PacketQ

Improve handling of nested compression pointers and add columns for multiple answers, authorities and additionals.

Open alinari opened this issue 10 years ago • 3 comments

alinari avatar Oct 08 '14 20:10 alinari

@alinari I know it's been a few years but if you can please explain more about 3cc10d4d853f51f1ef9a341d160f6002d3f00d36, doesn't the code follow normal DNS name compressed labels?

jelu avatar May 23 '17 07:05 jelu

Add columns answers, authorities, and additionals, each of which returns a comma-delimited list of qname, class and type for each RR in the response

For multi-valued columns like answers, I wonder if it would be more SQL-like to have a separate pseudo table e.g. dns_answers which you could join onto the dns table. There would need to be some unique key that joins the two (could just be pcap filename + offset).

This would allow you to more easily handle queries like: "show me all queries which resolved to A 1.2.3.4", which is difficult if the answer is a multi-valued, comma-separated list.

candlerb avatar Apr 02 '18 14:04 candlerb

@candlerb Unless you need to do it in SQL, dnsjit will be able to easily do it with a custom Lua filter

jelu avatar Apr 03 '18 08:04 jelu