = strtoul(argument, &p, 0); + if (p && !*p && s > 0) { + options->cds_rdata_index_min_size = s; + return 0; + } + } else if (have("cds_use_rdata_rindex")) { + if (!strcmp(argument, "yes")) { + options->cds_use_rdata_rindex = 1; + return 0; + } + } else if (have("cds_rdata_rindex_size")) { + s = strtoul(argument, &p, 0); + if (p && !*p && s > 0) { + options->cds_rdata_rindex_size = s; + return 0; + } + } else if (have("cds_rdata_rindex_min_size")) { + s = 
strtoul(argument, &p, 0); + if (p && !*p && s > 0) { + options->cds_rdata_rindex_min_size = s; + return 0; + } + } else if (have("dump_format")) { + if (!strcmp(argument, "pcap")) { + options->dump_format = pcap; + return 0; + } else if (!strcmp(argument, "cbor")) { + options->dump_format = cbor; + return 0; + } else if (!strcmp(argument, "cds")) { + options->dump_format = cds; + return 0; + } + } else if (have("user")) { + if (options->user) { + free(options->user); + } + if ((options->user = strdup(argument))) { + return 0; + } + } else if (have("group")) { + if (options->group) { + free(options->group); + } + if ((options->group = strdup(argument))) { + return 0; + } + } else if (have("pcap_buffer_size")) { + s = strtoul(argument, &p, 0); + if (p && !*p && s > 0) { + options->pcap_buffer_size = s; + return 0; + } + } else if (have("use_layers")) { + if (!strcmp(argument, "yes")) { + options->use_layers = 1; + return 0; + } + } else if (have("defrag_ipv4")) { + if (!strcmp(argument, "yes")) { + options->defrag_ipv4 = 1; + return 0; + } + } else if (have("max_ipv4_fragments")) { + s = strtoul(argument, &p, 0); + if (p && !*p && s > 0) { + options->max_ipv4_fragments = s; + return 0; + } + } else if (have("max_ipv4_fragments_per_packet")) { + s = strtoul(argument, &p, 0); + if (p && !*p && s > 0) { + options->max_ipv4_fragments_per_packet = s; + return 0; + } + } else if (have("defrag_ipv6")) { + if (!strcmp(argument, "yes")) { + options->defrag_ipv6 = 1; + return 0; + } + } else if (have("max_ipv6_fragments")) { + s = strtoul(argument, &p, 0); + if (p && !*p && s > 0) { + options->max_ipv6_fragments = s; + return 0; + } + } else if (have("max_ipv6_fragments_per_packet")) { + s = strtoul(argument, &p, 0); + if (p && !*p && s > 0) { + options->max_ipv6_fragments_per_packet = s; + return 0; + } + } else if (have("parse_ongoing_tcp")) { + if (!strcmp(argument, "yes")) { + options->parse_ongoing_tcp = 1; + return 0; + } + } else if (have("allow_reset_tcpstate")) { + if 
(!strcmp(argument, "yes")) { + options->allow_reset_tcpstate = 1; + return 0; + } + } else if (have("reassemble_tcp")) { + if (!strcmp(argument, "yes")) { + options->reassemble_tcp = 1; + return 0; + } + } else if (have("reassemble_tcp_faultreset")) { + s = strtoul(argument, &p, 0); + if (p && !*p && s > 0) { + options->reassemble_tcp_faultreset = s; + return 0; + } + } else if (have("reassemble_tcp_bfbparsedns")) { + if (!strcmp(argument, "yes")) { + options->reassemble_tcp_bfbparsedns = 1; + return 0; + } + } else if (have("bpf_hosts_apply_all")) { + if (!strcmp(argument, "yes")) { + options->bpf_hosts_apply_all = 1; + return 0; + } + } + + return 1; +} + +void options_free(options_t* options) +{ + if (options) { + if (options->user) { + free(options->user); + options->user = 0; + } + if (options->group) { + free(options->group); + options->group = 0; + } + } +} diff --git a/src/options.h b/src/options.h new file mode 100644 index 0000000..e46dd06 --- /dev/null +++ b/src/options.h 
@@ -0,0 +1,121 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include <sys/types.h> + +#include "dump_cds.h" + +#ifndef __dnscap_options_h +#define __dnscap_options_h + +typedef enum dump_format dump_format_t; +enum dump_format { + pcap, + cbor, + cds +}; + +/* clang-format off */ + +#define OPTIONS_T_DEFAULTS { \ + 1024 * 1024, \ +\ + 1024 * 1024, \ + 64 * 1024, \ + CDS_DEFAULT_MAX_RLABELS, \ + CDS_DEFAULT_MIN_RLABEL_SIZE, \ + 0, \ + CDS_DEFAULT_RDATA_INDEX_MIN_SIZE, \ + 0, \ + CDS_DEFAULT_RDATA_RINDEX_SIZE, \ + CDS_DEFAULT_RDATA_RINDEX_MIN_SIZE, \ +\ + pcap, \ +\ + 0, \ + 0, \ +\ + 0, \ +\ + 0, 0, 0, 0, 0, 0, 0, \ +\ + 0, 0, 0, 0, 0, \ +\ + 0 \ +} + +/* clang-format on */ + +typedef struct options options_t; +struct options { + size_t cbor_chunk_size; + + size_t cds_cbor_size; + size_t cds_message_size; + size_t cds_max_rlabels; + size_t cds_min_rlabel_size; + int cds_use_rdata_index; + size_t cds_rdata_index_min_size; + int cds_use_rdata_rindex; + size_t cds_rdata_rindex_size; + size_t cds_rdata_rindex_min_size; + + dump_format_t dump_format; + + char* user; + char* group; + + size_t pcap_buffer_size; + + int use_layers; + int defrag_ipv4; + size_t max_ipv4_fragments; + size_t max_ipv4_fragments_per_packet; + int defrag_ipv6; + size_t max_ipv6_fragments; + size_t max_ipv6_fragments_per_packet; + + int parse_ongoing_tcp; + int allow_reset_tcpstate; + int reassemble_tcp; + size_t reassemble_tcp_faultreset; + int reassemble_tcp_bfbparsedns; + + int bpf_hosts_apply_all; +}; + +int option_parse(options_t* options, const char* option); +void options_free(options_t* options); + +#endif /* __dnscap_options_h */ diff --git a/src/pcap-thread/m4/ax_pcap_thread.m4 b/src/pcap-thread/m4/ax_pcap_thread.m4 new file mode 100644 index 0000000..8831822 --- /dev/null +++ b/src/pcap-thread/m4/ax_pcap_thread.m4 
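Review bot: `OPTIONS_T_DEFAULTS` is a positional initializer, so it is only correct while its values stay in exactly the same order as the members of `struct options`. Adding or moving a member without touching the macro would silently shift every later default, for example a size landing in the `user` pointer. The values do line up with the struct as written here. Designated initializers would make the pairing explicit and let the zero defaults be omitted, e.g. `.cbor_chunk_size = 1024 * 1024, \` and `.dump_format = pcap, \`; src/network.c in this commit already relies on C99 (declarations after statements). If the positional form has to stay, put the member name in a trailing comment on each macro line.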
@@ -0,0 +1,15 @@ +AC_DEFUN([AX_PCAP_THREAD_PCAP], [ + AC_HEADER_TIME + AC_CHECK_LIB([pcap], [pcap_open_live], [], AC_MSG_ERROR([libpcap not found])) + AC_CHECK_HEADER([pcap/pcap.h], [], [AC_MSG_ERROR([libpcap header not found])]) + AC_CHECK_HEADERS([endian.h sys/endian.h machine/endian.h sys/time.h]) + AC_CHECK_FUNCS([pcap_create pcap_set_tstamp_precision pcap_set_immediate_mode]) + AC_CHECK_FUNCS([pcap_set_tstamp_type pcap_setdirection sched_yield]) + AC_CHECK_FUNCS([pcap_open_offline_with_tstamp_precision pcap_activate]) + AC_CHECK_TYPES([pcap_direction_t], [], [], [[#include <pcap/pcap.h>]]) +]) + +AC_DEFUN([AX_PCAP_THREAD], [ + AX_PTHREAD + AX_PCAP_THREAD_PCAP +]) diff --git a/src/pcap-thread/m4/ax_pthread.m4 b/src/pcap-thread/m4/ax_pthread.m4 new file mode 100644 index 0000000..4c4051e --- /dev/null +++ b/src/pcap-thread/m4/ax_pthread.m4 
@@ -0,0 +1,485 @@ +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_pthread.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]]) +# +# DESCRIPTION +# +# This macro figures out how to build C programs using POSIX threads. It +# sets the PTHREAD_LIBS output variable to the threads library and linker +# flags, and the PTHREAD_CFLAGS output variable to any special C compiler +# flags that are needed. (The user can also force certain compiler +# flags/libs to be tested by setting these environment variables.) +# +# Also sets PTHREAD_CC to any special C compiler that is needed for +# multi-threaded programs (defaults to the value of CC otherwise). (This +# is necessary on AIX to use the special cc_r compiler alias.) +# +# NOTE: You are assumed to not only compile your program with these flags, +# but also to link with them as well. For example, you might link with +# $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS +# +# If you are only building threaded programs, you may wish to use these +# variables in your default LIBS, CFLAGS, and CC: +# +# LIBS="$PTHREAD_LIBS $LIBS" +# CFLAGS="$CFLAGS $PTHREAD_CFLAGS" +# CC="$PTHREAD_CC" +# +# In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant +# has a nonstandard name, this macro defines PTHREAD_CREATE_JOINABLE to +# that name (e.g. PTHREAD_CREATE_UNDETACHED on AIX). +# +# Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the +# PTHREAD_PRIO_INHERIT symbol is defined when compiling with +# PTHREAD_CFLAGS. +# +# ACTION-IF-FOUND is a list of shell commands to run if a threads library +# is found, and ACTION-IF-NOT-FOUND is a list of commands to run it if it +# is not found. If ACTION-IF-FOUND is not specified, the default action +# will define HAVE_PTHREAD. 
+# +# Please let the authors know if this macro fails on any platform, or if +# you have any other suggestions or comments. This macro was based on work +# by SGJ on autoconf scripts for FFTW (http://www.fftw.org/) (with help +# from M. Frigo), as well as ac_pthread and hb_pthread macros posted by +# Alejandro Forero Cuervo to the autoconf macro repository. We are also +# grateful for the helpful feedback of numerous users. +# +# Updated for Autoconf 2.68 by Daniel Richard G. +# +# LICENSE +# +# Copyright (c) 2008 Steven G. Johnson <stevenj@alum.mit.edu> +# Copyright (c) 2011 Daniel Richard G. <skunk@iSKUNK.ORG> +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program. If not, see <http://www.gnu.org/licenses/>. +# +# As a special exception, the respective Autoconf Macro's copyright owner +# gives unlimited permission to copy, distribute and modify the configure +# scripts that are the output of Autoconf when processing the Macro. You +# need not follow the terms of the GNU General Public License when using +# or distributing such scripts, even though portions of the text of the +# Macro appear in them. The GNU General Public License (GPL) does govern +# all other use of the material that constitutes the Autoconf Macro. +# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. 
When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. + +#serial 23 + +AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD]) +AC_DEFUN([AX_PTHREAD], [ +AC_REQUIRE([AC_CANONICAL_HOST]) +AC_REQUIRE([AC_PROG_CC]) +AC_REQUIRE([AC_PROG_SED]) +AC_LANG_PUSH([C]) +ax_pthread_ok=no + +# We used to check for pthread.h first, but this fails if pthread.h +# requires special compiler flags (e.g. on Tru64 or Sequent). +# It gets checked for in the link test anyway. + +# First of all, check if the user has set any of the PTHREAD_LIBS, +# etcetera environment variables, and if threads linking works using +# them: +if test "x$PTHREAD_CFLAGS$PTHREAD_LIBS" != "x"; then + ax_pthread_save_CC="$CC" + ax_pthread_save_CFLAGS="$CFLAGS" + ax_pthread_save_LIBS="$LIBS" + AS_IF([test "x$PTHREAD_CC" != "x"], [CC="$PTHREAD_CC"]) + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + LIBS="$PTHREAD_LIBS $LIBS" + AC_MSG_CHECKING([for pthread_join using $CC $PTHREAD_CFLAGS $PTHREAD_LIBS]) + AC_LINK_IFELSE([AC_LANG_CALL([], [pthread_join])], [ax_pthread_ok=yes]) + AC_MSG_RESULT([$ax_pthread_ok]) + if test "x$ax_pthread_ok" = "xno"; then + PTHREAD_LIBS="" + PTHREAD_CFLAGS="" + fi + CC="$ax_pthread_save_CC" + CFLAGS="$ax_pthread_save_CFLAGS" + LIBS="$ax_pthread_save_LIBS" +fi + +# We must check for the threads library under a number of different +# names; the ordering is very important because some systems +# (e.g. DEC) have both -lpthread and -lpthreads, where one of the +# libraries is broken (non-POSIX). + +# Create a list of thread flags to try. Items starting with a "-" are +# C compiler flags, and other items are library names, except for "none" +# which indicates that we try without any flags at all, and "pthread-config" +# which is a program returning the flags for the Pth emulation library. 
+ +ax_pthread_flags="pthreads none -Kthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" + +# The ordering *is* (sometimes) important. Some notes on the +# individual items follow: + +# pthreads: AIX (must check this before -lpthread) +# none: in case threads are in libc; should be tried before -Kthread and +# other compiler flags to prevent continual compiler warnings +# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h) +# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads), Tru64 +# (Note: HP C rejects this with "bad form for `-t' option") +# -pthreads: Solaris/gcc (Note: HP C also rejects) +# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it +# doesn't hurt to check since this sometimes defines pthreads and +# -D_REENTRANT too), HP C (must be checked before -lpthread, which +# is present but should not be used directly; and before -mthreads, +# because the compiler interprets this as "-mt" + "-hreads") +# -mthreads: Mingw32/gcc, Lynx/gcc +# pthread: Linux, etcetera +# --thread-safe: KAI C++ +# pthread-config: use pthread-config program (for GNU Pth library) + +case $host_os in + + freebsd*) + + # -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) + # lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) + + ax_pthread_flags="-kthread lthread $ax_pthread_flags" + ;; + + hpux*) + + # From the cc(1) man page: "[-mt] Sets various -D flags to enable + # multi-threading and also sets -lpthread." + + ax_pthread_flags="-mt -pthread pthread $ax_pthread_flags" + ;; + + openedition*) + + # IBM z/OS requires a feature-test macro to be defined in order to + # enable POSIX threads at all, so give the user a hint if this is + # not set. (We don't define these ourselves, as they can affect + # other portions of the system API in unpredictable ways.) 
+ + AC_EGREP_CPP([AX_PTHREAD_ZOS_MISSING], + [ +# if !defined(_OPEN_THREADS) && !defined(_UNIX03_THREADS) + AX_PTHREAD_ZOS_MISSING +# endif + ], + [AC_MSG_WARN([IBM z/OS requires -D_OPEN_THREADS or -D_UNIX03_THREADS to enable pthreads support.])]) + ;; + + solaris*) + + # On Solaris (at least, for some versions), libc contains stubbed + # (non-functional) versions of the pthreads routines, so link-based + # tests will erroneously succeed. (N.B.: The stubs are missing + # pthread_cleanup_push, or rather a function called by this macro, + # so we could check for that, but who knows whether they'll stub + # that too in a future libc.) So we'll check first for the + # standard Solaris way of linking pthreads (-mt -lpthread). + + ax_pthread_flags="-mt,pthread pthread $ax_pthread_flags" + ;; +esac + +# GCC generally uses -pthread, or -pthreads on some platforms (e.g. SPARC) + +AS_IF([test "x$GCC" = "xyes"], + [ax_pthread_flags="-pthread -pthreads $ax_pthread_flags"]) + +# The presence of a feature test macro requesting re-entrant function +# definitions is, on some systems, a strong hint that pthreads support is +# correctly enabled + +case $host_os in + darwin* | hpux* | linux* | osf* | solaris*) + ax_pthread_check_macro="_REENTRANT" + ;; + + aix*) + ax_pthread_check_macro="_THREAD_SAFE" + ;; + + *) + ax_pthread_check_macro="--" + ;; +esac +AS_IF([test "x$ax_pthread_check_macro" = "x--"], + [ax_pthread_check_cond=0], + [ax_pthread_check_cond="!defined($ax_pthread_check_macro)"]) + +# Are we compiling with Clang? 
+ +AC_CACHE_CHECK([whether $CC is Clang], + [ax_cv_PTHREAD_CLANG], + [ax_cv_PTHREAD_CLANG=no + # Note that Autoconf sets GCC=yes for Clang as well as GCC + if test "x$GCC" = "xyes"; then + AC_EGREP_CPP([AX_PTHREAD_CC_IS_CLANG], + [/* Note: Clang 2.7 lacks __clang_[a-z]+__ */ +# if defined(__clang__) && defined(__llvm__) + AX_PTHREAD_CC_IS_CLANG +# endif + ], + [ax_cv_PTHREAD_CLANG=yes]) + fi + ]) +ax_pthread_clang="$ax_cv_PTHREAD_CLANG" + +ax_pthread_clang_warning=no + +# Clang needs special handling, because older versions handle the -pthread +# option in a rather... idiosyncratic way + +if test "x$ax_pthread_clang" = "xyes"; then + + # Clang takes -pthread; it has never supported any other flag + + # (Note 1: This will need to be revisited if a system that Clang + # supports has POSIX threads in a separate library. This tends not + # to be the way of modern systems, but it's conceivable.) + + # (Note 2: On some systems, notably Darwin, -pthread is not needed + # to get POSIX threads support; the API is always present and + # active. We could reasonably leave PTHREAD_CFLAGS empty. But + # -pthread does define _REENTRANT, and while the Darwin headers + # ignore this macro, third-party headers might not.) + + PTHREAD_CFLAGS="-pthread" + PTHREAD_LIBS= + + ax_pthread_ok=yes + + # However, older versions of Clang make a point of warning the user + # that, in an invocation where only linking and no compilation is + # taking place, the -pthread option has no effect ("argument unused + # during compilation"). They expect -pthread to be passed in only + # when source code is being compiled. + # + # Problem is, this is at odds with the way Automake and most other + # C build frameworks function, which is that the same flags used in + # compilation (CFLAGS) are also used in linking. 
Many systems + # supported by AX_PTHREAD require exactly this for POSIX threads + # support, and in fact it is often not straightforward to specify a + # flag that is used only in the compilation phase and not in + # linking. Such a scenario is extremely rare in practice. + # + # Even though use of the -pthread flag in linking would only print + # a warning, this can be a nuisance for well-run software projects + # that build with -Werror. So if the active version of Clang has + # this misfeature, we search for an option to squash it. + + AC_CACHE_CHECK([whether Clang needs flag to prevent "argument unused" warning when linking with -pthread], + [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG], + [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG=unknown + # Create an alternate version of $ac_link that compiles and + # links in two steps (.c -> .o, .o -> exe) instead of one + # (.c -> exe), because the warning occurs only in the second + # step + ax_pthread_save_ac_link="$ac_link" + ax_pthread_sed='s/conftest\.\$ac_ext/conftest.$ac_objext/g' + ax_pthread_link_step=`$as_echo "$ac_link" | sed "$ax_pthread_sed"` + ax_pthread_2step_ac_link="($ac_compile) && (echo ==== >&5) && ($ax_pthread_link_step)" + ax_pthread_save_CFLAGS="$CFLAGS" + for ax_pthread_try in '' -Qunused-arguments -Wno-unused-command-line-argument unknown; do + AS_IF([test "x$ax_pthread_try" = "xunknown"], [break]) + CFLAGS="-Werror -Wunknown-warning-option $ax_pthread_try -pthread $ax_pthread_save_CFLAGS" + ac_link="$ax_pthread_save_ac_link" + AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])], + [ac_link="$ax_pthread_2step_ac_link" + AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])], + [break]) + ]) + done + ac_link="$ax_pthread_save_ac_link" + CFLAGS="$ax_pthread_save_CFLAGS" + AS_IF([test "x$ax_pthread_try" = "x"], [ax_pthread_try=no]) + ax_cv_PTHREAD_CLANG_NO_WARN_FLAG="$ax_pthread_try" + ]) + + case "$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG" in + no | unknown) ;; + *) 
PTHREAD_CFLAGS="$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG $PTHREAD_CFLAGS" ;; + esac + +fi # $ax_pthread_clang = yes + +if test "x$ax_pthread_ok" = "xno"; then +for ax_pthread_try_flag in $ax_pthread_flags; do + + case $ax_pthread_try_flag in + none) + AC_MSG_CHECKING([whether pthreads work without any flags]) + ;; + + -mt,pthread) + AC_MSG_CHECKING([whether pthreads work with -mt -lpthread]) + PTHREAD_CFLAGS="-mt" + PTHREAD_LIBS="-lpthread" + ;; + + -*) + AC_MSG_CHECKING([whether pthreads work with $ax_pthread_try_flag]) + PTHREAD_CFLAGS="$ax_pthread_try_flag" + ;; + + pthread-config) + AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no]) + AS_IF([test "x$ax_pthread_config" = "xno"], [continue]) + PTHREAD_CFLAGS="`pthread-config --cflags`" + PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`" + ;; + + *) + AC_MSG_CHECKING([for the pthreads library -l$ax_pthread_try_flag]) + PTHREAD_LIBS="-l$ax_pthread_try_flag" + ;; + esac + + ax_pthread_save_CFLAGS="$CFLAGS" + ax_pthread_save_LIBS="$LIBS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + LIBS="$PTHREAD_LIBS $LIBS" + + # Check for various functions. We must include pthread.h, + # since some functions may be macros. (On the Sequent, we + # need a special flag -Kthread to make this header compile.) + # We check for pthread_join because it is in -lpthread on IRIX + # while pthread_create is in libc. We check for pthread_attr_init + # due to DEC craziness with -lpthreads. We check for + # pthread_cleanup_push because it is one of the few pthread + # functions on Solaris that doesn't have a non-functional libc stub. + # We try pthread_create on general principles. 
+ + AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h> +# if $ax_pthread_check_cond +# error "$ax_pthread_check_macro must be defined" +# endif + static void routine(void *a) { a = 0; } + static void *start_routine(void *a) { return a; }], + [pthread_t th; pthread_attr_t attr; + pthread_create(&th, 0, start_routine, 0); + pthread_join(th, 0); + pthread_attr_init(&attr); + pthread_cleanup_push(routine, 0); + pthread_cleanup_pop(0) /* ; */])], + [ax_pthread_ok=yes], + []) + + CFLAGS="$ax_pthread_save_CFLAGS" + LIBS="$ax_pthread_save_LIBS" + + AC_MSG_RESULT([$ax_pthread_ok]) + AS_IF([test "x$ax_pthread_ok" = "xyes"], [break]) + + PTHREAD_LIBS="" + PTHREAD_CFLAGS="" +done +fi + +# Various other checks: +if test "x$ax_pthread_ok" = "xyes"; then + ax_pthread_save_CFLAGS="$CFLAGS" + ax_pthread_save_LIBS="$LIBS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + LIBS="$PTHREAD_LIBS $LIBS" + + # Detect AIX lossage: JOINABLE attribute is called UNDETACHED. + AC_CACHE_CHECK([for joinable pthread attribute], + [ax_cv_PTHREAD_JOINABLE_ATTR], + [ax_cv_PTHREAD_JOINABLE_ATTR=unknown + for ax_pthread_attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do + AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>], + [int attr = $ax_pthread_attr; return attr /* ; */])], + [ax_cv_PTHREAD_JOINABLE_ATTR=$ax_pthread_attr; break], + []) + done + ]) + AS_IF([test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xunknown" && \ + test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xPTHREAD_CREATE_JOINABLE" && \ + test "x$ax_pthread_joinable_attr_defined" != "xyes"], + [AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], + [$ax_cv_PTHREAD_JOINABLE_ATTR], + [Define to necessary symbol if this constant + uses a non-standard name on your system.]) + ax_pthread_joinable_attr_defined=yes + ]) + + AC_CACHE_CHECK([whether more special flags are required for pthreads], + [ax_cv_PTHREAD_SPECIAL_FLAGS], + [ax_cv_PTHREAD_SPECIAL_FLAGS=no + case $host_os in + solaris*) + ax_cv_PTHREAD_SPECIAL_FLAGS="-D_POSIX_PTHREAD_SEMANTICS" + ;; + esac 
+ ]) + AS_IF([test "x$ax_cv_PTHREAD_SPECIAL_FLAGS" != "xno" && \ + test "x$ax_pthread_special_flags_added" != "xyes"], + [PTHREAD_CFLAGS="$ax_cv_PTHREAD_SPECIAL_FLAGS $PTHREAD_CFLAGS" + ax_pthread_special_flags_added=yes]) + + AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT], + [ax_cv_PTHREAD_PRIO_INHERIT], + [AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <pthread.h>]], + [[int i = PTHREAD_PRIO_INHERIT;]])], + [ax_cv_PTHREAD_PRIO_INHERIT=yes], + [ax_cv_PTHREAD_PRIO_INHERIT=no]) + ]) + AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes" && \ + test "x$ax_pthread_prio_inherit_defined" != "xyes"], + [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.]) + ax_pthread_prio_inherit_defined=yes + ]) + + CFLAGS="$ax_pthread_save_CFLAGS" + LIBS="$ax_pthread_save_LIBS" + + # More AIX lossage: compile with *_r variant + if test "x$GCC" != "xyes"; then + case $host_os in + aix*) + AS_CASE(["x/$CC"], + [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6], + [#handle absolute path differently from PATH based program lookup + AS_CASE(["x$CC"], + [x/*], + [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])], + [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])]) + ;; + esac + fi +fi + +test -n "$PTHREAD_CC" || PTHREAD_CC="$CC" + +AC_SUBST([PTHREAD_LIBS]) +AC_SUBST([PTHREAD_CFLAGS]) +AC_SUBST([PTHREAD_CC]) + +# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND: +if test "x$ax_pthread_ok" = "xyes"; then + ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1]) + : +else + ax_pthread_ok=no + $2 +fi +AC_LANG_POP +])dnl AX_PTHREAD diff --git a/src/pcap-thread/pcap_thread.c b/src/pcap-thread/pcap_thread.c new file mode 100644 index 0000000..8acdcbe --- /dev/null +++ b/src/pcap-thread/pcap_thread.c 
@@ -0,0 +1,3818 @@
+/*
+ * Author Jerry Lundström <jerry@dns-oarc.net>
+ * Copyright (c) 2016-2017, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "pcap_thread.h"
+
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/select.h>
+
+#ifndef PCAP_THREAD_LAYER_TRACE
+#define PCAP_THREAD_LAYER_TRACE 0
+#endif
+
+/*
+ * Forward declares for layer callbacks
+ */
+
+static void pcap_thread_callback(u_char* user, const struct pcap_pkthdr* pkthdr, const u_char* pkt, const char* name, int dlt);
+static void pcap_thread_callback_linux_sll(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_ether(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_null(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_loop(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_ieee802(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_gre(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_ip(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_ipv4(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_ipv6(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_icmp(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_icmpv6(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_udp(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_tcp(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+
+/* + * Version + */ + +static const char* _version = PCAP_THREAD_VERSION_STR; + +const char* pcap_thread_version_str(void) +{ + return _version; +} + +int pcap_thread_version_major(void) +{ + return PCAP_THREAD_VERSION_MAJOR; +} + +int pcap_thread_version_minor(void) +{ + return PCAP_THREAD_VERSION_MINOR; +} + +int pcap_thread_version_patch(void) +{ + return PCAP_THREAD_VERSION_PATCH; +} + +/* + * Create/Free + */ + +static pcap_thread_t _pcap_thread_defaults = PCAP_THREAD_T_INIT; + +pcap_thread_t* pcap_thread_create(void) +{ + pcap_thread_t* pcap_thread = calloc(1, sizeof(pcap_thread_t)); + if (pcap_thread) { + memcpy(pcap_thread, &_pcap_thread_defaults, sizeof(pcap_thread_t)); + } + + return pcap_thread; +} + +void pcap_thread_free(pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + return; + } + + pcap_thread_close(pcap_thread); + if (pcap_thread->filter) { + free(pcap_thread->filter); + } + free(pcap_thread); +} + +/* + * Get/Set + */ + +int pcap_thread_use_threads(const pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + return -1; + } + + return pcap_thread->use_threads; +} + +int pcap_thread_set_use_threads(pcap_thread_t* pcap_thread, const int use_threads) +{ + if (!pcap_thread) { + return PCAP_THREAD_EINVAL; + } + if (pcap_thread->running) { + return PCAP_THREAD_ERUNNING; + } + + pcap_thread->use_threads = use_threads; + + return PCAP_THREAD_OK; +} + +int pcap_thread_use_layers(const pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + return -1; + } + + return pcap_thread->use_layers; +} + +int pcap_thread_set_use_layers(pcap_thread_t* pcap_thread, const int use_layers) +{ + if (!pcap_thread) { + return PCAP_THREAD_EINVAL; + } + if (pcap_thread->running) { + return PCAP_THREAD_ERUNNING; + } + + pcap_thread->use_layers = use_layers; + + return PCAP_THREAD_OK; +} + +pcap_thread_queue_mode_t pcap_thread_queue_mode(const pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + return -1; + } + + return pcap_thread->queue_mode; +} + +int 
pcap_thread_set_queue_mode(pcap_thread_t* pcap_thread, const pcap_thread_queue_mode_t queue_mode) +{ + if (!pcap_thread) { + return PCAP_THREAD_EINVAL; + } + if (pcap_thread->running) { + return PCAP_THREAD_ERUNNING; + } + + switch (queue_mode) { + case PCAP_THREAD_QUEUE_MODE_COND: + case PCAP_THREAD_QUEUE_MODE_DIRECT: + break; + case PCAP_THREAD_QUEUE_MODE_YIELD: + case PCAP_THREAD_QUEUE_MODE_WAIT: + case PCAP_THREAD_QUEUE_MODE_DROP: + return PCAP_THREAD_EOBSOLETE; + default: + return PCAP_THREAD_EINVAL; + } + + pcap_thread->queue_mode = queue_mode; + + return PCAP_THREAD_OK; +} + +struct timeval pcap_thread_queue_wait(const pcap_thread_t* pcap_thread) +{ + static struct timeval tv = { 0, 0 }; + return tv; +} + +int pcap_thread_set_queue_wait(pcap_thread_t* pcap_thread, const struct timeval queue_wait) +{ + return PCAP_THREAD_EOBSOLETE; +} + +pcap_thread_queue_mode_t pcap_thread_callback_queue_mode(const pcap_thread_t* pcap_thread) +{ + return PCAP_THREAD_EOBSOLETE; +} + +int pcap_thread_set_callback_queue_mode(pcap_thread_t* pcap_thread, const pcap_thread_queue_mode_t callback_queue_mode) +{ + return PCAP_THREAD_EOBSOLETE; +} + +struct timeval pcap_thread_callback_queue_wait(const pcap_thread_t* pcap_thread) +{ + static struct timeval tv = { 0, 0 }; + return tv; +} + +int pcap_thread_set_callback_queue_wait(pcap_thread_t* pcap_thread, const struct timeval callback_queue_wait) +{ + return PCAP_THREAD_EOBSOLETE; +} + +int pcap_thread_snapshot(const pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + return -1; + } + + return pcap_thread->snapshot; +} + +int pcap_thread_snaplen(const pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + return -1; + } + + return pcap_thread->snaplen; +} + +int pcap_thread_set_snaplen(pcap_thread_t* pcap_thread, const int snaplen) +{ + if (!pcap_thread) { + return PCAP_THREAD_EINVAL; + } + if (pcap_thread->running) { + return PCAP_THREAD_ERUNNING; + } + + pcap_thread->snaplen = snaplen; + + return PCAP_THREAD_OK; +} + +int 
pcap_thread_promiscuous(const pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + return -1; + } + + return pcap_thread->promiscuous; +} + +int pcap_thread_set_promiscuous(pcap_thread_t* pcap_thread, const int promiscuous) +{ + if (!pcap_thread) { + return PCAP_THREAD_EINVAL; + } + if (pcap_thread->running) { + return PCAP_THREAD_ERUNNING; + } + + pcap_thread->promiscuous = promiscuous; + + return PCAP_THREAD_OK; +} + +int pcap_thread_monitor(const pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + return -1; + } + + return pcap_thread->monitor; +} + +int pcap_thread_set_monitor(pcap_thread_t* pcap_thread, const int monitor) +{ + if (!pcap_thread) { + return PCAP_THREAD_EINVAL; + } + if (pcap_thread->running) { + return PCAP_THREAD_ERUNNING; + } + + pcap_thread->monitor = monitor; + + return PCAP_THREAD_OK; +} + +int pcap_thread_timeout(const pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + return -1; + } + + return pcap_thread->timeout; +} + +int pcap_thread_set_timeout(pcap_thread_t* pcap_thread, const int timeout) +{ + if (!pcap_thread) { + return PCAP_THREAD_EINVAL; + } + if (pcap_thread->running) { + return PCAP_THREAD_ERUNNING; + } + + pcap_thread->timeout = timeout; + + return PCAP_THREAD_OK; +} + +int pcap_thread_buffer_size(const pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + return -1; + } + + return pcap_thread->buffer_size; +} + +int pcap_thread_set_buffer_size(pcap_thread_t* pcap_thread, const int buffer_size) +{ + if (!pcap_thread) { + return PCAP_THREAD_EINVAL; + } + if (pcap_thread->running) { + return PCAP_THREAD_ERUNNING; + } + + pcap_thread->buffer_size = buffer_size; + + return PCAP_THREAD_OK; +} + +int pcap_thread_timestamp_type(const pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + return -1; + } + + return pcap_thread->timestamp_type; +} + +int pcap_thread_set_timestamp_type(pcap_thread_t* pcap_thread, const int timestamp_type) +{ + if (!pcap_thread) { + return PCAP_THREAD_EINVAL; + } + if (pcap_thread->running) { + 
return PCAP_THREAD_ERUNNING; + } + + pcap_thread->have_timestamp_type = 1; + pcap_thread->timestamp_type = timestamp_type; + + return PCAP_THREAD_OK; +} + +int pcap_thread_timestamp_precision(const pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + return -1; + } + + return pcap_thread->timestamp_precision; +} + +int pcap_thread_set_timestamp_precision(pcap_thread_t* pcap_thread, const int timestamp_precision) +{ + if (!pcap_thread) { + return PCAP_THREAD_EINVAL; + } + if (pcap_thread->running) { + return PCAP_THREAD_ERUNNING; + } + + pcap_thread->have_timestamp_precision = 1; + pcap_thread->timestamp_precision = timestamp_precision; + + return PCAP_THREAD_OK; +} + +int pcap_thread_immediate_mode(const pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + return -1; + } + + return pcap_thread->immediate_mode; +} + +int pcap_thread_set_immediate_mode(pcap_thread_t* pcap_thread, const int immediate_mode) +{ + if (!pcap_thread) { + return PCAP_THREAD_EINVAL; + } + if (pcap_thread->running) { + return PCAP_THREAD_ERUNNING; + } + + pcap_thread->immediate_mode = immediate_mode; + + return PCAP_THREAD_OK; +} + +pcap_direction_t pcap_thread_direction(const pcap_thread_t* pcap_thread) +{ +#ifdef HAVE_PCAP_DIRECTION_T + if (!pcap_thread) { + return -1; + } + + return pcap_thread->direction; +#else + return 0; +#endif +} + +int pcap_thread_set_direction(pcap_thread_t* pcap_thread, const pcap_direction_t direction) +{ +#ifdef HAVE_PCAP_DIRECTION_T + if (!pcap_thread) { + return PCAP_THREAD_EINVAL; + } + if (pcap_thread->running) { + return PCAP_THREAD_ERUNNING; + } + + pcap_thread->have_direction = 1; + pcap_thread->direction = direction; + + return PCAP_THREAD_OK; +#else + return PCAP_THREAD_ENODIR; +#endif +} + +const char* pcap_thread_filter(const pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + return 0; + } + + return pcap_thread->filter; +} + +int pcap_thread_set_filter(pcap_thread_t* pcap_thread, const char* filter, const size_t filter_len) +{ + if 
(!pcap_thread) { + return PCAP_THREAD_EINVAL; + } + if (!filter) { + return PCAP_THREAD_EINVAL; + } + if (!filter_len) { + return PCAP_THREAD_EINVAL; + } + if (pcap_thread->running) { + return PCAP_THREAD_ERUNNING; + } + + if (pcap_thread->filter) { + free(pcap_thread->filter); + } + if (!(pcap_thread->filter = strndup(filter, filter_len))) { + return PCAP_THREAD_ENOMEM; + } + pcap_thread->filter_len = filter_len; + + return PCAP_THREAD_OK; +} + +int pcap_thread_clear_filter(pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + return PCAP_THREAD_EINVAL; + } + if (pcap_thread->running) { + return PCAP_THREAD_ERUNNING; + } + + if (pcap_thread->filter) { + free(pcap_thread->filter); + pcap_thread->filter = 0; + pcap_thread->filter_len = 0; + } + + return PCAP_THREAD_OK; +} + +int pcap_thread_filter_errno(const pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + return -1; + } + + return pcap_thread->filter_errno; +} + +int pcap_thread_filter_optimize(const pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + return -1; + } + + return pcap_thread->filter_optimize; +} + +int pcap_thread_set_filter_optimize(pcap_thread_t* pcap_thread, const int filter_optimize) +{ + if (!pcap_thread) { + return PCAP_THREAD_EINVAL; + } + if (pcap_thread->running) { + return PCAP_THREAD_ERUNNING; + } + + pcap_thread->filter_optimize = filter_optimize; + + return PCAP_THREAD_OK; +} + +bpf_u_int32 pcap_thread_filter_netmask(const pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + return -1; + } + + return pcap_thread->filter_netmask; +} + +int pcap_thread_set_filter_netmask(pcap_thread_t* pcap_thread, const bpf_u_int32 filter_netmask) +{ + if (!pcap_thread) { + return PCAP_THREAD_EINVAL; + } + if (pcap_thread->running) { + return PCAP_THREAD_ERUNNING; + } + + pcap_thread->filter_netmask = filter_netmask; + + return PCAP_THREAD_OK; +} + +struct timeval pcap_thread_timedrun(const pcap_thread_t* pcap_thread) +{ + if (!pcap_thread) { + static struct timeval tv = { 0, 0 }; + return tv; 
+ }
+
+ return pcap_thread->timedrun;
+}
+
+int pcap_thread_set_timedrun(pcap_thread_t* pcap_thread, const struct timeval timedrun)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->timedrun = timedrun;
+
+ return PCAP_THREAD_OK;
+}
+
+struct timeval pcap_thread_timedrun_to(const pcap_thread_t* pcap_thread)
+{
+ if (!pcap_thread) {
+ static struct timeval tv = { 0, 0 };
+ return tv;
+ }
+
+ return pcap_thread->timedrun_to;
+}
+
+int pcap_thread_set_timedrun_to(pcap_thread_t* pcap_thread, const struct timeval timedrun_to)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->timedrun_to = timedrun_to;
+
+ return PCAP_THREAD_OK;
+}
+
+pcap_thread_activate_mode_t pcap_thread_activate_mode(const pcap_thread_t* pcap_thread)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_DEFAULT_ACTIVATE_MODE;
+ }
+
+ return pcap_thread->activate_mode;
+}
+
+int pcap_thread_set_activate_mode(pcap_thread_t* pcap_thread, const pcap_thread_activate_mode_t activate_mode)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->activate_mode = activate_mode;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_was_stopped(const pcap_thread_t* pcap_thread)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+
+ return pcap_thread->was_stopped;
+}
+
+/*
+ * Queue
+ */
+
+size_t pcap_thread_queue_size(const pcap_thread_t* pcap_thread)
+{
+ if (!pcap_thread) {
+ return -1;
+ }
+
+ return pcap_thread->queue_size;
+}
+
+int pcap_thread_set_queue_size(pcap_thread_t* pcap_thread, const size_t queue_size)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (!queue_size) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->queue_size = queue_size;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback(pcap_thread_t* pcap_thread, pcap_thread_callback_t callback)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->callback = callback;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_dropback(pcap_thread_t* pcap_thread, pcap_thread_callback_t dropback)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->dropback = dropback;
+
+ return PCAP_THREAD_OK;
+}
+
+/*
+ * Layers
+ */
+
+int pcap_thread_set_callback_linux_sll(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_linux_sll)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->callback_ether
+ || pcap_thread->callback_null
+ || pcap_thread->callback_loop
+ || pcap_thread->callback_ieee802
+ || pcap_thread->callback_gre
+ || pcap_thread->callback_ip
+ || pcap_thread->callback_ipv4
+ || pcap_thread->callback_ipv6
+ || pcap_thread->callback_icmp
+ || pcap_thread->callback_icmpv6
+ || pcap_thread->callback_udp
+ || pcap_thread->callback_tcp) {
+ return PCAP_THREAD_ELAYERCB;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->callback_linux_sll = callback_linux_sll;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_ether(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ether)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->callback_linux_sll
+ || pcap_thread->callback_null
+ || pcap_thread->callback_loop
+ || pcap_thread->callback_ieee802
+ || pcap_thread->callback_gre
+ || pcap_thread->callback_ip
+ || pcap_thread->callback_ipv4
+ || pcap_thread->callback_ipv6
+ || pcap_thread->callback_icmp
+ || pcap_thread->callback_icmpv6
+ || pcap_thread->callback_udp
+ || pcap_thread->callback_tcp) {
+ return PCAP_THREAD_ELAYERCB;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->callback_ether = callback_ether;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_null(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_null)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->callback_linux_sll
+ || pcap_thread->callback_ether
+ || pcap_thread->callback_loop
+ || pcap_thread->callback_ieee802
+ || pcap_thread->callback_gre
+ || pcap_thread->callback_ip
+ || pcap_thread->callback_ipv4
+ || pcap_thread->callback_ipv6
+ || pcap_thread->callback_icmp
+ || pcap_thread->callback_icmpv6
+ || pcap_thread->callback_udp
+ || pcap_thread->callback_tcp) {
+ return PCAP_THREAD_ELAYERCB;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->callback_null = callback_null;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_loop(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_loop)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->callback_linux_sll
+ || pcap_thread->callback_ether
+ || pcap_thread->callback_null
+ || pcap_thread->callback_ieee802
+ || pcap_thread->callback_gre
+ || pcap_thread->callback_ip
+ || pcap_thread->callback_ipv4
+ || pcap_thread->callback_ipv6
+ || pcap_thread->callback_icmp
+ || pcap_thread->callback_icmpv6
+ || pcap_thread->callback_udp
+ || pcap_thread->callback_tcp) {
+ return PCAP_THREAD_ELAYERCB;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->callback_loop = callback_loop;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_ieee802(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ieee802)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->callback_linux_sll
+ || pcap_thread->callback_ether
+ || pcap_thread->callback_null
+ || pcap_thread->callback_loop
+ || pcap_thread->callback_gre
+ || pcap_thread->callback_ip
+ || pcap_thread->callback_ipv4
+ || pcap_thread->callback_ipv6
+ || pcap_thread->callback_icmp
+ || pcap_thread->callback_icmpv6
+ || pcap_thread->callback_udp
+ || pcap_thread->callback_tcp) {
+ return PCAP_THREAD_ELAYERCB;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->callback_ieee802 = callback_ieee802;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_gre(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_gre)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->callback_linux_sll
+ || pcap_thread->callback_ether
+ || pcap_thread->callback_null
+ || pcap_thread->callback_loop
+ || pcap_thread->callback_ieee802
+ || pcap_thread->callback_ip
+ || pcap_thread->callback_ipv4
+ || pcap_thread->callback_ipv6
+ || pcap_thread->callback_icmp
+ || pcap_thread->callback_icmpv6
+ || pcap_thread->callback_udp
+ || pcap_thread->callback_tcp) {
+ return PCAP_THREAD_ELAYERCB;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->callback_gre = callback_gre;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_ip(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ip)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->callback_linux_sll
+ || pcap_thread->callback_ether
+ || pcap_thread->callback_null
+ || pcap_thread->callback_loop
+ || pcap_thread->callback_ieee802
+ || pcap_thread->callback_gre
+ || pcap_thread->callback_ipv4
+ || pcap_thread->callback_ipv6
+ || pcap_thread->callback_icmp
+ || pcap_thread->callback_icmpv6
+ || pcap_thread->callback_udp
+ || pcap_thread->callback_tcp) {
+ return PCAP_THREAD_ELAYERCB;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->callback_ip = callback_ip;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_ipv4(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ipv4)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->callback_linux_sll
+ || pcap_thread->callback_ether
+ || pcap_thread->callback_null
+ || pcap_thread->callback_loop
+ || pcap_thread->callback_ieee802
+ || pcap_thread->callback_gre
+ || pcap_thread->callback_ip
+ || pcap_thread->callback_icmp
+ || pcap_thread->callback_icmpv6
+ || pcap_thread->callback_udp
+ || pcap_thread->callback_tcp) {
+ return PCAP_THREAD_ELAYERCB;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->callback_ipv4 = callback_ipv4;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_ipv4_frag(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_frag_t callback_ipv4_frag)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (!callback_ipv4_frag.new
+ || !callback_ipv4_frag.free
+ || !callback_ipv4_frag.reassemble
+ || !callback_ipv4_frag.release) {
+ if (callback_ipv4_frag.new
+ || callback_ipv4_frag.free
+ || callback_ipv4_frag.reassemble
+ || callback_ipv4_frag.release) {
+ return PCAP_THREAD_EINVAL;
+ }
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->callback_ipv4_frag = callback_ipv4_frag;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_ipv6(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ipv6)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->callback_linux_sll
+ || pcap_thread->callback_ether
+ || pcap_thread->callback_null
+ || pcap_thread->callback_loop
+ || pcap_thread->callback_ieee802
+ || pcap_thread->callback_gre
+ || pcap_thread->callback_ip
+ || pcap_thread->callback_icmp
+ || pcap_thread->callback_icmpv6
+ || pcap_thread->callback_udp
+ || pcap_thread->callback_tcp) {
+ return PCAP_THREAD_ELAYERCB;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->callback_ipv6 = callback_ipv6;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_ipv6_frag(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_frag_t callback_ipv6_frag)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (!callback_ipv6_frag.new
+ || !callback_ipv6_frag.free
+ || !callback_ipv6_frag.reassemble
+ || !callback_ipv6_frag.release) {
+ if (callback_ipv6_frag.new
+ || callback_ipv6_frag.free
+ || callback_ipv6_frag.reassemble
+ || callback_ipv6_frag.release) {
+ return PCAP_THREAD_EINVAL;
+ }
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->callback_ipv6_frag = callback_ipv6_frag;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_icmp(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_icmp)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->callback_linux_sll
+ || pcap_thread->callback_ether
+ || pcap_thread->callback_null
+ || pcap_thread->callback_loop
+ || pcap_thread->callback_ieee802
+ || pcap_thread->callback_gre
+ || pcap_thread->callback_ip
+ || pcap_thread->callback_ipv4
+ || pcap_thread->callback_ipv6) {
+ return PCAP_THREAD_ELAYERCB;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->callback_icmp = callback_icmp;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_icmpv6(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_icmpv6)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->callback_linux_sll
+ || pcap_thread->callback_ether
+ || pcap_thread->callback_null
+ || pcap_thread->callback_loop
+ || pcap_thread->callback_ieee802
+ || pcap_thread->callback_gre
+ || pcap_thread->callback_ip
+ || pcap_thread->callback_ipv4
+ || pcap_thread->callback_ipv6) {
+ return PCAP_THREAD_ELAYERCB;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->callback_icmpv6 = callback_icmpv6;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_udp(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_udp)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->callback_linux_sll
+ || pcap_thread->callback_ether
+ || pcap_thread->callback_null
+ || pcap_thread->callback_loop
+ || pcap_thread->callback_ieee802
+ || pcap_thread->callback_gre
+ || pcap_thread->callback_ip
+ || pcap_thread->callback_ipv4
+ || pcap_thread->callback_ipv6) {
+ return PCAP_THREAD_ELAYERCB;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->callback_udp = callback_udp;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_tcp(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_tcp)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->callback_linux_sll
+ || pcap_thread->callback_ether
+ || pcap_thread->callback_null
+ || pcap_thread->callback_loop
+ || pcap_thread->callback_ieee802
+ || pcap_thread->callback_gre
+ || pcap_thread->callback_ip
+ || pcap_thread->callback_ipv4
+ || pcap_thread->callback_ipv6) {
+ return PCAP_THREAD_ELAYERCB;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->callback_tcp = callback_tcp;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_invalid(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_invalid)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ pcap_thread->callback_invalid = callback_invalid;
+
+ return PCAP_THREAD_OK;
+}
+
+#define need4x2(v1, v2, p, l) \
+ if (l < 1) { \
+ break; \
+ } \
+ v1 = (*p) >> 4; \
+ v2 = (*p) & 0xf; \
+ p += 1; \
+ l -= 1
+
+#define need8(v, p, l) \
+ if (l < 1) { \
+ break; \
+ } \
+ v = *p; \
+ p += 1; \
+ l -= 1
+
+#define need16(v, p, l) \
+ if (l < 2) { \
+ break; \
+ } \
+ v = (*p << 8) + *(p + 1); \
+ p += 2; \
+ l -= 2
+
+#define need32(v, p, l) \
+ if (l < 4) { \
+ break; \
+ } \
+ v = (*p << 24) + (*(p + 1) << 16) + (*(p + 2) << 8) + *(p + 3); \
+ p += 4; \
+ l -= 4
+
+#define needxb(b, x, p, l) \
+ if (l < x) { \
+ break; \
+ } \
+ memcpy(b, p, x); \
+ p += x; \
+ l -= x
+
+#define advancexb(x, p, l) \
+ if (l < x) { \
+ break; \
+ } \
+ p += x; \
+ l -= x
+
+#if PCAP_THREAD_LAYER_TRACE
+#define layer_trace(msg) printf("LT %s:%d: " msg "\n", __FILE__, __LINE__)
+#define layer_tracef(msg, args...) printf("LT %s:%d: " msg "\n", __FILE__, __LINE__, args)
+#else
+#define layer_trace(msg)
+#define layer_tracef(msg, args...)
+#endif
+
+static void pcap_thread_callback(u_char* user, const struct pcap_pkthdr* pkthdr, const u_char* pkt, const char* name, int dlt)
+{
+ pcap_thread_pcaplist_t* pcaplist = (pcap_thread_pcaplist_t*)user;
+ size_t length;
+ pcap_thread_packet_t packet;
+ const u_char* orig = pkt;
+ size_t origlength;
+
+ if (!pcaplist) {
+ return;
+ }
+ if (!pcaplist->pcap_thread) {
+ return;
+ }
+ if (!pkthdr) {
+ return;
+ }
+ if (!pkt) {
+ return;
+ }
+ if (!name) {
+ return;
+ }
+
+ memset(&packet, 0, sizeof(packet));
+ packet.name = name;
+ packet.dlt = dlt;
+ packet.pkthdr = *pkthdr;
+ packet.have_pkthdr = 1;
+ length = pkthdr->caplen;
+ origlength = length;
+
+ layer_tracef("packet, length %lu", length);
+
+ switch (dlt) {
+ case DLT_NULL:
+ layer_trace("dlt_null");
+ {
+ uint8_t hdr[4];
+
+ packet.state = PCAP_THREAD_PACKET_INVALID_NULL;
+ need8(hdr[0], pkt, length);
+ need8(hdr[1], pkt, length);
+ need8(hdr[2], pkt, length);
+ need8(hdr[3], pkt, length);
+ packet.state = PCAP_THREAD_PACKET_OK;
+
+ /*
+ * The header for null is in host byte order but may not be
+ * in the same endian as host if coming from a savefile
+ */
+
+ if (pcaplist->is_offline && pcap_is_swapped(pcaplist->pcap)) {
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ packet.nullhdr.family = hdr[3] + (hdr[2] << 8) + (hdr[1] << 16) + (hdr[0] << 24);
+#elif __BYTE_ORDER == __BIG_ENDIAN
+ packet.nullhdr.family = hdr[0] + (hdr[1] << 8) + (hdr[2] << 16) + (hdr[3] << 24);
+#else
+#error "Please fix <endian.h>"
+#endif
+ } else {
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ packet.nullhdr.family = hdr[0] + (hdr[1] << 8) + (hdr[2] << 16) + (hdr[3] << 24);
+#elif __BYTE_ORDER == __BIG_ENDIAN
+ packet.nullhdr.family = hdr[3] + (hdr[2] << 8) + (hdr[1] << 16) + (hdr[0] << 24);
+#else
+#error "Please fix <endian.h>"
+#endif
+ }
+ packet.have_nullhdr = 1;
+
+ if (pcaplist->pcap_thread->callback_null)
+ pcaplist->pcap_thread->callback_null(pcaplist->user, &packet, pkt, length);
+ else
+ pcap_thread_callback_null((void*)pcaplist, &packet, pkt, length);
+ return;
+ }
+ break;
+
+ case DLT_EN10MB:
+ layer_trace("dlt_en10mb");
+ packet.state = PCAP_THREAD_PACKET_INVALID_ETHER;
+ needxb(packet.ethhdr.ether_dhost, sizeof(packet.ethhdr.ether_dhost), pkt, length);
+ needxb(packet.ethhdr.ether_shost, sizeof(packet.ethhdr.ether_shost), pkt, length);
+ need16(packet.ethhdr.ether_type, pkt, length);
+ packet.state = PCAP_THREAD_PACKET_OK;
+ packet.have_ethhdr = 1;
+
+ if (pcaplist->pcap_thread->callback_ether)
+ pcaplist->pcap_thread->callback_ether(pcaplist->user, &packet, pkt, length);
+ else
+ pcap_thread_callback_ether((void*)pcaplist, &packet, pkt, length);
+ return;
+
+ case DLT_LOOP:
+ layer_trace("dlt_loop");
+ packet.state = PCAP_THREAD_PACKET_INVALID_LOOP;
+ need32(packet.loophdr.family, pkt, length);
+ packet.state = PCAP_THREAD_PACKET_OK;
+ packet.have_loophdr = 1;
+
+ if (pcaplist->pcap_thread->callback_loop)
+ pcaplist->pcap_thread->callback_loop(pcaplist->user, &packet, pkt, length);
+ else
+ pcap_thread_callback_loop((void*)pcaplist, &packet, pkt, length);
+ return;
+
+ case DLT_RAW:
+#ifdef DLT_IPV4
+ case DLT_IPV4:
+#endif
+#ifdef DLT_IPV6
+ case DLT_IPV6:
+#endif
+ layer_trace("dlt_raw/ipv4/ipv6");
+ if (pcaplist->pcap_thread->callback_ip)
+ pcaplist->pcap_thread->callback_ip(pcaplist->user, &packet, pkt, length);
+ else
+ pcap_thread_callback_ip((void*)pcaplist, &packet, pkt, length);
+ return;
+
+ case DLT_LINUX_SLL:
+ layer_trace("dlt_linux_sll");
+ packet.state = PCAP_THREAD_PACKET_INVALID_LINUX_SLL;
+ need16(packet.linux_sll.packet_type, pkt, length);
+ need16(packet.linux_sll.arp_hardware, pkt, length);
+ need16(packet.linux_sll.link_layer_address_length, pkt, length);
+ needxb(packet.linux_sll.link_layer_address, 8, pkt, length);
+ need16(packet.linux_sll.ether_type, pkt, length);
+ packet.state = PCAP_THREAD_PACKET_OK;
+ packet.have_linux_sll = 1;
+
+ if (pcaplist->pcap_thread->callback_linux_sll)
+ pcaplist->pcap_thread->callback_linux_sll(pcaplist->user, &packet, pkt, length);
+ else
+ pcap_thread_callback_linux_sll((void*)pcaplist, &packet, pkt, length);
+ return;
+
+ /* TODO: These might be interesting to implement
+ case DLT_IPNET:
+ case DLT_PKTAP:
+ */
+
+ default:
+ packet.state = PCAP_THREAD_PACKET_UNSUPPORTED;
+ break;
+ }
+
+ if (pcaplist->pcap_thread->callback_invalid) {
+ if (packet.state == PCAP_THREAD_PACKET_OK)
+ packet.state = PCAP_THREAD_PACKET_INVALID;
+ pcaplist->pcap_thread->callback_invalid(pcaplist->user, &packet, orig, origlength);
+ }
+}
+
+static void pcap_thread_callback_linux_sll(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+ pcap_thread_pcaplist_t* pcaplist = (pcap_thread_pcaplist_t*)user;
+ const u_char* orig = payload;
+ size_t origlength = length;
+
+ if (!pcaplist) {
+ return;
+ }
+ if (!pcaplist->pcap_thread) {
+ return;
+ }
+ if (!packet) {
+ return;
+ }
+ if (!payload) {
+ return;
+ }
+ if (!length) {
+ return;
+ }
+
+ if (packet->have_linux_sll) {
+ layer_trace("have_linux_sll");
+ switch (packet->linux_sll.ether_type) {
+ case 0x8100: /* 802.1q */
+ case 0x88a8: /* 802.1ad */
+ case 0x9100: /* 802.1 QinQ non-standard */
+ if (packet->have_ieee802hdr)
+ break;
+
+ {
+ uint16_t tci;
+
+ packet->state = PCAP_THREAD_PACKET_INVALID_IEEE802;
+ need16(tci, payload, length);
+ packet->ieee802hdr.pcp = (tci & 0xe000) >> 13;
+ packet->ieee802hdr.dei = (tci & 0x1000) >> 12;
+ packet->ieee802hdr.vid = tci & 0x0fff;
+ need16(packet->ieee802hdr.ether_type, payload, length);
+ packet->state = PCAP_THREAD_PACKET_OK;
+ packet->have_ieee802hdr = 1;
+ }
+
+ if (pcaplist->pcap_thread->callback_ieee802)
+ pcaplist->pcap_thread->callback_ieee802(pcaplist->user, packet, payload, length);
+ else
+ pcap_thread_callback_ieee802((void*)pcaplist, packet, payload, length);
+ return;
+
+ case ETHERTYPE_IP:
+ case ETHERTYPE_IPV6:
+ if (pcaplist->pcap_thread->callback_ip)
+ pcaplist->pcap_thread->callback_ip(pcaplist->user, packet, payload, length);
+ else
+ pcap_thread_callback_ip((void*)pcaplist, packet, payload, length);
+ return;
+
+ default:
+ packet->state = PCAP_THREAD_PACKET_UNSUPPORTED;
+ break;
+ }
+ }
+
+ if (pcaplist->pcap_thread->callback_invalid) {
+ if (packet->state == PCAP_THREAD_PACKET_OK)
+ packet->state = PCAP_THREAD_PACKET_INVALID;
+ pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+ }
+}
+
+static void pcap_thread_callback_ether(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+ pcap_thread_pcaplist_t* pcaplist = (pcap_thread_pcaplist_t*)user;
+ const u_char* orig = payload;
+ size_t origlength = length;
+
+ if (!pcaplist) {
+ return;
+ }
+ if (!pcaplist->pcap_thread) {
+ return;
+ }
+ if (!packet) {
+ return;
+ }
+ if (!payload) {
+ return;
+ }
+ if (!length) {
+ return;
+ }
+
+ if (packet->have_ethhdr) {
+ layer_trace("have_ethhdr");
+ switch (packet->ethhdr.ether_type) {
+ case 0x8100: /* 802.1q */
+ case 0x88a8: /* 802.1ad */
+ case 0x9100: /* 802.1 QinQ non-standard */
+ if (packet->have_ieee802hdr)
+ break;
+
+ {
+ uint16_t tci;
+
+ packet->state = PCAP_THREAD_PACKET_INVALID_IEEE802;
+ need16(tci, payload, length);
+ packet->ieee802hdr.pcp = (tci & 0xe000) >> 13;
+ packet->ieee802hdr.dei = (tci & 0x1000) >> 12;
+ packet->ieee802hdr.vid = tci & 0x0fff;
+ need16(packet->ieee802hdr.ether_type, payload, length);
+ packet->state = PCAP_THREAD_PACKET_OK;
+ packet->have_ieee802hdr = 1;
+ }
+
+ if (pcaplist->pcap_thread->callback_ieee802)
+ pcaplist->pcap_thread->callback_ieee802(pcaplist->user, packet, payload, length);
+ else
+ pcap_thread_callback_ieee802((void*)pcaplist, packet, payload, length);
+ return;
+
+ case ETHERTYPE_IP:
+ case ETHERTYPE_IPV6:
+ if (pcaplist->pcap_thread->callback_ip)
+ pcaplist->pcap_thread->callback_ip(pcaplist->user, packet, payload, length);
+ else
+ pcap_thread_callback_ip((void*)pcaplist, packet, payload, length);
+ return;
+
+ default:
+ packet->state = PCAP_THREAD_PACKET_UNSUPPORTED;
+ break;
+ }
+ }
+
+ if (pcaplist->pcap_thread->callback_invalid) {
+ if (packet->state == PCAP_THREAD_PACKET_OK)
+ packet->state = PCAP_THREAD_PACKET_INVALID;
+ pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+ }
+}
+
+static void pcap_thread_callback_null(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+ pcap_thread_pcaplist_t* pcaplist = (pcap_thread_pcaplist_t*)user;
+ const u_char* orig = payload;
+ size_t origlength = length;
+
+ if (!pcaplist) {
+ return;
+ }
+ if (!pcaplist->pcap_thread) {
+ return;
+ }
+ if (!packet) {
+ return;
+ }
+ if (!payload) {
+ return;
+ }
+ if (!length) {
+ return;
+ }
+
+ if (packet->have_nullhdr) {
+ layer_trace("have_nullhdr");
+
+ /* From libpcap link types documentation:
+ * containing a value of 2 for IPv4 packets, a value of either 24, 28,
+ * or 30 for IPv6 packets, a value of 7 for OSI packets, or a value of 23
+ * for IPX packets. All of the IPv6 values correspond to IPv6 packets;
+ * code reading files should check for all of them.
+ */
+
+ switch (packet->nullhdr.family) {
+ case 2:
+ case 24:
+ case 28:
+ case 30:
+ if (pcaplist->pcap_thread->callback_ip)
+ pcaplist->pcap_thread->callback_ip(pcaplist->user, packet, payload, length);
+ else
+ pcap_thread_callback_ip((void*)pcaplist, packet, payload, length);
+ return;
+
+ default:
+ packet->state = PCAP_THREAD_PACKET_UNSUPPORTED;
+ break;
+ }
+ }
+
+ if (pcaplist->pcap_thread->callback_invalid) {
+ if (packet->state == PCAP_THREAD_PACKET_OK)
+ packet->state = PCAP_THREAD_PACKET_INVALID;
+ pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+ }
+}
+
+static void pcap_thread_callback_loop(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+ pcap_thread_pcaplist_t* pcaplist = (pcap_thread_pcaplist_t*)user;
+ const u_char* orig = payload;
+ size_t origlength = length;
+
+ if (!pcaplist) {
+ return;
+ }
+ if (!pcaplist->pcap_thread) {
+ return;
+ }
+ if (!packet) {
+ return;
+ }
+ if (!payload) {
+ return;
+ }
+ if (!length) {
+ return;
+ }
+
+ if (packet->have_loophdr) {
+ layer_trace("have_loophdr");
+
+ /* From libpcap link types documentation:
+ * containing a value of 2 for IPv4 packets, a value of either 24, 28,
+ * or 30 for IPv6 packets, a value of 7 for OSI packets, or a value of 23
+ * for IPX packets. All of the IPv6 values correspond to IPv6 packets;
+ * code reading files should check for all of them.
+ */ + + switch (packet->loophdr.family) { + case 2: + case 24: + case 28: + case 30: + if (pcaplist->pcap_thread->callback_ip) + pcaplist->pcap_thread->callback_ip(pcaplist->user, packet, payload, length); + else + pcap_thread_callback_ip((void*)pcaplist, packet, payload, length); + return; + + default: + packet->state = PCAP_THREAD_PACKET_UNSUPPORTED; + break; + } + } + + if (pcaplist->pcap_thread->callback_invalid) { + if (packet->state == PCAP_THREAD_PACKET_OK) + packet->state = PCAP_THREAD_PACKET_INVALID; + pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength); + } +} + +static void pcap_thread_callback_ieee802(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length) +{ + pcap_thread_pcaplist_t* pcaplist = (pcap_thread_pcaplist_t*)user; + const u_char* orig = payload; + size_t origlength = length; + + if (!pcaplist) { + return; + } + if (!pcaplist->pcap_thread) { + return; + } + if (!packet) { + return; + } + if (!payload) { + return; + } + if (!length) { + return; + } + + if (packet->have_ieee802hdr) { + layer_trace("have_ieee802hdr"); + + switch (packet->ieee802hdr.ether_type) { + case 0x88a8: /* 802.1ad */ + case 0x9100: /* 802.1 QinQ non-standard */ + { + pcap_thread_packet_t ieee802pkt; + uint16_t tci; + + memset(&ieee802pkt, 0, sizeof(ieee802pkt)); + ieee802pkt.prevpkt = packet; + ieee802pkt.have_prevpkt = 1; + + packet->state = PCAP_THREAD_PACKET_INVALID_IEEE802; + need16(tci, payload, length); + ieee802pkt.ieee802hdr.pcp = (tci & 0xe000) >> 13; + ieee802pkt.ieee802hdr.dei = (tci & 0x1000) >> 12; + ieee802pkt.ieee802hdr.vid = tci & 0x0fff; + need16(ieee802pkt.ieee802hdr.ether_type, payload, length); + packet->state = PCAP_THREAD_PACKET_OK; + ieee802pkt.have_ieee802hdr = 1; + + if (pcaplist->pcap_thread->callback_ieee802) + pcaplist->pcap_thread->callback_ieee802(pcaplist->user, &ieee802pkt, payload, length); + else + pcap_thread_callback_ieee802((void*)pcaplist, &ieee802pkt, payload, length); + 
return; + } + + case ETHERTYPE_IP: + case ETHERTYPE_IPV6: + if (pcaplist->pcap_thread->callback_ip) + pcaplist->pcap_thread->callback_ip(pcaplist->user, packet, payload, length); + else + pcap_thread_callback_ip((void*)pcaplist, packet, payload, length); + return; + + default: + packet->state = PCAP_THREAD_PACKET_UNSUPPORTED; + break; + } + } + + if (pcaplist->pcap_thread->callback_invalid) { + if (packet->state == PCAP_THREAD_PACKET_OK) + packet->state = PCAP_THREAD_PACKET_INVALID; + pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength); + } +} + +static void pcap_thread_callback_gre(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length) +{ + pcap_thread_pcaplist_t* pcaplist = (pcap_thread_pcaplist_t*)user; + const u_char* orig = payload; + size_t origlength = length; + + if (!pcaplist) { + return; + } + if (!pcaplist->pcap_thread) { + return; + } + if (!packet) { + return; + } + if (!payload) { + return; + } + if (!length) { + return; + } + + if (packet->have_grehdr) { + pcap_thread_packet_t grepkt; + + layer_trace("have_grehdr"); + + memset(&grepkt, 0, sizeof(grepkt)); + grepkt.prevpkt = packet; + grepkt.have_prevpkt = 1; + + for (;;) { + packet->state = PCAP_THREAD_PACKET_INVALID_GRE; + if (packet->grehdr.gre_flags & 0x1) { + need16(packet->gre.checksum, payload, length); + } + if (packet->grehdr.gre_flags & 0x4) { + need16(packet->gre.key, payload, length); + } + if (packet->grehdr.gre_flags & 0x8) { + need16(packet->gre.sequence, payload, length); + } + packet->state = PCAP_THREAD_PACKET_OK; + packet->have_gre = 1; + + switch (packet->grehdr.ether_type) { + case ETHERTYPE_IP: + case ETHERTYPE_IPV6: + if (pcaplist->pcap_thread->callback_ip) + pcaplist->pcap_thread->callback_ip(pcaplist->user, &grepkt, payload, length); + else + pcap_thread_callback_ip((void*)pcaplist, &grepkt, payload, length); + return; + + default: + packet->state = PCAP_THREAD_PACKET_UNSUPPORTED; + break; + } + break; + } + } + + if 
(pcaplist->pcap_thread->callback_invalid) { + if (packet->state == PCAP_THREAD_PACKET_OK) + packet->state = PCAP_THREAD_PACKET_INVALID; + pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength); + } +} + +static void pcap_thread_callback_ip(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length) +{ + pcap_thread_pcaplist_t* pcaplist = (pcap_thread_pcaplist_t*)user; + const u_char* orig = payload; + size_t origlength = length; + + if (!pcaplist) { + return; + } + if (!pcaplist->pcap_thread) { + return; + } + if (!packet) { + return; + } + if (!payload) { + return; + } + if (!length) { + return; + } + + if (!packet->have_iphdr && !packet->have_ip6hdr) { + layer_trace("checking for ip"); + + for (;;) { + packet->state = PCAP_THREAD_PACKET_INVALID_IP; + need4x2(packet->iphdr.ip_v, packet->iphdr.ip_hl, payload, length); + if (packet->iphdr.ip_v == 4) { + packet->state = PCAP_THREAD_PACKET_INVALID_IPV4; + need8(packet->iphdr.ip_tos, payload, length); + need16(packet->iphdr.ip_len, payload, length); + need16(packet->iphdr.ip_id, payload, length); + need16(packet->iphdr.ip_off, payload, length); + need8(packet->iphdr.ip_ttl, payload, length); + need8(packet->iphdr.ip_p, payload, length); + need16(packet->iphdr.ip_sum, payload, length); + needxb(&(packet->iphdr.ip_src.s_addr), 4, payload, length); + needxb(&(packet->iphdr.ip_dst.s_addr), 4, payload, length); + + /* TODO: IPv4 options */ + + if (packet->iphdr.ip_hl < 5) + break; + if (packet->iphdr.ip_hl > 5) { + advancexb((packet->iphdr.ip_hl - 5) * 4, payload, length); + } + + packet->state = PCAP_THREAD_PACKET_OK; + packet->have_iphdr = 1; + + if (pcaplist->pcap_thread->callback_ipv4) + pcaplist->pcap_thread->callback_ipv4(pcaplist->user, packet, payload, length); + else + pcap_thread_callback_ipv4((void*)pcaplist, packet, payload, length); + return; + } else if (packet->iphdr.ip_v == 6) { + /* + * Clear IPv4 headers and reverse reading one byte + */ + packet->iphdr.ip_v 
= 0; + packet->iphdr.ip_hl = 0; + payload--; + length++; + + packet->state = PCAP_THREAD_PACKET_INVALID_IPV6; + need32(packet->ip6hdr.ip6_flow, payload, length); + need16(packet->ip6hdr.ip6_plen, payload, length); + need8(packet->ip6hdr.ip6_nxt, payload, length); + need8(packet->ip6hdr.ip6_hlim, payload, length); + needxb(&(packet->ip6hdr.ip6_src), 16, payload, length); + needxb(&(packet->ip6hdr.ip6_dst), 16, payload, length); + packet->state = PCAP_THREAD_PACKET_OK; + packet->have_ip6hdr = 1; + + if (pcaplist->pcap_thread->callback_ipv6) + pcaplist->pcap_thread->callback_ipv6(pcaplist->user, packet, payload, length); + else + pcap_thread_callback_ipv6((void*)pcaplist, packet, payload, length); + return; + } + + packet->state = PCAP_THREAD_PACKET_UNSUPPORTED; + break; + } + } + + if (pcaplist->pcap_thread->callback_invalid) { + if (packet->state == PCAP_THREAD_PACKET_OK) + packet->state = PCAP_THREAD_PACKET_INVALID; + pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength); + } +} + +static void pcap_thread_callback_ipv4(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length) +{ + pcap_thread_pcaplist_t* pcaplist = (pcap_thread_pcaplist_t*)user; + const u_char* orig = payload; + size_t origlength = length; + int release_frag = 0; + + if (!pcaplist) { + return; + } + if (!pcaplist->pcap_thread) { + return; + } + if (!packet) { + return; + } + if (!payload) { + return; + } + if (!length) { + return; + } + + if (packet->have_iphdr) { + layer_trace("have_iphdr"); + + for (;;) { + /* Check reported length for missing payload or padding */ + if (packet->iphdr.ip_len < (packet->iphdr.ip_hl * 4)) { + layer_trace("ip_len < ip header"); + packet->state = PCAP_THREAD_PACKET_INVALID_IPV4; + break; + } + if (length < (packet->iphdr.ip_len - (packet->iphdr.ip_hl * 4))) { + layer_trace("length < (ip_len - ip header)"); + packet->state = PCAP_THREAD_PACKET_INVALID_IPV4; + break; + } + if (length > (packet->iphdr.ip_len - 
(packet->iphdr.ip_hl * 4))) {
+ layer_trace("have_ippadding");
+ packet->ippadding = length - (packet->iphdr.ip_len - (packet->iphdr.ip_hl * 4));
+ packet->have_ippadding = 1;
+ length -= packet->ippadding;
+ }
+
+ /* Check if packet wants more fragments or has an offset */
+ if (packet->iphdr.ip_off & 0x2000 || packet->iphdr.ip_off & 0x1fff) {
+ layer_trace("is_v4_frag");
+
+ if (pcaplist->pcap_thread->callback_ipv4_frag.reassemble) {
+ pcap_thread_packet_t* whole_packet = 0;
+ const u_char* whole_payload = 0;
+ size_t whole_length = 0;
+
+ packet->state = pcaplist->pcap_thread->callback_ipv4_frag.reassemble(pcaplist->ipv4_frag_ctx, packet, payload, length, &whole_packet, &whole_payload, &whole_length);
+
+ /* Defragmentation failed some how, we return packet as invalid */
+ if (packet->state != PCAP_THREAD_PACKET_OK) {
+ break;
+ }
+
+ /* No whole/defragmented packet return, need more */
+ if (!whole_packet || !whole_payload || !whole_length) {
+ return;
+ }
+
+ layer_tracef("v4_reasm %p %p %lu", whole_packet, whole_payload, whole_length);
+
+ packet = whole_packet;
+ payload = whole_payload;
+ length = whole_length;
+ release_frag = 1;
+ } else {
+ /*
+ * Mark packet as fragment and send it to the next user
+ * layer (if any) or return it as invalid.
+ */
+ packet->state = PCAP_THREAD_PACKET_IS_FRAGMENT;
+
+ switch (packet->iphdr.ip_p) {
+ case IPPROTO_GRE:
+ layer_trace("ipproto_gre frag");
+
+ if (!(packet->iphdr.ip_off & 0x1fff)) {
+ for (;;) {
+ packet->state = PCAP_THREAD_PACKET_FRAGMENTED_GREHDR;
+ need16(packet->grehdr.gre_flags, payload, length);
+ need16(packet->grehdr.ether_type, payload, length);
+ packet->state = PCAP_THREAD_PACKET_IS_FRAGMENT;
+ packet->have_grehdr = 1;
+ break;
+ }
+ }
+
+ if (pcaplist->pcap_thread->callback_gre) {
+ pcaplist->pcap_thread->callback_gre(pcaplist->user, packet, payload, length);
+ return;
+ }
+ break;
+
+ case IPPROTO_ICMP:
+ layer_trace("ipproto_icmp frag");
+
+ if (!(packet->iphdr.ip_off & 0x1fff)) {
+ for (;;) {
+ packet->state = PCAP_THREAD_PACKET_FRAGMENTED_ICMPHDR;
+ need8(packet->icmphdr.type, payload, length);
+ need8(packet->icmphdr.code, payload, length);
+ need16(packet->icmphdr.checksum, payload, length);
+ packet->state = PCAP_THREAD_PACKET_IS_FRAGMENT;
+ packet->have_icmphdr = 1;
+ break;
+ }
+ }
+
+ if (pcaplist->pcap_thread->callback_icmp) {
+ pcaplist->pcap_thread->callback_icmp(pcaplist->user, packet, payload, length);
+ return;
+ }
+ break;
+
+ case IPPROTO_UDP:
+ layer_trace("ipproto_udp frag");
+
+ if (!(packet->iphdr.ip_off & 0x1fff)) {
+ for (;;) {
+ packet->state = PCAP_THREAD_PACKET_FRAGMENTED_UDPHDR;
+ need16(packet->udphdr.uh_sport, payload, length);
+ need16(packet->udphdr.uh_dport, payload, length);
+ need16(packet->udphdr.uh_ulen, payload, length);
+ need16(packet->udphdr.uh_sum, payload, length);
+ packet->state = PCAP_THREAD_PACKET_IS_FRAGMENT;
+ packet->have_udphdr = 1;
+ break;
+ }
+ }
+
+ if (pcaplist->pcap_thread->callback_udp) {
+ pcaplist->pcap_thread->callback_udp(pcaplist->user, packet, payload, length);
+ return;
+ }
+ break;
+
+ case IPPROTO_TCP:
+ layer_trace("ipproto_tcp frag");
+
+ if (!(packet->iphdr.ip_off & 0x1fff)) {
+ for (;;) {
+ packet->state = PCAP_THREAD_PACKET_FRAGMENTED_TCPHDR;
+ need16(packet->tcphdr.th_sport,
payload, length);
+ need16(packet->tcphdr.th_dport, payload, length);
+ need32(packet->tcphdr.th_seq, payload, length);
+ need32(packet->tcphdr.th_ack, payload, length);
+ need4x2(packet->tcphdr.th_off, packet->tcphdr.th_x2, payload, length);
+ need8(packet->tcphdr.th_flags, payload, length);
+ need16(packet->tcphdr.th_win, payload, length);
+ need16(packet->tcphdr.th_sum, payload, length);
+ need16(packet->tcphdr.th_urp, payload, length);
+ if (packet->tcphdr.th_off > 5) {
+ packet->tcpopts_len = (packet->tcphdr.th_off - 5) * 4;
+ needxb(&(packet->tcpopts[0]), packet->tcpopts_len, payload, length);
+ packet->have_tcpopts = 1;
+ }
+ packet->state = PCAP_THREAD_PACKET_IS_FRAGMENT;
+ packet->have_tcphdr = 1;
+ break;
+ }
+ }
+
+ if (pcaplist->pcap_thread->callback_tcp) {
+ pcaplist->pcap_thread->callback_tcp(pcaplist->user, packet, payload, length);
+ return;
+ }
+ break;
+
+ default:
+ break;
+ }
+ break;
+ }
+ }
+
+ switch (packet->iphdr.ip_p) {
+ case IPPROTO_GRE:
+ layer_trace("ipproto_gre");
+
+ if (packet->have_grehdr)
+ break;
+
+ packet->state = PCAP_THREAD_PACKET_INVALID_GRE;
+ need16(packet->grehdr.gre_flags, payload, length);
+ need16(packet->grehdr.ether_type, payload, length);
+ packet->state = PCAP_THREAD_PACKET_OK;
+ packet->have_grehdr = 1;
+
+ if (pcaplist->pcap_thread->callback_gre)
+ pcaplist->pcap_thread->callback_gre(pcaplist->user, packet, payload, length);
+ else
+ pcap_thread_callback_gre((void*)pcaplist, packet, payload, length);
+
+ if (release_frag) {
+ pcaplist->pcap_thread->callback_ipv4_frag.release(pcaplist->ipv4_frag_ctx, packet, payload, length);
+ }
+ return;
+
+ case IPPROTO_ICMP:
+ layer_trace("ipproto_icmp");
+
+ if (packet->have_icmphdr)
+ break;
+
+ packet->state = PCAP_THREAD_PACKET_INVALID_ICMP;
+ need8(packet->icmphdr.type, payload, length);
+ need8(packet->icmphdr.code, payload, length);
+ need16(packet->icmphdr.checksum, payload, length);
+ packet->state = PCAP_THREAD_PACKET_OK;
+ packet->have_icmphdr = 1;
+
+ if
(pcaplist->pcap_thread->callback_icmp)
+ pcaplist->pcap_thread->callback_icmp(pcaplist->user, packet, payload, length);
+ else
+ pcap_thread_callback_icmp((void*)pcaplist, packet, payload, length);
+
+ if (release_frag) {
+ pcaplist->pcap_thread->callback_ipv4_frag.release(pcaplist->ipv4_frag_ctx, packet, payload, length);
+ }
+ return;
+
+ case IPPROTO_UDP:
+ layer_trace("ipproto_udp");
+
+ if (packet->have_udphdr)
+ break;
+
+ packet->state = PCAP_THREAD_PACKET_INVALID_UDP;
+ need16(packet->udphdr.uh_sport, payload, length);
+ need16(packet->udphdr.uh_dport, payload, length);
+ need16(packet->udphdr.uh_ulen, payload, length);
+ need16(packet->udphdr.uh_sum, payload, length);
+ packet->state = PCAP_THREAD_PACKET_OK;
+ packet->have_udphdr = 1;
+
+ if (pcaplist->pcap_thread->callback_udp)
+ pcaplist->pcap_thread->callback_udp(pcaplist->user, packet, payload, length);
+ else
+ pcap_thread_callback_udp((void*)pcaplist, packet, payload, length);
+
+ if (release_frag) {
+ pcaplist->pcap_thread->callback_ipv4_frag.release(pcaplist->ipv4_frag_ctx, packet, payload, length);
+ }
+ return;
+
+ case IPPROTO_TCP:
+ layer_trace("ipproto_tcp");
+
+ if (packet->have_tcphdr)
+ break;
+
+ packet->state = PCAP_THREAD_PACKET_INVALID_TCP;
+ need16(packet->tcphdr.th_sport, payload, length);
+ need16(packet->tcphdr.th_dport, payload, length);
+ need32(packet->tcphdr.th_seq, payload, length);
+ need32(packet->tcphdr.th_ack, payload, length);
+ need4x2(packet->tcphdr.th_off, packet->tcphdr.th_x2, payload, length);
+ need8(packet->tcphdr.th_flags, payload, length);
+ need16(packet->tcphdr.th_win, payload, length);
+ need16(packet->tcphdr.th_sum, payload, length);
+ need16(packet->tcphdr.th_urp, payload, length);
+ if (packet->tcphdr.th_off > 5) {
+ packet->tcpopts_len = (packet->tcphdr.th_off - 5) * 4;
+ needxb(&(packet->tcpopts[0]), packet->tcpopts_len, payload, length);
+ packet->have_tcpopts = 1;
+ }
+ packet->state = PCAP_THREAD_PACKET_OK;
+ packet->have_tcphdr = 1;
+
+ if
(pcaplist->pcap_thread->callback_tcp)
+ pcaplist->pcap_thread->callback_tcp(pcaplist->user, packet, payload, length);
+ else
+ pcap_thread_callback_tcp((void*)pcaplist, packet, payload, length);
+
+ if (release_frag) {
+ pcaplist->pcap_thread->callback_ipv4_frag.release(pcaplist->ipv4_frag_ctx, packet, payload, length);
+ }
+ return;
+
+ default:
+ packet->state = PCAP_THREAD_PACKET_UNSUPPORTED;
+ break;
+ }
+ break;
+ }
+ }
+
+ if (pcaplist->pcap_thread->callback_invalid) {
+ if (packet->state == PCAP_THREAD_PACKET_OK)
+ packet->state = PCAP_THREAD_PACKET_INVALID;
+ if (release_frag)
+ pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, payload, length);
+ else
+ pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+ }
+
+ if (release_frag) {
+ pcaplist->pcap_thread->callback_ipv4_frag.release(pcaplist->ipv4_frag_ctx, packet, payload, length);
+ }
+}
+
+static void pcap_thread_callback_ipv6(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+ pcap_thread_pcaplist_t* pcaplist = (pcap_thread_pcaplist_t*)user;
+ const u_char* orig = payload;
+ size_t origlength = length;
+ int release_frag = 0;
+
+ if (!pcaplist) {
+ return;
+ }
+ if (!pcaplist->pcap_thread) {
+ return;
+ }
+ if (!packet) {
+ return;
+ }
+ if (!payload) {
+ return;
+ }
+ if (!length) {
+ return;
+ }
+
+ if (packet->have_ip6hdr) {
+ struct ip6_ext ext;
+ size_t already_advanced = 0;
+
+ layer_trace("have_ip6hdr");
+
+ /* Check reported length for missing payload or padding */
+ if (length < packet->ip6hdr.ip6_plen) {
+ layer_trace("length < ip6_plen");
+ packet->state = PCAP_THREAD_PACKET_INVALID_IPV6;
+ if (pcaplist->pcap_thread->callback_invalid) {
+ pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+ }
+ return;
+ }
+ if (length > packet->ip6hdr.ip6_plen) {
+ layer_trace("have_ip6padding");
+ packet->ip6padding = length - packet->ip6hdr.ip6_plen;
+ packet->have_ip6padding = 1;
+ length -=
packet->ip6padding;
+ }
+
+ ext.ip6e_nxt = packet->ip6hdr.ip6_nxt;
+ ext.ip6e_len = 0;
+ while (ext.ip6e_nxt != IPPROTO_NONE
+ && ext.ip6e_nxt != IPPROTO_GRE
+ && ext.ip6e_nxt != IPPROTO_ICMPV6
+ && ext.ip6e_nxt != IPPROTO_UDP
+ && ext.ip6e_nxt != IPPROTO_TCP) {
+ packet->state = PCAP_THREAD_PACKET_INVALID_IPV6HDR;
+
+ /*
+ * Advance to the start of next header, this may not be needed
+ * if it's the first header or if the header is supported.
+ */
+ if (ext.ip6e_len) {
+ if (ext.ip6e_len < already_advanced) {
+ /* Header length is invalid */
+ layer_trace("ip6hdr invalid");
+ break;
+ }
+ /* Advance if not already there */
+ else if (ext.ip6e_len > already_advanced) {
+ advancexb((ext.ip6e_len - already_advanced) * 8, payload, length);
+ }
+ already_advanced = 0;
+ } else if (already_advanced) {
+ /* Already advanced but header has no length */
+ layer_trace("ip6hdr already advanced");
+ break;
+ }
+
+ /* TODO: Store IPv6 headers? */
+
+ /* Handle supported headers */
+ if (ext.ip6e_nxt == IPPROTO_FRAGMENT) {
+ if (packet->have_ip6frag) {
+ layer_trace("dup ip6frag");
+ break;
+ }
+ layer_trace("ip6frag");
+ need8(ext.ip6e_nxt, payload, length);
+ need8(packet->ip6frag.ip6f_reserved, payload, length);
+ need16(packet->ip6frag.ip6f_offlg, payload, length);
+ need32(packet->ip6frag.ip6f_ident, payload, length);
+ packet->have_ip6frag = 1;
+ ext.ip6e_len = 1;
+ already_advanced = 1;
+ } else if (ext.ip6e_nxt == IPPROTO_ROUTING) {
+ struct ip6_rthdr rthdr;
+ struct in6_addr rt[255];
+
+ if (packet->have_ip6rtdst) {
+ layer_trace("dup ip6rtdst");
+ break;
+ }
+ need8(ext.ip6e_nxt, payload, length);
+ need8(ext.ip6e_len, payload, length);
+ need8(rthdr.ip6r_type, payload, length);
+ need8(rthdr.ip6r_segleft, payload, length);
+ if (!rthdr.ip6r_type) {
+ if (rthdr.ip6r_segleft > ext.ip6e_len)
+ break;
+ for (rthdr.ip6r_len = 0; rthdr.ip6r_len < ext.ip6e_len; rthdr.ip6r_len++, already_advanced += 2) {
+ needxb(&rt[rthdr.ip6r_len], 16, payload, length);
+ }
+ if
(!rthdr.ip6r_len || rthdr.ip6r_len != ext.ip6e_len) {
+ break;
+ }
+ if (rthdr.ip6r_segleft) {
+ packet->ip6rtdst = rt[rthdr.ip6r_segleft];
+ packet->have_ip6rtdst = 1;
+ }
+ }
+ } else {
+ /* Nonsupported header */
+ layer_trace("ip6hdr?");
+ need8(ext.ip6e_nxt, payload, length);
+ need8(ext.ip6e_len, payload, length);
+ }
+
+ packet->state = PCAP_THREAD_PACKET_OK;
+
+ if (!ext.ip6e_len)
+ break;
+ }
+
+ for (; packet->state == PCAP_THREAD_PACKET_OK;) {
+ if (packet->have_ip6frag) {
+ packet->ip6frag_payload = ext.ip6e_nxt;
+
+ layer_trace("is_v6_frag");
+
+ if (pcaplist->pcap_thread->callback_ipv6_frag.reassemble) {
+ pcap_thread_packet_t* whole_packet = 0;
+ const u_char* whole_payload = 0;
+ size_t whole_length = 0;
+
+ packet->state = pcaplist->pcap_thread->callback_ipv6_frag.reassemble(pcaplist->ipv6_frag_ctx, packet, payload, length, &whole_packet, &whole_payload, &whole_length);
+
+ /* Defragmentation failed some how, we return packet as invalid */
+ if (packet->state != PCAP_THREAD_PACKET_OK) {
+ break;
+ }
+
+ /* No whole/defragmented packet return, need more */
+ if (!whole_packet || !whole_payload || !whole_length) {
+ return;
+ }
+
+ layer_tracef("v6_reasm %p %p %lu", whole_packet, whole_payload, whole_length);
+
+ packet = whole_packet;
+ payload = whole_payload;
+ length = whole_length;
+ release_frag = 1;
+ } else {
+ /*
+ * Mark packet as fragment and send it to the next user
+ * layer (if any) or return it as invalid.
+ */
+ packet->state = PCAP_THREAD_PACKET_IS_FRAGMENT;
+
+ switch (ext.ip6e_nxt) {
+ case IPPROTO_GRE:
+ layer_trace("ipproto_gre frag");
+
+ if (!packet->ip6frag.ip6f_offlg) {
+ for (;;) {
+ packet->state = PCAP_THREAD_PACKET_FRAGMENTED_GREHDR;
+ need16(packet->grehdr.gre_flags, payload, length);
+ need16(packet->grehdr.ether_type, payload, length);
+ packet->state = PCAP_THREAD_PACKET_IS_FRAGMENT;
+ packet->have_grehdr = 1;
+ break;
+ }
+ }
+
+ if (pcaplist->pcap_thread->callback_gre) {
+ pcaplist->pcap_thread->callback_gre(pcaplist->user, packet, payload, length);
+ return;
+ }
+ break;
+
+ case IPPROTO_ICMPV6:
+ layer_trace("ipproto_icmpv6 frag");
+
+ if (!packet->ip6frag.ip6f_offlg) {
+ for (;;) {
+ packet->state = PCAP_THREAD_PACKET_FRAGMENTED_ICMPV6HDR;
+ need8(packet->icmpv6hdr.icmp6_type, payload, length);
+ need8(packet->icmpv6hdr.icmp6_code, payload, length);
+ need16(packet->icmpv6hdr.icmp6_cksum, payload, length);
+ packet->state = PCAP_THREAD_PACKET_IS_FRAGMENT;
+ packet->have_icmpv6hdr = 1;
+ break;
+ }
+ }
+
+ if (pcaplist->pcap_thread->callback_icmpv6) {
+ pcaplist->pcap_thread->callback_icmpv6(pcaplist->user, packet, payload, length);
+ return;
+ }
+ break;
+
+ case IPPROTO_UDP:
+ layer_trace("ipproto_udp frag");
+
+ if (!packet->ip6frag.ip6f_offlg) {
+ for (;;) {
+ packet->state = PCAP_THREAD_PACKET_FRAGMENTED_UDPHDR;
+ need16(packet->udphdr.uh_sport, payload, length);
+ need16(packet->udphdr.uh_dport, payload, length);
+ need16(packet->udphdr.uh_ulen, payload, length);
+ need16(packet->udphdr.uh_sum, payload, length);
+ packet->state = PCAP_THREAD_PACKET_IS_FRAGMENT;
+ packet->have_udphdr = 1;
+ break;
+ }
+ }
+
+ if (pcaplist->pcap_thread->callback_udp) {
+ pcaplist->pcap_thread->callback_udp(pcaplist->user, packet, payload, length);
+ return;
+ }
+ break;
+
+ case IPPROTO_TCP:
+ layer_trace("ipproto_tcp frag");
+
+ if (!packet->ip6frag.ip6f_offlg) {
+ for (;;) {
+ packet->state = PCAP_THREAD_PACKET_FRAGMENTED_TCPHDR;
+
need16(packet->tcphdr.th_sport, payload, length);
+ need16(packet->tcphdr.th_dport, payload, length);
+ need32(packet->tcphdr.th_seq, payload, length);
+ need32(packet->tcphdr.th_ack, payload, length);
+ need4x2(packet->tcphdr.th_off, packet->tcphdr.th_x2, payload, length);
+ need8(packet->tcphdr.th_flags, payload, length);
+ need16(packet->tcphdr.th_win, payload, length);
+ need16(packet->tcphdr.th_sum, payload, length);
+ need16(packet->tcphdr.th_urp, payload, length);
+ if (packet->tcphdr.th_off > 5) {
+ packet->tcpopts_len = (packet->tcphdr.th_off - 5) * 4;
+ needxb(&(packet->tcpopts[0]), packet->tcpopts_len, payload, length);
+ packet->have_tcpopts = 1;
+ }
+ packet->state = PCAP_THREAD_PACKET_IS_FRAGMENT;
+ packet->have_tcphdr = 1;
+ break;
+ }
+ }
+
+ if (pcaplist->pcap_thread->callback_tcp) {
+ pcaplist->pcap_thread->callback_tcp(pcaplist->user, packet, payload, length);
+ return;
+ }
+ break;
+
+ default:
+ break;
+ }
+ break;
+ }
+ }
+
+ switch (ext.ip6e_nxt) {
+ case IPPROTO_GRE:
+ if (packet->have_grehdr)
+ break;
+
+ packet->state = PCAP_THREAD_PACKET_INVALID_GRE;
+ need16(packet->grehdr.gre_flags, payload, length);
+ need16(packet->grehdr.ether_type, payload, length);
+ packet->state = PCAP_THREAD_PACKET_OK;
+ packet->have_grehdr = 1;
+
+ if (pcaplist->pcap_thread->callback_gre)
+ pcaplist->pcap_thread->callback_gre(pcaplist->user, packet, payload, length);
+ else
+ pcap_thread_callback_gre((void*)pcaplist, packet, payload, length);
+
+ if (release_frag) {
+ pcaplist->pcap_thread->callback_ipv6_frag.release(pcaplist->ipv6_frag_ctx, packet, payload, length);
+ }
+ return;
+
+ case IPPROTO_ICMPV6:
+ layer_trace("ipproto_icmpv6");
+
+ if (packet->have_icmpv6hdr)
+ break;
+
+ packet->state = PCAP_THREAD_PACKET_INVALID_ICMPV6;
+ need8(packet->icmpv6hdr.icmp6_type, payload, length);
+ need8(packet->icmpv6hdr.icmp6_code, payload, length);
+ need16(packet->icmpv6hdr.icmp6_cksum, payload, length);
+ packet->state = PCAP_THREAD_PACKET_OK;
+
packet->have_icmpv6hdr = 1;
+
+ if (pcaplist->pcap_thread->callback_icmpv6)
+ pcaplist->pcap_thread->callback_icmpv6(pcaplist->user, packet, payload, length);
+ else
+ pcap_thread_callback_icmpv6((void*)pcaplist, packet, payload, length);
+
+ if (release_frag) {
+ pcaplist->pcap_thread->callback_ipv6_frag.release(pcaplist->ipv6_frag_ctx, packet, payload, length);
+ }
+ return;
+
+ case IPPROTO_UDP:
+ if (packet->have_udphdr)
+ break;
+
+ packet->state = PCAP_THREAD_PACKET_INVALID_UDP;
+ need16(packet->udphdr.uh_sport, payload, length);
+ need16(packet->udphdr.uh_dport, payload, length);
+ need16(packet->udphdr.uh_ulen, payload, length);
+ need16(packet->udphdr.uh_sum, payload, length);
+ packet->state = PCAP_THREAD_PACKET_OK;
+ packet->have_udphdr = 1;
+
+ if (pcaplist->pcap_thread->callback_udp)
+ pcaplist->pcap_thread->callback_udp(pcaplist->user, packet, payload, length);
+ else
+ pcap_thread_callback_udp((void*)pcaplist, packet, payload, length);
+
+ if (release_frag) {
+ pcaplist->pcap_thread->callback_ipv6_frag.release(pcaplist->ipv6_frag_ctx, packet, payload, length);
+ }
+ return;
+
+ case IPPROTO_TCP:
+ if (packet->have_tcphdr)
+ break;
+
+ packet->state = PCAP_THREAD_PACKET_INVALID_TCP;
+ need16(packet->tcphdr.th_sport, payload, length);
+ need16(packet->tcphdr.th_dport, payload, length);
+ need32(packet->tcphdr.th_seq, payload, length);
+ need32(packet->tcphdr.th_ack, payload, length);
+ need4x2(packet->tcphdr.th_off, packet->tcphdr.th_x2, payload, length);
+ need8(packet->tcphdr.th_flags, payload, length);
+ need16(packet->tcphdr.th_win, payload, length);
+ need16(packet->tcphdr.th_sum, payload, length);
+ need16(packet->tcphdr.th_urp, payload, length);
+ if (packet->tcphdr.th_off > 5) {
+ packet->tcpopts_len = (packet->tcphdr.th_off - 5) * 4;
+ needxb(&(packet->tcpopts[0]), packet->tcpopts_len, payload, length);
+ packet->have_tcpopts = 1;
+ }
+ packet->state = PCAP_THREAD_PACKET_OK;
+ packet->have_tcphdr = 1;
+
+ if
(pcaplist->pcap_thread->callback_tcp)
+ pcaplist->pcap_thread->callback_tcp(pcaplist->user, packet, payload, length);
+ else
+ pcap_thread_callback_tcp((void*)pcaplist, packet, payload, length);
+
+ if (release_frag) {
+ pcaplist->pcap_thread->callback_ipv6_frag.release(pcaplist->ipv6_frag_ctx, packet, payload, length);
+ }
+ return;
+
+ default:
+ packet->state = PCAP_THREAD_PACKET_UNSUPPORTED;
+ break;
+ }
+ break;
+ }
+ }
+
+ if (pcaplist->pcap_thread->callback_invalid) {
+ if (packet->state == PCAP_THREAD_PACKET_OK)
+ packet->state = PCAP_THREAD_PACKET_INVALID;
+ if (release_frag)
+ pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, payload, length);
+ else
+ pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+ }
+
+ if (release_frag) {
+ pcaplist->pcap_thread->callback_ipv6_frag.release(pcaplist->ipv6_frag_ctx, packet, payload, length);
+ }
+}
+
+static void pcap_thread_callback_icmp(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+ pcap_thread_pcaplist_t* pcaplist = (pcap_thread_pcaplist_t*)user;
+ const u_char* orig = payload;
+ size_t origlength = length;
+
+ if (!pcaplist) {
+ return;
+ }
+ if (!pcaplist->pcap_thread) {
+ return;
+ }
+ if (!packet) {
+ return;
+ }
+ if (!payload) {
+ return;
+ }
+ if (!length) {
+ return;
+ }
+
+ /* TODO: Higher layer support?
*/
+ packet->state = PCAP_THREAD_PACKET_UNPROCESSED;
+
+ if (pcaplist->pcap_thread->callback_invalid) {
+ if (packet->state == PCAP_THREAD_PACKET_OK)
+ packet->state = PCAP_THREAD_PACKET_INVALID;
+ pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+ }
+}
+
+static void pcap_thread_callback_icmpv6(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+ pcap_thread_pcaplist_t* pcaplist = (pcap_thread_pcaplist_t*)user;
+ const u_char* orig = payload;
+ size_t origlength = length;
+
+ if (!pcaplist) {
+ return;
+ }
+ if (!pcaplist->pcap_thread) {
+ return;
+ }
+ if (!packet) {
+ return;
+ }
+ if (!payload) {
+ return;
+ }
+ if (!length) {
+ return;
+ }
+
+ /* TODO: Higher layer support? */
+ packet->state = PCAP_THREAD_PACKET_UNPROCESSED;
+
+ if (pcaplist->pcap_thread->callback_invalid) {
+ if (packet->state == PCAP_THREAD_PACKET_OK)
+ packet->state = PCAP_THREAD_PACKET_INVALID;
+ pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+ }
+}
+
+static void pcap_thread_callback_udp(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+ pcap_thread_pcaplist_t* pcaplist = (pcap_thread_pcaplist_t*)user;
+ const u_char* orig = payload;
+ size_t origlength = length;
+
+ if (!pcaplist) {
+ return;
+ }
+ if (!pcaplist->pcap_thread) {
+ return;
+ }
+ if (!packet) {
+ return;
+ }
+ if (!payload) {
+ return;
+ }
+ if (!length) {
+ return;
+ }
+
+ /* TODO: Higher layer support?
*/
+ packet->state = PCAP_THREAD_PACKET_UNPROCESSED;
+
+ if (pcaplist->pcap_thread->callback_invalid) {
+ if (packet->state == PCAP_THREAD_PACKET_OK)
+ packet->state = PCAP_THREAD_PACKET_INVALID;
+ pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+ }
+}
+
+static void pcap_thread_callback_tcp(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+ pcap_thread_pcaplist_t* pcaplist = (pcap_thread_pcaplist_t*)user;
+ const u_char* orig = payload;
+ size_t origlength = length;
+
+ if (!pcaplist) {
+ return;
+ }
+ if (!pcaplist->pcap_thread) {
+ return;
+ }
+ if (!packet) {
+ return;
+ }
+ if (!payload) {
+ return;
+ }
+ if (!length) {
+ return;
+ }
+
+ /* TODO: Higher layer support? */
+ packet->state = PCAP_THREAD_PACKET_UNPROCESSED;
+
+ if (pcaplist->pcap_thread->callback_invalid) {
+ if (packet->state == PCAP_THREAD_PACKET_OK)
+ packet->state = PCAP_THREAD_PACKET_INVALID;
+ pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+ }
+}
+
+/*
+ * Open/Close
+ */
+
+static pcap_thread_pcaplist_t _pcaplist_defaults = PCAP_THREAD_PCAPLIST_T_INIT;
+
+int pcap_thread_open(pcap_thread_t* pcap_thread, const char* device, void* user)
+{
+ pcap_t* pcap;
+ pcap_thread_pcaplist_t* pcaplist;
+ int snapshot;
+
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (!device) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ if (pcap_thread->errbuf[0]) {
+ memset(pcap_thread->errbuf, 0, sizeof(pcap_thread->errbuf));
+ }
+ pcap_thread->status = 0;
+
+ if (!(pcaplist = malloc(sizeof(pcap_thread_pcaplist_t)))) {
+ return PCAP_THREAD_ENOMEM;
+ }
+ memcpy(pcaplist, &_pcaplist_defaults, sizeof(pcap_thread_pcaplist_t));
+ if (!(pcaplist->name = strdup(device))) {
+ free(pcaplist);
+ return PCAP_THREAD_ENOMEM;
+ }
+
+#ifdef HAVE_PCAP_CREATE
+ if (!(pcap = pcap_create(pcaplist->name, pcap_thread->errbuf))) {
+ free(pcaplist->name);
+
free(pcaplist);
+ return PCAP_THREAD_EPCAP;
+ }
+
+ if (pcap_thread->monitor) {
+ pcap_thread->status = pcap_can_set_rfmon(pcap);
+ if (pcap_thread->status == 0) {
+ pcap_close(pcap);
+ free(pcaplist->name);
+ free(pcaplist);
+ return PCAP_THREAD_ENOMON;
+ }
+ if (pcap_thread->status != 1) {
+ pcap_close(pcap);
+ free(pcaplist->name);
+ free(pcaplist);
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_can_set_rfmon()");
+ return PCAP_THREAD_EPCAP;
+ }
+ }
+
+#ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
+ if (pcap_thread->have_timestamp_precision && (pcap_thread->status = pcap_set_tstamp_precision(pcap, pcap_thread->timestamp_precision))) {
+ pcap_close(pcap);
+ free(pcaplist->name);
+ free(pcaplist);
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_set_tstamp_precision()");
+ return PCAP_THREAD_EPCAP;
+ }
+#endif
+#ifdef HAVE_PCAP_SET_IMMEDIATE_MODE
+ if (pcap_thread->immediate_mode && (pcap_thread->status = pcap_set_immediate_mode(pcap, 1))) {
+ pcap_close(pcap);
+ free(pcaplist->name);
+ free(pcaplist);
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_set_immediate_mode()");
+ return PCAP_THREAD_EPCAP;
+ }
+#endif
+
+ if (pcap_thread->monitor && (pcap_thread->status = pcap_set_rfmon(pcap, 1))) {
+ pcap_close(pcap);
+ free(pcaplist->name);
+ free(pcaplist);
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_set_rfmon()");
+ return PCAP_THREAD_EPCAP;
+ }
+ if (pcap_thread->snaplen && (pcap_thread->status = pcap_set_snaplen(pcap, pcap_thread->snaplen))) {
+ pcap_close(pcap);
+ free(pcaplist->name);
+ free(pcaplist);
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_set_snaplen()");
+ return PCAP_THREAD_EPCAP;
+ }
+ if (pcap_thread->promiscuous && (pcap_thread->status = pcap_set_promisc(pcap, pcap_thread->promiscuous))) {
+ pcap_close(pcap);
+ free(pcaplist->name);
+ free(pcaplist);
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_set_promisc()");
+ return PCAP_THREAD_EPCAP;
+ }
+ if (pcap_thread->timeout && (pcap_thread->status = pcap_set_timeout(pcap, pcap_thread->timeout))) {
+ pcap_close(pcap);
+
free(pcaplist->name);
+ free(pcaplist);
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_set_timeout()");
+ return PCAP_THREAD_EPCAP;
+ }
+ if (pcap_thread->buffer_size && (pcap_thread->status = pcap_set_buffer_size(pcap, pcap_thread->buffer_size))) {
+ pcap_close(pcap);
+ free(pcaplist->name);
+ free(pcaplist);
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_set_buffer_size()");
+ return PCAP_THREAD_EPCAP;
+ }
+
+#ifdef HAVE_PCAP_SET_TSTAMP_TYPE
+ if (pcap_thread->have_timestamp_type && (pcap_thread->status = pcap_set_tstamp_type(pcap, pcap_thread->timestamp_type))) {
+ pcap_close(pcap);
+ free(pcaplist->name);
+ free(pcaplist);
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_set_tstamp_type()");
+ return PCAP_THREAD_EPCAP;
+ }
+#endif
+
+ if (pcap_thread->activate_mode == PCAP_THREAD_ACTIVATE_MODE_IMMEDIATE) {
+ if ((pcap_thread->status = pcap_activate(pcap))) {
+ pcap_close(pcap);
+ free(pcaplist->name);
+ free(pcaplist);
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_activate()");
+ return PCAP_THREAD_EPCAP;
+ }
+
+#ifdef HAVE_PCAP_SETDIRECTION
+#ifdef HAVE_PCAP_DIRECTION_T
+ if (pcap_thread->have_direction && (pcap_thread->status = pcap_setdirection(pcap, pcap_thread->direction))) {
+ pcap_close(pcap);
+ free(pcaplist->name);
+ free(pcaplist);
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_setdirection()");
+ return PCAP_THREAD_EPCAP;
+ }
+#endif
+#endif
+ }
+#else /* HAVE_PCAP_CREATE */
+ if (!(pcap = pcap_open_live(pcaplist->name, pcap_thread->snaplen, pcap_thread->promiscuous, pcap_thread->timeout, pcap_thread->errbuf))) {
+ free(pcaplist->name);
+ free(pcaplist);
+ return PCAP_THREAD_EPCAP;
+ }
+#endif
+
+ if (pcap_thread->activate_mode == PCAP_THREAD_ACTIVATE_MODE_IMMEDIATE) {
+ if (pcap_thread->filter) {
+ if ((pcap_thread->status = pcap_compile(pcap, &(pcaplist->bpf), pcap_thread->filter, pcap_thread->filter_optimize, pcap_thread->filter_netmask))) {
+ pcap_close(pcap);
+ free(pcaplist->name);
+ free(pcaplist);
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_compile()");
+
return PCAP_THREAD_EPCAP;
+ }
+ pcaplist->have_bpf = 1;
+ pcap_thread->filter_errno = 0;
+ errno = 0;
+ if ((pcap_thread->status = pcap_setfilter(pcap, &(pcaplist->bpf)))) {
+ pcap_freecode(&(pcaplist->bpf));
+ pcap_close(pcap);
+ free(pcaplist->name);
+ free(pcaplist);
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_setfilter()");
+ return PCAP_THREAD_EPCAP;
+ }
+ pcap_thread->filter_errno = errno;
+ }
+
+ if ((snapshot = pcap_snapshot(pcap)) < 0) {
+ pcap_thread->status = snapshot;
+ if (pcaplist->have_bpf)
+ pcap_freecode(&(pcaplist->bpf));
+ pcap_close(pcap);
+ free(pcaplist->name);
+ free(pcaplist);
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_snapshot()");
+ return PCAP_THREAD_EPCAP;
+ }
+ if (snapshot > pcap_thread->snapshot) {
+ pcap_thread->snapshot = snapshot;
+ }
+ }
+
+ pcaplist->pcap = pcap;
+ pcaplist->user = user;
+ if (pcap_thread->callback_ipv4_frag.new) {
+ pcaplist->ipv4_frag_ctx = pcap_thread->callback_ipv4_frag.new(pcap_thread->callback_ipv4_frag.conf, user);
+ pcaplist->have_ipv4_frag_ctx = 1;
+ }
+ if (pcap_thread->callback_ipv6_frag.new) {
+ pcaplist->ipv6_frag_ctx = pcap_thread->callback_ipv6_frag.new(pcap_thread->callback_ipv6_frag.conf, user);
+ pcaplist->have_ipv6_frag_ctx = 1;
+ }
+ if (pcap_thread->pcaplist) {
+ pcaplist->next = pcap_thread->pcaplist;
+ }
+ pcap_thread->pcaplist = pcaplist;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_open_offline(pcap_thread_t* pcap_thread, const char* file, void* user)
+{
+ pcap_t* pcap;
+ pcap_thread_pcaplist_t* pcaplist;
+ int snapshot;
+
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (!file) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ if (pcap_thread->errbuf[0]) {
+ memset(pcap_thread->errbuf, 0, sizeof(pcap_thread->errbuf));
+ }
+ pcap_thread->status = 0;
+
+ if (!(pcaplist = malloc(sizeof(pcap_thread_pcaplist_t)))) {
+ return PCAP_THREAD_ENOMEM;
+ }
+ memcpy(pcaplist, &_pcaplist_defaults, sizeof(pcap_thread_pcaplist_t));
+
pcaplist->is_offline = 1;
+ if (!(pcaplist->name = strdup(file))) {
+ free(pcaplist);
+ return PCAP_THREAD_ENOMEM;
+ }
+
+#ifdef HAVE_PCAP_OPEN_OFFLINE_WITH_TSTAMP_PRECISION
+ if (pcap_thread->have_timestamp_precision) {
+ if (!(pcap = pcap_open_offline_with_tstamp_precision(pcaplist->name, pcap_thread->timestamp_precision, pcap_thread->errbuf))) {
+ free(pcaplist->name);
+ free(pcaplist);
+ return PCAP_THREAD_EPCAP;
+ }
+ } else
+#endif
+ {
+ if (!(pcap = pcap_open_offline(pcaplist->name, pcap_thread->errbuf))) {
+ free(pcaplist->name);
+ free(pcaplist);
+ return PCAP_THREAD_EPCAP;
+ }
+ }
+
+ if (pcap_thread->filter) {
+ if ((pcap_thread->status = pcap_compile(pcap, &(pcaplist->bpf), pcap_thread->filter, pcap_thread->filter_optimize, pcap_thread->filter_netmask))) {
+ pcap_close(pcap);
+ free(pcaplist->name);
+ free(pcaplist);
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_compile()");
+ return PCAP_THREAD_EPCAP;
+ }
+ pcaplist->have_bpf = 1;
+ pcap_thread->filter_errno = 0;
+ errno = 0;
+ if ((pcap_thread->status = pcap_setfilter(pcap, &(pcaplist->bpf)))) {
+ pcap_freecode(&(pcaplist->bpf));
+ pcap_close(pcap);
+ free(pcaplist->name);
+ free(pcaplist);
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_setfilter()");
+ return PCAP_THREAD_EPCAP;
+ }
+ pcap_thread->filter_errno = errno;
+ }
+
+ if ((snapshot = pcap_snapshot(pcap)) < 0) {
+ pcap_thread->status = snapshot;
+ if (pcaplist->have_bpf)
+ pcap_freecode(&(pcaplist->bpf));
+ pcap_close(pcap);
+ free(pcaplist->name);
+ free(pcaplist);
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_snapshot()");
+ return PCAP_THREAD_EPCAP;
+ }
+ if (snapshot > pcap_thread->snapshot) {
+ pcap_thread->snapshot = snapshot;
+ }
+
+ pcaplist->pcap = pcap;
+ pcaplist->user = user;
+ if (pcap_thread->callback_ipv4_frag.new) {
+ pcaplist->ipv4_frag_ctx = pcap_thread->callback_ipv4_frag.new(pcap_thread->callback_ipv4_frag.conf, user);
+ pcaplist->have_ipv4_frag_ctx = 1;
+ }
+ if (pcap_thread->callback_ipv6_frag.new) {
+ pcaplist->ipv6_frag_ctx =
pcap_thread->callback_ipv6_frag.new(pcap_thread->callback_ipv6_frag.conf, user);
+ pcaplist->have_ipv6_frag_ctx = 1;
+ }
+ if (pcap_thread->pcaplist) {
+ pcaplist->next = pcap_thread->pcaplist;
+ }
+ pcap_thread->pcaplist = pcaplist;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_add(pcap_thread_t* pcap_thread, const char* name, pcap_t* pcap, void* user)
+{
+ (void)pcap_thread;
+ (void)name;
+ (void)pcap;
+ (void)user;
+
+ if (pcap_thread->errbuf[0]) {
+ memset(pcap_thread->errbuf, 0, sizeof(pcap_thread->errbuf));
+ }
+ pcap_thread->status = 0;
+
+ return PCAP_THREAD_EOBSOLETE;
+}
+
+int pcap_thread_activate(pcap_thread_t* pcap_thread)
+{
+ pcap_thread_pcaplist_t* pcaplist;
+ int snapshot;
+
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ if (pcap_thread->errbuf[0]) {
+ memset(pcap_thread->errbuf, 0, sizeof(pcap_thread->errbuf));
+ }
+ pcap_thread->status = 0;
+
+ pcap_thread->filter_errno = 0;
+ for (pcaplist = pcap_thread->pcaplist; pcaplist; pcaplist = pcaplist->next) {
+ if (pcaplist->is_offline) {
+ continue;
+ }
+
+#ifdef HAVE_PCAP_ACTIVATE
+ if ((pcap_thread->status = pcap_activate(pcaplist->pcap))) {
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_activate()");
+ return PCAP_THREAD_EPCAP;
+ }
+#endif
+
+#ifdef HAVE_PCAP_SETDIRECTION
+#ifdef HAVE_PCAP_DIRECTION_T
+ if (pcap_thread->have_direction && (pcap_thread->status = pcap_setdirection(pcaplist->pcap, pcap_thread->direction))) {
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_setdirection()");
+ return PCAP_THREAD_EPCAP;
+ }
+#endif
+#endif
+
+ if (pcap_thread->filter) {
+ if (pcaplist->have_bpf)
+ pcap_freecode(&(pcaplist->bpf));
+ if ((pcap_thread->status = pcap_compile(pcaplist->pcap, &(pcaplist->bpf), pcap_thread->filter, pcap_thread->filter_optimize, pcap_thread->filter_netmask))) {
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_compile()");
+ return PCAP_THREAD_EPCAP;
+ }
+ pcaplist->have_bpf = 1;
+ errno = 0;
+ if
((pcap_thread->status = pcap_setfilter(pcaplist->pcap, &(pcaplist->bpf)))) {
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_setfilter()");
+ return PCAP_THREAD_EPCAP;
+ }
+ if (errno && !pcap_thread->filter_errno)
+ pcap_thread->filter_errno = errno;
+ }
+
+ if ((snapshot = pcap_snapshot(pcaplist->pcap)) < 0) {
+ pcap_thread->status = snapshot;
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_snapshot()");
+ return PCAP_THREAD_EPCAP;
+ }
+ if (snapshot > pcap_thread->snapshot) {
+ pcap_thread->snapshot = snapshot;
+ }
+ }
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_close(pcap_thread_t* pcap_thread)
+{
+ pcap_thread_pcaplist_t* pcaplist;
+
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+
+ while (pcap_thread->pcaplist) {
+ pcaplist = pcap_thread->pcaplist;
+ pcap_thread->pcaplist = pcaplist->next;
+
+ if (pcap_thread->callback_ipv4_frag.free && pcaplist->have_ipv4_frag_ctx) {
+ pcap_thread->callback_ipv4_frag.free(pcaplist->ipv4_frag_ctx);
+ }
+ if (pcap_thread->callback_ipv6_frag.free && pcaplist->have_ipv6_frag_ctx) {
+ pcap_thread->callback_ipv6_frag.free(pcaplist->ipv6_frag_ctx);
+ }
+
+ if (pcaplist->pcap) {
+ pcap_close(pcaplist->pcap);
+ }
+ if (pcaplist->have_bpf) {
+ pcap_freecode(&(pcaplist->bpf));
+ }
+ if (pcaplist->name) {
+ free(pcaplist->name);
+ }
+ free(pcaplist);
+ }
+ pcap_thread->step = 0;
+
+#ifdef HAVE_PTHREAD
+ if (pcap_thread->pkthdr) {
+ free(pcap_thread->pkthdr);
+ pcap_thread->pkthdr = 0;
+ }
+ if (pcap_thread->pkt) {
+ free(pcap_thread->pkt);
+ pcap_thread->pkt = 0;
+ }
+ if (pcap_thread->pcaplist_pkt) {
+ free(pcap_thread->pcaplist_pkt);
+ pcap_thread->pcaplist_pkt = 0;
+ }
+#endif
+
+ return PCAP_THREAD_OK;
+}
+
+/*
+ * Engine
+ */
+
+#ifdef HAVE_PTHREAD
+static void _callback(u_char* user, const struct pcap_pkthdr* pkthdr, const u_char* pkt)
+{
+ pcap_thread_pcaplist_t* pcaplist;
+ pcap_thread_t* pcap_thread;
+
+ pthread_testcancel();
+
+ if (!user) {
+ return;
+ }
+
pcaplist = (pcap_thread_pcaplist_t*)user;
+
+ if (!pcaplist->pcap_thread) {
+ pcaplist->running = 0;
+ return;
+ }
+ pcap_thread = pcaplist->pcap_thread;
+
+ if (pkthdr->caplen > pcap_thread->snapshot) {
+ if (pcap_thread->dropback) {
+ pcap_thread->dropback(pcaplist->user, pkthdr, pkt, pcaplist->name, pcap_datalink(pcaplist->pcap));
+ }
+ return;
+ }
+
+ if (pcap_thread->queue_mode == PCAP_THREAD_QUEUE_MODE_DIRECT) {
+ if (pcap_thread->callback) {
+ pcap_thread->callback(pcaplist->user, pkthdr, pkt, pcaplist->name, pcap_datalink(pcaplist->pcap));
+ } else if (pcaplist->layer_callback) {
+ pcaplist->layer_callback((void*)pcaplist, pkthdr, pkt, pcaplist->name, pcap_datalink(pcaplist->pcap));
+ } else if (pcap_thread->dropback) {
+ pcap_thread->dropback(pcaplist->user, pkthdr, pkt, pcaplist->name, pcap_datalink(pcaplist->pcap));
+ }
+ return;
+ }
+
+ if (pthread_mutex_lock(&(pcap_thread->mutex))) {
+ if (pcap_thread->dropback) {
+ pcap_thread->dropback(pcaplist->user, pkthdr, pkt, pcaplist->name, pcap_datalink(pcaplist->pcap));
+ }
+ return;
+ }
+
+ while (pcaplist->running && pcap_thread->running) {
+ if (pcap_thread->pkts < pcap_thread->queue_size) {
+ pcap_thread->pcaplist_pkt[pcap_thread->write_pos] = pcaplist;
+ memcpy(&(pcap_thread->pkthdr[pcap_thread->write_pos]), pkthdr, sizeof(struct pcap_pkthdr));
+ memcpy(&(pcap_thread->pkt[pcap_thread->write_pos * pcap_thread->snapshot]), pkt, pkthdr->caplen);
+ pcap_thread->write_pos++;
+ if (pcap_thread->write_pos == pcap_thread->queue_size) {
+ pcap_thread->write_pos = 0;
+ }
+ pcap_thread->pkts++;
+
+ pthread_cond_signal(&(pcap_thread->have_packets));
+ break;
+ }
+
+ if (pthread_cond_wait(&(pcap_thread->can_write), &(pcap_thread->mutex))) {
+ pcaplist->running = 0;
+ pcap_breakloop(pcaplist->pcap);
+ return;
+ }
+ continue;
+ }
+
+ if (pthread_mutex_unlock(&(pcap_thread->mutex))) {
+ pcaplist->running = 0;
+ pcap_breakloop(pcaplist->pcap);
+ return;
+ }
+}
+
+static void* _thread(void* vp)
+{
+
pcap_thread_pcaplist_t* pcaplist;
+ int ret = 0;
+
+ /*pthread_detach(pthread_self());*/
+
+ if (!vp) {
+ return 0;
+ }
+ pcaplist = (pcap_thread_pcaplist_t*)vp;
+
+ if (!pcaplist->pcap_thread) {
+ pcaplist->running = 0;
+ return 0;
+ }
+
+ /*
+ * pcap_loop() might return -2 to indicate pcap_breakloop() was called
+ * but we do not need to act on that because either this thread has
+ * been cancelled or running has been cleared
+ */
+ while (pcaplist->running) {
+ pthread_testcancel();
+ ret = pcap_loop(pcaplist->pcap, -1, _callback, (u_char*)pcaplist);
+ if (ret == -1) {
+ /* TODO: Store pcap_loop() error */
+ break;
+ }
+ if (!ret)
+ break;
+ }
+
+ pcaplist->running = 0;
+
+ pthread_mutex_lock(&(pcaplist->pcap_thread->mutex));
+ pthread_cond_signal(&(pcaplist->pcap_thread->have_packets));
+ pthread_mutex_unlock(&(pcaplist->pcap_thread->mutex));
+
+ return 0;
+}
+#endif
+
+static void _callback2(u_char* user, const struct pcap_pkthdr* pkthdr, const u_char* pkt)
+{
+ pcap_thread_pcaplist_t* pcaplist;
+
+ if (!user) {
+ return;
+ }
+ pcaplist = (pcap_thread_pcaplist_t*)user;
+
+ if (!pcaplist->pcap_thread) {
+ pcaplist->running = 0;
+ return;
+ }
+ if (pcaplist->pcap_thread->callback) {
+ pcaplist->pcap_thread->callback(pcaplist->user, pkthdr, pkt, pcaplist->name, pcap_datalink(pcaplist->pcap));
+ } else if (pcaplist->layer_callback) {
+ pcaplist->layer_callback((void*)pcaplist, pkthdr, pkt, pcaplist->name, pcap_datalink(pcaplist->pcap));
+ } else {
+ pcaplist->running = 0;
+ }
+}
+
+int pcap_thread_run(pcap_thread_t* pcap_thread)
+{
+ pcap_thread_pcaplist_t* pcaplist;
+ int run = 1, timedrun = 0;
+ struct timeval start = { 0, 0 };
+ struct timespec end = { 0, 0 };
+
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (!pcap_thread->pcaplist) {
+ return PCAP_THREAD_NOPCAPS;
+ }
+ if (!pcap_thread->callback && !pcap_thread->use_layers) {
+ return PCAP_THREAD_NOCALLBACK;
+ }
+ if (pcap_thread->use_layers
+ && !(pcap_thread->callback_linux_sll
+ ||
pcap_thread->callback_ether + || pcap_thread->callback_null + || pcap_thread->callback_loop + || pcap_thread->callback_ieee802 + || pcap_thread->callback_gre + || pcap_thread->callback_ip + || pcap_thread->callback_ipv4 + || pcap_thread->callback_ipv6 + || pcap_thread->callback_icmp + || pcap_thread->callback_icmpv6 + || pcap_thread->callback_udp + || pcap_thread->callback_tcp)) { + return PCAP_THREAD_NOCALLBACK; + } + if (pcap_thread->running) { + return PCAP_THREAD_ERUNNING; + } + + if (pcap_thread->errbuf[0]) { + memset(pcap_thread->errbuf, 0, sizeof(pcap_thread->errbuf)); + } + pcap_thread->status = 0; + + if (pcap_thread->timedrun.tv_sec || pcap_thread->timedrun.tv_usec) { + timedrun = 1; + if (gettimeofday(&start, 0)) { + PCAP_THREAD_SET_ERRBUF(pcap_thread, "gettimeofday()"); + return PCAP_THREAD_ERRNO; + } + + end.tv_sec = start.tv_sec + pcap_thread->timedrun.tv_sec + + ((start.tv_usec + pcap_thread->timedrun.tv_usec) / 1000000); + end.tv_nsec = ((start.tv_usec + pcap_thread->timedrun.tv_usec) % 1000000) * 1000; + } else if (pcap_thread->timedrun_to.tv_sec) { + timedrun = 1; + + end.tv_sec = pcap_thread->timedrun_to.tv_sec; + end.tv_nsec = pcap_thread->timedrun_to.tv_usec * 1000; + } + +#ifdef HAVE_PTHREAD + if (pcap_thread->use_threads) { + int err, all_offline; + + switch (pcap_thread->queue_mode) { + case PCAP_THREAD_QUEUE_MODE_COND: + case PCAP_THREAD_QUEUE_MODE_DIRECT: + if ((err = pthread_mutex_lock(&(pcap_thread->mutex)))) { + errno = err; + PCAP_THREAD_SET_ERRBUF(pcap_thread, "pthread_mutex_lock()"); + return PCAP_THREAD_ERRNO; + } + break; + case PCAP_THREAD_QUEUE_MODE_WAIT: + case PCAP_THREAD_QUEUE_MODE_YIELD: + case PCAP_THREAD_QUEUE_MODE_DROP: + return PCAP_THREAD_EOBSOLETE; + default: + return PCAP_THREAD_EINVAL; + } + + if (pcap_thread->running) { + pthread_mutex_unlock(&(pcap_thread->mutex)); + return PCAP_THREAD_ERUNNING; + } + + if (pcap_thread->pkthdr) { + free(pcap_thread->pkthdr); + } + if (!(pcap_thread->pkthdr = 
calloc(pcap_thread->queue_size, sizeof(struct pcap_pkthdr)))) {
+ pthread_mutex_unlock(&(pcap_thread->mutex));
+ return PCAP_THREAD_ENOMEM;
+ }
+
+ if (pcap_thread->pkt) {
+ free(pcap_thread->pkt);
+ }
+ if (!(pcap_thread->pkt = calloc(pcap_thread->queue_size, pcap_thread->snapshot))) {
+ pthread_mutex_unlock(&(pcap_thread->mutex));
+ return PCAP_THREAD_ENOMEM;
+ }
+
+ if (pcap_thread->pcaplist_pkt) {
+ free(pcap_thread->pcaplist_pkt);
+ }
+ if (!(pcap_thread->pcaplist_pkt = calloc(pcap_thread->queue_size, sizeof(pcap_thread_pcaplist_t*)))) {
+ pthread_mutex_unlock(&(pcap_thread->mutex));
+ return PCAP_THREAD_ENOMEM;
+ }
+
+ pcap_thread->read_pos = 0;
+ pcap_thread->write_pos = 0;
+ pcap_thread->pkts = 0;
+
+ all_offline = 1;
+ for (pcaplist = pcap_thread->pcaplist; all_offline && pcaplist; pcaplist = pcaplist->next) {
+ if (!pcaplist->is_offline) {
+ all_offline = 0;
+ break;
+ }
+ }
+
+ pcap_thread->running = 1;
+ pcap_thread->was_stopped = 0;
+ err = PCAP_THREAD_OK;
+
+ for (pcaplist = pcap_thread->pcaplist; pcaplist; pcaplist = pcaplist->next) {
+ pcaplist->pcap_thread = pcap_thread;
+ if (pcap_thread->use_layers) {
+ pcaplist->layer_callback = &pcap_thread_callback;
+ }
+ if (pcap_thread->callback_ipv4_frag.new && !pcaplist->have_ipv4_frag_ctx) {
+ pcaplist->ipv4_frag_ctx = pcap_thread->callback_ipv4_frag.new(pcap_thread->callback_ipv4_frag.conf, pcaplist->user);
+ pcaplist->have_ipv4_frag_ctx = 1;
+ }
+ if (pcap_thread->callback_ipv6_frag.new && !pcaplist->have_ipv6_frag_ctx) {
+ pcaplist->ipv6_frag_ctx = pcap_thread->callback_ipv6_frag.new(pcap_thread->callback_ipv6_frag.conf, pcaplist->user);
+ pcaplist->have_ipv6_frag_ctx = 1;
+ }
+ pcaplist->running = 1;
+
+ if ((err = pthread_create(&(pcaplist->thread), 0, _thread, (void*)pcaplist))) {
+ errno = err;
+ err = PCAP_THREAD_ERRNO;
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pthread_create()");
+ break;
+ }
+ }
+
+ while (err == PCAP_THREAD_OK && run && pcap_thread->running) {
+ while (pcap_thread->pkts) {
+ if
(!pcap_thread->pcaplist_pkt[pcap_thread->read_pos]) {
+ err = PCAP_THREAD_ENOPCAPLIST;
+ break;
+ }
+
+ if (pcap_thread->callback) {
+ pcap_thread->callback(
+ pcap_thread->pcaplist_pkt[pcap_thread->read_pos]->user,
+ &(pcap_thread->pkthdr[pcap_thread->read_pos]),
+ &(pcap_thread->pkt[pcap_thread->read_pos * pcap_thread->snapshot]),
+ pcap_thread->pcaplist_pkt[pcap_thread->read_pos]->name,
+ pcap_datalink(pcap_thread->pcaplist_pkt[pcap_thread->read_pos]->pcap));
+ } else {
+ pcap_thread_callback(
+ (void*)pcap_thread->pcaplist_pkt[pcap_thread->read_pos],
+ &(pcap_thread->pkthdr[pcap_thread->read_pos]),
+ &(pcap_thread->pkt[pcap_thread->read_pos * pcap_thread->snapshot]),
+ pcap_thread->pcaplist_pkt[pcap_thread->read_pos]->name,
+ pcap_datalink(pcap_thread->pcaplist_pkt[pcap_thread->read_pos]->pcap));
+ }
+
+ pcap_thread->pcaplist_pkt[pcap_thread->read_pos] = 0;
+ pcap_thread->read_pos++;
+ if (pcap_thread->read_pos == pcap_thread->queue_size) {
+ pcap_thread->read_pos = 0;
+ }
+ pcap_thread->pkts--;
+ }
+
+ if (err != PCAP_THREAD_OK)
+ break;
+
+ if ((err = pthread_cond_broadcast(&(pcap_thread->can_write)))) {
+ errno = err;
+ err = PCAP_THREAD_ERRNO;
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pthread_cond_broadcast()");
+ break;
+ }
+
+ run = 0;
+ for (pcaplist = pcap_thread->pcaplist; pcaplist; pcaplist = pcaplist->next) {
+ if (pcaplist->running) {
+ run = 1;
+ }
+ }
+ if (!run)
+ break;
+
+ if (timedrun) {
+ struct timeval now;
+
+ if (gettimeofday(&now, 0)) {
+ err = PCAP_THREAD_ERRNO;
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "gettimeofday()");
+ break;
+ }
+
+ if (now.tv_sec > end.tv_sec
+ || (now.tv_sec == end.tv_sec && (now.tv_usec * 1000) >= end.tv_nsec)) {
+ break;
+ }
+
+ err = pthread_cond_timedwait(&(pcap_thread->have_packets), &(pcap_thread->mutex), &end);
+ if (err == ETIMEDOUT) {
+ err = PCAP_THREAD_OK;
+ } else if (err) {
+ errno = err;
+ err = PCAP_THREAD_ERRNO;
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pthread_cond_timedwait()");
+ break;
+ }
+ } else {
+
if ((err = pthread_cond_wait(&(pcap_thread->have_packets), &(pcap_thread->mutex)))) {
+ errno = err;
+ err = PCAP_THREAD_ERRNO;
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pthread_cond_wait()");
+ break;
+ }
+ }
+ }
+
+ for (pcaplist = pcap_thread->pcaplist; pcaplist; pcaplist = pcaplist->next) {
+ pcaplist->running = 0;
+ pcap_breakloop(pcaplist->pcap);
+ if (pcaplist->thread) {
+ pthread_cancel(pcaplist->thread);
+ }
+ }
+
+ pthread_mutex_unlock(&(pcap_thread->mutex));
+
+ for (pcaplist = pcap_thread->pcaplist; pcaplist; pcaplist = pcaplist->next) {
+ if (pcaplist->thread) {
+ pthread_join(pcaplist->thread, 0);
+ pcaplist->thread = 0;
+ }
+ }
+
+ pcap_thread->running = 0;
+ return err;
+ } else
+#endif
+ {
+ fd_set fds, rfds;
+ int max_fd = 0;
+ struct timeval t1, t2;
+
+ pcap_thread->running = 1;
+ pcap_thread->was_stopped = 0;
+
+ FD_ZERO(&fds);
+ for (pcaplist = pcap_thread->pcaplist; pcaplist; pcaplist = pcaplist->next) {
+ int fd = pcap_get_selectable_fd(pcaplist->pcap);
+
+ FD_SET(fd, &fds);
+ if (fd > max_fd)
+ max_fd = fd;
+
+ if (!pcaplist->is_offline && (pcap_thread->status = pcap_setnonblock(pcaplist->pcap, 1, pcap_thread->errbuf))) {
+ pcap_thread->running = 0;
+ return PCAP_THREAD_EPCAP;
+ }
+ pcaplist->pcap_thread = pcap_thread;
+ if (pcap_thread->use_layers) {
+ pcaplist->layer_callback = &pcap_thread_callback;
+ }
+ if (pcap_thread->callback_ipv4_frag.new && !pcaplist->have_ipv4_frag_ctx) {
+ pcaplist->ipv4_frag_ctx = pcap_thread->callback_ipv4_frag.new(pcap_thread->callback_ipv4_frag.conf, pcaplist->user);
+ pcaplist->have_ipv4_frag_ctx = 1;
+ }
+ if (pcap_thread->callback_ipv6_frag.new && !pcaplist->have_ipv6_frag_ctx) {
+ pcaplist->ipv6_frag_ctx = pcap_thread->callback_ipv6_frag.new(pcap_thread->callback_ipv6_frag.conf, pcaplist->user);
+ pcaplist->have_ipv6_frag_ctx = 1;
+ }
+ pcaplist->running = 1;
+ }
+
+ t1.tv_sec = pcap_thread->timeout / 1000;
+ t1.tv_usec = (pcap_thread->timeout % 1000) * 1000;
+ max_fd++;
+ while (run) {
+ rfds = fds;
+ t2 =
t1;
+ if (timedrun) {
+ struct timeval now;
+ struct timeval diff;
+
+ if (gettimeofday(&now, 0)) {
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "gettimeofday()");
+ pcap_thread->running = 0;
+ return PCAP_THREAD_ERRNO;
+ }
+ if (now.tv_sec > end.tv_sec
+ || (now.tv_sec == end.tv_sec && (now.tv_usec * 1000) >= end.tv_nsec)) {
+ break;
+ }
+
+ if (end.tv_sec > now.tv_sec) {
+ diff.tv_sec = end.tv_sec - now.tv_sec - 1;
+ diff.tv_usec = 1000000 - now.tv_usec;
+ diff.tv_usec += end.tv_nsec / 1000;
+ if (diff.tv_usec > 1000000) {
+ diff.tv_sec += diff.tv_usec / 1000000;
+ diff.tv_usec %= 1000000;
+ }
+ } else {
+ diff.tv_sec = 0;
+ if (end.tv_sec == now.tv_sec && (end.tv_nsec / 1000) > now.tv_usec) {
+ diff.tv_usec = (end.tv_nsec / 1000) - now.tv_usec;
+ } else {
+ diff.tv_usec = 0;
+ }
+ }
+
+ if (diff.tv_sec < t1.tv_sec || (diff.tv_sec == t1.tv_sec && diff.tv_usec < t1.tv_usec)) {
+ t2 = diff;
+ }
+ }
+ if (select(max_fd, &rfds, 0, 0, &t2) == -1) {
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "select()");
+ pcap_thread->running = 0;
+ return PCAP_THREAD_ERRNO;
+ }
+
+ run = 0;
+ for (pcaplist = pcap_thread->pcaplist; pcaplist; pcaplist = pcaplist->next) {
+ int packets;
+
+ if (!pcaplist->running) {
+ continue;
+ } else {
+ run = 1;
+ }
+
+ packets = pcap_dispatch(pcaplist->pcap, -1, _callback2, (u_char*)pcaplist);
+ if (packets == -1) {
+ pcap_thread->status = -1;
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_dispatch()");
+ pcap_thread->running = 0;
+ return PCAP_THREAD_EPCAP;
+ } else if (packets == -2 || (pcaplist->is_offline && !packets)) {
+ pcaplist->running = 0;
+ }
+ }
+ }
+
+ pcap_thread->running = 0;
+ }
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_next(pcap_thread_t* pcap_thread)
+{
+ const u_char* pkt;
+ struct pcap_pkthdr pkthdr;
+
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (!pcap_thread->callback && !pcap_thread->use_layers) {
+ return PCAP_THREAD_NOCALLBACK;
+ }
+ if (pcap_thread->use_layers
+ && !(pcap_thread->callback_linux_sll
+ ||
pcap_thread->callback_ether
+ || pcap_thread->callback_null
+ || pcap_thread->callback_loop
+ || pcap_thread->callback_ieee802
+ || pcap_thread->callback_gre
+ || pcap_thread->callback_ip
+ || pcap_thread->callback_ipv4
+ || pcap_thread->callback_ipv6
+ || pcap_thread->callback_icmp
+ || pcap_thread->callback_icmpv6
+ || pcap_thread->callback_udp
+ || pcap_thread->callback_tcp)) {
+ return PCAP_THREAD_NOCALLBACK;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+ if (!pcap_thread->pcaplist) {
+ return PCAP_THREAD_NOPCAPS;
+ }
+
+ if (pcap_thread->errbuf[0]) {
+ memset(pcap_thread->errbuf, 0, sizeof(pcap_thread->errbuf));
+ }
+ pcap_thread->status = 0;
+
+ if (!pcap_thread->step) {
+ pcap_thread->step = pcap_thread->pcaplist;
+ }
+ if (!pcap_thread->step) {
+ return PCAP_THREAD_OK;
+ }
+
+ pcap_thread->step->pcap_thread = pcap_thread;
+ if (pcap_thread->callback_ipv4_frag.new && !pcap_thread->step->have_ipv4_frag_ctx) {
+ pcap_thread->step->ipv4_frag_ctx = pcap_thread->callback_ipv4_frag.new(pcap_thread->callback_ipv4_frag.conf, pcap_thread->step->user);
+ pcap_thread->step->have_ipv4_frag_ctx = 1;
+ }
+ if (pcap_thread->callback_ipv6_frag.new && !pcap_thread->step->have_ipv6_frag_ctx) {
+ pcap_thread->step->ipv6_frag_ctx = pcap_thread->callback_ipv6_frag.new(pcap_thread->callback_ipv6_frag.conf, pcap_thread->step->user);
+ pcap_thread->step->have_ipv6_frag_ctx = 1;
+ }
+
+ if (!(pkt = pcap_next(pcap_thread->step->pcap, &pkthdr))) {
+ pcap_thread->status = -1;
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_next()");
+ return PCAP_THREAD_EPCAP;
+ }
+ if (pcap_thread->callback) {
+ pcap_thread->callback(pcap_thread->step->user, &pkthdr, pkt, pcap_thread->step->name, pcap_datalink(pcap_thread->step->pcap));
+ } else {
+ pcap_thread_callback((void*)pcap_thread->step, &pkthdr, pkt, pcap_thread->step->name, pcap_datalink(pcap_thread->step->pcap));
+ }
+ pcap_thread->step = pcap_thread->step->next;
+
+ return PCAP_THREAD_OK;
+}
+
+int
pcap_thread_next_reset(pcap_thread_t* pcap_thread)
+{
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (pcap_thread->running) {
+ return PCAP_THREAD_ERUNNING;
+ }
+ if (!pcap_thread->pcaplist) {
+ return PCAP_THREAD_NOPCAPS;
+ }
+
+ pcap_thread->step = 0;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_stop(pcap_thread_t* pcap_thread)
+{
+ pcap_thread_pcaplist_t* pcaplist;
+
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (!pcap_thread->pcaplist) {
+ return PCAP_THREAD_NOPCAPS;
+ }
+
+ for (pcaplist = pcap_thread->pcaplist; pcaplist; pcaplist = pcaplist->next) {
+ pcaplist->running = 0;
+ pcap_breakloop(pcaplist->pcap);
+ }
+ pcap_thread->running = 0;
+ pcap_thread->was_stopped = 1;
+
+#ifdef HAVE_PTHREAD
+ pthread_cond_broadcast(&(pcap_thread->have_packets));
+ pthread_cond_broadcast(&(pcap_thread->can_write));
+#endif
+
+ return PCAP_THREAD_OK;
+}
+
+/*
+ * Stats
+ */
+
+int pcap_thread_stats(pcap_thread_t* pcap_thread, pcap_thread_stats_callback_t callback, u_char* user)
+{
+ pcap_thread_pcaplist_t* pcaplist;
+ struct pcap_stat stats;
+
+ if (!pcap_thread) {
+ return PCAP_THREAD_EINVAL;
+ }
+ if (!callback) {
+ return PCAP_THREAD_NOCALLBACK;
+ }
+ if (!pcap_thread->pcaplist) {
+ return PCAP_THREAD_NOPCAPS;
+ }
+
+ if (pcap_thread->errbuf[0]) {
+ memset(pcap_thread->errbuf, 0, sizeof(pcap_thread->errbuf));
+ }
+ pcap_thread->status = 0;
+
+ for (pcaplist = pcap_thread->pcaplist; pcaplist; pcaplist = pcaplist->next) {
+ if (pcaplist->is_offline)
+ continue;
+ if ((pcap_thread->status = pcap_stats(pcaplist->pcap, &stats))) {
+ PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_stats()");
+ return PCAP_THREAD_EPCAP;
+ }
+ callback(user, &stats, pcaplist->name, pcap_datalink(pcaplist->pcap));
+ }
+
+ return PCAP_THREAD_OK;
+}
+
+/*
+ * Error handling
+ */
+
+int pcap_thread_status(const pcap_thread_t* pcap_thread)
+{
+ if (!pcap_thread) {
+ return 0;
+ }
+
+ return pcap_thread->status;
+}
+
+const char* pcap_thread_errbuf(const pcap_thread_t*
pcap_thread)
+{
+ if (!pcap_thread) {
+ return 0;
+ }
+
+ return pcap_thread->errbuf;
+}
+
+const char* pcap_thread_strerr(int error)
+{
+ switch (error) {
+ case PCAP_THREAD_OK:
+ return 0;
+ case PCAP_THREAD_EPCAP:
+ return PCAP_THREAD_EPCAP_STR;
+ case PCAP_THREAD_ENOMEM:
+ return PCAP_THREAD_ENOMEM_STR;
+ case PCAP_THREAD_ENOMON:
+ return PCAP_THREAD_ENOMON_STR;
+ case PCAP_THREAD_ENODIR:
+ return PCAP_THREAD_ENODIR_STR;
+ case PCAP_THREAD_EINVAL:
+ return PCAP_THREAD_EINVAL_STR;
+ case PCAP_THREAD_EWOULDBLOCK:
+ return PCAP_THREAD_EWOULDBLOCK_STR;
+ case PCAP_THREAD_NOPCAPS:
+ return PCAP_THREAD_NOPCAPS_STR;
+ case PCAP_THREAD_NOCALLBACK:
+ return PCAP_THREAD_NOCALLBACK_STR;
+ case PCAP_THREAD_ERRNO:
+ return PCAP_THREAD_ERRNO_STR;
+ case PCAP_THREAD_NOYIELD:
+ return PCAP_THREAD_NOYIELD_STR;
+ case PCAP_THREAD_EOBSOLETE:
+ return PCAP_THREAD_EOBSOLETE_STR;
+ case PCAP_THREAD_ERUNNING:
+ return PCAP_THREAD_ERUNNING_STR;
+ case PCAP_THREAD_ENOPCAPLIST:
+ return PCAP_THREAD_ENOPCAPLIST_STR;
+ case PCAP_THREAD_ELAYERCB:
+ return PCAP_THREAD_ELAYERCB_STR;
+ }
+ return "UNKNOWN";
+}
diff --git a/src/pcap-thread/pcap_thread.h b/src/pcap-thread/pcap_thread.h
new file mode 100644
index 0000000..ce43b5a
--- /dev/null
+++ b/src/pcap-thread/pcap_thread.h
@@ -0,0 +1,640 @@
+/*
+ * Author Jerry Lundström <jerry@dns-oarc.net>
+ * Copyright (c) 2016-2017, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __pcap_thread_h
+#define __pcap_thread_h
+
+#ifdef HAVE_PTHREAD
+#include <pthread.h>
+#endif
+#include <pcap/pcap.h>
+#include <sys/socket.h>
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#else
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#endif
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <net/if_arp.h>
+#include <netinet/if_ether.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+#ifdef HAVE_ENDIAN_H
+#include <endian.h>
+#endif
+#ifdef HAVE_SYS_ENDIAN_H
+#include <sys/endian.h>
+#endif
+#ifdef HAVE_MACHINE_ENDIAN_H
+#include <machine/endian.h>
+#endif
+
+#ifndef __BYTE_ORDER
+#if defined(BYTE_ORDER)
+#define __BYTE_ORDER BYTE_ORDER
+#elif defined(_BYTE_ORDER)
+#define __BYTE_ORDER _BYTE_ORDER
+#else
+#error "No endian byte order define, please fix"
+#endif
+#endif
+#ifndef __LITTLE_ENDIAN
+#if defined(LITTLE_ENDIAN)
+#define __LITTLE_ENDIAN LITTLE_ENDIAN
+#elif defined(_LITTLE_ENDIAN)
+#define __LITTLE_ENDIAN _LITTLE_ENDIAN
+#else
+#error "No little endian define, please fix"
+#endif
+#endif
+#ifndef __BIG_ENDIAN
+#if defined(BIG_ENDIAN)
+#define __BIG_ENDIAN BIG_ENDIAN
+#elif defined(_BIG_ENDIAN)
+#define __BIG_ENDIAN _BIG_ENDIAN
+#else
+#error "No big endian define, please fix"
+#endif
+#endif
+
+#ifndef PCAP_NETMASK_UNKNOWN
+#define PCAP_NETMASK_UNKNOWN 0xffffffff
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* clang-format off */
+
+#define PCAP_THREAD_VERSION_STR "4.0.0"
+#define PCAP_THREAD_VERSION_MAJOR 4
+#define PCAP_THREAD_VERSION_MINOR 0
+#define PCAP_THREAD_VERSION_PATCH 0
+
+#define PCAP_THREAD_DEFAULT_TIMEOUT 1000
+#define PCAP_THREAD_DEFAULT_QUEUE_SIZE 64
+#define PCAP_THREAD_DEFAULT_QUEUE_MODE PCAP_THREAD_QUEUE_MODE_COND
+#define PCAP_THREAD_DEFAULT_ACTIVATE_MODE PCAP_THREAD_ACTIVATE_MODE_IMMEDIATE
+
+#define PCAP_THREAD_OK 0
+#define PCAP_THREAD_EPCAP 1
+#define PCAP_THREAD_ENOMEM 2
+#define PCAP_THREAD_ENOMON 3
+#define PCAP_THREAD_ENODIR 4
+#define PCAP_THREAD_EINVAL 5
+#define PCAP_THREAD_EWOULDBLOCK 6
+#define PCAP_THREAD_NOPCAPS 7
+#define PCAP_THREAD_NOCALLBACK 8
+#define PCAP_THREAD_ERRNO 9
+#define PCAP_THREAD_NOYIELD 10
+#define PCAP_THREAD_EOBSOLETE 11
+#define PCAP_THREAD_ERUNNING 12
+#define PCAP_THREAD_ENOPCAPLIST 13
+#define PCAP_THREAD_ELAYERCB 14
+
+#define PCAP_THREAD_EPCAP_STR "libpcap error"
+#define PCAP_THREAD_ENOMEM_STR "out of memory"
+#define PCAP_THREAD_ENOMON_STR "monitor mode requested but not supported"
+#define PCAP_THREAD_ENODIR_STR "direction specified but not supported"
+#define PCAP_THREAD_EINVAL_STR "invalid argument"
+#define PCAP_THREAD_EWOULDBLOCK_STR "nonblocking pcap can not be added"
+#define PCAP_THREAD_NOPCAPS_STR "nothing to capture on"
+#define PCAP_THREAD_NOCALLBACK_STR "no callback set"
+#define PCAP_THREAD_ERRNO_STR "system error, check errno"
+#define PCAP_THREAD_NOYIELD_STR "queue more yield requested but not supported"
+#define PCAP_THREAD_EOBSOLETE_STR "obsolete function or feature"
+#define PCAP_THREAD_ERUNNING_STR "pcap thread are running, can not complete task"
+#define PCAP_THREAD_ENOPCAPLIST_STR "no internal reference to the pcap that captured the packet"
+#define PCAP_THREAD_ELAYERCB_STR "layer callback already set in lower or higher segment"
+
+/* clang-format on */
+
+struct pcap_thread_linux_sll {
+ uint16_t packet_type;
+ uint16_t arp_hardware;
+ uint16_t link_layer_address_length;
+ uint8_t link_layer_address[8];
+ uint16_t ether_type;
+};
+struct pcap_thread_null_hdr {
+ uint32_t family;
+};
+struct pcap_thread_loop_hdr {
+ uint32_t family;
+};
+struct pcap_thread_ieee802_hdr {
+ uint16_t tpid;
+ unsigned short pcp : 3;
+ unsigned short dei : 1;
+ unsigned short vid : 12;
+ uint16_t ether_type;
+};
+struct pcap_thread_gre_hdr {
+ uint16_t gre_flags;
+ uint16_t ether_type;
+};
+struct pcap_thread_gre {
+ uint16_t checksum;
+ uint16_t key;
+ uint16_t sequence;
+};
+typedef enum pcap_thread_packet_state pcap_thread_packet_state_t;
+enum
pcap_thread_packet_state {
+ PCAP_THREAD_PACKET_OK = 0,
+ PCAP_THREAD_PACKET_INVALID,
+ PCAP_THREAD_PACKET_UNSUPPORTED,
+ PCAP_THREAD_PACKET_UNPROCESSED,
+ PCAP_THREAD_PACKET_INVALID_ETHER,
+ PCAP_THREAD_PACKET_INVALID_LINUX_SLL,
+ PCAP_THREAD_PACKET_INVALID_NULL,
+ PCAP_THREAD_PACKET_INVALID_LOOP,
+ PCAP_THREAD_PACKET_INVALID_IEEE802,
+ PCAP_THREAD_PACKET_INVALID_GRE,
+ PCAP_THREAD_PACKET_INVALID_IP,
+ PCAP_THREAD_PACKET_INVALID_IPV4,
+ PCAP_THREAD_PACKET_INVALID_IPV6,
+ PCAP_THREAD_PACKET_INVALID_IPV6HDR,
+ PCAP_THREAD_PACKET_INVALID_ICMP,
+ PCAP_THREAD_PACKET_INVALID_ICMPV6,
+ PCAP_THREAD_PACKET_INVALID_UDP,
+ PCAP_THREAD_PACKET_INVALID_TCP,
+ PCAP_THREAD_PACKET_IS_FRAGMENT,
+ PCAP_THREAD_PACKET_INVALID_FRAGMENT,
+ PCAP_THREAD_PACKET_ENOMEM,
+ PCAP_THREAD_PACKET_EMUTEX,
+ PCAP_THREAD_PACKET_FRAGMENTED_GREHDR,
+ PCAP_THREAD_PACKET_FRAGMENTED_ICMPHDR,
+ PCAP_THREAD_PACKET_FRAGMENTED_ICMPV6HDR,
+ PCAP_THREAD_PACKET_FRAGMENTED_UDPHDR,
+ PCAP_THREAD_PACKET_FRAGMENTED_TCPHDR
+};
+
+typedef struct pcap_thread_packet pcap_thread_packet_t;
+struct pcap_thread_packet {
+ unsigned short have_prevpkt : 1;
+ unsigned short have_pkthdr : 1;
+ unsigned short have_linux_sll : 1;
+ unsigned short have_ethhdr : 1;
+ unsigned short have_nullhdr : 1;
+ unsigned short have_loophdr : 1;
+ unsigned short have_ieee802hdr : 1;
+ unsigned short have_grehdr : 1;
+ unsigned short have_gre : 1;
+ unsigned short have_iphdr : 1;
+ unsigned short have_ip6hdr : 1;
+ unsigned short have_ip6frag : 1;
+ unsigned short have_ip6rtdst : 1;
+ unsigned short have_icmphdr : 1;
+ unsigned short have_icmpv6hdr : 1;
+ unsigned short have_udphdr : 1;
+ unsigned short have_tcphdr : 1;
+ unsigned short have_tcpopts : 1;
+ unsigned short have_ippadding : 1;
+ unsigned short have_ip6padding : 1;
+
+ const char* name;
+ int dlt;
+ pcap_thread_packet_t* prevpkt;
+ struct pcap_pkthdr pkthdr;
+ struct pcap_thread_linux_sll linux_sll;
+ struct ether_header ethhdr;
+ struct pcap_thread_null_hdr nullhdr;
+ struct
pcap_thread_loop_hdr loophdr;
+ struct pcap_thread_ieee802_hdr ieee802hdr;
+ struct pcap_thread_gre_hdr grehdr;
+ struct pcap_thread_gre gre;
+ struct ip iphdr;
+ struct ip6_hdr ip6hdr;
+ struct ip6_frag ip6frag;
+ uint8_t ip6frag_payload;
+ struct in6_addr ip6rtdst;
+ struct {
+ u_int8_t type;
+ u_int8_t code;
+ u_int16_t checksum;
+ } icmphdr;
+ struct {
+ u_int8_t icmp6_type;
+ u_int8_t icmp6_code;
+ u_int16_t icmp6_cksum;
+ } icmpv6hdr;
+ struct {
+ union {
+ struct {
+ u_int16_t uh_sport;
+ u_int16_t uh_dport;
+ u_int16_t uh_ulen;
+ u_int16_t uh_sum;
+ };
+ struct {
+ u_int16_t source;
+ u_int16_t dest;
+ u_int16_t len;
+ u_int16_t check;
+ };
+ };
+ } udphdr;
+ struct {
+ union {
+ struct {
+ u_int16_t th_sport;
+ u_int16_t th_dport;
+ u_int32_t th_seq;
+ u_int32_t th_ack;
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ u_int8_t th_x2 : 4;
+ u_int8_t th_off : 4;
+#endif
+#if __BYTE_ORDER == __BIG_ENDIAN
+ u_int8_t th_off : 4;
+ u_int8_t th_x2 : 4;
+#endif
+ u_int8_t th_flags;
+ u_int16_t th_win;
+ u_int16_t th_sum;
+ u_int16_t th_urp;
+ };
+ struct {
+ u_int16_t source;
+ u_int16_t dest;
+ u_int32_t seq;
+ u_int32_t ack_seq;
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+ u_int16_t res1 : 4;
+ u_int16_t doff : 4;
+ u_int16_t fin : 1;
+ u_int16_t syn : 1;
+ u_int16_t rst : 1;
+ u_int16_t psh : 1;
+ u_int16_t ack : 1;
+ u_int16_t urg : 1;
+ u_int16_t res2 : 2;
+#elif __BYTE_ORDER == __BIG_ENDIAN
+ u_int16_t doff : 4;
+ u_int16_t res1 : 4;
+ u_int16_t res2 : 2;
+ u_int16_t urg : 1;
+ u_int16_t ack : 1;
+ u_int16_t psh : 1;
+ u_int16_t rst : 1;
+ u_int16_t syn : 1;
+ u_int16_t fin : 1;
+#endif
+ u_int16_t window;
+ u_int16_t check;
+ u_int16_t urg_ptr;
+ };
+ };
+ } tcphdr;
+ u_int8_t tcpopts[64];
+ size_t tcpopts_len;
+
+ size_t ippadding;
+ size_t ip6padding;
+
+ pcap_thread_packet_state_t state;
+};
+
+typedef enum pcap_thread_queue_mode pcap_thread_queue_mode_t;
+typedef struct pcap_thread pcap_thread_t;
+typedef void (*pcap_thread_callback_t)(u_char* user, const struct
pcap_pkthdr* pkthdr, const u_char* pkt, const char* name, int dlt);
+typedef void (*pcap_thread_layer_callback_t)(u_char* user, const pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+typedef void (*pcap_thread_stats_callback_t)(u_char* user, const struct pcap_stat* stats, const char* name, int dlt);
+#ifndef HAVE_PCAP_DIRECTION_T
+typedef int pcap_direction_t;
+#endif
+typedef struct pcap_thread_pcaplist pcap_thread_pcaplist_t;
+typedef enum pcap_thread_activate_mode pcap_thread_activate_mode_t;
+
+enum pcap_thread_queue_mode {
+ PCAP_THREAD_QUEUE_MODE_COND,
+ PCAP_THREAD_QUEUE_MODE_WAIT,
+ PCAP_THREAD_QUEUE_MODE_YIELD,
+ PCAP_THREAD_QUEUE_MODE_DROP,
+ PCAP_THREAD_QUEUE_MODE_DIRECT
+};
+
+enum pcap_thread_activate_mode {
+ PCAP_THREAD_ACTIVATE_MODE_IMMEDIATE,
+ PCAP_THREAD_ACTIVATE_MODE_DELAYED
+};
+
+#ifdef HAVE_PCAP_DIRECTION_T
+#define PCAP_THREAD_T_INIT_DIRECTION_T 0,
+#else
+#define PCAP_THREAD_T_INIT_DIRECTION_T
+#endif
+
+#ifdef HAVE_PTHREAD
+#define PCAP_THREAD_T_INIT_QUEUE PTHREAD_COND_INITIALIZER, PTHREAD_COND_INITIALIZER, PTHREAD_MUTEX_INITIALIZER, \
+ 0, 0, 0, 0, 0, 0,
+#else
+#define PCAP_THREAD_T_INIT_QUEUE
+#endif
+
+#ifdef PCAP_TSTAMP_PRECISION_MICRO
+#define PCAP_THREAD_T_INIT_PRECISION PCAP_TSTAMP_PRECISION_MICRO
+#else
+#define PCAP_THREAD_T_INIT_PRECISION 0
+#endif
+
+typedef void* (*pcap_thread_layer_callback_frag_new_t)(void* conf, u_char* user);
+typedef void (*pcap_thread_layer_callback_frag_free_t)(void* ctx);
+typedef pcap_thread_packet_state_t (*pcap_thread_layer_callback_frag_reassemble_t)(void* ctx, const pcap_thread_packet_t* packet, const u_char* payload, size_t length, pcap_thread_packet_t** whole_packet, const u_char** whole_payload, size_t* whole_length);
+typedef void (*pcap_thread_layer_callback_frag_release_t)(void* ctx, const pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+
+/* clang-format off */
+#define PCAP_THREAD_LAYER_CALLBACK_FRAG_T_INIT { \
+ 0, 0, 0, 0, 0, \
+}
+/*
clang-format on */ + +typedef struct pcap_thread_layer_callback_frag pcap_thread_layer_callback_frag_t; +struct pcap_thread_layer_callback_frag { + void* conf; + pcap_thread_layer_callback_frag_new_t new; + pcap_thread_layer_callback_frag_free_t free; + pcap_thread_layer_callback_frag_reassemble_t reassemble; + pcap_thread_layer_callback_frag_release_t release; +}; + +/* clang-format off */ +#define PCAP_THREAD_T_INIT { \ + 0, 0, 0, 0, \ + 0, 1, 0, PCAP_THREAD_DEFAULT_QUEUE_MODE, PCAP_THREAD_DEFAULT_QUEUE_SIZE, \ + PCAP_THREAD_T_INIT_QUEUE \ + 0, 0, 0, 0, PCAP_THREAD_DEFAULT_TIMEOUT, \ + 0, 0, PCAP_THREAD_T_INIT_PRECISION, 0, \ + PCAP_THREAD_T_INIT_DIRECTION_T \ + 0, 0, 0, 1, PCAP_NETMASK_UNKNOWN, \ + 0, 0, \ + 0, "", 0, 0, \ + { 0, 0 }, { 0, 0 }, \ + PCAP_THREAD_DEFAULT_ACTIVATE_MODE, \ + 0, 0, 0, 0, 0, 0, 0, 0, PCAP_THREAD_LAYER_CALLBACK_FRAG_T_INIT, 0, PCAP_THREAD_LAYER_CALLBACK_FRAG_T_INIT, 0, 0, 0, 0, \ + 0 \ +} +/* clang-format on */ + +struct pcap_thread { + unsigned short have_timestamp_precision : 1; + unsigned short have_timestamp_type : 1; + unsigned short have_direction : 1; + unsigned short was_stopped : 1; + + int running; + int use_threads; + int use_layers; + pcap_thread_queue_mode_t queue_mode; + size_t queue_size; + +#ifdef HAVE_PTHREAD + pthread_cond_t have_packets; + pthread_cond_t can_write; + pthread_mutex_t mutex; + + struct pcap_pkthdr* pkthdr; + u_char* pkt; + pcap_thread_pcaplist_t** pcaplist_pkt; + size_t read_pos; + size_t write_pos; + size_t pkts; +#endif + + int snapshot; + int snaplen; + int promiscuous; + int monitor; + int timeout; + + int buffer_size; + int timestamp_type; + int timestamp_precision; + int immediate_mode; + +#ifdef HAVE_PCAP_DIRECTION_T + pcap_direction_t direction; +#endif + + char* filter; + size_t filter_len; + int filter_errno; + int filter_optimize; + bpf_u_int32 filter_netmask; + + pcap_thread_callback_t callback; + pcap_thread_callback_t dropback; + + int status; + char errbuf[PCAP_ERRBUF_SIZE]; + 
pcap_thread_pcaplist_t* pcaplist; + pcap_thread_pcaplist_t* step; + + struct timeval timedrun; + struct timeval timedrun_to; + + pcap_thread_activate_mode_t activate_mode; + + pcap_thread_layer_callback_t callback_linux_sll; + pcap_thread_layer_callback_t callback_ether; + pcap_thread_layer_callback_t callback_null; + pcap_thread_layer_callback_t callback_loop; + pcap_thread_layer_callback_t callback_ieee802; + pcap_thread_layer_callback_t callback_gre; + pcap_thread_layer_callback_t callback_ip; + pcap_thread_layer_callback_t callback_ipv4; + pcap_thread_layer_callback_frag_t callback_ipv4_frag; + pcap_thread_layer_callback_t callback_ipv6; + pcap_thread_layer_callback_frag_t callback_ipv6_frag; + pcap_thread_layer_callback_t callback_icmp; + pcap_thread_layer_callback_t callback_icmpv6; + pcap_thread_layer_callback_t callback_udp; + pcap_thread_layer_callback_t callback_tcp; + + pcap_thread_layer_callback_t callback_invalid; +}; + +#define PCAP_THREAD_SET_ERRBUF(x, y) strncpy(x->errbuf, y, sizeof(x->errbuf) - 1) + +#ifdef HAVE_PTHREAD +#define PCAP_THREAD_PCAPLIST_T_INIT_THREAD 0, +#else +#define PCAP_THREAD_PCAPLIST_T_INIT_THREAD +#endif + +/* clang-format off */ +#define PCAP_THREAD_PCAPLIST_T_INIT { \ + 0, 0, 0, \ + 0, 0, 0, 0, 0, 0, 0, 0, \ + 0, \ + PCAP_THREAD_PCAPLIST_T_INIT_THREAD \ + { 0, 0 }, \ + 0, \ +} +/* clang-format on */ + +struct pcap_thread_pcaplist { + unsigned short have_bpf : 1; + unsigned short have_ipv4_frag_ctx : 1; + unsigned short have_ipv6_frag_ctx : 1; + + pcap_thread_pcaplist_t* next; + char* name; + pcap_t* pcap; + void* user; + int running; + int is_offline; + void* ipv4_frag_ctx; + void* ipv6_frag_ctx; + + pcap_thread_t* pcap_thread; + +#ifdef HAVE_PTHREAD + pthread_t thread; +#endif + + struct bpf_program bpf; + + pcap_thread_callback_t layer_callback; +}; + +const char* pcap_thread_version_str(void); + +int pcap_thread_version_major(void); +int pcap_thread_version_minor(void); +int pcap_thread_version_patch(void); + 
+pcap_thread_t* pcap_thread_create(void);
+void pcap_thread_free(pcap_thread_t* pcap_thread);
+
+int pcap_thread_use_threads(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_use_threads(pcap_thread_t* pcap_thread, const int use_threads);
+int pcap_thread_use_layers(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_use_layers(pcap_thread_t* pcap_thread, const int use_layers);
+pcap_thread_queue_mode_t pcap_thread_queue_mode(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_queue_mode(pcap_thread_t* pcap_thread, const pcap_thread_queue_mode_t queue_mode);
+struct timeval pcap_thread_queue_wait(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_queue_wait(pcap_thread_t* pcap_thread, const struct timeval queue_wait);
+pcap_thread_queue_mode_t pcap_thread_callback_queue_mode(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_callback_queue_mode(pcap_thread_t* pcap_thread, const pcap_thread_queue_mode_t callback_queue_mode);
+struct timeval pcap_thread_callback_queue_wait(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_callback_queue_wait(pcap_thread_t* pcap_thread, const struct timeval callback_queue_wait);
+int pcap_thread_snapshot(const pcap_thread_t* pcap_thread);
+int pcap_thread_snaplen(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_snaplen(pcap_thread_t* pcap_thread, const int snaplen);
+int pcap_thread_promiscuous(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_promiscuous(pcap_thread_t* pcap_thread, const int promiscuous);
+int pcap_thread_monitor(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_monitor(pcap_thread_t* pcap_thread, const int monitor);
+int pcap_thread_timeout(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_timeout(pcap_thread_t* pcap_thread, const int timeout);
+int pcap_thread_buffer_size(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_buffer_size(pcap_thread_t* pcap_thread, const int buffer_size);
+int pcap_thread_timestamp_type(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_timestamp_type(pcap_thread_t* pcap_thread, const int timestamp_type);
+int pcap_thread_timestamp_precision(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_timestamp_precision(pcap_thread_t* pcap_thread, const int timestamp_precision);
+int pcap_thread_immediate_mode(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_immediate_mode(pcap_thread_t* pcap_thread, const int immediate_mode);
+pcap_direction_t pcap_thread_direction(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_direction(pcap_thread_t* pcap_thread, const pcap_direction_t direction);
+const char* pcap_thread_filter(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_filter(pcap_thread_t* pcap_thread, const char* filter, const size_t filter_len);
+int pcap_thread_clear_filter(pcap_thread_t* pcap_thread);
+int pcap_thread_filter_errno(const pcap_thread_t* pcap_thread);
+int pcap_thread_filter_optimize(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_filter_optimize(pcap_thread_t* pcap_thread, const int filter_optimize);
+bpf_u_int32 pcap_thread_filter_netmask(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_filter_netmask(pcap_thread_t* pcap_thread, const bpf_u_int32 filter_netmask);
+struct timeval pcap_thread_timedrun(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_timedrun(pcap_thread_t* pcap_thread, const struct timeval timedrun);
+struct timeval pcap_thread_timedrun_to(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_timedrun_to(pcap_thread_t* pcap_thread, const struct timeval timedrun_to);
+pcap_thread_activate_mode_t pcap_thread_activate_mode(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_activate_mode(pcap_thread_t* pcap_thread, const pcap_thread_activate_mode_t activate_mode);
+int pcap_thread_was_stopped(const pcap_thread_t* pcap_thread);
+
+size_t pcap_thread_queue_size(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_queue_size(pcap_thread_t* pcap_thread, const size_t queue_size);
+
+int pcap_thread_set_callback(pcap_thread_t* pcap_thread, pcap_thread_callback_t callback);
+int pcap_thread_set_dropback(pcap_thread_t* pcap_thread, pcap_thread_callback_t dropback);
+
+int pcap_thread_set_callback_linux_sll(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_linux_sll);
+int pcap_thread_set_callback_ether(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ether);
+int pcap_thread_set_callback_null(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_null);
+int pcap_thread_set_callback_loop(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_loop);
+int pcap_thread_set_callback_ieee802(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ieee802);
+int pcap_thread_set_callback_gre(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_gre);
+int pcap_thread_set_callback_ip(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ip);
+int pcap_thread_set_callback_ipv4(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ipv4);
+int pcap_thread_set_callback_ipv4_frag(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_frag_t callback_ipv4_frag);
+int pcap_thread_set_callback_ipv6(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ipv6);
+int pcap_thread_set_callback_ipv6_frag(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_frag_t callback_ipv6_frag);
+int pcap_thread_set_callback_icmp(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_icmp);
+int pcap_thread_set_callback_icmpv6(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_icmpv6);
+int pcap_thread_set_callback_udp(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_udp);
+int pcap_thread_set_callback_tcp(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_tcp);
+int pcap_thread_set_callback_invalid(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_tcp);
+
+int pcap_thread_open(pcap_thread_t* pcap_thread, const char* device, void* user);
+int pcap_thread_open_offline(pcap_thread_t* pcap_thread, const char* file, void* user);
+int pcap_thread_add(pcap_thread_t* pcap_thread, const char* name, pcap_t* pcap, void* user);
+int pcap_thread_activate(pcap_thread_t* pcap_thread);
+int pcap_thread_close(pcap_thread_t* pcap_thread);
+
+int pcap_thread_run(pcap_thread_t* pcap_thread);
+int pcap_thread_next(pcap_thread_t* pcap_thread);
+int pcap_thread_next_reset(pcap_thread_t* pcap_thread);
+int pcap_thread_stop(pcap_thread_t* pcap_thread);
+
+int pcap_thread_stats(pcap_thread_t* pcap_thread, pcap_thread_stats_callback_t callback, u_char* user);
+
+int pcap_thread_status(const pcap_thread_t* pcap_thread);
+const char* pcap_thread_errbuf(const pcap_thread_t* pcap_thread);
+const char* pcap_thread_strerr(int error);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __pcap_thread_h */
diff --git a/src/pcap-thread/pcap_thread_ext_frag.c b/src/pcap-thread/pcap_thread_ext_frag.c
new file mode 100644
index 0000000..6593e92
--- /dev/null
+++ b/src/pcap-thread/pcap_thread_ext_frag.c
@@ -0,0 +1,1013 @@
+/*
+ * Author Jerry Lundström <jerry@dns-oarc.net>
+ * Copyright (c) 2016-2017, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "pcap_thread_ext_frag.h"
+
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_PTHREAD
+#include <pthread.h>
+#endif
+
+#ifndef PCAP_THREAD_EXT_FRAG_TRACE
+#define PCAP_THREAD_EXT_FRAG_TRACE 0
+#endif
+
+/*
+ * Forward declares for callbacks
+ */
+
+static void* pcap_thread_layer_callback_frag_new(void* conf, u_char* user);
+static void pcap_thread_layer_callback_frag_free(void* _ctx);
+static pcap_thread_packet_state_t pcap_thread_layer_callback_frag_reassemble(void* _ctx, const pcap_thread_packet_t* packet, const u_char* payload, size_t length, pcap_thread_packet_t** whole_packet, const u_char** whole_payload, size_t* whole_length);
+static void pcap_thread_layer_callback_frag_release(void* _ctx, const pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+
+/*
+ * Create/Free
+ */
+
+static pcap_thread_ext_frag_conf_t _conf_defaults = PCAP_THREAD_EXT_FRAG_CONF_T_INIT;
+
+pcap_thread_ext_frag_conf_t* pcap_thread_ext_frag_conf_new(void)
+{
+ pcap_thread_ext_frag_conf_t* conf = calloc(1, sizeof(pcap_thread_ext_frag_conf_t));
+ if (conf) {
+ memcpy(conf, &_conf_defaults, sizeof(pcap_thread_ext_frag_conf_t));
+ }
+
+ return conf;
+}
+
+void pcap_thread_ext_frag_conf_free(pcap_thread_ext_frag_conf_t* conf)
+{
+ if (conf) {
+ free(conf);
+ }
+}
+
+/*
+ * Get/Set
+ */
+
+int pcap_thread_ext_frag_conf_reject_overlap(const pcap_thread_ext_frag_conf_t* conf)
+{
+ if (!conf) {
+ return 0;
+ }
+
+ return conf->reject_overlap;
+}
+
+int pcap_thread_ext_frag_conf_set_reject_overlap(pcap_thread_ext_frag_conf_t* conf, const int reject_overlap)
+{
+ if (!conf) {
+ return PCAP_THREAD_EINVAL;
+ }
+
+ conf->reject_overlap = reject_overlap ? 1 : 0;
+
+ return PCAP_THREAD_OK;
+}
+
+int pcap_thread_ext_frag_conf_check_timeout(const pcap_thread_ext_frag_conf_t* conf)
+{
+ if (!conf) {
+ return 0;
+ }
+
+ return conf->check_timeout;
+}
+
+int pcap_thread_ext_frag_conf_set_check_timeout(pcap_thread_ext_frag_conf_t* conf, const int check_timeout)
+{
+ if (!conf) {
+ return PCAP_THREAD_EINVAL;
+ }
+
+ conf->check_timeout = check_timeout ? 1 : 0;
+
+ return PCAP_THREAD_OK;
+}
+
+pcap_thread_ext_frag_reassemble_mode_t pcap_thread_ext_frag_conf_reassemble_mode(const pcap_thread_ext_frag_conf_t* conf)
+{
+ if (!conf) {
+ return PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC791;
+ }
+
+ return conf->reassemble_mode;
+}
+
+int pcap_thread_ext_frag_conf_set_reassemble_mode(pcap_thread_ext_frag_conf_t* conf, const pcap_thread_ext_frag_reassemble_mode_t reassemble_mode)
+{
+ if (!conf) {
+ return PCAP_THREAD_EINVAL;
+ }
+
+ switch (reassemble_mode) {
+ case PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC791:
+ case PCAP_THREAD_EXT_FRAG_REASSEMBLE_BSD:
+ break;
+ case PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC815:
+ /* TODO: Implement */
+ default:
+ return PCAP_THREAD_EINVAL;
+ }
+
+ conf->reassemble_mode = reassemble_mode;
+
+ return PCAP_THREAD_OK;
+}
+
+size_t pcap_thread_ext_frag_conf_fragments(const pcap_thread_ext_frag_conf_t* conf)
+{
+ if (!conf) {
+ return -1;
+ }
+
+ return conf->fragments;
+}
+
+int pcap_thread_ext_frag_conf_set_fragments(pcap_thread_ext_frag_conf_t* conf, const size_t fragments)
+{
+ if (!conf) {
+ return PCAP_THREAD_EINVAL;
+ }
+
+ conf->fragments = fragments;
+
+ return PCAP_THREAD_OK;
+}
+
+size_t pcap_thread_ext_frag_conf_per_packet(const pcap_thread_ext_frag_conf_t* conf)
+{
+ if (!conf) {
+ return -1;
+ }
+
+ return conf->per_packet;
+}
+
+int pcap_thread_ext_frag_conf_set_per_packet(pcap_thread_ext_frag_conf_t* conf, const size_t per_packet)
+{
+ if (!conf) {
+ return PCAP_THREAD_EINVAL;
+ }
+
+ conf->per_packet = per_packet;
+
+ return PCAP_THREAD_OK;
+}
+
+struct timeval pcap_thread_ext_frag_conf_timeout(const pcap_thread_ext_frag_conf_t* conf)
+{
+ if (!conf) {
+ struct timeval ret = { 0, 0 };
+ return ret;
+ }
+
+ return conf->timeout;
+}
+
+int pcap_thread_ext_frag_conf_set_timeout(pcap_thread_ext_frag_conf_t* conf, const struct timeval timeout)
+{
+ if (!conf) {
+ return PCAP_THREAD_EINVAL;
+ }
+
+ conf->timeout = timeout;
+
+ return PCAP_THREAD_OK;
+}
+
+pcap_thread_ext_frag_callback_t pcap_thread_ext_frag_conf_overlap_callback(const pcap_thread_ext_frag_conf_t* conf)
+{
+ if (!conf) {
+ return 0;
+ }
+
+ return conf->overlap_callback;
+}
+
+int pcap_thread_ext_frag_conf_set_overlap_callback(pcap_thread_ext_frag_conf_t* conf, pcap_thread_ext_frag_callback_t overlap_callback)
+{
+ if (!conf) {
+ return PCAP_THREAD_EINVAL;
+ }
+
+ conf->overlap_callback = overlap_callback;
+
+ return PCAP_THREAD_OK;
+}
+
+pcap_thread_ext_frag_callback_t pcap_thread_ext_frag_conf_timeout_callback(const pcap_thread_ext_frag_conf_t* conf)
+{
+ if (!conf) {
+ return 0;
+ }
+
+ return conf->timeout_callback;
+}
+
+int pcap_thread_ext_frag_conf_set_timeout_callback(pcap_thread_ext_frag_conf_t* conf, pcap_thread_ext_frag_callback_t timeout_callback)
+{
+ if (!conf) {
+ return PCAP_THREAD_EINVAL;
+ }
+
+ conf->timeout_callback = timeout_callback;
+
+ return PCAP_THREAD_OK;
+}
+
+/*
+ * Init
+ */
+
+pcap_thread_layer_callback_frag_t pcap_thread_ext_frag_layer_callback(pcap_thread_ext_frag_conf_t* conf)
+{
+ pcap_thread_layer_callback_frag_t callback = PCAP_THREAD_LAYER_CALLBACK_FRAG_T_INIT;
+
+ if (conf) {
+ callback.conf = (void*)conf;
+ callback.new = pcap_thread_layer_callback_frag_new;
+ callback.free = pcap_thread_layer_callback_frag_free;
+ callback.reassemble = pcap_thread_layer_callback_frag_reassemble;
+ callback.release = pcap_thread_layer_callback_frag_release;
+ }
+
+ return callback;
+}
+
+/*
+ * Callbacks
+ */
+
+#if PCAP_THREAD_EXT_FRAG_TRACE
+#include <stdio.h>
+#define layer_trace(msg) printf("LT %s:%d: " msg "\n", __FILE__, __LINE__)
+#define layer_tracef(msg, args...) printf("LT %s:%d: " msg "\n", __FILE__, __LINE__, args)
+#else
+#define layer_trace(msg)
+#define layer_tracef(msg, args...)
+#endif
+
+/* TODO:
+typedef struct _hole _hole_t;
+struct _hole {
+ _hole_t* next;
+
+ size_t first, last;
+};
+*/
+
+#ifdef HAVE_PTHREAD
+#define PCAP_THREAD_EXT_FRAG_CTX_T_INIT_MUTEX PTHREAD_MUTEX_INITIALIZER,
+#else
+#define PCAP_THREAD_EXT_FRAG_CTX_T_INIT_MUTEX
+#endif
+
+/* clang-format off */
+#define PCAP_THREAD_EXT_FRAG_CTX_T_INIT { \
+ PCAP_THREAD_EXT_FRAG_CTX_T_INIT_MUTEX \
+ PCAP_THREAD_EXT_FRAG_CONF_T_INIT, 0, 0 \
+}
+/* clang-format on */
+
+typedef struct _ctx _ctx_t;
+struct _ctx {
+#ifdef HAVE_PTHREAD
+ pthread_mutex_t mutex;
+#endif
+ pcap_thread_ext_frag_conf_t conf;
+ pcap_thread_ext_frag_fragments_t* fragments;
+ size_t num_fragments;
+};
+
+static _ctx_t _ctx_defaults = PCAP_THREAD_EXT_FRAG_CTX_T_INIT;
+
+static void* pcap_thread_layer_callback_frag_new(void* conf, u_char* user)
+{
+ _ctx_t* ctx = calloc(1, sizeof(_ctx_t));
+ if (ctx) {
+ layer_tracef("new ctx %p", ctx);
+ memcpy(ctx, &_ctx_defaults, sizeof(_ctx_t));
+ if (conf) {
+ memcpy(&(ctx->conf), conf, sizeof(pcap_thread_ext_frag_conf_t));
+ }
+ }
+
+ return ctx;
+}
+
+static void pcap_thread_layer_callback_frag_free(void* _ctx)
+{
+ _ctx_t* ctx = (_ctx_t*)_ctx;
+ if (ctx) {
+ layer_tracef("free ctx %p", ctx);
+ while (ctx->fragments) {
+ pcap_thread_ext_frag_fragments_t* frags = ctx->fragments;
+ ctx->fragments = frags->next;
+
+ while (frags->fragments) {
+ pcap_thread_ext_frag_fragment_t* frag = frags->fragments;
+ frags->fragments = frag->next;
+
+ if (frag->payload) {
+ free(frag->payload);
+ }
+ free(frag);
+ }
+
+ if (frags->payload) {
+ free(frags->payload);
+ }
+ free(frags);
+ }
+ }
+}
+
+static pcap_thread_packet_state_t reassemble(_ctx_t* ctx, const pcap_thread_packet_t* packet, pcap_thread_packet_t** whole_packet, const u_char** whole_payload, size_t* whole_length, pcap_thread_ext_frag_fragments_t* frags, pcap_thread_ext_frag_fragment_t* frag)
+{
+ pcap_thread_ext_frag_fragment_t *f, *f_prev;
+ int missing_frag = 0;
+ /* TODO:
+ int rfc815_seen_no_more_frags = 0;
+ */
+
+ if ((frag->offset + frag->length) > frags->length) {
+ frags->length = frag->offset + frag->length;
+ }
+
+ layer_tracef("new frag len %lu off %lu mf %d (frags len %lu)", frag->length, frag->offset, frag->flag_more_fragments, frags->length);
+
+ /* Place the fragment in the fragments list */
+ switch (ctx->conf.reassemble_mode) {
+ case PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC791:
+ for (f_prev = 0, f = frags->fragments; f; f_prev = f, f = f->next) {
+ layer_tracef("checking frag %p len %lu off %lu mf %d next %p", f, f->length, f->offset, f->flag_more_fragments, f->next);
+
+ if (f->offset > frag->offset) {
+ if (f_prev) {
+ f_prev->next = frag;
+ } else {
+ frags->fragments = frag;
+ }
+ frag->next = f;
+ f = frag;
+ break;
+ }
+ if (f_prev && (f_prev->offset + f_prev->length) < f->offset) {
+ missing_frag = 1;
+ }
+ }
+ if (!f) {
+ if (f_prev) {
+ f_prev->next = frag;
+ if ((f_prev->offset + f_prev->length) < frag->offset) {
+ missing_frag = 1;
+ }
+ } else {
+ frags->fragments = frag;
+ }
+ /* New frag is now last frag */
+ f_prev = frag;
+ } else if (!missing_frag) {
+ for (; f; f_prev = f, f = f->next) {
+ layer_tracef("checking frag %p len %lu off %lu mf %d next %p", f, f->length, f->offset, f->flag_more_fragments, f->next);
+ if (f_prev && (f_prev->offset + f_prev->length) < f->offset) {
+ missing_frag = 1;
+ break;
+ }
+ }
+ }
+ /*
+ * If first is not offset zero or last have more fragments flag,
+ * we are missing fragments.
+ */
+ if (!missing_frag && (frags->fragments->offset || (f_prev && f_prev->flag_more_fragments))) {
+ missing_frag = 1;
+ }
+ break;
+ case PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC815:
+ /* TODO:
+ for (f_prev = 0, f = frags->fragments; f; f_prev = f, f = f->next) {
+ layer_tracef("checking frag %p len %lu off %lu mf %d next %p", f, f->length, f->offset, f->flag_more_fragments, f->next);
+
+ if (!f->flag_more_fragments) {
+ rfc815_seen_no_more_frags = 1;
+ }
+ }
+ */
+ free(frag->payload);
+ free(frag);
+ return PCAP_THREAD_EINVAL;
+ break;
+ case PCAP_THREAD_EXT_FRAG_REASSEMBLE_BSD:
+ for (f_prev = 0, f = frags->fragments; f; f_prev = f, f = f->next) {
+ layer_tracef("checking frag %p len %lu off %lu mf %d next %p", f, f->length, f->offset, f->flag_more_fragments, f->next);
+
+ if (f->offset > frag->offset) {
+ if (f_prev) {
+ f_prev->next = frag;
+ } else {
+ frags->fragments = frag;
+ }
+ frag->next = f;
+ f = frag;
+ break;
+ }
+ if (f_prev && (f->offset + f->length) < f_prev->offset) {
+ missing_frag = 1;
+ }
+ }
+ if (!f) {
+ if (f_prev) {
+ f_prev->next = frag;
+ if ((frag->offset + frag->length) < f_prev->offset) {
+ missing_frag = 1;
+ }
+ } else {
+ frags->fragments = frag;
+ }
+ } else if (!missing_frag) {
+ for (; f; f_prev = f, f = f->next) {
+ layer_tracef("checking frag %p len %lu off %lu mf %d next %p", f, f->length, f->offset, f->flag_more_fragments, f->next);
+ if (f_prev && (f->offset + f->length) < f_prev->offset) {
+ missing_frag = 1;
+ break;
+ }
+ }
+ }
+ /*
+ * If first (last on list) is not offset zero or last (first on
+ * list) have more fragments flag, we are missing fragments.
+ */ + if (!missing_frag && ((f_prev && f_prev->offset) || frags->fragments->flag_more_fragments)) { + missing_frag = 1; + } + break; + } + frags->num_fragments++; + + if (missing_frag) { + layer_trace("need more frags"); + return PCAP_THREAD_PACKET_OK; + } + + if (!frags->length) { + layer_trace("frags complete but no size"); + return PCAP_THREAD_PACKET_INVALID_FRAGMENT; + } + + if (ctx->conf.reject_overlap) { + switch (ctx->conf.reassemble_mode) { + case PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC791: + for (f_prev = 0, f = frags->fragments; f; f_prev = f, f = f->next) { + layer_tracef("checking frag %p len %lu off %lu mf %d next %p", f, f->length, f->offset, f->flag_more_fragments, f->next); + if (f_prev && (f_prev->offset + f_prev->length) > f->offset) { + layer_trace("overlapping fragment"); + if (ctx->conf.overlap_callback) + ctx->conf.overlap_callback(packet, frag->payload, frag->length, frags); + return PCAP_THREAD_PACKET_INVALID_FRAGMENT; + } + } + break; + case PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC815: + /* TODO: + */ + break; + case PCAP_THREAD_EXT_FRAG_REASSEMBLE_BSD: + for (f_prev = 0, f = frags->fragments; f; f_prev = f, f = f->next) { + layer_tracef("checking frag %p len %lu off %lu mf %d next %p", f, f->length, f->offset, f->flag_more_fragments, f->next); + if (f_prev && (f->offset + f->length) > f_prev->offset) { + layer_trace("overlapping fragment"); + if (ctx->conf.overlap_callback) + ctx->conf.overlap_callback(packet, frag->payload, frag->length, frags); + return PCAP_THREAD_PACKET_INVALID_FRAGMENT; + } + } + break; + } + } + + /* + * Reassemble packet + */ + if (!(frags->payload = calloc(1, frags->length))) { + layer_trace("nomem frags payload"); + return PCAP_THREAD_PACKET_ENOMEM; + } + for (f = frags->fragments; f; f = f->next) { + memcpy(frags->payload + f->offset, f->payload, f->length); + } + + frags->packet.name = packet->name; + frags->packet.dlt = packet->dlt; + frags->packet.pkthdr = packet->pkthdr; + /* + * We add the total payload length minus 
current fragment, since it is + * already included, to the pkthdr lengths in order to return correct + * total packet length (header + payload). + */ + frags->packet.pkthdr.len += frags->length - frag->length; + frags->packet.pkthdr.caplen += frags->length - frag->length; + frags->packet.have_pkthdr = packet->have_pkthdr; + + *whole_packet = &(frags->packet); + *whole_payload = frags->payload; + *whole_length = frags->length; + + return PCAP_THREAD_PACKET_OK; +} + +static pcap_thread_packet_state_t reassemble_ipv4(_ctx_t* ctx, const pcap_thread_packet_t* packet, const u_char* payload, size_t length, pcap_thread_packet_t** whole_packet, const u_char** whole_payload, size_t* whole_length) +{ + pcap_thread_ext_frag_fragments_t *frags, *frags_prev; + pcap_thread_ext_frag_fragment_t* frag; + + if (!packet->have_pkthdr) { + layer_trace("no pkthdr"); + return PCAP_THREAD_PACKET_INVALID; + } + + layer_tracef("ipv4 ctx %p", ctx); + + /* Find packet fragments */ + for (frags_prev = 0, frags = ctx->fragments; frags; frags_prev = frags, frags = frags->next) { + if (frags->packet.have_iphdr + && packet->iphdr.ip_id == frags->packet.iphdr.ip_id + && packet->iphdr.ip_p == frags->packet.iphdr.ip_p + && packet->iphdr.ip_src.s_addr == frags->packet.iphdr.ip_src.s_addr + && packet->iphdr.ip_dst.s_addr == frags->packet.iphdr.ip_dst.s_addr) { + + layer_tracef("frags %d found", packet->iphdr.ip_id); + + /* Found it, remove from list */ + if (frags_prev) { + frags_prev->next = frags->next; + } + if (ctx->fragments == frags) { + ctx->fragments = frags->next; + } + frags->next = 0; + break; + } + } + + /* Check if frags is timed out */ + if (ctx->conf.check_timeout && frags) { + struct timeval ts; + + ts = frags->packet.pkthdr.ts; + ts.tv_sec += ctx->conf.timeout.tv_sec; + ts.tv_usec += ctx->conf.timeout.tv_usec; + ts.tv_usec %= 1000000; + if (packet->pkthdr.ts.tv_sec > ts.tv_sec + || (packet->pkthdr.ts.tv_sec == ts.tv_sec + && packet->pkthdr.ts.tv_usec > ts.tv_usec)) { + + 
pcap_thread_ext_frag_fragment_t* f; + + layer_tracef("frags timed out (last: %lu.%lu, this: %lu.%lu)", + frags->packet.pkthdr.ts.tv_sec, frags->packet.pkthdr.ts.tv_usec, + packet->pkthdr.ts.tv_sec, packet->pkthdr.ts.tv_usec); + + if (ctx->conf.timeout_callback) + ctx->conf.timeout_callback(packet, payload, length, frags); + + for (f = frags->fragments; f;) { + frag = f; + f = f->next; + if (frag->payload) { + free(frag->payload); + } + free(frag); + } + + if (frags->payload) { + free(frags->payload); + } + free(frags); + frags = 0; + } else { + frags->packet.pkthdr.ts = packet->pkthdr.ts; + } + } + + /* No fragments found, create new */ + if (!frags) { + if (ctx->num_fragments >= ctx->conf.fragments) { + layer_trace("too many frags"); + return PCAP_THREAD_PACKET_INVALID_FRAGMENT; + } + + if (!(frags = calloc(1, sizeof(pcap_thread_ext_frag_fragments_t)))) { + layer_trace("nomem frags"); + return PCAP_THREAD_PACKET_ENOMEM; + } + + layer_tracef("new frags %d", packet->iphdr.ip_id); + + // TODO: How to handle prevpkt + memcpy(&(frags->packet.iphdr), &(packet->iphdr), sizeof(struct ip)); + frags->packet.have_iphdr = 1; + frags->packet.pkthdr.ts = packet->pkthdr.ts; + + ctx->num_fragments++; + } + /* Put the fragments first on the list */ + frags->next = ctx->fragments; + ctx->fragments = frags; + + if (frags->payload) { + layer_trace("already reassembled"); + return PCAP_THREAD_PACKET_INVALID_FRAGMENT; + } + + if (frags->num_fragments >= ctx->conf.per_packet) { + layer_trace("too many frags frag"); + return PCAP_THREAD_PACKET_INVALID_FRAGMENT; + } + + /* Allocate for the new fragment */ + if (!(frag = calloc(1, sizeof(pcap_thread_ext_frag_fragment_t)))) { + layer_trace("nomem frag"); + return PCAP_THREAD_PACKET_ENOMEM; + } + if (!(frag->payload = calloc(1, length))) { + free(frag); + layer_trace("nomem frag"); + return PCAP_THREAD_PACKET_ENOMEM; + } + memcpy(frag->payload, payload, length); + frag->length = length; + frag->offset = (packet->iphdr.ip_off & 0x1fff) * 8; + 
frag->flag_more_fragments = packet->iphdr.ip_off & 0x2000 ? 1 : 0; + + return reassemble(ctx, packet, whole_packet, whole_payload, whole_length, frags, frag); +} + +static pcap_thread_packet_state_t reassemble_ipv6(_ctx_t* ctx, const pcap_thread_packet_t* packet, const u_char* payload, size_t length, pcap_thread_packet_t** whole_packet, const u_char** whole_payload, size_t* whole_length) +{ + pcap_thread_ext_frag_fragments_t *frags, *frags_prev; + pcap_thread_ext_frag_fragment_t* frag; + + layer_tracef("ipv6 ctx %p", ctx); + + /* Find packet fragments */ + for (frags_prev = 0, frags = ctx->fragments; frags; frags_prev = frags, frags = frags->next) { + if (frags->packet.have_ip6hdr + && packet->ip6frag.ip6f_ident == frags->packet.ip6frag.ip6f_ident + && !memcmp(&(packet->ip6hdr.ip6_src), &(frags->packet.ip6hdr.ip6_src), sizeof(struct in6_addr)) + && ((!packet->have_ip6rtdst && !memcmp(&(packet->ip6hdr.ip6_dst), &(frags->packet.ip6hdr.ip6_dst), sizeof(struct in6_addr))) + || (packet->have_ip6rtdst && !memcmp(&(packet->ip6rtdst), &(frags->packet.ip6hdr.ip6_dst), sizeof(struct in6_addr))))) { + + layer_tracef("frags %x found", packet->ip6frag.ip6f_ident); + + /* Found it, remove from list */ + if (frags_prev) { + frags_prev->next = frags->next; + } + if (ctx->fragments == frags) { + ctx->fragments = frags->next; + } + frags->next = 0; + break; + } + } + + /* Check if frags is timed out */ + if (ctx->conf.check_timeout && frags) { + struct timeval ts; + + ts = frags->packet.pkthdr.ts; + ts.tv_sec += ctx->conf.timeout.tv_sec; + ts.tv_usec += ctx->conf.timeout.tv_usec; + ts.tv_usec %= 1000000; + if (packet->pkthdr.ts.tv_sec > ts.tv_sec + || (packet->pkthdr.ts.tv_sec == ts.tv_sec + && packet->pkthdr.ts.tv_usec > ts.tv_usec)) { + + pcap_thread_ext_frag_fragment_t* f; + + layer_tracef("frags timed out (last: %lu.%lu, this: %lu.%lu)", + frags->packet.pkthdr.ts.tv_sec, frags->packet.pkthdr.ts.tv_usec, + packet->pkthdr.ts.tv_sec, packet->pkthdr.ts.tv_usec); + + if 
(ctx->conf.timeout_callback) + ctx->conf.timeout_callback(packet, payload, length, frags); + + for (f = frags->fragments; f;) { + frag = f; + f = f->next; + if (frag->payload) { + free(frag->payload); + } + free(frag); + } + + if (frags->payload) { + free(frags->payload); + } + free(frags); + frags = 0; + } else { + frags->packet.pkthdr.ts = packet->pkthdr.ts; + } + } + + /* No fragments found, create new */ + if (!frags) { + if (ctx->num_fragments >= ctx->conf.fragments) { + layer_trace("too many frags"); + return PCAP_THREAD_PACKET_INVALID_FRAGMENT; + } + + if (!(frags = calloc(1, sizeof(pcap_thread_ext_frag_fragments_t)))) { + layer_trace("nomem frags"); + return PCAP_THREAD_PACKET_ENOMEM; + } + + layer_tracef("new frags %x", packet->ip6frag.ip6f_ident); + + // TODO: How to handle prevpkt + memcpy(&(frags->packet.ip6hdr), &(packet->ip6hdr), sizeof(struct ip6_hdr)); + frags->packet.have_ip6hdr = 1; + memcpy(&(frags->packet.ip6frag), &(packet->ip6frag), sizeof(struct ip6_frag)); + frags->packet.have_ip6frag = 1; + frags->packet.ip6frag_payload = packet->ip6frag_payload; + if (packet->have_ip6rtdst) { + frags->packet.ip6hdr.ip6_dst = packet->ip6rtdst; + } + frags->packet.pkthdr.ts = packet->pkthdr.ts; + + ctx->num_fragments++; + } else { + if (frags->packet.ip6frag_payload != packet->ip6frag_payload) { + layer_trace("wrong payload"); + return PCAP_THREAD_PACKET_INVALID_FRAGMENT; + } + } + /* Put the fragments first on the list */ + frags->next = ctx->fragments; + ctx->fragments = frags; + + if (frags->payload) { + layer_trace("already reassembled"); + return PCAP_THREAD_PACKET_INVALID_FRAGMENT; + } + + if (frags->num_fragments >= ctx->conf.per_packet) { + layer_trace("too many frags frag"); + return PCAP_THREAD_PACKET_INVALID_FRAGMENT; + } + + /* Allocate for the new fragment */ + if (!(frag = calloc(1, sizeof(pcap_thread_ext_frag_fragment_t)))) { + layer_trace("nomem frag"); + return PCAP_THREAD_PACKET_ENOMEM; + } + if (!(frag->payload = calloc(1, length))) { + 
free(frag); + layer_trace("nomem frag"); + return PCAP_THREAD_PACKET_ENOMEM; + } + memcpy(frag->payload, payload, length); + frag->length = length; + frag->offset = ((packet->ip6frag.ip6f_offlg & 0xfff8) >> 3) * 8; + frag->flag_more_fragments = packet->ip6frag.ip6f_offlg & 0x1 ? 1 : 0; + + return reassemble(ctx, packet, whole_packet, whole_payload, whole_length, frags, frag); +} + +#ifdef HAVE_PTHREAD /* _release() is only used when mutex functions fails */ +static void _release(_ctx_t* ctx, const pcap_thread_packet_t* packet) +{ + pcap_thread_ext_frag_fragments_t *frags, *frags_prev; + + layer_tracef("release ctx %p", ctx); + + /* Find packet fragments */ + for (frags_prev = 0, frags = ctx->fragments; frags; frags_prev = frags, frags = frags->next) { + if (frags->packet.have_iphdr + && packet->iphdr.ip_id == frags->packet.iphdr.ip_id + && packet->iphdr.ip_p == frags->packet.iphdr.ip_p + && packet->iphdr.ip_src.s_addr == frags->packet.iphdr.ip_src.s_addr + && packet->iphdr.ip_dst.s_addr == frags->packet.iphdr.ip_dst.s_addr) { + + layer_tracef("release frags %d", packet->iphdr.ip_id); + break; + } else if (frags->packet.have_ip6hdr + && packet->ip6frag.ip6f_ident == frags->packet.ip6frag.ip6f_ident + && !memcmp(&(packet->ip6hdr.ip6_src), &(frags->packet.ip6hdr.ip6_src), sizeof(struct in6_addr)) + && ((!packet->have_ip6rtdst && !memcmp(&(packet->ip6hdr.ip6_dst), &(frags->packet.ip6hdr.ip6_dst), sizeof(struct in6_addr))) + || (packet->have_ip6rtdst && !memcmp(&(packet->ip6rtdst), &(frags->packet.ip6hdr.ip6_dst), sizeof(struct in6_addr))))) { + + layer_tracef("release frags %x", packet->ip6frag.ip6f_ident); + break; + } + } + + if (frags) { + pcap_thread_ext_frag_fragment_t *frag, *f; + + /* Found it, remove from list */ + if (frags_prev) { + frags_prev->next = frags->next; + } + if (ctx->fragments == frags) { + ctx->fragments = frags->next; + } + frags->next = 0; + ctx->num_fragments--; + + for (f = frags->fragments; f;) { + frag = f; + f = f->next; + if 
(frag->payload) { + free(frag->payload); + } + free(frag); + } + + if (frags->payload) { + free(frags->payload); + } + free(frags); + } +} +#endif + +static pcap_thread_packet_state_t pcap_thread_layer_callback_frag_reassemble(void* _ctx, const pcap_thread_packet_t* packet, const u_char* payload, size_t length, pcap_thread_packet_t** whole_packet, const u_char** whole_payload, size_t* whole_length) +{ + _ctx_t* ctx = (_ctx_t*)_ctx; + pcap_thread_packet_state_t state = PCAP_THREAD_PACKET_INVALID; + + if (!ctx) { + return PCAP_THREAD_PACKET_INVALID; + } + if (!packet) { + return PCAP_THREAD_PACKET_INVALID; + } + if (!payload) { + return PCAP_THREAD_PACKET_INVALID; + } + if (!length) { + return PCAP_THREAD_PACKET_INVALID; + } + if (!whole_packet) { + return PCAP_THREAD_PACKET_INVALID; + } + if (!whole_payload) { + return PCAP_THREAD_PACKET_INVALID; + } + if (!whole_length) { + return PCAP_THREAD_PACKET_INVALID; + } + + if (ctx && packet && payload && length + && whole_packet && whole_payload && whole_length) { + if (packet->have_iphdr) { +#ifdef HAVE_PTHREAD + if (pthread_mutex_lock(&(ctx->mutex))) { + return PCAP_THREAD_PACKET_EMUTEX; + } +#endif + state = reassemble_ipv4(ctx, packet, payload, length, whole_packet, whole_payload, whole_length); +#ifdef HAVE_PTHREAD + if (pthread_mutex_unlock(&(ctx->mutex))) { + if (state == PCAP_THREAD_PACKET_OK && *whole_packet && *whole_payload && *whole_length) { + _release(ctx, *whole_packet); + } + return PCAP_THREAD_PACKET_EMUTEX; + } +#endif + } else if (packet->have_ip6hdr && packet->have_ip6frag) { +#ifdef HAVE_PTHREAD + if (pthread_mutex_lock(&(ctx->mutex))) { + return PCAP_THREAD_PACKET_EMUTEX; + } +#endif + state = reassemble_ipv6(ctx, packet, payload, length, whole_packet, whole_payload, whole_length); +#ifdef HAVE_PTHREAD + if (pthread_mutex_unlock(&(ctx->mutex))) { + if (state == PCAP_THREAD_PACKET_OK && *whole_packet && *whole_payload && *whole_length) { + _release(ctx, *whole_packet); + } + return 
PCAP_THREAD_PACKET_EMUTEX; + } +#endif + } + } + + return state; +} + +static void pcap_thread_layer_callback_frag_release(void* _ctx, const pcap_thread_packet_t* packet, const u_char* payload, size_t length) +{ + _ctx_t* ctx = (_ctx_t*)_ctx; + pcap_thread_ext_frag_fragments_t *frags, *frags_prev; + + if (!ctx) { + return; + } + if (!packet) { + return; + } + if (packet->have_ip6hdr) { + if (!packet->have_ip6frag) { + return; + } + } else if (!packet->have_iphdr) { + return; + } + +#ifdef HAVE_PTHREAD + if (pthread_mutex_lock(&(ctx->mutex))) { + return; + } +#endif + + /* Find packet fragments */ + for (frags_prev = 0, frags = ctx->fragments; frags; frags_prev = frags, frags = frags->next) { + if ((frags->packet.have_iphdr + && packet->iphdr.ip_id == frags->packet.iphdr.ip_id + && packet->iphdr.ip_p == frags->packet.iphdr.ip_p + && packet->iphdr.ip_src.s_addr == frags->packet.iphdr.ip_src.s_addr + && packet->iphdr.ip_dst.s_addr == frags->packet.iphdr.ip_dst.s_addr) + || (frags->packet.have_ip6hdr + && packet->ip6frag.ip6f_ident == frags->packet.ip6frag.ip6f_ident + && !memcmp(&(packet->ip6hdr.ip6_src), &(frags->packet.ip6hdr.ip6_src), sizeof(struct in6_addr)) + && ((!packet->have_ip6rtdst && !memcmp(&(packet->ip6hdr.ip6_dst), &(frags->packet.ip6hdr.ip6_dst), sizeof(struct in6_addr))) + || (packet->have_ip6rtdst && !memcmp(&(packet->ip6rtdst), &(frags->packet.ip6hdr.ip6_dst), sizeof(struct in6_addr)))))) { + + /* Found it, remove from list */ + if (frags_prev) { + frags_prev->next = frags->next; + } + if (ctx->fragments == frags) { + ctx->fragments = frags->next; + } + frags->next = 0; + ctx->num_fragments--; + break; + } + } + +#ifdef HAVE_PTHREAD + pthread_mutex_unlock(&(ctx->mutex)); +#endif + + if (frags) { + pcap_thread_ext_frag_fragment_t *frag, *f; + + for (f = frags->fragments; f;) { + frag = f; + f = f->next; + if (frag->payload) { + free(frag->payload); + } + free(frag); + } + + if (frags->payload) { + free(frags->payload); + } + free(frags); + } +} 
diff --git a/src/pcap-thread/pcap_thread_ext_frag.h b/src/pcap-thread/pcap_thread_ext_frag.h
new file mode 100644
index 0000000..dfa151a
--- /dev/null
+++ b/src/pcap-thread/pcap_thread_ext_frag.h
@@ -0,0 +1,131 @@ +/* + * Author Jerry Lundström <jerry@dns-oarc.net> + * Copyright (c) 2016-2017, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "pcap_thread.h" + +#ifndef __pcap_thread_ext_frag_h +#define __pcap_thread_ext_frag_h + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * RFC791 - Handle fragments in an offset ascending order, allow fragments to overlap + * RFC815 - Handle fragments in a receiving order, allow fragments to overlap + * BSD - Handle fragments in an offset descending order, allow fragments to overlap + */ +typedef enum pcap_thread_ext_frag_reassemble_mode pcap_thread_ext_frag_reassemble_mode_t; +enum pcap_thread_ext_frag_reassemble_mode { + PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC791 = 0, + PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC815, + PCAP_THREAD_EXT_FRAG_REASSEMBLE_BSD +}; + +typedef struct pcap_thread_ext_frag_fragment pcap_thread_ext_frag_fragment_t; +struct pcap_thread_ext_frag_fragment { + pcap_thread_ext_frag_fragment_t* next; + + unsigned short flag_more_fragments : 1; + + u_char* payload; + size_t length; + size_t offset; +}; + +typedef struct pcap_thread_ext_frag_fragments pcap_thread_ext_frag_fragments_t; +struct pcap_thread_ext_frag_fragments { + pcap_thread_ext_frag_fragments_t* next; + + pcap_thread_packet_t packet; + pcap_thread_ext_frag_fragment_t* fragments; + size_t num_fragments; + u_char* payload; + size_t length; +}; + +typedef void (*pcap_thread_ext_frag_callback_t)(const pcap_thread_packet_t* packet, const u_char* payload, size_t length, const pcap_thread_ext_frag_fragments_t* fragments); + +/* clang-format off */ +#define PCAP_THREAD_EXT_FRAG_CONF_T_INIT { \ + 0, 0, \ + PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC791, \ + 100, 10, { 30, 0 }, \ + 0, 0 \ +} +/* clang-format on */ + +typedef struct pcap_thread_ext_frag_conf pcap_thread_ext_frag_conf_t; +struct pcap_thread_ext_frag_conf { + unsigned short reject_overlap : 1; + unsigned short check_timeout : 1; + + pcap_thread_ext_frag_reassemble_mode_t reassemble_mode; + + size_t fragments; + size_t per_packet; + struct timeval timeout; + + pcap_thread_ext_frag_callback_t overlap_callback; + 
pcap_thread_ext_frag_callback_t timeout_callback; +}; + +pcap_thread_ext_frag_conf_t* pcap_thread_ext_frag_conf_new(void); +void pcap_thread_ext_frag_conf_free(pcap_thread_ext_frag_conf_t* conf); + +int pcap_thread_ext_frag_conf_reject_overlap(const pcap_thread_ext_frag_conf_t* conf); +int pcap_thread_ext_frag_conf_set_reject_overlap(pcap_thread_ext_frag_conf_t* conf, const int reject_overlap); +int pcap_thread_ext_frag_conf_check_timeout(const pcap_thread_ext_frag_conf_t* conf); +int pcap_thread_ext_frag_conf_set_check_timeout(pcap_thread_ext_frag_conf_t* conf, const int check_timeout); +pcap_thread_ext_frag_reassemble_mode_t pcap_thread_ext_frag_conf_reassemble_mode(const pcap_thread_ext_frag_conf_t* conf); +int pcap_thread_ext_frag_conf_set_reassemble_mode(pcap_thread_ext_frag_conf_t* conf, const pcap_thread_ext_frag_reassemble_mode_t reassemble_mode); +size_t pcap_thread_ext_frag_conf_fragments(const pcap_thread_ext_frag_conf_t* conf); +int pcap_thread_ext_frag_conf_set_fragments(pcap_thread_ext_frag_conf_t* conf, const size_t fragments); +size_t pcap_thread_ext_frag_conf_per_packet(const pcap_thread_ext_frag_conf_t* conf); +int pcap_thread_ext_frag_conf_set_per_packet(pcap_thread_ext_frag_conf_t* conf, const size_t per_packet); +struct timeval pcap_thread_ext_frag_conf_timeout(const pcap_thread_ext_frag_conf_t* conf); +int pcap_thread_ext_frag_conf_set_timeout(pcap_thread_ext_frag_conf_t* conf, const struct timeval timeout); +pcap_thread_ext_frag_callback_t pcap_thread_ext_frag_conf_overlap_callback(const pcap_thread_ext_frag_conf_t* conf); +int pcap_thread_ext_frag_conf_set_overlap_callback(pcap_thread_ext_frag_conf_t* conf, pcap_thread_ext_frag_callback_t overlap_callback); +pcap_thread_ext_frag_callback_t pcap_thread_ext_frag_conf_timeout_callback(const pcap_thread_ext_frag_conf_t* conf); +int pcap_thread_ext_frag_conf_set_timeout_callback(pcap_thread_ext_frag_conf_t* conf, pcap_thread_ext_frag_callback_t timeout_callback); + 
+pcap_thread_layer_callback_frag_t pcap_thread_ext_frag_layer_callback(pcap_thread_ext_frag_conf_t* conf); + +#ifdef __cplusplus +} +#endif + +#endif /* __pcap_thread_ext_frag_h */ diff --git a/src/pcaps.c b/src/pcaps.c new file mode 100644 index 0000000..9cb6b7b --- /dev/null +++ b/src/pcaps.c 
@@ -0,0 +1,236 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" + +#include "pcaps.h" +#include "log.h" +#include "network.h" + +#include "pcap-thread/pcap_thread_ext_frag.h" + +static void +drop_pkt(u_char* user, const struct pcap_pkthdr* hdr, const u_char* pkt, const char* name, const int dlt) +{ + mypcap_ptr mypcap = (mypcap_ptr)user; + + pcap_drops++; + if (mypcap) { + mypcap->drops++; + } +} + +void print_pcap_thread_error(const char* func, int err) +{ + if (err == PCAP_THREAD_EPCAP) { + fprintf(stderr, "%s: pcap_thread libpcap error [%d] %s: %s (%s)\n", + ProgramName, + pcap_thread_status(&pcap_thread), + func, + pcap_statustostr(pcap_thread_status(&pcap_thread)), + pcap_thread_errbuf(&pcap_thread)); + } else if (err != PCAP_THREAD_OK) { + fprintf(stderr, "%s: pcap_thread error [%d] %s: %s\n", + ProgramName, + err, + func, + pcap_thread_strerr(err)); + } +} + +static pcap_thread_ext_frag_conf_t frag_conf_v4 = PCAP_THREAD_EXT_FRAG_CONF_T_INIT; +static pcap_thread_ext_frag_conf_t frag_conf_v6 = PCAP_THREAD_EXT_FRAG_CONF_T_INIT; + +void open_pcaps(void) +{ + mypcap_ptr mypcap; + int err; + + if ((err = pcap_thread_set_snaplen(&pcap_thread, SNAPLEN)) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_set_snaplen()", err); + exit(1); + } + if ((err = pcap_thread_set_promiscuous(&pcap_thread, promisc)) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_set_promiscuous()", err); + exit(1); + } + if ((err = pcap_thread_set_monitor(&pcap_thread, monitor_mode)) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_set_monitor()", err); + exit(1); + } + if ((err = pcap_thread_set_immediate_mode(&pcap_thread, immediate_mode)) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_set_immediate_mode()", err); + exit(1); + } + if (options.use_layers) { + if ((err = pcap_thread_set_callback_icmp(&pcap_thread, layer_pkt)) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_set_callback_icmp()", err); + exit(1); + } + if ((err = pcap_thread_set_callback_icmpv6(&pcap_thread, 
layer_pkt)) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_set_callback_icmpv6()", err); + exit(1); + } + if ((err = pcap_thread_set_callback_udp(&pcap_thread, layer_pkt)) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_set_callback_udp()", err); + exit(1); + } + if ((err = pcap_thread_set_callback_tcp(&pcap_thread, layer_pkt)) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_set_callback_tcp()", err); + exit(1); + } + + if ((err = pcap_thread_set_use_layers(&pcap_thread, 1)) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_set_use_layers()", err); + exit(1); + } + + if (options.defrag_ipv4) { + if (options.max_ipv4_fragments > 0 && (err = pcap_thread_ext_frag_conf_set_fragments(&frag_conf_v4, options.max_ipv4_fragments)) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_ext_frag_conf_set_fragments()", err); + exit(1); + } + if (options.max_ipv4_fragments_per_packet > 0 && (err = pcap_thread_ext_frag_conf_set_per_packet(&frag_conf_v4, options.max_ipv4_fragments_per_packet)) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_ext_frag_conf_set_per_packet()", err); + exit(1); + } + if ((err = pcap_thread_set_callback_ipv4_frag(&pcap_thread, pcap_thread_ext_frag_layer_callback(&frag_conf_v4))) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_set_callback_ipv4_frag()", err); + exit(1); + } + } + if (options.defrag_ipv6) { + if (options.max_ipv6_fragments > 0 && (err = pcap_thread_ext_frag_conf_set_fragments(&frag_conf_v6, options.max_ipv6_fragments)) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_ext_frag_conf_set_fragments()", err); + exit(1); + } + if (options.max_ipv6_fragments_per_packet > 0 && (err = pcap_thread_ext_frag_conf_set_per_packet(&frag_conf_v6, options.max_ipv6_fragments_per_packet)) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_ext_frag_conf_set_per_packet()", err); + exit(1); + } + if ((err = pcap_thread_set_callback_ipv6_frag(&pcap_thread, 
pcap_thread_ext_frag_layer_callback(&frag_conf_v6))) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_set_callback_ipv6_frag()", err); + exit(1); + } + } + } else { + if ((err = pcap_thread_set_callback(&pcap_thread, dl_pkt)) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_set_callback()", err); + exit(1); + } + } + if ((err = pcap_thread_set_dropback(&pcap_thread, drop_pkt)) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_set_dropback()", err); + exit(1); + } + if ((err = pcap_thread_set_filter(&pcap_thread, bpft, strlen(bpft))) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_set_filter()", err); + exit(1); + } + if (options.pcap_buffer_size && (err = pcap_thread_set_buffer_size(&pcap_thread, options.pcap_buffer_size)) != PCAP_THREAD_OK) { + print_pcap_thread_error("pcap_thread_set_buffer_size()", err); + exit(1); + } + + assert(!EMPTY(mypcaps)); + for (mypcap = HEAD(mypcaps); + mypcap != NULL; + mypcap = NEXT(mypcap, link)) { + if (pcap_offline) + err = pcap_thread_open_offline(&pcap_thread, mypcap->name, (u_char*)mypcap); + else + err = pcap_thread_open(&pcap_thread, mypcap->name, (u_char*)mypcap); + + if (err == PCAP_THREAD_EPCAP) { + fprintf(stderr, "%s: pcap_thread libpcap error [%d]: %s (%s)\n", + ProgramName, + pcap_thread_status(&pcap_thread), + pcap_statustostr(pcap_thread_status(&pcap_thread)), + pcap_thread_errbuf(&pcap_thread)); + exit(1); + } + if (err) { + fprintf(stderr, "%s: pcap_thread error [%d]: %s\n", + ProgramName, + err, + pcap_thread_strerr(err)); + exit(1); + } + } + pcap_dead = pcap_open_dead(DLT_RAW, SNAPLEN); +} + +void poll_pcaps(void) +{ + pcap_thread_run(&pcap_thread); + main_exit = TRUE; +} + +void breakloop_pcaps(void) +{ + pcap_thread_stop(&pcap_thread); +} + +void close_pcaps(void) +{ + pcap_thread_close(&pcap_thread); +} + +static void stat_callback(u_char* user, const struct pcap_stat* stats, const char* name, int dlt) +{ + mypcap_ptr mypcap; + for (mypcap = HEAD(mypcaps); + mypcap 
!= NULL; + mypcap = NEXT(mypcap, link)) { + if (!strcmp(name, mypcap->name)) + break; + } + + if (mypcap) { + mypcap->ps0 = mypcap->ps1; + mypcap->ps1 = *stats; + logerr("%s: %u recv %u drop %u total ptdrop %lu", + mypcap->name, + mypcap->ps1.ps_recv - mypcap->ps0.ps_recv, + mypcap->ps1.ps_drop - mypcap->ps0.ps_drop, + mypcap->ps1.ps_recv + mypcap->ps1.ps_drop - mypcap->ps0.ps_recv - mypcap->ps0.ps_drop, + mypcap->drops); + } +} + +void do_pcap_stats() +{ + logerr("total drops: %lu", pcap_drops); + pcap_thread_stats(&pcap_thread, stat_callback, 0); +} diff --git a/src/pcaps.h b/src/pcaps.h new file mode 100644 index 0000000..6e1e075 --- /dev/null +++ b/src/pcaps.h 
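Review bot: In `open_pcaps()` the `options.defrag_ipv4` and `options.defrag_ipv6` branches set only the fragment limits on `frag_conf_v4` and `frag_conf_v6`, so `check_timeout` stays at the 0 that `PCAP_THREAD_EXT_FRAG_CONF_T_INIT` gives it and the 30 second timeout in that initializer is never applied. In the reassembly code shown earlier in this commit the only expiry path is gated on `ctx->conf.check_timeout`, and once `num_fragments` reaches the configured limit every new fragmented datagram is returned as `PCAP_THREAD_PACKET_INVALID_FRAGMENT`. Unless something outside this view evicts entries, lost or never-completed fragment sets can fill the table for good, after which fragmented DNS traffic is no longer captured. I would enable the timeout check in both branches before the callback is registered, as in the excerpt below, or expose it as an option if the default has to stay off.

```c
        if (options.defrag_ipv4) {
            /* Expire incomplete fragment sets so they cannot occupy the table forever */
            if ((err = pcap_thread_ext_frag_conf_set_check_timeout(&frag_conf_v4, 1)) != PCAP_THREAD_OK) {
                print_pcap_thread_error("pcap_thread_ext_frag_conf_set_check_timeout()", err);
                exit(1);
            }
            /* … unchanged: IPv4 fragment limits and pcap_thread_set_callback_ipv4_frag() … */
        if (options.defrag_ipv6) {
            /* Same expiry for IPv6 fragment sets */
            if ((err = pcap_thread_ext_frag_conf_set_check_timeout(&frag_conf_v6, 1)) != PCAP_THREAD_OK) {
                print_pcap_thread_error("pcap_thread_ext_frag_conf_set_check_timeout()", err);
                exit(1);
            }
            /* … unchanged: IPv6 fragment limits and pcap_thread_set_callback_ipv6_frag() … */
```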
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap.h"
+
+#ifndef __dnscap_pcaps_h
+#define __dnscap_pcaps_h
+
+void print_pcap_thread_error(const char* func, int err);
+void open_pcaps(void);
+void poll_pcaps(void);
+void breakloop_pcaps(void);
+void close_pcaps(void);
+void do_pcap_stats();
+
+#endif /* __dnscap_pcaps_h */
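Review bot: `void do_pcap_stats();` is the only prototype in this header without `void` in its parameter list. Before C23 an empty list declares a function with unspecified parameters, so the compiler will not reject a call that passes arguments. Declare it as `void do_pcap_stats(void);` to match the other five prototypes, and change the definition in src/pcaps.c the same way.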
diff --git a/src/sig.c b/src/sig.c
new file mode 100644
index 0000000..7e7376e
--- /dev/null
+++ b/src/sig.c
@@ -0,0 +1,102 @@ +/* + * Copyright (c) 2016-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" + +#include "sig.h" +#include "log.h" +#include "dumper.h" +#include "pcaps.h" + +void setsig(int sig, int oneshot) +{ + struct sigaction sa; + + memset(&sa, 0, sizeof sa); + if (oneshot) { + sa.sa_handler = sigbreak; + sa.sa_flags = SA_RESETHAND; + } else { + sa.sa_handler = sigclose; + sa.sa_flags = SA_RESTART; + } + if (sigaction(sig, &sa, NULL) < 0) { + logerr("sigaction: %s", strerror(errno)); + exit(1); + } +} + +void sigclose(int signum) +{ + if (0 == last_ts.tv_sec) + gettimeofday(&last_ts, NULL); + if (signum == SIGALRM) + alarm_set = FALSE; + if (dumper_close(last_ts)) + breakloop_pcaps(); +} + +void sigbreak(int signum __attribute__((unused))) +{ + logerr("%s: signalled break", ProgramName); + main_exit = TRUE; + breakloop_pcaps(); +} + +void* sigthread(void* arg) +{ +#if HAVE_PTHREAD + sigset_t* set = (sigset_t*)arg; + int sig, err; + + while (1) { + if ((err = sigwait(set, &sig))) { + logerr("sigwait: %s", strerror(err)); + return 0; + } + + switch (sig) { + case SIGALRM: + sigclose(sig); + break; + + default: + sigbreak(sig); + break; + } + } +#endif + + return 0; +} diff --git a/src/sig.h b/src/sig.h new file mode 100644 index 0000000..c7b1296 --- /dev/null +++ b/src/sig.h 
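Review bot: `setsig()` installs `sigclose` and `sigbreak` directly as `sa_handler`, yet both do work that is not async-signal-safe: `sigbreak` calls `logerr()` and `sigclose` calls `dumper_close()`. Their bodies are outside this hunk, but they presumably format strings and touch files. A signal that lands while the main flow is inside the same stdio or allocator code can deadlock or corrupt state, which for a capture process means lost or damaged dump files. `sigthread()` already handles signals from an ordinary thread via `sigwait()`; on the `sigaction` path the handlers should only record the event, e.g. keep `main_exit = TRUE; breakloop_pcaps();` in `sigbreak` and log the "signalled break" message after `poll_pcaps()` returns. The flags written here (`main_exit`, `alarm_set`) should also be `volatile sig_atomic_t` where they are declared, which is not visible in this hunk.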
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap.h"
+
+#ifndef __dnscap_sig_h
+#define __dnscap_sig_h
+
+void setsig(int sig, int oneshot);
+void sigclose(int signum);
+void sigbreak(int signum __attribute__((unused)));
+void* sigthread(void* arg);
+
+#endif /* __dnscap_sig_h */
diff --git a/src/tcpreasm.c b/src/tcpreasm.c
new file mode 100644
index 0000000..ce37b10
--- /dev/null
+++ b/src/tcpreasm.c 
@@ -0,0 +1,547 @@ +/* + * Copyright (c) 2018-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "config.h" + +#include "tcpreasm.h" +#include "log.h" +#include "network.h" + +#include <stdlib.h> +#include <ldns/ldns.h> + +#define dfprintf(a, b...) \ + if (dumptrace >= 3) { \ + fprintf(stderr, b); \ + fprintf(stderr, "\n"); \ + } +#define dsyslogf(a, b...) 
logerr(b) +#define nptohs(p) ((((uint8_t*)(p))[0] << 8) | ((uint8_t*)(p))[1]) + +#define BFB_BUF_SIZE (0xffff + 0xffff + 2 + 2) + +/* + * Originally from DSC: + * + * TCP Reassembly. + * + * When we see a SYN, we allocate a new tcpstate for the connection, and + * establish the initial sequence number of the first dns message (seq_start) + * on the connection. We assume that no other segment can arrive before the + * SYN (if one does, it is discarded, and if is not repeated the message it + * belongs to can never be completely reassembled). + * + * Then, for each segment that arrives on the connection: + * - If it's the first segment of a message (containing the 2-byte message + * length), we allocate a msgbuf, and check for any held segments that might + * belong to it. + * - If the first byte of the segment belongs to any msgbuf, we fill + * in the holes of that message. If the message has no more holes, we + * handle the complete dns message. If the tail of the segment was longer + * than the hole, we recurse on the tail. + * - Otherwise, if the segment could be within the tcp window, we hold onto it + * pending the creation of a matching msgbuf. + * + * This algorithm handles segments that arrive out of order, duplicated or + * overlapping (including segments from different dns messages arriving out of + * order), and dns messages that do not necessarily start on segment + * boundaries. 
+ * + */ + +static int dns_protocol_handler(tcpreasm_t* t, u_char* segment, uint16_t dnslen, uint32_t seq) +{ + int m; + + if (options.reassemble_tcp_bfbparsedns) { + int s; + ldns_pkt* pkt; + size_t at, len; + + if (!t->bfb_buf && !(t->bfb_buf = malloc(BFB_BUF_SIZE))) { + dfprintf(1, "dns_protocol_handler: no memory for bfb_buf"); + return 1; + } + + /* if this is the first segment, add it to the processing buffer + and move up to next wanted segment */ + if (seq == t->seq_bfb + 2) { + dfprintf(1, "dns_protocol_handler: first bfb_seg: seq = %u, len = %d", seq, dnslen); + if ((BFB_BUF_SIZE - t->bfb_at) < (dnslen + 2)) { + dfprintf(1, "dns_protocol_handler: out of space in bfb_buf"); + return 1; + } + + t->bfb_buf[t->bfb_at++] = dnslen >> 8; + t->bfb_buf[t->bfb_at++] = dnslen & 0xff; //NOSONAR + memcpy(&t->bfb_buf[t->bfb_at], segment, dnslen); + t->bfb_at += dnslen; + t->seq_bfb += 2 + dnslen; + } else { + /* add segment for later processing */ + dfprintf(1, "dns_protocol_handler: add bfb_seg: seq = %u, len = %d", seq, dnslen); + for (s = 0; s < MAX_TCP_SEGS; s++) { + if (t->bfb_seg[s]) + continue; + t->bfb_seg[s] = calloc(1, sizeof(tcp_segbuf_t) + dnslen); + t->bfb_seg[s]->seq = seq; + t->bfb_seg[s]->len = dnslen; + memcpy(t->bfb_seg[s]->buf, segment, dnslen); + dfprintf(1, "dns_protocol_handler: new bfbseg %d: seq = %u, len = %d", + s, t->bfb_seg[s]->seq, t->bfb_seg[s]->len); + break; + } + if (s >= MAX_TCP_SEGS) { + dfprintf(1, "dns_protocol_handler: out of bfbsegs"); + return 1; + } + return 0; + } + + for (;;) { + /* process the buffer, extract dnslen and try and parse */ + at = 0; + len = t->bfb_at; + for (;;) { + dfprintf(1, "dns_protocol_handler: processing at = %zu, len = %zu", at, len); + if (len < 2) { + dfprintf(1, "dns_protocol_handler: bfb need more for dnslen"); + break; + } + dnslen = nptohs(&t->bfb_buf[at]) & 0xffff; + if (dnslen > 11) { + /* 12 bytes minimum DNS header, other lengths should be invalid */ + if (len < dnslen + 2) { + dfprintf(1, 
"dns_protocol_handler: bfb need %zu more", dnslen - len); + break; + } + + if (ldns_wire2pkt(&pkt, &t->bfb_buf[at + 2], dnslen) == LDNS_STATUS_OK) { + ldns_pkt_free(pkt); + dfprintf(1, "dns_protocol_handler: dns at %zu len %u", at + 2, dnslen); + + for (m = 0; t->dnsmsg[m];) { + if (++m >= MAX_TCP_DNS_MSG) { + dfprintf(1, "dns_protocol_handler: %s", "out of dnsmsgs"); + return 1; + } + } + if (!(t->dnsmsg[m] = calloc(1, sizeof(tcpdnsmsg_t) + dnslen))) { + dsyslogf(LOG_ERR, "out of memory for dnsmsg (%d)", dnslen); + return 1; + } + t->dnsmsgs++; + t->dnsmsg[m]->dnslen = dnslen; + memcpy(t->dnsmsg[m]->dnspkt, &t->bfb_buf[at + 2], dnslen); + dfprintf(1, "dns_protocol_handler: new dnsmsg %d: dnslen = %d", m, dnslen); + + at += 2 + dnslen; + len -= 2 + dnslen; + continue; + } + if (errno == EMSGSIZE) { + size_t l = calcdnslen(&t->bfb_buf[at + 2], dnslen); + if (l > 0 && l < dnslen && ldns_wire2pkt(&pkt, &t->bfb_buf[at + 2], l) == LDNS_STATUS_OK) { + ldns_pkt_free(pkt); + dfprintf(1, "dns_protocol_handler: dns at %zu len %u (real len %zu)", at + 2, dnslen, l); + + for (m = 0; t->dnsmsg[m];) { + if (++m >= MAX_TCP_DNS_MSG) { + dfprintf(1, "dns_protocol_handler: %s", "out of dnsmsgs"); + return 1; + } + } + if (!(t->dnsmsg[m] = calloc(1, sizeof(tcpdnsmsg_t) + dnslen))) { + dsyslogf(LOG_ERR, "out of memory for dnsmsg (%d)", dnslen); + return 1; + } + t->dnsmsgs++; + t->dnsmsg[m]->dnslen = dnslen; + memcpy(t->dnsmsg[m]->dnspkt, &t->bfb_buf[at + 2], dnslen); + dfprintf(1, "dns_protocol_handler: new dnsmsg %d: dnslen = %d", m, dnslen); + + at += 2 + dnslen; + len -= 2 + dnslen; + continue; + } + } + } + dfprintf(1, "dns_protocol_handler: bfb dns parse failed at %zu", at); + at += 2; + len -= 2; + } + + /* check for leftovers in the buffer */ + if (!len) { + dfprintf(1, "dns_protocol_handler: bfb all buf parsed, reset at"); + t->bfb_at = 0; + } else if (len && at) { + dfprintf(1, "dns_protocol_handler: bfb move %zu len %zu", at, len); + memmove(t->bfb_buf, &t->bfb_buf[at], 
len); + t->bfb_at = len; + } + + dfprintf(1, "dns_protocol_handler: bfb fill at %zu", t->bfb_at); + /* see if we can fill the buffer */ + for (s = 0; s < MAX_TCP_SEGS; s++) { + if (!t->bfb_seg[s]) + continue; + + if (t->bfb_seg[s]->seq == t->seq_bfb + 2) { + tcp_segbuf_t* seg = t->bfb_seg[s]; + dfprintf(1, "dns_protocol_handler: next bfb_seg %d: seq = %u, len = %d", s, seg->seq, seg->len); + if ((BFB_BUF_SIZE - t->bfb_at) < (seg->len + 2)) { + dfprintf(1, "dns_protocol_handler: out of space in bfb_buf"); + return 1; + } + t->bfb_seg[s] = 0; + t->bfb_buf[t->bfb_at++] = seg->len >> 8; + t->bfb_buf[t->bfb_at++] = seg->len & 0xff; + memcpy(&t->bfb_buf[t->bfb_at], seg->buf, seg->len); + t->bfb_at += seg->len; + t->seq_bfb += 2 + seg->len; + free(seg); + break; + } + } + if (s >= MAX_TCP_SEGS) { + dfprintf(1, "dns_protocol_handler: bfb need next seg"); + return 0; + } + } + } + + for (m = 0; t->dnsmsg[m];) { + if (++m >= MAX_TCP_DNS_MSG) { + dfprintf(1, "dns_protocol_handler: %s", "out of dnsmsgs"); + return 1; + } + } + t->dnsmsg[m] = calloc(1, sizeof(tcpdnsmsg_t) + dnslen); + if (NULL == t->dnsmsg[m]) { + dsyslogf(LOG_ERR, "out of memory for dnsmsg (%d)", dnslen); + return 1; + } + t->dnsmsgs++; + t->dnsmsg[m]->segments_seen = t->segments_seen; + t->dnsmsg[m]->dnslen = dnslen; + memcpy(t->dnsmsg[m]->dnspkt, segment, dnslen); + dfprintf(1, "dns_protocol_handler: new dnsmsg %d: dnslen = %d", m, dnslen); + t->segments_seen = 0; + return 0; +} + +int pcap_handle_tcp_segment(u_char* segment, int len, uint32_t seq, tcpstate_ptr _tcpstate) +{ + int i, m, s, ret; + uint16_t dnslen; + int segoff, seglen; + tcpreasm_t* tcpstate = _tcpstate->reasm; + + dfprintf(1, "pcap_handle_tcp_segment: seq=%u, len=%d", seq, len); + + if (len <= 0) /* there is no more payload */ + return 0; + + tcpstate->segments_seen++; + + if (seq - tcpstate->seq_start < 2) { + /* this segment contains all or part of the 2-byte DNS length field */ + uint32_t o = seq - tcpstate->seq_start; + int l = (len > 1 
&& o == 0) ? 2 : 1; + dfprintf(1, "pcap_handle_tcp_segment: copying %d bytes to dnslen_buf[%d]", l, o); + memcpy(&tcpstate->dnslen_buf[o], segment, l); + if (l == 2) + tcpstate->dnslen_bytes_seen_mask = 3; + else + tcpstate->dnslen_bytes_seen_mask |= (1 << o); + len -= l; + segment += l; + seq += l; + } + + if (3 == tcpstate->dnslen_bytes_seen_mask) { + /* We have the dnslen stored now */ + dnslen = nptohs(tcpstate->dnslen_buf) & 0xffff; + /* + * Next we poison the mask to indicate we are in to the message body. + * If one doesn't remember we're past the then, + * one loops forever getting more msgbufs rather than filling + * in the contents of THIS message. + * + * We need to later reset that mask when we process the message + * (method: tcpstate->dnslen_bytes_seen_mask = 0). + */ + tcpstate->dnslen_bytes_seen_mask = 7; + tcpstate->seq_start += sizeof(uint16_t) + dnslen; + dfprintf(1, "pcap_handle_tcp_segment: first segment; dnslen = %d", dnslen); + if (len >= dnslen) { + /* this segment contains a complete message - avoid the reassembly + * buffer and just handle the message immediately */ + ret = dns_protocol_handler(tcpstate, segment, dnslen, seq); + + tcpstate->dnslen_bytes_seen_mask = 0; /* go back for another message in this tcp connection */ + /* handle the trailing part of the segment? */ + if (len > dnslen) { + dfprintf(1, "pcap_handle_tcp_segment: %s", "segment tail"); + ret |= pcap_handle_tcp_segment(segment + dnslen, len - dnslen, seq + dnslen, _tcpstate); + } + return ret; + } + /* + * At this point we KNOW we have an incomplete message and need to do reassembly. 
+ * i.e.: assert(len < dnslen); + */ + dfprintf(2, "pcap_handle_tcp_segment: %s", "buffering segment"); + /* allocate a msgbuf for reassembly */ + for (m = 0; tcpstate->msgbuf[m];) { + if (++m >= MAX_TCP_MSGS) { + dfprintf(1, "pcap_handle_tcp_segment: %s", "out of msgbufs"); + return 1; + } + } + tcpstate->msgbuf[m] = calloc(1, sizeof(tcp_msgbuf_t) + dnslen); + if (NULL == tcpstate->msgbuf[m]) { + dsyslogf(LOG_ERR, "out of memory for tcp_msgbuf (%d)", dnslen); + return 1; + } + tcpstate->msgbufs++; + tcpstate->msgbuf[m]->seq = seq; + tcpstate->msgbuf[m]->dnslen = dnslen; + tcpstate->msgbuf[m]->holes = 1; + tcpstate->msgbuf[m]->hole[0].start = len; + tcpstate->msgbuf[m]->hole[0].len = dnslen - len; + dfprintf(1, + "pcap_handle_tcp_segment: new msgbuf %d: seq = %u, dnslen = %d, hole start = %d, hole len = %d", m, + tcpstate->msgbuf[m]->seq, tcpstate->msgbuf[m]->dnslen, tcpstate->msgbuf[m]->hole[0].start, + tcpstate->msgbuf[m]->hole[0].len); + /* copy segment to appropriate location in reassembly buffer */ + memcpy(tcpstate->msgbuf[m]->buf, segment, len); + + /* Now that we know the length of this message, we must check any held + * segments to see if they belong to it. */ + ret = 0; + for (s = 0; s < MAX_TCP_SEGS; s++) { + if (!tcpstate->segbuf[s]) + continue; + /* TODO: seq >= 0 */ + if (tcpstate->segbuf[s]->seq - seq > 0 && tcpstate->segbuf[s]->seq - seq < dnslen) { + tcp_segbuf_t* segbuf = tcpstate->segbuf[s]; + tcpstate->segbuf[s] = NULL; + dfprintf(1, "pcap_handle_tcp_segment: %s", "message reassembled"); + ret |= pcap_handle_tcp_segment(segbuf->buf, segbuf->len, segbuf->seq, _tcpstate); + /* + * Note that our recursion will also cover any tail messages (I hope). + * Thus we do not need to do so here and can return. + */ + free(segbuf); + } + } + return ret; + } + + /* + * Welcome to reassembly-land. 
+ */ + /* find the message to which the first byte of this segment belongs */ + for (m = 0; m < MAX_TCP_MSGS; m++) { + if (!tcpstate->msgbuf[m]) + continue; + segoff = seq - tcpstate->msgbuf[m]->seq; + if (segoff >= 0 && segoff < tcpstate->msgbuf[m]->dnslen) { + /* segment starts in this msgbuf */ + dfprintf(1, "pcap_handle_tcp_segment: seg matches msg %d: seq = %u, dnslen = %d", + m, tcpstate->msgbuf[m]->seq, tcpstate->msgbuf[m]->dnslen); + if (segoff + len > tcpstate->msgbuf[m]->dnslen) { + /* segment would overflow msgbuf */ + seglen = tcpstate->msgbuf[m]->dnslen - segoff; + dfprintf(1, "pcap_handle_tcp_segment: using partial segment %d", seglen); + } else { + seglen = len; + } + break; + } + } + if (m >= MAX_TCP_MSGS) { + /* seg does not match any msgbuf; just hold on to it. */ + dfprintf(1, "pcap_handle_tcp_segment: %s", "seg does not match any msgbuf"); + + if (seq - tcpstate->seq_start > MAX_TCP_WINDOW_SIZE) { + dfprintf(1, "pcap_handle_tcp_segment: %s %u %u", "seg is outside window; discarding", seq, tcpstate->seq_start); + return 1; + } + for (s = 0; s < MAX_TCP_SEGS; s++) { + if (tcpstate->segbuf[s]) + continue; + tcpstate->segbuf[s] = calloc(1, sizeof(tcp_segbuf_t) + len); + tcpstate->segbuf[s]->seq = seq; + tcpstate->segbuf[s]->len = len; + memcpy(tcpstate->segbuf[s]->buf, segment, len); + dfprintf(1, "pcap_handle_tcp_segment: new segbuf %d: seq = %u, len = %d", + s, tcpstate->segbuf[s]->seq, tcpstate->segbuf[s]->len); + return 0; + } + dfprintf(1, "pcap_handle_tcp_segment: %s", "out of segbufs"); + return 1; + } + + /* Reassembly algorithm adapted from RFC 815. 
*/ + for (i = 0; i < MAX_TCP_HOLES; i++) { + tcphole_t* newhole; + uint16_t hole_start, hole_len; + if (tcpstate->msgbuf[m]->hole[i].len == 0) + continue; /* hole descriptor is not in use */ + hole_start = tcpstate->msgbuf[m]->hole[i].start; + hole_len = tcpstate->msgbuf[m]->hole[i].len; + if (segoff >= hole_start + hole_len) + continue; /* segment is totally after hole */ + if (segoff + seglen <= hole_start) + continue; /* segment is totally before hole */ + /* The segment overlaps this hole. Delete the hole. */ + dfprintf(1, "pcap_handle_tcp_segment: overlaping hole %d: %d %d", i, hole_start, hole_len); + tcpstate->msgbuf[m]->hole[i].len = 0; + tcpstate->msgbuf[m]->holes--; + if (segoff + seglen < hole_start + hole_len) { + /* create a new hole after the segment (common case) */ + newhole = &tcpstate->msgbuf[m]->hole[i]; /* hole[i] is guaranteed free */ + newhole->start = segoff + seglen; + newhole->len = (hole_start + hole_len) - newhole->start; + tcpstate->msgbuf[m]->holes++; + dfprintf(1, "pcap_handle_tcp_segment: new post-hole %d: %d %d", i, newhole->start, newhole->len); + } + if (segoff > hole_start) { + /* create a new hole before the segment */ + int j; + for (j = 0; j < MAX_TCP_HOLES; j++) { + if (tcpstate->msgbuf[m]->hole[j].len == 0) { + newhole = &tcpstate->msgbuf[m]->hole[j]; + break; + } + } + if (j >= MAX_TCP_HOLES) { + dfprintf(1, "pcap_handle_tcp_segment: %s", "out of hole descriptors"); + return 1; + } + tcpstate->msgbuf[m]->holes++; + newhole->start = hole_start; + newhole->len = segoff - hole_start; + dfprintf(1, "pcap_handle_tcp_segment: new pre-hole %d: %d %d", j, newhole->start, newhole->len); + } + if (segoff >= hole_start && (hole_len == 0 || segoff + seglen < hole_start + hole_len)) { + /* The segment does not extend past hole boundaries; there is + * no need to look for other matching holes. 
*/ + break; + } + } + + /* copy payload to appropriate location in reassembly buffer */ + memcpy(&tcpstate->msgbuf[m]->buf[segoff], segment, seglen); + + dfprintf(1, "pcap_handle_tcp_segment: holes remaining: %d", tcpstate->msgbuf[m]->holes); + + ret = 0; + if (tcpstate->msgbuf[m]->holes == 0) { + /* We now have a completely reassembled dns message */ + dfprintf(2, "pcap_handle_tcp_segment: %s", "reassembly to dns_protocol_handler"); + ret |= dns_protocol_handler(tcpstate, tcpstate->msgbuf[m]->buf, tcpstate->msgbuf[m]->dnslen, tcpstate->msgbuf[m]->seq); + tcpstate->dnslen_bytes_seen_mask = 0; /* go back for another message in this tcp connection */ + free(tcpstate->msgbuf[m]); + tcpstate->msgbuf[m] = NULL; + tcpstate->msgbufs--; + } + + if (seglen < len) { + dfprintf(1, "pcap_handle_tcp_segment: %s", "segment tail after reassembly"); + ret |= pcap_handle_tcp_segment(segment + seglen, len - seglen, seq + seglen, _tcpstate); + } else { + dfprintf(1, "pcap_handle_tcp_segment: %s", "nothing more after reassembly"); + } + + return ret; +} + +void tcpreasm_free(tcpreasm_t* tcpreasm) +{ + int i; + + if (tcpreasm) { + for (i = 0; i < MAX_TCP_MSGS; i++) { + if (tcpreasm->msgbuf[i]) { + free(tcpreasm->msgbuf[i]); + } + } + for (i = 0; i < MAX_TCP_SEGS; i++) { + if (tcpreasm->segbuf[i]) { + free(tcpreasm->segbuf[i]); + } + if (tcpreasm->bfb_seg[i]) { + free(tcpreasm->bfb_seg[i]); + } + } + for (i = 0; i < MAX_TCP_DNS_MSG; i++) { + if (tcpreasm->dnsmsg[i]) { + free(tcpreasm->dnsmsg[i]); + } + } + free(tcpreasm->bfb_buf); + free(tcpreasm); + } +} + +void tcpreasm_reset(tcpreasm_t* tcpreasm) +{ + int i; + + if (tcpreasm) { + for (i = 0; i < MAX_TCP_MSGS; i++) { + if (tcpreasm->msgbuf[i]) { + free(tcpreasm->msgbuf[i]); + } + } + for (i = 0; i < MAX_TCP_SEGS; i++) { + if (tcpreasm->segbuf[i]) { + free(tcpreasm->segbuf[i]); + } + if (tcpreasm->bfb_seg[i]) { + free(tcpreasm->bfb_seg[i]); + } + } + for (i = 0; i < MAX_TCP_DNS_MSG; i++) { + if (tcpreasm->dnsmsg[i]) { + 
free(tcpreasm->dnsmsg[i]); + } + } + memset(tcpreasm, 0, sizeof(tcpreasm_t)); + } +} diff --git a/src/tcpreasm.h b/src/tcpreasm.h new file mode 100644 index 0000000..6418fb2 --- /dev/null +++ b/src/tcpreasm.h 
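Review bot: Two `calloc` results are dereferenced without a NULL check: `t->bfb_seg[s]` in the "add segment for later processing" branch of `dns_protocol_handler`, and `tcpstate->segbuf[s]` in the hold-segment path of `pcap_handle_tcp_segment`, although the `dnsmsg` and `msgbuf` allocations in the same file are checked. Both sizes are derived from captured traffic, so an allocation failure under load becomes a crash of the capture process; each site should bail out like the `dnsmsg` path, e.g. `if (!(t->bfb_seg[s] = calloc(1, sizeof(tcp_segbuf_t) + dnslen))) return 1;`. Separately, `tcpreasm_reset` clears the whole struct with `memset` without releasing `bfb_buf`, which `tcpreasm_free` does free, so each reset in bfb mode appears to leak a `BFB_BUF_SIZE` buffer; add `free(tcpreasm->bfb_buf);` before the `memset`.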
@@ -0,0 +1,44 @@ +/* + * Copyright (c) 2018-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include "dnscap.h" + +#ifndef __dnscap_tcpreasm_h +#define __dnscap_tcpreasm_h + +int pcap_handle_tcp_segment(u_char* segment, int len, uint32_t seq, tcpstate_ptr _tcpstate); +void tcpreasm_free(tcpreasm_t* tcpreasm); +void tcpreasm_reset(tcpreasm_t* tcpreasm); + +#endif /* __dnscap_tcpreasm_h */ 
diff --git a/src/tcpstate.c b/src/tcpstate.c new file mode 100644 index 0000000..bfc5198 --- /dev/null +++ b/src/tcpstate.c 
@@ -0,0 +1,141 @@ +/* + * Copyright (c) 2018-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" + +#include "tcpstate.h" +#include "iaddr.h" +#include "log.h" +#include "tcpreasm.h" + +#define MAX_TCP_IDLE_TIME 600 +#define MAX_TCP_IDLE_COUNT 4096 +#define TCP_GC_TIME 60 + +tcpstate_ptr tcpstate_find(iaddr from, iaddr to, unsigned sport, unsigned dport, time_t t) +{ + static time_t next_gc = 0; + tcpstate_ptr tcpstate; + + for (tcpstate = HEAD(tcpstates); + tcpstate != NULL; + tcpstate = NEXT(tcpstate, link)) { + if (ia_equal(tcpstate->saddr, from) && ia_equal(tcpstate->daddr, to) && tcpstate->sport == sport && tcpstate->dport == dport) + break; + } + if (tcpstate != NULL) { + tcpstate->last_use = t; + if (tcpstate != HEAD(tcpstates)) { + /* move to beginning of list */ + UNLINK(tcpstates, tcpstate, link); + PREPEND(tcpstates, tcpstate, link); + } + } + + if (t >= next_gc || tcpstate_count > MAX_TCP_IDLE_COUNT) { + /* garbage collect stale states */ + time_t min_last_use = t - MAX_TCP_IDLE_TIME; + while ((tcpstate = TAIL(tcpstates)) && tcpstate->last_use < min_last_use) { + UNLINK(tcpstates, tcpstate, link); + tcpstate_count--; + } + next_gc = t + TCP_GC_TIME; + } + + return tcpstate; +} + +tcpstate_ptr tcpstate_new(iaddr from, iaddr to, unsigned sport, unsigned dport) +{ + + tcpstate_ptr tcpstate = calloc(1, sizeof *tcpstate); + if (tcpstate == NULL) { + /* Out of memory; recycle the least recently used */ + logerr("warning: out of memory, " + "discarding some TCP state early"); + tcpstate = TAIL(tcpstates); + assert(tcpstate != NULL); + } else { + tcpstate_count++; + } + tcpstate->saddr = from; + tcpstate->daddr = to; + tcpstate->sport = sport; + tcpstate->dport = dport; + INIT_LINK(tcpstate, link); + PREPEND(tcpstates, tcpstate, link); + return tcpstate; +} + +/* Discard this packet. If it's part of TCP stream, all subsequent pkts on + * the same tcp stream will also be discarded. 
*/ +void tcpstate_discard(tcpstate_ptr tcpstate, const char* msg) +{ + if (dumptrace >= 3 && msg) + fprintf(stderr, "discarding packet: %s\n", msg); + if (tcpstate) { + UNLINK(tcpstates, tcpstate, link); + if (tcpstate->reasm) { + tcpreasm_free(tcpstate->reasm); + } + free(tcpstate); + tcpstate_count--; + return; + } +} + +tcpstate_ptr _curr_tcpstate = 0; + +tcpstate_ptr tcpstate_getcurr(void) +{ + return _curr_tcpstate; +} + +void tcpstate_reset(tcpstate_ptr tcpstate, const char* msg) +{ + if (options.allow_reset_tcpstate && tcpstate) { + if (dumptrace >= 3 && msg) + fprintf(stderr, "resetting tcpstate: %s\n", msg); + + tcpstate->start = tcpstate->currseq; + tcpstate->maxdiff = 0; + tcpstate->dnslen = 0; + tcpstate->lastdns = tcpstate->currseq + tcpstate->currlen; + + if (tcpstate->reasm) { + tcpreasm_reset(tcpstate->reasm); + tcpstate->reasm->seq_start = tcpstate->start; + } + } +} diff --git a/src/tcpstate.h b/src/tcpstate.h new file mode 100644 index 0000000..ac3dd56 --- /dev/null +++ b/src/tcpstate.h 
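Review bot: The garbage-collection loop in `tcpstate_find` reuses `tcpstate` as its cursor (`while ((tcpstate = TAIL(tcpstates)) && ...)`), so whenever GC runs the function returns the list tail or NULL instead of the connection matched above, and a segment can end up attributed to another flow's state. The same loop only unlinks stale entries and decrements `tcpstate_count`; unlike `tcpstate_discard` it never frees the entry or its `reasm`, so idle connections leak for the life of the process. A separate cursor plus the teardown used in `tcpstate_discard` addresses both, assuming nothing else keeps a pointer to a collected state (worth checking against `_curr_tcpstate`). In `tcpstate_new`, the out-of-memory path reuses `TAIL(tcpstates)` without an `UNLINK` before `PREPEND` and relies on `assert` for the NULL case, which deserves the same look.

```c
/* … unchanged: lookup and move-to-front … */
        time_t       min_last_use = t - MAX_TCP_IDLE_TIME;
        tcpstate_ptr stale; /* separate cursor so the lookup result survives GC */
        while ((stale = TAIL(tcpstates)) && stale->last_use < min_last_use) {
            UNLINK(tcpstates, stale, link);
            if (stale->reasm) {
                tcpreasm_free(stale->reasm);
            }
            free(stale);
            tcpstate_count--;
        }
/* … unchanged: next_gc update and return tcpstate … */
```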
@@ -0,0 +1,46 @@ +/* + * Copyright (c) 2018-2021, OARC, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. Neither the name of the copyright holder nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "dnscap.h" + +#ifndef __dnscap_tcpstate_h +#define __dnscap_tcpstate_h + +tcpstate_ptr tcpstate_find(iaddr from, iaddr to, unsigned sport, unsigned dport, time_t t); +tcpstate_ptr tcpstate_new(iaddr from, iaddr to, unsigned sport, unsigned dport); +void tcpstate_discard(tcpstate_ptr tcpstate, const char* msg); +tcpstate_ptr tcpstate_getcurr(void); +void tcpstate_reset(tcpstate_ptr tcpstate, const char* msg); + +#endif /* __dnscap_tcpstate_h */ diff --git a/src/test/.gitignore b/src/test/.gitignore new file mode 100644 index 0000000..7eaa8b0 --- /dev/null +++ b/src/test/.gitignore @@ -0,0 +1,4 @@ +dns.out +dns.pcap.dist +test*.log +test*.trs diff --git a/src/test/1qtcpnosyn.pcap b/src/test/1qtcpnosyn.pcap Binary files differnew file mode 100644 index 0000000..d8de79b --- /dev/null +++ b/src/test/1qtcpnosyn.pcap diff --git a/src/test/1qtcppadd.pcap b/src/test/1qtcppadd.pcap Binary files differnew file mode 100644 index 0000000..652234d --- /dev/null +++ b/src/test/1qtcppadd.pcap diff --git a/src/test/Makefile.am b/src/test/Makefile.am new file mode 100644 index 0000000..83d8621 --- /dev/null +++ b/src/test/Makefile.am 
@@ -0,0 +1,68 @@ +MAINTAINERCLEANFILES = $(srcdir)/Makefile.in + +CLEANFILES = test*.log test*.trs \ + *.pcap-dist \ + dns.out \ + no-layers.out layers.out \ + frags.out \ + padding-no-layers.out padding-layers.out \ + vlan11.out \ + dnspad.out \ + test7.out test7.layer.out \ + test8.out \ + test9.out \ + test10.out \ + test11.out \ + test12.out test12.20161020.152301.075993.gz \ + test13.out \ + test14.out + +TESTS = test1.sh test2.sh test3.sh test4.sh test5.sh test6.sh test7.sh \ + test8.sh test9.sh test10.sh test11.sh test12.sh test13.sh test14.sh + +test1.sh: dns.pcap-dist + +test2.sh: dns.pcap-dist + +test3.sh: frags.pcap-dist + +test4.sh: 1qtcppadd.pcap-dist + +test5.sh: vlan11.pcap-dist + +test6.sh: dnspad.pcap-dist + +test7.sh: 1qtcpnosyn.pcap-dist dnso1tcp.pcap-dist \ + do1t-nosyn-1nolen.pcap-dist dnso1tcp-midmiss.pcap-dist + +test8.sh: dnsotcp-many1pkt.pcap-dist dnsotcp-manyopkts.pcap-dist \ + dnso1tcp-bighole.pcap-dist + +test9.sh: dns.pcap-dist + +test10.sh: dns6.pcap-dist + +test11.sh: dns.pcap-dist + +test12.sh: dns.pcap-dist + +test13.sh: dns.pcap-dist + +test14.sh: dns.pcap-dist + +.pcap.pcap-dist: + cp "$<" "$@" + +EXTRA_DIST = $(TESTS) \ + dns.gold dns.pcap \ + frags.pcap \ + 1qtcppadd.pcap \ + vlan11.gold vlan11.pcap \ + dnspad.gold dnspad.pcap \ + test7.gold 1qtcpnosyn.pcap dnso1tcp.pcap do1t-nosyn-1nolen.pcap \ + dnso1tcp-midmiss.pcap \ + test8.gold dnsotcp-many1pkt.pcap dnsotcp-manyopkts.pcap \ + dnso1tcp-bighole.pcap \ + test9.gold \ + dns6.pcap test10.gold \ + test14.gold diff --git a/src/test/dns.gold b/src/test/dns.gold new file mode 100644 index 0000000..b1cdd8f --- /dev/null +++ b/src/test/dns.gold 
@@ -0,0 +1,714 @@ +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [172.17.0.10].53199 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \ + [172.17.0.10].57822 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \ + [172.17.0.10].40043 [8.8.8.8].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \ + [172.17.0.10].37953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \ + [172.17.0.10].48658 [8.8.8.8].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \ + [172.17.0.10].40953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \ + [172.17.0.10].45174 [8.8.8.8].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \ + [172.17.0.10].33916 [8.8.8.8].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \ + [172.17.0.10].43559 [8.8.8.8].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \ + [172.17.0.10].54859 [8.8.8.8].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \ + [172.17.0.10].58176 [8.8.8.8].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \ + [172.17.0.10].41266 [8.8.8.8].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \ + [172.17.0.10].34607 [8.8.8.8].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \ + [172.17.0.10].60437 [8.8.8.8].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \ + [172.17.0.10].37149 [8.8.8.8].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \ + [172.17.0.10].53820 [8.8.8.8].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \ + [172.17.0.10].52368 [8.8.8.8].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \ + [172.17.0.10].47637 [8.8.8.8].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \ + [172.17.0.10].34426 [8.8.8.8].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \ + [172.17.0.10].41059 [8.8.8.8].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \ + [172.17.0.10].51181 [8.8.8.8].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \ + [172.17.0.10].32976 [8.8.8.8].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \ + [172.17.0.10].53467 [8.8.8.8].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \ + [172.17.0.10].41532 [8.8.8.8].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \ + [172.17.0.10].44982 [8.8.8.8].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \ + [172.17.0.10].40224 [8.8.8.8].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \ + [172.17.0.10].45658 [8.8.8.8].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \ + [172.17.0.10].60457 [8.8.8.8].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \ + [172.17.0.10].59762 [8.8.8.8].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \ + [172.17.0.10].56022 [8.8.8.8].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \ + [172.17.0.10].37669 [8.8.8.8].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \ + [172.17.0.10].42978 [8.8.8.8].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \ + [172.17.0.10].49829 [8.8.8.8].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \ + [172.17.0.10].50599 [8.8.8.8].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \ + [172.17.0.10].44980 [8.8.8.8].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \ + [172.17.0.10].60063 [8.8.8.8].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \ + [172.17.0.10].42042 [8.8.8.8].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \ + [172.17.0.10].60469 [8.8.8.8].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \ + [172.17.0.10].45703 [8.8.8.8].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \ + [172.17.0.10].33507 [8.8.8.8].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \ + [172.17.0.10].46798 [8.8.8.8].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 diff --git a/src/test/dns.pcap b/src/test/dns.pcap Binary files differnew file mode 100644 index 0000000..a0e585c --- /dev/null +++ b/src/test/dns.pcap diff --git a/src/test/dns6.pcap b/src/test/dns6.pcap Binary files differnew file mode 100644 index 0000000..5fa3af8 --- /dev/null +++ b/src/test/dns6.pcap diff --git a/src/test/dnso1tcp-bighole.pcap b/src/test/dnso1tcp-bighole.pcap Binary files differnew file mode 100644 index 0000000..66bf30b --- /dev/null +++ b/src/test/dnso1tcp-bighole.pcap diff --git a/src/test/dnso1tcp-midmiss.pcap b/src/test/dnso1tcp-midmiss.pcap Binary files differnew file mode 100644 index 0000000..c99b0fb --- /dev/null +++ b/src/test/dnso1tcp-midmiss.pcap diff --git a/src/test/dnso1tcp.pcap b/src/test/dnso1tcp.pcap Binary files differnew file mode 100644 index 0000000..47dd663 --- /dev/null +++ b/src/test/dnso1tcp.pcap diff --git a/src/test/dnsotcp-many1pkt.pcap b/src/test/dnsotcp-many1pkt.pcap Binary files differnew file mode 100644 index 0000000..c43ce03 --- /dev/null +++ b/src/test/dnsotcp-many1pkt.pcap 
diff --git a/src/test/dnsotcp-manyopkts.pcap b/src/test/dnsotcp-manyopkts.pcap Binary files differnew file mode 100644
index 0000000..e232bac
--- /dev/null
+++ b/src/test/dnsotcp-manyopkts.pcap
diff --git a/src/test/dnspad.gold b/src/test/dnspad.gold new file mode 100644
index 0000000..8a5275a
--- /dev/null
+++ b/src/test/dnspad.gold
@@ -0,0 +1,8 @@ +[59] 2016-10-20 15:23:01.075993 [#0 dnspad.pcap-dist 4095] \ + [172.17.0.10].53199 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[59] 2016-10-20 15:23:01.075993 [#0 dnspad.pcap-dist 4095] \ + [172.17.0.10].53199 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0
diff --git a/src/test/dnspad.pcap b/src/test/dnspad.pcap Binary files differnew file mode 100644
index 0000000..df2b574
--- /dev/null
+++ b/src/test/dnspad.pcap
diff --git a/src/test/do1t-nosyn-1nolen.pcap b/src/test/do1t-nosyn-1nolen.pcap Binary files differnew file mode 100644
index 0000000..cd20a74
--- /dev/null
+++ b/src/test/do1t-nosyn-1nolen.pcap
diff --git a/src/test/frags.pcap b/src/test/frags.pcap Binary files differnew file mode 100644
index 0000000..5d44810
--- /dev/null
+++ b/src/test/frags.pcap
diff --git a/src/test/test1.sh b/src/test/test1.sh new file mode 100755
index 0000000..03142c9
--- /dev/null
+++ b/src/test/test1.sh
@@ -0,0 +1,9 @@
+#!/bin/sh -xe
+
+../dnscap -g -r dns.pcap-dist 2>dns.out
+
+mv dns.out dns.out.old
+grep -v "^libgcov profiling error:" dns.out.old > dns.out
+rm dns.out.old
+
+diff dns.out "$srcdir/dns.gold"
diff --git a/src/test/test10.gold b/src/test/test10.gold new file mode 100644
index 0000000..69f51ef
--- /dev/null
+++ b/src/test/test10.gold
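Review bot: The last line of test1.sh, `diff dns.out "$srcdir/dns.gold"`, relies on the automake harness exporting `srcdir`; the script runs with `-e` but not `-u`, so when it is run by hand the variable expands to nothing and the comparison is made against `/dns.gold`. Adding `srcdir="${srcdir:-.}"` before the first dnscap call keeps the harness behaviour and makes a manual run work. The `-xe` flags are also set only on the `#!` line, so `sh test1.sh` runs without errexit and a failing step no longer stops the test; `set -xe` as the first command would cover both ways of invoking it. test10.sh in this commit has the same two issues.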
@@ -0,0 +1,22 @@ +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [2a01:3f0:0:57::245].51972 [2001:4860:4860::8888].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [2001:4860:4860::8888].53 [2a01:3f0:0:57::245].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] +[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \ + [2a01:3f0:0:57::245].51972 [2001:4860:4860::8888].53 \ + dns QUERY,NOERROR,51420,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \ + [2001:4860:4860::8888].53 [2a01:3f0:0:57::245].51972 \ + dns QUERY,NOERROR,51420,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,299,172.217.20.46 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] diff --git a/src/test/test10.sh b/src/test/test10.sh new file mode 100755 index 0000000..2779cb0 --- /dev/null +++ b/src/test/test10.sh @@ -0,0 +1,6 @@ +#!/bin/sh -xe + +../dnscap -r dns6.pcap-dist -g 2>test10.out +../dnscap -r dns6.pcap-dist -o use_layers=yes -g 2>>test10.out + +diff test10.out "$srcdir/test10.gold" diff --git a/src/test/test11.sh b/src/test/test11.sh new file mode 100755 index 0000000..7f58c89 --- /dev/null +++ b/src/test/test11.sh 
@@ -0,0 +1,79 @@
+#!/bin/sh -xe
+
+../dnscap -?
+! ../dnscap -j
+
+! ../dnscap -o testing
+! ../dnscap -o testing=
+! ../dnscap -o testing=a
+../dnscap -o user=user -o user=user -o group=group -o group=group \
+ -o dump_format=pcap -o dump_format=cbor -o dump_format=cds \
+ -F pcap -F cbor -F cds \
+ -?
+../dnscap -b -N -p -d -1 -I -i fake -m q -m u -m n -s i -s r -h i -h r \
+ -e n -e y -e t -e f -e s -e x -e i -e r -w - -W a -W a -t 1 -c 1 -C 1 \
+ -x '.*' -S -U fake -U fake -M -D -?
+../dnscap -w fake -k false -?
+! ../dnscap -m X
+! ../dnscap -s X
+! ../dnscap -h X
+! ../dnscap -e X
+! ../dnscap -k false
+! ../dnscap -F invalid
+! ../dnscap -t invalid
+! ../dnscap -c invalid
+! ../dnscap -C invalid
+! ../dnscap -x '('
+! ../dnscap -B invalid
+! ../dnscap -E invalid
+! ../dnscap -P invalid
+if ! ../dnscap -y -? 2>test11.out; then
+ grep -qF "seccomp-bpf not enabled" test11.out
+fi
+! ../dnscap -w fake -o use_layers=yes
+! ../dnscap -g -f -h i
+! ../dnscap -g -l 1 -L 1
+! ../dnscap -g -b -d -g
+! ../dnscap -g -b -g
+! ../dnscap -g -B "2020-01-01 00:00:00" -E "2019-01-01 00:00:00"
+! ../dnscap -g -o defrag_ipv4=yes
+! ../dnscap -g -o defrag_ipv6=yes
+! ../dnscap -g -o reassemble_tcp_bfbparsedns=yes
+
+../dnscap -V
+
+../dnscap -r dns.pcap-dist -g -ddddd
+../dnscap -r dns.pcap-dist -x '.*' -X '.*' -g -ddddd
+
+! ../dnscap -r dns.pcap-dist -i fake 2>test11.out
+cat test11.out
+grep -qF -- "-i makes no sense after -r" test11.out
+! ../dnscap -i fake -r dns.pcap-dist 2>test11.out
+cat test11.out
+grep -qF -- "-r makes no sense after -i" test11.out
+
+all_opts=
+for opt in cbor_chunk_size cds_cbor_size cds_message_size cds_max_rlabels \
+cds_min_rlabel_size cds_rdata_index_min_size cds_rdata_rindex_size \
+cds_rdata_rindex_min_size pcap_buffer_size max_ipv4_fragments \
+max_ipv6_fragments max_ipv6_fragments_per_packet reassemble_tcp_faultreset; \
+do
+ ! ../dnscap -o "$opt=0"
+ all_opts="$all_opts -o $opt=1"
+done
+
+../dnscap $all_opts -?
+
+all_opts=
+for opt in cds_use_rdata_rindex cds_use_rdata_index defrag_ipv6 \
+reassemble_tcp_bfbparsedns bpf_hosts_apply_all; \
+do
+ ! ../dnscap -o "$opt=f"
+ all_opts="$all_opts -o $opt=yes"
+done
+
+../dnscap $all_opts -?
+
+! ../dnscap -l 0 -l 4095 -l 4096
+! ../dnscap -L 0 -L 4095 -L 4096
+! ../dnscap -u 5353 -u 65536
diff --git a/src/test/test12.sh b/src/test/test12.sh
new file mode 100755
index 0000000..76b0e01
--- /dev/null
+++ b/src/test/test12.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -xe
+
+if ! ../dnscap -g -r dns.pcap-dist -w test12 -W .gz 2>test12.out; then
+ grep -qF "gzip compression requested but not supported" test12.out && exit 0
+ exit 1
+fi
diff --git a/src/test/test13.sh b/src/test/test13.sh
new file mode 100755
index 0000000..4749a92
--- /dev/null
+++ b/src/test/test13.sh
@@ -0,0 +1,28 @@
+#!/bin/sh -xe
+
+test -f /etc/resolv.conf || exit 0
+
+! ../dnscap -a "fake_host-should+not/work" 2>test13.out
+cat test13.out
+grep -qF "invalid host address" test13.out
+
+if [ "`uname`" = "OpenBSD" ]; then
+ # IPv6 addresses in BPF seems to segfault on OpenBSD and doing host and
+ # not host throws generic pcap_compile error
+ ../dnscap -a 127.0.0.1 -r dns.pcap-dist -g -dddd
+ ../dnscap -z 127.0.0.1 -r dns.pcap-dist -g -dddd
+ ../dnscap -A 127.0.0.1 -r dns.pcap-dist -g -dddd
+ ../dnscap -Z 127.0.0.1 -r dns.pcap-dist -g -dddd
+ ../dnscap -Y 127.0.0.1 -r dns.pcap-dist -g -dddd
+else
+ ../dnscap -a 127.0.0.1 -a ::1 -r dns.pcap-dist -g -dddd
+ ../dnscap -z 127.0.0.1 -z ::1 -r dns.pcap-dist -g -dddd
+ ../dnscap -A 127.0.0.1 -A ::1 -r dns.pcap-dist -g -dddd
+ ../dnscap -Z 127.0.0.1 -Z ::1 -r dns.pcap-dist -g -dddd
+ ../dnscap -Y 127.0.0.1 -Y ::1 -r dns.pcap-dist -g -dddd
+fi
+if [ "$TEST_DNSCAP_WITH_NETWORK" = "1" ]; then
+ ../dnscap -a google.com -r dns.pcap-dist -g -dddd
+fi
+../dnscap -Y 127.0.0.1 -r dns.pcap-dist -g
+../dnscap -Y 8.8.8.8 -r dns.pcap-dist -g
diff --git a/src/test/test14.gold b/src/test/test14.gold
new file mode 100644
index 0000000..fb342e2
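Review bot: In test11.sh most of the `! ../dnscap …` lines assert nothing, because a pipeline that begins with `!` is exempt from the `-e` set on the `#!/bin/sh -xe` line. If dnscap wrongly accepted `-j`, `-m X` or `-o "$opt=0"`, the script would simply continue; only the final `! ../dnscap -u 5353 -u 65536` reaches the exit status. The same lines also accept any non-zero status, so a crash on malformed input is indistinguishable from a clean rejection. A small helper that fails on success and on a status above 128 (death by signal in sh) would cover both, as sketched below. The one `!` line in test13.sh is already backed by the grep that follows it.

```shell
# Run a command that must be rejected: fail on success and on death by signal.
must_fail() {
    rc=0
    "$@" || rc=$?
    if [ "$rc" -eq 0 ] || [ "$rc" -gt 128 ]; then
        echo "unexpected exit status $rc: $*" >&2
        exit 1
    fi
}

must_fail ../dnscap -j
must_fail ../dnscap -o testing
# … unchanged: remaining negative cases, each rewritten the same way …
```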
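Review bot: When dnscap fails in test12.sh for a reason other than missing gzip support, the script exits 1 without showing why. Stderr was redirected to test12.out and is never printed, so the harness log holds only the `-x` trace. Adding `cat test12.out` before `exit 1` keeps the diagnostic in the log, as test13.sh does after its own redirect. The success path checks only the exit status; nothing in the hunk confirms that a compressed dump was actually written.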
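Review bot: The early `test -f /etc/resolv.conf || exit 0` in test13.sh reports a pass when none of the checks ran. If these scripts run under Automake's test driver (assumed from the build files, not visible in this hunk), `test -f /etc/resolv.conf || exit 77` records the run as skipped instead. The OpenBSD branch drops every `::1` case because of a segfault its comment mentions, so the IPv6 host-filter path is untested on that platform. That comment should say whether the crash is in dnscap or in the pcap library and point at a tracking issue.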
--- /dev/null
+++ b/src/test/test14.gold
@@ -0,0 +1,2864 @@ +-- only 1 +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [172.17.0.10].53199 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:01.087291 [#2 dns.pcap-dist 4095] \ + [172.17.0.10].40043 [8.8.8.8].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#3 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#4 dns.pcap-dist 4095] \ + [172.17.0.10].37953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#5 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[56] 2016-10-20 15:23:52.860937 [#6 dns.pcap-dist 4095] \ + [172.17.0.10].40953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#7 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#8 dns.pcap-dist 4095] \ + [172.17.0.10].45174 [8.8.8.8].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#9 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[56] 2016-10-20 15:24:04.323868 [#10 dns.pcap-dist 4095] \ + [172.17.0.10].43559 [8.8.8.8].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#11 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#12 dns.pcap-dist 4095] \ + [172.17.0.10].54859 [8.8.8.8].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#13 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[56] 2016-10-20 15:24:07.346429 [#14 dns.pcap-dist 4095] \ + [172.17.0.10].41266 [8.8.8.8].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#15 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[56] 2016-10-20 15:24:08.360528 [#16 dns.pcap-dist 4095] \ + [172.17.0.10].60437 [8.8.8.8].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#17 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[56] 2016-10-20 15:24:09.375942 [#18 dns.pcap-dist 4095] \ + [172.17.0.10].53820 [8.8.8.8].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#19 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[56] 2016-10-20 15:24:10.391358 [#20 dns.pcap-dist 4095] \ + [172.17.0.10].47637 [8.8.8.8].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#21 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[56] 2016-10-20 15:24:11.406297 [#22 dns.pcap-dist 4095] \ + [172.17.0.10].41059 [8.8.8.8].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#23 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[56] 2016-10-20 15:24:12.419936 [#24 dns.pcap-dist 4095] \ + [172.17.0.10].32976 [8.8.8.8].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#25 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#26 dns.pcap-dist 4095] \ + [172.17.0.10].53467 [8.8.8.8].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#27 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#28 dns.pcap-dist 4095] \ + [172.17.0.10].41532 [8.8.8.8].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#29 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#30 dns.pcap-dist 4095] \ + [172.17.0.10].44982 [8.8.8.8].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#31 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[56] 2016-10-20 15:24:19.460087 [#32 dns.pcap-dist 4095] \ + [172.17.0.10].45658 [8.8.8.8].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#33 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[56] 2016-10-20 15:24:20.475086 [#34 dns.pcap-dist 4095] \ + [172.17.0.10].59762 [8.8.8.8].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#35 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[56] 2016-10-20 15:24:21.489468 [#36 dns.pcap-dist 4095] \ + [172.17.0.10].37669 [8.8.8.8].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#37 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[56] 2016-10-20 15:24:22.502667 [#38 dns.pcap-dist 4095] \ + [172.17.0.10].49829 [8.8.8.8].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#39 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[56] 2016-10-20 15:24:23.520203 [#40 dns.pcap-dist 4095] \ + [172.17.0.10].44980 [8.8.8.8].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#41 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[56] 2016-10-20 15:24:24.537264 [#42 dns.pcap-dist 4095] \ + [172.17.0.10].42042 [8.8.8.8].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#43 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[56] 2016-10-20 15:24:25.554744 [#44 dns.pcap-dist 4095] \ + [172.17.0.10].45703 [8.8.8.8].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#45 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[56] 2016-10-20 15:24:26.572784 [#46 dns.pcap-dist 4095] \ + [172.17.0.10].46798 [8.8.8.8].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#47 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +-- not 1 +[73] 2016-10-20 15:23:01.082865 [#0 dns.pcap-dist 4095] \ + [172.17.0.10].57822 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#1 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[73] 2016-10-20 15:23:10.328324 [#2 dns.pcap-dist 4095] \ + [172.17.0.10].48658 [8.8.8.8].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#3 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[73] 2016-10-20 15:23:59.090911 [#4 dns.pcap-dist 4095] \ + [172.17.0.10].33916 [8.8.8.8].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#5 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[73] 2016-10-20 15:24:06.339145 [#6 dns.pcap-dist 4095] \ + [172.17.0.10].58176 [8.8.8.8].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#7 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[73] 2016-10-20 15:24:07.353123 [#8 dns.pcap-dist 4095] \ + [172.17.0.10].34607 [8.8.8.8].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#9 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[73] 2016-10-20 15:24:08.368516 [#10 dns.pcap-dist 4095] \ + [172.17.0.10].37149 [8.8.8.8].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#11 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[73] 2016-10-20 15:24:09.384057 [#12 dns.pcap-dist 4095] \ + [172.17.0.10].52368 [8.8.8.8].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#13 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[73] 2016-10-20 15:24:10.398099 [#14 dns.pcap-dist 4095] \ + [172.17.0.10].34426 [8.8.8.8].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#15 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[73] 2016-10-20 15:24:11.412133 [#16 dns.pcap-dist 4095] \ + [172.17.0.10].51181 [8.8.8.8].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#17 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[73] 2016-10-20 15:24:18.452451 [#18 dns.pcap-dist 4095] \ + [172.17.0.10].40224 [8.8.8.8].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#19 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[73] 2016-10-20 15:24:19.467324 [#20 dns.pcap-dist 4095] \ + [172.17.0.10].60457 [8.8.8.8].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#21 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[73] 2016-10-20 15:24:20.482188 [#22 dns.pcap-dist 4095] \ + [172.17.0.10].56022 [8.8.8.8].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#23 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[73] 2016-10-20 15:24:21.495324 [#24 dns.pcap-dist 4095] \ + [172.17.0.10].42978 [8.8.8.8].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#25 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[73] 2016-10-20 15:24:22.510176 [#26 dns.pcap-dist 4095] \ + [172.17.0.10].50599 [8.8.8.8].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#27 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[73] 2016-10-20 15:24:23.527449 [#28 dns.pcap-dist 4095] \ + [172.17.0.10].60063 [8.8.8.8].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#29 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[73] 2016-10-20 15:24:24.544538 [#30 dns.pcap-dist 4095] \ + [172.17.0.10].60469 [8.8.8.8].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#31 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[73] 2016-10-20 15:24:25.562608 [#32 dns.pcap-dist 4095] \ + [172.17.0.10].33507 [8.8.8.8].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#33 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +-- only PTR +[73] 2016-10-20 15:23:01.082865 [#0 dns.pcap-dist 4095] \ + [172.17.0.10].57822 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#1 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[73] 2016-10-20 15:23:10.328324 [#2 dns.pcap-dist 4095] \ + [172.17.0.10].48658 [8.8.8.8].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#3 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[73] 2016-10-20 15:23:59.090911 [#4 dns.pcap-dist 4095] \ + [172.17.0.10].33916 [8.8.8.8].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#5 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[73] 2016-10-20 15:24:06.339145 [#6 dns.pcap-dist 4095] \ + [172.17.0.10].58176 [8.8.8.8].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#7 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[73] 2016-10-20 15:24:07.353123 [#8 dns.pcap-dist 4095] \ + [172.17.0.10].34607 [8.8.8.8].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#9 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[73] 2016-10-20 15:24:08.368516 [#10 dns.pcap-dist 4095] \ + [172.17.0.10].37149 [8.8.8.8].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#11 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[73] 2016-10-20 15:24:09.384057 [#12 dns.pcap-dist 4095] \ + [172.17.0.10].52368 [8.8.8.8].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#13 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[73] 2016-10-20 15:24:10.398099 [#14 dns.pcap-dist 4095] \ + [172.17.0.10].34426 [8.8.8.8].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#15 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[73] 2016-10-20 15:24:11.412133 [#16 dns.pcap-dist 4095] \ + [172.17.0.10].51181 [8.8.8.8].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#17 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[73] 2016-10-20 15:24:18.452451 [#18 dns.pcap-dist 4095] \ + [172.17.0.10].40224 [8.8.8.8].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#19 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[73] 2016-10-20 15:24:19.467324 [#20 dns.pcap-dist 4095] \ + [172.17.0.10].60457 [8.8.8.8].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#21 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[73] 2016-10-20 15:24:20.482188 [#22 dns.pcap-dist 4095] \ + [172.17.0.10].56022 [8.8.8.8].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#23 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[73] 2016-10-20 15:24:21.495324 [#24 dns.pcap-dist 4095] \ + [172.17.0.10].42978 [8.8.8.8].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#25 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[73] 2016-10-20 15:24:22.510176 [#26 dns.pcap-dist 4095] \ + [172.17.0.10].50599 [8.8.8.8].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#27 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[73] 2016-10-20 15:24:23.527449 [#28 dns.pcap-dist 4095] \ + [172.17.0.10].60063 [8.8.8.8].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#29 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[73] 2016-10-20 15:24:24.544538 [#30 dns.pcap-dist 4095] \ + [172.17.0.10].60469 [8.8.8.8].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#31 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[73] 2016-10-20 15:24:25.562608 [#32 dns.pcap-dist 4095] \ + [172.17.0.10].33507 [8.8.8.8].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#33 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +-- not PTR +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [172.17.0.10].53199 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:01.087291 [#2 dns.pcap-dist 4095] \ + [172.17.0.10].40043 [8.8.8.8].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#3 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#4 dns.pcap-dist 4095] \ + [172.17.0.10].37953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#5 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[56] 2016-10-20 15:23:52.860937 [#6 dns.pcap-dist 4095] \ + [172.17.0.10].40953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#7 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#8 dns.pcap-dist 4095] \ + [172.17.0.10].45174 [8.8.8.8].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#9 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[56] 2016-10-20 15:24:04.323868 [#10 dns.pcap-dist 4095] \ + [172.17.0.10].43559 [8.8.8.8].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#11 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#12 dns.pcap-dist 4095] \ + [172.17.0.10].54859 [8.8.8.8].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#13 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[56] 2016-10-20 15:24:07.346429 [#14 dns.pcap-dist 4095] \ + [172.17.0.10].41266 [8.8.8.8].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#15 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[56] 2016-10-20 15:24:08.360528 [#16 dns.pcap-dist 4095] \ + [172.17.0.10].60437 [8.8.8.8].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#17 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[56] 2016-10-20 15:24:09.375942 [#18 dns.pcap-dist 4095] \ + [172.17.0.10].53820 [8.8.8.8].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#19 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[56] 2016-10-20 15:24:10.391358 [#20 dns.pcap-dist 4095] \ + [172.17.0.10].47637 [8.8.8.8].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#21 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[56] 2016-10-20 15:24:11.406297 [#22 dns.pcap-dist 4095] \ + [172.17.0.10].41059 [8.8.8.8].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#23 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[56] 2016-10-20 15:24:12.419936 [#24 dns.pcap-dist 4095] \ + [172.17.0.10].32976 [8.8.8.8].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#25 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#26 dns.pcap-dist 4095] \ + [172.17.0.10].53467 [8.8.8.8].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#27 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#28 dns.pcap-dist 4095] \ + [172.17.0.10].41532 [8.8.8.8].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#29 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#30 dns.pcap-dist 4095] \ + [172.17.0.10].44982 [8.8.8.8].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#31 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[56] 2016-10-20 15:24:19.460087 [#32 dns.pcap-dist 4095] \ + [172.17.0.10].45658 [8.8.8.8].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#33 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[56] 2016-10-20 15:24:20.475086 [#34 dns.pcap-dist 4095] \ + [172.17.0.10].59762 [8.8.8.8].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#35 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[56] 2016-10-20 15:24:21.489468 [#36 dns.pcap-dist 4095] \ + [172.17.0.10].37669 [8.8.8.8].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#37 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[56] 2016-10-20 15:24:22.502667 [#38 dns.pcap-dist 4095] \ + [172.17.0.10].49829 [8.8.8.8].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#39 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[56] 2016-10-20 15:24:23.520203 [#40 dns.pcap-dist 4095] \ + [172.17.0.10].44980 [8.8.8.8].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#41 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[56] 2016-10-20 15:24:24.537264 [#42 dns.pcap-dist 4095] \ + [172.17.0.10].42042 [8.8.8.8].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#43 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[56] 2016-10-20 15:24:25.554744 [#44 dns.pcap-dist 4095] \ + [172.17.0.10].45703 [8.8.8.8].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#45 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[56] 2016-10-20 15:24:26.572784 [#46 dns.pcap-dist 4095] \ + [172.17.0.10].46798 [8.8.8.8].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#47 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +-- only 1 +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [172.17.0.10].53199 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:01.087291 [#2 dns.pcap-dist 4095] \ + [172.17.0.10].40043 [8.8.8.8].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#3 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#4 dns.pcap-dist 4095] \ + [172.17.0.10].37953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#5 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[56] 2016-10-20 15:23:52.860937 [#6 dns.pcap-dist 4095] \ + [172.17.0.10].40953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#7 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#8 dns.pcap-dist 4095] \ + [172.17.0.10].45174 [8.8.8.8].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#9 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[56] 2016-10-20 15:24:04.323868 [#10 dns.pcap-dist 4095] \ + [172.17.0.10].43559 [8.8.8.8].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#11 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#12 dns.pcap-dist 4095] \ + [172.17.0.10].54859 [8.8.8.8].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#13 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[56] 2016-10-20 15:24:07.346429 [#14 dns.pcap-dist 4095] \ + [172.17.0.10].41266 [8.8.8.8].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#15 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[56] 2016-10-20 15:24:08.360528 [#16 dns.pcap-dist 4095] \ + [172.17.0.10].60437 [8.8.8.8].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#17 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[56] 2016-10-20 15:24:09.375942 [#18 dns.pcap-dist 4095] \ + [172.17.0.10].53820 [8.8.8.8].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#19 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[56] 2016-10-20 15:24:10.391358 [#20 dns.pcap-dist 4095] \ + [172.17.0.10].47637 [8.8.8.8].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#21 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[56] 2016-10-20 15:24:11.406297 [#22 dns.pcap-dist 4095] \ + [172.17.0.10].41059 [8.8.8.8].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#23 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[56] 2016-10-20 15:24:12.419936 [#24 dns.pcap-dist 4095] \ + [172.17.0.10].32976 [8.8.8.8].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#25 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#26 dns.pcap-dist 4095] \ + [172.17.0.10].53467 [8.8.8.8].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#27 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#28 dns.pcap-dist 4095] \ + [172.17.0.10].41532 [8.8.8.8].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#29 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#30 dns.pcap-dist 4095] \ + [172.17.0.10].44982 [8.8.8.8].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#31 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[56] 2016-10-20 15:24:19.460087 [#32 dns.pcap-dist 4095] \ + [172.17.0.10].45658 [8.8.8.8].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#33 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[56] 2016-10-20 15:24:20.475086 [#34 dns.pcap-dist 4095] \ + [172.17.0.10].59762 [8.8.8.8].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#35 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[56] 2016-10-20 15:24:21.489468 [#36 dns.pcap-dist 4095] \ + [172.17.0.10].37669 [8.8.8.8].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#37 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[56] 2016-10-20 15:24:22.502667 [#38 dns.pcap-dist 4095] \ + [172.17.0.10].49829 [8.8.8.8].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#39 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[56] 2016-10-20 15:24:23.520203 [#40 dns.pcap-dist 4095] \ + [172.17.0.10].44980 [8.8.8.8].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#41 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[56] 2016-10-20 15:24:24.537264 [#42 dns.pcap-dist 4095] \ + [172.17.0.10].42042 [8.8.8.8].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#43 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[56] 2016-10-20 15:24:25.554744 [#44 dns.pcap-dist 4095] \ + [172.17.0.10].45703 [8.8.8.8].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#45 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[56] 2016-10-20 15:24:26.572784 [#46 dns.pcap-dist 4095] \ + [172.17.0.10].46798 [8.8.8.8].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#47 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 +-- not 1 +[73] 2016-10-20 15:23:01.082865 [#0 dns.pcap-dist 4095] \ + [172.17.0.10].57822 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#1 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[73] 2016-10-20 15:23:10.328324 [#2 dns.pcap-dist 4095] \ + [172.17.0.10].48658 [8.8.8.8].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#3 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[73] 2016-10-20 15:23:59.090911 [#4 dns.pcap-dist 4095] \ + [172.17.0.10].33916 [8.8.8.8].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#5 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[73] 2016-10-20 15:24:06.339145 [#6 dns.pcap-dist 4095] \ + [172.17.0.10].58176 [8.8.8.8].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#7 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[73] 2016-10-20 15:24:07.353123 [#8 dns.pcap-dist 4095] \ + [172.17.0.10].34607 [8.8.8.8].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#9 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[73] 2016-10-20 15:24:08.368516 [#10 dns.pcap-dist 4095] \ + [172.17.0.10].37149 [8.8.8.8].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#11 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[73] 2016-10-20 15:24:09.384057 [#12 dns.pcap-dist 4095] \ + [172.17.0.10].52368 [8.8.8.8].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#13 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[73] 2016-10-20 15:24:10.398099 [#14 dns.pcap-dist 4095] \ + [172.17.0.10].34426 [8.8.8.8].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#15 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[73] 2016-10-20 15:24:11.412133 [#16 dns.pcap-dist 4095] \ + [172.17.0.10].51181 [8.8.8.8].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#17 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[73] 2016-10-20 15:24:18.452451 [#18 dns.pcap-dist 4095] \ + [172.17.0.10].40224 [8.8.8.8].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#19 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[73] 2016-10-20 15:24:19.467324 [#20 dns.pcap-dist 4095] \ + [172.17.0.10].60457 [8.8.8.8].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#21 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[73] 2016-10-20 15:24:20.482188 [#22 dns.pcap-dist 4095] \ + [172.17.0.10].56022 [8.8.8.8].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#23 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[73] 2016-10-20 15:24:21.495324 [#24 dns.pcap-dist 4095] \ + [172.17.0.10].42978 [8.8.8.8].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#25 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[73] 2016-10-20 15:24:22.510176 [#26 dns.pcap-dist 4095] \ + [172.17.0.10].50599 [8.8.8.8].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#27 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[73] 2016-10-20 15:24:23.527449 [#28 dns.pcap-dist 4095] \ + [172.17.0.10].60063 [8.8.8.8].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#29 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[73] 2016-10-20 15:24:24.544538 [#30 dns.pcap-dist 4095] \ + [172.17.0.10].60469 [8.8.8.8].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#31 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[73] 2016-10-20 15:24:25.562608 [#32 dns.pcap-dist 4095] \ + [172.17.0.10].33507 [8.8.8.8].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#33 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +-- only PTR +[73] 2016-10-20 15:23:01.082865 [#0 dns.pcap-dist 4095] \ + [172.17.0.10].57822 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#1 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[73] 2016-10-20 15:23:10.328324 [#2 dns.pcap-dist 4095] \ + [172.17.0.10].48658 [8.8.8.8].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#3 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[73] 2016-10-20 15:23:59.090911 [#4 dns.pcap-dist 4095] \ + [172.17.0.10].33916 [8.8.8.8].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#5 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[73] 2016-10-20 15:24:06.339145 [#6 dns.pcap-dist 4095] \ + [172.17.0.10].58176 [8.8.8.8].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#7 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[73] 2016-10-20 15:24:07.353123 [#8 dns.pcap-dist 4095] \ + [172.17.0.10].34607 [8.8.8.8].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#9 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[73] 2016-10-20 15:24:08.368516 [#10 dns.pcap-dist 4095] \ + [172.17.0.10].37149 [8.8.8.8].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#11 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[73] 2016-10-20 15:24:09.384057 [#12 dns.pcap-dist 4095] \ + [172.17.0.10].52368 [8.8.8.8].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#13 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[73] 2016-10-20 15:24:10.398099 [#14 dns.pcap-dist 4095] \ + [172.17.0.10].34426 [8.8.8.8].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#15 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[73] 2016-10-20 15:24:11.412133 [#16 dns.pcap-dist 4095] \ + [172.17.0.10].51181 [8.8.8.8].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#17 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[73] 2016-10-20 15:24:18.452451 [#18 dns.pcap-dist 4095] \ + [172.17.0.10].40224 [8.8.8.8].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#19 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[73] 2016-10-20 15:24:19.467324 [#20 dns.pcap-dist 4095] \ + [172.17.0.10].60457 [8.8.8.8].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#21 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[73] 2016-10-20 15:24:20.482188 [#22 dns.pcap-dist 4095] \ + [172.17.0.10].56022 [8.8.8.8].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#23 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[73] 2016-10-20 15:24:21.495324 [#24 dns.pcap-dist 4095] \ + [172.17.0.10].42978 [8.8.8.8].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#25 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[73] 2016-10-20 15:24:22.510176 [#26 dns.pcap-dist 4095] \ + [172.17.0.10].50599 [8.8.8.8].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#27 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[73] 2016-10-20 15:24:23.527449 [#28 dns.pcap-dist 4095] \ + [172.17.0.10].60063 [8.8.8.8].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#29 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[73] 2016-10-20 15:24:24.544538 [#30 dns.pcap-dist 4095] \ + [172.17.0.10].60469 [8.8.8.8].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#31 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[73] 2016-10-20 15:24:25.562608 [#32 dns.pcap-dist 4095] \ + [172.17.0.10].33507 [8.8.8.8].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#33 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +-- not PTR +[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \ + [172.17.0.10].53199 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:01.087291 [#2 dns.pcap-dist 4095] \ + [172.17.0.10].40043 [8.8.8.8].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#3 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#4 dns.pcap-dist 4095] \ + [172.17.0.10].37953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#5 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[56] 2016-10-20 15:23:52.860937 [#6 dns.pcap-dist 4095] \ + [172.17.0.10].40953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#7 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#8 dns.pcap-dist 4095] \ + [172.17.0.10].45174 [8.8.8.8].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#9 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[56] 2016-10-20 15:24:04.323868 [#10 dns.pcap-dist 4095] \ + [172.17.0.10].43559 [8.8.8.8].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#11 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#12 dns.pcap-dist 4095] \ + [172.17.0.10].54859 [8.8.8.8].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#13 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[56] 2016-10-20 15:24:07.346429 [#14 dns.pcap-dist 4095] \ + [172.17.0.10].41266 [8.8.8.8].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#15 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[56] 2016-10-20 15:24:08.360528 [#16 dns.pcap-dist 4095] \ + [172.17.0.10].60437 [8.8.8.8].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#17 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[56] 2016-10-20 15:24:09.375942 [#18 dns.pcap-dist 4095] \ + [172.17.0.10].53820 [8.8.8.8].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#19 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[56] 2016-10-20 15:24:10.391358 [#20 dns.pcap-dist 4095] \ + [172.17.0.10].47637 [8.8.8.8].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#21 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[56] 2016-10-20 15:24:11.406297 [#22 dns.pcap-dist 4095] \ + [172.17.0.10].41059 [8.8.8.8].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#23 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[56] 2016-10-20 15:24:12.419936 [#24 dns.pcap-dist 4095] \ + [172.17.0.10].32976 [8.8.8.8].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#25 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#26 dns.pcap-dist 4095] \ + [172.17.0.10].53467 [8.8.8.8].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#27 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#28 dns.pcap-dist 4095] \ + [172.17.0.10].41532 [8.8.8.8].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#29 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#30 dns.pcap-dist 4095] \ + [172.17.0.10].44982 [8.8.8.8].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#31 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[56] 2016-10-20 15:24:19.460087 [#32 dns.pcap-dist 4095] \ + [172.17.0.10].45658 [8.8.8.8].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#33 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[56] 2016-10-20 15:24:20.475086 [#34 dns.pcap-dist 4095] \ + [172.17.0.10].59762 [8.8.8.8].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#35 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[56] 2016-10-20 15:24:21.489468 [#36 dns.pcap-dist 4095] \ + [172.17.0.10].37669 [8.8.8.8].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#37 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[56] 2016-10-20 15:24:22.502667 [#38 dns.pcap-dist 4095] \ + [172.17.0.10].49829 [8.8.8.8].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#39 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[56] 2016-10-20 15:24:23.520203 [#40 dns.pcap-dist 4095] \ + [172.17.0.10].44980 [8.8.8.8].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#41 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[56] 2016-10-20 15:24:24.537264 [#42 dns.pcap-dist 4095] \ + [172.17.0.10].42042 [8.8.8.8].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#43 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[56] 2016-10-20 15:24:25.554744 [#44 dns.pcap-dist 4095] \ + [172.17.0.10].45703 [8.8.8.8].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#45 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[56] 2016-10-20 15:24:26.572784 [#46 dns.pcap-dist 4095] \ + [172.17.0.10].46798 [8.8.8.8].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#47 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 diff --git a/src/test/test14.sh b/src/test/test14.sh new file mode 100755 index 0000000..1788f10 --- /dev/null +++ b/src/test/test14.sh @@ -0,0 +1,25 @@ +#!/bin/sh -xe + +echo "-- only 1" >test14.out +../dnscap -g -q 1 -r dns.pcap-dist 2>>test14.out +echo "-- not 1" >>test14.out +../dnscap -g -Q 1 -r dns.pcap-dist 2>>test14.out +echo "-- only PTR" >>test14.out +../dnscap -g -q PTR -r dns.pcap-dist 2>>test14.out +echo "-- not PTR" >>test14.out +../dnscap -g -Q PTR -r dns.pcap-dist 2>>test14.out + +echo "-- only 1" >>test14.out +../dnscap -g -o use_layers=yes -q 1 -r dns.pcap-dist 2>>test14.out +echo "-- not 1" >>test14.out +../dnscap -g -o use_layers=yes -Q 1 -r dns.pcap-dist 2>>test14.out +echo "-- only PTR" >>test14.out +../dnscap -g -o use_layers=yes -q PTR -r dns.pcap-dist 2>>test14.out +echo "-- not PTR" >>test14.out +../dnscap -g -o use_layers=yes -Q PTR -r dns.pcap-dist 2>>test14.out + +mv test14.out test14.out.old +grep -v "^libgcov profiling error:" test14.out.old > test14.out +rm test14.out.old + +diff test14.out "$srcdir/test14.gold" 
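Review bot: The `-xe` options on the `#!/bin/sh -xe` line of test14.sh only apply when the script is executed directly; started as `sh test14.sh`, or through a wrapper that hands the file to an interpreter, they are dropped. A failing `../dnscap` call then no longer stops the test, and the result depends on the final `diff` alone. Making `set -xe` the first command keeps the fail-fast behaviour however the script is launched. The same shebang appears in test2.sh, test3.sh, test4.sh, test5.sh and test6.sh in this commit.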
diff --git a/src/test/test2.sh b/src/test/test2.sh
new file mode 100755
index 0000000..83cc8c0
--- /dev/null
+++ b/src/test/test2.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -xe
+
+../dnscap -g -r dns.pcap-dist 2>no-layers.out
+../dnscap -g -r dns.pcap-dist -o use_layers=yes 2>layers.out
+
+diff no-layers.out layers.out
diff --git a/src/test/test3.sh b/src/test/test3.sh
new file mode 100755
index 0000000..4b65121
--- /dev/null
+++ b/src/test/test3.sh
@@ -0,0 +1,13 @@
+#!/bin/sh -xe
+
+../dnscap -g -f -r frags.pcap-dist -o use_layers=yes -o defrag_ipv4=yes -o max_ipv4_fragments_per_packet=64 2>frags.out
+
+# remove timestamp
+sed -i -e 's%^\(\[[0-9]*\]\)[^\[]*\[%\1 [%g' frags.out
+
+# create gold file
+cp "$srcdir/dns.gold" frags.gold
+sed -i -e 's%^\(\[[0-9]*\]\)[^\[]*\[%\1 [%g' frags.gold
+sed -i -e 's%dns.pcap-dist%frags.pcap-dist%g' frags.gold
+
+diff frags.out frags.gold
diff --git a/src/test/test4.sh b/src/test/test4.sh
new file mode 100755
index 0000000..7cdf34e
--- /dev/null
+++ b/src/test/test4.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -xe
+
+../dnscap -g -T -r 1qtcppadd.pcap-dist 2>padding-no-layers.out
+../dnscap -g -T -r 1qtcppadd.pcap-dist -o use_layers=yes 2>padding-layers.out
+
+diff padding-no-layers.out padding-layers.out
diff --git a/src/test/test5.sh b/src/test/test5.sh
new file mode 100755
index 0000000..a4789d7
--- /dev/null
+++ b/src/test/test5.sh
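Review bot: test2.sh, and test4.sh which has the same shape, only compare the two runs with each other, so `diff no-layers.out layers.out` also passes when both runs print nothing at all. The test is meant to show that the `use_layers=yes` path decodes the capture the same way as the default path, and two empty files do not show that. Add a non-empty check before the diff, for example `test -s no-layers.out`, or compare one side against a gold file as test6.sh does.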
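Review bot: The three `sed -i -e '…'` calls in test3.sh depend on GNU sed's form of `-i`. BSD sed expects a backup suffix after `-i`, so there the `-e` is typically taken as that suffix and stray `frags.out-e` and `frags.gold-e` files are left in the build directory. Writing through a temporary file avoids the option, as test14.sh already does for its grep filter: `sed -e '…' frags.out >frags.out.tmp` followed by `mv frags.out.tmp frags.out` on its own line, so that `-e` still acts on a sed failure.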
@@ -0,0 +1,20 @@
+#!/bin/sh -xe
+
+osrel=`uname -s`
+
+../dnscap -g -r vlan11.pcap-dist 2>vlan11.out
+test -f vlan11.out && ! test -s vlan11.out
+../dnscap -g -r vlan11.pcap-dist -L 10 2>vlan11.out
+test -f vlan11.out && ! test -s vlan11.out
+../dnscap -g -r vlan11.pcap-dist -L 4095 2>vlan11.out
+diff vlan11.out "$srcdir/vlan11.gold"
+../dnscap -g -r vlan11.pcap-dist -L 11 2>vlan11.out
+diff vlan11.out "$srcdir/vlan11.gold"
+../dnscap -g -r vlan11.pcap-dist -o use_layers=yes 2>vlan11.out
+test -f vlan11.out && ! test -s vlan11.out
+../dnscap -g -r vlan11.pcap-dist -o use_layers=yes -L 10 2>vlan11.out
+test -f vlan11.out && ! test -s vlan11.out
+../dnscap -g -r vlan11.pcap-dist -o use_layers=yes -L 4095 2>vlan11.out
+diff vlan11.out "$srcdir/vlan11.gold"
+../dnscap -g -r vlan11.pcap-dist -o use_layers=yes -L 11 2>vlan11.out
+diff vlan11.out "$srcdir/vlan11.gold"
diff --git a/src/test/test6.sh b/src/test/test6.sh
new file mode 100755
index 0000000..f05713b
--- /dev/null
+++ b/src/test/test6.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -xe
+
+../dnscap -g -r dnspad.pcap-dist 2>dnspad.out
+../dnscap -o use_layers=yes -g -r dnspad.pcap-dist 2>>dnspad.out
+
+diff dnspad.out "$srcdir/dnspad.gold"
diff --git a/src/test/test7.gold b/src/test/test7.gold
new file mode 100644
index 0000000..c3bb683
--- /dev/null
+++ b/src/test/test7.gold
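Review bot: The four `test -f vlan11.out && ! test -s vlan11.out` lines in test5.sh cannot fail the test: under `sh -e` a pipeline negated with `!`, and every command of an `&&` list except the last, is exempt from exit-on-error, so a non-empty vlan11.out is ignored and the script's result comes from the `diff` calls only. These lines are the only checks that the runs without `-L` and with `-L 10` print nothing for the VLAN 11 capture, so a regression in the VLAN filter would pass unnoticed. Use test's own negation as a simple command instead, `test ! -s vlan11.out`, which `-e` does act on. Separately, `osrel` is assigned from `uname -s` but is not used anywhere in the hunk.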
@@ -0,0 +1,1417 @@ +[60] 2018-01-10 11:22:41.543825 [#0 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[60] 2018-01-10 11:22:41.548834 [#1 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 +[54] 2018-01-10 11:22:41.548947 [#2 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.552406 [#3 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:41.555912 [#4 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,58,216.58.211.142 0 0 +[54] 2018-01-10 11:22:41.556032 [#5 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:41.600183 [#6 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:41.616460 [#7 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:41.616663 [#8 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.659921 [#9 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:41.663576 [#10 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,58,216.58.211.142 0 0 +[54] 2018-01-10 11:22:41.663734 [#11 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.706183 [#12 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:41.709680 [#13 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,58,216.58.211.142 0 0 +[54] 2018-01-10 11:22:41.709779 [#14 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:41.754101 [#15 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:41.757876 [#16 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:41.758191 [#17 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.804255 [#18 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:41.809483 [#19 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,58,216.58.211.142 0 0 +[54] 2018-01-10 11:22:41.809780 [#20 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.854113 [#21 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:41.857788 [#22 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,58,216.58.211.142 0 0 +[54] 2018-01-10 11:22:41.858002 [#23 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:41.902165 [#24 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:41.905802 [#25 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:41.905918 [#26 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.950164 [#27 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:41.954138 [#28 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:41.954452 [#29 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.999121 [#30 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.002657 [#31 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.002831 [#32 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.047148 [#33 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.052425 [#34 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:42.052901 [#35 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.097899 [#36 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.101443 [#37 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.101553 [#38 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.145005 [#39 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.148639 [#40 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:42.148770 [#41 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.192777 [#42 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.196256 [#43 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.196471 [#44 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.240395 [#45 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.245103 [#46 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:42.245585 [#47 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.290257 [#48 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.293978 [#49 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.294300 [#50 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.337985 [#51 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.341559 [#52 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:42.341648 [#53 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.385009 [#54 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.389082 [#55 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.389343 [#56 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.433458 [#57 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.438748 [#58 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:42.439060 [#59 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.484005 [#60 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.487697 [#61 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.488035 [#62 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.532414 [#63 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.537574 [#64 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:42.537941 [#65 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.583021 [#66 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.586898 [#67 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.587050 [#68 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.630221 [#69 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.633808 [#70 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.634006 [#71 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.679168 [#72 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.682888 [#73 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.683273 [#74 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.727254 [#75 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.732703 [#76 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.733029 [#77 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.777184 [#78 
dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.781053 [#79 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0 +[54] 2018-01-10 11:22:42.781416 [#80 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.824222 [#81 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.828050 [#82 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.828346 [#83 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.872186 [#84 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.875911 [#85 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:42.876226 [#86 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.920231 [#87 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.923917 [#88 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.924082 [#89 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.968961 [#90 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.972662 [#91 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:42.972972 [#92 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:43.017364 [#93 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:43.022591 [#94 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,56,216.58.211.142 0 0 +[54] 2018-01-10 11:22:43.022938 [#95 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:43.066765 [#96 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:43.070349 [#97 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:43.070484 [#98 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:43.114332 [#99 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:43.119538 [#100 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,56,216.58.211.142 0 0 +[54] 2018-01-10 11:22:43.119857 [#101 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:43.163857 [#102 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:43.167576 [#103 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:43.167733 [#104 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:43.211417 [#105 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:43.216686 [#106 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,56,216.58.211.142 0 0 +[54] 2018-01-10 11:22:43.217042 [#107 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:43.260995 [#108 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:43.265047 [#109 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:43.265399 [#110 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:43.310017 [#111 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:43.313596 [#112 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,56,216.58.211.142 0 0 +[54] 2018-01-10 11:22:43.313685 [#113 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:43.356802 [#114 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:43.360685 [#115 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:43.360864 [#116 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:43.406308 [#117 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:43.410191 [#118 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,56,216.58.211.142 0 0 +[54] 2018-01-10 11:22:43.410440 [#119 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:43.454193 [#120 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:43.458191 [#121 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:43.458511 [#122 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:43.503242 [#123 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:43.506884 [#124 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,56,216.58.211.142 0 0 +[52] 2018-01-10 11:22:43.507821 [#125 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[52] 2018-01-10 11:22:43.511351 [#126 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 +1515583361.543825 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.548834 8.8.8.8 53 172.17.0.8 51388 6 +1515583361.548947 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.552406 172.17.0.8 51388 8.8.8.8 53 6 59311 0 0 |RD| IN A google.com. +1515583361.555912 8.8.8.8 53 172.17.0.8 51388 6 59311 0 0 |QR|RD|RA| IN A google.com. +1515583361.556032 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.600183 172.17.0.8 51388 8.8.8.8 53 6 35665 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583361.616460 8.8.8.8 53 172.17.0.8 51388 6 35665 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583361.616663 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.659921 172.17.0.8 51388 8.8.8.8 53 6 5337 0 0 |RD| IN A google.com. +1515583361.663576 8.8.8.8 53 172.17.0.8 51388 6 5337 0 0 |QR|RD|RA| IN A google.com. +1515583361.663734 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.706183 172.17.0.8 51388 8.8.8.8 53 6 22982 0 0 |RD| IN A google.com. +1515583361.709680 8.8.8.8 53 172.17.0.8 51388 6 22982 0 0 |QR|RD|RA| IN A google.com. +1515583361.709779 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.754101 172.17.0.8 51388 8.8.8.8 53 6 18718 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583361.757876 8.8.8.8 53 172.17.0.8 51388 6 18718 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. 
+1515583361.758191 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.804255 172.17.0.8 51388 8.8.8.8 53 6 22531 0 0 |RD| IN A google.com. +1515583361.809483 8.8.8.8 53 172.17.0.8 51388 6 22531 0 0 |QR|RD|RA| IN A google.com. +1515583361.809780 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.854113 172.17.0.8 51388 8.8.8.8 53 6 58510 0 0 |RD| IN A google.com. +1515583361.857788 8.8.8.8 53 172.17.0.8 51388 6 58510 0 0 |QR|RD|RA| IN A google.com. +1515583361.858002 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.902165 172.17.0.8 51388 8.8.8.8 53 6 45248 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583361.905802 8.8.8.8 53 172.17.0.8 51388 6 45248 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583361.905918 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.950164 172.17.0.8 51388 8.8.8.8 53 6 49483 0 0 |RD| IN A google.com. +1515583361.954138 8.8.8.8 53 172.17.0.8 51388 6 49483 0 0 |QR|RD|RA| IN A google.com. +1515583361.954452 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.999121 172.17.0.8 51388 8.8.8.8 53 6 31669 0 0 |RD| IN A google.com. +1515583362.002657 8.8.8.8 53 172.17.0.8 51388 6 31669 0 0 |QR|RD|RA| IN A google.com. +1515583362.002831 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.047148 172.17.0.8 51388 8.8.8.8 53 6 25433 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.052425 8.8.8.8 53 172.17.0.8 51388 6 25433 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.052901 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.097899 172.17.0.8 51388 8.8.8.8 53 6 63798 0 0 |RD| IN A google.com. +1515583362.101443 8.8.8.8 53 172.17.0.8 51388 6 63798 0 0 |QR|RD|RA| IN A google.com. +1515583362.101553 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.145005 172.17.0.8 51388 8.8.8.8 53 6 8470 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.148639 8.8.8.8 53 172.17.0.8 51388 6 8470 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.148770 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.192777 172.17.0.8 51388 8.8.8.8 53 6 60258 0 0 |RD| IN A google.com. 
+1515583362.196256 8.8.8.8 53 172.17.0.8 51388 6 60258 0 0 |QR|RD|RA| IN A google.com. +1515583362.196471 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.240395 172.17.0.8 51388 8.8.8.8 53 6 44985 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.245103 8.8.8.8 53 172.17.0.8 51388 6 44985 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.245585 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.290257 172.17.0.8 51388 8.8.8.8 53 6 45512 0 0 |RD| IN A google.com. +1515583362.293978 8.8.8.8 53 172.17.0.8 51388 6 45512 0 0 |QR|RD|RA| IN A google.com. +1515583362.294300 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.337985 172.17.0.8 51388 8.8.8.8 53 6 22980 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.341559 8.8.8.8 53 172.17.0.8 51388 6 22980 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.341648 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.385009 172.17.0.8 51388 8.8.8.8 53 6 1834 0 0 |RD| IN A google.com. +1515583362.389082 8.8.8.8 53 172.17.0.8 51388 6 1834 0 0 |QR|RD|RA| IN A google.com. +1515583362.389343 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.433458 172.17.0.8 51388 8.8.8.8 53 6 25431 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.438748 8.8.8.8 53 172.17.0.8 51388 6 25431 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.439060 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.484005 172.17.0.8 51388 8.8.8.8 53 6 48432 0 0 |RD| IN A google.com. +1515583362.487697 8.8.8.8 53 172.17.0.8 51388 6 48432 0 0 |QR|RD|RA| IN A google.com. +1515583362.488035 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.532414 172.17.0.8 51388 8.8.8.8 53 6 47411 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.537574 8.8.8.8 53 172.17.0.8 51388 6 47411 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.537941 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.583021 172.17.0.8 51388 8.8.8.8 53 6 12038 0 0 |RD| IN A google.com. +1515583362.586898 8.8.8.8 53 172.17.0.8 51388 6 12038 0 0 |QR|RD|RA| IN A google.com. 
+1515583362.587050 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.630221 172.17.0.8 51388 8.8.8.8 53 6 11614 0 0 |RD| IN A google.com. +1515583362.633808 8.8.8.8 53 172.17.0.8 51388 6 11614 0 0 |QR|RD|RA| IN A google.com. +1515583362.634006 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.679168 172.17.0.8 51388 8.8.8.8 53 6 59173 0 0 |RD| IN A google.com. +1515583362.682888 8.8.8.8 53 172.17.0.8 51388 6 59173 0 0 |QR|RD|RA| IN A google.com. +1515583362.683273 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.727254 172.17.0.8 51388 8.8.8.8 53 6 45535 0 0 |RD| IN A google.com. +1515583362.732703 8.8.8.8 53 172.17.0.8 51388 6 45535 0 0 |QR|RD|RA| IN A google.com. +1515583362.733029 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.777184 172.17.0.8 51388 8.8.8.8 53 6 60808 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.781053 8.8.8.8 53 172.17.0.8 51388 6 60808 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.781416 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.824222 172.17.0.8 51388 8.8.8.8 53 6 64325 0 0 |RD| IN A google.com. +1515583362.828050 8.8.8.8 53 172.17.0.8 51388 6 64325 0 0 |QR|RD|RA| IN A google.com. +1515583362.828346 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.872186 172.17.0.8 51388 8.8.8.8 53 6 25543 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.875911 8.8.8.8 53 172.17.0.8 51388 6 25543 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.876226 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.920231 172.17.0.8 51388 8.8.8.8 53 6 20736 0 0 |RD| IN A google.com. +1515583362.923917 8.8.8.8 53 172.17.0.8 51388 6 20736 0 0 |QR|RD|RA| IN A google.com. +1515583362.924082 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.968961 172.17.0.8 51388 8.8.8.8 53 6 25911 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.972662 8.8.8.8 53 172.17.0.8 51388 6 25911 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.972972 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.017364 172.17.0.8 51388 8.8.8.8 53 6 64358 0 0 |RD| IN A google.com. 
+1515583363.022591 8.8.8.8 53 172.17.0.8 51388 6 64358 0 0 |QR|RD|RA| IN A google.com. +1515583363.022938 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.066765 172.17.0.8 51388 8.8.8.8 53 6 37698 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.070349 8.8.8.8 53 172.17.0.8 51388 6 37698 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.070484 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.114332 172.17.0.8 51388 8.8.8.8 53 6 54706 0 0 |RD| IN A google.com. +1515583363.119538 8.8.8.8 53 172.17.0.8 51388 6 54706 0 0 |QR|RD|RA| IN A google.com. +1515583363.119857 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.163857 172.17.0.8 51388 8.8.8.8 53 6 32142 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.167576 8.8.8.8 53 172.17.0.8 51388 6 32142 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.167733 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.211417 172.17.0.8 51388 8.8.8.8 53 6 41808 0 0 |RD| IN A google.com. +1515583363.216686 8.8.8.8 53 172.17.0.8 51388 6 41808 0 0 |QR|RD|RA| IN A google.com. +1515583363.217042 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.260995 172.17.0.8 51388 8.8.8.8 53 6 18886 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.265047 8.8.8.8 53 172.17.0.8 51388 6 18886 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.265399 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.310017 172.17.0.8 51388 8.8.8.8 53 6 10624 0 0 |RD| IN A google.com. +1515583363.313596 8.8.8.8 53 172.17.0.8 51388 6 10624 0 0 |QR|RD|RA| IN A google.com. +1515583363.313685 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.356802 172.17.0.8 51388 8.8.8.8 53 6 33139 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.360685 8.8.8.8 53 172.17.0.8 51388 6 33139 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.360864 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.406308 172.17.0.8 51388 8.8.8.8 53 6 61415 0 0 |RD| IN A google.com. +1515583363.410191 8.8.8.8 53 172.17.0.8 51388 6 61415 0 0 |QR|RD|RA| IN A google.com. 
+1515583363.410440 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.454193 172.17.0.8 51388 8.8.8.8 53 6 59258 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.458191 8.8.8.8 53 172.17.0.8 51388 6 59258 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.458511 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.503242 172.17.0.8 51388 8.8.8.8 53 6 17700 0 0 |RD| IN A google.com. +1515583363.506884 8.8.8.8 53 172.17.0.8 51388 6 17700 0 0 |QR|RD|RA| IN A google.com. +1515583363.507821 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.511351 8.8.8.8 53 172.17.0.8 51388 6 +[52] 2017-12-11 13:59:04.957247 [#0 1qtcpnosyn.pcap-dist 4095] \ + [172.17.0.9].48613 [8.8.8.8].53 +[52] 2017-12-11 13:59:04.960230 [#1 1qtcpnosyn.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.9].48613 +1513000744.957247 172.17.0.9 48613 8.8.8.8 53 6 +1513000744.960230 8.8.8.8 53 172.17.0.9 48613 6 +[60] 2018-01-10 11:22:41.543825 [#0 dnso1tcp-midmiss.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[60] 2018-01-10 11:22:41.548834 [#1 dnso1tcp-midmiss.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 +[54] 2018-01-10 11:22:41.548947 [#2 dnso1tcp-midmiss.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.552406 [#3 dnso1tcp-midmiss.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:41.555912 [#4 dnso1tcp-midmiss.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,58,216.58.211.142 0 0 +[54] 2018-01-10 11:22:41.556032 [#5 dnso1tcp-midmiss.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:41.600183 [#6 dnso1tcp-midmiss.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[98] 2018-01-10 11:22:41.663576 [#7 dnso1tcp-midmiss.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 +[54] 2018-01-10 11:22:41.663734 [#8 
dnso1tcp-midmiss.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.706183 [#9 dnso1tcp-midmiss.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[98] 2018-01-10 11:22:41.709680 [#10 dnso1tcp-midmiss.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 +1515583361.543825 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.548834 8.8.8.8 53 172.17.0.8 51388 6 +1515583361.548947 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.552406 172.17.0.8 51388 8.8.8.8 53 6 59311 0 0 |RD| IN A google.com. +1515583361.555912 8.8.8.8 53 172.17.0.8 51388 6 59311 0 0 |QR|RD|RA| IN A google.com. +1515583361.556032 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.600183 172.17.0.8 51388 8.8.8.8 53 6 35665 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583361.663576 8.8.8.8 53 172.17.0.8 51388 6 +1515583361.663734 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.706183 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.709680 8.8.8.8 53 172.17.0.8 51388 6 + +Enabling parse_ongoing_tcp and allow_reset_tcpstate + +[60] 2018-01-10 11:22:41.543825 [#0 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[60] 2018-01-10 11:22:41.548834 [#1 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 +[54] 2018-01-10 11:22:41.548947 [#2 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.552406 [#3 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:41.555912 [#4 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,58,216.58.211.142 0 0 +[54] 2018-01-10 11:22:41.556032 [#5 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:41.600183 [#6 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:41.616460 [#7 dnso1tcp.pcap-dist 4095] \ + 
[8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. 0 0 +[54] 2018-01-10 11:22:41.616663 [#8 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.659921 [#9 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:41.663576 [#10 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,58,216.58.211.142 0 0 +[54] 2018-01-10 11:22:41.663734 [#11 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.706183 [#12 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:41.709680 [#13 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,58,216.58.211.142 0 0 +[54] 2018-01-10 11:22:41.709779 [#14 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:41.754101 [#15 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:41.757876 [#16 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. 
\ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. 0 0 +[54] 2018-01-10 11:22:41.758191 [#17 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.804255 [#18 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:41.809483 [#19 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,58,216.58.211.142 0 0 +[54] 2018-01-10 11:22:41.809780 [#20 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.854113 [#21 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:41.857788 [#22 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,58,216.58.211.142 0 0 +[54] 2018-01-10 11:22:41.858002 [#23 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:41.902165 [#24 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:41.905802 [#25 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:41.905918 [#26 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.950164 [#27 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:41.954138 [#28 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:41.954452 [#29 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.999121 [#30 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.002657 [#31 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.002831 [#32 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.047148 [#33 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.052425 [#34 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:42.052901 [#35 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.097899 [#36 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.101443 [#37 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.101553 [#38 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.145005 [#39 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.148639 [#40 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:42.148770 [#41 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.192777 [#42 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.196256 [#43 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.196471 [#44 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.240395 [#45 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.245103 [#46 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:42.245585 [#47 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.290257 [#48 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.293978 [#49 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.294300 [#50 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.337985 [#51 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.341559 [#52 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:42.341648 [#53 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.385009 [#54 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.389082 [#55 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.389343 [#56 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.433458 [#57 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.438748 [#58 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:42.439060 [#59 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.484005 [#60 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.487697 [#61 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.488035 [#62 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.532414 [#63 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.537574 [#64 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:42.537941 [#65 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.583021 [#66 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.586898 [#67 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.587050 [#68 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.630221 [#69 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.633808 [#70 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.634006 [#71 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.679168 [#72 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.682888 [#73 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.683273 [#74 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.727254 [#75 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.732703 [#76 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.733029 [#77 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.777184 [#78 
dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.781053 [#79 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0 +[54] 2018-01-10 11:22:42.781416 [#80 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.824222 [#81 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.828050 [#82 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.828346 [#83 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.872186 [#84 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.875911 [#85 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:42.876226 [#86 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.920231 [#87 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.923917 [#88 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[54] 2018-01-10 11:22:42.924082 [#89 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.968961 [#90 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.972662 [#91 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:42.972972 [#92 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:43.017364 [#93 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:43.022591 [#94 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,56,216.58.211.142 0 0 +[54] 2018-01-10 11:22:43.022938 [#95 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:43.066765 [#96 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:43.070349 [#97 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:43.070484 [#98 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:43.114332 [#99 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:43.119538 [#100 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,56,216.58.211.142 0 0 +[54] 2018-01-10 11:22:43.119857 [#101 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:43.163857 [#102 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:43.167576 [#103 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:43.167733 [#104 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:43.211417 [#105 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:43.216686 [#106 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,56,216.58.211.142 0 0 +[54] 2018-01-10 11:22:43.217042 [#107 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:43.260995 [#108 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:43.265047 [#109 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:43.265399 [#110 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:43.310017 [#111 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:43.313596 [#112 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,56,216.58.211.142 0 0 +[54] 2018-01-10 11:22:43.313685 [#113 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:43.356802 [#114 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:43.360685 [#115 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:43.360864 [#116 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:43.406308 [#117 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:43.410191 [#118 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,56,216.58.211.142 0 0 +[54] 2018-01-10 11:22:43.410440 [#119 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:43.454193 [#120 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:43.458191 [#121 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 
0 0 +[54] 2018-01-10 11:22:43.458511 [#122 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:43.503242 [#123 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:43.506884 [#124 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,56,216.58.211.142 0 0 +[52] 2018-01-10 11:22:43.507821 [#125 dnso1tcp.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[52] 2018-01-10 11:22:43.511351 [#126 dnso1tcp.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 +1515583361.543825 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.548834 8.8.8.8 53 172.17.0.8 51388 6 +1515583361.548947 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.552406 172.17.0.8 51388 8.8.8.8 53 6 59311 0 0 |RD| IN A google.com. +1515583361.555912 8.8.8.8 53 172.17.0.8 51388 6 59311 0 0 |QR|RD|RA| IN A google.com. +1515583361.556032 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.600183 172.17.0.8 51388 8.8.8.8 53 6 35665 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583361.616460 8.8.8.8 53 172.17.0.8 51388 6 35665 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583361.616663 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.659921 172.17.0.8 51388 8.8.8.8 53 6 5337 0 0 |RD| IN A google.com. +1515583361.663576 8.8.8.8 53 172.17.0.8 51388 6 5337 0 0 |QR|RD|RA| IN A google.com. +1515583361.663734 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.706183 172.17.0.8 51388 8.8.8.8 53 6 22982 0 0 |RD| IN A google.com. +1515583361.709680 8.8.8.8 53 172.17.0.8 51388 6 22982 0 0 |QR|RD|RA| IN A google.com. +1515583361.709779 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.754101 172.17.0.8 51388 8.8.8.8 53 6 18718 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583361.757876 8.8.8.8 53 172.17.0.8 51388 6 18718 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. 
+1515583361.758191 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.804255 172.17.0.8 51388 8.8.8.8 53 6 22531 0 0 |RD| IN A google.com. +1515583361.809483 8.8.8.8 53 172.17.0.8 51388 6 22531 0 0 |QR|RD|RA| IN A google.com. +1515583361.809780 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.854113 172.17.0.8 51388 8.8.8.8 53 6 58510 0 0 |RD| IN A google.com. +1515583361.857788 8.8.8.8 53 172.17.0.8 51388 6 58510 0 0 |QR|RD|RA| IN A google.com. +1515583361.858002 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.902165 172.17.0.8 51388 8.8.8.8 53 6 45248 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583361.905802 8.8.8.8 53 172.17.0.8 51388 6 45248 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583361.905918 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.950164 172.17.0.8 51388 8.8.8.8 53 6 49483 0 0 |RD| IN A google.com. +1515583361.954138 8.8.8.8 53 172.17.0.8 51388 6 49483 0 0 |QR|RD|RA| IN A google.com. +1515583361.954452 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.999121 172.17.0.8 51388 8.8.8.8 53 6 31669 0 0 |RD| IN A google.com. +1515583362.002657 8.8.8.8 53 172.17.0.8 51388 6 31669 0 0 |QR|RD|RA| IN A google.com. +1515583362.002831 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.047148 172.17.0.8 51388 8.8.8.8 53 6 25433 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.052425 8.8.8.8 53 172.17.0.8 51388 6 25433 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.052901 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.097899 172.17.0.8 51388 8.8.8.8 53 6 63798 0 0 |RD| IN A google.com. +1515583362.101443 8.8.8.8 53 172.17.0.8 51388 6 63798 0 0 |QR|RD|RA| IN A google.com. +1515583362.101553 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.145005 172.17.0.8 51388 8.8.8.8 53 6 8470 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.148639 8.8.8.8 53 172.17.0.8 51388 6 8470 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.148770 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.192777 172.17.0.8 51388 8.8.8.8 53 6 60258 0 0 |RD| IN A google.com. 
+1515583362.196256 8.8.8.8 53 172.17.0.8 51388 6 60258 0 0 |QR|RD|RA| IN A google.com. +1515583362.196471 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.240395 172.17.0.8 51388 8.8.8.8 53 6 44985 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.245103 8.8.8.8 53 172.17.0.8 51388 6 44985 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.245585 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.290257 172.17.0.8 51388 8.8.8.8 53 6 45512 0 0 |RD| IN A google.com. +1515583362.293978 8.8.8.8 53 172.17.0.8 51388 6 45512 0 0 |QR|RD|RA| IN A google.com. +1515583362.294300 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.337985 172.17.0.8 51388 8.8.8.8 53 6 22980 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.341559 8.8.8.8 53 172.17.0.8 51388 6 22980 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.341648 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.385009 172.17.0.8 51388 8.8.8.8 53 6 1834 0 0 |RD| IN A google.com. +1515583362.389082 8.8.8.8 53 172.17.0.8 51388 6 1834 0 0 |QR|RD|RA| IN A google.com. +1515583362.389343 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.433458 172.17.0.8 51388 8.8.8.8 53 6 25431 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.438748 8.8.8.8 53 172.17.0.8 51388 6 25431 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.439060 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.484005 172.17.0.8 51388 8.8.8.8 53 6 48432 0 0 |RD| IN A google.com. +1515583362.487697 8.8.8.8 53 172.17.0.8 51388 6 48432 0 0 |QR|RD|RA| IN A google.com. +1515583362.488035 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.532414 172.17.0.8 51388 8.8.8.8 53 6 47411 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.537574 8.8.8.8 53 172.17.0.8 51388 6 47411 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.537941 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.583021 172.17.0.8 51388 8.8.8.8 53 6 12038 0 0 |RD| IN A google.com. +1515583362.586898 8.8.8.8 53 172.17.0.8 51388 6 12038 0 0 |QR|RD|RA| IN A google.com. 
+1515583362.587050 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.630221 172.17.0.8 51388 8.8.8.8 53 6 11614 0 0 |RD| IN A google.com. +1515583362.633808 8.8.8.8 53 172.17.0.8 51388 6 11614 0 0 |QR|RD|RA| IN A google.com. +1515583362.634006 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.679168 172.17.0.8 51388 8.8.8.8 53 6 59173 0 0 |RD| IN A google.com. +1515583362.682888 8.8.8.8 53 172.17.0.8 51388 6 59173 0 0 |QR|RD|RA| IN A google.com. +1515583362.683273 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.727254 172.17.0.8 51388 8.8.8.8 53 6 45535 0 0 |RD| IN A google.com. +1515583362.732703 8.8.8.8 53 172.17.0.8 51388 6 45535 0 0 |QR|RD|RA| IN A google.com. +1515583362.733029 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.777184 172.17.0.8 51388 8.8.8.8 53 6 60808 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.781053 8.8.8.8 53 172.17.0.8 51388 6 60808 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.781416 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.824222 172.17.0.8 51388 8.8.8.8 53 6 64325 0 0 |RD| IN A google.com. +1515583362.828050 8.8.8.8 53 172.17.0.8 51388 6 64325 0 0 |QR|RD|RA| IN A google.com. +1515583362.828346 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.872186 172.17.0.8 51388 8.8.8.8 53 6 25543 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.875911 8.8.8.8 53 172.17.0.8 51388 6 25543 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.876226 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.920231 172.17.0.8 51388 8.8.8.8 53 6 20736 0 0 |RD| IN A google.com. +1515583362.923917 8.8.8.8 53 172.17.0.8 51388 6 20736 0 0 |QR|RD|RA| IN A google.com. +1515583362.924082 172.17.0.8 51388 8.8.8.8 53 6 +1515583362.968961 172.17.0.8 51388 8.8.8.8 53 6 25911 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.972662 8.8.8.8 53 172.17.0.8 51388 6 25911 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583362.972972 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.017364 172.17.0.8 51388 8.8.8.8 53 6 64358 0 0 |RD| IN A google.com. 
+1515583363.022591 8.8.8.8 53 172.17.0.8 51388 6 64358 0 0 |QR|RD|RA| IN A google.com. +1515583363.022938 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.066765 172.17.0.8 51388 8.8.8.8 53 6 37698 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.070349 8.8.8.8 53 172.17.0.8 51388 6 37698 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.070484 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.114332 172.17.0.8 51388 8.8.8.8 53 6 54706 0 0 |RD| IN A google.com. +1515583363.119538 8.8.8.8 53 172.17.0.8 51388 6 54706 0 0 |QR|RD|RA| IN A google.com. +1515583363.119857 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.163857 172.17.0.8 51388 8.8.8.8 53 6 32142 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.167576 8.8.8.8 53 172.17.0.8 51388 6 32142 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.167733 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.211417 172.17.0.8 51388 8.8.8.8 53 6 41808 0 0 |RD| IN A google.com. +1515583363.216686 8.8.8.8 53 172.17.0.8 51388 6 41808 0 0 |QR|RD|RA| IN A google.com. +1515583363.217042 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.260995 172.17.0.8 51388 8.8.8.8 53 6 18886 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.265047 8.8.8.8 53 172.17.0.8 51388 6 18886 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.265399 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.310017 172.17.0.8 51388 8.8.8.8 53 6 10624 0 0 |RD| IN A google.com. +1515583363.313596 8.8.8.8 53 172.17.0.8 51388 6 10624 0 0 |QR|RD|RA| IN A google.com. +1515583363.313685 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.356802 172.17.0.8 51388 8.8.8.8 53 6 33139 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.360685 8.8.8.8 53 172.17.0.8 51388 6 33139 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.360864 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.406308 172.17.0.8 51388 8.8.8.8 53 6 61415 0 0 |RD| IN A google.com. +1515583363.410191 8.8.8.8 53 172.17.0.8 51388 6 61415 0 0 |QR|RD|RA| IN A google.com. 
+1515583363.410440 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.454193 172.17.0.8 51388 8.8.8.8 53 6 59258 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.458191 8.8.8.8 53 172.17.0.8 51388 6 59258 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. +1515583363.458511 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.503242 172.17.0.8 51388 8.8.8.8 53 6 17700 0 0 |RD| IN A google.com. +1515583363.506884 8.8.8.8 53 172.17.0.8 51388 6 17700 0 0 |QR|RD|RA| IN A google.com. +1515583363.507821 172.17.0.8 51388 8.8.8.8 53 6 +1515583363.511351 8.8.8.8 53 172.17.0.8 51388 6 +[93] 2017-12-11 13:59:04.953122 [#0 1qtcpnosyn.pcap-dist 4095] \ + [172.17.0.9].48613 [8.8.8.8].53 \ + dns QUERY,NOERROR,4815,rd|ad \ + 1 google.com.,IN,A 0 0 \ + 1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] +[109] 2017-12-11 13:59:04.956698 [#1 1qtcpnosyn.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.9].48613 \ + dns QUERY,NOERROR,4815,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,47,172.217.22.174 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] +[52] 2017-12-11 13:59:04.957247 [#2 1qtcpnosyn.pcap-dist 4095] \ + [172.17.0.9].48613 [8.8.8.8].53 +[52] 2017-12-11 13:59:04.960230 [#3 1qtcpnosyn.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.9].48613 +1513000744.953122 172.17.0.9 48613 8.8.8.8 53 6 4815 0 0 |RD|AD| IN A google.com. +1513000744.956698 8.8.8.8 53 172.17.0.9 48613 6 4815 0 0 |QR|RD|RA| IN A google.com. 
+1513000744.957247 172.17.0.9 48613 8.8.8.8 53 6 +1513000744.960230 8.8.8.8 53 172.17.0.9 48613 6 +[80] 2018-01-10 11:22:41.552406 [#0 do1t-nosyn-1nolen.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns Label length overflow +[98] 2018-01-10 11:22:41.555912 [#1 do1t-nosyn-1nolen.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,58,216.58.211.142 0 0 +[54] 2018-01-10 11:22:41.556032 [#2 do1t-nosyn-1nolen.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:41.600183 [#3 do1t-nosyn-1nolen.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:41.616460 [#4 do1t-nosyn-1nolen.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. 0 0 +1515583361.552406 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.555912 8.8.8.8 53 172.17.0.8 51388 6 59311 0 0 |QR|RD|RA| IN A google.com. +1515583361.556032 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.600183 172.17.0.8 51388 8.8.8.8 53 6 35665 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583361.616460 8.8.8.8 53 172.17.0.8 51388 6 35665 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa. 
+[60] 2018-01-10 11:22:41.543825 [#0 dnso1tcp-midmiss.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[60] 2018-01-10 11:22:41.548834 [#1 dnso1tcp-midmiss.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 +[54] 2018-01-10 11:22:41.548947 [#2 dnso1tcp-midmiss.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.552406 [#3 dnso1tcp-midmiss.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:41.555912 [#4 dnso1tcp-midmiss.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,58,216.58.211.142 0 0 +[54] 2018-01-10 11:22:41.556032 [#5 dnso1tcp-midmiss.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:41.600183 [#6 dnso1tcp-midmiss.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[98] 2018-01-10 11:22:41.663576 [#7 dnso1tcp-midmiss.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,58,216.58.211.142 0 0 +[54] 2018-01-10 11:22:41.663734 [#8 dnso1tcp-midmiss.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.706183 [#9 dnso1tcp-midmiss.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:41.709680 [#10 dnso1tcp-midmiss.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,58,216.58.211.142 0 0 +1515583361.543825 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.548834 8.8.8.8 53 172.17.0.8 51388 6 +1515583361.548947 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.552406 172.17.0.8 51388 8.8.8.8 53 6 59311 0 0 |RD| IN A google.com. +1515583361.555912 8.8.8.8 53 172.17.0.8 51388 6 59311 0 0 |QR|RD|RA| IN A google.com. 
+1515583361.556032 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.600183 172.17.0.8 51388 8.8.8.8 53 6 35665 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa. +1515583361.663576 8.8.8.8 53 172.17.0.8 51388 6 5337 0 0 |QR|RD|RA| IN A google.com. +1515583361.663734 172.17.0.8 51388 8.8.8.8 53 6 +1515583361.706183 172.17.0.8 51388 8.8.8.8 53 6 22982 0 0 |RD| IN A google.com. +1515583361.709680 8.8.8.8 53 172.17.0.8 51388 6 22982 0 0 |QR|RD|RA| IN A google.com. diff --git a/src/test/test7.sh b/src/test/test7.sh new file mode 100755 index 0000000..6c9a4ec --- /dev/null +++ b/src/test/test7.sh 
@@ -0,0 +1,33 @@
+#!/bin/sh -xe
+
+txtout="../../plugins/txtout/.libs/txtout.so"
+
+rm -f test7.out test7.layer.out
+
+for what in dnso1tcp.pcap-dist 1qtcpnosyn.pcap-dist do1t-nosyn-1nolen.pcap-dist dnso1tcp-midmiss.pcap-dist; do
+ ../dnscap -r "$what" -g -T 2>>test7.out
+ ../dnscap -r "$what" -g -T -o use_layers=yes 2>>test7.layer.out
+ if [ -f "$txtout" ]; then
+ ../dnscap -r "$what" -T -P "$txtout" >>test7.out
+ ../dnscap -r "$what" -T -o use_layers=yes -P "$txtout" >>test7.layer.out
+ fi
+done
+
+echo "" >>test7.out
+echo "Enabling parse_ongoing_tcp and allow_reset_tcpstate" >>test7.out
+echo "" >>test7.out
+echo "" >>test7.layer.out
+echo "Enabling parse_ongoing_tcp and allow_reset_tcpstate" >>test7.layer.out
+echo "" >>test7.layer.out
+
+for what in dnso1tcp.pcap-dist 1qtcpnosyn.pcap-dist do1t-nosyn-1nolen.pcap-dist dnso1tcp-midmiss.pcap-dist; do
+ ../dnscap -r "$what" -g -T -o parse_ongoing_tcp=yes -o allow_reset_tcpstate=yes 2>>test7.out
+ ../dnscap -r "$what" -g -T -o parse_ongoing_tcp=yes -o allow_reset_tcpstate=yes -o use_layers=yes 2>>test7.layer.out
+ if [ -f "$txtout" ]; then
+ ../dnscap -r "$what" -T -o parse_ongoing_tcp=yes -o allow_reset_tcpstate=yes -P "$txtout" >>test7.out
+ ../dnscap -r "$what" -T -o parse_ongoing_tcp=yes -o allow_reset_tcpstate=yes -o use_layers=yes -P "$txtout" >>test7.layer.out
+ fi
+done
+
+diff test7.out "$srcdir/test7.gold"
+diff test7.layer.out "$srcdir/test7.gold"
diff --git a/src/test/test8.gold b/src/test/test8.gold
new file mode 100644
index 0000000..a4196e4
--- /dev/null
+++ b/src/test/test8.gold
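Review bot: In src/test/test7.sh the `-xe` flags appear only on the `#!/bin/sh -xe` line, so they are lost whenever the script is started as `sh test7.sh` instead of being executed directly; adding `set -xe` as the first command keeps them in force either way. Without `-e` the script's status is that of the last `diff` alone, so a mismatch in `diff test7.out "$srcdir/test7.gold"` would be ignored. A `../dnscap` run that exits non-zero after printing the expected text would pass as well, which matters for a regression test that feeds the parser captures whose names suggest missing TCP segments (`-nosyn`, `-midmiss`). `$srcdir` is also used unguarded in both `diff` lines; `: "${srcdir:?srcdir not set}"` near the top would fail with a clear message when the script is run outside the test harness.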
@@ -0,0 +1,440 @@ +[60] 2017-12-11 13:59:04.949707 [#0 dnsotcp-many1pkt.pcap-dist 4095] \ + [172.17.0.9].48613 [8.8.8.8].53 +[60] 2017-12-11 13:59:04.953026 [#1 dnsotcp-many1pkt.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.9].48613 +[142] 2017-12-11 13:59:04.953122 [#2 dnsotcp-many1pkt.pcap-dist 4095] \ + [172.17.0.9].48613 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[142] 2017-12-11 13:59:04.953122 [#2 dnsotcp-many1pkt.pcap-dist 4095] \ + [172.17.0.9].48613 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[142] 2017-12-11 13:59:04.953122 [#2 dnsotcp-many1pkt.pcap-dist 4095] \ + [172.17.0.9].48613 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[109] 2017-12-11 13:59:04.956698 [#5 dnsotcp-many1pkt.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.9].48613 \ + dns QUERY,NOERROR,4815,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,47,172.217.22.174 0 \ + 1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0] +[52] 2017-12-11 13:59:04.957247 [#6 dnsotcp-many1pkt.pcap-dist 4095] \ + [172.17.0.9].48613 [8.8.8.8].53 +[52] 2017-12-11 13:59:04.960230 [#7 dnsotcp-many1pkt.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.9].48613 +[60] 2018-01-10 11:22:41.543825 [#0 dnsotcp-manyopkts.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[60] 2018-01-10 11:22:41.548834 [#1 dnsotcp-manyopkts.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 +[97] 2018-01-10 11:22:41.548947 [#2 dnsotcp-manyopkts.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[97] 2018-01-10 11:22:41.552406 [#3 dnsotcp-manyopkts.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:41.552406 [#3 dnsotcp-manyopkts.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[97] 2018-01-10 11:22:41.552406 [#3 dnsotcp-manyopkts.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns 
QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[60] 2018-01-10 11:22:41.543825 [#0 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[60] 2018-01-10 11:22:41.548834 [#1 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 +[80] 2018-01-10 11:22:41.552406 [#2 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.552406 [#2 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:41.555912 [#4 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,58,216.58.211.142 0 0 +[97] 2018-01-10 11:22:41.600183 [#5 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:41.600183 [#5 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:41.616460 [#7 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. 
0 0 +[80] 2018-01-10 11:22:41.659921 [#8 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:41.659921 [#8 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[97] 2018-01-10 11:22:42.047148 [#10 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.047148 [#10 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[80] 2018-01-10 11:22:42.097899 [#12 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.097899 [#12 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[97] 2018-01-10 11:22:42.145005 [#14 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.145005 [#14 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[80] 2018-01-10 11:22:42.192777 [#16 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.192777 [#16 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[97] 2018-01-10 11:22:42.240395 [#18 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.240395 [#18 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.245103 [#20 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. 
\ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0 +[80] 2018-01-10 11:22:42.290257 [#21 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.290257 [#21 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.293978 [#23 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[97] 2018-01-10 11:22:42.337985 [#24 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.337985 [#24 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.341559 [#26 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 
0 0 +[80] 2018-01-10 11:22:42.385009 [#27 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.385009 [#27 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.389082 [#29 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[97] 2018-01-10 11:22:42.433458 [#30 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.433458 [#30 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.438748 [#32 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 
0 0 +[80] 2018-01-10 11:22:42.484005 [#33 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.484005 [#33 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.487697 [#35 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[97] 2018-01-10 11:22:42.532414 [#36 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.532414 [#36 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.537574 [#38 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 
0 0 +[80] 2018-01-10 11:22:42.583021 [#39 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.583021 [#39 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.586898 [#41 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[80] 2018-01-10 11:22:42.630221 [#42 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.630221 [#42 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.633808 [#44 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[80] 2018-01-10 11:22:42.679168 [#45 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.679168 [#45 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.682888 [#47 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[80] 2018-01-10 11:22:42.727254 [#48 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.727254 [#48 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.732703 [#50 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[97] 2018-01-10 11:22:42.777184 [#51 
dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.777184 [#51 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.781053 [#53 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0 +[80] 2018-01-10 11:22:42.824222 [#54 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.824222 [#54 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.828050 [#56 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[97] 2018-01-10 11:22:42.872186 [#57 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.872186 [#57 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.875911 [#59 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. 
\ + 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0 +[80] 2018-01-10 11:22:42.920231 [#60 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:42.920231 [#60 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:42.923917 [#62 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,57,216.58.211.142 0 0 +[97] 2018-01-10 11:22:42.968961 [#63 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:42.968961 [#63 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:42.972662 [#65 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 
0 0 +[80] 2018-01-10 11:22:43.017364 [#66 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:43.017364 [#66 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:43.022591 [#68 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,56,216.58.211.142 0 0 +[97] 2018-01-10 11:22:43.066765 [#69 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:43.066765 [#69 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:43.070349 [#71 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 
0 0 +[80] 2018-01-10 11:22:43.114332 [#72 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:43.114332 [#72 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:43.119538 [#74 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,56,216.58.211.142 0 0 +[97] 2018-01-10 11:22:43.163857 [#75 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:43.163857 [#75 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:43.167576 [#77 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 
0 0 +[80] 2018-01-10 11:22:43.211417 [#78 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:43.211417 [#78 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:43.216686 [#80 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,56,216.58.211.142 0 0 +[97] 2018-01-10 11:22:43.260995 [#81 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:43.260995 [#81 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:43.265047 [#83 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 
0 0 +[80] 2018-01-10 11:22:43.310017 [#84 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:43.310017 [#84 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:43.313596 [#86 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,56,216.58.211.142 0 0 +[97] 2018-01-10 11:22:43.356802 [#87 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:43.356802 [#87 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:43.360685 [#89 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 
0 0 +[80] 2018-01-10 11:22:43.406308 [#90 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:43.406308 [#90 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:43.410191 [#92 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,56,216.58.211.142 0 0 +[97] 2018-01-10 11:22:43.454193 [#93 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[97] 2018-01-10 11:22:43.454193 [#93 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[197] 2018-01-10 11:22:43.458191 [#95 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0 +[80] 2018-01-10 11:22:43.503242 [#96 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[80] 2018-01-10 11:22:43.503242 [#96 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[98] 2018-01-10 11:22:43.506884 [#98 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,56,216.58.211.142 0 0 +[52] 2018-01-10 11:22:43.507821 [#99 dnso1tcp-bighole.pcap-dist 4095] \ + [172.17.0.8].51388 [8.8.8.8].53 +[52] 2018-01-10 11:22:43.511351 [#100 dnso1tcp-bighole.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.8].51388 
diff --git a/src/test/test8.sh b/src/test/test8.sh
new file mode 100755
index 0000000..e091ff6
--- /dev/null
+++ b/src/test/test8.sh
@@ -0,0 +1,16 @@
+#!/bin/sh -xe
+
+rm -f test8.out test8.layer.out
+
+for what in dnsotcp-many1pkt.pcap-dist dnsotcp-manyopkts.pcap-dist; do
+ ../dnscap -r "$what" -g -T -o reassemble_tcp=yes 2>>test8.out
+ ../dnscap -r "$what" -g -T -o reassemble_tcp=yes -o use_layers=yes 2>>test8.layer.out
+done
+
+for what in dnso1tcp-bighole.pcap-dist; do
+ ../dnscap -r "$what" -g -T -o reassemble_tcp=yes -o allow_reset_tcpstate=yes 2>>test8.out
+ ../dnscap -r "$what" -g -T -o reassemble_tcp=yes -o allow_reset_tcpstate=yes -o use_layers=yes 2>>test8.layer.out
+done
+
+diff test8.out "$srcdir/test8.gold"
+diff test8.layer.out "$srcdir/test8.gold"
diff --git a/src/test/test9.gold b/src/test/test9.gold
new file mode 100644
index 0000000..1c50c70
--- /dev/null
+++ b/src/test/test9.gold
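Review bot: The `-xe` flags live only on the `#!/bin/sh -xe` line, so they are lost whenever the script is started as `sh test8.sh` instead of being executed directly. Without `-e` the script's status is that of the last `diff`, which means a mismatch in `test8.out`, or a non-zero exit from `../dnscap` while reassembling `dnso1tcp-bighole.pcap-dist`, can pass unnoticed as long as `test8.layer.out` matches. Putting `set -xe` as the first command makes the failure handling independent of how the test is launched; test9.sh later in this commit uses the same shebang-only form.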
@@ -0,0 +1,104 @@ +[56] 2016-10-20 15:23:52.860937 [#0 dns.pcap-dist 4095] \ + [172.17.0.10].40953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#1 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#2 dns.pcap-dist 4095] \ + [172.17.0.10].45174 [8.8.8.8].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#3 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#4 dns.pcap-dist 4095] \ + [172.17.0.10].33916 [8.8.8.8].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#5 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. 
\ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#0 dns.pcap-dist 4095] \ + [172.17.0.10].40953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#1 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#2 dns.pcap-dist 4095] \ + [172.17.0.10].45174 [8.8.8.8].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#3 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#4 dns.pcap-dist 4095] \ + [172.17.0.10].33916 [8.8.8.8].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#5 dns.pcap-dist 4095] \ + [8.8.8.8].53 [172.17.0.10].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10
diff --git a/src/test/test9.sh b/src/test/test9.sh
new file mode 100755
index 0000000..aff7610
--- /dev/null
+++ b/src/test/test9.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -xe
+
+../dnscap -r dns.pcap-dist -g -B '2016-10-20 15:23:30' -E '2016-10-20 15:24:00' 2>test9.out
+../dnscap -r dns.pcap-dist -o use_layers=yes -g -B '2016-10-20 15:23:30' -E '2016-10-20 15:24:00' 2>>test9.out
+
+diff test9.out "$srcdir/test9.gold"
diff --git a/src/test/vlan11.gold b/src/test/vlan11.gold
new file mode 100644
index 0000000..92f8d39
--- /dev/null
+++ b/src/test/vlan11.gold
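Review bot: The script gives no hint of what the `-B`/`-E` window is meant to select, and test9.gold only shows packets stamped 15:23:52 to 15:23:59, none of which falls on either bound. As written the test therefore does not pin whether the bounds are inclusive, nor which time zone the bare strings are read in (the parsing is not visible in this hunk). A comment such as `# window must select only the 15:23:52-15:23:59 packets; -B/-E are read as UTC`, if that is the case, plus `TZ=UTC; export TZ` before the two runs, would make the expectation explicit and keep the result independent of the builder's environment.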
@@ -0,0 +1,714 @@ +[56] 2016-10-20 15:23:01.075993 [#0 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].53199 [8.8.8.8].53 \ + dns QUERY,NOERROR,59311,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.077982 [#1 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].53199 \ + dns QUERY,NOERROR,59311,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns4.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[73] 2016-10-20 15:23:01.082865 [#2 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].57822 [8.8.8.8].53 \ + dns QUERY,NOERROR,35665,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:01.084107 [#3 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].57822 \ + dns QUERY,NOERROR,35665,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 \ + ns2.google.com.,IN,A,157880,216.239.34.10 +[56] 2016-10-20 15:23:01.087291 [#4 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].40043 [8.8.8.8].53 \ + dns QUERY,NOERROR,5337,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:01.088733 [#5 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].40043 \ + dns QUERY,NOERROR,5337,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,44,216.58.218.206 \ + 4 google.com.,IN,NS,157880,ns1.google.com. \ + google.com.,IN,NS,157880,ns2.google.com. \ + google.com.,IN,NS,157880,ns3.google.com. \ + google.com.,IN,NS,157880,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157880,216.239.34.10 \ + ns1.google.com.,IN,A,331882,216.239.32.10 \ + ns3.google.com.,IN,A,157880,216.239.36.10 \ + ns4.google.com.,IN,A,157880,216.239.38.10 +[56] 2016-10-20 15:23:10.322117 [#6 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].37953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22982,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:10.323399 [#7 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].37953 \ + dns QUERY,NOERROR,22982,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,34,216.58.218.206 \ + 4 google.com.,IN,NS,157870,ns4.google.com. \ + google.com.,IN,NS,157870,ns1.google.com. \ + google.com.,IN,NS,157870,ns2.google.com. \ + google.com.,IN,NS,157870,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157870,216.239.34.10 \ + ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 +[73] 2016-10-20 15:23:10.328324 [#8 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].48658 [8.8.8.8].53 \ + dns QUERY,NOERROR,18718,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:10.329572 [#9 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].48658 \ + dns QUERY,NOERROR,18718,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331872,216.239.32.10 \ + ns3.google.com.,IN,A,157870,216.239.36.10 \ + ns4.google.com.,IN,A,157870,216.239.38.10 \ + ns2.google.com.,IN,A,157870,216.239.34.10 +[56] 2016-10-20 15:23:52.860937 [#10 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].40953 [8.8.8.8].53 \ + dns QUERY,NOERROR,22531,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:52.863771 [#11 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].40953 \ + dns QUERY,NOERROR,22531,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,297,216.58.218.206 \ + 4 google.com.,IN,NS,157828,ns2.google.com. \ + google.com.,IN,NS,157828,ns4.google.com. \ + google.com.,IN,NS,157828,ns1.google.com. \ + google.com.,IN,NS,157828,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157828,216.239.34.10 \ + ns1.google.com.,IN,A,331830,216.239.32.10 \ + ns3.google.com.,IN,A,157828,216.239.36.10 \ + ns4.google.com.,IN,A,157828,216.239.38.10 +[56] 2016-10-20 15:23:59.083869 [#12 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].45174 [8.8.8.8].53 \ + dns QUERY,NOERROR,58510,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:23:59.086104 [#13 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].45174 \ + dns QUERY,NOERROR,58510,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,291,216.58.218.206 \ + 4 google.com.,IN,NS,157822,ns2.google.com. \ + google.com.,IN,NS,157822,ns3.google.com. \ + google.com.,IN,NS,157822,ns1.google.com. \ + google.com.,IN,NS,157822,ns4.google.com. \ + 4 ns2.google.com.,IN,A,157822,216.239.34.10 \ + ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 +[73] 2016-10-20 15:23:59.090911 [#14 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].33916 [8.8.8.8].53 \ + dns QUERY,NOERROR,45248,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:23:59.092204 [#15 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].33916 \ + dns QUERY,NOERROR,45248,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331824,216.239.32.10 \ + ns3.google.com.,IN,A,157822,216.239.36.10 \ + ns4.google.com.,IN,A,157822,216.239.38.10 \ + ns2.google.com.,IN,A,157822,216.239.34.10 +[56] 2016-10-20 15:24:04.323868 [#16 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].43559 [8.8.8.8].53 \ + dns QUERY,NOERROR,49483,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:04.325597 [#17 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].43559 \ + dns QUERY,NOERROR,49483,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,285,216.58.218.206 \ + 4 google.com.,IN,NS,157816,ns4.google.com. \ + google.com.,IN,NS,157816,ns3.google.com. \ + google.com.,IN,NS,157816,ns1.google.com. \ + google.com.,IN,NS,157816,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157816,216.239.34.10 \ + ns1.google.com.,IN,A,331818,216.239.32.10 \ + ns3.google.com.,IN,A,157816,216.239.36.10 \ + ns4.google.com.,IN,A,157816,216.239.38.10 +[56] 2016-10-20 15:24:06.332239 [#18 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].54859 [8.8.8.8].53 \ + dns QUERY,NOERROR,31669,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:06.333743 [#19 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].54859 \ + dns QUERY,NOERROR,31669,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,283,216.58.218.206 \ + 4 google.com.,IN,NS,157814,ns2.google.com. \ + google.com.,IN,NS,157814,ns1.google.com. \ + google.com.,IN,NS,157814,ns4.google.com. \ + google.com.,IN,NS,157814,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157814,216.239.34.10 \ + ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 +[73] 2016-10-20 15:24:06.339145 [#20 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].58176 [8.8.8.8].53 \ + dns QUERY,NOERROR,25433,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:06.340820 [#21 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].58176 \ + dns QUERY,NOERROR,25433,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331816,216.239.32.10 \ + ns3.google.com.,IN,A,157814,216.239.36.10 \ + ns4.google.com.,IN,A,157814,216.239.38.10 \ + ns2.google.com.,IN,A,157814,216.239.34.10 +[56] 2016-10-20 15:24:07.346429 [#22 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].41266 [8.8.8.8].53 \ + dns QUERY,NOERROR,63798,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:07.348160 [#23 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].41266 \ + dns QUERY,NOERROR,63798,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,282,216.58.218.206 \ + 4 google.com.,IN,NS,157813,ns4.google.com. \ + google.com.,IN,NS,157813,ns1.google.com. \ + google.com.,IN,NS,157813,ns3.google.com. \ + google.com.,IN,NS,157813,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157813,216.239.34.10 \ + ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 +[73] 2016-10-20 15:24:07.353123 [#24 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].34607 [8.8.8.8].53 \ + dns QUERY,NOERROR,8470,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:07.354682 [#25 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].34607 \ + dns QUERY,NOERROR,8470,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \ + 4 ns1.google.com.,IN,A,331815,216.239.32.10 \ + ns3.google.com.,IN,A,157813,216.239.36.10 \ + ns4.google.com.,IN,A,157813,216.239.38.10 \ + ns2.google.com.,IN,A,157813,216.239.34.10 +[56] 2016-10-20 15:24:08.360528 [#26 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].60437 [8.8.8.8].53 \ + dns QUERY,NOERROR,60258,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:08.362206 [#27 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].60437 \ + dns QUERY,NOERROR,60258,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,281,216.58.218.206 \ + 4 google.com.,IN,NS,157812,ns3.google.com. \ + google.com.,IN,NS,157812,ns2.google.com. \ + google.com.,IN,NS,157812,ns4.google.com. \ + google.com.,IN,NS,157812,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157812,216.239.34.10 \ + ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 +[73] 2016-10-20 15:24:08.368516 [#28 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].37149 [8.8.8.8].53 \ + dns QUERY,NOERROR,44985,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:08.370119 [#29 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].37149 \ + dns QUERY,NOERROR,44985,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331814,216.239.32.10 \ + ns3.google.com.,IN,A,157812,216.239.36.10 \ + ns4.google.com.,IN,A,157812,216.239.38.10 \ + ns2.google.com.,IN,A,157812,216.239.34.10 +[56] 2016-10-20 15:24:09.375942 [#30 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].53820 [8.8.8.8].53 \ + dns QUERY,NOERROR,45512,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:09.378425 [#31 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].53820 \ + dns QUERY,NOERROR,45512,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,280,216.58.218.206 \ + 4 google.com.,IN,NS,157811,ns3.google.com. \ + google.com.,IN,NS,157811,ns4.google.com. \ + google.com.,IN,NS,157811,ns1.google.com. \ + google.com.,IN,NS,157811,ns2.google.com. 
\ + 4 ns2.google.com.,IN,A,157811,216.239.34.10 \ + ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 +[73] 2016-10-20 15:24:09.384057 [#32 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].52368 [8.8.8.8].53 \ + dns QUERY,NOERROR,22980,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:09.385463 [#33 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].52368 \ + dns QUERY,NOERROR,22980,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \ + 4 ns1.google.com.,IN,A,331813,216.239.32.10 \ + ns3.google.com.,IN,A,157811,216.239.36.10 \ + ns4.google.com.,IN,A,157811,216.239.38.10 \ + ns2.google.com.,IN,A,157811,216.239.34.10 +[56] 2016-10-20 15:24:10.391358 [#34 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].47637 [8.8.8.8].53 \ + dns QUERY,NOERROR,1834,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:10.392886 [#35 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].47637 \ + dns QUERY,NOERROR,1834,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,279,216.58.218.206 \ + 4 google.com.,IN,NS,157810,ns1.google.com. \ + google.com.,IN,NS,157810,ns2.google.com. \ + google.com.,IN,NS,157810,ns4.google.com. \ + google.com.,IN,NS,157810,ns3.google.com. 
\ + 4 ns2.google.com.,IN,A,157810,216.239.34.10 \ + ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 +[73] 2016-10-20 15:24:10.398099 [#36 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].34426 [8.8.8.8].53 \ + dns QUERY,NOERROR,25431,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:10.400317 [#37 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].34426 \ + dns QUERY,NOERROR,25431,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \ + 4 ns1.google.com.,IN,A,331812,216.239.32.10 \ + ns3.google.com.,IN,A,157810,216.239.36.10 \ + ns4.google.com.,IN,A,157810,216.239.38.10 \ + ns2.google.com.,IN,A,157810,216.239.34.10 +[56] 2016-10-20 15:24:11.406297 [#38 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].41059 [8.8.8.8].53 \ + dns QUERY,NOERROR,48432,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:11.407460 [#39 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].41059 \ + dns QUERY,NOERROR,48432,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,278,216.58.218.206 \ + 4 google.com.,IN,NS,157809,ns3.google.com. \ + google.com.,IN,NS,157809,ns4.google.com. \ + google.com.,IN,NS,157809,ns2.google.com. \ + google.com.,IN,NS,157809,ns1.google.com. 
\ + 4 ns2.google.com.,IN,A,157809,216.239.34.10 \ + ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 +[73] 2016-10-20 15:24:11.412133 [#40 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].51181 [8.8.8.8].53 \ + dns QUERY,NOERROR,47411,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:11.413370 [#41 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].51181 \ + dns QUERY,NOERROR,47411,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \ + 4 ns1.google.com.,IN,A,331811,216.239.32.10 \ + ns3.google.com.,IN,A,157809,216.239.36.10 \ + ns4.google.com.,IN,A,157809,216.239.38.10 \ + ns2.google.com.,IN,A,157809,216.239.34.10 +[56] 2016-10-20 15:24:12.419936 [#42 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].32976 [8.8.8.8].53 \ + dns QUERY,NOERROR,12038,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:12.421228 [#43 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].32976 \ + dns QUERY,NOERROR,12038,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,277,216.58.218.206 \ + 4 google.com.,IN,NS,157808,ns2.google.com. \ + google.com.,IN,NS,157808,ns3.google.com. \ + google.com.,IN,NS,157808,ns1.google.com. \ + google.com.,IN,NS,157808,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157808,216.239.34.10 \ + ns1.google.com.,IN,A,331810,216.239.32.10 \ + ns3.google.com.,IN,A,157808,216.239.36.10 \ + ns4.google.com.,IN,A,157808,216.239.38.10 +[56] 2016-10-20 15:24:14.428524 [#44 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].53467 [8.8.8.8].53 \ + dns QUERY,NOERROR,11614,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:14.429863 [#45 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].53467 \ + dns QUERY,NOERROR,11614,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,275,216.58.218.206 \ + 4 google.com.,IN,NS,157806,ns3.google.com. \ + google.com.,IN,NS,157806,ns1.google.com. \ + google.com.,IN,NS,157806,ns4.google.com. \ + google.com.,IN,NS,157806,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157806,216.239.34.10 \ + ns1.google.com.,IN,A,331808,216.239.32.10 \ + ns3.google.com.,IN,A,157806,216.239.36.10 \ + ns4.google.com.,IN,A,157806,216.239.38.10 +[56] 2016-10-20 15:24:16.435733 [#46 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].41532 [8.8.8.8].53 \ + dns QUERY,NOERROR,59173,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:16.437471 [#47 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].41532 \ + dns QUERY,NOERROR,59173,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,273,216.58.218.206 \ + 4 google.com.,IN,NS,157804,ns1.google.com. \ + google.com.,IN,NS,157804,ns3.google.com. \ + google.com.,IN,NS,157804,ns2.google.com. \ + google.com.,IN,NS,157804,ns4.google.com. 
\ + 4 ns2.google.com.,IN,A,157804,216.239.34.10 \ + ns1.google.com.,IN,A,331806,216.239.32.10 \ + ns3.google.com.,IN,A,157804,216.239.36.10 \ + ns4.google.com.,IN,A,157804,216.239.38.10 +[56] 2016-10-20 15:24:18.445519 [#48 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].44982 [8.8.8.8].53 \ + dns QUERY,NOERROR,45535,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:18.446775 [#49 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].44982 \ + dns QUERY,NOERROR,45535,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,271,216.58.218.206 \ + 4 google.com.,IN,NS,157802,ns4.google.com. \ + google.com.,IN,NS,157802,ns2.google.com. \ + google.com.,IN,NS,157802,ns1.google.com. \ + google.com.,IN,NS,157802,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157802,216.239.34.10 \ + ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 +[73] 2016-10-20 15:24:18.452451 [#50 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].40224 [8.8.8.8].53 \ + dns QUERY,NOERROR,60808,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:18.454030 [#51 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].40224 \ + dns QUERY,NOERROR,60808,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331804,216.239.32.10 \ + ns3.google.com.,IN,A,157802,216.239.36.10 \ + ns4.google.com.,IN,A,157802,216.239.38.10 \ + ns2.google.com.,IN,A,157802,216.239.34.10 +[56] 2016-10-20 15:24:19.460087 [#52 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].45658 [8.8.8.8].53 \ + dns QUERY,NOERROR,64325,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:19.462224 [#53 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].45658 \ + dns QUERY,NOERROR,64325,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,270,216.58.218.206 \ + 4 google.com.,IN,NS,157801,ns1.google.com. \ + google.com.,IN,NS,157801,ns3.google.com. \ + google.com.,IN,NS,157801,ns4.google.com. \ + google.com.,IN,NS,157801,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157801,216.239.34.10 \ + ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 +[73] 2016-10-20 15:24:19.467324 [#54 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].60457 [8.8.8.8].53 \ + dns QUERY,NOERROR,25543,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:19.468895 [#55 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].60457 \ + dns QUERY,NOERROR,25543,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331803,216.239.32.10 \ + ns3.google.com.,IN,A,157801,216.239.36.10 \ + ns4.google.com.,IN,A,157801,216.239.38.10 \ + ns2.google.com.,IN,A,157801,216.239.34.10 +[56] 2016-10-20 15:24:20.475086 [#56 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].59762 [8.8.8.8].53 \ + dns QUERY,NOERROR,20736,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:20.476841 [#57 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].59762 \ + dns QUERY,NOERROR,20736,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,269,216.58.218.206 \ + 4 google.com.,IN,NS,157800,ns3.google.com. \ + google.com.,IN,NS,157800,ns1.google.com. \ + google.com.,IN,NS,157800,ns4.google.com. \ + google.com.,IN,NS,157800,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157800,216.239.34.10 \ + ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 +[73] 2016-10-20 15:24:20.482188 [#58 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].56022 [8.8.8.8].53 \ + dns QUERY,NOERROR,25911,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:20.483927 [#59 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].56022 \ + dns QUERY,NOERROR,25911,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. 
\ + 4 ns1.google.com.,IN,A,331802,216.239.32.10 \ + ns3.google.com.,IN,A,157800,216.239.36.10 \ + ns4.google.com.,IN,A,157800,216.239.38.10 \ + ns2.google.com.,IN,A,157800,216.239.34.10 +[56] 2016-10-20 15:24:21.489468 [#60 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].37669 [8.8.8.8].53 \ + dns QUERY,NOERROR,64358,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:21.490573 [#61 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].37669 \ + dns QUERY,NOERROR,64358,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,268,216.58.218.206 \ + 4 google.com.,IN,NS,157799,ns2.google.com. \ + google.com.,IN,NS,157799,ns1.google.com. \ + google.com.,IN,NS,157799,ns4.google.com. \ + google.com.,IN,NS,157799,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157799,216.239.34.10 \ + ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 +[73] 2016-10-20 15:24:21.495324 [#62 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].42978 [8.8.8.8].53 \ + dns QUERY,NOERROR,37698,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:21.496815 [#63 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].42978 \ + dns QUERY,NOERROR,37698,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331801,216.239.32.10 \ + ns3.google.com.,IN,A,157799,216.239.36.10 \ + ns4.google.com.,IN,A,157799,216.239.38.10 \ + ns2.google.com.,IN,A,157799,216.239.34.10 +[56] 2016-10-20 15:24:22.502667 [#64 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].49829 [8.8.8.8].53 \ + dns QUERY,NOERROR,54706,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:22.504738 [#65 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].49829 \ + dns QUERY,NOERROR,54706,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,267,216.58.218.206 \ + 4 google.com.,IN,NS,157798,ns2.google.com. \ + google.com.,IN,NS,157798,ns4.google.com. \ + google.com.,IN,NS,157798,ns3.google.com. \ + google.com.,IN,NS,157798,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157798,216.239.34.10 \ + ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 +[73] 2016-10-20 15:24:22.510176 [#66 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].50599 [8.8.8.8].53 \ + dns QUERY,NOERROR,32142,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:22.511746 [#67 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].50599 \ + dns QUERY,NOERROR,32142,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. 
\ + 4 ns1.google.com.,IN,A,331800,216.239.32.10 \ + ns3.google.com.,IN,A,157798,216.239.36.10 \ + ns4.google.com.,IN,A,157798,216.239.38.10 \ + ns2.google.com.,IN,A,157798,216.239.34.10 +[56] 2016-10-20 15:24:23.520203 [#68 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].44980 [8.8.8.8].53 \ + dns QUERY,NOERROR,41808,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:23.521976 [#69 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].44980 \ + dns QUERY,NOERROR,41808,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,266,216.58.218.206 \ + 4 google.com.,IN,NS,157797,ns2.google.com. \ + google.com.,IN,NS,157797,ns4.google.com. \ + google.com.,IN,NS,157797,ns1.google.com. \ + google.com.,IN,NS,157797,ns3.google.com. \ + 4 ns2.google.com.,IN,A,157797,216.239.34.10 \ + ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 +[73] 2016-10-20 15:24:23.527449 [#70 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].60063 [8.8.8.8].53 \ + dns QUERY,NOERROR,18886,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:23.529385 [#71 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].60063 \ + dns QUERY,NOERROR,18886,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331799,216.239.32.10 \ + ns3.google.com.,IN,A,157797,216.239.36.10 \ + ns4.google.com.,IN,A,157797,216.239.38.10 \ + ns2.google.com.,IN,A,157797,216.239.34.10 +[56] 2016-10-20 15:24:24.537264 [#72 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].42042 [8.8.8.8].53 \ + dns QUERY,NOERROR,10624,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:24.539398 [#73 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].42042 \ + dns QUERY,NOERROR,10624,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,265,216.58.218.206 \ + 4 google.com.,IN,NS,157796,ns3.google.com. \ + google.com.,IN,NS,157796,ns4.google.com. \ + google.com.,IN,NS,157796,ns1.google.com. \ + google.com.,IN,NS,157796,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157796,216.239.34.10 \ + ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 +[73] 2016-10-20 15:24:24.544538 [#74 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].60469 [8.8.8.8].53 \ + dns QUERY,NOERROR,33139,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:24.546172 [#75 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].60469 \ + dns QUERY,NOERROR,33139,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. 
\ + 4 ns1.google.com.,IN,A,331798,216.239.32.10 \ + ns3.google.com.,IN,A,157796,216.239.36.10 \ + ns4.google.com.,IN,A,157796,216.239.38.10 \ + ns2.google.com.,IN,A,157796,216.239.34.10 +[56] 2016-10-20 15:24:25.554744 [#76 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].45703 [8.8.8.8].53 \ + dns QUERY,NOERROR,61415,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:25.556513 [#77 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].45703 \ + dns QUERY,NOERROR,61415,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,264,216.58.218.206 \ + 4 google.com.,IN,NS,157795,ns3.google.com. \ + google.com.,IN,NS,157795,ns4.google.com. \ + google.com.,IN,NS,157795,ns2.google.com. \ + google.com.,IN,NS,157795,ns1.google.com. \ + 4 ns2.google.com.,IN,A,157795,216.239.34.10 \ + ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 +[73] 2016-10-20 15:24:25.562608 [#78 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].33507 [8.8.8.8].53 \ + dns QUERY,NOERROR,59258,rd \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0 +[289] 2016-10-20 15:24:25.564509 [#79 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].33507 \ + dns QUERY,NOERROR,59258,qr|rd|ra \ + 1 206.218.58.216.in-addr.arpa.,IN,PTR \ + 2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \ + 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \ + 4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \ + 218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. 
\ + 4 ns1.google.com.,IN,A,331797,216.239.32.10 \ + ns3.google.com.,IN,A,157795,216.239.36.10 \ + ns4.google.com.,IN,A,157795,216.239.38.10 \ + ns2.google.com.,IN,A,157795,216.239.34.10 +[56] 2016-10-20 15:24:26.572784 [#80 vlan11.pcap-dist (vlan 11) 11] \ + [172.17.0.10].46798 [8.8.8.8].53 \ + dns QUERY,NOERROR,17700,rd \ + 1 google.com.,IN,A 0 0 0 +[208] 2016-10-20 15:24:26.574350 [#81 vlan11.pcap-dist (vlan 11) 11] \ + [8.8.8.8].53 [172.17.0.10].46798 \ + dns QUERY,NOERROR,17700,qr|rd|ra \ + 1 google.com.,IN,A \ + 1 google.com.,IN,A,263,216.58.218.206 \ + 4 google.com.,IN,NS,157794,ns1.google.com. \ + google.com.,IN,NS,157794,ns4.google.com. \ + google.com.,IN,NS,157794,ns3.google.com. \ + google.com.,IN,NS,157794,ns2.google.com. \ + 4 ns2.google.com.,IN,A,157794,216.239.34.10 \ + ns1.google.com.,IN,A,331796,216.239.32.10 \ + ns3.google.com.,IN,A,157794,216.239.36.10 \ + ns4.google.com.,IN,A,157794,216.239.38.10 diff --git a/src/test/vlan11.pcap b/src/test/vlan11.pcap Binary files differnew file mode 100644 index 0000000..9e1f5be --- /dev/null +++ b/src/test/vlan11.pcap |