List:       dns-operations
Subject:    Re: [dns-operations] A quick question for my peers re: 'dnscap'
From:       Jerry Lundström <jerry () dns-oarc ! net>
Date:       2018-02-03 7:43:46
Message-ID: 1517643826.1.8.camel () dns-oarc ! net

Hi Jake,

On Fri, 2018-02-02 at 20:54 +0000, Jake Zack wrote:
> Robert and I took this discussion off-list briefly.
> 
> He had me turn on dumptrace (-d flag) to analyze the BPF expression being
> used....
> 
> > dnscap: "( ( ip[6:2] & 0x1fff != 0 or ip6[6] = 44 ) or ( ( ( tcp port 53 )
> > or ( udp port 53) )  and host ( 2001:500:a7::2 or 199.4.144.2 )) )"
> 
> In English this is saying "(any IPv4/IPv6 fragments) or (your host and
> tcp/udp port 53)".

So this is because that script uses '-f', which selects fragments also.

> So I guess I'm asking the community now if this is worth a bug report and/or
> feature request...

Since this is more related to the capturing script distributed for DITL than
dnscap, I would suggest you continue this discussion on the DITL mailing list.
If you're not on it, reach out to William to join it.

As for bug or not, maybe it could be made optional or at least documented so it
is easier to understand what is captured using the DITL scripts.

> ...and further, to gather opinions on the question "If an IP fragment
> contains no question, but acknowledges the asking of a question from a
> particular source, is that still private data that will run the risk of
> running afoul of various privacy laws?

That would depend on your country's laws, in some even IP addresses are
considered identifiable information.

Cheers,
Jerry
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
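
The filter from the dumptrace output quoted in the message, re-implemented in Python as an added example (not part of the original message and not dnscap code). The client and third-party addresses are constructed from documentation ranges, and `matches` expects raw IP packets without a link-layer header.

```python
import ipaddress
import struct

# Server addresses taken from the filter quoted in the message.
HOSTS = {ipaddress.ip_address("2001:500:a7::2"), ipaddress.ip_address("199.4.144.2")}

def matches(pkt: bytes) -> bool:
    """Evaluate the quoted filter on a raw IP packet (no link-layer header)."""
    version = pkt[0] >> 4
    if version == 4:
        # ip[6:2] & 0x1fff != 0 : the 13-bit fragment offset is non-zero
        if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
            return True
        proto, addrs, l4 = pkt[9], (pkt[12:16], pkt[16:20]), pkt[(pkt[0] & 0x0F) * 4:]
    elif version == 6:
        # ip6[6] = 44 : Next Header is the Fragment extension header
        if pkt[6] == 44:
            return True
        proto, addrs, l4 = pkt[6], (pkt[8:24], pkt[24:40]), pkt[40:]
    else:
        return False
    if proto not in (6, 17) or len(l4) < 4:
        return False
    # (tcp port 53 or udp port 53) and host (...): either direction counts
    ports = struct.unpack("!HH", l4[:4])
    return 53 in ports and any(ipaddress.ip_address(a) in HOSTS for a in addrs)

def ipv4(src, dst, proto, frag=0, payload=b""):
    """Constructed 20-byte IPv4 header (checksum left at zero) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

def ipv6(src, dst, next_header, payload=b""):
    """Constructed 40-byte IPv6 header plus payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

UDP_DNS = struct.pack("!HHHH", 40000, 53, 8, 0)  # constructed UDP header, dport 53
SAMPLES = {  # constructed packets; client and third-party addresses are documentation ranges
    "dns_to_server": ipv4("192.0.2.10", "199.4.144.2", 17, payload=UDP_DNS),
    "dns_to_other_host": ipv4("192.0.2.10", "198.51.100.5", 17, payload=UDP_DNS),
    "v4_fragment_other_hosts": ipv4("192.0.2.10", "198.51.100.5", 17, frag=185, payload=b"\0" * 8),
    "v6_fragment_other_hosts": ipv6("2001:db8::1", "2001:db8::2", 44, payload=b"\x11" + b"\0" * 7),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:26} captured={matches(pkt)}")
```

The two fragment samples are captured even though neither endpoint is one of the listed hosts, because the fragment clause sits outside the host restriction.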