summaryrefslogtreecommitdiffstats
path: root/CHANGES
blob: b8fc6a2dcd2a67a4c8ea552d810f496028883d2a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
2021-03-11 Jerry Lundström

    Release 2.0.1

    Fixed incorrect line break in eventlog's (plugin) output.

    5df363c remove trailing newline

2021-02-12 Jerry Lundström

    Release 2.0.0

    This major release contains three backward incompatible changes, two
    new command line options and a completely restructured man-page(!),
    please read the change notes carefully before upgrading!

    The first backward incompatible change has to do with the removal of
    libbind dependency. This library was causing segfaults on OpenBSD due to
    shared (and overwritten) symbols with OpenBSD's libc.
    It was replaced with LDNS and LDNS renders domain names as Fully
    Qualified Domain Names (FQDN, the trailing dot!) so every output of a
    domain name has been changed to a FQDN.
    This also changes `-X`/`-x`, which will now match against FQDNs.

    The second backward incompatible change is that `-6` has been removed.
    This was used to alter the BPF in order to "fix" it, dnscap adds
    specific filters to IP and UDP headers which does not work for IPv6
    traffic.
    The generated BPF has been changed to allow IPv6 to always pass, making
    the option obsolete. IPv6 filtering is then done in dnscap.

    The last backward incompatible change has to do with the output format
    of `-g` related to EDNS0 and is now more consistent with the rest of
    the parsable output:
    - No more spaces in the output
    - Fix incorrect `\` and extra empty new-line
    - All EDNS0 options are added after `edns0[...]` using comma separation, example: `edns0[],edns0opt[],...`
    - Client Subnet format: `edns0opt[ECS,family=nn,source=nn,scope=nn,addr=...]`
    - Unknown/unsupported code: `edns0opt[code=nn,codelen=nn]`
    - Parsing error messages have changed, they came from libbind, now comes from LDNS

    New options:
    - Add `-q` and `-Q` to filter on matched/not matched QTYPE

    Bugfixes:
    - Fix memory leak in EDNS0 ECS address parsing
    - `network`: Fix sonarcloud issues, potential `memcpy()` of null pointer

    Other changes:
    - Fix CBOR output inclusion, LDNS is always available now
    - Add macros for Apple and Windows endian functions
    - Restructure and correct the man-page

    557e5f5 man-page
    025529f v6bug, interval
    37b79e9 FQDN
    ebcf434 QTYPE match, args, tests
    0cb5562 v6bug
    75f6115 Endian
    aaeb213 Sonarcloud
    8685946 CBOR output
    3e26802 Sonarcloud
    30aa366 libbind
    3f94d0b Mattermost

2020-10-22 Jerry Lundström

    Release 1.12.0

    This release fixes the handling of `-?` option for dnscap and all plugins,
    previously the handling varied between places and depending on `getopt()`
    implementation an invalid option could return the wrong exit code.

    Other changes:
    - Fix typo in configure help text
    - `plugins/anonmask`: Fix typo in help text
    - `plugins/rzkeychange`:
      - Add `-D`, dry run mode, for testing
      - Fix handling of `-a` and error on too many

    KNOWN ISSUES:

    On OpenBSD the system library libc exports the same symbols as libbind
    does and this causes runtime warnings. Until now this has not caused any
    known problems but is now also causing segfaults if the packet filter used
    (BPF) includes IPv6 addresses.
    On all other platforms OARC supports, these symbols are macros and in so
    should not cause any problem.

    ee478c0 Known issues
    2f9d957 Tests
    3c663a2 Tests
    c88efc5 rzkeychange test
    f062f33 Tests

2020-08-20 Jerry Lundström

    Release 1.11.1

    This release fixes a lot of issues found by code analysis, adds a
    explicit memory zeroing function to remove account information (read
    when dropping privileges) and adds code coverage reporting.

    The `dnscap_memzero()` will use `explicit_bzero()` on FreeBSD and
    OpenBSD, or `memset_s()` (if supported), otherwise it will manually
    set the memory to zero. This will hopefully ensure that the memory
    is zeroed as compilers can optimize out `memset()`'s that is just
    before `free()`.

    The plugins exit code for the help option `-?` has been changed to 0
    to have the same as `dnscap -?`.

    d9747ee memzero
    1cf17c6 Coverage
    19c7120 Coverage
    7435676 Sonarcloud
    928e181 Sonarcloud
    ca4afd0 Sonarcloud
    028f5e0 Badges
    db0d6a1 LGTM

2020-06-01 Jerry Lundström

    Release 1.11.0

    This release includes a new plugin called `eventlog`, contributed
    by Byron Darrah (@ByronDarrah), output DNS activity as log events,
    including answers to A and AAAA queries.

    Other changes includes compile warning and code analysis fixes.

    382eac4 COPR
    4c03650 Compile warn
    21d6a67 Slight change -- wording now matches usage() output.
    dd19b0b Added the eventlog.so plugin...
    1ebf504 Added new dnscap plugin: evenlog.so...
    f3f9aaa Compile warnings

2020-03-02 Jerry Lundström

    Release 1.10.4

    Fixed a bug that would not drop privileges when not specifying any
    interface (which is equal to capturing on all interfaces).
    Added functionality to set the supplemental groups when dropping
    privileges and changing user, or clear them if that is not supported.
    Other changes includes corrected man-page about '-w' and update to
    documentation.

    a0285e4 drop privileges errors, initgroups/setgroups
    96336f3 daemon: Attempt to drop supplemental groups
    467a9a7 Drop privileges
    de940a8 man-page -w
    187ec43 README

2019-10-02 Jerry Lundström

    Release 1.10.3

    Fixed plugins inclusion in deb packages for Debian and Ubuntu.

    017ebb2 Deb packages
    cf59143 COPR, spec

2019-08-05 Jerry Lundström

    Release 1.10.2

    Fixed bug in the handling of defragmentation configuration which lead
    to the use of a local scope variable later on and caused unexpected
    behavior.

    91692b8 Frag conf
    6a74376 Package
    d0d1a6d Package

2019-07-08 Jerry Lundström

    Release 1.10.1

    Fix various issues found by code analysis tools, a few compiler warnings
    removed, undefined bit shift behavior fixed, parameter memory leaks
    plugged and documentation updates.

    Fixes:
    - `dump_dns`: Remove usage of `strcpy()` and use `snprintf()` instead
      of `sprintf()`
    - `bpft`:
      - Use `text_ptr->len` to store length of generated text
      - Use `memcpy()` instead of `strcat()`
      - Remove unneeded `realloc()` and `strcpy()`
    - `plugins/cryptopan`: Fix strict-aliasing warnings
    - `network`: Rework part of `dl_pkt()` to remove usage of `strcpy()`
      and use `snprintf()` instead of `sprintf()`
    - `plugins/anonaes128`: Use `a6` as dest when copying v4 addresses for
      readability and code analysis
    - `plugins/cryptopan`: Run first pass separate to eliminate a 32bit
      shift by 32 (undefined behavior)
    - `plugins/cryptopant`: Fix memory leak of `keyfile` if `-k` is
      specified more then once

    Documentation:
    - Update `README.md` with correction to building from git and note
      about PCAP on OpenBSD
    - Fix #190: Update link to `libbind` source

    074923c Funding
    5d2e84c libbind
    8ee9f2a Travis-CI
    6babd09 Fixes
    bb2d1c7 README, compile warnings
    0d9cd9c LGTM, Travis-CI

2018-12-03 Jerry Lundström

    Release 1.10.0

    This release adds a new plugin type "filter" and 5 new plugins that can
    do anonymization, deanonymization and masking of the IP addresses.

    New features:
    - Check plugins for `pluginname_type()` which returns `enum plugin_type`,
      if missing the plugin is counted as an "output" plugin
    - New plugin type "filter" which calls `pluginname_filter()` prior of
      outputting any data or calling of "output" plugins, if the new function
      returns non-zero then the packet is filtered out (dropped)
    - New extension `DNSCAP_EXT_SET_IADDR` that gives access to a function
      for setting the from and to IP addresses both in the extracted data
      and the wire

    New plugins:
    - `anonaes128`: Anonymize IP addresses using AES128
    - `anonmask`: Pseudo-anonymize IP addresses by masking them
    - `cryptopan`: Anonymize IP addresses using an extension to Crypto-PAn
      (College of Computing, Georgia Tech) made by David Stott (Lucent)
    - `cryptopant`: Anonymize IP addresses using cryptopANT, a different
      implementation of Crypto-PAn made by the ANT project at USC/ISI
    - `ipcrypt`: Anonymize IP addresses using ipcrypt create by
      Jean-Philippe Aumasson

    Bugfixes:
    - Fix changing `royparse` and `txtout` with other plugins (thanks to
      Duane Wessels and Paul Hoffman)
    - Free pointers to allocated strings in `text_free()` (thanks to Michał
      Kępień)
    - Fix IP checksum calculation

    Other changes:
    - `-B` and `-E` can be used without `-w` (thanks to Duane Wessels)
    - Use `pcap_findalldevs()` instead of `pcap_lookupdev()` (thanks to
      Michał Kępień)
    - Document and add `-?` option to all plugins
    - Fix clang `scan-build` bugs and LGTM alerts
    - Use `gmtime_r()` instead of `gmtime()`
    - Update `pcap-thread` to v4.0.0

    67d8e2c Fix
    fb0ed02 Plugin documentation
    a2c9a6c cryptopant
    39db1ca Deanonymize, IPv6 test
    afc7107 Crypto-PAn, cryptopANT
    f1912cc OpenSSL, anonaes128
    f2bab62 ipcrypt, anonmask
    158b1e7 anonmask help
    60ece58 anonmask
    8f1b138 Plugin types, filter plugin, set iaddr extension, anonymization
            by masking
    b7d7991 IP checksum
    641a23a Free pointers to allocated strings in text_free()
    4d313bf pcap_findalldevs()
    091e0ca Use pcap_findalldevs() instead of pcap_lookupdev()
    6a7b25e Clean up use of feature test macros on Linux
    cbba14c Configure, uninitialized
    f228c9c Code formatting
    3fd738c man-page
    770168a Test
    714e4f5 Fix -B <begin> so that it works when reading offline pcap files.
    8675bea Test
    911fec9 Implementing test9 as a test of -B and -E command line args.
    a7cc72d -B <begin> and -E <end> can work fine without -w <base>.
    04c4928 Made the same changes to txtout as were in 165a786
    165a786 Workaround for stdio mystery causing duplicate royparse output.

2018-02-28 Jerry Lundström

    Release 1.9.0

    This release adds a new option to change how the Berkeley Packet Filter
    is generated to include the host restrictions for all selections,
    previously this restriction would only apply to specific parts.

    Additional tweaks to the RSSM plugin has been made to conform to the
    RSSAC002v3 specification. One noticeable change is that the plugin now
    requires the DNS to be parsed before counted, any error in the parsing
    will result in the message being left out of the statistics.

    Changes:
    - Fix spacing in BPF filter to look better
    - Fix #146: Add `bpf_hosts_apply_all`, apply any host restriction to all
    - `plugin/rssm`:
      - Remove quoting of `start-period` and correctly handle empty hashes
      - Issue #152, Issue #91: Parse DNS before processing RSSM counters
    - `plugin/rssm/dnscap-rssm-rssac002`: Use `YAML::Dump()` for output

    47d892b Issue #152: RSSM YAML output
    d4f1466 Issue #152, Issue #91: Parse DNS before processing RSSM counters
    68fc1ff BPF, `bpf_hosts_apply_all`

2018-02-07 Jerry Lundström

    Release 1.8.0

    This release updates the TCP stream code in order to be able to look
    at more then just the first query, for handling already ongoing TCP
    connections without having seen SYN/ACK and for reassembly of the TCP
    stream prior of parsing it for DNS with an additional layer of parsing
    (see `reassemble_tcp_bfbparsedns`).

    Updates to the Root Server Scaling Measurement (RSSM) plugin have also
    been made to bring it up to date with RSSAC002v3 specification, be
    able to output the YAML format described and an additional script to
    merge YAML files if the interval is less then the RSSAC002v3 24 hour
    period. See "Updates to the RSSM plugin" below and
    `plugins/rssm/README.md`.

    New extended options:
    - `parse_ongoing_tcp`: Start tracking TCP connections even if SYN/ACK
      has not been seen
    - `allow_reset_tcpstate`: Allow external reset of TCP state
    - `reassemble_tcp`: Use to enable TCP stream reassembly
    - `reassemble_tcp_faultreset`: Number of faults before reseting TCP
      state when reassembly is enabled
    - `reassemble_tcp_bfbparsedns`: Enable an experimental additional layer
      of reassemble that uses `libbind` to parse the payload before accepting
      it. If the DNS is invalid it will move 2 bytes within the payload and
      treat it as a new payload, taking the DNS length again and restart
      the process. Requires `libbind` and `reassemble_tcp`.

    New extension functions for plugins:
    - `DNSCAP_EXT_TCPSTATE_GETCURR`: Function to get a pointer for the
      current TCP state
    - `DNSCAP_EXT_TCPSTATE_RESET`: Function to reset a TCP state

    New features:
    - Parse additional DNS queries in TCP connections
    - `-g` and the `txtout` plugin will reset TCP state (if allowed) on
      failure to parse DNS

    Bugfixes:
    - Fix `-g` output, separate error message with a space
    - Fix TCP packets wrongfully flagged as DNS when using layers.
    - Fix TCP debug output when using layers, `ia_str()` is not safe to call
      twice in the same `printf` because of local buffer.
    - Fix exported extension functions, need to be file local

    New tests for:
    - Multiple DNS queries in one TCP connection
    - Query over TCP without SYN
    - Queries over TCP with first query missing length
    - Queries over TCP with middle payloads missing
    - Add test with TCP stream that missing multiple packets in the middle

    Updates to the RSSM plugin (`plugins/rssm`):
    - Add info about saving counts and sources
    - Fix memory leak on `fopen()` errors
    - Update to RSSAC002v3 specification
    - New options:
      - `-D` to disable forking on close
      - `-Y`: Use RSSAC002v3 YAML format when writing counters, the file
        will contain multiple YAML documents, one for each RSSAC002v3 metric
        Used with; -S adds custom metric `dnscap-rssm-sources` and -A adds
        `dnscap-rssm-aggregated-sources`
      - `-n`: Set the service name to use in RSSAC002v3 YAML
      - `-S`: Write source IPs into counters file with the prefix `source`
      - `-A`: Write aggregated IPv6(/64) sources into counters file with
        the prefix `aggregated-source`
      - `-a`: Write aggregated IPv6(/64) sources to
        `<name>.<timesec>.<timeusec>`
    - Add `dnscap-rssm-rssac002` Perl script for merging RSSAC002v3 YAML files
    - Add README.md for the plugin man-page for `dnscap-rssm-rssac002`
    - Add test for YAML output and merging of YAML files

    c7058c8 Use file local functions for all extensions
    66b352d RSSM RSSAC002v3 YAML Tool
    b09efc2 `plugins/rssm` RSSAC002v3
    709aba6 Fix #89: Add additional reassembly layers that parses the
            payload byte for byte for valid DNS
    04fa013 Fix CID 1463944 (again)
    b1cf623 RSSM saving data and forking
    fb23305 Fix CID 1463944
    0fca1a8 Issue #89: TCP stream reassemble
    bb6428c CID 1463814: Check `ns_initparse()` for errors
    a57066f Fix #88: TCP handling

2017-12-27 Jerry Lundström

    Release 1.7.1

    The library used for parsing DNS (libbind) is unable to parse DNS
    messages when there is padding at the end (the UDP/TCP payload is larger
    then the DNS message). This has been fixed by trying to find the actual
    DNS message size, walking all labels and RR data, and then retry parsing.

    Other changes and bug-fixes:
    - Fix size when there is a VLAN to match output of `use_layers` yes/no
    - Add test of VLAN matching
    - Fix `hashtbl.c` building in `rssm`
    - Add test with padded DNS message

    49e5400 Fix #127: If `ns_initparse()` returns `EMSGSIZE`, try and get
            actual size and reparse
    99bda0b Fix #98: VLAN

2017-12-19 Jerry Lundström

    Release 1.7.0

    This release adds IP fragmentation handling by using layers in pcap-thread
    which also adds a new flag to output and modules. `DNSCAP_OUTPUT_ISLAYER`
    indicates that `pkt_copy` is equal to `payload` since the layers of the
    traffic have already been parsed. IP fragments are reassembled with the
    `pcap_thread_ext_frag` extension that is included in pcap-thread.

    New extended (`-o`) options:
    - `use_layers`: Use pcap-thread layers to handle the traffic
    - `defrag_ipv4`: Enabled IPv4 de-fragmentation
    - `defrag_ipv6`: Enabled IPv6 de-fragmentation
    - `max_ipv4_fragments`: Set maximum fragmented IPv4 packets to track
    - `max_ipv4_fragments_per_packet`: Set the maximum IPv4 fragments per
      tracked packet
    - `max_ipv6_fragments`: Set maximum fragmented IPv6 packets to track
    - `max_ipv6_fragments_per_packet`: Set the maximum IPv6 fragments per
      tracked packet

    Currently `-w` does not work with `use_layers` and the plugins `pcapdump`
    and `royparse` will discard output with the flag `DNSCAP_OUTPUT_ISLAYER`
    because they need access to the original packet.

    The `rzkeychange` plugin now encodes certain flag bits in the data that
    it reports for RFC8145 key tag signaling. The flags of interest are:
    `DO`, `CD`, and `RD`. These are encoded in an bit-mask as a hexadecimal
    value before the `_ta` component of the query name.

    Other changes and bug-fixes:
    - Fix #115: document `-g` output, see `OUTPUT FORMATS` `diagnostic` in
      `dnscap(1)` man-page
    - Add test to match output from non-layers runs with those using layers
    - Add test with fragmented DNS queries
    - Fix #120: CBOR/CDS compiles again, update tinycbor to v0.4.2
    - Fix `ip->ip_len` byte order
    - Fix parsing of IP packets with padding or missing parts of payload

    0347f74 Add AUTHORS section in man-page
    ef1b68c Fix CID 1463073
    8a79f89 Layers
    a404d08 Update pcap-thread to v3.1.0, add test for padding fixes
    08402f1 Fix byte order bug.  ip->ip_len must be evaluated with ntohs().
    d6d2340 CBOR/CDS and formatting
    85ec2d8 Fix #87: IP fragmentation reassembly
    22bfd4a Documentation
    c35f19f Adding flag bits to rzkeychange RFC8145 key tag signaling data.
            This may be useful to find "false" key tag signals from sources
            that don't actually perform DNSSEC validation.

2017-12-01 Jerry Lundström

    Release 1.6.0

    New additions to the plugins:
    - `rzkeychange` can now collect RFC8145 key tag signaling. Signals are
      saved during the collection interval, and then sent to the specified
      `-k <zone>`, one at a time, at the end of the interval. Only root zone
      signals are collected. Added by Duane Wessels (@wessels).
    - `royparse` is a new plugin to splits a PCAP into two streams, queries
      in PCAP format and responses in ASCII format. Created by Roy Arends
      (@RoyArends).
    - `txtout` new option `-s` for short output, only print QTYPE and QNAME
      for IN records. Added by Paul Hoffman (@paulehoffman)
    - The extension interface has been extended with `DNSCAP_EXT_IA_STR` to
      export the `ia_str()` function.

    Bugfixes and other changes:
    - Remove duplicated hashtbl code
    - `rssm`: fix bug where count in table was taken out as `uint16_t` but
      was a `uint64_t`
    - Handle return values from hashtbl functions
    - `txtout`: removed unused `-f` options
    - Change `ia_str()` to use buffers with correct sizes, thanks to
      @RoyArends for spotting this!

    Commits:
    3f78a31 Add copy/author text
    1bd914d Fix CID 1462343, 1462344, 1462345
    f9bb955 Fix `fprintf()` format for message size
    abedf84 Fix #105: `inet_ntop` buffers
    bfdcd0d Addresses the suggestions from Jerry.
    dda0996 royparse :)
    4f6520a royparse plugin finished
    f1aa4f2 Fix #103: Remove `opt_f`
    32355b7 Rearrange code to keep the change smaller and fix indentation
    d6612c1 Added -s to txtout for short output
    9d8d1ef Check return of `snprintf()`
    55f5aba Format code
    9f19ec3 Fixed memory leak in rzkeychange_keytagsignal()
    58b8784 Fix memory leaks and better return value checks in
            rzkeychange_submit_counts()
    b06659f Add server and node to keytag signal query name
    705a866 Always free response packets in rzkeychange plugin.
    e802843 Implement RFC8145 key tag signal collection in rzkeychange plugin
    5fbf6d0 Added extension for ia_str() so it can be used by rzkeychange
            plugin.
    3be8b8f Split `dnscap.c` into more files
    e431d14 Fix #92: hashtbl

2017-08-21 Jerry Lundström

    Release 1.5.1

    Compatibility fixes for FreeBSD 11.1+ which is now packing `struct ip`
    and for OpenBSD.

    Commits:
    17e3c92 FreeBSD is packing `struct ip`, need to `memcpy()`
    f8add66 Code formatting
    38cd585 Add documentation about libbind
    d1dd55b Fix #82: Update dependencies for OpenBSD

2017-06-06 Jerry Lundström

    Release 1.5.0

    Added support for writing gzipped PCAP if the `-W` suffix ends with
    `.gz` and made `-X` work without `-x`. New inteface for plugins to
    tell them what extensions are available and a new plugin `rzkeychange`.

    Plugin extensions:
    - Call `plugin_extension(ext, arg)` to tell plugin what extensions exists
    - Add extension for checking responder (`is_responder()`)

    The rzkeychange plugin was developed by Duane Wessels 2016 in support
    of the root zone ZSK size increase. It is also being used in support of
    the 2017 root KSK rollover and collects the following measurements:
    - total number of responses sent
    - number of responses with TC bit set
    - number of responses over TCP
    - number of DNSKEY responses
    - number of ICMP_UNREACH_NEEDFRAG messages received
    - number of ICMP_TIMXCEED_INTRANS messages received
    - number of ICMP_TIMXCEED_REASS messages received

    Other fixes (author Duane Wessels):
    - 232cbd0: Correct comment description for meaning of IPPROTO_AH
    - 181eaa4: Add #include <sys/time.h> for struct timeval on NetBSD

    Commits:

    1d894e2 Make -x and -X work correctly together and update man-page
    34bc54c Make the -X option work without requiring a -x option.
    f43222e Fix CID 1440488, 1440489, 1440490
    aa54395 Update pcap-thread to v2.1.3
    81174ce Prepare SPEC for OSB/COPR
    21d7468 New plugin rzkeychange and plugin extensions
    38491a3 Config header is generated by autotools
    419a8ab Small tweaks and fixes for gzip support
    1967abc updated for earlier BSD versions
    f135c90 added auto gzip if the -W suffix ends with .gz

    Commits during development of rzkeychange (author Duane Wessels):
    - 620828d: Add rzkeychange -z option to specify resolver IP addresses
    - 1f77987: Add -p and -t options to rzkeychange plugin to configure an
      alternate port and TCP. Useful for ssh tunnels.
    - 2a571f1: Split ICMP time exceeded counter into two counters for time
      exceeded due to TTL and another due to fragmentation
    - e4ee2d3: The rzkeychange data collection plugin uses
      `DNSCAP_EXT_IS_RESPONDER` extension to know if an IP address is a
      "responder" or not, because when dnscap is instructed to collect ICMP
      with -I, it processes all ICMP packets, not just those limited to
      responders (or initiators).
    - cee16b8: Add ICMP Time Exceeded to counters
    - ad8a227: Counting source IPs has performance impacts. #ifdef'd out for
      now add ICMP "frag needed" counts
    - c25e72b: Implemented DNS queries with ldns. First there will be some
      test queries to ensure the zone is reachable and configured to receive
      data. Then a query naming the fields, followed by the periodic queries
      delivering counts.
    - fd23be7: Make report zone, server, node command line argumements mandatory
    - 137789b: Adding rzkeychange plugin files

2017-03-29 Jerry Lundström

    Release 1.4.1

    Fixed an issue that when compiled with libpcap that had a specific
    feature enabled it would result in a runtime error which could not be
    worked around.

    Also fixed various compatibility issues and updated dependency
    documentation for CentOS.

    Commits:

    785d4c4 Fix compiler warnings
    2d4df8d Fix #65: Update pcap-thread to v2.1.2
    26d3fbc Fix #64: Add missing dependency
    55e6741 Update pcap-thread to v2.1.1, fix issue with libpcap timestamp
            type
    c6fdb7a Fix typo and remove unused variables

2017-02-27 Jerry Lundström

    Release 1.4.0

    Until it can be confirmed that the threaded code works as well as the
    non-threaded code it has been made optional and requires a configuration
    option to enable it during compilation.

    New extended option:
    - `-o pcap_buffer_size=<bytes>` can be used to increase the capture
      buffer within pcap-thread/libpcap, this can help mitigate dropped
      packets by the kernel during breaks (like when closing dump file).

    Commits:

    1c6fbb2 Update copyright year
    63ef665 Suppress OpenBSD warnings about symbols
    2c99946 pcap-thread v2.0.0, disable threads, errors handling
    4cade97 Fix #56: Update pcap-thread to v1.2.2 and add test

2016-12-23 Jerry Lundström

    Release 1.3.0

    Rare lockup has been fixed that could happen if a signal was received
    in the wrong thread at the wrong time due to `pcap_thread_stop()`
    canceling and waiting on threads to join again. The handling of signals
    have been improved for threaded and non-threaded operations.

    New features:
    - Experimental CBOR DNS Stream format output, see `CBOR_DNS_STREAM.md`
    - Extended options to specify user and group to use when dropping
      privileges, see EXTENDED OPTIONS in man-page

    Commits:

    a5fa14e Signal and threads
    3868104 Use old style C comments
    7946be5 Clarify building
    d5463b4 RPM spec and various automake fixes
    df206bf Resource data indexing and documentation
    0e2d0fe Fix #22, fix #43: Update README
    5921d73 Add stream option RLABELS and RLABEL_MIN_SIZE
    6dd6ec1 Implement experimental CBOR DNS Stream Format
    4baf695 Fix #37: Extended options to specifty user/group to use when
            dropping privileges
    61d830a Fix #35: Use `AC_HEADER_TIME` and fix warning

2016-10-27 Jerry Lundström

    Release 1.2.0

    Update `pcap-thread` to v1.2.0 to get the new callback queue mode which
    puts that mode into using pthread conditions if all pcaps are offline and
    keeps us from losing packets.

    Use `pcap_thread_dropback()` callback to get the notification when a
    packet was dropped because the queue was full, indicating that we can't
    process all the packets.  Added this stats to the `-S` output as total
    and per interface as `ptdrop`.  Changed the output for each interface
    to not cut of information, for example interface name was cut to
    4 characters.

    Other changes:

    - Add extended options `-o <option>=<value>` because we are running out
      of short options.
    - Better handling of library checks and automake rules
    - New option `-F <format>` to specify the format of the output in `-w`
    - Add experimental CBOR output support
      - LDNS is used to parse the packets
      - Tinycbor is used to construct the CBOR output
      - DNS-in-JSON draft [1] for representing the objects
      - Check CBOR topic in README.md for more information
    - When only reading offline pcap files it will not attempt to drop
      privileges and add new option `-N` to explicitly not drop privileges.

    Commits:

    f42e23f Extended options and CBOR output format
    a28f498 Fix #24: Handle packet drops
    2308eaa Fix #26: Unable to drop GID to nobody, exiting.
    82d65f2 Update pcap-thread to v1.1.2

    [1] https://datatracker.ietf.org/doc/draft-hoffman-dns-in-json/

2016-10-11 Jerry Lundström

    Release 1.1.0

    The ownership of DNSCAP was transferred from ISC to DNS-OARC in
    the summer of 2016 and this is the first release since that.

    This project now uses Semantic Versioning and these are the changes
    since the `dnscap-20160205` release (which can also be found using
    the tag `v0.0.0-20160205`).

    Highlights:
    - Restructure repository and use autotools
    - Compiled and tested on Debian, Ubuntu, CentOS, FreeBSD and OpenBSD
      using Jenkins and Travis-CI
    - Source code static analysis using Coverity Scan
    - Compatibility fixes for FreeBSD, OpenBSD and OS X
    - ABI change to `output()`, previous `isfrag` is now a `flags` that
      represents what the packet is through a bitmask
    - Use helper library `pcap-thread` when capturing to solve missing
      packets during very low traffic

    New command line options:
    - `-V`: Prints version and then exits
    - `-M`: Enable monitor mode on interfaces
    - `-D`: Enable immediate mode on interfaces
    - `-W`: Allow to specify a suffix for the pcap dump file
    - `-C`: Limit/rotate capture after a certain amount of bytes

    Special thanks to:
    - Duane Wessels
    - Paul Vixie
    - Klaus Darilion

    Commits:

    bc7eb22 Update license after ownership transfer from ISC to DNS-OARC,
            update contributors, add build badges and removed SuperFastHash
            since apparently it was not used.
    778e457 Add `-V` for displaying version and the exiting
    71c2d79 Fix #12: Sync man-page and help text
    33576ef Swap option C and D, C for this makes more sense. Also ensure
            that `capturedbytes` is zero on start.
    0077aff Correct dump trace with new `flags`
    f9cbba0 Do not use dump suffix unless it set
    4dd81d6 Update the man page
    7435c49 Change new option C to D because C was already taken
    813dddb Fix -B and -E, these options are supported only once
    76f19d1 fix usage of -W
    519b64f Add -Y option to short usage instructions
    348c738 Fix -C feature: capturedbytes was not increased
    3db6f94 Improve logging
    b567bef New option -C: limit/rotate capture after a certain amount
            of bytes
    341abdf Add -W feature: allow to specify a suffix for the pcap dump
            file, e. g.: '.pcap'
    097a3b4 Count every packet which is sent to output(), not only
            the normal ones.
    75e5968 Close PCAPs after dumper_close() to have statistics still
            available during dumper_close(). Otherwise we get a segfault
            on shutdown.
    c09d61a Add debian/ubuntu package files.
    020f2aa Forgot about the compiler warnings and fix the last
            Coverity Scan issue
    00c834d More Coverity Scan fixes
    ad2f230 Fix various Coverity Scan issues
    606f0cd Update pcap thread to version 1.1.1
    f065cd7 Fix #14: Add options `-M` and `-C` for monitor and
            immediate mode, update help and man-page.
    b872035 Update to pcap-thread version 1.1.0
    1f30637 Update pcap_thread to v1.0.1, add travis check that dnscap
            can run
    b19efaa Building from Git repository instructions
    b5460df Use `calloc()` instead of `malloc()` to be sure the memory
            is zeroed
    ae6a04d Use pcap_thread v1.0.0
    9426a2d Update pcap_thread and add pcap stats
    820b2f2 Update pcap_thread and support offline pcaps
    a47dd67 Update pcap_thread
    237a7a7 CentOS autoreconf complained
    7b5568c Use pcap_thread
    11d0388 Revert the changes on all lines that had NULL, 0 before.
    7d6a7e4 Passing IPv6 fragment payloads may not currently be safe.
            Needs more work. For now pass pkt=NULL to be safe for plugins.
    ea8f9a4 Make the family of output() functions future proof with a flags
            bitmask. Rather than separate 'isfrag' and 'isdns' flags,
            they are now set as bitmasks in a single 'flags' value passed
            to output() f
    472a172 A change to the interface of the family of output() functions.
    95a6e62 timeval.* are not unsigned
    d3f32de Fix #1: Use NS_*SZ
    e555871 Fix compiler warnings
    3ed8f29 Fix #1
    864cbd7 Can you change #ifdef __APPLE__ to check for the
            arpa/nameser_compat.h header and include it if it exists?
    796e8ea plugin/rssm needs to include arpa/nameser_compat.h for OS X
            so that the HEADER struct is declared.
    daf4bd3 In plugin/txtout silence compiler warnings about int vs short
    e5bc24b plugin/pcapdump needs to include arpa/nameser_compat.h for OS X
            so that the HEADER struct is declared.
    0061b57 Work around configure problem detecting libresolv on Mac OS X
            Without some #include files, the configure test won't find
            the symbol res_mkquery() in libresolv on OS X.  It is called
            res_9_mkquery()
    5309655 Mac OS X doesn't have setresuid() and setresgid().
            This patch adds configure checks for setreuid() and setregid()
            and will use those instead if the other versions are
            not available.
    d257a1c Fix compilation on FreeBSD and OpenBSD
    07b2a75 Restructure repository and move to Automake.