Release 1.7.0

@jelu jelu released this 19 Dec 15:40
· 306 commits to develop since this release

This release adds IP fragmentation handling by using layers in pcap-thread, which also adds a new flag to output and modules: DNSCAP_OUTPUT_ISLAYER indicates that pkt_copy is equal to payload, since the layers of the traffic have already been parsed. IP fragments are reassembled with the pcap_thread_ext_frag extension that is included in pcap-thread.

Due to submodules in the repository, please download this tarball:
https://www.dns-oarc.net/files/dnscap/dnscap-1.7.0.tar.gz
sha256: 422fa923746387dd2fa38aecbee217476d03ad43f8a8845a074b347d179c6d98

Packages are available at: https://dev.dns-oarc.net/packages/

New extended (-o) options:

  • use_layers: Use pcap-thread layers to handle the traffic
  • defrag_ipv4: Enable IPv4 de-fragmentation
  • defrag_ipv6: Enable IPv6 de-fragmentation
  • max_ipv4_fragments: Set maximum fragmented IPv4 packets to track
  • max_ipv4_fragments_per_packet: Set the maximum IPv4 fragments per tracked packet
  • max_ipv6_fragments: Set maximum fragmented IPv6 packets to track
  • max_ipv6_fragments_per_packet: Set the maximum IPv6 fragments per tracked packet

Currently -w does not work with use_layers and the plugins pcapdump and royparse will discard output with the flag DNSCAP_OUTPUT_ISLAYER because they need access to the original packet.

The rzkeychange plugin now encodes certain flag bits in the data that it reports for RFC8145 key tag signaling. The flags of interest are: DO, CD, and RD. These are encoded in a bit-mask as a hexadecimal value before the _ta component of the query name.

Other changes and bug-fixes:

  • Fix #115: document -g output, see OUTPUT FORMATS diagnostic in dnscap(1) man-page
  • Add test to match output from non-layers runs with those using layers
  • Add test with fragmented DNS queries
  • Fix #120: CBOR/CDS compiles again, update tinycbor to v0.4.2
  • Fix ip->ip_len byte order
  • Fix parsing of IP packets with padding or missing parts of payload
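
The ip->ip_len byte-order and padding fixes listed above, illustrated with an added C example (not dnscap's or pcap-thread's code). The helper ipv4_payload_span, the ip_span struct and the sample packet are hypothetical and constructed for illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper, not part of dnscap: locate the IPv4 payload inside a
 * captured buffer. Returns 0 on success, -1 if the header is unusable. */
struct ip_span {
    size_t offset;   /* payload offset from the start of the IP header */
    size_t length;   /* payload bytes actually present in the capture */
    int truncated;   /* 1 if the capture holds less than ip_len claims */
};

int ipv4_payload_span(const uint8_t *pkt, size_t caplen, struct ip_span *out)
{
    uint16_t len_be;
    size_t hlen, total;

    if (caplen < 20 || (pkt[0] >> 4) != 4)
        return -1;
    hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > caplen)
        return -1;
    /* Total length is big-endian on the wire; convert before comparing. */
    memcpy(&len_be, pkt + 2, sizeof(len_be));
    total = ntohs(len_be);
    if (total < hlen)
        return -1;

    out->offset = hlen;
    out->truncated = total > caplen;
    /* Padding after ip_len is dropped; missing bytes are never read. */
    out->length = (out->truncated ? caplen : total) - hlen;
    return 0;
}

/* Constructed sample: 20-byte header, ip_len = 28, followed by 8 payload
 * bytes and 18 bytes of link-layer padding (46 bytes captured). */
static const uint8_t sample_padded[46] = {
    0x45, 0x00, 0x00, 0x1c, 0, 0, 0, 0, 64, 17, 0, 0,
    192, 0, 2, 1, 192, 0, 2, 2,
    1, 2, 3, 4, 5, 6, 7, 8
};

int main(void)
{
    struct ip_span s;
    return ipv4_payload_span(sample_padded, sizeof(sample_padded), &s);
}
```

Reading the length field without ntohs() on a little-endian host would turn 0x001c into 0x1c00 (7168), so the padded sample would be misreported as truncated.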

0347f74 Add AUTHORS section in man-page
ef1b68c Fix CID 1463073
8a79f89 Layers
a404d08 Update pcap-thread to v3.1.0, add test for padding fixes
08402f1 Fix byte order bug. ip->ip_len must be evaluated with ntohs().
d6d2340 CBOR/CDS and formatting
85ec2d8 Fix #87: IP fragmentation reassembly
22bfd4a Documentation
c35f19f Adding flag bits to rzkeychange RFC8145 key tag signaling data. This may be useful to find "false" key tag signals from sources that don't actually perform DNSSEC validation.