From 22c74419e2c258319bc723351876604b3304604b Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Thu, 4 Mar 2021 20:22:03 +0100
Subject: Adding upstream version 2.0.0+debian.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 .clang-format                          |    6 +
 .copr/Makefile                         |   23 +
 .github/FUNDING.yml                    |    1 +
 .gitignore                             |   36 +
 .gitmodules                            |    3 +
 .lgtm.yml                              |   26 +
 .travis.yml                            |   30 +
 CBOR_DNS_STREAM.md                     |  399 ++++
 CHANGES                                |  796 +++++++
 CONTRIBUTORS                           |   17 +
 LICENSE                                |   33 +
 Makefile.am                            |   13 +
 README.md                              |  247 +++
 autogen.sh                             |    3 +
 configure.ac                           |  160 ++
 contrib/cdsdump.py                     |  699 ++++++
 contrib/cdsidxchk.py                   |  797 +++++++
 fmt.sh                                 |    9 +
 isc/assertions.h                       |  123 +
 isc/list.h                             |  117 +
 m4/.placeholder                        |    0
 m4/ax_append_flag.m4                   |   50 +
 m4/ax_cflags_warn_all.m4               |  122 +
 m4/ax_require_defined.m4               |   37 +
 m4/dl.sh                               |    8 +
 plugins/Makefile.am                    |    6 +
 plugins/anonaes128/Makefile.am         |   24 +
 plugins/anonaes128/anonaes128.c        |  344 +++
 plugins/anonaes128/test1.gold          | 2146 ++++++++++++++++++
 plugins/anonaes128/test1.sh            |   26 +
 plugins/anonaes128/test2.gold          |   33 +
 plugins/anonaes128/test2.sh            |   30 +
 plugins/anonaes128/test3.gold          |   11 +
 plugins/anonaes128/test3.sh            |   29 +
 plugins/anonaes128/test4.sh            |   24 +
 plugins/anonmask/Makefile.am           |   23 +
 plugins/anonmask/anonmask.c            |  244 ++
 plugins/anonmask/test1.gold            | 2857 ++++++++++++++++++++++++
 plugins/anonmask/test1.sh              |   24 +
 plugins/anonmask/test2.gold            |   77 +
 plugins/anonmask/test2.sh              |   34 +
 plugins/anonmask/test3.sh              |   16 +
 plugins/cryptopan/Makefile.am          |   24 +
 plugins/cryptopan/cryptopan.c          |  475 ++++
 plugins/cryptopan/test1.gold           | 2147 ++++++++++++++++++
 plugins/cryptopan/test1.sh             |   27 +
 plugins/cryptopan/test2.gold           |   33 +
 plugins/cryptopan/test2.sh             |   30 +
 plugins/cryptopan/test3.gold           |  725 ++++++
 plugins/cryptopan/test3.sh             |   32 +
 plugins/cryptopan/test4.sh             |   26 +
 plugins/cryptopant/Makefile.am         |   24 +
 plugins/cryptopant/cryptopant.c        |  241 ++
 plugins/cryptopant/keyfile             |    1 +
 plugins/cryptopant/test1.gold          | 2858 ++++++++++++++++++++++++
 plugins/cryptopant/test1.sh            |   31 +
 plugins/cryptopant/test2.gold          |   33 +
 plugins/cryptopant/test2.sh            |   37 +
 plugins/cryptopant/test3.gold          |  725 ++++++
 plugins/cryptopant/test3.sh            |   38 +
 plugins/cryptopant/test4.sh            |   22 +
 plugins/eventlog/Makefile.am           |   22 +
 plugins/eventlog/eventlog.c            |  425 ++++
 plugins/eventlog/test1.sh              |   22 +
 plugins/ipcrypt/Makefile.am            |   24 +
 plugins/ipcrypt/ipcrypt.c              |  351 +++
 plugins/ipcrypt/test1.gold             | 2144 ++++++++++++++++++
 plugins/ipcrypt/test1.sh               |   24 +
 plugins/ipcrypt/test2.gold             |   33 +
 plugins/ipcrypt/test2.sh               |   30 +
 plugins/ipcrypt/test3.gold             |  725 ++++++
 plugins/ipcrypt/test3.sh               |   32 +
 plugins/ipcrypt/test4.sh               |   21 +
 plugins/pcapdump/Makefile.am           |   22 +
 plugins/pcapdump/pcapdump.c            |  262 +++
 plugins/pcapdump/test1.sh              |   16 +
 plugins/royparse/Makefile.am           |   22 +
 plugins/royparse/royparse.c            |  272 +++
 plugins/royparse/test1.sh              |   15 +
 plugins/rssm/.gitignore                |    1 +
 plugins/rssm/Makefile.am               |   42 +
 plugins/rssm/README.md                 |   41 +
 plugins/rssm/dnscap-rssm-rssac002      |  209 ++
 plugins/rssm/dnscap-rssm-rssac002.1.in |   98 +
 plugins/rssm/rssm.c                    |  696 ++++++
 plugins/rssm/test1.gold                |   58 +
 plugins/rssm/test1.sh                  |   11 +
 plugins/rssm/test2.gold                |   43 +
 plugins/rssm/test2.sh                  |    5 +
 plugins/rssm/test3.gold                |   57 +
 plugins/rssm/test3.sh                  |   11 +
 plugins/rssm/test4.sh                  |   14 +
 plugins/rssm/test5.gold                |   58 +
 plugins/rssm/test5.sh                  |   11 +
 plugins/rzkeychange/Makefile.am        |   23 +
 plugins/rzkeychange/rzkeychange.c      |  470 ++++
 plugins/rzkeychange/test1.sh           |   21 +
 plugins/template/Makefile.am           |   22 +
 plugins/template/template.c            |  147 ++
 plugins/template/test1.sh              |   13 +
 plugins/txtout/Makefile.am             |   22 +
 plugins/txtout/test1.sh                |   15 +
 plugins/txtout/txtout.c                |  299 +++
 rpm/dnscap.spec                        |  605 +++++
 sonar-project.properties.local         |    1 +
 src/Makefile.am                        |   42 +
 src/args.c                             |  843 +++++++
 src/args.h                             |   48 +
 src/assert.c                           |   54 +
 src/bpft.c                             |  233 ++
 src/bpft.h                             |   45 +
 src/daemon.c                           |  250 +++
 src/daemon.h                           |   43 +
 src/dnscap.1.in                        | 1011 +++++++++
 src/dnscap.c                           |  249 +++
 src/dnscap.h                           |  441 ++++
 src/dnscap_common.h                    |  158 ++
 src/dump_cbor.c                        |  680 ++++++
 src/dump_cbor.h                        |   65 +
 src/dump_cds.c                         | 1962 ++++++++++++++++
 src/dump_cds.h                         |  218 ++
 src/dump_dns.c                         |  319 +++
 src/dump_dns.h                         |   47 +
 src/dumper.c                           |  399 ++++
 src/dumper.h                           |   50 +
 src/endian_compat.h                    |  108 +
 src/endpoint.c                         |  103 +
 src/endpoint.h                         |   44 +
 src/hashtbl.c                          |  161 ++
 src/hashtbl.h                          |   70 +
 src/iaddr.c                            |   68 +
 src/iaddr.h                            |   43 +
 src/log.c                              |   52 +
 src/log.h                              |   42 +
 src/memzero.c                          |   62 +
 src/memzero.h                          |   40 +
 src/network.c                          | 1834 +++++++++++++++
 src/network.h                          |   52 +
 src/options.c                          |  248 +++
 src/options.h                          |  121 +
 src/pcap-thread/m4/ax_pcap_thread.m4   |   15 +
 src/pcap-thread/m4/ax_pthread.m4       |  485 ++++
 src/pcap-thread/pcap_thread.c          | 3818 ++++++++++++++++++++++++++++++++
 src/pcap-thread/pcap_thread.h          |  640 ++++++
 src/pcap-thread/pcap_thread_ext_frag.c | 1013 +++++++++
 src/pcap-thread/pcap_thread_ext_frag.h |  131 ++
 src/pcaps.c                            |  236 ++
 src/pcaps.h                            |   47 +
 src/sig.c                              |  102 +
 src/sig.h                              |   45 +
 src/tcpreasm.c                         |  547 +++++
 src/tcpreasm.h                         |   44 +
 src/tcpstate.c                         |  141 ++
 src/tcpstate.h                         |   46 +
 src/test/.gitignore                    |    4 +
 src/test/1qtcpnosyn.pcap               |  Bin 0 -> 778 bytes
 src/test/1qtcppadd.pcap                |  Bin 0 -> 1028 bytes
 src/test/Makefile.am                   |   68 +
 src/test/dns.gold                      |  714 ++++++
 src/test/dns.pcap                      |  Bin 0 -> 20228 bytes
 src/test/dns6.pcap                     |  Bin 0 -> 274 bytes
 src/test/dnso1tcp-bighole.pcap         |  Bin 0 -> 21212 bytes
 src/test/dnso1tcp-midmiss.pcap         |  Bin 0 -> 1843 bytes
 src/test/dnso1tcp.pcap                 |  Bin 0 -> 22512 bytes
 src/test/dnsotcp-many1pkt.pcap         |  Bin 0 -> 1007 bytes
 src/test/dnsotcp-manyopkts.pcap        |  Bin 0 -> 704 bytes
 src/test/dnspad.gold                   |    8 +
 src/test/dnspad.pcap                   |  Bin 0 -> 113 bytes
 src/test/do1t-nosyn-1nolen.pcap        |  Bin 0 -> 1028 bytes
 src/test/frags.pcap                    |  Bin 0 -> 28694 bytes
 src/test/test1.sh                      |    9 +
 src/test/test10.gold                   |   22 +
 src/test/test10.sh                     |    6 +
 src/test/test11.sh                     |   79 +
 src/test/test12.sh                     |    6 +
 src/test/test13.sh                     |   28 +
 src/test/test14.gold                   | 2864 ++++++++++++++++++++++++
 src/test/test14.sh                     |   25 +
 src/test/test2.sh                      |    6 +
 src/test/test3.sh                      |   13 +
 src/test/test4.sh                      |    6 +
 src/test/test5.sh                      |   20 +
 src/test/test6.sh                      |    6 +
 src/test/test7.gold                    | 1417 ++++++++++++
 src/test/test7.sh                      |   33 +
 src/test/test8.gold                    |  440 ++++
 src/test/test8.sh                      |   16 +
 src/test/test9.gold                    |  104 +
 src/test/test9.sh                      |    6 +
 src/test/vlan11.gold                   |  714 ++++++
 src/test/vlan11.pcap                   |  Bin 0 -> 20760 bytes
 191 files changed, 48816 insertions(+)
 create mode 100644 .clang-format
 create mode 100644 .copr/Makefile
 create mode 100644 .github/FUNDING.yml
 create mode 100644 .gitignore
 create mode 100644 .gitmodules
 create mode 100644 .lgtm.yml
 create mode 100644 .travis.yml
 create mode 100644 CBOR_DNS_STREAM.md
 create mode 100644 CHANGES
 create mode 100644 CONTRIBUTORS
 create mode 100644 LICENSE
 create mode 100644 Makefile.am
 create mode 100644 README.md
 create mode 100755 autogen.sh
 create mode 100644 configure.ac
 create mode 100755 contrib/cdsdump.py
 create mode 100755 contrib/cdsidxchk.py
 create mode 100755 fmt.sh
 create mode 100644 isc/assertions.h
 create mode 100644 isc/list.h
 create mode 100644 m4/.placeholder
 create mode 100644 m4/ax_append_flag.m4
 create mode 100644 m4/ax_cflags_warn_all.m4
 create mode 100644 m4/ax_require_defined.m4
 create mode 100755 m4/dl.sh
 create mode 100644 plugins/Makefile.am
 create mode 100644 plugins/anonaes128/Makefile.am
 create mode 100644 plugins/anonaes128/anonaes128.c
 create mode 100644 plugins/anonaes128/test1.gold
 create mode 100755 plugins/anonaes128/test1.sh
 create mode 100644 plugins/anonaes128/test2.gold
 create mode 100755 plugins/anonaes128/test2.sh
 create mode 100644 plugins/anonaes128/test3.gold
 create mode 100755 plugins/anonaes128/test3.sh
 create mode 100755 plugins/anonaes128/test4.sh
 create mode 100644 plugins/anonmask/Makefile.am
 create mode 100644 plugins/anonmask/anonmask.c
 create mode 100644 plugins/anonmask/test1.gold
 create mode 100755 plugins/anonmask/test1.sh
 create mode 100644 plugins/anonmask/test2.gold
 create mode 100755 plugins/anonmask/test2.sh
 create mode 100755 plugins/anonmask/test3.sh
 create mode 100644 plugins/cryptopan/Makefile.am
 create mode 100644 plugins/cryptopan/cryptopan.c
 create mode 100644 plugins/cryptopan/test1.gold
 create mode 100755 plugins/cryptopan/test1.sh
 create mode 100644 plugins/cryptopan/test2.gold
 create mode 100755 plugins/cryptopan/test2.sh
 create mode 100644 plugins/cryptopan/test3.gold
 create mode 100755 plugins/cryptopan/test3.sh
 create mode 100755 plugins/cryptopan/test4.sh
 create mode 100644 plugins/cryptopant/Makefile.am
 create mode 100644 plugins/cryptopant/cryptopant.c
 create mode 100644 plugins/cryptopant/keyfile
 create mode 100644 plugins/cryptopant/test1.gold
 create mode 100755 plugins/cryptopant/test1.sh
 create mode 100644 plugins/cryptopant/test2.gold
 create mode 100755 plugins/cryptopant/test2.sh
 create mode 100644 plugins/cryptopant/test3.gold
 create mode 100755 plugins/cryptopant/test3.sh
 create mode 100755 plugins/cryptopant/test4.sh
 create mode 100644 plugins/eventlog/Makefile.am
 create mode 100644 plugins/eventlog/eventlog.c
 create mode 100755 plugins/eventlog/test1.sh
 create mode 100644 plugins/ipcrypt/Makefile.am
 create mode 100644 plugins/ipcrypt/ipcrypt.c
 create mode 100644 plugins/ipcrypt/test1.gold
 create mode 100755 plugins/ipcrypt/test1.sh
 create mode 100644 plugins/ipcrypt/test2.gold
 create mode 100755 plugins/ipcrypt/test2.sh
 create mode 100644 plugins/ipcrypt/test3.gold
 create mode 100755 plugins/ipcrypt/test3.sh
 create mode 100755 plugins/ipcrypt/test4.sh
 create mode 100644 plugins/pcapdump/Makefile.am
 create mode 100644 plugins/pcapdump/pcapdump.c
 create mode 100755 plugins/pcapdump/test1.sh
 create mode 100644 plugins/royparse/Makefile.am
 create mode 100644 plugins/royparse/royparse.c
 create mode 100755 plugins/royparse/test1.sh
 create mode 100644 plugins/rssm/.gitignore
 create mode 100644 plugins/rssm/Makefile.am
 create mode 100644 plugins/rssm/README.md
 create mode 100755 plugins/rssm/dnscap-rssm-rssac002
 create mode 100644 plugins/rssm/dnscap-rssm-rssac002.1.in
 create mode 100644 plugins/rssm/rssm.c
 create mode 100644 plugins/rssm/test1.gold
 create mode 100755 plugins/rssm/test1.sh
 create mode 100644 plugins/rssm/test2.gold
 create mode 100755 plugins/rssm/test2.sh
 create mode 100644 plugins/rssm/test3.gold
 create mode 100755 plugins/rssm/test3.sh
 create mode 100755 plugins/rssm/test4.sh
 create mode 100644 plugins/rssm/test5.gold
 create mode 100755 plugins/rssm/test5.sh
 create mode 100644 plugins/rzkeychange/Makefile.am
 create mode 100644 plugins/rzkeychange/rzkeychange.c
 create mode 100755 plugins/rzkeychange/test1.sh
 create mode 100644 plugins/template/Makefile.am
 create mode 100644 plugins/template/template.c
 create mode 100755 plugins/template/test1.sh
 create mode 100644 plugins/txtout/Makefile.am
 create mode 100755 plugins/txtout/test1.sh
 create mode 100644 plugins/txtout/txtout.c
 create mode 100644 rpm/dnscap.spec
 create mode 100644 sonar-project.properties.local
 create mode 100644 src/Makefile.am
 create mode 100644 src/args.c
 create mode 100644 src/args.h
 create mode 100644 src/assert.c
 create mode 100644 src/bpft.c
 create mode 100644 src/bpft.h
 create mode 100644 src/daemon.c
 create mode 100644 src/daemon.h
 create mode 100644 src/dnscap.1.in
 create mode 100644 src/dnscap.c
 create mode 100644 src/dnscap.h
 create mode 100644 src/dnscap_common.h
 create mode 100644 src/dump_cbor.c
 create mode 100644 src/dump_cbor.h
 create mode 100644 src/dump_cds.c
 create mode 100644 src/dump_cds.h
 create mode 100644 src/dump_dns.c
 create mode 100644 src/dump_dns.h
 create mode 100644 src/dumper.c
 create mode 100644 src/dumper.h
 create mode 100644 src/endian_compat.h
 create mode 100644 src/endpoint.c
 create mode 100644 src/endpoint.h
 create mode 100644 src/hashtbl.c
 create mode 100644 src/hashtbl.h
 create mode 100644 src/iaddr.c
 create mode 100644 src/iaddr.h
 create mode 100644 src/log.c
 create mode 100644 src/log.h
 create mode 100644 src/memzero.c
 create mode 100644 src/memzero.h
 create mode 100644 src/network.c
 create mode 100644 src/network.h
 create mode 100644 src/options.c
 create mode 100644 src/options.h
 create mode 100644 src/pcap-thread/m4/ax_pcap_thread.m4
 create mode 100644 src/pcap-thread/m4/ax_pthread.m4
 create mode 100644 src/pcap-thread/pcap_thread.c
 create mode 100644 src/pcap-thread/pcap_thread.h
 create mode 100644 src/pcap-thread/pcap_thread_ext_frag.c
 create mode 100644 src/pcap-thread/pcap_thread_ext_frag.h
 create mode 100644 src/pcaps.c
 create mode 100644 src/pcaps.h
 create mode 100644 src/sig.c
 create mode 100644 src/sig.h
 create mode 100644 src/tcpreasm.c
 create mode 100644 src/tcpreasm.h
 create mode 100644 src/tcpstate.c
 create mode 100644 src/tcpstate.h
 create mode 100644 src/test/.gitignore
 create mode 100644 src/test/1qtcpnosyn.pcap
 create mode 100644 src/test/1qtcppadd.pcap
 create mode 100644 src/test/Makefile.am
 create mode 100644 src/test/dns.gold
 create mode 100644 src/test/dns.pcap
 create mode 100644 src/test/dns6.pcap
 create mode 100644 src/test/dnso1tcp-bighole.pcap
 create mode 100644 src/test/dnso1tcp-midmiss.pcap
 create mode 100644 src/test/dnso1tcp.pcap
 create mode 100644 src/test/dnsotcp-many1pkt.pcap
 create mode 100644 src/test/dnsotcp-manyopkts.pcap
 create mode 100644 src/test/dnspad.gold
 create mode 100644 src/test/dnspad.pcap
 create mode 100644 src/test/do1t-nosyn-1nolen.pcap
 create mode 100644 src/test/frags.pcap
 create mode 100755 src/test/test1.sh
 create mode 100644 src/test/test10.gold
 create mode 100755 src/test/test10.sh
 create mode 100755 src/test/test11.sh
 create mode 100755 src/test/test12.sh
 create mode 100755 src/test/test13.sh
 create mode 100644 src/test/test14.gold
 create mode 100755 src/test/test14.sh
 create mode 100755 src/test/test2.sh
 create mode 100755 src/test/test3.sh
 create mode 100755 src/test/test4.sh
 create mode 100755 src/test/test5.sh
 create mode 100755 src/test/test6.sh
 create mode 100644 src/test/test7.gold
 create mode 100755 src/test/test7.sh
 create mode 100644 src/test/test8.gold
 create mode 100755 src/test/test8.sh
 create mode 100644 src/test/test9.gold
 create mode 100755 src/test/test9.sh
 create mode 100644 src/test/vlan11.gold
 create mode 100644 src/test/vlan11.pcap

diff --git a/.clang-format b/.clang-format
new file mode 100644
index 0000000..1bd4430
--- /dev/null
+++ b/.clang-format
@@ -0,0 +1,6 @@
+BasedOnStyle: webkit
+IndentWidth: 4
+AlignConsecutiveAssignments: true
+AlignConsecutiveDeclarations: true
+AlignOperands: true
+SortIncludes: false
diff --git a/.copr/Makefile b/.copr/Makefile
new file mode 100644
index 0000000..29ed0bc
--- /dev/null
+++ b/.copr/Makefile
@@ -0,0 +1,23 @@
+top=..
+
+all: srpm
+
+prereq: $(top)/rpmbuild
+	rpm -q git rpm-build >/dev/null || dnf -y install git rpm-build
+
+update-dist-tools: $(top)/dist-tools
+	( cd "$(top)/dist-tools" && git pull )
+
+$(top)/dist-tools:
+	git clone https://github.com/jelu/dist-tools.git "$(top)/dist-tools"
+
+$(top)/rpmbuild:
+	mkdir -p "$(top)"/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
+
+srpm: prereq update-dist-tools
+	test -f .gitmodules && git submodule update --init || true
+	echo "$(spec)" | grep -q "develop.spec" && auto_build_number=`date --utc +%s` message="Auto build `date --utc --iso-8601=seconds`" "$(top)/dist-tools/spec-new-changelog-entry" || true
+	overwrite=yes nosign=yes "$(top)/dist-tools/create-source-packages" rpm
+	cp ../*.orig.tar.gz "$(top)/rpmbuild/SOURCES/"
+	echo "$(spec)" | grep -q "develop.spec" && rpmbuild -bs --define "%_topdir $(top)/rpmbuild" --undefine=dist rpm/*.spec || rpmbuild -bs --define "%_topdir $(top)/rpmbuild" --undefine=dist "$(spec)"
+	cp "$(top)"/rpmbuild/SRPMS/*.src.rpm "$(outdir)"
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000..38cc1c4
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1 @@
+custom: https://www.dns-oarc.net/donate
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..26bcab6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,36 @@
+*.o
+*.lo
+*.la
+config.log
+config.status
+stamp-h1
+ar-lib
+config.guess
+config.sub
+libtool
+ltmain.sh
+.deps
+.libs
+Makefile
+Makefile.in
+src/dnscap
+src/dnscap.1
+autom4te.cache
+Makefile.old
+aclocal.m4
+compile
+configure
+depcomp
+install-sh
+missing
+test-driver
+config.h
+config.h.in~
+m4/libtool.m4
+m4/ltoptions.m4
+m4/ltsugar.m4
+m4/ltversion.m4
+m4/lt~obsolete.m4
+build/
+config.h.in
+dnscap-[0-9]*tar*
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..4d2f1bc
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "src/pcap-thread"]
+	path = src/pcap-thread
+	url = https://github.com/DNS-OARC/pcap-thread.git
diff --git a/.lgtm.yml b/.lgtm.yml
new file mode 100644
index 0000000..a1c94c7
--- /dev/null
+++ b/.lgtm.yml
@@ -0,0 +1,26 @@
+extraction:
+  cpp:
+    prepare:
+      packages:
+        - build-essential
+        - automake
+        - autoconf
+        - libtool
+        - pkg-config
+        - libpcap-dev
+        - libldns-dev
+        - libyaml-perl
+        - zlib1g-dev
+        - libssl-dev
+    after_prepare:
+      - git clone https://github.com/DNS-OARC/cryptopANT.git
+      - cd cryptopANT
+      - ./autogen.sh
+      - ./configure --prefix="$PWD/../root"
+      - make
+      - make install
+      - cd ..
+    configure:
+      command:
+        - ./autogen.sh
+        - ./configure --with-extra-cflags="-I $PWD/root/include" --with-extra-ldflags="-L$PWD/root/lib"
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..9b598f2
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,30 @@
+dist: xenial
+addons:
+  apt:
+    sources:
+    - sourceline: 'ppa:dns-oarc/dnscap-pr'
+    update: true
+    packages:
+    - libpcap-dev
+    - libldns-dev
+    - libyaml-perl
+    - zlib1g-dev
+    - libssl-dev
+    - libcryptopant-dev
+language: c
+compiler:
+  - clang
+  - gcc
+install: ./autogen.sh
+script:
+  - ./configure --enable-warn-all
+  - make dist
+  - tar zxvf *.tar.gz
+  - cd dnscap-[0-9]*
+  - mkdir build
+  - cd build
+  - ../configure --enable-warn-all
+  - make
+  - make test
+  - cat src/test/test*.sh.log
+  - cat plugins/*/test*.sh.log
diff --git a/CBOR_DNS_STREAM.md b/CBOR_DNS_STREAM.md
new file mode 100644
index 0000000..a54dc63
--- /dev/null
+++ b/CBOR_DNS_STREAM.md
@@ -0,0 +1,399 @@
+# CBOR DNS Stream Format version 1 (CDSv1)
+
+This is an experimental format for representing DNS information in CBOR
+with the goals to:
+- Be able to stream the information
+- Support incomplete, broken and/or invalid DNS
+- Have close to no data quality and signature degradation
+- Support additional non-DNS meta data (such as ICMP/TCP attributes)
+
+## Overview
+
+In CBOR you are expected to have one root element, most likely an array or
+map.  This format does not have a root element, instead you are expected to
+read one CBOR array element at a time as a stream of CBOR elements with the
+first array element being the stream initiator object.
+
+```
+[stream_init]
+[message]
+...
+[message]
+```
+
+Here are some number on the compression rate compared to PCAP:
+
+Uncompressed | PCAP       | CDS       | Factor
+-------------|------------|-----------|-------
+client       | 458373     | 133640    | 0,2915
+zonalizer    | 51769844   | 9450475   | 0,1825
+large ditl   | 1003931674 | 298167709 | 0,2970
+small ditl   | 1651252    | 603314    | 0,3653
+
+Gzipped      | PCAP       | CDS       | Factor  | F/Uncompressed
+-------------|------------|-----------|---------|---------------
+client       | 108136     | 45944     | 0,4248  | 0,1002
+zonalizer    | 12468329   | 2485620   | 0,1993  | 0,0480
+large ditl   | 327227203  | 117569598 | 0,3592  | 0,1171
+small ditl   | 539323     | 253402    | 0,4698  | 0,1534
+
+Xzipped      | PCAP       | CDS       | Factor  | F/Uncompressed
+-------------|------------|-----------|---------|---------------
+client       | 76248      | 36308     | 0,4761  | 0,0792
+zonalizer    | 7894356    | 1695920   | 0,2148  | 0,0327
+large ditl   | 267031412  | 86747604  | 0,3248  | 0,0864
+small ditl   | 442260     | 206596    | 0,4671  | 0,1251
+
+- `client` is a couple of hours of DNS from my workstation
+- `zonalizer` is half a day from [Zonalizer](https://zonalizer.makeinstall.se) which continuously tests gTLDs
+- `large ditl`, `small ditl` are capture from [DITL](https://www.dns-oarc.net/oarc/data/ditl)
+
+## Types
+
+- `int`: A CBOR integer (major type 0x00)
+- `uint`: A CBOR integer (value >= 0, major type 0x00)
+- `nint`: A CBOR negative integer (value < 0, major type 0x00), this type has special meaning see `Negative Integers`
+- `simple`: A CBOR simple value (major type 0xe0)
+- `bytes`: A CBOR byte string (major type 0x40)
+- `string`: A CBOR UTF-8 string (major type 0x60)
+- `any`: Any CBOR value
+- `bool`: A CBOR boolean
+- `rindex`: A CBOR negative integer that is a reverse index, see `Deduplication`
+
+## Special Keywords
+
+- `union`: Can be used to merge the given array or map into the current object
+- `optional`: The attribute or object reference is optional
+
+## Negative Integers
+
+CBOR encodes negative numbers in a special way and this format uses that
+for none negative number to tell them apart.
+
+Because of that, all negative numbers needs special decoding:
+
+```
+value = -value - 1
+```
+
+## Objects
+
+The object code below uses:
+- `[` and `]` to indicate the start and end of an array
+- `type name` per object attribute
+- `name` per object reference
+- `...` to indicate a list of previous definition
+- `(`, `|` and `)` to indicate list of various types that the attribute can be
+
+### stream_init
+
+The initial object in the stream.
+
+```
+[
+    string version,
+    union stream_option option,
+    ...
+]
+```
+
+- `version`: The version of the format
+- `option`: A list of stream option objects
+
+### stream_option
+
+A stream option that can specify critical information about the stream and
+how it should be decoded, see `Stream Options` for more information.
+
+```
+[
+    uint option_type,
+    optional any option_value
+]
+```
+
+- `option_type`: The type of option represented as a number
+- `option_value`: The option value
+
+### message
+
+A message object that describes various DNS packets or other information.
+
+```
+[
+    optional bool is_complete,
+    union timestamp timestamp,
+    simple message_bits,
+    union ip_header ip_header,
+    union ( icmp_message | udp_message | tcp_message | dns_message ) content
+]
+```
+
+- `is_complete`: Will exist and be false if the message is not complete and following attributes may not exists
+- `timestamp`: A timestamp object
+- `message_bits`: Bitmap indicating message content
+  - Bit 0: 0=Not DNS 1=DNS
+  - Bit 1: if DNS: 0=UDP 1=TCP else: 0=ICMP/ICMPv6 1=TCP
+  - Bit 2: Fragmented (0=no 1=yes)
+  - Bit 3: Malformed (0=no 1=yes)
+- `ip_header`: An IP header object
+- `content`: The message content, may be an ICMP, UDP, TCP or DNS message object
+
+### timestamp
+
+The timestamp object of a message.
+
+```
+[
+    ( uint seconds | nint diff_from_last ),
+    optional uint useconds
+    optional uint nseconds
+]
+```
+
+- `seconds`: The seconds of a UNIX timestamp
+- `diff_from_last`: The differentially from last `timestamp.seconds`
+- `useconds`: The microseconds of a UNIX timestamp or if `diff_from_last` is used it will be the differentially from last `timestamp.useconds`
+- `nseconds`: The nanoseconds of a UNIX timestamp or if `diff_from_last` is used it will be the differentially from last `timestamp.nseconds`
+
+### ip_header
+
+The IP header of a message.
+
+```
+[
+    ( uint | nint ) ip_bits,
+    optional bytes src_addr,
+    optional bytes dest_addr,
+    optional ( uint | nint ) src_dest_port
+]
+```
+
+- `ip_bits`: Bitmap indicating IP header content, if the type is `nint` it also indicates that it is a reverse from last, see `Deduplication` for more information
+  - Bit 0: address family (0=AF_INET, 1=AF_INET6)
+  - Bit 1: src_addr present
+  - Bit 2: dest_addr present
+  - Bit 3: port present
+- `src_addr`: The source address with length specifying address family, 4 bytes is IPv4 and 16 is IPv6
+- `dest_addr`: The destination address with length specifying address family, 4 bytes is IPv4 and 16 is IPv6
+- `src_dest_port`: A combined source and destination port, see `Source And Destination Port`
+
+#### Source And Destination Port
+
+The source and destination port are combined into one value.  If both source
+and destination exists then the value is larger then 65535, the destination
+will be the high 16 bits and source the low otherwise it will only be the
+source.  If the value is negative then only the destination exists.
+
+```
+if value > 0xffff then
+    src_port = value & 0xffff
+    dest_port = value >> 16
+else if value < 0 then
+    dest_port = -value - 1
+else
+    src_port = value
+```
+
+### icmp_message
+
+`if ip_header.ip_bits.1=0 && ip_header.ip_bits.2=0`
+
+```
+[
+    uint type,
+    uint code
+]
+```
+
+- `type`: TODO
+- `code`: TODO
+
+### udp_message
+
+`if ip_header.ip_bits.1=1 && ip_header.ip_bits.2=0`
+
+TODO
+
+### tcp_message
+
+`if ip_header.ip_bits.2=1`
+
+```
+[
+    uint seq_nr,
+    uint ack_nr,
+    uint tcp_bits,
+    uint window
+]
+```
+
+- `seq_nr`: TODO
+- `ack_nr`: TODO
+- `tcp_bits`: TODO
+  - 0: URG
+  - 1: ACK
+  - 2: PSH
+  - 3: RST
+  - 4: SYN
+  - 5: FIN
+- `window`: TODO
+
+### dns_message
+
+A DNS packet.
+
+```
+[
+    optional bool is_complete,
+    uint id,
+    uint raw_dns_header,        # TODO
+    optional nint count_bits,
+    optional uint qdcount,
+    optional uint ancount,
+    optional uint nscount,
+    optional uint arcount,
+    optional simple rr_bits,
+    optional [
+        dns_question question,
+        ...
+    ],
+    optional [
+        resource_record answer,
+        ...
+    ],
+    optional [
+        resource_record authority,
+        ...
+    ],
+    optional [
+        resource_record additional,
+        ...
+    ],
+    optional bytes malformed
+]
+```
+
+- `is_complete`: Will exist and be false if the message is not complete and following attributes may not exists
+- `id`: DNS identifier
+- `raw_dns_header`: TODO
+- `count_bits`: Bitmap indicating which counts are present, see `Negative Integers` and `Deduplication`
+  - Bit 0: qdcount present
+  - Bit 1: ancount present
+  - Bit 2: nscount present
+  - Bit 3: arcount present
+- `qdcount`: Number of question records if different from the number of entries in `question`
+- `ancount`: Number of answer resource records if different from the number of entries in `answer`
+- `nscount`: Number of authority resource records if different from the number of entries in `authority`
+- `arcount`: Number of additional resource records if different from the number of entries in `additional`
+- `question`: The question records
+- `answer`: The answer resource records
+- `authority`: The authority resource records
+- `additional`: The additional resource records
+- `malformed`: Holds the bytes of the message that was not parsed
+
+### question
+
+A DNS question record.
+
+```
+[
+    optional bool is_complete,
+    ( bytes | compressed_name | rindex ) qname,
+    optional uint qtype,
+    optional nint qclass
+]
+```
+
+- `is_complete`: Will exist and be false if the message is not complete and following attributes may not exists
+- `qname`: The QNAME as byte string, a name compression object or a reverse index, see `Deduplication`
+- `qtype`: The QTYPE, see `Deduplication`
+- `qclass`: The QCLASS, see `Negative Integers` and `Deduplication`
+
+### compressed_name
+
+An compressed name which has references to other labels within the same message.
+
+```
+[
+    ( bytes label | uint label_index | nint offset | simple extension_bits ),
+    ...
+]
+```
+
+- `label`: A byte string with a label part
+- `label_index`: An index to the N byte string label in the message
+- `offset`: The offset specified in the DNS message which could not be translated into a label index
+- `extension_bits`: The extension bits if not 0b00 or 0b11 # TODO: add the extension bits
+
+### resource_record
+
+A DNS resource record.
+
+```
+[
+    optional bool is_complete,
+    ( bytes | compressed_name | rindex ) name,
+    optional simple rr_bits,
+    optional uint type,
+    optional uint class,
+    optional uint ttl,
+    optional uint rdlength,
+    ( bytes | mixed_rdata ) rdata
+]
+```
+
+- `is_complete`: Will exist and be false if the message is not complete and following attributes may not exists
+- `name`:
+- `rr_bits`: Bitmap indicating what is present, see `Deduplication`
+  - Bit 0: type
+  - Bit 1: class
+  - Bit 2: ttl
+  - Bit 3: rdlength     # TODO: reverse index for TTL?
+- `type`: The resource record type
+- `class`: The resource record class
+- `ttl`: The resource record ttl
+- `rdlength`: The resource record rdata length
+- `rdata`: The resource record data
+
+### mixed_rdata
+
+An array mixed with resource data and compressed names.
+
+```
+[
+    ( bytes | compressed_name ) rdata_part,
+    ...
+]
+```
+- `rdata_part`: The parts of the resource records data
+
+## Stream Options
+
+Each option is specified here as OptionName(OptionNumber) and optional
+OptionValue type.
+
+- `RLABELS(0) uint`: Indicates how many labels should be stored in the reverse label index before discarding them
+- `RLABEL_MIN_SIZE(1) uint`: The minimum size a label must be to be put in the reverse label index
+- `RDATA_RINDEX_SIZE(2) uint`: Indicates how many rdata should be stored in the reverse rdata index before discarding them
+- `RDATA_RINDEX_MIN_SIZE(3) uint`: The minimum size a rdata must be to be put in the reverse rdata index
+- `USE_RDATA_INDEX(4)`: If present then the stream uses rdata indexing
+- `RDATA_INDEX_MIN_SIZE(5) uint`: The minimum size a rdata must be to be put in the rdata index
+
+## Deduplication
+
+Deduplication is done in a few different ways, data may be left out to
+indicate that it is the same as the previous value, an index may be used to
+indicate that it is the same as the N previous value and a reverse index
+may be used to indicate that it is the N previous value looking backwards
+across the stream.
+
+In other words, using the index deduplication you will need to build a table
+of the values you come across during the decoding of the stream, this table
+can grow very large.
+
+As an smaller alternative a reverse index can indicate often used data from
+the N previous value looking back over the stream. This type of index also
+reorder itself to try and put the most used data always in the index.
+
+TODO: details of each attribute and it's deduplication
diff --git a/CHANGES b/CHANGES
new file mode 100644
index 0000000..c6a0909
--- /dev/null
+++ b/CHANGES
@@ -0,0 +1,796 @@
+2021-02-12 Jerry Lundström
+
+    Release 2.0.0
+
+    This major release contains three backward incompatible changes, two
+    new command line options and a completely restructured man-page(!),
+    please read the change notes carefully before upgrading!
+
+    The first backward incompatible change has to do with the removal of
+    libbind dependency. This library was causing segfaults on OpenBSD due to
+    shared (and overwritten) symbols with OpenBSD's libc.
+    It was replaced with LDNS and LDNS renders domain names as Fully
+    Qualified Domain Names (FQDN, the trailing dot!) so every output of a
+    domain name has been changed to a FQDN.
+    This also changes `-X`/`-x`, which will now match against FQDNs.
+
+    The second backward incompatible change is that `-6` has been removed.
+    This was used to alter the BPF in order to "fix" it, dnscap adds
+    specific filters to IP and UDP headers which does not work for IPv6
+    traffic.
+    The generated BPF has been changed to allow IPv6 to always pass, making
+    the option obsolete. IPv6 filtering is then done in dnscap.
+
+    The last backward incompatible change has to do with the output format
+    of `-g` related to EDNS0 and is now more consistent with the rest of
+    the parsable output:
+    - No more spaces in the output
+    - Fix incorrect `\` and extra empty new-line
+    - All EDNS0 options are added after `edns0[...]` using comma separation, example: `edns0[],edns0opt[],...`
+    - Client Subnet format: `edns0opt[ECS,family=nn,source=nn,scope=nn,addr=...]`
+    - Unknown/unsupported code: `edns0opt[code=nn,codelen=nn]`
+    - Parsing error messages have changed, they came from libbind, now comes from LDNS
+
+    New options:
+    - Add `-q` and `-Q` to filter on matched/not matched QTYPE
+
+    Bugfixes:
+    - Fix memory leak in EDNS0 ECS address parsing
+    - `network`: Fix sonarcloud issues, potential `memcpy()` of null pointer
+
+    Other changes:
+    - Fix CBOR output inclusion, LDNS is always available now
+    - Add macros for Apple and Windows endian functions
+    - Restructure and correct the man-page
+
+    557e5f5 man-page
+    025529f v6bug, interval
+    37b79e9 FQDN
+    ebcf434 QTYPE match, args, tests
+    0cb5562 v6bug
+    75f6115 Endian
+    aaeb213 Sonarcloud
+    8685946 CBOR output
+    3e26802 Sonarcloud
+    30aa366 libbind
+    3f94d0b Mattermost
+
+2020-10-22 Jerry Lundström
+
+    Release 1.12.0
+
+    This release fixes the handling of `-?` option for dnscap and all plugins,
+    previously the handling varied between places and depending on `getopt()`
+    implementation an invalid option could return the wrong exit code.
+
+    Other changes:
+    - Fix typo in configure help text
+    - `plugins/anonmask`: Fix typo in help text
+    - `plugins/rzkeychange`:
+      - Add `-D`, dry run mode, for testing
+      - Fix handling of `-a` and error on too many
+
+    KNOWN ISSUES:
+
+    On OpenBSD the system library libc exports the same symbols as libbind
+    does and this causes runtime warnings. Until now this has not caused any
+    known problems but is now also causing segfaults if the packet filter used
+    (BPF) includes IPv6 addresses.
+    On all other platforms OARC supports, these symbols are macros and in so
+    should not cause any problem.
+
+    ee478c0 Known issues
+    2f9d957 Tests
+    3c663a2 Tests
+    c88efc5 rzkeychange test
+    f062f33 Tests
+
+2020-08-20 Jerry Lundström
+
+    Release 1.11.1
+
+    This release fixes a lot of issues found by code analysis, adds a
+    explicit memory zeroing function to remove account information (read
+    when dropping privileges) and adds code coverage reporting.
+
+    The `dnscap_memzero()` will use `explicit_bzero()` on FreeBSD and
+    OpenBSD, or `memset_s()` (if supported), otherwise it will manually
+    set the memory to zero. This will hopefully ensure that the memory
+    is zeroed as compilers can optimize out `memset()`'s that is just
+    before `free()`.
+
+    The plugins exit code for the help option `-?` has been changed to 0
+    to have the same as `dnscap -?`.
+
+    d9747ee memzero
+    1cf17c6 Coverage
+    19c7120 Coverage
+    7435676 Sonarcloud
+    928e181 Sonarcloud
+    ca4afd0 Sonarcloud
+    028f5e0 Badges
+    db0d6a1 LGTM
+
+2020-06-01 Jerry Lundström
+
+    Release 1.11.0
+
+    This release includes a new plugin called `eventlog`, contributed
+    by Byron Darrah (@ByronDarrah), output DNS activity as log events,
+    including answers to A and AAAA queries.
+
+    Other changes includes compile warning and code analysis fixes.
+
+    382eac4 COPR
+    4c03650 Compile warn
+    21d6a67 Slight change -- wording now matches usage() output.
+    dd19b0b Added the eventlog.so plugin...
+    1ebf504 Added new dnscap plugin: evenlog.so...
+    f3f9aaa Compile warnings
+
+2020-03-02 Jerry Lundström
+
+    Release 1.10.4
+
+    Fixed a bug that would not drop privileges when not specifying any
+    interface (which is equal to capturing on all interfaces).
+    Added functionality to set the supplemental groups when dropping
+    privileges and changing user, or clear them if that is not supported.
+    Other changes includes corrected man-page about '-w' and update to
+    documentation.
+
+    a0285e4 drop privileges errors, initgroups/setgroups
+    96336f3 daemon: Attempt to drop supplemental groups
+    467a9a7 Drop privileges
+    de940a8 man-page -w
+    187ec43 README
+
+2019-10-02 Jerry Lundström
+
+    Release 1.10.3
+
+    Fixed plugins inclusion in deb packages for Debian and Ubuntu.
+
+    017ebb2 Deb packages
+    cf59143 COPR, spec
+
+2019-08-05 Jerry Lundström
+
+    Release 1.10.2
+
+    Fixed bug in the handling of defragmentation configuration which lead
+    to the use of a local scope variable later on and caused unexpected
+    behavior.
+
+    91692b8 Frag conf
+    6a74376 Package
+    d0d1a6d Package
+
+2019-07-08 Jerry Lundström
+
+    Release 1.10.1
+
+    Fix various issues found by code analysis tools, a few compiler warnings
+    removed, undefined bit shift behavior fixed, parameter memory leaks
+    plugged and documentation updates.
+
+    Fixes:
+    - `dump_dns`: Remove usage of `strcpy()` and use `snprintf()` instead
+      of `sprintf()`
+    - `bpft`:
+      - Use `text_ptr->len` to store length of generated text
+      - Use `memcpy()` instead of `strcat()`
+      - Remove unneeded `realloc()` and `strcpy()`
+    - `plugins/cryptopan`: Fix strict-aliasing warnings
+    - `network`: Rework part of `dl_pkt()` to remove usage of `strcpy()`
+      and use `snprintf()` instead of `sprintf()`
+    - `plugins/anonaes128`: Use `a6` as dest when copying v4 addresses for
+      readability and code analysis
+    - `plugins/cryptopan`: Run first pass separate to eliminate a 32bit
+      shift by 32 (undefined behavior)
+    - `plugins/cryptopant`: Fix memory leak of `keyfile` if `-k` is
+      specified more then once
+
+    Documentation:
+    - Update `README.md` with correction to building from git and note
+      about PCAP on OpenBSD
+    - Fix #190: Update link to `libbind` source
+
+    074923c Funding
+    5d2e84c libbind
+    8ee9f2a Travis-CI
+    6babd09 Fixes
+    bb2d1c7 README, compile warnings
+    0d9cd9c LGTM, Travis-CI
+
+2018-12-03 Jerry Lundström
+
+    Release 1.10.0
+
+    This release adds a new plugin type "filter" and 5 new plugins that can
+    do anonymization, deanonymization and masking of the IP addresses.
+
+    New features:
+    - Check plugins for `pluginname_type()` which returns `enum plugin_type`,
+      if missing the plugin is counted as an "output" plugin
+    - New plugin type "filter" which calls `pluginname_filter()` prior of
+      outputting any data or calling of "output" plugins, if the new function
+      returns non-zero then the packet is filtered out (dropped)
+    - New extension `DNSCAP_EXT_SET_IADDR` that gives access to a function
+      for setting the from and to IP addresses both in the extracted data
+      and the wire
+
+    New plugins:
+    - `anonaes128`: Anonymize IP addresses using AES128
+    - `anonmask`: Pseudo-anonymize IP addresses by masking them
+    - `cryptopan`: Anonymize IP addresses using an extension to Crypto-PAn
+      (College of Computing, Georgia Tech) made by David Stott (Lucent)
+    - `cryptopant`: Anonymize IP addresses using cryptopANT, a different
+      implementation of Crypto-PAn made by the ANT project at USC/ISI
+    - `ipcrypt`: Anonymize IP addresses using ipcrypt create by
+      Jean-Philippe Aumasson
+
+    Bugfixes:
+    - Fix changing `royparse` and `txtout` with other plugins (thanks to
+      Duane Wessels and Paul Hoffman)
+    - Free pointers to allocated strings in `text_free()` (thanks to Michał
+      Kępień)
+    - Fix IP checksum calculation
+
+    Other changes:
+    - `-B` and `-E` can be used without `-w` (thanks to Duane Wessels)
+    - Use `pcap_findalldevs()` instead of `pcap_lookupdev()` (thanks to
+      Michał Kępień)
+    - Document and add `-?` option to all plugins
+    - Fix clang `scan-build` bugs and LGTM alerts
+    - Use `gmtime_r()` instead of `gmtime()`
+    - Update `pcap-thread` to v4.0.0
+
+    67d8e2c Fix
+    fb0ed02 Plugin documentation
+    a2c9a6c cryptopant
+    39db1ca Deanonymize, IPv6 test
+    afc7107 Crypto-PAn, cryptopANT
+    f1912cc OpenSSL, anonaes128
+    f2bab62 ipcrypt, anonmask
+    158b1e7 anonmask help
+    60ece58 anonmask
+    8f1b138 Plugin types, filter plugin, set iaddr extension, anonymization
+            by masking
+    b7d7991 IP checksum
+    641a23a Free pointers to allocated strings in text_free()
+    4d313bf pcap_findalldevs()
+    091e0ca Use pcap_findalldevs() instead of pcap_lookupdev()
+    6a7b25e Clean up use of feature test macros on Linux
+    cbba14c Configure, uninitialized
+    f228c9c Code formatting
+    3fd738c man-page
+    770168a Test
+    714e4f5 Fix -B <begin> so that it works when reading offline pcap files.
+    8675bea Test
+    911fec9 Implementing test9 as a test of -B and -E command line args.
+    a7cc72d -B <begin> and -E <end> can work fine without -w <base>.
+    04c4928 Made the same changes to txtout as were in 165a786
+    165a786 Workaround for stdio mystery causing duplicate royparse output.
+
+2018-02-28 Jerry Lundström
+
+    Release 1.9.0
+
+    This release adds a new option to change how the Berkeley Packet Filter
+    is generated to include the host restrictions for all selections,
+    previously this restriction would only apply to specific parts.
+
+    Additional tweaks to the RSSM plugin has been made to conform to the
+    RSSAC002v3 specification. One noticeable change is that the plugin now
+    requires the DNS to be parsed before counted, any error in the parsing
+    will result in the message being left out of the statistics.
+
+    Changes:
+    - Fix spacing in BPF filter to look better
+    - Fix #146: Add `bpf_hosts_apply_all`, apply any host restriction to all
+    - `plugin/rssm`:
+      - Remove quoting of `start-period` and correctly handle empty hashes
+      - Issue #152, Issue #91: Parse DNS before processing RSSM counters
+    - `plugin/rssm/dnscap-rssm-rssac002`: Use `YAML::Dump()` for output
+
+    47d892b Issue #152: RSSM YAML output
+    d4f1466 Issue #152, Issue #91: Parse DNS before processing RSSM counters
+    68fc1ff BPF, `bpf_hosts_apply_all`
+
+2018-02-07 Jerry Lundström
+
+    Release 1.8.0
+
+    This release updates the TCP stream code in order to be able to look
+    at more then just the first query, for handling already ongoing TCP
+    connections without having seen SYN/ACK and for reassembly of the TCP
+    stream prior of parsing it for DNS with an additional layer of parsing
+    (see `reassemble_tcp_bfbparsedns`).
+
+    Updates to the Root Server Scaling Measurement (RSSM) plugin have also
+    been made to bring it up to date with RSSAC002v3 specification, be
+    able to output the YAML format described and an additional script to
+    merge YAML files if the interval is less then the RSSAC002v3 24 hour
+    period. See "Updates to the RSSM plugin" below and
+    `plugins/rssm/README.md`.
+
+    New extended options:
+    - `parse_ongoing_tcp`: Start tracking TCP connections even if SYN/ACK
+      has not been seen
+    - `allow_reset_tcpstate`: Allow external reset of TCP state
+    - `reassemble_tcp`: Use to enable TCP stream reassembly
+    - `reassemble_tcp_faultreset`: Number of faults before reseting TCP
+      state when reassembly is enabled
+    - `reassemble_tcp_bfbparsedns`: Enable an experimental additional layer
+      of reassemble that uses `libbind` to parse the payload before accepting
+      it. If the DNS is invalid it will move 2 bytes within the payload and
+      treat it as a new payload, taking the DNS length again and restart
+      the process. Requires `libbind` and `reassemble_tcp`.
+
+    New extension functions for plugins:
+    - `DNSCAP_EXT_TCPSTATE_GETCURR`: Function to get a pointer for the
+      current TCP state
+    - `DNSCAP_EXT_TCPSTATE_RESET`: Function to reset a TCP state
+
+    New features:
+    - Parse additional DNS queries in TCP connections
+    - `-g` and the `txtout` plugin will reset TCP state (if allowed) on
+      failure to parse DNS
+
+    Bugfixes:
+    - Fix `-g` output, separate error message with a space
+    - Fix TCP packets wrongfully flagged as DNS when using layers.
+    - Fix TCP debug output when using layers, `ia_str()` is not safe to call
+      twice in the same `printf` because of local buffer.
+    - Fix exported extension functions, need to be file local
+
+    New tests for:
+    - Multiple DNS queries in one TCP connection
+    - Query over TCP without SYN
+    - Queries over TCP with first query missing length
+    - Queries over TCP with middle payloads missing
+    - Add test with TCP stream that missing multiple packets in the middle
+
+    Updates to the RSSM plugin (`plugins/rssm`):
+    - Add info about saving counts and sources
+    - Fix memory leak on `fopen()` errors
+    - Update to RSSAC002v3 specification
+    - New options:
+      - `-D` to disable forking on close
+      - `-Y`: Use RSSAC002v3 YAML format when writing counters, the file
+        will contain multiple YAML documents, one for each RSSAC002v3 metric
+        Used with; -S adds custom metric `dnscap-rssm-sources` and -A adds
+        `dnscap-rssm-aggregated-sources`
+      - `-n`: Set the service name to use in RSSAC002v3 YAML
+      - `-S`: Write source IPs into counters file with the prefix `source`
+      - `-A`: Write aggregated IPv6(/64) sources into counters file with
+        the prefix `aggregated-source`
+      - `-a`: Write aggregated IPv6(/64) sources to
+        `<name>.<timesec>.<timeusec>`
+    - Add `dnscap-rssm-rssac002` Perl script for merging RSSAC002v3 YAML files
+    - Add README.md for the plugin man-page for `dnscap-rssm-rssac002`
+    - Add test for YAML output and merging of YAML files
+
+    c7058c8 Use file local functions for all extensions
+    66b352d RSSM RSSAC002v3 YAML Tool
+    b09efc2 `plugins/rssm` RSSAC002v3
+    709aba6 Fix #89: Add additional reassembly layers that parses the
+            payload byte for byte for valid DNS
+    04fa013 Fix CID 1463944 (again)
+    b1cf623 RSSM saving data and forking
+    fb23305 Fix CID 1463944
+    0fca1a8 Issue #89: TCP stream reassemble
+    bb6428c CID 1463814: Check `ns_initparse()` for errors
+    a57066f Fix #88: TCP handling
+
+2017-12-27 Jerry Lundström
+
+    Release 1.7.1
+
+    The library used for parsing DNS (libbind) is unable to parse DNS
+    messages when there is padding at the end (the UDP/TCP payload is larger
+    then the DNS message). This has been fixed by trying to find the actual
+    DNS message size, walking all labels and RR data, and then retry parsing.
+
+    Other changes and bug-fixes:
+    - Fix size when there is a VLAN to match output of `use_layers` yes/no
+    - Add test of VLAN matching
+    - Fix `hashtbl.c` building in `rssm`
+    - Add test with padded DNS message
+
+    49e5400 Fix #127: If `ns_initparse()` returns `EMSGSIZE`, try and get
+            actual size and reparse
+    99bda0b Fix #98: VLAN
+
+2017-12-19 Jerry Lundström
+
+    Release 1.7.0
+
+    This release adds IP fragmentation handling by using layers in pcap-thread
+    which also adds a new flag to output and modules. `DNSCAP_OUTPUT_ISLAYER`
+    indicates that `pkt_copy` is equal to `payload` since the layers of the
+    traffic have already been parsed. IP fragments are reassembled with the
+    `pcap_thread_ext_frag` extension that is included in pcap-thread.
+
+    New extended (`-o`) options:
+    - `use_layers`: Use pcap-thread layers to handle the traffic
+    - `defrag_ipv4`: Enabled IPv4 de-fragmentation
+    - `defrag_ipv6`: Enabled IPv6 de-fragmentation
+    - `max_ipv4_fragments`: Set maximum fragmented IPv4 packets to track
+    - `max_ipv4_fragments_per_packet`: Set the maximum IPv4 fragments per
+      tracked packet
+    - `max_ipv6_fragments`: Set maximum fragmented IPv6 packets to track
+    - `max_ipv6_fragments_per_packet`: Set the maximum IPv6 fragments per
+      tracked packet
+
+    Currently `-w` does not work with `use_layers` and the plugins `pcapdump`
+    and `royparse` will discard output with the flag `DNSCAP_OUTPUT_ISLAYER`
+    because they need access to the original packet.
+
+    The `rzkeychange` plugin now encodes certain flag bits in the data that
+    it reports for RFC8145 key tag signaling. The flags of interest are:
+    `DO`, `CD`, and `RD`. These are encoded in an bit-mask as a hexadecimal
+    value before the `_ta` component of the query name.
+
+    Other changes and bug-fixes:
+    - Fix #115: document `-g` output, see `OUTPUT FORMATS` `diagnostic` in
+      `dnscap(1)` man-page
+    - Add test to match output from non-layers runs with those using layers
+    - Add test with fragmented DNS queries
+    - Fix #120: CBOR/CDS compiles again, update tinycbor to v0.4.2
+    - Fix `ip->ip_len` byte order
+    - Fix parsing of IP packets with padding or missing parts of payload
+
+    0347f74 Add AUTHORS section in man-page
+    ef1b68c Fix CID 1463073
+    8a79f89 Layers
+    a404d08 Update pcap-thread to v3.1.0, add test for padding fixes
+    08402f1 Fix byte order bug.  ip->ip_len must be evaluated with ntohs().
+    d6d2340 CBOR/CDS and formatting
+    85ec2d8 Fix #87: IP fragmentation reassembly
+    22bfd4a Documentation
+    c35f19f Adding flag bits to rzkeychange RFC8145 key tag signaling data.
+            This may be useful to find "false" key tag signals from sources
+            that don't actually perform DNSSEC validation.
+
+2017-12-01 Jerry Lundström
+
+    Release 1.6.0
+
+    New additions to the plugins:
+    - `rzkeychange` can now collect RFC8145 key tag signaling. Signals are
+      saved during the collection interval, and then sent to the specified
+      `-k <zone>`, one at a time, at the end of the interval. Only root zone
+      signals are collected. Added by Duane Wessels (@wessels).
+    - `royparse` is a new plugin to splits a PCAP into two streams, queries
+      in PCAP format and responses in ASCII format. Created by Roy Arends
+      (@RoyArends).
+    - `txtout` new option `-s` for short output, only print QTYPE and QNAME
+      for IN records. Added by Paul Hoffman (@paulehoffman)
+    - The extension interface has been extended with `DNSCAP_EXT_IA_STR` to
+      export the `ia_str()` function.
+
+    Bugfixes and other changes:
+    - Remove duplicated hashtbl code
+    - `rssm`: fix bug where count in table was taken out as `uint16_t` but
+      was a `uint64_t`
+    - Handle return values from hashtbl functions
+    - `txtout`: removed unused `-f` options
+    - Change `ia_str()` to use buffers with correct sizes, thanks to
+      @RoyArends for spotting this!
+
+    Commits:
+    3f78a31 Add copy/author text
+    1bd914d Fix CID 1462343, 1462344, 1462345
+    f9bb955 Fix `fprintf()` format for message size
+    abedf84 Fix #105: `inet_ntop` buffers
+    bfdcd0d Addresses the suggestions from Jerry.
+    dda0996 royparse :)
+    4f6520a royparse plugin finished
+    f1aa4f2 Fix #103: Remove `opt_f`
+    32355b7 Rearrange code to keep the change smaller and fix indentation
+    d6612c1 Added -s to txtout for short output
+    9d8d1ef Check return of `snprintf()`
+    55f5aba Format code
+    9f19ec3 Fixed memory leak in rzkeychange_keytagsignal()
+    58b8784 Fix memory leaks and better return value checks in
+            rzkeychange_submit_counts()
+    b06659f Add server and node to keytag signal query name
+    705a866 Always free response packets in rzkeychange plugin.
+    e802843 Implement RFC8145 key tag signal collection in rzkeychange plugin
+    5fbf6d0 Added extension for ia_str() so it can be used by rzkeychange
+            plugin.
+    3be8b8f Split `dnscap.c` into more files
+    e431d14 Fix #92: hashtbl
+
+2017-08-21 Jerry Lundström
+
+    Release 1.5.1
+
+    Compatibility fixes for FreeBSD 11.1+ which is now packing `struct ip`
+    and for OpenBSD.
+
+    Commits:
+    17e3c92 FreeBSD is packing `struct ip`, need to `memcpy()`
+    f8add66 Code formatting
+    38cd585 Add documentation about libbind
+    d1dd55b Fix #82: Update dependencies for OpenBSD
+
+2017-06-06 Jerry Lundström
+
+    Release 1.5.0
+
+    Added support for writing gzipped PCAP if the `-W` suffix ends with
+    `.gz` and made `-X` work without `-x`. New inteface for plugins to
+    tell them what extensions are available and a new plugin `rzkeychange`.
+
+    Plugin extensions:
+    - Call `plugin_extension(ext, arg)` to tell plugin what extensions exists
+    - Add extension for checking responder (`is_responder()`)
+
+    The rzkeychange plugin was developed by Duane Wessels 2016 in support
+    of the root zone ZSK size increase. It is also being used in support of
+    the 2017 root KSK rollover and collects the following measurements:
+    - total number of responses sent
+    - number of responses with TC bit set
+    - number of responses over TCP
+    - number of DNSKEY responses
+    - number of ICMP_UNREACH_NEEDFRAG messages received
+    - number of ICMP_TIMXCEED_INTRANS messages received
+    - number of ICMP_TIMXCEED_REASS messages received
+
+    Other fixes (author Duane Wessels):
+    - 232cbd0: Correct comment description for meaning of IPPROTO_AH
+    - 181eaa4: Add #include <sys/time.h> for struct timeval on NetBSD
+
+    Commits:
+
+    1d894e2 Make -x and -X work correctly together and update man-page
+    34bc54c Make the -X option work without requiring a -x option.
+    f43222e Fix CID 1440488, 1440489, 1440490
+    aa54395 Update pcap-thread to v2.1.3
+    81174ce Prepare SPEC for OSB/COPR
+    21d7468 New plugin rzkeychange and plugin extensions
+    38491a3 Config header is generated by autotools
+    419a8ab Small tweaks and fixes for gzip support
+    1967abc updated for earlier BSD versions
+    f135c90 added auto gzip if the -W suffix ends with .gz
+
+    Commits during development of rzkeychange (author Duane Wessels):
+    - 620828d: Add rzkeychange -z option to specify resolver IP addresses
+    - 1f77987: Add -p and -t options to rzkeychange plugin to configure an
+      alternate port and TCP. Useful for ssh tunnels.
+    - 2a571f1: Split ICMP time exceeded counter into two counters for time
+      exceeded due to TTL and another due to fragmentation
+    - e4ee2d3: The rzkeychange data collection plugin uses
+      `DNSCAP_EXT_IS_RESPONDER` extension to know if an IP address is a
+      "responder" or not, because when dnscap is instructed to collect ICMP
+      with -I, it processes all ICMP packets, not just those limited to
+      responders (or initiators).
+    - cee16b8: Add ICMP Time Exceeded to counters
+    - ad8a227: Counting source IPs has performance impacts. #ifdef'd out for
+      now add ICMP "frag needed" counts
+    - c25e72b: Implemented DNS queries with ldns. First there will be some
+      test queries to ensure the zone is reachable and configured to receive
+      data. Then a query naming the fields, followed by the periodic queries
+      delivering counts.
+    - fd23be7: Make report zone, server, node command line argumements mandatory
+    - 137789b: Adding rzkeychange plugin files
+
+2017-03-29 Jerry Lundström
+
+    Release 1.4.1
+
+    Fixed an issue that when compiled with libpcap that had a specific
+    feature enabled it would result in a runtime error which could not be
+    worked around.
+
+    Also fixed various compatibility issues and updated dependency
+    documentation for CentOS.
+
+    Commits:
+
+    785d4c4 Fix compiler warnings
+    2d4df8d Fix #65: Update pcap-thread to v2.1.2
+    26d3fbc Fix #64: Add missing dependency
+    55e6741 Update pcap-thread to v2.1.1, fix issue with libpcap timestamp
+            type
+    c6fdb7a Fix typo and remove unused variables
+
+2017-02-27 Jerry Lundström
+
+    Release 1.4.0
+
+    Until it can be confirmed that the threaded code works as well as the
+    non-threaded code it has been made optional and requires a configuration
+    option to enable it during compilation.
+
+    New extended option:
+    - `-o pcap_buffer_size=<bytes>` can be used to increase the capture
+      buffer within pcap-thread/libpcap, this can help mitigate dropped
+      packets by the kernel during breaks (like when closing dump file).
+
+    Commits:
+
+    1c6fbb2 Update copyright year
+    63ef665 Suppress OpenBSD warnings about symbols
+    2c99946 pcap-thread v2.0.0, disable threads, errors handling
+    4cade97 Fix #56: Update pcap-thread to v1.2.2 and add test
+
+2016-12-23 Jerry Lundström
+
+    Release 1.3.0
+
+    Rare lockup has been fixed that could happen if a signal was received
+    in the wrong thread at the wrong time due to `pcap_thread_stop()`
+    canceling and waiting on threads to join again. The handling of signals
+    have been improved for threaded and non-threaded operations.
+
+    New features:
+    - Experimental CBOR DNS Stream format output, see `CBOR_DNS_STREAM.md`
+    - Extended options to specify user and group to use when dropping
+      privileges, see EXTENDED OPTIONS in man-page
+
+    Commits:
+
+    a5fa14e Signal and threads
+    3868104 Use old style C comments
+    7946be5 Clarify building
+    d5463b4 RPM spec and various automake fixes
+    df206bf Resource data indexing and documentation
+    0e2d0fe Fix #22, fix #43: Update README
+    5921d73 Add stream option RLABELS and RLABEL_MIN_SIZE
+    6dd6ec1 Implement experimental CBOR DNS Stream Format
+    4baf695 Fix #37: Extended options to specifty user/group to use when
+            dropping privileges
+    61d830a Fix #35: Use `AC_HEADER_TIME` and fix warning
+
+2016-10-27 Jerry Lundström
+
+    Release 1.2.0
+
+    Update `pcap-thread` to v1.2.0 to get the new callback queue mode which
+    puts that mode into using pthread conditions if all pcaps are offline and
+    keeps us from losing packets.
+
+    Use `pcap_thread_dropback()` callback to get the notification when a
+    packet was dropped because the queue was full, indicating that we can't
+    process all the packets.  Added this stats to the `-S` output as total
+    and per interface as `ptdrop`.  Changed the output for each interface
+    to not cut of information, for example interface name was cut to
+    4 characters.
+
+    Other changes:
+
+    - Add extended options `-o <option>=<value>` because we are running out
+      of short options.
+    - Better handling of library checks and automake rules
+    - New option `-F <format>` to specify the format of the output in `-w`
+    - Add experimental CBOR output support
+      - LDNS is used to parse the packets
+      - Tinycbor is used to construct the CBOR output
+      - DNS-in-JSON draft [1] for representing the objects
+      - Check CBOR topic in README.md for more information
+    - When only reading offline pcap files it will not attempt to drop
+      privileges and add new option `-N` to explicitly not drop privileges.
+
+    Commits:
+
+    f42e23f Extended options and CBOR output format
+    a28f498 Fix #24: Handle packet drops
+    2308eaa Fix #26: Unable to drop GID to nobody, exiting.
+    82d65f2 Update pcap-thread to v1.1.2
+
+    [1] https://datatracker.ietf.org/doc/draft-hoffman-dns-in-json/
+
+2016-10-11 Jerry Lundström
+
+    Release 1.1.0
+
+    The ownership of DNSCAP was transferred from ISC to DNS-OARC in
+    the summer of 2016 and this is the first release since that.
+
+    This project now uses Semantic Versioning and these are the changes
+    since the `dnscap-20160205` release (which can also be found using
+    the tag `v0.0.0-20160205`).
+
+    Highlights:
+    - Restructure repository and use autotools
+    - Compiled and tested on Debian, Ubuntu, CentOS, FreeBSD and OpenBSD
+      using Jenkins and Travis-CI
+    - Source code static analysis using Coverity Scan
+    - Compatibility fixes for FreeBSD, OpenBSD and OS X
+    - ABI change to `output()`, previous `isfrag` is now a `flags` that
+      represents what the packet is through a bitmask
+    - Use helper library `pcap-thread` when capturing to solve missing
+      packets during very low traffic
+
+    New command line options:
+    - `-V`: Prints version and then exits
+    - `-M`: Enable monitor mode on interfaces
+    - `-D`: Enable immediate mode on interfaces
+    - `-W`: Allow to specify a suffix for the pcap dump file
+    - `-C`: Limit/rotate capture after a certain amount of bytes
+
+    Special thanks to:
+    - Duane Wessels
+    - Paul Vixie
+    - Klaus Darilion
+
+    Commits:
+
+    bc7eb22 Update license after ownership transfer from ISC to DNS-OARC,
+            update contributors, add build badges and removed SuperFastHash
+            since apparently it was not used.
+    778e457 Add `-V` for displaying version and the exiting
+    71c2d79 Fix #12: Sync man-page and help text
+    33576ef Swap option C and D, C for this makes more sense. Also ensure
+            that `capturedbytes` is zero on start.
+    0077aff Correct dump trace with new `flags`
+    f9cbba0 Do not use dump suffix unless it set
+    4dd81d6 Update the man page
+    7435c49 Change new option C to D because C was already taken
+    813dddb Fix -B and -E, these options are supported only once
+    76f19d1 fix usage of -W
+    519b64f Add -Y option to short usage instructions
+    348c738 Fix -C feature: capturedbytes was not increased
+    3db6f94 Improve logging
+    b567bef New option -C: limit/rotate capture after a certain amount
+            of bytes
+    341abdf Add -W feature: allow to specify a suffix for the pcap dump
+            file, e. g.: '.pcap'
+    097a3b4 Count every packet which is sent to output(), not only
+            the normal ones.
+    75e5968 Close PCAPs after dumper_close() to have statistics still
+            available during dumper_close(). Otherwise we get a segfault
+            on shutdown.
+    c09d61a Add debian/ubuntu package files.
+    020f2aa Forgot about the compiler warnings and fix the last
+            Coverity Scan issue
+    00c834d More Coverity Scan fixes
+    ad2f230 Fix various Coverity Scan issues
+    606f0cd Update pcap thread to version 1.1.1
+    f065cd7 Fix #14: Add options `-M` and `-C` for monitor and
+            immediate mode, update help and man-page.
+    b872035 Update to pcap-thread version 1.1.0
+    1f30637 Update pcap_thread to v1.0.1, add travis check that dnscap
+            can run
+    b19efaa Building from Git repository instructions
+    b5460df Use `calloc()` instead of `malloc()` to be sure the memory
+            is zeroed
+    ae6a04d Use pcap_thread v1.0.0
+    9426a2d Update pcap_thread and add pcap stats
+    820b2f2 Update pcap_thread and support offline pcaps
+    a47dd67 Update pcap_thread
+    237a7a7 CentOS autoreconf complained
+    7b5568c Use pcap_thread
+    11d0388 Revert the changes on all lines that had NULL, 0 before.
+    7d6a7e4 Passing IPv6 fragment payloads may not currently be safe.
+            Needs more work. For now pass pkt=NULL to be safe for plugins.
+    ea8f9a4 Make the family of output() functions future proof with a flags
+            bitmask. Rather than separate 'isfrag' and 'isdns' flags,
+            they are now set as bitmasks in a single 'flags' value passed
+            to output() f
+    472a172 A change to the interface of the family of output() functions.
+    95a6e62 timeval.* are not unsigned
+    d3f32de Fix #1: Use NS_*SZ
+    e555871 Fix compiler warnings
+    3ed8f29 Fix #1
+    864cbd7 Can you change #ifdef __APPLE__ to check for the
+            arpa/nameser_compat.h header and include it if it exists?
+    796e8ea plugin/rssm needs to include arpa/nameser_compat.h for OS X
+            so that the HEADER struct is declared.
+    daf4bd3 In plugin/txtout silence compiler warnings about int vs short
+    e5bc24b plugin/pcapdump needs to include arpa/nameser_compat.h for OS X
+            so that the HEADER struct is declared.
+    0061b57 Work around configure problem detecting libresolv on Mac OS X
+            Without some #include files, the configure test won't find
+            the symbol res_mkquery() in libresolv on OS X.  It is called
+            res_9_mkquery()
+    5309655 Mac OS X doesn't have setresuid() and setresgid().
+            This patch adds configure checks for setreuid() and setregid()
+            and will use those instead if the other versions are
+            not available.
+    d257a1c Fix compilation on FreeBSD and OpenBSD
+    07b2a75 Restructure repository and move to Automake.
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
new file mode 100644
index 0000000..08d60a6
--- /dev/null
+++ b/CONTRIBUTORS
@@ -0,0 +1,17 @@
+Paul Vixie (ISC)
+Duane Wessels (The Measurement Factory, DNS-OARC, Verisign)
+Ken Keys (CAIDA)
+Sebastian Castro (CAIDA, NZRS)
+Iñigo Ortiz de Urbina Cazenave (RIPE)
+Kevin Brintnall
+Peter Koch (DENIC)
+Brad Belanger (Cogent)
+Mark Santcroos
+Andris Kalnozols
+Robert Story (TIS Labs)
+Bruce Campbell
+Chris Higgens
+Evan Hunt (ISC)
+Stephane Bortzmeyer (Afnic)
+Jerry Lundström (DNS-OARC)
+Klaus Darilion
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..f6e1052
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,33 @@
+DNSCAP
+
+Copyright (c) 2016-2021, OARC, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in
+   the documentation and/or other materials provided with the
+   distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived
+   from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
diff --git a/Makefile.am b/Makefile.am
new file mode 100644
index 0000000..0056327
--- /dev/null
+++ b/Makefile.am
@@ -0,0 +1,13 @@
+ACLOCAL_AMFLAGS = -I m4 -I src/pcap-thread/m4
+
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in \
+    $(srcdir)/src/config.h.in~ \
+    $(srcdir)/configure
+
+SUBDIRS = src plugins
+
+dist_doc_DATA = README.md LICENSE CONTRIBUTORS
+
+EXTRA_DIST = isc m4 .clang-format fmt.sh
+
+test: check
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3f86a6f
--- /dev/null
+++ b/README.md
@@ -0,0 +1,247 @@
+# dnscap
+
+[![Build Status](https://travis-ci.com/DNS-OARC/dnscap.svg?branch=develop)](https://travis-ci.com/DNS-OARC/dnscap) [![Total alerts](https://img.shields.io/lgtm/alerts/g/DNS-OARC/dnscap.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/DNS-OARC/dnscap/alerts/) [![Bugs](https://sonarcloud.io/api/project_badges/measure?project=dns-oarc%3Adnscap&metric=bugs)](https://sonarcloud.io/dashboard?id=dns-oarc%3Adnscap) [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=dns-oarc%3Adnscap&metric=security_rating)](https://sonarcloud.io/dashboard?id=dns-oarc%3Adnscap)
+
+`dnscap` is a network capture utility designed specifically for DNS traffic.
+It produces binary data in `pcap(3)` and other format. This utility is similar
+to `tcpdump(1)`, but has a number of features tailored to DNS transactions
+and protocol options. DNS-OARC uses `dnscap` for DITL data collections.
+
+Some of its features include:
+- Understands both IPv4 and IPv6
+- Captures UDP, TCP, and IP fragments.
+- Collect only queries, responses, or both (`-s` option)
+- Collect for only certain source/destination addresses (`-a` `-z` `-A` `-Z` options)
+- Periodically creates new pcap files (`-t` option)
+- Spawns an upload script after closing a pcap file (`-k` option)
+- Will start and stop collecting at specific times (`-B` `-E` options)
+
+More information may be found here:
+- https://www.dns-oarc.net/tools/dnscap
+- https://www.dns-oarc.net/oarc/data/ditl
+
+Issues should be reported here:
+- https://github.com/DNS-OARC/dnscap/issues
+
+General support and discussion:
+- Mattermost: https://chat.dns-oarc.net/community/channels/oarc-software
+- mailing-list: https://lists.dns-oarc.net/mailman/listinfo/dnscap-users
+
+## Dependencies
+
+`dnscap` requires a couple of libraries beside a normal C compiling
+environment with autoconf, automake, libtool and pkgconfig.
+
+`dnscap` has a non-optional dependency on the PCAP library and LDNS.
+
+To install the dependencies under Debian/Ubuntu:
+```
+apt-get install -y libpcap-dev libldns-dev zlib1g-dev libyaml-perl libssl-dev
+```
+
+To install the dependencies under CentOS (with EPEL enabled):
+```
+yum install -y libpcap-devel ldns-devel openssl-devel zlib-devel perl-YAML
+```
+
+For the following OS you will need to install some of the dependencies
+from source or Ports, these instructions are not included.
+
+To install some of the dependencies under FreeBSD 10+ using `pkg`:
+```
+pkg install -y libpcap ldns p5-YAML openssl-devel
+```
+
+To install some of the dependencies under OpenBSD 5+ using `pkg_add`:
+```
+pkg_add libldns p5-YAML
+```
+
+NOTE: It is recommended to install the PCAP library from source/ports on
+OpenBSD since the bundled version is an older and modified version.
+
+### Dependencies for `cryptopant.so` plugin
+
+For this plugin a library call `cryptopANT` is required and the original
+can be found here: https://ant.isi.edu/software/cryptopANT/index.html .
+
+For DNS-OARC packages we build our own fork, with slight modifications to
+conform across distributions, of this library which is included in the same
+package repository as `dnscap`. The modifications and packaging files can be
+found here: https://github.com/DNS-OARC/cryptopANT .
+
+## Building from source tarball
+
+The [source tarball from DNS-OARC](https://www.dns-oarc.net/tools/dnscap)
+comes prepared with `configure`:
+
+```
+tar zxvf dnscap-version.tar.gz
+cd dnscap-version
+./configure [options]
+make
+make install
+```
+
+## Building from Git repository
+
+If you are building `dnscap` from it's Git repository you will first need
+to initiate the Git submodules that exists and later create autoconf/automake
+files, this will require a build environment with autoconf, automake, libtool
+and pkg-config to be installed.
+
+```
+git clone https://github.com/DNS-OARC/dnscap.git
+cd dnscap
+git submodule update --init
+./autogen.sh
+./configure [options]
+make
+make install
+```
+
+### 64-bit libraries
+
+If you need to link against 64-bit libraries found in non-standard
+locations, provide the location by setting LDFLAGS before running
+configure:
+
+```
+$ env LDFLAGS=-L/usr/lib64 ./configure
+```
+
+### OpenBSD
+
+For OpenBSD you probably installed libpcap in `/usr/local` so you will need
+to tell `configure` where to find the libraries and header files:
+
+```
+$ env CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" ./configure
+```
+
+## Plugins
+
+`dnscap` comes bundled with a set of plugins, see `-P` option.
+
+- `anonaes128.so`: Anonymize IP addresses using AES128
+- `anonmask.so`: Pseudo-anonymize IP addresses by masking them
+- `cryptopan.so`: Anonymize IP addresses using an extension to Crypto-PAn (College of Computing, Georgia Tech) made by David Stott (Lucent)
+- `cryptopant.so`: Anonymize IP addresses using cryptopANT, a different implementation of Crypto-PAn made by the ANT project at USC/ISI
+- `ipcrypt.so`: Anonymize IP addresses using ipcrypt create by Jean-Philippe Aumasson
+- `pcapdump.so`: Dump DNS into a PCAP with some filtering options
+- `royparse.so`: Splits a PCAP into two streams; queries in PCAP format and responses in ASCII format
+- `rssm.so`: Root Server Scaling Measurement plugin, see it's [README.md](plugins/rssm/README.md) for more information
+- `rzkeychange.so`: RFC8145 key tag signal collection and reporting plugin
+- `txtout.so`: Dump DNS as one-line text
+- `eventlog.so`: Syslog style output for easy parsing, use with a SIEM, etc.
+
+There is also a `template` plugin in the source repository to help others
+develop new plugins.
+
+## CBOR DNS Stream Format
+
+This is an experimental format for representing DNS information in CBOR
+with the goals to:
+- Be able to stream the information
+- Support incomplete, broken and/or invalid DNS
+- Have close to no data quality and signature degradation
+- Support additional non-DNS meta data (such as ICMP/TCP attributes)
+
+Read [CBOR_DNS_STREAM.md](https://github.com/DNS-OARC/dnscap/blob/develop/CBOR_DNS_STREAM.md) for more information.
+
+To enable this output please follow the instructions below for Enabling
+CBOR Output, note that this only requires Tinycbor.
+
+### Outputting to CBOR DNS Stream (CDS)
+
+To output to the CDS format you tell `dnscap` to write to a file and set
+the format to CDS.  CDS is a stream of CBOR objects and you can control how
+many objects are kept in memory until flushed to the file by setting
+`cds_cbor_size`, note that this is bytes of memory and not number of objects.
+When it reaches this limit it will write the output and start on a new file.
+Read `dnscap`'s man page for all CDS extended options.
+
+```
+src/dnscap [...] -w <file> -F cds [ -o cds_cbor_size=<bytes> ]
+```
+
+## CBOR
+
+There is experimental support for CBOR output using LDNS and Tinycbor with
+a data structure described in the DNS-in-JSON draft.
+
+https://datatracker.ietf.org/doc/draft-hoffman-dns-in-json/
+
+### Enabling CBOR Output
+
+To enable the CBOR output support you will need to install it's dependencies
+before running `configure`, LDNS exists for most distributions but Tinycbor
+is new so you need to download and compile it, you do not necessary need to
+install it as shown in the example below.
+
+```sh
+git clone https://github.com/DNS-OARC/dnscap.git
+cd dnscap
+git submodule update --init
+git clone https://github.com/01org/tinycbor.git
+cd tinycbor
+git checkout v0.4.2
+make
+cd ..
+sh autogen.sh
+CFLAGS="-I$PWD/tinycbor/src" LDFLAGS="-L$PWD/tinycbor/lib" LIBS="-ltinycbor" ./configure
+make
+```
+
+**NOTE**: Paths in `CFLAGS` and `LDFLAGS` must be absolute.
+
+### CBOR to JSON
+
+Tinycbor comes with a tool to convert CBOR to JSON, check `bin/cbordump -h`
+in the Tinycbor directory after having compiled it.
+
+### Outputting to CBOR
+
+To output to the CBOR format you tell `dnscap` to write to a file and set
+the format to CBOR.  Since Tinycbor constructs everything in memory there
+is a limit and when it is reached it will write the output and start on a
+new file.  You can control the number of bytes with the extended option
+`cbor_chunk_size`.
+
+```
+src/dnscap [...] -w <file> -F cbor [ -o cbor_chunk_size=<bytes> ]
+```
+
+### Additional attributes
+
+There is currently an additional attribute added to the CBOR object which
+contains the IP information as following:
+
+```
+"ip": [
+  <proto>,
+  "<source ip address>",
+  <source port>
+  "<destination ip address>",
+  <destination port>
+]
+```
+
+Example:
+
+```json
+"ip": [
+  17,
+  "127.0.0.1",
+  34856,
+  "127.0.0.1",
+  53
+]
+```
+
+### Limitations, deviations and issues
+
+Since this is still experimental there are of course some issues:
+- RDATA is in binary format
+- DNS packet are parsed by LDNS which can fail if malformed packets
+- `dateSeconds` is added as a C `double` which might loose some of the time precision
diff --git a/autogen.sh b/autogen.sh
new file mode 100755
index 0000000..deb3713
--- /dev/null
+++ b/autogen.sh
@@ -0,0 +1,3 @@
+#!/bin/sh -e
+
+autoreconf --force --install --no-recursive --include=m4 --include=src/pcap-thread/m4
diff --git a/configure.ac b/configure.ac
new file mode 100644
index 0000000..f43cce5
--- /dev/null
+++ b/configure.ac
@@ -0,0 +1,160 @@
+# Copyright (c) 2016-2021, OARC, Inc.
+# Copyright (c) 2007, The Measurement Factory, Inc.
+# Copyright (c) 2007, Internet Systems Consortium, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+#
+# 3. Neither the name of the copyright holder nor the names of its
+#    contributors may be used to endorse or promote products derived
+#    from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+AC_PREREQ(2.61)
+AC_INIT([dnscap], [2.0.0], [dnscap-users@dns-oarc.net], [dnscap], [https://github.com/DNS-OARC/dnscap/issues])
+AM_INIT_AUTOMAKE([-Wall -Werror foreign subdir-objects])
+AC_CONFIG_SRCDIR([src/dnscap.c])
+AC_CONFIG_HEADER([src/config.h])
+AC_CONFIG_MACRO_DIR([m4])
+
+# Checks for programs.
+AC_PROG_CC
+AM_PROG_CC_C_O
+AC_CANONICAL_HOST
+m4_ifdef([AM_PROG_AR], [AM_PROG_AR])
+LT_INIT([disable-static])
+
+# Check --enable-warn-all
+AC_ARG_ENABLE([warn-all], [AS_HELP_STRING([--enable-warn-all], [Enable all compiler warnings])], [AX_CFLAGS_WARN_ALL()])
+
+# Check --with-extra-cflags
+AC_ARG_WITH([extra-cflags], [AS_HELP_STRING([--with-extra-cflags=CFLAGS], [Add extra CFLAGS])], [
+  AC_MSG_NOTICE([appending extra CFLAGS... $withval])
+  AS_VAR_APPEND(CFLAGS, [" $withval"])
+])
+
+# Check --with-extra-ldflags
+AC_ARG_WITH([extra-ldflags], [AS_HELP_STRING([--with-extra-ldflags=LDFLAGS], [Add extra LDFLAGS])], [
+  AC_MSG_NOTICE([appending extra LDFLAGS... $withval])
+  AS_VAR_APPEND(LDFLAGS, [" $withval"])
+])
+
+# pcap_thread
+AC_ARG_ENABLE(threads,
+    [AS_HELP_STRING([--enable-threads],
+        [enable the usage of threads (default disabled)])],
+    [AX_PCAP_THREAD],
+    [AX_PCAP_THREAD_PCAP])
+
+# Check --enable-gcov
+AC_ARG_ENABLE([gcov], [AS_HELP_STRING([--enable-gcov], [Enable coverage testing])], [
+  coverage_cflags="--coverage -g -O0 -fno-inline -fno-inline-small-functions -fno-default-inline"
+  AC_MSG_NOTICE([enabling coverage testing... $coverage_cflags])
+  AS_VAR_APPEND(CFLAGS, [" $coverage_cflags"])
+])
+AM_CONDITIONAL([ENABLE_GCOV], [test "x$enable_gcov" != "xno"])
+AM_EXTRA_RECURSIVE_TARGETS([gcov])
+
+# Checks for libraries.
+AC_CHECK_LIB([dl], [dlopen])
+AC_CHECK_LIB([tinycbor], [cbor_parser_init])
+AM_CONDITIONAL([HAVE_CBOR], [test "x$ac_cv_lib_tinycbor_cbor_parser_init" = "xyes"])
+AC_CHECK_LIB([z], [gzopen])
+PKG_CHECK_MODULES([libcrypto], [libcrypto],
+    [AC_DEFINE([HAVE_LIBCRYPTO], [1], [Define to 1 if you have libcrypto.])])
+AC_CHECK_LIB([cryptopant], [scramble_init], [], [
+    AC_CHECK_LIB([cryptopANT], [scramble_init])
+])
+PKG_CHECK_MODULES([libldns], [libldns], , [
+  PKG_CHECK_MODULES([libldns], [ldns])
+])
+
+# Check for OS specific libraries
+case "$host_os" in
+    # HPUX
+    hpux*)
+        AC_CHECK_LIB([hplx], [main])
+        ;;
+
+    # Solaris
+    solaris*)
+        AC_CHECK_LIB([rt], [main])
+        AC_CHECK_LIB([md5], [main])
+        AC_CHECK_LIB([socket], [main])
+        AC_CHECK_LIB([nsl], [main])
+        ;;
+esac
+
+# Checks for header files.
+AC_HEADER_RESOLV
+AC_HEADER_TIME
+AC_CHECK_HEADERS([arpa/inet.h fcntl.h netdb.h netinet/in.h stdlib.h string.h])
+AC_CHECK_HEADERS([sys/ioctl.h sys/param.h sys/socket.h sys/time.h unistd.h])
+AC_CHECK_HEADERS([ldns/ldns.h arpa/nameser_compat.h cbor.h cbor/cbor.h])
+AC_CHECK_HEADERS([sys/time.h])
+AC_CHECK_HEADERS([zlib.h])
+AC_CHECK_HEADERS([openssl/conf.h openssl/evp.h openssl/err.h])
+AC_CHECK_HEADERS([cryptopANT.h])
+AC_CHECK_HEADERS([endian.h sys/endian.h machine/endian.h])
+
+# Checks for library functions.
+AC_CHECK_FUNCS([snprintf])
+AC_CHECK_FUNCS([setreuid setresuid setregid setresgid setegid seteuid initgroups setgroups])
+AC_CHECK_FUNCS([funopen fopencookie gzopen])
+AC_CHECK_FUNCS([__assertion_failed])
+
+# Check for SECCOMP
+SECCOMPFLAGS=
+AC_ARG_ENABLE(seccomp, AC_HELP_STRING([--enable-seccomp], [Linux seccomp-bpf sandbox]))
+case "$enable_seccomp" in
+    yes)
+        AC_DEFINE_UNQUOTED([USE_SECCOMP], [1], [Define this to enable Linux seccomp-bpf sandbox.])
+        SECCOMPFLAGS="-lseccomp -fPIE -fstack-protector-all -Wl,-z,relro -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2"
+        ;;
+
+    *)
+        ;;
+esac
+AC_SUBST(SECCOMPFLAGS, ["$SECCOMPFLAGS"])
+
+# Output Makefiles
+AC_CONFIG_FILES([
+    Makefile
+    src/Makefile
+	src/test/Makefile
+    plugins/Makefile
+    plugins/pcapdump/Makefile
+    plugins/rssm/Makefile
+    plugins/txtout/Makefile
+    plugins/rzkeychange/Makefile
+    plugins/royparse/Makefile
+    plugins/anonmask/Makefile
+    plugins/ipcrypt/Makefile
+	plugins/anonaes128/Makefile
+	plugins/cryptopan/Makefile
+    plugins/cryptopant/Makefile
+    plugins/eventlog/Makefile
+])
+AC_OUTPUT
diff --git a/contrib/cdsdump.py b/contrib/cdsdump.py
new file mode 100755
index 0000000..3eee22f
--- /dev/null
+++ b/contrib/cdsdump.py
@@ -0,0 +1,699 @@
+#!/usr/bin/env python3
+#
+# Copyright (c) 2016-2021, OARC, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+#
+# 3. Neither the name of the copyright holder nor the names of its
+#    contributors may be used to endorse or promote products derived
+#    from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+import sys
+import logging
+import optparse
+import struct
+import socket
+from cbor2 import CBORDecoder;
+
+logging.basicConfig(format='%(levelname).5s: %(module)s:%(lineno)d: '
+                           '%(message)s')
+log = logging.getLogger(__name__)
+
+class SimpleValue(object):
+    def __init__(self, value):
+        self.value = value
+
+    def get(self):
+        return self.value
+
+    def __repr__(self):
+        return "{}".format(self.value)
+
+def decode_simple_value(self, fp, shareable_index=None):
+    return SimpleValue(struct.unpack('>B', fp.read(1))[0])
+
+try:
+    from cbor2.types import CBORSimpleValue
+except Exception:
+    CBORSimpleValue = SimpleValue
+
+class LastValues(object):
+    def __init__(self):
+        self.reset()
+
+    def reset(self):
+        self.ts = None
+        self.src_addr4 = None
+        self.src_port4 = None
+        self.dest_addr4 = None
+        self.dest_port4 = None
+        self.src_addr6 = None
+        self.src_port6 = None
+        self.dest_addr6 = None
+        self.dest_port6 = None
+        self.rlabel = []
+        self.mlabel = []
+        self.rr_type = None
+        self.rr_class = None
+        self.rr_ttl = None
+
+last = LastValues()
+
+MAX_RLABELS = 255
+MIN_RLABEL_SIZE = 3
+
+def get_rlabel(idx):
+    rlabel_idx = -idx - 1
+    try:
+        label = last.rlabel.pop(rlabel_idx)
+        last.rlabel.insert(0, label)
+        return label
+    except:
+        raise Exception("rlabel index {} out of range".format(rlabel_idx))
+
+def add_rlabel(label):
+    size = 0
+    if isinstance(label, list):
+        for l in label:
+            if isinstance(l, str):
+                size += len(l)
+    if size < MIN_RLABEL_SIZE:
+        return
+    last.rlabel.insert(0, label)
+    if len(last.rlabel) > MAX_RLABELS:
+        last.rlabel.pop()
+
+def build_mlabel_label(label):
+    if isinstance(label, int) and label < 0:
+        label = get_rlabel(label)
+    else:
+        add_rlabel(label)
+
+    if isinstance(label, str):
+        last.mlabel.append(label)
+    elif isinstance(label, list):
+        if len(label) and isinstance(label[0], int):
+            last.mlabel.append(label)
+            return
+        label = list(label)
+        while len(label):
+            last.mlabel.append(list(label))
+            label.pop(0)
+
+def build_mlabel(rrs):
+    for rr in rrs:
+        if len(rr) and isinstance(rr[0], bool):
+            continue
+        if len(rr):
+            build_mlabel_label(rr[0])
+        if len(rr) > 1 and isinstance(rr[len(rr)-1], list):
+            for l in rr[len(rr)-1]:
+                build_mlabel_label(l)
+
+def parse_label(label, lvl):
+    if isinstance(label, int) and label < 0:
+        label = get_rlabel(label)
+    else:
+        add_rlabel(label)
+
+    if isinstance(label, bytes):
+        print((" " * lvl)+"label: {}".format(bytes))
+    elif isinstance(label, list):
+        if len(label) and isinstance(label[0], int) and label[0] < 0:
+            dn = list(get_rlabel(label[0]))
+        else:
+            dn = list(label)
+        print((" " * lvl)+"clabel: {}".format(dn))
+        dnstr = []
+        seen_mlabel = {}
+        while len(dn):
+            while isinstance(dn[0], int):
+                if dn[0] in seen_mlabel:
+                    dn = [ "{ name compression loop }" ]
+                    break
+                seen_mlabel[dn[0]] = 1
+                dn = list(last.mlabel[dn[0]])
+            dnstr.append(dn.pop(0))
+        print((" " * lvl)+"label:  "+ " . ".join(dnstr))
+
+    else:
+        raise Exception("invalid label type {}".format(type(label)))
+
+
+def parse_rrs(rrs, lvl):
+    for rr in rrs:
+        print((" " * lvl)+"rr:")
+        lvl+=2
+
+        if len(rr) and isinstance(rr[0], bool):
+            print((" " * lvl)+"incomplete/broken DNS RR, no support for these yet")
+            continue
+
+        parse_label(rr.pop(0), lvl)
+
+        bits = 0
+        if isinstance(rr[0], CBORSimpleValue):
+            bits = rr.pop(0).value
+            print((" " * lvl)+"type    (0): "+("yes" if bits & 1 else "no"))
+            print((" " * lvl)+"class   (1): "+("yes" if bits & 1<<1 else "no"))
+            print((" " * lvl)+"ttl     (2): "+("yes" if bits & 1<<2 else "no"))
+            print((" " * lvl)+"rdlength(3): "+("yes" if bits & 1<<3 else "no"))
+
+        rr_type = None
+        rr_class = None
+        rr_ttl = None
+        rdlength = None
+        if not bits:
+            if len(rr) > 4:
+                bits = 0xff
+            elif len(rr) > 1:
+                raise Exception("invalid rr, expected none (0) or all (4) optional values but got {}".format(len(rr)-1))
+        if bits & 1:
+            if not isinstance(rr[0], int):
+                raise Exception("invalid rr.type, expected int but got: {}".format(type(rr[0])))
+            rr_type = rr.pop(0)
+        if bits & 1<<1:
+            if not isinstance(rr[0], int):
+                raise Exception("invalid rr.class, expected int but got: {}".format(type(rr[0])))
+            rr_class = rr.pop(0)
+        if bits & 1<<2:
+            if not isinstance(rr[0], int):
+                raise Exception("invalid rr.ttl, expected int but got: {}".format(type(rr[0])))
+            rr_ttl = rr.pop(0)
+        if bits & 1<<3:
+            if not isinstance(rr[0], int):
+                raise Exception("invalid rr.rdlength, expected int but got: {}".format(type(rr[0])))
+            rdlength = rr.pop(0)
+
+        if not rr_type:
+            rr_type = last.rr_type
+        if not rr_class:
+            rr_class = last.rr_class
+        if not rr_ttl:
+            rr_ttl = last.rr_ttl
+
+        print((" " * lvl)+"type: {}".format(rr_type))
+        print((" " * lvl)+"class: {}".format(rr_class))
+        print((" " * lvl)+"ttl: {}".format(rr_ttl))
+        if rdlength:
+            print((" " * lvl)+"rdlength: {}".format(rdlength))
+
+        if rr_type != 41:
+            last.rr_type = rr_type
+            last.rr_class = rr_class
+            last.rr_ttl = rr_ttl
+
+        if isinstance(rr[0], bytes):
+            print((" " * lvl)+"rdata: "+"".join("{:02x}".format(byte) for byte in rr.pop(0)))
+        elif isinstance(rr[0], list):
+            rdata = []
+            for i in rr.pop(0):
+                if isinstance(i, int) and i < 0:
+                    i = get_rlabel(i)
+                elif not isinstance(i, bytes):
+                    add_rlabel(i)
+
+                if isinstance(i, bytes):
+                    rdata.append("".join("{:02x}".format(byte) for byte in i))
+                elif isinstance(i, list):
+                    dn = list(i)
+                    dnstr = []
+                    seen_mlabel = {}
+                    while len(dn):
+                        while isinstance(dn[0], int):
+                            if dn[0] in seen_mlabel:
+                                dn = [ "{ name compression loop }" ]
+                                break
+                            seen_mlabel[dn[0]] = 1
+                            dn = list(last.mlabel[dn[0]])
+                        dnstr.append(dn.pop(0))
+                    rdata.append("[ clabel: {} label: ".format(i) + " . ".join(dnstr) + " ]")
+                else:
+                    raise Exception("invalid rr.rdata[], expected bytes|list but got: {}".format(type(i)))
+
+            print((" " * lvl)+"rdata: "+" ".join(rdata))
+        else:
+            raise Exception("invalid rr.rdata, expected bytes|list but got: {}".format(type(rr[0])))
+
+        lvl-=2
+
+def parse_qrs(qrs, lvl):
+    for qr in qrs:
+        print((" " * lvl)+"qr:")
+        lvl+=2
+        parse_label(qr.pop(0), lvl)
+
+        rr_type = None
+        rr_class = None
+        if len(qr):
+            if not isinstance(qr[0], int):
+                raise Exception("invalid qr.type|class, expected int but got {}".format(type(qr[0])))
+            if qr[0] > -1:
+                rr_type = qr.pop(0)
+                if len(qr):
+                    if not isinstance(qr[0], int):
+                        raise Exception("invalid qr.class, expected int but got {}".format(type(qr[0])))
+                    elif not qr[0] < 0:
+                        raise Exception("invalid qr.class, expected negative int but got positive")
+                    rr_class = -qr.pop(0) - 1
+            else:
+                rr_class = -qr.pop(0) - 1
+
+        if not rr_type:
+            rr_type = last.rr_type
+        if not rr_class:
+            rr_class = last.rr_class
+
+        print((" " * lvl)+"type: {}".format(rr_type))
+        print((" " * lvl)+"class: {}".format(rr_class))
+
+        if rr_type != 41:
+            last.rr_type = rr_type
+            last.rr_class = rr_class
+
+        lvl-=2
+
+def parse_dns_message(dns, lvl):
+    print((" " * lvl)+"dns:")
+    lvl+=2
+
+    if isinstance(dns[0], bool):
+        print((" " * lvl)+"incomplete/broken DNS packet, no support for these yet")
+        return
+
+    print((" " * lvl)+"header:")
+    lvl+=2
+    id = dns.pop(0)
+    print((" " * lvl)+"id: {}".format(id))
+    raw = dns.pop(0)
+    print((" " * lvl)+"raw: 0x{:04x}".format(raw))
+    lvl+=2
+    print((" " * lvl)+"    QR: "+("yes" if raw & 1<<15 else "no"))
+    print((" " * lvl)+"Opcode: {}".format(((raw >> 11) & 0xf)))
+    print((" " * lvl)+"    AA: "+("yes" if raw & 1<<10 else "no"))
+    print((" " * lvl)+"    TC: "+("yes" if raw & 1<<9 else "no"))
+    print((" " * lvl)+"    RD: "+("yes" if raw & 1<<8 else "no"))
+    print((" " * lvl)+"    RA: "+("yes" if raw & 1<<7 else "no"))
+    print((" " * lvl)+"     Z: "+("yes" if raw & 1<<6 else "no"))
+    print((" " * lvl)+"    AD: "+("yes" if raw & 1<<5 else "no"))
+    print((" " * lvl)+"    CD: "+("yes" if raw & 1<<4 else "no"))
+    print((" " * lvl)+" RCODE: {}".format(raw & 0xf))
+    lvl-=2
+
+    bits = 0
+    if isinstance(dns[0], int) and dns[0] < 0:
+        bits = -dns.pop(0) - 1
+        print((" " * lvl)+"qdcount(0): "+("yes" if bits & 1 else "no"))
+        print((" " * lvl)+"ancount(1): "+("yes" if bits & 1<<1 else "no"))
+        print((" " * lvl)+"nscount(2): "+("yes" if bits & 1<<2 else "no"))
+        print((" " * lvl)+"arcount(3): "+("yes" if bits & 1<<3 else "no"))
+
+    if not bits:
+        if isinstance(dns[0], int):
+            bits = 0xff
+
+    if bits & 1:
+        if not isinstance(dns[0], int):
+            raise Exception("invalid dns.header.qdcount, expected int but got: {}".format(type(dns[0])))
+        print((" " * lvl)+"qdcount: {}".format(dns.pop(0)))
+    if bits & 1<<1:
+        if not isinstance(dns[0], int):
+            raise Exception("invalid dns.header.ancount, expected int but got: {}".format(type(dns[0])))
+        print((" " * lvl)+"ancount: {}".format(dns.pop(0)))
+    if bits & 1<<2:
+        if not isinstance(dns[0], int):
+            raise Exception("invalid dns.header.nscount, expected int but got: {}".format(type(dns[0])))
+        print((" " * lvl)+"nscount: {}".format(dns.pop(0)))
+    if bits & 1<<3:
+        if not isinstance(dns[0], int):
+            raise Exception("invalid dns.header.arcount, expected int but got: {}".format(type(dns[0])))
+        print((" " * lvl)+"arcount: {}".format(dns.pop(0)))
+
+    bits = 0
+    if isinstance(dns[0], CBORSimpleValue):
+        bits = dns.pop(0).value
+        print((" " * lvl)+"questions  (0): "+("yes" if bits & 1 else "no"))
+        print((" " * lvl)+"answers    (1): "+("yes" if bits & 1<<1 else "no"))
+        print((" " * lvl)+"authorities(2): "+("yes" if bits & 1<<2 else "no"))
+        print((" " * lvl)+"additionals(3): "+("yes" if bits & 1<<3 else "no"))
+
+    last.mlabel = []
+    rlabel = list(last.rlabel)
+    for n in range(4):
+        if len(dns) > n and isinstance(dns[n], list):
+            build_mlabel(dns[n])
+    last.rlabel = rlabel
+
+    if not bits:
+        if len(dns) > 3:
+            bits = 0xff
+        elif len(dns) > 0:
+            raise Exception("invalid dns.message rr's, expected none (0) or all (4) but got {}".format(len(dns)))
+
+    if bits & 1:
+        if not isinstance(dns[0], list):
+            raise Exception("invalid dns.message.questions, expected list but got: {}".format(type(dns[0])))
+        print((" " * lvl)+"questions:")
+        parse_qrs(dns.pop(0), lvl+2)
+    if bits & 1<<1:
+        if not isinstance(dns[0], list):
+            raise Exception("invalid dns.message.answers, expected list but got: {}".format(type(dns[0])))
+        print((" " * lvl)+"answers:")
+        parse_rrs(dns.pop(0), lvl+2)
+    if bits & 1<<2:
+        if not isinstance(dns[0], list):
+            raise Exception("invalid dns.message.authorities, expected list but got: {}".format(type(dns[0])))
+        print((" " * lvl)+"authorities:")
+        parse_rrs(dns.pop(0), lvl+2)
+    if bits & 1<<3:
+        if not isinstance(dns[0], list):
+            raise Exception("invalid dns.message.additionals, expected list but got: {}".format(type(dns[0])))
+        print((" " * lvl)+"additionals:")
+        parse_rrs(dns.pop(0), lvl+2)
+
+    if len(dns):
+        if isinstance(dns[0], bytes):
+            print((" " * lvl)+"malformed: "+"".join("{:02x}".format(byte) for byte in dns.pop(0)))
+        if len(dns):
+            raise Exception("invalid dns.message, garbage at end: {}".format(dns))
+
+def parse_ip_header(ip_header, lvl):
+    print((" " * lvl)+"ip_header:")
+    lvl+=2
+
+    print((" " * lvl)+"bits:")
+    lvl+=2
+    bits = ip_header.pop(0)
+    reverse = False
+    if isinstance(bits, int):
+        if bits < 0:
+            print((" " * lvl)+"reverse: yes")
+            bits = -bits - 1
+            reverse = True
+        print((" " * lvl)+"family   (0): "+("INET6" if bits & 1 else "INET"))
+        print((" " * lvl)+"have_src (1): "+("yes" if bits & 1<<1 else "no"))
+        print((" " * lvl)+"have_dest(2): "+("yes" if bits & 1<<2 else "no"))
+        print((" " * lvl)+"have_port(3): "+("yes" if bits & 1<<3 else "no"))
+    else:
+        raise Exception("invalid ip_header.bits, expected int but got: {}".format(type(bits)))
+    lvl-=2
+
+    src_addr = None
+    dest_addr = None
+    src_port = None
+    dest_port = None
+
+    if bits & 1<<1:
+        src_addr = ip_header.pop(0)
+        if not isinstance(src_addr, bytes):
+            raise Exception("invalid ip_header.src_addr, expected bytes but got: {}".format(type(src_addr)))
+    else:
+        if reverse:
+            src_addr = last.dest_addr6 if bits & 1 else last.dest_addr4
+            if not src_addr:
+                raise Exception("invalid ip_header.bits, expected to have last dest addr but don't")
+        else:
+            src_addr = last.src_addr6 if bits & 1 else last.src_addr4
+            if not src_addr:
+                raise Exception("invalid ip_header.bits, expected to have last src addr but don't")
+
+    if bits & 1<<2:
+        dest_addr = ip_header.pop(0)
+        if not isinstance(dest_addr, bytes):
+            raise Exception("invalid ip_header.dest_addr, expected bytes but got: {}".format(type(dest_addr)))
+    else:
+        if reverse:
+            dest_addr = last.src_addr6 if bits & 1 else last.src_addr4
+            if not dest_addr:
+                raise Exception("invalid ip_header.bits, expected to have last src addr but don't")
+        else:
+            dest_addr = last.dest_addr6 if bits & 1 else last.dest_addr4
+            if not dest_addr:
+                raise Exception("invalid ip_header.bits, expected to have last dest addr but don't")
+
+    if bits & 1<<3:
+        ports = ip_header.pop(0)
+        if not isinstance(ports, int):
+            raise Exception("invalid ip_header.src_dest_port, expected int but got: {}".format(type(ports)))
+        if ports > 0xffff:
+            src_port = ports & 0xffff
+            dest_port = ports >> 16
+        elif ports < 0:
+            if reverse:
+                src_port = last.dest_port6 if bits & 1 else last.dest_port4
+                if src_port is None:
+                        raise Exception("invalid ip_header.bits, expected to have last dest port but don't")
+            else:
+                src_port = last.src_port6 if bits & 1 else last.src_port4
+                if src_port is None:
+                    raise Exception("invalid ip_header.bits, expected to have last src port but don't")
+            dest_port = -ports - 1
+        else:
+            src_port = ports
+            if reverse:
+                dest_port = last.src_port6 if bits & 1 else last.src_port4
+                if dest_port is None:
+                        raise Exception("invalid ip_header.bits, expected to have last src port but don't")
+            else:
+                dest_port = last.dest_port6 if bits & 1 else last.dest_port4
+                if dest_port is None:
+                        raise Exception("invalid ip_header.bits, expected to have last dest port but don't")
+    else:
+        if reverse:
+            src_port = last.dest_port6 if bits & 1 else last.dest_port4
+            if src_port is None:
+                    raise Exception("invalid ip_header.bits, expected to have last dest port but don't")
+        else:
+            src_port = last.src_port6 if bits & 1 else last.src_port4
+            if src_port is None:
+                raise Exception("invalid ip_header.bits, expected to have last src port but don't")
+        if reverse:
+            dest_port = last.src_port6 if bits & 1 else last.src_port4
+            if dest_port is None:
+                    raise Exception("invalid ip_header.bits, expected to have last src port but don't")
+        else:
+            dest_port = last.dest_port6 if bits & 1 else last.dest_port4
+            if dest_port is None:
+                    raise Exception("invalid ip_header.bits, expected to have last dest port but don't")
+
+    print((" " * lvl)+" src addr: " + socket.inet_ntop(socket.AF_INET6 if bits & 1 else socket.AF_INET, src_addr))
+    print((" " * lvl)+"dest addr: " + socket.inet_ntop(socket.AF_INET6 if bits & 1 else socket.AF_INET, dest_addr))
+    print((" " * lvl)+" src port: {}".format(src_port))
+    print((" " * lvl)+"dest port: {}".format(dest_port))
+
+    if bits & 1:
+        last.src_addr6 = src_addr
+        last.dest_addr6 = dest_addr
+        last.src_port6 = src_port
+        last.dest_port6 = dest_port
+    else:
+        last.src_addr4 = src_addr
+        last.dest_addr4 = dest_addr
+        last.src_port4 = src_port
+        last.dest_port4 = dest_port
+
+
+def parse_message_bits(bits, lvl):
+    print((" " * lvl)+"message_bits:")
+    lvl+=2
+    dns = "no"
+    if isinstance(bits, int):
+        if bits & 1:
+            dns = "yes"
+        print((" " * lvl)+"dns      (0): "+dns)
+
+        if bits & 1<<1:
+            proto = "tcp"
+        elif dns == "yes":
+            proto = "udp"
+        else:
+            proto = "icmp"
+        print((" " * lvl)+"proto    (1): "+proto)
+
+        if bits & 1<<2:
+            frag = "yes"
+        else:
+            frag = "no"
+        print((" " * lvl)+"frag     (2): "+frag)
+
+        if bits & 1<<3:
+            malformed = "yes"
+        else:
+            malformed = "no"
+        print((" " * lvl)+"malformed(3): "+malformed)
+
+    else:
+        raise Exception("invalid message_bits, expected int but got: {}".format(type(bits)))
+
+    return 1 if dns == "yes" else 0
+
+def parse_timestamp(ts, lvl):
+    print((" " * lvl)+"timestamp:")
+    lvl+=2
+
+    if isinstance(ts, list):
+        if ts[0] < 0:
+            if not last.ts:
+                raise Exception("invalid timestamp.seconds, got diff from last value but have no last value")
+            if not len(last.ts) == len(ts):
+                raise Exception("invalid timestamp.seconds, differentialy precision missmatch")
+
+            ts[0] = last.ts[0] + ( -ts[0] - 1 )
+            print((" " * lvl)+"seconds: {}".format(ts[0]))
+
+            if len(ts) > 1:
+                ts[1] = last.ts[1] + ts[1]
+                print((" " * lvl)+"useconds: {}".format(ts[1]))
+            if len(ts) > 2:
+                ts[2] = last.ts[2] + ts[2]
+                print((" " * lvl)+"nseconds: {}".format(ts[2]))
+        else:
+            print((" " * lvl)+"seconds: {}".format(ts[0]))
+            if len(ts) > 1:
+                print((" " * lvl)+"useconds: {}".format(ts[1]))
+            if len(ts) > 2:
+                print((" " * lvl)+"nseconds: {}".format(ts[2]))
+        last.ts = ts
+
+    elif isinstance(ts, int):
+        print((" " * lvl)+"seconds: {}".format(ts))
+    else:
+        raise Exception("invalid timestamp, expected list|int but got: {}".format(type(ts)))
+
+def parse(cds):
+    print("paket:")
+    try:
+        parse_timestamp(cds.pop(0), 2)
+        is_dns = parse_message_bits(cds.pop(0), 2)
+        parse_ip_header(cds, 2)
+        if not is_dns:
+            raise Exception("not dns? huh?")
+        parse_dns_message(cds, 2)
+    except IndexError as idx:
+        if not str(idx) == "pop from empty list":
+            raise
+        print("  ...")
+    except:
+        raise
+
+def main():
+    usage = '%prog [-v] [-h] <cds file...>'
+    parser = optparse.OptionParser(usage, version='%prog 0.01')
+    parser.add_option('-v', '--verbose', action='store_true', dest='verbose',
+                      help='turn verbose mode on')
+
+    (options, args) = parser.parse_args()
+
+    if options.verbose == True:
+        log.setLevel(logging.DEBUG)
+        log.debug('argv: %s', sys.argv)
+        log.debug('options: %s', options)
+        log.debug('args: %s', args)
+    else:
+        log.setLevel(logging.WARNING)
+
+    if not args:
+        parser.print_usage()
+        exit(1)
+
+    decoder = CBORDecoder()
+    # if https://github.com/agronholm/cbor2/pull/5 is not merged/released yet
+    if 0 not in decoder.special_decoders:
+        decoder.special_decoders[0] = lambda self, fp, shareable_index=None: SimpleValue(0)
+        decoder.special_decoders[1] = lambda self, fp, shareable_index=None: SimpleValue(1)
+        decoder.special_decoders[2] = lambda self, fp, shareable_index=None: SimpleValue(2)
+        decoder.special_decoders[3] = lambda self, fp, shareable_index=None: SimpleValue(3)
+        decoder.special_decoders[4] = lambda self, fp, shareable_index=None: SimpleValue(4)
+        decoder.special_decoders[5] = lambda self, fp, shareable_index=None: SimpleValue(5)
+        decoder.special_decoders[6] = lambda self, fp, shareable_index=None: SimpleValue(6)
+        decoder.special_decoders[7] = lambda self, fp, shareable_index=None: SimpleValue(7)
+        decoder.special_decoders[8] = lambda self, fp, shareable_index=None: SimpleValue(8)
+        decoder.special_decoders[9] = lambda self, fp, shareable_index=None: SimpleValue(9)
+        decoder.special_decoders[10] = lambda self, fp, shareable_index=None: SimpleValue(10)
+        decoder.special_decoders[11] = lambda self, fp, shareable_index=None: SimpleValue(11)
+        decoder.special_decoders[12] = lambda self, fp, shareable_index=None: SimpleValue(12)
+        decoder.special_decoders[13] = lambda self, fp, shareable_index=None: SimpleValue(13)
+        decoder.special_decoders[14] = lambda self, fp, shareable_index=None: SimpleValue(14)
+        decoder.special_decoders[15] = lambda self, fp, shareable_index=None: SimpleValue(15)
+        decoder.special_decoders[16] = lambda self, fp, shareable_index=None: SimpleValue(16)
+        decoder.special_decoders[17] = lambda self, fp, shareable_index=None: SimpleValue(17)
+        decoder.special_decoders[18] = lambda self, fp, shareable_index=None: SimpleValue(18)
+        decoder.special_decoders[19] = lambda self, fp, shareable_index=None: SimpleValue(19)
+        decoder.special_decoders[24] = decode_simple_value
+
+    version = None
+
+    for f in args:
+        log.debug('file: %s', f)
+        with open(f, 'rb') as fp:
+            obj = None
+            try:
+                obj = decoder.decode(fp)
+            except Exception as e:
+                if e.__str__().find("index out of range") == -1:
+                    raise
+            if not isinstance(obj, list):
+                raise Exception("Invalid element, expected an array but found: {}".format(type(obj)))
+
+            version = obj.pop(0)
+            if version != "CDSv1":
+                raise Exception("Invalid version, expected CDSv1 but got: {}".format(version))
+
+            while len(obj):
+                opt = obj.pop(0)
+                if not isinstance(opt, int):
+                    raise Exception("Invalid option, expected int but got: {}".format(type(opt)))
+                if opt == 0:
+                    MAX_RLABELS = obj.pop(0)
+                    if not isinstance(MAX_RLABELS, int) or MAX_RLABELS < 1:
+                        raise Exception("Invalid option for maximum rlabels, got: {}".format(MAX_RLABELS))
+                    log.debug("Using maximum rlabels {}".format(MAX_RLABELS))
+                elif opt == 1:
+                    MIN_RLABEL_SIZE = obj.pop(0)
+                    if not isinstance(MIN_RLABEL_SIZE, int) or MIN_RLABEL_SIZE < 1:
+                        raise Exception("Invalid option for minimum rlabel size, got: {}".format(MIN_RLABEL_SIZE))
+                    log.debug("Using minimum rlabel size {}".format(MIN_RLABEL_SIZE))
+                else:
+                    raise Exception("Unknown option: {}".format(opt))
+
+            while True:
+                obj = None
+                try:
+                    obj = decoder.decode(fp)
+                except Exception as e:
+                    if e.__str__().find("index out of range") == -1:
+                        raise
+                if obj is None:
+                    break
+                if not isinstance(obj, list):
+                    raise Exception("Invalid element, expected an array but found: {}".format(type(obj)))
+                parse(obj)
+
+            last.reset()
+
+if __name__ == '__main__':
+    main()
diff --git a/contrib/cdsidxchk.py b/contrib/cdsidxchk.py
new file mode 100755
index 0000000..bcc1a67
--- /dev/null
+++ b/contrib/cdsidxchk.py
@@ -0,0 +1,797 @@
+#!/usr/bin/env python3
+#
+# Copyright (c) 2016-2021, OARC, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+#
+# 3. Neither the name of the copyright holder nor the names of its
+#    contributors may be used to endorse or promote products derived
+#    from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+import sys
+import logging
+import optparse
+import struct
+from cbor2 import CBORDecoder;
+
+logging.basicConfig(format='%(levelname).5s: %(module)s:%(lineno)d: '
+                           '%(message)s')
+log = logging.getLogger(__name__)
+
+class SimpleValue(object):
+    def __init__(self, value):
+        self.value = value
+
+    def get(self):
+        return self.value
+
+    def __repr__(self):
+        return "{}".format(self.value)
+
+def decode_simple_value(self, fp, shareable_index=None):
+    return SimpleValue(struct.unpack('>B', fp.read(1))[0])
+
+try:
+    from cbor2.types import CBORSimpleValue
+except Exception:
+    CBORSimpleValue = SimpleValue
+
+class LastValues(object):
+    def __init__(self):
+        self.reset()
+
+    def reset(self):
+        self.ts = None
+        self.src_addr4 = None
+        self.src_port4 = None
+        self.dest_addr4 = None
+        self.dest_port4 = None
+        self.src_addr6 = None
+        self.src_port6 = None
+        self.dest_addr6 = None
+        self.dest_port6 = None
+        self.rlabel = []
+        self.mlabel = []
+        self.rr_type = None
+        self.rr_class = None
+        self.rr_ttl = None
+        self.labels = {}
+        self.label_len = {}
+        self.label_parts = {}
+        self.label_part_len = {}
+        self.rdata = {}
+        self.rdata_len = {}
+
+
+last = LastValues()
+
+MAX_RLABELS = 255
+MIN_RLABEL_SIZE = 3
+
+def add_label(label):
+    size = 0
+    if isinstance(label, list):
+        for l in label:
+            if isinstance(l, str) and len(l) > 2:
+                if not l in last.label_parts:
+                    last.label_parts[l] = 1
+                    last.label_part_len[l] = len(l)
+                else:
+                    last.label_parts[l] += 1
+            if not isinstance(l, int):
+                size += len(l)
+    else:
+        size = len(label)
+    if size < 3:
+        return
+
+    idx = "{}".format(label)
+#    print(idx)
+
+    if not idx in last.labels:
+        last.labels[idx] = 1
+        last.label_len[idx] = size
+    else:
+        last.labels[idx] += 1
+
+def add_rdata(rdata):
+    size = 0
+    if isinstance(rdata, list):
+        for l in rdata:
+            if not isinstance(l, int):
+                size += len(l)
+    else:
+        size = len(rdata)
+    if size < 3:
+        return
+
+    idx = "{}".format(rdata)
+#    print(idx)
+    if not idx in last.rdata:
+        last.rdata[idx] = 1
+        last.rdata_len[idx] = size
+    else:
+        last.rdata[idx] += 1
+
+
+
+def get_rlabel(idx):
+    rlabel_idx = -idx - 1
+    try:
+        label = last.rlabel.pop(rlabel_idx)
+        last.rlabel.insert(0, label)
+        return label
+    except:
+        raise Exception("rlabel index {} out of range".format(rlabel_idx))
+
+def add_rlabel(label):
+    size = 0
+    if isinstance(label, list):
+        for l in label:
+            if isinstance(l, str):
+                size += len(l)
+    if size < MIN_RLABEL_SIZE:
+        return
+    last.rlabel.insert(0, label)
+    if len(last.rlabel) > MAX_RLABELS:
+        last.rlabel.pop()
+
+def build_mlabel_label(label):
+    if isinstance(label, int) and label < 0:
+        label = get_rlabel(label)
+    else:
+        add_rlabel(label)
+
+    if isinstance(label, str):
+        last.mlabel.append(label)
+    elif isinstance(label, list):
+        if len(label) and isinstance(label[0], int):
+            last.mlabel.append(label)
+            return
+        label = list(label)
+        while len(label):
+            last.mlabel.append(list(label))
+            label.pop(0)
+
+def build_mlabel(rrs):
+    for rr in rrs:
+        if len(rr) and isinstance(rr[0], bool):
+            continue
+        if len(rr):
+            build_mlabel_label(rr[0])
+        if len(rr) > 1 and isinstance(rr[len(rr)-1], list):
+            for l in rr[len(rr)-1]:
+                build_mlabel_label(l)
+
+def parse_label(label, lvl):
+    if isinstance(label, int) and label < 0:
+        label = get_rlabel(label)
+    else:
+        add_rlabel(label)
+        add_label(label)
+
+    if isinstance(label, bytes):
+        #print((" " * lvl)+"label: {}".format(bytes))
+        pass
+    elif isinstance(label, list):
+        if len(label) and isinstance(label[0], int) and label[0] < 0:
+            dn = list(get_rlabel(label[0]))
+        else:
+            dn = list(label)
+        #print((" " * lvl)+"clabel: {}".format(dn))
+        dnstr = []
+        seen_mlabel = {}
+        while len(dn):
+            while isinstance(dn[0], int):
+                if dn[0] in seen_mlabel:
+                    dn = [ "{ name compression loop }" ]
+                    break
+                seen_mlabel[dn[0]] = 1
+                dn = list(last.mlabel[dn[0]])
+            dnstr.append(dn.pop(0))
+        #print((" " * lvl)+"label:  "+ " . ".join(dnstr))
+
+    else:
+        raise Exception("invalid label type {}".format(type(label)))
+
+
+def parse_rrs(rrs, lvl):
+    for rr in rrs:
+        #print((" " * lvl)+"rr:")
+        lvl+=2
+
+        if len(rr) and isinstance(rr[0], bool):
+            #print((" " * lvl)+"incomplete/broken DNS RR, no support for these yet")
+            continue
+
+        parse_label(rr.pop(0), lvl)
+
+        bits = 0
+        if isinstance(rr[0], CBORSimpleValue):
+            bits = rr.pop(0).value
+            #print((" " * lvl)+"type    (0): "+("yes" if bits & 1 else "no"))
+            #print((" " * lvl)+"class   (1): "+("yes" if bits & 1<<1 else "no"))
+            #print((" " * lvl)+"ttl     (2): "+("yes" if bits & 1<<2 else "no"))
+            #print((" " * lvl)+"rdlength(3): "+("yes" if bits & 1<<3 else "no"))
+
+        rr_type = None
+        rr_class = None
+        rr_ttl = None
+        rdlength = None
+        if not bits:
+            if len(rr) > 4:
+                bits = 0xff
+            elif len(rr) > 1:
+                raise Exception("invalid rr, expected none (0) or all (4) optional values but got {}".format(len(rr)-1))
+        if bits & 1:
+            if not isinstance(rr[0], int):
+                raise Exception("invalid rr.type, expected int but got: {}".format(type(rr[0])))
+            rr_type = rr.pop(0)
+        if bits & 1<<1:
+            if not isinstance(rr[0], int):
+                raise Exception("invalid rr.class, expected int but got: {}".format(type(rr[0])))
+            rr_class = rr.pop(0)
+        if bits & 1<<2:
+            if not isinstance(rr[0], int):
+                raise Exception("invalid rr.ttl, expected int but got: {}".format(type(rr[0])))
+            rr_ttl = rr.pop(0)
+        if bits & 1<<3:
+            if not isinstance(rr[0], int):
+                raise Exception("invalid rr.rdlength, expected int but got: {}".format(type(rr[0])))
+            rdlength = rr.pop(0)
+
+        if not rr_type:
+            rr_type = last.rr_type
+        if not rr_class:
+            rr_class = last.rr_class
+        if not rr_ttl:
+            rr_ttl = last.rr_ttl
+
+        #print((" " * lvl)+"type: {}".format(rr_type))
+        #print((" " * lvl)+"class: {}".format(rr_class))
+        #print((" " * lvl)+"ttl: {}".format(rr_ttl))
+        if rdlength:
+            #print((" " * lvl)+"rdlength: {}".format(rdlength))
+            pass
+
+        if rr_type != 41:
+            last.rr_type = rr_type
+            last.rr_class = rr_class
+            last.rr_ttl = rr_ttl
+
+        if isinstance(rr[0], bytes):
+            add_rdata(rr[0])
+            rr.pop(0)
+            #print((" " * lvl)+"rdata: "+"".join("{:02x}".format(byte) for byte in rr.pop(0)))
+        elif isinstance(rr[0], list):
+            add_rdata(rr[0])
+            rdata = []
+            for i in rr.pop(0):
+                if isinstance(i, int) and i < 0:
+                    i = get_rlabel(i)
+                elif not isinstance(i, bytes):
+                    add_rlabel(i)
+                    add_label(i)
+
+                if isinstance(i, bytes):
+                    rdata.append("".join("{:02x}".format(byte) for byte in i))
+                elif isinstance(i, list):
+                    dn = list(i)
+                    dnstr = []
+                    seen_mlabel = {}
+                    while len(dn):
+                        while isinstance(dn[0], int):
+                            if dn[0] in seen_mlabel:
+                                dn = [ "{ name compression loop }" ]
+                                break
+                            seen_mlabel[dn[0]] = 1
+                            dn = list(last.mlabel[dn[0]])
+                        dnstr.append(dn.pop(0))
+                    rdata.append("[ clabel: {} label: ".format(i) + " . ".join(dnstr) + " ]")
+                else:
+                    raise Exception("invalid rr.rdata[], expected bytes|list but got: {}".format(type(i)))
+
+            #print((" " * lvl)+"rdata: "+" ".join(rdata))
+        else:
+            raise Exception("invalid rr.rdata, expected bytes|list but got: {}".format(type(rr[0])))
+
+        lvl-=2
+
+def parse_qrs(qrs, lvl):
+    for qr in qrs:
+        #print((" " * lvl)+"qr:")
+        lvl+=2
+        parse_label(qr.pop(0), lvl)
+
+        rr_type = None
+        rr_class = None
+        if len(qr):
+            if not isinstance(qr[0], int):
+                raise Exception("invalid qr.type|class, expected int but got {}".format(type(qr[0])))
+            if qr[0] > -1:
+                rr_type = qr.pop(0)
+                if len(qr):
+                    if not isinstance(qr[0], int):
+                        raise Exception("invalid qr.class, expected int but got {}".format(type(qr[0])))
+                    elif not qr[0] < 0:
+                        raise Exception("invalid qr.class, expected negative int but got positive")
+                    rr_class = -qr.pop(0) - 1
+            else:
+                rr_class = -qr.pop(0) - 1
+
+        if not rr_type:
+            rr_type = last.rr_type
+        if not rr_class:
+            rr_class = last.rr_class
+
+        #print((" " * lvl)+"type: {}".format(rr_type))
+        #print((" " * lvl)+"class: {}".format(rr_class))
+
+        if rr_type != 41:
+            last.rr_type = rr_type
+            last.rr_class = rr_class
+
+        lvl-=2
+
+def parse_dns_message(dns, lvl):
+    #print((" " * lvl)+"dns:")
+    lvl+=2
+
+    if isinstance(dns[0], bool):
+        #print((" " * lvl)+"incomplete/broken DNS packet, no support for these yet")
+        return
+
+    #print((" " * lvl)+"header:")
+    lvl+=2
+    id = dns.pop(0) # lgtm [py/unused-local-variable]
+    #print((" " * lvl)+"id: {}".format(id))
+    raw = dns.pop(0) # lgtm [py/unused-local-variable]
+    #print((" " * lvl)+"raw: 0x{:04x}".format(raw))
+    lvl+=2
+    #print((" " * lvl)+"    QR: "+("yes" if raw & 1<<15 else "no"))
+    #print((" " * lvl)+"Opcode: {}".format(((raw >> 11) & 0xf)))
+    #print((" " * lvl)+"    AA: "+("yes" if raw & 1<<10 else "no"))
+    #print((" " * lvl)+"    TC: "+("yes" if raw & 1<<9 else "no"))
+    #print((" " * lvl)+"    RD: "+("yes" if raw & 1<<8 else "no"))
+    #print((" " * lvl)+"    RA: "+("yes" if raw & 1<<7 else "no"))
+    #print((" " * lvl)+"     Z: "+("yes" if raw & 1<<6 else "no"))
+    #print((" " * lvl)+"    AD: "+("yes" if raw & 1<<5 else "no"))
+    #print((" " * lvl)+"    CD: "+("yes" if raw & 1<<4 else "no"))
+    #print((" " * lvl)+" RCODE: {}".format(raw & 0xf))
+    lvl-=2
+
+    bits = 0
+    if isinstance(dns[0], int) and dns[0] < 0:
+        bits = -dns.pop(0) - 1
+        #print((" " * lvl)+"qdcount(0): "+("yes" if bits & 1 else "no"))
+        #print((" " * lvl)+"ancount(1): "+("yes" if bits & 1<<1 else "no"))
+        #print((" " * lvl)+"nscount(2): "+("yes" if bits & 1<<2 else "no"))
+        #print((" " * lvl)+"arcount(3): "+("yes" if bits & 1<<3 else "no"))
+
+    if not bits:
+        if isinstance(dns[0], int):
+            bits = 0xff
+
+    if bits & 1:
+        if not isinstance(dns[0], int):
+            raise Exception("invalid dns.header.qdcount, expected int but got: {}".format(type(dns[0])))
+        dns.pop(0)
+        #print((" " * lvl)+"qdcount: {}".format(dns.pop(0)))
+    if bits & 1<<1:
+        if not isinstance(dns[0], int):
+            raise Exception("invalid dns.header.ancount, expected int but got: {}".format(type(dns[0])))
+        dns.pop(0)
+        #print((" " * lvl)+"ancount: {}".format(dns.pop(0)))
+    if bits & 1<<2:
+        if not isinstance(dns[0], int):
+            raise Exception("invalid dns.header.nscount, expected int but got: {}".format(type(dns[0])))
+        dns.pop(0)
+        #print((" " * lvl)+"nscount: {}".format(dns.pop(0)))
+    if bits & 1<<3:
+        if not isinstance(dns[0], int):
+            raise Exception("invalid dns.header.arcount, expected int but got: {}".format(type(dns[0])))
+        dns.pop(0)
+        #print((" " * lvl)+"arcount: {}".format(dns.pop(0)))
+
+    bits = 0
+    if isinstance(dns[0], CBORSimpleValue):
+        bits = dns.pop(0).value
+        #print((" " * lvl)+"questions  (0): "+("yes" if bits & 1 else "no"))
+        #print((" " * lvl)+"answers    (1): "+("yes" if bits & 1<<1 else "no"))
+        #print((" " * lvl)+"authorities(2): "+("yes" if bits & 1<<2 else "no"))
+        #print((" " * lvl)+"additionals(3): "+("yes" if bits & 1<<3 else "no"))
+
+    last.mlabel = []
+    rlabel = list(last.rlabel)
+    for n in range(4):
+        if len(dns) > n and isinstance(dns[n], list):
+            build_mlabel(dns[n])
+    last.rlabel = rlabel
+
+    if not bits:
+        if len(dns) > 3:
+            bits = 0xff
+        elif len(dns) > 0:
+            raise Exception("invalid dns.message rr's, expected none (0) or all (4) but got {}".format(len(dns)))
+
+    if bits & 1:
+        if not isinstance(dns[0], list):
+            raise Exception("invalid dns.message.questions, expected list but got: {}".format(type(dns[0])))
+        #print((" " * lvl)+"questions:")
+        parse_qrs(dns.pop(0), lvl+2)
+    if bits & 1<<1:
+        if not isinstance(dns[0], list):
+            raise Exception("invalid dns.message.answers, expected list but got: {}".format(type(dns[0])))
+        #print((" " * lvl)+"answers:")
+        parse_rrs(dns.pop(0), lvl+2)
+    if bits & 1<<2:
+        if not isinstance(dns[0], list):
+            raise Exception("invalid dns.message.authorities, expected list but got: {}".format(type(dns[0])))
+        #print((" " * lvl)+"authorities:")
+        parse_rrs(dns.pop(0), lvl+2)
+    if bits & 1<<3:
+        if not isinstance(dns[0], list):
+            raise Exception("invalid dns.message.additionals, expected list but got: {}".format(type(dns[0])))
+        #print((" " * lvl)+"additionals:")
+        parse_rrs(dns.pop(0), lvl+2)
+
+    if len(dns):
+        if isinstance(dns[0], bytes):
+            dns.pop(0)
+            #print((" " * lvl)+"malformed: "+"".join("{:02x}".format(byte) for byte in dns.pop(0)))
+        if len(dns):
+            raise Exception("invalid dns.message, garbage at end: {}".format(dns))
+
+def parse_ip_header(ip_header, lvl):
+    #print((" " * lvl)+"ip_header:")
+    lvl+=2
+
+    #print((" " * lvl)+"bits:")
+    lvl+=2
+    bits = ip_header.pop(0)
+    reverse = False
+    if isinstance(bits, int):
+        if bits < 0:
+            #print((" " * lvl)+"reverse: yes")
+            bits = -bits - 1
+            reverse = True
+        #print((" " * lvl)+"family   (0): "+("INET6" if bits & 1 else "INET"))
+        #print((" " * lvl)+"have_src (1): "+("yes" if bits & 1<<1 else "no"))
+        #print((" " * lvl)+"have_dest(2): "+("yes" if bits & 1<<2 else "no"))
+        #print((" " * lvl)+"have_port(3): "+("yes" if bits & 1<<3 else "no"))
+    else:
+        raise Exception("invalid ip_header.bits, expected int but got: {}".format(type(bits)))
+    lvl-=2
+
+    src_addr = None
+    dest_addr = None
+    src_port = None
+    dest_port = None
+
+    if bits & 1<<1:
+        src_addr = ip_header.pop(0)
+        if not isinstance(src_addr, bytes):
+            raise Exception("invalid ip_header.src_addr, expected bytes but got: {}".format(type(src_addr)))
+    else:
+        if reverse:
+            src_addr = last.dest_addr6 if bits & 1 else last.dest_addr4
+            if not src_addr:
+                raise Exception("invalid ip_header.bits, expected to have last dest addr but don't")
+        else:
+            src_addr = last.src_addr6 if bits & 1 else last.src_addr4
+            if not src_addr:
+                raise Exception("invalid ip_header.bits, expected to have last src addr but don't")
+
+    if bits & 1<<2:
+        dest_addr = ip_header.pop(0)
+        if not isinstance(dest_addr, bytes):
+            raise Exception("invalid ip_header.dest_addr, expected bytes but got: {}".format(type(dest_addr)))
+    else:
+        if reverse:
+            dest_addr = last.src_addr6 if bits & 1 else last.src_addr4
+            if not dest_addr:
+                raise Exception("invalid ip_header.bits, expected to have last src addr but don't")
+        else:
+            dest_addr = last.dest_addr6 if bits & 1 else last.dest_addr4
+            if not dest_addr:
+                raise Exception("invalid ip_header.bits, expected to have last dest addr but don't")
+
+    if bits & 1<<3:
+        ports = ip_header.pop(0)
+        if not isinstance(ports, int):
+            raise Exception("invalid ip_header.src_dest_port, expected int but got: {}".format(type(ports)))
+        if ports > 0xffff:
+            src_port = ports & 0xffff
+            dest_port = ports >> 16
+        elif ports < 0:
+            if reverse:
+                src_port = last.dest_port6 if bits & 1 else last.dest_port4
+                if src_port is None:
+                        raise Exception("invalid ip_header.bits, expected to have last dest port but don't")
+            else:
+                src_port = last.src_port6 if bits & 1 else last.src_port4
+                if src_port is None:
+                    raise Exception("invalid ip_header.bits, expected to have last src port but don't")
+            dest_port = -ports - 1
+        else:
+            src_port = ports
+            if reverse:
+                dest_port = last.src_port6 if bits & 1 else last.src_port4
+                if dest_port is None:
+                        raise Exception("invalid ip_header.bits, expected to have last src port but don't")
+            else:
+                dest_port = last.dest_port6 if bits & 1 else last.dest_port4
+                if dest_port is None:
+                        raise Exception("invalid ip_header.bits, expected to have last dest port but don't")
+    else:
+        if reverse:
+            src_port = last.dest_port6 if bits & 1 else last.dest_port4
+            if src_port is None:
+                    raise Exception("invalid ip_header.bits, expected to have last dest port but don't")
+        else:
+            src_port = last.src_port6 if bits & 1 else last.src_port4
+            if src_port is None:
+                raise Exception("invalid ip_header.bits, expected to have last src port but don't")
+        if reverse:
+            dest_port = last.src_port6 if bits & 1 else last.src_port4
+            if dest_port is None:
+                    raise Exception("invalid ip_header.bits, expected to have last src port but don't")
+        else:
+            dest_port = last.dest_port6 if bits & 1 else last.dest_port4
+            if dest_port is None:
+                    raise Exception("invalid ip_header.bits, expected to have last dest port but don't")
+
+    #print((" " * lvl)+" src addr: " + socket.inet_ntop(socket.AF_INET6 if bits & 1 else socket.AF_INET, src_addr))
+    #print((" " * lvl)+"dest addr: " + socket.inet_ntop(socket.AF_INET6 if bits & 1 else socket.AF_INET, dest_addr))
+    #print((" " * lvl)+" src port: {}".format(src_port))
+    #print((" " * lvl)+"dest port: {}".format(dest_port))
+
+    if bits & 1:
+        last.src_addr6 = src_addr
+        last.dest_addr6 = dest_addr
+        last.src_port6 = src_port
+        last.dest_port6 = dest_port
+    else:
+        last.src_addr4 = src_addr
+        last.dest_addr4 = dest_addr
+        last.src_port4 = src_port
+        last.dest_port4 = dest_port
+
+
+def parse_message_bits(bits, lvl):
+    #print((" " * lvl)+"message_bits:")
+    lvl+=2
+    dns = "no"
+    if isinstance(bits, int):
+        # if bits & 1:
+        #     dns = "yes"
+        # #print((" " * lvl)+"dns      (0): "+dns)
+        #
+        # if bits & 1<<1:
+        #     proto = "tcp"
+        # elif dns == "yes":
+        #     proto = "udp"
+        # else:
+        #     proto = "icmp"
+        # #print((" " * lvl)+"proto    (1): "+proto)
+        #
+        # if bits & 1<<2:
+        #     frag = "yes"
+        # else:
+        #     frag = "no"
+        # #print((" " * lvl)+"frag     (2): "+frag)
+        #
+        # if bits & 1<<3:
+        #     malformed = "yes"
+        # else:
+        #     malformed = "no"
+        # #print((" " * lvl)+"malformed(3): "+malformed)
+        pass
+
+    else:
+        raise Exception("invalid message_bits, expected int but got: {}".format(type(bits)))
+
+    return 1 if dns == "yes" else 0
+
+def parse_timestamp(ts, lvl):
+    #print((" " * lvl)+"timestamp:")
+    lvl+=2
+
+    if isinstance(ts, list):
+        if ts[0] < 0:
+            if not last.ts:
+                raise Exception("invalid timestamp.seconds, got diff from last value but have no last value")
+            if not len(last.ts) == len(ts):
+                raise Exception("invalid timestamp.seconds, differentialy precision missmatch")
+
+            ts[0] = last.ts[0] + ( -ts[0] - 1 )
+            #print((" " * lvl)+"seconds: {}".format(ts[0]))
+
+            if len(ts) > 1:
+                ts[1] = last.ts[1] + ts[1]
+                #print((" " * lvl)+"useconds: {}".format(ts[1]))
+            if len(ts) > 2:
+                ts[2] = last.ts[2] + ts[2]
+                #print((" " * lvl)+"nseconds: {}".format(ts[2]))
+        else:
+            #print((" " * lvl)+"seconds: {}".format(ts[0]))
+            if len(ts) > 1:
+                #print((" " * lvl)+"useconds: {}".format(ts[1]))
+                pass
+            if len(ts) > 2:
+                #print((" " * lvl)+"nseconds: {}".format(ts[2]))
+                pass
+        last.ts = ts
+
+    elif isinstance(ts, int):
+        #print((" " * lvl)+"seconds: {}".format(ts))
+        pass
+    else:
+        raise Exception("invalid timestamp, expected list|int but got: {}".format(type(ts)))
+
+def parse(cds):
+    #print("paket:")
+    try:
+        parse_timestamp(cds.pop(0), 2)
+        is_dns = parse_message_bits(cds.pop(0), 2)
+        parse_ip_header(cds, 2)
+        if not is_dns:
+            raise Exception("not dns? huh?")
+        parse_dns_message(cds, 2)
+    except IndexError as idx:
+        if not str(idx) == "pop from empty list":
+            raise
+        #print("  ...")
+    except:
+        raise
+
+def main():
+    usage = '%prog [-v] [-h] <cds file...>'
+    parser = optparse.OptionParser(usage, version='%prog 0.01')
+    parser.add_option('-v', '--verbose', action='store_true', dest='verbose',
+                      help='turn verbose mode on')
+
+    (options, args) = parser.parse_args()
+
+    if options.verbose == True:
+        log.setLevel(logging.DEBUG)
+        log.debug('argv: %s', sys.argv)
+        log.debug('options: %s', options)
+        log.debug('args: %s', args)
+    else:
+        log.setLevel(logging.WARNING)
+
+    if not args:
+        parser.print_usage()
+        exit(1)
+
+    decoder = CBORDecoder()
+    # if https://github.com/agronholm/cbor2/pull/5 is not merged/released yet
+    if 0 not in decoder.special_decoders:
+        decoder.special_decoders[0] = lambda self, fp, shareable_index=None: SimpleValue(0)
+        decoder.special_decoders[1] = lambda self, fp, shareable_index=None: SimpleValue(1)
+        decoder.special_decoders[2] = lambda self, fp, shareable_index=None: SimpleValue(2)
+        decoder.special_decoders[3] = lambda self, fp, shareable_index=None: SimpleValue(3)
+        decoder.special_decoders[4] = lambda self, fp, shareable_index=None: SimpleValue(4)
+        decoder.special_decoders[5] = lambda self, fp, shareable_index=None: SimpleValue(5)
+        decoder.special_decoders[6] = lambda self, fp, shareable_index=None: SimpleValue(6)
+        decoder.special_decoders[7] = lambda self, fp, shareable_index=None: SimpleValue(7)
+        decoder.special_decoders[8] = lambda self, fp, shareable_index=None: SimpleValue(8)
+        decoder.special_decoders[9] = lambda self, fp, shareable_index=None: SimpleValue(9)
+        decoder.special_decoders[10] = lambda self, fp, shareable_index=None: SimpleValue(10)
+        decoder.special_decoders[11] = lambda self, fp, shareable_index=None: SimpleValue(11)
+        decoder.special_decoders[12] = lambda self, fp, shareable_index=None: SimpleValue(12)
+        decoder.special_decoders[13] = lambda self, fp, shareable_index=None: SimpleValue(13)
+        decoder.special_decoders[14] = lambda self, fp, shareable_index=None: SimpleValue(14)
+        decoder.special_decoders[15] = lambda self, fp, shareable_index=None: SimpleValue(15)
+        decoder.special_decoders[16] = lambda self, fp, shareable_index=None: SimpleValue(16)
+        decoder.special_decoders[17] = lambda self, fp, shareable_index=None: SimpleValue(17)
+        decoder.special_decoders[18] = lambda self, fp, shareable_index=None: SimpleValue(18)
+        decoder.special_decoders[19] = lambda self, fp, shareable_index=None: SimpleValue(19)
+        decoder.special_decoders[24] = decode_simple_value
+
+    version = None
+
+    for f in args:
+        log.debug('file: %s', f)
+        with open(f, 'rb') as fp:
+            obj = None
+            try:
+                obj = decoder.decode(fp)
+            except Exception as e:
+                if e.__str__().find("index out of range") == -1:
+                    raise
+            if not isinstance(obj, list):
+                raise Exception("Invalid element, expected an array but found: {}".format(type(obj)))
+
+            version = obj.pop(0)
+            if version != "CDSv1":
+                raise Exception("Invalid version, expected CDSv1 but got: {}".format(version))
+
+            while len(obj):
+                opt = obj.pop(0)
+                if not isinstance(opt, int):
+                    raise Exception("Invalid option, expected int but got: {}".format(type(opt)))
+                if opt == 0:
+                    MAX_RLABELS = obj.pop(0)
+                    if not isinstance(MAX_RLABELS, int) or MAX_RLABELS < 1:
+                        raise Exception("Invalid option for maximum rlabels, got: {}".format(MAX_RLABELS))
+                    log.debug("Using maximum rlabels {}".format(MAX_RLABELS))
+                elif opt == 1:
+                    MIN_RLABEL_SIZE = obj.pop(0)
+                    if not isinstance(MIN_RLABEL_SIZE, int) or MIN_RLABEL_SIZE < 1:
+                        raise Exception("Invalid option for minimum rlabel size, got: {}".format(MIN_RLABEL_SIZE))
+                    log.debug("Using minimum rlabel size {}".format(MIN_RLABEL_SIZE))
+                else:
+                    raise Exception("Unknown option: {}".format(opt))
+
+            while True:
+                obj = None
+                try:
+                    obj = decoder.decode(fp)
+                except Exception as e:
+                    if e.__str__().find("index out of range") == -1:
+                        raise
+                if obj is None:
+                    break
+                if not isinstance(obj, list):
+                    raise Exception("Invalid element, expected an array but found: {}".format(type(obj)))
+                parse(obj)
+
+            log.debug("unique labels: {} parts: {} rdata: {}".format(len(last.labels), len(last.label_parts), len(last.rdata)))
+
+            n = 0
+            e = 0
+            for l in last.labels:
+#                print("{}: {}".format(l, last.labels[l]))
+                if last.labels[l] > 1:
+                    n += last.label_len[l] * ( last.labels[l] - 1 )
+                    e += 2 * ( last.labels[l] - 1 )
+            log.debug("reduce labels: {} - {}".format(n, e))
+
+            n = 0
+            e = 0
+            for l in last.label_parts:
+#                print("{}: {}".format(l, last.label_parts[l]))
+                if last.label_parts[l] > 1:
+                    n += last.label_part_len[l] * ( last.label_parts[l] - 1 )
+                    e += 2 * ( last.label_parts[l] - 1 )
+            log.debug("reduce label parts: {} - {}".format(n, e))
+
+            n = 0
+            e = 0
+            for l in last.rdata:
+                if last.rdata[l] > 1:
+                    n += last.rdata_len[l] * ( last.rdata[l] - 1 )
+                    e += 2 * ( last.rdata[l] - 1 )
+#                    print("{}: {}".format(l, last.rdata[l]))
+            log.debug("reduce rdata: {} - {}".format(n, e))
+
+            last.reset()
+
+if __name__ == '__main__':
+    main()
diff --git a/fmt.sh b/fmt.sh
new file mode 100755
index 0000000..8161539
--- /dev/null
+++ b/fmt.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+clang-format \
+    -style=file \
+    -i \
+    src/*.c \
+    src/*.h \
+    `find plugins -type f -name '*.c'` \
+    `find plugins -type f -name '*.h'`
diff --git a/isc/assertions.h b/isc/assertions.h
new file mode 100644
index 0000000..68925e7
--- /dev/null
+++ b/isc/assertions.h
@@ -0,0 +1,123 @@
+/*
+ * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1997-2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: assertions.h,v 1.5 2008/11/14 02:36:51 marka Exp $
+ */
+
+#ifndef ASSERTIONS_H
+#define ASSERTIONS_H		1
+
+typedef enum {
+	assert_require, assert_ensure, assert_insist, assert_invariant
+} assertion_type;
+
+typedef void (*assertion_failure_callback)(const char *, int, assertion_type,
+					   const char *, int);
+
+/* coverity[+kill] */
+extern assertion_failure_callback __assertion_failed;
+void set_assertion_failure_callback(assertion_failure_callback f);
+const char *assertion_type_to_text(assertion_type type);
+
+#if defined(CHECK_ALL) || defined(__COVERITY__)
+#define CHECK_REQUIRE		1
+#define CHECK_ENSURE		1
+#define CHECK_INSIST		1
+#define CHECK_INVARIANT		1
+#endif
+
+#if defined(CHECK_NONE) && !defined(__COVERITY__)
+#define CHECK_REQUIRE		0
+#define CHECK_ENSURE		0
+#define CHECK_INSIST		0
+#define CHECK_INVARIANT		0
+#endif
+
+#ifndef CHECK_REQUIRE
+#define CHECK_REQUIRE		1
+#endif
+
+#ifndef CHECK_ENSURE
+#define CHECK_ENSURE		1
+#endif
+
+#ifndef CHECK_INSIST
+#define CHECK_INSIST		1
+#endif
+
+#ifndef CHECK_INVARIANT
+#define CHECK_INVARIANT		1
+#endif
+
+#if CHECK_REQUIRE != 0
+#define REQUIRE(cond) \
+	((void) ((cond) || \
+		 ((__assertion_failed)(__FILE__, __LINE__, assert_require, \
+				       #cond, 0), 0)))
+#define REQUIRE_ERR(cond) \
+	((void) ((cond) || \
+		 ((__assertion_failed)(__FILE__, __LINE__, assert_require, \
+				       #cond, 1), 0)))
+#else
+#define REQUIRE(cond)		((void) (cond))
+#define REQUIRE_ERR(cond)	((void) (cond))
+#endif /* CHECK_REQUIRE */
+
+#if CHECK_ENSURE != 0
+#define ENSURE(cond) \
+	((void) ((cond) || \
+		 ((__assertion_failed)(__FILE__, __LINE__, assert_ensure, \
+				       #cond, 0), 0)))
+#define ENSURE_ERR(cond) \
+	((void) ((cond) || \
+		 ((__assertion_failed)(__FILE__, __LINE__, assert_ensure, \
+				       #cond, 1), 0)))
+#else
+#define ENSURE(cond)		((void) (cond))
+#define ENSURE_ERR(cond)	((void) (cond))
+#endif /* CHECK_ENSURE */
+
+#if CHECK_INSIST != 0
+#define INSIST(cond) \
+	((void) ((cond) || \
+		 ((__assertion_failed)(__FILE__, __LINE__, assert_insist, \
+				       #cond, 0), 0)))
+#define INSIST_ERR(cond) \
+	((void) ((cond) || \
+		 ((__assertion_failed)(__FILE__, __LINE__, assert_insist, \
+				       #cond, 1), 0)))
+#else
+#define INSIST(cond)		((void) (cond))
+#define INSIST_ERR(cond)	((void) (cond))
+#endif /* CHECK_INSIST */
+
+#if CHECK_INVARIANT != 0
+#define INVARIANT(cond) \
+	((void) ((cond) || \
+		 ((__assertion_failed)(__FILE__, __LINE__, assert_invariant, \
+				       #cond, 0), 0)))
+#define INVARIANT_ERR(cond) \
+	((void) ((cond) || \
+		 ((__assertion_failed)(__FILE__, __LINE__, assert_invariant, \
+				       #cond, 1), 0)))
+#else
+#define INVARIANT(cond)		((void) (cond))
+#define INVARIANT_ERR(cond)	((void) (cond))
+#endif /* CHECK_INVARIANT */
+#endif /* ASSERTIONS_H */
+/*! \file */
diff --git a/isc/list.h b/isc/list.h
new file mode 100644
index 0000000..c5ac35f
--- /dev/null
+++ b/isc/list.h
@@ -0,0 +1,117 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1997,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef LIST_H
+#define LIST_H 1
+
+#define LIST(type) struct { type *head, *tail; }
+#define INIT_LIST(list) \
+	do { (list).head = NULL; (list).tail = NULL; } while (0)
+
+#define LINK(type) struct { type *prev, *next; }
+#define INIT_LINK_TYPE(elt, link, type) \
+	do { \
+		(elt)->link.prev = (type *)(-1); \
+		(elt)->link.next = (type *)(-1); \
+	} while (0)
+#define INIT_LINK(elt, link) \
+	INIT_LINK_TYPE(elt, link, void)
+#define LINKED(elt, link) ((void *)((elt)->link.prev) != (void *)(-1) && \
+			   (void *)((elt)->link.next) != (void *)(-1))
+
+#define HEAD(list) ((list).head)
+#define TAIL(list) ((list).tail)
+#define EMPTY(list) ((list).head == NULL)
+
+#define PREPEND(list, elt, link) \
+	do { \
+		INSIST(!LINKED(elt, link));\
+		if ((list).head != NULL) \
+			(list).head->link.prev = (elt); \
+		else \
+			(list).tail = (elt); \
+		(elt)->link.prev = NULL; \
+		(elt)->link.next = (list).head; \
+		(list).head = (elt); \
+	} while (0)
+
+#define APPEND(list, elt, link) \
+	do { \
+		INSIST(!LINKED(elt, link));\
+		if ((list).tail != NULL) \
+			(list).tail->link.next = (elt); \
+		else \
+			(list).head = (elt); \
+		(elt)->link.prev = (list).tail; \
+		(elt)->link.next = NULL; \
+		(list).tail = (elt); \
+	} while (0)
+
+#define UNLINK_TYPE(list, elt, link, type) \
+	do { \
+		INSIST(LINKED(elt, link));\
+		if ((elt)->link.next != NULL) \
+			(elt)->link.next->link.prev = (elt)->link.prev; \
+		else { \
+			INSIST((list).tail == (elt)); \
+			(list).tail = (elt)->link.prev; \
+		} \
+		if ((elt)->link.prev != NULL) \
+			(elt)->link.prev->link.next = (elt)->link.next; \
+		else { \
+			INSIST((list).head == (elt)); \
+			(list).head = (elt)->link.next; \
+		} \
+		INIT_LINK_TYPE(elt, link, type); \
+	} while (0)
+#define UNLINK(list, elt, link) \
+	UNLINK_TYPE(list, elt, link, void)
+
+#define PREV(elt, link) ((elt)->link.prev)
+#define NEXT(elt, link) ((elt)->link.next)
+
+#define INSERT_BEFORE(list, before, elt, link) \
+	do { \
+		INSIST(!LINKED(elt, link));\
+		if ((before)->link.prev == NULL) \
+			PREPEND(list, elt, link); \
+		else { \
+			(elt)->link.prev = (before)->link.prev; \
+			(before)->link.prev = (elt); \
+			(elt)->link.prev->link.next = (elt); \
+			(elt)->link.next = (before); \
+		} \
+	} while (0)
+
+#define INSERT_AFTER(list, after, elt, link) \
+	do { \
+		INSIST(!LINKED(elt, link));\
+		if ((after)->link.next == NULL) \
+			APPEND(list, elt, link); \
+		else { \
+			(elt)->link.next = (after)->link.next; \
+			(after)->link.next = (elt); \
+			(elt)->link.next->link.prev = (elt); \
+			(elt)->link.prev = (after); \
+		} \
+	} while (0)
+
+#define ENQUEUE(list, elt, link) APPEND(list, elt, link)
+#define DEQUEUE(list, elt, link) UNLINK(list, elt, link)
+
+#endif /* LIST_H */
+/*! \file */
diff --git a/m4/.placeholder b/m4/.placeholder
new file mode 100644
index 0000000..e69de29
diff --git a/m4/ax_append_flag.m4 b/m4/ax_append_flag.m4
new file mode 100644
index 0000000..dd6d8b6
--- /dev/null
+++ b/m4/ax_append_flag.m4
@@ -0,0 +1,50 @@
+# ===========================================================================
+#      https://www.gnu.org/software/autoconf-archive/ax_append_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_APPEND_FLAG(FLAG, [FLAGS-VARIABLE])
+#
+# DESCRIPTION
+#
+#   FLAG is appended to the FLAGS-VARIABLE shell variable, with a space
+#   added in between.
+#
+#   If FLAGS-VARIABLE is not specified, the current language's flags (e.g.
+#   CFLAGS) is used.  FLAGS-VARIABLE is not changed if it already contains
+#   FLAG.  If FLAGS-VARIABLE is unset in the shell, it is set to exactly
+#   FLAG.
+#
+#   NOTE: Implementation based on AX_CFLAGS_GCC_OPTION.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+#   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved.  This file is offered as-is, without any
+#   warranty.
+
+#serial 8
+
+AC_DEFUN([AX_APPEND_FLAG],
+[dnl
+AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_SET_IF
+AS_VAR_PUSHDEF([FLAGS], [m4_default($2,_AC_LANG_PREFIX[FLAGS])])
+AS_VAR_SET_IF(FLAGS,[
+  AS_CASE([" AS_VAR_GET(FLAGS) "],
+    [*" $1 "*], [AC_RUN_LOG([: FLAGS already contains $1])],
+    [
+     AS_VAR_APPEND(FLAGS,[" $1"])
+     AC_RUN_LOG([: FLAGS="$FLAGS"])
+    ])
+  ],
+  [
+  AS_VAR_SET(FLAGS,[$1])
+  AC_RUN_LOG([: FLAGS="$FLAGS"])
+  ])
+AS_VAR_POPDEF([FLAGS])dnl
+])dnl AX_APPEND_FLAG
diff --git a/m4/ax_cflags_warn_all.m4 b/m4/ax_cflags_warn_all.m4
new file mode 100644
index 0000000..094577e
--- /dev/null
+++ b/m4/ax_cflags_warn_all.m4
@@ -0,0 +1,122 @@
+# ===========================================================================
+#    https://www.gnu.org/software/autoconf-archive/ax_cflags_warn_all.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_CFLAGS_WARN_ALL   [(shellvar [,default, [A/NA]])]
+#   AX_CXXFLAGS_WARN_ALL [(shellvar [,default, [A/NA]])]
+#   AX_FCFLAGS_WARN_ALL  [(shellvar [,default, [A/NA]])]
+#
+# DESCRIPTION
+#
+#   Try to find a compiler option that enables most reasonable warnings.
+#
+#   For the GNU compiler it will be -Wall (and -ansi -pedantic) The result
+#   is added to the shellvar being CFLAGS, CXXFLAGS, or FCFLAGS by default.
+#
+#   Currently this macro knows about the GCC, Solaris, Digital Unix, AIX,
+#   HP-UX, IRIX, NEC SX-5 (Super-UX 10), Cray J90 (Unicos 10.0.0.8), and
+#   Intel compilers.  For a given compiler, the Fortran flags are much more
+#   experimental than their C equivalents.
+#
+#    - $1 shell-variable-to-add-to : CFLAGS, CXXFLAGS, or FCFLAGS
+#    - $2 add-value-if-not-found : nothing
+#    - $3 action-if-found : add value to shellvariable
+#    - $4 action-if-not-found : nothing
+#
+#   NOTE: These macros depend on AX_APPEND_FLAG.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+#   Copyright (c) 2010 Rhys Ulerich <rhys.ulerich@gmail.com>
+#
+#   This program is free software; you can redistribute it and/or modify it
+#   under the terms of the GNU General Public License as published by the
+#   Free Software Foundation; either version 3 of the License, or (at your
+#   option) any later version.
+#
+#   This program is distributed in the hope that it will be useful, but
+#   WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+#   Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License along
+#   with this program. If not, see <https://www.gnu.org/licenses/>.
+#
+#   As a special exception, the respective Autoconf Macro's copyright owner
+#   gives unlimited permission to copy, distribute and modify the configure
+#   scripts that are the output of Autoconf when processing the Macro. You
+#   need not follow the terms of the GNU General Public License when using
+#   or distributing such scripts, even though portions of the text of the
+#   Macro appear in them. The GNU General Public License (GPL) does govern
+#   all other use of the material that constitutes the Autoconf Macro.
+#
+#   This special exception to the GPL applies to versions of the Autoconf
+#   Macro released by the Autoconf Archive. When you make and distribute a
+#   modified version of the Autoconf Macro, you may extend this special
+#   exception to the GPL to apply to your modified version as well.
+
+#serial 16
+
+AC_DEFUN([AX_FLAGS_WARN_ALL],[dnl
+AS_VAR_PUSHDEF([FLAGS],[_AC_LANG_PREFIX[]FLAGS])dnl
+AS_VAR_PUSHDEF([VAR],[ac_cv_[]_AC_LANG_ABBREV[]flags_warn_all])dnl
+AC_CACHE_CHECK([m4_ifval($1,$1,FLAGS) for maximum warnings],
+VAR,[VAR="no, unknown"
+ac_save_[]FLAGS="$[]FLAGS"
+for ac_arg dnl
+in "-warn all  % -warn all"   dnl Intel
+   "-pedantic  % -Wall"       dnl GCC
+   "-xstrconst % -v"          dnl Solaris C
+   "-std1      % -verbose -w0 -warnprotos" dnl Digital Unix
+   "-qlanglvl=ansi % -qsrcmsg -qinfo=all:noppt:noppc:noobs:nocnd" dnl AIX
+   "-ansi -ansiE % -fullwarn" dnl IRIX
+   "+ESlit     % +w1"         dnl HP-UX C
+   "-Xc        % -pvctl[,]fullmsg" dnl NEC SX-5 (Super-UX 10)
+   "-h conform % -h msglevel 2" dnl Cray C (Unicos)
+   #
+do FLAGS="$ac_save_[]FLAGS "`echo $ac_arg | sed -e 's,%%.*,,' -e 's,%,,'`
+   AC_COMPILE_IFELSE([AC_LANG_PROGRAM],
+                     [VAR=`echo $ac_arg | sed -e 's,.*% *,,'` ; break])
+done
+FLAGS="$ac_save_[]FLAGS"
+])
+AS_VAR_POPDEF([FLAGS])dnl
+AX_REQUIRE_DEFINED([AX_APPEND_FLAG])
+case ".$VAR" in
+     .ok|.ok,*) m4_ifvaln($3,$3) ;;
+   .|.no|.no,*) m4_default($4,[m4_ifval($2,[AX_APPEND_FLAG([$2], [$1])])]) ;;
+   *) m4_default($3,[AX_APPEND_FLAG([$VAR], [$1])]) ;;
+esac
+AS_VAR_POPDEF([VAR])dnl
+])dnl AX_FLAGS_WARN_ALL
+dnl  implementation tactics:
+dnl   the for-argument contains a list of options. The first part of
+dnl   these does only exist to detect the compiler - usually it is
+dnl   a global option to enable -ansi or -extrawarnings. All other
+dnl   compilers will fail about it. That was needed since a lot of
+dnl   compilers will give false positives for some option-syntax
+dnl   like -Woption or -Xoption as they think of it is a pass-through
+dnl   to later compile stages or something. The "%" is used as a
+dnl   delimiter. A non-option comment can be given after "%%" marks
+dnl   which will be shown but not added to the respective C/CXXFLAGS.
+
+AC_DEFUN([AX_CFLAGS_WARN_ALL],[dnl
+AC_LANG_PUSH([C])
+AX_FLAGS_WARN_ALL([$1], [$2], [$3], [$4])
+AC_LANG_POP([C])
+])
+
+AC_DEFUN([AX_CXXFLAGS_WARN_ALL],[dnl
+AC_LANG_PUSH([C++])
+AX_FLAGS_WARN_ALL([$1], [$2], [$3], [$4])
+AC_LANG_POP([C++])
+])
+
+AC_DEFUN([AX_FCFLAGS_WARN_ALL],[dnl
+AC_LANG_PUSH([Fortran])
+AX_FLAGS_WARN_ALL([$1], [$2], [$3], [$4])
+AC_LANG_POP([Fortran])
+])
diff --git a/m4/ax_require_defined.m4 b/m4/ax_require_defined.m4
new file mode 100644
index 0000000..17c3eab
--- /dev/null
+++ b/m4/ax_require_defined.m4
@@ -0,0 +1,37 @@
+# ===========================================================================
+#    https://www.gnu.org/software/autoconf-archive/ax_require_defined.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_REQUIRE_DEFINED(MACRO)
+#
+# DESCRIPTION
+#
+#   AX_REQUIRE_DEFINED is a simple helper for making sure other macros have
+#   been defined and thus are available for use.  This avoids random issues
+#   where a macro isn't expanded.  Instead the configure script emits a
+#   non-fatal:
+#
+#     ./configure: line 1673: AX_CFLAGS_WARN_ALL: command not found
+#
+#   It's like AC_REQUIRE except it doesn't expand the required macro.
+#
+#   Here's an example:
+#
+#     AX_REQUIRE_DEFINED([AX_CHECK_LINK_FLAG])
+#
+# LICENSE
+#
+#   Copyright (c) 2014 Mike Frysinger <vapier@gentoo.org>
+#
+#   Copying and distribution of this file, with or without modification, are
+#   permitted in any medium without royalty provided the copyright notice
+#   and this notice are preserved. This file is offered as-is, without any
+#   warranty.
+
+#serial 2
+
+AC_DEFUN([AX_REQUIRE_DEFINED], [dnl
+  m4_ifndef([$1], [m4_fatal([macro ]$1[ is not defined; is a m4 file missing?])])
+])dnl AX_REQUIRE_DEFINED
diff --git a/m4/dl.sh b/m4/dl.sh
new file mode 100755
index 0000000..6f12c04
--- /dev/null
+++ b/m4/dl.sh
@@ -0,0 +1,8 @@
+#!/bin/sh -e
+
+m4_files="ax_append_flag.m4 ax_cflags_warn_all.m4 ax_require_defined.m4"
+
+for ax in $m4_files; do
+  rm -f "$ax"
+  wget -O "$ax" "http://git.savannah.gnu.org/gitweb/?p=autoconf-archive.git;a=blob_plain;f=m4/$ax"
+done
diff --git a/plugins/Makefile.am b/plugins/Makefile.am
new file mode 100644
index 0000000..7a6880c
--- /dev/null
+++ b/plugins/Makefile.am
@@ -0,0 +1,6 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+
+SUBDIRS = pcapdump rssm txtout rzkeychange royparse anonmask ipcrypt \
+  anonaes128 cryptopan cryptopant eventlog
+
+EXTRA_DIST = template
diff --git a/plugins/anonaes128/Makefile.am b/plugins/anonaes128/Makefile.am
new file mode 100644
index 0000000..2e9df57
--- /dev/null
+++ b/plugins/anonaes128/Makefile.am
@@ -0,0 +1,24 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS) $(libcrypto_CFLAGS)
+
+pkglib_LTLIBRARIES = anonaes128.la
+anonaes128_la_SOURCES = anonaes128.c
+anonaes128_la_LDFLAGS = -module -avoid-version $(libcrypto_LIBS)
+
+TESTS = test1.sh test2.sh test3.sh test4.sh
+
+EXTRA_DIST = $(TESTS) test1.gold test2.gold test3.gold
+CLEANFILES += test1.out test2.out test3.out test3.pcap.20181127.155200.414188 \
+  test4.tmp
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(anonaes128_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif
diff --git a/plugins/anonaes128/anonaes128.c b/plugins/anonaes128/anonaes128.c
new file mode 100644
index 0000000..340bb71
--- /dev/null
+++ b/plugins/anonaes128/anonaes128.c
@@ -0,0 +1,344 @@
+/*
+ * Copyright (c) 2018-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include "dnscap_common.h"
+
+#if defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_CONF_H) && defined(HAVE_OPENSSL_ERR_H) && defined(HAVE_OPENSSL_EVP_H)
+#include <openssl/conf.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#define USE_OPENSSL 1
+#endif
+
+static set_iaddr_t anonaes128_set_iaddr = 0;
+
+static logerr_t*     logerr;
+static int           only_clients = 0, only_servers = 0, dns_port = 53, encrypt_v4 = 0, decrypt = 0;
+static unsigned char key[16];
+static unsigned char iv[16];
+#ifdef USE_OPENSSL
+static EVP_CIPHER_CTX* ctx = 0;
+#endif
+
+enum plugin_type anonaes128_type()
+{
+    return plugin_filter;
+}
+
+void usage(const char* msg)
+{
+    fprintf(stderr, "anonaes128.so usage error: %s\n", msg);
+    exit(1);
+}
+
+void anonaes128_usage()
+{
+    fprintf(stderr,
+        "\nanonaes128.so options:\n"
+        "\t-?            print these instructions and exit\n"
+        "\t-k <key>      A 16 character long key\n"
+        "\t-K <file>     Read the 16 first bytes from file and use as key\n"
+        "\t-i <key>      A 16 character long Initialisation Vector (IV)\n"
+        "\t-I <file>     Read the 16 first bytes from file and use as IV\n"
+        "\t-D            Decrypt IPv6 addresses\n"
+        "\t-c            Only en/de-crypt clients (port != 53)\n"
+        "\t-s            Only en/de-crypt servers (port == 53)\n"
+        "\t-p <port>     Set port for -c/-s, default 53\n"
+        "\t-4            Encrypt IPv4 addresses, not default or recommended\n");
+}
+
+void anonaes128_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_SET_IADDR:
+        anonaes128_set_iaddr = (set_iaddr_t)arg;
+        break;
+    }
+}
+
+void anonaes128_getopt(int* argc, char** argv[])
+{
+    int           c, got_key = 0, got_iv = 0;
+    unsigned long ul;
+    char*         p;
+
+    while ((c = getopt(*argc, *argv, "?k:K:i:I:Dcsp:4")) != EOF) {
+        switch (c) {
+        case 'k':
+            if (strlen(optarg) != 16) {
+                usage("key must be 16 characters long");
+            }
+            memcpy(key, optarg, 16);
+            got_key = 1;
+            break;
+        case 'K': {
+            int     fd;
+            ssize_t r;
+            if ((fd = open(optarg, O_RDONLY)) < 0) {
+                perror("open()");
+                usage("unable to open key file");
+            }
+            if ((r = read(fd, key, 16)) < 0) {
+                perror("read()");
+                usage("unable to read from key file");
+            }
+            if (r != 16) {
+                usage("unable to read 16 bytes from key file");
+            }
+            close(fd);
+            got_key = 1;
+            break;
+        }
+        case 'i':
+            if (strlen(optarg) != 16) {
+                usage("IV must be 16 characters long");
+            }
+            memcpy(iv, optarg, 16);
+            got_iv = 1;
+            break;
+        case 'I': {
+            int     fd;
+            ssize_t r;
+            if ((fd = open(optarg, O_RDONLY)) < 0) {
+                perror("open()");
+                usage("unable to open IV file");
+            }
+            if ((r = read(fd, iv, 16)) < 0) {
+                perror("read()");
+                usage("unable to read from IV file");
+            }
+            if (r != 16) {
+                usage("unable to read 16 bytes from IV file");
+            }
+            close(fd);
+            got_iv = 1;
+            break;
+        }
+        case 'D':
+            decrypt = 1;
+            break;
+        case 'c':
+            only_clients = 1;
+            break;
+        case 's':
+            only_servers = 1;
+            break;
+        case 'p':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul < 1U || ul > 65535U)
+                usage("port must be an integer 1..65535");
+            dns_port = (unsigned)ul;
+            break;
+        case '4':
+            encrypt_v4 = 1;
+            break;
+        case '?':
+            anonaes128_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+
+    if (!got_key || !got_iv) {
+        usage("must have key (-k/-K) and IV (-i/-I)");
+    }
+    if (decrypt && encrypt_v4) {
+        usage("decryption (-D) can not be done for IPv4 addresses (-4)");
+    }
+
+#ifdef USE_OPENSSL
+    if (!(ctx = EVP_CIPHER_CTX_new())) {
+        usage("unable to create openssl cipher context");
+    }
+    if (!EVP_CipherInit_ex(ctx, EVP_aes_128_ecb(), NULL, key, iv, decrypt ? 0 : 1)) {
+        unsigned long e = ERR_get_error();
+        fprintf(stderr, "%s:%s:%s", ERR_lib_error_string(e), ERR_func_error_string(e), ERR_reason_error_string(e));
+        usage("unable to initialize AES128 cipher");
+    }
+    EVP_CIPHER_CTX_set_padding(ctx, 0);
+#else
+    usage("no openssl support built in, can't encrypt IP addresses");
+#endif
+
+    if (only_clients && only_servers) {
+        usage("-c and -s options are mutually exclusive");
+    }
+}
+
+int anonaes128_start(logerr_t* a_logerr)
+{
+    logerr = a_logerr;
+    return 0;
+}
+
+void anonaes128_stop()
+{
+#ifdef USE_OPENSSL
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = 0;
+#endif
+}
+
+int anonaes128_open(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int anonaes128_close(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int anonaes128_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen,
+    const u_char* payload, const unsigned payloadlen)
+{
+#ifdef USE_OPENSSL
+    unsigned char outbuf[16 + EVP_MAX_BLOCK_LENGTH];
+    int           outlen = 0;
+
+    for (;;) {
+        if (only_clients && sport == dns_port) {
+            from = 0;
+            break;
+        }
+        if (only_servers && sport != dns_port) {
+            from = 0;
+            break;
+        }
+
+        switch (from->af) {
+        case AF_INET6:
+            if (!EVP_CipherUpdate(ctx, outbuf, &outlen, (unsigned char*)&from->u.a6, 16)) {
+                logerr("anonaes128.so: error en/de-crypting IP address: %s", ERR_reason_error_string(ERR_get_error()));
+                exit(1);
+            }
+            if (outlen != 16) {
+                logerr("anonaes128.so: error en/de-crypted output is not 16 bytes");
+                exit(1);
+            }
+            memcpy(&from->u.a6, outbuf, 16);
+            break;
+        case AF_INET:
+            if (encrypt_v4) {
+                memcpy(((uint8_t*)&from->u.a6) + 4, &from->u.a4, 4);
+                memcpy(((uint8_t*)&from->u.a6) + 8, &from->u.a4, 4);
+                memcpy(((uint8_t*)&from->u.a6) + 12, &from->u.a4, 4);
+
+                if (!EVP_CipherUpdate(ctx, outbuf, &outlen, (unsigned char*)&from->u.a6, 16)) {
+                    logerr("anonaes128.so: error en/de-crypting IP address: %s", ERR_reason_error_string(ERR_get_error()));
+                    exit(1);
+                }
+                if (outlen != 16) {
+                    logerr("anonaes128.so: error en/de-crypted output is not 16 bytes");
+                    exit(1);
+                }
+                memcpy(&from->u.a4, outbuf, 4);
+                break;
+            }
+        default:
+            from = 0;
+            break;
+        }
+        break;
+    }
+
+    for (;;) {
+        if (only_clients && dport == dns_port) {
+            to = 0;
+            break;
+        }
+        if (only_servers && dport != dns_port) {
+            to = 0;
+            break;
+        }
+
+        switch (to->af) {
+        case AF_INET6:
+            if (!EVP_CipherUpdate(ctx, outbuf, &outlen, (unsigned char*)&to->u.a6, 16)) {
+                logerr("anonaes128.so: error en/de-crypting IP address: %s", ERR_reason_error_string(ERR_get_error()));
+                exit(1);
+            }
+            if (outlen != 16) {
+                logerr("anonaes128.so: error en/de-crypted output is not 16 bytes");
+                exit(1);
+            }
+            memcpy(&to->u.a6, outbuf, 16);
+            break;
+        case AF_INET:
+            if (encrypt_v4) {
+                memcpy(((uint8_t*)&to->u.a6) + 4, &to->u.a4, 4);
+                memcpy(((uint8_t*)&to->u.a6) + 8, &to->u.a4, 4);
+                memcpy(((uint8_t*)&to->u.a6) + 12, &to->u.a4, 4);
+
+                if (!EVP_CipherUpdate(ctx, outbuf, &outlen, (unsigned char*)&to->u.a6, 16)) {
+                    logerr("anonaes128.so: error en/de-crypting IP address: %s", ERR_reason_error_string(ERR_get_error()));
+                    exit(1);
+                }
+                if (outlen != 16) {
+                    logerr("anonaes128.so: error en/de-crypted output is not 16 bytes");
+                    exit(1);
+                }
+                memcpy(&to->u.a4, outbuf, 4);
+                break;
+            }
+        default:
+            to = 0;
+            break;
+        }
+        break;
+    }
+
+    if (anonaes128_set_iaddr && (from || to)) {
+        anonaes128_set_iaddr(from, to);
+    }
+#endif
+    return 0;
+}
diff --git a/plugins/anonaes128/test1.gold b/plugins/anonaes128/test1.gold
new file mode 100644
index 0000000..8bd4844
--- /dev/null
+++ b/plugins/anonaes128/test1.gold
@@ -0,0 +1,2146 @@
+anonaes128.so usage error: must have key (-k/-K) and IV (-i/-I)
+anonaes128.so usage error: must have key (-k/-K) and IV (-i/-I)
+anonaes128.so usage error: must have key (-k/-K) and IV (-i/-I)
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[207.109.225.214].53199 [38.134.79.111].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
+	[207.109.225.214].57822 [38.134.79.111].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
+	[207.109.225.214].40043 [38.134.79.111].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
+	[207.109.225.214].37953 [38.134.79.111].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
+	[207.109.225.214].48658 [38.134.79.111].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
+	[207.109.225.214].40953 [38.134.79.111].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
+	[207.109.225.214].45174 [38.134.79.111].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
+	[207.109.225.214].33916 [38.134.79.111].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
+	[207.109.225.214].43559 [38.134.79.111].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
+	[207.109.225.214].54859 [38.134.79.111].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
+	[207.109.225.214].58176 [38.134.79.111].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
+	[207.109.225.214].41266 [38.134.79.111].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
+	[207.109.225.214].34607 [38.134.79.111].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
+	[207.109.225.214].60437 [38.134.79.111].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
+	[207.109.225.214].37149 [38.134.79.111].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
+	[207.109.225.214].53820 [38.134.79.111].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
+	[207.109.225.214].52368 [38.134.79.111].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
+	[207.109.225.214].47637 [38.134.79.111].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
+	[207.109.225.214].34426 [38.134.79.111].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
+	[207.109.225.214].41059 [38.134.79.111].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
+	[207.109.225.214].51181 [38.134.79.111].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
+	[207.109.225.214].32976 [38.134.79.111].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
+	[207.109.225.214].53467 [38.134.79.111].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
+	[207.109.225.214].41532 [38.134.79.111].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
+	[207.109.225.214].44982 [38.134.79.111].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
+	[207.109.225.214].40224 [38.134.79.111].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
+	[207.109.225.214].45658 [38.134.79.111].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
+	[207.109.225.214].60457 [38.134.79.111].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
+	[207.109.225.214].59762 [38.134.79.111].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
+	[207.109.225.214].56022 [38.134.79.111].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
+	[207.109.225.214].37669 [38.134.79.111].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
+	[207.109.225.214].42978 [38.134.79.111].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
+	[207.109.225.214].49829 [38.134.79.111].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
+	[207.109.225.214].50599 [38.134.79.111].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
+	[207.109.225.214].44980 [38.134.79.111].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
+	[207.109.225.214].60063 [38.134.79.111].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
+	[207.109.225.214].42042 [38.134.79.111].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
+	[207.109.225.214].60469 [38.134.79.111].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
+	[207.109.225.214].45703 [38.134.79.111].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
+	[207.109.225.214].33507 [38.134.79.111].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
+	[207.109.225.214].46798 [38.134.79.111].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [207.109.225.214].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[207.109.225.214].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
+	[207.109.225.214].57822 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
+	[207.109.225.214].40043 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
+	[207.109.225.214].37953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
+	[207.109.225.214].48658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
+	[207.109.225.214].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
+	[207.109.225.214].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
+	[207.109.225.214].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
+	[207.109.225.214].43559 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
+	[207.109.225.214].54859 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
+	[207.109.225.214].58176 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
+	[207.109.225.214].41266 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
+	[207.109.225.214].34607 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
+	[207.109.225.214].60437 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
+	[207.109.225.214].37149 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
+	[207.109.225.214].53820 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
+	[207.109.225.214].52368 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
+	[207.109.225.214].47637 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
+	[207.109.225.214].34426 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
+	[207.109.225.214].41059 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
+	[207.109.225.214].51181 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
+	[207.109.225.214].32976 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
+	[207.109.225.214].53467 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
+	[207.109.225.214].41532 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
+	[207.109.225.214].44982 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
+	[207.109.225.214].40224 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
+	[207.109.225.214].45658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
+	[207.109.225.214].60457 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
+	[207.109.225.214].59762 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
+	[207.109.225.214].56022 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
+	[207.109.225.214].37669 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
+	[207.109.225.214].42978 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
+	[207.109.225.214].49829 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
+	[207.109.225.214].50599 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
+	[207.109.225.214].44980 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
+	[207.109.225.214].60063 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
+	[207.109.225.214].42042 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
+	[207.109.225.214].60469 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
+	[207.109.225.214].45703 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
+	[207.109.225.214].33507 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
+	[207.109.225.214].46798 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [207.109.225.214].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[172.17.0.10].53199 [38.134.79.111].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
+	[172.17.0.10].57822 [38.134.79.111].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
+	[172.17.0.10].40043 [38.134.79.111].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
+	[172.17.0.10].37953 [38.134.79.111].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
+	[172.17.0.10].48658 [38.134.79.111].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
+	[172.17.0.10].40953 [38.134.79.111].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
+	[172.17.0.10].45174 [38.134.79.111].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
+	[172.17.0.10].33916 [38.134.79.111].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
+	[172.17.0.10].43559 [38.134.79.111].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
+	[172.17.0.10].54859 [38.134.79.111].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
+	[172.17.0.10].58176 [38.134.79.111].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
+	[172.17.0.10].41266 [38.134.79.111].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
+	[172.17.0.10].34607 [38.134.79.111].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
+	[172.17.0.10].60437 [38.134.79.111].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
+	[172.17.0.10].37149 [38.134.79.111].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
+	[172.17.0.10].53820 [38.134.79.111].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
+	[172.17.0.10].52368 [38.134.79.111].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
+	[172.17.0.10].47637 [38.134.79.111].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
+	[172.17.0.10].34426 [38.134.79.111].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
+	[172.17.0.10].41059 [38.134.79.111].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
+	[172.17.0.10].51181 [38.134.79.111].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
+	[172.17.0.10].32976 [38.134.79.111].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
+	[172.17.0.10].53467 [38.134.79.111].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
+	[172.17.0.10].41532 [38.134.79.111].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
+	[172.17.0.10].44982 [38.134.79.111].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
+	[172.17.0.10].40224 [38.134.79.111].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
+	[172.17.0.10].45658 [38.134.79.111].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
+	[172.17.0.10].60457 [38.134.79.111].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
+	[172.17.0.10].59762 [38.134.79.111].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
+	[172.17.0.10].56022 [38.134.79.111].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
+	[172.17.0.10].37669 [38.134.79.111].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
+	[172.17.0.10].42978 [38.134.79.111].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
+	[172.17.0.10].49829 [38.134.79.111].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
+	[172.17.0.10].50599 [38.134.79.111].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
+	[172.17.0.10].44980 [38.134.79.111].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
+	[172.17.0.10].60063 [38.134.79.111].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
+	[172.17.0.10].42042 [38.134.79.111].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
+	[172.17.0.10].60469 [38.134.79.111].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
+	[172.17.0.10].45703 [38.134.79.111].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
+	[172.17.0.10].33507 [38.134.79.111].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
+	[172.17.0.10].46798 [38.134.79.111].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
+	[38.134.79.111].53 [172.17.0.10].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+anonaes128.so usage error: -c and -s options are mutually exclusive
diff --git a/plugins/anonaes128/test1.sh b/plugins/anonaes128/test1.sh
new file mode 100755
index 0000000..296bcd5
--- /dev/null
+++ b/plugins/anonaes128/test1.sh
@@ -0,0 +1,26 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonaes128.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the anonaes128 plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -i "some 16-byte key" 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 -k "some 16-byte key" -i "some 16-byte key" 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 -k "some 16-byte key" -i "some 16-byte key" -c 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 -k "some 16-byte key" -i "some 16-byte key" -s 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 -k "some 16-byte key" -i "some 16-byte key" -c -s 2>>test1.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test1.out test1.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test1.out.old > test1.out
+    rm test1.out.old
+fi
+
+diff test1.out "$srcdir/test1.gold"
diff --git a/plugins/anonaes128/test2.gold b/plugins/anonaes128/test2.gold
new file mode 100644
index 0000000..29b4a52
--- /dev/null
+++ b/plugins/anonaes128/test2.gold
@@ -0,0 +1,33 @@
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[4a92:a508:d567:5c16:d07:5236:4b51:417e].51972 [6733:3377:d5f:662b:299f:6a97:c7fe:d424].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[6733:3377:d5f:662b:299f:6a97:c7fe:d424].53 [4a92:a508:d567:5c16:d07:5236:4b51:417e].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[4a92:a508:d567:5c16:d07:5236:4b51:417e].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::8888].53 [4a92:a508:d567:5c16:d07:5236:4b51:417e].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0:0:57::245].51972 [6733:3377:d5f:662b:299f:6a97:c7fe:d424].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[6733:3377:d5f:662b:299f:6a97:c7fe:d424].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
diff --git a/plugins/anonaes128/test2.sh b/plugins/anonaes128/test2.sh
new file mode 100755
index 0000000..ff21327
--- /dev/null
+++ b/plugins/anonaes128/test2.sh
@@ -0,0 +1,30 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonaes128.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the anonaes128 plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" 2>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -c 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -s 2>>test2.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test2.out test2.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test2.out.old > test2.out
+    rm test2.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test2.out | \
+  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+  sed 's%,CLASS512,OPT,%,512,512,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
+mv test2.new test2.out
+
+diff test2.out "$srcdir/test2.gold"
diff --git a/plugins/anonaes128/test3.gold b/plugins/anonaes128/test3.gold
new file mode 100644
index 0000000..a3d589d
--- /dev/null
+++ b/plugins/anonaes128/test3.gold
@@ -0,0 +1,11 @@
+[87] 2018-11-27 15:52:00.414188 [#0 test3.pcap.20181127.155200.414188 4095] \
+	[2a01:3f0:0:57::245].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 test3.pcap.20181127.155200.414188 4095] \
+	[2001:4860:4860::8888].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
diff --git a/plugins/anonaes128/test3.sh b/plugins/anonaes128/test3.sh
new file mode 100755
index 0000000..09fb116
--- /dev/null
+++ b/plugins/anonaes128/test3.sh
@@ -0,0 +1,29 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonaes128.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the anonaes128 plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns6.pcap-dist -w test3.pcap -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" 2>test3.out
+../../src/dnscap -r test3.pcap.20181127.155200.414188 -g -P "$plugin" -D -k "some 16-byte key" -i "some 16-byte key" 2>>test3.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test3.out test3.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test3.out.old > test3.out
+    rm test3.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test3.out | \
+  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+  sed 's%,CLASS512,OPT,%,512,512,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test3.new
+mv test3.new test3.out
+
+diff test3.out "$srcdir/test3.gold"
diff --git a/plugins/anonaes128/test4.sh b/plugins/anonaes128/test4.sh
new file mode 100755
index 0000000..3d51818
--- /dev/null
+++ b/plugins/anonaes128/test4.sh
@@ -0,0 +1,24 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonaes128.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the anonaes128 plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k tooshort
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -i tooshort
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 -K "$srcdir/test4.sh" -I "$srcdir/test4.sh"
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -K does_not_exist
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -I does_not_exist
+rm -f test4.tmp
+touch test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -K test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -I test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 0
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 1
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -D -4 -k "some 16-byte key" -i "some 16-byte key"
diff --git a/plugins/anonmask/Makefile.am b/plugins/anonmask/Makefile.am
new file mode 100644
index 0000000..48f5a10
--- /dev/null
+++ b/plugins/anonmask/Makefile.am
@@ -0,0 +1,23 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS)
+
+pkglib_LTLIBRARIES = anonmask.la
+anonmask_la_SOURCES = anonmask.c
+anonmask_la_LDFLAGS = -module -avoid-version
+
+TESTS = test1.sh test2.sh test3.sh
+
+EXTRA_DIST = $(TESTS) test1.gold test2.gold
+CLEANFILES += test1.out test2.out
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(anonmask_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif
diff --git a/plugins/anonmask/anonmask.c b/plugins/anonmask/anonmask.c
new file mode 100644
index 0000000..ca3dc0d
--- /dev/null
+++ b/plugins/anonmask/anonmask.c
@@ -0,0 +1,244 @@
+/*
+ * Copyright (c) 2018-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+
+#include "dnscap_common.h"
+
+static set_iaddr_t anonmask_set_iaddr = 0;
+
+static logerr_t*       logerr;
+static int             only_clients = 0, only_servers = 0, mask_port = 53, mask_v4 = 24, mask_v6 = 48;
+static struct in_addr  in4  = { INADDR_ANY };
+static struct in6_addr in6  = IN6ADDR_ANY_INIT;
+static uint32_t*       in6p = (uint32_t*)&in6;
+
+enum plugin_type anonmask_type()
+{
+    return plugin_filter;
+}
+
+void usage(const char* msg)
+{
+    fprintf(stderr, "anonmask.so usage error: %s\n", msg);
+    exit(1);
+}
+
+void anonmask_usage()
+{
+    fprintf(stderr,
+        "\nanonmask.so options:\n"
+        "\t-?            print these instructions and exit\n"
+        "\t-c            Only mask clients (port != 53)\n"
+        "\t-s            Only mask servers (port == 53)\n"
+        "\t-p <port>     Set port for -c/-s masking, default 53\n"
+        "\t-4 <netmask>  The /mask for IPv4 addresses, default /24\n"
+        "\t-6 <netmask>  The /mask for IPv6 addresses, default /48\n");
+}
+
+void anonmask_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_SET_IADDR:
+        anonmask_set_iaddr = (set_iaddr_t)arg;
+        break;
+    }
+}
+
+void anonmask_getopt(int* argc, char** argv[])
+{
+    int           c;
+    unsigned long ul;
+    char*         p;
+
+    while ((c = getopt(*argc, *argv, "?csp:4:6:")) != EOF) {
+        switch (c) {
+        case 'c':
+            only_clients = 1;
+            break;
+        case 's':
+            only_servers = 1;
+            break;
+        case 'p':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul < 1U || ul > 65535U)
+                usage("port must be an integer 1..65535");
+            mask_port = (unsigned)ul;
+            break;
+        case '4':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul > 31U)
+                usage("IPv4 mask must be an integer 0..31");
+            mask_v4 = (unsigned)ul;
+            break;
+        case '6':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul > 127U)
+                usage("IPv6 mask must be an integer 0..127");
+            mask_v6 = (unsigned)ul;
+            break;
+        case '?':
+            anonmask_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+
+    if (only_clients && only_servers) {
+        usage("-c and -s options are mutually exclusive");
+    }
+
+    if (mask_v4) {
+        in4.s_addr = htonl(0xffffffff << (32 - mask_v4));
+    }
+
+    if (mask_v6) {
+        if (mask_v6 <= 32) {
+            in6p[0] = htonl(0xffffffff << (32 - mask_v6));
+        } else if (mask_v6 <= 64) {
+            in6p[0] = 0xffffffff;
+            in6p[1] = htonl(0xffffffff << (64 - mask_v6));
+        } else if (mask_v6 <= 96) {
+            in6p[0] = 0xffffffff;
+            in6p[1] = 0xffffffff;
+            in6p[2] = htonl(0xffffffff << (96 - mask_v6));
+        } else {
+            in6p[0] = 0xffffffff;
+            in6p[1] = 0xffffffff;
+            in6p[2] = 0xffffffff;
+            in6p[3] = htonl(0xffffffff << (128 - mask_v6));
+        }
+    }
+}
+
+int anonmask_start(logerr_t* a_logerr)
+{
+    logerr = a_logerr;
+    return 0;
+}
+
+void anonmask_stop()
+{
+}
+
+int anonmask_open(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int anonmask_close(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int anonmask_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen,
+    const u_char* payload, const unsigned payloadlen)
+{
+    uint32_t* p6;
+
+    for (;;) {
+        if (only_clients && sport == mask_port) {
+            from = 0;
+            break;
+        }
+        if (only_servers && sport != mask_port) {
+            from = 0;
+            break;
+        }
+
+        switch (from->af) {
+        case AF_INET:
+            from->u.a4.s_addr &= in4.s_addr;
+            break;
+        case AF_INET6:
+            p6 = (uint32_t*)&from->u.a6;
+            p6[0] &= in6p[0];
+            p6[1] &= in6p[1];
+            p6[2] &= in6p[2];
+            p6[3] &= in6p[3];
+            break;
+        default:
+            from = 0;
+            break;
+        }
+        break;
+    }
+
+    for (;;) {
+        if (only_clients && dport == mask_port) {
+            to = 0;
+            break;
+        }
+        if (only_servers && dport != mask_port) {
+            to = 0;
+            break;
+        }
+
+        switch (to->af) {
+        case AF_INET:
+            to->u.a4.s_addr &= in4.s_addr;
+            break;
+        case AF_INET6:
+            p6 = (uint32_t*)&to->u.a6;
+            p6[0] &= in6p[0];
+            p6[1] &= in6p[1];
+            p6[2] &= in6p[2];
+            p6[3] &= in6p[3];
+            break;
+        default:
+            to = 0;
+            break;
+        }
+        break;
+    }
+
+    if (anonmask_set_iaddr && (from || to)) {
+        anonmask_set_iaddr(from, to);
+    }
+
+    return 0;
+}
diff --git a/plugins/anonmask/test1.gold b/plugins/anonmask/test1.gold
new file mode 100644
index 0000000..d6dde5a
--- /dev/null
+++ b/plugins/anonmask/test1.gold
@@ -0,0 +1,2857 @@
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[172.17.0.0].53199 [8.8.8.0].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
+	[172.17.0.0].57822 [8.8.8.0].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
+	[172.17.0.0].40043 [8.8.8.0].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
+	[172.17.0.0].37953 [8.8.8.0].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
+	[172.17.0.0].48658 [8.8.8.0].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
+	[172.17.0.0].40953 [8.8.8.0].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
+	[172.17.0.0].45174 [8.8.8.0].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
+	[172.17.0.0].33916 [8.8.8.0].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
+	[172.17.0.0].43559 [8.8.8.0].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
+	[172.17.0.0].54859 [8.8.8.0].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
+	[172.17.0.0].58176 [8.8.8.0].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
+	[172.17.0.0].41266 [8.8.8.0].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
+	[172.17.0.0].34607 [8.8.8.0].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
+	[172.17.0.0].60437 [8.8.8.0].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
+	[172.17.0.0].37149 [8.8.8.0].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
+	[172.17.0.0].53820 [8.8.8.0].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
+	[172.17.0.0].52368 [8.8.8.0].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
+	[172.17.0.0].47637 [8.8.8.0].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
+	[172.17.0.0].34426 [8.8.8.0].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
+	[172.17.0.0].41059 [8.8.8.0].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
+	[172.17.0.0].51181 [8.8.8.0].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
+	[172.17.0.0].32976 [8.8.8.0].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
+	[172.17.0.0].53467 [8.8.8.0].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
+	[172.17.0.0].41532 [8.8.8.0].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
+	[172.17.0.0].44982 [8.8.8.0].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
+	[172.17.0.0].40224 [8.8.8.0].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
+	[172.17.0.0].45658 [8.8.8.0].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
+	[172.17.0.0].60457 [8.8.8.0].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
+	[172.17.0.0].59762 [8.8.8.0].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
+	[172.17.0.0].56022 [8.8.8.0].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
+	[172.17.0.0].37669 [8.8.8.0].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
+	[172.17.0.0].42978 [8.8.8.0].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
+	[172.17.0.0].49829 [8.8.8.0].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
+	[172.17.0.0].50599 [8.8.8.0].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
+	[172.17.0.0].44980 [8.8.8.0].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
+	[172.17.0.0].60063 [8.8.8.0].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
+	[172.17.0.0].42042 [8.8.8.0].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
+	[172.17.0.0].60469 [8.8.8.0].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
+	[172.17.0.0].45703 [8.8.8.0].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
+	[172.17.0.0].33507 [8.8.8.0].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
+	[172.17.0.0].46798 [8.8.8.0].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.0].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[172.17.0.0].53199 [8.8.0.0].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
+	[172.17.0.0].57822 [8.8.0.0].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
+	[172.17.0.0].40043 [8.8.0.0].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
+	[172.17.0.0].37953 [8.8.0.0].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
+	[172.17.0.0].48658 [8.8.0.0].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
+	[172.17.0.0].40953 [8.8.0.0].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
+	[172.17.0.0].45174 [8.8.0.0].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
+	[172.17.0.0].33916 [8.8.0.0].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
+	[172.17.0.0].43559 [8.8.0.0].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
+	[172.17.0.0].54859 [8.8.0.0].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
+	[172.17.0.0].58176 [8.8.0.0].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
+	[172.17.0.0].41266 [8.8.0.0].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
+	[172.17.0.0].34607 [8.8.0.0].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
+	[172.17.0.0].60437 [8.8.0.0].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
+	[172.17.0.0].37149 [8.8.0.0].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
+	[172.17.0.0].53820 [8.8.0.0].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
+	[172.17.0.0].52368 [8.8.0.0].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
+	[172.17.0.0].47637 [8.8.0.0].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
+	[172.17.0.0].34426 [8.8.0.0].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
+	[172.17.0.0].41059 [8.8.0.0].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
+	[172.17.0.0].51181 [8.8.0.0].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
+	[172.17.0.0].32976 [8.8.0.0].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
+	[172.17.0.0].53467 [8.8.0.0].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
+	[172.17.0.0].41532 [8.8.0.0].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
+	[172.17.0.0].44982 [8.8.0.0].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
+	[172.17.0.0].40224 [8.8.0.0].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
+	[172.17.0.0].45658 [8.8.0.0].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
+	[172.17.0.0].60457 [8.8.0.0].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
+	[172.17.0.0].59762 [8.8.0.0].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
+	[172.17.0.0].56022 [8.8.0.0].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
+	[172.17.0.0].37669 [8.8.0.0].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
+	[172.17.0.0].42978 [8.8.0.0].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
+	[172.17.0.0].49829 [8.8.0.0].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
+	[172.17.0.0].50599 [8.8.0.0].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
+	[172.17.0.0].44980 [8.8.0.0].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
+	[172.17.0.0].60063 [8.8.0.0].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
+	[172.17.0.0].42042 [8.8.0.0].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
+	[172.17.0.0].60469 [8.8.0.0].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
+	[172.17.0.0].45703 [8.8.0.0].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
+	[172.17.0.0].33507 [8.8.0.0].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
+	[172.17.0.0].46798 [8.8.0.0].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
+	[8.8.0.0].53 [172.17.0.0].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[172.17.0.0].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
+	[172.17.0.0].57822 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
+	[172.17.0.0].40043 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
+	[172.17.0.0].37953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
+	[172.17.0.0].48658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
+	[172.17.0.0].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
+	[172.17.0.0].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
+	[172.17.0.0].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
+	[172.17.0.0].43559 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
+	[172.17.0.0].54859 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
+	[172.17.0.0].58176 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
+	[172.17.0.0].41266 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
+	[172.17.0.0].34607 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
+	[172.17.0.0].60437 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
+	[172.17.0.0].37149 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
+	[172.17.0.0].53820 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
+	[172.17.0.0].52368 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
+	[172.17.0.0].47637 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
+	[172.17.0.0].34426 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
+	[172.17.0.0].41059 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
+	[172.17.0.0].51181 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
+	[172.17.0.0].32976 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
+	[172.17.0.0].53467 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
+	[172.17.0.0].41532 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
+	[172.17.0.0].44982 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
+	[172.17.0.0].40224 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
+	[172.17.0.0].45658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
+	[172.17.0.0].60457 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
+	[172.17.0.0].59762 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
+	[172.17.0.0].56022 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
+	[172.17.0.0].37669 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
+	[172.17.0.0].42978 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
+	[172.17.0.0].49829 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
+	[172.17.0.0].50599 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
+	[172.17.0.0].44980 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
+	[172.17.0.0].60063 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
+	[172.17.0.0].42042 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
+	[172.17.0.0].60469 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
+	[172.17.0.0].45703 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
+	[172.17.0.0].33507 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
+	[172.17.0.0].46798 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.0].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[172.17.0.10].53199 [8.8.8.0].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
+	[172.17.0.10].57822 [8.8.8.0].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
+	[172.17.0.10].40043 [8.8.8.0].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
+	[172.17.0.10].37953 [8.8.8.0].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
+	[172.17.0.10].48658 [8.8.8.0].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
+	[172.17.0.10].40953 [8.8.8.0].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
+	[172.17.0.10].45174 [8.8.8.0].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
+	[172.17.0.10].33916 [8.8.8.0].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
+	[172.17.0.10].43559 [8.8.8.0].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
+	[172.17.0.10].54859 [8.8.8.0].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
+	[172.17.0.10].58176 [8.8.8.0].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
+	[172.17.0.10].41266 [8.8.8.0].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
+	[172.17.0.10].34607 [8.8.8.0].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
+	[172.17.0.10].60437 [8.8.8.0].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
+	[172.17.0.10].37149 [8.8.8.0].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
+	[172.17.0.10].53820 [8.8.8.0].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
+	[172.17.0.10].52368 [8.8.8.0].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
+	[172.17.0.10].47637 [8.8.8.0].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
+	[172.17.0.10].34426 [8.8.8.0].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
+	[172.17.0.10].41059 [8.8.8.0].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
+	[172.17.0.10].51181 [8.8.8.0].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
+	[172.17.0.10].32976 [8.8.8.0].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
+	[172.17.0.10].53467 [8.8.8.0].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
+	[172.17.0.10].41532 [8.8.8.0].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
+	[172.17.0.10].44982 [8.8.8.0].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
+	[172.17.0.10].40224 [8.8.8.0].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
+	[172.17.0.10].45658 [8.8.8.0].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
+	[172.17.0.10].60457 [8.8.8.0].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
+	[172.17.0.10].59762 [8.8.8.0].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
+	[172.17.0.10].56022 [8.8.8.0].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
+	[172.17.0.10].37669 [8.8.8.0].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
+	[172.17.0.10].42978 [8.8.8.0].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
+	[172.17.0.10].49829 [8.8.8.0].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
+	[172.17.0.10].50599 [8.8.8.0].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
+	[172.17.0.10].44980 [8.8.8.0].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
+	[172.17.0.10].60063 [8.8.8.0].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
+	[172.17.0.10].42042 [8.8.8.0].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
+	[172.17.0.10].60469 [8.8.8.0].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
+	[172.17.0.10].45703 [8.8.8.0].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
+	[172.17.0.10].33507 [8.8.8.0].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
+	[172.17.0.10].46798 [8.8.8.0].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
+	[8.8.8.0].53 [172.17.0.10].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+anonmask.so usage error: -c and -s options are mutually exclusive
diff --git a/plugins/anonmask/test1.sh b/plugins/anonmask/test1.sh
new file mode 100755
index 0000000..a15a9bb
--- /dev/null
+++ b/plugins/anonmask/test1.sh
@@ -0,0 +1,24 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonmask.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the anonmask plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 16 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -c 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -s 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -c -s 2>>test1.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test1.out test1.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test1.out.old > test1.out
+    rm test1.out.old
+fi
+
+diff test1.out "$srcdir/test1.gold"
diff --git a/plugins/anonmask/test2.gold b/plugins/anonmask/test2.gold
new file mode 100644
index 0000000..ac84f76
--- /dev/null
+++ b/plugins/anonmask/test2.gold
@@ -0,0 +1,77 @@
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0::].51972 [2001:4860:4860::].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::].53 [2a01:3f0::].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:300::].51972 [2001:4800::].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4800::].53 [2a01:300::].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0::].51972 [2001:4860::].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860::].53 [2a01:3f0::].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0:0:57::].51972 [2001:4860:4860::].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::].53 [2a01:3f0:0:57::].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0:0:57::].51972 [2001:4860:4860::].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::].53 [2a01:3f0:0:57::].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0::].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::8888].53 [2a01:3f0::].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0:0:57::245].51972 [2001:4860:4860::].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
diff --git a/plugins/anonmask/test2.sh b/plugins/anonmask/test2.sh
new file mode 100755
index 0000000..7a155c5
--- /dev/null
+++ b/plugins/anonmask/test2.sh
@@ -0,0 +1,34 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonmask.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the anonmask plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" 2>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 24 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 32 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 64 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 96 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -c 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -s 2>>test2.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test2.out test2.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test2.out.old > test2.out
+    rm test2.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test2.out | \
+  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+  sed 's%,CLASS512,OPT,%,512,512,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
+mv test2.new test2.out
+
+diff test2.out "$srcdir/test2.gold"
diff --git a/plugins/anonmask/test3.sh b/plugins/anonmask/test3.sh
new file mode 100755
index 0000000..b5018d8
--- /dev/null
+++ b/plugins/anonmask/test3.sh
@@ -0,0 +1,16 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonmask.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the anonmask plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 99
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -6 999
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 0
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 1
diff --git a/plugins/cryptopan/Makefile.am b/plugins/cryptopan/Makefile.am
new file mode 100644
index 0000000..0215742
--- /dev/null
+++ b/plugins/cryptopan/Makefile.am
@@ -0,0 +1,24 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS) $(libcrypto_CFLAGS)
+
+pkglib_LTLIBRARIES = cryptopan.la
+cryptopan_la_SOURCES = cryptopan.c
+cryptopan_la_LDFLAGS = -module -avoid-version $(libcrypto_LIBS)
+
+TESTS = test1.sh test2.sh test3.sh test4.sh
+
+EXTRA_DIST = $(TESTS) test1.gold test2.gold test3.gold
+CLEANFILES += test1.out test2.out test3.out test3.pcap.20161020.152301.075993 \
+  test3.pcap.20181127.155200.414188 test4.tmp
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(cryptopan_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif
diff --git a/plugins/cryptopan/cryptopan.c b/plugins/cryptopan/cryptopan.c
new file mode 100644
index 0000000..2e439af
--- /dev/null
+++ b/plugins/cryptopan/cryptopan.c
@@ -0,0 +1,475 @@
+/*
+ * Copyright (c) 2018-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Crypto-PAn encryption based on submitted extension by David Stott (Lucent)
+ * https://www.cc.gatech.edu/computing/Networking/projects/cryptopan/lucent.shtml
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include "dnscap_common.h"
+
+#if defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_CONF_H) && defined(HAVE_OPENSSL_ERR_H) && defined(HAVE_OPENSSL_EVP_H)
+#include <openssl/conf.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#define USE_OPENSSL 1
+#endif
+
+static set_iaddr_t cryptopan_set_iaddr = 0;
+
+static logerr_t*     logerr;
+static int           only_clients = 0, only_servers = 0, dns_port = 53, encrypt_v6 = 0, decrypt = 0;
+static unsigned char key[16];
+static unsigned char iv[16];
+static unsigned char pad[16];
+#ifdef USE_OPENSSL
+static EVP_CIPHER_CTX* ctx = 0;
+#endif
+
+enum plugin_type cryptopan_type()
+{
+    return plugin_filter;
+}
+
+void usage(const char* msg)
+{
+    fprintf(stderr, "cryptopan.so usage error: %s\n", msg);
+    exit(1);
+}
+
+void cryptopan_usage()
+{
+    fprintf(stderr,
+        "\ncryptopan.so options:\n"
+        "\t-?            print these instructions and exit\n"
+        "\t-k <key>      A 16 character long key\n"
+        "\t-K <file>     Read the 16 first bytes from file and use as key\n"
+        "\t-i <key>      A 16 character long Initialisation Vector (IV)\n"
+        "\t-I <file>     Read the 16 first bytes from file and use as IV\n"
+        "\t-a <key>      A 16 character long padding\n"
+        "\t-A <file>     Read the 16 first bytes from file and use as padding\n"
+        "\t-D            Decrypt IP addresses\n"
+        "\t-c            Only en/de-crypt clients (port != 53)\n"
+        "\t-s            Only en/de-crypt servers (port == 53)\n"
+        "\t-p <port>     Set port for -c/-s, default 53\n"
+        "\t-6            En/de-crypt IPv6 addresses, not default or recommended\n");
+}
+
+void cryptopan_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_SET_IADDR:
+        cryptopan_set_iaddr = (set_iaddr_t)arg;
+        break;
+    }
+}
+
+void cryptopan_getopt(int* argc, char** argv[])
+{
+    int           c, got_key = 0, got_iv = 0, got_pad = 0;
+    unsigned long ul;
+    char*         p;
+
+    while ((c = getopt(*argc, *argv, "?k:K:i:I:a:A:Dcsp:6")) != EOF) {
+        switch (c) {
+        case 'k':
+            if (strlen(optarg) != 16) {
+                usage("key must be 16 characters long");
+            }
+            memcpy(key, optarg, 16);
+            got_key = 1;
+            break;
+        case 'K': {
+            int     fd;
+            ssize_t r;
+            if ((fd = open(optarg, O_RDONLY)) < 0) {
+                perror("open()");
+                usage("unable to open key file");
+            }
+            if ((r = read(fd, key, 16)) < 0) {
+                perror("read()");
+                usage("unable to read from key file");
+            }
+            if (r != 16) {
+                usage("unable to read 16 bytes from key file");
+            }
+            close(fd);
+            got_key = 1;
+            break;
+        }
+        case 'i':
+            if (strlen(optarg) != 16) {
+                usage("IV must be 16 characters long");
+            }
+            memcpy(iv, optarg, 16);
+            got_iv = 1;
+            break;
+        case 'I': {
+            int     fd;
+            ssize_t r;
+            if ((fd = open(optarg, O_RDONLY)) < 0) {
+                perror("open()");
+                usage("unable to open IV file");
+            }
+            if ((r = read(fd, iv, 16)) < 0) {
+                perror("read()");
+                usage("unable to read from IV file");
+            }
+            if (r != 16) {
+                usage("unable to read 16 bytes from IV file");
+            }
+            close(fd);
+            got_iv = 1;
+            break;
+        }
+        case 'a':
+            if (strlen(optarg) != 16) {
+                usage("padding must be 16 characters long");
+            }
+            memcpy(pad, optarg, 16);
+            got_pad = 1;
+            break;
+        case 'A': {
+            int     fd;
+            ssize_t r;
+            if ((fd = open(optarg, O_RDONLY)) < 0) {
+                perror("open()");
+                usage("unable to open padding file");
+            }
+            if ((r = read(fd, pad, 16)) < 0) {
+                perror("read()");
+                usage("unable to read from padding file");
+            }
+            if (r != 16) {
+                usage("unable to read 16 bytes from padding file");
+            }
+            close(fd);
+            got_pad = 1;
+            break;
+        }
+        case 'D':
+            decrypt = 1;
+            break;
+        case 'c':
+            only_clients = 1;
+            break;
+        case 's':
+            only_servers = 1;
+            break;
+        case 'p':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul < 1U || ul > 65535U)
+                usage("port must be an integer 1..65535");
+            dns_port = (unsigned)ul;
+            break;
+        case '6':
+            encrypt_v6 = 1;
+            break;
+        case '?':
+            cryptopan_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+
+    if (!got_key || !got_iv || !got_pad) {
+        usage("must have key (-k/-K), IV (-i/-I) and padding (-a/-A)");
+    }
+
+#ifdef USE_OPENSSL
+    if (!(ctx = EVP_CIPHER_CTX_new())) {
+        usage("unable to create openssl cipher context");
+    }
+    if (!EVP_CipherInit_ex(ctx, EVP_aes_128_ecb(), NULL, key, iv, 1)) {
+        unsigned long e = ERR_get_error();
+        fprintf(stderr, "%s:%s:%s\n", ERR_lib_error_string(e), ERR_func_error_string(e), ERR_reason_error_string(e));
+        usage("unable to initialize AES128 cipher");
+    }
+    EVP_CIPHER_CTX_set_padding(ctx, 0);
+    {
+        unsigned char outbuf[16 + EVP_MAX_BLOCK_LENGTH];
+        int           outlen = 0;
+
+        if (!EVP_CipherUpdate(ctx, outbuf, &outlen, pad, 16)) {
+            fprintf(stderr, "cryptopan.so: error encrypting padding: %s\n", ERR_reason_error_string(ERR_get_error()));
+            exit(1);
+        }
+        if (outlen != 16) {
+            fprintf(stderr, "cryptopan.so: error encrypted padding is not 16 bytes\n");
+            exit(1);
+        }
+        memcpy(&pad, outbuf, 16);
+    }
+#else
+    usage("no openssl support built in, can't encrypt IP addresses");
+#endif
+
+    if (only_clients && only_servers) {
+        usage("-c and -s options are mutually exclusive");
+    }
+}
+
+int cryptopan_start(logerr_t* a_logerr)
+{
+    logerr = a_logerr;
+    return 0;
+}
+
+void cryptopan_stop()
+{
+#ifdef USE_OPENSSL
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = 0;
+#endif
+}
+
+int cryptopan_open(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int cryptopan_close(my_bpftimeval ts)
+{
+    return 0;
+}
+
+#ifdef USE_OPENSSL
+struct input {
+    union {
+        unsigned char input[16];
+        uint32_t      ui32;
+    } u;
+};
+struct output {
+    union {
+        unsigned char outbuf[16 + EVP_MAX_BLOCK_LENGTH];
+        uint32_t      ui32;
+    } u;
+};
+static inline void _encrypt(uint32_t* in)
+{
+    struct input  input;
+    struct output output;
+    int           outlen = 0, pos;
+    uint32_t      orig, result = 0, pad4b, mask = 0;
+
+    memcpy(input.u.input, pad, 16);
+    orig = ntohl(*in);
+    memcpy(&pad4b, pad, 4);
+
+    // First pass with padding only
+
+    input.u.ui32 = htonl(pad4b);
+
+    if (!EVP_CipherUpdate(ctx, output.u.outbuf, &outlen, input.u.input, 16)) {
+        fprintf(stderr, "cryptopan.so: error encrypting: %s\n", ERR_reason_error_string(ERR_get_error()));
+        exit(1);
+    }
+    if (outlen != 16) {
+        fprintf(stderr, "cryptopan.so: error encrypted result is not 16 bytes\n");
+        exit(1);
+    }
+
+    result |= ntohl(output.u.ui32) & 0x80000000;
+    mask >>= 1;
+    mask |= 0x80000000;
+
+    for (pos = 1; pos < 32; pos++) {
+        input.u.ui32 = htonl(((pad4b << pos) | (pad4b >> (32 - pos))) ^ (orig & mask));
+
+        if (!EVP_CipherUpdate(ctx, output.u.outbuf, &outlen, input.u.input, 16)) {
+            fprintf(stderr, "cryptopan.so: error encrypting: %s\n", ERR_reason_error_string(ERR_get_error()));
+            exit(1);
+        }
+        if (outlen != 16) {
+            fprintf(stderr, "cryptopan.so: error encrypted result is not 16 bytes\n");
+            exit(1);
+        }
+
+        result |= (ntohl(output.u.ui32) & 0x80000000) >> pos;
+        mask >>= 1;
+        mask |= 0x80000000;
+    }
+
+    *in = htonl(result ^ orig);
+}
+
+static inline void _decrypt(uint32_t* in)
+{
+    struct input  input;
+    struct output output;
+    int           outlen = 0, pos;
+    uint32_t      orig, pad4b, mask = 0;
+
+    memcpy(input.u.input, pad, 16);
+    orig = ntohl(*in);
+    memcpy(&pad4b, pad, 4);
+
+    // First pass with padding only
+
+    input.u.ui32 = htonl(pad4b);
+
+    if (!EVP_CipherUpdate(ctx, output.u.outbuf, &outlen, input.u.input, 16)) {
+        fprintf(stderr, "cryptopan.so: error encrypting: %s\n", ERR_reason_error_string(ERR_get_error()));
+        exit(1);
+    }
+    if (outlen != 16) {
+        fprintf(stderr, "cryptopan.so: error encrypted result is not 16 bytes\n");
+        exit(1);
+    }
+
+    orig ^= ntohl(output.u.ui32) & 0x80000000;
+    mask >>= 1;
+    mask |= 0x80000000;
+
+    for (pos = 1; pos < 32; pos++) {
+        input.u.ui32 = htonl(((pad4b << pos) | (pad4b >> (32 - pos))) ^ (orig & mask));
+
+        if (!EVP_CipherUpdate(ctx, output.u.outbuf, &outlen, input.u.input, 16)) {
+            fprintf(stderr, "cryptopan.so: error encrypting: %s\n", ERR_reason_error_string(ERR_get_error()));
+            exit(1);
+        }
+        if (outlen != 16) {
+            fprintf(stderr, "cryptopan.so: error encrypted result is not 16 bytes\n");
+            exit(1);
+        }
+
+        orig ^= (ntohl(output.u.ui32) & 0x80000000) >> pos;
+        mask >>= 1;
+        mask |= 0x80000000;
+    }
+
+    *in = htonl(orig);
+}
+#endif
+
+int cryptopan_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen,
+    const u_char* payload, const unsigned payloadlen)
+{
+#ifdef USE_OPENSSL
+    for (;;) {
+        if (only_clients && sport == dns_port) {
+            from = 0;
+            break;
+        }
+        if (only_servers && sport != dns_port) {
+            from = 0;
+            break;
+        }
+
+        switch (from->af) {
+        case AF_INET:
+            decrypt ? _decrypt((uint32_t*)&from->u.a4) : _encrypt((uint32_t*)&from->u.a4);
+            break;
+        case AF_INET6:
+            if (encrypt_v6) {
+                if (decrypt) {
+                    _decrypt((uint32_t*)&from->u.a6);
+                    _decrypt(((uint32_t*)&from->u.a6) + 1); // lgtm [cpp/suspicious-pointer-scaling]
+                    _decrypt(((uint32_t*)&from->u.a6) + 2); // lgtm [cpp/suspicious-pointer-scaling]
+                    _decrypt(((uint32_t*)&from->u.a6) + 3); // lgtm [cpp/suspicious-pointer-scaling]
+                } else {
+                    _encrypt((uint32_t*)&from->u.a6);
+                    _encrypt(((uint32_t*)&from->u.a6) + 1); // lgtm [cpp/suspicious-pointer-scaling]
+                    _encrypt(((uint32_t*)&from->u.a6) + 2); // lgtm [cpp/suspicious-pointer-scaling]
+                    _encrypt(((uint32_t*)&from->u.a6) + 3); // lgtm [cpp/suspicious-pointer-scaling]
+                }
+                break;
+            }
+        default:
+            from = 0;
+            break;
+        }
+        break;
+    }
+
+    for (;;) {
+        if (only_clients && dport == dns_port) {
+            to = 0;
+            break;
+        }
+        if (only_servers && dport != dns_port) {
+            to = 0;
+            break;
+        }
+
+        switch (to->af) {
+        case AF_INET:
+            decrypt ? _decrypt((uint32_t*)&to->u.a4) : _encrypt((uint32_t*)&to->u.a4);
+            break;
+        case AF_INET6:
+            if (encrypt_v6) {
+                if (decrypt) {
+                    _decrypt((uint32_t*)&to->u.a6);
+                    _decrypt(((uint32_t*)&to->u.a6) + 1); // lgtm [cpp/suspicious-pointer-scaling]
+                    _decrypt(((uint32_t*)&to->u.a6) + 2); // lgtm [cpp/suspicious-pointer-scaling]
+                    _decrypt(((uint32_t*)&to->u.a6) + 3); // lgtm [cpp/suspicious-pointer-scaling]
+                } else {
+                    _encrypt((uint32_t*)&to->u.a6);
+                    _encrypt(((uint32_t*)&to->u.a6) + 1); // lgtm [cpp/suspicious-pointer-scaling]
+                    _encrypt(((uint32_t*)&to->u.a6) + 2); // lgtm [cpp/suspicious-pointer-scaling]
+                    _encrypt(((uint32_t*)&to->u.a6) + 3); // lgtm [cpp/suspicious-pointer-scaling]
+                }
+                break;
+            }
+        default:
+            to = 0;
+            break;
+        }
+        break;
+    }
+
+    if (cryptopan_set_iaddr && (from || to)) {
+        cryptopan_set_iaddr(from, to);
+    }
+#endif
+    return 0;
+}
diff --git a/plugins/cryptopan/test1.gold b/plugins/cryptopan/test1.gold
new file mode 100644
index 0000000..71bbba1
--- /dev/null
+++ b/plugins/cryptopan/test1.gold
@@ -0,0 +1,2147 @@
+cryptopan.so usage error: must have key (-k/-K), IV (-i/-I) and padding (-a/-A)
+cryptopan.so usage error: must have key (-k/-K), IV (-i/-I) and padding (-a/-A)
+cryptopan.so usage error: must have key (-k/-K), IV (-i/-I) and padding (-a/-A)
+cryptopan.so usage error: must have key (-k/-K), IV (-i/-I) and padding (-a/-A)
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[137.205.188.255].53199 [44.76.218.44].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
+	[137.205.188.255].57822 [44.76.218.44].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
+	[137.205.188.255].40043 [44.76.218.44].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
+	[137.205.188.255].37953 [44.76.218.44].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
+	[137.205.188.255].48658 [44.76.218.44].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
+	[137.205.188.255].40953 [44.76.218.44].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
+	[137.205.188.255].45174 [44.76.218.44].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
+	[137.205.188.255].33916 [44.76.218.44].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
+	[137.205.188.255].43559 [44.76.218.44].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
+	[137.205.188.255].54859 [44.76.218.44].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
+	[137.205.188.255].58176 [44.76.218.44].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
+	[137.205.188.255].41266 [44.76.218.44].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
+	[137.205.188.255].34607 [44.76.218.44].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
+	[137.205.188.255].60437 [44.76.218.44].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
+	[137.205.188.255].37149 [44.76.218.44].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
+	[137.205.188.255].53820 [44.76.218.44].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
+	[137.205.188.255].52368 [44.76.218.44].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
+	[137.205.188.255].47637 [44.76.218.44].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
+	[137.205.188.255].34426 [44.76.218.44].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
+	[137.205.188.255].41059 [44.76.218.44].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
+	[137.205.188.255].51181 [44.76.218.44].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
+	[137.205.188.255].32976 [44.76.218.44].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
+	[137.205.188.255].53467 [44.76.218.44].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
+	[137.205.188.255].41532 [44.76.218.44].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
+	[137.205.188.255].44982 [44.76.218.44].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
+	[137.205.188.255].40224 [44.76.218.44].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
+	[137.205.188.255].45658 [44.76.218.44].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
+	[137.205.188.255].60457 [44.76.218.44].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
+	[137.205.188.255].59762 [44.76.218.44].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
+	[137.205.188.255].56022 [44.76.218.44].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
+	[137.205.188.255].37669 [44.76.218.44].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
+	[137.205.188.255].42978 [44.76.218.44].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
+	[137.205.188.255].49829 [44.76.218.44].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
+	[137.205.188.255].50599 [44.76.218.44].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
+	[137.205.188.255].44980 [44.76.218.44].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
+	[137.205.188.255].60063 [44.76.218.44].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
+	[137.205.188.255].42042 [44.76.218.44].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
+	[137.205.188.255].60469 [44.76.218.44].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
+	[137.205.188.255].45703 [44.76.218.44].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
+	[137.205.188.255].33507 [44.76.218.44].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
+	[137.205.188.255].46798 [44.76.218.44].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [137.205.188.255].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[137.205.188.255].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
+	[137.205.188.255].57822 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
+	[137.205.188.255].40043 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
+	[137.205.188.255].37953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
+	[137.205.188.255].48658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
+	[137.205.188.255].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
+	[137.205.188.255].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
+	[137.205.188.255].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
+	[137.205.188.255].43559 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
+	[137.205.188.255].54859 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
+	[137.205.188.255].58176 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
+	[137.205.188.255].41266 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
+	[137.205.188.255].34607 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
+	[137.205.188.255].60437 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
+	[137.205.188.255].37149 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
+	[137.205.188.255].53820 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
+	[137.205.188.255].52368 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
+	[137.205.188.255].47637 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
+	[137.205.188.255].34426 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
+	[137.205.188.255].41059 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
+	[137.205.188.255].51181 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
+	[137.205.188.255].32976 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
+	[137.205.188.255].53467 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
+	[137.205.188.255].41532 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
+	[137.205.188.255].44982 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
+	[137.205.188.255].40224 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
+	[137.205.188.255].45658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
+	[137.205.188.255].60457 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
+	[137.205.188.255].59762 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
+	[137.205.188.255].56022 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
+	[137.205.188.255].37669 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
+	[137.205.188.255].42978 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
+	[137.205.188.255].49829 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
+	[137.205.188.255].50599 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
+	[137.205.188.255].44980 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
+	[137.205.188.255].60063 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
+	[137.205.188.255].42042 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
+	[137.205.188.255].60469 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
+	[137.205.188.255].45703 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
+	[137.205.188.255].33507 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
+	[137.205.188.255].46798 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [137.205.188.255].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[172.17.0.10].53199 [44.76.218.44].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
+	[172.17.0.10].57822 [44.76.218.44].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
+	[172.17.0.10].40043 [44.76.218.44].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
+	[172.17.0.10].37953 [44.76.218.44].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
+	[172.17.0.10].48658 [44.76.218.44].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
+	[172.17.0.10].40953 [44.76.218.44].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
+	[172.17.0.10].45174 [44.76.218.44].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
+	[172.17.0.10].33916 [44.76.218.44].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
+	[172.17.0.10].43559 [44.76.218.44].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
+	[172.17.0.10].54859 [44.76.218.44].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
+	[172.17.0.10].58176 [44.76.218.44].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
+	[172.17.0.10].41266 [44.76.218.44].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
+	[172.17.0.10].34607 [44.76.218.44].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
+	[172.17.0.10].60437 [44.76.218.44].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
+	[172.17.0.10].37149 [44.76.218.44].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
+	[172.17.0.10].53820 [44.76.218.44].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
+	[172.17.0.10].52368 [44.76.218.44].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
+	[172.17.0.10].47637 [44.76.218.44].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
+	[172.17.0.10].34426 [44.76.218.44].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
+	[172.17.0.10].41059 [44.76.218.44].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
+	[172.17.0.10].51181 [44.76.218.44].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
+	[172.17.0.10].32976 [44.76.218.44].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
+	[172.17.0.10].53467 [44.76.218.44].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
+	[172.17.0.10].41532 [44.76.218.44].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
+	[172.17.0.10].44982 [44.76.218.44].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
+	[172.17.0.10].40224 [44.76.218.44].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
+	[172.17.0.10].45658 [44.76.218.44].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
+	[172.17.0.10].60457 [44.76.218.44].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
+	[172.17.0.10].59762 [44.76.218.44].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
+	[172.17.0.10].56022 [44.76.218.44].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
+	[172.17.0.10].37669 [44.76.218.44].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
+	[172.17.0.10].42978 [44.76.218.44].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
+	[172.17.0.10].49829 [44.76.218.44].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
+	[172.17.0.10].50599 [44.76.218.44].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
+	[172.17.0.10].44980 [44.76.218.44].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
+	[172.17.0.10].60063 [44.76.218.44].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
+	[172.17.0.10].42042 [44.76.218.44].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
+	[172.17.0.10].60469 [44.76.218.44].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
+	[172.17.0.10].45703 [44.76.218.44].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
+	[172.17.0.10].33507 [44.76.218.44].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
+	[172.17.0.10].46798 [44.76.218.44].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
+	[44.76.218.44].53 [172.17.0.10].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+cryptopan.so usage error: -c and -s options are mutually exclusive
diff --git a/plugins/cryptopan/test1.sh b/plugins/cryptopan/test1.sh
new file mode 100755
index 0000000..b499f12
--- /dev/null
+++ b/plugins/cryptopan/test1.sh
@@ -0,0 +1,27 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopan.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the cryptopan plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -i "some 16-byte key" 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -a "some 16-byte key" 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -c 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -s 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -c -s 2>>test1.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test1.out test1.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test1.out.old > test1.out
+    rm test1.out.old
+fi
+
+diff test1.out "$srcdir/test1.gold"
diff --git a/plugins/cryptopan/test2.gold b/plugins/cryptopan/test2.gold
new file mode 100644
index 0000000..d7d5e63
--- /dev/null
+++ b/plugins/cryptopan/test2.gold
@@ -0,0 +1,33 @@
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[11eb:460f:2668:8b63:2668:8b2a:2668:8948].51972 [1845:9ab2:426f:b370:2668:8b2a:2668:33ab].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[1845:9ab2:426f:b370:2668:8b2a:2668:33ab].53 [11eb:460f:2668:8b63:2668:8b2a:2668:8948].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[11eb:460f:2668:8b63:2668:8b2a:2668:8948].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::8888].53 [11eb:460f:2668:8b63:2668:8b2a:2668:8948].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0:0:57::245].51972 [1845:9ab2:426f:b370:2668:8b2a:2668:33ab].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[1845:9ab2:426f:b370:2668:8b2a:2668:33ab].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
diff --git a/plugins/cryptopan/test2.sh b/plugins/cryptopan/test2.sh
new file mode 100755
index 0000000..3f41fc4
--- /dev/null
+++ b/plugins/cryptopan/test2.sh
@@ -0,0 +1,30 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopan.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the cryptopan plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" 2>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -c 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -s 2>>test2.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test2.out test2.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test2.out.old > test2.out
+    rm test2.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test2.out | \
+  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+  sed 's%,CLASS512,OPT,%,512,512,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
+mv test2.new test2.out
+
+diff test2.out "$srcdir/test2.gold"
diff --git a/plugins/cryptopan/test3.gold b/plugins/cryptopan/test3.gold
new file mode 100644
index 0000000..afd1d7d
--- /dev/null
+++ b/plugins/cryptopan/test3.gold
@@ -0,0 +1,725 @@
+[56] 2016-10-20 15:23:01.075993 [#0 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].57822 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].40043 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].37953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].48658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].43559 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].54859 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].58176 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].41266 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].34607 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60437 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].37149 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].53820 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].52368 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].47637 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].34426 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].41059 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].51181 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].32976 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].53467 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].41532 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].44982 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].40224 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].45658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60457 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].59762 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].56022 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].37669 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].42978 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].49829 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].50599 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].44980 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60063 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].42042 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60469 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].45703 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].33507 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].46798 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+[87] 2018-11-27 15:52:00.414188 [#0 test3.pcap.20181127.155200.414188 4095] \
+	[2a01:3f0:0:57::245].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 test3.pcap.20181127.155200.414188 4095] \
+	[2001:4860:4860::8888].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
diff --git a/plugins/cryptopan/test3.sh b/plugins/cryptopan/test3.sh
new file mode 100755
index 0000000..48dc90f
--- /dev/null
+++ b/plugins/cryptopan/test3.sh
@@ -0,0 +1,32 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopan.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the cryptopan plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -w test3.pcap -r dns.pcap-dist -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" 2>test3.out
+../../src/dnscap -w test3.pcap -r dns6.pcap-dist -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -6 2>>test3.out
+../../src/dnscap -r test3.pcap.20161020.152301.075993 -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -D 2>>test3.out
+../../src/dnscap -r test3.pcap.20181127.155200.414188 -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -6 -D 2>>test3.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test3.out test3.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test3.out.old > test3.out
+    rm test3.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test3.out | \
+  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+  sed 's%,CLASS512,OPT,%,512,512,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test3.new
+mv test3.new test3.out
+
+diff test3.out "$srcdir/test3.gold"
diff --git a/plugins/cryptopan/test4.sh b/plugins/cryptopan/test4.sh
new file mode 100755
index 0000000..499a86c
--- /dev/null
+++ b/plugins/cryptopan/test4.sh
@@ -0,0 +1,26 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopan.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the cryptopan plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k tooshort
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -i tooshort
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -a tooshort
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -K "$srcdir/test4.sh" -I "$srcdir/test4.sh" -A "$srcdir/test4.sh"
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -K does_not_exist
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -I does_not_exist
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -A does_not_exist
+rm -f test4.tmp
+touch test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -K test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -I test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -A test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 0
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 1
diff --git a/plugins/cryptopant/Makefile.am b/plugins/cryptopant/Makefile.am
new file mode 100644
index 0000000..3aaa44a
--- /dev/null
+++ b/plugins/cryptopant/Makefile.am
@@ -0,0 +1,24 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS) $(libcrypto_CFLAGS)
+
+pkglib_LTLIBRARIES = cryptopant.la
+cryptopant_la_SOURCES = cryptopant.c
+cryptopant_la_LDFLAGS = -module -avoid-version $(libcrypto_LIBS)
+
+TESTS = test1.sh test2.sh test3.sh test4.sh
+
+EXTRA_DIST = $(TESTS) test1.gold keyfile test2.gold test3.gold
+CLEANFILES += test1.out test2.out test3.out test3.pcap.20161020.152301.075993 \
+  test3.pcap.20181127.155200.414188
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(cryptopant_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif
diff --git a/plugins/cryptopant/cryptopant.c b/plugins/cryptopant/cryptopant.c
new file mode 100644
index 0000000..6fb34ed
--- /dev/null
+++ b/plugins/cryptopant/cryptopant.c
@@ -0,0 +1,241 @@
+/*
+ * Copyright (c) 2018-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/socket.h>
+
+#include "dnscap_common.h"
+
+#if defined(HAVE_LIBCRYPTOPANT) && defined(HAVE_CRYPTOPANT_H)
+#include <cryptopANT.h>
+#define USE_CRYPTOPANT 1
+#endif
+
+static set_iaddr_t cryptopant_set_iaddr = 0;
+
+static logerr_t* logerr;
+static int       only_clients = 0, only_servers = 0, dns_port = 53, pass4 = 0, pass6 = 0, decrypt = 0;
+
+enum plugin_type cryptopant_type()
+{
+    return plugin_filter;
+}
+
+void usage(const char* msg)
+{
+    fprintf(stderr, "cryptopant.so usage error: %s\n", msg);
+    exit(1);
+}
+
+void cryptopant_usage()
+{
+    fprintf(stderr,
+        "\ncryptopant.so options:\n"
+        "\t-?            print these instructions and exit\n"
+        "\t-k <file>     Keyfile to use (generated by scramble_ips -G)\n"
+        "\t-4 <num>      pass <num> higher bits of IPv4 through unchanged\n"
+        "\t-6 <num>      pass <num> higher bits of IPv6 through unchanged\n"
+        "\t-D            Decrypt IP addresses\n"
+        "\t-c            Only encrypt clients (port != 53)\n"
+        "\t-s            Only encrypt servers (port == 53)\n"
+        "\t-p <port>     Set port for -c/-s, default 53\n");
+}
+
+void cryptopant_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_SET_IADDR:
+        cryptopant_set_iaddr = (set_iaddr_t)arg;
+        break;
+    }
+}
+
+void cryptopant_getopt(int* argc, char** argv[])
+{
+    int           c;
+    unsigned long ul;
+    char *        p, *keyfile = 0;
+
+    while ((c = getopt(*argc, *argv, "?k:4:6:Dcsp:")) != EOF) {
+        switch (c) {
+        case 'k':
+            if (keyfile) {
+                free(keyfile);
+            }
+            keyfile = strdup(optarg);
+            break;
+        case '4':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul > 31U)
+                usage("pass IPv4 bits must be an integer 0..31");
+            pass4 = (unsigned)ul;
+            break;
+        case '6':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul > 127U)
+                usage("pass IPv6 bits must be an integer 0..127");
+            pass6 = (unsigned)ul;
+            break;
+        case 'D':
+            decrypt = 1;
+            break;
+        case 'c':
+            only_clients = 1;
+            break;
+        case 's':
+            only_servers = 1;
+            break;
+        case 'p':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul < 1U || ul > 65535U)
+                usage("port must be an integer 1..65535");
+            dns_port = (unsigned)ul;
+            break;
+        case '?':
+            cryptopant_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+
+#ifdef USE_CRYPTOPANT
+    if (!keyfile) {
+        usage("must have a -k keyfile");
+    }
+
+    if (scramble_init_from_file(keyfile, SCRAMBLE_NONE, SCRAMBLE_NONE, 0)) {
+        usage("unable to initialize cryptopANT");
+    }
+#else
+    usage("no cryptopANT support built in, can't encrypt IP addresses");
+#endif
+
+    if (only_clients && only_servers) {
+        usage("-c and -s options are mutually exclusive");
+    }
+
+    if (keyfile) {
+        free(keyfile);
+    }
+}
+
+int cryptopant_start(logerr_t* a_logerr)
+{
+    logerr = a_logerr;
+    return 0;
+}
+
+void cryptopant_stop()
+{
+}
+
+int cryptopant_open(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int cryptopant_close(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int cryptopant_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen,
+    const u_char* payload, const unsigned payloadlen)
+{
+#ifdef USE_CRYPTOPANT
+    for (;;) {
+        if (only_clients && sport == dns_port) {
+            from = 0;
+            break;
+        }
+        if (only_servers && sport != dns_port) {
+            from = 0;
+            break;
+        }
+
+        switch (from->af) {
+        case AF_INET:
+            from->u.a4.s_addr = decrypt ? unscramble_ip4(from->u.a4.s_addr, pass4) : scramble_ip4(from->u.a4.s_addr, pass4);
+            break;
+        case AF_INET6:
+            decrypt ? unscramble_ip6(&from->u.a6, pass6) : scramble_ip6(&from->u.a6, pass6);
+            break;
+        default:
+            from = 0;
+            break;
+        }
+        break;
+    }
+
+    for (;;) {
+        if (only_clients && dport == dns_port) {
+            to = 0;
+            break;
+        }
+        if (only_servers && dport != dns_port) {
+            to = 0;
+            break;
+        }
+
+        switch (to->af) {
+        case AF_INET:
+            to->u.a4.s_addr = decrypt ? unscramble_ip4(to->u.a4.s_addr, pass4) : scramble_ip4(to->u.a4.s_addr, pass4);
+            break;
+        case AF_INET6:
+            decrypt ? unscramble_ip6(&to->u.a6, pass6) : scramble_ip6(&to->u.a6, pass6);
+            break;
+        default:
+            to = 0;
+            break;
+        }
+        break;
+    }
+
+    if (cryptopant_set_iaddr && (from || to)) {
+        cryptopant_set_iaddr(from, to);
+    }
+#endif
+    return 0;
+}
diff --git a/plugins/cryptopant/keyfile b/plugins/cryptopant/keyfile
new file mode 100644
index 0000000..66e6f5c
--- /dev/null
+++ b/plugins/cryptopant/keyfile
@@ -0,0 +1 @@
+02:02:cd6adc7b7dcaf5b926c657190ab7e05a:1df8f74f976ad7ff7a443ce7d2e2ce44235fa2a7080107b19a6785698064f121::54d9e7a215dbd120f70f054a176ca398
diff --git a/plugins/cryptopant/test1.gold b/plugins/cryptopant/test1.gold
new file mode 100644
index 0000000..2201d4f
--- /dev/null
+++ b/plugins/cryptopant/test1.gold
@@ -0,0 +1,2858 @@
+cryptopant.so usage error: must have a -k keyfile
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[143.24.244.213].53199 [108.201.214.210].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
+	[143.24.244.213].57822 [108.201.214.210].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
+	[143.24.244.213].40043 [108.201.214.210].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
+	[143.24.244.213].37953 [108.201.214.210].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
+	[143.24.244.213].48658 [108.201.214.210].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
+	[143.24.244.213].40953 [108.201.214.210].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
+	[143.24.244.213].45174 [108.201.214.210].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
+	[143.24.244.213].33916 [108.201.214.210].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
+	[143.24.244.213].43559 [108.201.214.210].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
+	[143.24.244.213].54859 [108.201.214.210].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
+	[143.24.244.213].58176 [108.201.214.210].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
+	[143.24.244.213].41266 [108.201.214.210].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
+	[143.24.244.213].34607 [108.201.214.210].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
+	[143.24.244.213].60437 [108.201.214.210].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
+	[143.24.244.213].37149 [108.201.214.210].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
+	[143.24.244.213].53820 [108.201.214.210].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
+	[143.24.244.213].52368 [108.201.214.210].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
+	[143.24.244.213].47637 [108.201.214.210].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
+	[143.24.244.213].34426 [108.201.214.210].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
+	[143.24.244.213].41059 [108.201.214.210].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
+	[143.24.244.213].51181 [108.201.214.210].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
+	[143.24.244.213].32976 [108.201.214.210].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
+	[143.24.244.213].53467 [108.201.214.210].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
+	[143.24.244.213].41532 [108.201.214.210].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
+	[143.24.244.213].44982 [108.201.214.210].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
+	[143.24.244.213].40224 [108.201.214.210].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
+	[143.24.244.213].45658 [108.201.214.210].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
+	[143.24.244.213].60457 [108.201.214.210].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
+	[143.24.244.213].59762 [108.201.214.210].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
+	[143.24.244.213].56022 [108.201.214.210].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
+	[143.24.244.213].37669 [108.201.214.210].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
+	[143.24.244.213].42978 [108.201.214.210].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
+	[143.24.244.213].49829 [108.201.214.210].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
+	[143.24.244.213].50599 [108.201.214.210].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
+	[143.24.244.213].44980 [108.201.214.210].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
+	[143.24.244.213].60063 [108.201.214.210].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
+	[143.24.244.213].42042 [108.201.214.210].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
+	[143.24.244.213].60469 [108.201.214.210].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
+	[143.24.244.213].45703 [108.201.214.210].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
+	[143.24.244.213].33507 [108.201.214.210].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
+	[143.24.244.213].46798 [108.201.214.210].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [143.24.244.213].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[172.24.244.213].53199 [8.201.214.210].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
+	[172.24.244.213].57822 [8.201.214.210].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
+	[172.24.244.213].40043 [8.201.214.210].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
+	[172.24.244.213].37953 [8.201.214.210].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
+	[172.24.244.213].48658 [8.201.214.210].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
+	[172.24.244.213].40953 [8.201.214.210].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
+	[172.24.244.213].45174 [8.201.214.210].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
+	[172.24.244.213].33916 [8.201.214.210].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
+	[172.24.244.213].43559 [8.201.214.210].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
+	[172.24.244.213].54859 [8.201.214.210].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
+	[172.24.244.213].58176 [8.201.214.210].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
+	[172.24.244.213].41266 [8.201.214.210].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
+	[172.24.244.213].34607 [8.201.214.210].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
+	[172.24.244.213].60437 [8.201.214.210].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
+	[172.24.244.213].37149 [8.201.214.210].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
+	[172.24.244.213].53820 [8.201.214.210].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
+	[172.24.244.213].52368 [8.201.214.210].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
+	[172.24.244.213].47637 [8.201.214.210].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
+	[172.24.244.213].34426 [8.201.214.210].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
+	[172.24.244.213].41059 [8.201.214.210].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
+	[172.24.244.213].51181 [8.201.214.210].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
+	[172.24.244.213].32976 [8.201.214.210].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
+	[172.24.244.213].53467 [8.201.214.210].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
+	[172.24.244.213].41532 [8.201.214.210].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
+	[172.24.244.213].44982 [8.201.214.210].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
+	[172.24.244.213].40224 [8.201.214.210].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
+	[172.24.244.213].45658 [8.201.214.210].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
+	[172.24.244.213].60457 [8.201.214.210].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
+	[172.24.244.213].59762 [8.201.214.210].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
+	[172.24.244.213].56022 [8.201.214.210].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
+	[172.24.244.213].37669 [8.201.214.210].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
+	[172.24.244.213].42978 [8.201.214.210].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
+	[172.24.244.213].49829 [8.201.214.210].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
+	[172.24.244.213].50599 [8.201.214.210].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
+	[172.24.244.213].44980 [8.201.214.210].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
+	[172.24.244.213].60063 [8.201.214.210].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
+	[172.24.244.213].42042 [8.201.214.210].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
+	[172.24.244.213].60469 [8.201.214.210].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
+	[172.24.244.213].45703 [8.201.214.210].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
+	[172.24.244.213].33507 [8.201.214.210].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
+	[172.24.244.213].46798 [8.201.214.210].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
+	[8.201.214.210].53 [172.24.244.213].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[143.24.244.213].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
+	[143.24.244.213].57822 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
+	[143.24.244.213].40043 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
+	[143.24.244.213].37953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
+	[143.24.244.213].48658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
+	[143.24.244.213].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
+	[143.24.244.213].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
+	[143.24.244.213].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
+	[143.24.244.213].43559 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
+	[143.24.244.213].54859 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
+	[143.24.244.213].58176 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
+	[143.24.244.213].41266 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
+	[143.24.244.213].34607 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
+	[143.24.244.213].60437 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
+	[143.24.244.213].37149 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
+	[143.24.244.213].53820 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
+	[143.24.244.213].52368 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
+	[143.24.244.213].47637 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
+	[143.24.244.213].34426 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
+	[143.24.244.213].41059 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
+	[143.24.244.213].51181 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
+	[143.24.244.213].32976 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
+	[143.24.244.213].53467 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
+	[143.24.244.213].41532 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
+	[143.24.244.213].44982 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
+	[143.24.244.213].40224 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
+	[143.24.244.213].45658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
+	[143.24.244.213].60457 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
+	[143.24.244.213].59762 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
+	[143.24.244.213].56022 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
+	[143.24.244.213].37669 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
+	[143.24.244.213].42978 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
+	[143.24.244.213].49829 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
+	[143.24.244.213].50599 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
+	[143.24.244.213].44980 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
+	[143.24.244.213].60063 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
+	[143.24.244.213].42042 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
+	[143.24.244.213].60469 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
+	[143.24.244.213].45703 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
+	[143.24.244.213].33507 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
+	[143.24.244.213].46798 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [143.24.244.213].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[172.17.0.10].53199 [108.201.214.210].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
+	[172.17.0.10].57822 [108.201.214.210].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
+	[172.17.0.10].40043 [108.201.214.210].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
+	[172.17.0.10].37953 [108.201.214.210].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
+	[172.17.0.10].48658 [108.201.214.210].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
+	[172.17.0.10].40953 [108.201.214.210].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
+	[172.17.0.10].45174 [108.201.214.210].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
+	[172.17.0.10].33916 [108.201.214.210].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
+	[172.17.0.10].43559 [108.201.214.210].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
+	[172.17.0.10].54859 [108.201.214.210].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
+	[172.17.0.10].58176 [108.201.214.210].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
+	[172.17.0.10].41266 [108.201.214.210].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
+	[172.17.0.10].34607 [108.201.214.210].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
+	[172.17.0.10].60437 [108.201.214.210].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
+	[172.17.0.10].37149 [108.201.214.210].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
+	[172.17.0.10].53820 [108.201.214.210].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
+	[172.17.0.10].52368 [108.201.214.210].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
+	[172.17.0.10].47637 [108.201.214.210].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
+	[172.17.0.10].34426 [108.201.214.210].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
+	[172.17.0.10].41059 [108.201.214.210].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
+	[172.17.0.10].51181 [108.201.214.210].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
+	[172.17.0.10].32976 [108.201.214.210].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
+	[172.17.0.10].53467 [108.201.214.210].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
+	[172.17.0.10].41532 [108.201.214.210].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
+	[172.17.0.10].44982 [108.201.214.210].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
+	[172.17.0.10].40224 [108.201.214.210].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
+	[172.17.0.10].45658 [108.201.214.210].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
+	[172.17.0.10].60457 [108.201.214.210].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
+	[172.17.0.10].59762 [108.201.214.210].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
+	[172.17.0.10].56022 [108.201.214.210].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
+	[172.17.0.10].37669 [108.201.214.210].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
+	[172.17.0.10].42978 [108.201.214.210].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
+	[172.17.0.10].49829 [108.201.214.210].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
+	[172.17.0.10].50599 [108.201.214.210].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
+	[172.17.0.10].44980 [108.201.214.210].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
+	[172.17.0.10].60063 [108.201.214.210].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
+	[172.17.0.10].42042 [108.201.214.210].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
+	[172.17.0.10].60469 [108.201.214.210].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
+	[172.17.0.10].45703 [108.201.214.210].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
+	[172.17.0.10].33507 [108.201.214.210].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
+	[172.17.0.10].46798 [108.201.214.210].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
+	[108.201.214.210].53 [172.17.0.10].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+cryptopant.so usage error: -c and -s options are mutually exclusive
diff --git a/plugins/cryptopant/test1.sh b/plugins/cryptopant/test1.sh
new file mode 100755
index 0000000..cb632cf
--- /dev/null
+++ b/plugins/cryptopant/test1.sh
@@ -0,0 +1,31 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopant.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the cryptopant plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out || true
+if grep -q "no cryptopANT support built in" test1.out 2>/dev/null; then
+    echo "No cryptopANT support, skipping tests"
+    exit 0
+fi
+
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -4 8 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -c 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -s 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -c -s 2>>test1.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test1.out test1.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test1.out.old > test1.out
+    rm test1.out.old
+fi
+
+diff test1.out "$srcdir/test1.gold"
diff --git a/plugins/cryptopant/test2.gold b/plugins/cryptopant/test2.gold
new file mode 100644
index 0000000..60525e4
--- /dev/null
+++ b/plugins/cryptopant/test2.gold
@@ -0,0 +1,33 @@
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3a0:52c7:8483:3fd2:892c:443c:197e].51972 [2001:48e7:eb7b:8330:a6b3:e29f:c7a1:a114].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:48e7:eb7b:8330:a6b3:e29f:c7a1:a114].53 [2a01:3a0:52c7:8483:3fd2:892c:443c:197e].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[f97c:c1a0:52c7:8483:3fd2:892c:443c:197e].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::8888].53 [f97c:c1a0:52c7:8483:3fd2:892c:443c:197e].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0:0:57::245].51972 [f29a:ede7:eb7b:8330:a6b3:e29f:c7a1:a114].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[f29a:ede7:eb7b:8330:a6b3:e29f:c7a1:a114].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
diff --git a/plugins/cryptopant/test2.sh b/plugins/cryptopant/test2.sh
new file mode 100755
index 0000000..9d50269
--- /dev/null
+++ b/plugins/cryptopant/test2.sh
@@ -0,0 +1,37 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopant.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the cryptopant plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" 2>test2.out || true
+if grep -q "no cryptopANT support built in" test2.out 2>/dev/null; then
+    echo "No cryptopANT support, skipping tests"
+    exit 0
+fi
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" 2>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -6 24 2>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -c 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -s 2>>test2.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test2.out test2.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test2.out.old > test2.out
+    rm test2.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test2.out | \
+  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+  sed 's%,CLASS512,OPT,%,512,512,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
+mv test2.new test2.out
+
+diff test2.out "$srcdir/test2.gold"
diff --git a/plugins/cryptopant/test3.gold b/plugins/cryptopant/test3.gold
new file mode 100644
index 0000000..afd1d7d
--- /dev/null
+++ b/plugins/cryptopant/test3.gold
@@ -0,0 +1,725 @@
+[56] 2016-10-20 15:23:01.075993 [#0 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].57822 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].40043 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].37953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].48658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].43559 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].54859 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].58176 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].41266 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].34607 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60437 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].37149 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].53820 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].52368 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].47637 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].34426 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].41059 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].51181 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].32976 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].53467 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].41532 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].44982 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].40224 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].45658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60457 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].59762 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].56022 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].37669 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].42978 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].49829 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].50599 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].44980 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60063 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].42042 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60469 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].45703 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].33507 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].46798 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+[87] 2018-11-27 15:52:00.414188 [#0 test3.pcap.20181127.155200.414188 4095] \
+	[2a01:3f0:0:57::245].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 test3.pcap.20181127.155200.414188 4095] \
+	[2001:4860:4860::8888].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
diff --git a/plugins/cryptopant/test3.sh b/plugins/cryptopant/test3.sh
new file mode 100755
index 0000000..1ebb524
--- /dev/null
+++ b/plugins/cryptopant/test3.sh
@@ -0,0 +1,38 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopant.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the cryptopant plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test3.out || true
+if grep -q "no cryptopANT support built in" test3.out 2>/dev/null; then
+    echo "No cryptopANT support, skipping tests"
+    exit 0
+fi
+
+../../src/dnscap -w test3.pcap -r dns.pcap-dist -P "$plugin" -k "$srcdir/keyfile" 2>test3.out
+../../src/dnscap -w test3.pcap -r dns6.pcap-dist -P "$plugin" -k "$srcdir/keyfile" 2>>test3.out
+../../src/dnscap -r test3.pcap.20161020.152301.075993 -g -P "$plugin" -k "$srcdir/keyfile" -D 2>>test3.out
+../../src/dnscap -r test3.pcap.20181127.155200.414188 -g -P "$plugin" -k "$srcdir/keyfile" -D 2>>test3.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test3.out test3.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test3.out.old > test3.out
+    rm test3.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test3.out | \
+  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+  sed 's%,CLASS512,OPT,%,512,512,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test3.new
+mv test3.new test3.out
+
+diff test3.out "$srcdir/test3.gold"
diff --git a/plugins/cryptopant/test4.sh b/plugins/cryptopant/test4.sh
new file mode 100755
index 0000000..986d120
--- /dev/null
+++ b/plugins/cryptopant/test4.sh
@@ -0,0 +1,22 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopant.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the cryptopant plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+# ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out || true
+# if grep -q "no cryptopANT support built in" test1.out 2>/dev/null; then
+#     echo "No cryptopANT support, skipping tests"
+#     exit 0
+# fi
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 0
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 1
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 99
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -6 999
diff --git a/plugins/eventlog/Makefile.am b/plugins/eventlog/Makefile.am
new file mode 100644
index 0000000..e29af63
--- /dev/null
+++ b/plugins/eventlog/Makefile.am
@@ -0,0 +1,22 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS)
+
+pkglib_LTLIBRARIES = eventlog.la
+eventlog_la_SOURCES = eventlog.c
+eventlog_la_LDFLAGS = -module -avoid-version
+
+TESTS = test1.sh
+EXTRA_DIST = $(TESTS)
+CLEANFILES += test1.out *.pcap-dist
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(eventlog_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif
diff --git a/plugins/eventlog/eventlog.c b/plugins/eventlog/eventlog.c
new file mode 100644
index 0000000..93d0d15
--- /dev/null
+++ b/plugins/eventlog/eventlog.c
@@ -0,0 +1,425 @@
+/* eventlog.c
+ *
+ * Byron Darrah - May 20, 2020
+ * Version 1.0
+ *
+ * This is a plugin for dnscap, based on the txtout plugin.
+ *
+ * This plugin generates one line of output for each packet, with a human-
+ * readable timestamp, and includes the results of A and AAAA queries (which
+ * is either a list of IP addresses, or an NXDOMAIN flag).
+ *
+ * Below is the original copyright notice from txtout.c.
+ */
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <ctype.h>
+#include <errno.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <ldns/ldns.h>
+
+#include "dnscap_common.h"
+
+static logerr_t* logerr;
+static char*     opt_o = NULL;
+static int       opt_s = 0;
+static FILE*     out   = 0;
+static int       opt_t = 0;
+static char*     opt_n = NULL;
+
+output_t eventlog_output;
+
+void eventlog_usage()
+{
+    fprintf(stderr,
+        "\neventlog.so options:\n"
+        "   -?         print these instructions and exit\n"
+        "   -o <arg>   output file name\n"
+        "   -s         short output, only QTYPE/QNAME for IN\n"
+        "   -t         prefix event messages with DNS packet timestamp\n"
+        "   -n <arg>   include name with each event message\n\n"
+        "Produces a line of text per packet suitable for event logging,\n"
+        "including IP addresses from query responses.\n");
+}
+
+void eventlog_getopt(int* argc, char** argv[])
+{
+    /*
+     * The "getopt" function will be called from the parent to
+     * process plugin options.
+     */
+    int c;
+    while ((c = getopt(*argc, *argv, "?so:tn:")) != EOF) {
+        switch (c) {
+        case 'o':
+            if (opt_o)
+                free(opt_o);
+            opt_o = strdup(optarg);
+            break;
+        case 's':
+            opt_s = 1;
+            break;
+        case 't':
+            opt_t = 1;
+            break;
+        case 'n':
+            opt_n = strdup(optarg);
+            break;
+        case '?':
+            eventlog_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+}
+
+int eventlog_start(logerr_t* a_logerr)
+{
+    /*
+     * The "start" function is called once, when the program
+     * starts.  It is used to initialize the plugin.  If the
+     * plugin wants to write debugging and or error messages,
+     * it should save the a_logerr pointer passed from the
+     * parent code.
+     */
+    logerr = a_logerr;
+    if (opt_o) {
+        out = fopen(opt_o, "a");
+        if (0 == out) {
+            logerr("%s: %s\n", opt_o, strerror(errno));
+            exit(1);
+        }
+    } else {
+        out = stdout;
+    }
+    setbuf(out, 0);
+
+    if (opt_t) {
+        time_t    curtime;
+        char      time_text[25];
+        struct tm res;
+        curtime = time(NULL);
+        if (strftime(time_text, 25, "%G %m/%d %T", localtime_r(&curtime, &res)) > 0) {
+            fprintf(out, "%s ", time_text);
+        } else {
+            fprintf(out, "**ERROR reading time** ");
+        }
+    }
+    if (opt_n) {
+        fprintf(out, "%s ", opt_n);
+    }
+    fprintf(out, "DNS event logging started.\n");
+
+    return 0;
+}
+
+void eventlog_stop()
+{
+    /*
+     * The "start" function is called once, when the program
+     * is exiting normally.  It might be used to clean up state,
+     * free memory, etc.
+     */
+    if (out != stdout)
+        fclose(out);
+}
+
+int eventlog_open(my_bpftimeval ts)
+{
+    /*
+     * The "open" function is called at the start of each
+     * collection interval, which might be based on a period
+     * of time or a number of packets.  In the original code,
+     * this is where we opened an output pcap file.
+     */
+    return 0;
+}
+
+int eventlog_close(my_bpftimeval ts)
+{
+    /*
+     * The "close" function is called at the end of each
+     * collection interval, which might be based on a period
+     * of time or on a number of packets.  In the original code
+     * this is where we closed an output pcap file.
+     */
+    return 0;
+}
+
+ia_str_t           ia_str           = 0;
+tcpstate_getcurr_t tcpstate_getcurr = 0;
+tcpstate_reset_t   tcpstate_reset   = 0;
+
+void eventlog_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_IA_STR:
+        ia_str = (ia_str_t)arg;
+        break;
+    case DNSCAP_EXT_TCPSTATE_GETCURR:
+        tcpstate_getcurr = (tcpstate_getcurr_t)arg;
+        break;
+    case DNSCAP_EXT_TCPSTATE_RESET:
+        tcpstate_reset = (tcpstate_reset_t)arg;
+        break;
+    }
+}
+
+static void eventlog_output_ipbytes(size_t len, const uint8_t* data)
+{
+
+    /* If there are 4 bytes, print them as an IPv4 address. */
+    if (len == 4) {
+        fprintf(out, "%u.%u.%u.%u", data[0], data[1], data[2], data[3]);
+    }
+
+    /* If there are 16 bytes, print them as an IPv6 address. */
+    else if (len == 16) {
+        /* If there are 16 bytes, print them as an IPv6 address. */
+        fprintf(out, "%x:%x:%x:%x:%x:%x:%x:%x",
+            ((unsigned int)data[0]) << 8 | data[1],
+            ((unsigned int)data[2]) << 8 | data[3],
+            ((unsigned int)data[4]) << 8 | data[5],
+            ((unsigned int)data[6]) << 8 | data[7],
+            ((unsigned int)data[8]) << 8 | data[9],
+            ((unsigned int)data[10]) << 8 | data[11],
+            ((unsigned int)data[12]) << 8 | data[13],
+            ((unsigned int)data[14]) << 8 | data[15]);
+    }
+}
+
+void eventlog_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, unsigned olen,
+    const u_char* payload, unsigned payloadlen)
+{
+
+    /* Do not output anything if there is no DNS info to report. */
+    if (!(flags & DNSCAP_OUTPUT_ISDNS)) {
+        return;
+    }
+    ldns_pkt* pkt;
+    if (ldns_wire2pkt(&pkt, payload, payloadlen) != LDNS_STATUS_OK) {
+        if (tcpstate_getcurr && tcpstate_reset)
+            tcpstate_reset(tcpstate_getcurr(), "");
+        return;
+    }
+    ldns_buffer* buf = ldns_buffer_new(512);
+    if (!buf) {
+        logerr("out of memmory\n");
+        exit(1);
+    }
+
+    /*
+     * Output the packet timestamp
+     */
+    if (opt_t) {
+        char      time_text[25];
+        struct tm res;
+        if (strftime(time_text, 25, "%G %m/%d %T", localtime_r(&ts.tv_sec, &res)) > 0) {
+            fprintf(out, "%s ", time_text);
+        } else {
+            fprintf(out, "**ERROR reading packet time** ");
+        }
+    }
+    if (opt_n) {
+        fprintf(out, "%s ", opt_n);
+    }
+
+    /*
+     * Short output, only print QTYPE and QNAME for IN records
+     */
+    if (opt_s) {
+        ldns_rr_list* qds = ldns_pkt_question(pkt);
+        if (qds) {
+            ldns_rr* qd = ldns_rr_list_rr(qds, 0);
+
+            if (qd && ldns_rr_get_class(qd) == LDNS_RR_CLASS_IN) {
+                if (ldns_rr_type2buffer_str(buf, ldns_rr_get_type(qd)) == LDNS_STATUS_OK) {
+                    fprintf(out, "%s", (char*)ldns_buffer_begin(buf));
+                } else {
+                    fprintf(out, "ERR");
+                }
+
+                ldns_buffer_clear(buf);
+                if (ldns_rdf2buffer_str(buf, ldns_rr_owner(qd)) == LDNS_STATUS_OK) {
+                    fprintf(out, " %s\n", (char*)ldns_buffer_begin(buf));
+                } else {
+                    fprintf(out, "ERR\n");
+                }
+            }
+        }
+        ldns_pkt_free(pkt);
+        ldns_buffer_free(buf);
+        return;
+    }
+
+    /*
+     * IP Stuff
+     */
+    fprintf(out, "src=%s spt=%u ", ia_str(from), sport);
+    fprintf(out, "dst=%s dpt=%u ", ia_str(to), dport);
+    switch (proto) {
+    case 17:
+        fprintf(out, "proto=UDP");
+        break;
+    case 6:
+        fprintf(out, "proto=TCP");
+        break;
+    default:
+        fprintf(out, "proto=%hhu", proto);
+        break;
+    }
+
+    /*
+     * DNS Header
+     */
+    fprintf(out, " mid=%u", ldns_pkt_id(pkt));
+    fprintf(out, " op=%u", ldns_pkt_get_opcode(pkt));
+    fprintf(out, " fl=|");
+    if (ldns_pkt_qr(pkt))
+        fprintf(out, "QR|");
+    if (ldns_pkt_aa(pkt))
+        fprintf(out, "AA|");
+    if (ldns_pkt_tc(pkt))
+        fprintf(out, "TC|");
+    if (ldns_pkt_rd(pkt))
+        fprintf(out, "RD|");
+    if (ldns_pkt_ra(pkt))
+        fprintf(out, "RA|");
+    if (ldns_pkt_ad(pkt))
+        fprintf(out, "AD|");
+    if (ldns_pkt_cd(pkt))
+        fprintf(out, "CD|");
+    switch (ldns_pkt_get_rcode(pkt)) {
+    case LDNS_RCODE_NOERROR:
+        fprintf(out, " rc=OK");
+        break;
+    case LDNS_RCODE_NXDOMAIN:
+        fprintf(out, " rc=NXDOMAIN");
+        break;
+    case LDNS_RCODE_SERVFAIL:
+        fprintf(out, " rc=SRVFAIL");
+        break;
+    default:
+        fprintf(out, " rc=%u", ldns_pkt_get_rcode(pkt));
+        break;
+    }
+
+    ldns_rr_list* qds = ldns_pkt_question(pkt);
+    ldns_rr*      qd;
+    if (qds && (qd = ldns_rr_list_rr(qds, 0))) {
+        if (ldns_rr_class2buffer_str(buf, ldns_rr_get_class(qd)) == LDNS_STATUS_OK) {
+            fprintf(out, " cl=%s", (char*)ldns_buffer_begin(buf));
+        } else {
+            fprintf(out, " **ERROR parsing response record**\n");
+            ldns_pkt_free(pkt);
+            ldns_buffer_free(buf);
+            return;
+        }
+
+        ldns_buffer_clear(buf);
+        if (ldns_rr_type2buffer_str(buf, ldns_rr_get_type(qd)) == LDNS_STATUS_OK) {
+            fprintf(out, " tp=%s", (char*)ldns_buffer_begin(buf));
+        } else {
+            fprintf(out, " **ERROR parsing response record**\n");
+            ldns_pkt_free(pkt);
+            ldns_buffer_free(buf);
+            return;
+        }
+
+        ldns_buffer_clear(buf);
+        if (ldns_rdf2buffer_str(buf, ldns_rr_owner(qd)) == LDNS_STATUS_OK) {
+            fprintf(out, " name=%s\n", (char*)ldns_buffer_begin(buf));
+        } else {
+            fprintf(out, " **ERROR parsing response record**\n");
+            ldns_pkt_free(pkt);
+            ldns_buffer_free(buf);
+            return;
+        }
+    }
+
+    /* output the query answers */
+    ldns_rr_list* ans = ldns_pkt_answer(pkt);
+    if (ans) {
+        const char* delim = " ans=";
+        size_t      i, n;
+        for (i = 0, n = ldns_rr_list_rr_count(ans); i < n; i++) {
+            ldns_rr* rr = ldns_rr_list_rr(ans, i);
+
+            if (rr) {
+                switch (ldns_rr_get_type(rr)) {
+                case LDNS_RR_TYPE_A:
+                case LDNS_RR_TYPE_AAAA: {
+                    ldns_rdf* rdf = ldns_rr_rdf(rr, 0);
+                    if (rdf) {
+                        fprintf(out, "%s", delim);
+                        delim = ",";
+                        eventlog_output_ipbytes(ldns_rdf_size(rdf), ldns_rdf_data(rdf));
+                        continue;
+                    }
+                    break;
+                }
+                default:
+                    continue;
+                }
+            }
+
+            fprintf(out, " **ERROR parsing response record**\n");
+            ldns_pkt_free(pkt);
+            ldns_buffer_free(buf);
+            return;
+        }
+    }
+
+    /*
+     * Done
+     */
+    fprintf(out, "\n");
+    ldns_pkt_free(pkt);
+    ldns_buffer_free(buf);
+}
diff --git a/plugins/eventlog/test1.sh b/plugins/eventlog/test1.sh
new file mode 100755
index 0000000..7dda20e
--- /dev/null
+++ b/plugins/eventlog/test1.sh
@@ -0,0 +1,22 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'eventlog.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the eventlog plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+ln -fs "$srcdir/../../src/test/dnso1tcp.pcap" dnso1tcp.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin"
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -o test1.out -o test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -s
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -t
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -n test
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin"
+../../src/dnscap -T -r dnso1tcp.pcap-dist -g -P "$plugin"
diff --git a/plugins/ipcrypt/Makefile.am b/plugins/ipcrypt/Makefile.am
new file mode 100644
index 0000000..64effb7
--- /dev/null
+++ b/plugins/ipcrypt/Makefile.am
@@ -0,0 +1,24 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS)
+
+pkglib_LTLIBRARIES = ipcrypt.la
+ipcrypt_la_SOURCES = ipcrypt.c
+ipcrypt_la_LDFLAGS = -module -avoid-version
+
+TESTS = test1.sh test2.sh test3.sh test4.sh
+
+EXTRA_DIST = $(TESTS) test1.gold test2.gold test3.gold
+CLEANFILES += test1.out test2.out test3.out test3.pcap.20161020.152301.075993 \
+  test3.pcap.20181127.155200.414188 test4.tmp
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(ipcrypt_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif
diff --git a/plugins/ipcrypt/ipcrypt.c b/plugins/ipcrypt/ipcrypt.c
new file mode 100644
index 0000000..2fadcf4
--- /dev/null
+++ b/plugins/ipcrypt/ipcrypt.c
@@ -0,0 +1,351 @@
+/*
+ * Copyright (c) 2018-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include "dnscap_common.h"
+
+static set_iaddr_t ipcrypt_set_iaddr = 0;
+
+static logerr_t* logerr;
+static int       only_clients = 0, only_servers = 0, dns_port = 53, iterations = 1, encrypt_v6 = 0, decrypt = 0;
+static uint8_t   key[16];
+
+/*
+ * ipcrypt based on Python and Go code at https://github.com/veorq/ipcrypt
+ * by Jean-Philippe Aumasson jeanphilippe.aumasson@gmail.com
+ */
+
+static inline uint8_t rotl(uint8_t b, int r)
+{
+    return (b << r) | (b >> (8 - r));
+}
+
+static inline void permute_fwd(uint8_t* state)
+{
+    state[0] += state[1];
+    state[2] += state[3];
+    state[1] = rotl(state[1], 2) ^ state[0];
+    state[3] = rotl(state[3], 5) ^ state[2];
+    // state[1] ^= state[0];
+    // state[3] ^= state[2];
+    state[0] = rotl(state[0], 4) + state[3];
+    // state[0] += state[3];
+    state[2] += state[1];
+    state[1] = rotl(state[1], 3) ^ state[2];
+    state[3] = rotl(state[3], 7) ^ state[0];
+    // state[1] ^= state[2];
+    // state[3] ^= state[0];
+    state[2] = rotl(state[2], 4);
+}
+
+static inline void permute_bwd(uint8_t* state)
+{
+    state[2] = rotl(state[2], 4);
+    state[1] ^= state[2];
+    state[3] ^= state[0];
+    state[1] = rotl(state[1], 5);
+    state[3] = rotl(state[3], 1);
+    state[0] -= state[3];
+    state[2] -= state[1];
+    state[0] = rotl(state[0], 4);
+    state[1] ^= state[0];
+    state[3] ^= state[2];
+    state[1] = rotl(state[1], 6);
+    state[3] = rotl(state[3], 3);
+    state[0] -= state[1];
+    state[2] -= state[3];
+}
+
+static inline void xor4(uint8_t* x, uint8_t* y)
+{
+    *(uint32_t*)x ^= *(uint32_t*)y;
+    // x[0] ^= y[0];
+    // x[1] ^= y[1];
+    // x[2] ^= y[2];
+    // x[3] ^= y[3];
+}
+
+static inline void _encrypt(uint8_t* ip)
+{
+    int i = iterations;
+    for (; i; i--) {
+        xor4(ip, key);
+        permute_fwd(ip);
+        xor4(ip, &key[4]);
+        permute_fwd(ip);
+        xor4(ip, &key[8]);
+        permute_fwd(ip);
+        xor4(ip, &key[12]);
+    }
+}
+
+static inline void _decrypt(uint8_t* ip)
+{
+    int i = iterations;
+    for (; i; i--) {
+        xor4(ip, &key[12]);
+        permute_bwd(ip);
+        xor4(ip, &key[8]);
+        permute_bwd(ip);
+        xor4(ip, &key[4]);
+        permute_bwd(ip);
+        xor4(ip, key);
+    }
+}
+
+enum plugin_type ipcrypt_type()
+{
+    return plugin_filter;
+}
+
+void usage(const char* msg)
+{
+    fprintf(stderr, "ipcrypt.so usage error: %s\n", msg);
+    exit(1);
+}
+
+void ipcrypt_usage()
+{
+    fprintf(stderr,
+        "\nipcrypt.so options:\n"
+        "\t-?            print these instructions and exit\n"
+        "\t-k <key>      A 16 character long key\n"
+        "\t-f <file>     Read the 16 first bytes from file and use as key\n"
+        "\t-D            Decrypt IP addresses\n"
+        "\t-c            Only en/de-crypt clients (port != 53)\n"
+        "\t-s            Only en/de-crypt servers (port == 53)\n"
+        "\t-p <port>     Set port for -c/-s, default 53\n"
+        "\t-i <num>      Number of en/de-cryption iterations, default 1\n"
+        "\t-6            En/de-crypt IPv6 addresses, not default or recommended\n");
+}
+
+void ipcrypt_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_SET_IADDR:
+        ipcrypt_set_iaddr = (set_iaddr_t)arg;
+        break;
+    }
+}
+
+void ipcrypt_getopt(int* argc, char** argv[])
+{
+    int           c, got_key = 0;
+    unsigned long ul;
+    char*         p;
+
+    while ((c = getopt(*argc, *argv, "?k:f:Dcsp:i:6")) != EOF) {
+        switch (c) {
+        case 'k':
+            if (strlen(optarg) != 16) {
+                usage("key must be 16 characters long");
+            }
+            memcpy(key, optarg, 16);
+            got_key = 1;
+            break;
+        case 'f': {
+            int     fd;
+            ssize_t r;
+            if ((fd = open(optarg, O_RDONLY)) < 0) {
+                perror("open()");
+                usage("unable to open key file");
+            }
+            if ((r = read(fd, key, 16)) < 0) {
+                perror("read()");
+                usage("unable to read from key file");
+            }
+            if (r != 16) {
+                usage("unable to read 16 bytes from key file");
+            }
+            close(fd);
+            got_key = 1;
+            break;
+        }
+        case 'D':
+            decrypt = 1;
+            break;
+        case 'c':
+            only_clients = 1;
+            break;
+        case 's':
+            only_servers = 1;
+            break;
+        case 'p':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul < 1U || ul > 65535U)
+                usage("port must be an integer 1..65535");
+            dns_port = (unsigned)ul;
+            break;
+        case 'i':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul < 1U || ul > 65535U)
+                usage("iterations must be an integer 1..65535");
+            iterations = (unsigned)ul;
+            break;
+        case '6':
+            encrypt_v6 = 1;
+            break;
+        case '?':
+            ipcrypt_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+
+    if (!got_key) {
+        usage("must have -k <key> or -f <file>");
+    }
+
+    if (only_clients && only_servers) {
+        usage("-c and -s options are mutually exclusive");
+    }
+}
+
+int ipcrypt_start(logerr_t* a_logerr)
+{
+    logerr = a_logerr;
+    return 0;
+}
+
+void ipcrypt_stop()
+{
+}
+
+int ipcrypt_open(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int ipcrypt_close(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int ipcrypt_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen,
+    const u_char* payload, const unsigned payloadlen)
+{
+    for (;;) {
+        if (only_clients && sport == dns_port) {
+            from = 0;
+            break;
+        }
+        if (only_servers && sport != dns_port) {
+            from = 0;
+            break;
+        }
+
+        switch (from->af) {
+        case AF_INET:
+            decrypt ? _decrypt((uint8_t*)&from->u.a4) : _encrypt((uint8_t*)&from->u.a4);
+            break;
+        case AF_INET6:
+            if (encrypt_v6) {
+                if (decrypt) {
+                    _decrypt((uint8_t*)&from->u.a6);
+                    _decrypt(((uint8_t*)&from->u.a6) + 4);
+                    _decrypt(((uint8_t*)&from->u.a6) + 8);
+                    _decrypt(((uint8_t*)&from->u.a6) + 12);
+                } else {
+                    _encrypt((uint8_t*)&from->u.a6);
+                    _encrypt(((uint8_t*)&from->u.a6) + 4);
+                    _encrypt(((uint8_t*)&from->u.a6) + 8);
+                    _encrypt(((uint8_t*)&from->u.a6) + 12);
+                }
+                break;
+            }
+        default:
+            from = 0;
+            break;
+        }
+        break;
+    }
+
+    for (;;) {
+        if (only_clients && dport == dns_port) {
+            to = 0;
+            break;
+        }
+        if (only_servers && dport != dns_port) {
+            to = 0;
+            break;
+        }
+
+        switch (to->af) {
+        case AF_INET:
+            decrypt ? _decrypt((uint8_t*)&to->u.a4) : _encrypt((uint8_t*)&to->u.a4);
+            break;
+        case AF_INET6:
+            if (encrypt_v6) {
+                if (decrypt) {
+                    _decrypt((uint8_t*)&to->u.a6);
+                    _decrypt(((uint8_t*)&to->u.a6) + 4);
+                    _decrypt(((uint8_t*)&to->u.a6) + 8);
+                    _decrypt(((uint8_t*)&to->u.a6) + 12);
+                } else {
+                    _encrypt((uint8_t*)&to->u.a6);
+                    _encrypt(((uint8_t*)&to->u.a6) + 4);
+                    _encrypt(((uint8_t*)&to->u.a6) + 8);
+                    _encrypt(((uint8_t*)&to->u.a6) + 12);
+                }
+                break;
+            }
+        default:
+            to = 0;
+            break;
+        }
+        break;
+    }
+
+    if (ipcrypt_set_iaddr && (from || to)) {
+        ipcrypt_set_iaddr(from, to);
+    }
+
+    return 0;
+}
diff --git a/plugins/ipcrypt/test1.gold b/plugins/ipcrypt/test1.gold
new file mode 100644
index 0000000..040d875
--- /dev/null
+++ b/plugins/ipcrypt/test1.gold
@@ -0,0 +1,2144 @@
+ipcrypt.so usage error: must have -k <key> or -f <file>
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[66.11.55.236].53199 [46.48.51.50].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
+	[66.11.55.236].57822 [46.48.51.50].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
+	[66.11.55.236].40043 [46.48.51.50].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
+	[66.11.55.236].37953 [46.48.51.50].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
+	[66.11.55.236].48658 [46.48.51.50].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
+	[66.11.55.236].40953 [46.48.51.50].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
+	[66.11.55.236].45174 [46.48.51.50].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
+	[66.11.55.236].33916 [46.48.51.50].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
+	[66.11.55.236].43559 [46.48.51.50].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
+	[66.11.55.236].54859 [46.48.51.50].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
+	[66.11.55.236].58176 [46.48.51.50].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
+	[66.11.55.236].41266 [46.48.51.50].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
+	[66.11.55.236].34607 [46.48.51.50].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
+	[66.11.55.236].60437 [46.48.51.50].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
+	[66.11.55.236].37149 [46.48.51.50].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
+	[66.11.55.236].53820 [46.48.51.50].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
+	[66.11.55.236].52368 [46.48.51.50].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
+	[66.11.55.236].47637 [46.48.51.50].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
+	[66.11.55.236].34426 [46.48.51.50].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
+	[66.11.55.236].41059 [46.48.51.50].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
+	[66.11.55.236].51181 [46.48.51.50].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
+	[66.11.55.236].32976 [46.48.51.50].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
+	[66.11.55.236].53467 [46.48.51.50].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
+	[66.11.55.236].41532 [46.48.51.50].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
+	[66.11.55.236].44982 [46.48.51.50].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
+	[66.11.55.236].40224 [46.48.51.50].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
+	[66.11.55.236].45658 [46.48.51.50].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
+	[66.11.55.236].60457 [46.48.51.50].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
+	[66.11.55.236].59762 [46.48.51.50].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
+	[66.11.55.236].56022 [46.48.51.50].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
+	[66.11.55.236].37669 [46.48.51.50].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
+	[66.11.55.236].42978 [46.48.51.50].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
+	[66.11.55.236].49829 [46.48.51.50].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
+	[66.11.55.236].50599 [46.48.51.50].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
+	[66.11.55.236].44980 [46.48.51.50].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
+	[66.11.55.236].60063 [46.48.51.50].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
+	[66.11.55.236].42042 [46.48.51.50].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
+	[66.11.55.236].60469 [46.48.51.50].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
+	[66.11.55.236].45703 [46.48.51.50].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
+	[66.11.55.236].33507 [46.48.51.50].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
+	[66.11.55.236].46798 [46.48.51.50].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [66.11.55.236].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[66.11.55.236].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
+	[66.11.55.236].57822 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
+	[66.11.55.236].40043 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
+	[66.11.55.236].37953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
+	[66.11.55.236].48658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
+	[66.11.55.236].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
+	[66.11.55.236].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
+	[66.11.55.236].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
+	[66.11.55.236].43559 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
+	[66.11.55.236].54859 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
+	[66.11.55.236].58176 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
+	[66.11.55.236].41266 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
+	[66.11.55.236].34607 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
+	[66.11.55.236].60437 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
+	[66.11.55.236].37149 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
+	[66.11.55.236].53820 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
+	[66.11.55.236].52368 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
+	[66.11.55.236].47637 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
+	[66.11.55.236].34426 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
+	[66.11.55.236].41059 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
+	[66.11.55.236].51181 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
+	[66.11.55.236].32976 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
+	[66.11.55.236].53467 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
+	[66.11.55.236].41532 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
+	[66.11.55.236].44982 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
+	[66.11.55.236].40224 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
+	[66.11.55.236].45658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
+	[66.11.55.236].60457 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
+	[66.11.55.236].59762 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
+	[66.11.55.236].56022 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
+	[66.11.55.236].37669 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
+	[66.11.55.236].42978 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
+	[66.11.55.236].49829 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
+	[66.11.55.236].50599 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
+	[66.11.55.236].44980 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
+	[66.11.55.236].60063 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
+	[66.11.55.236].42042 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
+	[66.11.55.236].60469 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
+	[66.11.55.236].45703 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
+	[66.11.55.236].33507 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
+	[66.11.55.236].46798 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [66.11.55.236].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[172.17.0.10].53199 [46.48.51.50].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
+	[172.17.0.10].57822 [46.48.51.50].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
+	[172.17.0.10].40043 [46.48.51.50].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
+	[172.17.0.10].37953 [46.48.51.50].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
+	[172.17.0.10].48658 [46.48.51.50].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
+	[172.17.0.10].40953 [46.48.51.50].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
+	[172.17.0.10].45174 [46.48.51.50].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
+	[172.17.0.10].33916 [46.48.51.50].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
+	[172.17.0.10].43559 [46.48.51.50].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
+	[172.17.0.10].54859 [46.48.51.50].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
+	[172.17.0.10].58176 [46.48.51.50].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
+	[172.17.0.10].41266 [46.48.51.50].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
+	[172.17.0.10].34607 [46.48.51.50].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
+	[172.17.0.10].60437 [46.48.51.50].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
+	[172.17.0.10].37149 [46.48.51.50].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
+	[172.17.0.10].53820 [46.48.51.50].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
+	[172.17.0.10].52368 [46.48.51.50].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
+	[172.17.0.10].47637 [46.48.51.50].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
+	[172.17.0.10].34426 [46.48.51.50].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
+	[172.17.0.10].41059 [46.48.51.50].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
+	[172.17.0.10].51181 [46.48.51.50].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
+	[172.17.0.10].32976 [46.48.51.50].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
+	[172.17.0.10].53467 [46.48.51.50].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
+	[172.17.0.10].41532 [46.48.51.50].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
+	[172.17.0.10].44982 [46.48.51.50].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
+	[172.17.0.10].40224 [46.48.51.50].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
+	[172.17.0.10].45658 [46.48.51.50].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
+	[172.17.0.10].60457 [46.48.51.50].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
+	[172.17.0.10].59762 [46.48.51.50].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
+	[172.17.0.10].56022 [46.48.51.50].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
+	[172.17.0.10].37669 [46.48.51.50].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
+	[172.17.0.10].42978 [46.48.51.50].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
+	[172.17.0.10].49829 [46.48.51.50].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
+	[172.17.0.10].50599 [46.48.51.50].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
+	[172.17.0.10].44980 [46.48.51.50].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
+	[172.17.0.10].60063 [46.48.51.50].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
+	[172.17.0.10].42042 [46.48.51.50].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
+	[172.17.0.10].60469 [46.48.51.50].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
+	[172.17.0.10].45703 [46.48.51.50].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
+	[172.17.0.10].33507 [46.48.51.50].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
+	[172.17.0.10].46798 [46.48.51.50].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
+	[46.48.51.50].53 [172.17.0.10].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+ipcrypt.so usage error: -c and -s options are mutually exclusive
diff --git a/plugins/ipcrypt/test1.sh b/plugins/ipcrypt/test1.sh
new file mode 100755
index 0000000..3be7107
--- /dev/null
+++ b/plugins/ipcrypt/test1.sh
@@ -0,0 +1,24 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'ipcrypt.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the ipcrypt plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -c 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -s 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -c -s 2>>test1.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test1.out test1.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test1.out.old > test1.out
+    rm test1.out.old
+fi
+
+diff test1.out "$srcdir/test1.gold"
diff --git a/plugins/ipcrypt/test2.gold b/plugins/ipcrypt/test2.gold
new file mode 100644
index 0000000..3118c84
--- /dev/null
+++ b/plugins/ipcrypt/test2.gold
@@ -0,0 +1,33 @@
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[150a:8a55:31dc:6eac:cbc:bc41:5a09:3606].51972 [830c:987b:b17f:8b55:cbc:bc41:6b7c:2e56].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[830c:987b:b17f:8b55:cbc:bc41:6b7c:2e56].53 [150a:8a55:31dc:6eac:cbc:bc41:5a09:3606].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[150a:8a55:31dc:6eac:cbc:bc41:5a09:3606].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::8888].53 [150a:8a55:31dc:6eac:cbc:bc41:5a09:3606].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0:0:57::245].51972 [830c:987b:b17f:8b55:cbc:bc41:6b7c:2e56].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[830c:987b:b17f:8b55:cbc:bc41:6b7c:2e56].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
diff --git a/plugins/ipcrypt/test2.sh b/plugins/ipcrypt/test2.sh
new file mode 100755
index 0000000..7b99122
--- /dev/null
+++ b/plugins/ipcrypt/test2.sh
@@ -0,0 +1,30 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'ipcrypt.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the ipcrypt plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 -k "some 16-byte key" 2>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 -k "some 16-byte key" -c 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 -k "some 16-byte key" -s 2>>test2.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test2.out test2.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test2.out.old > test2.out
+    rm test2.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test2.out | \
+  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+  sed 's%,CLASS512,OPT,%,512,512,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
+mv test2.new test2.out
+
+diff test2.out "$srcdir/test2.gold"
diff --git a/plugins/ipcrypt/test3.gold b/plugins/ipcrypt/test3.gold
new file mode 100644
index 0000000..afd1d7d
--- /dev/null
+++ b/plugins/ipcrypt/test3.gold
@@ -0,0 +1,725 @@
+[56] 2016-10-20 15:23:01.075993 [#0 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].57822 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].40043 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].37953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].48658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].43559 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].54859 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].58176 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].41266 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].34607 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60437 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].37149 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].53820 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].52368 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].47637 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].34426 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].41059 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].51181 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].32976 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].53467 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].41532 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].44982 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].40224 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].45658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60457 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].59762 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].56022 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].37669 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].42978 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].49829 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].50599 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].44980 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60063 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].42042 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60469 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].45703 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].33507 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].46798 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+[87] 2018-11-27 15:52:00.414188 [#0 test3.pcap.20181127.155200.414188 4095] \
+	[2a01:3f0:0:57::245].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 test3.pcap.20181127.155200.414188 4095] \
+	[2001:4860:4860::8888].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
diff --git a/plugins/ipcrypt/test3.sh b/plugins/ipcrypt/test3.sh
new file mode 100755
index 0000000..860f272
--- /dev/null
+++ b/plugins/ipcrypt/test3.sh
@@ -0,0 +1,32 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'ipcrypt.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the ipcrypt plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -w test3.pcap -r dns.pcap-dist -P "$plugin" -k "some 16-byte key" 2>test3.out
+../../src/dnscap -w test3.pcap -r dns6.pcap-dist -P "$plugin" -k "some 16-byte key" -6 2>>test3.out
+../../src/dnscap -r test3.pcap.20161020.152301.075993 -g -P "$plugin" -k "some 16-byte key" -D 2>>test3.out
+../../src/dnscap -r test3.pcap.20181127.155200.414188 -g -P "$plugin" -k "some 16-byte key" -6 -D 2>>test3.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test3.out test3.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test3.out.old > test3.out
+    rm test3.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test3.out | \
+  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+  sed 's%,CLASS512,OPT,%,512,512,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test3.new
+mv test3.new test3.out
+
+diff test3.out "$srcdir/test3.gold"
diff --git a/plugins/ipcrypt/test4.sh b/plugins/ipcrypt/test4.sh
new file mode 100755
index 0000000..e92abf1
--- /dev/null
+++ b/plugins/ipcrypt/test4.sh
@@ -0,0 +1,21 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'ipcrypt.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the ipcrypt plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k tooshort
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -f does_not_exist
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -i 0
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 0
+rm -f test4.tmp
+touch test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -f test4.tmp
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 1 -i 1 -f "$srcdir/test4.sh"
diff --git a/plugins/pcapdump/Makefile.am b/plugins/pcapdump/Makefile.am
new file mode 100644
index 0000000..bfbf8a4
--- /dev/null
+++ b/plugins/pcapdump/Makefile.am
@@ -0,0 +1,22 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS)
+
+pkglib_LTLIBRARIES = pcapdump.la
+pcapdump_la_SOURCES = pcapdump.c
+pcapdump_la_LDFLAGS = -module -avoid-version
+
+TESTS = test1.sh
+EXTRA_DIST = $(TESTS)
+CLEANFILES += test1.out* *.pcap-dist
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(pcapdump_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif
diff --git a/plugins/pcapdump/pcapdump.c b/plugins/pcapdump/pcapdump.c
new file mode 100644
index 0000000..ff70fe3
--- /dev/null
+++ b/plugins/pcapdump/pcapdump.c
@@ -0,0 +1,262 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <pcap.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <assert.h>
+#include <sys/wait.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#if HAVE_ARPA_NAMESER_COMPAT_H
+#include <arpa/nameser_compat.h>
+#endif
+
+#include "dnscap_common.h"
+
+#define SNAPLEN 65536
+#define THOUSAND 1000
+#define MILLION (THOUSAND * THOUSAND)
+
+output_t pcapdump_output;
+
+static logerr_t*      logerr       = 0;
+char*                 dump_base    = 0;
+static int            to_stdout    = 0;
+static int            dbg_lvl      = 0;
+static char*          dumpname     = 0;
+static char*          dumpnamepart = 0;
+static pcap_t*        pcap_dead    = 0;
+static pcap_dumper_t* dumper       = 0;
+static char*          kick_cmd     = 0;
+static int            flush        = 0;
+static int            dir_wanted   = DIR_INITIATE | DIR_RESPONSE;
+
+void pcapdump_usage()
+{
+    fprintf(stderr,
+        "\npcapdump.so options:\n"
+        "\t-?         print these instructions and exit\n"
+        "\t-d         increase debugging\n"
+        "\t-f         flush output on every packet\n"
+        "\t-k <cmd>   kick off <cmd> when each dump closes\n"
+        "\t-s [ir]    select sides: initiations, responses\n"
+        "\t-w <base>  dump to <base>.<timesec>.<timeusec>\n");
+}
+
+void pcapdump_getopt(int* argc, char** argv[])
+{
+    int         c;
+    int         u;
+    const char* p;
+    while ((c = getopt(*argc, *argv, "?dfk:s:w:")) != EOF) {
+        switch (c) {
+        case 'd':
+            dbg_lvl++;
+            break;
+        case 'f':
+            flush = 1;
+            break;
+        case 'k':
+            if (kick_cmd)
+                free(kick_cmd);
+            kick_cmd = strdup(optarg);
+            break;
+        case 's':
+            u = 0;
+            for (p = optarg; *p; p++)
+                switch (*p) {
+                case 'i':
+                    u |= DIR_INITIATE;
+                    break;
+                case 'r':
+                    u |= DIR_RESPONSE;
+                    break;
+                default:
+                    fprintf(stderr, "-s takes only [ir]\n");
+                    pcapdump_usage();
+                    break;
+                }
+            dir_wanted = u;
+            break;
+        case 'w':
+            if (!strcmp(optarg, "-"))
+                to_stdout = 1;
+            else {
+                if (dump_base)
+                    free(dump_base);
+                dump_base = strdup(optarg);
+            }
+            break;
+        case '?':
+            pcapdump_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+    if (!to_stdout && !dump_base) {
+        fprintf(stderr, "-w basename argument is required\n");
+        pcapdump_usage();
+        exit(1);
+    }
+    if (to_stdout && kick_cmd) {
+        fprintf(stderr, "Can't use -k when dumping to stdout\n");
+        pcapdump_usage();
+        exit(1);
+    }
+}
+
+int pcapdump_start(logerr_t* a_logerr)
+{
+    logerr    = a_logerr;
+    pcap_dead = pcap_open_dead(DLT_RAW, SNAPLEN);
+    return 0;
+}
+
+void pcapdump_stop()
+{
+    pcap_close(pcap_dead);
+    pcap_dead = 0;
+}
+
+int pcapdump_open(my_bpftimeval ts)
+{
+    const char* t = NULL;
+    if (to_stdout) {
+        t = "-";
+    } else {
+        char      sbuf[64];
+        struct tm tm;
+        while (ts.tv_usec >= MILLION) {
+            ts.tv_sec++;
+            ts.tv_usec -= MILLION;
+        }
+        gmtime_r((time_t*)&ts.tv_sec, &tm);
+        strftime(sbuf, 64, "%Y%m%d.%H%M%S", &tm);
+        if (asprintf(&dumpname, "%s.%s.%06lu",
+                dump_base, sbuf, (u_long)ts.tv_usec)
+                < 0
+            || asprintf(&dumpnamepart, "%s.part", dumpname) < 0) {
+            logerr("asprintf: %s", strerror(errno));
+            return 1;
+        }
+        t = dumpnamepart;
+    }
+    dumper = pcap_dump_open(pcap_dead, t);
+    if (dumper == NULL) {
+        logerr("pcap dump open: %s", pcap_geterr(pcap_dead));
+        return 1;
+    }
+    return 0;
+}
+
+int pcapdump_close(my_bpftimeval ts)
+{
+    int ret = 0;
+#if 0
+    if (print_pcap_stats)
+    do_pcap_stats();
+#endif
+    pcap_dump_close(dumper);
+    dumper = 0;
+    if (to_stdout) {
+        assert(dumpname == 0);
+        assert(dumpnamepart == 0);
+        if (dbg_lvl >= 1)
+            logerr("breaking");
+        ret = 0;
+    } else {
+        char* cmd = NULL;
+        if (dbg_lvl >= 1)
+            logerr("closing %s", dumpname);
+        if (rename(dumpnamepart, dumpname)) {
+            logerr("rename: %s", strerror(errno));
+            return 1;
+        }
+        if (kick_cmd != NULL)
+            if (asprintf(&cmd, "%s %s &", kick_cmd, dumpname) < 0) {
+                logerr("asprintf: %s", strerror(errno));
+                cmd = NULL;
+            }
+        free(dumpnamepart);
+        dumpnamepart = NULL;
+        free(dumpname);
+        dumpname = NULL;
+        if (cmd != NULL) {
+            int x = system(cmd);
+            if (x) {
+                logerr("system %s returned %d", cmd, x);
+            }
+            free(cmd);
+        }
+        if (kick_cmd == NULL)
+            ret = 0;
+    }
+    return ret;
+}
+
+void pcapdump_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen, const u_char* payload, const unsigned payloadlen)
+{
+    struct pcap_pkthdr h;
+    if (flags & DNSCAP_OUTPUT_ISLAYER)
+        return;
+    if (flags & DNSCAP_OUTPUT_ISDNS) {
+        HEADER* dns = (HEADER*)payload;
+        if (0 == dns->qr && 0 == (dir_wanted & DIR_INITIATE))
+            return;
+        if (1 == dns->qr && 0 == (dir_wanted & DIR_RESPONSE))
+            return;
+    }
+    memset(&h, 0, sizeof h);
+    h.ts  = ts;
+    h.len = h.caplen = olen;
+    pcap_dump((u_char*)dumper, &h, pkt_copy);
+    if (flush)
+        pcap_dump_flush(dumper);
+}
diff --git a/plugins/pcapdump/test1.sh b/plugins/pcapdump/test1.sh
new file mode 100755
index 0000000..bcf2fdb
--- /dev/null
+++ b/plugins/pcapdump/test1.sh
@@ -0,0 +1,16 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'pcapdump.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the pcapdump plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -dddd -w test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -dddd -f -w test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -dddd -s r -w test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -dddd -s i -w test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
diff --git a/plugins/royparse/Makefile.am b/plugins/royparse/Makefile.am
new file mode 100644
index 0000000..795a277
--- /dev/null
+++ b/plugins/royparse/Makefile.am
@@ -0,0 +1,22 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS)
+
+pkglib_LTLIBRARIES = royparse.la
+royparse_la_SOURCES = royparse.c
+royparse_la_LDFLAGS = -module -avoid-version
+
+TESTS = test1.sh
+EXTRA_DIST = $(TESTS)
+CLEANFILES += test1.out* *.pcap-dist
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(royparse_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif
diff --git a/plugins/royparse/royparse.c b/plugins/royparse/royparse.c
new file mode 100644
index 0000000..83e26a6
--- /dev/null
+++ b/plugins/royparse/royparse.c
@@ -0,0 +1,272 @@
+/*
+ * Author Roy Arends
+ *
+ * Copyright (c) 2017-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netinet/in.h>
+
+#include "dnscap_common.h"
+
+#include <errno.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <pcap.h>
+#include <ldns/ldns.h>
+
+static logerr_t* logerr;
+static char*     opt_q = 0;
+static char*     opt_r = 0;
+
+pcap_t*        pcap;
+pcap_dumper_t* q_out = 0;
+static FILE*   r_out = 0;
+
+output_t royparse_output;
+ia_str_t royparse_ia_str = 0;
+
+void royparse_usage()
+{
+    fprintf(stderr,
+        "\nroyparse splits a pcap into two streams: queries in pcap format and responses in ASCII format.\n"
+        "\nroyparse.so options:\n"
+        "\t-?         print these instructions and exit\n"
+        "\t-q <arg>   query pcap stream output file name (default: no output)\n"
+        "\t-r <arg>   royparse output file name (default: stdout)\n");
+}
+
+void royparse_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_IA_STR:
+        royparse_ia_str = (ia_str_t)arg;
+        break;
+    }
+}
+
+void royparse_getopt(int* argc, char** argv[])
+{
+    int c;
+
+    while ((c = getopt(*argc, *argv, "?q:r:")) != EOF) {
+        switch (c) {
+        case 'q':
+            if (opt_q)
+                free(opt_q);
+            opt_q = strdup(optarg);
+            break;
+        case 'r':
+            if (opt_r)
+                free(opt_r);
+            opt_r = strdup(optarg);
+            break;
+        case '?':
+            royparse_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+}
+
+int royparse_start(logerr_t* a_logerr)
+{
+    logerr = a_logerr;
+
+    if (opt_q) {
+        pcap  = pcap_open_dead(DLT_RAW, 65535);
+        q_out = pcap_dump_open(pcap, opt_q);
+        if (q_out == 0) {
+            logerr("%s: %s\n", opt_q, strerror(errno));
+            exit(1);
+        }
+    }
+    if (opt_r) {
+        r_out = fopen(opt_r, "w");
+        if (r_out == 0) {
+            logerr("%s: %s\n", opt_r, strerror(errno));
+            exit(1);
+        }
+    } else {
+        r_out = stdout;
+    }
+    setbuf(r_out, 0);
+
+    return 0;
+}
+
+void royparse_stop()
+{
+    if (q_out != 0) {
+        pcap_close(pcap);
+        pcap_dump_close(q_out);
+    }
+    if (r_out != stdout)
+        fclose(r_out);
+}
+
+int royparse_open(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int royparse_close(my_bpftimeval ts)
+{
+    return 0;
+}
+
+void royparse_normalize(char* str)
+{
+    /*
+     * The "normalize" function converts upper case characters to lower case,
+     * and replaces the space and comma characters with a question mark.
+     */
+
+    for (; *str; str++) {
+        if (('A' <= *str) && (*str <= 'Z')) {
+            *str |= 32;
+        } else if ((*str == ',') || (*str == ' ')) {
+            *str = '?';
+        }
+    }
+}
+
+void royparse_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, unsigned olen,
+    const u_char* payload, unsigned payloadlen)
+{
+    if (flags & DNSCAP_OUTPUT_ISDNS) {
+        ldns_buffer* buf = ldns_buffer_new(512);
+        if (!buf) {
+            logerr("out of memmory\n");
+            exit(1);
+        }
+
+        ldns_pkt* pkt;
+        if (ldns_wire2pkt(&pkt, payload, payloadlen) != LDNS_STATUS_OK) {
+            fprintf(r_out, "ERR\n");
+            ldns_buffer_free(buf);
+            return;
+        }
+        if (ldns_pkt_qr(pkt) && sport == 53) {
+            fprintf(r_out, "%cD_", ldns_pkt_rd(pkt) ? 'R' : 'N');
+
+            switch (ldns_pkt_get_opcode(pkt)) {
+            case LDNS_PACKET_QUERY:
+                fprintf(r_out, "QUERY");
+                break;
+            case LDNS_PACKET_NOTIFY:
+                fprintf(r_out, "NOTIFY");
+                break;
+            case LDNS_PACKET_UPDATE:
+                fprintf(r_out, "UPDATE");
+                break;
+            default:
+                fprintf(r_out, "ELSE");
+            }
+
+            fprintf(r_out, "_%u_%cA_", ldns_pkt_ancount(pkt) ? 1 : 0, ldns_pkt_aa(pkt) ? 'A' : 'N');
+
+            switch (ldns_pkt_get_rcode(pkt)) {
+            case LDNS_RCODE_NOERROR:
+                fprintf(r_out, "NOERROR");
+                break;
+            case LDNS_RCODE_FORMERR:
+                fprintf(r_out, "FORMERR");
+                break;
+            case LDNS_RCODE_NXDOMAIN:
+                fprintf(r_out, "NXDOMAIN");
+                break;
+            case LDNS_RCODE_NOTIMPL:
+                fprintf(r_out, "NOTIMP");
+                break;
+            case LDNS_RCODE_REFUSED:
+                fprintf(r_out, "REFUSED");
+                break;
+            case LDNS_RCODE_NOTAUTH:
+                fprintf(r_out, "NOTAUTH");
+                break;
+            default:
+                fprintf(r_out, "ELSE");
+            }
+
+            fprintf(r_out, " %s,", royparse_ia_str(to));
+
+            ldns_rr_list* qds = ldns_pkt_question(pkt);
+            ldns_rr*      qd;
+            if (qds && (qd = ldns_rr_list_rr(qds, 0))) {
+                if (ldns_rdf2buffer_str(buf, ldns_rr_owner(qd)) == LDNS_STATUS_OK) {
+                    royparse_normalize((char*)ldns_buffer_begin(buf));
+                    fprintf(r_out, "%s%s,%u", (char*)ldns_buffer_begin(buf),
+                        ((char*)ldns_buffer_begin(buf))[0] == '.' ? "" : ".",
+                        ldns_rr_get_type(qd));
+                } else {
+                    fprintf(r_out, "ERR,ERR");
+                }
+            } else
+                fprintf(r_out, ",");
+
+            fprintf(r_out, ",%zu,%s%s%s%s", ldns_pkt_size(pkt), ldns_pkt_id(pkt) < 256 ? "-L" : "",
+                ldns_pkt_tc(pkt) ? "-TC" : "",
+                ldns_pkt_ad(pkt) ? "-AD" : "",
+                ldns_pkt_cd(pkt) ? "-CD" : "");
+            if (ldns_pkt_edns(pkt)) {
+                fprintf(r_out, "-%c", ldns_pkt_edns_do(pkt) ? 'D' : 'E');
+            }
+            fprintf(r_out, "\n");
+        } else if (opt_q != 0 && !ldns_pkt_qr(pkt) && dport == 53) {
+            struct pcap_pkthdr h;
+            if (flags & DNSCAP_OUTPUT_ISLAYER) {
+                ldns_pkt_free(pkt);
+                ldns_buffer_free(buf);
+                return;
+            }
+            memset(&h, 0, sizeof h);
+            h.ts  = ts;
+            h.len = h.caplen = olen;
+            pcap_dump((u_char*)q_out, &h, pkt_copy);
+        }
+        ldns_pkt_free(pkt);
+        ldns_buffer_free(buf);
+    }
+}
diff --git a/plugins/royparse/test1.sh b/plugins/royparse/test1.sh
new file mode 100755
index 0000000..ec07886
--- /dev/null
+++ b/plugins/royparse/test1.sh
@@ -0,0 +1,15 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'royparse.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the royparse plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin"
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -q test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -r test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
diff --git a/plugins/rssm/.gitignore b/plugins/rssm/.gitignore
new file mode 100644
index 0000000..7d3ffec
--- /dev/null
+++ b/plugins/rssm/.gitignore
@@ -0,0 +1 @@
+hashtbl.c
diff --git a/plugins/rssm/Makefile.am b/plugins/rssm/Makefile.am
new file mode 100644
index 0000000..08e4429
--- /dev/null
+++ b/plugins/rssm/Makefile.am
@@ -0,0 +1,42 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = $(srcdir)/hashtbl.c \
+    hashtbl.c *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS) \
+    $(libldns_CFLAGS)
+
+pkglib_LTLIBRARIES = rssm.la
+rssm_la_SOURCES = rssm.c
+nodist_rssm_la_SOURCES = hashtbl.c
+BUILT_SOURCES = hashtbl.c
+rssm_la_LDFLAGS = -module -avoid-version $(libldns_LIBS)
+TESTS = test1.sh test2.sh test3.sh test4.sh test5.sh
+EXTRA_DIST = $(TESTS) test1.gold test2.gold dnscap-rssm-rssac002.1.in \
+  test3.gold test5.gold
+dist_bin_SCRIPTS = dnscap-rssm-rssac002
+man1_MANS = dnscap-rssm-rssac002.1
+CLEANFILES += test1.20161020.152301.075993 test2.out $(man1_MANS) \
+  test3.20181127.155200.414188 test4.*20161020.152301.075993 \
+  test5.20180110.112241.543825
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(rssm_la_SOURCES) $(nodist_rssm_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif
+
+hashtbl.c: $(top_srcdir)/src/hashtbl.c
+	cp $(top_srcdir)/src/hashtbl.c ./
+
+$(srcdir)/hashtbl.c: $(top_srcdir)/src/hashtbl.c
+	cp $(top_srcdir)/src/hashtbl.c $(srcdir)/
+
+dnscap-rssm-rssac002.1: dnscap-rssm-rssac002.1.in Makefile
+	sed -e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g' \
+        -e 's,[@]PACKAGE_URL[@],$(PACKAGE_URL),g' \
+        -e 's,[@]PACKAGE_BUGREPORT[@],$(PACKAGE_BUGREPORT),g' \
+        < $(srcdir)/dnscap-rssm-rssac002.1.in > dnscap-rssm-rssac002.1
diff --git a/plugins/rssm/README.md b/plugins/rssm/README.md
new file mode 100644
index 0000000..98fbde4
--- /dev/null
+++ b/plugins/rssm/README.md
@@ -0,0 +1,41 @@
+# Root Server Scaling Measurement (RSSM) plugin
+
+This plugin collects data as described by the [RSSAC002v3 specification](https://www.icann.org/en/system/files/files/rssac-002-measurements-root-06jun16-en.pdf)
+which has been created by [ICANN Root Server System Advisory Committee](https://www.icann.org/groups/rssac) (RSSAC).
+
+## Additions
+
+As the RSSAC002v3 specification states that measurements should be saved per
+24 hours interval, this plugin produces additional metrics that can be used
+to compile the 24 hours measurements allowing for variable time between
+output generation.
+
+Metric `dnscap-rssm-sources` has a hash entry called `sources` which lists
+IP addresses and the number of times they appeared.
+
+Metric `dnscap-rssm-aggregated-sources` has a hash entry called `aggregated-sources`
+which lists the aggregated IPv6 addresses by a /64 net and the number of times
+it has appeared.
+
+## Merge Tool
+
+The Perl script `dnscap-rssm-rssac002` is included and installed with `dnscap`
+and can be used to multiple combine RSSM plugin RSSAC002v3 YAML output files
+into one file.
+
+The script will merge and remove metric specific to this plugin and replace
+others to fill in correct values for the new time period. The earliest
+`start-period` found will be used for all metrics.
+
+**NOTE** no parsing of `start-period` is performed, it is up to the operator
+to only give input files related to the same 24 hour period.
+
+Options:
+- `--no-recompile`: Disabled the combining of metrics and the removal of
+  metrics specific to this plugin
+- `--keep-dnscap-rssm`: Do the combining but keep the metrics specific to
+  this plugin
+- `--sort`: Output will always start with `version:`, `service:`,
+  `start-period:` and `metric:`, rest of the values are not ordered by label.
+  This option enabled sorting of them, which is not required by the
+  specification but may help in debugging and testing cases.
diff --git a/plugins/rssm/dnscap-rssm-rssac002 b/plugins/rssm/dnscap-rssm-rssac002
new file mode 100755
index 0000000..f7eaaf6
--- /dev/null
+++ b/plugins/rssm/dnscap-rssm-rssac002
@@ -0,0 +1,209 @@
+#!/usr/bin/env perl
+#
+# Copyright (c) 2018-2021, OARC, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+#
+# 3. Neither the name of the copyright holder nor the names of its
+#    contributors may be used to endorse or promote products derived
+#    from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+use strict;
+use warnings;
+use YAML;
+
+unless (scalar @ARGV > 1) {
+    print "usage: dnscap-rssm-rssac002 [--no-recompile|--keep-dnscap-rssm|--sort] <YAML files to merge...>\n";
+    exit(1);
+}
+
+my %service = ();
+my $earliest_start_period;
+my $recompile = 1;
+my $keep_dnscap_rssm = 0;
+my $sort = 0;
+
+foreach my $file (@ARGV) {
+    if ($file eq '--no-recompile') {
+        $recompile = 0;
+        next;
+    } elsif ($file eq '--keep-dnscap-rssm') {
+        $keep_dnscap_rssm = 1;
+        next;
+    } elsif ($file eq '--sort') {
+        $sort = 1;
+        next;
+    }
+    foreach my $doc (YAML::LoadFile($file)) {
+        my $version = delete $doc->{version};
+        my $service = delete $doc->{service};
+        my $start_period = delete $doc->{'start-period'};
+        my $metric = delete $doc->{metric};
+        unless ($version) {
+            die "$file: not valid RSSAC002 YAML, missing version";
+        }
+        unless ($service) {
+            die "$file: not valid RSSAC002 YAML, missing service";
+        }
+        unless ($start_period) {
+            die "$file: not valid RSSAC002 YAML, missing start-period";
+        }
+        unless ($metric) {
+            die "$file: not valid RSSAC002 YAML, missing metric";
+        }
+        unless ($version eq 'rssac002v3') {
+            die "$file: unsupported RSSAC002 version $version";
+        }
+
+        push(@{$service{$service}->{$metric}}, $doc);
+
+        if (!$earliest_start_period or $start_period lt $earliest_start_period) {
+            $earliest_start_period = $start_period;
+        }
+    }
+}
+
+foreach my $service (keys %service) {
+    foreach my $metric (keys %{$service{$service}}) {
+        my %doc = ();
+        foreach (@{$service{$service}->{$metric}}) {
+            eval {
+                merge(\%doc, $_);
+            };
+            if ($@) {
+                die "service $service metric $metric: $@";
+            }
+        }
+        $service{$service}->{$metric} = \%doc;
+    }
+}
+
+if ($recompile) {
+    foreach my $service (keys %service) {
+        my ($ipv4, $ipv6, $aggregated) = (0, 0, 0);
+        my $metric;
+
+        if ($keep_dnscap_rssm) {
+            $metric = $service{$service}->{'dnscap-rssm-sources'};
+        } else {
+            $metric = delete $service{$service}->{'dnscap-rssm-sources'};
+        }
+        if ($metric) {
+            if (ref($metric->{sources}) eq 'HASH') {
+                foreach my $ip (keys %{$metric->{sources}}) {
+                    if ($ip =~ /:/o) {
+                        $ipv6++;
+                    } else {
+                        $ipv4++;
+                    }
+                }
+            }
+        }
+
+        if ($keep_dnscap_rssm) {
+            $metric = $service{$service}->{'dnscap-rssm-aggregated-sources'};
+        } else {
+            $metric = delete $service{$service}->{'dnscap-rssm-aggregated-sources'};
+        }
+        if ($metric) {
+            if (ref($metric->{'aggregated-sources'}) eq 'HASH') {
+                my @keys = keys %{$metric->{'aggregated-sources'}};
+                $aggregated += scalar @keys;
+            }
+        }
+
+        $service{$service}->{'unique-sources'} = {
+            'num-sources-ipv4' => $ipv4,
+            'num-sources-ipv6' => $ipv6,
+            'num-sources-ipv6-aggregate' => $aggregated,
+        };
+    }
+}
+
+if ($sort) {
+    my $first = 1;
+    $YAML::SortKeys = 1;
+    foreach my $service (sort keys %service) {
+        foreach my $metric (sort keys %{$service{$service}}) {
+            if ($first) {
+                $first = 0;
+            } else {
+                print "\n";
+            }
+            print YAML::Dump({
+                version => "rssac002v3",
+                service => $service,
+                'start-period' => $earliest_start_period,
+                metric => $metric,
+                %{ $service{$service}->{$metric} },
+            });
+        }
+    }
+} else {
+    my $first = 1;
+    $YAML::SortKeys = 0;
+    foreach my $service (keys %service) {
+        foreach my $metric (keys %{$service{$service}}) {
+            if ($first) {
+                $first = 0;
+            } else {
+                print "\n";
+            }
+            print YAML::Dump({
+                version => "rssac002v3",
+                service => $service,
+                'start-period' => $earliest_start_period,
+                metric => $metric,
+                %{ $service{$service}->{$metric} },
+            });
+        }
+    }
+}
+
+sub merge {
+    my ( $doc, $measurements ) = @_;
+
+    foreach my $key (keys %$measurements) {
+        if (ref($doc->{$key}) eq 'HASH') {
+            unless (ref($measurements->{$key}) eq 'HASH') {
+                die "invalid measurement types for key $key: not a hash";
+            }
+            eval {
+                merge($doc->{$key}, $measurements->{$key});
+            };
+            die $@ if ($@);
+            next;
+        }
+        if (defined($doc->{$key})) {
+            if (defined($measurements->{$key}) and $measurements->{$key} ne '') {
+                $doc->{$key} += $measurements->{$key};
+            }
+        } else {
+            $doc->{$key} = $measurements->{$key};
+        }
+    }
+}
diff --git a/plugins/rssm/dnscap-rssm-rssac002.1.in b/plugins/rssm/dnscap-rssm-rssac002.1.in
new file mode 100644
index 0000000..a625d9b
--- /dev/null
+++ b/plugins/rssm/dnscap-rssm-rssac002.1.in
@@ -0,0 +1,98 @@
+.\" Copyright (c) 2017-2021, OARC, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. Neither the name of the copyright holder nor the names of its
+.\"    contributors may be used to endorse or promote products derived
+.\"    from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+.\" COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.TH dnscap-rssm-rssac002 1 "dnscap-v@PACKAGE_VERSION@" "dnscap RSSAC002v3 Tool"
+.SH NAME
+dnscap-rssm-rssac002 \- Combine RSSAC002v3 YAML files
+.SH SYNOPSIS
+.B dnscap-rssm-rssac002
+[
+.B \--no-recompile
+.B \--keep-dnscap-rssm
+.B \--sort
+]
+.I files...
+.SH DESCRIPTION
+This Perl script will merge and remove metric specific to this plugin and
+replace others to fill in correct values for the new time period.
+The earliest
+.I start-period
+found will be used for all metrics.
+.LP
+.B NOTE
+no parsing of
+.I start-period
+is performed, it is up to the operator to only give input files related
+to the same 24 hour period.
+.SH OPTIONS
+.TP
+.B \--no-recompile
+Disabled the combining of metrics and the removal of metrics specific to
+this plugin.
+.TP
+.B \--keep-dnscap-rssm
+Do the combining but keep the metrics specific to this plugin.
+.TP
+.B \--sort
+Output will always start with
+.IR version: ,
+.IR service: ,
+.I start-period:
+and
+.IR metric: ,
+rest of the values are not ordered by label.
+This option enabled sorting of them, which is not required by the
+specification but may help in debugging and testing cases.
+.SH SEE ALSO
+.BR dnscap (1)
+.SH AUTHORS
+Jerry Lundström, DNS-OARC
+.LP
+Maintained by DNS-OARC
+.LP
+.RS
+.I https://www.dns-oarc.net/
+.RE
+.LP
+.SH BUGS
+For issues and feature requests please use:
+.LP
+.RS
+\fI@PACKAGE_URL@\fP
+.RE
+.LP
+For question and help please use:
+.LP
+.RS
+\fI@PACKAGE_BUGREPORT@\fP
+.RE
+.LP
diff --git a/plugins/rssm/rssm.c b/plugins/rssm/rssm.c
new file mode 100644
index 0000000..45b0ec9
--- /dev/null
+++ b/plugins/rssm/rssm.c
@@ -0,0 +1,696 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <memory.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <assert.h>
+#include <sys/wait.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <arpa/nameser.h>
+#if HAVE_ARPA_NAMESER_COMPAT_H
+#include <arpa/nameser_compat.h>
+#endif
+
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+
+#include <ldns/ldns.h>
+
+#include "dnscap_common.h"
+
+#include "hashtbl.h"
+
+static logerr_t*     logerr;
+static my_bpftimeval open_ts;
+static my_bpftimeval close_ts;
+#define COUNTS_PREFIX_DEFAULT "rssm"
+static char* counts_prefix            = 0;
+static char* sources_prefix           = 0;
+static char* aggregated_prefix        = 0;
+static int   dont_fork_on_close       = 0;
+static int   sources_into_counters    = 0;
+static int   aggregated_into_counters = 0;
+static char* service_name             = 0;
+static int   rssac002v3_yaml          = 0;
+
+output_t rssm_output;
+
+#define MAX_SIZE_INDEX 4096
+#define MSG_SIZE_SHIFT 4
+#define MAX_TBL_ADDRS 2000000
+#define MAX_TBL_ADDRS2 200000
+#define MAX_RCODE (1 << 12)
+
+typedef struct {
+    hashtbl*     tbl;
+    iaddr        addrs[MAX_TBL_ADDRS];
+    uint64_t     count[MAX_TBL_ADDRS];
+    unsigned int num_addrs;
+} my_hashtbl;
+
+typedef struct {
+    hashtbl*     tbl;
+    iaddr        addrs[MAX_TBL_ADDRS2];
+    uint64_t     count[MAX_TBL_ADDRS2];
+    unsigned int num_addrs;
+} my_hashtbl2;
+
+struct {
+    uint64_t    dns_udp_queries_received_ipv4;
+    uint64_t    dns_udp_queries_received_ipv6;
+    uint64_t    dns_tcp_queries_received_ipv4;
+    uint64_t    dns_tcp_queries_received_ipv6;
+    uint64_t    dns_udp_responses_sent_ipv4;
+    uint64_t    dns_udp_responses_sent_ipv6;
+    uint64_t    dns_tcp_responses_sent_ipv4;
+    uint64_t    dns_tcp_responses_sent_ipv6;
+    uint64_t    udp_query_size[MAX_SIZE_INDEX];
+    uint64_t    tcp_query_size[MAX_SIZE_INDEX];
+    uint64_t    udp_response_size[MAX_SIZE_INDEX];
+    uint64_t    tcp_response_size[MAX_SIZE_INDEX];
+    uint64_t    rcodes[MAX_RCODE];
+    my_hashtbl  sources;
+    my_hashtbl2 aggregated;
+    uint64_t    num_ipv4_sources;
+    uint64_t    num_ipv6_sources;
+} counts;
+
+static unsigned int
+iaddr_hash(const void* key)
+{
+    const iaddr* ia = (const iaddr*)key;
+
+    if (AF_INET == ia->af)
+        return ia->u.a4.s_addr >> 8;
+    else if (AF_INET6 == ia->af) {
+        uint16_t* h = (uint16_t*)&ia->u;
+        return h[2] + h[3] + h[4];
+    } else
+        return 0;
+}
+
+static int
+iaddr_cmp(const void* _a, const void* _b)
+{
+    const iaddr *a = (const iaddr*)_a, *b = (const iaddr*)_b;
+
+    if (a->af == b->af) {
+        if (AF_INET == a->af)
+            return memcmp(&a->u.a4.s_addr, &b->u.a4.s_addr, sizeof(a->u.a4.s_addr));
+        if (AF_INET6 == a->af)
+            return memcmp(&a->u.a6.s6_addr, &b->u.a6.s6_addr, sizeof(a->u.a6.s6_addr));
+        return 0;
+    }
+    if (a->af < b->af)
+        return -1;
+    return 1;
+}
+
+ia_str_t ia_str = 0;
+
+void rssm_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_IA_STR:
+        ia_str = (ia_str_t)arg;
+        break;
+    }
+}
+
+void rssm_usage()
+{
+    fprintf(stderr,
+        "\nrssm.so options:\n"
+        "\t-?         print these instructions and exit\n"
+        "\t-w <name>  write basic counters to <name>.<timesec>.<timeusec>\n"
+        "\t-Y         use RSSAC002v3 YAML format when writing counters, the\n"
+        "\t           file will contain multiple YAML documents, one for each\n"
+        "\t           RSSAC002v3 metric\n"
+        "\t           Used with; -S adds custom metric \"dnscap-rssm-sources\"\n"
+        "\t           and -A adds \"dnscap-rssm-aggregated-sources\"\n"
+        "\t-n <name>  the service name to use in RSSAC002v3 YAML\n"
+        "\t-S         write source IPs into counters file with the prefix\n"
+        "\t           \"source\" or ...\n"
+        "\t-s <name>  write source IPs to <name>.<timesec>.<timeusec>\n"
+        "\t-A         write aggregated IPv6(/64) sources into counters file\n"
+        "\t           with the prefix \"aggregated-source\" or ...\n"
+        "\t-a <name>  write aggregated IPv6(/64) sources to\n"
+        "\t           <name>.<timesec>.<timeusec>\n"
+        "\t-D         don't fork on close\n");
+}
+
+void rssm_getopt(int* argc, char** argv[])
+{
+    int c;
+    while ((c = getopt(*argc, *argv, "?w:Yn:Ss:Aa:D")) != EOF) {
+        switch (c) {
+        case 'w':
+            if (counts_prefix)
+                free(counts_prefix);
+            counts_prefix = strdup(optarg);
+            break;
+        case 'Y':
+            rssac002v3_yaml = 1;
+            break;
+        case 'n':
+            if (service_name)
+                free(service_name);
+            service_name = strdup(optarg);
+            break;
+        case 'S':
+            sources_into_counters = 1;
+            break;
+        case 's':
+            if (sources_prefix)
+                free(sources_prefix);
+            sources_prefix = strdup(optarg);
+            break;
+        case 'A':
+            aggregated_into_counters = 1;
+            break;
+        case 'a':
+            if (aggregated_prefix)
+                free(aggregated_prefix);
+            aggregated_prefix = strdup(optarg);
+            break;
+        case 'D':
+            dont_fork_on_close = 1;
+            break;
+        case '?':
+            rssm_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+    if (sources_into_counters && sources_prefix) {
+        fprintf(stderr, "rssm: -S and -s can not be used at the same time!\n");
+        rssm_usage();
+        exit(1);
+    }
+    if (aggregated_into_counters && aggregated_prefix) {
+        fprintf(stderr, "rssm: -A and -a can not be used at the same time!\n");
+        rssm_usage();
+        exit(1);
+    }
+    if (rssac002v3_yaml && !service_name) {
+        fprintf(stderr, "rssm: service name (-n) needed for RSSAC002v3 YAML (-Y) output!\n");
+        rssm_usage();
+        exit(1);
+    }
+}
+
+int rssm_start(logerr_t* a_logerr)
+{
+    logerr = a_logerr;
+    return 0;
+}
+
+void rssm_stop()
+{
+}
+
+int rssm_open(my_bpftimeval ts)
+{
+    open_ts = ts;
+    if (counts.sources.tbl)
+        hash_destroy(counts.sources.tbl);
+    if (counts.aggregated.tbl)
+        hash_destroy(counts.aggregated.tbl);
+    memset(&counts, 0, sizeof(counts));
+    if (!(counts.sources.tbl = hash_create(65536, iaddr_hash, iaddr_cmp, 0))) {
+        return -1;
+    }
+    if (!(counts.aggregated.tbl = hash_create(4096, iaddr_hash, iaddr_cmp, 0))) {
+        return -1;
+    }
+    return 0;
+}
+
+void rssm_save_counts(const char* sbuf)
+{
+    FILE* fp;
+    int   i;
+    char* tbuf = 0;
+    i          = asprintf(&tbuf, "%s.%s.%06lu", counts_prefix ? counts_prefix : COUNTS_PREFIX_DEFAULT, sbuf, (u_long)open_ts.tv_usec);
+    if (i < 1 || !tbuf) {
+        logerr("asprintf: out of memory");
+        return;
+    }
+    fprintf(stderr, "rssm: saving counts in %s\n", tbuf);
+    fp = fopen(tbuf, "w");
+    if (!fp) {
+        logerr("%s: %s", sbuf, strerror(errno));
+        free(tbuf);
+        return;
+    }
+    if (rssac002v3_yaml) {
+        char      tz[21];
+        struct tm tm;
+
+        gmtime_r((time_t*)&open_ts.tv_sec, &tm);
+        if (!strftime(tz, sizeof(tz), "%Y-%m-%dT%H:%M:%SZ", &tm)) {
+            logerr("rssm: strftime failed");
+            fclose(fp);
+            free(tbuf);
+            return;
+        }
+
+        fprintf(fp, "---\nversion: rssac002v3\nservice: %s\nstart-period: %s\nmetric: traffic-volume\n", service_name, tz);
+        fprintf(fp, "dns-udp-queries-received-ipv4: %" PRIu64 "\n", counts.dns_udp_queries_received_ipv4);
+        fprintf(fp, "dns-udp-queries-received-ipv6: %" PRIu64 "\n", counts.dns_udp_queries_received_ipv6);
+        fprintf(fp, "dns-tcp-queries-received-ipv4: %" PRIu64 "\n", counts.dns_tcp_queries_received_ipv4);
+        fprintf(fp, "dns-tcp-queries-received-ipv6: %" PRIu64 "\n", counts.dns_tcp_queries_received_ipv6);
+        fprintf(fp, "dns-udp-responses-sent-ipv4: %" PRIu64 "\n", counts.dns_udp_responses_sent_ipv4);
+        fprintf(fp, "dns-udp-responses-sent-ipv6: %" PRIu64 "\n", counts.dns_udp_responses_sent_ipv6);
+        fprintf(fp, "dns-tcp-responses-sent-ipv4: %" PRIu64 "\n", counts.dns_tcp_responses_sent_ipv4);
+        fprintf(fp, "dns-tcp-responses-sent-ipv6: %" PRIu64 "\n", counts.dns_tcp_responses_sent_ipv6);
+
+        fprintf(fp, "\n---\nversion: rssac002v3\nservice: %s\nstart-period: %s\nmetric: traffic-sizes\n", service_name, tz);
+        i = 0;
+        for (; i < MAX_SIZE_INDEX; i++) {
+            if (counts.udp_query_size[i]) {
+                break;
+            }
+        }
+        if (i < MAX_SIZE_INDEX) {
+            fprintf(fp, "udp-request-sizes:\n");
+            for (; i < MAX_SIZE_INDEX; i++) {
+                if (counts.udp_query_size[i]) {
+                    fprintf(fp, "  %d-%d: %" PRIu64 "\n",
+                        i << MSG_SIZE_SHIFT,
+                        ((i + 1) << MSG_SIZE_SHIFT) - 1,
+                        counts.udp_query_size[i]);
+                }
+            }
+        } else {
+            fprintf(fp, "udp-request-sizes: {}\n");
+        }
+        i = 0;
+        for (; i < MAX_SIZE_INDEX; i++) {
+            if (counts.udp_response_size[i]) {
+                break;
+            }
+        }
+        if (i < MAX_SIZE_INDEX) {
+            fprintf(fp, "udp-response-sizes:\n");
+            for (; i < MAX_SIZE_INDEX; i++) {
+                if (counts.udp_response_size[i]) {
+                    fprintf(fp, "  %d-%d: %" PRIu64 "\n",
+                        i << MSG_SIZE_SHIFT,
+                        ((i + 1) << MSG_SIZE_SHIFT) - 1,
+                        counts.udp_response_size[i]);
+                }
+            }
+        } else {
+            fprintf(fp, "udp-response-sizes: {}\n");
+        }
+        i = 0;
+        for (; i < MAX_SIZE_INDEX; i++) {
+            if (counts.tcp_query_size[i]) {
+                break;
+            }
+        }
+        if (i < MAX_SIZE_INDEX) {
+            fprintf(fp, "tcp-request-sizes:\n");
+            for (; i < MAX_SIZE_INDEX; i++) {
+                if (counts.tcp_query_size[i]) {
+                    fprintf(fp, "  %d-%d: %" PRIu64 "\n",
+                        i << MSG_SIZE_SHIFT,
+                        ((i + 1) << MSG_SIZE_SHIFT) - 1,
+                        counts.tcp_query_size[i]);
+                }
+            }
+        } else {
+            fprintf(fp, "tcp-request-sizes: {}\n");
+        }
+        i = 0;
+        for (; i < MAX_SIZE_INDEX; i++) {
+            if (counts.tcp_response_size[i]) {
+                break;
+            }
+        }
+        if (i < MAX_SIZE_INDEX) {
+            fprintf(fp, "tcp-response-sizes:\n");
+            for (; i < MAX_SIZE_INDEX; i++) {
+                if (counts.tcp_response_size[i]) {
+                    fprintf(fp, "  %d-%d: %" PRIu64 "\n",
+                        i << MSG_SIZE_SHIFT,
+                        ((i + 1) << MSG_SIZE_SHIFT) - 1,
+                        counts.tcp_response_size[i]);
+                }
+            }
+        } else {
+            fprintf(fp, "tcp-response-sizes: {}\n");
+        }
+
+        fprintf(fp, "\n---\nversion: rssac002v3\nservice: %s\nstart-period: %s\nmetric: rcode-volume\n", service_name, tz);
+        for (i = 0; i < MAX_RCODE; i++) {
+            if (counts.rcodes[i]) {
+                fprintf(fp, "%d: %" PRIu64 "\n", i, counts.rcodes[i]);
+            }
+        }
+
+        fprintf(fp, "\n---\nversion: rssac002v3\nservice: %s\nstart-period: %s\nmetric: unique-sources\n", service_name, tz);
+        fprintf(fp, "num-sources-ipv4: %" PRIu64 "\n", counts.num_ipv4_sources);
+        fprintf(fp, "num-sources-ipv6: %" PRIu64 "\n", counts.num_ipv6_sources);
+        fprintf(fp, "num-sources-ipv6-aggregate: %u\n", counts.aggregated.num_addrs);
+
+        if (sources_into_counters) {
+            fprintf(fp, "\n---\nversion: rssac002v3\nservice: %s\nstart-period: %s\nmetric: dnscap-rssm-sources\n", service_name, tz);
+            if (counts.sources.num_addrs) {
+                fprintf(fp, "sources:\n");
+                for (i = 0; i < counts.sources.num_addrs; i++) {
+                    fprintf(fp, "  %s: %" PRIu64 "\n", ia_str(counts.sources.addrs[i]), counts.sources.count[i]);
+                }
+            } else {
+                fprintf(fp, "sources: {}\n");
+            }
+        }
+
+        if (aggregated_into_counters) {
+            fprintf(fp, "\n---\nversion: rssac002v3\nservice: %s\nstart-period: %s\nmetric: dnscap-rssm-aggregated-sources\n", service_name, tz);
+            if (counts.aggregated.num_addrs) {
+                fprintf(fp, "aggregated-sources:\n");
+                for (i = 0; i < counts.aggregated.num_addrs; i++) {
+                    fprintf(fp, "  %s: %" PRIu64 "\n", ia_str(counts.aggregated.addrs[i]), counts.aggregated.count[i]);
+                }
+            } else {
+                fprintf(fp, "aggregated-sources: {}\n");
+            }
+        }
+    } else {
+        fprintf(fp, "first-packet-time %ld\n", (long)open_ts.tv_sec);
+        fprintf(fp, "last-packet-time %ld\n", (long)close_ts.tv_sec);
+        fprintf(fp, "dns-udp-queries-received-ipv4 %" PRIu64 "\n", counts.dns_udp_queries_received_ipv4);
+        fprintf(fp, "dns-udp-queries-received-ipv6 %" PRIu64 "\n", counts.dns_udp_queries_received_ipv6);
+        fprintf(fp, "dns-tcp-queries-received-ipv4 %" PRIu64 "\n", counts.dns_tcp_queries_received_ipv4);
+        fprintf(fp, "dns-tcp-queries-received-ipv6 %" PRIu64 "\n", counts.dns_tcp_queries_received_ipv6);
+        fprintf(fp, "dns-udp-responses-sent-ipv4 %" PRIu64 "\n", counts.dns_udp_responses_sent_ipv4);
+        fprintf(fp, "dns-udp-responses-sent-ipv6 %" PRIu64 "\n", counts.dns_udp_responses_sent_ipv6);
+        fprintf(fp, "dns-tcp-responses-sent-ipv4 %" PRIu64 "\n", counts.dns_tcp_responses_sent_ipv4);
+        fprintf(fp, "dns-tcp-responses-sent-ipv6 %" PRIu64 "\n", counts.dns_tcp_responses_sent_ipv6);
+        for (i = 0; i < MAX_SIZE_INDEX; i++)
+            if (counts.udp_query_size[i])
+                fprintf(fp, "dns-udp-query-size %d-%d %" PRIu64 "\n",
+                    i << MSG_SIZE_SHIFT,
+                    ((i + 1) << MSG_SIZE_SHIFT) - 1,
+                    counts.udp_query_size[i]);
+        for (i = 0; i < MAX_SIZE_INDEX; i++)
+            if (counts.tcp_query_size[i])
+                fprintf(fp, "dns-tcp-query-size %d-%d %" PRIu64 "\n",
+                    i << MSG_SIZE_SHIFT,
+                    ((i + 1) << MSG_SIZE_SHIFT) - 1,
+                    counts.tcp_query_size[i]);
+        for (i = 0; i < MAX_SIZE_INDEX; i++)
+            if (counts.udp_response_size[i])
+                fprintf(fp, "dns-udp-response-size %d-%d %" PRIu64 "\n",
+                    i << MSG_SIZE_SHIFT,
+                    ((i + 1) << MSG_SIZE_SHIFT) - 1,
+                    counts.udp_response_size[i]);
+        for (i = 0; i < MAX_SIZE_INDEX; i++)
+            if (counts.tcp_response_size[i])
+                fprintf(fp, "dns-tcp-response-size %d-%d %" PRIu64 "\n",
+                    i << MSG_SIZE_SHIFT,
+                    ((i + 1) << MSG_SIZE_SHIFT) - 1,
+                    counts.tcp_response_size[i]);
+        for (i = 0; i < MAX_RCODE; i++)
+            if (counts.rcodes[i])
+                fprintf(fp, "dns-rcode %d %" PRIu64 "\n",
+                    i, counts.rcodes[i]);
+        fprintf(fp, "num-sources %u\n", counts.sources.num_addrs);
+        if (sources_into_counters) {
+            for (i = 0; i < counts.sources.num_addrs; i++) {
+                fprintf(fp, "source %s %" PRIu64 "\n", ia_str(counts.sources.addrs[i]), counts.sources.count[i]);
+            }
+        }
+        if (aggregated_into_counters) {
+            for (i = 0; i < counts.aggregated.num_addrs; i++) {
+                fprintf(fp, "aggregated-source %s %" PRIu64 "\n", ia_str(counts.aggregated.addrs[i]), counts.aggregated.count[i]);
+            }
+        }
+    }
+    fclose(fp);
+    fprintf(stderr, "rssm: done\n");
+    free(tbuf);
+}
+
+void rssm_save_sources(const char* sbuf)
+{
+    FILE* fp;
+    char* tbuf = 0;
+    int   i;
+    i = asprintf(&tbuf, "%s.%s.%06lu", sources_prefix, sbuf, (u_long)open_ts.tv_usec);
+    if (i < 1 || !tbuf) {
+        logerr("asprintf: out of memory");
+        return;
+    }
+    fprintf(stderr, "rssm: saving %u sources in %s\n", counts.sources.num_addrs, tbuf);
+    fp = fopen(tbuf, "w");
+    if (!fp) {
+        logerr("%s: %s", tbuf, strerror(errno));
+        free(tbuf);
+        return;
+    }
+    for (i = 0; i < counts.sources.num_addrs; i++) {
+        fprintf(fp, "%s %" PRIu64 "\n", ia_str(counts.sources.addrs[i]), counts.sources.count[i]);
+    }
+    fclose(fp);
+    fprintf(stderr, "rssm: done\n");
+    free(tbuf);
+}
+
+void rssm_save_aggregated(const char* sbuf)
+{
+    FILE* fp;
+    char* tbuf = 0;
+    int   i;
+    i = asprintf(&tbuf, "%s.%s.%06lu", aggregated_prefix, sbuf, (u_long)open_ts.tv_usec);
+    if (i < 1 || !tbuf) {
+        logerr("asprintf: out of memory");
+        return;
+    }
+    fprintf(stderr, "rssm: saving %u aggregated in %s\n", counts.aggregated.num_addrs, tbuf);
+    fp = fopen(tbuf, "w");
+    if (!fp) {
+        logerr("%s: %s", tbuf, strerror(errno));
+        free(tbuf);
+        return;
+    }
+    for (i = 0; i < counts.aggregated.num_addrs; i++) {
+        fprintf(fp, "%s %" PRIu64 "\n", ia_str(counts.aggregated.addrs[i]), counts.aggregated.count[i]);
+    }
+    fclose(fp);
+    fprintf(stderr, "rssm: done\n");
+    free(tbuf);
+}
+
+/*
+ * Fork a separate process so that we don't block the main dnscap.  Use double-fork
+ * to avoid zombies for the main dnscap process.
+ */
+int rssm_close(my_bpftimeval ts)
+{
+    char      sbuf[265];
+    pid_t     pid;
+    struct tm tm;
+
+    if (dont_fork_on_close) {
+        struct tm tm;
+        gmtime_r((time_t*)&open_ts.tv_sec, &tm);
+        strftime(sbuf, sizeof(sbuf), "%Y%m%d.%H%M%S", &tm);
+        close_ts = ts;
+        rssm_save_counts(sbuf);
+        if (sources_prefix)
+            rssm_save_sources(sbuf);
+        if (aggregated_prefix)
+            rssm_save_aggregated(sbuf);
+        return 0;
+    }
+
+    pid = fork();
+    if (pid < 0) {
+        logerr("rssm.so: fork: %s", strerror(errno));
+        return 1;
+    } else if (pid) {
+        /* parent */
+        waitpid(pid, NULL, 0);
+        return 0;
+    }
+    /* 1st gen child continues */
+    pid = fork();
+    if (pid < 0) {
+        logerr("rssm.so: fork: %s", strerror(errno));
+        return 1;
+    } else if (pid) {
+        /* 1st gen child exits */
+        exit(0);
+    }
+    /* grandchild (2nd gen) continues */
+    gmtime_r((time_t*)&open_ts.tv_sec, &tm);
+    strftime(sbuf, sizeof(sbuf), "%Y%m%d.%H%M%S", &tm);
+    close_ts = ts;
+    rssm_save_counts(sbuf);
+    if (sources_prefix)
+        rssm_save_sources(sbuf);
+    if (aggregated_prefix)
+        rssm_save_aggregated(sbuf);
+    exit(0);
+}
+
+static void
+find_or_add(iaddr ia)
+{
+    uint64_t* c = hash_find(&ia, counts.sources.tbl);
+    if (c) {
+        (*c)++;
+    } else {
+        if (counts.sources.num_addrs == MAX_TBL_ADDRS)
+            return;
+        counts.sources.addrs[counts.sources.num_addrs] = ia;
+        if (hash_add(&counts.sources.addrs[counts.sources.num_addrs], &counts.sources.count[counts.sources.num_addrs], counts.sources.tbl)) {
+            logerr("rssm.so: unable to add address to hash");
+            return;
+        }
+        counts.sources.count[counts.sources.num_addrs]++;
+        counts.sources.num_addrs++;
+        if (ia.af == AF_INET) {
+            counts.num_ipv4_sources++;
+        } else {
+            counts.num_ipv6_sources++;
+        }
+    }
+
+    if (ia.af == AF_INET6) {
+        iaddr v6agg = ia;
+
+        memset(((uint8_t*)&v6agg.u.a6) + 8, 0, 8);
+        c = hash_find(&v6agg, counts.aggregated.tbl);
+        if (c) {
+            (*c)++;
+        } else {
+            if (counts.aggregated.num_addrs == MAX_TBL_ADDRS2)
+                return;
+            counts.aggregated.addrs[counts.aggregated.num_addrs] = v6agg;
+            if (hash_add(&counts.aggregated.addrs[counts.aggregated.num_addrs], &counts.aggregated.count[counts.aggregated.num_addrs], counts.aggregated.tbl)) {
+                logerr("rssm.so: unable to add aggregated address to hash");
+                return;
+            }
+            counts.aggregated.count[counts.aggregated.num_addrs]++;
+            counts.aggregated.num_addrs++;
+        }
+    }
+}
+
+void rssm_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen,
+    const u_char* payload, const unsigned payloadlen)
+{
+    unsigned  dnslen;
+    ldns_pkt* pkt = 0;
+
+    if (!(flags & DNSCAP_OUTPUT_ISDNS))
+        return;
+
+    if (ldns_wire2pkt(&pkt, payload, payloadlen) != LDNS_STATUS_OK) {
+        return;
+    }
+
+    dnslen = payloadlen >> MSG_SIZE_SHIFT;
+    if (dnslen >= MAX_SIZE_INDEX)
+        dnslen = MAX_SIZE_INDEX - 1;
+
+    if (!ldns_pkt_qr(pkt)) {
+        find_or_add(from);
+        if (IPPROTO_UDP == proto) {
+            counts.udp_query_size[dnslen]++;
+        } else if (IPPROTO_TCP == proto) {
+            counts.tcp_query_size[dnslen]++;
+        }
+        if (AF_INET == from.af) {
+            if (IPPROTO_UDP == proto) {
+                counts.dns_udp_queries_received_ipv4++;
+            } else if (IPPROTO_TCP == proto) {
+                counts.dns_tcp_queries_received_ipv4++;
+            }
+        } else if (AF_INET6 == from.af) {
+            if (IPPROTO_UDP == proto) {
+                counts.dns_udp_queries_received_ipv6++;
+            } else if (IPPROTO_TCP == proto) {
+                counts.dns_tcp_queries_received_ipv6++;
+            }
+        }
+    } else {
+        uint16_t rcode = ldns_pkt_get_rcode(pkt);
+        if (IPPROTO_UDP == proto) {
+            counts.udp_response_size[dnslen]++;
+        } else if (IPPROTO_TCP == proto) {
+            counts.tcp_response_size[dnslen]++;
+        }
+        if (AF_INET == from.af) {
+            if (IPPROTO_UDP == proto) {
+                counts.dns_udp_responses_sent_ipv4++;
+            } else if (IPPROTO_TCP == proto) {
+                counts.dns_tcp_responses_sent_ipv4++;
+            }
+        } else if (AF_INET6 == from.af) {
+            if (IPPROTO_UDP == proto) {
+                counts.dns_udp_responses_sent_ipv6++;
+            } else if (IPPROTO_TCP == proto) {
+                counts.dns_tcp_responses_sent_ipv6++;
+            }
+        }
+        if (ldns_pkt_arcount(pkt)) {
+            rcode |= ((uint16_t)ldns_pkt_edns_extended_rcode(pkt) << 4);
+        }
+        counts.rcodes[rcode]++;
+    }
+
+    ldns_pkt_free(pkt);
+}
diff --git a/plugins/rssm/test1.gold b/plugins/rssm/test1.gold
new file mode 100644
index 0000000..86957d0
--- /dev/null
+++ b/plugins/rssm/test1.gold
@@ -0,0 +1,58 @@
+---
+version: rssac002v3
+service: test1
+start-period: 2016-10-20T15:23:01Z
+metric: traffic-volume
+dns-udp-queries-received-ipv4: 41
+dns-udp-queries-received-ipv6: 0
+dns-tcp-queries-received-ipv4: 0
+dns-tcp-queries-received-ipv6: 0
+dns-udp-responses-sent-ipv4: 41
+dns-udp-responses-sent-ipv6: 0
+dns-tcp-responses-sent-ipv4: 0
+dns-tcp-responses-sent-ipv6: 0
+
+---
+version: rssac002v3
+service: test1
+start-period: 2016-10-20T15:23:01Z
+metric: traffic-sizes
+udp-request-sizes:
+  16-31: 24
+  32-47: 17
+udp-response-sizes:
+  176-191: 24
+  256-271: 17
+tcp-request-sizes: {}
+tcp-response-sizes: {}
+
+---
+version: rssac002v3
+service: test1
+start-period: 2016-10-20T15:23:01Z
+metric: rcode-volume
+0: 41
+
+---
+version: rssac002v3
+service: test1
+start-period: 2016-10-20T15:23:01Z
+metric: unique-sources
+num-sources-ipv4: 1
+num-sources-ipv6: 0
+num-sources-ipv6-aggregate: 0
+
+---
+version: rssac002v3
+service: test1
+start-period: 2016-10-20T15:23:01Z
+metric: dnscap-rssm-sources
+sources:
+  172.17.0.10: 41
+
+---
+version: rssac002v3
+service: test1
+start-period: 2016-10-20T15:23:01Z
+metric: dnscap-rssm-aggregated-sources
+aggregated-sources: {}
diff --git a/plugins/rssm/test1.sh b/plugins/rssm/test1.sh
new file mode 100755
index 0000000..d43b947
--- /dev/null
+++ b/plugins/rssm/test1.sh
@@ -0,0 +1,11 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'rssm.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the RSSM plugin"
+    exit 1
+fi
+
+../../src/dnscap -N -T -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -w test1 -Y -n test1 -A -S -D
+
+diff test1.20161020.152301.075993 "$srcdir/test1.gold"
diff --git a/plugins/rssm/test2.gold b/plugins/rssm/test2.gold
new file mode 100644
index 0000000..85625c0
--- /dev/null
+++ b/plugins/rssm/test2.gold
@@ -0,0 +1,43 @@
+---
+0: 123
+metric: rcode-volume
+service: test1
+start-period: 2016-10-20T15:23:01Z
+version: rssac002v3
+
+---
+metric: traffic-sizes
+service: test1
+start-period: 2016-10-20T15:23:01Z
+tcp-request-sizes: {}
+tcp-response-sizes: {}
+udp-request-sizes:
+  16-31: 72
+  32-47: 51
+udp-response-sizes:
+  176-191: 72
+  256-271: 51
+version: rssac002v3
+
+---
+dns-tcp-queries-received-ipv4: 0
+dns-tcp-queries-received-ipv6: 0
+dns-tcp-responses-sent-ipv4: 0
+dns-tcp-responses-sent-ipv6: 0
+dns-udp-queries-received-ipv4: 123
+dns-udp-queries-received-ipv6: 0
+dns-udp-responses-sent-ipv4: 123
+dns-udp-responses-sent-ipv6: 0
+metric: traffic-volume
+service: test1
+start-period: 2016-10-20T15:23:01Z
+version: rssac002v3
+
+---
+metric: unique-sources
+num-sources-ipv4: 1
+num-sources-ipv6: 0
+num-sources-ipv6-aggregate: 0
+service: test1
+start-period: 2016-10-20T15:23:01Z
+version: rssac002v3
diff --git a/plugins/rssm/test2.sh b/plugins/rssm/test2.sh
new file mode 100755
index 0000000..11f44af
--- /dev/null
+++ b/plugins/rssm/test2.sh
@@ -0,0 +1,5 @@
+#!/bin/sh -xe
+
+"$srcdir"/dnscap-rssm-rssac002 --sort "$srcdir/test1.gold" "$srcdir/test1.gold" "$srcdir/test1.gold" > test2.out
+
+diff test2.out "$srcdir/test2.gold"
diff --git a/plugins/rssm/test3.gold b/plugins/rssm/test3.gold
new file mode 100644
index 0000000..237af89
--- /dev/null
+++ b/plugins/rssm/test3.gold
@@ -0,0 +1,57 @@
+---
+version: rssac002v3
+service: test3
+start-period: 2018-11-27T15:52:00Z
+metric: traffic-volume
+dns-udp-queries-received-ipv4: 0
+dns-udp-queries-received-ipv6: 1
+dns-tcp-queries-received-ipv4: 0
+dns-tcp-queries-received-ipv6: 0
+dns-udp-responses-sent-ipv4: 0
+dns-udp-responses-sent-ipv6: 1
+dns-tcp-responses-sent-ipv4: 0
+dns-tcp-responses-sent-ipv6: 0
+
+---
+version: rssac002v3
+service: test3
+start-period: 2018-11-27T15:52:00Z
+metric: traffic-sizes
+udp-request-sizes:
+  32-47: 1
+udp-response-sizes:
+  48-63: 1
+tcp-request-sizes: {}
+tcp-response-sizes: {}
+
+---
+version: rssac002v3
+service: test3
+start-period: 2018-11-27T15:52:00Z
+metric: rcode-volume
+0: 1
+
+---
+version: rssac002v3
+service: test3
+start-period: 2018-11-27T15:52:00Z
+metric: unique-sources
+num-sources-ipv4: 0
+num-sources-ipv6: 1
+num-sources-ipv6-aggregate: 1
+
+---
+version: rssac002v3
+service: test3
+start-period: 2018-11-27T15:52:00Z
+metric: dnscap-rssm-sources
+sources:
+  2a01:3f0:0:57::245: 1
+
+---
+version: rssac002v3
+service: test3
+start-period: 2018-11-27T15:52:00Z
+metric: dnscap-rssm-aggregated-sources
+aggregated-sources:
+  2a01:3f0:0:57::: 1
diff --git a/plugins/rssm/test3.sh b/plugins/rssm/test3.sh
new file mode 100755
index 0000000..60b2e8a
--- /dev/null
+++ b/plugins/rssm/test3.sh
@@ -0,0 +1,11 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'rssm.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the RSSM plugin"
+    exit 1
+fi
+
+../../src/dnscap -N -T -r "$srcdir/../../src/test/dns6.pcap" -P "$plugin" -w test3 -Y -n test3 -A -S -D
+
+diff test3.20181127.155200.414188 "$srcdir/test3.gold"
diff --git a/plugins/rssm/test4.sh b/plugins/rssm/test4.sh
new file mode 100755
index 0000000..3c28711
--- /dev/null
+++ b/plugins/rssm/test4.sh
@@ -0,0 +1,14 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'rssm.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the RSSM plugin"
+    exit 1
+fi
+
+../../src/dnscap -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -?
+! ../../src/dnscap -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -X
+! ../../src/dnscap -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -s s -s s -S
+! ../../src/dnscap -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -a a -a a -A
+! ../../src/dnscap -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -Y
+../../src/dnscap -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -D -w test4 -w test4 -n n -n n -s test4.src -a test4.agg
diff --git a/plugins/rssm/test5.gold b/plugins/rssm/test5.gold
new file mode 100644
index 0000000..acaa7cd
--- /dev/null
+++ b/plugins/rssm/test5.gold
@@ -0,0 +1,58 @@
+---
+version: rssac002v3
+service: test5
+start-period: 2018-01-10T11:22:41Z
+metric: traffic-volume
+dns-udp-queries-received-ipv4: 0
+dns-udp-queries-received-ipv6: 0
+dns-tcp-queries-received-ipv4: 41
+dns-tcp-queries-received-ipv6: 0
+dns-udp-responses-sent-ipv4: 0
+dns-udp-responses-sent-ipv6: 0
+dns-tcp-responses-sent-ipv4: 41
+dns-tcp-responses-sent-ipv6: 0
+
+---
+version: rssac002v3
+service: test5
+start-period: 2018-01-10T11:22:41Z
+metric: traffic-sizes
+udp-request-sizes: {}
+udp-response-sizes: {}
+tcp-request-sizes:
+  16-31: 24
+  32-47: 17
+tcp-response-sizes:
+  32-47: 24
+  128-143: 17
+
+---
+version: rssac002v3
+service: test5
+start-period: 2018-01-10T11:22:41Z
+metric: rcode-volume
+0: 41
+
+---
+version: rssac002v3
+service: test5
+start-period: 2018-01-10T11:22:41Z
+metric: unique-sources
+num-sources-ipv4: 1
+num-sources-ipv6: 0
+num-sources-ipv6-aggregate: 0
+
+---
+version: rssac002v3
+service: test5
+start-period: 2018-01-10T11:22:41Z
+metric: dnscap-rssm-sources
+sources:
+  172.17.0.8: 41
+
+---
+version: rssac002v3
+service: test5
+start-period: 2018-01-10T11:22:41Z
+metric: dnscap-rssm-aggregated-sources
+aggregated-sources: {}
diff --git a/plugins/rssm/test5.sh b/plugins/rssm/test5.sh
new file mode 100755
index 0000000..4b93df5
--- /dev/null
+++ b/plugins/rssm/test5.sh
@@ -0,0 +1,11 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'rssm.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the RSSM plugin"
+    exit 1
+fi
+
+../../src/dnscap -N -T -r "$srcdir/../../src/test/dnso1tcp.pcap" -P "$plugin" -w test5 -Y -n test5 -A -S -D
+
+diff test5.20180110.112241.543825 "$srcdir/test5.gold"
diff --git a/plugins/rzkeychange/Makefile.am b/plugins/rzkeychange/Makefile.am
new file mode 100644
index 0000000..869eba6
--- /dev/null
+++ b/plugins/rzkeychange/Makefile.am
@@ -0,0 +1,23 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS) \
+    $(libldns_CFLAGS)
+
+pkglib_LTLIBRARIES = rzkeychange.la
+rzkeychange_la_SOURCES = rzkeychange.c
+rzkeychange_la_LDFLAGS = -module -avoid-version $(libldns_LIBS)
+
+TESTS = test1.sh
+EXTRA_DIST = $(TESTS)
+CLEANFILES += *.pcap-dist
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(rzkeychange_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif
diff --git a/plugins/rzkeychange/rzkeychange.c b/plugins/rzkeychange/rzkeychange.c
new file mode 100644
index 0000000..4f14c40
--- /dev/null
+++ b/plugins/rzkeychange/rzkeychange.c
@@ -0,0 +1,470 @@
+/*
+ * Author Duane Wessels
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <memory.h>
+#include <time.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <assert.h>
+#include <sys/wait.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <arpa/nameser.h>
+
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+#include <netinet/ip_icmp.h>
+
+#include <ldns/ldns.h>
+
+#include "dnscap_common.h"
+
+static logerr_t*      logerr           = 0;
+static my_bpftimeval  open_ts          = { 0, 0 };
+static my_bpftimeval  clos_ts          = { 0, 0 };
+static char*          report_zone      = 0;
+static char*          report_server    = 0;
+static char*          report_node      = 0;
+static char*          keytag_zone      = 0;
+static unsigned short resolver_port    = 0;
+static unsigned int   resolver_use_tcp = 0;
+static ldns_resolver* res;
+
+static int dry_run = 0;
+
+output_t       rzkeychange_output;
+is_responder_t rzkeychange_is_responder = 0;
+ia_str_t       rzkeychange_ia_str       = 0;
+
+#define MAX_KEY_TAG_SIGNALS 500
+static unsigned int num_key_tag_signals;
+struct {
+    iaddr       addr;
+    uint8_t     flags;
+    const char* signal;
+} key_tag_signals[MAX_KEY_TAG_SIGNALS];
+
+#define KEYTAG_FLAG_DO 1
+#define KEYTAG_FLAG_CD 2
+#define KEYTAG_FLAG_RD 4
+
+struct {
+    uint64_t dnskey;
+    uint64_t tc_bit;
+    uint64_t tcp;
+    uint64_t icmp_unreach_frag;
+    uint64_t icmp_timxceed_reass;
+    uint64_t icmp_timxceed_intrans;
+    uint64_t total;
+} counts;
+
+#define MAX_NAMESERVERS 10
+static unsigned int num_ns_addrs = 0;
+static char*        ns_addrs[MAX_NAMESERVERS];
+
+void rzkeychange_usage()
+{
+    fprintf(stderr,
+        "\nrzkeychange.so options:\n"
+        "\t-?           print these instructions and exit\n"
+        "\t-D           dry run, just print queries\n"
+        "\t-z <zone>    Report counters to DNS zone <zone> (required)\n"
+        "\t-s <server>  Data is from server <server> (required)\n"
+        "\t-n <node>    Data is from site/node <node> (required)\n"
+        "\t-k <zone>    Report RFC 8145 key tag signals to <zone>\n"
+        "\t-a <addr>    Send DNS queries to this addr\n"
+        "\t-p <port>    Send DNS queries to this port\n"
+        "\t-t           Use TCP for DNS queries\n");
+}
+
+void rzkeychange_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_IS_RESPONDER:
+        rzkeychange_is_responder = (is_responder_t)arg;
+        break;
+    case DNSCAP_EXT_IA_STR:
+        rzkeychange_ia_str = (ia_str_t)arg;
+        break;
+    }
+}
+
+void rzkeychange_getopt(int* argc, char** argv[])
+{
+    int c;
+    while ((c = getopt(*argc, *argv, "?a:k:n:p:s:tz:D")) != EOF) {
+        switch (c) {
+        case 'n':
+            if (report_node)
+                free(report_node);
+            report_node = strdup(optarg);
+            if (!report_node) {
+                fprintf(stderr, "strdup() out of memory\n");
+                exit(1);
+            }
+            break;
+        case 's':
+            if (report_server)
+                free(report_server);
+            report_server = strdup(optarg);
+            if (!report_server) {
+                fprintf(stderr, "strdup() out of memory\n");
+                exit(1);
+            }
+            break;
+        case 'z':
+            if (report_zone)
+                free(report_zone);
+            report_zone = strdup(optarg);
+            if (!report_zone) {
+                fprintf(stderr, "strdup() out of memory\n");
+                exit(1);
+            }
+            break;
+        case 'k':
+            if (keytag_zone)
+                free(keytag_zone);
+            keytag_zone = strdup(optarg);
+            if (!keytag_zone) {
+                fprintf(stderr, "strdup() out of memory\n");
+                exit(1);
+            }
+            break;
+        case 'a':
+            if (num_ns_addrs < MAX_NAMESERVERS) {
+                ns_addrs[num_ns_addrs] = strdup(optarg);
+                if (!ns_addrs[num_ns_addrs]) {
+                    fprintf(stderr, "strdup() out of memory\n");
+                    exit(1);
+                }
+                num_ns_addrs++;
+            } else {
+                fprintf(stderr, "too many nameservers\n");
+                exit(1);
+            }
+            break;
+        case 'p':
+            resolver_port = strtoul(optarg, 0, 10);
+            break;
+        case 't':
+            resolver_use_tcp = 1;
+            break;
+        case 'D':
+            dry_run = 1;
+            break;
+        case '?':
+            rzkeychange_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+    if (!report_zone || !report_server || !report_node) {
+        rzkeychange_usage();
+        exit(1);
+    }
+}
+
+ldns_pkt*
+dns_query(const char* name, ldns_rr_type type)
+{
+    fprintf(stderr, "%s\n", name);
+    if (dry_run) {
+        return 0;
+    }
+
+    ldns_rdf* domain = ldns_dname_new_frm_str(name);
+    if (0 == domain) {
+        fprintf(stderr, "bad query name: '%s'\n", name);
+        exit(1);
+    }
+    ldns_pkt* pkt = ldns_resolver_query(res,
+        domain,
+        type,
+        LDNS_RR_CLASS_IN,
+        LDNS_RD);
+    ldns_rdf_deep_free(domain);
+    return pkt;
+}
+
+static void
+add_resolver_nameserver(const char* s)
+{
+    ldns_rdf* nsaddr;
+    fprintf(stderr, "adding nameserver '%s' to resolver config\n", s);
+    if (strchr(s, ':'))
+        nsaddr = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_AAAA, s);
+    else
+        nsaddr = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_A, s);
+    if (!nsaddr) {
+        logerr("rzkeychange.so: invalid IP address '%s'", s);
+        exit(1);
+    }
+    assert(LDNS_STATUS_OK == ldns_resolver_push_nameserver(res, nsaddr));
+}
+
+int rzkeychange_start(logerr_t* a_logerr)
+{
+    ldns_pkt*      pkt;
+    struct timeval to;
+    char           qname[256];
+    logerr = a_logerr;
+    if (LDNS_STATUS_OK != ldns_resolver_new_frm_file(&res, NULL)) {
+        fprintf(stderr, "Failed to initialize ldns resolver\n");
+        exit(1);
+    }
+    if (num_ns_addrs) {
+        unsigned int i;
+        ldns_resolver_set_nameserver_count(res, 0);
+        for (i = 0; i < num_ns_addrs; i++)
+            add_resolver_nameserver(ns_addrs[i]);
+    }
+    if (0 == ldns_resolver_nameserver_count(res))
+        add_resolver_nameserver("127.0.0.1");
+    if (resolver_port)
+        ldns_resolver_set_port(res, resolver_port);
+    if (resolver_use_tcp)
+        ldns_resolver_set_usevc(res, 1);
+
+    if (dry_run) {
+        return 0;
+    }
+
+    fprintf(stderr, "Testing reachability of zone '%s'\n", report_zone);
+    pkt = dns_query(report_zone, LDNS_RR_TYPE_TXT);
+    if (!pkt) {
+        fprintf(stderr, "Test of zone '%s' failed\n", report_zone);
+        exit(1);
+    }
+    if (0 != ldns_pkt_get_rcode(pkt)) {
+        fprintf(stderr, "Query to zone '%s' returned rcode %d\n", report_zone, ldns_pkt_get_rcode(pkt));
+        exit(1);
+    }
+    fprintf(stderr, "Success.\n");
+    if (pkt)
+        ldns_pkt_free(pkt);
+    /*
+     * For all subsequent queries we don't actually care about the response
+     * and don't wait to wait very long for it so  the timeout is set really low.
+     */
+    to.tv_sec  = 0;
+    to.tv_usec = 500000;
+    ldns_resolver_set_timeout(res, to);
+    snprintf(qname, sizeof(qname), "ts-elapsed-tot-dnskey-tcp-tc-unreachfrag-texcfrag-texcttl.%s.%s.%s", report_node, report_server, report_zone);
+    pkt = dns_query(qname, LDNS_RR_TYPE_TXT);
+    if (pkt)
+        ldns_pkt_free(pkt);
+    return 0;
+}
+
+void rzkeychange_stop()
+{
+}
+
+int rzkeychange_open(my_bpftimeval ts)
+{
+    open_ts = clos_ts.tv_sec ? clos_ts : ts;
+    memset(&counts, 0, sizeof(counts));
+    memset(&key_tag_signals, 0, sizeof(key_tag_signals));
+    num_key_tag_signals = 0;
+    return 0;
+}
+
+void rzkeychange_submit_counts(void)
+{
+    char      qname[256];
+    ldns_pkt* pkt;
+    double    elapsed = (double)clos_ts.tv_sec - (double)open_ts.tv_sec + 0.000001 * clos_ts.tv_usec - 0.000001 * open_ts.tv_usec; //NOSONAR
+    int       k;
+
+    k = snprintf(qname, sizeof(qname), "%lu-%u-%" PRIu64 "-%" PRIu64 "-%" PRIu64 "-%" PRIu64 "-%" PRIu64 "-%" PRIu64 "-%" PRIu64 ".%s.%s.%s",
+        (u_long)open_ts.tv_sec,
+        (unsigned int)(elapsed + 0.5),
+        counts.total,
+        counts.dnskey,
+        counts.tcp,
+        counts.tc_bit,
+        counts.icmp_unreach_frag,
+        counts.icmp_timxceed_reass,
+        counts.icmp_timxceed_intrans,
+        report_node,
+        report_server,
+        report_zone);
+
+    if (k < sizeof(qname)) {
+        pkt = dns_query(qname, LDNS_RR_TYPE_TXT);
+        if (pkt)
+            ldns_pkt_free(pkt);
+    }
+
+    if (keytag_zone != 0) {
+        unsigned int i;
+
+        for (i = 0; i < num_key_tag_signals; i++) {
+            char* s = strdup(rzkeychange_ia_str(key_tag_signals[i].addr));
+            char* t;
+
+            if (0 == s) {
+                /*
+                 * Apparently out of memory.  This function is called in
+                 * a child process which will exit right after this we
+                 * break from the loop and return from this function.
+                 */
+                break;
+            }
+
+            for (t = s; *t; t++)
+                if (*t == '.' || *t == ':')
+                    *t = '-';
+
+            k = snprintf(qname, sizeof(qname), "%lu.%s.%hhx.%s.%s.%s.%s",
+                (u_long)open_ts.tv_sec,
+                s,
+                key_tag_signals[i].flags,
+                key_tag_signals[i].signal,
+                report_node,
+                report_server,
+                keytag_zone);
+            free(s);
+
+            if (k >= sizeof(qname))
+                continue; // qname was truncated in snprintf()
+
+            pkt = dns_query(qname, LDNS_RR_TYPE_TXT);
+            if (pkt)
+                ldns_pkt_free(pkt);
+        }
+    }
+}
+
+/*
+ * Fork a separate process so that we don't block the main dnscap.  Use
+ * double-fork to avoid zombies for the main dnscap process.
+ */
+int rzkeychange_close(my_bpftimeval ts)
+{
+    pid_t pid;
+    pid = fork();
+    if (pid < 0) {
+        logerr("rzkeychange.so: fork: %s", strerror(errno));
+        return 1;
+    } else if (pid) {
+        /* parent */
+        waitpid(pid, NULL, 0);
+        return 0;
+    }
+    /* 1st gen child continues */
+    pid = fork();
+    if (pid < 0) {
+        logerr("rzkeychange.so: fork: %s", strerror(errno));
+        return 1;
+    } else if (pid) {
+        /* 1st gen child exits */
+        exit(0);
+    }
+    /* grandchild (2nd gen) continues */
+    clos_ts = ts;
+    rzkeychange_submit_counts();
+    exit(0);
+}
+
+void rzkeychange_keytagsignal(const ldns_pkt* pkt, const ldns_rr* question_rr, iaddr addr)
+{
+    ldns_rdf* qn;
+    char*     qn_str = 0;
+    if (LDNS_RR_TYPE_NULL != ldns_rr_get_type(question_rr))
+        return;
+    if (num_key_tag_signals == MAX_KEY_TAG_SIGNALS)
+        return;
+    qn = ldns_rr_owner(question_rr);
+    if (qn == 0)
+        return;
+    qn_str = ldns_rdf2str(qn);
+    if (qn_str == 0)
+        return;
+    if (0 != strncasecmp(qn_str, "_ta-", 4))
+        goto keytagsignal_done;
+    qn_str[strlen(qn_str) - 1] = 0; // ldns always adds terminating dot
+    if (strchr(qn_str, '.')) // dont want non-root keytag signals
+        goto keytagsignal_done;
+    key_tag_signals[num_key_tag_signals].addr   = addr;
+    key_tag_signals[num_key_tag_signals].signal = strdup(qn_str);
+    assert(key_tag_signals[num_key_tag_signals].signal);
+    if (ldns_pkt_rd(pkt))
+        key_tag_signals[num_key_tag_signals].flags |= KEYTAG_FLAG_RD;
+    if (ldns_pkt_cd(pkt))
+        key_tag_signals[num_key_tag_signals].flags |= KEYTAG_FLAG_CD;
+    if (ldns_pkt_edns_do(pkt))
+        key_tag_signals[num_key_tag_signals].flags |= KEYTAG_FLAG_DO;
+    num_key_tag_signals++;
+keytagsignal_done:
+    if (qn_str)
+        free(qn_str);
+}
+
+void rzkeychange_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen,
+    const u_char* payload, const unsigned payloadlen)
+{
+    ldns_pkt*     pkt              = 0;
+    ldns_rr_list* question_rr_list = 0;
+    ldns_rr*      question_rr      = 0;
+    if (!(flags & DNSCAP_OUTPUT_ISDNS)) {
+        if (IPPROTO_ICMP == proto && payloadlen >= 4) {
+            struct icmp* icmp;
+            if (rzkeychange_is_responder && !rzkeychange_is_responder(to))
+                goto done;
+            icmp = (void*)payload;
+            if (ICMP_UNREACH == icmp->icmp_type) {
+                if (ICMP_UNREACH_NEEDFRAG == icmp->icmp_code)
+                    counts.icmp_unreach_frag++;
+            } else if (ICMP_TIMXCEED == icmp->icmp_type) {
+                if (ICMP_TIMXCEED_INTRANS == icmp->icmp_code)
+                    counts.icmp_timxceed_intrans++;
+                else if (ICMP_TIMXCEED_REASS == icmp->icmp_code)
+                    counts.icmp_timxceed_reass++;
+            }
+        }
+        goto done;
+    }
+    if (LDNS_STATUS_OK != ldns_wire2pkt(&pkt, payload, payloadlen))
+        return;
+    if (0 == ldns_pkt_qr(pkt))
+        goto done;
+    counts.total++;
+    if (IPPROTO_UDP == proto) {
+        if (0 != ldns_pkt_tc(pkt))
+            counts.tc_bit++;
+    } else if (IPPROTO_TCP == proto) {
+        counts.tcp++;
+    }
+    if (LDNS_PACKET_QUERY != ldns_pkt_get_opcode(pkt))
+        goto done;
+    question_rr_list = ldns_pkt_question(pkt);
+    if (0 == question_rr_list)
+        goto done;
+    question_rr = ldns_rr_list_rr(question_rr_list, 0);
+    if (0 == question_rr)
+        goto done;
+    if (LDNS_RR_CLASS_IN == ldns_rr_get_class(question_rr))
+        if (LDNS_RR_TYPE_DNSKEY == ldns_rr_get_type(question_rr))
+            counts.dnskey++;
+    if (keytag_zone != 0)
+        rzkeychange_keytagsignal(pkt, question_rr, to); // 'to' here because plugin should be processing responses
+done:
+    ldns_pkt_free(pkt);
+}
diff --git a/plugins/rzkeychange/test1.sh b/plugins/rzkeychange/test1.sh
new file mode 100755
index 0000000..de066e3
--- /dev/null
+++ b/plugins/rzkeychange/test1.sh
@@ -0,0 +1,21 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'rzkeychange.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the rzkeychange plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -n text -n text
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -s text -s text
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -z text -z text
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k text -k text
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -a 1 -a 2 -a 3 -a 4 -a 5 -a 6 -a 7 -a 8 -a 9 -a 10 -a 11
+
+# LDNS resolver needs /etc/resolv.conf
+test -f /etc/resolv.conf || exit 0
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -D -t -p 5353 -a 127.0.0.1 -n n -s s -z example.com -k k
diff --git a/plugins/template/Makefile.am b/plugins/template/Makefile.am
new file mode 100644
index 0000000..2cc0d7e
--- /dev/null
+++ b/plugins/template/Makefile.am
@@ -0,0 +1,22 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS)
+
+pkglib_LTLIBRARIES = template.la
+template_la_SOURCES = template.c
+template_la_LDFLAGS = -module -avoid-version
+
+TESTS = test1.sh
+EXTRA_DIST = $(TESTS)
+CLEANFILES += *.pcap-dist
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(template_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif
diff --git a/plugins/template/template.c b/plugins/template/template.c
new file mode 100644
index 0000000..6abf23c
--- /dev/null
+++ b/plugins/template/template.c
@@ -0,0 +1,147 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netinet/in.h>
+
+#include "dnscap_common.h"
+
+static logerr_t*   logerr;
+static int         opt_f = 0;
+static const char* opt_x = 0;
+
+output_t template_output;
+
+void template_usage()
+{
+    fprintf(stderr,
+        "\ntemplate.so options:\n"
+        "\t-?         print these instructions and exit\n"
+        "\t-f         flag option\n"
+        "\t-x <arg>   option with argument\n");
+}
+
+void template_getopt(int* argc, char** argv[])
+{
+    /*
+     * The "getopt" function will be called from the parent to
+     * process plugin options.
+     */
+    int c;
+    while ((c = getopt(*argc, *argv, "?fx:")) != EOF) {
+        switch (c) {
+        case 'f':
+            opt_f = 1;
+            break;
+        case 'x':
+            opt_x = strdup(optarg);
+            break;
+        case '?':
+            template_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+}
+
+int template_start(logerr_t* a_logerr)
+{
+    /*
+     * The "start" function is called once, when the program
+     * starts.  It is used to initialize the plugin.  If the
+     * plugin wants to write debugging and or error messages,
+     * it should save the a_logerr pointer passed from the
+     * parent code.
+     */
+    logerr = a_logerr;
+    return 0;
+}
+
+void template_stop()
+{
+    /*
+     * The "start" function is called once, when the program
+     * is exiting normally.  It might be used to clean up state,
+     * free memory, etc.
+     */
+}
+
+int template_open(my_bpftimeval ts)
+{
+    /*
+     * The "open" function is called at the start of each
+     * collection interval, which might be based on a period
+     * of time or a number of packets.  In the original code,
+     * this is where we opened an output pcap file.
+     */
+    return 0;
+}
+
+int template_close(my_bpftimeval ts)
+{
+    /*
+     * The "close" function is called at the end of each
+     * collection interval, which might be based on a period
+     * of time or on a number of packets.  In the original code
+     * this is where we closed an output pcap file.
+     */
+    return 0;
+}
+
+void template_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen,
+    const u_char* payload, const unsigned payloadlen)
+{
+    /*
+     * Here you can "process" a packet.  The function is named
+     * "output" because in the original code this is where
+     * packets were outputted.
+     *
+     * if flags & PCAP_OUTPUT_ISDNS != 0 then payload is the start of a DNS message.
+     *
+     * if flags & PCAP_OUTPUT_ISFRAG != 0 then the packet is a fragment.
+     *
+     * if flags & PCAP_OUTPUT_ISLAYER != 0 then the pkt_copy is the same as payload.
+     */
+}
diff --git a/plugins/template/test1.sh b/plugins/template/test1.sh
new file mode 100755
index 0000000..3cb518f
--- /dev/null
+++ b/plugins/template/test1.sh
@@ -0,0 +1,13 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'template.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the template plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin"
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
diff --git a/plugins/txtout/Makefile.am b/plugins/txtout/Makefile.am
new file mode 100644
index 0000000..c802b92
--- /dev/null
+++ b/plugins/txtout/Makefile.am
@@ -0,0 +1,22 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS) $(libldns_CFLAGS)
+
+pkglib_LTLIBRARIES = txtout.la
+txtout_la_SOURCES = txtout.c
+txtout_la_LDFLAGS = -module -avoid-version $(libldns_LIBS)
+
+TESTS = test1.sh
+EXTRA_DIST = $(TESTS)
+CLEANFILES += test1.out *.pcap-dist
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(txtout_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif
diff --git a/plugins/txtout/test1.sh b/plugins/txtout/test1.sh
new file mode 100755
index 0000000..c862e46
--- /dev/null
+++ b/plugins/txtout/test1.sh
@@ -0,0 +1,15 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'txtout.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the txtout plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin"
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -s
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -o test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
diff --git a/plugins/txtout/txtout.c b/plugins/txtout/txtout.c
new file mode 100644
index 0000000..37249b9
--- /dev/null
+++ b/plugins/txtout/txtout.c
@@ -0,0 +1,299 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <ctype.h>
+#include <errno.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+#include <ldns/ldns.h>
+
+#include "dnscap_common.h"
+
+static logerr_t* logerr;
+static char*     opt_o = 0;
+static int       opt_s = 0;
+static FILE*     out   = 0;
+
+output_t txtout_output;
+
+void txtout_usage()
+{
+    fprintf(stderr,
+        "\ntxtout.so options:\n"
+        "\t-?         print these instructions and exit\n"
+        "\t-o <arg>   output file name\n"
+        "\t-s         short output, only QTYPE/QNAME for IN\n");
+}
+
+void txtout_getopt(int* argc, char** argv[])
+{
+    /*
+     * The "getopt" function will be called from the parent to
+     * process plugin options.
+     */
+    int c;
+    while ((c = getopt(*argc, *argv, "?so:")) != EOF) {
+        switch (c) {
+        case 'o':
+            if (opt_o)
+                free(opt_o);
+            opt_o = strdup(optarg);
+            break;
+        case 's':
+            opt_s = 1;
+            break;
+        case '?':
+            txtout_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+}
+
+int txtout_start(logerr_t* a_logerr)
+{
+    /*
+     * The "start" function is called once, when the program
+     * starts.  It is used to initialize the plugin.  If the
+     * plugin wants to write debugging and or error messages,
+     * it should save the a_logerr pointer passed from the
+     * parent code.
+     */
+    logerr = a_logerr;
+    if (opt_o) {
+        out = fopen(opt_o, "w");
+        if (0 == out) {
+            logerr("%s: %s\n", opt_o, strerror(errno));
+            exit(1);
+        }
+    } else {
+        out = stdout;
+    }
+    setbuf(out, 0);
+    return 0;
+}
+
+void txtout_stop()
+{
+    /*
+     * The "start" function is called once, when the program
+     * is exiting normally.  It might be used to clean up state,
+     * free memory, etc.
+     */
+    if (out != stdout)
+        fclose(out);
+}
+
+int txtout_open(my_bpftimeval ts)
+{
+    /*
+     * The "open" function is called at the start of each
+     * collection interval, which might be based on a period
+     * of time or a number of packets.  In the original code,
+     * this is where we opened an output pcap file.
+     */
+    return 0;
+}
+
+int txtout_close(my_bpftimeval ts)
+{
+    /*
+     * The "close" function is called at the end of each
+     * collection interval, which might be based on a period
+     * of time or on a number of packets.  In the original code
+     * this is where we closed an output pcap file.
+     */
+    return 0;
+}
+
+ia_str_t           ia_str           = 0;
+tcpstate_getcurr_t tcpstate_getcurr = 0;
+tcpstate_reset_t   tcpstate_reset   = 0;
+
+void txtout_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_IA_STR:
+        ia_str = (ia_str_t)arg;
+        break;
+    case DNSCAP_EXT_TCPSTATE_GETCURR:
+        tcpstate_getcurr = (tcpstate_getcurr_t)arg;
+        break;
+    case DNSCAP_EXT_TCPSTATE_RESET:
+        tcpstate_reset = (tcpstate_reset_t)arg;
+        break;
+    }
+}
+
+void txtout_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, unsigned olen,
+    const u_char* payload, unsigned payloadlen)
+{
+    /*
+     * Short output, only print QTYPE and QNAME for IN records
+     */
+    if (opt_s) {
+        if (flags & DNSCAP_OUTPUT_ISDNS) {
+            ldns_pkt* pkt;
+
+            if (ldns_wire2pkt(&pkt, payload, payloadlen) != LDNS_STATUS_OK) {
+                if (tcpstate_getcurr && tcpstate_reset)
+                    tcpstate_reset(tcpstate_getcurr(), "");
+                return;
+            }
+
+            ldns_rr_list* qds = ldns_pkt_question(pkt);
+            if (qds) {
+                ldns_rr* qd = ldns_rr_list_rr(qds, 0);
+
+                if (qd && ldns_rr_get_class(qd) == LDNS_RR_CLASS_IN) {
+                    ldns_buffer* buf = ldns_buffer_new(512);
+                    if (!buf) {
+                        logerr("out of memmory\n");
+                        exit(1);
+                    }
+
+                    if (ldns_rr_type2buffer_str(buf, ldns_rr_get_type(qd)) == LDNS_STATUS_OK) {
+                        fprintf(out, "%s", (char*)ldns_buffer_begin(buf));
+                    } else {
+                        fprintf(out, "ERR");
+                    }
+
+                    ldns_buffer_clear(buf);
+                    if (ldns_rdf2buffer_str(buf, ldns_rr_owner(qd)) == LDNS_STATUS_OK) {
+                        fprintf(out, " %s\n", (char*)ldns_buffer_begin(buf));
+                    } else {
+                        fprintf(out, "ERR\n");
+                    }
+                    ldns_buffer_free(buf);
+                }
+            }
+            ldns_pkt_free(pkt);
+        }
+        return;
+    }
+
+    /*
+     * IP Stuff
+     */
+    fprintf(out, "%10ld.%06ld", (long)ts.tv_sec, (long)ts.tv_usec);
+    fprintf(out, " %s %u", ia_str(from), sport);
+    fprintf(out, " %s %u", ia_str(to), dport);
+    fprintf(out, " %hhu", proto);
+
+    if (flags & DNSCAP_OUTPUT_ISDNS) {
+        ldns_pkt* pkt;
+
+        if (ldns_wire2pkt(&pkt, payload, payloadlen) != LDNS_STATUS_OK) {
+            if (tcpstate_getcurr && tcpstate_reset)
+                tcpstate_reset(tcpstate_getcurr(), "");
+            fprintf(out, "\n");
+            return;
+        }
+
+        /*
+         * DNS Header
+         */
+        fprintf(out, " %u", ldns_pkt_id(pkt));
+        fprintf(out, " %u", ldns_pkt_get_opcode(pkt));
+        fprintf(out, " %u", ldns_pkt_get_rcode(pkt));
+        fprintf(out, " |");
+        if (ldns_pkt_qr(pkt))
+            fprintf(out, "QR|");
+        if (ldns_pkt_aa(pkt))
+            fprintf(out, "AA|");
+        if (ldns_pkt_tc(pkt))
+            fprintf(out, "TC|");
+        if (ldns_pkt_rd(pkt))
+            fprintf(out, "RD|");
+        if (ldns_pkt_ra(pkt))
+            fprintf(out, "RA|");
+        if (ldns_pkt_ad(pkt))
+            fprintf(out, "AD|");
+        if (ldns_pkt_cd(pkt))
+            fprintf(out, "CD|");
+
+        ldns_rr_list* qds = ldns_pkt_question(pkt);
+        if (qds) {
+            ldns_rr* qd = ldns_rr_list_rr(qds, 0);
+
+            if (qd) {
+                ldns_buffer* buf = ldns_buffer_new(512);
+                if (!buf) {
+                    logerr("out of memmory\n");
+                    exit(1);
+                }
+
+                if (ldns_rr_class2buffer_str(buf, ldns_rr_get_class(qd)) == LDNS_STATUS_OK) {
+                    fprintf(out, " %s", (char*)ldns_buffer_begin(buf));
+                } else {
+                    fprintf(out, " ERR");
+                }
+
+                ldns_buffer_clear(buf);
+                if (ldns_rr_type2buffer_str(buf, ldns_rr_get_type(qd)) == LDNS_STATUS_OK) {
+                    fprintf(out, " %s", (char*)ldns_buffer_begin(buf));
+                } else {
+                    fprintf(out, " ERR");
+                }
+
+                ldns_buffer_clear(buf);
+                if (ldns_rdf2buffer_str(buf, ldns_rr_owner(qd)) == LDNS_STATUS_OK) {
+                    fprintf(out, " %s", (char*)ldns_buffer_begin(buf));
+                } else {
+                    fprintf(out, "ERR");
+                }
+                ldns_buffer_free(buf);
+            }
+        }
+        ldns_pkt_free(pkt);
+    }
+    /*
+     * Done
+     */
+    fprintf(out, "\n");
+}
diff --git a/rpm/dnscap.spec b/rpm/dnscap.spec
new file mode 100644
index 0000000..3aab83f
--- /dev/null
+++ b/rpm/dnscap.spec
@@ -0,0 +1,605 @@
+Name:           dnscap
+Version:        2.0.0
+Release:        1%{?dist}
+Summary:        Network capture utility designed specifically for DNS traffic
+Group:          Productivity/Networking/DNS/Utilities
+
+License:        BSD-3-Clause
+URL:            https://www.dns-oarc.net/tools/dnscap
+# Source needs to be generated by dist-tools/create-source-packages, see
+# https://github.com/jelu/dist-tools
+Source0:        https://www.dns-oarc.net/files/dnscap/%{name}-%{version}.tar.gz?/%{name}_%{version}.orig.tar.gz
+
+BuildRequires:  libpcap-devel
+BuildRequires:  ldns-devel
+BuildRequires:  openssl-devel
+BuildRequires:  zlib-devel
+BuildRequires:  autoconf
+BuildRequires:  automake
+BuildRequires:  libtool
+BuildRequires:  perl-YAML
+BuildRequires:  cryptopant-devel
+BuildRequires:  pkgconfig
+
+%description
+dnscap is a network capture utility designed specifically for DNS
+traffic. It produces binary data in pcap(3) format. This utility
+is similar to tcpdump(1), but has a number of features tailored
+to DNS transactions and protocol options.
+
+
+%prep
+%setup -q -n %{name}_%{version}
+
+
+%build
+sh autogen.sh
+%configure
+make %{?_smp_mflags}
+
+
+%check
+make test
+
+
+%install
+rm -rf $RPM_BUILD_ROOT
+make install DESTDIR=$RPM_BUILD_ROOT
+
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+
+%files
+%defattr(-,root,root)
+%{_bindir}/*
+%{_datadir}/doc/*
+%{_mandir}/man1/*
+%{_libdir}/*
+
+
+%changelog
+* Fri Feb 12 2021 Jerry Lundström <lundstrom.jerry@gmail.com> 2.0.0-1
+- Release 2.0.0
+  * This major release contains three backward incompatible changes, two
+    new command line options and a completely restructured man-page(!),
+    please read the change notes carefully before upgrading!
+  * The first backward incompatible change has to do with the removal of
+    libbind dependency. This library was causing segfaults on OpenBSD due to
+    shared (and overwritten) symbols with OpenBSD's libc.
+    It was replaced with LDNS and LDNS renders domain names as Fully
+    Qualified Domain Names (FQDN, the trailing dot!) so every output of a
+    domain name has been changed to a FQDN.
+    This also changes `-X`/`-x`, which will now match against FQDNs.
+  * The second backward incompatible change is that `-6` has been removed.
+    This was used to alter the BPF in order to "fix" it, dnscap adds
+    specific filters to IP and UDP headers which does not work for IPv6
+    traffic.
+    The generated BPF has been changed to allow IPv6 to always pass, making
+    the option obsolete. IPv6 filtering is then done in dnscap.
+  * The last backward incompatible change has to do with the output format
+    of `-g` related to EDNS0 and is now more consistent with the rest of
+    the parsable output:
+    - No more spaces in the output
+    - Fix incorrect `\` and extra empty new-line
+    - All EDNS0 options are added after `edns0[...]` using comma separation, example: `edns0[],edns0opt[],...`
+    - Client Subnet format: `edns0opt[ECS,family=nn,source=nn,scope=nn,addr=...]`
+    - Unknown/unsupported code: `edns0opt[code=nn,codelen=nn]`
+    - Parsing error messages have changed, they came from libbind, now comes from LDNS
+  * New options:
+    - Add `-q` and `-Q` to filter on matched/not matched QTYPE
+  * Bugfixes:
+    - Fix memory leak in EDNS0 ECS address parsing
+    - `network`: Fix sonarcloud issues, potential `memcpy()` of null pointer
+  * Other changes:
+    - Fix CBOR output inclusion, LDNS is always available now
+    - Add macros for Apple and Windows endian functions
+    - Restructure and correct the man-page
+  * Commits:
+    557e5f5 man-page
+    025529f v6bug, interval
+    37b79e9 FQDN
+    ebcf434 QTYPE match, args, tests
+    0cb5562 v6bug
+    75f6115 Endian
+    aaeb213 Sonarcloud
+    8685946 CBOR output
+    3e26802 Sonarcloud
+    30aa366 libbind
+    3f94d0b Mattermost
+* Thu Oct 22 2020 Jerry Lundström <lundstrom.jerry@gmail.com> 1.12.0-1
+- Release 1.12.0
+  * This release fixes the handling of `-?` option for dnscap and all plugins,
+    previously the handling varied between places and depending on `getopt()`
+    implementation an invalid option could return the wrong exit code.
+  * Other changes:
+    - Fix typo in configure help text
+    - `plugins/anonmask`: Fix typo in help text
+    - `plugins/rzkeychange`:
+      - Add `-D`, dry run mode, for testing
+      - Fix handling of `-a` and error on too many
+  * KNOWN ISSUES:
+    On OpenBSD the system library libc exports the same symbols as libbind
+    does and this causes runtime warnings. Until now this has not caused any
+    known problems but is now also causing segfaults if the packet filter used
+    (BPF) includes IPv6 addresses.
+    On all other platforms OARC supports, these symbols are macros and in so
+    should not cause any problem.
+  * Commits:
+    ee478c0 Known issues
+    2f9d957 Tests
+    3c663a2 Tests
+    c88efc5 rzkeychange test
+    f062f33 Tests
+* Thu Aug 20 2020 Jerry Lundström <lundstrom.jerry@gmail.com> 1.11.1-1
+- Release 1.11.1
+  * This release fixes a lot of issues found by code analysis, adds a
+    explicit memory zeroing function to remove account information (read
+    when dropping privileges) and adds code coverage reporting.
+  * The `dnscap_memzero()` will use `explicit_bzero()` on FreeBSD and
+    OpenBSD, or `memset_s()` (if supported), otherwise it will manually
+    set the memory to zero. This will hopefully ensure that the memory
+    is zeroed as compilers can optimize out `memset()`'s that is just
+    before `free()`.
+  * The plugins exit code for the help option `-?` has been changed to 0
+    to have the same as `dnscap -?`.
+  * Commits:
+    d9747ee memzero
+    1cf17c6 Coverage
+    19c7120 Coverage
+    7435676 Sonarcloud
+    928e181 Sonarcloud
+    ca4afd0 Sonarcloud
+    028f5e0 Badges
+    db0d6a1 LGTM
+* Mon Jun 01 2020 Jerry Lundström <lundstrom.jerry@gmail.com> 1.11.0-1
+- Release 1.11.0
+  * This release includes a new plugin called `eventlog`, contributed
+    by Byron Darrah (@ByronDarrah), output DNS activity as log events,
+    including answers to A and AAAA queries.
+  * Other changes includes compile warning and code analysis fixes.
+  * Commits:
+    382eac4 COPR
+    4c03650 Compile warn
+    21d6a67 Slight change -- wording now matches usage() output.
+    dd19b0b Added the eventlog.so plugin...
+    1ebf504 Added new dnscap plugin: evenlog.so...
+    f3f9aaa Compile warnings
+* Mon Mar 02 2020 Jerry Lundström <lundstrom.jerry@gmail.com> 1.10.4-1
+- Release 1.10.4
+  * Fixed a bug that would not drop privileges when not specifying any
+    interface (which is equal to capturing on all interfaces).
+  * Added functionality to set the supplemental groups when dropping
+    privileges and changing user, or clear them if that is not supported.
+  * Other changes includes corrected man-page about '-w' and update to
+    documentation.
+  * Commits:
+    a0285e4 drop privileges errors, initgroups/setgroups
+    96336f3 daemon: Attempt to drop supplemental groups
+    467a9a7 Drop privileges
+    de940a8 man-page -w
+    187ec43 README
+* Wed Oct 02 2019 Jerry Lundström <lundstrom.jerry@gmail.com> 1.10.3-1
+- Release 1.10.3
+  * Fixed plugins inclusion in deb packages for Debian and Ubuntu.
+  * Commits:
+    017ebb2 Deb packages
+    cf59143 COPR, spec
+* Mon Aug 05 2019 Jerry Lundström <lundstrom.jerry@gmail.com> 1.10.2-1
+- Release 1.10.2
+  * Fixed bug in the handling of defragmentation configuration which lead
+    to the use of a local scope variable later on and caused unexpected
+    behavior.
+  * Commits:
+    91692b8 Frag conf
+    6a74376 Package
+    d0d1a6d Package
+* Mon Jul 08 2019 Jerry Lundström <lundstrom.jerry@gmail.com> 1.10.1-1
+- Release 1.10.1
+  * Fix various issues found by code analysis tools, a few compiler warnings
+    removed, undefined bit shift behavior fixed, parameter memory leaks
+    plugged and documentation updates.
+  * Fixes:
+    - `dump_dns`: Remove usage of `strcpy()` and use `snprintf()` instead
+      of `sprintf()`
+    - `bpft`:
+      - Use `text_ptr->len` to store length of generated text
+      - Use `memcpy()` instead of `strcat()`
+      - Remove unneeded `realloc()` and `strcpy()`
+    - `plugins/cryptopan`: Fix strict-aliasing warnings
+    - `network`: Rework part of `dl_pkt()` to remove usage of `strcpy()`
+      and use `snprintf()` instead of `sprintf()`
+    - `plugins/anonaes128`: Use `a6` as dest when copying v4 addresses for
+      readability and code analysis
+    - `plugins/cryptopan`: Run first pass separate to eliminate a 32bit
+      shift by 32 (undefined behavior)
+    - `plugins/cryptopant`: Fix memory leak of `keyfile` if `-k` is
+      specified more then once
+  * Documentation:
+    - Update `README.md` with correction to building from git and note
+      about PCAP on OpenBSD
+    - Fix #190: Update link to `libbind` source
+  * Commits:
+    074923c Funding
+    5d2e84c libbind
+    8ee9f2a Travis-CI
+    6babd09 Fixes
+    bb2d1c7 README, compile warnings
+    0d9cd9c LGTM, Travis-CI
+* Mon Dec 03 2018 Jerry Lundström <lundstrom.jerry@gmail.com> 1.10.0-1
+- Release 1.10.0
+  * This release adds a new plugin type "filter" and 5 new plugins that can
+    do anonymization, deanonymization and masking of the IP addresses.
+  * New features:
+    - Check plugins for `pluginname_type()` which returns `enum plugin_type`,
+      if missing the plugin is counted as an "output" plugin
+    - New plugin type "filter" which calls `pluginname_filter()` prior of
+      outputting any data or calling of "output" plugins, if the new function
+      returns non-zero then the packet is filtered out (dropped)
+    - New extension `DNSCAP_EXT_SET_IADDR` that gives access to a function
+      for setting the from and to IP addresses both in the extracted data
+      and the wire
+  * New plugins:
+    - `anonaes128`: Anonymize IP addresses using AES128
+    - `anonmask`: Pseudo-anonymize IP addresses by masking them
+    - `cryptopan`: Anonymize IP addresses using an extension to Crypto-PAn
+      (College of Computing, Georgia Tech) made by David Stott (Lucent)
+    - `cryptopant`: Anonymize IP addresses using cryptopANT, a different
+      implementation of Crypto-PAn made by the ANT project at USC/ISI
+    - `ipcrypt`: Anonymize IP addresses using ipcrypt create by
+      Jean-Philippe Aumasson
+  * Bugfixes:
+    - Fix changing `royparse` and `txtout` with other plugins (thanks to
+      Duane Wessels and Paul Hoffman)
+    - Free pointers to allocated strings in `text_free()` (thanks to Michał
+      Kępień)
+    - Fix IP checksum calculation
+  * Other changes:
+    - `-B` and `-E` can be used without `-w` (thanks to Duane Wessels)
+    - Use `pcap_findalldevs()` instead of `pcap_lookupdev()` (thanks to
+      Michał Kępień)
+    - Document and add `-?` option to all plugins
+    - Fix clang `scan-build` bugs and LGTM alerts
+    - Use `gmtime_r()` instead of `gmtime()`
+    - Update `pcap-thread` to v4.0.0
+  * Commits:
+    67d8e2c Fix
+    fb0ed02 Plugin documentation
+    a2c9a6c cryptopant
+    39db1ca Deanonymize, IPv6 test
+    afc7107 Crypto-PAn, cryptopANT
+    f1912cc OpenSSL, anonaes128
+    f2bab62 ipcrypt, anonmask
+    158b1e7 anonmask help
+    60ece58 anonmask
+    8f1b138 Plugin types, filter plugin, set iaddr extension, anonymization
+            by masking
+    b7d7991 IP checksum
+    641a23a Free pointers to allocated strings in text_free()
+    4d313bf pcap_findalldevs()
+    091e0ca Use pcap_findalldevs() instead of pcap_lookupdev()
+    6a7b25e Clean up use of feature test macros on Linux
+    cbba14c Configure, uninitialized
+    f228c9c Code formatting
+    3fd738c man-page
+    770168a Test
+    714e4f5 Fix -B <begin> so that it works when reading offline pcap files.
+    8675bea Test
+    911fec9 Implementing test9 as a test of -B and -E command line args.
+    a7cc72d -B <begin> and -E <end> can work fine without -w <base>.
+    04c4928 Made the same changes to txtout as were in 165a786
+    165a786 Workaround for stdio mystery causing duplicate royparse output.
+* Wed Feb 28 2018 Jerry Lundström <lundstrom.jerry@gmail.com> 1.9.0-1
+- Release 1.9.0
+  * This release adds a new option to change how the Berkeley Packet Filter
+    is generated to include the host restrictions for all selections,
+    previously this restriction would only apply to specific parts.
+  * Additional tweaks to the RSSM plugin has been made to conform to the
+    RSSAC002v3 specification. One noticeable change is that the plugin now
+    requires the DNS to be parsed before counted, any error in the parsing
+    will result in the message being left out of the statistics.
+  * Changes:
+    - Fix spacing in BPF filter to look better
+    - Fix #146: Add `bpf_hosts_apply_all`, apply any host restriction to all
+    - `plugin/rssm`:
+      - Remove quoting of `start-period` and correctly handle empty hashes
+      - Issue #152, Issue #91: Parse DNS before processing RSSM counters
+    - `plugin/rssm/dnscap-rssm-rssac002`: Use `YAML::Dump()` for output
+  * Commits:
+    47d892b Issue #152: RSSM YAML output
+    d4f1466 Issue #152, Issue #91: Parse DNS before processing RSSM counters
+    68fc1ff BPF, `bpf_hosts_apply_all`
+* Wed Feb 07 2018 Jerry Lundström <lundstrom.jerry@gmail.com> 1.8.0-1
+- Release 1.8.0
+  * This release updates the TCP stream code in order to be able to look
+    at more then just the first query, for handling already ongoing TCP
+    connections without having seen SYN/ACK and for reassembly of the TCP
+    stream prior of parsing it for DNS with an additional layer of parsing
+    (see `reassemble_tcp_bfbparsedns`).
+  * Updates to the Root Server Scaling Measurement (RSSM) plugin have also
+    been made to bring it up to date with RSSAC002v3 specification, be
+    able to output the YAML format described and an additional script to
+    merge YAML files if the interval is less then the RSSAC002v3 24 hour
+    period. See "Updates to the RSSM plugin" below and
+    `plugins/rssm/README.md`.
+  * New extended options:
+    - `parse_ongoing_tcp`: Start tracking TCP connections even if SYN/ACK
+      has not been seen
+    - `allow_reset_tcpstate`: Allow external reset of TCP state
+    - `reassemble_tcp`: Use to enable TCP stream reassembly
+    - `reassemble_tcp_faultreset`: Number of faults before reseting TCP
+      state when reassembly is enabled
+    - `reassemble_tcp_bfbparsedns`: Enable an experimental additional layer
+      of reassemble that uses `libbind` to parse the payload before accepting
+      it. If the DNS is invalid it will move 2 bytes within the payload and
+      treat it as a new payload, taking the DNS length again and restart
+      the process. Requires `libbind` and `reassemble_tcp`.
+  * New extension functions for plugins:
+    - `DNSCAP_EXT_TCPSTATE_GETCURR`: Function to get a pointer for the
+      current TCP state
+    - `DNSCAP_EXT_TCPSTATE_RESET`: Function to reset a TCP state
+  * New features:
+    - Parse additional DNS queries in TCP connections
+    - `-g` and the `txtout` plugin will reset TCP state (if allowed) on
+      failure to parse DNS
+  * Bugfixes:
+    - Fix `-g` output, separate error message with a space
+    - Fix TCP packets wrongfully flagged as DNS when using layers.
+    - Fix TCP debug output when using layers, `ia_str()` is not safe to call
+      twice in the same `printf` because of local buffer.
+    - Fix exported extension functions, need to be file local
+  * New tests for:
+    - Multiple DNS queries in one TCP connection
+    - Query over TCP without SYN
+    - Queries over TCP with first query missing length
+    - Queries over TCP with middle payloads missing
+    - Add test with TCP stream that missing multiple packets in the middle
+  * Updates to the RSSM plugin (`plugins/rssm`):
+    - Add info about saving counts and sources
+    - Fix memory leak on `fopen()` errors
+    - Update to RSSAC002v3 specification
+    - New options:
+      - `-D` to disable forking on close
+      - `-Y`: Use RSSAC002v3 YAML format when writing counters, the file
+        will contain multiple YAML documents, one for each RSSAC002v3 metric
+        Used with; -S adds custom metric `dnscap-rssm-sources` and -A adds
+        `dnscap-rssm-aggregated-sources`
+      - `-n`: Set the service name to use in RSSAC002v3 YAML
+      - `-S`: Write source IPs into counters file with the prefix `source`
+      - `-A`: Write aggregated IPv6(/64) sources into counters file with
+        the prefix `aggregated-source`
+      - `-a`: Write aggregated IPv6(/64) sources to
+        `<name>.<timesec>.<timeusec>`
+    - Add `dnscap-rssm-rssac002` Perl script for merging RSSAC002v3 YAML files
+    - Add README.md for the plugin man-page for `dnscap-rssm-rssac002`
+    - Add test for YAML output and merging of YAML files
+  * Commits:
+    c7058c8 Use file local functions for all extensions
+    66b352d RSSM RSSAC002v3 YAML Tool
+    b09efc2 `plugins/rssm` RSSAC002v3
+    709aba6 Fix #89: Add additional reassembly layers that parses the
+            payload byte for byte for valid DNS
+    04fa013 Fix CID 1463944 (again)
+    b1cf623 RSSM saving data and forking
+    fb23305 Fix CID 1463944
+    0fca1a8 Issue #89: TCP stream reassemble
+    bb6428c CID 1463814: Check `ns_initparse()` for errors
+    a57066f Fix #88: TCP handling
+* Wed Dec 27 2017 Jerry Lundström <lundstrom.jerry@gmail.com> 1.7.1-1
+- Release 1.7.1
+  * The library used for parsing DNS (libbind) is unable to parse DNS
+    messages when there is padding at the end (the UDP/TCP payload is larger
+    then the DNS message). This has been fixed by trying to find the actual
+    DNS message size, walking all labels and RR data, and then retry parsing.
+  * Other changes and bug-fixes:
+    - Fix size when there is a VLAN to match output of `use_layers` yes/no
+    - Add test of VLAN matching
+    - Fix `hashtbl.c` building in `rssm`
+    - Add test with padded DNS message
+  * Commits:
+    49e5400 Fix #127: If `ns_initparse()` returns `EMSGSIZE`, try and get
+            actual size and reparse
+    99bda0b Fix #98: VLAN
+* Tue Dec 19 2017 Jerry Lundström <lundstrom.jerry@gmail.com> 1.7.0-1
+- Release 1.7.0
+  * This release adds IP fragmentation handling by using layers in pcap-thread
+    which also adds a new flag to output and modules. `DNSCAP_OUTPUT_ISLAYER`
+    indicates that `pkt_copy` is equal to `payload` since the layers of the
+    traffic have already been parsed. IP fragments are reassembled with the
+    `pcap_thread_ext_frag` extension that is included in pcap-thread.
+  * New extended (`-o`) options:
+    - `use_layers`: Use pcap-thread layers to handle the traffic
+    - `defrag_ipv4`: Enabled IPv4 de-fragmentation
+    - `defrag_ipv6`: Enabled IPv6 de-fragmentation
+    - `max_ipv4_fragments`: Set maximum fragmented IPv4 packets to track
+    - `max_ipv4_fragments_per_packet`: Set the maximum IPv4 fragments per
+      tracked packet
+    - `max_ipv6_fragments`: Set maximum fragmented IPv6 packets to track
+    - `max_ipv6_fragments_per_packet`: Set the maximum IPv6 fragments per
+      tracked packet
+  * Currently `-w` does not work with `use_layers` and the plugins `pcapdump`
+    and `royparse` will discard output with the flag `DNSCAP_OUTPUT_ISLAYER`
+    because they need access to the original packet.
+  * The `rzkeychange` plugin now encodes certain flag bits in the data that
+    it reports for RFC8145 key tag signaling. The flags of interest are:
+    `DO`, `CD`, and `RD`. These are encoded in an bit-mask as a hexadecimal
+    value before the `_ta` component of the query name.
+  * Other changes and bug-fixes:
+    - Fix #115: document `-g` output, see `OUTPUT FORMATS` `diagnostic` in
+      `dnscap(1)` man-page
+    - Add test to match output from non-layers runs with those using layers
+    - Add test with fragmented DNS queries
+    - Fix #120: CBOR/CDS compiles again, update tinycbor to v0.4.2
+    - Fix `ip->ip_len` byte order
+    - Fix parsing of IP packets with padding or missing parts of payload
+  * Commits:
+    0347f74 Add AUTHORS section in man-page
+    ef1b68c Fix CID 1463073
+    8a79f89 Layers
+    a404d08 Update pcap-thread to v3.1.0, add test for padding fixes
+    08402f1 Fix byte order bug.  ip->ip_len must be evaluated with ntohs().
+    d6d2340 CBOR/CDS and formatting
+    85ec2d8 Fix #87: IP fragmentation reassembly
+    22bfd4a Documentation
+    c35f19f Adding flag bits to rzkeychange RFC8145 key tag signaling data.
+            This may be useful to find "false" key tag signals from sources
+            that don't actually perform DNSSEC validation.
+* Fri Dec 01 2017 Jerry Lundström <lundstrom.jerry@gmail.com> 1.6.0-1
+- Release 1.6.0
+  * New additions to the plugins:
+    - `rzkeychange` can now collect RFC8145 key tag signaling. Signals are
+      saved during the collection interval, and then sent to the specified
+      `-k <zone>`, one at a time, at the end of the interval. Only root zone
+      signals are collected. Added by Duane Wessels (@wessels).
+    - `royparse` is a new plugin to splits a PCAP into two streams, queries
+      in PCAP format and responses in ASCII format. Created by Roy Arends
+      (@RoyArends).
+    - `txtout` new option `-s` for short output, only print QTYPE and QNAME
+      for IN records. Added by Paul Hoffman (@paulehoffman)
+    - The extension interface has been extended with `DNSCAP_EXT_IA_STR` to
+      export the `ia_str()` function.
+  * Bugfixes and other changes:
+    - Remove duplicated hashtbl code
+    - `rssm`: fix bug where count in table was taken out as `uint16_t` but
+      was a `uint64_t`
+    - Handle return values from hashtbl functions
+    - `txtout`: removed unused `-f` options
+    - Change `ia_str()` to use buffers with correct sizes, thanks to
+      @RoyArends for spotting this!
+  * Commits:
+    3f78a31 Add copy/author text
+    1bd914d Fix CID 1462343, 1462344, 1462345
+    f9bb955 Fix `fprintf()` format for message size
+    abedf84 Fix #105: `inet_ntop` buffers
+    bfdcd0d Addresses the suggestions from Jerry.
+    dda0996 royparse :)
+    4f6520a royparse plugin finished
+    f1aa4f2 Fix #103: Remove `opt_f`
+    32355b7 Rearrange code to keep the change smaller and fix indentation
+    d6612c1 Added -s to txtout for short output
+    9d8d1ef Check return of `snprintf()`
+    55f5aba Format code
+    9f19ec3 Fixed memory leak in rzkeychange_keytagsignal()
+    58b8784 Fix memory leaks and better return value checks in
+            rzkeychange_submit_counts()
+    b06659f Add server and node to keytag signal query name
+    705a866 Always free response packets in rzkeychange plugin.
+    e802843 Implement RFC8145 key tag signal collection in rzkeychange plugin
+    5fbf6d0 Added extension for ia_str() so it can be used by rzkeychange
+            plugin.
+    3be8b8f Split `dnscap.c` into more files
+    e431d14 Fix #92: hashtbl
+* Mon Aug 21 2017 Jerry Lundström <lundstrom.jerry@gmail.com> 1.5.1-1
+- Release 1.5.1
+  * Compatibility fixes for FreeBSD 11.1+ which is now packing `struct ip`
+    and for OpenBSD.
+  * Commits:
+    17e3c92 FreeBSD is packing `struct ip`, need to `memcpy()`
+    f8add66 Code formatting
+    38cd585 Add documentation about libbind
+    d1dd55b Fix #82: Update dependencies for OpenBSD
+* Tue Jun 06 2017 Jerry Lundström <lundstrom.jerry@gmail.com> 1.5.0-1
+- Release 1.5.0
+  * Added support for writing gzipped PCAP if the `-W` suffix ends with
+    `.gz` and made `-X` work without `-x`. New inteface for plugins to
+    tell them what extensions are available and a new plugin `rzkeychange`.
+  * Plugin extensions:
+    - Call `plugin_extension(ext, arg)` to tell plugin what extensions exists
+    - Add extension for checking responder (`is_responder()`)
+  * The rzkeychange plugin was developed by Duane Wessels 2016 in support
+    of the root zone ZSK size increase. It is also being used in support of
+    the 2017 root KSK rollover and collects the following measurements:
+    - total number of responses sent
+    - number of responses with TC bit set
+    - number of responses over TCP
+    - number of DNSKEY responses
+    - number of ICMP_UNREACH_NEEDFRAG messages received
+    - number of ICMP_TIMXCEED_INTRANS messages received
+    - number of ICMP_TIMXCEED_REASS messages received
+  * Other fixes (author Duane Wessels):
+    - 232cbd0: Correct comment description for meaning of IPPROTO_AH
+    - 181eaa4: Add #include <sys/time.h> for struct timeval on NetBSD
+  * Commits:
+    1d894e2 Make -x and -X work correctly together and update man-page
+    34bc54c Make the -X option work without requiring a -x option.
+    f43222e Fix CID 1440488, 1440489, 1440490
+    aa54395 Update pcap-thread to v2.1.3
+    81174ce Prepare SPEC for OSB/COPR
+    21d7468 New plugin rzkeychange and plugin extensions
+    38491a3 Config header is generated by autotools
+    419a8ab Small tweaks and fixes for gzip support
+    1967abc updated for earlier BSD versions
+    f135c90 added auto gzip if the -W suffix ends with .gz
+  * Commits during development of rzkeychange (author Duane Wessels):
+    - 620828d: Add rzkeychange -z option to specify resolver IP addresses
+    - 1f77987: Add -p and -t options to rzkeychange plugin to configure an
+      alternate port and TCP. Useful for ssh tunnels.
+    - 2a571f1: Split ICMP time exceeded counter into two counters for time
+      exceeded due to TTL and another due to fragmentation
+    - e4ee2d3: The rzkeychange data collection plugin uses
+      `DNSCAP_EXT_IS_RESPONDER` extension to know if an IP address is a
+      "responder" or not, because when dnscap is instructed to collect ICMP
+      with -I, it processes all ICMP packets, not just those limited to
+      responders (or initiators).
+    - cee16b8: Add ICMP Time Exceeded to counters
+    - ad8a227: Counting source IPs has performance impacts. #ifdef'd out for
+      now add ICMP "frag needed" counts
+    - c25e72b: Implemented DNS queries with ldns. First there will be some
+      test queries to ensure the zone is reachable and configured to receive
+      data. Then a query naming the fields, followed by the periodic queries
+      delivering counts.
+    - fd23be7: Make report zone, server, node command line argumements mandatory
+    - 137789b: Adding rzkeychange plugin files
+* Wed Mar 29 2017 Jerry Lundström <lundstrom.jerry@gmail.com> 1.4.1-1
+- Release 1.4.1
+  * Fixed an issue that when compiled with libpcap that had a specific
+    feature enabled it would result in a runtime error which could not be
+    worked around.
+  * Also fixed various compatibility issues and updated dependency
+    documentation for CentOS.
+  * Commits:
+    785d4c4 Fix compiler warnings
+    2d4df8d Fix #65: Update pcap-thread to v2.1.2
+    26d3fbc Fix #64: Add missing dependency
+    55e6741 Update pcap-thread to v2.1.1, fix issue with libpcap timestamp
+            type
+    c6fdb7a Fix typo and remove unused variables
+* Mon Feb 27 2017 Jerry Lundström <lundstrom.jerry@gmail.com> 1.4.0-1
+- Release 1.4.0
+  * Until it can be confirmed that the threaded code works as well as the
+    non-threaded code it has been made optional and requires a configuration
+    option to enable it during compilation.
+  * New extended option:
+    - `-o pcap_buffer_size=<bytes>` can be used to increase the capture
+      buffer within pcap-thread/libpcap, this can help mitigate dropped
+      packets by the kernel during breaks (like when closing dump file).
+  * Commits:
+    1c6fbb2 Update copyright year
+    63ef665 Suppress OpenBSD warnings about symbols
+    2c99946 pcap-thread v2.0.0, disable threads, errors handling
+    4cade97 Fix #56: Update pcap-thread to v1.2.2 and add test
+* Fri Dec 23 2016 Jerry Lundström <lundstrom.jerry@gmail.com> 1.3.0-1
+- Release 1.3.0
+  * Rare lockup has been fixed that could happen if a signal was received
+    in the wrong thread at the wrong time due to `pcap_thread_stop()`
+    canceling and waiting on threads to join again. The handling of signals
+    have been improved for threaded and non-threaded operations.
+  * New features:
+    - Experimental CBOR DNS Stream format output, see `CBOR_DNS_STREAM.md`
+    - Extended options to specify user and group to use when dropping
+      privileges, see EXTENDED OPTIONS in man-page
+  * Commits:
+    a5fa14e Signal and threads
+    3868104 Use old style C comments
+    7946be5 Clarify building
+    d5463b4 RPM spec and various automake fixes
+    df206bf Resource data indexing and documentation
+    0e2d0fe Fix #22, fix #43: Update README
+    5921d73 Add stream option RLABELS and RLABEL_MIN_SIZE
+    6dd6ec1 Implement experimental CBOR DNS Stream Format
+    4baf695 Fix #37: Extended options to specifty user/group to use when
+            dropping privileges
+    61d830a Fix #35: Use `AC_HEADER_TIME` and fix warning
+* Thu Dec 15 2016 Jerry Lundström <lundstrom.jerry@gmail.com> 1.2.0-1
+- Initial package
diff --git a/sonar-project.properties.local b/sonar-project.properties.local
new file mode 100644
index 0000000..5322ee1
--- /dev/null
+++ b/sonar-project.properties.local
@@ -0,0 +1 @@
+sonar.coverage.exclusions=src/hashtbl.c, src/dump_cbor.c, src/dump_cds.c, src/assert.c
diff --git a/src/Makefile.am b/src/Makefile.am
new file mode 100644
index 0000000..e194d95
--- /dev/null
+++ b/src/Makefile.am
@@ -0,0 +1,42 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in $(srcdir)/config.h.in
+CLEANFILES = dnscap.1 *.gcda *.gcno *.gcov
+
+SUBDIRS = test
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir) \
+    $(SECCOMPFLAGS) \
+    $(PTHREAD_CFLAGS) \
+    $(libcrypto_CFLAGS) \
+    $(libldns_CFLAGS)
+
+EXTRA_DIST = dnscap.1.in
+
+bin_PROGRAMS = dnscap
+
+dnscap_SOURCES = args.c assert.c bpft.c daemon.c dnscap.c dump_cbor.c \
+    dump_cds.c dump_dns.c dumper.c endpoint.c hashtbl.c iaddr.c log.c \
+    network.c options.c pcaps.c sig.c tcpstate.c tcpreasm.c memzero.c \
+    pcap-thread/pcap_thread.c pcap-thread/pcap_thread_ext_frag.c
+dist_dnscap_SOURCES = args.h bpft.h daemon.h dnscap_common.h dnscap.h \
+  dump_cbor.h dump_cds.h dump_dns.h dumper.h endpoint.h hashtbl.h iaddr.h \
+  log.h network.h options.h pcaps.h sig.h tcpstate.h tcpreasm.h memzero.h \
+  endian_compat.h \
+  pcap-thread/pcap_thread.h pcap-thread/pcap_thread_ext_frag.h
+dnscap_LDADD = $(PTHREAD_LIBS) $(libcrypto_LIBS) $(libldns_LIBS)
+
+man1_MANS = dnscap.1
+
+dnscap.1: dnscap.1.in Makefile
+	sed -e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g' \
+        -e 's,[@]PACKAGE_URL[@],$(PACKAGE_URL),g' \
+        -e 's,[@]PACKAGE_BUGREPORT[@],$(PACKAGE_BUGREPORT),g' \
+        -e 's,[@]pkglibdir[@],$(pkglibdir),g' \
+        < $(srcdir)/dnscap.1.in > dnscap.1
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(dnscap_SOURCES); do \
+	  gcov -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif
diff --git a/src/args.c b/src/args.c
new file mode 100644
index 0000000..a7dd500
--- /dev/null
+++ b/src/args.c
@@ -0,0 +1,843 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "args.h"
+#include "endpoint.h"
+#include "iaddr.h"
+#include "log.h"
+#include "tcpstate.h"
+#include "network.h"
+
+#include <ldns/ldns.h>
+
+/*
+ * OpenBSD and Debian Stretch i386 need file local functions for export
+ * to loaded modules, so use this for all platforms.
+ */
+void* _tcpstate_getcurr(void)
+{
+    return (void*)tcpstate_getcurr();
+}
+
+void _tcpstate_reset(void* tcpstate, const char* msg)
+{
+    tcpstate_reset((tcpstate_ptr)tcpstate, msg);
+}
+
+const char* _ia_str(iaddr ia)
+{
+    return ia_str(ia);
+}
+
+extern struct ip6_hdr* network_ipv6;
+extern struct ip*      network_ip;
+extern struct udphdr*  network_udp;
+
+void set_iaddr(iaddr* from, iaddr* to)
+{
+    if (from) {
+        switch (from->af) {
+        case AF_INET:
+            if (network_ip) {
+                memcpy(&network_ip->ip_src, &from->u.a4, sizeof(struct in_addr));
+            }
+            break;
+        case AF_INET6:
+            if (network_ipv6) {
+                memcpy(&network_ipv6->ip6_src, &from->u.a6, sizeof(struct in6_addr));
+            }
+            break;
+        default:
+            from = 0;
+            break;
+        }
+    }
+    if (to) {
+        switch (to->af) {
+        case AF_INET:
+            if (network_ip) {
+                memcpy(&network_ip->ip_dst, &to->u.a4, sizeof(struct in_addr));
+            }
+            break;
+        case AF_INET6:
+            if (network_ipv6) {
+                memcpy(&network_ipv6->ip6_dst, &to->u.a6, sizeof(struct in6_addr));
+            }
+            break;
+        default:
+            to = 0;
+            break;
+        }
+    }
+    if (from || to) {
+        if (network_ip) {
+            network_ip->ip_sum = 0;
+            network_ip->ip_sum = ~in_checksum((u_char*)network_ip, sizeof *network_ip);
+        }
+        if (network_udp) {
+            network_udp->uh_sum = 0;
+        }
+    }
+}
+
+#ifdef __linux__
+extern char* strptime(const char*, const char*, struct tm*);
+#endif
+
+time_t xtimegm(struct tm* tmp)
+{
+#if defined(__SVR4) && defined(__sun)
+    char tz[3] = "TZ=";
+    putenv((char*)tz);
+    return mktime(tmp);
+#else
+    return timegm(tmp);
+#endif
+}
+
+void usage(const char* msg)
+{
+    struct plugin* p;
+
+    fprintf(stderr, "%s: usage error: %s\n", ProgramName, msg);
+    fprintf(stderr, "\n");
+
+    help_1();
+
+    for (p = HEAD(plugins); p != NULL; p = NEXT(p, link))
+        if (p->usage)
+            (*p->usage)();
+
+    fprintf(stderr,
+        "\nnote: the -? or -\\? option will display full help text\n");
+
+    exit(1);
+}
+
+void help_1(void)
+{
+    fprintf(stderr, "%s: version %s\n\n", ProgramName, PACKAGE_VERSION);
+    fprintf(stderr,
+        "usage: %s\n"
+        "  [-?VbNpd1gfTI"
+#ifdef USE_SECCOMP
+        "y"
+#endif
+        "SMD] [-o option=value]+\n"
+        "  [-i <if>]+ [-r <file>]+ [-l <vlan>]+ [-L <vlan>]+\n"
+        "  [-u <port>] [-m [qun]] [-e [nytfsxir]] [-h [ir]] [-s [ir]]\n"
+        "  [-a <host>]+ [-z <host>]+ [-A <host>]+ [-Z <host>]+ [-Y <host>]+\n"
+        "  [-w <base> [-W <suffix>] [-k <cmd>] -F <format>]\n"
+        "  [-t <lim>] [-c <lim>] [-C <lim>]\n"
+        "  [-x <pat>]+ [-X <pat>]+\n"
+        "  [-B <datetime>] [-E <datetime>]\n"
+        "  [-U <str>] [-q <num|str>] [-Q <num|str>]\n"
+        "  [-P plugin.so <plugin options...>]\n",
+        ProgramName);
+}
+
+void help_2(void)
+{
+    help_1();
+    fprintf(stderr,
+        "\noptions:\n"
+        "  -? or -\\?  print these instructions and exit\n"
+        "  -V         print version and exit\n"
+        "  -o opt=val extended options, see man page for list of options\n"
+        "  -b         run in background as daemon\n"
+        "  -N         do not attempt to drop privileges, this is implicit\n"
+        "             if only reading offline pcap files\n"
+        "  -p         do not put interface in promiscuous mode\n"
+        "  -d         dump verbose trace information to stderr, specify multiple\n"
+        "             times to increase debugging\n"
+        "  -1         flush output on every packet\n"
+        "  -g         dump packets dig-style on stderr\n"
+        "  -f         include fragmented packets\n"
+        "  -T         include TCP packets (DNS header filters will inspect only the\n"
+        "             first DNS header, and the result will apply to all messages\n"
+        "             in the TCP stream; DNS payload filters will not be applied.)\n"
+        "  -I         include ICMP and ICMPv6 packets\n"
+        "  -i <if>    select this live interface(s)\n"
+        "  -r <file>  read this pcap file\n"
+        "  -l <vlan>  select only these vlan(s) (4095 for all)\n"
+        "  -L <vlan>  select these vlan(s) and non-VLAN frames (4095 for all)\n"
+        "  -u <port>  dns port (default: 53)\n"
+        "  -m [qun]   select messages: query, update, notify\n"
+        "  -e [nytfsxir] select error/response code\n"
+        "                 n = no error\n"
+        "                 y = any error\n"
+        "                 t = truncated response\n"
+        "                 f = format error (rcode 1)\n"
+        "                 s = server failure (rcode 2)\n"
+        "                 x = nxdomain (rcode 3)\n"
+        "                 i = not implemented (rcode 4)\n"
+        "                 r = refused (rcode 5)\n"
+        "  -h [ir]    hide initiators and/or responders\n"
+        "  -s [ir]    select sides: initiations, responses\n"
+        "  -a <host>  want messages from these initiator(s)\n"
+        "  -z <host>  want messages from these responder(s)\n"
+        "  -A <host>  want messages NOT to/from these initiator(s)\n"
+        "  -Z <host>  want messages NOT to/from these responder(s)\n"
+        "  -Y <host>  drop responses from these responder(s)\n"
+        "  -w <base>  dump to <base>.<timesec>.<timeusec>\n"
+        "  -W <suffix> add suffix to dump file name, e.g. '.pcap'\n"
+        "  -k <cmd>   kick off <cmd> when each dump closes\n"
+        "  -F <format> dump format: pcap (default), cbor, cds\n"
+        "  -t <lim>   close dump or exit every/after <lim> secs\n"
+        "  -c <lim>   close dump or exit every/after <lim> pkts\n"
+        "  -C <lim>   close dump or exit every/after <lim> bytes captured\n"
+        "  -x <pat>   select messages matching regex <pat>\n"
+        "  -X <pat>   select messages not matching regex <pat>\n"
+#ifdef USE_SECCOMP
+        "  -y         enable seccomp-bpf\n"
+#endif
+        "  -S         show summarized statistics\n"
+        "  -B <datetime> begin collecting at this date and time\n"
+        "  -E <datetime> end collecting at this date and time\n"
+        "  -M         set monitor mode on interfaces\n"
+        "  -D         set immediate mode on interfaces\n"
+        "  -U <str>   append 'and <str>' to the pcap filter\n"
+        "  -q <num|str> select messages based on QTYPE\n"
+        "  -Q <num|str> filter out messages based on QTYPE\n"
+        "  -P <plugin.so> load plugin, any argument after this is sent to the plugin!\n");
+}
+
+void check_gzip()
+{
+    char* dot = strrchr(dump_suffix, '.');
+    if (dot) {
+        wantgzip = (strcmp(dot, ".gz") == 0) ? TRUE : FALSE;
+    }
+
+#if !(HAVE_GZOPEN && (HAVE_FUNOPEN || HAVE_FOPENCOOKIE))
+    if (wantgzip) {
+        fprintf(stderr, "error: gzip compression requested but not supported\n");
+        exit(1);
+    }
+#endif
+}
+
+int is_responder(iaddr ia)
+{
+    if (EMPTY(responders))
+        return 1;
+    if (ep_present(&responders, ia))
+        return 1;
+    return 0;
+}
+
+void parse_args(int argc, char* argv[])
+{
+    mypcap_ptr    mypcap;
+    unsigned long ul;
+    vlan_ptr      vlan;
+    unsigned      u;
+    int           ch;
+    char *        p, *match_qtype_arg = 0;
+
+    if ((p = strrchr(argv[0], '/')) == NULL)
+        ProgramName = argv[0];
+    else
+        ProgramName = p + 1;
+    INIT_LIST(vlans_incl);
+    INIT_LIST(vlans_excl);
+    INIT_LIST(mypcaps);
+    INIT_LIST(initiators);
+    INIT_LIST(responders);
+    INIT_LIST(not_initiators);
+    INIT_LIST(not_responders);
+    INIT_LIST(drop_responders);
+    INIT_LIST(myregexes);
+    INIT_LIST(plugins);
+    while ((ch = getopt(argc, argv,
+                "a:bc:de:fgh:i:k:l:m:o:pr:s:t:u:w:x:yz:q:"
+                "A:B:C:DE:F:IL:MNP:STU:VW:X:Y:Z:Q:1?"))
+           != EOF) {
+        switch (ch) {
+        case 'o':
+            if (option_parse(&options, optarg)) {
+                fprintf(stderr, "%s: unknown or invalid extended -o option: %s\n", ProgramName, optarg);
+                exit(1);
+            }
+            break;
+        case 'b':
+            background = TRUE;
+            break;
+        case 'N':
+            dont_drop_privileges = TRUE;
+            break;
+        case 'p':
+            promisc = FALSE;
+            break;
+        case 'd':
+            dumptrace++;
+            break;
+        case '1':
+            flush = TRUE;
+            break;
+        case 'g':
+            preso = TRUE;
+            break;
+        case 'f':
+            wantfrags = TRUE;
+            break;
+        case 'I':
+            wanticmp = TRUE;
+            break;
+        case 'V':
+            printf("%s version %s\n", ProgramName, PACKAGE_VERSION);
+            exit(0);
+        case 'i':
+            if (pcap_offline != NULL)
+                usage("-i makes no sense after -r");
+            mypcap = calloc(1, sizeof *mypcap);
+            assert(mypcap != NULL);
+            INIT_LINK(mypcap, link);
+            mypcap->name = strdup(optarg);
+            assert(mypcap->name != NULL);
+            APPEND(mypcaps, mypcap, link);
+            break;
+        case 'r':
+            if (!EMPTY(mypcaps))
+                usage("-r makes no sense after -i");
+            pcap_offline = calloc(1, sizeof *pcap_offline);
+            assert(pcap_offline != NULL);
+            INIT_LINK(pcap_offline, link);
+            pcap_offline->name = strdup(optarg);
+            assert(pcap_offline->name != NULL);
+            APPEND(mypcaps, pcap_offline, link);
+            only_offline_pcaps = TRUE;
+            break;
+        case 'l':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul > MAX_VLAN)
+                usage("-l vlan must be an integer 0..4095");
+            vlan = calloc(1, sizeof *vlan);
+            assert(vlan != NULL);
+            INIT_LINK(vlan, link);
+            vlan->vlan = (unsigned)ul;
+            APPEND(vlans_excl, vlan, link);
+            if (0 == ul)
+                fprintf(stderr, "Warning: previous versions of %s "
+                                "interpreted 0 as all VLANs. "
+                                "If you want all VLANs now you must "
+                                "specify %u.\n",
+                    ProgramName, MAX_VLAN);
+            break;
+        case 'L':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul > MAX_VLAN)
+                usage("-L vlan must be an integer 0..4095");
+            vlan = calloc(1, sizeof *vlan);
+            assert(vlan != NULL);
+            INIT_LINK(vlan, link);
+            vlan->vlan = (unsigned)ul;
+            APPEND(vlans_incl, vlan, link);
+            if (0 == ul)
+                fprintf(stderr, "Warning: previous versions of %s "
+                                "interpreted 0 as all VLANs. "
+                                "If you want all VLANs now you must "
+                                "specify %u.\n",
+                    ProgramName, MAX_VLAN);
+            break;
+        case 'T':
+            wanttcp = TRUE;
+            break;
+        case 'u':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul < 1U || ul > 65535U)
+                usage("port must be an integer 1..65535");
+            dns_port = (unsigned)ul;
+            break;
+        case 'm':
+            u = 0;
+            for (p = optarg; *p; p++)
+                switch (*p) {
+                case 'q':
+                    u |= MSG_QUERY;
+                    break;
+                case 'u':
+                    u |= MSG_UPDATE;
+                    break;
+                case 'n':
+                    u |= MSG_NOTIFY;
+                    break;
+                default:
+                    usage("-m takes only [qun]");
+                }
+            msg_wanted = u;
+            break;
+        case 's':
+            u = 0;
+            for (p = optarg; *p; p++)
+                switch (*p) {
+                case 'i':
+                    u |= DIR_INITIATE;
+                    break;
+                case 'r':
+                    u |= DIR_RESPONSE;
+                    break;
+                default:
+                    usage("-s takes only [ir]");
+                }
+            dir_wanted = u;
+            break;
+        case 'h':
+            u = 0;
+            for (p = optarg; *p; p++)
+                switch (*p) {
+                case 'i':
+                    u |= END_INITIATOR;
+                    break;
+                case 'r':
+                    u |= END_RESPONDER;
+                    break;
+                default:
+                    usage("-h takes only [ir]");
+                }
+            end_hide = u;
+            break;
+        case 'e':
+            u = 0;
+            for (p = optarg; *p; p++)
+                switch (*p) {
+                case 'n':
+                    u |= ERR_NO;
+                    break;
+                case 'y':
+                    u |= ERR_YES;
+                    break;
+                case 't':
+                    u |= ERR_TRUNC;
+                    break;
+                case 'f':
+                    u |= ERR_FORMERR;
+                    break;
+                case 's':
+                    u |= ERR_SERVFAIL;
+                    break;
+                case 'x':
+                    u |= ERR_NXDOMAIN;
+                    break;
+                case 'i':
+                    u |= ERR_NOTIMPL;
+                    break;
+                case 'r':
+                    u |= ERR_REFUSED;
+                    break;
+                default:
+                    usage("-e takes only [nytfsxir]");
+                }
+            err_wanted = u;
+            break;
+        case 'a':
+            endpoint_arg(&initiators, optarg);
+            break;
+        case 'z':
+            endpoint_arg(&responders, optarg);
+            break;
+        case 'A':
+            endpoint_arg(&not_initiators, optarg);
+            break;
+        case 'Z':
+            endpoint_arg(&not_responders, optarg);
+            break;
+        case 'Y':
+            endpoint_arg(&drop_responders, optarg);
+            break;
+        case 'w':
+            dump_base = optarg;
+            if (strcmp(optarg, "-") == 0)
+                dump_type = to_stdout;
+            else
+                dump_type = to_file;
+            break;
+        case 'W':
+            if (dump_suffix)
+                free(dump_suffix);
+            dump_suffix = strdup(optarg);
+            check_gzip();
+            break;
+        case 'k':
+            if (dump_type != to_file)
+                usage("-k depends on -w"
+                      " (note: can't be stdout)");
+            kick_cmd = optarg;
+            break;
+        case 'F':
+            if (!strcmp(optarg, "pcap")) {
+                options.dump_format = pcap;
+            } else if (!strcmp(optarg, "cbor")) {
+                options.dump_format = cbor;
+            } else if (!strcmp(optarg, "cds")) {
+                options.dump_format = cds;
+            } else {
+                usage("invalid output format for -F");
+            }
+            break;
+        case 't':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0')
+                usage("argument to -t must be an integer");
+            limit_seconds = (unsigned)ul;
+            break;
+        case 'c':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0')
+                usage("argument to -c must be an integer");
+            limit_packets = (unsigned)ul;
+            break;
+        case 'C':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0')
+                usage("argument to -C must be an integer");
+            limit_pcapfilesize = (unsigned)ul;
+            break;
+        case 'x':
+        /* FALLTHROUGH */
+        case 'X': {
+            int         i;
+            myregex_ptr myregex = calloc(1, sizeof *myregex);
+            assert(myregex != NULL);
+            INIT_LINK(myregex, link);
+            myregex->str = strdup(optarg);
+            i            = regcomp(&myregex->reg, myregex->str, REGEX_CFLAGS);
+            if (i != 0) {
+                regerror(i, &myregex->reg,
+                    errbuf, sizeof errbuf);
+                usage(errbuf);
+            }
+            myregex->not = (ch == 'X');
+            APPEND(myregexes, myregex, link);
+        } break;
+        case 'B': {
+            struct tm tm;
+            memset(&tm, '\0', sizeof(tm));
+            if (NULL == strptime(optarg, "%F %T", &tm))
+                usage("-B arg must have format YYYY-MM-DD HH:MM:SS");
+            start_time = xtimegm(&tm);
+        } break;
+        case 'E': {
+            struct tm tm;
+            memset(&tm, '\0', sizeof(tm));
+            if (NULL == strptime(optarg, "%F %T", &tm))
+                usage("-E arg must have format YYYY-MM-DD HH:MM:SS");
+            stop_time = xtimegm(&tm);
+        } break;
+        case 'S':
+            print_pcap_stats = TRUE;
+            break;
+        case 'P': {
+            char*          fn = strdup(optarg);
+            char*          t;
+            char           sn[256];
+            struct plugin* p = calloc(1, sizeof(*p));
+            assert(p != NULL);
+            INIT_LINK(p, link);
+            t       = strrchr(fn, '/');
+            p->name = strdup(t ? t + 1 : fn);
+            if ((t = strstr(p->name, ".so")))
+                *t = 0;
+            p->handle = dlopen(fn, RTLD_NOW);
+            if (!p->handle) {
+                logerr("%s: %s", fn, dlerror());
+                exit(1);
+            }
+            snprintf(sn, sizeof(sn), "%s_type", p->name);
+            p->type = dlsym(p->handle, sn);
+            if (p->type) {
+                p->pt = (*p->type)();
+                switch (p->pt) {
+                case plugin_output:
+                case plugin_filter:
+                    break;
+                default:
+                    logerr("invalid plugin type for plugin '%s'", p->name);
+                    exit(1);
+                }
+            } else {
+                p->pt = plugin_output;
+            }
+            snprintf(sn, sizeof(sn), "%s_start", p->name);
+            p->start = dlsym(p->handle, sn);
+            snprintf(sn, sizeof(sn), "%s_stop", p->name);
+            p->stop = dlsym(p->handle, sn);
+            snprintf(sn, sizeof(sn), "%s_open", p->name);
+            p->open = dlsym(p->handle, sn);
+            snprintf(sn, sizeof(sn), "%s_close", p->name);
+            p->close = dlsym(p->handle, sn);
+            snprintf(sn, sizeof(sn), "%s_output", p->name);
+            p->output = dlsym(p->handle, sn);
+            if (p->pt == plugin_output && !p->output) {
+                logerr("%s", dlerror());
+                exit(1);
+            }
+            snprintf(sn, sizeof(sn), "%s_filter", p->name);
+            p->filter = dlsym(p->handle, sn);
+            if (p->pt == plugin_filter && !p->filter) {
+                logerr("%s", dlerror());
+                exit(1);
+            }
+            snprintf(sn, sizeof(sn), "%s_usage", p->name);
+            p->usage = dlsym(p->handle, sn);
+            snprintf(sn, sizeof(sn), "%s_extension", p->name);
+            p->extension = dlsym(p->handle, sn);
+            if (p->extension) {
+                (*p->extension)(DNSCAP_EXT_IS_RESPONDER, (void*)is_responder);
+                (*p->extension)(DNSCAP_EXT_IA_STR, (void*)_ia_str);
+                (*p->extension)(DNSCAP_EXT_TCPSTATE_GETCURR, (void*)_tcpstate_getcurr);
+                (*p->extension)(DNSCAP_EXT_TCPSTATE_RESET, (void*)_tcpstate_reset);
+                (*p->extension)(DNSCAP_EXT_SET_IADDR, (void*)set_iaddr);
+            }
+            snprintf(sn, sizeof(sn), "%s_getopt", p->name);
+            p->getopt = dlsym(p->handle, sn);
+            if (p->getopt)
+                (*p->getopt)(&argc, &argv);
+            APPEND(plugins, p, link);
+            if (dumptrace)
+                fprintf(stderr, "Plugin '%s' loaded\n", p->name);
+            free(fn);
+        } break;
+        case 'U':
+            if (extra_bpf)
+                free(extra_bpf);
+            extra_bpf = strdup(optarg);
+            break;
+        case 'y':
+#ifdef USE_SECCOMP
+            use_seccomp = TRUE;
+            break;
+#else
+            usage("-y: seccomp-bpf not enabled");
+#endif
+        case 'M':
+            monitor_mode = TRUE;
+            break;
+        case 'D':
+            immediate_mode = TRUE;
+            break;
+        case 'q': {
+            if (nmatch_qtype) {
+                usage("-q and -Q can't be used together");
+            }
+            free(match_qtype_arg); // fix clang scan-build
+            match_qtype_arg = strdup(optarg);
+            match_qtype     = ldns_get_rr_type_by_name(optarg);
+            if (!match_qtype) {
+                ul = strtoul(optarg, &p, 0);
+                if (*p != '\0' || ul < 1U || ul > 65535U)
+                    usage("-q QTYPE must be a valid type or an integer 1..65535");
+                match_qtype = (ldns_rr_type)ul;
+            }
+            break;
+        }
+        case 'Q': {
+            if (match_qtype) {
+                usage("-q and -Q can't be used together");
+            }
+            free(match_qtype_arg); // fix clang scan-build
+            match_qtype_arg = strdup(optarg);
+            nmatch_qtype    = ldns_get_rr_type_by_name(optarg);
+            if (!nmatch_qtype) {
+                ul = strtoul(optarg, &p, 0);
+                if (*p != '\0' || ul < 1U || ul > 65535U)
+                    usage("-Q QTYPE must be a valid type or an integer 1..65535");
+                nmatch_qtype = (ldns_rr_type)ul;
+            }
+            break;
+        }
+        case '?':
+            if (!optopt || optopt == '?') {
+                help_2();
+                options_free(&options);
+                exit(0);
+            }
+            // fallthrough
+        default:
+            usage("unrecognized command line option");
+        }
+    }
+    assert(msg_wanted != 0U);
+    assert(err_wanted != 0U);
+    if (dump_type != nowhere && options.use_layers)
+        usage("use_layers is only compatible with -g so far");
+    if (dump_type == nowhere && !preso && EMPTY(plugins))
+        usage("without -w or -g, there would be no output");
+    if (end_hide != 0U && wantfrags)
+        usage("the -h and -f options are incompatible");
+    if (!EMPTY(vlans_incl) && !EMPTY(vlans_excl))
+        usage("the -L and -l options are mutually exclusive");
+    if (background && (dumptrace || preso))
+        usage("the -b option is incompatible with -d and -g");
+    if (dumptrace >= 1) {
+        endpoint_ptr ep;
+        const char*  sep;
+        myregex_ptr  mr;
+
+        fprintf(stderr, "%s: version %s\n", ProgramName, PACKAGE_VERSION);
+        fprintf(stderr,
+            "%s: msg %c%c%c, side %c%c, hide %c%c, err %c%c%c%c%c%c%c%c, t %u, c %u, C %zu, %sq %s\n",
+            ProgramName,
+            (msg_wanted & MSG_QUERY) != 0 ? 'Q' : '.',
+            (msg_wanted & MSG_UPDATE) != 0 ? 'U' : '.',
+            (msg_wanted & MSG_NOTIFY) != 0 ? 'N' : '.',
+            (dir_wanted & DIR_INITIATE) != 0 ? 'I' : '.',
+            (dir_wanted & DIR_RESPONSE) != 0 ? 'R' : '.',
+            (end_hide & END_INITIATOR) != 0 ? 'I' : '.',
+            (end_hide & END_RESPONDER) != 0 ? 'R' : '.',
+            (err_wanted & ERR_NO) != 0 ? 'N' : '.',
+            (err_wanted & ERR_YES) == ERR_YES ? 'Y' : '.',
+            (err_wanted & ERR_TRUNC) != 0 ? 't' : '.',
+            (err_wanted & ERR_FORMERR) != 0 ? 'f' : '.',
+            (err_wanted & ERR_SERVFAIL) != 0 ? 's' : '.',
+            (err_wanted & ERR_NXDOMAIN) != 0 ? 'x' : '.',
+            (err_wanted & ERR_NOTIMPL) != 0 ? 'i' : '.',
+            (err_wanted & ERR_REFUSED) != 0 ? 'r' : '.',
+            limit_seconds, limit_packets, limit_pcapfilesize,
+            nmatch_qtype ? "!" : "", match_qtype_arg);
+        sep = "\tinit";
+        for (ep = HEAD(initiators);
+             ep != NULL;
+             ep = NEXT(ep, link)) {
+            fprintf(stderr, "%s %s", sep, ia_str(ep->ia));
+            sep = "";
+        }
+        if (!EMPTY(initiators))
+            fprintf(stderr, "\n");
+        sep = "\tresp";
+        for (ep = HEAD(responders);
+             ep != NULL;
+             ep = NEXT(ep, link)) {
+            fprintf(stderr, "%s %s", sep, ia_str(ep->ia));
+            sep = "";
+        }
+        if (!EMPTY(responders))
+            fprintf(stderr, "\n");
+        sep = "\t!init";
+        for (ep = HEAD(not_initiators);
+             ep != NULL;
+             ep = NEXT(ep, link)) {
+            fprintf(stderr, "%s %s", sep, ia_str(ep->ia));
+            sep = "";
+        }
+        if (!EMPTY(not_initiators))
+            fprintf(stderr, "\n");
+        sep = "\t!resp";
+        for (ep = HEAD(not_responders);
+             ep != NULL;
+             ep = NEXT(ep, link)) {
+            fprintf(stderr, "%s %s", sep, ia_str(ep->ia));
+            sep = "";
+        }
+        if (!EMPTY(not_responders))
+            fprintf(stderr, "\n");
+        sep = "\t!dropresp";
+        for (ep = HEAD(drop_responders);
+             ep != NULL;
+             ep = NEXT(ep, link)) {
+            fprintf(stderr, "%s %s", sep, ia_str(ep->ia));
+            sep = "";
+        }
+        if (!EMPTY(drop_responders))
+            fprintf(stderr, "\n");
+        if (!EMPTY(myregexes)) {
+            fprintf(stderr, "%s: pat:", ProgramName);
+            for (mr = HEAD(myregexes);
+                 mr != NULL;
+                 mr = NEXT(mr, link))
+                fprintf(stderr, " %s/%s/",
+                    mr->not ? "!" : "", mr->str);
+            fprintf(stderr, "\n");
+        }
+    }
+    if (EMPTY(mypcaps)) {
+        pcap_if_t* pcapdev = 0;
+        int        res;
+        res = pcap_findalldevs(&pcapdev, errbuf);
+        if (res == -1) {
+            fprintf(stderr, "%s: pcap_findalldevs: %s\n",
+                ProgramName, errbuf);
+            exit(1);
+        } else if (pcapdev == NULL) {
+            fprintf(stderr, "%s: pcap_findalldevs: no devices found\n",
+                ProgramName);
+            exit(1);
+        }
+        mypcap = calloc(1, sizeof *mypcap);
+        assert(mypcap != NULL);
+        INIT_LINK(mypcap, link);
+        mypcap->name = strdup(pcapdev->name);
+        APPEND(mypcaps, mypcap, link);
+        pcap_freealldevs(pcapdev);
+    }
+    if (start_time && stop_time && start_time >= stop_time)
+        usage("start time must be before stop time");
+
+    if (options.dump_format == cbor) {
+        if (!have_cbor_support()) {
+            usage("no built in cbor support");
+        }
+        cbor_set_size(options.cbor_chunk_size);
+    } else if (options.dump_format == cds) {
+        if (!have_cds_support()) {
+            usage("no built in cds support");
+        }
+        cds_set_cbor_size(options.cds_cbor_size);
+        cds_set_message_size(options.cds_message_size);
+        cds_set_max_rlabels(options.cds_max_rlabels);
+        cds_set_min_rlabel_size(options.cds_min_rlabel_size);
+        if (options.cds_use_rdata_index && options.cds_use_rdata_rindex) {
+            usage("can't use both CDS rdata index and rindex");
+        }
+        cds_set_use_rdata_index(options.cds_use_rdata_index);
+        cds_set_use_rdata_rindex(options.cds_use_rdata_rindex);
+        cds_set_rdata_index_min_size(options.cds_rdata_index_min_size);
+        cds_set_rdata_rindex_min_size(options.cds_rdata_rindex_min_size);
+        cds_set_rdata_rindex_size(options.cds_rdata_rindex_size);
+    }
+
+    if (!options.use_layers && (options.defrag_ipv4 || options.defrag_ipv6)) {
+        usage("can't defragment IP packets without use_layers=yes");
+    }
+
+    if (options.reassemble_tcp_bfbparsedns) {
+        if (!options.reassemble_tcp) {
+            usage("can't do byte for byte parsing of DNS without reassemble_tcp=yes");
+        }
+    }
+
+    free(match_qtype_arg);
+}
diff --git a/src/args.h b/src/args.h
new file mode 100644
index 0000000..6f3ab61
--- /dev/null
+++ b/src/args.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap.h"
+
+#ifndef __dnscap_args_h
+#define __dnscap_args_h
+
+time_t xtimegm(struct tm* tmp);
+void   usage(const char* msg);
+void   help_1(void);
+void   help_2(void);
+void   check_gzip();
+int    is_responder(iaddr ia);
+void   parse_args(int argc, char* argv[]);
+
+#endif /* __dnscap_args_h */
diff --git a/src/assert.c b/src/assert.c
new file mode 100644
index 0000000..32f2e3b
--- /dev/null
+++ b/src/assert.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "dnscap.h"
+
+#if !HAVE___ASSERTION_FAILED
+static void my_assertion_failed(const char* file, int line, assertion_type type, const char* msg, int something) __attribute__((noreturn));
+#endif
+
+#if !HAVE___ASSERTION_FAILED
+static void
+my_assertion_failed(const char* file, int line, assertion_type type, const char* msg, int something)
+{
+    (void)type;
+    (void)something;
+    fprintf(stderr, "assertion failed: %s(%d): %s\n", file, line, msg);
+    abort();
+}
+
+assertion_failure_callback __assertion_failed = my_assertion_failed;
+#endif
diff --git a/src/bpft.c b/src/bpft.c
new file mode 100644
index 0000000..e810910
--- /dev/null
+++ b/src/bpft.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "bpft.h"
+#include "iaddr.h"
+
+#include <ldns/ldns.h>
+
+void prepare_bpft(void)
+{
+    unsigned  udp10_mbs, udp10_mbc, udp11_mbc; //udp11_mbs
+    text_list bpfl;
+    text_ptr  text;
+    size_t    len;
+    char*     p;
+
+    /* Prepare the must-be-set and must-be-clear tests. */
+    udp10_mbs = udp10_mbc = udp11_mbc = 0U; // udp11_mbs
+    if ((dir_wanted & DIR_INITIATE) != 0) {
+        if ((dir_wanted & DIR_RESPONSE) == 0)
+            udp10_mbc |= UDP10_QR_MASK;
+    } else if ((dir_wanted & DIR_RESPONSE) != 0) {
+        udp10_mbs |= UDP10_QR_MASK;
+    }
+    if ((msg_wanted & MSG_UPDATE) != 0) {
+        if ((msg_wanted & (MSG_QUERY | MSG_NOTIFY)) == 0)
+            udp10_mbs |= (LDNS_PACKET_UPDATE << UDP10_OP_SHIFT);
+    } else if ((msg_wanted & MSG_NOTIFY) != 0) {
+        if ((msg_wanted & (MSG_QUERY | MSG_UPDATE)) == 0)
+            udp10_mbs |= (LDNS_PACKET_NOTIFY << UDP10_OP_SHIFT);
+    } else if ((msg_wanted & MSG_QUERY) != 0) {
+        udp10_mbc |= UDP10_OP_MASK;
+    }
+    if (err_wanted == ERR_NO) {
+        udp10_mbc |= UDP10_TC_MASK;
+        udp11_mbc |= UDP11_RC_MASK;
+    }
+
+    /*
+ * Model
+ * (vlan) and (transport)
+ * (vlan) and ((icmp) or (frags) or (dns))
+ * (vlan) and ((icmp) or (frags) or ((ports) and (hosts)))
+ * (vlan) and ((icmp) or (frags) or (((tcp) or (udp)) and (hosts)))
+ * [(vlan) and] ( [(icmp) or] [(frags) or] ( ( [(tcp) or] (udp) ) [and (hosts)] ) )
+ */
+
+    /* Make a BPF program to do early course kernel-level filtering. */
+    INIT_LIST(bpfl);
+    len = 0;
+    if (!EMPTY(vlans_excl))
+        len += text_add(&bpfl, "vlan and ("); /* vlan and ( transports ...  */
+    else
+        len += text_add(&bpfl, "("); /* ( transports ...  */
+    if (wanticmp) {
+        len += text_add(&bpfl, " ( ip proto 1 or ip proto 58 ) or");
+    }
+    if (wantfrags) {
+        len += text_add(&bpfl, " ( ip[6:2] & 0x1fff != 0 or ip6[6] = 44 ) or");
+    }
+    len += text_add(&bpfl, " ("); /* ( dns ...  */
+    len += text_add(&bpfl, " ("); /* ( ports ...  */
+    if (wanttcp) {
+        len += text_add(&bpfl, " ( tcp port %d ) or", dns_port);
+        /* tcp packets can be filtered by initiators/responders, but
+         * not mbs/mbc. */
+    }
+    len += text_add(&bpfl, " ( udp port %d and ( ip6 or ( ip", dns_port);
+
+    if (udp10_mbc != 0)
+        len += text_add(&bpfl, " and udp[10] & 0x%x = 0",
+            udp10_mbc);
+    if (udp10_mbs != 0)
+        len += text_add(&bpfl, " and udp[10] & 0x%x = 0x%x",
+            udp10_mbs, udp10_mbs);
+    if (udp11_mbc != 0)
+        len += text_add(&bpfl, " and udp[11] & 0x%x = 0",
+            udp11_mbc);
+    /* Dead code, udp11_mbs never set
+        if (udp11_mbs != 0)
+            len += text_add(&bpfl, " and udp[11] & 0x%x = 0x%x",
+                    udp11_mbs, udp11_mbs);
+*/
+
+    if (err_wanted != ERR_NO) {
+        len += text_add(&bpfl, " and (");
+        if ((err_wanted & ERR_TRUNC) != 0) {
+            len += text_add(&bpfl, " udp[10] & 0x%x = 0x%x or", UDP10_TC_MASK, UDP10_TC_MASK);
+        }
+        len += text_add(&bpfl, " 0x%x << (udp[11] & 0xf) & 0x%x != 0 )", ERR_RCODE_BASE, err_wanted);
+    }
+
+    len += text_add(&bpfl, " )))"); /*  ... udp 53 ) */
+    len += text_add(&bpfl, " )"); /*  ... ports ) */
+    if (options.bpf_hosts_apply_all) {
+        len += text_add(&bpfl, " )"); /*  ... dns ) */
+        len += text_add(&bpfl, " )"); /* ... transport ) */
+    }
+    if (!EMPTY(initiators) || !EMPTY(responders)) {
+        const char* or = "or", *lp = "(", *sep;
+        endpoint_ptr ep;
+
+        len += text_add(&bpfl, " and host");
+        sep = lp;
+        for (ep = HEAD(initiators);
+             ep != NULL;
+             ep = NEXT(ep, link)) {
+            len += text_add(&bpfl, " %s %s", sep, ia_str(ep->ia));
+            sep = or ;
+        }
+        for (ep = HEAD(responders);
+             ep != NULL;
+             ep = NEXT(ep, link)) {
+            len += text_add(&bpfl, " %s %s", sep, ia_str(ep->ia));
+            sep = or ;
+        }
+        len += text_add(&bpfl, " )");
+    }
+    if (!EMPTY(not_initiators) || !EMPTY(not_responders)) {
+        const char* or = "or", *lp = "(", *sep;
+        endpoint_ptr ep;
+
+        len += text_add(&bpfl, " and not host");
+        sep = lp;
+        for (ep = HEAD(not_initiators);
+             ep != NULL;
+             ep = NEXT(ep, link)) {
+            len += text_add(&bpfl, " %s %s", sep, ia_str(ep->ia));
+            sep = or ;
+        }
+        for (ep = HEAD(not_responders);
+             ep != NULL;
+             ep = NEXT(ep, link)) {
+            len += text_add(&bpfl, " %s %s", sep, ia_str(ep->ia));
+            sep = or ;
+        }
+        len += text_add(&bpfl, " )");
+    }
+    if (!options.bpf_hosts_apply_all) {
+        len += text_add(&bpfl, " )"); /*  ... dns ) */
+        len += text_add(&bpfl, " )"); /* ... transport ) */
+    }
+    if (extra_bpf)
+        len += text_add(&bpfl, " and ( %s )", extra_bpf);
+
+    bpft = calloc(len + 1, sizeof(char));
+    assert(bpft != NULL);
+    p = bpft;
+    for (text = HEAD(bpfl); text != NULL; text = NEXT(text, link)) {
+        memcpy(p, text->text, text->len);
+        p += text->len;
+    }
+    text_free(&bpfl);
+    if (!EMPTY(vlans_incl)) {
+        char* bpft_vlan;
+
+        len       = (2 * len) + 64; /* add enough for the extra in snprintf() below */
+        bpft_vlan = calloc(len, sizeof(char));
+        assert(bpft_vlan != NULL);
+
+        snprintf(bpft_vlan, len, "( %s ) or ( vlan and ( %s ) )", bpft, bpft);
+        free(bpft);
+        bpft = bpft_vlan;
+    }
+    if (dumptrace >= 1)
+        fprintf(stderr, "%s: \"%s\"\n", ProgramName, bpft);
+}
+
+size_t text_add(text_list* list, const char* fmt, ...)
+{
+    text_ptr text;
+    va_list  ap;
+    int      len;
+
+    text = calloc(1, sizeof *text);
+    assert(text != NULL);
+    INIT_LINK(text, link);
+    va_start(ap, fmt);
+    len = vasprintf(&text->text, fmt, ap);
+    assert(len >= 0);
+    va_end(ap);
+    text->len = len;
+    APPEND(*list, text, link);
+    return (text->len);
+}
+
+void text_free(text_list* list)
+{
+    text_ptr at, text;
+
+    for (at = HEAD(*list); at;) {
+        text = at;
+        at   = NEXT(text, link);
+
+        UNLINK(*list, text, link);
+        free(text->text);
+        assert(text != (void*)-1);
+        free(text);
+    }
+}
diff --git a/src/bpft.h b/src/bpft.h
new file mode 100644
index 0000000..88a272c
--- /dev/null
+++ b/src/bpft.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap.h"
+
+#ifndef __dnscap_bpft_h
+#define __dnscap_bpft_h
+
+void prepare_bpft(void);
+
+size_t text_add(text_list* list, const char* fmt, ...);
+void   text_free(text_list* list);
+
+#endif /* __dnscap_bpft_h */
diff --git a/src/daemon.c b/src/daemon.c
new file mode 100644
index 0000000..67ef86e
--- /dev/null
+++ b/src/daemon.c
@@ -0,0 +1,250 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "daemon.h"
+#include "log.h"
+#include "memzero.h"
+
+void drop_privileges(void)
+{
+    struct rlimit  rss;
+    struct passwd  pwd;
+    struct passwd* result = 0;
+    size_t         pwdBufSize;
+    char*          pwdBuf;
+    unsigned int   s;
+    uid_t          oldUID = getuid();
+    uid_t          oldGID = getgid();
+    uid_t          dropUID;
+    gid_t          dropGID;
+    const char*    user;
+    struct group*  grp = 0;
+
+    /*
+     * Security: getting UID and GUID for nobody
+     */
+    pwdBufSize = sysconf(_SC_GETPW_R_SIZE_MAX);
+    if (pwdBufSize == -1)
+        pwdBufSize = 16384;
+
+    pwdBuf = calloc(pwdBufSize, sizeof(char));
+    if (pwdBuf == NULL) {
+        fprintf(stderr, "unable to allocate buffer for pwdBuf\n");
+        exit(1);
+    }
+
+    user = options.user ? options.user : DROPTOUSER;
+    if (options.group) {
+        if (!(grp = getgrnam(options.group))) {
+            if (errno) {
+                fprintf(stderr, "Unable to get group %s: %s\n", options.group, strerror(errno));
+            } else {
+                fprintf(stderr, "Group %s not found, existing.\n", options.group);
+            }
+            exit(1);
+        }
+    }
+
+    s = getpwnam_r(user, &pwd, pwdBuf, pwdBufSize, &result);
+    if (result == NULL) {
+        if (s == 0) {
+            fprintf(stderr, "User %s not found, exiting.\n", user);
+            exit(1);
+        } else {
+            fprintf(stderr, "issue with getpwnnam_r call, exiting.\n");
+            exit(1);
+        }
+    }
+
+    dropUID = pwd.pw_uid;
+    dropGID = grp ? grp->gr_gid : pwd.pw_gid;
+    dnscap_memzero(pwdBuf, pwdBufSize);
+    free(pwdBuf);
+
+    /*
+     * Security section: setting memory limit and dropping privileges to nobody
+     */
+    getrlimit(RLIMIT_DATA, &rss);
+    if (mem_limit_set) {
+        rss.rlim_cur = mem_limit;
+        rss.rlim_max = mem_limit;
+        if (setrlimit(RLIMIT_DATA, &rss) == -1) {
+            fprintf(stderr, "Unable to set the memory limit, exiting\n");
+            exit(1);
+        }
+    }
+
+#if HAVE_SETRESGID
+    if (setresgid(dropGID, dropGID, dropGID) < 0) {
+        fprintf(stderr, "Unable to drop GID to %s: %s\n", options.group ? options.group : user, strerror(errno));
+        exit(1);
+    }
+#elif HAVE_SETREGID
+    if (setregid(dropGID, dropGID) < 0) {
+        fprintf(stderr, "Unable to drop GID to %s: %s\n", options.group ? options.group : user, strerror(errno));
+        exit(1);
+    }
+#elif HAVE_SETEGID
+    if (setegid(dropGID) < 0) {
+        fprintf(stderr, "Unable to drop GID to %s: %s\n", options.group ? options.group : user, strerror(errno));
+        exit(1);
+    }
+#endif
+
+#if HAVE_INITGROUPS
+    if (initgroups(pwd.pw_name, dropGID) < 0) {
+        fprintf(stderr, "Unable to init supplemental groups for %s: %s\n", user, strerror(errno));
+        exit(1);
+    }
+#elif HAVE_SETGROUPS
+    if (setgroups(0, NULL) < 0) {
+        fprintf(stderr, "Unable to drop supplemental groups: %s\n", strerror(errno));
+        exit(1);
+    }
+#endif
+
+#if HAVE_SETRESUID
+    if (setresuid(dropUID, dropUID, dropUID) < 0) {
+        fprintf(stderr, "Unable to drop UID to %s: %s\n", user, strerror(errno));
+        exit(1);
+    }
+#elif HAVE_SETREUID
+    if (setreuid(dropUID, dropUID) < 0) {
+        fprintf(stderr, "Unable to drop UID to %s: %s\n", user, strerror(errno));
+        exit(1);
+    }
+#elif HAVE_SETEUID
+    if (seteuid(dropUID) < 0) {
+        fprintf(stderr, "Unable to drop UID to %s: %s\n", user, strerror(errno));
+        exit(1);
+    }
+#endif
+
+    /*
+     * Testing if privileges are dropped
+     */
+    if (oldGID != getgid() && (setgid(oldGID) == 1 && setegid(oldGID) != 1)) {
+        fprintf(stderr, "Able to restore back to root, exiting.\n");
+        fprintf(stderr, "currentUID:%u currentGID:%u\n", getuid(), getgid());
+        exit(1);
+    }
+    if ((oldUID != getuid() && getuid() == 0) && (setuid(oldUID) != 1 && seteuid(oldUID) != 1)) {
+        fprintf(stderr, "Able to restore back to root, exiting.\n");
+        fprintf(stderr, "currentUID:%u currentGID:%u\n", getgid(), getgid());
+        exit(1);
+    }
+
+#ifdef USE_SECCOMP
+    if (use_seccomp == FALSE) {
+        return;
+    }
+
+#if 0
+    /*
+     * Setting SCMP_ACT_TRAP means the process will get
+     * a SIGSYS signal when a bad syscall is executed
+     * This is for debugging and should be monitored.
+     */
+
+    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);
+#endif
+
+    /*
+     * SCMP_ACT_KILL tells the kernel to kill the process
+     * when a syscall we did not filter on is called.
+     * This should be uncommented in production.
+     */
+    scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
+
+    if (ctx == NULL) {
+        fprintf(stderr, "Unable to create seccomp-bpf context\n");
+        exit(1);
+    }
+
+    int r = 0;
+    r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 0);
+    r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(uname), 0);
+    r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0);
+    r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0);
+    r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+    r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
+    r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
+    r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+    r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0);
+    r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(lseek), 0);
+    r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(select), 0);
+    r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat), 0);
+
+    if (r != 0) {
+        fprintf(stderr, "Unable to apply seccomp-bpf filter\n");
+        seccomp_release(ctx);
+        exit(1);
+    }
+
+    r = seccomp_load(ctx);
+
+    if (r < 0) {
+        seccomp_release(ctx);
+        fprintf(stderr, "Unable to load seccomp-bpf filter\n");
+        exit(1);
+    }
+#endif
+}
+
+void daemonize(void)
+{
+    pid_t pid;
+#ifdef TIOCNOTTY
+    int i;
+#endif
+    if ((pid = fork()) < 0) {
+        logerr("fork failed: %s", strerror(errno));
+        exit(1);
+    } else if (pid > 0)
+        exit(0);
+    openlog("dnscap", 0, LOG_DAEMON);
+    if (setsid() < 0) {
+        logerr("setsid failed: %s", strerror(errno));
+        exit(1);
+    }
+#ifdef TIOCNOTTY
+    if ((i = open("/dev/tty", O_RDWR)) >= 0) {
+        ioctl(i, TIOCNOTTY, NULL);
+        close(i);
+    }
+#endif
+    logerr("Backgrounded as pid %u", getpid());
+}
diff --git a/src/daemon.h b/src/daemon.h
new file mode 100644
index 0000000..dc4fcc1
--- /dev/null
+++ b/src/daemon.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap.h"
+
+#ifndef __dnscap_daemon_h
+#define __dnscap_daemon_h
+
+void drop_privileges(void);
+void daemonize(void);
+
+#endif /* __dnscap_daemon_h */
diff --git a/src/dnscap.1.in b/src/dnscap.1.in
new file mode 100644
index 0000000..82a44fd
--- /dev/null
+++ b/src/dnscap.1.in
@@ -0,0 +1,1011 @@
+.\" Copyright (c) 2016-2021, OARC, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. Neither the name of the copyright holder nor the names of its
+.\"    contributors may be used to endorse or promote products derived
+.\"    from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+.\" COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.TH dnscap 1 "@PACKAGE_VERSION@" "dnscap"
+.SH NAME
+dnscap \- DNS network traffic capture utility
+.SH SYNOPSIS
+.SY dnscap
+.OP \-?VbNpd1g6fTIySMD
+.OP \-o option=value
+.OP \-i if
+.OP \-r file
+.OP \-l vlan
+.OP \-L vlan
+.OP \-u port
+.OP \-m [qun]
+.OP \-e [nytfsxir]
+.OP \-h [ir]
+.OP \-s [ir]
+.OP \-a host
+.OP \-z host
+.OP \-A host
+.OP \-Z host
+.OP \-Y host
+.OP \-w base
+.OP \-W suffix
+.OP \-k cmd
+.OP \-t lim
+.OP \-c lim
+.OP \-C lim
+.OP \-x pat
+.OP \-X pat
+.OP \-B datetime
+.OP \-E datetime
+.OP \-U str
+.OP \-q num|str
+.OP \-Q num|str
+.OP \-P "plugin.so ..."
+.SY dnscap
+.BR \-g " ..."
+.SY dnscap
+.BR \-w " ..."
+.YS
+.SH DESCRIPTION
+.B dnscap
+is a network capture utility designed specifically for DNS traffic.
+It normally produces binary data in
+.BR pcap (3)
+format, either on standard output or from files.
+This utility is similar to
+.BR tcpdump (1),
+but has finer grained packet recognition tailored to DNS transactions and
+protocol options.
+.B dnscap
+is expected to be used for gathering continuous research or audit traces.
+.SH OPTIONS
+.B dnscap
+has a large array of command line options and extended options
+.RB ( \-o
+.IR option=value ),
+and to make it easier to understand their usage they are categorized.
+.IP \(bu
+.I GENERIC
+section shows how to display help and version, and enable debugging.
+.IP \(bu
+.I RUNTIME
+section handles sandbox, privileges, start/stop and other runtime actions.
+.IP \(bu
+.I INPUT
+section deals with what interface to capture on, how to do it or if you want
+to read from a file.
+.IP \(bu
+.I OUTPUT
+section gives you options to do packet dumps, or get a diagnostic output,
+and to set limits or run external actions on intervals.
+.IP \(bu
+.I NETWORK
+section tweaks how and what is captured on the network and the individual
+layers.
+.IP \(bu
+.I DNS
+section lets you do filtering and modifications on the DNS message, along
+with pattern matching on the domain names.
+.IP \(bu
+Lastly,
+.I PLUGINS
+section gives you an overview on how
+.B dnscap
+can be extended by plugins and which plugins are bundled.
+.RE
+
+The only required options are
+.B \-g
+and
+.BR \-w ,
+at least one of them must be supplied to run.
+
+If neither
+.B \-r
+or
+.B \-i
+is used then the default is to capture on the first or all interfaces
+(depends on system, see
+.B \-i
+for more information).
+.\"
+.\"
+.\"
+.SS GENERIC
+.TP
+.B \-?
+Display short form help text about command line options and exit.
+.TP
+.B \-V
+Print version and exit.
+.TP
+.B \-d
+Tells a verbose story of options and patterns chosen, files opened, and so on.
+Multiple
+.B \-d
+options can be given to increase verbosity and frequency of trace messages.
+.\"
+.\"
+.\"
+.SS RUNTIME
+.TP
+.B \-y
+Enable Linux seccomp\-bpf sandbox if available (compile option).
+.TP
+.B \-b
+Run in background as daemon and drop privileges, using
+.IR set*uid() ,
+.I set*gid()
+functions, unless options
+.B \-N
+is given or only reading from files.
+.TP
+.BI "\-o user" =...
+Specify the user to drop privileges to (default nobody).
+.TP
+.BI "\-o group" =...
+Specify the group to drop privileges to (default nobody).
+.TP
+.B \-N
+Do not attempt to drop privileges, this is implicit if only reading
+offline pcap files.
+.TP
+.B \-S
+Print stats counters on standard error when closed the packet dump file
+(see
+.BR \-w ).
+.TP
+.BI "\-B " datetime
+Start collecting at a specific time.
+.I datetime
+should be specified as "YYYY\-MM\-DD HH:MM:SS".
+The program will
+.BR sleep (3)
+until the start time, or it will skip all packets related to an earlier
+time if used with an offline
+.BR pcap (3)
+file, and then begin capturing/processing packets.
+.TP
+.BI "\-E " datetime
+Stop collecting at a specific time.
+.I datetime
+should be specified as "YYYY\-MM\-DD HH:MM:SS".
+.B dnscap
+will exit when it sees a packet (live or offline
+.BR pcap (3)
+file) with timestamp greater or equal to it.
+.\"
+.\"
+.\"
+.SS INPUT
+.TP
+.BI "\-r " file
+Select an offline
+.BR pcap (3)
+file produced by this utility or by
+.BR tcpdump (1)
+(or simiar tools) as the input packet source.
+Can be given as "\-" to indicate standard input.
+.TP
+.BI "\-i " if
+Select an interface to be monitored.
+On BSD systems, the default is the first interface that was configured at
+system boot time.
+On Linux systems, the default is to monitor all interfaces.
+More than one interface may be selected which will cause output to be
+interleaved from all selected interfaces.
+.TP
+.B \-p
+Asks that the interface not be put into promiscuous mode.
+Note that even without this option, the interface could be in promiscuous
+mode for some other reason.
+.TP
+.B \-M
+Enable monitor mode on interfaces.
+.TP
+.B \-D
+Enable immediate mode on interfaces.
+
+Option
+.BR \-p ,
+.B \-M
+and
+.B \-D
+are libpcap specific options, see
+.BR pcap (3)
+for more information on their meaning.
+.TP
+.BI "\-o " pcap_buffer_size=num
+Set the
+.BR pcap (3)
+buffer size to
+.I num
+bytes when capturing packets.
+This can be used to increase the buffer so that packets are not missed/dropped
+while processing or rotating packet dumps.
+.TP
+.BI "\-o " use_layers=yes
+Enable pcap\-thread layers, this will let pcap\-thread parse the network layers
+and call back with UDP, TCP or ICMP traffic.
+
+This options is required for IP defragmentation (see
+.BI "\-o " defrag_ipv4=yes
+and
+.B \-o
+.IR defrag_ipv6=yes ),
+TCP reassembly (see
+.B \-o
+.IR reassemble_tcp=yes )
+and parsing ongoing TCP sessions (see
+.B \-o
+.IR parse_ongoing_tcp=yes ).
+.\"
+.\"
+.\"
+.SS OUTPUT
+For details on the diagnostic output and the different dump formats that
+exists, please see OUTPUT FORMATS below.
+Some formats have their own extended options, these are also listed in that
+section.
+.TP
+.BI "\-o " dump_format=format
+Specify the output
+.I format
+to use.
+Default is
+.IR pcap .
+.TP
+.B \-g
+Produce diagnostic output to standard error, showing the presentation form
+of DNS messages which passed through all of the filters.
+If
+.B \-w
+is also used, then every message will be dumped in both binary and
+presentation form.
+.TP
+.BI "\-w " base
+Dump the captured packets to successive binary files in
+.BR pcap (3)
+format with DLT_RAW datalink type.
+Each file will have a name like "%s.%s.%06u" where the first %s is
+.IR base ,
+second %s is the time as hours, minutes and seconds (%H%M%S), and %06u is
+the microseconds.
+The argument "\-" may be given to send the binary output to standard output.
+
+By default,
+.B dnscap
+will close its packet dump file only when interrupted.
+You can change that behavior with options
+.BR \-t ,
+.BR \-c ,
+and
+.BR \-C .
+.TP
+.BI "\-W " suffix
+The provided suffix is added to the dump file name, e. g.: ".pcap".
+If the suffix ends with ".gz" then files will be automatically gzip
+compressed.
+If gzip compression is requested but not supported (i.e. because of lack of
+system support) an error will be generated.
+.TP
+.B \-1
+Flush the output after every packet.
+Mostly this is useful when the packet dump is standard output, and has been
+piped to
+.BR tcpdump (1).
+.TP
+.BI "\-t " lim
+Set a time interval, specified in seconds.
+When writing to a file, the packet dump file will be closed and reopened
+(creating a new dump file) when time() %
+.I lim
+is zero.
+Note that the first file will usually be shorter than
+.I lim
+seconds.
+If the packet dump file is standard output or if
+.B \-g
+is used, then
+.B dnscap
+will exit after the first interval.
+.TP
+.BI "\-c " lim
+Set a size limit, measured in packets.
+When writing to a file, the packet dump file will be closed when
+.I lim
+number of packets has been written.
+If option
+.B \-k
+is
+.I "not used"
+(see below) or the packet dump file is standard output, or if
+.B \-g
+is used, then
+.B dnscap
+will exit after reaching the limit.
+.TP
+.BI "\-C " lim
+Set a size limit, measured in bytes.
+When writing to a file, the packet dump file will be closed when
+.I lim
+number of bytes (or larger then) has been written.
+If option
+.B \-k
+is
+.I "not used"
+or the packet dump file is standard output, or if
+.B \-g
+is used, then
+.B dnscap
+will exit after reaching the limit.
+
+When using the above options
+.BR \-t ,
+.BR \-c ,
+and
+.B \-C
+together, the order of applying them are
+.I 1)
+time interval,
+.I 2)
+number of packets and
+.I 3)
+number of bytes.
+.TP
+.BI "\-k " cmd
+After each dump file specified by
+.B \-w
+is closed, this command will be executed in a non\-blocking subprocess with
+the file name as its one argument.
+This can be used to submit the finished file to other processing systems.
+
+If this option is used together with
+.B \-c
+or
+.B \-C
+and the output is a packet dump file, then it will be reopened (creating
+a new dump file) before continuing.
+.\"
+.\"
+.\"
+.SS NETWORK
+.TP
+.BI "\-U " str
+Append "and
+.IR str """"
+to the BPF/pcap filter.
+.TP
+.BI "\-o " bpf_hosts_apply_all=yes
+This changes the BPF generation so that any host restriction will come
+after ICMP, fragments, ports or DNS section to allow it to apply for ICMP
+and fragments also.
+The default behavior is to only apply hosts to the ports or DNS section.
+.TP
+.B \-6
+Used to suppress the use of packet filter patterns that cause problems when
+processing IPv6 packets.
+As of version 2.0.0 this option is deprecated and filters have been reworked
+to only match IPv4 packets, IPv6 filtering are processed at a higher level.
+.TP
+.B \-f
+Selects fragments (which could include unrelated flows since fragments do not
+contain port numbers), and includes fragments in the binary output.
+Necessary if you intend to do IP Reassembly.
+Note that all fragments will be collected, not just those using the DNS port
+number, since fragments don't have port numbers.
+Beware this option if you also handle a lot of NFS traffic.
+.TP
+.B \-T
+Selects TCP packets.
+SYN, FIN, and RST packets are collected if they pass the layer 2, port, and
+host filters (although hosts need not be in the correct direction); they are
+not tested against filter options that require a DNS header such as
+.BR \-m ,
+.BR \-s ,
+or
+.BR \-e .
+All DNS messages in the stream is captured if it passes all filter options.
+
+Each TCP packet with payload will be tagged as DNS, unless
+.BI "\-o " reassemble_tcp=yes
+is used, with the support of having the DNS length arrive before the message
+in an own packet.
+Ongoing TCP connections can be inspected by using
+.B \-o
+.IR parse_ongoing_tcp=yes .
+TCP packets are processed as they arrive so missing, unaligned data or DNS
+message split over multiple packets will produce parsing errors.
+Using extended option
+.BI "\-o " allow_reset_tcpstate=yes
+may allow
+.B dnscap
+to recover from these scenarios.
+.TP
+.B \-I
+Select ICMP and ICMPv6 packets.
+.TP
+.BI "\-l " vlan
+Captures only 802.1Q encapsulated packets, and selects specific vlans to be
+monitored.
+Can be specified more than once to select multiple vlans.
+VLAN id 4095 can be used to specify all vlans.
+.TP
+.BI "\-L " vlan
+Captures 802.1Q encapsulated packets matching the specified vlans AND
+packets without VLAN tags.
+Can be specified more than one to select multiple vlans.
+VLAN id 4095 can be used to specify all vlans.
+.TP
+.BI "\-u " port
+Capture only packets on this UDP port, and treat as DNS traffic.
+The default port is 53.
+Note that there is no way to select multiple UDP ports, as would be
+necessary to capture both DNS (port 53) and mDNS (port 5353) traffic.
+
+.TP
+.BI "\-o " defrag_ipv4=yes
+.TQ
+.BI "\-o " defrag_ipv6=yes
+Enable IPv4/IPv6 defragmentation in pcap-thread, requires
+.B \-o
+.IR use_layers=yes .
+
+When enabled, the following options are also available:
+.RS
+.TP
+.BI "\-o " max_ipv4_fragments=num
+Set the maximum fragmented IPv4 packets
+.RI ( num )
+to track for reassembly, if the limit is reach then all other fragmented
+packets will not be reassembled.
+.TP
+.BI "\-o " max_ipv4_fragments_per_packet=num
+Set the maximum fragments
+.RI ( num )
+per tracked IPv4 packet to keep for reassembly.
+.TP
+.BI "\-o " max_ipv6_fragments=num
+Set the maximum fragmented IPv6 packets
+.RI ( num )
+to track for reassembly, if the limit is reach then all other fragmented
+packets will not be reassembled.
+.TP
+.BI "\-o " max_ipv6_fragments_per_packet=num
+Set the maximum fragments
+.RI ( num )
+per tracked IPv6 packet to keep for reassembly.
+.RE
+.TP
+.BI "\-o " parse_ongoing_tcp=yes
+.B dnscap
+will normally not look at TCP unless it sees the start of it.
+This enables state tracking when a new TCP stream is found but no SYN/ACK
+has been seen.
+Each TCP packet with payload will be tagged as DNS.
+.TP
+.BI "\-o " allow_reset_tcpstate=yes
+Allow the TCP state to be reseted, this is used in diagnostic output and
+plugins when parsing the DNS in a TCP packet fails to try and recover from
+missing or unaligned data.
+.TP
+.BI "\-o " reassemble_tcp=yes
+Enable reassembly of TCP packets, this will not parse each packet as an own
+DNS message but will store TCP segments until they can be reassembled.
+It will expect the DNS message length to come first and then wait for the
+full length of data to arrive until passing to outputs and plugins.
+
+Since the number of saved segments are limited and fixed, if the TCP steam
+becomes corrupt then processing may stop.
+Recovering from this can be done by enabling
+.Ar allow_reset_tcpstate=yes
+which will reset state and free all saved segments to try and start over.
+.TP
+.BI "\-o " reassemble_tcp_faultreset=num
+This controls the number of faults
+.RI ( num )
+that can happen before the state is reseted (as described above), faults
+are if the segments buffer are full or if the sequence is outside the
+TCP window.
+The default is zero which means it will reset the state as soon as the
+segment buffer is full.
+.TP
+.BI "\-o " reassemble_tcp_bfbparsedns=yes
+Enable an additional layer (experimental) of reassembly that uses LDNS to
+parse the payload before accepting it.
+If the DNS is invalid it will move 2 bytes within the payload and treat it
+as a new payload, taking the DNS length again and restart the process.
+.\"
+.\"
+.\"
+.SS DNS
+.TP
+.BI "\-m " [qun]
+Capture only messages of designated types;
+.IR q uery,
+.IR u pdate,
+and
+.IR n otify).
+Multiple types can be given at the same time, for example
+.B "\-m qn"
+will select query and notify messages.
+Multiple
+.B \-m
+can not be used to specify multiple types.
+Default is query.
+.TP
+.BI "\-e " [nytfsxir]
+Among responses, consider nonzero DNS TC or DNS RCODE to indicate an error,
+and select only responses which do not have
+.RI ( n ),
+or which have
+.RI ( y ),
+these conditions.
+The default is to only select non\-errors among responses.
+If both non\-error and error responses are to be selected, specify both the
+.I n
+and
+.I y
+options here.
+
+To be more specific, use one or more condition\-specific options, as follows:
+.RS
+.TP
+.B n
+no error
+.TP
+.B y
+some error
+.TP
+.B t
+truncated response (TC bit)
+.TP
+.B f
+format error (rcode 1)
+.TP
+.B s
+server failure (rcode 2)
+.TP
+.B x
+no such name (rcode 3)
+.TP
+.B i
+not implemented (rcode 4)
+.TP
+.B r
+refusal (rcode 5)
+.RE
+.TP
+.BI "\-h " ir
+Hide
+.IR i nitiator
+or
+.IR r esponder
+of each captured transaction.
+Hiding an initiator means wiping out the address and port number.
+Hiding a responder means to wipe out the address only.
+This wiping occurs on the copy of the packet sent to the
+.BR pcap (3)
+dump output, and both the IP and UDP checksums will be recomputed in that case.
+.TP
+.BI "\-s " ir
+Select messages which are
+.IR i nitiations
+and/or
+.IR r esponses.
+This is done by checking the DNS header flag QR and source/destination port
+against the DNS port (see
+.BR \-u ).
+Default is both.
+.TP
+.BI "\-a " host
+Capture only transactions having these initiators.
+Can be specified more than once to select multiple initiators.
+If a host name is used, then all of that host's addresses whether IPv4 or
+IPv6 are added to the recognition pattern.
+.TP
+.BI "\-z " host
+Capture only transactions having these responders.
+Can be specified more than once to select multiple responders.
+If a host name is used, then all of that host's addresses whether IPv4 or
+IPv6 are added to the recognition pattern.
+.TP
+.BI "\-A " host
+Capture only transactions NOT having these initiators.
+.TP
+.BI "\-Z " host
+Capture only transactions NOT having these responders.
+.TP
+.BI "\-Y " host
+Drop responses having these responders.
+Similar to
+.B \-Z
+in spirit.
+However,
+.B \-Y
+applies only to responses and does not cause any additions to the BPF filter
+string.
+.TP
+.BI "\-x " pat
+If one or more
+.B \-x
+options are provided, then DNS messages will only be selected if the
+printable representation of the QNAME or any RR matches at least one of the
+provided
+.I pat
+patterns.
+.TP
+.BI "\-X " pat
+If one or more
+.B \-X
+options are provided, then DNS messages matching these patterns will not
+be selected.
+
+If both options are used then the message must first be matched by
+.B \-x
+and then not matched by all
+.B \-X
+regex.
+See
+.BR regex (3)
+and
+.BR re_format (7)
+for more information about extended regular expression syntax.
+.TP
+.BI "\-q " num|str
+Only select DNS messages where QTYPE matches the specified type.
+Can not be used together with
+.BR \-Q .
+.TP
+.BI "\-Q " num|str
+Only select DNS messages where QTYPE does not matches the specified type.
+Can not be used together with
+.BR \-q .
+.\"
+.\"
+.\"
+.SS PLUGINS
+.TP
+.BI "\-P " "/path/to/plugin.so ..."
+Load and use the specified plugin, full path to plugin must be supplied.
+Any options given after this are sent to the plugin.
+
+Once a double dash, "\-\-", is encountered after
+.BR \-P ,
+processing of the command line options will go back to
+.BR dnscap .
+
+Using this you can chain and use multiple plugins at once:
+
+.EX
+  \-P /path/to/plugin_one.so \-a opt \-\- \-P /path/to/plugin_two.so \-b opt
+.EE
+
+To show the plugins option help, run it with
+.BR \-? :
+
+.EX
+  \-P /path/to/plugin_one.so \-?
+.EE
+
+Plugins are loaded, executed and given the packets to process in the
+order given on command line.
+
+These bundled plugins are installed in @pkglibdir@:
+.RS
+.TP
+.B anonaes128.so
+Anonymize IP addresses using AES128.
+.TP
+.B anonmask.so
+Pseudo\-anonymize IP addresses by masking them.
+.TP
+.B cryptopan.so
+Anonymize IP addresses using an extension to Crypto\-PAn (College of
+Computing, Georgia Tech) made by David Stott (Lucent).
+.TP
+.B cryptopant.so
+Anonymize IP addresses using cryptopANT, a different implementation of
+Crypto\-PAn made by the ANT project at USC/ISI.
+.TP
+.B eventlog.so
+Output DNS activity as log events, including IP addresses from query responses.
+.TP
+.B ipcrypt.so
+Anonymize IP addresses using ipcrypt create by Jean\-Philippe Aumasson.
+.TP
+.B pcapdump.so
+Dump DNS into a PCAP with some filtering options.
+.TP
+.B royparse.so
+Splits a PCAP into two streams; queries in PCAP format and responses in
+ASCII format.
+.TP
+.B rssm.so
+Root Server Scaling Measurement plugin.
+.TP
+.B rzkeychange.so
+RFC8145 key tag signal collection and reporting plugin.
+.TP
+.B txtout.so
+Dump DNS as one\-line text.
+.RE
+.\"
+.\"
+.\"
+.SH OUTPUT FORMATS
+Beside diagnostic and PCAP output, other output formats might be available
+depending on compile time support.
+
+Recognized formats are:
+.TP
+.B cbor
+Uses tinycbor library to write CBOR objects that are based on DNS\-in\-JSON
+draft by Paul Hoffman.
+.TP
+.B cds
+CBOR DNS Stream format, see
+.I https://github.com/DNS\-OARC/dnscap/blob/master/CBOR_DNS_STREAM.md
+for details and below for all extended options related to this format.
+.TP
+.B pcap
+This uses the pcap library to output the captured DNS packets. (default)
+.TP
+.B diagnostic
+This is the output produced by
+.BR \-g ,
+and is meant to be parse\-able.
+It is broken up into multiple lines with a backslash at the end to indicate
+that the line continues on the next.
+
+First line contains packet and capturing information:
+
+.EX
+  [<pktsize>] <date> <timestamp> [<pktnum> <file|interface> <vlanid>]
+.EE
+
+Second line shows IP information or if the packet is a fragment:
+
+.EX
+  [<srcip>].<srcport> \-> [<dstip>].<dstport>
+.EE
+.EX
+  ;: [<srcip>] \-> [<dstip>] (frag)
+.EE
+
+If the packet contains DNS information then the next line will show the DNS
+header information:
+
+.EX
+  dns <opcode>,<rcode>,<id>,<flags>
+.EE
+
+Next are the 4 sections of the DNS, each section is prefixed by the number
+of records and each record and section are separated by space.
+Below are a few example, first is just a query, second has just one answer
+and the last has also authority and additional records.
+
+.EX
+  1 example.com.,IN,A 0 0 0
+.EE
+
+.EX
+  1 example.com.,IN,A \\
+  1 example.com.,IN,A,47,127.0.0.1 0 0
+.EE
+
+.EX
+  1 example.com.,IN,A \\
+  1 example.com.,IN,A,263,127.0.0.1 \\
+  4 example.com.,IN,NS,157794,ns1.example.com. \\
+  example.com.,IN,NS,157794,ns4.example.com. \\
+  example.com.,IN,NS,157794,ns3.example.com. \\
+  example.com.,IN,NS,157794,ns2.example.com. \\
+  4 ns2.example.com.,IN,A,157794,127.0.0.1 \\
+  ns1.example.com.,IN,A,331796,127.0.0.1 \\
+  ns3.example.com.,IN,A,157794,127.0.0.1 \\
+  ns4.example.com.,IN,A,157794,127.0.0.1
+.EE
+
+Each DNS record contains the following:
+
+.EX
+  <fqdn>,<class>,<type>[,<ttl>[,<additional information>]]
+.EE
+
+Additional information will be displayed for SOA, A, AAAA, MX, NS, PTR,
+CNAME and OPT records containing EDNS0.
+.SS CBOR
+.TP
+.BI "\-o " cbor_chunk_size=bytes
+Specify the number of
+.I bytes
+of CBOR to construct before flushing the output, must be a non zero
+positive number.
+.SS CBOR DNS STREAM (CDS)
+.TP
+.BI "\-o " cds_cbor_size=bytes
+Number of
+.I bytes
+of memory to use before flushing to file.
+.TP
+.BI "\-o " cds_message_size=bytes
+Number of
+.I bytes
+of memory to use for each DNS packet.
+.TP
+.BI "\-o " cds_max_rlabels=num
+Number of labels
+.RI ( num )
+to keep in the reverse label index.
+.TP
+.BI "\-o " cds_min_rlabel_size=num
+The minimum size of a label
+.RI ( num )
+to be able to use the reverse label index.
+.TP
+.BI "\-o " cds_use_rdata_index=yes
+Use the resource data index, default is no.
+.TP
+.BI "\-o " cds_rdata_index_min_size=num
+The minimum size of the data
+.RI ( num )
+to be able to use the resource data index.
+.TP
+.BI "\-o " cds_use_rdata_rindex=yes
+Use the resource data reverse index, default is no.
+.TP
+.BI "\-o " cds_rdata_rindex_size=num
+Number of resource data
+.RI ( num )
+to keep in the resource data reverse index.
+.TP
+.BI "\-o " cds_rdata_rindex_min_size=num
+The minimum size of the data
+.RI ( num )
+to be able to use the resource data reverse index.
+.SH EXAMPLES
+In
+.BR dnscap 's
+simplest form, the output can be piped to
+.BR tcpdump (1)
+as in:
+
+.EX
+  dnscap -w - | tcpdump -r -
+.EE
+
+You can safely add the
+.B \-d
+option since the diagnostic output resulting from
+.B \-d
+goes to standard error rather than standard output.
+
+The more interesting use for
+.B dnscap
+is long term or continuous data collection.
+Assuming a shell script called
+.I dnscap-upload
+whose function is to transfer a
+.BR pcap (3)
+format file to an analytics system and then remove the local copy of it,
+then a name server operating system startup could invoke
+.B dnscap
+for continuous DNS auditing using a command like:
+
+.EX
+  dnscap -m qun -h i -z f.root-servers.net \\
+         -w /var/local/dnscaps/f-root -t 1800 \\
+         -k /usr/local/sbin/dnscap-upload
+.EE
+
+This will capture all query, update and notify messages where the responder
+is f.root-servers.net and the initiators will be hidden.
+The dump files will be saved in /var/local/dnscaps/ on a 30 minute (1800
+seconds) interval.
+After each interval the
+.I dnscap-upload
+script will be executed.
+
+A bizarre but actual example which combines almost all features of
+.B dnscap
+is:
+
+.EX
+  dnscap -d -w - -1 -i em0 -l 0 -x ^7 | \\
+    dnscap -d -r - -X spamhaus -g -l 0
+.EE
+
+Here, we're looking for all messages having a QNAME or RR beginning with the
+decimal digit "7", but we don't want to see anything containing "spamhaus".
+The interface is tagged, and since only one interface is selected, the output
+stream from the first
+.B dnscap
+will also be tagged, thus we need
+.BI "\-l " 0
+on both
+.B dnscap
+commands.
+.SH COMPATIBILITY NOTES
+If
+.B dnscap
+produces no output, it's probably due to some kind of bug in the kernel's
+.BR bpf (4)
+module or in the
+.BR pcap (3)
+library.
+
+You may need the
+.BI "\-l " 0
+,
+.BI "\-l " 4095
+or
+.BI "\-L " 4095
+options.
+
+To diagnose "no output", use the
+.B \-d
+and
+.B \-g
+options to find out what BPF program is being internally generated, and
+then cut/paste this BPF program and use
+.BR tcpdump (1)
+to see if it likewise produces no output.
+
+You can also run
+.BR tcpdump (1)
+with
+.B \-e
+to see the link-level headers in order to see if the traffic is encapsulated.
+.SH SEE ALSO
+.BR tcpdump (1),
+.BR pcap (3),
+.BR regex (3),
+.BR bpf (4),
+.BR re_format (7)
+.SH AUTHORS
+.B dnscap
+was written by Paul Vixie (ISC) with help from Duane Wessels,
+Kevin Brintnall, and others too numerous to mention.
+It's currently maintained by Jerry Lundström, DNS\-OARC.
+.LP
+.RS
+.I https://www.dns\-oarc.net/
+.RE
+.LP
+.SH BUGS
+For issues and feature requests please use:
+.LP
+.RS
+\fI@PACKAGE_URL@\fP
+.RE
+.LP
+For question and help please use:
+.LP
+.RS
+\fI@PACKAGE_BUGREPORT@\fP
+.RE
+.LP
diff --git a/src/dnscap.c b/src/dnscap.c
new file mode 100644
index 0000000..56e1ac1
--- /dev/null
+++ b/src/dnscap.c
@@ -0,0 +1,249 @@
+/* dnscap - DNS capture utility
+ *
+ * By Paul Vixie (ISC) and Duane Wessels (Measurement Factory), 2007.
+ */
+
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "dnscap.h"
+#include "args.h"
+#include "bpft.h"
+#include "pcaps.h"
+#include "dumper.h"
+#include "daemon.h"
+#include "log.h"
+#include "sig.h"
+
+#if defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_CONF_H) && defined(HAVE_OPENSSL_ERR_H) && defined(HAVE_OPENSSL_EVP_H)
+#include <openssl/conf.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#define INIT_OPENSSL 1
+#endif
+
+plugin_list     plugins;
+const char*     ProgramName = "amnesia";
+int             dumptrace   = 0;
+int             flush       = FALSE;
+vlan_list       vlans_excl;
+vlan_list       vlans_incl;
+unsigned        msg_wanted = MSG_QUERY;
+unsigned        dir_wanted = DIR_INITIATE | DIR_RESPONSE;
+unsigned        end_hide   = 0U;
+unsigned        err_wanted = ERR_NO | ERR_YES; /* accept all by default */
+tcpstate_list   tcpstates;
+int             tcpstate_count = 0;
+endpoint_list   initiators, not_initiators;
+endpoint_list   responders, not_responders;
+endpoint_list   drop_responders; /* drops only responses from these hosts */
+myregex_list    myregexes;
+mypcap_list     mypcaps;
+mypcap_ptr      pcap_offline       = NULL;
+const char*     dump_base          = NULL;
+char*           dump_suffix        = 0;
+char*           extra_bpf          = NULL;
+enum dump_type  dump_type          = nowhere;
+enum dump_state dump_state         = dumper_closed;
+const char*     kick_cmd           = NULL;
+unsigned        limit_seconds      = 0U;
+time_t          next_interval      = 0;
+unsigned        limit_packets      = 0U;
+size_t          limit_pcapfilesize = 0U;
+pcap_t*         pcap_dead;
+pcap_dumper_t*  dumper;
+time_t          dumpstart;
+unsigned        msgcount;
+size_t          capturedbytes = 0;
+char *          dumpname, *dumpnamepart;
+char*           bpft;
+unsigned        dns_port       = DNS_PORT;
+int             promisc        = TRUE;
+int             monitor_mode   = FALSE;
+int             immediate_mode = FALSE;
+int             background     = FALSE;
+char            errbuf[PCAP_ERRBUF_SIZE];
+int             wantgzip  = 0;
+int             wantfrags = FALSE;
+int             wanticmp  = FALSE;
+int             wanttcp   = FALSE;
+int             preso     = FALSE;
+#ifdef USE_SECCOMP
+int use_seccomp = FALSE;
+#endif
+int                main_exit            = FALSE;
+int                alarm_set            = FALSE;
+time_t             start_time           = 0;
+time_t             stop_time            = 0;
+int                print_pcap_stats     = FALSE;
+uint64_t           pcap_drops           = 0;
+my_bpftimeval      last_ts              = { 0, 0 };
+unsigned long long mem_limit            = (unsigned)MEM_MAX; /* process memory limit */
+int                mem_limit_set        = 1; /* TODO: Should be configurable */
+const char         DROPTOUSER[]         = "nobody";
+pcap_thread_t      pcap_thread          = PCAP_THREAD_T_INIT;
+int                only_offline_pcaps   = FALSE;
+int                dont_drop_privileges = FALSE;
+options_t          options              = OPTIONS_T_DEFAULTS;
+
+ldns_rr_type match_qtype = 0, nmatch_qtype = 0;
+
+int main(int argc, char* argv[])
+{
+    struct plugin* p;
+    struct timeval now;
+
+#ifdef INIT_OPENSSL
+    ERR_load_crypto_strings();
+    OpenSSL_add_all_algorithms();
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+    OPENSSL_config(0);
+#endif
+#endif
+
+    parse_args(argc, argv);
+    gettimeofday(&now, 0);
+    if (!only_offline_pcaps && start_time) {
+        if (now.tv_sec < start_time) {
+            char      when[100];
+            struct tm tm;
+            gmtime_r(&start_time, &tm);
+            strftime(when, sizeof when, "%F %T", &tm);
+            fprintf(stderr, "Sleeping for %d seconds until %s UTC\n",
+                (int)(start_time - now.tv_sec), when);
+            sleep(start_time - now.tv_sec);
+            fprintf(stderr, "Awake.\n");
+        }
+    }
+    prepare_bpft();
+    open_pcaps();
+    if (dump_type == to_stdout) {
+        if (dumper_open(now)) {
+            fprintf(stderr, "%s: dumper_open() to stdout failed\n", ProgramName);
+            exit(1);
+        }
+    }
+    INIT_LIST(tcpstates);
+
+    if (!dont_drop_privileges && !only_offline_pcaps) {
+        drop_privileges();
+    }
+
+    for (p = HEAD(plugins); p != NULL; p = NEXT(p, link)) {
+        if (p->start)
+            if (0 != (*p->start)(logerr)) {
+                logerr("%s_start returned non-zero", p->name);
+                exit(1);
+            }
+    }
+    if (dump_type == nowhere)
+        dumpstart = time(NULL);
+    if (background)
+        daemonize();
+
+#if HAVE_PTHREAD
+    /*
+     * Defer signal setup until we have dropped privileges and daemonized,
+     * otherwise signals might not reach us because different threads
+     * are running under different users/access
+     */
+    {
+        sigset_t  set;
+        int       err;
+        pthread_t thread;
+
+        sigfillset(&set);
+        if ((err = pthread_sigmask(SIG_BLOCK, &set, 0))) {
+            logerr("pthread_sigmask: %s", strerror(err));
+            exit(1);
+        }
+
+        sigemptyset(&set);
+        sigaddset(&set, SIGHUP);
+        sigaddset(&set, SIGINT);
+        sigaddset(&set, SIGALRM);
+        sigaddset(&set, SIGTERM);
+        sigaddset(&set, SIGQUIT);
+
+        if ((err = pthread_create(&thread, 0, &sigthread, (void*)&set))) {
+            logerr("pthread_create: %s", strerror(err));
+            exit(1);
+        }
+    }
+#else
+    {
+        sigset_t set;
+
+        sigfillset(&set);
+        sigdelset(&set, SIGHUP);
+        sigdelset(&set, SIGINT);
+        sigdelset(&set, SIGALRM);
+        sigdelset(&set, SIGTERM);
+        sigdelset(&set, SIGQUIT);
+
+        if (sigprocmask(SIG_BLOCK, &set, 0)) {
+            logerr("sigprocmask: %s", strerror(errno));
+            exit(1);
+        }
+    }
+
+    setsig(SIGHUP, TRUE);
+    setsig(SIGINT, TRUE);
+    setsig(SIGALRM, FALSE);
+    setsig(SIGTERM, TRUE);
+    setsig(SIGQUIT, TRUE);
+#endif
+
+    while (!main_exit)
+        poll_pcaps();
+    /* close PCAPs after dumper_close() to have statistics still available during dumper_close() */
+    if (dumper_opened == dump_state)
+        (void)dumper_close(last_ts);
+    close_pcaps();
+    for (p = HEAD(plugins); p != NULL; p = NEXT(p, link)) {
+        if (p->stop)
+            (*p->stop)();
+    }
+    options_free(&options);
+
+#ifdef INIT_OPENSSL
+    EVP_cleanup();
+    CRYPTO_cleanup_all_ex_data();
+    ERR_free_strings();
+#endif
+
+    return 0;
+}
diff --git a/src/dnscap.h b/src/dnscap.h
new file mode 100644
index 0000000..dd03ddd
--- /dev/null
+++ b/src/dnscap.h
@@ -0,0 +1,441 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __dnscap_dnscap_h
+#define __dnscap_dnscap_h
+
+#ifdef __linux__
+#define _GNU_SOURCE
+#endif
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/select.h>
+#include <sys/socket.h>
+#include <sys/fcntl.h> /* for open() */
+#include <sys/ioctl.h> /* for TIOCNOTTY */
+#include <stdarg.h>
+#include <syslog.h>
+#include <dlfcn.h>
+#include <sys/stat.h>
+#include <sys/resource.h>
+#if HAVE_PTHREAD
+#include <pthread.h>
+#endif
+
+#ifdef __linux__
+#define __FAVOR_BSD
+#include <net/ethernet.h>
+#ifdef USE_SECCOMP
+#include <seccomp.h>
+#endif
+#endif
+
+#ifdef __FreeBSD__
+#include <net/ethernet.h>
+#endif
+
+#ifdef __NetBSD__
+#include <net/ethertypes.h>
+#include <net/if.h>
+#include <net/if_ether.h>
+#endif
+
+#ifdef __OpenBSD__
+#include <net/ethertypes.h>
+#include <net/if.h>
+#include <netinet/in.h>
+#include <netinet/in_var.h>
+#include <netinet/if_ether.h>
+#endif
+
+#ifdef __APPLE__
+#include <net/ethernet.h>
+#include <net/bpf.h>
+#endif
+
+#ifdef __hpux
+#include <net/if.h>
+#include <netinet/if_ether.h>
+#define ETHER_HDR_LEN ETHER_HLEN
+#define __BIT_TYPES_DEFINED
+#define __HPLX
+#endif
+
+#ifdef __SVR4
+#include <stdarg.h>
+#include <net/if.h>
+#include <net/if_arp.h>
+#include <netinet/if_ether.h>
+#include "snprintf.h"
+#define IP_OFFMASK 0x1fff
+#define u_int32_t uint32_t
+#ifndef ETHER_HDR_LEN
+#define ETHER_HDR_LEN 14
+#endif
+#endif
+
+#ifndef MY_BPFTIMEVAL
+#define MY_BPFTIMEVAL timeval
+#endif
+
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+#include <netinet/udp.h>
+#include <netinet/tcp.h>
+#include <arpa/nameser.h>
+#if HAVE_ARPA_NAMESER_COMPAT_H
+#include <arpa/nameser_compat.h>
+#endif
+#include <arpa/inet.h>
+
+#include <assert.h>
+#include <errno.h>
+#include <netdb.h>
+#include <pcap.h>
+#include <regex.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
+
+#if HAVE_ZLIB_H
+#include <zlib.h>
+#endif
+
+#include <ldns/ldns.h>
+
+#ifndef IPV6_VERSION
+#define IPV6_VERSION 0x60
+#endif
+#ifndef IPV6_VERSION_MASK
+#define IPV6_VERSION_MASK 0xf0
+#endif
+
+#define UDP10_QR_MASK 0x80
+#define UDP10_QR_SHIFT 7
+#define UDP10_OP_MASK 0x78
+#define UDP10_OP_SHIFT 3
+#define UDP10_AA_MASK 0x04
+#define UDP10_AA_SHIFT 2
+#define UDP10_TC_MASK 0x02
+#define UDP10_TC_SHIFT 1
+#define UDP10_RD_MASK 0x01
+#define UDP10_RD_SHIFT 0
+
+#define UDP11_RC_MASK 0x0f
+#define UDP11_RC_SHIFT 0
+
+#define MSG_QUERY 0x0001
+#define MSG_UPDATE 0x0002
+#define MSG_NOTIFY 0x0004
+
+#define ERR_TRUNC 0x0001
+#define ERR_RCODE_BASE 0x0002
+#define ERR_NO (ERR_RCODE_BASE << 0)
+#define ERR_FORMERR (ERR_RCODE_BASE << 1)
+#define ERR_SERVFAIL (ERR_RCODE_BASE << 2)
+#define ERR_NXDOMAIN (ERR_RCODE_BASE << 3)
+#define ERR_NOTIMPL (ERR_RCODE_BASE << 4)
+#define ERR_REFUSED (ERR_RCODE_BASE << 5)
+#define ERR_YES (0xffffffff & ~ERR_NO)
+
+#define END_INITIATOR 0x0001
+#define END_RESPONDER 0x0002
+
+#define HIDE_INET "\177\177\177\177"
+#define HIDE_INET6 "\177\177\177\177\177\177\177\177" \
+                   "\177\177\177\177\177\177\177\177"
+#define HIDE_PORT 54321
+
+#ifndef ETHERTYPE_VLAN
+#define ETHERTYPE_VLAN 0x8100
+#endif
+#ifndef ETHERTYPE_IPV6
+#define ETHERTYPE_IPV6 0x86DD
+#endif
+
+#define THOUSAND 1000
+#define MILLION (THOUSAND * THOUSAND)
+#define MAX_VLAN 4095
+#define DNS_PORT 53
+#define TO_MS 1
+#define SNAPLEN 65536
+#define TRUE 1
+#define FALSE 0
+#define REGEX_CFLAGS (REG_EXTENDED | REG_ICASE | REG_NOSUB | REG_NEWLINE)
+#define MAX_TCP_WINDOW (0xFFFF << 14)
+#define MEM_MAX 20000000000 /* SETTING MAX MEMORY USAGE TO 2GB */
+
+#define ISC_CHECK_NONE 1
+#include "isc/list.h"
+#include "isc/assertions.h"
+
+#include "dnscap_common.h"
+
+#include "dump_dns.h"
+#include "dump_cbor.h"
+#include "dump_cds.h"
+#include "options.h"
+#include "pcap-thread/pcap_thread.h"
+
+struct text {
+    LINK(struct text)
+    link;
+    size_t len;
+    char*  text;
+};
+typedef struct text* text_ptr;
+typedef LIST(struct text) text_list;
+#define text_size(len) (sizeof(struct text) + len)
+
+struct mypcap {
+    LINK(struct mypcap)
+    link;
+    const char*      name;
+    struct pcap_stat ps0, ps1;
+    uint64_t         drops;
+};
+typedef struct mypcap* mypcap_ptr;
+typedef LIST(struct mypcap) mypcap_list;
+
+struct vlan {
+    LINK(struct vlan)
+    link;
+    unsigned vlan;
+};
+typedef struct vlan* vlan_ptr;
+typedef LIST(struct vlan) vlan_list;
+
+#define MAX_TCP_WINDOW_SIZE (0xFFFF << 14)
+#define MAX_TCP_MSGS 8
+#define MAX_TCP_SEGS 8
+#define MAX_TCP_HOLES 8
+#define MAX_TCP_DNS_MSG 8
+
+typedef struct tcphole    tcphole_t;
+typedef struct tcp_msgbuf tcp_msgbuf_t;
+typedef struct tcp_segbuf tcp_segbuf_t;
+typedef struct tcpdnsmsg  tcpdnsmsg_t;
+typedef struct tcpreasm   tcpreasm_t;
+
+struct tcphole {
+    uint16_t start;
+    uint16_t len;
+};
+
+struct tcp_msgbuf {
+    uint32_t  seq;
+    uint16_t  dnslen;
+    tcphole_t hole[MAX_TCP_HOLES];
+    int       holes;
+    u_char    buf[];
+};
+
+struct tcp_segbuf {
+    uint32_t seq;
+    uint16_t len;
+    u_char   buf[];
+};
+
+struct tcpdnsmsg {
+    size_t   segments_seen;
+    uint16_t dnslen;
+    u_char   dnspkt[];
+};
+
+struct tcpreasm {
+    uint32_t      seq_start;
+    size_t        msgbufs;
+    u_char        dnslen_buf[2];
+    u_char        dnslen_bytes_seen_mask;
+    tcp_msgbuf_t* msgbuf[MAX_TCP_MSGS];
+    tcp_segbuf_t* segbuf[MAX_TCP_SEGS];
+    size_t        segments_seen;
+    size_t        dnsmsgs;
+    tcpdnsmsg_t*  dnsmsg[MAX_TCP_DNS_MSG];
+    uint32_t      seq_bfb;
+    tcp_segbuf_t* bfb_seg[MAX_TCP_SEGS];
+    u_char*       bfb_buf;
+    size_t        bfb_at;
+};
+
+struct tcpstate {
+    LINK(struct tcpstate)
+    link;
+    iaddr    saddr;
+    iaddr    daddr;
+    uint16_t sport;
+    uint16_t dport;
+    uint32_t start; /* seq# of tcp payload start */
+    uint32_t maxdiff; /* maximum (seq# - start) */
+    uint16_t dnslen;
+    time_t   last_use;
+    uint32_t lastdns;
+    uint32_t currseq;
+    size_t   currlen;
+
+    tcpreasm_t* reasm;
+    size_t      reasm_faults;
+};
+typedef struct tcpstate* tcpstate_ptr;
+typedef LIST(struct tcpstate) tcpstate_list;
+
+struct endpoint {
+    LINK(struct endpoint)
+    link;
+    iaddr ia;
+};
+typedef struct endpoint* endpoint_ptr;
+typedef LIST(struct endpoint) endpoint_list;
+
+struct myregex {
+    LINK(struct myregex)
+    link;
+    regex_t reg;
+    char*   str;
+    int not ;
+};
+typedef struct myregex* myregex_ptr;
+typedef LIST(struct myregex) myregex_list;
+
+struct plugin {
+    LINK(struct plugin)
+    link;
+
+    char*            name;
+    void*            handle;
+    enum plugin_type pt;
+
+    type_t(*type);
+    int (*start)(logerr_t*);
+    void (*stop)();
+    int (*open)(my_bpftimeval);
+    int (*close)();
+    output_t(*output);
+    filter_t(*filter);
+    void (*getopt)(int*, char**[]);
+    void (*usage)();
+    void (*extension)(int, void*);
+};
+typedef LIST(struct plugin) plugin_list;
+
+enum dump_type {
+    nowhere,
+    to_stdout,
+    to_file
+};
+enum dump_state {
+    dumper_opened,
+    dumper_closed
+};
+
+extern plugin_list plugins;
+extern const char* ProgramName;
+extern char*       dump_suffix;
+extern int         wantgzip;
+
+extern plugin_list     plugins;
+extern const char*     ProgramName;
+extern int             dumptrace;
+extern int             flush;
+extern vlan_list       vlans_excl;
+extern vlan_list       vlans_incl;
+extern unsigned        msg_wanted;
+extern unsigned        dir_wanted;
+extern unsigned        end_hide;
+extern unsigned        err_wanted;
+extern tcpstate_list   tcpstates;
+extern int             tcpstate_count;
+extern endpoint_list   initiators, not_initiators;
+extern endpoint_list   responders, not_responders;
+extern endpoint_list   drop_responders;
+extern myregex_list    myregexes;
+extern mypcap_list     mypcaps;
+extern mypcap_ptr      pcap_offline;
+extern const char*     dump_base;
+extern char*           dump_suffix;
+extern char*           extra_bpf;
+extern enum dump_type  dump_type;
+extern enum dump_state dump_state;
+extern const char*     kick_cmd;
+extern unsigned        limit_seconds;
+extern time_t          next_interval;
+extern unsigned        limit_packets;
+extern size_t          limit_pcapfilesize;
+extern pcap_t*         pcap_dead;
+extern pcap_dumper_t*  dumper;
+extern time_t          dumpstart;
+extern unsigned        msgcount;
+extern size_t          capturedbytes;
+extern char *          dumpname, *dumpnamepart;
+extern char*           bpft;
+extern unsigned        dns_port;
+extern int             promisc;
+extern int             monitor_mode;
+extern int             immediate_mode;
+extern int             background;
+extern char            errbuf[PCAP_ERRBUF_SIZE];
+extern int             wantgzip;
+extern int             wantfrags;
+extern int             wanticmp;
+extern int             wanttcp;
+extern int             preso;
+#ifdef USE_SECCOMP
+extern int use_seccomp;
+#endif
+extern int                main_exit;
+extern int                alarm_set;
+extern time_t             start_time;
+extern time_t             stop_time;
+extern int                print_pcap_stats;
+extern uint64_t           pcap_drops;
+extern my_bpftimeval      last_ts;
+extern unsigned long long mem_limit;
+extern int                mem_limit_set;
+extern const char         DROPTOUSER[];
+extern pcap_thread_t      pcap_thread;
+extern int                only_offline_pcaps;
+extern int                dont_drop_privileges;
+extern options_t          options;
+
+extern ldns_rr_type match_qtype, nmatch_qtype;
+
+#endif /* __dnscap_dnscap_h */
diff --git a/src/dnscap_common.h b/src/dnscap_common.h
new file mode 100644
index 0000000..db1b88b
--- /dev/null
+++ b/src/dnscap_common.h
@@ -0,0 +1,158 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __dnscap_dnscap_common_h
+#define __dnscap_dnscap_common_h
+
+#include <netinet/in.h>
+#include <sys/types.h>
+
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#else
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#endif
+
+/*
+ * setup MY_BPFTIMEVAL as the timeval structure that bpf packets
+ * will be assoicated with packets from libpcap
+ */
+#ifndef MY_BPFTIMEVAL
+#define MY_BPFTIMEVAL timeval
+#endif
+typedef struct MY_BPFTIMEVAL my_bpftimeval;
+
+/*
+ * Structure to contain IP addresses
+ */
+typedef struct {
+    int af;
+    union {
+        struct in_addr  a4;
+        struct in6_addr a6;
+    } u;
+} iaddr;
+
+/*
+ * Prototype for the plugin "type" function
+ *
+ * output - Will run plugin's "output" function last when outputting (default
+ *          and same behavior before the existens of a plugin type)
+ * filter - Will run plugin's "filter" function before outputting and won't
+ *          output if the return of that function is non-zero.
+ */
+enum plugin_type {
+    plugin_output,
+    plugin_filter,
+};
+typedef enum plugin_type type_t(void);
+
+/*
+ * plugins can call the logerr() function in the main dnscap
+ * process.
+ */
+typedef int logerr_t(const char* fmt, ...);
+
+/*
+ * Prototype for the plugin "output" function
+ */
+typedef void output_t(const char* descr,
+    iaddr                         from,
+    iaddr                         to,
+    uint8_t                       proto,
+    unsigned                      flags,
+    unsigned                      sport,
+    unsigned                      dport,
+    my_bpftimeval                 ts,
+    const u_char*                 pkt_copy,
+    const unsigned                olen,
+    const u_char*                 payload,
+    const unsigned                payloadlen);
+
+/*
+ * Prototype for the plugin "filter" function
+ */
+typedef int filter_t(const char* descr,
+    iaddr*                       from,
+    iaddr*                       to,
+    uint8_t                      proto,
+    unsigned                     flags,
+    unsigned                     sport,
+    unsigned                     dport,
+    my_bpftimeval                ts,
+    const u_char*                pkt_copy,
+    const unsigned               olen,
+    const u_char*                payload,
+    const unsigned               payloadlen);
+
+/*
+ * Extensions
+ */
+
+#define DNSCAP_EXT_IS_RESPONDER 1
+typedef int (*is_responder_t)(iaddr ia);
+
+#define DNSCAP_EXT_IA_STR 2
+typedef const char* (*ia_str_t)(iaddr ia);
+
+#define DNSCAP_EXT_TCPSTATE_GETCURR 3
+typedef void* (*tcpstate_getcurr_t)(void);
+
+#define DNSCAP_EXT_TCPSTATE_RESET 4
+typedef void (*tcpstate_reset_t)(void* tcpstate, const char* msg);
+
+#define DNSCAP_EXT_SET_IADDR 5
+typedef void (*set_iaddr_t)(iaddr* from, iaddr* to);
+
+/*
+ * Flags
+ */
+
+#define DNSCAP_OUTPUT_ISFRAG (1 << 0)
+#define DNSCAP_OUTPUT_ISDNS (1 << 1)
+#define DNSCAP_OUTPUT_ISLAYER (1 << 2)
+
+/*
+ * Direction
+ */
+
+#define DIR_INITIATE 0x0001
+#define DIR_RESPONSE 0x0002
+
+#endif /* __dnscap_dnscap_common_h */
diff --git a/src/dump_cbor.c b/src/dump_cbor.c
new file mode 100644
index 0000000..1d2d848
--- /dev/null
+++ b/src/dump_cbor.c
@@ -0,0 +1,680 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+    DNS-in-JSON
+    - generally naming convention
+    - compressedNAME.length is there a point here? isn't the length in the
+      compressed data itself? Maybe have compressedNAME as just the data
+      of the compressed name
+    - 2.5 Additional Message Object Members
+      - IP stuff:
+        - ipProtocol: num
+        - sourceIpAddress: string
+        - sourcePort: num
+        - destinationIpAddress: string
+        - destinationPort: num
+        or
+        - ip: [ ipProtocol, sourceIpAddress, sourcePort, destinationIpAddress, destinationPort ]
+      - dateNanoFractions as addition to dateSeconds, specify the fraction of
+        nano seconds separatly to have better precision.
+*/
+
+#include "config.h"
+
+#include "dump_cbor.h"
+#include "dnscap.h"
+#include "iaddr.h"
+
+#if HAVE_LIBTINYCBOR
+
+#include <ldns/ldns.h>
+#if HAVE_CBOR_CBOR_H
+#include <cbor/cbor.h>
+#endif
+#if HAVE_CBOR_H
+#include <cbor.h>
+#endif
+
+static uint8_t* cbor_buf  = 0;
+static size_t   cbor_size = 128 * 1024;
+/*static size_t cbor_size = 1024;*/
+static size_t      cbor_reserve = 64 * 1024;
+static CborEncoder cbor_root, cbor_pkts;
+/*static cbor_stringref_t *cbor_stringrefs = 0;*/
+/*static size_t cbor_stringref_size = 8192;*/
+static int cbor_flushed = 1;
+
+int cbor_set_size(size_t size)
+{
+    if (!size) {
+        return DUMP_CBOR_EINVAL;
+    }
+
+    cbor_size = size;
+
+    return DUMP_CBOR_OK;
+}
+
+int cbor_set_reserve(size_t reserve)
+{
+    if (!reserve) {
+        return DUMP_CBOR_EINVAL;
+    }
+
+    cbor_reserve = reserve;
+
+    return DUMP_CBOR_OK;
+}
+
+#define append_cbor(func, name, type)                                   \
+    CborError func(CborEncoder* encoder, type value, int* should_flush) \
+    {                                                                   \
+        CborError err;                                                  \
+        uint8_t*  ptr = encoder->data.ptr;                              \
+        err           = name(encoder, value);                           \
+        if (err == CborErrorOutOfMemory && !*should_flush) {            \
+            *should_flush     = 1;                                      \
+            encoder->data.ptr = ptr;                                    \
+            encoder->end      = cbor_buf + cbor_size + cbor_reserve;    \
+            err               = name(encoder, value);                   \
+        }                                                               \
+        return err;                                                     \
+    }
+
+static append_cbor(append_cbor_text_stringz, cbor_encode_text_stringz, const char*);
+static append_cbor(append_cbor_boolean, cbor_encode_boolean, bool);
+static append_cbor(append_cbor_int, cbor_encode_int, int64_t);
+static append_cbor(append_cbor_uint, cbor_encode_uint, uint64_t);
+static append_cbor(append_cbor_double, cbor_encode_double, double);
+
+static CborError append_cbor_bytes(CborEncoder* encoder, uint8_t* bytes, size_t length, int* should_flush)
+{
+    CborError err;
+    uint8_t*  ptr = encoder->data.ptr;
+    err           = cbor_encode_byte_string(encoder, bytes, length);
+    if (err == CborErrorOutOfMemory && !*should_flush) {
+        *should_flush     = 1;
+        encoder->data.ptr = ptr;
+        encoder->end      = cbor_buf + cbor_size + cbor_reserve;
+        err               = cbor_encode_byte_string(encoder, bytes, length);
+    }
+    return err;
+}
+
+/*CborError append_cbor_text_stringz2(CborEncoder *encoder, const char *value, int *should_flush) {*/
+/*    CborError err;*/
+/*    uint8_t *ptr = encoder->data.ptr;*/
+/*    err = cbor_encode_byte_string(encoder, bytes, length);*/
+/*    if (err == CborErrorOutOfMemory && !*should_flush) {*/
+/*        *should_flush = 1;*/
+/*        encoder->data.ptr = ptr;*/
+/*        encoder->end = cbor_buf + cbor_size + cbor_reserve;*/
+/*        err = cbor_encode_byte_string(encoder, bytes, length);*/
+/*    }*/
+/*    return err;*/
+/*}*/
+
+#define append_cbor_container(func, name)                                                          \
+    CborError func(CborEncoder* encoder, CborEncoder* container, size_t length, int* should_flush) \
+    {                                                                                              \
+        CborError err;                                                                             \
+        uint8_t*  ptr = encoder->data.ptr;                                                         \
+        err           = name(encoder, container, length);                                          \
+        if (err == CborErrorOutOfMemory && !*should_flush) {                                       \
+            *should_flush     = 1;                                                                 \
+            encoder->data.ptr = ptr;                                                               \
+            encoder->end      = cbor_buf + cbor_size + cbor_reserve;                               \
+            err               = name(encoder, container, length);                                  \
+        }                                                                                          \
+        return err;                                                                                \
+    }
+
+static append_cbor_container(append_cbor_array, cbor_encoder_create_array);
+static append_cbor_container(append_cbor_map, cbor_encoder_create_map);
+
+static CborError close_cbor_container(CborEncoder* encoder, CborEncoder* container, int* should_flush)
+{
+    CborError err;
+    uint8_t*  ptr = encoder->data.ptr;
+    err           = cbor_encoder_close_container_checked(encoder, container);
+    if (err == CborErrorOutOfMemory && !*should_flush) {
+        *should_flush     = 1;
+        encoder->data.ptr = ptr;
+        encoder->end      = cbor_buf + cbor_size + cbor_reserve;
+        err               = cbor_encoder_close_container_checked(encoder, container);
+    }
+    return err;
+}
+
+static CborError cbor_ldns_rr_list(CborEncoder* encoder, ldns_rr_list* list, size_t count, int* should_flush)
+{
+    CborError    cbor_err = CborNoError;
+    size_t       n;
+    ldns_buffer* dname;
+    char*        dname_str;
+
+    if (!encoder) {
+        return CborErrorInternalError;
+    }
+    if (!list) {
+        return CborErrorInternalError;
+    }
+    if (!count) {
+        return CborErrorInternalError;
+    }
+    if (!should_flush) {
+        return CborErrorInternalError;
+    }
+
+    for (n = 0; cbor_err == CborNoError && n < count; n++) {
+        CborEncoder  cbor_rr;
+        uint8_t*     rdata_bytes;
+        ldns_buffer* rdata;
+        ldns_rr*     rr = ldns_rr_list_rr(list, n);
+        size_t       rd_count;
+
+        if (!rr) {
+            return CborErrorInternalError;
+        }
+        rd_count = ldns_rr_rd_count(rr);
+
+        if (!(dname = ldns_buffer_new(512))) {
+            return CborErrorOutOfMemory;
+        }
+        if (ldns_rdf2buffer_str_dname(dname, ldns_rr_owner(rr)) != LDNS_STATUS_OK) {
+            ldns_buffer_free(dname);
+            return CborErrorInternalError;
+        }
+        ldns_buffer_write_u8(dname, 0);
+        if (!(dname_str = ldns_buffer_export(dname))) {
+            ldns_buffer_free(dname);
+            return CborErrorOutOfMemory;
+        }
+
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_map(encoder, &cbor_rr, CborIndefiniteLength, should_flush);
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_text_stringz(&cbor_rr, "NAME", should_flush);
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_text_stringz(&cbor_rr, dname_str, should_flush);
+        free(dname_str);
+        ldns_buffer_free(dname);
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_text_stringz(&cbor_rr, "CLASS", should_flush);
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_uint(&cbor_rr, ldns_rr_get_class(rr), should_flush);
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_text_stringz(&cbor_rr, "TYPE", should_flush);
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_uint(&cbor_rr, ldns_rr_get_type(rr), should_flush);
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_text_stringz(&cbor_rr, "TTL", should_flush);
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_uint(&cbor_rr, ldns_rr_ttl(rr), should_flush);
+
+        if (rd_count == 1) {
+            if (!(rdata = ldns_buffer_new(64 * 1024))) {
+                return CborErrorOutOfMemory;
+            }
+            if (ldns_rdf2buffer_wire(rdata, ldns_rr_rdf(rr, 0)) != LDNS_STATUS_OK) {
+                ldns_buffer_free(rdata);
+                return CborErrorInternalError;
+            }
+            if (!(rdata_bytes = ldns_buffer_export(rdata))) {
+                ldns_buffer_free(rdata);
+                return CborErrorOutOfMemory;
+            }
+
+            if (cbor_err == CborNoError)
+                cbor_err = append_cbor_text_stringz(&cbor_rr, "RDLENGTH", should_flush);
+            if (cbor_err == CborNoError)
+                cbor_err = append_cbor_uint(&cbor_rr, ldns_buffer_position(rdata), should_flush);
+            if (cbor_err == CborNoError)
+                cbor_err = append_cbor_text_stringz(&cbor_rr, "RDATA", should_flush);
+            if (cbor_err == CborNoError)
+                cbor_err = append_cbor_bytes(&cbor_rr, rdata_bytes, ldns_buffer_position(rdata), should_flush);
+            free(rdata_bytes);
+            ldns_buffer_free(rdata);
+        } else if (rd_count > 1) {
+            size_t      n2;
+            CborEncoder rr_set;
+
+            if (cbor_err == CborNoError)
+                cbor_err = append_cbor_text_stringz(&cbor_rr, "rrSet", should_flush);
+            if (cbor_err == CborNoError)
+                cbor_err = append_cbor_array(&cbor_rr, &rr_set, CborIndefiniteLength, should_flush);
+            for (n2 = 0; n2 < rd_count; n2++) {
+                if (!(rdata = ldns_buffer_new(64 * 1024))) {
+                    return CborErrorOutOfMemory;
+                }
+                if (ldns_rdf2buffer_wire(rdata, ldns_rr_rdf(rr, n2)) != LDNS_STATUS_OK) {
+                    ldns_buffer_free(rdata);
+                    return CborErrorInternalError;
+                }
+                if (!(rdata_bytes = ldns_buffer_export(rdata))) {
+                    ldns_buffer_free(rdata);
+                    return CborErrorOutOfMemory;
+                }
+
+                if (cbor_err == CborNoError)
+                    cbor_err = append_cbor_text_stringz(&rr_set, "RDLENGTH", should_flush);
+                if (cbor_err == CborNoError)
+                    cbor_err = append_cbor_uint(&rr_set, ldns_buffer_position(rdata), should_flush);
+                if (cbor_err == CborNoError)
+                    cbor_err = append_cbor_text_stringz(&rr_set, "RDATA", should_flush);
+                if (cbor_err == CborNoError)
+                    cbor_err = append_cbor_bytes(&rr_set, rdata_bytes, ldns_buffer_position(rdata), should_flush);
+                free(rdata_bytes);
+                ldns_buffer_free(rdata);
+            }
+            if (cbor_err == CborNoError)
+                cbor_err = close_cbor_container(&cbor_rr, &rr_set, should_flush);
+        }
+
+        if (cbor_err == CborNoError)
+            cbor_err = close_cbor_container(encoder, &cbor_rr, should_flush);
+    }
+
+    return cbor_err;
+}
+
+int output_cbor(iaddr from, iaddr to, uint8_t proto, unsigned flags, unsigned sport, unsigned dport, my_bpftimeval ts, const u_char* payload, size_t payloadlen)
+{
+    ldns_pkt*   pkt = 0;
+    ldns_status ldns_rc;
+
+    if (!payload) {
+        return DUMP_CBOR_EINVAL;
+    }
+    if (!payloadlen) {
+        return DUMP_CBOR_EINVAL;
+    }
+
+    /*    if (!cbor_stringrefs) {*/
+    /*        cbor_stringrefs = calloc(1, cbor_stringref_size);*/
+    /*    }*/
+    if (!cbor_buf) {
+        if (!(cbor_buf = calloc(1, cbor_size + cbor_reserve))) {
+            return DUMP_CBOR_ENOMEM;
+        }
+    }
+    if (cbor_flushed) {
+        CborError cbor_err;
+
+        cbor_encoder_init(&cbor_root, cbor_buf, cbor_size, 0);
+        /*        cbor_err = cbor_encode_tag(&cbor_root, 256);*/
+        /*        if (cbor_err == CborNoError)*/
+        cbor_err = cbor_encoder_create_array(&cbor_root, &cbor_pkts, CborIndefiniteLength);
+        if (cbor_err != CborNoError) {
+            fprintf(stderr, "cbor init error[%d]: %s\n", cbor_err, cbor_error_string(cbor_err));
+            return DUMP_CBOR_ECBOR;
+        }
+        cbor_flushed = 0;
+    }
+
+    ldns_rc = ldns_wire2pkt(&pkt, payload, payloadlen);
+
+    if (ldns_rc != LDNS_STATUS_OK) {
+        fprintf(stderr, "ldns error [%d]: %s\n", ldns_rc, ldns_get_errorstr_by_id(ldns_rc));
+        return DUMP_CBOR_ELDNS;
+    }
+    if (!pkt) {
+        return DUMP_CBOR_ELDNS;
+    }
+
+    CborEncoder cbor, ip;
+    CborError   cbor_err     = CborNoError;
+    int         should_flush = 0;
+
+    cbor_err = append_cbor_map(&cbor_pkts, &cbor, CborIndefiniteLength, &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_text_stringz(&cbor, "dateSeconds", &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_double(&cbor, (double)ts.tv_sec + ((double)ts.tv_usec / 1000000), &should_flush);
+    /*            if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, "dateNanoFractions", &should_flush);*/
+    /*            if (cbor_err == CborNoError) cbor_err = append_cbor_uint(&cbor, ts.tv_usec * 1000, &should_flush);*/
+
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_text_stringz(&cbor, "ip", &should_flush);
+    /*            if (cbor_err == CborNoError) cbor_err = append_cbor_uint(&cbor, proto, &should_flush);*/
+    /*            if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, "sourceIpAddress", &should_flush);*/
+    /*            if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, ia_str(from), &should_flush);*/
+    /*            if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, "sourcePort", &should_flush);*/
+    /*            if (cbor_err == CborNoError) cbor_err = append_cbor_uint(&cbor, sport, &should_flush);*/
+    /*            if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, "destinationIpAddress", &should_flush);*/
+    /*            if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, ia_str(to), &should_flush);*/
+    /*            if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, "destinationPort", &should_flush);*/
+    /*            if (cbor_err == CborNoError) cbor_err = append_cbor_uint(&cbor, dport, &should_flush);*/
+
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_array(&cbor, &ip, CborIndefiniteLength, &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_uint(&ip, proto, &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_text_stringz(&ip, ia_str(from), &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_uint(&ip, sport, &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_text_stringz(&ip, ia_str(to), &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_uint(&ip, dport, &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = close_cbor_container(&cbor, &ip, &should_flush);
+
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_text_stringz(&cbor, "ID", &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_uint(&cbor, ldns_pkt_id(pkt), &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_text_stringz(&cbor, "QR", &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_boolean(&cbor, ldns_pkt_qr(pkt), &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_text_stringz(&cbor, "Opcode", &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_uint(&cbor, ldns_pkt_get_opcode(pkt), &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_text_stringz(&cbor, "AA", &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_boolean(&cbor, ldns_pkt_aa(pkt), &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_text_stringz(&cbor, "TC", &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_boolean(&cbor, ldns_pkt_tc(pkt), &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_text_stringz(&cbor, "RD", &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_boolean(&cbor, ldns_pkt_rd(pkt), &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_text_stringz(&cbor, "RA", &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_boolean(&cbor, ldns_pkt_ra(pkt), &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_text_stringz(&cbor, "AD", &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_boolean(&cbor, ldns_pkt_ad(pkt), &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_text_stringz(&cbor, "CD", &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_boolean(&cbor, ldns_pkt_cd(pkt), &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_text_stringz(&cbor, "RCODE", &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_uint(&cbor, ldns_pkt_get_rcode(pkt), &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_text_stringz(&cbor, "QDCOUNT", &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_uint(&cbor, ldns_pkt_qdcount(pkt), &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_text_stringz(&cbor, "ANCOUNT", &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_uint(&cbor, ldns_pkt_ancount(pkt), &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_text_stringz(&cbor, "NSCOUNT", &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_uint(&cbor, ldns_pkt_nscount(pkt), &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_text_stringz(&cbor, "ARCOUNT", &should_flush);
+    if (cbor_err == CborNoError)
+        cbor_err = append_cbor_uint(&cbor, ldns_pkt_arcount(pkt), &should_flush);
+
+    /* questionRRs */
+
+    if (ldns_pkt_qdcount(pkt) > 0) {
+        ldns_rr_list* list = ldns_pkt_question(pkt);
+        ldns_rr*      rr;
+        size_t        n, qdcount = ldns_pkt_qdcount(pkt);
+        ldns_buffer*  dname;
+        char*         dname_str;
+
+        if (!list) {
+            ldns_pkt_free(pkt);
+            return DUMP_CBOR_ELDNS;
+        }
+        rr = ldns_rr_list_rr(list, 0);
+        if (!rr) {
+            ldns_pkt_free(pkt);
+            return DUMP_CBOR_ELDNS;
+        }
+
+        if (!(dname = ldns_buffer_new(512))) {
+            ldns_pkt_free(pkt);
+            return DUMP_CBOR_ENOMEM;
+        }
+        if (ldns_rdf2buffer_str_dname(dname, ldns_rr_owner(rr)) != LDNS_STATUS_OK) {
+            ldns_buffer_free(dname);
+            ldns_pkt_free(pkt);
+            return DUMP_CBOR_ELDNS;
+        }
+        ldns_buffer_write_u8(dname, 0);
+        if (!(dname_str = ldns_buffer_export(dname))) {
+            ldns_buffer_free(dname);
+            ldns_pkt_free(pkt);
+            return DUMP_CBOR_ENOMEM;
+        }
+
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_text_stringz(&cbor, "QNAME", &should_flush);
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_text_stringz(&cbor, dname_str, &should_flush);
+        free(dname_str);
+        ldns_buffer_free(dname);
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_text_stringz(&cbor, "QCLASS", &should_flush);
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_uint(&cbor, ldns_rr_get_class(rr), &should_flush);
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_text_stringz(&cbor, "QTYPE", &should_flush);
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_uint(&cbor, ldns_rr_get_type(rr), &should_flush);
+
+        if (qdcount > 1) {
+            CborEncoder queries;
+
+            if (cbor_err == CborNoError)
+                cbor_err = append_cbor_text_stringz(&cbor, "questionRRs", &should_flush);
+            if (cbor_err == CborNoError)
+                cbor_err = append_cbor_array(&cbor, &queries, CborIndefiniteLength, &should_flush);
+            for (n = 1; cbor_err == CborNoError && n < qdcount; n++) {
+                CborEncoder query;
+
+                rr = ldns_rr_list_rr(list, n);
+                if (!rr) {
+                    ldns_pkt_free(pkt);
+                    return DUMP_CBOR_ELDNS;
+                }
+
+                if (!(dname = ldns_buffer_new(512))) {
+                    ldns_pkt_free(pkt);
+                    return DUMP_CBOR_ENOMEM;
+                }
+                if (ldns_rdf2buffer_str_dname(dname, ldns_rr_owner(rr)) != LDNS_STATUS_OK) {
+                    ldns_buffer_free(dname);
+                    ldns_pkt_free(pkt);
+                    return DUMP_CBOR_ELDNS;
+                }
+                ldns_buffer_write_u8(dname, 0);
+                if (!(dname_str = ldns_buffer_export(dname))) {
+                    ldns_buffer_free(dname);
+                    ldns_pkt_free(pkt);
+                    return DUMP_CBOR_ENOMEM;
+                }
+
+                if (cbor_err == CborNoError)
+                    cbor_err = append_cbor_map(&queries, &query, CborIndefiniteLength, &should_flush);
+                if (cbor_err == CborNoError)
+                    cbor_err = append_cbor_text_stringz(&query, "NAME", &should_flush);
+                if (cbor_err == CborNoError)
+                    cbor_err = append_cbor_text_stringz(&query, dname_str, &should_flush);
+                free(dname_str);
+                ldns_buffer_free(dname);
+                if (cbor_err == CborNoError)
+                    cbor_err = append_cbor_text_stringz(&query, "CLASS", &should_flush);
+                if (cbor_err == CborNoError)
+                    cbor_err = append_cbor_uint(&query, ldns_rr_get_class(rr), &should_flush);
+                if (cbor_err == CborNoError)
+                    cbor_err = append_cbor_text_stringz(&query, "TYPE", &should_flush);
+                if (cbor_err == CborNoError)
+                    cbor_err = append_cbor_uint(&query, ldns_rr_get_type(rr), &should_flush);
+                if (cbor_err == CborNoError)
+                    cbor_err = close_cbor_container(&queries, &query, &should_flush);
+            }
+            if (cbor_err == CborNoError)
+                cbor_err = close_cbor_container(&cbor, &queries, &should_flush);
+        }
+    }
+
+    /* answerRRs */
+
+    if (ldns_pkt_ancount(pkt) > 0) {
+        CborEncoder cbor_rrs;
+
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_text_stringz(&cbor, "answerRRs", &should_flush);
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_array(&cbor, &cbor_rrs, CborIndefiniteLength, &should_flush);
+        cbor_ldns_rr_list(&cbor_rrs, ldns_pkt_answer(pkt), ldns_pkt_ancount(pkt), &should_flush);
+        if (cbor_err == CborNoError)
+            cbor_err = close_cbor_container(&cbor, &cbor_rrs, &should_flush);
+    }
+
+    /* authorityRRs */
+
+    if (ldns_pkt_nscount(pkt) > 0) {
+        CborEncoder cbor_rrs;
+
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_text_stringz(&cbor, "authorityRRs", &should_flush);
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_array(&cbor, &cbor_rrs, CborIndefiniteLength, &should_flush);
+        cbor_ldns_rr_list(&cbor_rrs, ldns_pkt_authority(pkt), ldns_pkt_nscount(pkt), &should_flush);
+        if (cbor_err == CborNoError)
+            cbor_err = close_cbor_container(&cbor, &cbor_rrs, &should_flush);
+    }
+
+    /* additionalRRs */
+
+    if (ldns_pkt_arcount(pkt) > 0) {
+        CborEncoder cbor_rrs;
+
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_text_stringz(&cbor, "additionalRRs", &should_flush);
+        if (cbor_err == CborNoError)
+            cbor_err = append_cbor_array(&cbor, &cbor_rrs, CborIndefiniteLength, &should_flush);
+        cbor_ldns_rr_list(&cbor_rrs, ldns_pkt_additional(pkt), ldns_pkt_arcount(pkt), &should_flush);
+        if (cbor_err == CborNoError)
+            cbor_err = close_cbor_container(&cbor, &cbor_rrs, &should_flush);
+    }
+
+    ldns_pkt_free(pkt);
+
+    if (cbor_err == CborNoError)
+        cbor_err = close_cbor_container(&cbor_pkts, &cbor, &should_flush);
+
+    if (cbor_err != CborNoError) {
+        fprintf(stderr, "cbor error[%d]: %s\n", cbor_err, cbor_error_string(cbor_err));
+        return DUMP_CBOR_ECBOR;
+    }
+
+    if (should_flush) {
+        if ((cbor_err = cbor_encoder_close_container_checked(&cbor_root, &cbor_pkts)) != CborNoError) {
+            fprintf(stderr, "cbor error[%d]: %s\n", cbor_err, cbor_error_string(cbor_err));
+            return DUMP_CBOR_ECBOR;
+        }
+
+        fprintf(stderr, "cbor output: %lu bytes\n", cbor_encoder_get_buffer_size(&cbor_root, cbor_buf));
+
+        cbor_flushed = 1;
+        return DUMP_CBOR_FLUSH;
+    }
+
+    return DUMP_CBOR_OK;
+}
+
+int dump_cbor(FILE* fp)
+{
+    CborError cbor_err;
+
+    if (!fp) {
+        return DUMP_CBOR_EINVAL;
+    }
+
+    if ((cbor_err = cbor_encoder_close_container_checked(&cbor_root, &cbor_pkts)) != CborNoError) {
+        fprintf(stderr, "cbor error[%d]: %s\n", cbor_err, cbor_error_string(cbor_err));
+        return DUMP_CBOR_ECBOR;
+    }
+
+    fprintf(stderr, "cbor output: %lu bytes\n", cbor_encoder_get_buffer_size(&cbor_root, cbor_buf));
+
+    if (fwrite(cbor_buf, cbor_encoder_get_buffer_size(&cbor_root, cbor_buf), 1, fp) != 1) {
+        return DUMP_CBOR_EWRITE;
+    }
+
+    return DUMP_CBOR_OK;
+}
+
+int have_cbor_support()
+{
+    return 1;
+}
+
+#else /* HAVE_LIBTINYCBOR */
+
+int cbor_set_size(size_t size)
+{
+    return DUMP_CBOR_ENOSUP;
+}
+
+int cbor_set_reserve(size_t reserve)
+{
+    return DUMP_CBOR_ENOSUP;
+}
+
+int output_cbor(iaddr from, iaddr to, uint8_t proto, unsigned flags, unsigned sport, unsigned dport, my_bpftimeval ts, const u_char* payload, size_t payloadlen)
+{
+    return DUMP_CBOR_ENOSUP;
+}
+
+int dump_cbor(FILE* fp)
+{
+    return DUMP_CBOR_ENOSUP;
+}
+
+int have_cbor_support()
+{
+    return 0;
+}
+
+#endif
diff --git a/src/dump_cbor.h b/src/dump_cbor.h
new file mode 100644
index 0000000..cbe8f3f
--- /dev/null
+++ b/src/dump_cbor.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap_common.h"
+
+#include <stdio.h>
+
+#ifndef __dnscap_dump_cbor_h
+#define __dnscap_dump_cbor_h
+
+#define DUMP_CBOR_OK 0
+#define DUMP_CBOR_EINVAL 1
+#define DUMP_CBOR_ENOMEM 2
+#define DUMP_CBOR_ECBOR 3
+#define DUMP_CBOR_ELDNS 4
+#define DUMP_CBOR_EWRITE 5
+#define DUMP_CBOR_FLUSH 6
+#define DUMP_CBOR_ENOSUP 7
+
+/*
+typedef struct cbor_stringref cbor_stringref_t;
+struct cbor_stringref {
+    char *string;
+    size_t ref;
+};
+*/
+
+int cbor_set_size(size_t size);
+int cbor_set_reserve(size_t reserve);
+int output_cbor(iaddr from, iaddr to, uint8_t proto, unsigned flags, unsigned sport, unsigned dport, my_bpftimeval ts, const u_char* payload, size_t payloadlen);
+int dump_cbor(FILE* fp);
+int have_cbor_support();
+
+#endif /* __dnscap_dump_cbor_h */
diff --git a/src/dump_cds.c b/src/dump_cds.c
new file mode 100644
index 0000000..e151d35
--- /dev/null
+++ b/src/dump_cds.c
@@ -0,0 +1,1962 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "dump_cds.h"
+#include "dnscap.h"
+#include "hashtbl.h"
+#include "iaddr.h"
+
+#if HAVE_LIBTINYCBOR
+
+#include <stdlib.h>
+#if HAVE_CBOR_CBOR_H
+#include <cbor/cbor.h>
+#endif
+#if HAVE_CBOR_H
+#include <cbor.h>
+#endif
+#include <assert.h>
+
+#define need8(v, p, l, d)                                           \
+    if (l < 1) {                                                    \
+        if (sizeof(d) > 1)                                          \
+            fprintf(stderr, "cds need 1B/8b, had %lu: %s\n", l, d); \
+        return 1;                                                   \
+    }                                                               \
+    v = *p;                                                         \
+    p += 1;                                                         \
+    l -= 1
+
+#define need16(v, p, l, d)                                           \
+    if (l < 2) {                                                     \
+        if (sizeof(d) > 1)                                           \
+            fprintf(stderr, "cds need 2B/16b, had %lu: %s\n", l, d); \
+        return 1;                                                    \
+    }                                                                \
+    v = (*p << 8) + *(p + 1);                                        \
+    p += 2;                                                          \
+    l -= 2
+
+#define need32(v, p, l, d)                                           \
+    if (l < 4) {                                                     \
+        if (sizeof(d) > 1)                                           \
+            fprintf(stderr, "cds need 4B/32b, had %lu: %s\n", l, d); \
+        return 1;                                                    \
+    }                                                                \
+    v = (*p << 24) + (*(p + 1) << 16) + (*(p + 2) << 8) + *(p + 3);  \
+    p += 4;                                                          \
+    l -= 4
+
+#define need64(v, p, l, d)                                                                                                                      \
+    if (l < 8) {                                                                                                                                \
+        if (sizeof(d) > 1)                                                                                                                      \
+            fprintf(stderr, "cds need 8B/64b, had %lu: %s\n", l, d);                                                                            \
+        return 1;                                                                                                                               \
+    }                                                                                                                                           \
+    v = (*p << 56) + (*(p + 1) << 48) + (*(p + 2) << 40) + (*(p + 3) << 32) + (*(p + 4) << 24) + (*(p + 5) << 16) + (*(p + 6) << 8) + *(p + 7); \
+    p += 8;                                                                                                                                     \
+    l -= 8
+
+#define needxb(b, x, p, l, d)                                             \
+    if (l < x) {                                                          \
+        if (sizeof(d) > 1)                                                \
+            fprintf(stderr, "cds need %d bytes, had %lu: %s\n", x, l, d); \
+        return 1;                                                         \
+    }                                                                     \
+    memcpy(b, p, x);                                                      \
+    p += x;                                                               \
+    l -= x
+
+#define advancexb(x, p, l, d)                                                          \
+    if (l < x) {                                                                       \
+        if (sizeof(d) > 1)                                                             \
+            fprintf(stderr, "cds needed to advance %d bytes, had %lu: %s\n", x, l, d); \
+        return 1;                                                                      \
+    }                                                                                  \
+    p += x;                                                                            \
+    l -= x
+
+static uint8_t* cbor_buf              = 0;
+static uint8_t* cbor_buf_p            = 0;
+static size_t   cbor_size             = 1024 * 1024;
+static uint8_t* message_buf           = 0;
+static size_t   message_size          = 64 * 1024;
+static int      cbor_flushed          = 1;
+static hashtbl* rdata_tbl             = 0;
+static size_t   MAX_RLABELS           = CDS_DEFAULT_MAX_RLABELS;
+static size_t   MIN_RLABEL_SIZE       = CDS_DEFAULT_MIN_RLABEL_SIZE;
+static int      use_rdata_index       = 0;
+static int      use_rdata_rindex      = 0;
+static size_t   RDATA_RINDEX_SIZE     = CDS_DEFAULT_RDATA_RINDEX_SIZE;
+static size_t   RDATA_RINDEX_MIN_SIZE = CDS_DEFAULT_RDATA_RINDEX_MIN_SIZE;
+static size_t   RDATA_INDEX_MIN_SIZE  = CDS_DEFAULT_RDATA_INDEX_MIN_SIZE;
+
+struct rdata;
+struct rdata {
+    struct rdata* prev;
+    struct rdata* next;
+    uint8_t*      data;
+    size_t        len;
+    size_t        idx;
+};
+
+struct last {
+    my_bpftimeval ts;
+    ip_header_t   ip;
+
+    uint16_t dns_type;
+    uint16_t dns_class;
+    uint32_t dns_ttl;
+
+    dns_rlabel_t* dns_rlabel;
+    dns_rlabel_t* dns_rlabel_last;
+    size_t        dns_rlabels;
+
+    size_t        rdata_index;
+    size_t        rdata_num;
+    struct rdata* rdata;
+    struct rdata* rdata_last;
+};
+static struct last last;
+
+/*
+ * Set/Get
+ */
+
+int cds_set_cbor_size(size_t size)
+{
+    if (!size) {
+        return DUMP_CDS_EINVAL;
+    }
+
+    cbor_size = size;
+    if (message_size > cbor_size) {
+        message_size = cbor_size;
+    }
+
+    return DUMP_CDS_OK;
+}
+
+int cds_set_message_size(size_t size)
+{
+    if (!size) {
+        return DUMP_CDS_EINVAL;
+    }
+
+    message_size = size;
+    if (message_size > cbor_size) {
+        message_size = cbor_size;
+    }
+
+    return DUMP_CDS_OK;
+}
+
+int cds_set_max_rlabels(size_t size)
+{
+    if (!size) {
+        return DUMP_CDS_EINVAL;
+    }
+
+    MAX_RLABELS = size;
+
+    return DUMP_CDS_OK;
+}
+
+int cds_set_min_rlabel_size(size_t size)
+{
+    if (!size) {
+        return DUMP_CDS_EINVAL;
+    }
+
+    MIN_RLABEL_SIZE = size;
+
+    return DUMP_CDS_OK;
+}
+
+int cds_set_use_rdata_index(int use)
+{
+    use_rdata_index = use ? 1 : 0;
+
+    return DUMP_CDS_OK;
+}
+
+int cds_set_use_rdata_rindex(int use)
+{
+    use_rdata_rindex = use ? 1 : 0;
+
+    return DUMP_CDS_OK;
+}
+
+int cds_set_rdata_index_min_size(size_t size)
+{
+    if (!size) {
+        return DUMP_CDS_EINVAL;
+    }
+
+    RDATA_INDEX_MIN_SIZE = size;
+
+    return DUMP_CDS_OK;
+}
+
+int cds_set_rdata_rindex_min_size(size_t size)
+{
+    if (!size) {
+        return DUMP_CDS_EINVAL;
+    }
+
+    RDATA_RINDEX_MIN_SIZE = size;
+
+    return DUMP_CDS_OK;
+}
+
+int cds_set_rdata_rindex_size(size_t size)
+{
+    if (!size) {
+        return DUMP_CDS_EINVAL;
+    }
+
+    RDATA_RINDEX_SIZE = size;
+
+    return DUMP_CDS_OK;
+}
+
+/*
+ * DNS
+ */
+
+static int check_dns_label(size_t* labels, uint8_t** p, size_t* l)
+{
+    uint8_t len;
+
+    while (1) {
+        need8(len, *p, *l, "");
+        *labels += 1;
+
+        if ((len & 0xc0) == 0xc0) {
+            advancexb(1, *p, *l, "");
+            break;
+        } else if (len & 0xc0) {
+            break;
+        } else if (len) {
+            advancexb(len, *p, *l, "");
+        } else {
+            break;
+        }
+    }
+
+    return 0;
+}
+
+static unsigned int rdata_hash(const void* _item)
+{
+    const struct rdata* item = (const struct rdata*)_item;
+    size_t              n, o, p;
+    unsigned int        key = 0;
+
+    for (n = 0, o = 0, p = 0; n < item->len; n++) {
+        p |= item->data[n] << (o * 8);
+        o++;
+        if (o > 3) {
+            key ^= p;
+            p = 0;
+            o = 0;
+        }
+    }
+    if (o) {
+        key ^= p;
+    }
+
+    return key;
+}
+
+static int rdata_cmp(const void* _a, const void* _b)
+{
+    const struct rdata *a = (const struct rdata*)_a, *b = (const struct rdata*)_b;
+
+    if (a->len == b->len) {
+        return memcmp(a->data, b->data, a->len);
+    } else if (a->len < b->len)
+        return -1;
+    return 1;
+}
+
+static void rdata_free(void* d)
+{
+    struct rdata* item = (struct rdata*)d;
+
+    if (item) {
+        if (item->data) {
+            free(item->data);
+        }
+        free(item);
+    }
+}
+
+static int rdata_add(uint8_t* p, size_t len)
+{
+    struct rdata* key;
+
+    if (len < RDATA_INDEX_MIN_SIZE)
+        return 1;
+
+    if (!(key = calloc(1, sizeof(struct rdata)))) {
+        return 0;
+    }
+    if (!(key->data = calloc(1, len))) {
+        free(key);
+        return 0;
+    }
+
+    key->len = len;
+    memcpy(key->data, p, len);
+    key->idx = last.rdata_index++;
+
+    /*    printf("rdata_add  %u: ", rdata_hash(key));*/
+    /*    {*/
+    /*        size_t n = len;*/
+    /*        uint8_t* x = p;*/
+    /*        while (n--) {*/
+    /*            printf("%02x", *x);*/
+    /*            x++;*/
+    /*        }*/
+    /*    }*/
+    /*    printf("\n");*/
+    hash_add(key, key, rdata_tbl);
+
+    return 0;
+}
+
+static size_t rdata_find(uint8_t* p, size_t len, size_t* found)
+{
+    struct rdata  key;
+    struct rdata* r;
+
+    if (len < RDATA_INDEX_MIN_SIZE)
+        return 1;
+
+    key.data = p;
+    key.len  = len;
+
+    /*    printf("rdata_find %u: ", rdata_hash(&key));*/
+    /*    {*/
+    /*        size_t n = len;*/
+    /*        uint8_t* x = p;*/
+    /*        while (n--) {*/
+    /*            printf("%02x", *x);*/
+    /*            x++;*/
+    /*        }*/
+    /*    }*/
+    /*    printf("\n");*/
+
+    if ((r = hash_find(&key, rdata_tbl))) {
+        /*        printf("rdata found %lu at %lu\n", len, found->idx);*/
+        *found = r->idx;
+        return 0;
+    }
+
+    return 1;
+}
+
+int rdata_find2(uint8_t* p, size_t len, size_t* found)
+{
+    struct rdata* r = last.rdata;
+    size_t        n = 0;
+
+    if (len < RDATA_RINDEX_MIN_SIZE)
+        return 1;
+
+    while (r) {
+        if (r->len == len && !memcmp(p, r->data, len)) {
+            break;
+        }
+        r = r->next;
+        n++;
+    }
+    if (r) {
+        /*        printf("rdata found at %lu: ", n);*/
+        /*        {*/
+        /*            size_t n = len;*/
+        /*            uint8_t* x = p;*/
+        /*            while (n--) {*/
+        /*                printf("%02x", *x);*/
+        /*                x++;*/
+        /*            }*/
+        /*        }*/
+        /*        printf("\n");*/
+
+        if (last.rdata != r) {
+            struct rdata *prev = r->prev, *next = r->next;
+
+            if (prev) {
+                prev->next = next;
+            }
+            if (next) {
+                next->prev = prev;
+            }
+
+            r->prev          = 0;
+            r->next          = last.rdata;
+            last.rdata->prev = r;
+            last.rdata       = r;
+        }
+
+        *found = n;
+        return 0;
+    }
+
+    return 1;
+}
+
+int rdata_add2(uint8_t* p, size_t len)
+{
+    struct rdata* r;
+
+    if (len < RDATA_RINDEX_MIN_SIZE)
+        return 1;
+
+    if (!(r = calloc(1, sizeof(struct rdata)))) {
+        return -1;
+    }
+    if (!(r->data = calloc(1, len))) {
+        free(r);
+        return -1;
+    }
+
+    r->len = len;
+    memcpy(r->data, p, len);
+
+    /*    printf("rdata_add: ");*/
+    /*    {*/
+    /*        size_t n = len;*/
+    /*        uint8_t* x = p;*/
+    /*        while (n--) {*/
+    /*            printf("%02x", *x);*/
+    /*            x++;*/
+    /*        }*/
+    /*    }*/
+    /*    printf("\n");*/
+
+    if (last.rdata) {
+        last.rdata->prev = r;
+    }
+    r->next    = last.rdata;
+    last.rdata = r;
+    last.rdata_num++;
+
+    if (last.rdata_last) {
+        if (last.rdata_num >= RDATA_RINDEX_SIZE) {
+            r = last.rdata_last;
+
+            last.rdata_last       = r->prev;
+            last.rdata_last->next = 0;
+            last.rdata_num--;
+            free(r->data);
+            free(r);
+        }
+    } else {
+        last.rdata_last = r;
+    }
+
+    return 0;
+}
+
+static int parse_dns_rr(char is_q, dns_rr_t* rr, size_t expected_rrs, size_t* actual_rrs, uint8_t** p, size_t* l)
+{
+    uint8_t      len;
+    uint8_t*     p2;
+    size_t       l2, idx;
+    dns_label_t* label;
+    size_t       num_labels, offset;
+
+    while (expected_rrs--) {
+        /* first pass check number of labels */
+        p2 = *p;
+        l2 = *l;
+
+        if (check_dns_label(&(rr->labels), &p2, &l2)) {
+            if (!rr->labels) {
+                fprintf(stderr, "cds no labels\n");
+                return 1;
+            }
+        }
+
+        /* second pass, allocate labels and fill */
+        if (!(rr->label = calloc(rr->labels, sizeof(dns_label_t)))) {
+            fprintf(stderr, "cds out of memory\n");
+            return -1;
+        }
+
+        *actual_rrs += 1;
+
+        label           = rr->label;
+        rr->have_labels = 1;
+
+        while (1) {
+            need8(len, *p, *l, "name length");
+
+            if ((len & 0xc0) == 0xc0) {
+                label->offset_p = *p;
+                need8(label->offset, *p, *l, "name offset");
+                label->offset |= (len & 0x3f) << 8;
+                label->have_offset = 1;
+                label->is_complete = 1;
+                break;
+            } else if (len & 0xc0) {
+                label->extension_bits      = len;
+                label->have_extension_bits = 1;
+                label->is_complete         = 1;
+                break;
+            } else if (len) {
+                label->size      = len;
+                label->have_size = 1;
+                label->label     = *p;
+                advancexb(len, *p, *l, "name label");
+                label->have_label = 1;
+            } else {
+                label->have_size   = 1;
+                label->is_complete = 1;
+                break;
+            }
+
+            label->is_complete = 1;
+            label++;
+        }
+
+        need16(rr->type, *p, *l, "type");
+        rr->have_type = 1;
+        need16(rr->class, *p, *l, "class");
+        rr->have_class = 1;
+
+        if (!is_q) {
+            need32(rr->ttl, *p, *l, "ttl");
+            rr->have_ttl = 1;
+            need16(rr->rdlength, *p, *l, "rdlength");
+            rr->have_rdlength = 1;
+            rr->rdata         = *p;
+            advancexb(rr->rdlength, *p, *l, "rdata");
+
+            if (use_rdata_index) {
+                if (!rdata_find(rr->rdata, rr->rdlength, &(rr->rdata_index))) {
+                    rr->have_rdata_index = 1;
+                } else {
+                    rdata_add(rr->rdata, rr->rdlength);
+                }
+            } else if (use_rdata_rindex) {
+                if (!rdata_find2(rr->rdata, rr->rdlength, &(rr->rdata_rindex))) {
+                    rr->have_rdata_rindex = 1;
+                } else {
+                    rdata_add2(rr->rdata, rr->rdlength);
+                }
+            }
+
+            num_labels = offset = 0;
+            switch (rr->type) {
+            case 2: /* NS */
+            case 3: /* MD */
+            case 4: /* MF */
+            case 5: /* CNAME */
+            case 7: /* MB */
+            case 8: /* MG */
+            case 9: /* MR */
+            case 12: /* PTR */
+            case 30: /* NXT */
+            case 39: /* DNAME */
+            case 47: /* NSEC */
+            case 249: /* TKEY */
+            case 250: /* TSIG */
+                num_labels = 1;
+                break;
+
+            case 6: /* SOA */
+            case 14: /* MINFO */
+            case 17: /* RP */
+            case 58: /* TALINK */
+                num_labels = 2;
+                break;
+
+            case 15: /* MX */
+            case 18: /* AFSDB */
+            case 21: /* RT */
+            case 36: /* KX */
+            case 107: /* LP */
+                num_labels = 1;
+                offset     = 2;
+                break;
+
+            case 26: /* PX */
+                num_labels = 2;
+                offset     = 2;
+                break;
+
+            case 24: /* SIG */
+            case 46: /* RRSIG */
+                num_labels = 1;
+                offset     = 18;
+                break;
+
+            case 33: /* SRV */
+                num_labels = 1;
+                offset     = 6;
+                break;
+
+            case 35: /* NAPTR */
+                num_labels = 1;
+                p2         = *p;
+                l2         = *l;
+                advancexb(2, p2, l2, "naptr int16 #1");
+                advancexb(2, p2, l2, "naptr int16 #2");
+                need8(len, p2, l2, "naptr str len #1");
+                advancexb(len, p2, l2, "naptr str #1");
+                need8(len, p2, l2, "naptr str len #2");
+                advancexb(len, p2, l2, "naptr str #2");
+                need8(len, p2, l2, "naptr str len #3");
+                advancexb(len, p2, l2, "naptr str #3");
+                offset = p2 - *p;
+                break;
+
+            case 55: /* HIP TODO */
+                break;
+            }
+
+            if (num_labels) {
+                dns_rdata_t* rdata;
+
+                rr->mixed_rdatas = num_labels + (offset ? 1 : 0) + 1;
+                if (!(rr->mixed_rdata = calloc(rr->mixed_rdatas, sizeof(dns_rdata_t)))) {
+                    fprintf(stderr, "cds out of memory\n");
+                    return -1;
+                }
+
+                p2                   = rr->rdata;
+                l2                   = rr->rdlength;
+                rdata                = rr->mixed_rdata;
+                rr->have_mixed_rdata = 1;
+
+                if (offset) {
+                    rdata->rdata_len = offset;
+                    rdata->rdata     = p2;
+                    advancexb((int)offset, p2, l2, "mixed rdata");
+                    rdata->have_rdata  = 1;
+                    rdata->is_complete = 1;
+                    rdata++;
+                }
+                while (num_labels--) {
+                    uint8_t* p3;
+                    size_t   l3;
+
+                    /* first pass check number of rdata labels */
+
+                    p3 = p2;
+                    l3 = l2;
+
+                    if (check_dns_label(&(rdata->labels), &p3, &l3)) {
+                        if (!rdata->labels) {
+                            fprintf(stderr, "cds mixed rdata no labels\n");
+                            return 1;
+                        }
+                    }
+
+                    /* second pass, allocate mixed rdata */
+                    if (!(rdata->label = calloc(rdata->labels, sizeof(dns_label_t)))) {
+                        fprintf(stderr, "cds out of memory\n");
+                        return -1;
+                    }
+
+                    label              = rdata->label;
+                    rdata->have_labels = 1;
+                    while (1) {
+                        need8(len, p2, l2, "name length");
+
+                        if ((len & 0xc0) == 0xc0) {
+                            label->offset_p = p2;
+                            need8(label->offset, p2, l2, "name offset");
+                            label->offset |= (len & 0x3f) << 8;
+                            label->have_offset = 1;
+                            label->is_complete = 1;
+                            break;
+                        } else if (len & 0xc0) {
+                            label->extension_bits      = len;
+                            label->have_extension_bits = 1;
+                            label->is_complete         = 1;
+                            break;
+                        } else if (len) {
+                            label->size      = len;
+                            label->have_size = 1;
+                            label->label     = p2;
+                            advancexb(len, p2, l2, "name label");
+                            label->have_label = 1;
+                        } else {
+                            label->have_size   = 1;
+                            label->is_complete = 1;
+                            break;
+                        }
+
+                        label->is_complete = 1;
+                        label++;
+                    }
+                    rdata->is_complete = 1;
+                    rdata++;
+                }
+                if (l2) {
+                    /*printf("last rdata %lu\n", l2);*/
+                    rdata->rdata_len = l2;
+                    rdata->rdata     = p2;
+                    advancexb((int)l2, p2, l2, "mixed rdata");
+                    rdata->have_rdata  = 1;
+                    rdata->is_complete = 1;
+                } else {
+                    rr->mixed_rdatas--;
+                }
+            }
+            rr->have_rdata = 1;
+        }
+
+        rr->is_complete = 1;
+        rr++;
+    }
+
+    return 0;
+}
+
+int print_cbor = 0;
+
+static int parse_dns(dns_t* dns, uint8_t** p, size_t* l)
+{
+    int ret;
+
+    need16(dns->id, *p, *l, "dns id");
+    dns->have_id = 1;
+    need16(dns->raw, *p, *l, "raw dns bits");
+    dns->have_raw = 1;
+    need16(dns->qdcount, *p, *l, "qdcount");
+    dns->have_qdcount = 1;
+    need16(dns->ancount, *p, *l, "ancount");
+    dns->have_ancount = 1;
+    need16(dns->nscount, *p, *l, "nscount");
+    dns->have_nscount = 1;
+    need16(dns->arcount, *p, *l, "arcount");
+    dns->have_arcount = 1;
+
+    dns->header_is_complete = 1;
+
+    if (dns->qdcount) {
+        if (!(dns->question = calloc(dns->qdcount, sizeof(dns_rr_t)))) {
+            fprintf(stderr, "cds out of memory\n");
+            return -1;
+        }
+        ret = parse_dns_rr(1, dns->question, dns->qdcount, &(dns->questions), p, l);
+        /*if (ret) printf("qr %d\n", ret);*/
+        if (ret > -1 && dns->questions) {
+            dns->have_questions = 1;
+        }
+        if (ret) {
+            return ret;
+        }
+    }
+
+    if (dns->ancount) {
+        if (!(dns->answer = calloc(dns->ancount, sizeof(dns_rr_t)))) {
+            fprintf(stderr, "cds out of memory\n");
+            return -1;
+        }
+        ret = parse_dns_rr(0, dns->answer, dns->ancount, &(dns->answers), p, l);
+        /*if (ret) printf("an %d\n", ret);*/
+        if (ret > -1 && dns->answers) {
+            dns->have_answers = 1;
+        }
+        if (ret) {
+            return ret;
+        }
+    }
+
+    if (dns->nscount) {
+        if (!(dns->authority = calloc(dns->nscount, sizeof(dns_rr_t)))) {
+            fprintf(stderr, "cds out of memory\n");
+            return -1;
+        }
+        ret = parse_dns_rr(0, dns->authority, dns->nscount, &(dns->authorities), p, l);
+        /*if (ret) { printf("ns %d %lu\n", ret, dns->authorities);*/
+        /*{*/
+        /*    size_t n;*/
+        /*    for (n = 0; n < dns->authorities; n++) {*/
+        /*        printf("%lu %d\n", n, dns->authority[n].is_complete);*/
+        /*        if (!dns->authority[n].is_complete) print_cbor = 1;*/
+        /*    }*/
+        /*} }*/
+        if (ret > -1 && dns->authorities) {
+            dns->have_authorities = 1;
+        }
+        if (ret) {
+            return ret;
+        }
+    }
+
+    if (dns->arcount) {
+        if (!(dns->additional = calloc(dns->arcount, sizeof(dns_rr_t)))) {
+            fprintf(stderr, "cds out of memory\n");
+            return -1;
+        }
+        ret = parse_dns_rr(0, dns->additional, dns->arcount, &(dns->additionals), p, l);
+        /*if (ret) printf("ar %d\n", ret);*/
+        if (ret > -1 && dns->additionals) {
+            dns->have_additionals = 1;
+        }
+        if (ret) {
+            return ret;
+        }
+    }
+
+    return 0;
+}
+
+static CborError encode_label(CborEncoder* encoder, dns_label_t* label, size_t labels)
+{
+    CborError   cbor_err = CborNoError;
+    CborEncoder array;
+
+    if (labels && label[labels - 1].have_size && !label[labels - 1].size) {
+        labels--;
+    }
+
+    cbor_err = cbor_encoder_create_array(encoder, &array, labels);
+    while (labels--) {
+        if (label->have_offset) {
+            if (label->have_n_offset) {
+                if (cbor_err == CborNoError)
+                    cbor_err = cbor_encode_uint(&array, label->n_offset);
+            } else {
+                if (cbor_err == CborNoError)
+                    cbor_err = cbor_encode_negative_int(&array, label->offset);
+            }
+        } else if (label->have_extension_bits) {
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_simple_value(&array, label->extension_bits >> 6);
+        } else if (label->have_label) {
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_text_string(&array, (const char*)label->label, label->size);
+        } else {
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_null(&array);
+        }
+
+        label++;
+    }
+    if (cbor_err == CborNoError)
+        cbor_err = cbor_encoder_close_container_checked(encoder, &array);
+
+    return cbor_err;
+}
+
+/*
+ * OUTPUT
+ */
+
+int print_label(dns_label_t* label, size_t labels)
+{
+    size_t n;
+
+    for (n = 0; n < labels; n++) {
+        if (label[n].have_offset) {
+            if (label[n].have_n_offset) {
+                printf(" %lu", label[n].n_offset);
+            } else {
+                printf(" %d", -label[n].offset);
+            }
+        } else if (label[n].have_extension_bits) {
+            printf(" %x", label[n].extension_bits);
+        } else if (label[n].have_label) {
+            printf(" %.*s", label[n].size, label[n].label);
+        } else {
+            printf(" $");
+        }
+    }
+    return 0;
+}
+
+int print_rlabel(dns_rlabel_t* label)
+{
+    size_t n;
+
+    for (n = 0; n < label->labels; n++) {
+        if (label->label[n].size) {
+            printf(" %.*s", label->label[n].size, label->label[n].label);
+        } else if (label->label[n].have_n_offset) {
+            printf(" %lu", label->label[n].n_offset);
+        } else {
+            printf(" $");
+        }
+    }
+    return 0;
+}
+
+int dns_rlabel_add(dns_label_t* label, size_t labels)
+{
+    dns_rlabel_t* copy;
+    size_t        n, size = 0;
+
+    for (n = 0; n < labels; n++) {
+        if ((label[n].have_offset && !label[n].have_n_offset)
+            || label[n].have_extension_bits) {
+            return 1;
+        }
+        if (label[n].have_size) {
+            size += label[n].size;
+        }
+    }
+    /*printf("label size: %lu\n", size);*/
+    if (size < MIN_RLABEL_SIZE) {
+        return 1;
+    }
+
+    if (!(copy = calloc(1, sizeof(dns_rlabel_t)))) {
+        return -1;
+    }
+
+    assert(labels <= CDS_RLABEL_T_LABELS);
+    copy->labels = labels;
+
+    for (n = 0; n < labels; n++) {
+        if (label[n].have_n_offset) {
+            copy->label[n].have_n_offset = 1;
+            copy->label[n].n_offset      = label[n].n_offset;
+            continue;
+        }
+        if (label[n].size) {
+            assert(label[n].size <= CDS_RLABEL_LABEL_T_LABEL);
+
+            copy->label[n].size = label[n].size;
+            memcpy(&(copy->label[n].label), label[n].label, label[n].size);
+        }
+    }
+
+    /*printf("add"); print_label(label, labels); printf("\n");*/
+
+    if (last.dns_rlabel) {
+        last.dns_rlabel->prev = copy;
+    }
+    copy->next      = last.dns_rlabel;
+    last.dns_rlabel = copy;
+    last.dns_rlabels++;
+    if (last.dns_rlabel_last) {
+        if (last.dns_rlabels >= MAX_RLABELS) {
+            dns_rlabel_t* remove = last.dns_rlabel_last;
+
+            /*printf("remove %p %p\n", remove, remove->prev);*/
+
+            last.dns_rlabel_last       = remove->prev;
+            last.dns_rlabel_last->next = 0;
+            free(remove);
+            last.dns_rlabels--;
+        }
+    } else {
+        last.dns_rlabel_last = copy;
+    }
+
+    return 0;
+}
+
+static size_t dns_rlabel_find(dns_label_t* label, size_t labels, size_t* rlabel_idx)
+{
+    size_t        n, n2, size = 0;
+    dns_rlabel_t* rlabel;
+
+    for (n = 0; n < labels; n++) {
+        if ((label[n].have_offset && !label[n].have_n_offset)
+            || label[n].have_extension_bits) {
+            return 1;
+        }
+        if (label[n].have_size) {
+            size += label[n].size;
+        }
+    }
+    /*printf("label size: %lu\n", size);*/
+    if (size < MIN_RLABEL_SIZE) {
+        return 1;
+    }
+
+    /*printf("find"); print_label(label, labels); printf("\n");*/
+
+    n      = 0;
+    rlabel = last.dns_rlabel;
+    while (rlabel) {
+        if (rlabel->labels == labels) {
+            /*printf("check"); print_rlabel(rlabel); printf("\n");*/
+
+            for (n2 = 0; n2 < labels; n2++) {
+                /*printf("%d %lu <> %d %lu\n", label[n2].have_n_offset, label[n2].n_offset, rlabel->label[n2].have_n_offset, rlabel->label[n2].n_offset);*/
+                if (label[n2].have_n_offset
+                    || rlabel->label[n2].have_n_offset) {
+                    if (label[n2].n_offset == rlabel->label[n2].n_offset)
+                        continue;
+                } else if (label[n2].size == rlabel->label[n2].size
+                           && !memcmp(label[n2].label, rlabel->label[n2].label, label[n2].size)) {
+                    continue;
+                }
+                break;
+            }
+
+            if (n2 == labels) {
+                /*printf("found at %lu: ", n); print_rlabel(rlabel); printf("\n");*/
+                break;
+            }
+        }
+        rlabel = rlabel->next;
+        n++;
+    }
+    if (rlabel) {
+        if (last.dns_rlabel != rlabel) {
+            dns_rlabel_t *prev = rlabel->prev, *next = rlabel->next;
+
+            if (prev) {
+                prev->next = next;
+            }
+            if (next) {
+                next->prev = prev;
+            }
+
+            rlabel->prev          = 0;
+            rlabel->next          = last.dns_rlabel;
+            last.dns_rlabel->prev = rlabel;
+            last.dns_rlabel       = rlabel;
+        }
+
+        *rlabel_idx = n;
+        return 0;
+    }
+
+    return 1;
+}
+
+static void free_rdata(dns_rdata_t* rdata)
+{
+    if (rdata->label) {
+        free(rdata->label);
+    }
+}
+
+static void free_rr(dns_rr_t* rr)
+{
+    size_t n;
+
+    if (rr->label) {
+        free(rr->label);
+    }
+    for (n = 0; n < rr->mixed_rdatas; n++) {
+        free_rdata(&(rr->mixed_rdata[n]));
+    }
+    if (rr->mixed_rdata) {
+        free(rr->mixed_rdata);
+    }
+}
+
+static void free_dns(dns_t* dns)
+{
+    size_t n;
+
+    for (n = 0; n < dns->questions; n++) {
+        free_rr(&(dns->question[n]));
+    }
+    for (n = 0; n < dns->answers; n++) {
+        free_rr(&(dns->answer[n]));
+    }
+    for (n = 0; n < dns->authorities; n++) {
+        free_rr(&(dns->authority[n]));
+    }
+    for (n = 0; n < dns->additionals; n++) {
+        free_rr(&(dns->additional[n]));
+    }
+}
+
+void dns_rr_build_offset(dns_rr_t* rr_list, size_t count, uint16_t* offset, size_t offsets, size_t* n_offset, const u_char* payload)
+{
+    dns_rr_t* rrp;
+    size_t    rr, n, n2;
+
+    for (rr = 0; rr < count && *n_offset < offsets; rr++) {
+        rrp = &(rr_list[rr]);
+
+        for (n = 0; n < rrp->labels && *n_offset < offsets; n++) {
+            if (rrp->label[n].size) {
+                rrp->label[n].offset = rrp->label[n].label - payload - 1;
+                offset[*n_offset]    = rrp->label[n].offset;
+                *n_offset += 1;
+            } else if (rrp->label[n].have_offset) {
+                offset[*n_offset] = rrp->label[n].offset_p - payload - 1;
+                *n_offset += 1;
+            }
+
+            /*                printf("%u %u %u %.*s\n",*/
+            /*                    rrp->label[n].size,*/
+            /*                    rrp->label[n].extension_bits,*/
+            /*                    rrp->label[n].offset,*/
+            /*                    rrp->label[n].size ? rrp->label[n].size : 0,*/
+            /*                    rrp->label[n].size ? (char*)rrp->label[n].label : ""*/
+            /*                );*/
+        }
+        for (n = 0; n < rrp->mixed_rdatas && *n_offset < offsets; n++) {
+            for (n2 = 0; n2 < rrp->mixed_rdata[n].labels; n2++) {
+                if (rrp->mixed_rdata[n].label[n2].size) {
+                    rrp->mixed_rdata[n].label[n2].offset = rrp->mixed_rdata[n].label[n2].label - payload - 1;
+                    offset[*n_offset]                    = rrp->mixed_rdata[n].label[n2].offset;
+                    *n_offset += 1;
+                } else if (rrp->mixed_rdata[n].label[n2].have_offset) {
+                    offset[*n_offset] = rrp->mixed_rdata[n].label[n2].offset_p - payload - 1;
+                    *n_offset += 1;
+                }
+
+                /*                    printf(" %u %u %u %.*s\n",*/
+                /*                        rrp->mixed_rdata[n].label[n2].size,*/
+                /*                        rrp->mixed_rdata[n].label[n2].extension_bits,*/
+                /*                        rrp->mixed_rdata[n].label[n2].offset,*/
+                /*                        rrp->mixed_rdata[n].label[n2].size ? rrp->mixed_rdata[n].label[n2].size : 0,*/
+                /*                        rrp->mixed_rdata[n].label[n2].size ? (char*)rrp->mixed_rdata[n].label[n2].label : ""*/
+                /*                    );*/
+            }
+        }
+    }
+}
+
+void dns_rr_set_offset(dns_rr_t* rr_list, size_t count, uint16_t* offset, size_t n_offset)
+{
+    dns_rr_t* rrp;
+    size_t    rr, n, n2, n3;
+
+    for (rr = 0; rr < count; rr++) {
+        rrp = &(rr_list[rr]);
+
+        for (n = 0; n < rrp->labels; n++) {
+            if (!rrp->label[n].size && rrp->label[n].offset) {
+                for (n3 = 0; n3 < n_offset; n3++) {
+                    if (rrp->label[n].offset == offset[n3]) {
+                        /*                            printf("%u => %lu\n", rrp->label[n].offset, n3);*/
+                        rrp->label[n].n_offset      = n3;
+                        rrp->label[n].have_n_offset = 1;
+                        break;
+                    }
+                }
+            }
+        }
+        for (n = 0; n < rrp->mixed_rdatas; n++) {
+            for (n2 = 0; n2 < rrp->mixed_rdata[n].labels; n2++) {
+                if (!rrp->mixed_rdata[n].label[n2].size && rrp->mixed_rdata[n].label[n2].offset) {
+                    for (n3 = 0; n3 < n_offset; n3++) {
+                        if (rrp->mixed_rdata[n].label[n2].offset == offset[n3]) {
+                            /*                                printf("%u => %lu\n", rrp->mixed_rdata[n].label[n2].offset, n3);*/
+                            rrp->mixed_rdata[n].label[n2].n_offset      = n3;
+                            rrp->mixed_rdata[n].label[n2].have_n_offset = 1;
+                            break;
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
+
+void dns_rr_build_rlabel(dns_rr_t* rr_list, size_t count)
+{
+    dns_rr_t* rrp;
+    size_t    rr, n;
+
+    for (rr = 0; rr < count; rr++) {
+        rrp = &(rr_list[rr]);
+
+        if (rrp->labels) {
+            if (!dns_rlabel_find(rrp->label, rrp->labels, &(rrp->rlabel_idx))) {
+                rrp->have_rlabel_idx = 1;
+            } else {
+                dns_rlabel_add(rrp->label, rrp->labels);
+            }
+        }
+
+        for (n = 0; n < rrp->mixed_rdatas; n++) {
+            if (rrp->mixed_rdata[n].labels) {
+                if (!dns_rlabel_find(rrp->mixed_rdata[n].label, rrp->mixed_rdata[n].labels, &(rrp->mixed_rdata[n].rlabel_idx))) {
+                    rrp->mixed_rdata[n].have_rlabel_idx = 1;
+                } else {
+                    dns_rlabel_add(rrp->mixed_rdata[n].label, rrp->mixed_rdata[n].labels);
+                }
+            }
+        }
+    }
+}
+
+CborError dns_build_rrs(CborEncoder* message, dns_rr_t* rr_list, size_t count)
+{
+    CborError   cbor_err = CborNoError;
+    CborEncoder rrs;
+    dns_rr_t*   rr = rr_list;
+    size_t      n  = count;
+
+    if (cbor_err == CborNoError)
+        cbor_err = cbor_encoder_create_array(message, &rrs, n);
+    while (n--) {
+        CborEncoder item;
+        if (!(rr->have_type && rr->type == 41)) {
+            if (rr->have_type && rr->type == last.dns_type) {
+                rr->have_type = 0;
+            }
+            if (rr->have_class && rr->class == last.dns_class) {
+                rr->have_class = 0;
+            }
+            if (rr->have_ttl && rr->ttl == last.dns_ttl) {
+                rr->have_ttl = 0;
+            }
+        }
+        if (rr->have_rdlength && rr->have_rdata) {
+            rr->have_rdlength = 0;
+        }
+
+        rr->bits = rr->have_type
+                   | rr->have_class << 1
+                   | rr->have_ttl << 2
+                   | rr->have_rdlength << 3;
+        if (rr->bits && rr->bits != 0xf) {
+            rr->have_bits = 1;
+        }
+
+        if (cbor_err == CborNoError)
+            cbor_err = cbor_encoder_create_array(&rrs, &item,
+                (rr->is_complete ? 0 : 1) + rr->have_labels
+                    + rr->have_bits + rr->have_type + rr->have_class + rr->have_ttl + rr->have_rdlength
+                    + rr->have_rdata);
+        if (!rr->is_complete) {
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_boolean(&item, false);
+        }
+        if (rr->have_labels) {
+            if (rr->have_rlabel_idx) {
+                if (cbor_err == CborNoError)
+                    cbor_err = cbor_encode_negative_int(&item, rr->rlabel_idx);
+            } else {
+                if (cbor_err == CborNoError)
+                    cbor_err = encode_label(&item, rr->label, rr->labels);
+            }
+        }
+        if (rr->have_bits && cbor_err == CborNoError)
+            cbor_err = cbor_encode_simple_value(&item, rr->bits);
+        if (rr->have_type && cbor_err == CborNoError)
+            cbor_err = cbor_encode_uint(&item, rr->type);
+        if (rr->have_class && cbor_err == CborNoError)
+            cbor_err = cbor_encode_uint(&item, rr->class);
+        if (rr->have_ttl && cbor_err == CborNoError)
+            cbor_err = cbor_encode_uint(&item, rr->ttl);
+        if (rr->have_rdlength && cbor_err == CborNoError)
+            cbor_err = cbor_encode_uint(&item, rr->rdlength);
+        if (rr->have_rdata_index) {
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_uint(&item, rr->rdata_index);
+        } else if (rr->have_rdata_rindex) {
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_negative_int(&item, rr->rdata_rindex);
+        } else if (rr->have_mixed_rdata) {
+            CborEncoder  rdatas;
+            size_t       n2    = rr->mixed_rdatas;
+            dns_rdata_t* rdata = rr->mixed_rdata;
+
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encoder_create_array(&item, &rdatas, rr->mixed_rdatas);
+            while (n2--) {
+                if (rdata->have_labels) {
+                    if (rdata->have_rlabel_idx) {
+                        if (cbor_err == CborNoError)
+                            cbor_err = cbor_encode_negative_int(&rdatas, rdata->rlabel_idx);
+                    } else {
+                        if (cbor_err == CborNoError)
+                            cbor_err = encode_label(&rdatas, rdata->label, rdata->labels);
+                    }
+                } else if (rdata->have_rdata) {
+                    if (cbor_err == CborNoError)
+                        cbor_err = cbor_encode_byte_string(&rdatas, rdata->rdata, rdata->rdata_len);
+                }
+
+                rdata++;
+            }
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encoder_close_container_checked(&item, &rdatas);
+        } else if (rr->have_rdata && cbor_err == CborNoError)
+            cbor_err = cbor_encode_byte_string(&item, rr->rdata, rr->rdlength);
+        if (cbor_err == CborNoError)
+            cbor_err = cbor_encoder_close_container_checked(&rrs, &item);
+
+        if (!(rr->have_type && rr->type == 41)) {
+            if (rr->have_type) {
+                last.dns_type = rr->type;
+            }
+            if (rr->have_class) {
+                last.dns_class = rr->class;
+            }
+            if (rr->have_ttl) {
+                last.dns_ttl = rr->ttl;
+            }
+        }
+        rr++;
+    }
+    if (cbor_err == CborNoError)
+        cbor_err = cbor_encoder_close_container_checked(message, &rrs);
+
+    return cbor_err;
+}
+
+int output_cds(iaddr from, iaddr to, uint8_t proto, unsigned flags, unsigned sport, unsigned dport, my_bpftimeval ts, const u_char* pkt_copy, size_t olen, const u_char* payload, size_t payloadlen)
+{
+    CborEncoder cbor, message;
+    CborError   cbor_err = CborNoError;
+    ip_header_t ip;
+    dns_t       dns;
+    uint8_t*    malformed      = 0;
+    size_t      malformed_size = 0;
+    size_t      dns_parts      = 0;
+
+    if (!payload) {
+        return DUMP_CDS_EINVAL;
+    }
+    if (!payloadlen) {
+        return DUMP_CDS_EINVAL;
+    }
+
+    if (!cbor_buf) {
+        memset(&last, 0, sizeof(last));
+        if (!(cbor_buf = calloc(1, cbor_size + message_size))) {
+            return DUMP_CDS_ENOMEM;
+        }
+    }
+    if (!cbor_buf_p) {
+        cbor_buf_p = cbor_buf;
+    }
+    if (!message_buf) {
+        if (!(message_buf = calloc(1, message_size))) {
+            return DUMP_CDS_ENOMEM;
+        }
+    }
+    if (cbor_flushed) {
+        dns_rlabel_t* rlabel;
+        struct rdata* r;
+
+        cbor_buf_p = cbor_buf;
+        while ((rlabel = last.dns_rlabel)) {
+            last.dns_rlabel = rlabel->next;
+            free(rlabel);
+        }
+        while ((r = last.rdata)) {
+            last.rdata = r->next;
+            rdata_free(r);
+        }
+        memset(&last, 0, sizeof(last));
+        if (rdata_tbl) {
+            hash_free(rdata_tbl);
+            rdata_tbl = 0;
+        }
+
+        cbor_encoder_init(&cbor, message_buf, message_size, 0);
+        cbor_err = cbor_encoder_create_array(&cbor, &message, 5 + (use_rdata_index ? 3 : 0) + (use_rdata_rindex ? 4 : 0));
+        if (cbor_err == CborNoError)
+            cbor_err = cbor_encode_text_stringz(&message, "CDSv1");
+        if (cbor_err == CborNoError)
+            cbor_err = cbor_encode_uint(&message, CDS_OPTION_RLABELS);
+        if (cbor_err == CborNoError)
+            cbor_err = cbor_encode_uint(&message, MAX_RLABELS);
+        if (cbor_err == CborNoError)
+            cbor_err = cbor_encode_uint(&message, CDS_OPTION_RLABEL_MIN_SIZE);
+        if (cbor_err == CborNoError)
+            cbor_err = cbor_encode_uint(&message, MIN_RLABEL_SIZE);
+        if (use_rdata_index) {
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_uint(&message, CDS_OPTION_USE_RDATA_INDEX);
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_uint(&message, CDS_OPTION_RDATA_INDEX_MIN_SIZE);
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_uint(&message, RDATA_INDEX_MIN_SIZE);
+        } else if (use_rdata_rindex) {
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_uint(&message, CDS_OPTION_RDATA_RINDEX_SIZE);
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_uint(&message, RDATA_RINDEX_SIZE);
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_uint(&message, CDS_OPTION_RDATA_RINDEX_MIN_SIZE);
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_uint(&message, RDATA_RINDEX_MIN_SIZE);
+        }
+        if (cbor_err == CborNoError)
+            cbor_err = cbor_encoder_close_container_checked(&cbor, &message);
+        if (cbor_err != CborNoError) {
+            fprintf(stderr, "cbor error[%d]: %s\n", cbor_err, cbor_error_string(cbor_err));
+            return DUMP_CDS_ECBOR;
+        }
+
+        /*        *cbor_buf_p = 0x9f;*/
+        /*        cbor_buf_p++;*/
+
+        if ((cbor_size - (cbor_buf_p - cbor_buf)) < cbor_encoder_get_buffer_size(&cbor, message_buf)) {
+            return DUMP_CDS_EBUF;
+        }
+        memcpy(cbor_buf_p, message_buf, cbor_encoder_get_buffer_size(&cbor, message_buf));
+        cbor_buf_p += cbor_encoder_get_buffer_size(&cbor, message_buf);
+
+        cbor_flushed = 0;
+    }
+    if (!rdata_tbl) {
+        if (!(rdata_tbl = hash_create(64 * 1024, rdata_hash, rdata_cmp, rdata_free))) {
+            return DUMP_CDS_ENOMEM;
+        }
+    }
+
+    /*
+     * IP Header
+     */
+
+    memset(&ip, 0, sizeof(ip_header_t));
+
+    /* fill ip */
+    if (from.af == AF_INET6) {
+        ip.is_v6 = 1;
+        memcpy(&(ip.src_addr6), &(from.u.a6), sizeof(struct in6_addr));
+        memcpy(&(ip.dest_addr6), &(to.u.a6), sizeof(struct in6_addr));
+        ip.src_port6  = sport;
+        ip.dest_port6 = dport;
+    } else {
+        memcpy(&(ip.src_addr4), &(from.u.a4), sizeof(struct in_addr));
+        memcpy(&(ip.dest_addr4), &(to.u.a4), sizeof(struct in_addr));
+        ip.src_port4  = sport;
+        ip.dest_port4 = dport;
+    }
+
+    /* deduplicate */
+    {
+        int         dedup = 0;
+        ip_header_t reverse;
+
+        reverse = ip;
+
+        /* check last.ip */
+        if (ip.is_v6) {
+            if (!memcmp(&(ip.src_addr6), &(last.ip.src_addr6), sizeof(struct in6_addr)))
+                dedup++;
+            else
+                ip.have_src_addr = 1;
+
+            if (!memcmp(&(ip.dest_addr6), &(last.ip.dest_addr6), sizeof(struct in6_addr)))
+                dedup++;
+            else
+                ip.have_dest_addr = 1;
+
+            if (ip.src_port6 == last.ip.src_port6)
+                dedup++;
+            else
+                ip.have_src_port = 1;
+
+            if (ip.dest_port6 == last.ip.dest_port6)
+                dedup++;
+            else
+                ip.have_dest_port = 1;
+        } else {
+            if (!memcmp(&(ip.src_addr4), &(last.ip.src_addr4), sizeof(struct in_addr)))
+                dedup++;
+            else
+                ip.have_src_addr = 1;
+
+            if (!memcmp(&(ip.dest_addr4), &(last.ip.dest_addr4), sizeof(struct in_addr)))
+                dedup++;
+            else
+                ip.have_dest_addr = 1;
+
+            if (ip.src_port4 == last.ip.src_port4)
+                dedup++;
+            else
+                ip.have_src_port = 1;
+
+            if (ip.dest_port4 == last.ip.dest_port4)
+                dedup++;
+            else
+                ip.have_dest_port = 1;
+        }
+
+        /* check reverse last.ip */
+        if (ip.is_v6) {
+            if (!memcmp(&(ip.src_addr6), &(last.ip.dest_addr6), sizeof(struct in6_addr)))
+                dedup--;
+            else
+                reverse.have_src_addr = 1;
+
+            if (!memcmp(&(ip.dest_addr6), &(last.ip.src_addr6), sizeof(struct in6_addr)))
+                dedup--;
+            else
+                reverse.have_dest_addr = 1;
+
+            if (ip.src_port6 == last.ip.dest_port6)
+                dedup--;
+            else
+                reverse.have_src_port = 1;
+
+            if (ip.dest_port6 == last.ip.src_port6)
+                dedup--;
+            else
+                reverse.have_dest_port = 1;
+        } else {
+            if (!memcmp(&(ip.src_addr4), &(last.ip.dest_addr4), sizeof(struct in_addr)))
+                dedup--;
+            else
+                reverse.have_src_addr = 1;
+
+            if (!memcmp(&(ip.dest_addr4), &(last.ip.src_addr4), sizeof(struct in_addr)))
+                dedup--;
+            else
+                reverse.have_dest_addr = 1;
+
+            if (ip.src_port4 == last.ip.dest_port4)
+                dedup--;
+            else
+                reverse.have_src_port = 1;
+
+            if (ip.dest_port4 == last.ip.src_port4)
+                dedup--;
+            else
+                reverse.have_dest_port = 1;
+        }
+
+        if (dedup < 0) {
+            ip            = reverse;
+            ip.is_reverse = 1;
+            /*fprintf(stderr, "reverse of last ip ");*/
+        }
+        /*fprintf(stderr, "v6:%d src:%d dest:%d sport:%d dport:%d\n", ip.is_v6, ip.have_src_addr, ip.have_dest_addr, ip.have_src_port, ip.have_dest_port);*/
+
+        ip.bits = ip.is_v6
+                  | ip.have_src_addr << 1
+                  | ip.have_dest_addr << 2
+                  | (ip.have_src_port | ip.have_dest_port) << 3;
+
+        if (ip.is_v6) {
+            last.ip.src_addr6  = ip.src_addr6;
+            last.ip.dest_addr6 = ip.dest_addr6;
+            last.ip.src_port6  = ip.src_port6;
+            last.ip.dest_port6 = ip.dest_port6;
+        } else {
+            last.ip.src_addr4  = ip.src_addr4;
+            last.ip.dest_addr4 = ip.dest_addr4;
+            last.ip.src_port4  = ip.src_port4;
+            last.ip.dest_port4 = ip.dest_port4;
+        }
+    }
+
+    /*
+     * DNS Message
+     */
+
+    if (flags & DNSCAP_OUTPUT_ISDNS) {
+        uint8_t*  p = (uint8_t*)payload;
+        size_t    l = payloadlen, rr, n, n2, n3;
+        int       ret;
+        dns_rr_t* rrp;
+
+        size_t   n_offset = 0;
+        uint16_t offset[256]; /* TODO: Handle offsets better */
+
+        memset(&dns, 0, sizeof(dns));
+        ret = parse_dns(&dns, &p, &l);
+
+        if (ret < 0) {
+            free_dns(&dns);
+            return DUMP_CDS_ENOMEM;
+        } else if (ret > 0) {
+            malformed      = p;
+            malformed_size = l;
+        }
+
+        if (dns.have_qdcount && dns.qdcount == dns.questions) {
+            dns.have_qdcount = 0;
+        }
+        if (dns.have_ancount && dns.ancount == dns.answers) {
+            dns.have_ancount = 0;
+        }
+        if (dns.have_nscount && dns.nscount == dns.authorities) {
+            dns.have_nscount = 0;
+        }
+        if (dns.have_arcount && dns.arcount == dns.additionals) {
+            dns.have_arcount = 0;
+        }
+
+        dns.cnt_bits = dns.have_qdcount
+                       | dns.have_ancount << 1
+                       | dns.have_nscount << 2
+                       | dns.have_arcount << 3;
+        if (dns.cnt_bits && dns.cnt_bits != 0xf) {
+            dns.have_cnt_bits = 1;
+        }
+
+        dns.rr_bits = dns.have_questions
+                      | dns.have_answers << 1
+                      | dns.have_authorities << 2
+                      | dns.have_additionals << 3;
+        if (dns.rr_bits && dns.rr_bits != 0xf) {
+            dns.have_rr_bits = 1;
+        }
+
+        dns_rr_build_offset(dns.question, dns.questions, &offset[0], sizeof(offset), &n_offset, payload);
+        dns_rr_build_offset(dns.answer, dns.answers, &offset[0], sizeof(offset), &n_offset, payload);
+        dns_rr_build_offset(dns.authority, dns.authorities, &offset[0], sizeof(offset), &n_offset, payload);
+        dns_rr_build_offset(dns.additional, dns.additionals, &offset[0], sizeof(offset), &n_offset, payload);
+
+        /*        for (n = 0; n < n_offset; n++) {*/
+        /*            printf("%lu: %u\n", n, offset[n]);*/
+        /*        }*/
+
+        dns_rr_set_offset(dns.question, dns.questions, &offset[0], n_offset);
+        dns_rr_set_offset(dns.answer, dns.answers, &offset[0], n_offset);
+        dns_rr_set_offset(dns.authority, dns.authorities, &offset[0], n_offset);
+        dns_rr_set_offset(dns.additional, dns.additionals, &offset[0], n_offset);
+
+        dns_rr_build_rlabel(dns.question, dns.questions);
+        dns_rr_build_rlabel(dns.answer, dns.answers);
+        dns_rr_build_rlabel(dns.authority, dns.authorities);
+        dns_rr_build_rlabel(dns.additional, dns.additionals);
+    }
+
+    /*
+     * CBOR
+     */
+
+    cbor_encoder_init(&cbor, message_buf, message_size, 0);
+    cbor_err = cbor_encoder_create_array(&cbor, &message,
+        /* timestamp */
+        1
+            /* message bits */
+            + 1
+            /* ip header */
+            + 1 + ip.have_src_addr + ip.have_dest_addr + (ip.have_src_port | ip.have_dest_port)
+            /* dns message */
+            + dns.have_id + dns.have_raw
+            + dns.have_cnt_bits + dns.have_qdcount + dns.have_ancount + dns.have_nscount + dns.have_arcount
+            + dns.have_rr_bits + dns.have_questions + dns.have_answers + dns.have_authorities + dns.have_additionals
+            + (malformed ? 1 : 0));
+
+    /*
+     * Encode timestamp
+     */
+
+    {
+        CborEncoder timestamp;
+
+        if (cbor_err == CborNoError)
+            cbor_err = cbor_encoder_create_array(&message, &timestamp, 2);
+        if (last.ts.tv_sec && last.ts.tv_sec <= ts.tv_sec) {
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_negative_int(&timestamp, ts.tv_sec - last.ts.tv_sec);
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_int(&timestamp, ts.tv_usec - last.ts.tv_usec);
+        } else {
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_uint(&timestamp, ts.tv_sec);
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_uint(&timestamp, ts.tv_usec);
+        }
+        if (cbor_err == CborNoError)
+            cbor_err = cbor_encoder_close_container_checked(&message, &timestamp);
+
+        last.ts = ts;
+    }
+
+    /*
+     * Encode message bits
+     */
+
+    if (cbor_err == CborNoError)
+        cbor_err = cbor_encode_uint(&message,
+            (flags & DNSCAP_OUTPUT_ISDNS ? 1 : 0)
+                + (flags & DNSCAP_OUTPUT_ISDNS ? proto == IPPROTO_TCP ? 1 << 1 : 0
+                                               : 0)
+                + (flags & DNSCAP_OUTPUT_ISFRAG ? 1 << 2 : 0)
+                + (malformed ? 1 << 3 : 0));
+
+    /*
+     * Encode IP Header
+     */
+
+    if (ip.is_reverse) {
+        if (cbor_err == CborNoError)
+            cbor_err = cbor_encode_negative_int(&message, ip.bits);
+    } else {
+        if (cbor_err == CborNoError)
+            cbor_err = cbor_encode_uint(&message, ip.bits);
+    }
+
+    if (ip.is_v6) {
+        if (ip.have_src_addr && cbor_err == CborNoError)
+            cbor_err = cbor_encode_byte_string(&message, (uint8_t*)&(ip.src_addr6), sizeof(struct in6_addr));
+        if (ip.have_dest_addr && cbor_err == CborNoError)
+            cbor_err = cbor_encode_byte_string(&message, (uint8_t*)&(ip.dest_addr6), sizeof(struct in6_addr));
+        if (ip.have_src_port && ip.have_dest_port) {
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_uint(&message, (ip.dest_port6 << 16) | ip.src_port6);
+        } else if (ip.have_src_port) {
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_uint(&message, ip.src_port6);
+        } else if (ip.have_dest_port) {
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_negative_int(&message, ip.dest_port6);
+        }
+    } else {
+        if (ip.have_src_addr && cbor_err == CborNoError)
+            cbor_err = cbor_encode_byte_string(&message, (uint8_t*)&(ip.src_addr4), sizeof(struct in_addr));
+        if (ip.have_dest_addr && cbor_err == CborNoError)
+            cbor_err = cbor_encode_byte_string(&message, (uint8_t*)&(ip.dest_addr4), sizeof(struct in_addr));
+        if (ip.have_src_port && ip.have_dest_port) {
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_uint(&message, (ip.dest_port4 << 16) | ip.src_port4);
+        } else if (ip.have_src_port) {
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_uint(&message, ip.src_port4);
+        } else if (ip.have_dest_port) {
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encode_negative_int(&message, ip.dest_port4);
+        }
+    }
+
+    /*
+     * Encode DNS Message
+     */
+    if (flags & DNSCAP_OUTPUT_ISDNS && !dns.header_is_complete) {
+        if (cbor_err == CborNoError)
+            cbor_err = cbor_encode_boolean(&message, false);
+    }
+    if (dns.have_id && cbor_err == CborNoError)
+        cbor_err = cbor_encode_uint(&message, dns.id);
+    if (dns.have_raw && cbor_err == CborNoError)
+        cbor_err = cbor_encode_uint(&message, dns.raw);
+    if (dns.have_cnt_bits && cbor_err == CborNoError)
+        cbor_err = cbor_encode_negative_int(&message, dns.cnt_bits);
+    if (dns.have_qdcount && cbor_err == CborNoError)
+        cbor_err = cbor_encode_uint(&message, dns.qdcount);
+    if (dns.have_ancount && cbor_err == CborNoError)
+        cbor_err = cbor_encode_uint(&message, dns.ancount);
+    if (dns.have_nscount && cbor_err == CborNoError)
+        cbor_err = cbor_encode_uint(&message, dns.nscount);
+    if (dns.have_arcount && cbor_err == CborNoError)
+        cbor_err = cbor_encode_uint(&message, dns.arcount);
+    if (dns.have_rr_bits && cbor_err == CborNoError)
+        cbor_err = cbor_encode_simple_value(&message, dns.rr_bits);
+    if (dns.have_questions) {
+        CborEncoder rrs;
+        dns_rr_t*   rr = dns.question;
+        size_t      n  = dns.questions;
+
+        if (cbor_err == CborNoError)
+            cbor_err = cbor_encoder_create_array(&message, &rrs, n);
+        while (n--) {
+            CborEncoder item;
+
+            if (rr->have_type && rr->type == last.dns_type) {
+                rr->have_type = 0;
+            }
+            if (rr->have_class && rr->class == last.dns_class) {
+                rr->have_class = 0;
+            }
+
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encoder_create_array(&rrs, &item,
+                    (rr->is_complete ? 0 : 1) + rr->have_labels + rr->have_type + rr->have_class);
+            if (!rr->is_complete) {
+                if (cbor_err == CborNoError)
+                    cbor_err = cbor_encode_boolean(&item, false);
+            }
+            if (rr->have_labels) {
+                if (rr->have_rlabel_idx) {
+                    if (cbor_err == CborNoError)
+                        cbor_err = cbor_encode_negative_int(&item, rr->rlabel_idx);
+                } else {
+                    if (cbor_err == CborNoError)
+                        cbor_err = encode_label(&item, rr->label, rr->labels);
+                }
+            }
+            if (rr->have_type && cbor_err == CborNoError)
+                cbor_err = cbor_encode_uint(&item, rr->type);
+            if (rr->have_class && cbor_err == CborNoError)
+                cbor_err = cbor_encode_negative_int(&item, rr->class);
+            if (cbor_err == CborNoError)
+                cbor_err = cbor_encoder_close_container_checked(&rrs, &item);
+
+            if (rr->have_type) {
+                last.dns_type = rr->type;
+            }
+            if (rr->have_class) {
+                last.dns_class = rr->class;
+            }
+
+            rr++;
+        }
+        if (cbor_err == CborNoError)
+            cbor_err = cbor_encoder_close_container_checked(&message, &rrs);
+    }
+    if (dns.have_answers && cbor_err == CborNoError)
+        cbor_err = dns_build_rrs(&message, dns.answer, dns.answers);
+    if (dns.have_authorities && cbor_err == CborNoError)
+        cbor_err = dns_build_rrs(&message, dns.authority, dns.authorities);
+    if (dns.have_additionals && cbor_err == CborNoError)
+        cbor_err = dns_build_rrs(&message, dns.additional, dns.additionals);
+
+    /*
+     * Encode malformed
+     */
+
+    if (malformed && cbor_err == CborNoError)
+        cbor_err = cbor_encode_byte_string(&message, (uint8_t*)malformed, malformed_size);
+
+    /*
+     * Close
+     */
+
+    free_dns(&dns);
+
+    if (cbor_err == CborNoError)
+        cbor_err = cbor_encoder_close_container_checked(&cbor, &message);
+    if (cbor_err != CborNoError) {
+        fprintf(stderr, "cbor error[%d]: %s\n", cbor_err, cbor_error_string(cbor_err));
+        return DUMP_CDS_ECBOR;
+    }
+
+    /*    if (print_cbor>1)*/
+    /*    {*/
+    /*        uint8_t* p = message_buf;*/
+    /*        size_t s = cbor_encoder_get_buffer_size(&cbor, message_buf);*/
+
+    /*        while (s--) {*/
+    /*            printf("%02x", *p++);*/
+    /*        }*/
+    /*        printf("\n");*/
+    /*    }*/
+
+    if (((cbor_size + message_size) - (cbor_buf_p - cbor_buf)) < cbor_encoder_get_buffer_size(&cbor, message_buf)) {
+        return DUMP_CDS_EBUF;
+    }
+    memcpy(cbor_buf_p, message_buf, cbor_encoder_get_buffer_size(&cbor, message_buf));
+    cbor_buf_p += cbor_encoder_get_buffer_size(&cbor, message_buf);
+
+    if (cbor_buf_p < (cbor_buf + cbor_size)) {
+        return DUMP_CDS_OK;
+    }
+
+    cbor_flushed = 1;
+    return DUMP_CDS_FLUSH;
+}
+
+int dump_cds(FILE* fp)
+{
+    CborError cbor_err;
+
+    if (!fp) {
+        return DUMP_CDS_EINVAL;
+    }
+
+    /*    *cbor_buf_p = 0xff;*/
+    /*    cbor_buf_p++;*/
+
+    /*    fprintf(stderr, "cds output: %lu bytes\n", cbor_buf_p - cbor_buf);*/
+
+    if (fwrite(cbor_buf, cbor_buf_p - cbor_buf, 1, fp) != 1) {
+        return DUMP_CDS_EWRITE;
+    }
+
+    return DUMP_CDS_OK;
+}
+
+int have_cds_support()
+{
+    return 1;
+}
+
+#else /* HAVE_LIBTINYCBOR */
+
+int cds_set_cbor_size(size_t size)
+{
+    return DUMP_CDS_ENOSUP;
+}
+
+int cds_set_message_size(size_t size)
+{
+    return DUMP_CDS_ENOSUP;
+}
+
+int cds_set_max_rlabels(size_t size)
+{
+    return DUMP_CDS_ENOSUP;
+}
+
+int cds_set_min_rlabel_size(size_t size)
+{
+    return DUMP_CDS_ENOSUP;
+}
+
+int cds_set_use_rdata_index(int use)
+{
+    return DUMP_CDS_ENOSUP;
+}
+
+int cds_set_use_rdata_rindex(int use)
+{
+    return DUMP_CDS_ENOSUP;
+}
+
+int cds_set_rdata_index_min_size(size_t size)
+{
+    return DUMP_CDS_ENOSUP;
+}
+
+int cds_set_rdata_rindex_min_size(size_t size)
+{
+    return DUMP_CDS_ENOSUP;
+}
+
+int cds_set_rdata_rindex_size(size_t size)
+{
+    return DUMP_CDS_ENOSUP;
+}
+
+int output_cds(iaddr from, iaddr to, uint8_t proto, unsigned flags, unsigned sport, unsigned dport, my_bpftimeval ts, const u_char* pkt_copy, size_t olen, const u_char* payload, size_t payloadlen)
+{
+    return DUMP_CDS_ENOSUP;
+}
+
+int dump_cds(FILE* fp)
+{
+    return DUMP_CDS_ENOSUP;
+}
+
+int have_cds_support()
+{
+    return 0;
+}
+
+#endif
diff --git a/src/dump_cds.h b/src/dump_cds.h
new file mode 100644
index 0000000..a972e59
--- /dev/null
+++ b/src/dump_cds.h
@@ -0,0 +1,218 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap_common.h"
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdio.h>
+
+#ifndef __dnscap_dump_cds_h
+#define __dnscap_dump_cds_h
+
+#define DUMP_CDS_OK 0
+#define DUMP_CDS_EINVAL 1
+#define DUMP_CDS_ENOMEM 2
+#define DUMP_CDS_ECBOR 3
+#define DUMP_CDS_ELDNS 4
+#define DUMP_CDS_EWRITE 5
+#define DUMP_CDS_FLUSH 6
+#define DUMP_CDS_ENOSUP 7
+#define DUMP_CDS_EBUF 8
+
+#define CDS_OPTION_RLABELS 0
+#define CDS_OPTION_RLABEL_MIN_SIZE 1
+#define CDS_OPTION_RDATA_RINDEX_SIZE 2
+#define CDS_OPTION_RDATA_RINDEX_MIN_SIZE 3
+#define CDS_OPTION_USE_RDATA_INDEX 4
+#define CDS_OPTION_RDATA_INDEX_MIN_SIZE 5
+
+#define CDS_DEFAULT_MAX_RLABELS 255
+#define CDS_DEFAULT_MIN_RLABEL_SIZE 3
+#define CDS_DEFAULT_RDATA_INDEX_MIN_SIZE 5
+#define CDS_DEFAULT_RDATA_RINDEX_SIZE 255
+#define CDS_DEFAULT_RDATA_RINDEX_MIN_SIZE 5
+
+typedef struct ip_header ip_header_t;
+struct ip_header {
+    unsigned short is_v6 : 1;
+    unsigned short is_reverse : 1;
+    unsigned short have_src_addr : 1;
+    unsigned short have_src_port : 1;
+    unsigned short have_dest_addr : 1;
+    unsigned short have_dest_port : 1;
+
+    uint8_t         bits;
+    struct in_addr  src_addr4;
+    uint16_t        src_port4;
+    struct in6_addr src_addr6;
+    uint16_t        src_port6;
+    struct in_addr  dest_addr4;
+    uint16_t        dest_port4;
+    struct in6_addr dest_addr6;
+    uint16_t        dest_port6;
+};
+
+typedef struct dns_label dns_label_t;
+struct dns_label {
+    unsigned short is_complete : 1;
+    unsigned short have_size : 1;
+    unsigned short have_extension_bits : 1;
+    unsigned short have_offset : 1;
+    unsigned short have_label : 1;
+    unsigned short have_n_offset : 1;
+
+    uint8_t  size;
+    uint8_t  extension_bits;
+    uint16_t offset;
+    uint8_t* offset_p;
+    uint8_t* label;
+    size_t   n_offset;
+};
+
+#define CDS_RLABEL_LABEL_T_LABEL 64
+
+typedef struct dns_rlabel_label dns_rlabel_label_t;
+struct dns_rlabel_label {
+    unsigned short have_n_offset : 1;
+
+    uint8_t size;
+    uint8_t label[CDS_RLABEL_LABEL_T_LABEL];
+    size_t  n_offset;
+};
+
+#define CDS_RLABEL_T_LABELS 256
+
+typedef struct dns_rlabel dns_rlabel_t;
+struct dns_rlabel {
+    dns_rlabel_t* next;
+    dns_rlabel_t* prev;
+
+    uint8_t            labels;
+    dns_rlabel_label_t label[CDS_RLABEL_T_LABELS];
+};
+
+typedef struct dns_rdata dns_rdata_t;
+struct dns_rdata {
+    unsigned short is_complete : 1;
+    unsigned short have_labels : 1;
+    unsigned short have_rlabel_idx : 1;
+    unsigned short have_rdata : 1;
+
+    size_t       rdata_len;
+    uint8_t*     rdata;
+    size_t       labels;
+    dns_label_t* label;
+    size_t       rlabel_idx;
+};
+
+typedef struct dns_rr dns_rr_t;
+struct dns_rr {
+    unsigned short is_complete : 1;
+    unsigned short have_labels : 1;
+    unsigned short have_rlabel_idx : 1;
+    unsigned short have_bits : 1;
+    unsigned short have_type : 1;
+    unsigned short have_class : 1;
+    unsigned short have_ttl : 1;
+    unsigned short have_rdlength : 1;
+    unsigned short have_rdata : 1;
+    unsigned short have_mixed_rdata : 1;
+    unsigned short have_rdata_index : 1;
+    unsigned short have_rdata_rindex : 1;
+
+    size_t       labels;
+    dns_label_t* label;
+    size_t       rlabel_idx;
+    uint8_t      bits;
+    uint16_t     type;
+    uint16_t class;
+    uint32_t     ttl;
+    uint16_t     rdlength;
+    uint8_t*     rdata;
+    size_t       mixed_rdatas;
+    dns_rdata_t* mixed_rdata;
+    size_t       rdata_index;
+    size_t       rdata_rindex;
+};
+
+typedef struct dns dns_t;
+struct dns {
+    unsigned short header_is_complete : 1;
+    unsigned short have_id : 1;
+    unsigned short have_raw : 1;
+    unsigned short have_cnt_bits : 1;
+    unsigned short have_qdcount : 1;
+    unsigned short have_ancount : 1;
+    unsigned short have_nscount : 1;
+    unsigned short have_arcount : 1;
+    unsigned short have_rr_bits : 1;
+    unsigned short have_questions : 1;
+    unsigned short have_answers : 1;
+    unsigned short have_authorities : 1;
+    unsigned short have_additionals : 1;
+
+    int       id;
+    uint16_t  raw;
+    uint8_t   cnt_bits;
+    uint16_t  qdcount;
+    uint16_t  ancount;
+    uint16_t  nscount;
+    uint16_t  arcount;
+    uint8_t   rr_bits;
+    size_t    questions;
+    dns_rr_t* question;
+    size_t    answers;
+    dns_rr_t* answer;
+    size_t    authorities;
+    dns_rr_t* authority;
+    size_t    additionals;
+    dns_rr_t* additional;
+};
+
+int cds_set_cbor_size(size_t size);
+int cds_set_message_size(size_t size);
+int cds_set_max_rlabels(size_t size);
+int cds_set_min_rlabel_size(size_t size);
+int cds_set_use_rdata_index(int use);
+int cds_set_use_rdata_rindex(int use);
+int cds_set_rdata_index_min_size(size_t size);
+int cds_set_rdata_rindex_min_size(size_t size);
+int cds_set_rdata_rindex_size(size_t size);
+int output_cds(iaddr from, iaddr to, uint8_t proto, unsigned flags, unsigned sport, unsigned dport, my_bpftimeval ts, const u_char* pkt_copy, size_t olen, const u_char* payload, size_t payloadlen);
+int dump_cds(FILE* fp);
+int have_cds_support();
+
+#endif /* __dnscap_dump_cds_h */
diff --git a/src/dump_dns.c b/src/dump_dns.c
new file mode 100644
index 0000000..e03e33f
--- /dev/null
+++ b/src/dump_dns.c
@@ -0,0 +1,319 @@
+/* dump_dns.c - library function to emit decoded dns message on a FILE.
+ *
+ * By: Paul Vixie, ISC, October 2007
+ */
+
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "dnscap_common.h"
+
+#include "dump_dns.h"
+#include "network.h"
+#include "tcpstate.h"
+#include "endian_compat.h"
+
+#include <ldns/ldns.h>
+#include <netinet/in.h>
+
+static inline uint16_t _need16(const void* ptr)
+{
+    uint16_t v;
+    memcpy(&v, ptr, sizeof(v));
+    return be16toh(v);
+}
+
+static void dump_dns_rr(ldns_rr* rr, FILE* trace, ldns_buffer* lbuf, bool qsect)
+{
+    size_t    rdlen, i;
+    ldns_rdf* rdf;
+
+    // owner
+    ldns_buffer_clear(lbuf);
+    if (ldns_rdf2buffer_str(lbuf, ldns_rr_owner(rr)) != LDNS_STATUS_OK) {
+        goto error;
+    }
+    fprintf(trace, "%s", (char*)ldns_buffer_begin(lbuf));
+
+    // class
+    ldns_buffer_clear(lbuf);
+    if (ldns_rr_class2buffer_str(lbuf, ldns_rr_get_class(rr)) != LDNS_STATUS_OK) {
+        goto error;
+    }
+    fprintf(trace, ",%s", (char*)ldns_buffer_begin(lbuf));
+
+    // type
+    ldns_buffer_clear(lbuf);
+    if (ldns_rr_type2buffer_str(lbuf, ldns_rr_get_type(rr)) != LDNS_STATUS_OK) {
+        goto error;
+    }
+    fprintf(trace, ",%s", (char*)ldns_buffer_begin(lbuf));
+
+    if (qsect)
+        return;
+
+    fprintf(trace, ",%u", ldns_rr_ttl(rr));
+    switch (ldns_rr_get_type(rr)) {
+    case LDNS_RR_TYPE_SOA:
+        for (i = 0; i < 2; i++) {
+            if (!(rdf = ldns_rr_rdf(rr, i))) {
+                goto error;
+            }
+            ldns_buffer_clear(lbuf);
+            if (ldns_rdf2buffer_str(lbuf, rdf) != LDNS_STATUS_OK) {
+                goto error;
+            }
+            fprintf(trace, ",%s", (char*)ldns_buffer_begin(lbuf));
+        }
+        for (; i < 7; i++) {
+            if (!(rdf = ldns_rr_rdf(rr, i))) {
+                goto error;
+            }
+            ldns_buffer_clear(lbuf);
+            if (ldns_rdf2buffer_str(lbuf, rdf) != LDNS_STATUS_OK) {
+                goto error;
+            }
+            fprintf(trace, ",%s", (char*)ldns_buffer_begin(lbuf));
+        }
+        break;
+
+    case LDNS_RR_TYPE_A:
+    case LDNS_RR_TYPE_AAAA:
+    case LDNS_RR_TYPE_MX:
+        if (!(rdf = ldns_rr_rdf(rr, 0))) {
+            goto error;
+        }
+        ldns_buffer_clear(lbuf);
+        if (ldns_rdf2buffer_str(lbuf, rdf) != LDNS_STATUS_OK) {
+            goto error;
+        }
+        fprintf(trace, ",%s", (char*)ldns_buffer_begin(lbuf));
+        break;
+
+    case LDNS_RR_TYPE_NS:
+    case LDNS_RR_TYPE_PTR:
+    case LDNS_RR_TYPE_CNAME:
+        if (!(rdf = ldns_rr_rdf(rr, 0))) {
+            goto error;
+        }
+        ldns_buffer_clear(lbuf);
+        if (ldns_rdf2buffer_str(lbuf, rdf) != LDNS_STATUS_OK) {
+            goto error;
+        }
+        fprintf(trace, ",%s", (char*)ldns_buffer_begin(lbuf));
+        break;
+
+    default:
+        goto error;
+    }
+    return;
+
+error:
+    for (rdlen = 0, i = 0, rdf = ldns_rr_rdf(rr, i); rdf; rdf = ldns_rr_rdf(rr, ++i)) {
+        rdlen += ldns_rdf_size(rdf);
+    }
+    fprintf(trace, ",[%zu]", rdlen);
+}
+
+static void dump_dns_sect(ldns_rr_list* rrs, FILE* trace, const char* endline, ldns_buffer* lbuf, bool qsect, bool ansect, ldns_pkt* pkt)
+{
+    size_t      rrnum, rrmax;
+    const char* sep;
+
+    if (ansect && ldns_pkt_edns(pkt)) {
+        rrmax = ldns_rr_list_rr_count(rrs);
+        fprintf(trace, " %s%zu", endline, rrmax + 1);
+        sep = "";
+        for (rrnum = 0; rrnum < rrmax; rrnum++) {
+            fprintf(trace, " %s", sep);
+            dump_dns_rr(ldns_rr_list_rr(rrs, rrnum), trace, lbuf, qsect);
+            sep = endline;
+        }
+        ldns_rdf* edns_data = ldns_pkt_edns_data(pkt);
+        fprintf(trace, " %s.,%u,%u,0,edns0[len=%zu,UDP=%u,ver=%u,rcode=%u,DO=%u,z=%u]",
+            sep, ldns_pkt_edns_udp_size(pkt), ldns_pkt_edns_udp_size(pkt),
+            edns_data ? ldns_rdf_size(edns_data) : 0,
+            ldns_pkt_edns_udp_size(pkt),
+            ldns_pkt_edns_version(pkt),
+            ldns_pkt_edns_extended_rcode(pkt),
+            ldns_pkt_edns_do(pkt) ? 1 : 0,
+            ldns_pkt_edns_z(pkt));
+        if (edns_data) {
+            size_t   len = ldns_rdf_size(edns_data);
+            uint8_t* d   = ldns_rdf_data(edns_data);
+
+            while (len >= 4) {
+                uint16_t opcode = _need16(d);
+                uint16_t oplen  = _need16(d + 2);
+                len -= 4;
+                d += 4;
+
+                if (oplen > len) {
+                    break;
+                }
+                switch (opcode) {
+                case 8: {
+                    if (oplen >= 4) {
+                        uint16_t        family            = _need16(d);
+                        uint8_t         source_prefix_len = *(d + 2), scope_prefix_len = *(d + 3);
+                        char            addr[(INET_ADDRSTRLEN < INET6_ADDRSTRLEN ? INET6_ADDRSTRLEN : INET_ADDRSTRLEN) + 1] = { 0 };
+                        struct in_addr  in4                                                                                 = { .s_addr = INADDR_ANY };
+                        struct in6_addr in6                                                                                 = IN6ADDR_ANY_INIT;
+                        void*           in                                                                                  = 0;
+                        int             af;
+
+                        switch (family) {
+                        case 1: {
+                            memcpy(&in4.s_addr, d + 4, oplen - 4 > sizeof(in4.s_addr) ? sizeof(in4.s_addr) : oplen - 4);
+                            in = &in4;
+                            af = AF_INET;
+                            break;
+                        }
+                        case 2: {
+                            memcpy(&in6.s6_addr, d + 4, oplen - 4 > sizeof(in6.s6_addr) ? sizeof(in6.s6_addr) : oplen - 4);
+                            in = &in6;
+                            af = AF_INET6;
+                            break;
+                        }
+                        default:
+                            break;
+                        }
+
+                        fprintf(trace, ",edns0opt[ECS,family=%u,source=%u,scope=%u,", family, source_prefix_len, scope_prefix_len);
+
+                        if (!in || !inet_ntop(af, in, addr, sizeof(addr) - 1)) {
+                            fprintf(trace, "addr=INVALID]");
+                        } else {
+                            fprintf(trace, "addr=%s]", addr);
+                        }
+
+                        break;
+                    }
+                }
+
+                default:
+                    fprintf(trace, ",edns0opt[code=%u,codelen=%u]", opcode, oplen);
+                    break;
+                }
+
+                len -= oplen;
+                d += oplen;
+            }
+        }
+        return;
+    }
+
+    rrmax = ldns_rr_list_rr_count(rrs);
+    if (rrmax == 0) {
+        fputs(" 0", trace);
+        return;
+    }
+    fprintf(trace, " %s%zu", endline, rrmax);
+    sep = "";
+    for (rrnum = 0; rrnum < rrmax; rrnum++) {
+        fprintf(trace, " %s", sep);
+        dump_dns_rr(ldns_rr_list_rr(rrs, rrnum), trace, lbuf, qsect);
+        sep = endline;
+    }
+}
+
+void dump_dns(const u_char* payload, size_t paylen, FILE* trace, const char* endline)
+{
+    const char*  sep;
+    tcpstate_ptr tcpstate;
+    ldns_pkt*    pkt  = 0;
+    ldns_buffer* lbuf = 0;
+    ldns_status  ret;
+
+    fprintf(trace, " %sdns ", endline);
+    if ((ret = ldns_wire2pkt(&pkt, payload, paylen)) != LDNS_STATUS_OK) {
+        /* DNS message may have padding, try get actual size */
+        size_t dnslen = calcdnslen(payload, paylen);
+        if (dnslen > 0 && dnslen < paylen) {
+            if ((ret = ldns_wire2pkt(&pkt, payload, dnslen)) != LDNS_STATUS_OK) {
+                fputs(ldns_get_errorstr_by_id(ret), trace);
+                if ((tcpstate = tcpstate_getcurr()))
+                    tcpstate_reset(tcpstate, strerror(errno));
+                return;
+            }
+        } else {
+            fputs(ldns_get_errorstr_by_id(ret), trace);
+            if ((tcpstate = tcpstate_getcurr()))
+                tcpstate_reset(tcpstate, strerror(errno));
+            return;
+        }
+    }
+
+    if (!(lbuf = ldns_buffer_new(512))) {
+        fprintf(stderr, "%s: out of memory", ProgramName);
+        exit(1);
+    }
+
+    if (ldns_pkt_opcode2buffer_str(lbuf, ldns_pkt_get_opcode(pkt)) != LDNS_STATUS_OK) {
+        fprintf(stderr, "%s: unable to covert opcode to str", ProgramName);
+        exit(1);
+    }
+    fprintf(trace, "%s,", (char*)ldns_buffer_begin(lbuf));
+    ldns_buffer_clear(lbuf);
+    if (ldns_pkt_rcode2buffer_str(lbuf, ldns_pkt_get_rcode(pkt)) != LDNS_STATUS_OK) {
+        fprintf(stderr, "%s: unable to covert rcode to str", ProgramName);
+        exit(1);
+    }
+    fprintf(trace, "%s,%u,", (char*)ldns_buffer_begin(lbuf), ldns_pkt_id(pkt));
+
+    sep = "";
+#define FLAG(t, f)                      \
+    if (f) {                            \
+        fprintf(trace, "%s%s", sep, t); \
+        sep = "|";                      \
+    }
+    FLAG("qr", ldns_pkt_qr(pkt));
+    FLAG("aa", ldns_pkt_aa(pkt));
+    FLAG("tc", ldns_pkt_tc(pkt));
+    FLAG("rd", ldns_pkt_rd(pkt));
+    FLAG("ra", ldns_pkt_ra(pkt));
+    FLAG("z", LDNS_Z_WIRE(payload));
+    FLAG("ad", ldns_pkt_ad(pkt));
+    FLAG("cd", ldns_pkt_cd(pkt));
+#undef FLAG
+    dump_dns_sect(ldns_pkt_question(pkt), trace, endline, lbuf, true, false, 0);
+    dump_dns_sect(ldns_pkt_answer(pkt), trace, endline, lbuf, false, false, 0);
+    dump_dns_sect(ldns_pkt_authority(pkt), trace, endline, lbuf, false, false, 0);
+    dump_dns_sect(ldns_pkt_additional(pkt), trace, endline, lbuf, false, true, pkt);
+
+    ldns_buffer_free(lbuf);
+    ldns_pkt_free(pkt);
+}
diff --git a/src/dump_dns.h b/src/dump_dns.h
new file mode 100644
index 0000000..14c01a9
--- /dev/null
+++ b/src/dump_dns.h
@@ -0,0 +1,47 @@
+/* dump_dns.c - library function to emit decoded dns message on a FILE.
+ *
+ * By: Paul Vixie, ISC, October 2007
+ */
+
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __dnscap_dump_dns_h
+#define __dnscap_dump_dns_h
+
+#include <stdio.h>
+
+void dump_dns(const u_char* payload, size_t paylen, FILE* trace, const char* endline);
+
+#endif // __dnscap_dump_dns_h
diff --git a/src/dumper.c b/src/dumper.c
new file mode 100644
index 0000000..b5458f5
--- /dev/null
+++ b/src/dumper.c
@@ -0,0 +1,399 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "dumper.h"
+#include "iaddr.h"
+#include "log.h"
+#include "pcaps.h"
+
+/*
+ * when flags & DNSCAP_OUTPUT_ISDNS, payload points to a DNS packet
+ */
+void output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen,
+    const u_char* payload, const unsigned payloadlen)
+{
+    struct plugin* p;
+
+    for (p = HEAD(plugins); p != NULL; p = NEXT(p, link)) {
+        if (p->filter && (*p->filter)(descr, &from, &to, proto, flags, sport, dport, ts, pkt_copy, olen, payload, payloadlen)) {
+            if (dumptrace >= 3) {
+                fprintf(stderr, "filtered: capturedbytes=%zu, proto=%d, isfrag=%s, isdns=%s, olen=%u, payloadlen=%u\n",
+                    capturedbytes,
+                    proto,
+                    flags & DNSCAP_OUTPUT_ISFRAG ? "yes" : "no",
+                    flags & DNSCAP_OUTPUT_ISDNS ? "yes" : "no",
+                    olen,
+                    payloadlen);
+            }
+            return;
+        }
+    }
+
+    msgcount++;
+    capturedbytes += olen;
+
+    if (dumptrace >= 3) {
+        fprintf(stderr, "output: capturedbytes=%zu, proto=%d, isfrag=%s, isdns=%s, olen=%u, payloadlen=%u\n",
+            capturedbytes,
+            proto,
+            flags & DNSCAP_OUTPUT_ISFRAG ? "yes" : "no",
+            flags & DNSCAP_OUTPUT_ISDNS ? "yes" : "no",
+            olen,
+            payloadlen);
+    }
+
+    /* Output stage. */
+    if (preso) {
+        fputs(descr, stderr);
+        if (flags & DNSCAP_OUTPUT_ISFRAG) {
+            fprintf(stderr, ";: [%s] ", ia_str(from));
+            fprintf(stderr, "-> [%s] (frag)\n", ia_str(to));
+        } else {
+            fprintf(stderr, "\t[%s].%u ", ia_str(from), sport);
+            fprintf(stderr, "[%s].%u ", ia_str(to), dport);
+            if ((flags & DNSCAP_OUTPUT_ISDNS) && payload)
+                dump_dns(payload, payloadlen, stderr, "\\\n\t");
+        }
+        putc('\n', stderr);
+    }
+    if (dump_type != nowhere) {
+        if (options.dump_format == pcap) {
+            struct pcap_pkthdr h;
+
+            memset(&h, 0, sizeof h);
+            h.ts  = ts;
+            h.len = h.caplen = olen;
+            pcap_dump((u_char*)dumper, &h, pkt_copy);
+            if (flush)
+                pcap_dump_flush(dumper);
+        } else if (options.dump_format == cbor && (flags & DNSCAP_OUTPUT_ISDNS) && payload) {
+            int ret = output_cbor(from, to, proto, flags, sport, dport, ts, payload, payloadlen);
+
+            if (ret == DUMP_CBOR_FLUSH) {
+                if (dumper_close(ts)) {
+                    fprintf(stderr, "%s: dumper_close() failed\n", ProgramName);
+                    exit(1);
+                }
+                if (dumper_open(ts)) {
+                    fprintf(stderr, "%s: dumper_open() failed\n", ProgramName);
+                    exit(1);
+                }
+            } else if (ret != DUMP_CBOR_OK) {
+                fprintf(stderr, "%s: output to cbor failed [%u]\n", ProgramName, ret);
+                exit(1);
+            }
+        } else if (options.dump_format == cds) {
+            int ret = output_cds(from, to, proto, flags, sport, dport, ts, pkt_copy, olen, payload, payloadlen);
+
+            if (ret == DUMP_CDS_FLUSH) {
+                if (dumper_close(ts)) {
+                    fprintf(stderr, "%s: dumper_close() failed\n", ProgramName);
+                    exit(1);
+                }
+                if (dumper_open(ts)) {
+                    fprintf(stderr, "%s: dumper_open() failed\n", ProgramName);
+                    exit(1);
+                }
+            } else if (ret != DUMP_CDS_OK) {
+                fprintf(stderr, "%s: output to cds failed [%u]\n", ProgramName, ret);
+                exit(1);
+            }
+        }
+    }
+    for (p = HEAD(plugins); p != NULL; p = NEXT(p, link))
+        if (p->output)
+            (*p->output)(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, olen, payload, payloadlen);
+    return;
+}
+
+int dumper_open(my_bpftimeval ts)
+{
+    const char*    t = NULL;
+    struct plugin* p;
+
+    assert(dump_state == dumper_closed);
+
+    while (ts.tv_usec >= MILLION) {
+        ts.tv_sec++;
+        ts.tv_usec -= MILLION;
+    }
+    if (limit_seconds != 0U)
+        next_interval = ts.tv_sec
+                        - (ts.tv_sec % limit_seconds)
+                        + limit_seconds;
+
+    if (dump_type == to_stdout) {
+        t = "-";
+    } else if (dump_type == to_file) {
+        char      sbuf[64];
+        struct tm tm;
+
+        gmtime_r((time_t*)&ts.tv_sec, &tm);
+        strftime(sbuf, 64, "%Y%m%d.%H%M%S", &tm);
+        if (asprintf(&dumpname, "%s.%s.%06lu%s",
+                dump_base, sbuf,
+                (u_long)ts.tv_usec, dump_suffix ? dump_suffix : "")
+                < 0
+            || asprintf(&dumpnamepart, "%s.part", dumpname) < 0) {
+            logerr("asprintf: %s", strerror(errno));
+            return (TRUE);
+        }
+        t = dumpnamepart;
+    }
+    if (NULL != t) {
+        if (options.dump_format == pcap) {
+            dumper = dnscap_pcap_dump_open(pcap_dead, t);
+            if (dumper == NULL) {
+                logerr("pcap dump open: %s",
+                    pcap_geterr(pcap_dead));
+                return (TRUE);
+            }
+        }
+    }
+    dumpstart = ts.tv_sec;
+    if (limit_seconds != 0U) {
+        struct timeval now;
+        u_int          seconds;
+        time_t         targ;
+
+        gettimeofday(&now, NULL);
+        while (now.tv_usec >= MILLION) {
+            now.tv_sec++;
+            now.tv_usec -= MILLION;
+        }
+        targ = (((now.tv_sec + (limit_seconds / 2))
+                    / limit_seconds)
+                   + 1)
+               * limit_seconds;
+        assert(targ > now.tv_sec);
+        seconds = targ - now.tv_sec;
+        if (next_interval == 0) {
+            alarm(seconds);
+            alarm_set = TRUE;
+        }
+    }
+    for (p = HEAD(plugins); p != NULL; p = NEXT(p, link)) {
+        int x;
+        if (!p->open)
+            continue;
+        x = (*p->open)(ts);
+        if (0 == x)
+            continue;
+        logerr("%s_open returned %d", p->name, x);
+    }
+    dump_state = dumper_opened;
+    return (FALSE);
+}
+
+int dumper_close(my_bpftimeval ts)
+{
+    int            ret = FALSE;
+    struct plugin* p;
+
+    assert(dump_state == dumper_opened);
+
+    if (print_pcap_stats)
+        do_pcap_stats();
+
+    if (alarm_set) {
+        alarm(0);
+        alarm_set = FALSE;
+    }
+
+    if (options.dump_format == pcap) {
+        if (dumper) {
+            pcap_dump_close(dumper);
+            dumper = FALSE;
+        }
+    } else if (options.dump_format == cbor) {
+        int ret;
+
+        if (dump_type == to_stdout) {
+            ret = dump_cbor(stdout);
+
+            if (ret != DUMP_CBOR_OK) {
+                fprintf(stderr, "%s: output to cbor failed [%u]\n", ProgramName, ret);
+                exit(1);
+            }
+        } else if (dump_type == to_file) {
+            FILE* fp;
+
+            if (!(fp = fopen(dumpnamepart, "w"))) {
+                fprintf(stderr, "%s: fopen(%s) failed: %s\n", ProgramName, dumpnamepart, strerror(errno));
+                exit(1);
+            }
+            ret = dump_cbor(fp);
+            fclose(fp);
+            if (ret != DUMP_CBOR_OK) {
+                fprintf(stderr, "%s: output to cbor failed [%u]\n", ProgramName, ret);
+                exit(1);
+            }
+        }
+    } else if (options.dump_format == cds) {
+        int ret;
+
+        if (dump_type == to_stdout) {
+            ret = dump_cds(stdout);
+
+            if (ret != DUMP_CDS_OK) {
+                fprintf(stderr, "%s: output to cds failed [%u]\n", ProgramName, ret);
+                exit(1);
+            }
+        } else if (dump_type == to_file) {
+            FILE* fp;
+
+            if (!(fp = fopen(dumpnamepart, "w"))) {
+                fprintf(stderr, "%s: fopen(%s) failed: %s\n", ProgramName, dumpnamepart, strerror(errno));
+                exit(1);
+            }
+            ret = dump_cds(fp);
+            fclose(fp);
+            if (ret != DUMP_CDS_OK) {
+                fprintf(stderr, "%s: output to cds failed [%u]\n", ProgramName, ret);
+                exit(1);
+            }
+        }
+    }
+
+    if (dump_type == to_stdout) {
+        assert(dumpname == NULL);
+        assert(dumpnamepart == NULL);
+        if (dumptrace >= 1)
+            fprintf(stderr, "%s: breaking\n", ProgramName);
+        ret = TRUE;
+    } else if (dump_type == to_file) {
+        char* cmd = NULL;
+        ;
+
+        if (dumptrace >= 1)
+            fprintf(stderr, "%s: closing %s\n",
+                ProgramName, dumpname);
+        if (rename(dumpnamepart, dumpname)) {
+            logerr("rename: %s", strerror(errno));
+            return ret;
+        }
+        if (kick_cmd != NULL)
+            if (asprintf(&cmd, "%s %s &", kick_cmd, dumpname) < 0) {
+                logerr("asprintf: %s", strerror(errno));
+                cmd = NULL;
+            }
+        free(dumpnamepart);
+        dumpnamepart = NULL;
+        free(dumpname);
+        dumpname = NULL;
+        if (cmd != NULL) {
+            int x = system(cmd);
+            if (x)
+                logerr("system: \"%s\" returned %d", cmd, x);
+            free(cmd);
+        }
+        if (kick_cmd == NULL && options.dump_format != cbor && options.dump_format != cds)
+            ret = TRUE;
+    }
+    for (p = HEAD(plugins); p != NULL; p = NEXT(p, link)) {
+        int x;
+        if (!p->close)
+            continue;
+        x = (*p->close)(ts);
+        if (x)
+            logerr("%s_close returned %d", p->name, x);
+    }
+    dump_state = dumper_closed;
+    return (ret);
+}
+
+#if HAVE_ZLIB_H
+#if HAVE_FUNOPEN
+static int
+gzip_cookie_write(void* cookie, const char* buf, int size)
+{
+    return gzwrite((gzFile)cookie, (voidpc)buf, (unsigned)size);
+}
+#elif HAVE_FOPENCOOKIE
+static ssize_t
+gzip_cookie_write(void* cookie, const char* buf, size_t size)
+{
+    return gzwrite((gzFile)cookie, (voidpc)buf, (unsigned)size);
+}
+#endif
+
+static int
+gzip_cookie_close(void* cookie)
+{
+    return gzclose((gzFile)cookie);
+}
+#endif /* HAVE_ZLIB_H */
+
+pcap_dumper_t* dnscap_pcap_dump_open(pcap_t* pcap, const char* path)
+{
+#if HAVE_ZLIB_H
+#if HAVE_GZOPEN
+    if (wantgzip) {
+        FILE*  fp = NULL;
+        gzFile z  = gzopen(path, "w");
+        if (z == NULL) {
+            perror("gzopen");
+            return NULL;
+        }
+
+#if HAVE_FUNOPEN
+        fp = funopen(z, NULL, gzip_cookie_write, NULL, gzip_cookie_close);
+        if (fp == NULL) {
+            perror("funopen");
+            return NULL;
+        }
+#elif HAVE_FOPENCOOKIE
+        {
+            static cookie_io_functions_t cookiefuncs = {
+                NULL, gzip_cookie_write, NULL, gzip_cookie_close
+            };
+
+            fp = fopencookie(z, "w", cookiefuncs);
+            if (fp == NULL) {
+                perror("fopencookie");
+                return NULL;
+            }
+        }
+#endif
+        return pcap_dump_fopen(pcap, fp);
+    }
+#endif /* HAVE_GZOPEN */
+#endif /* HAVE_ZLIB_H */
+
+    return pcap_dump_open(pcap, path);
+}
diff --git a/src/dumper.h b/src/dumper.h
new file mode 100644
index 0000000..f447f5c
--- /dev/null
+++ b/src/dumper.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap.h"
+
+#ifndef __dnscap_dumper_h
+#define __dnscap_dumper_h
+
+void output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen,
+    const u_char* payload, const unsigned payloadlen);
+
+int dumper_open(my_bpftimeval ts);
+int dumper_close(my_bpftimeval ts);
+
+pcap_dumper_t* dnscap_pcap_dump_open(pcap_t* pcap, const char* path);
+
+#endif /* __dnscap_dumper_h */
diff --git a/src/endian_compat.h b/src/endian_compat.h
new file mode 100644
index 0000000..6c49625
--- /dev/null
+++ b/src/endian_compat.h
@@ -0,0 +1,108 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __dnscap_endian_compat_h
+#define __dnscap_endian_compat_h
+
+#ifdef HAVE_ENDIAN_H
+#include <endian.h>
+#else
+#ifdef HAVE_SYS_ENDIAN_H
+#include <sys/endian.h>
+#else
+#ifdef HAVE_MACHINE_ENDIAN_H
+#include <machine/endian.h>
+#endif
+#endif
+#endif
+
+#ifdef __APPLE__
+#include <libkern/OSByteOrder.h>
+#define htobe16(x) OSSwapHostToBigInt16(x)
+#define htole16(x) OSSwapHostToLittleInt16(x)
+#define be16toh(x) OSSwapBigToHostInt16(x)
+#define le16toh(x) OSSwapLittleToHostInt16(x)
+#define htobe32(x) OSSwapHostToBigInt32(x)
+#define htole32(x) OSSwapHostToLittleInt32(x)
+#define be32toh(x) OSSwapBigToHostInt32(x)
+#define le32toh(x) OSSwapLittleToHostInt32(x)
+#define htobe64(x) OSSwapHostToBigInt64(x)
+#define htole64(x) OSSwapHostToLittleInt64(x)
+#define be64toh(x) OSSwapBigToHostInt64(x)
+#define le64toh(x) OSSwapLittleToHostInt64(x)
+#define __BYTE_ORDER BYTE_ORDER
+#define __BIG_ENDIAN BIG_ENDIAN
+#define __LITTLE_ENDIAN LITTLE_ENDIAN
+#define __PDP_ENDIAN PDP_ENDIAN
+#endif
+
+#if defined(_WIN16) || defined(_WIN32) || defined(_WIN64) || defined(__WINDOWS__)
+#include <winsock2.h>
+#include <sys/param.h>
+#if BYTE_ORDER == LITTLE_ENDIAN
+#define htobe16(x) htons(x)
+#define htole16(x) (x)
+#define be16toh(x) ntohs(x)
+#define le16toh(x) (x)
+#define htobe32(x) htonl(x)
+#define htole32(x) (x)
+#define be32toh(x) ntohl(x)
+#define le32toh(x) (x)
+#define htobe64(x) htonll(x)
+#define htole64(x) (x)
+#define be64toh(x) ntohll(x)
+#define le64toh(x) (x)
+#elif BYTE_ORDER == BIG_ENDIAN
+#define htobe16(x) (x)
+#define htole16(x) __builtin_bswap16(x)
+#define be16toh(x) (x)
+#define le16toh(x) __builtin_bswap16(x)
+#define htobe32(x) (x)
+#define htole32(x) __builtin_bswap32(x)
+#define be32toh(x) (x)
+#define le32toh(x) __builtin_bswap32(x)
+#define htobe64(x) (x)
+#define htole64(x) __builtin_bswap64(x)
+#define be64toh(x) (x)
+#define le64toh(x) __builtin_bswap64(x)
+#else
+#error "byte order not supported"
+#endif
+#define __BYTE_ORDER BYTE_ORDER
+#define __BIG_ENDIAN BIG_ENDIAN
+#define __LITTLE_ENDIAN LITTLE_ENDIAN
+#define __PDP_ENDIAN PDP_ENDIAN
+#endif
+
+#endif
diff --git a/src/endpoint.c b/src/endpoint.c
new file mode 100644
index 0000000..da37fe3
--- /dev/null
+++ b/src/endpoint.c
@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "endpoint.h"
+#include "args.h"
+#include "iaddr.h"
+
+void endpoint_arg(endpoint_list* list, const char* arg)
+{
+    struct addrinfo* ai;
+    iaddr            ia;
+    void*            p;
+
+    if (inet_pton(AF_INET6, arg, &ia.u.a6) > 0) {
+        ia.af = AF_INET6;
+        endpoint_add(list, ia);
+    } else if (inet_pton(AF_INET, arg, &ia.u.a4) > 0) {
+        ia.af = AF_INET;
+        endpoint_add(list, ia);
+    } else if (getaddrinfo(arg, NULL, NULL, &ai) == 0) {
+        struct addrinfo* a;
+
+        for (a = ai; a != NULL; a = a->ai_next) {
+            if (a->ai_socktype != SOCK_DGRAM)
+                continue;
+            switch (a->ai_family) {
+            case PF_INET:
+                ia.af = AF_INET;
+                p     = &((struct sockaddr_in*)a->ai_addr)
+                         ->sin_addr;
+                memcpy(&ia.u.a4, p, sizeof ia.u.a4);
+                break;
+            case PF_INET6:
+                ia.af = AF_INET6;
+                p     = &((struct sockaddr_in6*)a->ai_addr)
+                         ->sin6_addr;
+                memcpy(&ia.u.a6, p, sizeof ia.u.a6);
+                break;
+            default:
+                continue;
+            }
+            endpoint_add(list, ia);
+        }
+        freeaddrinfo(ai);
+    } else
+        usage("invalid host address");
+}
+
+void endpoint_add(endpoint_list* list, iaddr ia)
+{
+    endpoint_ptr ep;
+
+    ep = calloc(1, sizeof *ep);
+    assert(ep != NULL);
+    INIT_LINK(ep, link);
+    ep->ia = ia;
+    APPEND(*list, ep, link);
+}
+
+int ep_present(const endpoint_list* list, iaddr ia)
+{
+    endpoint_ptr ep;
+
+    for (ep = HEAD(*list);
+         ep != NULL;
+         ep = NEXT(ep, link))
+        if (ia_equal(ia, ep->ia))
+            return TRUE;
+    return (FALSE);
+}
diff --git a/src/endpoint.h b/src/endpoint.h
new file mode 100644
index 0000000..9136ca9
--- /dev/null
+++ b/src/endpoint.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap.h"
+
+#ifndef __dnscap_endpoint_h
+#define __dnscap_endpoint_h
+
+void endpoint_arg(endpoint_list* list, const char* arg);
+void endpoint_add(endpoint_list* list, iaddr ia);
+int  ep_present(const endpoint_list* list, iaddr ia);
+
+#endif /* __dnscap_endpoint_h */
diff --git a/src/hashtbl.c b/src/hashtbl.c
new file mode 100644
index 0000000..62e1a9e
--- /dev/null
+++ b/src/hashtbl.c
@@ -0,0 +1,161 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "hashtbl.h"
+
+#include <unistd.h>
+#include <stdlib.h>
+#include <assert.h>
+
+hashtbl* hash_create(unsigned int N, hashkey_func hasher, hashkeycmp_func cmp, hashfree_func datafree)
+{
+    hashtbl* new;
+
+    assert(N);
+    assert(hasher);
+    assert(cmp);
+
+    if ((new = calloc(1, sizeof(hashtbl)))) {
+        new->modulus  = N;
+        new->hasher   = hasher;
+        new->keycmp   = cmp;
+        new->datafree = datafree;
+
+        if (!(new->items = calloc(N, sizeof(hashitem*)))) {
+            free(new);
+            return 0;
+        }
+    }
+
+    return new;
+}
+
+int hash_add(const void* key, void* data, hashtbl* tbl)
+{
+    hashitem* new, **I;
+    unsigned int slot;
+
+    if (!key || !tbl) {
+        return HASHTBL_EARGS;
+    }
+
+    new = calloc(1, sizeof(hashitem));
+    if (!new) {
+        return HASHTBL_ENOMEM;
+    }
+
+    new->key  = key;
+    new->data = data;
+    slot      = tbl->hasher(key) % tbl->modulus;
+
+    for (I = &tbl->items[slot]; *I; I = &(*I)->next)
+        ;
+    *I = new;
+
+    return 0;
+}
+
+void* hash_find(const void* key, hashtbl* tbl)
+{
+    unsigned int slot;
+    hashitem*    i;
+
+    if (!key || !tbl) {
+        return NULL;
+    }
+
+    slot = tbl->hasher(key) % tbl->modulus;
+
+    for (i = tbl->items[slot]; i; i = i->next) {
+        if (!tbl->keycmp(key, i->key))
+            return i->data;
+    }
+
+    return NULL;
+}
+
+void hash_remove(const void* key, hashtbl* tbl)
+{
+    hashitem **I, *i;
+    int        slot;
+
+    if (!key || !tbl) {
+        return;
+    }
+
+    slot = tbl->hasher(key) % tbl->modulus;
+
+    for (I = &tbl->items[slot]; *I; I = &(*I)->next) {
+        if (!tbl->keycmp(key, (*I)->key)) {
+            i  = *I;
+            *I = (*I)->next;
+            if (tbl->datafree)
+                tbl->datafree(i->data);
+            free(i);
+            break;
+        }
+    }
+}
+
+void hash_free(hashtbl* tbl)
+{
+    hashitem *i, *next;
+    int       slot;
+
+    if (!tbl) {
+        return;
+    }
+
+    for (slot = 0; slot < tbl->modulus; slot++) {
+        for (i = tbl->items[slot]; i;) {
+            next = i->next;
+            if (tbl->datafree)
+                tbl->datafree(i->data);
+            free(i);
+            i = next;
+        }
+        tbl->items[slot] = 0;
+    }
+}
+
+void hash_destroy(hashtbl* tbl)
+{
+    if (!tbl) {
+        return;
+    }
+
+    hash_free(tbl);
+    free(tbl->items);
+    free(tbl);
+}
diff --git a/src/hashtbl.h b/src/hashtbl.h
new file mode 100644
index 0000000..03eae65
--- /dev/null
+++ b/src/hashtbl.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __dnscap_hashtbl_h
+#define __dnscap_hashtbl_h
+
+#define HASHTBL_EARGS -1
+#define HASHTBL_ENOMEM -2
+
+typedef struct hashitem hashitem;
+
+struct hashitem {
+    const void* key;
+    void*       data;
+    hashitem*   next;
+};
+
+typedef unsigned int (*hashkey_func)(const void* key);
+typedef int (*hashkeycmp_func)(const void* a, const void* b);
+typedef void (*hashfree_func)(void* data);
+
+typedef struct hashtbl hashtbl;
+struct hashtbl {
+    unsigned int modulus;
+    hashitem**   items;
+
+    hashkey_func    hasher;
+    hashkeycmp_func keycmp;
+    hashfree_func   datafree;
+};
+
+hashtbl* hash_create(unsigned int N, hashkey_func hasher, hashkeycmp_func cmp, hashfree_func datafree);
+int      hash_add(const void* key, void* data, hashtbl* tbl);
+void*    hash_find(const void* key, hashtbl* tbl);
+void     hash_remove(const void* key, hashtbl* tbl);
+void     hash_free(hashtbl* tbl);
+void     hash_destroy(hashtbl* tbl);
+
+#endif // __dnscap_hashtbl_h
diff --git a/src/iaddr.c b/src/iaddr.c
new file mode 100644
index 0000000..2c5cbeb
--- /dev/null
+++ b/src/iaddr.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "iaddr.h"
+
+const char* ia_str(iaddr ia)
+{
+    static char inet[INET_ADDRSTRLEN], inet6[INET6_ADDRSTRLEN];
+
+    switch (ia.af) {
+    case AF_INET:
+        if (inet_ntop(ia.af, &ia.u, inet, sizeof(inet)))
+            return inet;
+        return "255.255.255.255";
+    case AF_INET6:
+        if (inet_ntop(ia.af, &ia.u, inet6, sizeof(inet6)))
+            return inet6;
+        return "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff";
+    }
+
+    return "UNKNOWN";
+}
+
+int ia_equal(iaddr x, iaddr y)
+{
+    if (x.af != y.af)
+        return FALSE;
+    switch (x.af) {
+    case AF_INET:
+        return (x.u.a4.s_addr == y.u.a4.s_addr);
+    case AF_INET6:
+        return (memcmp(&x.u.a6.s6_addr, &y.u.a6.s6_addr, sizeof(x.u.a6.s6_addr)) == 0);
+    }
+    return FALSE;
+}
diff --git a/src/iaddr.h b/src/iaddr.h
new file mode 100644
index 0000000..0c255bd
--- /dev/null
+++ b/src/iaddr.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap.h"
+
+#ifndef __dnscap_iaddr_h
+#define __dnscap_iaddr_h
+
+const char* ia_str(iaddr ia);
+int         ia_equal(iaddr x, iaddr y);
+
+#endif /* __dnscap_iaddr_h */
diff --git a/src/log.c b/src/log.c
new file mode 100644
index 0000000..a82d040
--- /dev/null
+++ b/src/log.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "log.h"
+
+int logerr(const char* fmt, ...)
+{
+    va_list ap;
+    int     x = 1;
+    va_start(ap, fmt);
+    if (background)
+        vsyslog(LOG_NOTICE, fmt, ap);
+    else {
+        x = vfprintf(stderr, fmt, ap);
+        fputc('\n', stderr);
+    }
+    va_end(ap);
+    return x;
+}
diff --git a/src/log.h b/src/log.h
new file mode 100644
index 0000000..7bee5b1
--- /dev/null
+++ b/src/log.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap.h"
+
+#ifndef __dnscap_log_h
+#define __dnscap_log_h
+
+int logerr(const char* fmt, ...);
+
+#endif /* __dnscap_log_h */
diff --git a/src/memzero.c b/src/memzero.c
new file mode 100644
index 0000000..98a3c0b
--- /dev/null
+++ b/src/memzero.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#if defined(__FreeBSD__)
+#include <strings.h>
+#elif defined(__OpenBSD__)
+#include <string.h>
+#else
+#ifndef __STDC_WANT_LIB_EXT1__
+#define __STDC_WANT_LIB_EXT1__ 1
+#endif
+#include <string.h>
+#endif
+
+void dnscap_memzero(void* const pnt, const size_t len)
+{
+#if defined(__FreeBSD__) || defined(__OpenBSD__)
+    explicit_bzero(pnt, len);
+#elif defined(__STDC_LIB_EXT1__)
+    memset_s(pnt, 0, len);
+#else
+    volatile unsigned char* volatile pnt_ = (volatile unsigned char* volatile)pnt;
+    size_t i                              = (size_t)0U;
+
+    while (i < len) {
+        pnt_[i++] = 0U;
+    }
+#endif
+}
diff --git a/src/memzero.h b/src/memzero.h
new file mode 100644
index 0000000..e25d81c
--- /dev/null
+++ b/src/memzero.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __dnscap_memzero_h
+#define __dnscap_memzero_h
+
+void dnscap_memzero(void* const pnt, const size_t len);
+
+#endif /* __dnscap_memzero_h */
diff --git a/src/network.c b/src/network.c
new file mode 100644
index 0000000..d0a4242
--- /dev/null
+++ b/src/network.c
@@ -0,0 +1,1834 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "network.h"
+#include "iaddr.h"
+#include "log.h"
+#include "pcaps.h"
+#include "dumper.h"
+#include "endpoint.h"
+#include "tcpstate.h"
+#include "tcpreasm.h"
+#include "endian_compat.h"
+
+#include <ldns/ldns.h>
+
+struct ip6_hdr* network_ipv6 = 0;
+struct ip*      network_ip   = 0;
+struct udphdr*  network_udp  = 0;
+
+extern tcpstate_ptr _curr_tcpstate; /* from tcpstate.c */
+
+static inline uint16_t _need16(const void* ptr)
+{
+    uint16_t v;
+    memcpy(&v, ptr, sizeof(v));
+    return be16toh(v);
+}
+
+static inline uint32_t _need32(const void* ptr)
+{
+    uint32_t v;
+    memcpy(&v, ptr, sizeof(v));
+    return be32toh(v);
+}
+
+static int skip_vlan(unsigned vlan)
+{
+    if (!EMPTY(vlans_excl)) {
+        vlan_ptr vl;
+
+        for (vl = HEAD(vlans_excl); vl != NULL; vl = NEXT(vl, link)) {
+            if (vl->vlan == vlan || vl->vlan == MAX_VLAN)
+                break;
+        }
+
+        /*
+         * If there is no VLAN matching the packet, skip it
+         */
+        if (vl == NULL)
+            return 1;
+    } else if (!EMPTY(vlans_incl)) {
+        vlan_ptr vl;
+
+        for (vl = HEAD(vlans_incl); vl != NULL; vl = NEXT(vl, link)) {
+            if (vl->vlan == vlan || vl->vlan == MAX_VLAN)
+                break;
+        }
+
+        /*
+         * If there is no VLAN matching the packet, and the packet is tagged, skip it
+         */
+        if (vl == NULL && vlan != MAX_VLAN)
+            return 1;
+    }
+
+    return 0;
+}
+
+void layer_pkt(u_char* user, const pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+    mypcap_ptr                  mypcap = (mypcap_ptr)user;
+    size_t                      len;
+    unsigned                    vlan;
+    const pcap_thread_packet_t *prevpkt, *firstpkt = packet;
+    char                        descr[200];
+
+    if (!mypcap)
+        return;
+    if (!packet)
+        return;
+
+    while (firstpkt->have_prevpkt) {
+        if (firstpkt->have_pkthdr)
+            break;
+        firstpkt = firstpkt->prevpkt;
+    }
+    if (!firstpkt->have_pkthdr)
+        return;
+
+    if (only_offline_pcaps && start_time != 0 && firstpkt->pkthdr.ts.tv_sec < start_time)
+        return;
+
+    len = firstpkt->pkthdr.caplen;
+
+    last_ts = firstpkt->pkthdr.ts;
+    if (stop_time != 0 && firstpkt->pkthdr.ts.tv_sec >= stop_time) {
+        breakloop_pcaps();
+        main_exit = TRUE;
+    }
+
+    if (main_exit)
+        return;
+
+    /* If ever SNAPLEN wasn't big enough, we have no recourse. */
+    if (firstpkt->pkthdr.len != firstpkt->pkthdr.caplen)
+        return;
+
+    vlan = MAX_VLAN;
+    for (prevpkt = packet; prevpkt; prevpkt = prevpkt->prevpkt) {
+        if (prevpkt->have_ieee802hdr) {
+            /* TODO: Only match first found VLAN or all? */
+            vlan = prevpkt->ieee802hdr.vid;
+            len -= 4;
+            break;
+        }
+        if (!prevpkt->have_prevpkt)
+            break;
+    }
+    if (skip_vlan(vlan)) {
+        return;
+    }
+
+    descr[0] = 0;
+    if (preso) {
+        char      when[100];
+        struct tm tm;
+        time_t    t;
+
+        /*
+         * Reduce `len` to report same captured length as `dl_pkt`
+         */
+        for (prevpkt = packet; len && prevpkt; prevpkt = prevpkt->prevpkt) {
+            if (prevpkt->have_nullhdr) {
+                if (len > sizeof(prevpkt->nullhdr))
+                    len -= sizeof(prevpkt->nullhdr);
+                else
+                    len = 0;
+            }
+            if (prevpkt->have_loophdr) {
+                if (len > sizeof(prevpkt->loophdr))
+                    len -= sizeof(prevpkt->loophdr);
+                else
+                    len = 0;
+            }
+            if (prevpkt->have_ethhdr) {
+                if (len > sizeof(prevpkt->ethhdr))
+                    len -= sizeof(prevpkt->ethhdr);
+                else
+                    len = 0;
+            }
+            if (prevpkt->have_linux_sll) {
+                if (len > sizeof(prevpkt->linux_sll))
+                    len -= sizeof(prevpkt->linux_sll);
+                else
+                    len = 0;
+            }
+
+            if (!prevpkt->have_prevpkt)
+                break;
+        }
+
+        t = (time_t)firstpkt->pkthdr.ts.tv_sec;
+        gmtime_r(&t, &tm);
+        strftime(when, sizeof(when), "%Y-%m-%d %T", &tm);
+
+        if (vlan != MAX_VLAN) {
+            snprintf(descr, sizeof(descr), "[%lu] %s.%06lu [#%ld %s (vlan %u) %u] \\\n",
+                (u_long)len,
+                when,
+                (u_long)firstpkt->pkthdr.ts.tv_usec,
+                (long)msgcount,
+                mypcap->name ? mypcap->name : "\"some interface\"",
+                vlan,
+                vlan);
+        } else {
+            snprintf(descr, sizeof(descr), "[%lu] %s.%06lu [#%ld %s %u] \\\n",
+                (u_long)len,
+                when,
+                (u_long)firstpkt->pkthdr.ts.tv_usec,
+                (long)msgcount,
+                mypcap->name ? mypcap->name : "\"some interface\"",
+                vlan);
+        }
+    }
+
+    if (next_interval != 0 && firstpkt->pkthdr.ts.tv_sec >= next_interval) {
+        if (preso)
+            goto breakloop;
+        if (dumper_opened == dump_state)
+            dumper_close(firstpkt->pkthdr.ts);
+        if (dump_type == to_stdout)
+            goto breakloop;
+    }
+    if (dumper_closed == dump_state && dumper_open(firstpkt->pkthdr.ts))
+        goto breakloop;
+
+    network_pkt2(descr, firstpkt->pkthdr.ts, packet, payload, length);
+
+    if (limit_packets != 0U && msgcount == limit_packets) {
+        if (preso)
+            goto breakloop;
+        if (dumper_opened == dump_state && dumper_close(firstpkt->pkthdr.ts))
+            goto breakloop;
+        msgcount = 0;
+    }
+
+    if (limit_pcapfilesize != 0U && capturedbytes >= limit_pcapfilesize) {
+        if (preso) {
+            goto breakloop;
+        }
+        if (dumper_opened == dump_state && dumper_close(firstpkt->pkthdr.ts)) {
+            goto breakloop;
+        }
+        capturedbytes = 0;
+    }
+
+    return;
+breakloop:
+    breakloop_pcaps();
+    main_exit = TRUE;
+}
+
+void dl_pkt(u_char* user, const struct pcap_pkthdr* hdr, const u_char* pkt, const char* name, const int dlt)
+{
+    mypcap_ptr mypcap = (mypcap_ptr)user;
+    size_t     len    = hdr->caplen;
+    unsigned   etype, vlan, pf;
+    char       descr[512];
+
+    if (only_offline_pcaps && start_time != 0 && hdr->ts.tv_sec < start_time)
+        return;
+
+    last_ts = hdr->ts;
+    if (stop_time != 0 && hdr->ts.tv_sec >= stop_time) {
+        breakloop_pcaps();
+        main_exit = TRUE;
+    }
+
+    if (main_exit)
+        return;
+
+    /* If ever SNAPLEN wasn't big enough, we have no recourse. */
+    if (hdr->len != hdr->caplen)
+        return;
+
+    /* Data link. */
+    vlan = MAX_VLAN; /* MAX_VLAN (0xFFF) is reserved and shouldn't appear on the wire */
+    switch (dlt) {
+    case DLT_NULL: {
+        uint32_t x;
+
+        if (len < 4)
+            return;
+        x = _need32(pkt);
+        if (x == PF_INET)
+            etype = ETHERTYPE_IP;
+        else if (x == PF_INET6)
+            etype = ETHERTYPE_IPV6;
+        else
+            return;
+        pkt += 4;
+        len -= 4;
+        break;
+    }
+    case DLT_LOOP: {
+        uint32_t x;
+
+        if (len < 4)
+            return;
+        x = _need32(pkt);
+        if (x == PF_INET)
+            etype = ETHERTYPE_IP;
+        else if (x == PF_INET6)
+            etype = ETHERTYPE_IPV6;
+        else
+            return;
+        pkt += 4;
+        len -= 4;
+        break;
+    }
+    case DLT_RAW: {
+        if (len < 1)
+            return;
+        switch (*(const uint8_t*)pkt >> 4) {
+        case 4:
+            etype = ETHERTYPE_IP;
+            break;
+        case 6:
+            etype = ETHERTYPE_IPV6;
+            break;
+        default:
+            return;
+        }
+        break;
+    }
+    case DLT_EN10MB: {
+        const struct ether_header* ether;
+
+        if (len < ETHER_HDR_LEN)
+            return;
+        ether = (const struct ether_header*)pkt;
+        etype = ntohs(ether->ether_type);
+        pkt += ETHER_HDR_LEN;
+        len -= ETHER_HDR_LEN;
+        if (etype == ETHERTYPE_VLAN) {
+            if (len < 4)
+                return;
+            vlan = _need16(pkt) & 0xFFF;
+            pkt += 2;
+            len -= 2;
+            etype = _need16(pkt);
+            pkt += 2;
+            len -= 2;
+        }
+        break;
+    }
+#ifdef DLT_LINUX_SLL
+    case DLT_LINUX_SLL: {
+        if (len < 16)
+            return;
+        etype = _need16(&pkt[14]);
+        pkt += 16;
+        len -= 16;
+        break;
+    }
+#endif
+    default:
+        return;
+    }
+
+    if (!EMPTY(vlans_excl)) {
+        vlan_ptr vl;
+
+        for (vl = HEAD(vlans_excl);
+             vl != NULL;
+             vl = NEXT(vl, link))
+            if (vl->vlan == vlan || vl->vlan == MAX_VLAN)
+                break;
+        /*
+         * If there is no VLAN matching the packet, skip it
+         */
+        if (vl == NULL)
+            return;
+    } else if (!EMPTY(vlans_incl)) {
+        vlan_ptr vl;
+
+        for (vl = HEAD(vlans_incl);
+             vl != NULL;
+             vl = NEXT(vl, link))
+            if (vl->vlan == vlan || vl->vlan == MAX_VLAN)
+                break;
+        /*
+         * If there is no VLAN matching the packet, and the packet is tagged, skip it
+         */
+        if (vl == NULL && vlan != MAX_VLAN)
+            return;
+    }
+
+    switch (etype) {
+    case ETHERTYPE_IP:
+        pf = PF_INET;
+        break;
+    case ETHERTYPE_IPV6:
+        pf = PF_INET6;
+        break;
+    default:
+        return;
+    }
+
+    if (preso) {
+        char        when[100], via[100];
+        const char* viap;
+        struct tm   tm;
+        time_t      t;
+
+        t = (time_t)hdr->ts.tv_sec;
+        gmtime_r(&t, &tm);
+        strftime(when, sizeof when, "%Y-%m-%d %T", &tm);
+        if (vlan != MAX_VLAN) {
+            snprintf(via, sizeof(via), "%s (vlan %u)", mypcap->name ? mypcap->name : "\"some interface\"", vlan);
+            viap = via;
+        } else if (mypcap->name) {
+            viap = mypcap->name;
+        } else {
+            viap = "\"some interface\"";
+        }
+        snprintf(descr, sizeof(descr), "[%lu] %s.%06lu [#%ld %s %u] \\\n",
+            (u_long)len, when, (u_long)hdr->ts.tv_usec, (long)msgcount, viap, vlan);
+    } else {
+        descr[0] = '\0';
+    }
+
+    if (next_interval != 0 && hdr->ts.tv_sec >= next_interval) {
+        if (preso)
+            goto breakloop;
+        if (dumper_opened == dump_state)
+            dumper_close(hdr->ts);
+        if (dump_type == to_stdout)
+            goto breakloop;
+    }
+    if (dumper_closed == dump_state && dumper_open(hdr->ts))
+        goto breakloop;
+
+    network_pkt(descr, hdr->ts, pf, pkt, len);
+
+    if (limit_packets != 0U && msgcount == limit_packets) {
+        if (preso)
+            goto breakloop;
+        if (dumper_opened == dump_state && dumper_close(hdr->ts))
+            goto breakloop;
+        msgcount = 0;
+    }
+
+    if (limit_pcapfilesize != 0U && capturedbytes >= limit_pcapfilesize) {
+        if (preso) {
+            goto breakloop;
+        }
+        if (dumper_opened == dump_state && dumper_close(hdr->ts)) {
+            goto breakloop;
+        }
+        capturedbytes = 0;
+    }
+
+    return;
+breakloop:
+    breakloop_pcaps();
+    main_exit = TRUE;
+}
+
+void network_pkt2(const char* descr, my_bpftimeval ts, const pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+    u_char        pkt_copy[SNAPLEN], *pkt = pkt_copy;
+    const u_char* dnspkt = 0;
+    unsigned      proto, sport, dport;
+    iaddr         from, to, initiator, responder;
+    int           response, m;
+    unsigned      flags    = DNSCAP_OUTPUT_ISLAYER;
+    tcpstate_ptr  tcpstate = NULL;
+    size_t        len, dnslen = 0;
+    HEADER        dns;
+    ldns_pkt*     lpkt = 0;
+
+    /* Make a writable copy of the packet and use that copy from now on. */
+    if (length > SNAPLEN)
+        return;
+    memcpy(pkt, payload, len = length);
+
+    /* Network. */
+    sport = dport = 0;
+    if (packet->have_iphdr) {
+        if (dumptrace >= 4)
+            fprintf(stderr, "processing IPv4 packet: len=%zu\n", length);
+
+        memset(&from, 0, sizeof from);
+        from.af = AF_INET;
+        memcpy(&from.u.a4, &(packet->iphdr.ip_src), sizeof(struct in_addr));
+        memset(&to, 0, sizeof to);
+        to.af = AF_INET;
+        memcpy(&to.u.a4, &(packet->iphdr.ip_dst), sizeof(struct in_addr));
+    } else if (packet->have_ip6hdr) {
+        if (dumptrace >= 4)
+            fprintf(stderr, "processing IPv6 packet: len=%zu\n", length);
+
+        memset(&from, 0, sizeof from);
+        from.af = AF_INET6;
+        memcpy(&from.u.a6, &(packet->ip6hdr.ip6_src), sizeof(struct in6_addr));
+        memset(&to, 0, sizeof to);
+        to.af = AF_INET6;
+        memcpy(&to.u.a6, &(packet->ip6hdr.ip6_dst), sizeof(struct in6_addr));
+    } else {
+        if (dumptrace >= 4)
+            fprintf(stderr, "processing unknown packet: len=%zu\n", length);
+        from.af = AF_UNSPEC;
+        to.af   = AF_UNSPEC;
+    }
+
+    /* Transport. */
+    if (packet->have_icmphdr) {
+        output(descr, from, to, IPPROTO_ICMP, flags, sport, dport, ts, pkt_copy, length, pkt, len);
+        return;
+    } else if (packet->have_icmpv6hdr) {
+        output(descr, from, to, IPPROTO_ICMPV6, flags, sport, dport, ts, pkt_copy, length, pkt, len);
+        return;
+    } else if (packet->have_udphdr) {
+        proto  = IPPROTO_UDP;
+        sport  = packet->udphdr.uh_sport;
+        dport  = packet->udphdr.uh_dport;
+        dnspkt = payload;
+        dnslen = length;
+        flags |= DNSCAP_OUTPUT_ISDNS;
+    } else if (packet->have_tcphdr) {
+        uint32_t seq = packet->tcphdr.th_seq;
+
+        proto = IPPROTO_TCP;
+        sport = packet->tcphdr.th_sport;
+        dport = packet->tcphdr.th_dport;
+
+        /*
+         * TCP processing.
+         *
+         * We need to capture enough to allow a later analysis to
+         * reassemble the TCP stream, but we don't want to keep all
+         * the state required to do reassembly here.
+         * When we get a SYN, we don't yet know if the DNS message
+         * will pass the filters, so we always output it, and also
+         * generate a tcpstate to keep track of the stream.  (An
+         * alternative would be to store the SYN packet on the
+         * tcpstate and not output it until a later packet passes the
+         * filter, but that would require more memory and would
+         * reorder packets in the pcap output.)
+         * When we get the _first_ DNS header on the stream, then we
+         * can apply the DNS header filters; if the packet passes, we
+         * output the packet and keep the tcpstate; if it fails, we
+         * discard the packet and the tcpstate.
+         * When we get any other packet with DNS payload, we output it
+         * only if there is a corresponding tcpstate indicating that
+         * the header passed the filters.
+         * Packets with no TCP payload (e.g., packets containing only
+         * an ACK) are discarded, since they carry no DNS information
+         * and are not needed for stream reassembly.
+         * FIN packets are always output to match the SYN, even if the
+         * DNS header failed the filter, to be friendly to later
+         * analysis programs that allocate state for each SYN.
+         * -- kkeys@caida.org
+         */
+
+        tcpstate = tcpstate_find(from, to, sport, dport, ts.tv_sec);
+        if (dumptrace >= 3) {
+            fprintf(stderr, "%s: tcp pkt: %lu.%06lu [%4lu] %15s -> ",
+                ProgramName,
+                (u_long)ts.tv_sec,
+                (u_long)ts.tv_usec,
+                (u_long)len,
+                ia_str(from));
+            fprintf(stderr, "%15s; ", ia_str(to));
+
+            if (tcpstate)
+                fprintf(stderr, "want=%08x; ", tcpstate->start);
+            else
+                fprintf(stderr, "no state; ");
+
+            fprintf(stderr, "seq=%08x; ", seq);
+        }
+        if (packet->tcphdr.th_flags & (TH_FIN | TH_RST)) {
+            if (dumptrace >= 3)
+                fprintf(stderr, "FIN|RST\n");
+
+            /* Always output FIN and RST segments. */
+            _curr_tcpstate = tcpstate;
+            output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, length, NULL, 0);
+            _curr_tcpstate = 0;
+
+            /* End of stream; deallocate the tcpstate. */
+            if (tcpstate) {
+                UNLINK(tcpstates, tcpstate, link);
+                if (tcpstate->reasm) {
+                    tcpreasm_free(tcpstate->reasm);
+                }
+                free(tcpstate);
+                tcpstate_count--;
+            }
+            return;
+        }
+        if (packet->tcphdr.th_flags & TH_SYN) {
+            if (dumptrace >= 3)
+                fprintf(stderr, "SYN\n");
+
+            if (tcpstate) {
+                if (tcpstate->start == seq + 1) {
+                    /* repeated SYN */
+                } else {
+                    /* Assume existing state is stale and recycle it. */
+
+                    /*
+                     * Disabled because warning may scare user, and
+                     * there's nothing else we can do anyway.
+                     */
+
+                    /*
+                    if (ts.tv_sec - tcpstate->last_use < MAX_TCP_IDLE_TIME)
+                    fprintf(stderr, "warning: recycling state for "
+                        "duplicate tcp stream after only %ld "
+                        "seconds idle\n",
+                        (u_long)(ts.tv_sec - tcpstate->last_use));
+                    */
+                }
+            } else {
+                /* create new tcpstate */
+                tcpstate = tcpstate_new(from, to, sport, dport);
+            }
+            tcpstate->last_use = ts.tv_sec;
+            tcpstate->start    = seq + 1; /* add 1 for the SYN */
+            tcpstate->maxdiff  = 1;
+            tcpstate->dnslen   = 0;
+            tcpstate->lastdns  = 0;
+
+            /* Always output SYN segments. */
+            _curr_tcpstate = tcpstate;
+            output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, length, NULL, 0);
+            _curr_tcpstate = 0;
+
+            return;
+        }
+        if (options.parse_ongoing_tcp && !tcpstate && len) {
+            tcpstate           = tcpstate_new(from, to, sport, dport);
+            tcpstate->last_use = ts.tv_sec;
+            tcpstate->start    = seq;
+            tcpstate->maxdiff  = 0;
+            tcpstate->dnslen   = 0;
+            tcpstate->lastdns  = seq;
+        }
+        if (tcpstate && options.reassemble_tcp) {
+            if (!tcpstate->reasm) {
+                if (!(tcpstate->reasm = calloc(1, sizeof(tcpreasm_t)))) {
+                    logerr("out of memory, TCP reassembly failed");
+                    return;
+                }
+                tcpstate->reasm->seq_start = tcpstate->start;
+                tcpstate->reasm->seq_bfb   = tcpstate->start;
+            }
+            if (options.allow_reset_tcpstate) {
+                if (tcpstate->reasm_faults > options.reassemble_tcp_faultreset) {
+                    if (dumptrace >= 3)
+                        fprintf(stderr, "fault reset ");
+                    tcpstate_reset(tcpstate, "too many reassembly faults");
+                    tcpstate->reasm->seq_start = seq;
+                    tcpstate->reasm->seq_bfb   = seq;
+                    tcpstate->reasm_faults     = 0;
+                }
+                if (dumptrace >= 3)
+                    fprintf(stderr, "reassemble\n");
+                if (pcap_handle_tcp_segment(pkt, len, seq, tcpstate)) {
+                    tcpstate->reasm_faults++;
+                }
+            } else {
+                if (dumptrace >= 3)
+                    fprintf(stderr, "reassemble\n");
+                (void)pcap_handle_tcp_segment(pkt, len, seq, tcpstate);
+            }
+        } else if (tcpstate) {
+            uint32_t seqdiff = seq - tcpstate->start;
+
+            tcpstate->currseq = seq;
+            tcpstate->currlen = len;
+
+            if (options.allow_reset_tcpstate && tcpstate->lastdns && seq > tcpstate->lastdns + 2) {
+                /*
+                 * seq received is beyond where we expect next DNS message
+                 * to be, reset tcpstate and continue
+                 */
+                tcpstate->maxdiff = 0;
+                tcpstate->dnslen  = 0;
+                tcpstate->lastdns = seq;
+            }
+
+            if (dumptrace >= 3)
+                fprintf(stderr, "diff=%08x; lastdns=%08x; ", seqdiff, tcpstate->lastdns);
+
+            if (tcpstate->lastdns && seq == tcpstate->lastdns && len > 2) {
+                if (dumptrace >= 3)
+                    fprintf(stderr, "+len+hdr\n");
+                dnslen = tcpstate->dnslen = (pkt[0] << 8) | (pkt[1] << 0);
+                dnspkt                    = pkt + 2;
+                if (dnslen > len - 2)
+                    dnslen = len - 2;
+                flags |= DNSCAP_OUTPUT_ISDNS;
+                tcpstate->maxdiff = (uint32_t)len;
+                tcpstate->lastdns = seq + 2 + tcpstate->dnslen;
+            } else if (tcpstate->lastdns && seq == tcpstate->lastdns && len == 2) {
+                if (dumptrace >= 3)
+                    fprintf(stderr, "+len\n");
+                tcpstate->dnslen  = (pkt[0] << 8) | (pkt[1] << 0);
+                tcpstate->maxdiff = (uint32_t)len;
+
+                _curr_tcpstate = tcpstate;
+                output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, length, NULL, 0);
+                _curr_tcpstate = 0;
+                return;
+            } else if (tcpstate->lastdns && ((seq == tcpstate->lastdns && len == 1) || seqdiff == 1)) {
+                tcpstate_discard(tcpstate, NULL);
+                return;
+            } else if (tcpstate->lastdns && seq == tcpstate->lastdns + 2) {
+                if (dumptrace >= 3)
+                    fprintf(stderr, "+hdr\n");
+                tcpstate->maxdiff = seqdiff + (uint32_t)len;
+                dnslen            = tcpstate->dnslen;
+                dnspkt            = pkt;
+                if (dnslen == 0) /* we never received it */
+                    dnslen = len;
+                if (dnslen > len)
+                    dnslen = len;
+                flags |= DNSCAP_OUTPUT_ISDNS;
+                tcpstate->lastdns = seq + tcpstate->dnslen;
+            } else if (seqdiff == 0 && len > 2) {
+                if (dumptrace >= 3)
+                    fprintf(stderr, "len+hdr\n");
+
+                /*
+                 * This is the first segment of the stream, and
+                 * contains the dnslen and dns header, so we can
+                 * filter on it.
+                 */
+                dnslen = tcpstate->dnslen = (pkt[0] << 8) | (pkt[1] << 0);
+                dnspkt                    = pkt + 2;
+                if (dnslen > len - 2)
+                    dnslen = len - 2;
+                flags |= DNSCAP_OUTPUT_ISDNS;
+                tcpstate->maxdiff = (uint32_t)len;
+                tcpstate->lastdns = seq + 2 + tcpstate->dnslen;
+            } else if (seqdiff == 0 && len == 2) {
+                if (dumptrace >= 3)
+                    fprintf(stderr, "len\n");
+
+                /*
+                 * This is the first segment of the stream, but only
+                 * contains the dnslen.
+                 */
+                tcpstate->dnslen  = (pkt[0] << 8) | (pkt[1] << 0);
+                tcpstate->maxdiff = (uint32_t)len;
+
+                _curr_tcpstate = tcpstate;
+                output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, length, NULL, 0);
+                _curr_tcpstate = 0;
+                return;
+            } else if ((seqdiff == 0 && len == 1) || seqdiff == 1) {
+                /* shouldn't happen */
+                tcpstate_discard(tcpstate, NULL);
+                return;
+            } else if (seqdiff == 2) {
+                if (dumptrace >= 3)
+                    fprintf(stderr, "hdr\n");
+
+                /*
+                 * This is not the first segment, but it does contain
+                 * the first dns header, so we can filter on it.
+                 */
+                tcpstate->maxdiff = seqdiff + (uint32_t)len;
+                dnslen            = tcpstate->dnslen;
+                dnspkt            = pkt;
+                if (dnslen == 0) /* we never received it */
+                    dnslen = len;
+                if (dnslen > len)
+                    dnslen = len;
+                flags |= DNSCAP_OUTPUT_ISDNS;
+                tcpstate->lastdns = seq + tcpstate->dnslen;
+            } else if (seqdiff > tcpstate->maxdiff + MAX_TCP_WINDOW) {
+                if (dumptrace >= 3)
+                    fprintf(stderr, "out of window\n");
+
+                /* This segment is outside the window. */
+                return;
+            } else if (len == 0) {
+                if (dumptrace >= 3)
+                    fprintf(stderr, "empty\n");
+
+                /* No payload (e.g., an ACK) */
+                return;
+            } else {
+                if (dumptrace >= 3)
+                    fprintf(stderr, "keep\n");
+
+                /* non-first */
+                if (tcpstate->maxdiff < seqdiff + (uint32_t)len)
+                    tcpstate->maxdiff = seqdiff + (uint32_t)len;
+
+                _curr_tcpstate = tcpstate;
+                output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, length, NULL, 0);
+                _curr_tcpstate = 0;
+                return;
+            }
+        } else {
+            if (dumptrace >= 3)
+                fprintf(stderr, "no state\n");
+
+            /*
+             * There is no state for this stream.  Either we never saw
+             * a SYN for this stream, or we have already decided to
+             * discard this stream.
+             */
+            return;
+        }
+    } else {
+        return;
+    }
+
+    for (m = 0; m < MAX_TCP_DNS_MSG; m++) {
+        if (tcpstate && tcpstate->reasm) {
+            if (!tcpstate->reasm->dnsmsg[m])
+                continue;
+            dnslen = tcpstate->reasm->dnsmsg[m]->dnslen;
+            dnspkt = tcpstate->reasm->dnsmsg[m]->dnspkt;
+            flags |= DNSCAP_OUTPUT_ISDNS;
+            if (tcpstate->reasm->dnsmsg[m]->segments_seen > 1) {
+                /* emulate dnslen in own packet */
+                _curr_tcpstate = tcpstate;
+                output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, length, NULL, 0);
+                _curr_tcpstate = 0;
+            }
+        }
+
+        /* Application. */
+        if (!dnspkt) {
+            tcpstate_discard(tcpstate, "no dns");
+            return;
+        }
+        if (dnslen < sizeof dns) {
+            tcpstate_discard(tcpstate, "too small");
+            return;
+        }
+        memcpy(&dns, dnspkt, sizeof dns);
+
+        /* Policy filtering. */
+        if (dns.qr == 0 && dport == dns_port) {
+            if ((dir_wanted & DIR_INITIATE) == 0) {
+                tcpstate_discard(tcpstate, "unwanted dir=i");
+                return;
+            }
+            initiator = from;
+            responder = to;
+            response  = FALSE;
+        } else if (dns.qr != 0 && sport == dns_port) {
+            if ((dir_wanted & DIR_RESPONSE) == 0) {
+                tcpstate_discard(tcpstate, "unwanted dir=r");
+                return;
+            }
+            initiator = to;
+            responder = from;
+            response  = TRUE;
+        } else {
+            tcpstate_discard(tcpstate, "unwanted direction/port");
+            return;
+        }
+        if ((!EMPTY(initiators) && !ep_present(&initiators, initiator)) || (!EMPTY(responders) && !ep_present(&responders, responder))) {
+            tcpstate_discard(tcpstate, "unwanted host");
+            return;
+        }
+        if ((!EMPTY(not_initiators) && ep_present(&not_initiators, initiator)) || (!EMPTY(not_responders) && ep_present(&not_responders, responder))) {
+            tcpstate_discard(tcpstate, "missing required host");
+            return;
+        }
+        if (!(((msg_wanted & MSG_QUERY) != 0 && dns.opcode == LDNS_PACKET_QUERY) || ((msg_wanted & MSG_UPDATE) != 0 && dns.opcode == LDNS_PACKET_UPDATE) || ((msg_wanted & MSG_NOTIFY) != 0 && dns.opcode == LDNS_PACKET_NOTIFY))) {
+            tcpstate_discard(tcpstate, "unwanted opcode");
+            return;
+        }
+        if (response) {
+            int match_tc    = (dns.tc != 0 && err_wanted & ERR_TRUNC);
+            int match_rcode = err_wanted & (ERR_RCODE_BASE << dns.rcode);
+
+            if (!match_tc && !match_rcode) {
+                tcpstate_discard(tcpstate, "unwanted error code");
+                return;
+            }
+            if (!EMPTY(drop_responders) && ep_present(&drop_responders, responder)) {
+                tcpstate_discard(tcpstate, "dropped response due to -Y");
+                return;
+            }
+        }
+        if (!EMPTY(myregexes) || match_qtype || nmatch_qtype) {
+            if (ldns_wire2pkt(&lpkt, dnspkt, dnslen) != LDNS_STATUS_OK) {
+                /* DNS message may have padding, try get actual size */
+                size_t dnslen2 = calcdnslen(dnspkt, dnslen);
+                if (dnslen2 > 0 && dnslen2 < dnslen) {
+                    if (ldns_wire2pkt(&lpkt, dnspkt, dnslen2) != LDNS_STATUS_OK) {
+                        tcpstate_discard(tcpstate, "failed parse");
+                        return;
+                    }
+                } else {
+                    tcpstate_discard(tcpstate, "failed parse");
+                    return;
+                }
+            }
+        }
+        if (match_qtype || nmatch_qtype) {
+            ldns_rr_list* rrs = ldns_pkt_question(lpkt);
+            if (!rrs) {
+                ldns_pkt_free(lpkt);
+                tcpstate_discard(tcpstate, "failed to get list of questions");
+                return;
+            }
+            /* Look at each RR in the section (or each QNAME in
+               the question section). */
+            size_t i, n;
+            for (i = 0, n = ldns_rr_list_rr_count(rrs); i < n; i++) {
+                ldns_rr* rr = ldns_rr_list_rr(rrs, i);
+                if (!rr) {
+                    ldns_pkt_free(lpkt);
+                    tcpstate_discard(tcpstate, "failed to get question");
+                    return;
+                }
+
+                if (match_qtype && ldns_rr_get_type(rr) != match_qtype) {
+                    ldns_pkt_free(lpkt);
+                    tcpstate_discard(tcpstate, "qtype not match");
+                    return;
+                } else if (nmatch_qtype && ldns_rr_get_type(rr) == nmatch_qtype) {
+                    ldns_pkt_free(lpkt);
+                    tcpstate_discard(tcpstate, "!qtype match");
+                    return;
+                }
+            }
+        }
+        if (!EMPTY(myregexes)) {
+            int          match, negmatch;
+            ldns_buffer* buf = ldns_buffer_new(512);
+
+            if (!buf) {
+                fprintf(stderr, "%s: out of memory", ProgramName);
+                exit(1);
+            }
+
+            match    = -1;
+            negmatch = -1;
+            /* Look at each section of the message:
+                 question, answer, authority, additional */
+            ldns_rr_list* rrs = ldns_pkt_all(lpkt);
+            if (!rrs) {
+                ldns_pkt_free(lpkt);
+                ldns_buffer_free(buf);
+                tcpstate_discard(tcpstate, "failed to get list of RRs");
+                return;
+            }
+            /* Look at each RR in the section (or each QNAME in
+               the question section). */
+            size_t i, n;
+            for (i = 0, n = ldns_rr_list_rr_count(rrs); i < n; i++) {
+                ldns_rr* rr = ldns_rr_list_rr(rrs, i);
+                if (!rr) {
+                    ldns_rr_list_free(rrs);
+                    ldns_pkt_free(lpkt);
+                    ldns_buffer_free(buf);
+                    tcpstate_discard(tcpstate, "failed to get RR");
+                    return;
+                }
+
+                ldns_buffer_clear(buf);
+                if (ldns_rdf2buffer_str(buf, ldns_rr_owner(rr)) != LDNS_STATUS_OK) {
+                    ldns_rr_list_free(rrs);
+                    ldns_pkt_free(lpkt);
+                    ldns_buffer_free(buf);
+                    tcpstate_discard(tcpstate, "failed to get RR");
+                    return;
+                }
+
+                myregex_ptr myregex;
+                for (myregex = HEAD(myregexes);
+                     myregex != NULL;
+                     myregex = NEXT(myregex, link)) {
+                    if (myregex->not ) {
+                        if (negmatch < 0)
+                            negmatch = 0;
+                    } else {
+                        if (match < 0)
+                            match = 0;
+                    }
+
+                    if (regexec(&myregex->reg, (char*)ldns_buffer_begin(buf), 0, NULL, 0) == 0) {
+                        if (myregex->not )
+                            negmatch++;
+                        else
+                            match++;
+
+                        if (dumptrace >= 2)
+                            fprintf(stderr,
+                                "; \"%s\" %s~ /%s/ %d %d\n",
+                                (char*)ldns_buffer_begin(buf),
+                                myregex->not ? "!" : "",
+                                myregex->str,
+                                match,
+                                negmatch);
+                    }
+                }
+            }
+            ldns_rr_list_free(rrs);
+            ldns_buffer_free(buf);
+
+            /*
+             * Fail if any negative matching or if no match, match can be -1 which
+             * indicates that there are only negative matching
+             */
+            if (negmatch > 0 || match == 0) {
+                ldns_pkt_free(lpkt);
+                tcpstate_discard(tcpstate, "failed regex match");
+                return;
+            }
+        }
+        if (lpkt) {
+            ldns_pkt_free(lpkt);
+        }
+
+        /*
+         * TODO: Policy hiding.
+         */
+
+        _curr_tcpstate = tcpstate;
+        output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, length, dnspkt, dnslen);
+        _curr_tcpstate = 0;
+
+        if (tcpstate && tcpstate->reasm) {
+            free(tcpstate->reasm->dnsmsg[m]);
+            tcpstate->reasm->dnsmsg[m] = 0;
+            tcpstate->reasm->dnsmsgs--;
+        } else
+            break;
+    }
+}
+
+void network_pkt(const char* descr, my_bpftimeval ts, unsigned pf,
+    const u_char* opkt, size_t olen)
+{
+    u_char          pkt_copy[SNAPLEN], *pkt = pkt_copy;
+    const u_char*   dnspkt = 0;
+    unsigned        proto, sport, dport;
+    iaddr           from, to, initiator, responder;
+    struct ip6_hdr* ipv6;
+    int             response, m;
+    unsigned        flags    = 0;
+    struct udphdr*  udp      = NULL;
+    struct tcphdr*  tcp      = NULL;
+    tcpstate_ptr    tcpstate = NULL;
+    struct ip*      ip;
+    size_t          len, dnslen = 0;
+    HEADER          dns;
+    ldns_pkt*       lpkt = 0;
+
+    if (dumptrace >= 4)
+        fprintf(stderr, "processing %s packet: len=%zu\n", (pf == PF_INET ? "IPv4" : (pf == PF_INET6 ? "IPv6" : "unknown")), olen);
+
+    /* Make a writable copy of the packet and use that copy from now on. */
+    memcpy(pkt, opkt, len = olen);
+
+    /* Network. */
+    ip    = NULL;
+    ipv6  = NULL;
+    sport = dport = 0;
+    switch (pf) {
+    case PF_INET: {
+        unsigned offset;
+
+        if (len < sizeof *ip)
+            return;
+        network_ip = ip = (void*)pkt;
+        network_ipv6    = 0;
+        if (ip->ip_v != IPVERSION)
+            goto network_pkt_end;
+        proto = ip->ip_p;
+        memset(&from, 0, sizeof from);
+        from.af = AF_INET;
+        memcpy(&from.u.a4, &ip->ip_src, sizeof(struct in_addr));
+        memset(&to, 0, sizeof to);
+        to.af = AF_INET;
+        memcpy(&to.u.a4, &ip->ip_dst, sizeof(struct in_addr));
+        offset = ip->ip_hl << 2;
+        if (len > ntohs(ip->ip_len)) /* small IP packets have L2 padding */
+            len = ntohs(ip->ip_len);
+        if (len <= (size_t)offset)
+            goto network_pkt_end;
+        pkt += offset;
+        len -= offset;
+        offset = ntohs(ip->ip_off);
+        if ((offset & IP_MF) != 0 || (offset & IP_OFFMASK) != 0) {
+            if (wantfrags) {
+                flags |= DNSCAP_OUTPUT_ISFRAG;
+                output(descr, from, to, ip->ip_p, flags, sport, dport, ts, pkt_copy, olen, NULL, 0);
+                goto network_pkt_end;
+            }
+            goto network_pkt_end;
+        }
+        break;
+    }
+    case PF_INET6: {
+        uint16_t payload_len;
+        uint8_t  nexthdr;
+        unsigned offset;
+
+        if (len < sizeof *ipv6)
+            return;
+        network_ipv6 = ipv6 = (void*)pkt;
+        network_ip          = 0;
+        if ((ipv6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION)
+            goto network_pkt_end;
+
+        nexthdr     = ipv6->ip6_nxt;
+        offset      = sizeof(struct ip6_hdr);
+        payload_len = ntohs(ipv6->ip6_plen);
+
+        memset(&from, 0, sizeof from);
+        from.af = AF_INET6;
+        memcpy(&from.u.a6, &ipv6->ip6_src, sizeof(struct in6_addr));
+        memset(&to, 0, sizeof to);
+        to.af = AF_INET6;
+        memcpy(&to.u.a6, &ipv6->ip6_dst, sizeof(struct in6_addr));
+
+        while (nexthdr == IPPROTO_ROUTING || /* routing header */
+               nexthdr == IPPROTO_HOPOPTS || /* Hop-by-Hop opts */
+               nexthdr == IPPROTO_FRAGMENT || /* fragmentation hdr */
+               nexthdr == IPPROTO_DSTOPTS || /* destination opts */
+               nexthdr == IPPROTO_AH || /* destination opts */
+               nexthdr == IPPROTO_ESP) /* encap sec payload */
+        {
+            struct {
+                uint8_t nexthdr;
+                uint8_t length;
+            } ext_hdr;
+            uint16_t ext_hdr_len;
+
+            /* Catch broken packets */
+            if ((offset + sizeof ext_hdr) > len)
+                goto network_pkt_end;
+
+            /* Cannot handle fragments. */
+            if (nexthdr == IPPROTO_FRAGMENT) {
+                if (wantfrags) {
+                    flags |= DNSCAP_OUTPUT_ISFRAG;
+                    output(descr, from, to, IPPROTO_FRAGMENT, flags, sport, dport, ts, pkt_copy, olen, NULL, 0);
+                    goto network_pkt_end;
+                }
+                goto network_pkt_end;
+            }
+
+            memcpy(&ext_hdr, (u_char*)ipv6 + offset,
+                sizeof ext_hdr);
+            nexthdr     = ext_hdr.nexthdr;
+            ext_hdr_len = (8 * (ntohs(ext_hdr.length) + 1));
+
+            if (ext_hdr_len > payload_len)
+                goto network_pkt_end;
+
+            offset += ext_hdr_len;
+            payload_len -= ext_hdr_len;
+        }
+
+        if ((offset + payload_len) > len || payload_len == 0)
+            goto network_pkt_end;
+
+        proto = nexthdr;
+        pkt += offset;
+        len -= offset;
+        break;
+    }
+    default:
+        goto network_pkt_end;
+    }
+
+    /* Transport. */
+    switch (proto) {
+    case IPPROTO_ICMP:
+    case IPPROTO_ICMPV6:
+        network_udp = 0;
+        output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, olen, pkt, len);
+        goto network_pkt_end;
+    case IPPROTO_UDP: {
+        if (len < sizeof *udp)
+            goto network_pkt_end;
+        network_udp = udp = (void*)pkt;
+        switch (from.af) {
+        case AF_INET:
+        case AF_INET6:
+            sport = ntohs(udp->uh_sport);
+            dport = ntohs(udp->uh_dport);
+            break;
+        default:
+            abort();
+        }
+        pkt += sizeof *udp;
+        len -= sizeof *udp;
+        dnspkt = pkt;
+        dnslen = len;
+        flags |= DNSCAP_OUTPUT_ISDNS;
+        break;
+    }
+    case IPPROTO_TCP: {
+        network_udp = 0;
+
+        /* TCP processing.
+         * We need to capture enough to allow a later analysis to
+         * reassemble the TCP stream, but we don't want to keep all
+         * the state required to do reassembly here.
+         * When we get a SYN, we don't yet know if the DNS message
+         * will pass the filters, so we always output it, and also
+         * generate a tcpstate to keep track of the stream.  (An
+         * alternative would be to store the SYN packet on the
+         * tcpstate and not output it until a later packet passes the
+         * filter, but that would require more memory and would
+         * reorder packets in the pcap output.)
+         * When we get the _first_ DNS header on the stream, then we
+         * can apply the DNS header filters; if the packet passes, we
+         * output the packet and keep the tcpstate; if it fails, we
+         * discard the packet and the tcpstate.
+         * When we get any other packet with DNS payload, we output it
+         * only if there is a corresponding tcpstate indicating that
+         * the header passed the filters.
+         * Packets with no TCP payload (e.g., packets containing only
+         * an ACK) are discarded, since they carry no DNS information
+         * and are not needed for stream reassembly.
+         * FIN packets are always output to match the SYN, even if the
+         * DNS header failed the filter, to be friendly to later
+         * analysis programs that allocate state for each SYN.
+         * -- kkeys@caida.org
+         */
+        unsigned offset;
+        uint32_t seq;
+        if (!wanttcp)
+            goto network_pkt_end;
+        if (len < sizeof *tcp)
+            goto network_pkt_end;
+        tcp = (void*)pkt;
+        switch (from.af) {
+        case AF_INET:
+        case AF_INET6:
+            sport = ntohs(tcp->th_sport);
+            dport = ntohs(tcp->th_dport);
+            seq   = ntohl(tcp->th_seq);
+            break;
+        default:
+            abort();
+        }
+        offset = tcp->th_off * 4;
+        pkt += offset;
+        len -= offset;
+
+        tcpstate = tcpstate_find(from, to, sport, dport, ts.tv_sec);
+        if (dumptrace >= 3) {
+            fprintf(stderr, "%s: tcp pkt: %lu.%06lu [%4lu] ", ProgramName,
+                (u_long)ts.tv_sec, (u_long)ts.tv_usec, (u_long)len);
+            fprintf(stderr, "%15s -> ", ia_str(from));
+            fprintf(stderr, "%15s; ", ia_str(to));
+            if (tcpstate)
+                fprintf(stderr, "want=%08x; ", tcpstate->start);
+            else
+                fprintf(stderr, "no state; ");
+            fprintf(stderr, "seq=%08x; ", seq);
+        }
+        if (tcp->th_flags & (TH_FIN | TH_RST)) {
+            /* Always output FIN and RST segments. */
+            if (dumptrace >= 3)
+                fprintf(stderr, "FIN|RST\n");
+            _curr_tcpstate = tcpstate;
+            output(descr, from, to, proto, flags, sport, dport, ts,
+                pkt_copy, olen, NULL, 0);
+            _curr_tcpstate = 0;
+            /* End of stream; deallocate the tcpstate. */
+            if (tcpstate) {
+                UNLINK(tcpstates, tcpstate, link);
+                if (tcpstate->reasm) {
+                    tcpreasm_free(tcpstate->reasm);
+                }
+                free(tcpstate);
+                tcpstate_count--;
+            }
+            goto network_pkt_end;
+        }
+        if (tcp->th_flags & TH_SYN) {
+            if (dumptrace >= 3)
+                fprintf(stderr, "SYN\n");
+            if (tcpstate) {
+#if 0
+            /* Disabled because warning may scare user, and
+             * there's nothing else we can do anyway. */
+            if (tcpstate->start == seq + 1) {
+                /* repeated SYN */
+            } else {
+                /* Assume existing state is stale and recycle it. */
+                if (ts.tv_sec - tcpstate->last_use < MAX_TCP_IDLE_TIME)
+                fprintf(stderr, "warning: recycling state for "
+                    "duplicate tcp stream after only %ld "
+                    "seconds idle\n",
+                    (u_long)(ts.tv_sec - tcpstate->last_use));
+            }
+#endif
+            } else {
+                /* create new tcpstate */
+                tcpstate = tcpstate_new(from, to, sport, dport);
+            }
+            tcpstate->last_use = ts.tv_sec;
+            tcpstate->start    = seq + 1; /* add 1 for the SYN */
+            tcpstate->maxdiff  = 1;
+            tcpstate->dnslen   = 0;
+            tcpstate->lastdns  = 0;
+
+            /* Always output SYN segments. */
+            _curr_tcpstate = tcpstate;
+            output(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, olen, NULL, 0);
+            _curr_tcpstate = 0;
+
+            goto network_pkt_end;
+        }
+        if (options.parse_ongoing_tcp && !tcpstate && len) {
+            tcpstate           = tcpstate_new(from, to, sport, dport);
+            tcpstate->last_use = ts.tv_sec;
+            tcpstate->start    = seq;
+            tcpstate->maxdiff  = 0;
+            tcpstate->dnslen   = 0;
+            tcpstate->lastdns  = seq;
+        }
+        if (tcpstate && options.reassemble_tcp) {
+            if (!tcpstate->reasm) {
+                if (!(tcpstate->reasm = calloc(1, sizeof(tcpreasm_t)))) {
+                    logerr("out of memory, TCP reassembly failed");
+                    goto network_pkt_end;
+                }
+                tcpstate->reasm->seq_start = tcpstate->start;
+                tcpstate->reasm->seq_bfb   = tcpstate->start;
+            }
+            if (options.allow_reset_tcpstate) {
+                if (tcpstate->reasm_faults > options.reassemble_tcp_faultreset) {
+                    if (dumptrace >= 3)
+                        fprintf(stderr, "fault reset ");
+                    tcpstate_reset(tcpstate, "too many reassembly faults");
+                    tcpstate->reasm->seq_start = seq;
+                    tcpstate->reasm->seq_bfb   = seq;
+                    tcpstate->reasm_faults     = 0;
+                }
+                if (dumptrace >= 3)
+                    fprintf(stderr, "reassemble\n");
+                if (pcap_handle_tcp_segment(pkt, len, seq, tcpstate)) {
+                    tcpstate->reasm_faults++;
+                }
+            } else {
+                if (dumptrace >= 3)
+                    fprintf(stderr, "reassemble\n");
+                (void)pcap_handle_tcp_segment(pkt, len, seq, tcpstate);
+            }
+        } else if (tcpstate) {
+            uint32_t seqdiff  = seq - tcpstate->start;
+            tcpstate->currseq = seq;
+            tcpstate->currlen = len;
+            if (options.allow_reset_tcpstate && tcpstate->lastdns && seq > tcpstate->lastdns + 2) {
+                /*
+                 * seq received is beyond where we expect next DNS message
+                 * to be, reset tcpstate and continue
+                 */
+                tcpstate->maxdiff = 0;
+                tcpstate->dnslen  = 0;
+                tcpstate->lastdns = seq;
+            }
+            if (dumptrace >= 3)
+                fprintf(stderr, "diff=%08x; lastdns=%08x; ", seqdiff, tcpstate->lastdns);
+            if (tcpstate->lastdns && seq == tcpstate->lastdns && len > 2) {
+                if (dumptrace >= 3)
+                    fprintf(stderr, "+len+hdr\n");
+                dnslen = tcpstate->dnslen = (pkt[0] << 8) | (pkt[1] << 0);
+                dnspkt                    = pkt + 2;
+                if (dnslen > len - 2)
+                    dnslen = len - 2;
+                flags |= DNSCAP_OUTPUT_ISDNS;
+                tcpstate->maxdiff = (uint32_t)len;
+                tcpstate->lastdns = seq + 2 + tcpstate->dnslen;
+            } else if (tcpstate->lastdns && seq == tcpstate->lastdns && len == 2) {
+                if (dumptrace >= 3)
+                    fprintf(stderr, "+len\n");
+                tcpstate->dnslen  = (pkt[0] << 8) | (pkt[1] << 0);
+                tcpstate->maxdiff = (uint32_t)len;
+
+                _curr_tcpstate = tcpstate;
+                output(descr, from, to, proto, flags, sport, dport, ts,
+                    pkt_copy, olen, NULL, 0);
+                _curr_tcpstate = 0;
+                goto network_pkt_end;
+            } else if (tcpstate->lastdns && ((seq == tcpstate->lastdns && len == 1) || seqdiff == 1)) {
+                tcpstate_discard(tcpstate, NULL);
+                goto network_pkt_end;
+            } else if (tcpstate->lastdns && seq == tcpstate->lastdns + 2) {
+                if (dumptrace >= 3)
+                    fprintf(stderr, "+hdr\n");
+                tcpstate->maxdiff = seqdiff + (uint32_t)len;
+                dnslen            = tcpstate->dnslen;
+                dnspkt            = pkt;
+                if (dnslen == 0) /* we never received it */
+                    dnslen = len;
+                if (dnslen > len)
+                    dnslen = len;
+                flags |= DNSCAP_OUTPUT_ISDNS;
+                tcpstate->lastdns = seq + tcpstate->dnslen;
+            } else if (seqdiff == 0 && len > 2) {
+                /* This is the first segment of the stream, and
+             * contains the dnslen and dns header, so we can
+             * filter on it. */
+                if (dumptrace >= 3)
+                    fprintf(stderr, "len+hdr\n");
+                dnslen = tcpstate->dnslen = (pkt[0] << 8) | (pkt[1] << 0);
+                dnspkt                    = pkt + 2;
+                if (dnslen > len - 2)
+                    dnslen = len - 2;
+                flags |= DNSCAP_OUTPUT_ISDNS;
+                tcpstate->maxdiff = (uint32_t)len;
+                tcpstate->lastdns = seq + 2 + tcpstate->dnslen;
+            } else if (seqdiff == 0 && len == 2) {
+                /* This is the first segment of the stream, but only
+             * contains the dnslen. */
+                if (dumptrace >= 3)
+                    fprintf(stderr, "len\n");
+                tcpstate->dnslen  = (pkt[0] << 8) | (pkt[1] << 0);
+                tcpstate->maxdiff = (uint32_t)len;
+
+                _curr_tcpstate = tcpstate;
+                output(descr, from, to, proto, flags, sport, dport, ts,
+                    pkt_copy, olen, NULL, 0);
+                _curr_tcpstate = 0;
+                goto network_pkt_end;
+            } else if ((seqdiff == 0 && len == 1) || seqdiff == 1) {
+                /* shouldn't happen */
+                tcpstate_discard(tcpstate, NULL);
+                goto network_pkt_end;
+            } else if (seqdiff == 2) {
+                /* This is not the first segment, but it does contain
+             * the first dns header, so we can filter on it. */
+                if (dumptrace >= 3)
+                    fprintf(stderr, "hdr\n");
+                tcpstate->maxdiff = seqdiff + (uint32_t)len;
+                dnslen            = tcpstate->dnslen;
+                dnspkt            = pkt;
+                if (dnslen == 0) /* we never received it */
+                    dnslen = len;
+                if (dnslen > len)
+                    dnslen = len;
+                flags |= DNSCAP_OUTPUT_ISDNS;
+                tcpstate->lastdns = seq + tcpstate->dnslen;
+            } else if (seqdiff > tcpstate->maxdiff + MAX_TCP_WINDOW) {
+                /* This segment is outside the window. */
+                if (dumptrace >= 3)
+                    fprintf(stderr, "out of window\n");
+                goto network_pkt_end;
+            } else if (len == 0) {
+                /* No payload (e.g., an ACK) */
+                if (dumptrace >= 3)
+                    fprintf(stderr, "empty\n");
+                goto network_pkt_end;
+            } else {
+                /* non-first */
+                if (dumptrace >= 3)
+                    fprintf(stderr, "keep\n");
+                if (tcpstate->maxdiff < seqdiff + (uint32_t)len)
+                    tcpstate->maxdiff = seqdiff + (uint32_t)len;
+
+                _curr_tcpstate = tcpstate;
+                output(descr, from, to, proto, flags, sport, dport, ts,
+                    pkt_copy, olen, NULL, 0);
+                _curr_tcpstate = 0;
+                goto network_pkt_end;
+            }
+        } else {
+            if (dumptrace >= 3)
+                fprintf(stderr, "no state\n");
+            /* There is no state for this stream.  Either we never saw
+             * a SYN for this stream, or we have already decided to
+             * discard this stream. */
+            goto network_pkt_end;
+        }
+        break;
+    }
+    default:
+        goto network_pkt_end;
+    }
+
+    for (m = 0; m < MAX_TCP_DNS_MSG; m++) {
+        if (tcpstate && tcpstate->reasm) {
+            if (!tcpstate->reasm->dnsmsg[m])
+                continue;
+            dnslen = tcpstate->reasm->dnsmsg[m]->dnslen;
+            dnspkt = tcpstate->reasm->dnsmsg[m]->dnspkt;
+            flags |= DNSCAP_OUTPUT_ISDNS;
+            if (tcpstate->reasm->dnsmsg[m]->segments_seen > 1) {
+                /* emulate dnslen in own packet */
+                _curr_tcpstate = tcpstate;
+                output(descr, from, to, proto, flags, sport, dport, ts,
+                    pkt_copy, olen, NULL, 0);
+                _curr_tcpstate = 0;
+            }
+        }
+
+        /* Application. */
+        if (!dnspkt) {
+            tcpstate_discard(tcpstate, "no dns");
+            goto network_pkt_end;
+        }
+        if (dnslen < sizeof dns) {
+            tcpstate_discard(tcpstate, "too small");
+            goto network_pkt_end;
+        }
+        memcpy(&dns, dnspkt, sizeof dns);
+
+        /* Policy filtering. */
+        if (dns.qr == 0 && dport == dns_port) {
+            if ((dir_wanted & DIR_INITIATE) == 0) {
+                tcpstate_discard(tcpstate, "unwanted dir=i");
+                goto network_pkt_end;
+            }
+            initiator = from;
+            responder = to;
+            response  = FALSE;
+        } else if (dns.qr != 0 && sport == dns_port) {
+            if ((dir_wanted & DIR_RESPONSE) == 0) {
+                tcpstate_discard(tcpstate, "unwanted dir=r");
+                goto network_pkt_end;
+            }
+            initiator = to;
+            responder = from;
+            response  = TRUE;
+        } else {
+            tcpstate_discard(tcpstate, "unwanted direction/port");
+            goto network_pkt_end;
+        }
+        if ((!EMPTY(initiators) && !ep_present(&initiators, initiator)) || (!EMPTY(responders) && !ep_present(&responders, responder))) {
+            tcpstate_discard(tcpstate, "unwanted host");
+            goto network_pkt_end;
+        }
+        if ((!EMPTY(not_initiators) && ep_present(&not_initiators, initiator)) || (!EMPTY(not_responders) && ep_present(&not_responders, responder))) {
+            tcpstate_discard(tcpstate, "missing required host");
+            goto network_pkt_end;
+        }
+        if (!(((msg_wanted & MSG_QUERY) != 0 && dns.opcode == LDNS_PACKET_QUERY) || ((msg_wanted & MSG_UPDATE) != 0 && dns.opcode == LDNS_PACKET_UPDATE) || ((msg_wanted & MSG_NOTIFY) != 0 && dns.opcode == LDNS_PACKET_NOTIFY))) {
+            tcpstate_discard(tcpstate, "unwanted opcode");
+            goto network_pkt_end;
+        }
+        if (response) {
+            int match_tc    = (dns.tc != 0 && err_wanted & ERR_TRUNC);
+            int match_rcode = err_wanted & (ERR_RCODE_BASE << dns.rcode);
+
+            if (!match_tc && !match_rcode) {
+                tcpstate_discard(tcpstate, "unwanted error code");
+                goto network_pkt_end;
+            }
+            if (!EMPTY(drop_responders) && ep_present(&drop_responders, responder)) {
+                tcpstate_discard(tcpstate, "dropped response due to -Y");
+                goto network_pkt_end;
+            }
+        }
+        if (!EMPTY(myregexes) || match_qtype || nmatch_qtype) {
+            if (ldns_wire2pkt(&lpkt, dnspkt, dnslen) != LDNS_STATUS_OK) {
+                /* DNS message may have padding, try get actual size */
+                size_t dnslen2 = calcdnslen(dnspkt, dnslen);
+                if (dnslen2 > 0 && dnslen2 < dnslen) {
+                    if (ldns_wire2pkt(&lpkt, dnspkt, dnslen2) != LDNS_STATUS_OK) {
+                        tcpstate_discard(tcpstate, "failed parse");
+                        goto network_pkt_end;
+                    }
+                } else {
+                    tcpstate_discard(tcpstate, "failed parse");
+                    goto network_pkt_end;
+                }
+            }
+        }
+        if (match_qtype || nmatch_qtype) {
+            ldns_rr_list* rrs = ldns_pkt_question(lpkt);
+            if (!rrs) {
+                tcpstate_discard(tcpstate, "failed to get list of questions");
+                goto network_pkt_end;
+            }
+            /* Look at each RR in the section (or each QNAME in
+               the question section). */
+            size_t i, n;
+            for (i = 0, n = ldns_rr_list_rr_count(rrs); i < n; i++) {
+                ldns_rr* rr = ldns_rr_list_rr(rrs, i);
+                if (!rr) {
+                    tcpstate_discard(tcpstate, "failed to get question");
+                    goto network_pkt_end;
+                }
+
+                if (match_qtype && ldns_rr_get_type(rr) != match_qtype) {
+                    tcpstate_discard(tcpstate, "qtype not match");
+                    goto network_pkt_end;
+                } else if (nmatch_qtype && ldns_rr_get_type(rr) == nmatch_qtype) {
+                    tcpstate_discard(tcpstate, "!qtype match");
+                    goto network_pkt_end;
+                }
+            }
+        }
+        if (!EMPTY(myregexes)) {
+            int          match, negmatch;
+            ldns_buffer* buf = ldns_buffer_new(512);
+
+            if (!buf) {
+                fprintf(stderr, "%s: out of memory", ProgramName);
+                exit(1);
+            }
+
+            match    = -1;
+            negmatch = -1;
+            /* Look at each section of the message:
+                 question, answer, authority, additional */
+            ldns_rr_list* rrs = ldns_pkt_all(lpkt);
+            if (!rrs) {
+                ldns_buffer_free(buf);
+                tcpstate_discard(tcpstate, "failed to get list of RRs");
+                goto network_pkt_end;
+            }
+            /* Look at each RR in the section (or each QNAME in
+               the question section). */
+            size_t i, n;
+            for (i = 0, n = ldns_rr_list_rr_count(rrs); i < n; i++) {
+                ldns_rr* rr = ldns_rr_list_rr(rrs, i);
+                if (!rr) {
+                    ldns_rr_list_free(rrs);
+                    ldns_buffer_free(buf);
+                    tcpstate_discard(tcpstate, "failed to get RR");
+                    goto network_pkt_end;
+                }
+
+                ldns_buffer_clear(buf);
+                if (ldns_rdf2buffer_str(buf, ldns_rr_owner(rr)) != LDNS_STATUS_OK) {
+                    ldns_rr_list_free(rrs);
+                    ldns_buffer_free(buf);
+                    tcpstate_discard(tcpstate, "failed to get RR");
+                    goto network_pkt_end;
+                }
+
+                myregex_ptr myregex;
+                for (myregex = HEAD(myregexes);
+                     myregex != NULL;
+                     myregex = NEXT(myregex, link)) {
+                    if (myregex->not ) {
+                        if (negmatch < 0)
+                            negmatch = 0;
+                    } else {
+                        if (match < 0)
+                            match = 0;
+                    }
+
+                    if (regexec(&myregex->reg, (char*)ldns_buffer_begin(buf), 0, NULL, 0) == 0) {
+                        if (myregex->not )
+                            negmatch++;
+                        else
+                            match++;
+
+                        if (dumptrace >= 2)
+                            fprintf(stderr,
+                                "; \"%s\" %s~ /%s/ %d %d\n",
+                                (char*)ldns_buffer_begin(buf),
+                                myregex->not ? "!" : "",
+                                myregex->str,
+                                match,
+                                negmatch);
+                    }
+                }
+            }
+            ldns_rr_list_free(rrs);
+            ldns_buffer_free(buf);
+
+            /*
+             * Fail if any negative matching or if no match, match can be -1 which
+             * indicates that there are only negative matching
+             */
+            if (negmatch > 0 || match == 0) {
+                tcpstate_discard(tcpstate, "failed regex match");
+                goto network_pkt_end;
+            }
+        }
+
+        /* Policy hiding. */
+        if (end_hide != 0) {
+            switch (from.af) {
+            case AF_INET: {
+                void *    init_addr, *resp_addr;
+                uint16_t* init_port;
+
+                if (dns.qr == 0) {
+                    init_addr = (void*)&ip->ip_src;
+                    resp_addr = (void*)&ip->ip_dst;
+                    init_port = tcp ? &tcp->th_sport : &udp->uh_sport;
+                } else {
+                    init_addr = (void*)&ip->ip_dst;
+                    resp_addr = (void*)&ip->ip_src;
+                    init_port = tcp ? &tcp->th_dport : &udp->uh_dport;
+                }
+
+                if ((end_hide & END_INITIATOR) != 0) {
+                    memcpy(init_addr, HIDE_INET, sizeof(struct in_addr));
+                    *init_port = htons(HIDE_PORT);
+                }
+                if ((end_hide & END_RESPONDER) != 0)
+                    memcpy(resp_addr, HIDE_INET, sizeof(struct in_addr));
+
+                ip->ip_sum = 0;
+                ip->ip_sum = ~in_checksum((u_char*)ip, sizeof *ip);
+                if (udp)
+                    udp->uh_sum = 0U;
+                break;
+            }
+            case AF_INET6: {
+                void *    init_addr, *resp_addr;
+                uint16_t* init_port;
+
+                if (dns.qr == 0) {
+                    init_addr = (void*)&ipv6->ip6_src;
+                    resp_addr = (void*)&ipv6->ip6_dst;
+                    init_port = tcp ? &tcp->th_sport : &udp->uh_sport;
+                } else {
+                    init_addr = (void*)&ipv6->ip6_dst;
+                    resp_addr = (void*)&ipv6->ip6_src;
+                    init_port = tcp ? &tcp->th_dport : &udp->uh_dport;
+                }
+
+                if ((end_hide & END_INITIATOR) != 0) {
+                    memcpy(init_addr, HIDE_INET6, sizeof(struct in6_addr));
+                    *init_port = htons(HIDE_PORT);
+                }
+                if ((end_hide & END_RESPONDER) != 0)
+                    memcpy(resp_addr, HIDE_INET6, sizeof(struct in6_addr));
+
+                if (udp)
+                    udp->uh_sum = 0U;
+                break;
+            }
+            default:
+                abort();
+            }
+        }
+        _curr_tcpstate = tcpstate;
+        output(descr, from, to, proto, flags, sport, dport, ts,
+            pkt_copy, olen, dnspkt, dnslen);
+        _curr_tcpstate = 0;
+
+        if (tcpstate && tcpstate->reasm) {
+            free(tcpstate->reasm->dnsmsg[m]);
+            tcpstate->reasm->dnsmsg[m] = 0;
+            tcpstate->reasm->dnsmsgs--;
+        } else
+            break;
+    }
+
+network_pkt_end:
+    network_ip   = 0;
+    network_ipv6 = 0;
+    if (lpkt) {
+        ldns_pkt_free(lpkt);
+    }
+}
+
+uint16_t in_checksum(const u_char* ptr, size_t len)
+{
+    unsigned sum = 0, top;
+
+    /* Main body. */
+    while (len >= 2) {
+        sum += *(const uint16_t*)ptr;
+        ptr += 2;
+        len -= 2;
+    }
+
+    /* Leftover octet? */
+    if (len != 0)
+        sum += *ptr;
+
+    /* Leftover carries? */
+    while ((top = (sum >> 16)) != 0)
+        sum = ((uint16_t)sum) + top;
+
+    /* Caller should ~ this result. */
+    return ((uint16_t)sum);
+}
+
+static size_t calcrr(int q, const u_char* p, size_t l, size_t t)
+{
+    while (l < t) {
+        if ((p[l] & 0xc0) == 0xc0) {
+            l += 2;
+        } else if (p[l] & 0xc0) {
+            l += 1;
+        } else if (p[l]) {
+            l += p[l];
+        } else {
+            break;
+        }
+    }
+    l += 4; /* type + class */
+    if (q)
+        return l;
+    l += 6; /* ttl + rdlength */
+    if (l < t) {
+        l += (p[l - 2] << 8) + p[l - 1]; /* rdata */
+    }
+    return l;
+}
+
+size_t calcdnslen(const u_char* dnspkt, size_t dnslen)
+{
+    HEADER dns;
+    size_t n, len;
+
+    if (dnslen > 65535 || dnslen < sizeof(dns)) {
+        return 0;
+    }
+    memcpy(&dns, dnspkt, sizeof dns);
+    len = sizeof(dns);
+
+    for (n = 0; len < dnslen && n < dns.qdcount; n++) {
+        len = calcrr(1, dnspkt, len, dnslen);
+    }
+    for (n = 0; len < dnslen && n < dns.ancount; n++) {
+        len = calcrr(0, dnspkt, len, dnslen);
+    }
+    for (n = 0; len < dnslen && n < dns.nscount; n++) {
+        len = calcrr(0, dnspkt, len, dnslen);
+    }
+    for (n = 0; len < dnslen && n < dns.arcount; n++) {
+        len = calcrr(0, dnspkt, len, dnslen);
+    }
+    if (len < dnslen)
+        return len;
+    return dnslen;
+}
diff --git a/src/network.h b/src/network.h
new file mode 100644
index 0000000..9d5c7de
--- /dev/null
+++ b/src/network.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap.h"
+
+#ifndef __dnscap_network_h
+#define __dnscap_network_h
+
+tcpstate_ptr tcpstate_find(iaddr from, iaddr to, unsigned sport, unsigned dport, time_t t);
+tcpstate_ptr tcpstate_new(iaddr from, iaddr to, unsigned sport, unsigned dport);
+void         dl_pkt(u_char* user, const struct pcap_pkthdr* hdr, const u_char* pkt, const char* name, const int dlt);
+void         discard(tcpstate_ptr tcpstate, const char* msg);
+void         network_pkt(const char* descr, my_bpftimeval ts, unsigned pf, const u_char* opkt, size_t olen);
+uint16_t     in_checksum(const u_char* ptr, size_t len);
+
+void layer_pkt(u_char* user, const pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+void network_pkt2(const char* descr, my_bpftimeval ts, const pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+
+size_t calcdnslen(const u_char* dnspkt, size_t dnslen);
+
+#endif /* __dnscap_network_h */
diff --git a/src/options.c b/src/options.c
new file mode 100644
index 0000000..1eee2cf
--- /dev/null
+++ b/src/options.c
@@ -0,0 +1,248 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "options.h"
+
+#include <string.h>
+#include <stdlib.h>
+
+#include <stdio.h>
+
+#define have(a) option_length == (sizeof(a) - 1) && !strncmp(option, a, (sizeof(a) - 1))
+
+int option_parse(options_t* options, const char* option)
+{
+    const char* argument;
+    int         option_length;
+    char*       p;
+    size_t      s;
+
+    if (!options) {
+        return -1;
+    }
+    if (!option) {
+        return -1;
+    }
+
+    if (!(argument = strchr(option, '='))) {
+        return -2;
+    }
+    argument++;
+    if (!*argument) {
+        return -2;
+    }
+    option_length = argument - option - 1;
+    if (option_length < 1) {
+        return -2;
+    }
+
+    if (have("cbor_chunk_size")) {
+        s = strtoul(argument, &p, 0);
+        if (p && !*p && s > 0) {
+            options->cbor_chunk_size = s;
+            return 0;
+        }
+    } else if (have("cds_cbor_size")) {
+        s = strtoul(argument, &p, 0);
+        if (p && !*p && s > 0) {
+            options->cds_cbor_size = s;
+            return 0;
+        }
+    } else if (have("cds_message_size")) {
+        s = strtoul(argument, &p, 0);
+        if (p && !*p && s > 0) {
+            options->cds_message_size = s;
+            return 0;
+        }
+    } else if (have("cds_max_rlabels")) {
+        s = strtoul(argument, &p, 0);
+        if (p && !*p && s > 0) {
+            options->cds_max_rlabels = s;
+            return 0;
+        }
+    } else if (have("cds_min_rlabel_size")) {
+        s = strtoul(argument, &p, 0);
+        if (p && !*p && s > 0) {
+            options->cds_min_rlabel_size = s;
+            return 0;
+        }
+    } else if (have("cds_use_rdata_index")) {
+        if (!strcmp(argument, "yes")) {
+            options->cds_use_rdata_index = 1;
+            return 0;
+        }
+    } else if (have("cds_rdata_index_min_size")) {
+        s = strtoul(argument, &p, 0);
+        if (p && !*p && s > 0) {
+            options->cds_rdata_index_min_size = s;
+            return 0;
+        }
+    } else if (have("cds_use_rdata_rindex")) {
+        if (!strcmp(argument, "yes")) {
+            options->cds_use_rdata_rindex = 1;
+            return 0;
+        }
+    } else if (have("cds_rdata_rindex_size")) {
+        s = strtoul(argument, &p, 0);
+        if (p && !*p && s > 0) {
+            options->cds_rdata_rindex_size = s;
+            return 0;
+        }
+    } else if (have("cds_rdata_rindex_min_size")) {
+        s = strtoul(argument, &p, 0);
+        if (p && !*p && s > 0) {
+            options->cds_rdata_rindex_min_size = s;
+            return 0;
+        }
+    } else if (have("dump_format")) {
+        if (!strcmp(argument, "pcap")) {
+            options->dump_format = pcap;
+            return 0;
+        } else if (!strcmp(argument, "cbor")) {
+            options->dump_format = cbor;
+            return 0;
+        } else if (!strcmp(argument, "cds")) {
+            options->dump_format = cds;
+            return 0;
+        }
+    } else if (have("user")) {
+        if (options->user) {
+            free(options->user);
+        }
+        if ((options->user = strdup(argument))) {
+            return 0;
+        }
+    } else if (have("group")) {
+        if (options->group) {
+            free(options->group);
+        }
+        if ((options->group = strdup(argument))) {
+            return 0;
+        }
+    } else if (have("pcap_buffer_size")) {
+        s = strtoul(argument, &p, 0);
+        if (p && !*p && s > 0) {
+            options->pcap_buffer_size = s;
+            return 0;
+        }
+    } else if (have("use_layers")) {
+        if (!strcmp(argument, "yes")) {
+            options->use_layers = 1;
+            return 0;
+        }
+    } else if (have("defrag_ipv4")) {
+        if (!strcmp(argument, "yes")) {
+            options->defrag_ipv4 = 1;
+            return 0;
+        }
+    } else if (have("max_ipv4_fragments")) {
+        s = strtoul(argument, &p, 0);
+        if (p && !*p && s > 0) {
+            options->max_ipv4_fragments = s;
+            return 0;
+        }
+    } else if (have("max_ipv4_fragments_per_packet")) {
+        s = strtoul(argument, &p, 0);
+        if (p && !*p && s > 0) {
+            options->max_ipv4_fragments_per_packet = s;
+            return 0;
+        }
+    } else if (have("defrag_ipv6")) {
+        if (!strcmp(argument, "yes")) {
+            options->defrag_ipv6 = 1;
+            return 0;
+        }
+    } else if (have("max_ipv6_fragments")) {
+        s = strtoul(argument, &p, 0);
+        if (p && !*p && s > 0) {
+            options->max_ipv6_fragments = s;
+            return 0;
+        }
+    } else if (have("max_ipv6_fragments_per_packet")) {
+        s = strtoul(argument, &p, 0);
+        if (p && !*p && s > 0) {
+            options->max_ipv6_fragments_per_packet = s;
+            return 0;
+        }
+    } else if (have("parse_ongoing_tcp")) {
+        if (!strcmp(argument, "yes")) {
+            options->parse_ongoing_tcp = 1;
+            return 0;
+        }
+    } else if (have("allow_reset_tcpstate")) {
+        if (!strcmp(argument, "yes")) {
+            options->allow_reset_tcpstate = 1;
+            return 0;
+        }
+    } else if (have("reassemble_tcp")) {
+        if (!strcmp(argument, "yes")) {
+            options->reassemble_tcp = 1;
+            return 0;
+        }
+    } else if (have("reassemble_tcp_faultreset")) {
+        s = strtoul(argument, &p, 0);
+        if (p && !*p && s > 0) {
+            options->reassemble_tcp_faultreset = s;
+            return 0;
+        }
+    } else if (have("reassemble_tcp_bfbparsedns")) {
+        if (!strcmp(argument, "yes")) {
+            options->reassemble_tcp_bfbparsedns = 1;
+            return 0;
+        }
+    } else if (have("bpf_hosts_apply_all")) {
+        if (!strcmp(argument, "yes")) {
+            options->bpf_hosts_apply_all = 1;
+            return 0;
+        }
+    }
+
+    return 1;
+}
+
+void options_free(options_t* options)
+{
+    if (options) {
+        if (options->user) {
+            free(options->user);
+            options->user = 0;
+        }
+        if (options->group) {
+            free(options->group);
+            options->group = 0;
+        }
+    }
+}
diff --git a/src/options.h b/src/options.h
new file mode 100644
index 0000000..e46dd06
--- /dev/null
+++ b/src/options.h
@@ -0,0 +1,121 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+
+#include "dump_cds.h"
+
+#ifndef __dnscap_options_h
+#define __dnscap_options_h
+
+typedef enum dump_format dump_format_t;
+enum dump_format {
+    pcap,
+    cbor,
+    cds
+};
+
+/* clang-format off */
+
+#define OPTIONS_T_DEFAULTS { \
+    1024 * 1024, \
+\
+    1024 * 1024, \
+    64 * 1024, \
+    CDS_DEFAULT_MAX_RLABELS, \
+    CDS_DEFAULT_MIN_RLABEL_SIZE, \
+    0, \
+    CDS_DEFAULT_RDATA_INDEX_MIN_SIZE, \
+    0, \
+    CDS_DEFAULT_RDATA_RINDEX_SIZE, \
+    CDS_DEFAULT_RDATA_RINDEX_MIN_SIZE, \
+\
+    pcap, \
+\
+    0, \
+    0, \
+\
+    0, \
+\
+    0, 0, 0, 0, 0, 0, 0, \
+\
+    0, 0, 0, 0, 0, \
+\
+    0 \
+}
+
+/* clang-format on */
+
+typedef struct options options_t;
+struct options {
+    size_t cbor_chunk_size;
+
+    size_t cds_cbor_size;
+    size_t cds_message_size;
+    size_t cds_max_rlabels;
+    size_t cds_min_rlabel_size;
+    int    cds_use_rdata_index;
+    size_t cds_rdata_index_min_size;
+    int    cds_use_rdata_rindex;
+    size_t cds_rdata_rindex_size;
+    size_t cds_rdata_rindex_min_size;
+
+    dump_format_t dump_format;
+
+    char* user;
+    char* group;
+
+    size_t pcap_buffer_size;
+
+    int    use_layers;
+    int    defrag_ipv4;
+    size_t max_ipv4_fragments;
+    size_t max_ipv4_fragments_per_packet;
+    int    defrag_ipv6;
+    size_t max_ipv6_fragments;
+    size_t max_ipv6_fragments_per_packet;
+
+    int    parse_ongoing_tcp;
+    int    allow_reset_tcpstate;
+    int    reassemble_tcp;
+    size_t reassemble_tcp_faultreset;
+    int    reassemble_tcp_bfbparsedns;
+
+    int bpf_hosts_apply_all;
+};
+
+int  option_parse(options_t* options, const char* option);
+void options_free(options_t* options);
+
+#endif /* __dnscap_options_h */
diff --git a/src/pcap-thread/m4/ax_pcap_thread.m4 b/src/pcap-thread/m4/ax_pcap_thread.m4
new file mode 100644
index 0000000..8831822
--- /dev/null
+++ b/src/pcap-thread/m4/ax_pcap_thread.m4
@@ -0,0 +1,15 @@
+AC_DEFUN([AX_PCAP_THREAD_PCAP], [
+    AC_HEADER_TIME
+    AC_CHECK_LIB([pcap], [pcap_open_live], [], AC_MSG_ERROR([libpcap not found]))
+    AC_CHECK_HEADER([pcap/pcap.h], [], [AC_MSG_ERROR([libpcap header not found])])
+    AC_CHECK_HEADERS([endian.h sys/endian.h machine/endian.h sys/time.h])
+    AC_CHECK_FUNCS([pcap_create pcap_set_tstamp_precision pcap_set_immediate_mode])
+    AC_CHECK_FUNCS([pcap_set_tstamp_type pcap_setdirection sched_yield])
+    AC_CHECK_FUNCS([pcap_open_offline_with_tstamp_precision pcap_activate])
+    AC_CHECK_TYPES([pcap_direction_t], [], [], [[#include <pcap/pcap.h>]])
+])
+
+AC_DEFUN([AX_PCAP_THREAD], [
+    AX_PTHREAD
+    AX_PCAP_THREAD_PCAP
+])
diff --git a/src/pcap-thread/m4/ax_pthread.m4 b/src/pcap-thread/m4/ax_pthread.m4
new file mode 100644
index 0000000..4c4051e
--- /dev/null
+++ b/src/pcap-thread/m4/ax_pthread.m4
@@ -0,0 +1,485 @@
+# ===========================================================================
+#        http://www.gnu.org/software/autoconf-archive/ax_pthread.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]])
+#
+# DESCRIPTION
+#
+#   This macro figures out how to build C programs using POSIX threads. It
+#   sets the PTHREAD_LIBS output variable to the threads library and linker
+#   flags, and the PTHREAD_CFLAGS output variable to any special C compiler
+#   flags that are needed. (The user can also force certain compiler
+#   flags/libs to be tested by setting these environment variables.)
+#
+#   Also sets PTHREAD_CC to any special C compiler that is needed for
+#   multi-threaded programs (defaults to the value of CC otherwise). (This
+#   is necessary on AIX to use the special cc_r compiler alias.)
+#
+#   NOTE: You are assumed to not only compile your program with these flags,
+#   but also to link with them as well. For example, you might link with
+#   $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS
+#
+#   If you are only building threaded programs, you may wish to use these
+#   variables in your default LIBS, CFLAGS, and CC:
+#
+#     LIBS="$PTHREAD_LIBS $LIBS"
+#     CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+#     CC="$PTHREAD_CC"
+#
+#   In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant
+#   has a nonstandard name, this macro defines PTHREAD_CREATE_JOINABLE to
+#   that name (e.g. PTHREAD_CREATE_UNDETACHED on AIX).
+#
+#   Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the
+#   PTHREAD_PRIO_INHERIT symbol is defined when compiling with
+#   PTHREAD_CFLAGS.
+#
+#   ACTION-IF-FOUND is a list of shell commands to run if a threads library
+#   is found, and ACTION-IF-NOT-FOUND is a list of commands to run it if it
+#   is not found. If ACTION-IF-FOUND is not specified, the default action
+#   will define HAVE_PTHREAD.
+#
+#   Please let the authors know if this macro fails on any platform, or if
+#   you have any other suggestions or comments. This macro was based on work
+#   by SGJ on autoconf scripts for FFTW (http://www.fftw.org/) (with help
+#   from M. Frigo), as well as ac_pthread and hb_pthread macros posted by
+#   Alejandro Forero Cuervo to the autoconf macro repository. We are also
+#   grateful for the helpful feedback of numerous users.
+#
+#   Updated for Autoconf 2.68 by Daniel Richard G.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Steven G. Johnson <stevenj@alum.mit.edu>
+#   Copyright (c) 2011 Daniel Richard G. <skunk@iSKUNK.ORG>
+#
+#   This program is free software: you can redistribute it and/or modify it
+#   under the terms of the GNU General Public License as published by the
+#   Free Software Foundation, either version 3 of the License, or (at your
+#   option) any later version.
+#
+#   This program is distributed in the hope that it will be useful, but
+#   WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+#   Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License along
+#   with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#   As a special exception, the respective Autoconf Macro's copyright owner
+#   gives unlimited permission to copy, distribute and modify the configure
+#   scripts that are the output of Autoconf when processing the Macro. You
+#   need not follow the terms of the GNU General Public License when using
+#   or distributing such scripts, even though portions of the text of the
+#   Macro appear in them. The GNU General Public License (GPL) does govern
+#   all other use of the material that constitutes the Autoconf Macro.
+#
+#   This special exception to the GPL applies to versions of the Autoconf
+#   Macro released by the Autoconf Archive. When you make and distribute a
+#   modified version of the Autoconf Macro, you may extend this special
+#   exception to the GPL to apply to your modified version as well.
+
+#serial 23
+
+AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD])
+AC_DEFUN([AX_PTHREAD], [
+AC_REQUIRE([AC_CANONICAL_HOST])
+AC_REQUIRE([AC_PROG_CC])
+AC_REQUIRE([AC_PROG_SED])
+AC_LANG_PUSH([C])
+ax_pthread_ok=no
+
+# We used to check for pthread.h first, but this fails if pthread.h
+# requires special compiler flags (e.g. on Tru64 or Sequent).
+# It gets checked for in the link test anyway.
+
+# First of all, check if the user has set any of the PTHREAD_LIBS,
+# etcetera environment variables, and if threads linking works using
+# them:
+if test "x$PTHREAD_CFLAGS$PTHREAD_LIBS" != "x"; then
+        ax_pthread_save_CC="$CC"
+        ax_pthread_save_CFLAGS="$CFLAGS"
+        ax_pthread_save_LIBS="$LIBS"
+        AS_IF([test "x$PTHREAD_CC" != "x"], [CC="$PTHREAD_CC"])
+        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+        LIBS="$PTHREAD_LIBS $LIBS"
+        AC_MSG_CHECKING([for pthread_join using $CC $PTHREAD_CFLAGS $PTHREAD_LIBS])
+        AC_LINK_IFELSE([AC_LANG_CALL([], [pthread_join])], [ax_pthread_ok=yes])
+        AC_MSG_RESULT([$ax_pthread_ok])
+        if test "x$ax_pthread_ok" = "xno"; then
+                PTHREAD_LIBS=""
+                PTHREAD_CFLAGS=""
+        fi
+        CC="$ax_pthread_save_CC"
+        CFLAGS="$ax_pthread_save_CFLAGS"
+        LIBS="$ax_pthread_save_LIBS"
+fi
+
+# We must check for the threads library under a number of different
+# names; the ordering is very important because some systems
+# (e.g. DEC) have both -lpthread and -lpthreads, where one of the
+# libraries is broken (non-POSIX).
+
+# Create a list of thread flags to try.  Items starting with a "-" are
+# C compiler flags, and other items are library names, except for "none"
+# which indicates that we try without any flags at all, and "pthread-config"
+# which is a program returning the flags for the Pth emulation library.
+
+ax_pthread_flags="pthreads none -Kthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config"
+
+# The ordering *is* (sometimes) important.  Some notes on the
+# individual items follow:
+
+# pthreads: AIX (must check this before -lpthread)
+# none: in case threads are in libc; should be tried before -Kthread and
+#       other compiler flags to prevent continual compiler warnings
+# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h)
+# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads), Tru64
+#           (Note: HP C rejects this with "bad form for `-t' option")
+# -pthreads: Solaris/gcc (Note: HP C also rejects)
+# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it
+#      doesn't hurt to check since this sometimes defines pthreads and
+#      -D_REENTRANT too), HP C (must be checked before -lpthread, which
+#      is present but should not be used directly; and before -mthreads,
+#      because the compiler interprets this as "-mt" + "-hreads")
+# -mthreads: Mingw32/gcc, Lynx/gcc
+# pthread: Linux, etcetera
+# --thread-safe: KAI C++
+# pthread-config: use pthread-config program (for GNU Pth library)
+
+case $host_os in
+
+        freebsd*)
+
+        # -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able)
+        # lthread: LinuxThreads port on FreeBSD (also preferred to -pthread)
+
+        ax_pthread_flags="-kthread lthread $ax_pthread_flags"
+        ;;
+
+        hpux*)
+
+        # From the cc(1) man page: "[-mt] Sets various -D flags to enable
+        # multi-threading and also sets -lpthread."
+
+        ax_pthread_flags="-mt -pthread pthread $ax_pthread_flags"
+        ;;
+
+        openedition*)
+
+        # IBM z/OS requires a feature-test macro to be defined in order to
+        # enable POSIX threads at all, so give the user a hint if this is
+        # not set. (We don't define these ourselves, as they can affect
+        # other portions of the system API in unpredictable ways.)
+
+        AC_EGREP_CPP([AX_PTHREAD_ZOS_MISSING],
+            [
+#            if !defined(_OPEN_THREADS) && !defined(_UNIX03_THREADS)
+             AX_PTHREAD_ZOS_MISSING
+#            endif
+            ],
+            [AC_MSG_WARN([IBM z/OS requires -D_OPEN_THREADS or -D_UNIX03_THREADS to enable pthreads support.])])
+        ;;
+
+        solaris*)
+
+        # On Solaris (at least, for some versions), libc contains stubbed
+        # (non-functional) versions of the pthreads routines, so link-based
+        # tests will erroneously succeed. (N.B.: The stubs are missing
+        # pthread_cleanup_push, or rather a function called by this macro,
+        # so we could check for that, but who knows whether they'll stub
+        # that too in a future libc.)  So we'll check first for the
+        # standard Solaris way of linking pthreads (-mt -lpthread).
+
+        ax_pthread_flags="-mt,pthread pthread $ax_pthread_flags"
+        ;;
+esac
+
+# GCC generally uses -pthread, or -pthreads on some platforms (e.g. SPARC)
+
+AS_IF([test "x$GCC" = "xyes"],
+      [ax_pthread_flags="-pthread -pthreads $ax_pthread_flags"])
+
+# The presence of a feature test macro requesting re-entrant function
+# definitions is, on some systems, a strong hint that pthreads support is
+# correctly enabled
+
+case $host_os in
+        darwin* | hpux* | linux* | osf* | solaris*)
+        ax_pthread_check_macro="_REENTRANT"
+        ;;
+
+        aix*)
+        ax_pthread_check_macro="_THREAD_SAFE"
+        ;;
+
+        *)
+        ax_pthread_check_macro="--"
+        ;;
+esac
+AS_IF([test "x$ax_pthread_check_macro" = "x--"],
+      [ax_pthread_check_cond=0],
+      [ax_pthread_check_cond="!defined($ax_pthread_check_macro)"])
+
+# Are we compiling with Clang?
+
+AC_CACHE_CHECK([whether $CC is Clang],
+    [ax_cv_PTHREAD_CLANG],
+    [ax_cv_PTHREAD_CLANG=no
+     # Note that Autoconf sets GCC=yes for Clang as well as GCC
+     if test "x$GCC" = "xyes"; then
+        AC_EGREP_CPP([AX_PTHREAD_CC_IS_CLANG],
+            [/* Note: Clang 2.7 lacks __clang_[a-z]+__ */
+#            if defined(__clang__) && defined(__llvm__)
+             AX_PTHREAD_CC_IS_CLANG
+#            endif
+            ],
+            [ax_cv_PTHREAD_CLANG=yes])
+     fi
+    ])
+ax_pthread_clang="$ax_cv_PTHREAD_CLANG"
+
+ax_pthread_clang_warning=no
+
+# Clang needs special handling, because older versions handle the -pthread
+# option in a rather... idiosyncratic way
+
+if test "x$ax_pthread_clang" = "xyes"; then
+
+        # Clang takes -pthread; it has never supported any other flag
+
+        # (Note 1: This will need to be revisited if a system that Clang
+        # supports has POSIX threads in a separate library.  This tends not
+        # to be the way of modern systems, but it's conceivable.)
+
+        # (Note 2: On some systems, notably Darwin, -pthread is not needed
+        # to get POSIX threads support; the API is always present and
+        # active.  We could reasonably leave PTHREAD_CFLAGS empty.  But
+        # -pthread does define _REENTRANT, and while the Darwin headers
+        # ignore this macro, third-party headers might not.)
+
+        PTHREAD_CFLAGS="-pthread"
+        PTHREAD_LIBS=
+
+        ax_pthread_ok=yes
+
+        # However, older versions of Clang make a point of warning the user
+        # that, in an invocation where only linking and no compilation is
+        # taking place, the -pthread option has no effect ("argument unused
+        # during compilation").  They expect -pthread to be passed in only
+        # when source code is being compiled.
+        #
+        # Problem is, this is at odds with the way Automake and most other
+        # C build frameworks function, which is that the same flags used in
+        # compilation (CFLAGS) are also used in linking.  Many systems
+        # supported by AX_PTHREAD require exactly this for POSIX threads
+        # support, and in fact it is often not straightforward to specify a
+        # flag that is used only in the compilation phase and not in
+        # linking.  Such a scenario is extremely rare in practice.
+        #
+        # Even though use of the -pthread flag in linking would only print
+        # a warning, this can be a nuisance for well-run software projects
+        # that build with -Werror.  So if the active version of Clang has
+        # this misfeature, we search for an option to squash it.
+
+        AC_CACHE_CHECK([whether Clang needs flag to prevent "argument unused" warning when linking with -pthread],
+            [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG],
+            [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG=unknown
+             # Create an alternate version of $ac_link that compiles and
+             # links in two steps (.c -> .o, .o -> exe) instead of one
+             # (.c -> exe), because the warning occurs only in the second
+             # step
+             ax_pthread_save_ac_link="$ac_link"
+             ax_pthread_sed='s/conftest\.\$ac_ext/conftest.$ac_objext/g'
+             ax_pthread_link_step=`$as_echo "$ac_link" | sed "$ax_pthread_sed"`
+             ax_pthread_2step_ac_link="($ac_compile) && (echo ==== >&5) && ($ax_pthread_link_step)"
+             ax_pthread_save_CFLAGS="$CFLAGS"
+             for ax_pthread_try in '' -Qunused-arguments -Wno-unused-command-line-argument unknown; do
+                AS_IF([test "x$ax_pthread_try" = "xunknown"], [break])
+                CFLAGS="-Werror -Wunknown-warning-option $ax_pthread_try -pthread $ax_pthread_save_CFLAGS"
+                ac_link="$ax_pthread_save_ac_link"
+                AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])],
+                    [ac_link="$ax_pthread_2step_ac_link"
+                     AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])],
+                         [break])
+                    ])
+             done
+             ac_link="$ax_pthread_save_ac_link"
+             CFLAGS="$ax_pthread_save_CFLAGS"
+             AS_IF([test "x$ax_pthread_try" = "x"], [ax_pthread_try=no])
+             ax_cv_PTHREAD_CLANG_NO_WARN_FLAG="$ax_pthread_try"
+            ])
+
+        case "$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG" in
+                no | unknown) ;;
+                *) PTHREAD_CFLAGS="$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG $PTHREAD_CFLAGS" ;;
+        esac
+
+fi # $ax_pthread_clang = yes
+
+if test "x$ax_pthread_ok" = "xno"; then
+for ax_pthread_try_flag in $ax_pthread_flags; do
+
+        case $ax_pthread_try_flag in
+                none)
+                AC_MSG_CHECKING([whether pthreads work without any flags])
+                ;;
+
+                -mt,pthread)
+                AC_MSG_CHECKING([whether pthreads work with -mt -lpthread])
+                PTHREAD_CFLAGS="-mt"
+                PTHREAD_LIBS="-lpthread"
+                ;;
+
+                -*)
+                AC_MSG_CHECKING([whether pthreads work with $ax_pthread_try_flag])
+                PTHREAD_CFLAGS="$ax_pthread_try_flag"
+                ;;
+
+                pthread-config)
+                AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no])
+                AS_IF([test "x$ax_pthread_config" = "xno"], [continue])
+                PTHREAD_CFLAGS="`pthread-config --cflags`"
+                PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`"
+                ;;
+
+                *)
+                AC_MSG_CHECKING([for the pthreads library -l$ax_pthread_try_flag])
+                PTHREAD_LIBS="-l$ax_pthread_try_flag"
+                ;;
+        esac
+
+        ax_pthread_save_CFLAGS="$CFLAGS"
+        ax_pthread_save_LIBS="$LIBS"
+        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+        LIBS="$PTHREAD_LIBS $LIBS"
+
+        # Check for various functions.  We must include pthread.h,
+        # since some functions may be macros.  (On the Sequent, we
+        # need a special flag -Kthread to make this header compile.)
+        # We check for pthread_join because it is in -lpthread on IRIX
+        # while pthread_create is in libc.  We check for pthread_attr_init
+        # due to DEC craziness with -lpthreads.  We check for
+        # pthread_cleanup_push because it is one of the few pthread
+        # functions on Solaris that doesn't have a non-functional libc stub.
+        # We try pthread_create on general principles.
+
+        AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>
+#                       if $ax_pthread_check_cond
+#                        error "$ax_pthread_check_macro must be defined"
+#                       endif
+                        static void routine(void *a) { a = 0; }
+                        static void *start_routine(void *a) { return a; }],
+                       [pthread_t th; pthread_attr_t attr;
+                        pthread_create(&th, 0, start_routine, 0);
+                        pthread_join(th, 0);
+                        pthread_attr_init(&attr);
+                        pthread_cleanup_push(routine, 0);
+                        pthread_cleanup_pop(0) /* ; */])],
+            [ax_pthread_ok=yes],
+            [])
+
+        CFLAGS="$ax_pthread_save_CFLAGS"
+        LIBS="$ax_pthread_save_LIBS"
+
+        AC_MSG_RESULT([$ax_pthread_ok])
+        AS_IF([test "x$ax_pthread_ok" = "xyes"], [break])
+
+        PTHREAD_LIBS=""
+        PTHREAD_CFLAGS=""
+done
+fi
+
+# Various other checks:
+if test "x$ax_pthread_ok" = "xyes"; then
+        ax_pthread_save_CFLAGS="$CFLAGS"
+        ax_pthread_save_LIBS="$LIBS"
+        CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
+        LIBS="$PTHREAD_LIBS $LIBS"
+
+        # Detect AIX lossage: JOINABLE attribute is called UNDETACHED.
+        AC_CACHE_CHECK([for joinable pthread attribute],
+            [ax_cv_PTHREAD_JOINABLE_ATTR],
+            [ax_cv_PTHREAD_JOINABLE_ATTR=unknown
+             for ax_pthread_attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do
+                 AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>],
+                                                 [int attr = $ax_pthread_attr; return attr /* ; */])],
+                                [ax_cv_PTHREAD_JOINABLE_ATTR=$ax_pthread_attr; break],
+                                [])
+             done
+            ])
+        AS_IF([test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xunknown" && \
+               test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xPTHREAD_CREATE_JOINABLE" && \
+               test "x$ax_pthread_joinable_attr_defined" != "xyes"],
+              [AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE],
+                                  [$ax_cv_PTHREAD_JOINABLE_ATTR],
+                                  [Define to necessary symbol if this constant
+                                   uses a non-standard name on your system.])
+               ax_pthread_joinable_attr_defined=yes
+              ])
+
+        AC_CACHE_CHECK([whether more special flags are required for pthreads],
+            [ax_cv_PTHREAD_SPECIAL_FLAGS],
+            [ax_cv_PTHREAD_SPECIAL_FLAGS=no
+             case $host_os in
+             solaris*)
+             ax_cv_PTHREAD_SPECIAL_FLAGS="-D_POSIX_PTHREAD_SEMANTICS"
+             ;;
+             esac
+            ])
+        AS_IF([test "x$ax_cv_PTHREAD_SPECIAL_FLAGS" != "xno" && \
+               test "x$ax_pthread_special_flags_added" != "xyes"],
+              [PTHREAD_CFLAGS="$ax_cv_PTHREAD_SPECIAL_FLAGS $PTHREAD_CFLAGS"
+               ax_pthread_special_flags_added=yes])
+
+        AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT],
+            [ax_cv_PTHREAD_PRIO_INHERIT],
+            [AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <pthread.h>]],
+                                             [[int i = PTHREAD_PRIO_INHERIT;]])],
+                            [ax_cv_PTHREAD_PRIO_INHERIT=yes],
+                            [ax_cv_PTHREAD_PRIO_INHERIT=no])
+            ])
+        AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes" && \
+               test "x$ax_pthread_prio_inherit_defined" != "xyes"],
+              [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])
+               ax_pthread_prio_inherit_defined=yes
+              ])
+
+        CFLAGS="$ax_pthread_save_CFLAGS"
+        LIBS="$ax_pthread_save_LIBS"
+
+        # More AIX lossage: compile with *_r variant
+        if test "x$GCC" != "xyes"; then
+            case $host_os in
+                aix*)
+                AS_CASE(["x/$CC"],
+                    [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6],
+                    [#handle absolute path differently from PATH based program lookup
+                     AS_CASE(["x$CC"],
+                         [x/*],
+                         [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])],
+                         [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])])
+                ;;
+            esac
+        fi
+fi
+
+test -n "$PTHREAD_CC" || PTHREAD_CC="$CC"
+
+AC_SUBST([PTHREAD_LIBS])
+AC_SUBST([PTHREAD_CFLAGS])
+AC_SUBST([PTHREAD_CC])
+
+# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND:
+if test "x$ax_pthread_ok" = "xyes"; then
+        ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1])
+        :
+else
+        ax_pthread_ok=no
+        $2
+fi
+AC_LANG_POP
+])dnl AX_PTHREAD
diff --git a/src/pcap-thread/pcap_thread.c b/src/pcap-thread/pcap_thread.c
new file mode 100644
index 0000000..8acdcbe
--- /dev/null
+++ b/src/pcap-thread/pcap_thread.c
@@ -0,0 +1,3818 @@
+/*
+ * Author Jerry Lundström <jerry@dns-oarc.net>
+ * Copyright (c) 2016-2017, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "pcap_thread.h"
+
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/select.h>
+
+#ifndef PCAP_THREAD_LAYER_TRACE
+#define PCAP_THREAD_LAYER_TRACE 0
+#endif
+
+/*
+ * Forward declares for layer callbacks
+ */
+
+static void pcap_thread_callback(u_char* user, const struct pcap_pkthdr* pkthdr, const u_char* pkt, const char* name, int dlt);
+static void pcap_thread_callback_linux_sll(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_ether(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_null(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_loop(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_ieee802(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_gre(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_ip(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_ipv4(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_ipv6(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_icmp(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_icmpv6(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_udp(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+static void pcap_thread_callback_tcp(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+
+/*
+ * Version
+ */
+
+static const char* _version = PCAP_THREAD_VERSION_STR;
+
+const char* pcap_thread_version_str(void)
+{
+    return _version;
+}
+
+int pcap_thread_version_major(void)
+{
+    return PCAP_THREAD_VERSION_MAJOR;
+}
+
+int pcap_thread_version_minor(void)
+{
+    return PCAP_THREAD_VERSION_MINOR;
+}
+
+int pcap_thread_version_patch(void)
+{
+    return PCAP_THREAD_VERSION_PATCH;
+}
+
+/*
+ * Create/Free
+ */
+
+static pcap_thread_t _pcap_thread_defaults = PCAP_THREAD_T_INIT;
+
+pcap_thread_t* pcap_thread_create(void)
+{
+    pcap_thread_t* pcap_thread = calloc(1, sizeof(pcap_thread_t));
+    if (pcap_thread) {
+        memcpy(pcap_thread, &_pcap_thread_defaults, sizeof(pcap_thread_t));
+    }
+
+    return pcap_thread;
+}
+
+void pcap_thread_free(pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return;
+    }
+
+    pcap_thread_close(pcap_thread);
+    if (pcap_thread->filter) {
+        free(pcap_thread->filter);
+    }
+    free(pcap_thread);
+}
+
+/*
+ * Get/Set
+ */
+
+int pcap_thread_use_threads(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return -1;
+    }
+
+    return pcap_thread->use_threads;
+}
+
+int pcap_thread_set_use_threads(pcap_thread_t* pcap_thread, const int use_threads)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->use_threads = use_threads;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_use_layers(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return -1;
+    }
+
+    return pcap_thread->use_layers;
+}
+
+int pcap_thread_set_use_layers(pcap_thread_t* pcap_thread, const int use_layers)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->use_layers = use_layers;
+
+    return PCAP_THREAD_OK;
+}
+
+pcap_thread_queue_mode_t pcap_thread_queue_mode(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return -1;
+    }
+
+    return pcap_thread->queue_mode;
+}
+
+int pcap_thread_set_queue_mode(pcap_thread_t* pcap_thread, const pcap_thread_queue_mode_t queue_mode)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    switch (queue_mode) {
+    case PCAP_THREAD_QUEUE_MODE_COND:
+    case PCAP_THREAD_QUEUE_MODE_DIRECT:
+        break;
+    case PCAP_THREAD_QUEUE_MODE_YIELD:
+    case PCAP_THREAD_QUEUE_MODE_WAIT:
+    case PCAP_THREAD_QUEUE_MODE_DROP:
+        return PCAP_THREAD_EOBSOLETE;
+    default:
+        return PCAP_THREAD_EINVAL;
+    }
+
+    pcap_thread->queue_mode = queue_mode;
+
+    return PCAP_THREAD_OK;
+}
+
+struct timeval pcap_thread_queue_wait(const pcap_thread_t* pcap_thread)
+{
+    static struct timeval tv = { 0, 0 };
+    return tv;
+}
+
+int pcap_thread_set_queue_wait(pcap_thread_t* pcap_thread, const struct timeval queue_wait)
+{
+    return PCAP_THREAD_EOBSOLETE;
+}
+
+pcap_thread_queue_mode_t pcap_thread_callback_queue_mode(const pcap_thread_t* pcap_thread)
+{
+    return PCAP_THREAD_EOBSOLETE;
+}
+
+int pcap_thread_set_callback_queue_mode(pcap_thread_t* pcap_thread, const pcap_thread_queue_mode_t callback_queue_mode)
+{
+    return PCAP_THREAD_EOBSOLETE;
+}
+
+struct timeval pcap_thread_callback_queue_wait(const pcap_thread_t* pcap_thread)
+{
+    static struct timeval tv = { 0, 0 };
+    return tv;
+}
+
+int pcap_thread_set_callback_queue_wait(pcap_thread_t* pcap_thread, const struct timeval callback_queue_wait)
+{
+    return PCAP_THREAD_EOBSOLETE;
+}
+
+int pcap_thread_snapshot(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return -1;
+    }
+
+    return pcap_thread->snapshot;
+}
+
+int pcap_thread_snaplen(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return -1;
+    }
+
+    return pcap_thread->snaplen;
+}
+
+int pcap_thread_set_snaplen(pcap_thread_t* pcap_thread, const int snaplen)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->snaplen = snaplen;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_promiscuous(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return -1;
+    }
+
+    return pcap_thread->promiscuous;
+}
+
+int pcap_thread_set_promiscuous(pcap_thread_t* pcap_thread, const int promiscuous)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->promiscuous = promiscuous;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_monitor(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return -1;
+    }
+
+    return pcap_thread->monitor;
+}
+
+int pcap_thread_set_monitor(pcap_thread_t* pcap_thread, const int monitor)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->monitor = monitor;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_timeout(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return -1;
+    }
+
+    return pcap_thread->timeout;
+}
+
+int pcap_thread_set_timeout(pcap_thread_t* pcap_thread, const int timeout)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->timeout = timeout;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_buffer_size(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return -1;
+    }
+
+    return pcap_thread->buffer_size;
+}
+
+int pcap_thread_set_buffer_size(pcap_thread_t* pcap_thread, const int buffer_size)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->buffer_size = buffer_size;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_timestamp_type(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return -1;
+    }
+
+    return pcap_thread->timestamp_type;
+}
+
+int pcap_thread_set_timestamp_type(pcap_thread_t* pcap_thread, const int timestamp_type)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->have_timestamp_type = 1;
+    pcap_thread->timestamp_type      = timestamp_type;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_timestamp_precision(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return -1;
+    }
+
+    return pcap_thread->timestamp_precision;
+}
+
+int pcap_thread_set_timestamp_precision(pcap_thread_t* pcap_thread, const int timestamp_precision)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->have_timestamp_precision = 1;
+    pcap_thread->timestamp_precision      = timestamp_precision;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_immediate_mode(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return -1;
+    }
+
+    return pcap_thread->immediate_mode;
+}
+
+int pcap_thread_set_immediate_mode(pcap_thread_t* pcap_thread, const int immediate_mode)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->immediate_mode = immediate_mode;
+
+    return PCAP_THREAD_OK;
+}
+
+pcap_direction_t pcap_thread_direction(const pcap_thread_t* pcap_thread)
+{
+#ifdef HAVE_PCAP_DIRECTION_T
+    if (!pcap_thread) {
+        return -1;
+    }
+
+    return pcap_thread->direction;
+#else
+    return 0;
+#endif
+}
+
+int pcap_thread_set_direction(pcap_thread_t* pcap_thread, const pcap_direction_t direction)
+{
+#ifdef HAVE_PCAP_DIRECTION_T
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->have_direction = 1;
+    pcap_thread->direction      = direction;
+
+    return PCAP_THREAD_OK;
+#else
+    return PCAP_THREAD_ENODIR;
+#endif
+}
+
+const char* pcap_thread_filter(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return 0;
+    }
+
+    return pcap_thread->filter;
+}
+
+int pcap_thread_set_filter(pcap_thread_t* pcap_thread, const char* filter, const size_t filter_len)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (!filter) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (!filter_len) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    if (pcap_thread->filter) {
+        free(pcap_thread->filter);
+    }
+    if (!(pcap_thread->filter = strndup(filter, filter_len))) {
+        return PCAP_THREAD_ENOMEM;
+    }
+    pcap_thread->filter_len = filter_len;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_clear_filter(pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    if (pcap_thread->filter) {
+        free(pcap_thread->filter);
+        pcap_thread->filter     = 0;
+        pcap_thread->filter_len = 0;
+    }
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_filter_errno(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return -1;
+    }
+
+    return pcap_thread->filter_errno;
+}
+
+int pcap_thread_filter_optimize(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return -1;
+    }
+
+    return pcap_thread->filter_optimize;
+}
+
+int pcap_thread_set_filter_optimize(pcap_thread_t* pcap_thread, const int filter_optimize)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->filter_optimize = filter_optimize;
+
+    return PCAP_THREAD_OK;
+}
+
+bpf_u_int32 pcap_thread_filter_netmask(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return -1;
+    }
+
+    return pcap_thread->filter_netmask;
+}
+
+int pcap_thread_set_filter_netmask(pcap_thread_t* pcap_thread, const bpf_u_int32 filter_netmask)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->filter_netmask = filter_netmask;
+
+    return PCAP_THREAD_OK;
+}
+
+struct timeval pcap_thread_timedrun(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        static struct timeval tv = { 0, 0 };
+        return tv;
+    }
+
+    return pcap_thread->timedrun;
+}
+
+int pcap_thread_set_timedrun(pcap_thread_t* pcap_thread, const struct timeval timedrun)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->timedrun = timedrun;
+
+    return PCAP_THREAD_OK;
+}
+
+struct timeval pcap_thread_timedrun_to(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        static struct timeval tv = { 0, 0 };
+        return tv;
+    }
+
+    return pcap_thread->timedrun_to;
+}
+
+int pcap_thread_set_timedrun_to(pcap_thread_t* pcap_thread, const struct timeval timedrun_to)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->timedrun_to = timedrun_to;
+
+    return PCAP_THREAD_OK;
+}
+
+pcap_thread_activate_mode_t pcap_thread_activate_mode(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_DEFAULT_ACTIVATE_MODE;
+    }
+
+    return pcap_thread->activate_mode;
+}
+
+int pcap_thread_set_activate_mode(pcap_thread_t* pcap_thread, const pcap_thread_activate_mode_t activate_mode)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->activate_mode = activate_mode;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_was_stopped(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+
+    return pcap_thread->was_stopped;
+}
+
+/*
+ * Queue
+ */
+
+size_t pcap_thread_queue_size(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return -1;
+    }
+
+    return pcap_thread->queue_size;
+}
+
+int pcap_thread_set_queue_size(pcap_thread_t* pcap_thread, const size_t queue_size)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (!queue_size) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->queue_size = queue_size;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback(pcap_thread_t* pcap_thread, pcap_thread_callback_t callback)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->callback = callback;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_dropback(pcap_thread_t* pcap_thread, pcap_thread_callback_t dropback)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->dropback = dropback;
+
+    return PCAP_THREAD_OK;
+}
+
+/*
+ * Layers
+ */
+
+int pcap_thread_set_callback_linux_sll(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_linux_sll)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->callback_ether
+        || pcap_thread->callback_null
+        || pcap_thread->callback_loop
+        || pcap_thread->callback_ieee802
+        || pcap_thread->callback_gre
+        || pcap_thread->callback_ip
+        || pcap_thread->callback_ipv4
+        || pcap_thread->callback_ipv6
+        || pcap_thread->callback_icmp
+        || pcap_thread->callback_icmpv6
+        || pcap_thread->callback_udp
+        || pcap_thread->callback_tcp) {
+        return PCAP_THREAD_ELAYERCB;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->callback_linux_sll = callback_linux_sll;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_ether(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ether)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->callback_linux_sll
+        || pcap_thread->callback_null
+        || pcap_thread->callback_loop
+        || pcap_thread->callback_ieee802
+        || pcap_thread->callback_gre
+        || pcap_thread->callback_ip
+        || pcap_thread->callback_ipv4
+        || pcap_thread->callback_ipv6
+        || pcap_thread->callback_icmp
+        || pcap_thread->callback_icmpv6
+        || pcap_thread->callback_udp
+        || pcap_thread->callback_tcp) {
+        return PCAP_THREAD_ELAYERCB;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->callback_ether = callback_ether;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_null(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_null)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->callback_linux_sll
+        || pcap_thread->callback_ether
+        || pcap_thread->callback_loop
+        || pcap_thread->callback_ieee802
+        || pcap_thread->callback_gre
+        || pcap_thread->callback_ip
+        || pcap_thread->callback_ipv4
+        || pcap_thread->callback_ipv6
+        || pcap_thread->callback_icmp
+        || pcap_thread->callback_icmpv6
+        || pcap_thread->callback_udp
+        || pcap_thread->callback_tcp) {
+        return PCAP_THREAD_ELAYERCB;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->callback_null = callback_null;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_loop(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_loop)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->callback_linux_sll
+        || pcap_thread->callback_ether
+        || pcap_thread->callback_null
+        || pcap_thread->callback_ieee802
+        || pcap_thread->callback_gre
+        || pcap_thread->callback_ip
+        || pcap_thread->callback_ipv4
+        || pcap_thread->callback_ipv6
+        || pcap_thread->callback_icmp
+        || pcap_thread->callback_icmpv6
+        || pcap_thread->callback_udp
+        || pcap_thread->callback_tcp) {
+        return PCAP_THREAD_ELAYERCB;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->callback_loop = callback_loop;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_ieee802(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ieee802)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->callback_linux_sll
+        || pcap_thread->callback_ether
+        || pcap_thread->callback_null
+        || pcap_thread->callback_loop
+        || pcap_thread->callback_gre
+        || pcap_thread->callback_ip
+        || pcap_thread->callback_ipv4
+        || pcap_thread->callback_ipv6
+        || pcap_thread->callback_icmp
+        || pcap_thread->callback_icmpv6
+        || pcap_thread->callback_udp
+        || pcap_thread->callback_tcp) {
+        return PCAP_THREAD_ELAYERCB;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->callback_ieee802 = callback_ieee802;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_gre(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_gre)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->callback_linux_sll
+        || pcap_thread->callback_ether
+        || pcap_thread->callback_null
+        || pcap_thread->callback_loop
+        || pcap_thread->callback_ieee802
+        || pcap_thread->callback_ip
+        || pcap_thread->callback_ipv4
+        || pcap_thread->callback_ipv6
+        || pcap_thread->callback_icmp
+        || pcap_thread->callback_icmpv6
+        || pcap_thread->callback_udp
+        || pcap_thread->callback_tcp) {
+        return PCAP_THREAD_ELAYERCB;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->callback_gre = callback_gre;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_ip(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ip)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->callback_linux_sll
+        || pcap_thread->callback_ether
+        || pcap_thread->callback_null
+        || pcap_thread->callback_loop
+        || pcap_thread->callback_ieee802
+        || pcap_thread->callback_gre
+        || pcap_thread->callback_ipv4
+        || pcap_thread->callback_ipv6
+        || pcap_thread->callback_icmp
+        || pcap_thread->callback_icmpv6
+        || pcap_thread->callback_udp
+        || pcap_thread->callback_tcp) {
+        return PCAP_THREAD_ELAYERCB;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->callback_ip = callback_ip;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_ipv4(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ipv4)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->callback_linux_sll
+        || pcap_thread->callback_ether
+        || pcap_thread->callback_null
+        || pcap_thread->callback_loop
+        || pcap_thread->callback_ieee802
+        || pcap_thread->callback_gre
+        || pcap_thread->callback_ip
+        || pcap_thread->callback_icmp
+        || pcap_thread->callback_icmpv6
+        || pcap_thread->callback_udp
+        || pcap_thread->callback_tcp) {
+        return PCAP_THREAD_ELAYERCB;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->callback_ipv4 = callback_ipv4;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_ipv4_frag(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_frag_t callback_ipv4_frag)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (!callback_ipv4_frag.new
+        || !callback_ipv4_frag.free
+        || !callback_ipv4_frag.reassemble
+        || !callback_ipv4_frag.release) {
+        if (callback_ipv4_frag.new
+            || callback_ipv4_frag.free
+            || callback_ipv4_frag.reassemble
+            || callback_ipv4_frag.release) {
+            return PCAP_THREAD_EINVAL;
+        }
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->callback_ipv4_frag = callback_ipv4_frag;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_ipv6(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ipv6)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->callback_linux_sll
+        || pcap_thread->callback_ether
+        || pcap_thread->callback_null
+        || pcap_thread->callback_loop
+        || pcap_thread->callback_ieee802
+        || pcap_thread->callback_gre
+        || pcap_thread->callback_ip
+        || pcap_thread->callback_icmp
+        || pcap_thread->callback_icmpv6
+        || pcap_thread->callback_udp
+        || pcap_thread->callback_tcp) {
+        return PCAP_THREAD_ELAYERCB;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->callback_ipv6 = callback_ipv6;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_ipv6_frag(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_frag_t callback_ipv6_frag)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (!callback_ipv6_frag.new
+        || !callback_ipv6_frag.free
+        || !callback_ipv6_frag.reassemble
+        || !callback_ipv6_frag.release) {
+        if (callback_ipv6_frag.new
+            || callback_ipv6_frag.free
+            || callback_ipv6_frag.reassemble
+            || callback_ipv6_frag.release) {
+            return PCAP_THREAD_EINVAL;
+        }
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->callback_ipv6_frag = callback_ipv6_frag;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_icmp(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_icmp)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->callback_linux_sll
+        || pcap_thread->callback_ether
+        || pcap_thread->callback_null
+        || pcap_thread->callback_loop
+        || pcap_thread->callback_ieee802
+        || pcap_thread->callback_gre
+        || pcap_thread->callback_ip
+        || pcap_thread->callback_ipv4
+        || pcap_thread->callback_ipv6) {
+        return PCAP_THREAD_ELAYERCB;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->callback_icmp = callback_icmp;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_icmpv6(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_icmpv6)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->callback_linux_sll
+        || pcap_thread->callback_ether
+        || pcap_thread->callback_null
+        || pcap_thread->callback_loop
+        || pcap_thread->callback_ieee802
+        || pcap_thread->callback_gre
+        || pcap_thread->callback_ip
+        || pcap_thread->callback_ipv4
+        || pcap_thread->callback_ipv6) {
+        return PCAP_THREAD_ELAYERCB;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->callback_icmpv6 = callback_icmpv6;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_udp(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_udp)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->callback_linux_sll
+        || pcap_thread->callback_ether
+        || pcap_thread->callback_null
+        || pcap_thread->callback_loop
+        || pcap_thread->callback_ieee802
+        || pcap_thread->callback_gre
+        || pcap_thread->callback_ip
+        || pcap_thread->callback_ipv4
+        || pcap_thread->callback_ipv6) {
+        return PCAP_THREAD_ELAYERCB;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->callback_udp = callback_udp;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_tcp(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_tcp)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->callback_linux_sll
+        || pcap_thread->callback_ether
+        || pcap_thread->callback_null
+        || pcap_thread->callback_loop
+        || pcap_thread->callback_ieee802
+        || pcap_thread->callback_gre
+        || pcap_thread->callback_ip
+        || pcap_thread->callback_ipv4
+        || pcap_thread->callback_ipv6) {
+        return PCAP_THREAD_ELAYERCB;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->callback_tcp = callback_tcp;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_set_callback_invalid(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_invalid)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    pcap_thread->callback_invalid = callback_invalid;
+
+    return PCAP_THREAD_OK;
+}
+
+#define need4x2(v1, v2, p, l) \
+    if (l < 1) {              \
+        break;                \
+    }                         \
+    v1 = (*p) >> 4;           \
+    v2 = (*p) & 0xf;          \
+    p += 1;                   \
+    l -= 1
+
+#define need8(v, p, l) \
+    if (l < 1) {       \
+        break;         \
+    }                  \
+    v = *p;            \
+    p += 1;            \
+    l -= 1
+
+#define need16(v, p, l)       \
+    if (l < 2) {              \
+        break;                \
+    }                         \
+    v = (*p << 8) + *(p + 1); \
+    p += 2;                   \
+    l -= 2
+
+#define need32(v, p, l)                                             \
+    if (l < 4) {                                                    \
+        break;                                                      \
+    }                                                               \
+    v = (*p << 24) + (*(p + 1) << 16) + (*(p + 2) << 8) + *(p + 3); \
+    p += 4;                                                         \
+    l -= 4
+
+#define needxb(b, x, p, l) \
+    if (l < x) {           \
+        break;             \
+    }                      \
+    memcpy(b, p, x);       \
+    p += x;                \
+    l -= x
+
+#define advancexb(x, p, l) \
+    if (l < x) {           \
+        break;             \
+    }                      \
+    p += x;                \
+    l -= x
+
+#if PCAP_THREAD_LAYER_TRACE
+#define layer_trace(msg) printf("LT %s:%d: " msg "\n", __FILE__, __LINE__)
+#define layer_tracef(msg, args...) printf("LT %s:%d: " msg "\n", __FILE__, __LINE__, args)
+#else
+#define layer_trace(msg)
+#define layer_tracef(msg, args...)
+#endif
+
+static void pcap_thread_callback(u_char* user, const struct pcap_pkthdr* pkthdr, const u_char* pkt, const char* name, int dlt)
+{
+    pcap_thread_pcaplist_t* pcaplist = (pcap_thread_pcaplist_t*)user;
+    size_t                  length;
+    pcap_thread_packet_t    packet;
+    const u_char*           orig = pkt;
+    size_t                  origlength;
+
+    if (!pcaplist) {
+        return;
+    }
+    if (!pcaplist->pcap_thread) {
+        return;
+    }
+    if (!pkthdr) {
+        return;
+    }
+    if (!pkt) {
+        return;
+    }
+    if (!name) {
+        return;
+    }
+
+    memset(&packet, 0, sizeof(packet));
+    packet.name        = name;
+    packet.dlt         = dlt;
+    packet.pkthdr      = *pkthdr;
+    packet.have_pkthdr = 1;
+    length             = pkthdr->caplen;
+    origlength         = length;
+
+    layer_tracef("packet, length %lu", length);
+
+    switch (dlt) {
+    case DLT_NULL:
+        layer_trace("dlt_null");
+        {
+            uint8_t hdr[4];
+
+            packet.state = PCAP_THREAD_PACKET_INVALID_NULL;
+            need8(hdr[0], pkt, length);
+            need8(hdr[1], pkt, length);
+            need8(hdr[2], pkt, length);
+            need8(hdr[3], pkt, length);
+            packet.state = PCAP_THREAD_PACKET_OK;
+
+            /*
+                 * The header for null is in host byte order but may not be
+                 * in the same endian as host if coming from a savefile
+                 */
+
+            if (pcaplist->is_offline && pcap_is_swapped(pcaplist->pcap)) {
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+                packet.nullhdr.family = hdr[3] + (hdr[2] << 8) + (hdr[1] << 16) + (hdr[0] << 24);
+#elif __BYTE_ORDER == __BIG_ENDIAN
+                packet.nullhdr.family = hdr[0] + (hdr[1] << 8) + (hdr[2] << 16) + (hdr[3] << 24);
+#else
+#error "Please fix <endian.h>"
+#endif
+            } else {
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+                packet.nullhdr.family = hdr[0] + (hdr[1] << 8) + (hdr[2] << 16) + (hdr[3] << 24);
+#elif __BYTE_ORDER == __BIG_ENDIAN
+                packet.nullhdr.family = hdr[3] + (hdr[2] << 8) + (hdr[1] << 16) + (hdr[0] << 24);
+#else
+#error "Please fix <endian.h>"
+#endif
+            }
+            packet.have_nullhdr = 1;
+
+            if (pcaplist->pcap_thread->callback_null)
+                pcaplist->pcap_thread->callback_null(pcaplist->user, &packet, pkt, length);
+            else
+                pcap_thread_callback_null((void*)pcaplist, &packet, pkt, length);
+            return;
+        }
+        break;
+
+    case DLT_EN10MB:
+        layer_trace("dlt_en10mb");
+        packet.state = PCAP_THREAD_PACKET_INVALID_ETHER;
+        needxb(packet.ethhdr.ether_dhost, sizeof(packet.ethhdr.ether_dhost), pkt, length);
+        needxb(packet.ethhdr.ether_shost, sizeof(packet.ethhdr.ether_shost), pkt, length);
+        need16(packet.ethhdr.ether_type, pkt, length);
+        packet.state       = PCAP_THREAD_PACKET_OK;
+        packet.have_ethhdr = 1;
+
+        if (pcaplist->pcap_thread->callback_ether)
+            pcaplist->pcap_thread->callback_ether(pcaplist->user, &packet, pkt, length);
+        else
+            pcap_thread_callback_ether((void*)pcaplist, &packet, pkt, length);
+        return;
+
+    case DLT_LOOP:
+        layer_trace("dlt_loop");
+        packet.state = PCAP_THREAD_PACKET_INVALID_LOOP;
+        need32(packet.loophdr.family, pkt, length);
+        packet.state        = PCAP_THREAD_PACKET_OK;
+        packet.have_loophdr = 1;
+
+        if (pcaplist->pcap_thread->callback_loop)
+            pcaplist->pcap_thread->callback_loop(pcaplist->user, &packet, pkt, length);
+        else
+            pcap_thread_callback_loop((void*)pcaplist, &packet, pkt, length);
+        return;
+
+    case DLT_RAW:
+#ifdef DLT_IPV4
+    case DLT_IPV4:
+#endif
+#ifdef DLT_IPV6
+    case DLT_IPV6:
+#endif
+        layer_trace("dlt_raw/ipv4/ipv6");
+        if (pcaplist->pcap_thread->callback_ip)
+            pcaplist->pcap_thread->callback_ip(pcaplist->user, &packet, pkt, length);
+        else
+            pcap_thread_callback_ip((void*)pcaplist, &packet, pkt, length);
+        return;
+
+    case DLT_LINUX_SLL:
+        layer_trace("dlt_linux_sll");
+        packet.state = PCAP_THREAD_PACKET_INVALID_LINUX_SLL;
+        need16(packet.linux_sll.packet_type, pkt, length);
+        need16(packet.linux_sll.arp_hardware, pkt, length);
+        need16(packet.linux_sll.link_layer_address_length, pkt, length);
+        needxb(packet.linux_sll.link_layer_address, 8, pkt, length);
+        need16(packet.linux_sll.ether_type, pkt, length);
+        packet.state          = PCAP_THREAD_PACKET_OK;
+        packet.have_linux_sll = 1;
+
+        if (pcaplist->pcap_thread->callback_linux_sll)
+            pcaplist->pcap_thread->callback_linux_sll(pcaplist->user, &packet, pkt, length);
+        else
+            pcap_thread_callback_linux_sll((void*)pcaplist, &packet, pkt, length);
+        return;
+
+    /* TODO: These might be interesting to implement
+        case DLT_IPNET:
+        case DLT_PKTAP:
+        */
+
+    default:
+        packet.state = PCAP_THREAD_PACKET_UNSUPPORTED;
+        break;
+    }
+
+    if (pcaplist->pcap_thread->callback_invalid) {
+        if (packet.state == PCAP_THREAD_PACKET_OK)
+            packet.state = PCAP_THREAD_PACKET_INVALID;
+        pcaplist->pcap_thread->callback_invalid(pcaplist->user, &packet, orig, origlength);
+    }
+}
+
+static void pcap_thread_callback_linux_sll(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+    pcap_thread_pcaplist_t* pcaplist   = (pcap_thread_pcaplist_t*)user;
+    const u_char*           orig       = payload;
+    size_t                  origlength = length;
+
+    if (!pcaplist) {
+        return;
+    }
+    if (!pcaplist->pcap_thread) {
+        return;
+    }
+    if (!packet) {
+        return;
+    }
+    if (!payload) {
+        return;
+    }
+    if (!length) {
+        return;
+    }
+
+    if (packet->have_linux_sll) {
+        layer_trace("have_linux_sll");
+        switch (packet->linux_sll.ether_type) {
+        case 0x8100: /* 802.1q */
+        case 0x88a8: /* 802.1ad */
+        case 0x9100: /* 802.1 QinQ non-standard */
+            if (packet->have_ieee802hdr)
+                break;
+
+            {
+                uint16_t tci;
+
+                packet->state = PCAP_THREAD_PACKET_INVALID_IEEE802;
+                need16(tci, payload, length);
+                packet->ieee802hdr.pcp = (tci & 0xe000) >> 13;
+                packet->ieee802hdr.dei = (tci & 0x1000) >> 12;
+                packet->ieee802hdr.vid = tci & 0x0fff;
+                need16(packet->ieee802hdr.ether_type, payload, length);
+                packet->state           = PCAP_THREAD_PACKET_OK;
+                packet->have_ieee802hdr = 1;
+            }
+
+            if (pcaplist->pcap_thread->callback_ieee802)
+                pcaplist->pcap_thread->callback_ieee802(pcaplist->user, packet, payload, length);
+            else
+                pcap_thread_callback_ieee802((void*)pcaplist, packet, payload, length);
+            return;
+
+        case ETHERTYPE_IP:
+        case ETHERTYPE_IPV6:
+            if (pcaplist->pcap_thread->callback_ip)
+                pcaplist->pcap_thread->callback_ip(pcaplist->user, packet, payload, length);
+            else
+                pcap_thread_callback_ip((void*)pcaplist, packet, payload, length);
+            return;
+
+        default:
+            packet->state = PCAP_THREAD_PACKET_UNSUPPORTED;
+            break;
+        }
+    }
+
+    if (pcaplist->pcap_thread->callback_invalid) {
+        if (packet->state == PCAP_THREAD_PACKET_OK)
+            packet->state = PCAP_THREAD_PACKET_INVALID;
+        pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+    }
+}
+
+static void pcap_thread_callback_ether(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+    pcap_thread_pcaplist_t* pcaplist   = (pcap_thread_pcaplist_t*)user;
+    const u_char*           orig       = payload;
+    size_t                  origlength = length;
+
+    if (!pcaplist) {
+        return;
+    }
+    if (!pcaplist->pcap_thread) {
+        return;
+    }
+    if (!packet) {
+        return;
+    }
+    if (!payload) {
+        return;
+    }
+    if (!length) {
+        return;
+    }
+
+    if (packet->have_ethhdr) {
+        layer_trace("have_ethhdr");
+        switch (packet->ethhdr.ether_type) {
+        case 0x8100: /* 802.1q */
+        case 0x88a8: /* 802.1ad */
+        case 0x9100: /* 802.1 QinQ non-standard */
+            if (packet->have_ieee802hdr)
+                break;
+
+            {
+                uint16_t tci;
+
+                packet->state = PCAP_THREAD_PACKET_INVALID_IEEE802;
+                need16(tci, payload, length);
+                packet->ieee802hdr.pcp = (tci & 0xe000) >> 13;
+                packet->ieee802hdr.dei = (tci & 0x1000) >> 12;
+                packet->ieee802hdr.vid = tci & 0x0fff;
+                need16(packet->ieee802hdr.ether_type, payload, length);
+                packet->state           = PCAP_THREAD_PACKET_OK;
+                packet->have_ieee802hdr = 1;
+            }
+
+            if (pcaplist->pcap_thread->callback_ieee802)
+                pcaplist->pcap_thread->callback_ieee802(pcaplist->user, packet, payload, length);
+            else
+                pcap_thread_callback_ieee802((void*)pcaplist, packet, payload, length);
+            return;
+
+        case ETHERTYPE_IP:
+        case ETHERTYPE_IPV6:
+            if (pcaplist->pcap_thread->callback_ip)
+                pcaplist->pcap_thread->callback_ip(pcaplist->user, packet, payload, length);
+            else
+                pcap_thread_callback_ip((void*)pcaplist, packet, payload, length);
+            return;
+
+        default:
+            packet->state = PCAP_THREAD_PACKET_UNSUPPORTED;
+            break;
+        }
+    }
+
+    if (pcaplist->pcap_thread->callback_invalid) {
+        if (packet->state == PCAP_THREAD_PACKET_OK)
+            packet->state = PCAP_THREAD_PACKET_INVALID;
+        pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+    }
+}
+
+static void pcap_thread_callback_null(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+    pcap_thread_pcaplist_t* pcaplist   = (pcap_thread_pcaplist_t*)user;
+    const u_char*           orig       = payload;
+    size_t                  origlength = length;
+
+    if (!pcaplist) {
+        return;
+    }
+    if (!pcaplist->pcap_thread) {
+        return;
+    }
+    if (!packet) {
+        return;
+    }
+    if (!payload) {
+        return;
+    }
+    if (!length) {
+        return;
+    }
+
+    if (packet->have_nullhdr) {
+        layer_trace("have_nullhdr");
+
+        /* From libpcap link types documentation:
+         *  containing a value of 2 for IPv4 packets, a value of either 24, 28,
+         *  or 30 for IPv6 packets, a value of 7 for OSI packets, or a value of 23
+         *  for IPX packets. All of the IPv6 values correspond to IPv6 packets;
+         *  code reading files should check for all of them.
+         */
+
+        switch (packet->nullhdr.family) {
+        case 2:
+        case 24:
+        case 28:
+        case 30:
+            if (pcaplist->pcap_thread->callback_ip)
+                pcaplist->pcap_thread->callback_ip(pcaplist->user, packet, payload, length);
+            else
+                pcap_thread_callback_ip((void*)pcaplist, packet, payload, length);
+            return;
+
+        default:
+            packet->state = PCAP_THREAD_PACKET_UNSUPPORTED;
+            break;
+        }
+    }
+
+    if (pcaplist->pcap_thread->callback_invalid) {
+        if (packet->state == PCAP_THREAD_PACKET_OK)
+            packet->state = PCAP_THREAD_PACKET_INVALID;
+        pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+    }
+}
+
+static void pcap_thread_callback_loop(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+    pcap_thread_pcaplist_t* pcaplist   = (pcap_thread_pcaplist_t*)user;
+    const u_char*           orig       = payload;
+    size_t                  origlength = length;
+
+    if (!pcaplist) {
+        return;
+    }
+    if (!pcaplist->pcap_thread) {
+        return;
+    }
+    if (!packet) {
+        return;
+    }
+    if (!payload) {
+        return;
+    }
+    if (!length) {
+        return;
+    }
+
+    if (packet->have_loophdr) {
+        layer_trace("have_loophdr");
+
+        /* From libpcap link types documentation:
+         *  containing a value of 2 for IPv4 packets, a value of either 24, 28,
+         *  or 30 for IPv6 packets, a value of 7 for OSI packets, or a value of 23
+         *  for IPX packets. All of the IPv6 values correspond to IPv6 packets;
+         *  code reading files should check for all of them.
+         */
+
+        switch (packet->loophdr.family) {
+        case 2:
+        case 24:
+        case 28:
+        case 30:
+            if (pcaplist->pcap_thread->callback_ip)
+                pcaplist->pcap_thread->callback_ip(pcaplist->user, packet, payload, length);
+            else
+                pcap_thread_callback_ip((void*)pcaplist, packet, payload, length);
+            return;
+
+        default:
+            packet->state = PCAP_THREAD_PACKET_UNSUPPORTED;
+            break;
+        }
+    }
+
+    if (pcaplist->pcap_thread->callback_invalid) {
+        if (packet->state == PCAP_THREAD_PACKET_OK)
+            packet->state = PCAP_THREAD_PACKET_INVALID;
+        pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+    }
+}
+
+static void pcap_thread_callback_ieee802(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+    pcap_thread_pcaplist_t* pcaplist   = (pcap_thread_pcaplist_t*)user;
+    const u_char*           orig       = payload;
+    size_t                  origlength = length;
+
+    if (!pcaplist) {
+        return;
+    }
+    if (!pcaplist->pcap_thread) {
+        return;
+    }
+    if (!packet) {
+        return;
+    }
+    if (!payload) {
+        return;
+    }
+    if (!length) {
+        return;
+    }
+
+    if (packet->have_ieee802hdr) {
+        layer_trace("have_ieee802hdr");
+
+        switch (packet->ieee802hdr.ether_type) {
+        case 0x88a8: /* 802.1ad */
+        case 0x9100: /* 802.1 QinQ non-standard */
+        {
+            pcap_thread_packet_t ieee802pkt;
+            uint16_t             tci;
+
+            memset(&ieee802pkt, 0, sizeof(ieee802pkt));
+            ieee802pkt.prevpkt      = packet;
+            ieee802pkt.have_prevpkt = 1;
+
+            packet->state = PCAP_THREAD_PACKET_INVALID_IEEE802;
+            need16(tci, payload, length);
+            ieee802pkt.ieee802hdr.pcp = (tci & 0xe000) >> 13;
+            ieee802pkt.ieee802hdr.dei = (tci & 0x1000) >> 12;
+            ieee802pkt.ieee802hdr.vid = tci & 0x0fff;
+            need16(ieee802pkt.ieee802hdr.ether_type, payload, length);
+            packet->state              = PCAP_THREAD_PACKET_OK;
+            ieee802pkt.have_ieee802hdr = 1;
+
+            if (pcaplist->pcap_thread->callback_ieee802)
+                pcaplist->pcap_thread->callback_ieee802(pcaplist->user, &ieee802pkt, payload, length);
+            else
+                pcap_thread_callback_ieee802((void*)pcaplist, &ieee802pkt, payload, length);
+            return;
+        }
+
+        case ETHERTYPE_IP:
+        case ETHERTYPE_IPV6:
+            if (pcaplist->pcap_thread->callback_ip)
+                pcaplist->pcap_thread->callback_ip(pcaplist->user, packet, payload, length);
+            else
+                pcap_thread_callback_ip((void*)pcaplist, packet, payload, length);
+            return;
+
+        default:
+            packet->state = PCAP_THREAD_PACKET_UNSUPPORTED;
+            break;
+        }
+    }
+
+    if (pcaplist->pcap_thread->callback_invalid) {
+        if (packet->state == PCAP_THREAD_PACKET_OK)
+            packet->state = PCAP_THREAD_PACKET_INVALID;
+        pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+    }
+}
+
+static void pcap_thread_callback_gre(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+    pcap_thread_pcaplist_t* pcaplist   = (pcap_thread_pcaplist_t*)user;
+    const u_char*           orig       = payload;
+    size_t                  origlength = length;
+
+    if (!pcaplist) {
+        return;
+    }
+    if (!pcaplist->pcap_thread) {
+        return;
+    }
+    if (!packet) {
+        return;
+    }
+    if (!payload) {
+        return;
+    }
+    if (!length) {
+        return;
+    }
+
+    if (packet->have_grehdr) {
+        pcap_thread_packet_t grepkt;
+
+        layer_trace("have_grehdr");
+
+        memset(&grepkt, 0, sizeof(grepkt));
+        grepkt.prevpkt      = packet;
+        grepkt.have_prevpkt = 1;
+
+        for (;;) {
+            packet->state = PCAP_THREAD_PACKET_INVALID_GRE;
+            if (packet->grehdr.gre_flags & 0x1) {
+                need16(packet->gre.checksum, payload, length);
+            }
+            if (packet->grehdr.gre_flags & 0x4) {
+                need16(packet->gre.key, payload, length);
+            }
+            if (packet->grehdr.gre_flags & 0x8) {
+                need16(packet->gre.sequence, payload, length);
+            }
+            packet->state    = PCAP_THREAD_PACKET_OK;
+            packet->have_gre = 1;
+
+            switch (packet->grehdr.ether_type) {
+            case ETHERTYPE_IP:
+            case ETHERTYPE_IPV6:
+                if (pcaplist->pcap_thread->callback_ip)
+                    pcaplist->pcap_thread->callback_ip(pcaplist->user, &grepkt, payload, length);
+                else
+                    pcap_thread_callback_ip((void*)pcaplist, &grepkt, payload, length);
+                return;
+
+            default:
+                packet->state = PCAP_THREAD_PACKET_UNSUPPORTED;
+                break;
+            }
+            break;
+        }
+    }
+
+    if (pcaplist->pcap_thread->callback_invalid) {
+        if (packet->state == PCAP_THREAD_PACKET_OK)
+            packet->state = PCAP_THREAD_PACKET_INVALID;
+        pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+    }
+}
+
+static void pcap_thread_callback_ip(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+    pcap_thread_pcaplist_t* pcaplist   = (pcap_thread_pcaplist_t*)user;
+    const u_char*           orig       = payload;
+    size_t                  origlength = length;
+
+    if (!pcaplist) {
+        return;
+    }
+    if (!pcaplist->pcap_thread) {
+        return;
+    }
+    if (!packet) {
+        return;
+    }
+    if (!payload) {
+        return;
+    }
+    if (!length) {
+        return;
+    }
+
+    if (!packet->have_iphdr && !packet->have_ip6hdr) {
+        layer_trace("checking for ip");
+
+        for (;;) {
+            packet->state = PCAP_THREAD_PACKET_INVALID_IP;
+            need4x2(packet->iphdr.ip_v, packet->iphdr.ip_hl, payload, length);
+            if (packet->iphdr.ip_v == 4) {
+                packet->state = PCAP_THREAD_PACKET_INVALID_IPV4;
+                need8(packet->iphdr.ip_tos, payload, length);
+                need16(packet->iphdr.ip_len, payload, length);
+                need16(packet->iphdr.ip_id, payload, length);
+                need16(packet->iphdr.ip_off, payload, length);
+                need8(packet->iphdr.ip_ttl, payload, length);
+                need8(packet->iphdr.ip_p, payload, length);
+                need16(packet->iphdr.ip_sum, payload, length);
+                needxb(&(packet->iphdr.ip_src.s_addr), 4, payload, length);
+                needxb(&(packet->iphdr.ip_dst.s_addr), 4, payload, length);
+
+                /* TODO: IPv4 options */
+
+                if (packet->iphdr.ip_hl < 5)
+                    break;
+                if (packet->iphdr.ip_hl > 5) {
+                    advancexb((packet->iphdr.ip_hl - 5) * 4, payload, length);
+                }
+
+                packet->state      = PCAP_THREAD_PACKET_OK;
+                packet->have_iphdr = 1;
+
+                if (pcaplist->pcap_thread->callback_ipv4)
+                    pcaplist->pcap_thread->callback_ipv4(pcaplist->user, packet, payload, length);
+                else
+                    pcap_thread_callback_ipv4((void*)pcaplist, packet, payload, length);
+                return;
+            } else if (packet->iphdr.ip_v == 6) {
+                /*
+                 * Clear IPv4 headers and reverse reading one byte
+                 */
+                packet->iphdr.ip_v  = 0;
+                packet->iphdr.ip_hl = 0;
+                payload--;
+                length++;
+
+                packet->state = PCAP_THREAD_PACKET_INVALID_IPV6;
+                need32(packet->ip6hdr.ip6_flow, payload, length);
+                need16(packet->ip6hdr.ip6_plen, payload, length);
+                need8(packet->ip6hdr.ip6_nxt, payload, length);
+                need8(packet->ip6hdr.ip6_hlim, payload, length);
+                needxb(&(packet->ip6hdr.ip6_src), 16, payload, length);
+                needxb(&(packet->ip6hdr.ip6_dst), 16, payload, length);
+                packet->state       = PCAP_THREAD_PACKET_OK;
+                packet->have_ip6hdr = 1;
+
+                if (pcaplist->pcap_thread->callback_ipv6)
+                    pcaplist->pcap_thread->callback_ipv6(pcaplist->user, packet, payload, length);
+                else
+                    pcap_thread_callback_ipv6((void*)pcaplist, packet, payload, length);
+                return;
+            }
+
+            packet->state = PCAP_THREAD_PACKET_UNSUPPORTED;
+            break;
+        }
+    }
+
+    if (pcaplist->pcap_thread->callback_invalid) {
+        if (packet->state == PCAP_THREAD_PACKET_OK)
+            packet->state = PCAP_THREAD_PACKET_INVALID;
+        pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+    }
+}
+
+static void pcap_thread_callback_ipv4(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+    pcap_thread_pcaplist_t* pcaplist     = (pcap_thread_pcaplist_t*)user;
+    const u_char*           orig         = payload;
+    size_t                  origlength   = length;
+    int                     release_frag = 0;
+
+    if (!pcaplist) {
+        return;
+    }
+    if (!pcaplist->pcap_thread) {
+        return;
+    }
+    if (!packet) {
+        return;
+    }
+    if (!payload) {
+        return;
+    }
+    if (!length) {
+        return;
+    }
+
+    if (packet->have_iphdr) {
+        layer_trace("have_iphdr");
+
+        for (;;) {
+            /* Check reported length for missing payload or padding */
+            if (packet->iphdr.ip_len < (packet->iphdr.ip_hl * 4)) {
+                layer_trace("ip_len < ip header");
+                packet->state = PCAP_THREAD_PACKET_INVALID_IPV4;
+                break;
+            }
+            if (length < (packet->iphdr.ip_len - (packet->iphdr.ip_hl * 4))) {
+                layer_trace("length < (ip_len - ip header)");
+                packet->state = PCAP_THREAD_PACKET_INVALID_IPV4;
+                break;
+            }
+            if (length > (packet->iphdr.ip_len - (packet->iphdr.ip_hl * 4))) {
+                layer_trace("have_ippadding");
+                packet->ippadding      = length - (packet->iphdr.ip_len - (packet->iphdr.ip_hl * 4));
+                packet->have_ippadding = 1;
+                length -= packet->ippadding;
+            }
+
+            /* Check if packet wants more fragments or has an offset */
+            if (packet->iphdr.ip_off & 0x2000 || packet->iphdr.ip_off & 0x1fff) {
+                layer_trace("is_v4_frag");
+
+                if (pcaplist->pcap_thread->callback_ipv4_frag.reassemble) {
+                    pcap_thread_packet_t* whole_packet  = 0;
+                    const u_char*         whole_payload = 0;
+                    size_t                whole_length  = 0;
+
+                    packet->state = pcaplist->pcap_thread->callback_ipv4_frag.reassemble(pcaplist->ipv4_frag_ctx, packet, payload, length, &whole_packet, &whole_payload, &whole_length);
+
+                    /* Defragmentation failed some how, we return packet as invalid */
+                    if (packet->state != PCAP_THREAD_PACKET_OK) {
+                        break;
+                    }
+
+                    /* No whole/defragmented packet return, need more */
+                    if (!whole_packet || !whole_payload || !whole_length) {
+                        return;
+                    }
+
+                    layer_tracef("v4_reasm %p %p %lu", whole_packet, whole_payload, whole_length);
+
+                    packet       = whole_packet;
+                    payload      = whole_payload;
+                    length       = whole_length;
+                    release_frag = 1;
+                } else {
+                    /*
+                     * Mark packet as fragment and send it to the next user
+                     * layer (if any) or return it as invalid.
+                     */
+                    packet->state = PCAP_THREAD_PACKET_IS_FRAGMENT;
+
+                    switch (packet->iphdr.ip_p) {
+                    case IPPROTO_GRE:
+                        layer_trace("ipproto_gre frag");
+
+                        if (!(packet->iphdr.ip_off & 0x1fff)) {
+                            for (;;) {
+                                packet->state = PCAP_THREAD_PACKET_FRAGMENTED_GREHDR;
+                                need16(packet->grehdr.gre_flags, payload, length);
+                                need16(packet->grehdr.ether_type, payload, length);
+                                packet->state       = PCAP_THREAD_PACKET_IS_FRAGMENT;
+                                packet->have_grehdr = 1;
+                                break;
+                            }
+                        }
+
+                        if (pcaplist->pcap_thread->callback_gre) {
+                            pcaplist->pcap_thread->callback_gre(pcaplist->user, packet, payload, length);
+                            return;
+                        }
+                        break;
+
+                    case IPPROTO_ICMP:
+                        layer_trace("ipproto_icmp frag");
+
+                        if (!(packet->iphdr.ip_off & 0x1fff)) {
+                            for (;;) {
+                                packet->state = PCAP_THREAD_PACKET_FRAGMENTED_ICMPHDR;
+                                need8(packet->icmphdr.type, payload, length);
+                                need8(packet->icmphdr.code, payload, length);
+                                need16(packet->icmphdr.checksum, payload, length);
+                                packet->state        = PCAP_THREAD_PACKET_IS_FRAGMENT;
+                                packet->have_icmphdr = 1;
+                                break;
+                            }
+                        }
+
+                        if (pcaplist->pcap_thread->callback_icmp) {
+                            pcaplist->pcap_thread->callback_icmp(pcaplist->user, packet, payload, length);
+                            return;
+                        }
+                        break;
+
+                    case IPPROTO_UDP:
+                        layer_trace("ipproto_udp frag");
+
+                        if (!(packet->iphdr.ip_off & 0x1fff)) {
+                            for (;;) {
+                                packet->state = PCAP_THREAD_PACKET_FRAGMENTED_UDPHDR;
+                                need16(packet->udphdr.uh_sport, payload, length);
+                                need16(packet->udphdr.uh_dport, payload, length);
+                                need16(packet->udphdr.uh_ulen, payload, length);
+                                need16(packet->udphdr.uh_sum, payload, length);
+                                packet->state       = PCAP_THREAD_PACKET_IS_FRAGMENT;
+                                packet->have_udphdr = 1;
+                                break;
+                            }
+                        }
+
+                        if (pcaplist->pcap_thread->callback_udp) {
+                            pcaplist->pcap_thread->callback_udp(pcaplist->user, packet, payload, length);
+                            return;
+                        }
+                        break;
+
+                    case IPPROTO_TCP:
+                        layer_trace("ipproto_tcp frag");
+
+                        if (!(packet->iphdr.ip_off & 0x1fff)) {
+                            for (;;) {
+                                packet->state = PCAP_THREAD_PACKET_FRAGMENTED_TCPHDR;
+                                need16(packet->tcphdr.th_sport, payload, length);
+                                need16(packet->tcphdr.th_dport, payload, length);
+                                need32(packet->tcphdr.th_seq, payload, length);
+                                need32(packet->tcphdr.th_ack, payload, length);
+                                need4x2(packet->tcphdr.th_off, packet->tcphdr.th_x2, payload, length);
+                                need8(packet->tcphdr.th_flags, payload, length);
+                                need16(packet->tcphdr.th_win, payload, length);
+                                need16(packet->tcphdr.th_sum, payload, length);
+                                need16(packet->tcphdr.th_urp, payload, length);
+                                if (packet->tcphdr.th_off > 5) {
+                                    packet->tcpopts_len = (packet->tcphdr.th_off - 5) * 4;
+                                    needxb(&(packet->tcpopts[0]), packet->tcpopts_len, payload, length);
+                                    packet->have_tcpopts = 1;
+                                }
+                                packet->state       = PCAP_THREAD_PACKET_IS_FRAGMENT;
+                                packet->have_tcphdr = 1;
+                                break;
+                            }
+                        }
+
+                        if (pcaplist->pcap_thread->callback_tcp) {
+                            pcaplist->pcap_thread->callback_tcp(pcaplist->user, packet, payload, length);
+                            return;
+                        }
+                        break;
+
+                    default:
+                        break;
+                    }
+                    break;
+                }
+            }
+
+            switch (packet->iphdr.ip_p) {
+            case IPPROTO_GRE:
+                layer_trace("ipproto_gre");
+
+                if (packet->have_grehdr)
+                    break;
+
+                packet->state = PCAP_THREAD_PACKET_INVALID_GRE;
+                need16(packet->grehdr.gre_flags, payload, length);
+                need16(packet->grehdr.ether_type, payload, length);
+                packet->state       = PCAP_THREAD_PACKET_OK;
+                packet->have_grehdr = 1;
+
+                if (pcaplist->pcap_thread->callback_gre)
+                    pcaplist->pcap_thread->callback_gre(pcaplist->user, packet, payload, length);
+                else
+                    pcap_thread_callback_gre((void*)pcaplist, packet, payload, length);
+
+                if (release_frag) {
+                    pcaplist->pcap_thread->callback_ipv4_frag.release(pcaplist->ipv4_frag_ctx, packet, payload, length);
+                }
+                return;
+
+            case IPPROTO_ICMP:
+                layer_trace("ipproto_icmp");
+
+                if (packet->have_icmphdr)
+                    break;
+
+                packet->state = PCAP_THREAD_PACKET_INVALID_ICMP;
+                need8(packet->icmphdr.type, payload, length);
+                need8(packet->icmphdr.code, payload, length);
+                need16(packet->icmphdr.checksum, payload, length);
+                packet->state        = PCAP_THREAD_PACKET_OK;
+                packet->have_icmphdr = 1;
+
+                if (pcaplist->pcap_thread->callback_icmp)
+                    pcaplist->pcap_thread->callback_icmp(pcaplist->user, packet, payload, length);
+                else
+                    pcap_thread_callback_icmp((void*)pcaplist, packet, payload, length);
+
+                if (release_frag) {
+                    pcaplist->pcap_thread->callback_ipv4_frag.release(pcaplist->ipv4_frag_ctx, packet, payload, length);
+                }
+                return;
+
+            case IPPROTO_UDP:
+                layer_trace("ipproto_udp");
+
+                if (packet->have_udphdr)
+                    break;
+
+                packet->state = PCAP_THREAD_PACKET_INVALID_UDP;
+                need16(packet->udphdr.uh_sport, payload, length);
+                need16(packet->udphdr.uh_dport, payload, length);
+                need16(packet->udphdr.uh_ulen, payload, length);
+                need16(packet->udphdr.uh_sum, payload, length);
+                packet->state       = PCAP_THREAD_PACKET_OK;
+                packet->have_udphdr = 1;
+
+                if (pcaplist->pcap_thread->callback_udp)
+                    pcaplist->pcap_thread->callback_udp(pcaplist->user, packet, payload, length);
+                else
+                    pcap_thread_callback_udp((void*)pcaplist, packet, payload, length);
+
+                if (release_frag) {
+                    pcaplist->pcap_thread->callback_ipv4_frag.release(pcaplist->ipv4_frag_ctx, packet, payload, length);
+                }
+                return;
+
+            case IPPROTO_TCP:
+                layer_trace("ipproto_tcp");
+
+                if (packet->have_tcphdr)
+                    break;
+
+                packet->state = PCAP_THREAD_PACKET_INVALID_TCP;
+                need16(packet->tcphdr.th_sport, payload, length);
+                need16(packet->tcphdr.th_dport, payload, length);
+                need32(packet->tcphdr.th_seq, payload, length);
+                need32(packet->tcphdr.th_ack, payload, length);
+                need4x2(packet->tcphdr.th_off, packet->tcphdr.th_x2, payload, length);
+                need8(packet->tcphdr.th_flags, payload, length);
+                need16(packet->tcphdr.th_win, payload, length);
+                need16(packet->tcphdr.th_sum, payload, length);
+                need16(packet->tcphdr.th_urp, payload, length);
+                if (packet->tcphdr.th_off > 5) {
+                    packet->tcpopts_len = (packet->tcphdr.th_off - 5) * 4;
+                    needxb(&(packet->tcpopts[0]), packet->tcpopts_len, payload, length);
+                    packet->have_tcpopts = 1;
+                }
+                packet->state       = PCAP_THREAD_PACKET_OK;
+                packet->have_tcphdr = 1;
+
+                if (pcaplist->pcap_thread->callback_tcp)
+                    pcaplist->pcap_thread->callback_tcp(pcaplist->user, packet, payload, length);
+                else
+                    pcap_thread_callback_tcp((void*)pcaplist, packet, payload, length);
+
+                if (release_frag) {
+                    pcaplist->pcap_thread->callback_ipv4_frag.release(pcaplist->ipv4_frag_ctx, packet, payload, length);
+                }
+                return;
+
+            default:
+                packet->state = PCAP_THREAD_PACKET_UNSUPPORTED;
+                break;
+            }
+            break;
+        }
+    }
+
+    if (pcaplist->pcap_thread->callback_invalid) {
+        if (packet->state == PCAP_THREAD_PACKET_OK)
+            packet->state = PCAP_THREAD_PACKET_INVALID;
+        if (release_frag)
+            pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, payload, length);
+        else
+            pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+    }
+
+    if (release_frag) {
+        pcaplist->pcap_thread->callback_ipv4_frag.release(pcaplist->ipv4_frag_ctx, packet, payload, length);
+    }
+}
+
+static void pcap_thread_callback_ipv6(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+    pcap_thread_pcaplist_t* pcaplist     = (pcap_thread_pcaplist_t*)user;
+    const u_char*           orig         = payload;
+    size_t                  origlength   = length;
+    int                     release_frag = 0;
+
+    if (!pcaplist) {
+        return;
+    }
+    if (!pcaplist->pcap_thread) {
+        return;
+    }
+    if (!packet) {
+        return;
+    }
+    if (!payload) {
+        return;
+    }
+    if (!length) {
+        return;
+    }
+
+    if (packet->have_ip6hdr) {
+        struct ip6_ext ext;
+        size_t         already_advanced = 0;
+
+        layer_trace("have_ip6hdr");
+
+        /* Check reported length for missing payload or padding */
+        if (length < packet->ip6hdr.ip6_plen) {
+            layer_trace("length < ip6_plen");
+            packet->state = PCAP_THREAD_PACKET_INVALID_IPV6;
+            if (pcaplist->pcap_thread->callback_invalid) {
+                pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+            }
+            return;
+        }
+        if (length > packet->ip6hdr.ip6_plen) {
+            layer_trace("have_ip6padding");
+            packet->ip6padding      = length - packet->ip6hdr.ip6_plen;
+            packet->have_ip6padding = 1;
+            length -= packet->ip6padding;
+        }
+
+        ext.ip6e_nxt = packet->ip6hdr.ip6_nxt;
+        ext.ip6e_len = 0;
+        while (ext.ip6e_nxt != IPPROTO_NONE
+               && ext.ip6e_nxt != IPPROTO_GRE
+               && ext.ip6e_nxt != IPPROTO_ICMPV6
+               && ext.ip6e_nxt != IPPROTO_UDP
+               && ext.ip6e_nxt != IPPROTO_TCP) {
+            packet->state = PCAP_THREAD_PACKET_INVALID_IPV6HDR;
+
+            /*
+             * Advance to the start of next header, this may not be needed
+             * if it's the first header or if the header is supported.
+             */
+            if (ext.ip6e_len) {
+                if (ext.ip6e_len < already_advanced) {
+                    /* Header length is invalid */
+                    layer_trace("ip6hdr invalid");
+                    break;
+                }
+                /* Advance if not already there */
+                else if (ext.ip6e_len > already_advanced) {
+                    advancexb((ext.ip6e_len - already_advanced) * 8, payload, length);
+                }
+                already_advanced = 0;
+            } else if (already_advanced) {
+                /* Already advanced but header has no length */
+                layer_trace("ip6hdr already advanced");
+                break;
+            }
+
+            /* TODO: Store IPv6 headers? */
+
+            /* Handle supported headers */
+            if (ext.ip6e_nxt == IPPROTO_FRAGMENT) {
+                if (packet->have_ip6frag) {
+                    layer_trace("dup ip6frag");
+                    break;
+                }
+                layer_trace("ip6frag");
+                need8(ext.ip6e_nxt, payload, length);
+                need8(packet->ip6frag.ip6f_reserved, payload, length);
+                need16(packet->ip6frag.ip6f_offlg, payload, length);
+                need32(packet->ip6frag.ip6f_ident, payload, length);
+                packet->have_ip6frag = 1;
+                ext.ip6e_len         = 1;
+                already_advanced     = 1;
+            } else if (ext.ip6e_nxt == IPPROTO_ROUTING) {
+                struct ip6_rthdr rthdr;
+                struct in6_addr  rt[255];
+
+                if (packet->have_ip6rtdst) {
+                    layer_trace("dup ip6rtdst");
+                    break;
+                }
+                need8(ext.ip6e_nxt, payload, length);
+                need8(ext.ip6e_len, payload, length);
+                need8(rthdr.ip6r_type, payload, length);
+                need8(rthdr.ip6r_segleft, payload, length);
+                if (!rthdr.ip6r_type) {
+                    if (rthdr.ip6r_segleft > ext.ip6e_len)
+                        break;
+                    for (rthdr.ip6r_len = 0; rthdr.ip6r_len < ext.ip6e_len; rthdr.ip6r_len++, already_advanced += 2) {
+                        needxb(&rt[rthdr.ip6r_len], 16, payload, length);
+                    }
+                    if (!rthdr.ip6r_len || rthdr.ip6r_len != ext.ip6e_len) {
+                        break;
+                    }
+                    if (rthdr.ip6r_segleft) {
+                        packet->ip6rtdst      = rt[rthdr.ip6r_segleft];
+                        packet->have_ip6rtdst = 1;
+                    }
+                }
+            } else {
+                /* Nonsupported header */
+                layer_trace("ip6hdr?");
+                need8(ext.ip6e_nxt, payload, length);
+                need8(ext.ip6e_len, payload, length);
+            }
+
+            packet->state = PCAP_THREAD_PACKET_OK;
+
+            if (!ext.ip6e_len)
+                break;
+        }
+
+        for (; packet->state == PCAP_THREAD_PACKET_OK;) {
+            if (packet->have_ip6frag) {
+                packet->ip6frag_payload = ext.ip6e_nxt;
+
+                layer_trace("is_v6_frag");
+
+                if (pcaplist->pcap_thread->callback_ipv6_frag.reassemble) {
+                    pcap_thread_packet_t* whole_packet  = 0;
+                    const u_char*         whole_payload = 0;
+                    size_t                whole_length  = 0;
+
+                    packet->state = pcaplist->pcap_thread->callback_ipv6_frag.reassemble(pcaplist->ipv6_frag_ctx, packet, payload, length, &whole_packet, &whole_payload, &whole_length);
+
+                    /* Defragmentation failed some how, we return packet as invalid */
+                    if (packet->state != PCAP_THREAD_PACKET_OK) {
+                        break;
+                    }
+
+                    /* No whole/defragmented packet return, need more */
+                    if (!whole_packet || !whole_payload || !whole_length) {
+                        return;
+                    }
+
+                    layer_tracef("v6_reasm %p %p %lu", whole_packet, whole_payload, whole_length);
+
+                    packet       = whole_packet;
+                    payload      = whole_payload;
+                    length       = whole_length;
+                    release_frag = 1;
+                } else {
+                    /*
+                     * Mark packet as fragment and send it to the next user
+                     * layer (if any) or return it as invalid.
+                     */
+                    packet->state = PCAP_THREAD_PACKET_IS_FRAGMENT;
+
+                    switch (ext.ip6e_nxt) {
+                    case IPPROTO_GRE:
+                        layer_trace("ipproto_gre frag");
+
+                        if (!packet->ip6frag.ip6f_offlg) {
+                            for (;;) {
+                                packet->state = PCAP_THREAD_PACKET_FRAGMENTED_GREHDR;
+                                need16(packet->grehdr.gre_flags, payload, length);
+                                need16(packet->grehdr.ether_type, payload, length);
+                                packet->state       = PCAP_THREAD_PACKET_IS_FRAGMENT;
+                                packet->have_grehdr = 1;
+                                break;
+                            }
+                        }
+
+                        if (pcaplist->pcap_thread->callback_gre) {
+                            pcaplist->pcap_thread->callback_gre(pcaplist->user, packet, payload, length);
+                            return;
+                        }
+                        break;
+
+                    case IPPROTO_ICMPV6:
+                        layer_trace("ipproto_icmpv6 frag");
+
+                        if (!packet->ip6frag.ip6f_offlg) {
+                            for (;;) {
+                                packet->state = PCAP_THREAD_PACKET_FRAGMENTED_ICMPV6HDR;
+                                need8(packet->icmpv6hdr.icmp6_type, payload, length);
+                                need8(packet->icmpv6hdr.icmp6_code, payload, length);
+                                need16(packet->icmpv6hdr.icmp6_cksum, payload, length);
+                                packet->state          = PCAP_THREAD_PACKET_IS_FRAGMENT;
+                                packet->have_icmpv6hdr = 1;
+                                break;
+                            }
+                        }
+
+                        if (pcaplist->pcap_thread->callback_icmpv6) {
+                            pcaplist->pcap_thread->callback_icmpv6(pcaplist->user, packet, payload, length);
+                            return;
+                        }
+                        break;
+
+                    case IPPROTO_UDP:
+                        layer_trace("ipproto_udp frag");
+
+                        if (!packet->ip6frag.ip6f_offlg) {
+                            for (;;) {
+                                packet->state = PCAP_THREAD_PACKET_FRAGMENTED_UDPHDR;
+                                need16(packet->udphdr.uh_sport, payload, length);
+                                need16(packet->udphdr.uh_dport, payload, length);
+                                need16(packet->udphdr.uh_ulen, payload, length);
+                                need16(packet->udphdr.uh_sum, payload, length);
+                                packet->state       = PCAP_THREAD_PACKET_IS_FRAGMENT;
+                                packet->have_udphdr = 1;
+                                break;
+                            }
+                        }
+
+                        if (pcaplist->pcap_thread->callback_udp) {
+                            pcaplist->pcap_thread->callback_udp(pcaplist->user, packet, payload, length);
+                            return;
+                        }
+                        break;
+
+                    case IPPROTO_TCP:
+                        layer_trace("ipproto_tcp frag");
+
+                        if (!packet->ip6frag.ip6f_offlg) {
+                            for (;;) {
+                                packet->state = PCAP_THREAD_PACKET_FRAGMENTED_TCPHDR;
+                                need16(packet->tcphdr.th_sport, payload, length);
+                                need16(packet->tcphdr.th_dport, payload, length);
+                                need32(packet->tcphdr.th_seq, payload, length);
+                                need32(packet->tcphdr.th_ack, payload, length);
+                                need4x2(packet->tcphdr.th_off, packet->tcphdr.th_x2, payload, length);
+                                need8(packet->tcphdr.th_flags, payload, length);
+                                need16(packet->tcphdr.th_win, payload, length);
+                                need16(packet->tcphdr.th_sum, payload, length);
+                                need16(packet->tcphdr.th_urp, payload, length);
+                                if (packet->tcphdr.th_off > 5) {
+                                    packet->tcpopts_len = (packet->tcphdr.th_off - 5) * 4;
+                                    needxb(&(packet->tcpopts[0]), packet->tcpopts_len, payload, length);
+                                    packet->have_tcpopts = 1;
+                                }
+                                packet->state       = PCAP_THREAD_PACKET_IS_FRAGMENT;
+                                packet->have_tcphdr = 1;
+                                break;
+                            }
+                        }
+
+                        if (pcaplist->pcap_thread->callback_tcp) {
+                            pcaplist->pcap_thread->callback_tcp(pcaplist->user, packet, payload, length);
+                            return;
+                        }
+                        break;
+
+                    default:
+                        break;
+                    }
+                    break;
+                }
+            }
+
+            switch (ext.ip6e_nxt) {
+            case IPPROTO_GRE:
+                if (packet->have_grehdr)
+                    break;
+
+                packet->state = PCAP_THREAD_PACKET_INVALID_GRE;
+                need16(packet->grehdr.gre_flags, payload, length);
+                need16(packet->grehdr.ether_type, payload, length);
+                packet->state       = PCAP_THREAD_PACKET_OK;
+                packet->have_grehdr = 1;
+
+                if (pcaplist->pcap_thread->callback_gre)
+                    pcaplist->pcap_thread->callback_gre(pcaplist->user, packet, payload, length);
+                else
+                    pcap_thread_callback_gre((void*)pcaplist, packet, payload, length);
+
+                if (release_frag) {
+                    pcaplist->pcap_thread->callback_ipv6_frag.release(pcaplist->ipv6_frag_ctx, packet, payload, length);
+                }
+                return;
+
+            case IPPROTO_ICMPV6:
+                layer_trace("ipproto_icmpv6");
+
+                if (packet->have_icmpv6hdr)
+                    break;
+
+                packet->state = PCAP_THREAD_PACKET_INVALID_ICMPV6;
+                need8(packet->icmpv6hdr.icmp6_type, payload, length);
+                need8(packet->icmpv6hdr.icmp6_code, payload, length);
+                need16(packet->icmpv6hdr.icmp6_cksum, payload, length);
+                packet->state          = PCAP_THREAD_PACKET_OK;
+                packet->have_icmpv6hdr = 1;
+
+                if (pcaplist->pcap_thread->callback_icmpv6)
+                    pcaplist->pcap_thread->callback_icmpv6(pcaplist->user, packet, payload, length);
+                else
+                    pcap_thread_callback_icmpv6((void*)pcaplist, packet, payload, length);
+
+                if (release_frag) {
+                    pcaplist->pcap_thread->callback_ipv6_frag.release(pcaplist->ipv6_frag_ctx, packet, payload, length);
+                }
+                return;
+
+            case IPPROTO_UDP:
+                if (packet->have_udphdr)
+                    break;
+
+                packet->state = PCAP_THREAD_PACKET_INVALID_UDP;
+                need16(packet->udphdr.uh_sport, payload, length);
+                need16(packet->udphdr.uh_dport, payload, length);
+                need16(packet->udphdr.uh_ulen, payload, length);
+                need16(packet->udphdr.uh_sum, payload, length);
+                packet->state       = PCAP_THREAD_PACKET_OK;
+                packet->have_udphdr = 1;
+
+                if (pcaplist->pcap_thread->callback_udp)
+                    pcaplist->pcap_thread->callback_udp(pcaplist->user, packet, payload, length);
+                else
+                    pcap_thread_callback_udp((void*)pcaplist, packet, payload, length);
+
+                if (release_frag) {
+                    pcaplist->pcap_thread->callback_ipv6_frag.release(pcaplist->ipv6_frag_ctx, packet, payload, length);
+                }
+                return;
+
+            case IPPROTO_TCP:
+                if (packet->have_tcphdr)
+                    break;
+
+                packet->state = PCAP_THREAD_PACKET_INVALID_TCP;
+                need16(packet->tcphdr.th_sport, payload, length);
+                need16(packet->tcphdr.th_dport, payload, length);
+                need32(packet->tcphdr.th_seq, payload, length);
+                need32(packet->tcphdr.th_ack, payload, length);
+                need4x2(packet->tcphdr.th_off, packet->tcphdr.th_x2, payload, length);
+                need8(packet->tcphdr.th_flags, payload, length);
+                need16(packet->tcphdr.th_win, payload, length);
+                need16(packet->tcphdr.th_sum, payload, length);
+                need16(packet->tcphdr.th_urp, payload, length);
+                if (packet->tcphdr.th_off > 5) {
+                    packet->tcpopts_len = (packet->tcphdr.th_off - 5) * 4;
+                    needxb(&(packet->tcpopts[0]), packet->tcpopts_len, payload, length);
+                    packet->have_tcpopts = 1;
+                }
+                packet->state       = PCAP_THREAD_PACKET_OK;
+                packet->have_tcphdr = 1;
+
+                if (pcaplist->pcap_thread->callback_tcp)
+                    pcaplist->pcap_thread->callback_tcp(pcaplist->user, packet, payload, length);
+                else
+                    pcap_thread_callback_tcp((void*)pcaplist, packet, payload, length);
+
+                if (release_frag) {
+                    pcaplist->pcap_thread->callback_ipv6_frag.release(pcaplist->ipv6_frag_ctx, packet, payload, length);
+                }
+                return;
+
+            default:
+                packet->state = PCAP_THREAD_PACKET_UNSUPPORTED;
+                break;
+            }
+            break;
+        }
+    }
+
+    if (pcaplist->pcap_thread->callback_invalid) {
+        if (packet->state == PCAP_THREAD_PACKET_OK)
+            packet->state = PCAP_THREAD_PACKET_INVALID;
+        if (release_frag)
+            pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, payload, length);
+        else
+            pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+    }
+
+    if (release_frag) {
+        pcaplist->pcap_thread->callback_ipv6_frag.release(pcaplist->ipv6_frag_ctx, packet, payload, length);
+    }
+}
+
+static void pcap_thread_callback_icmp(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+    pcap_thread_pcaplist_t* pcaplist   = (pcap_thread_pcaplist_t*)user;
+    const u_char*           orig       = payload;
+    size_t                  origlength = length;
+
+    if (!pcaplist) {
+        return;
+    }
+    if (!pcaplist->pcap_thread) {
+        return;
+    }
+    if (!packet) {
+        return;
+    }
+    if (!payload) {
+        return;
+    }
+    if (!length) {
+        return;
+    }
+
+    /* TODO: Higher layer support? */
+    packet->state = PCAP_THREAD_PACKET_UNPROCESSED;
+
+    if (pcaplist->pcap_thread->callback_invalid) {
+        if (packet->state == PCAP_THREAD_PACKET_OK)
+            packet->state = PCAP_THREAD_PACKET_INVALID;
+        pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+    }
+}
+
+static void pcap_thread_callback_icmpv6(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+    pcap_thread_pcaplist_t* pcaplist   = (pcap_thread_pcaplist_t*)user;
+    const u_char*           orig       = payload;
+    size_t                  origlength = length;
+
+    if (!pcaplist) {
+        return;
+    }
+    if (!pcaplist->pcap_thread) {
+        return;
+    }
+    if (!packet) {
+        return;
+    }
+    if (!payload) {
+        return;
+    }
+    if (!length) {
+        return;
+    }
+
+    /* TODO: Higher layer support? */
+    packet->state = PCAP_THREAD_PACKET_UNPROCESSED;
+
+    if (pcaplist->pcap_thread->callback_invalid) {
+        if (packet->state == PCAP_THREAD_PACKET_OK)
+            packet->state = PCAP_THREAD_PACKET_INVALID;
+        pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+    }
+}
+
+static void pcap_thread_callback_udp(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+    pcap_thread_pcaplist_t* pcaplist   = (pcap_thread_pcaplist_t*)user;
+    const u_char*           orig       = payload;
+    size_t                  origlength = length;
+
+    if (!pcaplist) {
+        return;
+    }
+    if (!pcaplist->pcap_thread) {
+        return;
+    }
+    if (!packet) {
+        return;
+    }
+    if (!payload) {
+        return;
+    }
+    if (!length) {
+        return;
+    }
+
+    /* TODO: Higher layer support? */
+    packet->state = PCAP_THREAD_PACKET_UNPROCESSED;
+
+    if (pcaplist->pcap_thread->callback_invalid) {
+        if (packet->state == PCAP_THREAD_PACKET_OK)
+            packet->state = PCAP_THREAD_PACKET_INVALID;
+        pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+    }
+}
+
+static void pcap_thread_callback_tcp(u_char* user, pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+    pcap_thread_pcaplist_t* pcaplist   = (pcap_thread_pcaplist_t*)user;
+    const u_char*           orig       = payload;
+    size_t                  origlength = length;
+
+    if (!pcaplist) {
+        return;
+    }
+    if (!pcaplist->pcap_thread) {
+        return;
+    }
+    if (!packet) {
+        return;
+    }
+    if (!payload) {
+        return;
+    }
+    if (!length) {
+        return;
+    }
+
+    /* TODO: Higher layer support? */
+    packet->state = PCAP_THREAD_PACKET_UNPROCESSED;
+
+    if (pcaplist->pcap_thread->callback_invalid) {
+        if (packet->state == PCAP_THREAD_PACKET_OK)
+            packet->state = PCAP_THREAD_PACKET_INVALID;
+        pcaplist->pcap_thread->callback_invalid(pcaplist->user, packet, orig, origlength);
+    }
+}
+
+/*
+ * Open/Close
+ */
+
+static pcap_thread_pcaplist_t _pcaplist_defaults = PCAP_THREAD_PCAPLIST_T_INIT;
+
+int pcap_thread_open(pcap_thread_t* pcap_thread, const char* device, void* user)
+{
+    pcap_t*                 pcap;
+    pcap_thread_pcaplist_t* pcaplist;
+    int                     snapshot;
+
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (!device) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    if (pcap_thread->errbuf[0]) {
+        memset(pcap_thread->errbuf, 0, sizeof(pcap_thread->errbuf));
+    }
+    pcap_thread->status = 0;
+
+    if (!(pcaplist = malloc(sizeof(pcap_thread_pcaplist_t)))) {
+        return PCAP_THREAD_ENOMEM;
+    }
+    memcpy(pcaplist, &_pcaplist_defaults, sizeof(pcap_thread_pcaplist_t));
+    if (!(pcaplist->name = strdup(device))) {
+        free(pcaplist);
+        return PCAP_THREAD_ENOMEM;
+    }
+
+#ifdef HAVE_PCAP_CREATE
+    if (!(pcap = pcap_create(pcaplist->name, pcap_thread->errbuf))) {
+        free(pcaplist->name);
+        free(pcaplist);
+        return PCAP_THREAD_EPCAP;
+    }
+
+    if (pcap_thread->monitor) {
+        pcap_thread->status = pcap_can_set_rfmon(pcap);
+        if (pcap_thread->status == 0) {
+            pcap_close(pcap);
+            free(pcaplist->name);
+            free(pcaplist);
+            return PCAP_THREAD_ENOMON;
+        }
+        if (pcap_thread->status != 1) {
+            pcap_close(pcap);
+            free(pcaplist->name);
+            free(pcaplist);
+            PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_can_set_rfmon()");
+            return PCAP_THREAD_EPCAP;
+        }
+    }
+
+#ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
+    if (pcap_thread->have_timestamp_precision && (pcap_thread->status = pcap_set_tstamp_precision(pcap, pcap_thread->timestamp_precision))) {
+        pcap_close(pcap);
+        free(pcaplist->name);
+        free(pcaplist);
+        PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_set_tstamp_precision()");
+        return PCAP_THREAD_EPCAP;
+    }
+#endif
+#ifdef HAVE_PCAP_SET_IMMEDIATE_MODE
+    if (pcap_thread->immediate_mode && (pcap_thread->status = pcap_set_immediate_mode(pcap, 1))) {
+        pcap_close(pcap);
+        free(pcaplist->name);
+        free(pcaplist);
+        PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_set_immediate_mode()");
+        return PCAP_THREAD_EPCAP;
+    }
+#endif
+
+    if (pcap_thread->monitor && (pcap_thread->status = pcap_set_rfmon(pcap, 1))) {
+        pcap_close(pcap);
+        free(pcaplist->name);
+        free(pcaplist);
+        PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_set_rfmon()");
+        return PCAP_THREAD_EPCAP;
+    }
+    if (pcap_thread->snaplen && (pcap_thread->status = pcap_set_snaplen(pcap, pcap_thread->snaplen))) {
+        pcap_close(pcap);
+        free(pcaplist->name);
+        free(pcaplist);
+        PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_set_snaplen()");
+        return PCAP_THREAD_EPCAP;
+    }
+    if (pcap_thread->promiscuous && (pcap_thread->status = pcap_set_promisc(pcap, pcap_thread->promiscuous))) {
+        pcap_close(pcap);
+        free(pcaplist->name);
+        free(pcaplist);
+        PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_set_promisc()");
+        return PCAP_THREAD_EPCAP;
+    }
+    if (pcap_thread->timeout && (pcap_thread->status = pcap_set_timeout(pcap, pcap_thread->timeout))) {
+        pcap_close(pcap);
+        free(pcaplist->name);
+        free(pcaplist);
+        PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_set_timeout()");
+        return PCAP_THREAD_EPCAP;
+    }
+    if (pcap_thread->buffer_size && (pcap_thread->status = pcap_set_buffer_size(pcap, pcap_thread->buffer_size))) {
+        pcap_close(pcap);
+        free(pcaplist->name);
+        free(pcaplist);
+        PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_set_buffer_size()");
+        return PCAP_THREAD_EPCAP;
+    }
+
+#ifdef HAVE_PCAP_SET_TSTAMP_TYPE
+    if (pcap_thread->have_timestamp_type && (pcap_thread->status = pcap_set_tstamp_type(pcap, pcap_thread->timestamp_type))) {
+        pcap_close(pcap);
+        free(pcaplist->name);
+        free(pcaplist);
+        PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_set_tstamp_type()");
+        return PCAP_THREAD_EPCAP;
+    }
+#endif
+
+    if (pcap_thread->activate_mode == PCAP_THREAD_ACTIVATE_MODE_IMMEDIATE) {
+        if ((pcap_thread->status = pcap_activate(pcap))) {
+            pcap_close(pcap);
+            free(pcaplist->name);
+            free(pcaplist);
+            PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_activate()");
+            return PCAP_THREAD_EPCAP;
+        }
+
+#ifdef HAVE_PCAP_SETDIRECTION
+#ifdef HAVE_PCAP_DIRECTION_T
+        if (pcap_thread->have_direction && (pcap_thread->status = pcap_setdirection(pcap, pcap_thread->direction))) {
+            pcap_close(pcap);
+            free(pcaplist->name);
+            free(pcaplist);
+            PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_setdirection()");
+            return PCAP_THREAD_EPCAP;
+        }
+#endif
+#endif
+    }
+#else /* HAVE_PCAP_CREATE */
+    if (!(pcap = pcap_open_live(pcaplist->name, pcap_thread->snaplen, pcap_thread->promiscuous, pcap_thread->timeout, pcap_thread->errbuf))) {
+        free(pcaplist->name);
+        free(pcaplist);
+        return PCAP_THREAD_EPCAP;
+    }
+#endif
+
+    if (pcap_thread->activate_mode == PCAP_THREAD_ACTIVATE_MODE_IMMEDIATE) {
+        if (pcap_thread->filter) {
+            if ((pcap_thread->status = pcap_compile(pcap, &(pcaplist->bpf), pcap_thread->filter, pcap_thread->filter_optimize, pcap_thread->filter_netmask))) {
+                pcap_close(pcap);
+                free(pcaplist->name);
+                free(pcaplist);
+                PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_compile()");
+                return PCAP_THREAD_EPCAP;
+            }
+            pcaplist->have_bpf        = 1;
+            pcap_thread->filter_errno = 0;
+            errno                     = 0;
+            if ((pcap_thread->status = pcap_setfilter(pcap, &(pcaplist->bpf)))) {
+                pcap_freecode(&(pcaplist->bpf));
+                pcap_close(pcap);
+                free(pcaplist->name);
+                free(pcaplist);
+                PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_setfilter()");
+                return PCAP_THREAD_EPCAP;
+            }
+            pcap_thread->filter_errno = errno;
+        }
+
+        if ((snapshot = pcap_snapshot(pcap)) < 0) {
+            pcap_thread->status = snapshot;
+            if (pcaplist->have_bpf)
+                pcap_freecode(&(pcaplist->bpf));
+            pcap_close(pcap);
+            free(pcaplist->name);
+            free(pcaplist);
+            PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_snapshot()");
+            return PCAP_THREAD_EPCAP;
+        }
+        if (snapshot > pcap_thread->snapshot) {
+            pcap_thread->snapshot = snapshot;
+        }
+    }
+
+    pcaplist->pcap = pcap;
+    pcaplist->user = user;
+    if (pcap_thread->callback_ipv4_frag.new) {
+        pcaplist->ipv4_frag_ctx      = pcap_thread->callback_ipv4_frag.new(pcap_thread->callback_ipv4_frag.conf, user);
+        pcaplist->have_ipv4_frag_ctx = 1;
+    }
+    if (pcap_thread->callback_ipv6_frag.new) {
+        pcaplist->ipv6_frag_ctx      = pcap_thread->callback_ipv6_frag.new(pcap_thread->callback_ipv6_frag.conf, user);
+        pcaplist->have_ipv6_frag_ctx = 1;
+    }
+    if (pcap_thread->pcaplist) {
+        pcaplist->next = pcap_thread->pcaplist;
+    }
+    pcap_thread->pcaplist = pcaplist;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_open_offline(pcap_thread_t* pcap_thread, const char* file, void* user)
+{
+    pcap_t*                 pcap;
+    pcap_thread_pcaplist_t* pcaplist;
+    int                     snapshot;
+
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (!file) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    if (pcap_thread->errbuf[0]) {
+        memset(pcap_thread->errbuf, 0, sizeof(pcap_thread->errbuf));
+    }
+    pcap_thread->status = 0;
+
+    if (!(pcaplist = malloc(sizeof(pcap_thread_pcaplist_t)))) {
+        return PCAP_THREAD_ENOMEM;
+    }
+    memcpy(pcaplist, &_pcaplist_defaults, sizeof(pcap_thread_pcaplist_t));
+    pcaplist->is_offline = 1;
+    if (!(pcaplist->name = strdup(file))) {
+        free(pcaplist);
+        return PCAP_THREAD_ENOMEM;
+    }
+
+#ifdef HAVE_PCAP_OPEN_OFFLINE_WITH_TSTAMP_PRECISION
+    if (pcap_thread->have_timestamp_precision) {
+        if (!(pcap = pcap_open_offline_with_tstamp_precision(pcaplist->name, pcap_thread->timestamp_precision, pcap_thread->errbuf))) {
+            free(pcaplist->name);
+            free(pcaplist);
+            return PCAP_THREAD_EPCAP;
+        }
+    } else
+#endif
+    {
+        if (!(pcap = pcap_open_offline(pcaplist->name, pcap_thread->errbuf))) {
+            free(pcaplist->name);
+            free(pcaplist);
+            return PCAP_THREAD_EPCAP;
+        }
+    }
+
+    if (pcap_thread->filter) {
+        if ((pcap_thread->status = pcap_compile(pcap, &(pcaplist->bpf), pcap_thread->filter, pcap_thread->filter_optimize, pcap_thread->filter_netmask))) {
+            pcap_close(pcap);
+            free(pcaplist->name);
+            free(pcaplist);
+            PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_compile()");
+            return PCAP_THREAD_EPCAP;
+        }
+        pcaplist->have_bpf        = 1;
+        pcap_thread->filter_errno = 0;
+        errno                     = 0;
+        if ((pcap_thread->status = pcap_setfilter(pcap, &(pcaplist->bpf)))) {
+            pcap_freecode(&(pcaplist->bpf));
+            pcap_close(pcap);
+            free(pcaplist->name);
+            free(pcaplist);
+            PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_setfilter()");
+            return PCAP_THREAD_EPCAP;
+        }
+        pcap_thread->filter_errno = errno;
+    }
+
+    if ((snapshot = pcap_snapshot(pcap)) < 0) {
+        pcap_thread->status = snapshot;
+        if (pcaplist->have_bpf)
+            pcap_freecode(&(pcaplist->bpf));
+        pcap_close(pcap);
+        free(pcaplist->name);
+        free(pcaplist);
+        PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_snapshot()");
+        return PCAP_THREAD_EPCAP;
+    }
+    if (snapshot > pcap_thread->snapshot) {
+        pcap_thread->snapshot = snapshot;
+    }
+
+    pcaplist->pcap = pcap;
+    pcaplist->user = user;
+    if (pcap_thread->callback_ipv4_frag.new) {
+        pcaplist->ipv4_frag_ctx      = pcap_thread->callback_ipv4_frag.new(pcap_thread->callback_ipv4_frag.conf, user);
+        pcaplist->have_ipv4_frag_ctx = 1;
+    }
+    if (pcap_thread->callback_ipv6_frag.new) {
+        pcaplist->ipv6_frag_ctx      = pcap_thread->callback_ipv6_frag.new(pcap_thread->callback_ipv6_frag.conf, user);
+        pcaplist->have_ipv6_frag_ctx = 1;
+    }
+    if (pcap_thread->pcaplist) {
+        pcaplist->next = pcap_thread->pcaplist;
+    }
+    pcap_thread->pcaplist = pcaplist;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_add(pcap_thread_t* pcap_thread, const char* name, pcap_t* pcap, void* user)
+{
+    (void)pcap_thread;
+    (void)name;
+    (void)pcap;
+    (void)user;
+
+    if (pcap_thread->errbuf[0]) {
+        memset(pcap_thread->errbuf, 0, sizeof(pcap_thread->errbuf));
+    }
+    pcap_thread->status = 0;
+
+    return PCAP_THREAD_EOBSOLETE;
+}
+
+int pcap_thread_activate(pcap_thread_t* pcap_thread)
+{
+    pcap_thread_pcaplist_t* pcaplist;
+    int                     snapshot;
+
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    if (pcap_thread->errbuf[0]) {
+        memset(pcap_thread->errbuf, 0, sizeof(pcap_thread->errbuf));
+    }
+    pcap_thread->status = 0;
+
+    pcap_thread->filter_errno = 0;
+    for (pcaplist = pcap_thread->pcaplist; pcaplist; pcaplist = pcaplist->next) {
+        if (pcaplist->is_offline) {
+            continue;
+        }
+
+#ifdef HAVE_PCAP_ACTIVATE
+        if ((pcap_thread->status = pcap_activate(pcaplist->pcap))) {
+            PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_activate()");
+            return PCAP_THREAD_EPCAP;
+        }
+#endif
+
+#ifdef HAVE_PCAP_SETDIRECTION
+#ifdef HAVE_PCAP_DIRECTION_T
+        if (pcap_thread->have_direction && (pcap_thread->status = pcap_setdirection(pcaplist->pcap, pcap_thread->direction))) {
+            PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_setdirection()");
+            return PCAP_THREAD_EPCAP;
+        }
+#endif
+#endif
+
+        if (pcap_thread->filter) {
+            if (pcaplist->have_bpf)
+                pcap_freecode(&(pcaplist->bpf));
+            if ((pcap_thread->status = pcap_compile(pcaplist->pcap, &(pcaplist->bpf), pcap_thread->filter, pcap_thread->filter_optimize, pcap_thread->filter_netmask))) {
+                PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_compile()");
+                return PCAP_THREAD_EPCAP;
+            }
+            pcaplist->have_bpf = 1;
+            errno              = 0;
+            if ((pcap_thread->status = pcap_setfilter(pcaplist->pcap, &(pcaplist->bpf)))) {
+                PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_setfilter()");
+                return PCAP_THREAD_EPCAP;
+            }
+            if (errno && !pcap_thread->filter_errno)
+                pcap_thread->filter_errno = errno;
+        }
+
+        if ((snapshot = pcap_snapshot(pcaplist->pcap)) < 0) {
+            pcap_thread->status = snapshot;
+            PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_snapshot()");
+            return PCAP_THREAD_EPCAP;
+        }
+        if (snapshot > pcap_thread->snapshot) {
+            pcap_thread->snapshot = snapshot;
+        }
+    }
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_close(pcap_thread_t* pcap_thread)
+{
+    pcap_thread_pcaplist_t* pcaplist;
+
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    while (pcap_thread->pcaplist) {
+        pcaplist              = pcap_thread->pcaplist;
+        pcap_thread->pcaplist = pcaplist->next;
+
+        if (pcap_thread->callback_ipv4_frag.free && pcaplist->have_ipv4_frag_ctx) {
+            pcap_thread->callback_ipv4_frag.free(pcaplist->ipv4_frag_ctx);
+        }
+        if (pcap_thread->callback_ipv6_frag.free && pcaplist->have_ipv6_frag_ctx) {
+            pcap_thread->callback_ipv6_frag.free(pcaplist->ipv6_frag_ctx);
+        }
+
+        if (pcaplist->pcap) {
+            pcap_close(pcaplist->pcap);
+        }
+        if (pcaplist->have_bpf) {
+            pcap_freecode(&(pcaplist->bpf));
+        }
+        if (pcaplist->name) {
+            free(pcaplist->name);
+        }
+        free(pcaplist);
+    }
+    pcap_thread->step = 0;
+
+#ifdef HAVE_PTHREAD
+    if (pcap_thread->pkthdr) {
+        free(pcap_thread->pkthdr);
+        pcap_thread->pkthdr = 0;
+    }
+    if (pcap_thread->pkt) {
+        free(pcap_thread->pkt);
+        pcap_thread->pkt = 0;
+    }
+    if (pcap_thread->pcaplist_pkt) {
+        free(pcap_thread->pcaplist_pkt);
+        pcap_thread->pcaplist_pkt = 0;
+    }
+#endif
+
+    return PCAP_THREAD_OK;
+}
+
+/*
+ * Engine
+ */
+
+#ifdef HAVE_PTHREAD
+static void _callback(u_char* user, const struct pcap_pkthdr* pkthdr, const u_char* pkt)
+{
+    pcap_thread_pcaplist_t* pcaplist;
+    pcap_thread_t*          pcap_thread;
+
+    pthread_testcancel();
+
+    if (!user) {
+        return;
+    }
+    pcaplist = (pcap_thread_pcaplist_t*)user;
+
+    if (!pcaplist->pcap_thread) {
+        pcaplist->running = 0;
+        return;
+    }
+    pcap_thread = pcaplist->pcap_thread;
+
+    if (pkthdr->caplen > pcap_thread->snapshot) {
+        if (pcap_thread->dropback) {
+            pcap_thread->dropback(pcaplist->user, pkthdr, pkt, pcaplist->name, pcap_datalink(pcaplist->pcap));
+        }
+        return;
+    }
+
+    if (pcap_thread->queue_mode == PCAP_THREAD_QUEUE_MODE_DIRECT) {
+        if (pcap_thread->callback) {
+            pcap_thread->callback(pcaplist->user, pkthdr, pkt, pcaplist->name, pcap_datalink(pcaplist->pcap));
+        } else if (pcaplist->layer_callback) {
+            pcaplist->layer_callback((void*)pcaplist, pkthdr, pkt, pcaplist->name, pcap_datalink(pcaplist->pcap));
+        } else if (pcap_thread->dropback) {
+            pcap_thread->dropback(pcaplist->user, pkthdr, pkt, pcaplist->name, pcap_datalink(pcaplist->pcap));
+        }
+        return;
+    }
+
+    if (pthread_mutex_lock(&(pcap_thread->mutex))) {
+        if (pcap_thread->dropback) {
+            pcap_thread->dropback(pcaplist->user, pkthdr, pkt, pcaplist->name, pcap_datalink(pcaplist->pcap));
+        }
+        return;
+    }
+
+    while (pcaplist->running && pcap_thread->running) {
+        if (pcap_thread->pkts < pcap_thread->queue_size) {
+            pcap_thread->pcaplist_pkt[pcap_thread->write_pos] = pcaplist;
+            memcpy(&(pcap_thread->pkthdr[pcap_thread->write_pos]), pkthdr, sizeof(struct pcap_pkthdr));
+            memcpy(&(pcap_thread->pkt[pcap_thread->write_pos * pcap_thread->snapshot]), pkt, pkthdr->caplen);
+            pcap_thread->write_pos++;
+            if (pcap_thread->write_pos == pcap_thread->queue_size) {
+                pcap_thread->write_pos = 0;
+            }
+            pcap_thread->pkts++;
+
+            pthread_cond_signal(&(pcap_thread->have_packets));
+            break;
+        }
+
+        if (pthread_cond_wait(&(pcap_thread->can_write), &(pcap_thread->mutex))) {
+            pcaplist->running = 0;
+            pcap_breakloop(pcaplist->pcap);
+            return;
+        }
+        continue;
+    }
+
+    if (pthread_mutex_unlock(&(pcap_thread->mutex))) {
+        pcaplist->running = 0;
+        pcap_breakloop(pcaplist->pcap);
+        return;
+    }
+}
+
+static void* _thread(void* vp)
+{
+    pcap_thread_pcaplist_t* pcaplist;
+    int                     ret = 0;
+
+    /*pthread_detach(pthread_self());*/
+
+    if (!vp) {
+        return 0;
+    }
+    pcaplist = (pcap_thread_pcaplist_t*)vp;
+
+    if (!pcaplist->pcap_thread) {
+        pcaplist->running = 0;
+        return 0;
+    }
+
+    /*
+     * pcap_loop() might return -2 to indicate pcap_breakloop() was called
+     * but we do not need to act on that because either this thread has
+     * been cancelled or running has been cleared
+     */
+    while (pcaplist->running) {
+        pthread_testcancel();
+        ret = pcap_loop(pcaplist->pcap, -1, _callback, (u_char*)pcaplist);
+        if (ret == -1) {
+            /* TODO: Store pcap_loop() error */
+            break;
+        }
+        if (!ret)
+            break;
+    }
+
+    pcaplist->running = 0;
+
+    pthread_mutex_lock(&(pcaplist->pcap_thread->mutex));
+    pthread_cond_signal(&(pcaplist->pcap_thread->have_packets));
+    pthread_mutex_unlock(&(pcaplist->pcap_thread->mutex));
+
+    return 0;
+}
+#endif
+
+static void _callback2(u_char* user, const struct pcap_pkthdr* pkthdr, const u_char* pkt)
+{
+    pcap_thread_pcaplist_t* pcaplist;
+
+    if (!user) {
+        return;
+    }
+    pcaplist = (pcap_thread_pcaplist_t*)user;
+
+    if (!pcaplist->pcap_thread) {
+        pcaplist->running = 0;
+        return;
+    }
+    if (pcaplist->pcap_thread->callback) {
+        pcaplist->pcap_thread->callback(pcaplist->user, pkthdr, pkt, pcaplist->name, pcap_datalink(pcaplist->pcap));
+    } else if (pcaplist->layer_callback) {
+        pcaplist->layer_callback((void*)pcaplist, pkthdr, pkt, pcaplist->name, pcap_datalink(pcaplist->pcap));
+    } else {
+        pcaplist->running = 0;
+    }
+}
+
+int pcap_thread_run(pcap_thread_t* pcap_thread)
+{
+    pcap_thread_pcaplist_t* pcaplist;
+    int                     run = 1, timedrun = 0;
+    struct timeval          start = { 0, 0 };
+    struct timespec         end   = { 0, 0 };
+
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (!pcap_thread->pcaplist) {
+        return PCAP_THREAD_NOPCAPS;
+    }
+    if (!pcap_thread->callback && !pcap_thread->use_layers) {
+        return PCAP_THREAD_NOCALLBACK;
+    }
+    if (pcap_thread->use_layers
+        && !(pcap_thread->callback_linux_sll
+               || pcap_thread->callback_ether
+               || pcap_thread->callback_null
+               || pcap_thread->callback_loop
+               || pcap_thread->callback_ieee802
+               || pcap_thread->callback_gre
+               || pcap_thread->callback_ip
+               || pcap_thread->callback_ipv4
+               || pcap_thread->callback_ipv6
+               || pcap_thread->callback_icmp
+               || pcap_thread->callback_icmpv6
+               || pcap_thread->callback_udp
+               || pcap_thread->callback_tcp)) {
+        return PCAP_THREAD_NOCALLBACK;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+
+    if (pcap_thread->errbuf[0]) {
+        memset(pcap_thread->errbuf, 0, sizeof(pcap_thread->errbuf));
+    }
+    pcap_thread->status = 0;
+
+    if (pcap_thread->timedrun.tv_sec || pcap_thread->timedrun.tv_usec) {
+        timedrun = 1;
+        if (gettimeofday(&start, 0)) {
+            PCAP_THREAD_SET_ERRBUF(pcap_thread, "gettimeofday()");
+            return PCAP_THREAD_ERRNO;
+        }
+
+        end.tv_sec = start.tv_sec + pcap_thread->timedrun.tv_sec
+                     + ((start.tv_usec + pcap_thread->timedrun.tv_usec) / 1000000);
+        end.tv_nsec = ((start.tv_usec + pcap_thread->timedrun.tv_usec) % 1000000) * 1000;
+    } else if (pcap_thread->timedrun_to.tv_sec) {
+        timedrun = 1;
+
+        end.tv_sec  = pcap_thread->timedrun_to.tv_sec;
+        end.tv_nsec = pcap_thread->timedrun_to.tv_usec * 1000;
+    }
+
+#ifdef HAVE_PTHREAD
+    if (pcap_thread->use_threads) {
+        int err, all_offline;
+
+        switch (pcap_thread->queue_mode) {
+        case PCAP_THREAD_QUEUE_MODE_COND:
+        case PCAP_THREAD_QUEUE_MODE_DIRECT:
+            if ((err = pthread_mutex_lock(&(pcap_thread->mutex)))) {
+                errno = err;
+                PCAP_THREAD_SET_ERRBUF(pcap_thread, "pthread_mutex_lock()");
+                return PCAP_THREAD_ERRNO;
+            }
+            break;
+        case PCAP_THREAD_QUEUE_MODE_WAIT:
+        case PCAP_THREAD_QUEUE_MODE_YIELD:
+        case PCAP_THREAD_QUEUE_MODE_DROP:
+            return PCAP_THREAD_EOBSOLETE;
+        default:
+            return PCAP_THREAD_EINVAL;
+        }
+
+        if (pcap_thread->running) {
+            pthread_mutex_unlock(&(pcap_thread->mutex));
+            return PCAP_THREAD_ERUNNING;
+        }
+
+        if (pcap_thread->pkthdr) {
+            free(pcap_thread->pkthdr);
+        }
+        if (!(pcap_thread->pkthdr = calloc(pcap_thread->queue_size, sizeof(struct pcap_pkthdr)))) {
+            pthread_mutex_unlock(&(pcap_thread->mutex));
+            return PCAP_THREAD_ENOMEM;
+        }
+
+        if (pcap_thread->pkt) {
+            free(pcap_thread->pkt);
+        }
+        if (!(pcap_thread->pkt = calloc(pcap_thread->queue_size, pcap_thread->snapshot))) {
+            pthread_mutex_unlock(&(pcap_thread->mutex));
+            return PCAP_THREAD_ENOMEM;
+        }
+
+        if (pcap_thread->pcaplist_pkt) {
+            free(pcap_thread->pcaplist_pkt);
+        }
+        if (!(pcap_thread->pcaplist_pkt = calloc(pcap_thread->queue_size, sizeof(pcap_thread_pcaplist_t*)))) {
+            pthread_mutex_unlock(&(pcap_thread->mutex));
+            return PCAP_THREAD_ENOMEM;
+        }
+
+        pcap_thread->read_pos  = 0;
+        pcap_thread->write_pos = 0;
+        pcap_thread->pkts      = 0;
+
+        all_offline = 1;
+        for (pcaplist = pcap_thread->pcaplist; all_offline && pcaplist; pcaplist = pcaplist->next) {
+            if (!pcaplist->is_offline) {
+                all_offline = 0;
+                break;
+            }
+        }
+
+        pcap_thread->running     = 1;
+        pcap_thread->was_stopped = 0;
+        err                      = PCAP_THREAD_OK;
+
+        for (pcaplist = pcap_thread->pcaplist; pcaplist; pcaplist = pcaplist->next) {
+            pcaplist->pcap_thread = pcap_thread;
+            if (pcap_thread->use_layers) {
+                pcaplist->layer_callback = &pcap_thread_callback;
+            }
+            if (pcap_thread->callback_ipv4_frag.new && !pcaplist->have_ipv4_frag_ctx) {
+                pcaplist->ipv4_frag_ctx      = pcap_thread->callback_ipv4_frag.new(pcap_thread->callback_ipv4_frag.conf, pcaplist->user);
+                pcaplist->have_ipv4_frag_ctx = 1;
+            }
+            if (pcap_thread->callback_ipv6_frag.new && !pcaplist->have_ipv6_frag_ctx) {
+                pcaplist->ipv6_frag_ctx      = pcap_thread->callback_ipv6_frag.new(pcap_thread->callback_ipv6_frag.conf, pcaplist->user);
+                pcaplist->have_ipv6_frag_ctx = 1;
+            }
+            pcaplist->running = 1;
+
+            if ((err = pthread_create(&(pcaplist->thread), 0, _thread, (void*)pcaplist))) {
+                errno = err;
+                err   = PCAP_THREAD_ERRNO;
+                PCAP_THREAD_SET_ERRBUF(pcap_thread, "pthread_create()");
+                break;
+            }
+        }
+
+        while (err == PCAP_THREAD_OK && run && pcap_thread->running) {
+            while (pcap_thread->pkts) {
+                if (!pcap_thread->pcaplist_pkt[pcap_thread->read_pos]) {
+                    err = PCAP_THREAD_ENOPCAPLIST;
+                    break;
+                }
+
+                if (pcap_thread->callback) {
+                    pcap_thread->callback(
+                        pcap_thread->pcaplist_pkt[pcap_thread->read_pos]->user,
+                        &(pcap_thread->pkthdr[pcap_thread->read_pos]),
+                        &(pcap_thread->pkt[pcap_thread->read_pos * pcap_thread->snapshot]),
+                        pcap_thread->pcaplist_pkt[pcap_thread->read_pos]->name,
+                        pcap_datalink(pcap_thread->pcaplist_pkt[pcap_thread->read_pos]->pcap));
+                } else {
+                    pcap_thread_callback(
+                        (void*)pcap_thread->pcaplist_pkt[pcap_thread->read_pos],
+                        &(pcap_thread->pkthdr[pcap_thread->read_pos]),
+                        &(pcap_thread->pkt[pcap_thread->read_pos * pcap_thread->snapshot]),
+                        pcap_thread->pcaplist_pkt[pcap_thread->read_pos]->name,
+                        pcap_datalink(pcap_thread->pcaplist_pkt[pcap_thread->read_pos]->pcap));
+                }
+
+                pcap_thread->pcaplist_pkt[pcap_thread->read_pos] = 0;
+                pcap_thread->read_pos++;
+                if (pcap_thread->read_pos == pcap_thread->queue_size) {
+                    pcap_thread->read_pos = 0;
+                }
+                pcap_thread->pkts--;
+            }
+
+            if (err != PCAP_THREAD_OK)
+                break;
+
+            if ((err = pthread_cond_broadcast(&(pcap_thread->can_write)))) {
+                errno = err;
+                err   = PCAP_THREAD_ERRNO;
+                PCAP_THREAD_SET_ERRBUF(pcap_thread, "pthread_cond_broadcast()");
+                break;
+            }
+
+            run = 0;
+            for (pcaplist = pcap_thread->pcaplist; pcaplist; pcaplist = pcaplist->next) {
+                if (pcaplist->running) {
+                    run = 1;
+                }
+            }
+            if (!run)
+                break;
+
+            if (timedrun) {
+                struct timeval now;
+
+                if (gettimeofday(&now, 0)) {
+                    err = PCAP_THREAD_ERRNO;
+                    PCAP_THREAD_SET_ERRBUF(pcap_thread, "gettimeofday()");
+                    break;
+                }
+
+                if (now.tv_sec > end.tv_sec
+                    || (now.tv_sec == end.tv_sec && (now.tv_usec * 1000) >= end.tv_nsec)) {
+                    break;
+                }
+
+                err = pthread_cond_timedwait(&(pcap_thread->have_packets), &(pcap_thread->mutex), &end);
+                if (err == ETIMEDOUT) {
+                    err = PCAP_THREAD_OK;
+                } else if (err) {
+                    errno = err;
+                    err   = PCAP_THREAD_ERRNO;
+                    PCAP_THREAD_SET_ERRBUF(pcap_thread, "pthread_cond_timedwait()");
+                    break;
+                }
+            } else {
+                if ((err = pthread_cond_wait(&(pcap_thread->have_packets), &(pcap_thread->mutex)))) {
+                    errno = err;
+                    err   = PCAP_THREAD_ERRNO;
+                    PCAP_THREAD_SET_ERRBUF(pcap_thread, "pthread_cond_wait()");
+                    break;
+                }
+            }
+        }
+
+        for (pcaplist = pcap_thread->pcaplist; pcaplist; pcaplist = pcaplist->next) {
+            pcaplist->running = 0;
+            pcap_breakloop(pcaplist->pcap);
+            if (pcaplist->thread) {
+                pthread_cancel(pcaplist->thread);
+            }
+        }
+
+        pthread_mutex_unlock(&(pcap_thread->mutex));
+
+        for (pcaplist = pcap_thread->pcaplist; pcaplist; pcaplist = pcaplist->next) {
+            if (pcaplist->thread) {
+                pthread_join(pcaplist->thread, 0);
+                pcaplist->thread = 0;
+            }
+        }
+
+        pcap_thread->running = 0;
+        return err;
+    } else
+#endif
+    {
+        fd_set         fds, rfds;
+        int            max_fd = 0;
+        struct timeval t1, t2;
+
+        pcap_thread->running     = 1;
+        pcap_thread->was_stopped = 0;
+
+        FD_ZERO(&fds);
+        for (pcaplist = pcap_thread->pcaplist; pcaplist; pcaplist = pcaplist->next) {
+            int fd = pcap_get_selectable_fd(pcaplist->pcap);
+
+            FD_SET(fd, &fds);
+            if (fd > max_fd)
+                max_fd = fd;
+
+            if (!pcaplist->is_offline && (pcap_thread->status = pcap_setnonblock(pcaplist->pcap, 1, pcap_thread->errbuf))) {
+                pcap_thread->running = 0;
+                return PCAP_THREAD_EPCAP;
+            }
+            pcaplist->pcap_thread = pcap_thread;
+            if (pcap_thread->use_layers) {
+                pcaplist->layer_callback = &pcap_thread_callback;
+            }
+            if (pcap_thread->callback_ipv4_frag.new && !pcaplist->have_ipv4_frag_ctx) {
+                pcaplist->ipv4_frag_ctx      = pcap_thread->callback_ipv4_frag.new(pcap_thread->callback_ipv4_frag.conf, pcaplist->user);
+                pcaplist->have_ipv4_frag_ctx = 1;
+            }
+            if (pcap_thread->callback_ipv6_frag.new && !pcaplist->have_ipv6_frag_ctx) {
+                pcaplist->ipv6_frag_ctx      = pcap_thread->callback_ipv6_frag.new(pcap_thread->callback_ipv6_frag.conf, pcaplist->user);
+                pcaplist->have_ipv6_frag_ctx = 1;
+            }
+            pcaplist->running = 1;
+        }
+
+        t1.tv_sec  = pcap_thread->timeout / 1000;
+        t1.tv_usec = (pcap_thread->timeout % 1000) * 1000;
+        max_fd++;
+        while (run) {
+            rfds = fds;
+            t2   = t1;
+            if (timedrun) {
+                struct timeval now;
+                struct timeval diff;
+
+                if (gettimeofday(&now, 0)) {
+                    PCAP_THREAD_SET_ERRBUF(pcap_thread, "gettimeofday()");
+                    pcap_thread->running = 0;
+                    return PCAP_THREAD_ERRNO;
+                }
+                if (now.tv_sec > end.tv_sec
+                    || (now.tv_sec == end.tv_sec && (now.tv_usec * 1000) >= end.tv_nsec)) {
+                    break;
+                }
+
+                if (end.tv_sec > now.tv_sec) {
+                    diff.tv_sec  = end.tv_sec - now.tv_sec - 1;
+                    diff.tv_usec = 1000000 - now.tv_usec;
+                    diff.tv_usec += end.tv_nsec / 1000;
+                    if (diff.tv_usec > 1000000) {
+                        diff.tv_sec += diff.tv_usec / 1000000;
+                        diff.tv_usec %= 1000000;
+                    }
+                } else {
+                    diff.tv_sec = 0;
+                    if (end.tv_sec == now.tv_sec && (end.tv_nsec / 1000) > now.tv_usec) {
+                        diff.tv_usec = (end.tv_nsec / 1000) - now.tv_usec;
+                    } else {
+                        diff.tv_usec = 0;
+                    }
+                }
+
+                if (diff.tv_sec < t1.tv_sec || (diff.tv_sec == t1.tv_sec && diff.tv_usec < t1.tv_usec)) {
+                    t2 = diff;
+                }
+            }
+            if (select(max_fd, &rfds, 0, 0, &t2) == -1) {
+                PCAP_THREAD_SET_ERRBUF(pcap_thread, "select()");
+                pcap_thread->running = 0;
+                return PCAP_THREAD_ERRNO;
+            }
+
+            run = 0;
+            for (pcaplist = pcap_thread->pcaplist; pcaplist; pcaplist = pcaplist->next) {
+                int packets;
+
+                if (!pcaplist->running) {
+                    continue;
+                } else {
+                    run = 1;
+                }
+
+                packets = pcap_dispatch(pcaplist->pcap, -1, _callback2, (u_char*)pcaplist);
+                if (packets == -1) {
+                    pcap_thread->status = -1;
+                    PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_dispatch()");
+                    pcap_thread->running = 0;
+                    return PCAP_THREAD_EPCAP;
+                } else if (packets == -2 || (pcaplist->is_offline && !packets)) {
+                    pcaplist->running = 0;
+                }
+            }
+        }
+
+        pcap_thread->running = 0;
+    }
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_next(pcap_thread_t* pcap_thread)
+{
+    const u_char*      pkt;
+    struct pcap_pkthdr pkthdr;
+
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (!pcap_thread->callback && !pcap_thread->use_layers) {
+        return PCAP_THREAD_NOCALLBACK;
+    }
+    if (pcap_thread->use_layers
+        && !(pcap_thread->callback_linux_sll
+               || pcap_thread->callback_ether
+               || pcap_thread->callback_null
+               || pcap_thread->callback_loop
+               || pcap_thread->callback_ieee802
+               || pcap_thread->callback_gre
+               || pcap_thread->callback_ip
+               || pcap_thread->callback_ipv4
+               || pcap_thread->callback_ipv6
+               || pcap_thread->callback_icmp
+               || pcap_thread->callback_icmpv6
+               || pcap_thread->callback_udp
+               || pcap_thread->callback_tcp)) {
+        return PCAP_THREAD_NOCALLBACK;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+    if (!pcap_thread->pcaplist) {
+        return PCAP_THREAD_NOPCAPS;
+    }
+
+    if (pcap_thread->errbuf[0]) {
+        memset(pcap_thread->errbuf, 0, sizeof(pcap_thread->errbuf));
+    }
+    pcap_thread->status = 0;
+
+    if (!pcap_thread->step) {
+        pcap_thread->step = pcap_thread->pcaplist;
+    }
+    if (!pcap_thread->step) {
+        return PCAP_THREAD_OK;
+    }
+
+    pcap_thread->step->pcap_thread = pcap_thread;
+    if (pcap_thread->callback_ipv4_frag.new && !pcap_thread->step->have_ipv4_frag_ctx) {
+        pcap_thread->step->ipv4_frag_ctx      = pcap_thread->callback_ipv4_frag.new(pcap_thread->callback_ipv4_frag.conf, pcap_thread->step->user);
+        pcap_thread->step->have_ipv4_frag_ctx = 1;
+    }
+    if (pcap_thread->callback_ipv6_frag.new && !pcap_thread->step->have_ipv6_frag_ctx) {
+        pcap_thread->step->ipv6_frag_ctx      = pcap_thread->callback_ipv6_frag.new(pcap_thread->callback_ipv6_frag.conf, pcap_thread->step->user);
+        pcap_thread->step->have_ipv6_frag_ctx = 1;
+    }
+
+    if (!(pkt = pcap_next(pcap_thread->step->pcap, &pkthdr))) {
+        pcap_thread->status = -1;
+        PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_next()");
+        return PCAP_THREAD_EPCAP;
+    }
+    if (pcap_thread->callback) {
+        pcap_thread->callback(pcap_thread->step->user, &pkthdr, pkt, pcap_thread->step->name, pcap_datalink(pcap_thread->step->pcap));
+    } else {
+        pcap_thread_callback((void*)pcap_thread->step, &pkthdr, pkt, pcap_thread->step->name, pcap_datalink(pcap_thread->step->pcap));
+    }
+    pcap_thread->step = pcap_thread->step->next;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_next_reset(pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (pcap_thread->running) {
+        return PCAP_THREAD_ERUNNING;
+    }
+    if (!pcap_thread->pcaplist) {
+        return PCAP_THREAD_NOPCAPS;
+    }
+
+    pcap_thread->step = 0;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_stop(pcap_thread_t* pcap_thread)
+{
+    pcap_thread_pcaplist_t* pcaplist;
+
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (!pcap_thread->pcaplist) {
+        return PCAP_THREAD_NOPCAPS;
+    }
+
+    for (pcaplist = pcap_thread->pcaplist; pcaplist; pcaplist = pcaplist->next) {
+        pcaplist->running = 0;
+        pcap_breakloop(pcaplist->pcap);
+    }
+    pcap_thread->running     = 0;
+    pcap_thread->was_stopped = 1;
+
+#ifdef HAVE_PTHREAD
+    pthread_cond_broadcast(&(pcap_thread->have_packets));
+    pthread_cond_broadcast(&(pcap_thread->can_write));
+#endif
+
+    return PCAP_THREAD_OK;
+}
+
+/*
+ * Stats
+ */
+
+int pcap_thread_stats(pcap_thread_t* pcap_thread, pcap_thread_stats_callback_t callback, u_char* user)
+{
+    pcap_thread_pcaplist_t* pcaplist;
+    struct pcap_stat        stats;
+
+    if (!pcap_thread) {
+        return PCAP_THREAD_EINVAL;
+    }
+    if (!callback) {
+        return PCAP_THREAD_NOCALLBACK;
+    }
+    if (!pcap_thread->pcaplist) {
+        return PCAP_THREAD_NOPCAPS;
+    }
+
+    if (pcap_thread->errbuf[0]) {
+        memset(pcap_thread->errbuf, 0, sizeof(pcap_thread->errbuf));
+    }
+    pcap_thread->status = 0;
+
+    for (pcaplist = pcap_thread->pcaplist; pcaplist; pcaplist = pcaplist->next) {
+        if (pcaplist->is_offline)
+            continue;
+        if ((pcap_thread->status = pcap_stats(pcaplist->pcap, &stats))) {
+            PCAP_THREAD_SET_ERRBUF(pcap_thread, "pcap_stats()");
+            return PCAP_THREAD_EPCAP;
+        }
+        callback(user, &stats, pcaplist->name, pcap_datalink(pcaplist->pcap));
+    }
+
+    return PCAP_THREAD_OK;
+}
+
+/*
+ * Error handling
+ */
+
+int pcap_thread_status(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return 0;
+    }
+
+    return pcap_thread->status;
+}
+
+const char* pcap_thread_errbuf(const pcap_thread_t* pcap_thread)
+{
+    if (!pcap_thread) {
+        return 0;
+    }
+
+    return pcap_thread->errbuf;
+}
+
+const char* pcap_thread_strerr(int error)
+{
+    switch (error) {
+    case PCAP_THREAD_OK:
+        return 0;
+    case PCAP_THREAD_EPCAP:
+        return PCAP_THREAD_EPCAP_STR;
+    case PCAP_THREAD_ENOMEM:
+        return PCAP_THREAD_ENOMEM_STR;
+    case PCAP_THREAD_ENOMON:
+        return PCAP_THREAD_ENOMON_STR;
+    case PCAP_THREAD_ENODIR:
+        return PCAP_THREAD_ENODIR_STR;
+    case PCAP_THREAD_EINVAL:
+        return PCAP_THREAD_EINVAL_STR;
+    case PCAP_THREAD_EWOULDBLOCK:
+        return PCAP_THREAD_EWOULDBLOCK_STR;
+    case PCAP_THREAD_NOPCAPS:
+        return PCAP_THREAD_NOPCAPS_STR;
+    case PCAP_THREAD_NOCALLBACK:
+        return PCAP_THREAD_NOCALLBACK_STR;
+    case PCAP_THREAD_ERRNO:
+        return PCAP_THREAD_ERRNO_STR;
+    case PCAP_THREAD_NOYIELD:
+        return PCAP_THREAD_NOYIELD_STR;
+    case PCAP_THREAD_EOBSOLETE:
+        return PCAP_THREAD_EOBSOLETE_STR;
+    case PCAP_THREAD_ERUNNING:
+        return PCAP_THREAD_ERUNNING_STR;
+    case PCAP_THREAD_ENOPCAPLIST:
+        return PCAP_THREAD_ENOPCAPLIST_STR;
+    case PCAP_THREAD_ELAYERCB:
+        return PCAP_THREAD_ELAYERCB_STR;
+    }
+    return "UNKNOWN";
+}
diff --git a/src/pcap-thread/pcap_thread.h b/src/pcap-thread/pcap_thread.h
new file mode 100644
index 0000000..ce43b5a
--- /dev/null
+++ b/src/pcap-thread/pcap_thread.h
@@ -0,0 +1,640 @@
+/*
+ * Author Jerry Lundström <jerry@dns-oarc.net>
+ * Copyright (c) 2016-2017, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __pcap_thread_h
+#define __pcap_thread_h
+
+#ifdef HAVE_PTHREAD
+#include <pthread.h>
+#endif
+#include <pcap/pcap.h>
+#include <sys/socket.h>
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#else
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#endif
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <net/if_arp.h>
+#include <netinet/if_ether.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+#ifdef HAVE_ENDIAN_H
+#include <endian.h>
+#endif
+#ifdef HAVE_SYS_ENDIAN_H
+#include <sys/endian.h>
+#endif
+#ifdef HAVE_MACHINE_ENDIAN_H
+#include <machine/endian.h>
+#endif
+
+#ifndef __BYTE_ORDER
+#if defined(BYTE_ORDER)
+#define __BYTE_ORDER BYTE_ORDER
+#elif defined(_BYTE_ORDER)
+#define __BYTE_ORDER _BYTE_ORDER
+#else
+#error "No endian byte order define, please fix"
+#endif
+#endif
+#ifndef __LITTLE_ENDIAN
+#if defined(LITTLE_ENDIAN)
+#define __LITTLE_ENDIAN LITTLE_ENDIAN
+#elif defined(_LITTLE_ENDIAN)
+#define __LITTLE_ENDIAN _LITTLE_ENDIAN
+#else
+#error "No little endian define, please fix"
+#endif
+#endif
+#ifndef __BIG_ENDIAN
+#if defined(BIG_ENDIAN)
+#define __BIG_ENDIAN BIG_ENDIAN
+#elif defined(_BIG_ENDIAN)
+#define __BIG_ENDIAN _BIG_ENDIAN
+#else
+#error "No big endian define, please fix"
+#endif
+#endif
+
+#ifndef PCAP_NETMASK_UNKNOWN
+#define PCAP_NETMASK_UNKNOWN 0xffffffff
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* clang-format off */
+
+#define PCAP_THREAD_VERSION_STR     "4.0.0"
+#define PCAP_THREAD_VERSION_MAJOR   4
+#define PCAP_THREAD_VERSION_MINOR   0
+#define PCAP_THREAD_VERSION_PATCH   0
+
+#define PCAP_THREAD_DEFAULT_TIMEOUT       1000
+#define PCAP_THREAD_DEFAULT_QUEUE_SIZE    64
+#define PCAP_THREAD_DEFAULT_QUEUE_MODE    PCAP_THREAD_QUEUE_MODE_COND
+#define PCAP_THREAD_DEFAULT_ACTIVATE_MODE PCAP_THREAD_ACTIVATE_MODE_IMMEDIATE
+
+#define PCAP_THREAD_OK              0
+#define PCAP_THREAD_EPCAP           1
+#define PCAP_THREAD_ENOMEM          2
+#define PCAP_THREAD_ENOMON          3
+#define PCAP_THREAD_ENODIR          4
+#define PCAP_THREAD_EINVAL          5
+#define PCAP_THREAD_EWOULDBLOCK     6
+#define PCAP_THREAD_NOPCAPS         7
+#define PCAP_THREAD_NOCALLBACK      8
+#define PCAP_THREAD_ERRNO           9
+#define PCAP_THREAD_NOYIELD         10
+#define PCAP_THREAD_EOBSOLETE       11
+#define PCAP_THREAD_ERUNNING        12
+#define PCAP_THREAD_ENOPCAPLIST     13
+#define PCAP_THREAD_ELAYERCB        14
+
+#define PCAP_THREAD_EPCAP_STR       "libpcap error"
+#define PCAP_THREAD_ENOMEM_STR      "out of memory"
+#define PCAP_THREAD_ENOMON_STR      "monitor mode requested but not supported"
+#define PCAP_THREAD_ENODIR_STR      "direction specified but not supported"
+#define PCAP_THREAD_EINVAL_STR      "invalid argument"
+#define PCAP_THREAD_EWOULDBLOCK_STR "nonblocking pcap can not be added"
+#define PCAP_THREAD_NOPCAPS_STR     "nothing to capture on"
+#define PCAP_THREAD_NOCALLBACK_STR  "no callback set"
+#define PCAP_THREAD_ERRNO_STR       "system error, check errno"
+#define PCAP_THREAD_NOYIELD_STR     "queue more yield requested but not supported"
+#define PCAP_THREAD_EOBSOLETE_STR   "obsolete function or feature"
+#define PCAP_THREAD_ERUNNING_STR    "pcap thread are running, can not complete task"
+#define PCAP_THREAD_ENOPCAPLIST_STR "no internal reference to the pcap that captured the packet"
+#define PCAP_THREAD_ELAYERCB_STR    "layer callback already set in lower or higher segment"
+
+/* clang-format on */
+
+struct pcap_thread_linux_sll {
+    uint16_t packet_type;
+    uint16_t arp_hardware;
+    uint16_t link_layer_address_length;
+    uint8_t  link_layer_address[8];
+    uint16_t ether_type;
+};
+struct pcap_thread_null_hdr {
+    uint32_t family;
+};
+struct pcap_thread_loop_hdr {
+    uint32_t family;
+};
+struct pcap_thread_ieee802_hdr {
+    uint16_t       tpid;
+    unsigned short pcp : 3;
+    unsigned short dei : 1;
+    unsigned short vid : 12;
+    uint16_t       ether_type;
+};
+struct pcap_thread_gre_hdr {
+    uint16_t gre_flags;
+    uint16_t ether_type;
+};
+struct pcap_thread_gre {
+    uint16_t checksum;
+    uint16_t key;
+    uint16_t sequence;
+};
+typedef enum pcap_thread_packet_state pcap_thread_packet_state_t;
+enum pcap_thread_packet_state {
+    PCAP_THREAD_PACKET_OK = 0,
+    PCAP_THREAD_PACKET_INVALID,
+    PCAP_THREAD_PACKET_UNSUPPORTED,
+    PCAP_THREAD_PACKET_UNPROCESSED,
+    PCAP_THREAD_PACKET_INVALID_ETHER,
+    PCAP_THREAD_PACKET_INVALID_LINUX_SLL,
+    PCAP_THREAD_PACKET_INVALID_NULL,
+    PCAP_THREAD_PACKET_INVALID_LOOP,
+    PCAP_THREAD_PACKET_INVALID_IEEE802,
+    PCAP_THREAD_PACKET_INVALID_GRE,
+    PCAP_THREAD_PACKET_INVALID_IP,
+    PCAP_THREAD_PACKET_INVALID_IPV4,
+    PCAP_THREAD_PACKET_INVALID_IPV6,
+    PCAP_THREAD_PACKET_INVALID_IPV6HDR,
+    PCAP_THREAD_PACKET_INVALID_ICMP,
+    PCAP_THREAD_PACKET_INVALID_ICMPV6,
+    PCAP_THREAD_PACKET_INVALID_UDP,
+    PCAP_THREAD_PACKET_INVALID_TCP,
+    PCAP_THREAD_PACKET_IS_FRAGMENT,
+    PCAP_THREAD_PACKET_INVALID_FRAGMENT,
+    PCAP_THREAD_PACKET_ENOMEM,
+    PCAP_THREAD_PACKET_EMUTEX,
+    PCAP_THREAD_PACKET_FRAGMENTED_GREHDR,
+    PCAP_THREAD_PACKET_FRAGMENTED_ICMPHDR,
+    PCAP_THREAD_PACKET_FRAGMENTED_ICMPV6HDR,
+    PCAP_THREAD_PACKET_FRAGMENTED_UDPHDR,
+    PCAP_THREAD_PACKET_FRAGMENTED_TCPHDR
+};
+
+typedef struct pcap_thread_packet pcap_thread_packet_t;
+struct pcap_thread_packet {
+    unsigned short have_prevpkt : 1;
+    unsigned short have_pkthdr : 1;
+    unsigned short have_linux_sll : 1;
+    unsigned short have_ethhdr : 1;
+    unsigned short have_nullhdr : 1;
+    unsigned short have_loophdr : 1;
+    unsigned short have_ieee802hdr : 1;
+    unsigned short have_grehdr : 1;
+    unsigned short have_gre : 1;
+    unsigned short have_iphdr : 1;
+    unsigned short have_ip6hdr : 1;
+    unsigned short have_ip6frag : 1;
+    unsigned short have_ip6rtdst : 1;
+    unsigned short have_icmphdr : 1;
+    unsigned short have_icmpv6hdr : 1;
+    unsigned short have_udphdr : 1;
+    unsigned short have_tcphdr : 1;
+    unsigned short have_tcpopts : 1;
+    unsigned short have_ippadding : 1;
+    unsigned short have_ip6padding : 1;
+
+    const char*                    name;
+    int                            dlt;
+    pcap_thread_packet_t*          prevpkt;
+    struct pcap_pkthdr             pkthdr;
+    struct pcap_thread_linux_sll   linux_sll;
+    struct ether_header            ethhdr;
+    struct pcap_thread_null_hdr    nullhdr;
+    struct pcap_thread_loop_hdr    loophdr;
+    struct pcap_thread_ieee802_hdr ieee802hdr;
+    struct pcap_thread_gre_hdr     grehdr;
+    struct pcap_thread_gre         gre;
+    struct ip                      iphdr;
+    struct ip6_hdr                 ip6hdr;
+    struct ip6_frag                ip6frag;
+    uint8_t                        ip6frag_payload;
+    struct in6_addr                ip6rtdst;
+    struct {
+        u_int8_t  type;
+        u_int8_t  code;
+        u_int16_t checksum;
+    } icmphdr;
+    struct {
+        u_int8_t  icmp6_type;
+        u_int8_t  icmp6_code;
+        u_int16_t icmp6_cksum;
+    } icmpv6hdr;
+    struct {
+        union {
+            struct {
+                u_int16_t uh_sport;
+                u_int16_t uh_dport;
+                u_int16_t uh_ulen;
+                u_int16_t uh_sum;
+            };
+            struct {
+                u_int16_t source;
+                u_int16_t dest;
+                u_int16_t len;
+                u_int16_t check;
+            };
+        };
+    } udphdr;
+    struct {
+        union {
+            struct {
+                u_int16_t th_sport;
+                u_int16_t th_dport;
+                u_int32_t th_seq;
+                u_int32_t th_ack;
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+                u_int8_t th_x2 : 4;
+                u_int8_t th_off : 4;
+#endif
+#if __BYTE_ORDER == __BIG_ENDIAN
+                u_int8_t th_off : 4;
+                u_int8_t th_x2 : 4;
+#endif
+                u_int8_t  th_flags;
+                u_int16_t th_win;
+                u_int16_t th_sum;
+                u_int16_t th_urp;
+            };
+            struct {
+                u_int16_t source;
+                u_int16_t dest;
+                u_int32_t seq;
+                u_int32_t ack_seq;
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+                u_int16_t res1 : 4;
+                u_int16_t doff : 4;
+                u_int16_t fin : 1;
+                u_int16_t syn : 1;
+                u_int16_t rst : 1;
+                u_int16_t psh : 1;
+                u_int16_t ack : 1;
+                u_int16_t urg : 1;
+                u_int16_t res2 : 2;
+#elif __BYTE_ORDER == __BIG_ENDIAN
+                u_int16_t doff : 4;
+                u_int16_t res1 : 4;
+                u_int16_t res2 : 2;
+                u_int16_t urg : 1;
+                u_int16_t ack : 1;
+                u_int16_t psh : 1;
+                u_int16_t rst : 1;
+                u_int16_t syn : 1;
+                u_int16_t fin : 1;
+#endif
+                u_int16_t window;
+                u_int16_t check;
+                u_int16_t urg_ptr;
+            };
+        };
+    } tcphdr;
+    u_int8_t tcpopts[64];
+    size_t   tcpopts_len;
+
+    size_t ippadding;
+    size_t ip6padding;
+
+    pcap_thread_packet_state_t state;
+};
+
+typedef enum pcap_thread_queue_mode pcap_thread_queue_mode_t;
+typedef struct pcap_thread          pcap_thread_t;
+typedef void (*pcap_thread_callback_t)(u_char* user, const struct pcap_pkthdr* pkthdr, const u_char* pkt, const char* name, int dlt);
+typedef void (*pcap_thread_layer_callback_t)(u_char* user, const pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+typedef void (*pcap_thread_stats_callback_t)(u_char* user, const struct pcap_stat* stats, const char* name, int dlt);
+#ifndef HAVE_PCAP_DIRECTION_T
+typedef int pcap_direction_t;
+#endif
+typedef struct pcap_thread_pcaplist    pcap_thread_pcaplist_t;
+typedef enum pcap_thread_activate_mode pcap_thread_activate_mode_t;
+
+enum pcap_thread_queue_mode {
+    PCAP_THREAD_QUEUE_MODE_COND,
+    PCAP_THREAD_QUEUE_MODE_WAIT,
+    PCAP_THREAD_QUEUE_MODE_YIELD,
+    PCAP_THREAD_QUEUE_MODE_DROP,
+    PCAP_THREAD_QUEUE_MODE_DIRECT
+};
+
+enum pcap_thread_activate_mode {
+    PCAP_THREAD_ACTIVATE_MODE_IMMEDIATE,
+    PCAP_THREAD_ACTIVATE_MODE_DELAYED
+};
+
+#ifdef HAVE_PCAP_DIRECTION_T
+#define PCAP_THREAD_T_INIT_DIRECTION_T 0,
+#else
+#define PCAP_THREAD_T_INIT_DIRECTION_T
+#endif
+
+#ifdef HAVE_PTHREAD
+#define PCAP_THREAD_T_INIT_QUEUE PTHREAD_COND_INITIALIZER, PTHREAD_COND_INITIALIZER, PTHREAD_MUTEX_INITIALIZER, \
+                                 0, 0, 0, 0, 0, 0,
+#else
+#define PCAP_THREAD_T_INIT_QUEUE
+#endif
+
+#ifdef PCAP_TSTAMP_PRECISION_MICRO
+#define PCAP_THREAD_T_INIT_PRECISION PCAP_TSTAMP_PRECISION_MICRO
+#else
+#define PCAP_THREAD_T_INIT_PRECISION 0
+#endif
+
+typedef void* (*pcap_thread_layer_callback_frag_new_t)(void* conf, u_char* user);
+typedef void (*pcap_thread_layer_callback_frag_free_t)(void* ctx);
+typedef pcap_thread_packet_state_t (*pcap_thread_layer_callback_frag_reassemble_t)(void* ctx, const pcap_thread_packet_t* packet, const u_char* payload, size_t length, pcap_thread_packet_t** whole_packet, const u_char** whole_payload, size_t* whole_length);
+typedef void (*pcap_thread_layer_callback_frag_release_t)(void* ctx, const pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+
+/* clang-format off */
+#define PCAP_THREAD_LAYER_CALLBACK_FRAG_T_INIT { \
+    0, 0, 0, 0, 0, \
+}
+/* clang-format on */
+
+typedef struct pcap_thread_layer_callback_frag pcap_thread_layer_callback_frag_t;
+struct pcap_thread_layer_callback_frag {
+    void* conf;
+    pcap_thread_layer_callback_frag_new_t new;
+    pcap_thread_layer_callback_frag_free_t       free;
+    pcap_thread_layer_callback_frag_reassemble_t reassemble;
+    pcap_thread_layer_callback_frag_release_t    release;
+};
+
+/* clang-format off */
+#define PCAP_THREAD_T_INIT { \
+    0, 0, 0, 0, \
+    0, 1, 0, PCAP_THREAD_DEFAULT_QUEUE_MODE, PCAP_THREAD_DEFAULT_QUEUE_SIZE, \
+    PCAP_THREAD_T_INIT_QUEUE \
+    0, 0, 0, 0, PCAP_THREAD_DEFAULT_TIMEOUT, \
+    0, 0, PCAP_THREAD_T_INIT_PRECISION, 0, \
+    PCAP_THREAD_T_INIT_DIRECTION_T \
+    0, 0, 0, 1, PCAP_NETMASK_UNKNOWN, \
+    0, 0, \
+    0, "", 0, 0, \
+    { 0, 0 }, { 0, 0 }, \
+    PCAP_THREAD_DEFAULT_ACTIVATE_MODE, \
+    0, 0, 0, 0, 0, 0, 0, 0, PCAP_THREAD_LAYER_CALLBACK_FRAG_T_INIT, 0, PCAP_THREAD_LAYER_CALLBACK_FRAG_T_INIT, 0, 0, 0, 0, \
+    0 \
+}
+/* clang-format on */
+
+struct pcap_thread {
+    unsigned short have_timestamp_precision : 1;
+    unsigned short have_timestamp_type : 1;
+    unsigned short have_direction : 1;
+    unsigned short was_stopped : 1;
+
+    int                      running;
+    int                      use_threads;
+    int                      use_layers;
+    pcap_thread_queue_mode_t queue_mode;
+    size_t                   queue_size;
+
+#ifdef HAVE_PTHREAD
+    pthread_cond_t  have_packets;
+    pthread_cond_t  can_write;
+    pthread_mutex_t mutex;
+
+    struct pcap_pkthdr*      pkthdr;
+    u_char*                  pkt;
+    pcap_thread_pcaplist_t** pcaplist_pkt;
+    size_t                   read_pos;
+    size_t                   write_pos;
+    size_t                   pkts;
+#endif
+
+    int snapshot;
+    int snaplen;
+    int promiscuous;
+    int monitor;
+    int timeout;
+
+    int buffer_size;
+    int timestamp_type;
+    int timestamp_precision;
+    int immediate_mode;
+
+#ifdef HAVE_PCAP_DIRECTION_T
+    pcap_direction_t direction;
+#endif
+
+    char*       filter;
+    size_t      filter_len;
+    int         filter_errno;
+    int         filter_optimize;
+    bpf_u_int32 filter_netmask;
+
+    pcap_thread_callback_t callback;
+    pcap_thread_callback_t dropback;
+
+    int                     status;
+    char                    errbuf[PCAP_ERRBUF_SIZE];
+    pcap_thread_pcaplist_t* pcaplist;
+    pcap_thread_pcaplist_t* step;
+
+    struct timeval timedrun;
+    struct timeval timedrun_to;
+
+    pcap_thread_activate_mode_t activate_mode;
+
+    pcap_thread_layer_callback_t      callback_linux_sll;
+    pcap_thread_layer_callback_t      callback_ether;
+    pcap_thread_layer_callback_t      callback_null;
+    pcap_thread_layer_callback_t      callback_loop;
+    pcap_thread_layer_callback_t      callback_ieee802;
+    pcap_thread_layer_callback_t      callback_gre;
+    pcap_thread_layer_callback_t      callback_ip;
+    pcap_thread_layer_callback_t      callback_ipv4;
+    pcap_thread_layer_callback_frag_t callback_ipv4_frag;
+    pcap_thread_layer_callback_t      callback_ipv6;
+    pcap_thread_layer_callback_frag_t callback_ipv6_frag;
+    pcap_thread_layer_callback_t      callback_icmp;
+    pcap_thread_layer_callback_t      callback_icmpv6;
+    pcap_thread_layer_callback_t      callback_udp;
+    pcap_thread_layer_callback_t      callback_tcp;
+
+    pcap_thread_layer_callback_t callback_invalid;
+};
+
+#define PCAP_THREAD_SET_ERRBUF(x, y) strncpy(x->errbuf, y, sizeof(x->errbuf) - 1)
+
+#ifdef HAVE_PTHREAD
+#define PCAP_THREAD_PCAPLIST_T_INIT_THREAD 0,
+#else
+#define PCAP_THREAD_PCAPLIST_T_INIT_THREAD
+#endif
+
+/* clang-format off */
+#define PCAP_THREAD_PCAPLIST_T_INIT { \
+    0, 0, 0, \
+    0, 0, 0, 0, 0, 0, 0, 0, \
+    0, \
+    PCAP_THREAD_PCAPLIST_T_INIT_THREAD \
+    { 0, 0 }, \
+    0, \
+}
+/* clang-format on */
+
+struct pcap_thread_pcaplist {
+    unsigned short have_bpf : 1;
+    unsigned short have_ipv4_frag_ctx : 1;
+    unsigned short have_ipv6_frag_ctx : 1;
+
+    pcap_thread_pcaplist_t* next;
+    char*                   name;
+    pcap_t*                 pcap;
+    void*                   user;
+    int                     running;
+    int                     is_offline;
+    void*                   ipv4_frag_ctx;
+    void*                   ipv6_frag_ctx;
+
+    pcap_thread_t* pcap_thread;
+
+#ifdef HAVE_PTHREAD
+    pthread_t thread;
+#endif
+
+    struct bpf_program bpf;
+
+    pcap_thread_callback_t layer_callback;
+};
+
+const char* pcap_thread_version_str(void);
+
+int pcap_thread_version_major(void);
+int pcap_thread_version_minor(void);
+int pcap_thread_version_patch(void);
+
+pcap_thread_t* pcap_thread_create(void);
+void pcap_thread_free(pcap_thread_t* pcap_thread);
+
+int pcap_thread_use_threads(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_use_threads(pcap_thread_t* pcap_thread, const int use_threads);
+int pcap_thread_use_layers(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_use_layers(pcap_thread_t* pcap_thread, const int use_layers);
+pcap_thread_queue_mode_t pcap_thread_queue_mode(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_queue_mode(pcap_thread_t* pcap_thread, const pcap_thread_queue_mode_t queue_mode);
+struct timeval pcap_thread_queue_wait(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_queue_wait(pcap_thread_t* pcap_thread, const struct timeval queue_wait);
+pcap_thread_queue_mode_t pcap_thread_callback_queue_mode(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_callback_queue_mode(pcap_thread_t* pcap_thread, const pcap_thread_queue_mode_t callback_queue_mode);
+struct timeval pcap_thread_callback_queue_wait(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_callback_queue_wait(pcap_thread_t* pcap_thread, const struct timeval callback_queue_wait);
+int pcap_thread_snapshot(const pcap_thread_t* pcap_thread);
+int pcap_thread_snaplen(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_snaplen(pcap_thread_t* pcap_thread, const int snaplen);
+int pcap_thread_promiscuous(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_promiscuous(pcap_thread_t* pcap_thread, const int promiscuous);
+int pcap_thread_monitor(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_monitor(pcap_thread_t* pcap_thread, const int monitor);
+int pcap_thread_timeout(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_timeout(pcap_thread_t* pcap_thread, const int timeout);
+int pcap_thread_buffer_size(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_buffer_size(pcap_thread_t* pcap_thread, const int buffer_size);
+int pcap_thread_timestamp_type(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_timestamp_type(pcap_thread_t* pcap_thread, const int timestamp_type);
+int pcap_thread_timestamp_precision(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_timestamp_precision(pcap_thread_t* pcap_thread, const int timestamp_precision);
+int pcap_thread_immediate_mode(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_immediate_mode(pcap_thread_t* pcap_thread, const int immediate_mode);
+pcap_direction_t pcap_thread_direction(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_direction(pcap_thread_t* pcap_thread, const pcap_direction_t direction);
+const char* pcap_thread_filter(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_filter(pcap_thread_t* pcap_thread, const char* filter, const size_t filter_len);
+int pcap_thread_clear_filter(pcap_thread_t* pcap_thread);
+int pcap_thread_filter_errno(const pcap_thread_t* pcap_thread);
+int pcap_thread_filter_optimize(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_filter_optimize(pcap_thread_t* pcap_thread, const int filter_optimize);
+bpf_u_int32 pcap_thread_filter_netmask(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_filter_netmask(pcap_thread_t* pcap_thread, const bpf_u_int32 filter_netmask);
+struct timeval pcap_thread_timedrun(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_timedrun(pcap_thread_t* pcap_thread, const struct timeval timedrun);
+struct timeval pcap_thread_timedrun_to(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_timedrun_to(pcap_thread_t* pcap_thread, const struct timeval timedrun_to);
+pcap_thread_activate_mode_t pcap_thread_activate_mode(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_activate_mode(pcap_thread_t* pcap_thread, const pcap_thread_activate_mode_t activate_mode);
+int pcap_thread_was_stopped(const pcap_thread_t* pcap_thread);
+
+size_t pcap_thread_queue_size(const pcap_thread_t* pcap_thread);
+int pcap_thread_set_queue_size(pcap_thread_t* pcap_thread, const size_t queue_size);
+
+int pcap_thread_set_callback(pcap_thread_t* pcap_thread, pcap_thread_callback_t callback);
+int pcap_thread_set_dropback(pcap_thread_t* pcap_thread, pcap_thread_callback_t dropback);
+
+int pcap_thread_set_callback_linux_sll(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_linux_sll);
+int pcap_thread_set_callback_ether(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ether);
+int pcap_thread_set_callback_null(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_null);
+int pcap_thread_set_callback_loop(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_loop);
+int pcap_thread_set_callback_ieee802(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ieee802);
+int pcap_thread_set_callback_gre(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_gre);
+int pcap_thread_set_callback_ip(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ip);
+int pcap_thread_set_callback_ipv4(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ipv4);
+int pcap_thread_set_callback_ipv4_frag(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_frag_t callback_ipv4_frag);
+int pcap_thread_set_callback_ipv6(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ipv6);
+int pcap_thread_set_callback_ipv6_frag(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_frag_t callback_ipv6_frag);
+int pcap_thread_set_callback_icmp(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_icmp);
+int pcap_thread_set_callback_icmpv6(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_icmpv6);
+int pcap_thread_set_callback_udp(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_udp);
+int pcap_thread_set_callback_tcp(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_tcp);
+int pcap_thread_set_callback_invalid(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_tcp);
+
+int pcap_thread_open(pcap_thread_t* pcap_thread, const char* device, void* user);
+int pcap_thread_open_offline(pcap_thread_t* pcap_thread, const char* file, void* user);
+int pcap_thread_add(pcap_thread_t* pcap_thread, const char* name, pcap_t* pcap, void* user);
+int pcap_thread_activate(pcap_thread_t* pcap_thread);
+int pcap_thread_close(pcap_thread_t* pcap_thread);
+
+int pcap_thread_run(pcap_thread_t* pcap_thread);
+int pcap_thread_next(pcap_thread_t* pcap_thread);
+int pcap_thread_next_reset(pcap_thread_t* pcap_thread);
+int pcap_thread_stop(pcap_thread_t* pcap_thread);
+
+int pcap_thread_stats(pcap_thread_t* pcap_thread, pcap_thread_stats_callback_t callback, u_char* user);
+
+int pcap_thread_status(const pcap_thread_t* pcap_thread);
+const char* pcap_thread_errbuf(const pcap_thread_t* pcap_thread);
+const char* pcap_thread_strerr(int error);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __pcap_thread_h */
diff --git a/src/pcap-thread/pcap_thread_ext_frag.c b/src/pcap-thread/pcap_thread_ext_frag.c
new file mode 100644
index 0000000..6593e92
--- /dev/null
+++ b/src/pcap-thread/pcap_thread_ext_frag.c
@@ -0,0 +1,1013 @@
+/*
+ * Author Jerry Lundström <jerry@dns-oarc.net>
+ * Copyright (c) 2016-2017, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "pcap_thread_ext_frag.h"
+
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_PTHREAD
+#include <pthread.h>
+#endif
+
+#ifndef PCAP_THREAD_EXT_FRAG_TRACE
+#define PCAP_THREAD_EXT_FRAG_TRACE 0
+#endif
+
+/*
+ * Forward declares for callbacks
+ */
+
+static void* pcap_thread_layer_callback_frag_new(void* conf, u_char* user);
+static void pcap_thread_layer_callback_frag_free(void* _ctx);
+static pcap_thread_packet_state_t pcap_thread_layer_callback_frag_reassemble(void* _ctx, const pcap_thread_packet_t* packet, const u_char* payload, size_t length, pcap_thread_packet_t** whole_packet, const u_char** whole_payload, size_t* whole_length);
+static void pcap_thread_layer_callback_frag_release(void* _ctx, const pcap_thread_packet_t* packet, const u_char* payload, size_t length);
+
+/*
+ * Create/Free
+ */
+
+static pcap_thread_ext_frag_conf_t _conf_defaults = PCAP_THREAD_EXT_FRAG_CONF_T_INIT;
+
+pcap_thread_ext_frag_conf_t* pcap_thread_ext_frag_conf_new(void)
+{
+    pcap_thread_ext_frag_conf_t* conf = calloc(1, sizeof(pcap_thread_ext_frag_conf_t));
+    if (conf) {
+        memcpy(conf, &_conf_defaults, sizeof(pcap_thread_ext_frag_conf_t));
+    }
+
+    return conf;
+}
+
+void pcap_thread_ext_frag_conf_free(pcap_thread_ext_frag_conf_t* conf)
+{
+    if (conf) {
+        free(conf);
+    }
+}
+
+/*
+ * Get/Set
+ */
+
+int pcap_thread_ext_frag_conf_reject_overlap(const pcap_thread_ext_frag_conf_t* conf)
+{
+    if (!conf) {
+        return 0;
+    }
+
+    return conf->reject_overlap;
+}
+
+int pcap_thread_ext_frag_conf_set_reject_overlap(pcap_thread_ext_frag_conf_t* conf, const int reject_overlap)
+{
+    if (!conf) {
+        return PCAP_THREAD_EINVAL;
+    }
+
+    conf->reject_overlap = reject_overlap ? 1 : 0;
+
+    return PCAP_THREAD_OK;
+}
+
+int pcap_thread_ext_frag_conf_check_timeout(const pcap_thread_ext_frag_conf_t* conf)
+{
+    if (!conf) {
+        return 0;
+    }
+
+    return conf->check_timeout;
+}
+
+int pcap_thread_ext_frag_conf_set_check_timeout(pcap_thread_ext_frag_conf_t* conf, const int check_timeout)
+{
+    if (!conf) {
+        return PCAP_THREAD_EINVAL;
+    }
+
+    conf->check_timeout = check_timeout ? 1 : 0;
+
+    return PCAP_THREAD_OK;
+}
+
+pcap_thread_ext_frag_reassemble_mode_t pcap_thread_ext_frag_conf_reassemble_mode(const pcap_thread_ext_frag_conf_t* conf)
+{
+    if (!conf) {
+        return PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC791;
+    }
+
+    return conf->reassemble_mode;
+}
+
+int pcap_thread_ext_frag_conf_set_reassemble_mode(pcap_thread_ext_frag_conf_t* conf, const pcap_thread_ext_frag_reassemble_mode_t reassemble_mode)
+{
+    if (!conf) {
+        return PCAP_THREAD_EINVAL;
+    }
+
+    switch (reassemble_mode) {
+    case PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC791:
+    case PCAP_THREAD_EXT_FRAG_REASSEMBLE_BSD:
+        break;
+    case PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC815:
+    /* TODO: Implement */
+    default:
+        return PCAP_THREAD_EINVAL;
+    }
+
+    conf->reassemble_mode = reassemble_mode;
+
+    return PCAP_THREAD_OK;
+}
+
+size_t pcap_thread_ext_frag_conf_fragments(const pcap_thread_ext_frag_conf_t* conf)
+{
+    if (!conf) {
+        return -1;
+    }
+
+    return conf->fragments;
+}
+
+int pcap_thread_ext_frag_conf_set_fragments(pcap_thread_ext_frag_conf_t* conf, const size_t fragments)
+{
+    if (!conf) {
+        return PCAP_THREAD_EINVAL;
+    }
+
+    conf->fragments = fragments;
+
+    return PCAP_THREAD_OK;
+}
+
+size_t pcap_thread_ext_frag_conf_per_packet(const pcap_thread_ext_frag_conf_t* conf)
+{
+    if (!conf) {
+        return -1;
+    }
+
+    return conf->per_packet;
+}
+
+int pcap_thread_ext_frag_conf_set_per_packet(pcap_thread_ext_frag_conf_t* conf, const size_t per_packet)
+{
+    if (!conf) {
+        return PCAP_THREAD_EINVAL;
+    }
+
+    conf->per_packet = per_packet;
+
+    return PCAP_THREAD_OK;
+}
+
+struct timeval pcap_thread_ext_frag_conf_timeout(const pcap_thread_ext_frag_conf_t* conf)
+{
+    if (!conf) {
+        struct timeval ret = { 0, 0 };
+        return ret;
+    }
+
+    return conf->timeout;
+}
+
+int pcap_thread_ext_frag_conf_set_timeout(pcap_thread_ext_frag_conf_t* conf, const struct timeval timeout)
+{
+    if (!conf) {
+        return PCAP_THREAD_EINVAL;
+    }
+
+    conf->timeout = timeout;
+
+    return PCAP_THREAD_OK;
+}
+
+pcap_thread_ext_frag_callback_t pcap_thread_ext_frag_conf_overlap_callback(const pcap_thread_ext_frag_conf_t* conf)
+{
+    if (!conf) {
+        return 0;
+    }
+
+    return conf->overlap_callback;
+}
+
+int pcap_thread_ext_frag_conf_set_overlap_callback(pcap_thread_ext_frag_conf_t* conf, pcap_thread_ext_frag_callback_t overlap_callback)
+{
+    if (!conf) {
+        return PCAP_THREAD_EINVAL;
+    }
+
+    conf->overlap_callback = overlap_callback;
+
+    return PCAP_THREAD_OK;
+}
+
+pcap_thread_ext_frag_callback_t pcap_thread_ext_frag_conf_timeout_callback(const pcap_thread_ext_frag_conf_t* conf)
+{
+    if (!conf) {
+        return 0;
+    }
+
+    return conf->timeout_callback;
+}
+
+int pcap_thread_ext_frag_conf_set_timeout_callback(pcap_thread_ext_frag_conf_t* conf, pcap_thread_ext_frag_callback_t timeout_callback)
+{
+    if (!conf) {
+        return PCAP_THREAD_EINVAL;
+    }
+
+    conf->timeout_callback = timeout_callback;
+
+    return PCAP_THREAD_OK;
+}
+
+/*
+ * Init
+ */
+
+pcap_thread_layer_callback_frag_t pcap_thread_ext_frag_layer_callback(pcap_thread_ext_frag_conf_t* conf)
+{
+    pcap_thread_layer_callback_frag_t callback = PCAP_THREAD_LAYER_CALLBACK_FRAG_T_INIT;
+
+    if (conf) {
+        callback.conf       = (void*)conf;
+        callback.new        = pcap_thread_layer_callback_frag_new;
+        callback.free       = pcap_thread_layer_callback_frag_free;
+        callback.reassemble = pcap_thread_layer_callback_frag_reassemble;
+        callback.release    = pcap_thread_layer_callback_frag_release;
+    }
+
+    return callback;
+}
+
+/*
+ * Callbacks
+ */
+
+#if PCAP_THREAD_EXT_FRAG_TRACE
+#include <stdio.h>
+#define layer_trace(msg) printf("LT %s:%d: " msg "\n", __FILE__, __LINE__)
+#define layer_tracef(msg, args...) printf("LT %s:%d: " msg "\n", __FILE__, __LINE__, args)
+#else
+#define layer_trace(msg)
+#define layer_tracef(msg, args...)
+#endif
+
+/* TODO:
+typedef struct _hole _hole_t;
+struct _hole {
+    _hole_t* next;
+
+    size_t first, last;
+};
+*/
+
+#ifdef HAVE_PTHREAD
+#define PCAP_THREAD_EXT_FRAG_CTX_T_INIT_MUTEX PTHREAD_MUTEX_INITIALIZER,
+#else
+#define PCAP_THREAD_EXT_FRAG_CTX_T_INIT_MUTEX
+#endif
+
+/* clang-format off */
+#define PCAP_THREAD_EXT_FRAG_CTX_T_INIT { \
+    PCAP_THREAD_EXT_FRAG_CTX_T_INIT_MUTEX \
+    PCAP_THREAD_EXT_FRAG_CONF_T_INIT, 0, 0 \
+}
+/* clang-format on */
+
+typedef struct _ctx _ctx_t;
+struct _ctx {
+#ifdef HAVE_PTHREAD
+    pthread_mutex_t mutex;
+#endif
+    pcap_thread_ext_frag_conf_t       conf;
+    pcap_thread_ext_frag_fragments_t* fragments;
+    size_t                            num_fragments;
+};
+
+static _ctx_t _ctx_defaults = PCAP_THREAD_EXT_FRAG_CTX_T_INIT;
+
+static void* pcap_thread_layer_callback_frag_new(void* conf, u_char* user)
+{
+    _ctx_t* ctx = calloc(1, sizeof(_ctx_t));
+    if (ctx) {
+        layer_tracef("new ctx %p", ctx);
+        memcpy(ctx, &_ctx_defaults, sizeof(_ctx_t));
+        if (conf) {
+            memcpy(&(ctx->conf), conf, sizeof(pcap_thread_ext_frag_conf_t));
+        }
+    }
+
+    return ctx;
+}
+
+static void pcap_thread_layer_callback_frag_free(void* _ctx)
+{
+    _ctx_t* ctx = (_ctx_t*)_ctx;
+    if (ctx) {
+        layer_tracef("free ctx %p", ctx);
+        while (ctx->fragments) {
+            pcap_thread_ext_frag_fragments_t* frags = ctx->fragments;
+            ctx->fragments                          = frags->next;
+
+            while (frags->fragments) {
+                pcap_thread_ext_frag_fragment_t* frag = frags->fragments;
+                frags->fragments                      = frag->next;
+
+                if (frag->payload) {
+                    free(frag->payload);
+                }
+                free(frag);
+            }
+
+            if (frags->payload) {
+                free(frags->payload);
+            }
+            free(frags);
+        }
+    }
+}
+
+static pcap_thread_packet_state_t reassemble(_ctx_t* ctx, const pcap_thread_packet_t* packet, pcap_thread_packet_t** whole_packet, const u_char** whole_payload, size_t* whole_length, pcap_thread_ext_frag_fragments_t* frags, pcap_thread_ext_frag_fragment_t* frag)
+{
+    pcap_thread_ext_frag_fragment_t *f, *f_prev;
+    int                              missing_frag = 0;
+    /* TODO:
+    int rfc815_seen_no_more_frags = 0;
+    */
+
+    if ((frag->offset + frag->length) > frags->length) {
+        frags->length = frag->offset + frag->length;
+    }
+
+    layer_tracef("new frag len %lu off %lu mf %d (frags len %lu)", frag->length, frag->offset, frag->flag_more_fragments, frags->length);
+
+    /* Place the fragment in the fragments list */
+    switch (ctx->conf.reassemble_mode) {
+    case PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC791:
+        for (f_prev = 0, f = frags->fragments; f; f_prev = f, f = f->next) {
+            layer_tracef("checking frag %p len %lu off %lu mf %d next %p", f, f->length, f->offset, f->flag_more_fragments, f->next);
+
+            if (f->offset > frag->offset) {
+                if (f_prev) {
+                    f_prev->next = frag;
+                } else {
+                    frags->fragments = frag;
+                }
+                frag->next = f;
+                f          = frag;
+                break;
+            }
+            if (f_prev && (f_prev->offset + f_prev->length) < f->offset) {
+                missing_frag = 1;
+            }
+        }
+        if (!f) {
+            if (f_prev) {
+                f_prev->next = frag;
+                if ((f_prev->offset + f_prev->length) < frag->offset) {
+                    missing_frag = 1;
+                }
+            } else {
+                frags->fragments = frag;
+            }
+            /* New frag is now last frag */
+            f_prev = frag;
+        } else if (!missing_frag) {
+            for (; f; f_prev = f, f = f->next) {
+                layer_tracef("checking frag %p len %lu off %lu mf %d next %p", f, f->length, f->offset, f->flag_more_fragments, f->next);
+                if (f_prev && (f_prev->offset + f_prev->length) < f->offset) {
+                    missing_frag = 1;
+                    break;
+                }
+            }
+        }
+        /*
+         * If first is not offset zero or last have more fragments flag,
+         * we are missing fragments.
+         */
+        if (!missing_frag && (frags->fragments->offset || (f_prev && f_prev->flag_more_fragments))) {
+            missing_frag = 1;
+        }
+        break;
+    case PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC815:
+        /* TODO:
+        for (f_prev = 0, f = frags->fragments; f; f_prev = f, f = f->next) {
+            layer_tracef("checking frag %p len %lu off %lu mf %d next %p", f, f->length, f->offset, f->flag_more_fragments, f->next);
+
+            if (!f->flag_more_fragments) {
+                rfc815_seen_no_more_frags = 1;
+            }
+        }
+        */
+        free(frag->payload);
+        free(frag);
+        return PCAP_THREAD_EINVAL;
+        break;
+    case PCAP_THREAD_EXT_FRAG_REASSEMBLE_BSD:
+        for (f_prev = 0, f = frags->fragments; f; f_prev = f, f = f->next) {
+            layer_tracef("checking frag %p len %lu off %lu mf %d next %p", f, f->length, f->offset, f->flag_more_fragments, f->next);
+
+            if (f->offset > frag->offset) {
+                if (f_prev) {
+                    f_prev->next = frag;
+                } else {
+                    frags->fragments = frag;
+                }
+                frag->next = f;
+                f          = frag;
+                break;
+            }
+            if (f_prev && (f->offset + f->length) < f_prev->offset) {
+                missing_frag = 1;
+            }
+        }
+        if (!f) {
+            if (f_prev) {
+                f_prev->next = frag;
+                if ((frag->offset + frag->length) < f_prev->offset) {
+                    missing_frag = 1;
+                }
+            } else {
+                frags->fragments = frag;
+            }
+        } else if (!missing_frag) {
+            for (; f; f_prev = f, f = f->next) {
+                layer_tracef("checking frag %p len %lu off %lu mf %d next %p", f, f->length, f->offset, f->flag_more_fragments, f->next);
+                if (f_prev && (f->offset + f->length) < f_prev->offset) {
+                    missing_frag = 1;
+                    break;
+                }
+            }
+        }
+        /*
+         * If first (last on list) is not offset zero or last (first on
+         * list) have more fragments flag, we are missing fragments.
+         */
+        if (!missing_frag && ((f_prev && f_prev->offset) || frags->fragments->flag_more_fragments)) {
+            missing_frag = 1;
+        }
+        break;
+    }
+    frags->num_fragments++;
+
+    if (missing_frag) {
+        layer_trace("need more frags");
+        return PCAP_THREAD_PACKET_OK;
+    }
+
+    if (!frags->length) {
+        layer_trace("frags complete but no size");
+        return PCAP_THREAD_PACKET_INVALID_FRAGMENT;
+    }
+
+    if (ctx->conf.reject_overlap) {
+        switch (ctx->conf.reassemble_mode) {
+        case PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC791:
+            for (f_prev = 0, f = frags->fragments; f; f_prev = f, f = f->next) {
+                layer_tracef("checking frag %p len %lu off %lu mf %d next %p", f, f->length, f->offset, f->flag_more_fragments, f->next);
+                if (f_prev && (f_prev->offset + f_prev->length) > f->offset) {
+                    layer_trace("overlapping fragment");
+                    if (ctx->conf.overlap_callback)
+                        ctx->conf.overlap_callback(packet, frag->payload, frag->length, frags);
+                    return PCAP_THREAD_PACKET_INVALID_FRAGMENT;
+                }
+            }
+            break;
+        case PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC815:
+            /* TODO:
+            */
+            break;
+        case PCAP_THREAD_EXT_FRAG_REASSEMBLE_BSD:
+            for (f_prev = 0, f = frags->fragments; f; f_prev = f, f = f->next) {
+                layer_tracef("checking frag %p len %lu off %lu mf %d next %p", f, f->length, f->offset, f->flag_more_fragments, f->next);
+                if (f_prev && (f->offset + f->length) > f_prev->offset) {
+                    layer_trace("overlapping fragment");
+                    if (ctx->conf.overlap_callback)
+                        ctx->conf.overlap_callback(packet, frag->payload, frag->length, frags);
+                    return PCAP_THREAD_PACKET_INVALID_FRAGMENT;
+                }
+            }
+            break;
+        }
+    }
+
+    /*
+     * Reassemble packet
+     */
+    if (!(frags->payload = calloc(1, frags->length))) {
+        layer_trace("nomem frags payload");
+        return PCAP_THREAD_PACKET_ENOMEM;
+    }
+    for (f = frags->fragments; f; f = f->next) {
+        memcpy(frags->payload + f->offset, f->payload, f->length);
+    }
+
+    frags->packet.name   = packet->name;
+    frags->packet.dlt    = packet->dlt;
+    frags->packet.pkthdr = packet->pkthdr;
+    /*
+     * We add the total payload length minus current fragment, since it is
+     * already included, to the pkthdr lengths in order to return correct
+     * total packet length (header + payload).
+     */
+    frags->packet.pkthdr.len += frags->length - frag->length;
+    frags->packet.pkthdr.caplen += frags->length - frag->length;
+    frags->packet.have_pkthdr = packet->have_pkthdr;
+
+    *whole_packet  = &(frags->packet);
+    *whole_payload = frags->payload;
+    *whole_length  = frags->length;
+
+    return PCAP_THREAD_PACKET_OK;
+}
+
+static pcap_thread_packet_state_t reassemble_ipv4(_ctx_t* ctx, const pcap_thread_packet_t* packet, const u_char* payload, size_t length, pcap_thread_packet_t** whole_packet, const u_char** whole_payload, size_t* whole_length)
+{
+    pcap_thread_ext_frag_fragments_t *frags, *frags_prev;
+    pcap_thread_ext_frag_fragment_t*  frag;
+
+    if (!packet->have_pkthdr) {
+        layer_trace("no pkthdr");
+        return PCAP_THREAD_PACKET_INVALID;
+    }
+
+    layer_tracef("ipv4 ctx %p", ctx);
+
+    /* Find packet fragments */
+    for (frags_prev = 0, frags = ctx->fragments; frags; frags_prev = frags, frags = frags->next) {
+        if (frags->packet.have_iphdr
+            && packet->iphdr.ip_id == frags->packet.iphdr.ip_id
+            && packet->iphdr.ip_p == frags->packet.iphdr.ip_p
+            && packet->iphdr.ip_src.s_addr == frags->packet.iphdr.ip_src.s_addr
+            && packet->iphdr.ip_dst.s_addr == frags->packet.iphdr.ip_dst.s_addr) {
+
+            layer_tracef("frags %d found", packet->iphdr.ip_id);
+
+            /* Found it, remove from list */
+            if (frags_prev) {
+                frags_prev->next = frags->next;
+            }
+            if (ctx->fragments == frags) {
+                ctx->fragments = frags->next;
+            }
+            frags->next = 0;
+            break;
+        }
+    }
+
+    /* Check if frags is timed out */
+    if (ctx->conf.check_timeout && frags) {
+        struct timeval ts;
+
+        ts = frags->packet.pkthdr.ts;
+        ts.tv_sec += ctx->conf.timeout.tv_sec;
+        ts.tv_usec += ctx->conf.timeout.tv_usec;
+        ts.tv_usec %= 1000000;
+        if (packet->pkthdr.ts.tv_sec > ts.tv_sec
+            || (packet->pkthdr.ts.tv_sec == ts.tv_sec
+                   && packet->pkthdr.ts.tv_usec > ts.tv_usec)) {
+
+            pcap_thread_ext_frag_fragment_t* f;
+
+            layer_tracef("frags timed out (last: %lu.%lu, this: %lu.%lu)",
+                frags->packet.pkthdr.ts.tv_sec, frags->packet.pkthdr.ts.tv_usec,
+                packet->pkthdr.ts.tv_sec, packet->pkthdr.ts.tv_usec);
+
+            if (ctx->conf.timeout_callback)
+                ctx->conf.timeout_callback(packet, payload, length, frags);
+
+            for (f = frags->fragments; f;) {
+                frag = f;
+                f    = f->next;
+                if (frag->payload) {
+                    free(frag->payload);
+                }
+                free(frag);
+            }
+
+            if (frags->payload) {
+                free(frags->payload);
+            }
+            free(frags);
+            frags = 0;
+        } else {
+            frags->packet.pkthdr.ts = packet->pkthdr.ts;
+        }
+    }
+
+    /* No fragments found, create new */
+    if (!frags) {
+        if (ctx->num_fragments >= ctx->conf.fragments) {
+            layer_trace("too many frags");
+            return PCAP_THREAD_PACKET_INVALID_FRAGMENT;
+        }
+
+        if (!(frags = calloc(1, sizeof(pcap_thread_ext_frag_fragments_t)))) {
+            layer_trace("nomem frags");
+            return PCAP_THREAD_PACKET_ENOMEM;
+        }
+
+        layer_tracef("new frags %d", packet->iphdr.ip_id);
+
+        // TODO: How to handle prevpkt
+        memcpy(&(frags->packet.iphdr), &(packet->iphdr), sizeof(struct ip));
+        frags->packet.have_iphdr = 1;
+        frags->packet.pkthdr.ts  = packet->pkthdr.ts;
+
+        ctx->num_fragments++;
+    }
+    /* Put the fragments first on the list */
+    frags->next    = ctx->fragments;
+    ctx->fragments = frags;
+
+    if (frags->payload) {
+        layer_trace("already reassembled");
+        return PCAP_THREAD_PACKET_INVALID_FRAGMENT;
+    }
+
+    if (frags->num_fragments >= ctx->conf.per_packet) {
+        layer_trace("too many frags frag");
+        return PCAP_THREAD_PACKET_INVALID_FRAGMENT;
+    }
+
+    /* Allocate for the new fragment */
+    if (!(frag = calloc(1, sizeof(pcap_thread_ext_frag_fragment_t)))) {
+        layer_trace("nomem frag");
+        return PCAP_THREAD_PACKET_ENOMEM;
+    }
+    if (!(frag->payload = calloc(1, length))) {
+        free(frag);
+        layer_trace("nomem frag");
+        return PCAP_THREAD_PACKET_ENOMEM;
+    }
+    memcpy(frag->payload, payload, length);
+    frag->length              = length;
+    frag->offset              = (packet->iphdr.ip_off & 0x1fff) * 8;
+    frag->flag_more_fragments = packet->iphdr.ip_off & 0x2000 ? 1 : 0;
+
+    return reassemble(ctx, packet, whole_packet, whole_payload, whole_length, frags, frag);
+}
+
+static pcap_thread_packet_state_t reassemble_ipv6(_ctx_t* ctx, const pcap_thread_packet_t* packet, const u_char* payload, size_t length, pcap_thread_packet_t** whole_packet, const u_char** whole_payload, size_t* whole_length)
+{
+    pcap_thread_ext_frag_fragments_t *frags, *frags_prev;
+    pcap_thread_ext_frag_fragment_t*  frag;
+
+    layer_tracef("ipv6 ctx %p", ctx);
+
+    /* Find packet fragments */
+    for (frags_prev = 0, frags = ctx->fragments; frags; frags_prev = frags, frags = frags->next) {
+        if (frags->packet.have_ip6hdr
+            && packet->ip6frag.ip6f_ident == frags->packet.ip6frag.ip6f_ident
+            && !memcmp(&(packet->ip6hdr.ip6_src), &(frags->packet.ip6hdr.ip6_src), sizeof(struct in6_addr))
+            && ((!packet->have_ip6rtdst && !memcmp(&(packet->ip6hdr.ip6_dst), &(frags->packet.ip6hdr.ip6_dst), sizeof(struct in6_addr)))
+                   || (packet->have_ip6rtdst && !memcmp(&(packet->ip6rtdst), &(frags->packet.ip6hdr.ip6_dst), sizeof(struct in6_addr))))) {
+
+            layer_tracef("frags %x found", packet->ip6frag.ip6f_ident);
+
+            /* Found it, remove from list */
+            if (frags_prev) {
+                frags_prev->next = frags->next;
+            }
+            if (ctx->fragments == frags) {
+                ctx->fragments = frags->next;
+            }
+            frags->next = 0;
+            break;
+        }
+    }
+
+    /* Check if frags is timed out */
+    if (ctx->conf.check_timeout && frags) {
+        struct timeval ts;
+
+        ts = frags->packet.pkthdr.ts;
+        ts.tv_sec += ctx->conf.timeout.tv_sec;
+        ts.tv_usec += ctx->conf.timeout.tv_usec;
+        ts.tv_usec %= 1000000;
+        if (packet->pkthdr.ts.tv_sec > ts.tv_sec
+            || (packet->pkthdr.ts.tv_sec == ts.tv_sec
+                   && packet->pkthdr.ts.tv_usec > ts.tv_usec)) {
+
+            pcap_thread_ext_frag_fragment_t* f;
+
+            layer_tracef("frags timed out (last: %lu.%lu, this: %lu.%lu)",
+                frags->packet.pkthdr.ts.tv_sec, frags->packet.pkthdr.ts.tv_usec,
+                packet->pkthdr.ts.tv_sec, packet->pkthdr.ts.tv_usec);
+
+            if (ctx->conf.timeout_callback)
+                ctx->conf.timeout_callback(packet, payload, length, frags);
+
+            for (f = frags->fragments; f;) {
+                frag = f;
+                f    = f->next;
+                if (frag->payload) {
+                    free(frag->payload);
+                }
+                free(frag);
+            }
+
+            if (frags->payload) {
+                free(frags->payload);
+            }
+            free(frags);
+            frags = 0;
+        } else {
+            frags->packet.pkthdr.ts = packet->pkthdr.ts;
+        }
+    }
+
+    /* No fragments found, create new */
+    if (!frags) {
+        if (ctx->num_fragments >= ctx->conf.fragments) {
+            layer_trace("too many frags");
+            return PCAP_THREAD_PACKET_INVALID_FRAGMENT;
+        }
+
+        if (!(frags = calloc(1, sizeof(pcap_thread_ext_frag_fragments_t)))) {
+            layer_trace("nomem frags");
+            return PCAP_THREAD_PACKET_ENOMEM;
+        }
+
+        layer_tracef("new frags %x", packet->ip6frag.ip6f_ident);
+
+        // TODO: How to handle prevpkt
+        memcpy(&(frags->packet.ip6hdr), &(packet->ip6hdr), sizeof(struct ip6_hdr));
+        frags->packet.have_ip6hdr = 1;
+        memcpy(&(frags->packet.ip6frag), &(packet->ip6frag), sizeof(struct ip6_frag));
+        frags->packet.have_ip6frag    = 1;
+        frags->packet.ip6frag_payload = packet->ip6frag_payload;
+        if (packet->have_ip6rtdst) {
+            frags->packet.ip6hdr.ip6_dst = packet->ip6rtdst;
+        }
+        frags->packet.pkthdr.ts = packet->pkthdr.ts;
+
+        ctx->num_fragments++;
+    } else {
+        if (frags->packet.ip6frag_payload != packet->ip6frag_payload) {
+            layer_trace("wrong payload");
+            return PCAP_THREAD_PACKET_INVALID_FRAGMENT;
+        }
+    }
+    /* Put the fragments first on the list */
+    frags->next    = ctx->fragments;
+    ctx->fragments = frags;
+
+    if (frags->payload) {
+        layer_trace("already reassembled");
+        return PCAP_THREAD_PACKET_INVALID_FRAGMENT;
+    }
+
+    if (frags->num_fragments >= ctx->conf.per_packet) {
+        layer_trace("too many frags frag");
+        return PCAP_THREAD_PACKET_INVALID_FRAGMENT;
+    }
+
+    /* Allocate for the new fragment */
+    if (!(frag = calloc(1, sizeof(pcap_thread_ext_frag_fragment_t)))) {
+        layer_trace("nomem frag");
+        return PCAP_THREAD_PACKET_ENOMEM;
+    }
+    if (!(frag->payload = calloc(1, length))) {
+        free(frag);
+        layer_trace("nomem frag");
+        return PCAP_THREAD_PACKET_ENOMEM;
+    }
+    memcpy(frag->payload, payload, length);
+    frag->length              = length;
+    frag->offset              = ((packet->ip6frag.ip6f_offlg & 0xfff8) >> 3) * 8;
+    frag->flag_more_fragments = packet->ip6frag.ip6f_offlg & 0x1 ? 1 : 0;
+
+    return reassemble(ctx, packet, whole_packet, whole_payload, whole_length, frags, frag);
+}
+
+#ifdef HAVE_PTHREAD /* _release() is only used when mutex functions fails */
+static void _release(_ctx_t* ctx, const pcap_thread_packet_t* packet)
+{
+    pcap_thread_ext_frag_fragments_t *frags, *frags_prev;
+
+    layer_tracef("release ctx %p", ctx);
+
+    /* Find packet fragments */
+    for (frags_prev = 0, frags = ctx->fragments; frags; frags_prev = frags, frags = frags->next) {
+        if (frags->packet.have_iphdr
+            && packet->iphdr.ip_id == frags->packet.iphdr.ip_id
+            && packet->iphdr.ip_p == frags->packet.iphdr.ip_p
+            && packet->iphdr.ip_src.s_addr == frags->packet.iphdr.ip_src.s_addr
+            && packet->iphdr.ip_dst.s_addr == frags->packet.iphdr.ip_dst.s_addr) {
+
+            layer_tracef("release frags %d", packet->iphdr.ip_id);
+            break;
+        } else if (frags->packet.have_ip6hdr
+                   && packet->ip6frag.ip6f_ident == frags->packet.ip6frag.ip6f_ident
+                   && !memcmp(&(packet->ip6hdr.ip6_src), &(frags->packet.ip6hdr.ip6_src), sizeof(struct in6_addr))
+                   && ((!packet->have_ip6rtdst && !memcmp(&(packet->ip6hdr.ip6_dst), &(frags->packet.ip6hdr.ip6_dst), sizeof(struct in6_addr)))
+                          || (packet->have_ip6rtdst && !memcmp(&(packet->ip6rtdst), &(frags->packet.ip6hdr.ip6_dst), sizeof(struct in6_addr))))) {
+
+            layer_tracef("release frags %x", packet->ip6frag.ip6f_ident);
+            break;
+        }
+    }
+
+    if (frags) {
+        pcap_thread_ext_frag_fragment_t *frag, *f;
+
+        /* Found it, remove from list */
+        if (frags_prev) {
+            frags_prev->next = frags->next;
+        }
+        if (ctx->fragments == frags) {
+            ctx->fragments = frags->next;
+        }
+        frags->next = 0;
+        ctx->num_fragments--;
+
+        for (f = frags->fragments; f;) {
+            frag = f;
+            f    = f->next;
+            if (frag->payload) {
+                free(frag->payload);
+            }
+            free(frag);
+        }
+
+        if (frags->payload) {
+            free(frags->payload);
+        }
+        free(frags);
+    }
+}
+#endif
+
+static pcap_thread_packet_state_t pcap_thread_layer_callback_frag_reassemble(void* _ctx, const pcap_thread_packet_t* packet, const u_char* payload, size_t length, pcap_thread_packet_t** whole_packet, const u_char** whole_payload, size_t* whole_length)
+{
+    _ctx_t*                    ctx   = (_ctx_t*)_ctx;
+    pcap_thread_packet_state_t state = PCAP_THREAD_PACKET_INVALID;
+
+    if (!ctx) {
+        return PCAP_THREAD_PACKET_INVALID;
+    }
+    if (!packet) {
+        return PCAP_THREAD_PACKET_INVALID;
+    }
+    if (!payload) {
+        return PCAP_THREAD_PACKET_INVALID;
+    }
+    if (!length) {
+        return PCAP_THREAD_PACKET_INVALID;
+    }
+    if (!whole_packet) {
+        return PCAP_THREAD_PACKET_INVALID;
+    }
+    if (!whole_payload) {
+        return PCAP_THREAD_PACKET_INVALID;
+    }
+    if (!whole_length) {
+        return PCAP_THREAD_PACKET_INVALID;
+    }
+
+    if (ctx && packet && payload && length
+        && whole_packet && whole_payload && whole_length) {
+        if (packet->have_iphdr) {
+#ifdef HAVE_PTHREAD
+            if (pthread_mutex_lock(&(ctx->mutex))) {
+                return PCAP_THREAD_PACKET_EMUTEX;
+            }
+#endif
+            state = reassemble_ipv4(ctx, packet, payload, length, whole_packet, whole_payload, whole_length);
+#ifdef HAVE_PTHREAD
+            if (pthread_mutex_unlock(&(ctx->mutex))) {
+                if (state == PCAP_THREAD_PACKET_OK && *whole_packet && *whole_payload && *whole_length) {
+                    _release(ctx, *whole_packet);
+                }
+                return PCAP_THREAD_PACKET_EMUTEX;
+            }
+#endif
+        } else if (packet->have_ip6hdr && packet->have_ip6frag) {
+#ifdef HAVE_PTHREAD
+            if (pthread_mutex_lock(&(ctx->mutex))) {
+                return PCAP_THREAD_PACKET_EMUTEX;
+            }
+#endif
+            state = reassemble_ipv6(ctx, packet, payload, length, whole_packet, whole_payload, whole_length);
+#ifdef HAVE_PTHREAD
+            if (pthread_mutex_unlock(&(ctx->mutex))) {
+                if (state == PCAP_THREAD_PACKET_OK && *whole_packet && *whole_payload && *whole_length) {
+                    _release(ctx, *whole_packet);
+                }
+                return PCAP_THREAD_PACKET_EMUTEX;
+            }
+#endif
+        }
+    }
+
+    return state;
+}
+
+static void pcap_thread_layer_callback_frag_release(void* _ctx, const pcap_thread_packet_t* packet, const u_char* payload, size_t length)
+{
+    _ctx_t*                           ctx = (_ctx_t*)_ctx;
+    pcap_thread_ext_frag_fragments_t *frags, *frags_prev;
+
+    if (!ctx) {
+        return;
+    }
+    if (!packet) {
+        return;
+    }
+    if (packet->have_ip6hdr) {
+        if (!packet->have_ip6frag) {
+            return;
+        }
+    } else if (!packet->have_iphdr) {
+        return;
+    }
+
+#ifdef HAVE_PTHREAD
+    if (pthread_mutex_lock(&(ctx->mutex))) {
+        return;
+    }
+#endif
+
+    /* Find packet fragments */
+    for (frags_prev = 0, frags = ctx->fragments; frags; frags_prev = frags, frags = frags->next) {
+        if ((frags->packet.have_iphdr
+                && packet->iphdr.ip_id == frags->packet.iphdr.ip_id
+                && packet->iphdr.ip_p == frags->packet.iphdr.ip_p
+                && packet->iphdr.ip_src.s_addr == frags->packet.iphdr.ip_src.s_addr
+                && packet->iphdr.ip_dst.s_addr == frags->packet.iphdr.ip_dst.s_addr)
+            || (frags->packet.have_ip6hdr
+                   && packet->ip6frag.ip6f_ident == frags->packet.ip6frag.ip6f_ident
+                   && !memcmp(&(packet->ip6hdr.ip6_src), &(frags->packet.ip6hdr.ip6_src), sizeof(struct in6_addr))
+                   && ((!packet->have_ip6rtdst && !memcmp(&(packet->ip6hdr.ip6_dst), &(frags->packet.ip6hdr.ip6_dst), sizeof(struct in6_addr)))
+                          || (packet->have_ip6rtdst && !memcmp(&(packet->ip6rtdst), &(frags->packet.ip6hdr.ip6_dst), sizeof(struct in6_addr)))))) {
+
+            /* Found it, remove from list */
+            if (frags_prev) {
+                frags_prev->next = frags->next;
+            }
+            if (ctx->fragments == frags) {
+                ctx->fragments = frags->next;
+            }
+            frags->next = 0;
+            ctx->num_fragments--;
+            break;
+        }
+    }
+
+#ifdef HAVE_PTHREAD
+    pthread_mutex_unlock(&(ctx->mutex));
+#endif
+
+    if (frags) {
+        pcap_thread_ext_frag_fragment_t *frag, *f;
+
+        for (f = frags->fragments; f;) {
+            frag = f;
+            f    = f->next;
+            if (frag->payload) {
+                free(frag->payload);
+            }
+            free(frag);
+        }
+
+        if (frags->payload) {
+            free(frags->payload);
+        }
+        free(frags);
+    }
+}
diff --git a/src/pcap-thread/pcap_thread_ext_frag.h b/src/pcap-thread/pcap_thread_ext_frag.h
new file mode 100644
index 0000000..dfa151a
--- /dev/null
+++ b/src/pcap-thread/pcap_thread_ext_frag.h
@@ -0,0 +1,131 @@
+/*
+ * Author Jerry Lundström <jerry@dns-oarc.net>
+ * Copyright (c) 2016-2017, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "pcap_thread.h"
+
+#ifndef __pcap_thread_ext_frag_h
+#define __pcap_thread_ext_frag_h
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * RFC791 - Handle fragments in an offset ascending order, allow fragments to overlap
+ * RFC815 - Handle fragments in a receiving order, allow fragments to overlap
+ * BSD    - Handle fragments in an offset descending order, allow fragments to overlap
+ */
+typedef enum pcap_thread_ext_frag_reassemble_mode pcap_thread_ext_frag_reassemble_mode_t;
+enum pcap_thread_ext_frag_reassemble_mode {
+    PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC791 = 0,
+    PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC815,
+    PCAP_THREAD_EXT_FRAG_REASSEMBLE_BSD
+};
+
+typedef struct pcap_thread_ext_frag_fragment pcap_thread_ext_frag_fragment_t;
+struct pcap_thread_ext_frag_fragment {
+    pcap_thread_ext_frag_fragment_t* next;
+
+    unsigned short flag_more_fragments : 1;
+
+    u_char* payload;
+    size_t  length;
+    size_t  offset;
+};
+
+typedef struct pcap_thread_ext_frag_fragments pcap_thread_ext_frag_fragments_t;
+struct pcap_thread_ext_frag_fragments {
+    pcap_thread_ext_frag_fragments_t* next;
+
+    pcap_thread_packet_t             packet;
+    pcap_thread_ext_frag_fragment_t* fragments;
+    size_t                           num_fragments;
+    u_char*                          payload;
+    size_t                           length;
+};
+
+typedef void (*pcap_thread_ext_frag_callback_t)(const pcap_thread_packet_t* packet, const u_char* payload, size_t length, const pcap_thread_ext_frag_fragments_t* fragments);
+
+/* clang-format off */
+#define PCAP_THREAD_EXT_FRAG_CONF_T_INIT { \
+    0, 0, \
+    PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC791, \
+    100, 10, { 30, 0 }, \
+    0, 0 \
+}
+/* clang-format on */
+
+typedef struct pcap_thread_ext_frag_conf pcap_thread_ext_frag_conf_t;
+struct pcap_thread_ext_frag_conf {
+    unsigned short reject_overlap : 1;
+    unsigned short check_timeout : 1;
+
+    pcap_thread_ext_frag_reassemble_mode_t reassemble_mode;
+
+    size_t         fragments;
+    size_t         per_packet;
+    struct timeval timeout;
+
+    pcap_thread_ext_frag_callback_t overlap_callback;
+    pcap_thread_ext_frag_callback_t timeout_callback;
+};
+
+pcap_thread_ext_frag_conf_t* pcap_thread_ext_frag_conf_new(void);
+void pcap_thread_ext_frag_conf_free(pcap_thread_ext_frag_conf_t* conf);
+
+int pcap_thread_ext_frag_conf_reject_overlap(const pcap_thread_ext_frag_conf_t* conf);
+int pcap_thread_ext_frag_conf_set_reject_overlap(pcap_thread_ext_frag_conf_t* conf, const int reject_overlap);
+int pcap_thread_ext_frag_conf_check_timeout(const pcap_thread_ext_frag_conf_t* conf);
+int pcap_thread_ext_frag_conf_set_check_timeout(pcap_thread_ext_frag_conf_t* conf, const int check_timeout);
+pcap_thread_ext_frag_reassemble_mode_t pcap_thread_ext_frag_conf_reassemble_mode(const pcap_thread_ext_frag_conf_t* conf);
+int pcap_thread_ext_frag_conf_set_reassemble_mode(pcap_thread_ext_frag_conf_t* conf, const pcap_thread_ext_frag_reassemble_mode_t reassemble_mode);
+size_t pcap_thread_ext_frag_conf_fragments(const pcap_thread_ext_frag_conf_t* conf);
+int pcap_thread_ext_frag_conf_set_fragments(pcap_thread_ext_frag_conf_t* conf, const size_t fragments);
+size_t pcap_thread_ext_frag_conf_per_packet(const pcap_thread_ext_frag_conf_t* conf);
+int pcap_thread_ext_frag_conf_set_per_packet(pcap_thread_ext_frag_conf_t* conf, const size_t per_packet);
+struct timeval pcap_thread_ext_frag_conf_timeout(const pcap_thread_ext_frag_conf_t* conf);
+int pcap_thread_ext_frag_conf_set_timeout(pcap_thread_ext_frag_conf_t* conf, const struct timeval timeout);
+pcap_thread_ext_frag_callback_t pcap_thread_ext_frag_conf_overlap_callback(const pcap_thread_ext_frag_conf_t* conf);
+int pcap_thread_ext_frag_conf_set_overlap_callback(pcap_thread_ext_frag_conf_t* conf, pcap_thread_ext_frag_callback_t overlap_callback);
+pcap_thread_ext_frag_callback_t pcap_thread_ext_frag_conf_timeout_callback(const pcap_thread_ext_frag_conf_t* conf);
+int pcap_thread_ext_frag_conf_set_timeout_callback(pcap_thread_ext_frag_conf_t* conf, pcap_thread_ext_frag_callback_t timeout_callback);
+
+pcap_thread_layer_callback_frag_t pcap_thread_ext_frag_layer_callback(pcap_thread_ext_frag_conf_t* conf);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __pcap_thread_ext_frag_h */
diff --git a/src/pcaps.c b/src/pcaps.c
new file mode 100644
index 0000000..9cb6b7b
--- /dev/null
+++ b/src/pcaps.c
@@ -0,0 +1,236 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "pcaps.h"
+#include "log.h"
+#include "network.h"
+
+#include "pcap-thread/pcap_thread_ext_frag.h"
+
+static void
+drop_pkt(u_char* user, const struct pcap_pkthdr* hdr, const u_char* pkt, const char* name, const int dlt)
+{
+    mypcap_ptr mypcap = (mypcap_ptr)user;
+
+    pcap_drops++;
+    if (mypcap) {
+        mypcap->drops++;
+    }
+}
+
+void print_pcap_thread_error(const char* func, int err)
+{
+    if (err == PCAP_THREAD_EPCAP) {
+        fprintf(stderr, "%s: pcap_thread libpcap error [%d] %s: %s (%s)\n",
+            ProgramName,
+            pcap_thread_status(&pcap_thread),
+            func,
+            pcap_statustostr(pcap_thread_status(&pcap_thread)),
+            pcap_thread_errbuf(&pcap_thread));
+    } else if (err != PCAP_THREAD_OK) {
+        fprintf(stderr, "%s: pcap_thread error [%d] %s: %s\n",
+            ProgramName,
+            err,
+            func,
+            pcap_thread_strerr(err));
+    }
+}
+
+static pcap_thread_ext_frag_conf_t frag_conf_v4 = PCAP_THREAD_EXT_FRAG_CONF_T_INIT;
+static pcap_thread_ext_frag_conf_t frag_conf_v6 = PCAP_THREAD_EXT_FRAG_CONF_T_INIT;
+
+void open_pcaps(void)
+{
+    mypcap_ptr mypcap;
+    int        err;
+
+    if ((err = pcap_thread_set_snaplen(&pcap_thread, SNAPLEN)) != PCAP_THREAD_OK) {
+        print_pcap_thread_error("pcap_thread_set_snaplen()", err);
+        exit(1);
+    }
+    if ((err = pcap_thread_set_promiscuous(&pcap_thread, promisc)) != PCAP_THREAD_OK) {
+        print_pcap_thread_error("pcap_thread_set_promiscuous()", err);
+        exit(1);
+    }
+    if ((err = pcap_thread_set_monitor(&pcap_thread, monitor_mode)) != PCAP_THREAD_OK) {
+        print_pcap_thread_error("pcap_thread_set_monitor()", err);
+        exit(1);
+    }
+    if ((err = pcap_thread_set_immediate_mode(&pcap_thread, immediate_mode)) != PCAP_THREAD_OK) {
+        print_pcap_thread_error("pcap_thread_set_immediate_mode()", err);
+        exit(1);
+    }
+    if (options.use_layers) {
+        if ((err = pcap_thread_set_callback_icmp(&pcap_thread, layer_pkt)) != PCAP_THREAD_OK) {
+            print_pcap_thread_error("pcap_thread_set_callback_icmp()", err);
+            exit(1);
+        }
+        if ((err = pcap_thread_set_callback_icmpv6(&pcap_thread, layer_pkt)) != PCAP_THREAD_OK) {
+            print_pcap_thread_error("pcap_thread_set_callback_icmpv6()", err);
+            exit(1);
+        }
+        if ((err = pcap_thread_set_callback_udp(&pcap_thread, layer_pkt)) != PCAP_THREAD_OK) {
+            print_pcap_thread_error("pcap_thread_set_callback_udp()", err);
+            exit(1);
+        }
+        if ((err = pcap_thread_set_callback_tcp(&pcap_thread, layer_pkt)) != PCAP_THREAD_OK) {
+            print_pcap_thread_error("pcap_thread_set_callback_tcp()", err);
+            exit(1);
+        }
+
+        if ((err = pcap_thread_set_use_layers(&pcap_thread, 1)) != PCAP_THREAD_OK) {
+            print_pcap_thread_error("pcap_thread_set_use_layers()", err);
+            exit(1);
+        }
+
+        if (options.defrag_ipv4) {
+            if (options.max_ipv4_fragments > 0 && (err = pcap_thread_ext_frag_conf_set_fragments(&frag_conf_v4, options.max_ipv4_fragments)) != PCAP_THREAD_OK) {
+                print_pcap_thread_error("pcap_thread_ext_frag_conf_set_fragments()", err);
+                exit(1);
+            }
+            if (options.max_ipv4_fragments_per_packet > 0 && (err = pcap_thread_ext_frag_conf_set_per_packet(&frag_conf_v4, options.max_ipv4_fragments_per_packet)) != PCAP_THREAD_OK) {
+                print_pcap_thread_error("pcap_thread_ext_frag_conf_set_per_packet()", err);
+                exit(1);
+            }
+            if ((err = pcap_thread_set_callback_ipv4_frag(&pcap_thread, pcap_thread_ext_frag_layer_callback(&frag_conf_v4))) != PCAP_THREAD_OK) {
+                print_pcap_thread_error("pcap_thread_set_callback_ipv4_frag()", err);
+                exit(1);
+            }
+        }
+        if (options.defrag_ipv6) {
+            if (options.max_ipv6_fragments > 0 && (err = pcap_thread_ext_frag_conf_set_fragments(&frag_conf_v6, options.max_ipv6_fragments)) != PCAP_THREAD_OK) {
+                print_pcap_thread_error("pcap_thread_ext_frag_conf_set_fragments()", err);
+                exit(1);
+            }
+            if (options.max_ipv6_fragments_per_packet > 0 && (err = pcap_thread_ext_frag_conf_set_per_packet(&frag_conf_v6, options.max_ipv6_fragments_per_packet)) != PCAP_THREAD_OK) {
+                print_pcap_thread_error("pcap_thread_ext_frag_conf_set_per_packet()", err);
+                exit(1);
+            }
+            if ((err = pcap_thread_set_callback_ipv6_frag(&pcap_thread, pcap_thread_ext_frag_layer_callback(&frag_conf_v6))) != PCAP_THREAD_OK) {
+                print_pcap_thread_error("pcap_thread_set_callback_ipv6_frag()", err);
+                exit(1);
+            }
+        }
+    } else {
+        if ((err = pcap_thread_set_callback(&pcap_thread, dl_pkt)) != PCAP_THREAD_OK) {
+            print_pcap_thread_error("pcap_thread_set_callback()", err);
+            exit(1);
+        }
+    }
+    if ((err = pcap_thread_set_dropback(&pcap_thread, drop_pkt)) != PCAP_THREAD_OK) {
+        print_pcap_thread_error("pcap_thread_set_dropback()", err);
+        exit(1);
+    }
+    if ((err = pcap_thread_set_filter(&pcap_thread, bpft, strlen(bpft))) != PCAP_THREAD_OK) {
+        print_pcap_thread_error("pcap_thread_set_filter()", err);
+        exit(1);
+    }
+    if (options.pcap_buffer_size && (err = pcap_thread_set_buffer_size(&pcap_thread, options.pcap_buffer_size)) != PCAP_THREAD_OK) {
+        print_pcap_thread_error("pcap_thread_set_buffer_size()", err);
+        exit(1);
+    }
+
+    assert(!EMPTY(mypcaps));
+    for (mypcap = HEAD(mypcaps);
+         mypcap != NULL;
+         mypcap = NEXT(mypcap, link)) {
+        if (pcap_offline)
+            err = pcap_thread_open_offline(&pcap_thread, mypcap->name, (u_char*)mypcap);
+        else
+            err = pcap_thread_open(&pcap_thread, mypcap->name, (u_char*)mypcap);
+
+        if (err == PCAP_THREAD_EPCAP) {
+            fprintf(stderr, "%s: pcap_thread libpcap error [%d]: %s (%s)\n",
+                ProgramName,
+                pcap_thread_status(&pcap_thread),
+                pcap_statustostr(pcap_thread_status(&pcap_thread)),
+                pcap_thread_errbuf(&pcap_thread));
+            exit(1);
+        }
+        if (err) {
+            fprintf(stderr, "%s: pcap_thread error [%d]: %s\n",
+                ProgramName,
+                err,
+                pcap_thread_strerr(err));
+            exit(1);
+        }
+    }
+    pcap_dead = pcap_open_dead(DLT_RAW, SNAPLEN);
+}
+
+void poll_pcaps(void)
+{
+    pcap_thread_run(&pcap_thread);
+    main_exit = TRUE;
+}
+
+void breakloop_pcaps(void)
+{
+    pcap_thread_stop(&pcap_thread);
+}
+
+void close_pcaps(void)
+{
+    pcap_thread_close(&pcap_thread);
+}
+
+static void stat_callback(u_char* user, const struct pcap_stat* stats, const char* name, int dlt)
+{
+    mypcap_ptr mypcap;
+    for (mypcap = HEAD(mypcaps);
+         mypcap != NULL;
+         mypcap = NEXT(mypcap, link)) {
+        if (!strcmp(name, mypcap->name))
+            break;
+    }
+
+    if (mypcap) {
+        mypcap->ps0 = mypcap->ps1;
+        mypcap->ps1 = *stats;
+        logerr("%s: %u recv %u drop %u total ptdrop %lu",
+            mypcap->name,
+            mypcap->ps1.ps_recv - mypcap->ps0.ps_recv,
+            mypcap->ps1.ps_drop - mypcap->ps0.ps_drop,
+            mypcap->ps1.ps_recv + mypcap->ps1.ps_drop - mypcap->ps0.ps_recv - mypcap->ps0.ps_drop,
+            mypcap->drops);
+    }
+}
+
+void do_pcap_stats()
+{
+    logerr("total drops: %lu", pcap_drops);
+    pcap_thread_stats(&pcap_thread, stat_callback, 0);
+}
diff --git a/src/pcaps.h b/src/pcaps.h
new file mode 100644
index 0000000..6e1e075
--- /dev/null
+++ b/src/pcaps.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap.h"
+
+#ifndef __dnscap_pcaps_h
+#define __dnscap_pcaps_h
+
+void print_pcap_thread_error(const char* func, int err);
+void open_pcaps(void);
+void poll_pcaps(void);
+void breakloop_pcaps(void);
+void close_pcaps(void);
+void do_pcap_stats();
+
+#endif /* __dnscap_pcaps_h */
diff --git a/src/sig.c b/src/sig.c
new file mode 100644
index 0000000..7e7376e
--- /dev/null
+++ b/src/sig.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "sig.h"
+#include "log.h"
+#include "dumper.h"
+#include "pcaps.h"
+
+void setsig(int sig, int oneshot)
+{
+    struct sigaction sa;
+
+    memset(&sa, 0, sizeof sa);
+    if (oneshot) {
+        sa.sa_handler = sigbreak;
+        sa.sa_flags   = SA_RESETHAND;
+    } else {
+        sa.sa_handler = sigclose;
+        sa.sa_flags   = SA_RESTART;
+    }
+    if (sigaction(sig, &sa, NULL) < 0) {
+        logerr("sigaction: %s", strerror(errno));
+        exit(1);
+    }
+}
+
+void sigclose(int signum)
+{
+    if (0 == last_ts.tv_sec)
+        gettimeofday(&last_ts, NULL);
+    if (signum == SIGALRM)
+        alarm_set = FALSE;
+    if (dumper_close(last_ts))
+        breakloop_pcaps();
+}
+
+void sigbreak(int signum __attribute__((unused)))
+{
+    logerr("%s: signalled break", ProgramName);
+    main_exit = TRUE;
+    breakloop_pcaps();
+}
+
+void* sigthread(void* arg)
+{
+#if HAVE_PTHREAD
+    sigset_t* set = (sigset_t*)arg;
+    int       sig, err;
+
+    while (1) {
+        if ((err = sigwait(set, &sig))) {
+            logerr("sigwait: %s", strerror(err));
+            return 0;
+        }
+
+        switch (sig) {
+        case SIGALRM:
+            sigclose(sig);
+            break;
+
+        default:
+            sigbreak(sig);
+            break;
+        }
+    }
+#endif
+
+    return 0;
+}
diff --git a/src/sig.h b/src/sig.h
new file mode 100644
index 0000000..c7b1296
--- /dev/null
+++ b/src/sig.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap.h"
+
+#ifndef __dnscap_sig_h
+#define __dnscap_sig_h
+
+void  setsig(int sig, int oneshot);
+void  sigclose(int signum);
+void  sigbreak(int signum __attribute__((unused)));
+void* sigthread(void* arg);
+
+#endif /* __dnscap_sig_h */
diff --git a/src/tcpreasm.c b/src/tcpreasm.c
new file mode 100644
index 0000000..ce37b10
--- /dev/null
+++ b/src/tcpreasm.c
@@ -0,0 +1,547 @@
+/*
+ * Copyright (c) 2018-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "tcpreasm.h"
+#include "log.h"
+#include "network.h"
+
+#include <stdlib.h>
+#include <ldns/ldns.h>
+
+#define dfprintf(a, b...)      \
+    if (dumptrace >= 3) {      \
+        fprintf(stderr, b);    \
+        fprintf(stderr, "\n"); \
+    }
+#define dsyslogf(a, b...) logerr(b)
+#define nptohs(p) ((((uint8_t*)(p))[0] << 8) | ((uint8_t*)(p))[1])
+
+#define BFB_BUF_SIZE (0xffff + 0xffff + 2 + 2)
+
+/*
+ * Originally from DSC:
+ *
+ * TCP Reassembly.
+ *
+ * When we see a SYN, we allocate a new tcpstate for the connection, and
+ * establish the initial sequence number of the first dns message (seq_start)
+ * on the connection.  We assume that no other segment can arrive before the
+ * SYN (if one does, it is discarded, and if is not repeated the message it
+ * belongs to can never be completely reassembled).
+ *
+ * Then, for each segment that arrives on the connection:
+ * - If it's the first segment of a message (containing the 2-byte message
+ *   length), we allocate a msgbuf, and check for any held segments that might
+ *   belong to it.
+ * - If the first byte of the segment belongs to any msgbuf, we fill
+ *   in the holes of that message.  If the message has no more holes, we
+ *   handle the complete dns message.  If the tail of the segment was longer
+ *   than the hole, we recurse on the tail.
+ * - Otherwise, if the segment could be within the tcp window, we hold onto it
+ *   pending the creation of a matching msgbuf.
+ *
+ * This algorithm handles segments that arrive out of order, duplicated or
+ * overlapping (including segments from different dns messages arriving out of
+ * order), and dns messages that do not necessarily start on segment
+ * boundaries.
+ *
+ */
+
+static int dns_protocol_handler(tcpreasm_t* t, u_char* segment, uint16_t dnslen, uint32_t seq)
+{
+    int m;
+
+    if (options.reassemble_tcp_bfbparsedns) {
+        int       s;
+        ldns_pkt* pkt;
+        size_t    at, len;
+
+        if (!t->bfb_buf && !(t->bfb_buf = malloc(BFB_BUF_SIZE))) {
+            dfprintf(1, "dns_protocol_handler: no memory for bfb_buf");
+            return 1;
+        }
+
+        /* if this is the first segment, add it to the processing buffer
+           and move up to next wanted segment */
+        if (seq == t->seq_bfb + 2) {
+            dfprintf(1, "dns_protocol_handler: first bfb_seg: seq = %u, len = %d", seq, dnslen);
+            if ((BFB_BUF_SIZE - t->bfb_at) < (dnslen + 2)) {
+                dfprintf(1, "dns_protocol_handler: out of space in bfb_buf");
+                return 1;
+            }
+
+            t->bfb_buf[t->bfb_at++] = dnslen >> 8;
+            t->bfb_buf[t->bfb_at++] = dnslen & 0xff; //NOSONAR
+            memcpy(&t->bfb_buf[t->bfb_at], segment, dnslen);
+            t->bfb_at += dnslen;
+            t->seq_bfb += 2 + dnslen;
+        } else {
+            /* add segment for later processing */
+            dfprintf(1, "dns_protocol_handler: add bfb_seg: seq = %u, len = %d", seq, dnslen);
+            for (s = 0; s < MAX_TCP_SEGS; s++) {
+                if (t->bfb_seg[s])
+                    continue;
+                t->bfb_seg[s]      = calloc(1, sizeof(tcp_segbuf_t) + dnslen);
+                t->bfb_seg[s]->seq = seq;
+                t->bfb_seg[s]->len = dnslen;
+                memcpy(t->bfb_seg[s]->buf, segment, dnslen);
+                dfprintf(1, "dns_protocol_handler: new bfbseg %d: seq = %u, len = %d",
+                    s, t->bfb_seg[s]->seq, t->bfb_seg[s]->len);
+                break;
+            }
+            if (s >= MAX_TCP_SEGS) {
+                dfprintf(1, "dns_protocol_handler: out of bfbsegs");
+                return 1;
+            }
+            return 0;
+        }
+
+        for (;;) {
+            /* process the buffer, extract dnslen and try and parse */
+            at  = 0;
+            len = t->bfb_at;
+            for (;;) {
+                dfprintf(1, "dns_protocol_handler: processing at = %zu, len = %zu", at, len);
+                if (len < 2) {
+                    dfprintf(1, "dns_protocol_handler: bfb need more for dnslen");
+                    break;
+                }
+                dnslen = nptohs(&t->bfb_buf[at]) & 0xffff;
+                if (dnslen > 11) {
+                    /* 12 bytes minimum DNS header, other lengths should be invalid */
+                    if (len < dnslen + 2) {
+                        dfprintf(1, "dns_protocol_handler: bfb need %zu more", dnslen - len);
+                        break;
+                    }
+
+                    if (ldns_wire2pkt(&pkt, &t->bfb_buf[at + 2], dnslen) == LDNS_STATUS_OK) {
+                        ldns_pkt_free(pkt);
+                        dfprintf(1, "dns_protocol_handler: dns at %zu len %u", at + 2, dnslen);
+
+                        for (m = 0; t->dnsmsg[m];) {
+                            if (++m >= MAX_TCP_DNS_MSG) {
+                                dfprintf(1, "dns_protocol_handler: %s", "out of dnsmsgs");
+                                return 1;
+                            }
+                        }
+                        if (!(t->dnsmsg[m] = calloc(1, sizeof(tcpdnsmsg_t) + dnslen))) {
+                            dsyslogf(LOG_ERR, "out of memory for dnsmsg (%d)", dnslen);
+                            return 1;
+                        }
+                        t->dnsmsgs++;
+                        t->dnsmsg[m]->dnslen = dnslen;
+                        memcpy(t->dnsmsg[m]->dnspkt, &t->bfb_buf[at + 2], dnslen);
+                        dfprintf(1, "dns_protocol_handler: new dnsmsg %d: dnslen = %d", m, dnslen);
+
+                        at += 2 + dnslen;
+                        len -= 2 + dnslen;
+                        continue;
+                    }
+                    if (errno == EMSGSIZE) {
+                        size_t l = calcdnslen(&t->bfb_buf[at + 2], dnslen);
+                        if (l > 0 && l < dnslen && ldns_wire2pkt(&pkt, &t->bfb_buf[at + 2], l) == LDNS_STATUS_OK) {
+                            ldns_pkt_free(pkt);
+                            dfprintf(1, "dns_protocol_handler: dns at %zu len %u (real len %zu)", at + 2, dnslen, l);
+
+                            for (m = 0; t->dnsmsg[m];) {
+                                if (++m >= MAX_TCP_DNS_MSG) {
+                                    dfprintf(1, "dns_protocol_handler: %s", "out of dnsmsgs");
+                                    return 1;
+                                }
+                            }
+                            if (!(t->dnsmsg[m] = calloc(1, sizeof(tcpdnsmsg_t) + dnslen))) {
+                                dsyslogf(LOG_ERR, "out of memory for dnsmsg (%d)", dnslen);
+                                return 1;
+                            }
+                            t->dnsmsgs++;
+                            t->dnsmsg[m]->dnslen = dnslen;
+                            memcpy(t->dnsmsg[m]->dnspkt, &t->bfb_buf[at + 2], dnslen);
+                            dfprintf(1, "dns_protocol_handler: new dnsmsg %d: dnslen = %d", m, dnslen);
+
+                            at += 2 + dnslen;
+                            len -= 2 + dnslen;
+                            continue;
+                        }
+                    }
+                }
+                dfprintf(1, "dns_protocol_handler: bfb dns parse failed at %zu", at);
+                at += 2;
+                len -= 2;
+            }
+
+            /* check for leftovers in the buffer */
+            if (!len) {
+                dfprintf(1, "dns_protocol_handler: bfb all buf parsed, reset at");
+                t->bfb_at = 0;
+            } else if (len && at) {
+                dfprintf(1, "dns_protocol_handler: bfb move %zu len %zu", at, len);
+                memmove(t->bfb_buf, &t->bfb_buf[at], len);
+                t->bfb_at = len;
+            }
+
+            dfprintf(1, "dns_protocol_handler: bfb fill at %zu", t->bfb_at);
+            /* see if we can fill the buffer */
+            for (s = 0; s < MAX_TCP_SEGS; s++) {
+                if (!t->bfb_seg[s])
+                    continue;
+
+                if (t->bfb_seg[s]->seq == t->seq_bfb + 2) {
+                    tcp_segbuf_t* seg = t->bfb_seg[s];
+                    dfprintf(1, "dns_protocol_handler: next bfb_seg %d: seq = %u, len = %d", s, seg->seq, seg->len);
+                    if ((BFB_BUF_SIZE - t->bfb_at) < (seg->len + 2)) {
+                        dfprintf(1, "dns_protocol_handler: out of space in bfb_buf");
+                        return 1;
+                    }
+                    t->bfb_seg[s]           = 0;
+                    t->bfb_buf[t->bfb_at++] = seg->len >> 8;
+                    t->bfb_buf[t->bfb_at++] = seg->len & 0xff;
+                    memcpy(&t->bfb_buf[t->bfb_at], seg->buf, seg->len);
+                    t->bfb_at += seg->len;
+                    t->seq_bfb += 2 + seg->len;
+                    free(seg);
+                    break;
+                }
+            }
+            if (s >= MAX_TCP_SEGS) {
+                dfprintf(1, "dns_protocol_handler: bfb need next seg");
+                return 0;
+            }
+        }
+    }
+
+    for (m = 0; t->dnsmsg[m];) {
+        if (++m >= MAX_TCP_DNS_MSG) {
+            dfprintf(1, "dns_protocol_handler: %s", "out of dnsmsgs");
+            return 1;
+        }
+    }
+    t->dnsmsg[m] = calloc(1, sizeof(tcpdnsmsg_t) + dnslen);
+    if (NULL == t->dnsmsg[m]) {
+        dsyslogf(LOG_ERR, "out of memory for dnsmsg (%d)", dnslen);
+        return 1;
+    }
+    t->dnsmsgs++;
+    t->dnsmsg[m]->segments_seen = t->segments_seen;
+    t->dnsmsg[m]->dnslen        = dnslen;
+    memcpy(t->dnsmsg[m]->dnspkt, segment, dnslen);
+    dfprintf(1, "dns_protocol_handler: new dnsmsg %d: dnslen = %d", m, dnslen);
+    t->segments_seen = 0;
+    return 0;
+}
+
+int pcap_handle_tcp_segment(u_char* segment, int len, uint32_t seq, tcpstate_ptr _tcpstate)
+{
+    int         i, m, s, ret;
+    uint16_t    dnslen;
+    int         segoff, seglen;
+    tcpreasm_t* tcpstate = _tcpstate->reasm;
+
+    dfprintf(1, "pcap_handle_tcp_segment: seq=%u, len=%d", seq, len);
+
+    if (len <= 0) /* there is no more payload */
+        return 0;
+
+    tcpstate->segments_seen++;
+
+    if (seq - tcpstate->seq_start < 2) {
+        /* this segment contains all or part of the 2-byte DNS length field */
+        uint32_t o = seq - tcpstate->seq_start;
+        int      l = (len > 1 && o == 0) ? 2 : 1;
+        dfprintf(1, "pcap_handle_tcp_segment: copying %d bytes to dnslen_buf[%d]", l, o);
+        memcpy(&tcpstate->dnslen_buf[o], segment, l);
+        if (l == 2)
+            tcpstate->dnslen_bytes_seen_mask = 3;
+        else
+            tcpstate->dnslen_bytes_seen_mask |= (1 << o);
+        len -= l;
+        segment += l;
+        seq += l;
+    }
+
+    if (3 == tcpstate->dnslen_bytes_seen_mask) {
+        /* We have the dnslen stored now */
+        dnslen = nptohs(tcpstate->dnslen_buf) & 0xffff;
+        /*
+         * Next we poison the mask to indicate we are in to the message body.
+         * If one doesn't remember we're past the then,
+         * one loops forever getting more msgbufs rather than filling
+         * in the contents of THIS message.
+         *
+         * We need to later reset that mask when we process the message
+         * (method: tcpstate->dnslen_bytes_seen_mask = 0).
+         */
+        tcpstate->dnslen_bytes_seen_mask = 7;
+        tcpstate->seq_start += sizeof(uint16_t) + dnslen;
+        dfprintf(1, "pcap_handle_tcp_segment: first segment; dnslen = %d", dnslen);
+        if (len >= dnslen) {
+            /* this segment contains a complete message - avoid the reassembly
+             * buffer and just handle the message immediately */
+            ret = dns_protocol_handler(tcpstate, segment, dnslen, seq);
+
+            tcpstate->dnslen_bytes_seen_mask = 0; /* go back for another message in this tcp connection */
+            /* handle the trailing part of the segment? */
+            if (len > dnslen) {
+                dfprintf(1, "pcap_handle_tcp_segment: %s", "segment tail");
+                ret |= pcap_handle_tcp_segment(segment + dnslen, len - dnslen, seq + dnslen, _tcpstate);
+            }
+            return ret;
+        }
+        /*
+         * At this point we KNOW we have an incomplete message and need to do reassembly.
+         * i.e.:  assert(len < dnslen);
+         */
+        dfprintf(2, "pcap_handle_tcp_segment: %s", "buffering segment");
+        /* allocate a msgbuf for reassembly */
+        for (m = 0; tcpstate->msgbuf[m];) {
+            if (++m >= MAX_TCP_MSGS) {
+                dfprintf(1, "pcap_handle_tcp_segment: %s", "out of msgbufs");
+                return 1;
+            }
+        }
+        tcpstate->msgbuf[m] = calloc(1, sizeof(tcp_msgbuf_t) + dnslen);
+        if (NULL == tcpstate->msgbuf[m]) {
+            dsyslogf(LOG_ERR, "out of memory for tcp_msgbuf (%d)", dnslen);
+            return 1;
+        }
+        tcpstate->msgbufs++;
+        tcpstate->msgbuf[m]->seq           = seq;
+        tcpstate->msgbuf[m]->dnslen        = dnslen;
+        tcpstate->msgbuf[m]->holes         = 1;
+        tcpstate->msgbuf[m]->hole[0].start = len;
+        tcpstate->msgbuf[m]->hole[0].len   = dnslen - len;
+        dfprintf(1,
+            "pcap_handle_tcp_segment: new msgbuf %d: seq = %u, dnslen = %d, hole start = %d, hole len = %d", m,
+            tcpstate->msgbuf[m]->seq, tcpstate->msgbuf[m]->dnslen, tcpstate->msgbuf[m]->hole[0].start,
+            tcpstate->msgbuf[m]->hole[0].len);
+        /* copy segment to appropriate location in reassembly buffer */
+        memcpy(tcpstate->msgbuf[m]->buf, segment, len);
+
+        /* Now that we know the length of this message, we must check any held
+         * segments to see if they belong to it. */
+        ret = 0;
+        for (s = 0; s < MAX_TCP_SEGS; s++) {
+            if (!tcpstate->segbuf[s])
+                continue;
+            /* TODO: seq >= 0 */
+            if (tcpstate->segbuf[s]->seq - seq > 0 && tcpstate->segbuf[s]->seq - seq < dnslen) {
+                tcp_segbuf_t* segbuf = tcpstate->segbuf[s];
+                tcpstate->segbuf[s]  = NULL;
+                dfprintf(1, "pcap_handle_tcp_segment: %s", "message reassembled");
+                ret |= pcap_handle_tcp_segment(segbuf->buf, segbuf->len, segbuf->seq, _tcpstate);
+                /*
+                 * Note that our recursion will also cover any tail messages (I hope).
+                 * Thus we do not need to do so here and can return.
+                 */
+                free(segbuf);
+            }
+        }
+        return ret;
+    }
+
+    /*
+     * Welcome to reassembly-land.
+     */
+    /* find the message to which the first byte of this segment belongs */
+    for (m = 0; m < MAX_TCP_MSGS; m++) {
+        if (!tcpstate->msgbuf[m])
+            continue;
+        segoff = seq - tcpstate->msgbuf[m]->seq;
+        if (segoff >= 0 && segoff < tcpstate->msgbuf[m]->dnslen) {
+            /* segment starts in this msgbuf */
+            dfprintf(1, "pcap_handle_tcp_segment: seg matches msg %d: seq = %u, dnslen = %d",
+                m, tcpstate->msgbuf[m]->seq, tcpstate->msgbuf[m]->dnslen);
+            if (segoff + len > tcpstate->msgbuf[m]->dnslen) {
+                /* segment would overflow msgbuf */
+                seglen = tcpstate->msgbuf[m]->dnslen - segoff;
+                dfprintf(1, "pcap_handle_tcp_segment: using partial segment %d", seglen);
+            } else {
+                seglen = len;
+            }
+            break;
+        }
+    }
+    if (m >= MAX_TCP_MSGS) {
+        /* seg does not match any msgbuf; just hold on to it. */
+        dfprintf(1, "pcap_handle_tcp_segment: %s", "seg does not match any msgbuf");
+
+        if (seq - tcpstate->seq_start > MAX_TCP_WINDOW_SIZE) {
+            dfprintf(1, "pcap_handle_tcp_segment: %s %u %u", "seg is outside window; discarding", seq, tcpstate->seq_start);
+            return 1;
+        }
+        for (s = 0; s < MAX_TCP_SEGS; s++) {
+            if (tcpstate->segbuf[s])
+                continue;
+            tcpstate->segbuf[s]      = calloc(1, sizeof(tcp_segbuf_t) + len);
+            tcpstate->segbuf[s]->seq = seq;
+            tcpstate->segbuf[s]->len = len;
+            memcpy(tcpstate->segbuf[s]->buf, segment, len);
+            dfprintf(1, "pcap_handle_tcp_segment: new segbuf %d: seq = %u, len = %d",
+                s, tcpstate->segbuf[s]->seq, tcpstate->segbuf[s]->len);
+            return 0;
+        }
+        dfprintf(1, "pcap_handle_tcp_segment: %s", "out of segbufs");
+        return 1;
+    }
+
+    /* Reassembly algorithm adapted from RFC 815. */
+    for (i = 0; i < MAX_TCP_HOLES; i++) {
+        tcphole_t* newhole;
+        uint16_t   hole_start, hole_len;
+        if (tcpstate->msgbuf[m]->hole[i].len == 0)
+            continue; /* hole descriptor is not in use */
+        hole_start = tcpstate->msgbuf[m]->hole[i].start;
+        hole_len   = tcpstate->msgbuf[m]->hole[i].len;
+        if (segoff >= hole_start + hole_len)
+            continue; /* segment is totally after hole */
+        if (segoff + seglen <= hole_start)
+            continue; /* segment is totally before hole */
+        /* The segment overlaps this hole.  Delete the hole. */
+        dfprintf(1, "pcap_handle_tcp_segment: overlaping hole %d: %d %d", i, hole_start, hole_len);
+        tcpstate->msgbuf[m]->hole[i].len = 0;
+        tcpstate->msgbuf[m]->holes--;
+        if (segoff + seglen < hole_start + hole_len) {
+            /* create a new hole after the segment (common case) */
+            newhole        = &tcpstate->msgbuf[m]->hole[i]; /* hole[i] is guaranteed free */
+            newhole->start = segoff + seglen;
+            newhole->len   = (hole_start + hole_len) - newhole->start;
+            tcpstate->msgbuf[m]->holes++;
+            dfprintf(1, "pcap_handle_tcp_segment: new post-hole %d: %d %d", i, newhole->start, newhole->len);
+        }
+        if (segoff > hole_start) {
+            /* create a new hole before the segment */
+            int j;
+            for (j = 0; j < MAX_TCP_HOLES; j++) {
+                if (tcpstate->msgbuf[m]->hole[j].len == 0) {
+                    newhole = &tcpstate->msgbuf[m]->hole[j];
+                    break;
+                }
+            }
+            if (j >= MAX_TCP_HOLES) {
+                dfprintf(1, "pcap_handle_tcp_segment: %s", "out of hole descriptors");
+                return 1;
+            }
+            tcpstate->msgbuf[m]->holes++;
+            newhole->start = hole_start;
+            newhole->len   = segoff - hole_start;
+            dfprintf(1, "pcap_handle_tcp_segment: new pre-hole %d: %d %d", j, newhole->start, newhole->len);
+        }
+        if (segoff >= hole_start && (hole_len == 0 || segoff + seglen < hole_start + hole_len)) {
+            /* The segment does not extend past hole boundaries; there is
+             * no need to look for other matching holes. */
+            break;
+        }
+    }
+
+    /* copy payload to appropriate location in reassembly buffer */
+    memcpy(&tcpstate->msgbuf[m]->buf[segoff], segment, seglen);
+
+    dfprintf(1, "pcap_handle_tcp_segment: holes remaining: %d", tcpstate->msgbuf[m]->holes);
+
+    ret = 0;
+    if (tcpstate->msgbuf[m]->holes == 0) {
+        /* We now have a completely reassembled dns message */
+        dfprintf(2, "pcap_handle_tcp_segment: %s", "reassembly to dns_protocol_handler");
+        ret |= dns_protocol_handler(tcpstate, tcpstate->msgbuf[m]->buf, tcpstate->msgbuf[m]->dnslen, tcpstate->msgbuf[m]->seq);
+        tcpstate->dnslen_bytes_seen_mask = 0; /* go back for another message in this tcp connection */
+        free(tcpstate->msgbuf[m]);
+        tcpstate->msgbuf[m] = NULL;
+        tcpstate->msgbufs--;
+    }
+
+    if (seglen < len) {
+        dfprintf(1, "pcap_handle_tcp_segment: %s", "segment tail after reassembly");
+        ret |= pcap_handle_tcp_segment(segment + seglen, len - seglen, seq + seglen, _tcpstate);
+    } else {
+        dfprintf(1, "pcap_handle_tcp_segment: %s", "nothing more after reassembly");
+    }
+
+    return ret;
+}
+
+void tcpreasm_free(tcpreasm_t* tcpreasm)
+{
+    int i;
+
+    if (tcpreasm) {
+        for (i = 0; i < MAX_TCP_MSGS; i++) {
+            if (tcpreasm->msgbuf[i]) {
+                free(tcpreasm->msgbuf[i]);
+            }
+        }
+        for (i = 0; i < MAX_TCP_SEGS; i++) {
+            if (tcpreasm->segbuf[i]) {
+                free(tcpreasm->segbuf[i]);
+            }
+            if (tcpreasm->bfb_seg[i]) {
+                free(tcpreasm->bfb_seg[i]);
+            }
+        }
+        for (i = 0; i < MAX_TCP_DNS_MSG; i++) {
+            if (tcpreasm->dnsmsg[i]) {
+                free(tcpreasm->dnsmsg[i]);
+            }
+        }
+        free(tcpreasm->bfb_buf);
+        free(tcpreasm);
+    }
+}
+
+void tcpreasm_reset(tcpreasm_t* tcpreasm)
+{
+    int i;
+
+    if (tcpreasm) {
+        for (i = 0; i < MAX_TCP_MSGS; i++) {
+            if (tcpreasm->msgbuf[i]) {
+                free(tcpreasm->msgbuf[i]);
+            }
+        }
+        for (i = 0; i < MAX_TCP_SEGS; i++) {
+            if (tcpreasm->segbuf[i]) {
+                free(tcpreasm->segbuf[i]);
+            }
+            if (tcpreasm->bfb_seg[i]) {
+                free(tcpreasm->bfb_seg[i]);
+            }
+        }
+        for (i = 0; i < MAX_TCP_DNS_MSG; i++) {
+            if (tcpreasm->dnsmsg[i]) {
+                free(tcpreasm->dnsmsg[i]);
+            }
+        }
+        memset(tcpreasm, 0, sizeof(tcpreasm_t));
+    }
+}
diff --git a/src/tcpreasm.h b/src/tcpreasm.h
new file mode 100644
index 0000000..6418fb2
--- /dev/null
+++ b/src/tcpreasm.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2018-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap.h"
+
+#ifndef __dnscap_tcpreasm_h
+#define __dnscap_tcpreasm_h
+
+int  pcap_handle_tcp_segment(u_char* segment, int len, uint32_t seq, tcpstate_ptr _tcpstate);
+void tcpreasm_free(tcpreasm_t* tcpreasm);
+void tcpreasm_reset(tcpreasm_t* tcpreasm);
+
+#endif /* __dnscap_tcpreasm_h */
diff --git a/src/tcpstate.c b/src/tcpstate.c
new file mode 100644
index 0000000..bfc5198
--- /dev/null
+++ b/src/tcpstate.c
@@ -0,0 +1,141 @@
+/*
+ * Copyright (c) 2018-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include "tcpstate.h"
+#include "iaddr.h"
+#include "log.h"
+#include "tcpreasm.h"
+
+#define MAX_TCP_IDLE_TIME 600
+#define MAX_TCP_IDLE_COUNT 4096
+#define TCP_GC_TIME 60
+
+tcpstate_ptr tcpstate_find(iaddr from, iaddr to, unsigned sport, unsigned dport, time_t t)
+{
+    static time_t next_gc = 0;
+    tcpstate_ptr  tcpstate;
+
+    for (tcpstate = HEAD(tcpstates);
+         tcpstate != NULL;
+         tcpstate = NEXT(tcpstate, link)) {
+        if (ia_equal(tcpstate->saddr, from) && ia_equal(tcpstate->daddr, to) && tcpstate->sport == sport && tcpstate->dport == dport)
+            break;
+    }
+    if (tcpstate != NULL) {
+        tcpstate->last_use = t;
+        if (tcpstate != HEAD(tcpstates)) {
+            /* move to beginning of list */
+            UNLINK(tcpstates, tcpstate, link);
+            PREPEND(tcpstates, tcpstate, link);
+        }
+    }
+
+    if (t >= next_gc || tcpstate_count > MAX_TCP_IDLE_COUNT) {
+        /* garbage collect stale states */
+        time_t min_last_use = t - MAX_TCP_IDLE_TIME;
+        while ((tcpstate = TAIL(tcpstates)) && tcpstate->last_use < min_last_use) {
+            UNLINK(tcpstates, tcpstate, link);
+            tcpstate_count--;
+        }
+        next_gc = t + TCP_GC_TIME;
+    }
+
+    return tcpstate;
+}
+
+tcpstate_ptr tcpstate_new(iaddr from, iaddr to, unsigned sport, unsigned dport)
+{
+
+    tcpstate_ptr tcpstate = calloc(1, sizeof *tcpstate);
+    if (tcpstate == NULL) {
+        /* Out of memory; recycle the least recently used */
+        logerr("warning: out of memory, "
+               "discarding some TCP state early");
+        tcpstate = TAIL(tcpstates);
+        assert(tcpstate != NULL);
+    } else {
+        tcpstate_count++;
+    }
+    tcpstate->saddr = from;
+    tcpstate->daddr = to;
+    tcpstate->sport = sport;
+    tcpstate->dport = dport;
+    INIT_LINK(tcpstate, link);
+    PREPEND(tcpstates, tcpstate, link);
+    return tcpstate;
+}
+
+/* Discard this packet.  If it's part of TCP stream, all subsequent pkts on
+ * the same tcp stream will also be discarded. */
+void tcpstate_discard(tcpstate_ptr tcpstate, const char* msg)
+{
+    if (dumptrace >= 3 && msg)
+        fprintf(stderr, "discarding packet: %s\n", msg);
+    if (tcpstate) {
+        UNLINK(tcpstates, tcpstate, link);
+        if (tcpstate->reasm) {
+            tcpreasm_free(tcpstate->reasm);
+        }
+        free(tcpstate);
+        tcpstate_count--;
+        return;
+    }
+}
+
+tcpstate_ptr _curr_tcpstate = 0;
+
+tcpstate_ptr tcpstate_getcurr(void)
+{
+    return _curr_tcpstate;
+}
+
+void tcpstate_reset(tcpstate_ptr tcpstate, const char* msg)
+{
+    if (options.allow_reset_tcpstate && tcpstate) {
+        if (dumptrace >= 3 && msg)
+            fprintf(stderr, "resetting tcpstate: %s\n", msg);
+
+        tcpstate->start   = tcpstate->currseq;
+        tcpstate->maxdiff = 0;
+        tcpstate->dnslen  = 0;
+        tcpstate->lastdns = tcpstate->currseq + tcpstate->currlen;
+
+        if (tcpstate->reasm) {
+            tcpreasm_reset(tcpstate->reasm);
+            tcpstate->reasm->seq_start = tcpstate->start;
+        }
+    }
+}
diff --git a/src/tcpstate.h b/src/tcpstate.h
new file mode 100644
index 0000000..ac3dd56
--- /dev/null
+++ b/src/tcpstate.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2018-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "dnscap.h"
+
+#ifndef __dnscap_tcpstate_h
+#define __dnscap_tcpstate_h
+
+tcpstate_ptr tcpstate_find(iaddr from, iaddr to, unsigned sport, unsigned dport, time_t t);
+tcpstate_ptr tcpstate_new(iaddr from, iaddr to, unsigned sport, unsigned dport);
+void         tcpstate_discard(tcpstate_ptr tcpstate, const char* msg);
+tcpstate_ptr tcpstate_getcurr(void);
+void         tcpstate_reset(tcpstate_ptr tcpstate, const char* msg);
+
+#endif /* __dnscap_tcpstate_h */
diff --git a/src/test/.gitignore b/src/test/.gitignore
new file mode 100644
index 0000000..7eaa8b0
--- /dev/null
+++ b/src/test/.gitignore
@@ -0,0 +1,4 @@
+dns.out
+dns.pcap.dist
+test*.log
+test*.trs
diff --git a/src/test/1qtcpnosyn.pcap b/src/test/1qtcpnosyn.pcap
new file mode 100644
index 0000000..d8de79b
Binary files /dev/null and b/src/test/1qtcpnosyn.pcap differ
diff --git a/src/test/1qtcppadd.pcap b/src/test/1qtcppadd.pcap
new file mode 100644
index 0000000..652234d
Binary files /dev/null and b/src/test/1qtcppadd.pcap differ
diff --git a/src/test/Makefile.am b/src/test/Makefile.am
new file mode 100644
index 0000000..83d8621
--- /dev/null
+++ b/src/test/Makefile.am
@@ -0,0 +1,68 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+
+CLEANFILES = test*.log test*.trs \
+  *.pcap-dist \
+  dns.out \
+  no-layers.out layers.out \
+  frags.out \
+  padding-no-layers.out padding-layers.out \
+  vlan11.out \
+  dnspad.out \
+  test7.out test7.layer.out \
+  test8.out \
+  test9.out \
+  test10.out \
+  test11.out \
+  test12.out test12.20161020.152301.075993.gz \
+  test13.out \
+  test14.out
+
+TESTS = test1.sh test2.sh test3.sh test4.sh test5.sh test6.sh test7.sh \
+  test8.sh test9.sh test10.sh test11.sh test12.sh test13.sh test14.sh
+
+test1.sh: dns.pcap-dist
+
+test2.sh: dns.pcap-dist
+
+test3.sh: frags.pcap-dist
+
+test4.sh: 1qtcppadd.pcap-dist
+
+test5.sh: vlan11.pcap-dist
+
+test6.sh: dnspad.pcap-dist
+
+test7.sh: 1qtcpnosyn.pcap-dist dnso1tcp.pcap-dist \
+  do1t-nosyn-1nolen.pcap-dist dnso1tcp-midmiss.pcap-dist
+
+test8.sh: dnsotcp-many1pkt.pcap-dist dnsotcp-manyopkts.pcap-dist \
+  dnso1tcp-bighole.pcap-dist
+
+test9.sh: dns.pcap-dist
+
+test10.sh: dns6.pcap-dist
+
+test11.sh: dns.pcap-dist
+
+test12.sh: dns.pcap-dist
+
+test13.sh: dns.pcap-dist
+
+test14.sh: dns.pcap-dist
+
+.pcap.pcap-dist:
+	cp "$<" "$@"
+
+EXTRA_DIST = $(TESTS) \
+  dns.gold dns.pcap \
+  frags.pcap \
+  1qtcppadd.pcap \
+  vlan11.gold vlan11.pcap \
+  dnspad.gold dnspad.pcap \
+  test7.gold 1qtcpnosyn.pcap dnso1tcp.pcap do1t-nosyn-1nolen.pcap \
+  dnso1tcp-midmiss.pcap \
+  test8.gold dnsotcp-many1pkt.pcap dnsotcp-manyopkts.pcap \
+  dnso1tcp-bighole.pcap \
+  test9.gold \
+  dns6.pcap test10.gold \
+  test14.gold
diff --git a/src/test/dns.gold b/src/test/dns.gold
new file mode 100644
index 0000000..b1cdd8f
--- /dev/null
+++ b/src/test/dns.gold
@@ -0,0 +1,714 @@
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[172.17.0.10].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
+	[172.17.0.10].57822 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
+	[172.17.0.10].40043 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
+	[172.17.0.10].37953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
+	[172.17.0.10].48658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
+	[172.17.0.10].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
+	[172.17.0.10].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
+	[172.17.0.10].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
+	[172.17.0.10].43559 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
+	[172.17.0.10].54859 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
+	[172.17.0.10].58176 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
+	[172.17.0.10].41266 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
+	[172.17.0.10].34607 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
+	[172.17.0.10].60437 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
+	[172.17.0.10].37149 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
+	[172.17.0.10].53820 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
+	[172.17.0.10].52368 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
+	[172.17.0.10].47637 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
+	[172.17.0.10].34426 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
+	[172.17.0.10].41059 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
+	[172.17.0.10].51181 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
+	[172.17.0.10].32976 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
+	[172.17.0.10].53467 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
+	[172.17.0.10].41532 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
+	[172.17.0.10].44982 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
+	[172.17.0.10].40224 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
+	[172.17.0.10].45658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
+	[172.17.0.10].60457 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
+	[172.17.0.10].59762 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
+	[172.17.0.10].56022 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
+	[172.17.0.10].37669 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
+	[172.17.0.10].42978 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
+	[172.17.0.10].49829 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
+	[172.17.0.10].50599 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
+	[172.17.0.10].44980 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
+	[172.17.0.10].60063 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
+	[172.17.0.10].42042 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
+	[172.17.0.10].60469 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
+	[172.17.0.10].45703 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
+	[172.17.0.10].33507 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
+	[172.17.0.10].46798 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
diff --git a/src/test/dns.pcap b/src/test/dns.pcap
new file mode 100644
index 0000000..a0e585c
Binary files /dev/null and b/src/test/dns.pcap differ
diff --git a/src/test/dns6.pcap b/src/test/dns6.pcap
new file mode 100644
index 0000000..5fa3af8
Binary files /dev/null and b/src/test/dns6.pcap differ
diff --git a/src/test/dnso1tcp-bighole.pcap b/src/test/dnso1tcp-bighole.pcap
new file mode 100644
index 0000000..66bf30b
Binary files /dev/null and b/src/test/dnso1tcp-bighole.pcap differ
diff --git a/src/test/dnso1tcp-midmiss.pcap b/src/test/dnso1tcp-midmiss.pcap
new file mode 100644
index 0000000..c99b0fb
Binary files /dev/null and b/src/test/dnso1tcp-midmiss.pcap differ
diff --git a/src/test/dnso1tcp.pcap b/src/test/dnso1tcp.pcap
new file mode 100644
index 0000000..47dd663
Binary files /dev/null and b/src/test/dnso1tcp.pcap differ
diff --git a/src/test/dnsotcp-many1pkt.pcap b/src/test/dnsotcp-many1pkt.pcap
new file mode 100644
index 0000000..c43ce03
Binary files /dev/null and b/src/test/dnsotcp-many1pkt.pcap differ
diff --git a/src/test/dnsotcp-manyopkts.pcap b/src/test/dnsotcp-manyopkts.pcap
new file mode 100644
index 0000000..e232bac
Binary files /dev/null and b/src/test/dnsotcp-manyopkts.pcap differ
diff --git a/src/test/dnspad.gold b/src/test/dnspad.gold
new file mode 100644
index 0000000..8a5275a
--- /dev/null
+++ b/src/test/dnspad.gold
@@ -0,0 +1,8 @@
+[59] 2016-10-20 15:23:01.075993 [#0 dnspad.pcap-dist 4095] \
+	[172.17.0.10].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[59] 2016-10-20 15:23:01.075993 [#0 dnspad.pcap-dist 4095] \
+	[172.17.0.10].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
diff --git a/src/test/dnspad.pcap b/src/test/dnspad.pcap
new file mode 100644
index 0000000..df2b574
Binary files /dev/null and b/src/test/dnspad.pcap differ
diff --git a/src/test/do1t-nosyn-1nolen.pcap b/src/test/do1t-nosyn-1nolen.pcap
new file mode 100644
index 0000000..cd20a74
Binary files /dev/null and b/src/test/do1t-nosyn-1nolen.pcap differ
diff --git a/src/test/frags.pcap b/src/test/frags.pcap
new file mode 100644
index 0000000..5d44810
Binary files /dev/null and b/src/test/frags.pcap differ
diff --git a/src/test/test1.sh b/src/test/test1.sh
new file mode 100755
index 0000000..03142c9
--- /dev/null
+++ b/src/test/test1.sh
@@ -0,0 +1,9 @@
+#!/bin/sh -xe
+
+../dnscap -g -r dns.pcap-dist 2>dns.out
+
+mv dns.out dns.out.old
+grep -v "^libgcov profiling error:" dns.out.old > dns.out
+rm dns.out.old
+
+diff dns.out "$srcdir/dns.gold"
diff --git a/src/test/test10.gold b/src/test/test10.gold
new file mode 100644
index 0000000..69f51ef
--- /dev/null
+++ b/src/test/test10.gold
@@ -0,0 +1,22 @@
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0:0:57::245].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::8888].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0:0:57::245].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::8888].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
diff --git a/src/test/test10.sh b/src/test/test10.sh
new file mode 100755
index 0000000..2779cb0
--- /dev/null
+++ b/src/test/test10.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -xe
+
+../dnscap -r dns6.pcap-dist -g 2>test10.out
+../dnscap -r dns6.pcap-dist -o use_layers=yes -g 2>>test10.out
+
+diff test10.out "$srcdir/test10.gold"
diff --git a/src/test/test11.sh b/src/test/test11.sh
new file mode 100755
index 0000000..7f58c89
--- /dev/null
+++ b/src/test/test11.sh
@@ -0,0 +1,79 @@
+#!/bin/sh -xe
+
+../dnscap -?
+! ../dnscap -j
+
+! ../dnscap -o testing
+! ../dnscap -o testing=
+! ../dnscap -o testing=a
+../dnscap -o user=user -o user=user -o group=group -o group=group \
+  -o dump_format=pcap -o dump_format=cbor -o dump_format=cds \
+  -F pcap -F cbor -F cds \
+  -?
+../dnscap -b -N -p -d -1 -I -i fake -m q -m u -m n -s i -s r -h i -h r \
+  -e n -e y -e t -e f -e s -e x -e i -e r -w - -W a -W a -t 1 -c 1 -C 1 \
+  -x '.*' -S -U fake -U fake -M -D -?
+../dnscap -w fake -k false -?
+! ../dnscap -m X
+! ../dnscap -s X
+! ../dnscap -h X
+! ../dnscap -e X
+! ../dnscap -k false
+! ../dnscap -F invalid
+! ../dnscap -t invalid
+! ../dnscap -c invalid
+! ../dnscap -C invalid
+! ../dnscap -x '('
+! ../dnscap -B invalid
+! ../dnscap -E invalid
+! ../dnscap -P invalid
+if ! ../dnscap -y -? 2>test11.out; then
+    grep -qF "seccomp-bpf not enabled" test11.out
+fi
+! ../dnscap -w fake -o use_layers=yes
+! ../dnscap -g -f -h i
+! ../dnscap -g -l 1 -L 1
+! ../dnscap -g -b -d -g
+! ../dnscap -g -b -g
+! ../dnscap -g -B "2020-01-01 00:00:00" -E "2019-01-01 00:00:00"
+! ../dnscap -g -o defrag_ipv4=yes
+! ../dnscap -g -o defrag_ipv6=yes
+! ../dnscap -g -o reassemble_tcp_bfbparsedns=yes
+
+../dnscap -V
+
+../dnscap -r dns.pcap-dist -g -ddddd
+../dnscap -r dns.pcap-dist -x '.*' -X '.*' -g -ddddd
+
+! ../dnscap -r dns.pcap-dist -i fake 2>test11.out
+cat test11.out
+grep -qF -- "-i makes no sense after -r" test11.out
+! ../dnscap -i fake -r dns.pcap-dist 2>test11.out
+cat test11.out
+grep -qF -- "-r makes no sense after -i" test11.out
+
+all_opts=
+for opt in cbor_chunk_size cds_cbor_size cds_message_size cds_max_rlabels \
+cds_min_rlabel_size cds_rdata_index_min_size cds_rdata_rindex_size \
+cds_rdata_rindex_min_size pcap_buffer_size max_ipv4_fragments \
+max_ipv6_fragments max_ipv6_fragments_per_packet reassemble_tcp_faultreset; \
+do
+    ! ../dnscap -o "$opt=0"
+    all_opts="$all_opts -o $opt=1"
+done
+
+../dnscap $all_opts -?
+
+all_opts=
+for opt in cds_use_rdata_rindex cds_use_rdata_index defrag_ipv6 \
+reassemble_tcp_bfbparsedns bpf_hosts_apply_all; \
+do
+    ! ../dnscap -o "$opt=f"
+    all_opts="$all_opts -o $opt=yes"
+done
+
+../dnscap $all_opts -?
+
+! ../dnscap -l 0 -l 4095 -l 4096
+! ../dnscap -L 0 -L 4095 -L 4096
+! ../dnscap -u 5353 -u 65536
diff --git a/src/test/test12.sh b/src/test/test12.sh
new file mode 100755
index 0000000..76b0e01
--- /dev/null
+++ b/src/test/test12.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -xe
+
+if ! ../dnscap -g -r dns.pcap-dist -w test12 -W .gz 2>test12.out; then
+    grep -qF "gzip compression requested but not supported" test12.out && exit 0
+    exit 1
+fi
diff --git a/src/test/test13.sh b/src/test/test13.sh
new file mode 100755
index 0000000..4749a92
--- /dev/null
+++ b/src/test/test13.sh
@@ -0,0 +1,28 @@
+#!/bin/sh -xe
+
+test -f /etc/resolv.conf || exit 0
+
+! ../dnscap -a "fake_host-should+not/work" 2>test13.out
+cat test13.out
+grep -qF "invalid host address" test13.out
+
+if [ "`uname`" = "OpenBSD" ]; then
+    # IPv6 addresses in BPF seems to segfault on OpenBSD and doing host and
+    # not host throws generic pcap_compile error
+    ../dnscap -a 127.0.0.1 -r dns.pcap-dist -g -dddd
+    ../dnscap -z 127.0.0.1 -r dns.pcap-dist -g -dddd
+    ../dnscap -A 127.0.0.1 -r dns.pcap-dist -g -dddd
+    ../dnscap -Z 127.0.0.1 -r dns.pcap-dist -g -dddd
+    ../dnscap -Y 127.0.0.1 -r dns.pcap-dist -g -dddd
+else
+    ../dnscap -a 127.0.0.1 -a ::1 -r dns.pcap-dist -g -dddd
+    ../dnscap -z 127.0.0.1 -z ::1 -r dns.pcap-dist -g -dddd
+    ../dnscap -A 127.0.0.1 -A ::1 -r dns.pcap-dist -g -dddd
+    ../dnscap -Z 127.0.0.1 -Z ::1 -r dns.pcap-dist -g -dddd
+    ../dnscap -Y 127.0.0.1 -Y ::1 -r dns.pcap-dist -g -dddd
+fi
+if [ "$TEST_DNSCAP_WITH_NETWORK" = "1" ]; then
+    ../dnscap -a google.com -r dns.pcap-dist -g -dddd
+fi
+../dnscap -Y 127.0.0.1 -r dns.pcap-dist -g
+../dnscap -Y 8.8.8.8 -r dns.pcap-dist -g
diff --git a/src/test/test14.gold b/src/test/test14.gold
new file mode 100644
index 0000000..fb342e2
--- /dev/null
+++ b/src/test/test14.gold
@@ -0,0 +1,2864 @@
+-- only 1
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[172.17.0.10].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:01.087291 [#2 dns.pcap-dist 4095] \
+	[172.17.0.10].40043 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#3 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#4 dns.pcap-dist 4095] \
+	[172.17.0.10].37953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#5 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[56] 2016-10-20 15:23:52.860937 [#6 dns.pcap-dist 4095] \
+	[172.17.0.10].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#7 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#8 dns.pcap-dist 4095] \
+	[172.17.0.10].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#9 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[56] 2016-10-20 15:24:04.323868 [#10 dns.pcap-dist 4095] \
+	[172.17.0.10].43559 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#11 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#12 dns.pcap-dist 4095] \
+	[172.17.0.10].54859 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#13 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[56] 2016-10-20 15:24:07.346429 [#14 dns.pcap-dist 4095] \
+	[172.17.0.10].41266 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#15 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[56] 2016-10-20 15:24:08.360528 [#16 dns.pcap-dist 4095] \
+	[172.17.0.10].60437 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#17 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[56] 2016-10-20 15:24:09.375942 [#18 dns.pcap-dist 4095] \
+	[172.17.0.10].53820 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#19 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[56] 2016-10-20 15:24:10.391358 [#20 dns.pcap-dist 4095] \
+	[172.17.0.10].47637 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#21 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[56] 2016-10-20 15:24:11.406297 [#22 dns.pcap-dist 4095] \
+	[172.17.0.10].41059 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#23 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[56] 2016-10-20 15:24:12.419936 [#24 dns.pcap-dist 4095] \
+	[172.17.0.10].32976 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#25 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#26 dns.pcap-dist 4095] \
+	[172.17.0.10].53467 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#27 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#28 dns.pcap-dist 4095] \
+	[172.17.0.10].41532 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#29 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#30 dns.pcap-dist 4095] \
+	[172.17.0.10].44982 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#31 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[56] 2016-10-20 15:24:19.460087 [#32 dns.pcap-dist 4095] \
+	[172.17.0.10].45658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#33 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[56] 2016-10-20 15:24:20.475086 [#34 dns.pcap-dist 4095] \
+	[172.17.0.10].59762 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#35 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[56] 2016-10-20 15:24:21.489468 [#36 dns.pcap-dist 4095] \
+	[172.17.0.10].37669 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#37 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[56] 2016-10-20 15:24:22.502667 [#38 dns.pcap-dist 4095] \
+	[172.17.0.10].49829 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#39 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[56] 2016-10-20 15:24:23.520203 [#40 dns.pcap-dist 4095] \
+	[172.17.0.10].44980 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#41 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[56] 2016-10-20 15:24:24.537264 [#42 dns.pcap-dist 4095] \
+	[172.17.0.10].42042 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#43 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[56] 2016-10-20 15:24:25.554744 [#44 dns.pcap-dist 4095] \
+	[172.17.0.10].45703 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#45 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[56] 2016-10-20 15:24:26.572784 [#46 dns.pcap-dist 4095] \
+	[172.17.0.10].46798 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#47 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+-- not 1
+[73] 2016-10-20 15:23:01.082865 [#0 dns.pcap-dist 4095] \
+	[172.17.0.10].57822 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#1 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[73] 2016-10-20 15:23:10.328324 [#2 dns.pcap-dist 4095] \
+	[172.17.0.10].48658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#3 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[73] 2016-10-20 15:23:59.090911 [#4 dns.pcap-dist 4095] \
+	[172.17.0.10].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#5 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[73] 2016-10-20 15:24:06.339145 [#6 dns.pcap-dist 4095] \
+	[172.17.0.10].58176 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#7 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[73] 2016-10-20 15:24:07.353123 [#8 dns.pcap-dist 4095] \
+	[172.17.0.10].34607 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#9 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[73] 2016-10-20 15:24:08.368516 [#10 dns.pcap-dist 4095] \
+	[172.17.0.10].37149 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#11 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[73] 2016-10-20 15:24:09.384057 [#12 dns.pcap-dist 4095] \
+	[172.17.0.10].52368 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#13 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[73] 2016-10-20 15:24:10.398099 [#14 dns.pcap-dist 4095] \
+	[172.17.0.10].34426 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#15 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[73] 2016-10-20 15:24:11.412133 [#16 dns.pcap-dist 4095] \
+	[172.17.0.10].51181 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#17 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[73] 2016-10-20 15:24:18.452451 [#18 dns.pcap-dist 4095] \
+	[172.17.0.10].40224 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#19 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[73] 2016-10-20 15:24:19.467324 [#20 dns.pcap-dist 4095] \
+	[172.17.0.10].60457 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#21 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[73] 2016-10-20 15:24:20.482188 [#22 dns.pcap-dist 4095] \
+	[172.17.0.10].56022 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#23 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[73] 2016-10-20 15:24:21.495324 [#24 dns.pcap-dist 4095] \
+	[172.17.0.10].42978 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#25 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[73] 2016-10-20 15:24:22.510176 [#26 dns.pcap-dist 4095] \
+	[172.17.0.10].50599 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#27 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[73] 2016-10-20 15:24:23.527449 [#28 dns.pcap-dist 4095] \
+	[172.17.0.10].60063 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#29 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[73] 2016-10-20 15:24:24.544538 [#30 dns.pcap-dist 4095] \
+	[172.17.0.10].60469 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#31 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[73] 2016-10-20 15:24:25.562608 [#32 dns.pcap-dist 4095] \
+	[172.17.0.10].33507 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#33 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+-- only PTR
+[73] 2016-10-20 15:23:01.082865 [#0 dns.pcap-dist 4095] \
+	[172.17.0.10].57822 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#1 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[73] 2016-10-20 15:23:10.328324 [#2 dns.pcap-dist 4095] \
+	[172.17.0.10].48658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#3 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[73] 2016-10-20 15:23:59.090911 [#4 dns.pcap-dist 4095] \
+	[172.17.0.10].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#5 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[73] 2016-10-20 15:24:06.339145 [#6 dns.pcap-dist 4095] \
+	[172.17.0.10].58176 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#7 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[73] 2016-10-20 15:24:07.353123 [#8 dns.pcap-dist 4095] \
+	[172.17.0.10].34607 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#9 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[73] 2016-10-20 15:24:08.368516 [#10 dns.pcap-dist 4095] \
+	[172.17.0.10].37149 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#11 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[73] 2016-10-20 15:24:09.384057 [#12 dns.pcap-dist 4095] \
+	[172.17.0.10].52368 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#13 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[73] 2016-10-20 15:24:10.398099 [#14 dns.pcap-dist 4095] \
+	[172.17.0.10].34426 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#15 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[73] 2016-10-20 15:24:11.412133 [#16 dns.pcap-dist 4095] \
+	[172.17.0.10].51181 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#17 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[73] 2016-10-20 15:24:18.452451 [#18 dns.pcap-dist 4095] \
+	[172.17.0.10].40224 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#19 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[73] 2016-10-20 15:24:19.467324 [#20 dns.pcap-dist 4095] \
+	[172.17.0.10].60457 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#21 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[73] 2016-10-20 15:24:20.482188 [#22 dns.pcap-dist 4095] \
+	[172.17.0.10].56022 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#23 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[73] 2016-10-20 15:24:21.495324 [#24 dns.pcap-dist 4095] \
+	[172.17.0.10].42978 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#25 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[73] 2016-10-20 15:24:22.510176 [#26 dns.pcap-dist 4095] \
+	[172.17.0.10].50599 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#27 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[73] 2016-10-20 15:24:23.527449 [#28 dns.pcap-dist 4095] \
+	[172.17.0.10].60063 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#29 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[73] 2016-10-20 15:24:24.544538 [#30 dns.pcap-dist 4095] \
+	[172.17.0.10].60469 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#31 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[73] 2016-10-20 15:24:25.562608 [#32 dns.pcap-dist 4095] \
+	[172.17.0.10].33507 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#33 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+-- not PTR
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[172.17.0.10].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:01.087291 [#2 dns.pcap-dist 4095] \
+	[172.17.0.10].40043 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#3 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#4 dns.pcap-dist 4095] \
+	[172.17.0.10].37953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#5 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[56] 2016-10-20 15:23:52.860937 [#6 dns.pcap-dist 4095] \
+	[172.17.0.10].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#7 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#8 dns.pcap-dist 4095] \
+	[172.17.0.10].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#9 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[56] 2016-10-20 15:24:04.323868 [#10 dns.pcap-dist 4095] \
+	[172.17.0.10].43559 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#11 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#12 dns.pcap-dist 4095] \
+	[172.17.0.10].54859 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#13 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[56] 2016-10-20 15:24:07.346429 [#14 dns.pcap-dist 4095] \
+	[172.17.0.10].41266 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#15 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[56] 2016-10-20 15:24:08.360528 [#16 dns.pcap-dist 4095] \
+	[172.17.0.10].60437 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#17 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[56] 2016-10-20 15:24:09.375942 [#18 dns.pcap-dist 4095] \
+	[172.17.0.10].53820 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#19 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[56] 2016-10-20 15:24:10.391358 [#20 dns.pcap-dist 4095] \
+	[172.17.0.10].47637 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#21 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[56] 2016-10-20 15:24:11.406297 [#22 dns.pcap-dist 4095] \
+	[172.17.0.10].41059 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#23 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[56] 2016-10-20 15:24:12.419936 [#24 dns.pcap-dist 4095] \
+	[172.17.0.10].32976 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#25 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#26 dns.pcap-dist 4095] \
+	[172.17.0.10].53467 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#27 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#28 dns.pcap-dist 4095] \
+	[172.17.0.10].41532 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#29 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#30 dns.pcap-dist 4095] \
+	[172.17.0.10].44982 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#31 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[56] 2016-10-20 15:24:19.460087 [#32 dns.pcap-dist 4095] \
+	[172.17.0.10].45658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#33 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[56] 2016-10-20 15:24:20.475086 [#34 dns.pcap-dist 4095] \
+	[172.17.0.10].59762 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#35 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[56] 2016-10-20 15:24:21.489468 [#36 dns.pcap-dist 4095] \
+	[172.17.0.10].37669 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#37 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[56] 2016-10-20 15:24:22.502667 [#38 dns.pcap-dist 4095] \
+	[172.17.0.10].49829 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#39 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[56] 2016-10-20 15:24:23.520203 [#40 dns.pcap-dist 4095] \
+	[172.17.0.10].44980 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#41 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[56] 2016-10-20 15:24:24.537264 [#42 dns.pcap-dist 4095] \
+	[172.17.0.10].42042 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#43 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[56] 2016-10-20 15:24:25.554744 [#44 dns.pcap-dist 4095] \
+	[172.17.0.10].45703 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#45 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[56] 2016-10-20 15:24:26.572784 [#46 dns.pcap-dist 4095] \
+	[172.17.0.10].46798 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#47 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+-- only 1
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[172.17.0.10].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:01.087291 [#2 dns.pcap-dist 4095] \
+	[172.17.0.10].40043 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#3 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#4 dns.pcap-dist 4095] \
+	[172.17.0.10].37953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#5 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[56] 2016-10-20 15:23:52.860937 [#6 dns.pcap-dist 4095] \
+	[172.17.0.10].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#7 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#8 dns.pcap-dist 4095] \
+	[172.17.0.10].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#9 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[56] 2016-10-20 15:24:04.323868 [#10 dns.pcap-dist 4095] \
+	[172.17.0.10].43559 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#11 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#12 dns.pcap-dist 4095] \
+	[172.17.0.10].54859 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#13 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[56] 2016-10-20 15:24:07.346429 [#14 dns.pcap-dist 4095] \
+	[172.17.0.10].41266 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#15 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[56] 2016-10-20 15:24:08.360528 [#16 dns.pcap-dist 4095] \
+	[172.17.0.10].60437 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#17 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[56] 2016-10-20 15:24:09.375942 [#18 dns.pcap-dist 4095] \
+	[172.17.0.10].53820 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#19 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[56] 2016-10-20 15:24:10.391358 [#20 dns.pcap-dist 4095] \
+	[172.17.0.10].47637 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#21 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[56] 2016-10-20 15:24:11.406297 [#22 dns.pcap-dist 4095] \
+	[172.17.0.10].41059 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#23 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[56] 2016-10-20 15:24:12.419936 [#24 dns.pcap-dist 4095] \
+	[172.17.0.10].32976 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#25 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#26 dns.pcap-dist 4095] \
+	[172.17.0.10].53467 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#27 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#28 dns.pcap-dist 4095] \
+	[172.17.0.10].41532 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#29 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#30 dns.pcap-dist 4095] \
+	[172.17.0.10].44982 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#31 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[56] 2016-10-20 15:24:19.460087 [#32 dns.pcap-dist 4095] \
+	[172.17.0.10].45658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#33 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[56] 2016-10-20 15:24:20.475086 [#34 dns.pcap-dist 4095] \
+	[172.17.0.10].59762 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#35 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[56] 2016-10-20 15:24:21.489468 [#36 dns.pcap-dist 4095] \
+	[172.17.0.10].37669 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#37 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[56] 2016-10-20 15:24:22.502667 [#38 dns.pcap-dist 4095] \
+	[172.17.0.10].49829 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#39 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[56] 2016-10-20 15:24:23.520203 [#40 dns.pcap-dist 4095] \
+	[172.17.0.10].44980 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#41 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[56] 2016-10-20 15:24:24.537264 [#42 dns.pcap-dist 4095] \
+	[172.17.0.10].42042 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#43 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[56] 2016-10-20 15:24:25.554744 [#44 dns.pcap-dist 4095] \
+	[172.17.0.10].45703 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#45 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[56] 2016-10-20 15:24:26.572784 [#46 dns.pcap-dist 4095] \
+	[172.17.0.10].46798 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#47 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+-- not 1
+[73] 2016-10-20 15:23:01.082865 [#0 dns.pcap-dist 4095] \
+	[172.17.0.10].57822 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#1 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[73] 2016-10-20 15:23:10.328324 [#2 dns.pcap-dist 4095] \
+	[172.17.0.10].48658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#3 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[73] 2016-10-20 15:23:59.090911 [#4 dns.pcap-dist 4095] \
+	[172.17.0.10].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#5 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[73] 2016-10-20 15:24:06.339145 [#6 dns.pcap-dist 4095] \
+	[172.17.0.10].58176 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#7 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[73] 2016-10-20 15:24:07.353123 [#8 dns.pcap-dist 4095] \
+	[172.17.0.10].34607 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#9 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[73] 2016-10-20 15:24:08.368516 [#10 dns.pcap-dist 4095] \
+	[172.17.0.10].37149 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#11 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[73] 2016-10-20 15:24:09.384057 [#12 dns.pcap-dist 4095] \
+	[172.17.0.10].52368 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#13 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[73] 2016-10-20 15:24:10.398099 [#14 dns.pcap-dist 4095] \
+	[172.17.0.10].34426 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#15 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[73] 2016-10-20 15:24:11.412133 [#16 dns.pcap-dist 4095] \
+	[172.17.0.10].51181 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#17 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[73] 2016-10-20 15:24:18.452451 [#18 dns.pcap-dist 4095] \
+	[172.17.0.10].40224 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#19 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[73] 2016-10-20 15:24:19.467324 [#20 dns.pcap-dist 4095] \
+	[172.17.0.10].60457 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#21 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[73] 2016-10-20 15:24:20.482188 [#22 dns.pcap-dist 4095] \
+	[172.17.0.10].56022 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#23 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[73] 2016-10-20 15:24:21.495324 [#24 dns.pcap-dist 4095] \
+	[172.17.0.10].42978 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#25 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[73] 2016-10-20 15:24:22.510176 [#26 dns.pcap-dist 4095] \
+	[172.17.0.10].50599 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#27 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[73] 2016-10-20 15:24:23.527449 [#28 dns.pcap-dist 4095] \
+	[172.17.0.10].60063 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#29 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[73] 2016-10-20 15:24:24.544538 [#30 dns.pcap-dist 4095] \
+	[172.17.0.10].60469 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#31 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[73] 2016-10-20 15:24:25.562608 [#32 dns.pcap-dist 4095] \
+	[172.17.0.10].33507 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#33 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+-- only PTR
+[73] 2016-10-20 15:23:01.082865 [#0 dns.pcap-dist 4095] \
+	[172.17.0.10].57822 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#1 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[73] 2016-10-20 15:23:10.328324 [#2 dns.pcap-dist 4095] \
+	[172.17.0.10].48658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#3 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[73] 2016-10-20 15:23:59.090911 [#4 dns.pcap-dist 4095] \
+	[172.17.0.10].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#5 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[73] 2016-10-20 15:24:06.339145 [#6 dns.pcap-dist 4095] \
+	[172.17.0.10].58176 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#7 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[73] 2016-10-20 15:24:07.353123 [#8 dns.pcap-dist 4095] \
+	[172.17.0.10].34607 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#9 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[73] 2016-10-20 15:24:08.368516 [#10 dns.pcap-dist 4095] \
+	[172.17.0.10].37149 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#11 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[73] 2016-10-20 15:24:09.384057 [#12 dns.pcap-dist 4095] \
+	[172.17.0.10].52368 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#13 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[73] 2016-10-20 15:24:10.398099 [#14 dns.pcap-dist 4095] \
+	[172.17.0.10].34426 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#15 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[73] 2016-10-20 15:24:11.412133 [#16 dns.pcap-dist 4095] \
+	[172.17.0.10].51181 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#17 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[73] 2016-10-20 15:24:18.452451 [#18 dns.pcap-dist 4095] \
+	[172.17.0.10].40224 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#19 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[73] 2016-10-20 15:24:19.467324 [#20 dns.pcap-dist 4095] \
+	[172.17.0.10].60457 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#21 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[73] 2016-10-20 15:24:20.482188 [#22 dns.pcap-dist 4095] \
+	[172.17.0.10].56022 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#23 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[73] 2016-10-20 15:24:21.495324 [#24 dns.pcap-dist 4095] \
+	[172.17.0.10].42978 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#25 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[73] 2016-10-20 15:24:22.510176 [#26 dns.pcap-dist 4095] \
+	[172.17.0.10].50599 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#27 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[73] 2016-10-20 15:24:23.527449 [#28 dns.pcap-dist 4095] \
+	[172.17.0.10].60063 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#29 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[73] 2016-10-20 15:24:24.544538 [#30 dns.pcap-dist 4095] \
+	[172.17.0.10].60469 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#31 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[73] 2016-10-20 15:24:25.562608 [#32 dns.pcap-dist 4095] \
+	[172.17.0.10].33507 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#33 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+-- not PTR
+[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
+	[172.17.0.10].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:01.087291 [#2 dns.pcap-dist 4095] \
+	[172.17.0.10].40043 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#3 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#4 dns.pcap-dist 4095] \
+	[172.17.0.10].37953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#5 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[56] 2016-10-20 15:23:52.860937 [#6 dns.pcap-dist 4095] \
+	[172.17.0.10].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#7 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#8 dns.pcap-dist 4095] \
+	[172.17.0.10].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#9 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[56] 2016-10-20 15:24:04.323868 [#10 dns.pcap-dist 4095] \
+	[172.17.0.10].43559 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#11 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#12 dns.pcap-dist 4095] \
+	[172.17.0.10].54859 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#13 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[56] 2016-10-20 15:24:07.346429 [#14 dns.pcap-dist 4095] \
+	[172.17.0.10].41266 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#15 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[56] 2016-10-20 15:24:08.360528 [#16 dns.pcap-dist 4095] \
+	[172.17.0.10].60437 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#17 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[56] 2016-10-20 15:24:09.375942 [#18 dns.pcap-dist 4095] \
+	[172.17.0.10].53820 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#19 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[56] 2016-10-20 15:24:10.391358 [#20 dns.pcap-dist 4095] \
+	[172.17.0.10].47637 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#21 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[56] 2016-10-20 15:24:11.406297 [#22 dns.pcap-dist 4095] \
+	[172.17.0.10].41059 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#23 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[56] 2016-10-20 15:24:12.419936 [#24 dns.pcap-dist 4095] \
+	[172.17.0.10].32976 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#25 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#26 dns.pcap-dist 4095] \
+	[172.17.0.10].53467 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#27 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#28 dns.pcap-dist 4095] \
+	[172.17.0.10].41532 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#29 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#30 dns.pcap-dist 4095] \
+	[172.17.0.10].44982 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#31 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[56] 2016-10-20 15:24:19.460087 [#32 dns.pcap-dist 4095] \
+	[172.17.0.10].45658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#33 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[56] 2016-10-20 15:24:20.475086 [#34 dns.pcap-dist 4095] \
+	[172.17.0.10].59762 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#35 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[56] 2016-10-20 15:24:21.489468 [#36 dns.pcap-dist 4095] \
+	[172.17.0.10].37669 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#37 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[56] 2016-10-20 15:24:22.502667 [#38 dns.pcap-dist 4095] \
+	[172.17.0.10].49829 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#39 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[56] 2016-10-20 15:24:23.520203 [#40 dns.pcap-dist 4095] \
+	[172.17.0.10].44980 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#41 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[56] 2016-10-20 15:24:24.537264 [#42 dns.pcap-dist 4095] \
+	[172.17.0.10].42042 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#43 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[56] 2016-10-20 15:24:25.554744 [#44 dns.pcap-dist 4095] \
+	[172.17.0.10].45703 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#45 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[56] 2016-10-20 15:24:26.572784 [#46 dns.pcap-dist 4095] \
+	[172.17.0.10].46798 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#47 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
diff --git a/src/test/test14.sh b/src/test/test14.sh
new file mode 100755
index 0000000..1788f10
--- /dev/null
+++ b/src/test/test14.sh
@@ -0,0 +1,25 @@
+#!/bin/sh -xe
+
+echo "-- only 1" >test14.out
+../dnscap -g -q 1 -r dns.pcap-dist 2>>test14.out
+echo "-- not 1" >>test14.out
+../dnscap -g -Q 1 -r dns.pcap-dist 2>>test14.out
+echo "-- only PTR" >>test14.out
+../dnscap -g -q PTR -r dns.pcap-dist 2>>test14.out
+echo "-- not PTR" >>test14.out
+../dnscap -g -Q PTR -r dns.pcap-dist 2>>test14.out
+
+echo "-- only 1" >>test14.out
+../dnscap -g -o use_layers=yes -q 1 -r dns.pcap-dist 2>>test14.out
+echo "-- not 1" >>test14.out
+../dnscap -g -o use_layers=yes -Q 1 -r dns.pcap-dist 2>>test14.out
+echo "-- only PTR" >>test14.out
+../dnscap -g -o use_layers=yes -q PTR -r dns.pcap-dist 2>>test14.out
+echo "-- not PTR" >>test14.out
+../dnscap -g -o use_layers=yes -Q PTR -r dns.pcap-dist 2>>test14.out
+
+mv test14.out test14.out.old
+grep -v "^libgcov profiling error:" test14.out.old > test14.out
+rm test14.out.old
+
+diff test14.out "$srcdir/test14.gold"
diff --git a/src/test/test2.sh b/src/test/test2.sh
new file mode 100755
index 0000000..83cc8c0
--- /dev/null
+++ b/src/test/test2.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -xe
+
+../dnscap -g -r dns.pcap-dist 2>no-layers.out
+../dnscap -g -r dns.pcap-dist -o use_layers=yes 2>layers.out
+
+diff no-layers.out layers.out
diff --git a/src/test/test3.sh b/src/test/test3.sh
new file mode 100755
index 0000000..4b65121
--- /dev/null
+++ b/src/test/test3.sh
@@ -0,0 +1,13 @@
+#!/bin/sh -xe
+
+../dnscap -g -f -r frags.pcap-dist -o use_layers=yes -o defrag_ipv4=yes -o max_ipv4_fragments_per_packet=64 2>frags.out
+
+# remove timestamp
+sed -i -e 's%^\(\[[0-9]*\]\)[^\[]*\[%\1 [%g' frags.out
+
+# create gold file
+cp "$srcdir/dns.gold" frags.gold
+sed -i -e 's%^\(\[[0-9]*\]\)[^\[]*\[%\1 [%g' frags.gold
+sed -i -e 's%dns.pcap-dist%frags.pcap-dist%g' frags.gold
+
+diff frags.out frags.gold
diff --git a/src/test/test4.sh b/src/test/test4.sh
new file mode 100755
index 0000000..7cdf34e
--- /dev/null
+++ b/src/test/test4.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -xe
+
+../dnscap -g -T -r 1qtcppadd.pcap-dist 2>padding-no-layers.out
+../dnscap -g -T -r 1qtcppadd.pcap-dist -o use_layers=yes 2>padding-layers.out
+
+diff padding-no-layers.out padding-layers.out
diff --git a/src/test/test5.sh b/src/test/test5.sh
new file mode 100755
index 0000000..a4789d7
--- /dev/null
+++ b/src/test/test5.sh
@@ -0,0 +1,20 @@
+#!/bin/sh -xe
+
+osrel=`uname -s`
+
+../dnscap -g -r vlan11.pcap-dist 2>vlan11.out
+test -f vlan11.out && ! test -s vlan11.out
+../dnscap -g -r vlan11.pcap-dist -L 10 2>vlan11.out
+test -f vlan11.out && ! test -s vlan11.out
+../dnscap -g -r vlan11.pcap-dist -L 4095 2>vlan11.out
+diff vlan11.out "$srcdir/vlan11.gold"
+../dnscap -g -r vlan11.pcap-dist -L 11 2>vlan11.out
+diff vlan11.out "$srcdir/vlan11.gold"
+../dnscap -g -r vlan11.pcap-dist -o use_layers=yes 2>vlan11.out
+test -f vlan11.out && ! test -s vlan11.out
+../dnscap -g -r vlan11.pcap-dist -o use_layers=yes -L 10 2>vlan11.out
+test -f vlan11.out && ! test -s vlan11.out
+../dnscap -g -r vlan11.pcap-dist -o use_layers=yes -L 4095 2>vlan11.out
+diff vlan11.out "$srcdir/vlan11.gold"
+../dnscap -g -r vlan11.pcap-dist -o use_layers=yes -L 11 2>vlan11.out
+diff vlan11.out "$srcdir/vlan11.gold"
diff --git a/src/test/test6.sh b/src/test/test6.sh
new file mode 100755
index 0000000..f05713b
--- /dev/null
+++ b/src/test/test6.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -xe
+
+../dnscap -g -r dnspad.pcap-dist 2>dnspad.out
+../dnscap -o use_layers=yes -g -r dnspad.pcap-dist 2>>dnspad.out
+
+diff dnspad.out "$srcdir/dnspad.gold"
diff --git a/src/test/test7.gold b/src/test/test7.gold
new file mode 100644
index 0000000..c3bb683
--- /dev/null
+++ b/src/test/test7.gold
@@ -0,0 +1,1417 @@
+[60] 2018-01-10 11:22:41.543825 [#0 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[60] 2018-01-10 11:22:41.548834 [#1 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388 
+[54] 2018-01-10 11:22:41.548947 [#2 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.552406 [#3 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:41.555912 [#4 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,58,216.58.211.142 0 0
+[54] 2018-01-10 11:22:41.556032 [#5 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:41.600183 [#6 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:41.616460 [#7 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:41.616663 [#8 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.659921 [#9 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:41.663576 [#10 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,58,216.58.211.142 0 0
+[54] 2018-01-10 11:22:41.663734 [#11 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.706183 [#12 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:41.709680 [#13 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,58,216.58.211.142 0 0
+[54] 2018-01-10 11:22:41.709779 [#14 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:41.754101 [#15 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:41.757876 [#16 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:41.758191 [#17 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.804255 [#18 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:41.809483 [#19 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,58,216.58.211.142 0 0
+[54] 2018-01-10 11:22:41.809780 [#20 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.854113 [#21 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:41.857788 [#22 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,58,216.58.211.142 0 0
+[54] 2018-01-10 11:22:41.858002 [#23 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:41.902165 [#24 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:41.905802 [#25 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:41.905918 [#26 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.950164 [#27 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:41.954138 [#28 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:41.954452 [#29 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.999121 [#30 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.002657 [#31 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.002831 [#32 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.047148 [#33 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.052425 [#34 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:42.052901 [#35 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.097899 [#36 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.101443 [#37 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.101553 [#38 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.145005 [#39 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.148639 [#40 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:42.148770 [#41 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.192777 [#42 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.196256 [#43 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.196471 [#44 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.240395 [#45 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.245103 [#46 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:42.245585 [#47 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.290257 [#48 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.293978 [#49 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.294300 [#50 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.337985 [#51 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.341559 [#52 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:42.341648 [#53 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.385009 [#54 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.389082 [#55 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.389343 [#56 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.433458 [#57 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.438748 [#58 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:42.439060 [#59 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.484005 [#60 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.487697 [#61 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.488035 [#62 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.532414 [#63 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.537574 [#64 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:42.537941 [#65 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.583021 [#66 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.586898 [#67 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.587050 [#68 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.630221 [#69 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.633808 [#70 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.634006 [#71 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.679168 [#72 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.682888 [#73 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.683273 [#74 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.727254 [#75 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.732703 [#76 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.733029 [#77 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.777184 [#78 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.781053 [#79 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:42.781416 [#80 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.824222 [#81 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.828050 [#82 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.828346 [#83 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.872186 [#84 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.875911 [#85 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:42.876226 [#86 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.920231 [#87 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.923917 [#88 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.924082 [#89 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.968961 [#90 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.972662 [#91 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:42.972972 [#92 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:43.017364 [#93 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:43.022591 [#94 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,56,216.58.211.142 0 0
+[54] 2018-01-10 11:22:43.022938 [#95 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:43.066765 [#96 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:43.070349 [#97 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:43.070484 [#98 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:43.114332 [#99 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:43.119538 [#100 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,56,216.58.211.142 0 0
+[54] 2018-01-10 11:22:43.119857 [#101 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:43.163857 [#102 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:43.167576 [#103 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:43.167733 [#104 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:43.211417 [#105 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:43.216686 [#106 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,56,216.58.211.142 0 0
+[54] 2018-01-10 11:22:43.217042 [#107 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:43.260995 [#108 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:43.265047 [#109 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:43.265399 [#110 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:43.310017 [#111 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:43.313596 [#112 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,56,216.58.211.142 0 0
+[54] 2018-01-10 11:22:43.313685 [#113 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:43.356802 [#114 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:43.360685 [#115 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:43.360864 [#116 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:43.406308 [#117 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:43.410191 [#118 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,56,216.58.211.142 0 0
+[54] 2018-01-10 11:22:43.410440 [#119 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:43.454193 [#120 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:43.458191 [#121 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:43.458511 [#122 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:43.503242 [#123 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:43.506884 [#124 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,56,216.58.211.142 0 0
+[52] 2018-01-10 11:22:43.507821 [#125 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[52] 2018-01-10 11:22:43.511351 [#126 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388 
+1515583361.543825 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.548834 8.8.8.8 53 172.17.0.8 51388 6
+1515583361.548947 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.552406 172.17.0.8 51388 8.8.8.8 53 6 59311 0 0 |RD| IN A google.com.
+1515583361.555912 8.8.8.8 53 172.17.0.8 51388 6 59311 0 0 |QR|RD|RA| IN A google.com.
+1515583361.556032 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.600183 172.17.0.8 51388 8.8.8.8 53 6 35665 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583361.616460 8.8.8.8 53 172.17.0.8 51388 6 35665 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583361.616663 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.659921 172.17.0.8 51388 8.8.8.8 53 6 5337 0 0 |RD| IN A google.com.
+1515583361.663576 8.8.8.8 53 172.17.0.8 51388 6 5337 0 0 |QR|RD|RA| IN A google.com.
+1515583361.663734 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.706183 172.17.0.8 51388 8.8.8.8 53 6 22982 0 0 |RD| IN A google.com.
+1515583361.709680 8.8.8.8 53 172.17.0.8 51388 6 22982 0 0 |QR|RD|RA| IN A google.com.
+1515583361.709779 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.754101 172.17.0.8 51388 8.8.8.8 53 6 18718 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583361.757876 8.8.8.8 53 172.17.0.8 51388 6 18718 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583361.758191 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.804255 172.17.0.8 51388 8.8.8.8 53 6 22531 0 0 |RD| IN A google.com.
+1515583361.809483 8.8.8.8 53 172.17.0.8 51388 6 22531 0 0 |QR|RD|RA| IN A google.com.
+1515583361.809780 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.854113 172.17.0.8 51388 8.8.8.8 53 6 58510 0 0 |RD| IN A google.com.
+1515583361.857788 8.8.8.8 53 172.17.0.8 51388 6 58510 0 0 |QR|RD|RA| IN A google.com.
+1515583361.858002 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.902165 172.17.0.8 51388 8.8.8.8 53 6 45248 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583361.905802 8.8.8.8 53 172.17.0.8 51388 6 45248 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583361.905918 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.950164 172.17.0.8 51388 8.8.8.8 53 6 49483 0 0 |RD| IN A google.com.
+1515583361.954138 8.8.8.8 53 172.17.0.8 51388 6 49483 0 0 |QR|RD|RA| IN A google.com.
+1515583361.954452 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.999121 172.17.0.8 51388 8.8.8.8 53 6 31669 0 0 |RD| IN A google.com.
+1515583362.002657 8.8.8.8 53 172.17.0.8 51388 6 31669 0 0 |QR|RD|RA| IN A google.com.
+1515583362.002831 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.047148 172.17.0.8 51388 8.8.8.8 53 6 25433 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.052425 8.8.8.8 53 172.17.0.8 51388 6 25433 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.052901 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.097899 172.17.0.8 51388 8.8.8.8 53 6 63798 0 0 |RD| IN A google.com.
+1515583362.101443 8.8.8.8 53 172.17.0.8 51388 6 63798 0 0 |QR|RD|RA| IN A google.com.
+1515583362.101553 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.145005 172.17.0.8 51388 8.8.8.8 53 6 8470 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.148639 8.8.8.8 53 172.17.0.8 51388 6 8470 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.148770 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.192777 172.17.0.8 51388 8.8.8.8 53 6 60258 0 0 |RD| IN A google.com.
+1515583362.196256 8.8.8.8 53 172.17.0.8 51388 6 60258 0 0 |QR|RD|RA| IN A google.com.
+1515583362.196471 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.240395 172.17.0.8 51388 8.8.8.8 53 6 44985 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.245103 8.8.8.8 53 172.17.0.8 51388 6 44985 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.245585 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.290257 172.17.0.8 51388 8.8.8.8 53 6 45512 0 0 |RD| IN A google.com.
+1515583362.293978 8.8.8.8 53 172.17.0.8 51388 6 45512 0 0 |QR|RD|RA| IN A google.com.
+1515583362.294300 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.337985 172.17.0.8 51388 8.8.8.8 53 6 22980 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.341559 8.8.8.8 53 172.17.0.8 51388 6 22980 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.341648 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.385009 172.17.0.8 51388 8.8.8.8 53 6 1834 0 0 |RD| IN A google.com.
+1515583362.389082 8.8.8.8 53 172.17.0.8 51388 6 1834 0 0 |QR|RD|RA| IN A google.com.
+1515583362.389343 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.433458 172.17.0.8 51388 8.8.8.8 53 6 25431 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.438748 8.8.8.8 53 172.17.0.8 51388 6 25431 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.439060 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.484005 172.17.0.8 51388 8.8.8.8 53 6 48432 0 0 |RD| IN A google.com.
+1515583362.487697 8.8.8.8 53 172.17.0.8 51388 6 48432 0 0 |QR|RD|RA| IN A google.com.
+1515583362.488035 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.532414 172.17.0.8 51388 8.8.8.8 53 6 47411 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.537574 8.8.8.8 53 172.17.0.8 51388 6 47411 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.537941 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.583021 172.17.0.8 51388 8.8.8.8 53 6 12038 0 0 |RD| IN A google.com.
+1515583362.586898 8.8.8.8 53 172.17.0.8 51388 6 12038 0 0 |QR|RD|RA| IN A google.com.
+1515583362.587050 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.630221 172.17.0.8 51388 8.8.8.8 53 6 11614 0 0 |RD| IN A google.com.
+1515583362.633808 8.8.8.8 53 172.17.0.8 51388 6 11614 0 0 |QR|RD|RA| IN A google.com.
+1515583362.634006 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.679168 172.17.0.8 51388 8.8.8.8 53 6 59173 0 0 |RD| IN A google.com.
+1515583362.682888 8.8.8.8 53 172.17.0.8 51388 6 59173 0 0 |QR|RD|RA| IN A google.com.
+1515583362.683273 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.727254 172.17.0.8 51388 8.8.8.8 53 6 45535 0 0 |RD| IN A google.com.
+1515583362.732703 8.8.8.8 53 172.17.0.8 51388 6 45535 0 0 |QR|RD|RA| IN A google.com.
+1515583362.733029 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.777184 172.17.0.8 51388 8.8.8.8 53 6 60808 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.781053 8.8.8.8 53 172.17.0.8 51388 6 60808 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.781416 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.824222 172.17.0.8 51388 8.8.8.8 53 6 64325 0 0 |RD| IN A google.com.
+1515583362.828050 8.8.8.8 53 172.17.0.8 51388 6 64325 0 0 |QR|RD|RA| IN A google.com.
+1515583362.828346 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.872186 172.17.0.8 51388 8.8.8.8 53 6 25543 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.875911 8.8.8.8 53 172.17.0.8 51388 6 25543 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.876226 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.920231 172.17.0.8 51388 8.8.8.8 53 6 20736 0 0 |RD| IN A google.com.
+1515583362.923917 8.8.8.8 53 172.17.0.8 51388 6 20736 0 0 |QR|RD|RA| IN A google.com.
+1515583362.924082 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.968961 172.17.0.8 51388 8.8.8.8 53 6 25911 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.972662 8.8.8.8 53 172.17.0.8 51388 6 25911 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.972972 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.017364 172.17.0.8 51388 8.8.8.8 53 6 64358 0 0 |RD| IN A google.com.
+1515583363.022591 8.8.8.8 53 172.17.0.8 51388 6 64358 0 0 |QR|RD|RA| IN A google.com.
+1515583363.022938 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.066765 172.17.0.8 51388 8.8.8.8 53 6 37698 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.070349 8.8.8.8 53 172.17.0.8 51388 6 37698 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.070484 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.114332 172.17.0.8 51388 8.8.8.8 53 6 54706 0 0 |RD| IN A google.com.
+1515583363.119538 8.8.8.8 53 172.17.0.8 51388 6 54706 0 0 |QR|RD|RA| IN A google.com.
+1515583363.119857 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.163857 172.17.0.8 51388 8.8.8.8 53 6 32142 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.167576 8.8.8.8 53 172.17.0.8 51388 6 32142 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.167733 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.211417 172.17.0.8 51388 8.8.8.8 53 6 41808 0 0 |RD| IN A google.com.
+1515583363.216686 8.8.8.8 53 172.17.0.8 51388 6 41808 0 0 |QR|RD|RA| IN A google.com.
+1515583363.217042 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.260995 172.17.0.8 51388 8.8.8.8 53 6 18886 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.265047 8.8.8.8 53 172.17.0.8 51388 6 18886 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.265399 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.310017 172.17.0.8 51388 8.8.8.8 53 6 10624 0 0 |RD| IN A google.com.
+1515583363.313596 8.8.8.8 53 172.17.0.8 51388 6 10624 0 0 |QR|RD|RA| IN A google.com.
+1515583363.313685 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.356802 172.17.0.8 51388 8.8.8.8 53 6 33139 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.360685 8.8.8.8 53 172.17.0.8 51388 6 33139 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.360864 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.406308 172.17.0.8 51388 8.8.8.8 53 6 61415 0 0 |RD| IN A google.com.
+1515583363.410191 8.8.8.8 53 172.17.0.8 51388 6 61415 0 0 |QR|RD|RA| IN A google.com.
+1515583363.410440 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.454193 172.17.0.8 51388 8.8.8.8 53 6 59258 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.458191 8.8.8.8 53 172.17.0.8 51388 6 59258 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.458511 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.503242 172.17.0.8 51388 8.8.8.8 53 6 17700 0 0 |RD| IN A google.com.
+1515583363.506884 8.8.8.8 53 172.17.0.8 51388 6 17700 0 0 |QR|RD|RA| IN A google.com.
+1515583363.507821 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.511351 8.8.8.8 53 172.17.0.8 51388 6
+[52] 2017-12-11 13:59:04.957247 [#0 1qtcpnosyn.pcap-dist 4095] \
+	[172.17.0.9].48613 [8.8.8.8].53 
+[52] 2017-12-11 13:59:04.960230 [#1 1qtcpnosyn.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.9].48613 
+1513000744.957247 172.17.0.9 48613 8.8.8.8 53 6
+1513000744.960230 8.8.8.8 53 172.17.0.9 48613 6
+[60] 2018-01-10 11:22:41.543825 [#0 dnso1tcp-midmiss.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[60] 2018-01-10 11:22:41.548834 [#1 dnso1tcp-midmiss.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388 
+[54] 2018-01-10 11:22:41.548947 [#2 dnso1tcp-midmiss.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.552406 [#3 dnso1tcp-midmiss.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:41.555912 [#4 dnso1tcp-midmiss.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,58,216.58.211.142 0 0
+[54] 2018-01-10 11:22:41.556032 [#5 dnso1tcp-midmiss.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:41.600183 [#6 dnso1tcp-midmiss.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[98] 2018-01-10 11:22:41.663576 [#7 dnso1tcp-midmiss.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388 
+[54] 2018-01-10 11:22:41.663734 [#8 dnso1tcp-midmiss.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.706183 [#9 dnso1tcp-midmiss.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[98] 2018-01-10 11:22:41.709680 [#10 dnso1tcp-midmiss.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388 
+1515583361.543825 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.548834 8.8.8.8 53 172.17.0.8 51388 6
+1515583361.548947 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.552406 172.17.0.8 51388 8.8.8.8 53 6 59311 0 0 |RD| IN A google.com.
+1515583361.555912 8.8.8.8 53 172.17.0.8 51388 6 59311 0 0 |QR|RD|RA| IN A google.com.
+1515583361.556032 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.600183 172.17.0.8 51388 8.8.8.8 53 6 35665 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583361.663576 8.8.8.8 53 172.17.0.8 51388 6
+1515583361.663734 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.706183 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.709680 8.8.8.8 53 172.17.0.8 51388 6
+
+Enabling parse_ongoing_tcp and allow_reset_tcpstate
+
+[60] 2018-01-10 11:22:41.543825 [#0 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[60] 2018-01-10 11:22:41.548834 [#1 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388 
+[54] 2018-01-10 11:22:41.548947 [#2 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.552406 [#3 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:41.555912 [#4 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,58,216.58.211.142 0 0
+[54] 2018-01-10 11:22:41.556032 [#5 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:41.600183 [#6 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:41.616460 [#7 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:41.616663 [#8 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.659921 [#9 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:41.663576 [#10 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,58,216.58.211.142 0 0
+[54] 2018-01-10 11:22:41.663734 [#11 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.706183 [#12 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:41.709680 [#13 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,58,216.58.211.142 0 0
+[54] 2018-01-10 11:22:41.709779 [#14 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:41.754101 [#15 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:41.757876 [#16 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:41.758191 [#17 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.804255 [#18 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:41.809483 [#19 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,58,216.58.211.142 0 0
+[54] 2018-01-10 11:22:41.809780 [#20 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.854113 [#21 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:41.857788 [#22 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,58,216.58.211.142 0 0
+[54] 2018-01-10 11:22:41.858002 [#23 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:41.902165 [#24 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:41.905802 [#25 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:41.905918 [#26 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.950164 [#27 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:41.954138 [#28 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:41.954452 [#29 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.999121 [#30 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.002657 [#31 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.002831 [#32 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.047148 [#33 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.052425 [#34 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:42.052901 [#35 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.097899 [#36 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.101443 [#37 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.101553 [#38 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.145005 [#39 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.148639 [#40 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:42.148770 [#41 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.192777 [#42 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.196256 [#43 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.196471 [#44 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.240395 [#45 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.245103 [#46 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:42.245585 [#47 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.290257 [#48 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.293978 [#49 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.294300 [#50 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.337985 [#51 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.341559 [#52 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:42.341648 [#53 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.385009 [#54 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.389082 [#55 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.389343 [#56 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.433458 [#57 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.438748 [#58 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:42.439060 [#59 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.484005 [#60 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.487697 [#61 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.488035 [#62 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.532414 [#63 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.537574 [#64 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:42.537941 [#65 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.583021 [#66 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.586898 [#67 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.587050 [#68 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.630221 [#69 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.633808 [#70 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.634006 [#71 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.679168 [#72 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.682888 [#73 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.683273 [#74 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.727254 [#75 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.732703 [#76 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.733029 [#77 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.777184 [#78 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.781053 [#79 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:42.781416 [#80 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.824222 [#81 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.828050 [#82 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.828346 [#83 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.872186 [#84 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.875911 [#85 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:42.876226 [#86 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.920231 [#87 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.923917 [#88 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[54] 2018-01-10 11:22:42.924082 [#89 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.968961 [#90 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.972662 [#91 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:42.972972 [#92 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:43.017364 [#93 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:43.022591 [#94 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,56,216.58.211.142 0 0
+[54] 2018-01-10 11:22:43.022938 [#95 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:43.066765 [#96 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:43.070349 [#97 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:43.070484 [#98 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:43.114332 [#99 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:43.119538 [#100 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,56,216.58.211.142 0 0
+[54] 2018-01-10 11:22:43.119857 [#101 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:43.163857 [#102 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:43.167576 [#103 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:43.167733 [#104 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:43.211417 [#105 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:43.216686 [#106 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,56,216.58.211.142 0 0
+[54] 2018-01-10 11:22:43.217042 [#107 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:43.260995 [#108 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:43.265047 [#109 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:43.265399 [#110 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:43.310017 [#111 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:43.313596 [#112 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,56,216.58.211.142 0 0
+[54] 2018-01-10 11:22:43.313685 [#113 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:43.356802 [#114 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:43.360685 [#115 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:43.360864 [#116 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:43.406308 [#117 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:43.410191 [#118 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,56,216.58.211.142 0 0
+[54] 2018-01-10 11:22:43.410440 [#119 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:43.454193 [#120 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:43.458191 [#121 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
+[54] 2018-01-10 11:22:43.458511 [#122 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:43.503242 [#123 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:43.506884 [#124 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,56,216.58.211.142 0 0
+[52] 2018-01-10 11:22:43.507821 [#125 dnso1tcp.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[52] 2018-01-10 11:22:43.511351 [#126 dnso1tcp.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388 
+1515583361.543825 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.548834 8.8.8.8 53 172.17.0.8 51388 6
+1515583361.548947 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.552406 172.17.0.8 51388 8.8.8.8 53 6 59311 0 0 |RD| IN A google.com.
+1515583361.555912 8.8.8.8 53 172.17.0.8 51388 6 59311 0 0 |QR|RD|RA| IN A google.com.
+1515583361.556032 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.600183 172.17.0.8 51388 8.8.8.8 53 6 35665 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583361.616460 8.8.8.8 53 172.17.0.8 51388 6 35665 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583361.616663 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.659921 172.17.0.8 51388 8.8.8.8 53 6 5337 0 0 |RD| IN A google.com.
+1515583361.663576 8.8.8.8 53 172.17.0.8 51388 6 5337 0 0 |QR|RD|RA| IN A google.com.
+1515583361.663734 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.706183 172.17.0.8 51388 8.8.8.8 53 6 22982 0 0 |RD| IN A google.com.
+1515583361.709680 8.8.8.8 53 172.17.0.8 51388 6 22982 0 0 |QR|RD|RA| IN A google.com.
+1515583361.709779 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.754101 172.17.0.8 51388 8.8.8.8 53 6 18718 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583361.757876 8.8.8.8 53 172.17.0.8 51388 6 18718 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583361.758191 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.804255 172.17.0.8 51388 8.8.8.8 53 6 22531 0 0 |RD| IN A google.com.
+1515583361.809483 8.8.8.8 53 172.17.0.8 51388 6 22531 0 0 |QR|RD|RA| IN A google.com.
+1515583361.809780 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.854113 172.17.0.8 51388 8.8.8.8 53 6 58510 0 0 |RD| IN A google.com.
+1515583361.857788 8.8.8.8 53 172.17.0.8 51388 6 58510 0 0 |QR|RD|RA| IN A google.com.
+1515583361.858002 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.902165 172.17.0.8 51388 8.8.8.8 53 6 45248 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583361.905802 8.8.8.8 53 172.17.0.8 51388 6 45248 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583361.905918 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.950164 172.17.0.8 51388 8.8.8.8 53 6 49483 0 0 |RD| IN A google.com.
+1515583361.954138 8.8.8.8 53 172.17.0.8 51388 6 49483 0 0 |QR|RD|RA| IN A google.com.
+1515583361.954452 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.999121 172.17.0.8 51388 8.8.8.8 53 6 31669 0 0 |RD| IN A google.com.
+1515583362.002657 8.8.8.8 53 172.17.0.8 51388 6 31669 0 0 |QR|RD|RA| IN A google.com.
+1515583362.002831 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.047148 172.17.0.8 51388 8.8.8.8 53 6 25433 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.052425 8.8.8.8 53 172.17.0.8 51388 6 25433 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.052901 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.097899 172.17.0.8 51388 8.8.8.8 53 6 63798 0 0 |RD| IN A google.com.
+1515583362.101443 8.8.8.8 53 172.17.0.8 51388 6 63798 0 0 |QR|RD|RA| IN A google.com.
+1515583362.101553 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.145005 172.17.0.8 51388 8.8.8.8 53 6 8470 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.148639 8.8.8.8 53 172.17.0.8 51388 6 8470 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.148770 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.192777 172.17.0.8 51388 8.8.8.8 53 6 60258 0 0 |RD| IN A google.com.
+1515583362.196256 8.8.8.8 53 172.17.0.8 51388 6 60258 0 0 |QR|RD|RA| IN A google.com.
+1515583362.196471 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.240395 172.17.0.8 51388 8.8.8.8 53 6 44985 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.245103 8.8.8.8 53 172.17.0.8 51388 6 44985 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.245585 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.290257 172.17.0.8 51388 8.8.8.8 53 6 45512 0 0 |RD| IN A google.com.
+1515583362.293978 8.8.8.8 53 172.17.0.8 51388 6 45512 0 0 |QR|RD|RA| IN A google.com.
+1515583362.294300 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.337985 172.17.0.8 51388 8.8.8.8 53 6 22980 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.341559 8.8.8.8 53 172.17.0.8 51388 6 22980 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.341648 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.385009 172.17.0.8 51388 8.8.8.8 53 6 1834 0 0 |RD| IN A google.com.
+1515583362.389082 8.8.8.8 53 172.17.0.8 51388 6 1834 0 0 |QR|RD|RA| IN A google.com.
+1515583362.389343 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.433458 172.17.0.8 51388 8.8.8.8 53 6 25431 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.438748 8.8.8.8 53 172.17.0.8 51388 6 25431 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.439060 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.484005 172.17.0.8 51388 8.8.8.8 53 6 48432 0 0 |RD| IN A google.com.
+1515583362.487697 8.8.8.8 53 172.17.0.8 51388 6 48432 0 0 |QR|RD|RA| IN A google.com.
+1515583362.488035 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.532414 172.17.0.8 51388 8.8.8.8 53 6 47411 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.537574 8.8.8.8 53 172.17.0.8 51388 6 47411 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.537941 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.583021 172.17.0.8 51388 8.8.8.8 53 6 12038 0 0 |RD| IN A google.com.
+1515583362.586898 8.8.8.8 53 172.17.0.8 51388 6 12038 0 0 |QR|RD|RA| IN A google.com.
+1515583362.587050 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.630221 172.17.0.8 51388 8.8.8.8 53 6 11614 0 0 |RD| IN A google.com.
+1515583362.633808 8.8.8.8 53 172.17.0.8 51388 6 11614 0 0 |QR|RD|RA| IN A google.com.
+1515583362.634006 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.679168 172.17.0.8 51388 8.8.8.8 53 6 59173 0 0 |RD| IN A google.com.
+1515583362.682888 8.8.8.8 53 172.17.0.8 51388 6 59173 0 0 |QR|RD|RA| IN A google.com.
+1515583362.683273 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.727254 172.17.0.8 51388 8.8.8.8 53 6 45535 0 0 |RD| IN A google.com.
+1515583362.732703 8.8.8.8 53 172.17.0.8 51388 6 45535 0 0 |QR|RD|RA| IN A google.com.
+1515583362.733029 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.777184 172.17.0.8 51388 8.8.8.8 53 6 60808 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.781053 8.8.8.8 53 172.17.0.8 51388 6 60808 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.781416 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.824222 172.17.0.8 51388 8.8.8.8 53 6 64325 0 0 |RD| IN A google.com.
+1515583362.828050 8.8.8.8 53 172.17.0.8 51388 6 64325 0 0 |QR|RD|RA| IN A google.com.
+1515583362.828346 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.872186 172.17.0.8 51388 8.8.8.8 53 6 25543 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.875911 8.8.8.8 53 172.17.0.8 51388 6 25543 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.876226 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.920231 172.17.0.8 51388 8.8.8.8 53 6 20736 0 0 |RD| IN A google.com.
+1515583362.923917 8.8.8.8 53 172.17.0.8 51388 6 20736 0 0 |QR|RD|RA| IN A google.com.
+1515583362.924082 172.17.0.8 51388 8.8.8.8 53 6
+1515583362.968961 172.17.0.8 51388 8.8.8.8 53 6 25911 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.972662 8.8.8.8 53 172.17.0.8 51388 6 25911 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583362.972972 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.017364 172.17.0.8 51388 8.8.8.8 53 6 64358 0 0 |RD| IN A google.com.
+1515583363.022591 8.8.8.8 53 172.17.0.8 51388 6 64358 0 0 |QR|RD|RA| IN A google.com.
+1515583363.022938 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.066765 172.17.0.8 51388 8.8.8.8 53 6 37698 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.070349 8.8.8.8 53 172.17.0.8 51388 6 37698 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.070484 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.114332 172.17.0.8 51388 8.8.8.8 53 6 54706 0 0 |RD| IN A google.com.
+1515583363.119538 8.8.8.8 53 172.17.0.8 51388 6 54706 0 0 |QR|RD|RA| IN A google.com.
+1515583363.119857 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.163857 172.17.0.8 51388 8.8.8.8 53 6 32142 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.167576 8.8.8.8 53 172.17.0.8 51388 6 32142 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.167733 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.211417 172.17.0.8 51388 8.8.8.8 53 6 41808 0 0 |RD| IN A google.com.
+1515583363.216686 8.8.8.8 53 172.17.0.8 51388 6 41808 0 0 |QR|RD|RA| IN A google.com.
+1515583363.217042 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.260995 172.17.0.8 51388 8.8.8.8 53 6 18886 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.265047 8.8.8.8 53 172.17.0.8 51388 6 18886 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.265399 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.310017 172.17.0.8 51388 8.8.8.8 53 6 10624 0 0 |RD| IN A google.com.
+1515583363.313596 8.8.8.8 53 172.17.0.8 51388 6 10624 0 0 |QR|RD|RA| IN A google.com.
+1515583363.313685 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.356802 172.17.0.8 51388 8.8.8.8 53 6 33139 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.360685 8.8.8.8 53 172.17.0.8 51388 6 33139 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.360864 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.406308 172.17.0.8 51388 8.8.8.8 53 6 61415 0 0 |RD| IN A google.com.
+1515583363.410191 8.8.8.8 53 172.17.0.8 51388 6 61415 0 0 |QR|RD|RA| IN A google.com.
+1515583363.410440 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.454193 172.17.0.8 51388 8.8.8.8 53 6 59258 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.458191 8.8.8.8 53 172.17.0.8 51388 6 59258 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+1515583363.458511 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.503242 172.17.0.8 51388 8.8.8.8 53 6 17700 0 0 |RD| IN A google.com.
+1515583363.506884 8.8.8.8 53 172.17.0.8 51388 6 17700 0 0 |QR|RD|RA| IN A google.com.
+1515583363.507821 172.17.0.8 51388 8.8.8.8 53 6
+1515583363.511351 8.8.8.8 53 172.17.0.8 51388 6
+[93] 2017-12-11 13:59:04.953122 [#0 1qtcpnosyn.pcap-dist 4095] \
+	[172.17.0.9].48613 [8.8.8.8].53  \
+	dns QUERY,NOERROR,4815,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[109] 2017-12-11 13:59:04.956698 [#1 1qtcpnosyn.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.9].48613  \
+	dns QUERY,NOERROR,4815,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,47,172.217.22.174 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[52] 2017-12-11 13:59:04.957247 [#2 1qtcpnosyn.pcap-dist 4095] \
+	[172.17.0.9].48613 [8.8.8.8].53 
+[52] 2017-12-11 13:59:04.960230 [#3 1qtcpnosyn.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.9].48613 
+1513000744.953122 172.17.0.9 48613 8.8.8.8 53 6 4815 0 0 |RD|AD| IN A google.com.
+1513000744.956698 8.8.8.8 53 172.17.0.9 48613 6 4815 0 0 |QR|RD|RA| IN A google.com.
+1513000744.957247 172.17.0.9 48613 8.8.8.8 53 6
+1513000744.960230 8.8.8.8 53 172.17.0.9 48613 6
+[80] 2018-01-10 11:22:41.552406 [#0 do1t-nosyn-1nolen.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns Label length overflow
+[98] 2018-01-10 11:22:41.555912 [#1 do1t-nosyn-1nolen.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,58,216.58.211.142 0 0
+[54] 2018-01-10 11:22:41.556032 [#2 do1t-nosyn-1nolen.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:41.600183 [#3 do1t-nosyn-1nolen.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:41.616460 [#4 do1t-nosyn-1nolen.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. 0 0
+1515583361.552406 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.555912 8.8.8.8 53 172.17.0.8 51388 6 59311 0 0 |QR|RD|RA| IN A google.com.
+1515583361.556032 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.600183 172.17.0.8 51388 8.8.8.8 53 6 35665 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583361.616460 8.8.8.8 53 172.17.0.8 51388 6 35665 0 0 |QR|RD|RA| IN PTR 206.218.58.216.in-addr.arpa.
+[60] 2018-01-10 11:22:41.543825 [#0 dnso1tcp-midmiss.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[60] 2018-01-10 11:22:41.548834 [#1 dnso1tcp-midmiss.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388 
+[54] 2018-01-10 11:22:41.548947 [#2 dnso1tcp-midmiss.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.552406 [#3 dnso1tcp-midmiss.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:41.555912 [#4 dnso1tcp-midmiss.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,58,216.58.211.142 0 0
+[54] 2018-01-10 11:22:41.556032 [#5 dnso1tcp-midmiss.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:41.600183 [#6 dnso1tcp-midmiss.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[98] 2018-01-10 11:22:41.663576 [#7 dnso1tcp-midmiss.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,58,216.58.211.142 0 0
+[54] 2018-01-10 11:22:41.663734 [#8 dnso1tcp-midmiss.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.706183 [#9 dnso1tcp-midmiss.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:41.709680 [#10 dnso1tcp-midmiss.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,58,216.58.211.142 0 0
+1515583361.543825 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.548834 8.8.8.8 53 172.17.0.8 51388 6
+1515583361.548947 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.552406 172.17.0.8 51388 8.8.8.8 53 6 59311 0 0 |RD| IN A google.com.
+1515583361.555912 8.8.8.8 53 172.17.0.8 51388 6 59311 0 0 |QR|RD|RA| IN A google.com.
+1515583361.556032 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.600183 172.17.0.8 51388 8.8.8.8 53 6 35665 0 0 |RD| IN PTR 206.218.58.216.in-addr.arpa.
+1515583361.663576 8.8.8.8 53 172.17.0.8 51388 6 5337 0 0 |QR|RD|RA| IN A google.com.
+1515583361.663734 172.17.0.8 51388 8.8.8.8 53 6
+1515583361.706183 172.17.0.8 51388 8.8.8.8 53 6 22982 0 0 |RD| IN A google.com.
+1515583361.709680 8.8.8.8 53 172.17.0.8 51388 6 22982 0 0 |QR|RD|RA| IN A google.com.
diff --git a/src/test/test7.sh b/src/test/test7.sh
new file mode 100755
index 0000000..6c9a4ec
--- /dev/null
+++ b/src/test/test7.sh
@@ -0,0 +1,33 @@
+#!/bin/sh -xe
+
+txtout="../../plugins/txtout/.libs/txtout.so"
+
+rm -f test7.out test7.layer.out
+
+for what in dnso1tcp.pcap-dist 1qtcpnosyn.pcap-dist do1t-nosyn-1nolen.pcap-dist dnso1tcp-midmiss.pcap-dist; do
+    ../dnscap -r "$what" -g -T 2>>test7.out
+    ../dnscap -r "$what" -g -T -o use_layers=yes 2>>test7.layer.out
+    if [ -f "$txtout" ]; then
+        ../dnscap -r "$what" -T -P "$txtout" >>test7.out
+        ../dnscap -r "$what" -T -o use_layers=yes -P "$txtout" >>test7.layer.out
+    fi
+done
+
+echo "" >>test7.out
+echo "Enabling parse_ongoing_tcp and allow_reset_tcpstate" >>test7.out
+echo "" >>test7.out
+echo "" >>test7.layer.out
+echo "Enabling parse_ongoing_tcp and allow_reset_tcpstate" >>test7.layer.out
+echo "" >>test7.layer.out
+
+for what in dnso1tcp.pcap-dist 1qtcpnosyn.pcap-dist do1t-nosyn-1nolen.pcap-dist dnso1tcp-midmiss.pcap-dist; do
+    ../dnscap -r "$what" -g -T -o parse_ongoing_tcp=yes -o allow_reset_tcpstate=yes 2>>test7.out
+    ../dnscap -r "$what" -g -T -o parse_ongoing_tcp=yes -o allow_reset_tcpstate=yes -o use_layers=yes 2>>test7.layer.out
+    if [ -f "$txtout" ]; then
+        ../dnscap -r "$what" -T -o parse_ongoing_tcp=yes -o allow_reset_tcpstate=yes -P "$txtout" >>test7.out
+        ../dnscap -r "$what" -T -o parse_ongoing_tcp=yes -o allow_reset_tcpstate=yes -o use_layers=yes -P "$txtout" >>test7.layer.out
+    fi
+done
+
+diff test7.out "$srcdir/test7.gold"
+diff test7.layer.out "$srcdir/test7.gold"
diff --git a/src/test/test8.gold b/src/test/test8.gold
new file mode 100644
index 0000000..a4196e4
--- /dev/null
+++ b/src/test/test8.gold
@@ -0,0 +1,440 @@
+[60] 2017-12-11 13:59:04.949707 [#0 dnsotcp-many1pkt.pcap-dist 4095] \
+	[172.17.0.9].48613 [8.8.8.8].53 
+[60] 2017-12-11 13:59:04.953026 [#1 dnsotcp-many1pkt.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.9].48613 
+[142] 2017-12-11 13:59:04.953122 [#2 dnsotcp-many1pkt.pcap-dist 4095] \
+	[172.17.0.9].48613 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[142] 2017-12-11 13:59:04.953122 [#2 dnsotcp-many1pkt.pcap-dist 4095] \
+	[172.17.0.9].48613 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[142] 2017-12-11 13:59:04.953122 [#2 dnsotcp-many1pkt.pcap-dist 4095] \
+	[172.17.0.9].48613 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[109] 2017-12-11 13:59:04.956698 [#5 dnsotcp-many1pkt.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.9].48613  \
+	dns QUERY,NOERROR,4815,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,47,172.217.22.174 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[52] 2017-12-11 13:59:04.957247 [#6 dnsotcp-many1pkt.pcap-dist 4095] \
+	[172.17.0.9].48613 [8.8.8.8].53 
+[52] 2017-12-11 13:59:04.960230 [#7 dnsotcp-many1pkt.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.9].48613 
+[60] 2018-01-10 11:22:41.543825 [#0 dnsotcp-manyopkts.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[60] 2018-01-10 11:22:41.548834 [#1 dnsotcp-manyopkts.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388 
+[97] 2018-01-10 11:22:41.548947 [#2 dnsotcp-manyopkts.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[97] 2018-01-10 11:22:41.552406 [#3 dnsotcp-manyopkts.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:41.552406 [#3 dnsotcp-manyopkts.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[97] 2018-01-10 11:22:41.552406 [#3 dnsotcp-manyopkts.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[60] 2018-01-10 11:22:41.543825 [#0 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[60] 2018-01-10 11:22:41.548834 [#1 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388 
+[80] 2018-01-10 11:22:41.552406 [#2 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.552406 [#2 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:41.555912 [#4 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,58,216.58.211.142 0 0
+[97] 2018-01-10 11:22:41.600183 [#5 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:41.600183 [#5 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:41.616460 [#7 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. 0 0
+[80] 2018-01-10 11:22:41.659921 [#8 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:41.659921 [#8 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[97] 2018-01-10 11:22:42.047148 [#10 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.047148 [#10 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[80] 2018-01-10 11:22:42.097899 [#12 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.097899 [#12 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[97] 2018-01-10 11:22:42.145005 [#14 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.145005 [#14 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[80] 2018-01-10 11:22:42.192777 [#16 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.192777 [#16 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[97] 2018-01-10 11:22:42.240395 [#18 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.240395 [#18 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.245103 [#20 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[80] 2018-01-10 11:22:42.290257 [#21 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.290257 [#21 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.293978 [#23 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[97] 2018-01-10 11:22:42.337985 [#24 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.337985 [#24 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.341559 [#26 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[80] 2018-01-10 11:22:42.385009 [#27 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.385009 [#27 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.389082 [#29 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[97] 2018-01-10 11:22:42.433458 [#30 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.433458 [#30 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.438748 [#32 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[80] 2018-01-10 11:22:42.484005 [#33 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.484005 [#33 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.487697 [#35 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[97] 2018-01-10 11:22:42.532414 [#36 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.532414 [#36 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.537574 [#38 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[80] 2018-01-10 11:22:42.583021 [#39 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.583021 [#39 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.586898 [#41 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[80] 2018-01-10 11:22:42.630221 [#42 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.630221 [#42 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.633808 [#44 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[80] 2018-01-10 11:22:42.679168 [#45 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.679168 [#45 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.682888 [#47 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[80] 2018-01-10 11:22:42.727254 [#48 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.727254 [#48 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.732703 [#50 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[97] 2018-01-10 11:22:42.777184 [#51 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.777184 [#51 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.781053 [#53 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[80] 2018-01-10 11:22:42.824222 [#54 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.824222 [#54 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.828050 [#56 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[97] 2018-01-10 11:22:42.872186 [#57 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.872186 [#57 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.875911 [#59 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
+[80] 2018-01-10 11:22:42.920231 [#60 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:42.920231 [#60 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:42.923917 [#62 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,57,216.58.211.142 0 0
+[97] 2018-01-10 11:22:42.968961 [#63 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:42.968961 [#63 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:42.972662 [#65 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
+[80] 2018-01-10 11:22:43.017364 [#66 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:43.017364 [#66 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:43.022591 [#68 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,56,216.58.211.142 0 0
+[97] 2018-01-10 11:22:43.066765 [#69 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:43.066765 [#69 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:43.070349 [#71 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
+[80] 2018-01-10 11:22:43.114332 [#72 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:43.114332 [#72 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:43.119538 [#74 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,56,216.58.211.142 0 0
+[97] 2018-01-10 11:22:43.163857 [#75 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:43.163857 [#75 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:43.167576 [#77 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
+[80] 2018-01-10 11:22:43.211417 [#78 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:43.211417 [#78 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:43.216686 [#80 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,56,216.58.211.142 0 0
+[97] 2018-01-10 11:22:43.260995 [#81 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:43.260995 [#81 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:43.265047 [#83 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
+[80] 2018-01-10 11:22:43.310017 [#84 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:43.310017 [#84 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:43.313596 [#86 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,56,216.58.211.142 0 0
+[97] 2018-01-10 11:22:43.356802 [#87 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:43.356802 [#87 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:43.360685 [#89 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
+[80] 2018-01-10 11:22:43.406308 [#90 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:43.406308 [#90 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:43.410191 [#92 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,56,216.58.211.142 0 0
+[97] 2018-01-10 11:22:43.454193 [#93 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[97] 2018-01-10 11:22:43.454193 [#93 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[197] 2018-01-10 11:22:43.458191 [#95 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
+[80] 2018-01-10 11:22:43.503242 [#96 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[80] 2018-01-10 11:22:43.503242 [#96 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[98] 2018-01-10 11:22:43.506884 [#98 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,56,216.58.211.142 0 0
+[52] 2018-01-10 11:22:43.507821 [#99 dnso1tcp-bighole.pcap-dist 4095] \
+	[172.17.0.8].51388 [8.8.8.8].53 
+[52] 2018-01-10 11:22:43.511351 [#100 dnso1tcp-bighole.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.8].51388 
diff --git a/src/test/test8.sh b/src/test/test8.sh
new file mode 100755
index 0000000..e091ff6
--- /dev/null
+++ b/src/test/test8.sh
@@ -0,0 +1,16 @@
+#!/bin/sh -xe
+
+rm -f test8.out test8.layer.out
+
+for what in dnsotcp-many1pkt.pcap-dist dnsotcp-manyopkts.pcap-dist; do
+    ../dnscap -r "$what" -g -T -o reassemble_tcp=yes 2>>test8.out
+    ../dnscap -r "$what" -g -T -o reassemble_tcp=yes -o use_layers=yes 2>>test8.layer.out
+done
+
+for what in dnso1tcp-bighole.pcap-dist; do
+    ../dnscap -r "$what" -g -T -o reassemble_tcp=yes -o allow_reset_tcpstate=yes 2>>test8.out
+    ../dnscap -r "$what" -g -T -o reassemble_tcp=yes -o allow_reset_tcpstate=yes -o use_layers=yes 2>>test8.layer.out
+done
+
+diff test8.out "$srcdir/test8.gold"
+diff test8.layer.out "$srcdir/test8.gold"
diff --git a/src/test/test9.gold b/src/test/test9.gold
new file mode 100644
index 0000000..1c50c70
--- /dev/null
+++ b/src/test/test9.gold
@@ -0,0 +1,104 @@
+[56] 2016-10-20 15:23:52.860937 [#0 dns.pcap-dist 4095] \
+	[172.17.0.10].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#1 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#2 dns.pcap-dist 4095] \
+	[172.17.0.10].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#3 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#4 dns.pcap-dist 4095] \
+	[172.17.0.10].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#5 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#0 dns.pcap-dist 4095] \
+	[172.17.0.10].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#1 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#2 dns.pcap-dist 4095] \
+	[172.17.0.10].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#3 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#4 dns.pcap-dist 4095] \
+	[172.17.0.10].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#5 dns.pcap-dist 4095] \
+	[8.8.8.8].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
diff --git a/src/test/test9.sh b/src/test/test9.sh
new file mode 100755
index 0000000..aff7610
--- /dev/null
+++ b/src/test/test9.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -xe
+
+../dnscap -r dns.pcap-dist -g -B '2016-10-20 15:23:30' -E '2016-10-20 15:24:00' 2>test9.out
+../dnscap -r dns.pcap-dist -o use_layers=yes -g -B '2016-10-20 15:23:30' -E '2016-10-20 15:24:00' 2>>test9.out
+
+diff test9.out "$srcdir/test9.gold"
diff --git a/src/test/vlan11.gold b/src/test/vlan11.gold
new file mode 100644
index 0000000..92f8d39
--- /dev/null
+++ b/src/test/vlan11.gold
@@ -0,0 +1,714 @@
+[56] 2016-10-20 15:23:01.075993 [#0 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].57822 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].40043 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].37953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].48658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].43559 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].54859 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].58176 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].41266 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].34607 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].60437 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].37149 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].53820 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].52368 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].47637 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].34426 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].41059 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].51181 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].32976 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].53467 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].41532 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].44982 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].40224 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].45658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].60457 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].59762 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].56022 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].37669 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].42978 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].49829 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].50599 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].44980 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].60063 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].42042 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].60469 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].45703 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].33507 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 vlan11.pcap-dist (vlan 11) 11] \
+	[172.17.0.10].46798 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 vlan11.pcap-dist (vlan 11) 11] \
+	[8.8.8.8].53 [172.17.0.10].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
diff --git a/src/test/vlan11.pcap b/src/test/vlan11.pcap
new file mode 100644
index 0000000..9e1f5be
Binary files /dev/null and b/src/test/vlan11.pcap differ
-- 
cgit v1.2.3