Adding upstream version 2.0.0+debian.

Signed-off-by: Daniel Baumann <daniel@debian.org>

plugins/Makefile.am

@@ -0,0 +1,6 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+
+SUBDIRS = pcapdump rssm txtout rzkeychange royparse anonmask ipcrypt \
+  anonaes128 cryptopan cryptopant eventlog
+
+EXTRA_DIST = template

plugins/anonaes128/Makefile.am

@@ -0,0 +1,24 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS) $(libcrypto_CFLAGS)
+
+pkglib_LTLIBRARIES = anonaes128.la
+anonaes128_la_SOURCES = anonaes128.c
+anonaes128_la_LDFLAGS = -module -avoid-version $(libcrypto_LIBS)
+
+TESTS = test1.sh test2.sh test3.sh test4.sh
+
+EXTRA_DIST = $(TESTS) test1.gold test2.gold test3.gold
+CLEANFILES += test1.out test2.out test3.out test3.pcap.20181127.155200.414188 \
+  test4.tmp
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(anonaes128_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif

plugins/anonaes128/anonaes128.c

@@ -0,0 +1,344 @@
+/*
+ * Copyright (c) 2018-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include "dnscap_common.h"
+
+#if defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_CONF_H) && defined(HAVE_OPENSSL_ERR_H) && defined(HAVE_OPENSSL_EVP_H)
+#include <openssl/conf.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#define USE_OPENSSL 1
+#endif
+
+static set_iaddr_t anonaes128_set_iaddr = 0;
+
+static logerr_t*     logerr;
+static int           only_clients = 0, only_servers = 0, dns_port = 53, encrypt_v4 = 0, decrypt = 0;
+static unsigned char key[16];
+static unsigned char iv[16];
+#ifdef USE_OPENSSL
+static EVP_CIPHER_CTX* ctx = 0;
+#endif
+
+enum plugin_type anonaes128_type()
+{
+    return plugin_filter;
+}
+
+void usage(const char* msg)
+{
+    fprintf(stderr, "anonaes128.so usage error: %s\n", msg);
+    exit(1);
+}
+
+void anonaes128_usage()
+{
+    fprintf(stderr,
+        "\nanonaes128.so options:\n"
+        "\t-?            print these instructions and exit\n"
+        "\t-k <key>      A 16 character long key\n"
+        "\t-K <file>     Read the 16 first bytes from file and use as key\n"
+        "\t-i <key>      A 16 character long Initialisation Vector (IV)\n"
+        "\t-I <file>     Read the 16 first bytes from file and use as IV\n"
+        "\t-D            Decrypt IPv6 addresses\n"
+        "\t-c            Only en/de-crypt clients (port != 53)\n"
+        "\t-s            Only en/de-crypt servers (port == 53)\n"
+        "\t-p <port>     Set port for -c/-s, default 53\n"
+        "\t-4            Encrypt IPv4 addresses, not default or recommended\n");
+}
+
+void anonaes128_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_SET_IADDR:
+        anonaes128_set_iaddr = (set_iaddr_t)arg;
+        break;
+    }
+}
+
+void anonaes128_getopt(int* argc, char** argv[])
+{
+    int           c, got_key = 0, got_iv = 0;
+    unsigned long ul;
+    char*         p;
+
+    while ((c = getopt(*argc, *argv, "?k:K:i:I:Dcsp:4")) != EOF) {
+        switch (c) {
+        case 'k':
+            if (strlen(optarg) != 16) {
+                usage("key must be 16 characters long");
+            }
+            memcpy(key, optarg, 16);
+            got_key = 1;
+            break;
+        case 'K': {
+            int     fd;
+            ssize_t r;
+            if ((fd = open(optarg, O_RDONLY)) < 0) {
+                perror("open()");
+                usage("unable to open key file");
+            }
+            if ((r = read(fd, key, 16)) < 0) {
+                perror("read()");
+                usage("unable to read from key file");
+            }
+            if (r != 16) {
+                usage("unable to read 16 bytes from key file");
+            }
+            close(fd);
+            got_key = 1;
+            break;
+        }
+        case 'i':
+            if (strlen(optarg) != 16) {
+                usage("IV must be 16 characters long");
+            }
+            memcpy(iv, optarg, 16);
+            got_iv = 1;
+            break;
+        case 'I': {
+            int     fd;
+            ssize_t r;
+            if ((fd = open(optarg, O_RDONLY)) < 0) {
+                perror("open()");
+                usage("unable to open IV file");
+            }
+            if ((r = read(fd, iv, 16)) < 0) {
+                perror("read()");
+                usage("unable to read from IV file");
+            }
+            if (r != 16) {
+                usage("unable to read 16 bytes from IV file");
+            }
+            close(fd);
+            got_iv = 1;
+            break;
+        }
+        case 'D':
+            decrypt = 1;
+            break;
+        case 'c':
+            only_clients = 1;
+            break;
+        case 's':
+            only_servers = 1;
+            break;
+        case 'p':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul < 1U || ul > 65535U)
+                usage("port must be an integer 1..65535");
+            dns_port = (unsigned)ul;
+            break;
+        case '4':
+            encrypt_v4 = 1;
+            break;
+        case '?':
+            anonaes128_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+
+    if (!got_key || !got_iv) {
+        usage("must have key (-k/-K) and IV (-i/-I)");
+    }
+    if (decrypt && encrypt_v4) {
+        usage("decryption (-D) can not be done for IPv4 addresses (-4)");
+    }
+
+#ifdef USE_OPENSSL
+    if (!(ctx = EVP_CIPHER_CTX_new())) {
+        usage("unable to create openssl cipher context");
+    }
+    if (!EVP_CipherInit_ex(ctx, EVP_aes_128_ecb(), NULL, key, iv, decrypt ? 0 : 1)) {
+        unsigned long e = ERR_get_error();
+        fprintf(stderr, "%s:%s:%s", ERR_lib_error_string(e), ERR_func_error_string(e), ERR_reason_error_string(e));
+        usage("unable to initialize AES128 cipher");
+    }
+    EVP_CIPHER_CTX_set_padding(ctx, 0);
+#else
+    usage("no openssl support built in, can't encrypt IP addresses");
+#endif
+
+    if (only_clients && only_servers) {
+        usage("-c and -s options are mutually exclusive");
+    }
+}
+
+int anonaes128_start(logerr_t* a_logerr)
+{
+    logerr = a_logerr;
+    return 0;
+}
+
+void anonaes128_stop()
+{
+#ifdef USE_OPENSSL
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = 0;
+#endif
+}
+
+int anonaes128_open(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int anonaes128_close(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int anonaes128_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen,
+    const u_char* payload, const unsigned payloadlen)
+{
+#ifdef USE_OPENSSL
+    unsigned char outbuf[16 + EVP_MAX_BLOCK_LENGTH];
+    int           outlen = 0;
+
+    for (;;) {
+        if (only_clients && sport == dns_port) {
+            from = 0;
+            break;
+        }
+        if (only_servers && sport != dns_port) {
+            from = 0;
+            break;
+        }
+
+        switch (from->af) {
+        case AF_INET6:
+            if (!EVP_CipherUpdate(ctx, outbuf, &outlen, (unsigned char*)&from->u.a6, 16)) {
+                logerr("anonaes128.so: error en/de-crypting IP address: %s", ERR_reason_error_string(ERR_get_error()));
+                exit(1);
+            }
+            if (outlen != 16) {
+                logerr("anonaes128.so: error en/de-crypted output is not 16 bytes");
+                exit(1);
+            }
+            memcpy(&from->u.a6, outbuf, 16);
+            break;
+        case AF_INET:
+            if (encrypt_v4) {
+                memcpy(((uint8_t*)&from->u.a6) + 4, &from->u.a4, 4);
+                memcpy(((uint8_t*)&from->u.a6) + 8, &from->u.a4, 4);
+                memcpy(((uint8_t*)&from->u.a6) + 12, &from->u.a4, 4);
+
+                if (!EVP_CipherUpdate(ctx, outbuf, &outlen, (unsigned char*)&from->u.a6, 16)) {
+                    logerr("anonaes128.so: error en/de-crypting IP address: %s", ERR_reason_error_string(ERR_get_error()));
+                    exit(1);
+                }
+                if (outlen != 16) {
+                    logerr("anonaes128.so: error en/de-crypted output is not 16 bytes");
+                    exit(1);
+                }
+                memcpy(&from->u.a4, outbuf, 4);
+                break;
+            }
+        default:
+            from = 0;
+            break;
+        }
+        break;
+    }
+
+    for (;;) {
+        if (only_clients && dport == dns_port) {
+            to = 0;
+            break;
+        }
+        if (only_servers && dport != dns_port) {
+            to = 0;
+            break;
+        }
+
+        switch (to->af) {
+        case AF_INET6:
+            if (!EVP_CipherUpdate(ctx, outbuf, &outlen, (unsigned char*)&to->u.a6, 16)) {
+                logerr("anonaes128.so: error en/de-crypting IP address: %s", ERR_reason_error_string(ERR_get_error()));
+                exit(1);
+            }
+            if (outlen != 16) {
+                logerr("anonaes128.so: error en/de-crypted output is not 16 bytes");
+                exit(1);
+            }
+            memcpy(&to->u.a6, outbuf, 16);
+            break;
+        case AF_INET:
+            if (encrypt_v4) {
+                memcpy(((uint8_t*)&to->u.a6) + 4, &to->u.a4, 4);
+                memcpy(((uint8_t*)&to->u.a6) + 8, &to->u.a4, 4);
+                memcpy(((uint8_t*)&to->u.a6) + 12, &to->u.a4, 4);
+
+                if (!EVP_CipherUpdate(ctx, outbuf, &outlen, (unsigned char*)&to->u.a6, 16)) {
+                    logerr("anonaes128.so: error en/de-crypting IP address: %s", ERR_reason_error_string(ERR_get_error()));
+                    exit(1);
+                }
+                if (outlen != 16) {
+                    logerr("anonaes128.so: error en/de-crypted output is not 16 bytes");
+                    exit(1);
+                }
+                memcpy(&to->u.a4, outbuf, 4);
+                break;
+            }
+        default:
+            to = 0;
+            break;
+        }
+        break;
+    }
+
+    if (anonaes128_set_iaddr && (from || to)) {
+        anonaes128_set_iaddr(from, to);
+    }
+#endif
+    return 0;
+}

plugins/anonaes128/test1.sh

@@ -0,0 +1,26 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonaes128.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the anonaes128 plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -i "some 16-byte key" 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 -k "some 16-byte key" -i "some 16-byte key" 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 -k "some 16-byte key" -i "some 16-byte key" -c 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 -k "some 16-byte key" -i "some 16-byte key" -s 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 -k "some 16-byte key" -i "some 16-byte key" -c -s 2>>test1.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test1.out test1.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test1.out.old > test1.out
+    rm test1.out.old
+fi
+
+diff test1.out "$srcdir/test1.gold"

plugins/anonaes128/test2.gold

@@ -0,0 +1,33 @@
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[4a92:a508:d567:5c16:d07:5236:4b51:417e].51972 [6733:3377:d5f:662b:299f:6a97:c7fe:d424].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[6733:3377:d5f:662b:299f:6a97:c7fe:d424].53 [4a92:a508:d567:5c16:d07:5236:4b51:417e].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[4a92:a508:d567:5c16:d07:5236:4b51:417e].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::8888].53 [4a92:a508:d567:5c16:d07:5236:4b51:417e].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0:0:57::245].51972 [6733:3377:d5f:662b:299f:6a97:c7fe:d424].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[6733:3377:d5f:662b:299f:6a97:c7fe:d424].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]

plugins/anonaes128/test2.sh

@@ -0,0 +1,30 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonaes128.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the anonaes128 plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" 2>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -c 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -s 2>>test2.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test2.out test2.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test2.out.old > test2.out
+    rm test2.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test2.out | \
+  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+  sed 's%,CLASS512,OPT,%,512,512,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
+mv test2.new test2.out
+
+diff test2.out "$srcdir/test2.gold"

plugins/anonaes128/test3.gold

@@ -0,0 +1,11 @@
+[87] 2018-11-27 15:52:00.414188 [#0 test3.pcap.20181127.155200.414188 4095] \
+	[2a01:3f0:0:57::245].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 test3.pcap.20181127.155200.414188 4095] \
+	[2001:4860:4860::8888].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]

plugins/anonaes128/test3.sh

@@ -0,0 +1,29 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonaes128.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the anonaes128 plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns6.pcap-dist -w test3.pcap -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" 2>test3.out
+../../src/dnscap -r test3.pcap.20181127.155200.414188 -g -P "$plugin" -D -k "some 16-byte key" -i "some 16-byte key" 2>>test3.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test3.out test3.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test3.out.old > test3.out
+    rm test3.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test3.out | \
+  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+  sed 's%,CLASS512,OPT,%,512,512,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test3.new
+mv test3.new test3.out
+
+diff test3.out "$srcdir/test3.gold"

plugins/anonaes128/test4.sh

@@ -0,0 +1,24 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonaes128.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the anonaes128 plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k tooshort
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -i tooshort
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 -K "$srcdir/test4.sh" -I "$srcdir/test4.sh"
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -K does_not_exist
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -I does_not_exist
+rm -f test4.tmp
+touch test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -K test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -I test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 0
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 1
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -D -4 -k "some 16-byte key" -i "some 16-byte key"

plugins/anonmask/Makefile.am

@@ -0,0 +1,23 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS)
+
+pkglib_LTLIBRARIES = anonmask.la
+anonmask_la_SOURCES = anonmask.c
+anonmask_la_LDFLAGS = -module -avoid-version
+
+TESTS = test1.sh test2.sh test3.sh
+
+EXTRA_DIST = $(TESTS) test1.gold test2.gold
+CLEANFILES += test1.out test2.out
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(anonmask_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif

plugins/anonmask/anonmask.c

@@ -0,0 +1,244 @@
+/*
+ * Copyright (c) 2018-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+
+#include "dnscap_common.h"
+
+static set_iaddr_t anonmask_set_iaddr = 0;
+
+static logerr_t*       logerr;
+static int             only_clients = 0, only_servers = 0, mask_port = 53, mask_v4 = 24, mask_v6 = 48;
+static struct in_addr  in4  = { INADDR_ANY };
+static struct in6_addr in6  = IN6ADDR_ANY_INIT;
+static uint32_t*       in6p = (uint32_t*)&in6;
+
+enum plugin_type anonmask_type()
+{
+    return plugin_filter;
+}
+
+void usage(const char* msg)
+{
+    fprintf(stderr, "anonmask.so usage error: %s\n", msg);
+    exit(1);
+}
+
+void anonmask_usage()
+{
+    fprintf(stderr,
+        "\nanonmask.so options:\n"
+        "\t-?            print these instructions and exit\n"
+        "\t-c            Only mask clients (port != 53)\n"
+        "\t-s            Only mask servers (port == 53)\n"
+        "\t-p <port>     Set port for -c/-s masking, default 53\n"
+        "\t-4 <netmask>  The /mask for IPv4 addresses, default /24\n"
+        "\t-6 <netmask>  The /mask for IPv6 addresses, default /48\n");
+}
+
+void anonmask_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_SET_IADDR:
+        anonmask_set_iaddr = (set_iaddr_t)arg;
+        break;
+    }
+}
+
+void anonmask_getopt(int* argc, char** argv[])
+{
+    int           c;
+    unsigned long ul;
+    char*         p;
+
+    while ((c = getopt(*argc, *argv, "?csp:4:6:")) != EOF) {
+        switch (c) {
+        case 'c':
+            only_clients = 1;
+            break;
+        case 's':
+            only_servers = 1;
+            break;
+        case 'p':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul < 1U || ul > 65535U)
+                usage("port must be an integer 1..65535");
+            mask_port = (unsigned)ul;
+            break;
+        case '4':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul > 31U)
+                usage("IPv4 mask must be an integer 0..31");
+            mask_v4 = (unsigned)ul;
+            break;
+        case '6':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul > 127U)
+                usage("IPv6 mask must be an integer 0..127");
+            mask_v6 = (unsigned)ul;
+            break;
+        case '?':
+            anonmask_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+
+    if (only_clients && only_servers) {
+        usage("-c and -s options are mutually exclusive");
+    }
+
+    if (mask_v4) {
+        in4.s_addr = htonl(0xffffffff << (32 - mask_v4));
+    }
+
+    if (mask_v6) {
+        if (mask_v6 <= 32) {
+            in6p[0] = htonl(0xffffffff << (32 - mask_v6));
+        } else if (mask_v6 <= 64) {
+            in6p[0] = 0xffffffff;
+            in6p[1] = htonl(0xffffffff << (64 - mask_v6));
+        } else if (mask_v6 <= 96) {
+            in6p[0] = 0xffffffff;
+            in6p[1] = 0xffffffff;
+            in6p[2] = htonl(0xffffffff << (96 - mask_v6));
+        } else {
+            in6p[0] = 0xffffffff;
+            in6p[1] = 0xffffffff;
+            in6p[2] = 0xffffffff;
+            in6p[3] = htonl(0xffffffff << (128 - mask_v6));
+        }
+    }
+}
+
+int anonmask_start(logerr_t* a_logerr)
+{
+    logerr = a_logerr;
+    return 0;
+}
+
+void anonmask_stop()
+{
+}
+
+int anonmask_open(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int anonmask_close(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int anonmask_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen,
+    const u_char* payload, const unsigned payloadlen)
+{
+    uint32_t* p6;
+
+    for (;;) {
+        if (only_clients && sport == mask_port) {
+            from = 0;
+            break;
+        }
+        if (only_servers && sport != mask_port) {
+            from = 0;
+            break;
+        }
+
+        switch (from->af) {
+        case AF_INET:
+            from->u.a4.s_addr &= in4.s_addr;
+            break;
+        case AF_INET6:
+            p6 = (uint32_t*)&from->u.a6;
+            p6[0] &= in6p[0];
+            p6[1] &= in6p[1];
+            p6[2] &= in6p[2];
+            p6[3] &= in6p[3];
+            break;
+        default:
+            from = 0;
+            break;
+        }
+        break;
+    }
+
+    for (;;) {
+        if (only_clients && dport == mask_port) {
+            to = 0;
+            break;
+        }
+        if (only_servers && dport != mask_port) {
+            to = 0;
+            break;
+        }
+
+        switch (to->af) {
+        case AF_INET:
+            to->u.a4.s_addr &= in4.s_addr;
+            break;
+        case AF_INET6:
+            p6 = (uint32_t*)&to->u.a6;
+            p6[0] &= in6p[0];
+            p6[1] &= in6p[1];
+            p6[2] &= in6p[2];
+            p6[3] &= in6p[3];
+            break;
+        default:
+            to = 0;
+            break;
+        }
+        break;
+    }
+
+    if (anonmask_set_iaddr && (from || to)) {
+        anonmask_set_iaddr(from, to);
+    }
+
+    return 0;
+}

plugins/anonmask/test1.sh

@@ -0,0 +1,24 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonmask.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the anonmask plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 16 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -c 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -s 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -c -s 2>>test1.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test1.out test1.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test1.out.old > test1.out
+    rm test1.out.old
+fi
+
+diff test1.out "$srcdir/test1.gold"

plugins/anonmask/test2.gold

@@ -0,0 +1,77 @@
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0::].51972 [2001:4860:4860::].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::].53 [2a01:3f0::].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:300::].51972 [2001:4800::].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4800::].53 [2a01:300::].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0::].51972 [2001:4860::].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860::].53 [2a01:3f0::].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0:0:57::].51972 [2001:4860:4860::].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::].53 [2a01:3f0:0:57::].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0:0:57::].51972 [2001:4860:4860::].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::].53 [2a01:3f0:0:57::].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0::].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::8888].53 [2a01:3f0::].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0:0:57::245].51972 [2001:4860:4860::].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]

plugins/anonmask/test2.sh

@@ -0,0 +1,34 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonmask.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the anonmask plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" 2>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 24 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 32 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 64 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 96 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -c 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -s 2>>test2.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test2.out test2.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test2.out.old > test2.out
+    rm test2.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test2.out | \
+  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+  sed 's%,CLASS512,OPT,%,512,512,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
+mv test2.new test2.out
+
+diff test2.out "$srcdir/test2.gold"

plugins/anonmask/test3.sh

@@ -0,0 +1,16 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'anonmask.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the anonmask plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 99
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -6 999
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 0
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 1

plugins/cryptopan/Makefile.am

@@ -0,0 +1,24 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS) $(libcrypto_CFLAGS)
+
+pkglib_LTLIBRARIES = cryptopan.la
+cryptopan_la_SOURCES = cryptopan.c
+cryptopan_la_LDFLAGS = -module -avoid-version $(libcrypto_LIBS)
+
+TESTS = test1.sh test2.sh test3.sh test4.sh
+
+EXTRA_DIST = $(TESTS) test1.gold test2.gold test3.gold
+CLEANFILES += test1.out test2.out test3.out test3.pcap.20161020.152301.075993 \
+  test3.pcap.20181127.155200.414188 test4.tmp
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(cryptopan_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif

plugins/cryptopan/cryptopan.c

@@ -0,0 +1,475 @@
+/*
+ * Copyright (c) 2018-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Crypto-PAn encryption based on submitted extension by David Stott (Lucent)
+ * https://www.cc.gatech.edu/computing/Networking/projects/cryptopan/lucent.shtml
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include "dnscap_common.h"
+
+#if defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_CONF_H) && defined(HAVE_OPENSSL_ERR_H) && defined(HAVE_OPENSSL_EVP_H)
+#include <openssl/conf.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#define USE_OPENSSL 1
+#endif
+
+static set_iaddr_t cryptopan_set_iaddr = 0;
+
+static logerr_t*     logerr;
+static int           only_clients = 0, only_servers = 0, dns_port = 53, encrypt_v6 = 0, decrypt = 0;
+static unsigned char key[16];
+static unsigned char iv[16];
+static unsigned char pad[16];
+#ifdef USE_OPENSSL
+static EVP_CIPHER_CTX* ctx = 0;
+#endif
+
+enum plugin_type cryptopan_type()
+{
+    return plugin_filter;
+}
+
+void usage(const char* msg)
+{
+    fprintf(stderr, "cryptopan.so usage error: %s\n", msg);
+    exit(1);
+}
+
+void cryptopan_usage()
+{
+    fprintf(stderr,
+        "\ncryptopan.so options:\n"
+        "\t-?            print these instructions and exit\n"
+        "\t-k <key>      A 16 character long key\n"
+        "\t-K <file>     Read the 16 first bytes from file and use as key\n"
+        "\t-i <key>      A 16 character long Initialisation Vector (IV)\n"
+        "\t-I <file>     Read the 16 first bytes from file and use as IV\n"
+        "\t-a <key>      A 16 character long padding\n"
+        "\t-A <file>     Read the 16 first bytes from file and use as padding\n"
+        "\t-D            Decrypt IP addresses\n"
+        "\t-c            Only en/de-crypt clients (port != 53)\n"
+        "\t-s            Only en/de-crypt servers (port == 53)\n"
+        "\t-p <port>     Set port for -c/-s, default 53\n"
+        "\t-6            En/de-crypt IPv6 addresses, not default or recommended\n");
+}
+
+void cryptopan_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_SET_IADDR:
+        cryptopan_set_iaddr = (set_iaddr_t)arg;
+        break;
+    }
+}
+
+void cryptopan_getopt(int* argc, char** argv[])
+{
+    int           c, got_key = 0, got_iv = 0, got_pad = 0;
+    unsigned long ul;
+    char*         p;
+
+    while ((c = getopt(*argc, *argv, "?k:K:i:I:a:A:Dcsp:6")) != EOF) {
+        switch (c) {
+        case 'k':
+            if (strlen(optarg) != 16) {
+                usage("key must be 16 characters long");
+            }
+            memcpy(key, optarg, 16);
+            got_key = 1;
+            break;
+        case 'K': {
+            int     fd;
+            ssize_t r;
+            if ((fd = open(optarg, O_RDONLY)) < 0) {
+                perror("open()");
+                usage("unable to open key file");
+            }
+            if ((r = read(fd, key, 16)) < 0) {
+                perror("read()");
+                usage("unable to read from key file");
+            }
+            if (r != 16) {
+                usage("unable to read 16 bytes from key file");
+            }
+            close(fd);
+            got_key = 1;
+            break;
+        }
+        case 'i':
+            if (strlen(optarg) != 16) {
+                usage("IV must be 16 characters long");
+            }
+            memcpy(iv, optarg, 16);
+            got_iv = 1;
+            break;
+        case 'I': {
+            int     fd;
+            ssize_t r;
+            if ((fd = open(optarg, O_RDONLY)) < 0) {
+                perror("open()");
+                usage("unable to open IV file");
+            }
+            if ((r = read(fd, iv, 16)) < 0) {
+                perror("read()");
+                usage("unable to read from IV file");
+            }
+            if (r != 16) {
+                usage("unable to read 16 bytes from IV file");
+            }
+            close(fd);
+            got_iv = 1;
+            break;
+        }
+        case 'a':
+            if (strlen(optarg) != 16) {
+                usage("padding must be 16 characters long");
+            }
+            memcpy(pad, optarg, 16);
+            got_pad = 1;
+            break;
+        case 'A': {
+            int     fd;
+            ssize_t r;
+            if ((fd = open(optarg, O_RDONLY)) < 0) {
+                perror("open()");
+                usage("unable to open padding file");
+            }
+            if ((r = read(fd, pad, 16)) < 0) {
+                perror("read()");
+                usage("unable to read from padding file");
+            }
+            if (r != 16) {
+                usage("unable to read 16 bytes from padding file");
+            }
+            close(fd);
+            got_pad = 1;
+            break;
+        }
+        case 'D':
+            decrypt = 1;
+            break;
+        case 'c':
+            only_clients = 1;
+            break;
+        case 's':
+            only_servers = 1;
+            break;
+        case 'p':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul < 1U || ul > 65535U)
+                usage("port must be an integer 1..65535");
+            dns_port = (unsigned)ul;
+            break;
+        case '6':
+            encrypt_v6 = 1;
+            break;
+        case '?':
+            cryptopan_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+
+    if (!got_key || !got_iv || !got_pad) {
+        usage("must have key (-k/-K), IV (-i/-I) and padding (-a/-A)");
+    }
+
+#ifdef USE_OPENSSL
+    if (!(ctx = EVP_CIPHER_CTX_new())) {
+        usage("unable to create openssl cipher context");
+    }
+    if (!EVP_CipherInit_ex(ctx, EVP_aes_128_ecb(), NULL, key, iv, 1)) {
+        unsigned long e = ERR_get_error();
+        fprintf(stderr, "%s:%s:%s\n", ERR_lib_error_string(e), ERR_func_error_string(e), ERR_reason_error_string(e));
+        usage("unable to initialize AES128 cipher");
+    }
+    EVP_CIPHER_CTX_set_padding(ctx, 0);
+    {
+        unsigned char outbuf[16 + EVP_MAX_BLOCK_LENGTH];
+        int           outlen = 0;
+
+        if (!EVP_CipherUpdate(ctx, outbuf, &outlen, pad, 16)) {
+            fprintf(stderr, "cryptopan.so: error encrypting padding: %s\n", ERR_reason_error_string(ERR_get_error()));
+            exit(1);
+        }
+        if (outlen != 16) {
+            fprintf(stderr, "cryptopan.so: error encrypted padding is not 16 bytes\n");
+            exit(1);
+        }
+        memcpy(&pad, outbuf, 16);
+    }
+#else
+    usage("no openssl support built in, can't encrypt IP addresses");
+#endif
+
+    if (only_clients && only_servers) {
+        usage("-c and -s options are mutually exclusive");
+    }
+}
+
+int cryptopan_start(logerr_t* a_logerr)
+{
+    logerr = a_logerr;
+    return 0;
+}
+
+void cryptopan_stop()
+{
+#ifdef USE_OPENSSL
+    EVP_CIPHER_CTX_free(ctx);
+    ctx = 0;
+#endif
+}
+
+int cryptopan_open(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int cryptopan_close(my_bpftimeval ts)
+{
+    return 0;
+}
+
+#ifdef USE_OPENSSL
+struct input {
+    union {
+        unsigned char input[16];
+        uint32_t      ui32;
+    } u;
+};
+struct output {
+    union {
+        unsigned char outbuf[16 + EVP_MAX_BLOCK_LENGTH];
+        uint32_t      ui32;
+    } u;
+};
+static inline void _encrypt(uint32_t* in)
+{
+    struct input  input;
+    struct output output;
+    int           outlen = 0, pos;
+    uint32_t      orig, result = 0, pad4b, mask = 0;
+
+    memcpy(input.u.input, pad, 16);
+    orig = ntohl(*in);
+    memcpy(&pad4b, pad, 4);
+
+    // First pass with padding only
+
+    input.u.ui32 = htonl(pad4b);
+
+    if (!EVP_CipherUpdate(ctx, output.u.outbuf, &outlen, input.u.input, 16)) {
+        fprintf(stderr, "cryptopan.so: error encrypting: %s\n", ERR_reason_error_string(ERR_get_error()));
+        exit(1);
+    }
+    if (outlen != 16) {
+        fprintf(stderr, "cryptopan.so: error encrypted result is not 16 bytes\n");
+        exit(1);
+    }
+
+    result |= ntohl(output.u.ui32) & 0x80000000;
+    mask >>= 1;
+    mask |= 0x80000000;
+
+    for (pos = 1; pos < 32; pos++) {
+        input.u.ui32 = htonl(((pad4b << pos) | (pad4b >> (32 - pos))) ^ (orig & mask));
+
+        if (!EVP_CipherUpdate(ctx, output.u.outbuf, &outlen, input.u.input, 16)) {
+            fprintf(stderr, "cryptopan.so: error encrypting: %s\n", ERR_reason_error_string(ERR_get_error()));
+            exit(1);
+        }
+        if (outlen != 16) {
+            fprintf(stderr, "cryptopan.so: error encrypted result is not 16 bytes\n");
+            exit(1);
+        }
+
+        result |= (ntohl(output.u.ui32) & 0x80000000) >> pos;
+        mask >>= 1;
+        mask |= 0x80000000;
+    }
+
+    *in = htonl(result ^ orig);
+}
+
+static inline void _decrypt(uint32_t* in)
+{
+    struct input  input;
+    struct output output;
+    int           outlen = 0, pos;
+    uint32_t      orig, pad4b, mask = 0;
+
+    memcpy(input.u.input, pad, 16);
+    orig = ntohl(*in);
+    memcpy(&pad4b, pad, 4);
+
+    // First pass with padding only
+
+    input.u.ui32 = htonl(pad4b);
+
+    if (!EVP_CipherUpdate(ctx, output.u.outbuf, &outlen, input.u.input, 16)) {
+        fprintf(stderr, "cryptopan.so: error encrypting: %s\n", ERR_reason_error_string(ERR_get_error()));
+        exit(1);
+    }
+    if (outlen != 16) {
+        fprintf(stderr, "cryptopan.so: error encrypted result is not 16 bytes\n");
+        exit(1);
+    }
+
+    orig ^= ntohl(output.u.ui32) & 0x80000000;
+    mask >>= 1;
+    mask |= 0x80000000;
+
+    for (pos = 1; pos < 32; pos++) {
+        input.u.ui32 = htonl(((pad4b << pos) | (pad4b >> (32 - pos))) ^ (orig & mask));
+
+        if (!EVP_CipherUpdate(ctx, output.u.outbuf, &outlen, input.u.input, 16)) {
+            fprintf(stderr, "cryptopan.so: error encrypting: %s\n", ERR_reason_error_string(ERR_get_error()));
+            exit(1);
+        }
+        if (outlen != 16) {
+            fprintf(stderr, "cryptopan.so: error encrypted result is not 16 bytes\n");
+            exit(1);
+        }
+
+        orig ^= (ntohl(output.u.ui32) & 0x80000000) >> pos;
+        mask >>= 1;
+        mask |= 0x80000000;
+    }
+
+    *in = htonl(orig);
+}
+#endif
+
+int cryptopan_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen,
+    const u_char* payload, const unsigned payloadlen)
+{
+#ifdef USE_OPENSSL
+    for (;;) {
+        if (only_clients && sport == dns_port) {
+            from = 0;
+            break;
+        }
+        if (only_servers && sport != dns_port) {
+            from = 0;
+            break;
+        }
+
+        switch (from->af) {
+        case AF_INET:
+            decrypt ? _decrypt((uint32_t*)&from->u.a4) : _encrypt((uint32_t*)&from->u.a4);
+            break;
+        case AF_INET6:
+            if (encrypt_v6) {
+                if (decrypt) {
+                    _decrypt((uint32_t*)&from->u.a6);
+                    _decrypt(((uint32_t*)&from->u.a6) + 1); // lgtm [cpp/suspicious-pointer-scaling]
+                    _decrypt(((uint32_t*)&from->u.a6) + 2); // lgtm [cpp/suspicious-pointer-scaling]
+                    _decrypt(((uint32_t*)&from->u.a6) + 3); // lgtm [cpp/suspicious-pointer-scaling]
+                } else {
+                    _encrypt((uint32_t*)&from->u.a6);
+                    _encrypt(((uint32_t*)&from->u.a6) + 1); // lgtm [cpp/suspicious-pointer-scaling]
+                    _encrypt(((uint32_t*)&from->u.a6) + 2); // lgtm [cpp/suspicious-pointer-scaling]
+                    _encrypt(((uint32_t*)&from->u.a6) + 3); // lgtm [cpp/suspicious-pointer-scaling]
+                }
+                break;
+            }
+        default:
+            from = 0;
+            break;
+        }
+        break;
+    }
+
+    for (;;) {
+        if (only_clients && dport == dns_port) {
+            to = 0;
+            break;
+        }
+        if (only_servers && dport != dns_port) {
+            to = 0;
+            break;
+        }
+
+        switch (to->af) {
+        case AF_INET:
+            decrypt ? _decrypt((uint32_t*)&to->u.a4) : _encrypt((uint32_t*)&to->u.a4);
+            break;
+        case AF_INET6:
+            if (encrypt_v6) {
+                if (decrypt) {
+                    _decrypt((uint32_t*)&to->u.a6);
+                    _decrypt(((uint32_t*)&to->u.a6) + 1); // lgtm [cpp/suspicious-pointer-scaling]
+                    _decrypt(((uint32_t*)&to->u.a6) + 2); // lgtm [cpp/suspicious-pointer-scaling]
+                    _decrypt(((uint32_t*)&to->u.a6) + 3); // lgtm [cpp/suspicious-pointer-scaling]
+                } else {
+                    _encrypt((uint32_t*)&to->u.a6);
+                    _encrypt(((uint32_t*)&to->u.a6) + 1); // lgtm [cpp/suspicious-pointer-scaling]
+                    _encrypt(((uint32_t*)&to->u.a6) + 2); // lgtm [cpp/suspicious-pointer-scaling]
+                    _encrypt(((uint32_t*)&to->u.a6) + 3); // lgtm [cpp/suspicious-pointer-scaling]
+                }
+                break;
+            }
+        default:
+            to = 0;
+            break;
+        }
+        break;
+    }
+
+    if (cryptopan_set_iaddr && (from || to)) {
+        cryptopan_set_iaddr(from, to);
+    }
+#endif
+    return 0;
+}

plugins/cryptopan/test1.sh

@@ -0,0 +1,27 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopan.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the cryptopan plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -i "some 16-byte key" 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -a "some 16-byte key" 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -c 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -s 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -c -s 2>>test1.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test1.out test1.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test1.out.old > test1.out
+    rm test1.out.old
+fi
+
+diff test1.out "$srcdir/test1.gold"

plugins/cryptopan/test2.gold

@@ -0,0 +1,33 @@
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[11eb:460f:2668:8b63:2668:8b2a:2668:8948].51972 [1845:9ab2:426f:b370:2668:8b2a:2668:33ab].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[1845:9ab2:426f:b370:2668:8b2a:2668:33ab].53 [11eb:460f:2668:8b63:2668:8b2a:2668:8948].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[11eb:460f:2668:8b63:2668:8b2a:2668:8948].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::8888].53 [11eb:460f:2668:8b63:2668:8b2a:2668:8948].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0:0:57::245].51972 [1845:9ab2:426f:b370:2668:8b2a:2668:33ab].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[1845:9ab2:426f:b370:2668:8b2a:2668:33ab].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]

plugins/cryptopan/test2.sh

@@ -0,0 +1,30 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopan.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the cryptopan plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" 2>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -c 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -s 2>>test2.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test2.out test2.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test2.out.old > test2.out
+    rm test2.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test2.out | \
+  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+  sed 's%,CLASS512,OPT,%,512,512,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
+mv test2.new test2.out
+
+diff test2.out "$srcdir/test2.gold"

plugins/cryptopan/test3.gold

@@ -0,0 +1,725 @@
+[56] 2016-10-20 15:23:01.075993 [#0 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].57822 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].40043 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].37953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].48658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].43559 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].54859 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].58176 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].41266 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].34607 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60437 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].37149 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].53820 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].52368 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].47637 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].34426 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].41059 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].51181 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].32976 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].53467 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].41532 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].44982 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].40224 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].45658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60457 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].59762 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].56022 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].37669 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].42978 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].49829 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].50599 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].44980 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60063 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].42042 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60469 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].45703 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].33507 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].46798 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+[87] 2018-11-27 15:52:00.414188 [#0 test3.pcap.20181127.155200.414188 4095] \
+	[2a01:3f0:0:57::245].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 test3.pcap.20181127.155200.414188 4095] \
+	[2001:4860:4860::8888].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]

plugins/cryptopan/test3.sh

@@ -0,0 +1,32 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopan.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the cryptopan plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -w test3.pcap -r dns.pcap-dist -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" 2>test3.out
+../../src/dnscap -w test3.pcap -r dns6.pcap-dist -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -6 2>>test3.out
+../../src/dnscap -r test3.pcap.20161020.152301.075993 -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -D 2>>test3.out
+../../src/dnscap -r test3.pcap.20181127.155200.414188 -g -P "$plugin" -k "some 16-byte key" -i "some 16-byte key" -a "some 16-byte key" -6 -D 2>>test3.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test3.out test3.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test3.out.old > test3.out
+    rm test3.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test3.out | \
+  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+  sed 's%,CLASS512,OPT,%,512,512,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test3.new
+mv test3.new test3.out
+
+diff test3.out "$srcdir/test3.gold"

plugins/cryptopan/test4.sh

@@ -0,0 +1,26 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopan.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the cryptopan plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k tooshort
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -i tooshort
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -a tooshort
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -K "$srcdir/test4.sh" -I "$srcdir/test4.sh" -A "$srcdir/test4.sh"
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -K does_not_exist
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -I does_not_exist
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -A does_not_exist
+rm -f test4.tmp
+touch test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -K test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -I test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -A test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 0
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 1

plugins/cryptopant/Makefile.am

@@ -0,0 +1,24 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS) $(libcrypto_CFLAGS)
+
+pkglib_LTLIBRARIES = cryptopant.la
+cryptopant_la_SOURCES = cryptopant.c
+cryptopant_la_LDFLAGS = -module -avoid-version $(libcrypto_LIBS)
+
+TESTS = test1.sh test2.sh test3.sh test4.sh
+
+EXTRA_DIST = $(TESTS) test1.gold keyfile test2.gold test3.gold
+CLEANFILES += test1.out test2.out test3.out test3.pcap.20161020.152301.075993 \
+  test3.pcap.20181127.155200.414188
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(cryptopant_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif

plugins/cryptopant/cryptopant.c

@@ -0,0 +1,241 @@
+/*
+ * Copyright (c) 2018-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/socket.h>
+
+#include "dnscap_common.h"
+
+#if defined(HAVE_LIBCRYPTOPANT) && defined(HAVE_CRYPTOPANT_H)
+#include <cryptopANT.h>
+#define USE_CRYPTOPANT 1
+#endif
+
+static set_iaddr_t cryptopant_set_iaddr = 0;
+
+static logerr_t* logerr;
+static int       only_clients = 0, only_servers = 0, dns_port = 53, pass4 = 0, pass6 = 0, decrypt = 0;
+
+enum plugin_type cryptopant_type()
+{
+    return plugin_filter;
+}
+
+void usage(const char* msg)
+{
+    fprintf(stderr, "cryptopant.so usage error: %s\n", msg);
+    exit(1);
+}
+
+void cryptopant_usage()
+{
+    fprintf(stderr,
+        "\ncryptopant.so options:\n"
+        "\t-?            print these instructions and exit\n"
+        "\t-k <file>     Keyfile to use (generated by scramble_ips -G)\n"
+        "\t-4 <num>      pass <num> higher bits of IPv4 through unchanged\n"
+        "\t-6 <num>      pass <num> higher bits of IPv6 through unchanged\n"
+        "\t-D            Decrypt IP addresses\n"
+        "\t-c            Only encrypt clients (port != 53)\n"
+        "\t-s            Only encrypt servers (port == 53)\n"
+        "\t-p <port>     Set port for -c/-s, default 53\n");
+}
+
+void cryptopant_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_SET_IADDR:
+        cryptopant_set_iaddr = (set_iaddr_t)arg;
+        break;
+    }
+}
+
+void cryptopant_getopt(int* argc, char** argv[])
+{
+    int           c;
+    unsigned long ul;
+    char *        p, *keyfile = 0;
+
+    while ((c = getopt(*argc, *argv, "?k:4:6:Dcsp:")) != EOF) {
+        switch (c) {
+        case 'k':
+            if (keyfile) {
+                free(keyfile);
+            }
+            keyfile = strdup(optarg);
+            break;
+        case '4':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul > 31U)
+                usage("pass IPv4 bits must be an integer 0..31");
+            pass4 = (unsigned)ul;
+            break;
+        case '6':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul > 127U)
+                usage("pass IPv6 bits must be an integer 0..127");
+            pass6 = (unsigned)ul;
+            break;
+        case 'D':
+            decrypt = 1;
+            break;
+        case 'c':
+            only_clients = 1;
+            break;
+        case 's':
+            only_servers = 1;
+            break;
+        case 'p':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul < 1U || ul > 65535U)
+                usage("port must be an integer 1..65535");
+            dns_port = (unsigned)ul;
+            break;
+        case '?':
+            cryptopant_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+
+#ifdef USE_CRYPTOPANT
+    if (!keyfile) {
+        usage("must have a -k keyfile");
+    }
+
+    if (scramble_init_from_file(keyfile, SCRAMBLE_NONE, SCRAMBLE_NONE, 0)) {
+        usage("unable to initialize cryptopANT");
+    }
+#else
+    usage("no cryptopANT support built in, can't encrypt IP addresses");
+#endif
+
+    if (only_clients && only_servers) {
+        usage("-c and -s options are mutually exclusive");
+    }
+
+    if (keyfile) {
+        free(keyfile);
+    }
+}
+
+int cryptopant_start(logerr_t* a_logerr)
+{
+    logerr = a_logerr;
+    return 0;
+}
+
+void cryptopant_stop()
+{
+}
+
+int cryptopant_open(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int cryptopant_close(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int cryptopant_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen,
+    const u_char* payload, const unsigned payloadlen)
+{
+#ifdef USE_CRYPTOPANT
+    for (;;) {
+        if (only_clients && sport == dns_port) {
+            from = 0;
+            break;
+        }
+        if (only_servers && sport != dns_port) {
+            from = 0;
+            break;
+        }
+
+        switch (from->af) {
+        case AF_INET:
+            from->u.a4.s_addr = decrypt ? unscramble_ip4(from->u.a4.s_addr, pass4) : scramble_ip4(from->u.a4.s_addr, pass4);
+            break;
+        case AF_INET6:
+            decrypt ? unscramble_ip6(&from->u.a6, pass6) : scramble_ip6(&from->u.a6, pass6);
+            break;
+        default:
+            from = 0;
+            break;
+        }
+        break;
+    }
+
+    for (;;) {
+        if (only_clients && dport == dns_port) {
+            to = 0;
+            break;
+        }
+        if (only_servers && dport != dns_port) {
+            to = 0;
+            break;
+        }
+
+        switch (to->af) {
+        case AF_INET:
+            to->u.a4.s_addr = decrypt ? unscramble_ip4(to->u.a4.s_addr, pass4) : scramble_ip4(to->u.a4.s_addr, pass4);
+            break;
+        case AF_INET6:
+            decrypt ? unscramble_ip6(&to->u.a6, pass6) : scramble_ip6(&to->u.a6, pass6);
+            break;
+        default:
+            to = 0;
+            break;
+        }
+        break;
+    }
+
+    if (cryptopant_set_iaddr && (from || to)) {
+        cryptopant_set_iaddr(from, to);
+    }
+#endif
+    return 0;
+}

plugins/cryptopant/keyfile

@@ -0,0 +1 @@
+02:02:cd6adc7b7dcaf5b926c657190ab7e05a:1df8f74f976ad7ff7a443ce7d2e2ce44235fa2a7080107b19a6785698064f121::54d9e7a215dbd120f70f054a176ca398

plugins/cryptopant/test1.sh

@@ -0,0 +1,31 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopant.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the cryptopant plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out || true
+if grep -q "no cryptopANT support built in" test1.out 2>/dev/null; then
+    echo "No cryptopANT support, skipping tests"
+    exit 0
+fi
+
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -4 8 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -c 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -s 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -c -s 2>>test1.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test1.out test1.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test1.out.old > test1.out
+    rm test1.out.old
+fi
+
+diff test1.out "$srcdir/test1.gold"

plugins/cryptopant/test2.gold

@@ -0,0 +1,33 @@
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3a0:52c7:8483:3fd2:892c:443c:197e].51972 [2001:48e7:eb7b:8330:a6b3:e29f:c7a1:a114].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:48e7:eb7b:8330:a6b3:e29f:c7a1:a114].53 [2a01:3a0:52c7:8483:3fd2:892c:443c:197e].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[f97c:c1a0:52c7:8483:3fd2:892c:443c:197e].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::8888].53 [f97c:c1a0:52c7:8483:3fd2:892c:443c:197e].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0:0:57::245].51972 [f29a:ede7:eb7b:8330:a6b3:e29f:c7a1:a114].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[f29a:ede7:eb7b:8330:a6b3:e29f:c7a1:a114].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]

plugins/cryptopant/test2.sh

@@ -0,0 +1,37 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopant.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the cryptopant plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" 2>test2.out || true
+if grep -q "no cryptopANT support built in" test2.out 2>/dev/null; then
+    echo "No cryptopANT support, skipping tests"
+    exit 0
+fi
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" 2>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -6 24 2>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -c 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -k "$srcdir/keyfile" -s 2>>test2.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test2.out test2.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test2.out.old > test2.out
+    rm test2.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test2.out | \
+  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+  sed 's%,CLASS512,OPT,%,512,512,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
+mv test2.new test2.out
+
+diff test2.out "$srcdir/test2.gold"

plugins/cryptopant/test3.gold

@@ -0,0 +1,725 @@
+[56] 2016-10-20 15:23:01.075993 [#0 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].57822 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].40043 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].37953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].48658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].43559 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].54859 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].58176 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].41266 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].34607 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60437 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].37149 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].53820 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].52368 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].47637 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].34426 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].41059 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].51181 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].32976 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].53467 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].41532 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].44982 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].40224 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].45658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60457 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].59762 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].56022 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].37669 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].42978 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].49829 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].50599 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].44980 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60063 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].42042 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60469 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].45703 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].33507 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].46798 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+[87] 2018-11-27 15:52:00.414188 [#0 test3.pcap.20181127.155200.414188 4095] \
+	[2a01:3f0:0:57::245].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 test3.pcap.20181127.155200.414188 4095] \
+	[2001:4860:4860::8888].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]

plugins/cryptopant/test3.sh

@@ -0,0 +1,38 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopant.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the cryptopant plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test3.out || true
+if grep -q "no cryptopANT support built in" test3.out 2>/dev/null; then
+    echo "No cryptopANT support, skipping tests"
+    exit 0
+fi
+
+../../src/dnscap -w test3.pcap -r dns.pcap-dist -P "$plugin" -k "$srcdir/keyfile" 2>test3.out
+../../src/dnscap -w test3.pcap -r dns6.pcap-dist -P "$plugin" -k "$srcdir/keyfile" 2>>test3.out
+../../src/dnscap -r test3.pcap.20161020.152301.075993 -g -P "$plugin" -k "$srcdir/keyfile" -D 2>>test3.out
+../../src/dnscap -r test3.pcap.20181127.155200.414188 -g -P "$plugin" -k "$srcdir/keyfile" -D 2>>test3.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test3.out test3.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test3.out.old > test3.out
+    rm test3.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test3.out | \
+  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+  sed 's%,CLASS512,OPT,%,512,512,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test3.new
+mv test3.new test3.out
+
+diff test3.out "$srcdir/test3.gold"

plugins/cryptopant/test4.sh

@@ -0,0 +1,22 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'cryptopant.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the cryptopant plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+# ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out || true
+# if grep -q "no cryptopANT support built in" test1.out 2>/dev/null; then
+#     echo "No cryptopANT support, skipping tests"
+#     exit 0
+# fi
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 0
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 1
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -4 99
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -6 999

plugins/eventlog/Makefile.am

@@ -0,0 +1,22 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS)
+
+pkglib_LTLIBRARIES = eventlog.la
+eventlog_la_SOURCES = eventlog.c
+eventlog_la_LDFLAGS = -module -avoid-version
+
+TESTS = test1.sh
+EXTRA_DIST = $(TESTS)
+CLEANFILES += test1.out *.pcap-dist
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(eventlog_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif

plugins/eventlog/eventlog.c

@@ -0,0 +1,425 @@
+/* eventlog.c
+ *
+ * Byron Darrah - May 20, 2020
+ * Version 1.0
+ *
+ * This is a plugin for dnscap, based on the txtout plugin.
+ *
+ * This plugin generates one line of output for each packet, with a human-
+ * readable timestamp, and includes the results of A and AAAA queries (which
+ * is either a list of IP addresses, or an NXDOMAIN flag).
+ *
+ * Below is the original copyright notice from txtout.c.
+ */
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <ctype.h>
+#include <errno.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <ldns/ldns.h>
+
+#include "dnscap_common.h"
+
+static logerr_t* logerr;
+static char*     opt_o = NULL;
+static int       opt_s = 0;
+static FILE*     out   = 0;
+static int       opt_t = 0;
+static char*     opt_n = NULL;
+
+output_t eventlog_output;
+
+void eventlog_usage()
+{
+    fprintf(stderr,
+        "\neventlog.so options:\n"
+        "   -?         print these instructions and exit\n"
+        "   -o <arg>   output file name\n"
+        "   -s         short output, only QTYPE/QNAME for IN\n"
+        "   -t         prefix event messages with DNS packet timestamp\n"
+        "   -n <arg>   include name with each event message\n\n"
+        "Produces a line of text per packet suitable for event logging,\n"
+        "including IP addresses from query responses.\n");
+}
+
+void eventlog_getopt(int* argc, char** argv[])
+{
+    /*
+     * The "getopt" function will be called from the parent to
+     * process plugin options.
+     */
+    int c;
+    while ((c = getopt(*argc, *argv, "?so:tn:")) != EOF) {
+        switch (c) {
+        case 'o':
+            if (opt_o)
+                free(opt_o);
+            opt_o = strdup(optarg);
+            break;
+        case 's':
+            opt_s = 1;
+            break;
+        case 't':
+            opt_t = 1;
+            break;
+        case 'n':
+            opt_n = strdup(optarg);
+            break;
+        case '?':
+            eventlog_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+}
+
+int eventlog_start(logerr_t* a_logerr)
+{
+    /*
+     * The "start" function is called once, when the program
+     * starts.  It is used to initialize the plugin.  If the
+     * plugin wants to write debugging and or error messages,
+     * it should save the a_logerr pointer passed from the
+     * parent code.
+     */
+    logerr = a_logerr;
+    if (opt_o) {
+        out = fopen(opt_o, "a");
+        if (0 == out) {
+            logerr("%s: %s\n", opt_o, strerror(errno));
+            exit(1);
+        }
+    } else {
+        out = stdout;
+    }
+    setbuf(out, 0);
+
+    if (opt_t) {
+        time_t    curtime;
+        char      time_text[25];
+        struct tm res;
+        curtime = time(NULL);
+        if (strftime(time_text, 25, "%G %m/%d %T", localtime_r(&curtime, &res)) > 0) {
+            fprintf(out, "%s ", time_text);
+        } else {
+            fprintf(out, "**ERROR reading time** ");
+        }
+    }
+    if (opt_n) {
+        fprintf(out, "%s ", opt_n);
+    }
+    fprintf(out, "DNS event logging started.\n");
+
+    return 0;
+}
+
+void eventlog_stop()
+{
+    /*
+     * The "start" function is called once, when the program
+     * is exiting normally.  It might be used to clean up state,
+     * free memory, etc.
+     */
+    if (out != stdout)
+        fclose(out);
+}
+
+int eventlog_open(my_bpftimeval ts)
+{
+    /*
+     * The "open" function is called at the start of each
+     * collection interval, which might be based on a period
+     * of time or a number of packets.  In the original code,
+     * this is where we opened an output pcap file.
+     */
+    return 0;
+}
+
+int eventlog_close(my_bpftimeval ts)
+{
+    /*
+     * The "close" function is called at the end of each
+     * collection interval, which might be based on a period
+     * of time or on a number of packets.  In the original code
+     * this is where we closed an output pcap file.
+     */
+    return 0;
+}
+
+ia_str_t           ia_str           = 0;
+tcpstate_getcurr_t tcpstate_getcurr = 0;
+tcpstate_reset_t   tcpstate_reset   = 0;
+
+void eventlog_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_IA_STR:
+        ia_str = (ia_str_t)arg;
+        break;
+    case DNSCAP_EXT_TCPSTATE_GETCURR:
+        tcpstate_getcurr = (tcpstate_getcurr_t)arg;
+        break;
+    case DNSCAP_EXT_TCPSTATE_RESET:
+        tcpstate_reset = (tcpstate_reset_t)arg;
+        break;
+    }
+}
+
+static void eventlog_output_ipbytes(size_t len, const uint8_t* data)
+{
+
+    /* If there are 4 bytes, print them as an IPv4 address. */
+    if (len == 4) {
+        fprintf(out, "%u.%u.%u.%u", data[0], data[1], data[2], data[3]);
+    }
+
+    /* If there are 16 bytes, print them as an IPv6 address. */
+    else if (len == 16) {
+        /* If there are 16 bytes, print them as an IPv6 address. */
+        fprintf(out, "%x:%x:%x:%x:%x:%x:%x:%x",
+            ((unsigned int)data[0]) << 8 | data[1],
+            ((unsigned int)data[2]) << 8 | data[3],
+            ((unsigned int)data[4]) << 8 | data[5],
+            ((unsigned int)data[6]) << 8 | data[7],
+            ((unsigned int)data[8]) << 8 | data[9],
+            ((unsigned int)data[10]) << 8 | data[11],
+            ((unsigned int)data[12]) << 8 | data[13],
+            ((unsigned int)data[14]) << 8 | data[15]);
+    }
+}
+
+void eventlog_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, unsigned olen,
+    const u_char* payload, unsigned payloadlen)
+{
+
+    /* Do not output anything if there is no DNS info to report. */
+    if (!(flags & DNSCAP_OUTPUT_ISDNS)) {
+        return;
+    }
+    ldns_pkt* pkt;
+    if (ldns_wire2pkt(&pkt, payload, payloadlen) != LDNS_STATUS_OK) {
+        if (tcpstate_getcurr && tcpstate_reset)
+            tcpstate_reset(tcpstate_getcurr(), "");
+        return;
+    }
+    ldns_buffer* buf = ldns_buffer_new(512);
+    if (!buf) {
+        logerr("out of memmory\n");
+        exit(1);
+    }
+
+    /*
+     * Output the packet timestamp
+     */
+    if (opt_t) {
+        char      time_text[25];
+        struct tm res;
+        if (strftime(time_text, 25, "%G %m/%d %T", localtime_r(&ts.tv_sec, &res)) > 0) {
+            fprintf(out, "%s ", time_text);
+        } else {
+            fprintf(out, "**ERROR reading packet time** ");
+        }
+    }
+    if (opt_n) {
+        fprintf(out, "%s ", opt_n);
+    }
+
+    /*
+     * Short output, only print QTYPE and QNAME for IN records
+     */
+    if (opt_s) {
+        ldns_rr_list* qds = ldns_pkt_question(pkt);
+        if (qds) {
+            ldns_rr* qd = ldns_rr_list_rr(qds, 0);
+
+            if (qd && ldns_rr_get_class(qd) == LDNS_RR_CLASS_IN) {
+                if (ldns_rr_type2buffer_str(buf, ldns_rr_get_type(qd)) == LDNS_STATUS_OK) {
+                    fprintf(out, "%s", (char*)ldns_buffer_begin(buf));
+                } else {
+                    fprintf(out, "ERR");
+                }
+
+                ldns_buffer_clear(buf);
+                if (ldns_rdf2buffer_str(buf, ldns_rr_owner(qd)) == LDNS_STATUS_OK) {
+                    fprintf(out, " %s\n", (char*)ldns_buffer_begin(buf));
+                } else {
+                    fprintf(out, "ERR\n");
+                }
+            }
+        }
+        ldns_pkt_free(pkt);
+        ldns_buffer_free(buf);
+        return;
+    }
+
+    /*
+     * IP Stuff
+     */
+    fprintf(out, "src=%s spt=%u ", ia_str(from), sport);
+    fprintf(out, "dst=%s dpt=%u ", ia_str(to), dport);
+    switch (proto) {
+    case 17:
+        fprintf(out, "proto=UDP");
+        break;
+    case 6:
+        fprintf(out, "proto=TCP");
+        break;
+    default:
+        fprintf(out, "proto=%hhu", proto);
+        break;
+    }
+
+    /*
+     * DNS Header
+     */
+    fprintf(out, " mid=%u", ldns_pkt_id(pkt));
+    fprintf(out, " op=%u", ldns_pkt_get_opcode(pkt));
+    fprintf(out, " fl=|");
+    if (ldns_pkt_qr(pkt))
+        fprintf(out, "QR|");
+    if (ldns_pkt_aa(pkt))
+        fprintf(out, "AA|");
+    if (ldns_pkt_tc(pkt))
+        fprintf(out, "TC|");
+    if (ldns_pkt_rd(pkt))
+        fprintf(out, "RD|");
+    if (ldns_pkt_ra(pkt))
+        fprintf(out, "RA|");
+    if (ldns_pkt_ad(pkt))
+        fprintf(out, "AD|");
+    if (ldns_pkt_cd(pkt))
+        fprintf(out, "CD|");
+    switch (ldns_pkt_get_rcode(pkt)) {
+    case LDNS_RCODE_NOERROR:
+        fprintf(out, " rc=OK");
+        break;
+    case LDNS_RCODE_NXDOMAIN:
+        fprintf(out, " rc=NXDOMAIN");
+        break;
+    case LDNS_RCODE_SERVFAIL:
+        fprintf(out, " rc=SRVFAIL");
+        break;
+    default:
+        fprintf(out, " rc=%u", ldns_pkt_get_rcode(pkt));
+        break;
+    }
+
+    ldns_rr_list* qds = ldns_pkt_question(pkt);
+    ldns_rr*      qd;
+    if (qds && (qd = ldns_rr_list_rr(qds, 0))) {
+        if (ldns_rr_class2buffer_str(buf, ldns_rr_get_class(qd)) == LDNS_STATUS_OK) {
+            fprintf(out, " cl=%s", (char*)ldns_buffer_begin(buf));
+        } else {
+            fprintf(out, " **ERROR parsing response record**\n");
+            ldns_pkt_free(pkt);
+            ldns_buffer_free(buf);
+            return;
+        }
+
+        ldns_buffer_clear(buf);
+        if (ldns_rr_type2buffer_str(buf, ldns_rr_get_type(qd)) == LDNS_STATUS_OK) {
+            fprintf(out, " tp=%s", (char*)ldns_buffer_begin(buf));
+        } else {
+            fprintf(out, " **ERROR parsing response record**\n");
+            ldns_pkt_free(pkt);
+            ldns_buffer_free(buf);
+            return;
+        }
+
+        ldns_buffer_clear(buf);
+        if (ldns_rdf2buffer_str(buf, ldns_rr_owner(qd)) == LDNS_STATUS_OK) {
+            fprintf(out, " name=%s\n", (char*)ldns_buffer_begin(buf));
+        } else {
+            fprintf(out, " **ERROR parsing response record**\n");
+            ldns_pkt_free(pkt);
+            ldns_buffer_free(buf);
+            return;
+        }
+    }
+
+    /* output the query answers */
+    ldns_rr_list* ans = ldns_pkt_answer(pkt);
+    if (ans) {
+        const char* delim = " ans=";
+        size_t      i, n;
+        for (i = 0, n = ldns_rr_list_rr_count(ans); i < n; i++) {
+            ldns_rr* rr = ldns_rr_list_rr(ans, i);
+
+            if (rr) {
+                switch (ldns_rr_get_type(rr)) {
+                case LDNS_RR_TYPE_A:
+                case LDNS_RR_TYPE_AAAA: {
+                    ldns_rdf* rdf = ldns_rr_rdf(rr, 0);
+                    if (rdf) {
+                        fprintf(out, "%s", delim);
+                        delim = ",";
+                        eventlog_output_ipbytes(ldns_rdf_size(rdf), ldns_rdf_data(rdf));
+                        continue;
+                    }
+                    break;
+                }
+                default:
+                    continue;
+                }
+            }
+
+            fprintf(out, " **ERROR parsing response record**\n");
+            ldns_pkt_free(pkt);
+            ldns_buffer_free(buf);
+            return;
+        }
+    }
+
+    /*
+     * Done
+     */
+    fprintf(out, "\n");
+    ldns_pkt_free(pkt);
+    ldns_buffer_free(buf);
+}

plugins/eventlog/test1.sh

@@ -0,0 +1,22 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'eventlog.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the eventlog plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+ln -fs "$srcdir/../../src/test/dnso1tcp.pcap" dnso1tcp.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin"
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -o test1.out -o test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -s
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -t
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -n test
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin"
+../../src/dnscap -T -r dnso1tcp.pcap-dist -g -P "$plugin"

plugins/ipcrypt/Makefile.am

@@ -0,0 +1,24 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS)
+
+pkglib_LTLIBRARIES = ipcrypt.la
+ipcrypt_la_SOURCES = ipcrypt.c
+ipcrypt_la_LDFLAGS = -module -avoid-version
+
+TESTS = test1.sh test2.sh test3.sh test4.sh
+
+EXTRA_DIST = $(TESTS) test1.gold test2.gold test3.gold
+CLEANFILES += test1.out test2.out test3.out test3.pcap.20161020.152301.075993 \
+  test3.pcap.20181127.155200.414188 test4.tmp
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(ipcrypt_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif

plugins/ipcrypt/ipcrypt.c

@@ -0,0 +1,351 @@
+/*
+ * Copyright (c) 2018-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+#include "dnscap_common.h"
+
+static set_iaddr_t ipcrypt_set_iaddr = 0;
+
+static logerr_t* logerr;
+static int       only_clients = 0, only_servers = 0, dns_port = 53, iterations = 1, encrypt_v6 = 0, decrypt = 0;
+static uint8_t   key[16];
+
+/*
+ * ipcrypt based on Python and Go code at https://github.com/veorq/ipcrypt
+ * by Jean-Philippe Aumasson jeanphilippe.aumasson@gmail.com
+ */
+
+static inline uint8_t rotl(uint8_t b, int r)
+{
+    return (b << r) | (b >> (8 - r));
+}
+
+static inline void permute_fwd(uint8_t* state)
+{
+    state[0] += state[1];
+    state[2] += state[3];
+    state[1] = rotl(state[1], 2) ^ state[0];
+    state[3] = rotl(state[3], 5) ^ state[2];
+    // state[1] ^= state[0];
+    // state[3] ^= state[2];
+    state[0] = rotl(state[0], 4) + state[3];
+    // state[0] += state[3];
+    state[2] += state[1];
+    state[1] = rotl(state[1], 3) ^ state[2];
+    state[3] = rotl(state[3], 7) ^ state[0];
+    // state[1] ^= state[2];
+    // state[3] ^= state[0];
+    state[2] = rotl(state[2], 4);
+}
+
+static inline void permute_bwd(uint8_t* state)
+{
+    state[2] = rotl(state[2], 4);
+    state[1] ^= state[2];
+    state[3] ^= state[0];
+    state[1] = rotl(state[1], 5);
+    state[3] = rotl(state[3], 1);
+    state[0] -= state[3];
+    state[2] -= state[1];
+    state[0] = rotl(state[0], 4);
+    state[1] ^= state[0];
+    state[3] ^= state[2];
+    state[1] = rotl(state[1], 6);
+    state[3] = rotl(state[3], 3);
+    state[0] -= state[1];
+    state[2] -= state[3];
+}
+
+static inline void xor4(uint8_t* x, uint8_t* y)
+{
+    *(uint32_t*)x ^= *(uint32_t*)y;
+    // x[0] ^= y[0];
+    // x[1] ^= y[1];
+    // x[2] ^= y[2];
+    // x[3] ^= y[3];
+}
+
+static inline void _encrypt(uint8_t* ip)
+{
+    int i = iterations;
+    for (; i; i--) {
+        xor4(ip, key);
+        permute_fwd(ip);
+        xor4(ip, &key[4]);
+        permute_fwd(ip);
+        xor4(ip, &key[8]);
+        permute_fwd(ip);
+        xor4(ip, &key[12]);
+    }
+}
+
+static inline void _decrypt(uint8_t* ip)
+{
+    int i = iterations;
+    for (; i; i--) {
+        xor4(ip, &key[12]);
+        permute_bwd(ip);
+        xor4(ip, &key[8]);
+        permute_bwd(ip);
+        xor4(ip, &key[4]);
+        permute_bwd(ip);
+        xor4(ip, key);
+    }
+}
+
+enum plugin_type ipcrypt_type()
+{
+    return plugin_filter;
+}
+
+void usage(const char* msg)
+{
+    fprintf(stderr, "ipcrypt.so usage error: %s\n", msg);
+    exit(1);
+}
+
+void ipcrypt_usage()
+{
+    fprintf(stderr,
+        "\nipcrypt.so options:\n"
+        "\t-?            print these instructions and exit\n"
+        "\t-k <key>      A 16 character long key\n"
+        "\t-f <file>     Read the 16 first bytes from file and use as key\n"
+        "\t-D            Decrypt IP addresses\n"
+        "\t-c            Only en/de-crypt clients (port != 53)\n"
+        "\t-s            Only en/de-crypt servers (port == 53)\n"
+        "\t-p <port>     Set port for -c/-s, default 53\n"
+        "\t-i <num>      Number of en/de-cryption iterations, default 1\n"
+        "\t-6            En/de-crypt IPv6 addresses, not default or recommended\n");
+}
+
+void ipcrypt_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_SET_IADDR:
+        ipcrypt_set_iaddr = (set_iaddr_t)arg;
+        break;
+    }
+}
+
+void ipcrypt_getopt(int* argc, char** argv[])
+{
+    int           c, got_key = 0;
+    unsigned long ul;
+    char*         p;
+
+    while ((c = getopt(*argc, *argv, "?k:f:Dcsp:i:6")) != EOF) {
+        switch (c) {
+        case 'k':
+            if (strlen(optarg) != 16) {
+                usage("key must be 16 characters long");
+            }
+            memcpy(key, optarg, 16);
+            got_key = 1;
+            break;
+        case 'f': {
+            int     fd;
+            ssize_t r;
+            if ((fd = open(optarg, O_RDONLY)) < 0) {
+                perror("open()");
+                usage("unable to open key file");
+            }
+            if ((r = read(fd, key, 16)) < 0) {
+                perror("read()");
+                usage("unable to read from key file");
+            }
+            if (r != 16) {
+                usage("unable to read 16 bytes from key file");
+            }
+            close(fd);
+            got_key = 1;
+            break;
+        }
+        case 'D':
+            decrypt = 1;
+            break;
+        case 'c':
+            only_clients = 1;
+            break;
+        case 's':
+            only_servers = 1;
+            break;
+        case 'p':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul < 1U || ul > 65535U)
+                usage("port must be an integer 1..65535");
+            dns_port = (unsigned)ul;
+            break;
+        case 'i':
+            ul = strtoul(optarg, &p, 0);
+            if (*p != '\0' || ul < 1U || ul > 65535U)
+                usage("iterations must be an integer 1..65535");
+            iterations = (unsigned)ul;
+            break;
+        case '6':
+            encrypt_v6 = 1;
+            break;
+        case '?':
+            ipcrypt_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+
+    if (!got_key) {
+        usage("must have -k <key> or -f <file>");
+    }
+
+    if (only_clients && only_servers) {
+        usage("-c and -s options are mutually exclusive");
+    }
+}
+
+int ipcrypt_start(logerr_t* a_logerr)
+{
+    logerr = a_logerr;
+    return 0;
+}
+
+void ipcrypt_stop()
+{
+}
+
+int ipcrypt_open(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int ipcrypt_close(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int ipcrypt_filter(const char* descr, iaddr* from, iaddr* to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen,
+    const u_char* payload, const unsigned payloadlen)
+{
+    for (;;) {
+        if (only_clients && sport == dns_port) {
+            from = 0;
+            break;
+        }
+        if (only_servers && sport != dns_port) {
+            from = 0;
+            break;
+        }
+
+        switch (from->af) {
+        case AF_INET:
+            decrypt ? _decrypt((uint8_t*)&from->u.a4) : _encrypt((uint8_t*)&from->u.a4);
+            break;
+        case AF_INET6:
+            if (encrypt_v6) {
+                if (decrypt) {
+                    _decrypt((uint8_t*)&from->u.a6);
+                    _decrypt(((uint8_t*)&from->u.a6) + 4);
+                    _decrypt(((uint8_t*)&from->u.a6) + 8);
+                    _decrypt(((uint8_t*)&from->u.a6) + 12);
+                } else {
+                    _encrypt((uint8_t*)&from->u.a6);
+                    _encrypt(((uint8_t*)&from->u.a6) + 4);
+                    _encrypt(((uint8_t*)&from->u.a6) + 8);
+                    _encrypt(((uint8_t*)&from->u.a6) + 12);
+                }
+                break;
+            }
+        default:
+            from = 0;
+            break;
+        }
+        break;
+    }
+
+    for (;;) {
+        if (only_clients && dport == dns_port) {
+            to = 0;
+            break;
+        }
+        if (only_servers && dport != dns_port) {
+            to = 0;
+            break;
+        }
+
+        switch (to->af) {
+        case AF_INET:
+            decrypt ? _decrypt((uint8_t*)&to->u.a4) : _encrypt((uint8_t*)&to->u.a4);
+            break;
+        case AF_INET6:
+            if (encrypt_v6) {
+                if (decrypt) {
+                    _decrypt((uint8_t*)&to->u.a6);
+                    _decrypt(((uint8_t*)&to->u.a6) + 4);
+                    _decrypt(((uint8_t*)&to->u.a6) + 8);
+                    _decrypt(((uint8_t*)&to->u.a6) + 12);
+                } else {
+                    _encrypt((uint8_t*)&to->u.a6);
+                    _encrypt(((uint8_t*)&to->u.a6) + 4);
+                    _encrypt(((uint8_t*)&to->u.a6) + 8);
+                    _encrypt(((uint8_t*)&to->u.a6) + 12);
+                }
+                break;
+            }
+        default:
+            to = 0;
+            break;
+        }
+        break;
+    }
+
+    if (ipcrypt_set_iaddr && (from || to)) {
+        ipcrypt_set_iaddr(from, to);
+    }
+
+    return 0;
+}

plugins/ipcrypt/test1.sh

@@ -0,0 +1,24 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'ipcrypt.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the ipcrypt plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" 2>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -c 2>>test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -s 2>>test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k "some 16-byte key" -c -s 2>>test1.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test1.out test1.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test1.out.old > test1.out
+    rm test1.out.old
+fi
+
+diff test1.out "$srcdir/test1.gold"

plugins/ipcrypt/test2.gold

@@ -0,0 +1,33 @@
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[150a:8a55:31dc:6eac:cbc:bc41:5a09:3606].51972 [830c:987b:b17f:8b55:cbc:bc41:6b7c:2e56].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[830c:987b:b17f:8b55:cbc:bc41:6b7c:2e56].53 [150a:8a55:31dc:6eac:cbc:bc41:5a09:3606].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[150a:8a55:31dc:6eac:cbc:bc41:5a09:3606].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[2001:4860:4860::8888].53 [150a:8a55:31dc:6eac:cbc:bc41:5a09:3606].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+	[2a01:3f0:0:57::245].51972 [830c:987b:b17f:8b55:cbc:bc41:6b7c:2e56].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+	[830c:987b:b17f:8b55:cbc:bc41:6b7c:2e56].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]

plugins/ipcrypt/test2.sh

@@ -0,0 +1,30 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'ipcrypt.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the ipcrypt plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 -k "some 16-byte key" 2>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 -k "some 16-byte key" -c 2>>test2.out
+../../src/dnscap -r dns6.pcap-dist -g -P "$plugin" -6 -k "some 16-byte key" -s 2>>test2.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test2.out test2.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test2.out.old > test2.out
+    rm test2.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test2.out | \
+  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+  sed 's%,CLASS512,OPT,%,512,512,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test2.new
+mv test2.new test2.out
+
+diff test2.out "$srcdir/test2.gold"

plugins/ipcrypt/test3.gold

@@ -0,0 +1,725 @@
+[56] 2016-10-20 15:23:01.075993 [#0 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].53199 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59311,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.077982 [#1 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].53199  \
+	dns QUERY,NOERROR,59311,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns4.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[73] 2016-10-20 15:23:01.082865 [#2 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].57822 [8.8.8.8].53  \
+	dns QUERY,NOERROR,35665,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:01.084107 [#3 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].57822  \
+	dns QUERY,NOERROR,35665,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10 \
+	ns2.google.com.,IN,A,157880,216.239.34.10
+[56] 2016-10-20 15:23:01.087291 [#4 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].40043 [8.8.8.8].53  \
+	dns QUERY,NOERROR,5337,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:01.088733 [#5 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].40043  \
+	dns QUERY,NOERROR,5337,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,44,216.58.218.206 \
+	4 google.com.,IN,NS,157880,ns1.google.com. \
+	google.com.,IN,NS,157880,ns2.google.com. \
+	google.com.,IN,NS,157880,ns3.google.com. \
+	google.com.,IN,NS,157880,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157880,216.239.34.10 \
+	ns1.google.com.,IN,A,331882,216.239.32.10 \
+	ns3.google.com.,IN,A,157880,216.239.36.10 \
+	ns4.google.com.,IN,A,157880,216.239.38.10
+[56] 2016-10-20 15:23:10.322117 [#6 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].37953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22982,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:10.323399 [#7 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].37953  \
+	dns QUERY,NOERROR,22982,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,34,216.58.218.206 \
+	4 google.com.,IN,NS,157870,ns4.google.com. \
+	google.com.,IN,NS,157870,ns1.google.com. \
+	google.com.,IN,NS,157870,ns2.google.com. \
+	google.com.,IN,NS,157870,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157870,216.239.34.10 \
+	ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10
+[73] 2016-10-20 15:23:10.328324 [#8 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].48658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18718,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:10.329572 [#9 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].48658  \
+	dns QUERY,NOERROR,18718,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331872,216.239.32.10 \
+	ns3.google.com.,IN,A,157870,216.239.36.10 \
+	ns4.google.com.,IN,A,157870,216.239.38.10 \
+	ns2.google.com.,IN,A,157870,216.239.34.10
+[56] 2016-10-20 15:23:52.860937 [#10 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].40953 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22531,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:52.863771 [#11 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].40953  \
+	dns QUERY,NOERROR,22531,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,297,216.58.218.206 \
+	4 google.com.,IN,NS,157828,ns2.google.com. \
+	google.com.,IN,NS,157828,ns4.google.com. \
+	google.com.,IN,NS,157828,ns1.google.com. \
+	google.com.,IN,NS,157828,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157828,216.239.34.10 \
+	ns1.google.com.,IN,A,331830,216.239.32.10 \
+	ns3.google.com.,IN,A,157828,216.239.36.10 \
+	ns4.google.com.,IN,A,157828,216.239.38.10
+[56] 2016-10-20 15:23:59.083869 [#12 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].45174 [8.8.8.8].53  \
+	dns QUERY,NOERROR,58510,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:23:59.086104 [#13 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].45174  \
+	dns QUERY,NOERROR,58510,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,291,216.58.218.206 \
+	4 google.com.,IN,NS,157822,ns2.google.com. \
+	google.com.,IN,NS,157822,ns3.google.com. \
+	google.com.,IN,NS,157822,ns1.google.com. \
+	google.com.,IN,NS,157822,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157822,216.239.34.10 \
+	ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10
+[73] 2016-10-20 15:23:59.090911 [#14 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].33916 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45248,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:23:59.092204 [#15 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].33916  \
+	dns QUERY,NOERROR,45248,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331824,216.239.32.10 \
+	ns3.google.com.,IN,A,157822,216.239.36.10 \
+	ns4.google.com.,IN,A,157822,216.239.38.10 \
+	ns2.google.com.,IN,A,157822,216.239.34.10
+[56] 2016-10-20 15:24:04.323868 [#16 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].43559 [8.8.8.8].53  \
+	dns QUERY,NOERROR,49483,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:04.325597 [#17 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].43559  \
+	dns QUERY,NOERROR,49483,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,285,216.58.218.206 \
+	4 google.com.,IN,NS,157816,ns4.google.com. \
+	google.com.,IN,NS,157816,ns3.google.com. \
+	google.com.,IN,NS,157816,ns1.google.com. \
+	google.com.,IN,NS,157816,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157816,216.239.34.10 \
+	ns1.google.com.,IN,A,331818,216.239.32.10 \
+	ns3.google.com.,IN,A,157816,216.239.36.10 \
+	ns4.google.com.,IN,A,157816,216.239.38.10
+[56] 2016-10-20 15:24:06.332239 [#18 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].54859 [8.8.8.8].53  \
+	dns QUERY,NOERROR,31669,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:06.333743 [#19 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].54859  \
+	dns QUERY,NOERROR,31669,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,283,216.58.218.206 \
+	4 google.com.,IN,NS,157814,ns2.google.com. \
+	google.com.,IN,NS,157814,ns1.google.com. \
+	google.com.,IN,NS,157814,ns4.google.com. \
+	google.com.,IN,NS,157814,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157814,216.239.34.10 \
+	ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10
+[73] 2016-10-20 15:24:06.339145 [#20 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].58176 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25433,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:06.340820 [#21 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].58176  \
+	dns QUERY,NOERROR,25433,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331816,216.239.32.10 \
+	ns3.google.com.,IN,A,157814,216.239.36.10 \
+	ns4.google.com.,IN,A,157814,216.239.38.10 \
+	ns2.google.com.,IN,A,157814,216.239.34.10
+[56] 2016-10-20 15:24:07.346429 [#22 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].41266 [8.8.8.8].53  \
+	dns QUERY,NOERROR,63798,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:07.348160 [#23 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].41266  \
+	dns QUERY,NOERROR,63798,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,282,216.58.218.206 \
+	4 google.com.,IN,NS,157813,ns4.google.com. \
+	google.com.,IN,NS,157813,ns1.google.com. \
+	google.com.,IN,NS,157813,ns3.google.com. \
+	google.com.,IN,NS,157813,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157813,216.239.34.10 \
+	ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10
+[73] 2016-10-20 15:24:07.353123 [#24 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].34607 [8.8.8.8].53  \
+	dns QUERY,NOERROR,8470,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:07.354682 [#25 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].34607  \
+	dns QUERY,NOERROR,8470,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331815,216.239.32.10 \
+	ns3.google.com.,IN,A,157813,216.239.36.10 \
+	ns4.google.com.,IN,A,157813,216.239.38.10 \
+	ns2.google.com.,IN,A,157813,216.239.34.10
+[56] 2016-10-20 15:24:08.360528 [#26 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60437 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60258,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:08.362206 [#27 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60437  \
+	dns QUERY,NOERROR,60258,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,281,216.58.218.206 \
+	4 google.com.,IN,NS,157812,ns3.google.com. \
+	google.com.,IN,NS,157812,ns2.google.com. \
+	google.com.,IN,NS,157812,ns4.google.com. \
+	google.com.,IN,NS,157812,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157812,216.239.34.10 \
+	ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10
+[73] 2016-10-20 15:24:08.368516 [#28 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].37149 [8.8.8.8].53  \
+	dns QUERY,NOERROR,44985,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:08.370119 [#29 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].37149  \
+	dns QUERY,NOERROR,44985,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331814,216.239.32.10 \
+	ns3.google.com.,IN,A,157812,216.239.36.10 \
+	ns4.google.com.,IN,A,157812,216.239.38.10 \
+	ns2.google.com.,IN,A,157812,216.239.34.10
+[56] 2016-10-20 15:24:09.375942 [#30 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].53820 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45512,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:09.378425 [#31 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].53820  \
+	dns QUERY,NOERROR,45512,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,280,216.58.218.206 \
+	4 google.com.,IN,NS,157811,ns3.google.com. \
+	google.com.,IN,NS,157811,ns4.google.com. \
+	google.com.,IN,NS,157811,ns1.google.com. \
+	google.com.,IN,NS,157811,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157811,216.239.34.10 \
+	ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10
+[73] 2016-10-20 15:24:09.384057 [#32 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].52368 [8.8.8.8].53  \
+	dns QUERY,NOERROR,22980,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:09.385463 [#33 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].52368  \
+	dns QUERY,NOERROR,22980,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331813,216.239.32.10 \
+	ns3.google.com.,IN,A,157811,216.239.36.10 \
+	ns4.google.com.,IN,A,157811,216.239.38.10 \
+	ns2.google.com.,IN,A,157811,216.239.34.10
+[56] 2016-10-20 15:24:10.391358 [#34 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].47637 [8.8.8.8].53  \
+	dns QUERY,NOERROR,1834,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:10.392886 [#35 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].47637  \
+	dns QUERY,NOERROR,1834,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,279,216.58.218.206 \
+	4 google.com.,IN,NS,157810,ns1.google.com. \
+	google.com.,IN,NS,157810,ns2.google.com. \
+	google.com.,IN,NS,157810,ns4.google.com. \
+	google.com.,IN,NS,157810,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157810,216.239.34.10 \
+	ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10
+[73] 2016-10-20 15:24:10.398099 [#36 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].34426 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25431,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:10.400317 [#37 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].34426  \
+	dns QUERY,NOERROR,25431,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331812,216.239.32.10 \
+	ns3.google.com.,IN,A,157810,216.239.36.10 \
+	ns4.google.com.,IN,A,157810,216.239.38.10 \
+	ns2.google.com.,IN,A,157810,216.239.34.10
+[56] 2016-10-20 15:24:11.406297 [#38 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].41059 [8.8.8.8].53  \
+	dns QUERY,NOERROR,48432,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:11.407460 [#39 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].41059  \
+	dns QUERY,NOERROR,48432,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,278,216.58.218.206 \
+	4 google.com.,IN,NS,157809,ns3.google.com. \
+	google.com.,IN,NS,157809,ns4.google.com. \
+	google.com.,IN,NS,157809,ns2.google.com. \
+	google.com.,IN,NS,157809,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157809,216.239.34.10 \
+	ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10
+[73] 2016-10-20 15:24:11.412133 [#40 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].51181 [8.8.8.8].53  \
+	dns QUERY,NOERROR,47411,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:11.413370 [#41 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].51181  \
+	dns QUERY,NOERROR,47411,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331811,216.239.32.10 \
+	ns3.google.com.,IN,A,157809,216.239.36.10 \
+	ns4.google.com.,IN,A,157809,216.239.38.10 \
+	ns2.google.com.,IN,A,157809,216.239.34.10
+[56] 2016-10-20 15:24:12.419936 [#42 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].32976 [8.8.8.8].53  \
+	dns QUERY,NOERROR,12038,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:12.421228 [#43 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].32976  \
+	dns QUERY,NOERROR,12038,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,277,216.58.218.206 \
+	4 google.com.,IN,NS,157808,ns2.google.com. \
+	google.com.,IN,NS,157808,ns3.google.com. \
+	google.com.,IN,NS,157808,ns1.google.com. \
+	google.com.,IN,NS,157808,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157808,216.239.34.10 \
+	ns1.google.com.,IN,A,331810,216.239.32.10 \
+	ns3.google.com.,IN,A,157808,216.239.36.10 \
+	ns4.google.com.,IN,A,157808,216.239.38.10
+[56] 2016-10-20 15:24:14.428524 [#44 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].53467 [8.8.8.8].53  \
+	dns QUERY,NOERROR,11614,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:14.429863 [#45 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].53467  \
+	dns QUERY,NOERROR,11614,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,275,216.58.218.206 \
+	4 google.com.,IN,NS,157806,ns3.google.com. \
+	google.com.,IN,NS,157806,ns1.google.com. \
+	google.com.,IN,NS,157806,ns4.google.com. \
+	google.com.,IN,NS,157806,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157806,216.239.34.10 \
+	ns1.google.com.,IN,A,331808,216.239.32.10 \
+	ns3.google.com.,IN,A,157806,216.239.36.10 \
+	ns4.google.com.,IN,A,157806,216.239.38.10
+[56] 2016-10-20 15:24:16.435733 [#46 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].41532 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59173,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:16.437471 [#47 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].41532  \
+	dns QUERY,NOERROR,59173,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,273,216.58.218.206 \
+	4 google.com.,IN,NS,157804,ns1.google.com. \
+	google.com.,IN,NS,157804,ns3.google.com. \
+	google.com.,IN,NS,157804,ns2.google.com. \
+	google.com.,IN,NS,157804,ns4.google.com. \
+	4 ns2.google.com.,IN,A,157804,216.239.34.10 \
+	ns1.google.com.,IN,A,331806,216.239.32.10 \
+	ns3.google.com.,IN,A,157804,216.239.36.10 \
+	ns4.google.com.,IN,A,157804,216.239.38.10
+[56] 2016-10-20 15:24:18.445519 [#48 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].44982 [8.8.8.8].53  \
+	dns QUERY,NOERROR,45535,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:18.446775 [#49 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].44982  \
+	dns QUERY,NOERROR,45535,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,271,216.58.218.206 \
+	4 google.com.,IN,NS,157802,ns4.google.com. \
+	google.com.,IN,NS,157802,ns2.google.com. \
+	google.com.,IN,NS,157802,ns1.google.com. \
+	google.com.,IN,NS,157802,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157802,216.239.34.10 \
+	ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10
+[73] 2016-10-20 15:24:18.452451 [#50 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].40224 [8.8.8.8].53  \
+	dns QUERY,NOERROR,60808,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:18.454030 [#51 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].40224  \
+	dns QUERY,NOERROR,60808,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331804,216.239.32.10 \
+	ns3.google.com.,IN,A,157802,216.239.36.10 \
+	ns4.google.com.,IN,A,157802,216.239.38.10 \
+	ns2.google.com.,IN,A,157802,216.239.34.10
+[56] 2016-10-20 15:24:19.460087 [#52 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].45658 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64325,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:19.462224 [#53 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].45658  \
+	dns QUERY,NOERROR,64325,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,270,216.58.218.206 \
+	4 google.com.,IN,NS,157801,ns1.google.com. \
+	google.com.,IN,NS,157801,ns3.google.com. \
+	google.com.,IN,NS,157801,ns4.google.com. \
+	google.com.,IN,NS,157801,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157801,216.239.34.10 \
+	ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10
+[73] 2016-10-20 15:24:19.467324 [#54 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60457 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25543,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:19.468895 [#55 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60457  \
+	dns QUERY,NOERROR,25543,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331803,216.239.32.10 \
+	ns3.google.com.,IN,A,157801,216.239.36.10 \
+	ns4.google.com.,IN,A,157801,216.239.38.10 \
+	ns2.google.com.,IN,A,157801,216.239.34.10
+[56] 2016-10-20 15:24:20.475086 [#56 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].59762 [8.8.8.8].53  \
+	dns QUERY,NOERROR,20736,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:20.476841 [#57 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].59762  \
+	dns QUERY,NOERROR,20736,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,269,216.58.218.206 \
+	4 google.com.,IN,NS,157800,ns3.google.com. \
+	google.com.,IN,NS,157800,ns1.google.com. \
+	google.com.,IN,NS,157800,ns4.google.com. \
+	google.com.,IN,NS,157800,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157800,216.239.34.10 \
+	ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10
+[73] 2016-10-20 15:24:20.482188 [#58 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].56022 [8.8.8.8].53  \
+	dns QUERY,NOERROR,25911,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:20.483927 [#59 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].56022  \
+	dns QUERY,NOERROR,25911,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
+	4 ns1.google.com.,IN,A,331802,216.239.32.10 \
+	ns3.google.com.,IN,A,157800,216.239.36.10 \
+	ns4.google.com.,IN,A,157800,216.239.38.10 \
+	ns2.google.com.,IN,A,157800,216.239.34.10
+[56] 2016-10-20 15:24:21.489468 [#60 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].37669 [8.8.8.8].53  \
+	dns QUERY,NOERROR,64358,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:21.490573 [#61 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].37669  \
+	dns QUERY,NOERROR,64358,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,268,216.58.218.206 \
+	4 google.com.,IN,NS,157799,ns2.google.com. \
+	google.com.,IN,NS,157799,ns1.google.com. \
+	google.com.,IN,NS,157799,ns4.google.com. \
+	google.com.,IN,NS,157799,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157799,216.239.34.10 \
+	ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10
+[73] 2016-10-20 15:24:21.495324 [#62 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].42978 [8.8.8.8].53  \
+	dns QUERY,NOERROR,37698,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:21.496815 [#63 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].42978  \
+	dns QUERY,NOERROR,37698,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331801,216.239.32.10 \
+	ns3.google.com.,IN,A,157799,216.239.36.10 \
+	ns4.google.com.,IN,A,157799,216.239.38.10 \
+	ns2.google.com.,IN,A,157799,216.239.34.10
+[56] 2016-10-20 15:24:22.502667 [#64 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].49829 [8.8.8.8].53  \
+	dns QUERY,NOERROR,54706,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:22.504738 [#65 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].49829  \
+	dns QUERY,NOERROR,54706,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,267,216.58.218.206 \
+	4 google.com.,IN,NS,157798,ns2.google.com. \
+	google.com.,IN,NS,157798,ns4.google.com. \
+	google.com.,IN,NS,157798,ns3.google.com. \
+	google.com.,IN,NS,157798,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157798,216.239.34.10 \
+	ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10
+[73] 2016-10-20 15:24:22.510176 [#66 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].50599 [8.8.8.8].53  \
+	dns QUERY,NOERROR,32142,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:22.511746 [#67 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].50599  \
+	dns QUERY,NOERROR,32142,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
+	4 ns1.google.com.,IN,A,331800,216.239.32.10 \
+	ns3.google.com.,IN,A,157798,216.239.36.10 \
+	ns4.google.com.,IN,A,157798,216.239.38.10 \
+	ns2.google.com.,IN,A,157798,216.239.34.10
+[56] 2016-10-20 15:24:23.520203 [#68 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].44980 [8.8.8.8].53  \
+	dns QUERY,NOERROR,41808,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:23.521976 [#69 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].44980  \
+	dns QUERY,NOERROR,41808,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,266,216.58.218.206 \
+	4 google.com.,IN,NS,157797,ns2.google.com. \
+	google.com.,IN,NS,157797,ns4.google.com. \
+	google.com.,IN,NS,157797,ns1.google.com. \
+	google.com.,IN,NS,157797,ns3.google.com. \
+	4 ns2.google.com.,IN,A,157797,216.239.34.10 \
+	ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10
+[73] 2016-10-20 15:24:23.527449 [#70 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60063 [8.8.8.8].53  \
+	dns QUERY,NOERROR,18886,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:23.529385 [#71 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60063  \
+	dns QUERY,NOERROR,18886,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331799,216.239.32.10 \
+	ns3.google.com.,IN,A,157797,216.239.36.10 \
+	ns4.google.com.,IN,A,157797,216.239.38.10 \
+	ns2.google.com.,IN,A,157797,216.239.34.10
+[56] 2016-10-20 15:24:24.537264 [#72 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].42042 [8.8.8.8].53  \
+	dns QUERY,NOERROR,10624,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:24.539398 [#73 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].42042  \
+	dns QUERY,NOERROR,10624,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,265,216.58.218.206 \
+	4 google.com.,IN,NS,157796,ns3.google.com. \
+	google.com.,IN,NS,157796,ns4.google.com. \
+	google.com.,IN,NS,157796,ns1.google.com. \
+	google.com.,IN,NS,157796,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157796,216.239.34.10 \
+	ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10
+[73] 2016-10-20 15:24:24.544538 [#74 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].60469 [8.8.8.8].53  \
+	dns QUERY,NOERROR,33139,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:24.546172 [#75 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].60469  \
+	dns QUERY,NOERROR,33139,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
+	4 ns1.google.com.,IN,A,331798,216.239.32.10 \
+	ns3.google.com.,IN,A,157796,216.239.36.10 \
+	ns4.google.com.,IN,A,157796,216.239.38.10 \
+	ns2.google.com.,IN,A,157796,216.239.34.10
+[56] 2016-10-20 15:24:25.554744 [#76 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].45703 [8.8.8.8].53  \
+	dns QUERY,NOERROR,61415,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:25.556513 [#77 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].45703  \
+	dns QUERY,NOERROR,61415,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,264,216.58.218.206 \
+	4 google.com.,IN,NS,157795,ns3.google.com. \
+	google.com.,IN,NS,157795,ns4.google.com. \
+	google.com.,IN,NS,157795,ns2.google.com. \
+	google.com.,IN,NS,157795,ns1.google.com. \
+	4 ns2.google.com.,IN,A,157795,216.239.34.10 \
+	ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10
+[73] 2016-10-20 15:24:25.562608 [#78 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].33507 [8.8.8.8].53  \
+	dns QUERY,NOERROR,59258,rd \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
+[289] 2016-10-20 15:24:25.564509 [#79 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].33507  \
+	dns QUERY,NOERROR,59258,qr|rd|ra \
+	1 206.218.58.216.in-addr.arpa.,IN,PTR \
+	2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
+	206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
+	4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
+	218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
+	4 ns1.google.com.,IN,A,331797,216.239.32.10 \
+	ns3.google.com.,IN,A,157795,216.239.36.10 \
+	ns4.google.com.,IN,A,157795,216.239.38.10 \
+	ns2.google.com.,IN,A,157795,216.239.34.10
+[56] 2016-10-20 15:24:26.572784 [#80 test3.pcap.20161020.152301.075993 4095] \
+	[172.17.0.10].46798 [8.8.8.8].53  \
+	dns QUERY,NOERROR,17700,rd \
+	1 google.com.,IN,A 0 0 0
+[208] 2016-10-20 15:24:26.574350 [#81 test3.pcap.20161020.152301.075993 4095] \
+	[8.8.8.8].53 [172.17.0.10].46798  \
+	dns QUERY,NOERROR,17700,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,263,216.58.218.206 \
+	4 google.com.,IN,NS,157794,ns1.google.com. \
+	google.com.,IN,NS,157794,ns4.google.com. \
+	google.com.,IN,NS,157794,ns3.google.com. \
+	google.com.,IN,NS,157794,ns2.google.com. \
+	4 ns2.google.com.,IN,A,157794,216.239.34.10 \
+	ns1.google.com.,IN,A,331796,216.239.32.10 \
+	ns3.google.com.,IN,A,157794,216.239.36.10 \
+	ns4.google.com.,IN,A,157794,216.239.38.10
+[87] 2018-11-27 15:52:00.414188 [#0 test3.pcap.20181127.155200.414188 4095] \
+	[2a01:3f0:0:57::245].51972 [2001:4860:4860::8888].53  \
+	dns QUERY,NOERROR,51420,rd|ad \
+	1 google.com.,IN,A 0 0 \
+	1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 test3.pcap.20181127.155200.414188 4095] \
+	[2001:4860:4860::8888].53 [2a01:3f0:0:57::245].51972  \
+	dns QUERY,NOERROR,51420,qr|rd|ra \
+	1 google.com.,IN,A \
+	1 google.com.,IN,A,299,172.217.20.46 0 \
+	1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]

plugins/ipcrypt/test3.sh

@@ -0,0 +1,32 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'ipcrypt.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the ipcrypt plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+ln -fs "$srcdir/../../src/test/dns6.pcap" dns6.pcap-dist
+
+../../src/dnscap -w test3.pcap -r dns.pcap-dist -P "$plugin" -k "some 16-byte key" 2>test3.out
+../../src/dnscap -w test3.pcap -r dns6.pcap-dist -P "$plugin" -k "some 16-byte key" -6 2>>test3.out
+../../src/dnscap -r test3.pcap.20161020.152301.075993 -g -P "$plugin" -k "some 16-byte key" -D 2>>test3.out
+../../src/dnscap -r test3.pcap.20181127.155200.414188 -g -P "$plugin" -k "some 16-byte key" -6 -D 2>>test3.out
+
+osrel=`uname -s`
+if [ "$osrel" = "OpenBSD" ]; then
+    mv test3.out test3.out.old
+    grep -v "^dnscap.*WARNING.*symbol.*relink" test3.out.old > test3.out
+    rm test3.out.old
+fi
+
+# TODO: Remove when #133 is fixed
+cat test3.out | \
+  sed 's%,CLASS4096,OPT,%,4096,4096,%' | \
+  sed 's%,CLASS512,OPT,%,512,512,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=4096,%,4096,4096,0,edns0[len=0,UDP=4096,%' | \
+  sed 's%,41,41,0,edns0\[len=0,UDP=512,%,512,512,0,edns0[len=0,UDP=512,%' >test3.new
+mv test3.new test3.out
+
+diff test3.out "$srcdir/test3.gold"

plugins/ipcrypt/test4.sh

@@ -0,0 +1,21 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'ipcrypt.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the ipcrypt plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k tooshort
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -f does_not_exist
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -i 0
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 0
+rm -f test4.tmp
+touch test4.tmp
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -f test4.tmp
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -p 1 -i 1 -f "$srcdir/test4.sh"

plugins/pcapdump/Makefile.am

@@ -0,0 +1,22 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS)
+
+pkglib_LTLIBRARIES = pcapdump.la
+pcapdump_la_SOURCES = pcapdump.c
+pcapdump_la_LDFLAGS = -module -avoid-version
+
+TESTS = test1.sh
+EXTRA_DIST = $(TESTS)
+CLEANFILES += test1.out* *.pcap-dist
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(pcapdump_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif

plugins/pcapdump/pcapdump.c

@@ -0,0 +1,262 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <pcap.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <assert.h>
+#include <sys/wait.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#if HAVE_ARPA_NAMESER_COMPAT_H
+#include <arpa/nameser_compat.h>
+#endif
+
+#include "dnscap_common.h"
+
+#define SNAPLEN 65536
+#define THOUSAND 1000
+#define MILLION (THOUSAND * THOUSAND)
+
+output_t pcapdump_output;
+
+static logerr_t*      logerr       = 0;
+char*                 dump_base    = 0;
+static int            to_stdout    = 0;
+static int            dbg_lvl      = 0;
+static char*          dumpname     = 0;
+static char*          dumpnamepart = 0;
+static pcap_t*        pcap_dead    = 0;
+static pcap_dumper_t* dumper       = 0;
+static char*          kick_cmd     = 0;
+static int            flush        = 0;
+static int            dir_wanted   = DIR_INITIATE | DIR_RESPONSE;
+
+void pcapdump_usage()
+{
+    fprintf(stderr,
+        "\npcapdump.so options:\n"
+        "\t-?         print these instructions and exit\n"
+        "\t-d         increase debugging\n"
+        "\t-f         flush output on every packet\n"
+        "\t-k <cmd>   kick off <cmd> when each dump closes\n"
+        "\t-s [ir]    select sides: initiations, responses\n"
+        "\t-w <base>  dump to <base>.<timesec>.<timeusec>\n");
+}
+
+void pcapdump_getopt(int* argc, char** argv[])
+{
+    int         c;
+    int         u;
+    const char* p;
+    while ((c = getopt(*argc, *argv, "?dfk:s:w:")) != EOF) {
+        switch (c) {
+        case 'd':
+            dbg_lvl++;
+            break;
+        case 'f':
+            flush = 1;
+            break;
+        case 'k':
+            if (kick_cmd)
+                free(kick_cmd);
+            kick_cmd = strdup(optarg);
+            break;
+        case 's':
+            u = 0;
+            for (p = optarg; *p; p++)
+                switch (*p) {
+                case 'i':
+                    u |= DIR_INITIATE;
+                    break;
+                case 'r':
+                    u |= DIR_RESPONSE;
+                    break;
+                default:
+                    fprintf(stderr, "-s takes only [ir]\n");
+                    pcapdump_usage();
+                    break;
+                }
+            dir_wanted = u;
+            break;
+        case 'w':
+            if (!strcmp(optarg, "-"))
+                to_stdout = 1;
+            else {
+                if (dump_base)
+                    free(dump_base);
+                dump_base = strdup(optarg);
+            }
+            break;
+        case '?':
+            pcapdump_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+    if (!to_stdout && !dump_base) {
+        fprintf(stderr, "-w basename argument is required\n");
+        pcapdump_usage();
+        exit(1);
+    }
+    if (to_stdout && kick_cmd) {
+        fprintf(stderr, "Can't use -k when dumping to stdout\n");
+        pcapdump_usage();
+        exit(1);
+    }
+}
+
+int pcapdump_start(logerr_t* a_logerr)
+{
+    logerr    = a_logerr;
+    pcap_dead = pcap_open_dead(DLT_RAW, SNAPLEN);
+    return 0;
+}
+
+void pcapdump_stop()
+{
+    pcap_close(pcap_dead);
+    pcap_dead = 0;
+}
+
+int pcapdump_open(my_bpftimeval ts)
+{
+    const char* t = NULL;
+    if (to_stdout) {
+        t = "-";
+    } else {
+        char      sbuf[64];
+        struct tm tm;
+        while (ts.tv_usec >= MILLION) {
+            ts.tv_sec++;
+            ts.tv_usec -= MILLION;
+        }
+        gmtime_r((time_t*)&ts.tv_sec, &tm);
+        strftime(sbuf, 64, "%Y%m%d.%H%M%S", &tm);
+        if (asprintf(&dumpname, "%s.%s.%06lu",
+                dump_base, sbuf, (u_long)ts.tv_usec)
+                < 0
+            || asprintf(&dumpnamepart, "%s.part", dumpname) < 0) {
+            logerr("asprintf: %s", strerror(errno));
+            return 1;
+        }
+        t = dumpnamepart;
+    }
+    dumper = pcap_dump_open(pcap_dead, t);
+    if (dumper == NULL) {
+        logerr("pcap dump open: %s", pcap_geterr(pcap_dead));
+        return 1;
+    }
+    return 0;
+}
+
+int pcapdump_close(my_bpftimeval ts)
+{
+    int ret = 0;
+#if 0
+    if (print_pcap_stats)
+    do_pcap_stats();
+#endif
+    pcap_dump_close(dumper);
+    dumper = 0;
+    if (to_stdout) {
+        assert(dumpname == 0);
+        assert(dumpnamepart == 0);
+        if (dbg_lvl >= 1)
+            logerr("breaking");
+        ret = 0;
+    } else {
+        char* cmd = NULL;
+        if (dbg_lvl >= 1)
+            logerr("closing %s", dumpname);
+        if (rename(dumpnamepart, dumpname)) {
+            logerr("rename: %s", strerror(errno));
+            return 1;
+        }
+        if (kick_cmd != NULL)
+            if (asprintf(&cmd, "%s %s &", kick_cmd, dumpname) < 0) {
+                logerr("asprintf: %s", strerror(errno));
+                cmd = NULL;
+            }
+        free(dumpnamepart);
+        dumpnamepart = NULL;
+        free(dumpname);
+        dumpname = NULL;
+        if (cmd != NULL) {
+            int x = system(cmd);
+            if (x) {
+                logerr("system %s returned %d", cmd, x);
+            }
+            free(cmd);
+        }
+        if (kick_cmd == NULL)
+            ret = 0;
+    }
+    return ret;
+}
+
+void pcapdump_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen, const u_char* payload, const unsigned payloadlen)
+{
+    struct pcap_pkthdr h;
+    if (flags & DNSCAP_OUTPUT_ISLAYER)
+        return;
+    if (flags & DNSCAP_OUTPUT_ISDNS) {
+        HEADER* dns = (HEADER*)payload;
+        if (0 == dns->qr && 0 == (dir_wanted & DIR_INITIATE))
+            return;
+        if (1 == dns->qr && 0 == (dir_wanted & DIR_RESPONSE))
+            return;
+    }
+    memset(&h, 0, sizeof h);
+    h.ts  = ts;
+    h.len = h.caplen = olen;
+    pcap_dump((u_char*)dumper, &h, pkt_copy);
+    if (flush)
+        pcap_dump_flush(dumper);
+}

plugins/pcapdump/test1.sh

@@ -0,0 +1,16 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'pcapdump.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the pcapdump plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -dddd -w test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -dddd -f -w test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -dddd -s r -w test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -dddd -s i -w test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X

plugins/royparse/Makefile.am

@@ -0,0 +1,22 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS)
+
+pkglib_LTLIBRARIES = royparse.la
+royparse_la_SOURCES = royparse.c
+royparse_la_LDFLAGS = -module -avoid-version
+
+TESTS = test1.sh
+EXTRA_DIST = $(TESTS)
+CLEANFILES += test1.out* *.pcap-dist
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(royparse_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif

plugins/royparse/royparse.c

@@ -0,0 +1,272 @@
+/*
+ * Author Roy Arends
+ *
+ * Copyright (c) 2017-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netinet/in.h>
+
+#include "dnscap_common.h"
+
+#include <errno.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <pcap.h>
+#include <ldns/ldns.h>
+
+static logerr_t* logerr;
+static char*     opt_q = 0;
+static char*     opt_r = 0;
+
+pcap_t*        pcap;
+pcap_dumper_t* q_out = 0;
+static FILE*   r_out = 0;
+
+output_t royparse_output;
+ia_str_t royparse_ia_str = 0;
+
+void royparse_usage()
+{
+    fprintf(stderr,
+        "\nroyparse splits a pcap into two streams: queries in pcap format and responses in ASCII format.\n"
+        "\nroyparse.so options:\n"
+        "\t-?         print these instructions and exit\n"
+        "\t-q <arg>   query pcap stream output file name (default: no output)\n"
+        "\t-r <arg>   royparse output file name (default: stdout)\n");
+}
+
+void royparse_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_IA_STR:
+        royparse_ia_str = (ia_str_t)arg;
+        break;
+    }
+}
+
+void royparse_getopt(int* argc, char** argv[])
+{
+    int c;
+
+    while ((c = getopt(*argc, *argv, "?q:r:")) != EOF) {
+        switch (c) {
+        case 'q':
+            if (opt_q)
+                free(opt_q);
+            opt_q = strdup(optarg);
+            break;
+        case 'r':
+            if (opt_r)
+                free(opt_r);
+            opt_r = strdup(optarg);
+            break;
+        case '?':
+            royparse_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+}
+
+int royparse_start(logerr_t* a_logerr)
+{
+    logerr = a_logerr;
+
+    if (opt_q) {
+        pcap  = pcap_open_dead(DLT_RAW, 65535);
+        q_out = pcap_dump_open(pcap, opt_q);
+        if (q_out == 0) {
+            logerr("%s: %s\n", opt_q, strerror(errno));
+            exit(1);
+        }
+    }
+    if (opt_r) {
+        r_out = fopen(opt_r, "w");
+        if (r_out == 0) {
+            logerr("%s: %s\n", opt_r, strerror(errno));
+            exit(1);
+        }
+    } else {
+        r_out = stdout;
+    }
+    setbuf(r_out, 0);
+
+    return 0;
+}
+
+void royparse_stop()
+{
+    if (q_out != 0) {
+        pcap_close(pcap);
+        pcap_dump_close(q_out);
+    }
+    if (r_out != stdout)
+        fclose(r_out);
+}
+
+int royparse_open(my_bpftimeval ts)
+{
+    return 0;
+}
+
+int royparse_close(my_bpftimeval ts)
+{
+    return 0;
+}
+
+void royparse_normalize(char* str)
+{
+    /*
+     * The "normalize" function converts upper case characters to lower case,
+     * and replaces the space and comma characters with a question mark.
+     */
+
+    for (; *str; str++) {
+        if (('A' <= *str) && (*str <= 'Z')) {
+            *str |= 32;
+        } else if ((*str == ',') || (*str == ' ')) {
+            *str = '?';
+        }
+    }
+}
+
+void royparse_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, unsigned olen,
+    const u_char* payload, unsigned payloadlen)
+{
+    if (flags & DNSCAP_OUTPUT_ISDNS) {
+        ldns_buffer* buf = ldns_buffer_new(512);
+        if (!buf) {
+            logerr("out of memmory\n");
+            exit(1);
+        }
+
+        ldns_pkt* pkt;
+        if (ldns_wire2pkt(&pkt, payload, payloadlen) != LDNS_STATUS_OK) {
+            fprintf(r_out, "ERR\n");
+            ldns_buffer_free(buf);
+            return;
+        }
+        if (ldns_pkt_qr(pkt) && sport == 53) {
+            fprintf(r_out, "%cD_", ldns_pkt_rd(pkt) ? 'R' : 'N');
+
+            switch (ldns_pkt_get_opcode(pkt)) {
+            case LDNS_PACKET_QUERY:
+                fprintf(r_out, "QUERY");
+                break;
+            case LDNS_PACKET_NOTIFY:
+                fprintf(r_out, "NOTIFY");
+                break;
+            case LDNS_PACKET_UPDATE:
+                fprintf(r_out, "UPDATE");
+                break;
+            default:
+                fprintf(r_out, "ELSE");
+            }
+
+            fprintf(r_out, "_%u_%cA_", ldns_pkt_ancount(pkt) ? 1 : 0, ldns_pkt_aa(pkt) ? 'A' : 'N');
+
+            switch (ldns_pkt_get_rcode(pkt)) {
+            case LDNS_RCODE_NOERROR:
+                fprintf(r_out, "NOERROR");
+                break;
+            case LDNS_RCODE_FORMERR:
+                fprintf(r_out, "FORMERR");
+                break;
+            case LDNS_RCODE_NXDOMAIN:
+                fprintf(r_out, "NXDOMAIN");
+                break;
+            case LDNS_RCODE_NOTIMPL:
+                fprintf(r_out, "NOTIMP");
+                break;
+            case LDNS_RCODE_REFUSED:
+                fprintf(r_out, "REFUSED");
+                break;
+            case LDNS_RCODE_NOTAUTH:
+                fprintf(r_out, "NOTAUTH");
+                break;
+            default:
+                fprintf(r_out, "ELSE");
+            }
+
+            fprintf(r_out, " %s,", royparse_ia_str(to));
+
+            ldns_rr_list* qds = ldns_pkt_question(pkt);
+            ldns_rr*      qd;
+            if (qds && (qd = ldns_rr_list_rr(qds, 0))) {
+                if (ldns_rdf2buffer_str(buf, ldns_rr_owner(qd)) == LDNS_STATUS_OK) {
+                    royparse_normalize((char*)ldns_buffer_begin(buf));
+                    fprintf(r_out, "%s%s,%u", (char*)ldns_buffer_begin(buf),
+                        ((char*)ldns_buffer_begin(buf))[0] == '.' ? "" : ".",
+                        ldns_rr_get_type(qd));
+                } else {
+                    fprintf(r_out, "ERR,ERR");
+                }
+            } else
+                fprintf(r_out, ",");
+
+            fprintf(r_out, ",%zu,%s%s%s%s", ldns_pkt_size(pkt), ldns_pkt_id(pkt) < 256 ? "-L" : "",
+                ldns_pkt_tc(pkt) ? "-TC" : "",
+                ldns_pkt_ad(pkt) ? "-AD" : "",
+                ldns_pkt_cd(pkt) ? "-CD" : "");
+            if (ldns_pkt_edns(pkt)) {
+                fprintf(r_out, "-%c", ldns_pkt_edns_do(pkt) ? 'D' : 'E');
+            }
+            fprintf(r_out, "\n");
+        } else if (opt_q != 0 && !ldns_pkt_qr(pkt) && dport == 53) {
+            struct pcap_pkthdr h;
+            if (flags & DNSCAP_OUTPUT_ISLAYER) {
+                ldns_pkt_free(pkt);
+                ldns_buffer_free(buf);
+                return;
+            }
+            memset(&h, 0, sizeof h);
+            h.ts  = ts;
+            h.len = h.caplen = olen;
+            pcap_dump((u_char*)q_out, &h, pkt_copy);
+        }
+        ldns_pkt_free(pkt);
+        ldns_buffer_free(buf);
+    }
+}

plugins/royparse/test1.sh

@@ -0,0 +1,15 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'royparse.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the royparse plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin"
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -q test1.out
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -r test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X

plugins/rssm/.gitignore

@@ -0,0 +1 @@
+hashtbl.c

plugins/rssm/Makefile.am

@@ -0,0 +1,42 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = $(srcdir)/hashtbl.c \
+    hashtbl.c *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS) \
+    $(libldns_CFLAGS)
+
+pkglib_LTLIBRARIES = rssm.la
+rssm_la_SOURCES = rssm.c
+nodist_rssm_la_SOURCES = hashtbl.c
+BUILT_SOURCES = hashtbl.c
+rssm_la_LDFLAGS = -module -avoid-version $(libldns_LIBS)
+TESTS = test1.sh test2.sh test3.sh test4.sh test5.sh
+EXTRA_DIST = $(TESTS) test1.gold test2.gold dnscap-rssm-rssac002.1.in \
+  test3.gold test5.gold
+dist_bin_SCRIPTS = dnscap-rssm-rssac002
+man1_MANS = dnscap-rssm-rssac002.1
+CLEANFILES += test1.20161020.152301.075993 test2.out $(man1_MANS) \
+  test3.20181127.155200.414188 test4.*20161020.152301.075993 \
+  test5.20180110.112241.543825
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(rssm_la_SOURCES) $(nodist_rssm_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif
+
+hashtbl.c: $(top_srcdir)/src/hashtbl.c
+	cp $(top_srcdir)/src/hashtbl.c ./
+
+$(srcdir)/hashtbl.c: $(top_srcdir)/src/hashtbl.c
+	cp $(top_srcdir)/src/hashtbl.c $(srcdir)/
+
+dnscap-rssm-rssac002.1: dnscap-rssm-rssac002.1.in Makefile
+	sed -e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g' \
+        -e 's,[@]PACKAGE_URL[@],$(PACKAGE_URL),g' \
+        -e 's,[@]PACKAGE_BUGREPORT[@],$(PACKAGE_BUGREPORT),g' \
+        < $(srcdir)/dnscap-rssm-rssac002.1.in > dnscap-rssm-rssac002.1

plugins/rssm/README.md

@@ -0,0 +1,41 @@
+# Root Server Scaling Measurement (RSSM) plugin
+
+This plugin collects data as described by the [RSSAC002v3 specification](https://www.icann.org/en/system/files/files/rssac-002-measurements-root-06jun16-en.pdf)
+which has been created by [ICANN Root Server System Advisory Committee](https://www.icann.org/groups/rssac) (RSSAC).
+
+## Additions
+
+As the RSSAC002v3 specification states that measurements should be saved per
+24 hours interval, this plugin produces additional metrics that can be used
+to compile the 24 hours measurements allowing for variable time between
+output generation.
+
+Metric `dnscap-rssm-sources` has a hash entry called `sources` which lists
+IP addresses and the number of times they appeared.
+
+Metric `dnscap-rssm-aggregated-sources` has a hash entry called `aggregated-sources`
+which lists the aggregated IPv6 addresses by a /64 net and the number of times
+it has appeared.
+
+## Merge Tool
+
+The Perl script `dnscap-rssm-rssac002` is included and installed with `dnscap`
+and can be used to multiple combine RSSM plugin RSSAC002v3 YAML output files
+into one file.
+
+The script will merge and remove metric specific to this plugin and replace
+others to fill in correct values for the new time period. The earliest
+`start-period` found will be used for all metrics.
+
+**NOTE** no parsing of `start-period` is performed, it is up to the operator
+to only give input files related to the same 24 hour period.
+
+Options:
+- `--no-recompile`: Disabled the combining of metrics and the removal of
+  metrics specific to this plugin
+- `--keep-dnscap-rssm`: Do the combining but keep the metrics specific to
+  this plugin
+- `--sort`: Output will always start with `version:`, `service:`,
+  `start-period:` and `metric:`, rest of the values are not ordered by label.
+  This option enabled sorting of them, which is not required by the
+  specification but may help in debugging and testing cases.

plugins/rssm/dnscap-rssm-rssac002

@@ -0,0 +1,209 @@
+#!/usr/bin/env perl
+#
+# Copyright (c) 2018-2021, OARC, Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+#
+# 3. Neither the name of the copyright holder nor the names of its
+#    contributors may be used to endorse or promote products derived
+#    from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+
+use strict;
+use warnings;
+use YAML;
+
+unless (scalar @ARGV > 1) {
+    print "usage: dnscap-rssm-rssac002 [--no-recompile|--keep-dnscap-rssm|--sort] <YAML files to merge...>\n";
+    exit(1);
+}
+
+my %service = ();
+my $earliest_start_period;
+my $recompile = 1;
+my $keep_dnscap_rssm = 0;
+my $sort = 0;
+
+foreach my $file (@ARGV) {
+    if ($file eq '--no-recompile') {
+        $recompile = 0;
+        next;
+    } elsif ($file eq '--keep-dnscap-rssm') {
+        $keep_dnscap_rssm = 1;
+        next;
+    } elsif ($file eq '--sort') {
+        $sort = 1;
+        next;
+    }
+    foreach my $doc (YAML::LoadFile($file)) {
+        my $version = delete $doc->{version};
+        my $service = delete $doc->{service};
+        my $start_period = delete $doc->{'start-period'};
+        my $metric = delete $doc->{metric};
+        unless ($version) {
+            die "$file: not valid RSSAC002 YAML, missing version";
+        }
+        unless ($service) {
+            die "$file: not valid RSSAC002 YAML, missing service";
+        }
+        unless ($start_period) {
+            die "$file: not valid RSSAC002 YAML, missing start-period";
+        }
+        unless ($metric) {
+            die "$file: not valid RSSAC002 YAML, missing metric";
+        }
+        unless ($version eq 'rssac002v3') {
+            die "$file: unsupported RSSAC002 version $version";
+        }
+
+        push(@{$service{$service}->{$metric}}, $doc);
+
+        if (!$earliest_start_period or $start_period lt $earliest_start_period) {
+            $earliest_start_period = $start_period;
+        }
+    }
+}
+
+foreach my $service (keys %service) {
+    foreach my $metric (keys %{$service{$service}}) {
+        my %doc = ();
+        foreach (@{$service{$service}->{$metric}}) {
+            eval {
+                merge(\%doc, $_);
+            };
+            if ($@) {
+                die "service $service metric $metric: $@";
+            }
+        }
+        $service{$service}->{$metric} = \%doc;
+    }
+}
+
+if ($recompile) {
+    foreach my $service (keys %service) {
+        my ($ipv4, $ipv6, $aggregated) = (0, 0, 0);
+        my $metric;
+
+        if ($keep_dnscap_rssm) {
+            $metric = $service{$service}->{'dnscap-rssm-sources'};
+        } else {
+            $metric = delete $service{$service}->{'dnscap-rssm-sources'};
+        }
+        if ($metric) {
+            if (ref($metric->{sources}) eq 'HASH') {
+                foreach my $ip (keys %{$metric->{sources}}) {
+                    if ($ip =~ /:/o) {
+                        $ipv6++;
+                    } else {
+                        $ipv4++;
+                    }
+                }
+            }
+        }
+
+        if ($keep_dnscap_rssm) {
+            $metric = $service{$service}->{'dnscap-rssm-aggregated-sources'};
+        } else {
+            $metric = delete $service{$service}->{'dnscap-rssm-aggregated-sources'};
+        }
+        if ($metric) {
+            if (ref($metric->{'aggregated-sources'}) eq 'HASH') {
+                my @keys = keys %{$metric->{'aggregated-sources'}};
+                $aggregated += scalar @keys;
+            }
+        }
+
+        $service{$service}->{'unique-sources'} = {
+            'num-sources-ipv4' => $ipv4,
+            'num-sources-ipv6' => $ipv6,
+            'num-sources-ipv6-aggregate' => $aggregated,
+        };
+    }
+}
+
+if ($sort) {
+    my $first = 1;
+    $YAML::SortKeys = 1;
+    foreach my $service (sort keys %service) {
+        foreach my $metric (sort keys %{$service{$service}}) {
+            if ($first) {
+                $first = 0;
+            } else {
+                print "\n";
+            }
+            print YAML::Dump({
+                version => "rssac002v3",
+                service => $service,
+                'start-period' => $earliest_start_period,
+                metric => $metric,
+                %{ $service{$service}->{$metric} },
+            });
+        }
+    }
+} else {
+    my $first = 1;
+    $YAML::SortKeys = 0;
+    foreach my $service (keys %service) {
+        foreach my $metric (keys %{$service{$service}}) {
+            if ($first) {
+                $first = 0;
+            } else {
+                print "\n";
+            }
+            print YAML::Dump({
+                version => "rssac002v3",
+                service => $service,
+                'start-period' => $earliest_start_period,
+                metric => $metric,
+                %{ $service{$service}->{$metric} },
+            });
+        }
+    }
+}
+
+sub merge {
+    my ( $doc, $measurements ) = @_;
+
+    foreach my $key (keys %$measurements) {
+        if (ref($doc->{$key}) eq 'HASH') {
+            unless (ref($measurements->{$key}) eq 'HASH') {
+                die "invalid measurement types for key $key: not a hash";
+            }
+            eval {
+                merge($doc->{$key}, $measurements->{$key});
+            };
+            die $@ if ($@);
+            next;
+        }
+        if (defined($doc->{$key})) {
+            if (defined($measurements->{$key}) and $measurements->{$key} ne '') {
+                $doc->{$key} += $measurements->{$key};
+            }
+        } else {
+            $doc->{$key} = $measurements->{$key};
+        }
+    }
+}

plugins/rssm/dnscap-rssm-rssac002.1.in

@@ -0,0 +1,98 @@
+.\" Copyright (c) 2017-2021, OARC, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. Neither the name of the copyright holder nor the names of its
+.\"    contributors may be used to endorse or promote products derived
+.\"    from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+.\" COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.TH dnscap-rssm-rssac002 1 "dnscap-v@PACKAGE_VERSION@" "dnscap RSSAC002v3 Tool"
+.SH NAME
+dnscap-rssm-rssac002 \- Combine RSSAC002v3 YAML files
+.SH SYNOPSIS
+.B dnscap-rssm-rssac002
+[
+.B \--no-recompile
+.B \--keep-dnscap-rssm
+.B \--sort
+]
+.I files...
+.SH DESCRIPTION
+This Perl script will merge and remove metric specific to this plugin and
+replace others to fill in correct values for the new time period.
+The earliest
+.I start-period
+found will be used for all metrics.
+.LP
+.B NOTE
+no parsing of
+.I start-period
+is performed, it is up to the operator to only give input files related
+to the same 24 hour period.
+.SH OPTIONS
+.TP
+.B \--no-recompile
+Disabled the combining of metrics and the removal of metrics specific to
+this plugin.
+.TP
+.B \--keep-dnscap-rssm
+Do the combining but keep the metrics specific to this plugin.
+.TP
+.B \--sort
+Output will always start with
+.IR version: ,
+.IR service: ,
+.I start-period:
+and
+.IR metric: ,
+rest of the values are not ordered by label.
+This option enabled sorting of them, which is not required by the
+specification but may help in debugging and testing cases.
+.SH SEE ALSO
+.BR dnscap (1)
+.SH AUTHORS
+Jerry Lundström, DNS-OARC
+.LP
+Maintained by DNS-OARC
+.LP
+.RS
+.I https://www.dns-oarc.net/
+.RE
+.LP
+.SH BUGS
+For issues and feature requests please use:
+.LP
+.RS
+\fI@PACKAGE_URL@\fP
+.RE
+.LP
+For question and help please use:
+.LP
+.RS
+\fI@PACKAGE_BUGREPORT@\fP
+.RE
+.LP

plugins/rssm/rssm.c

@@ -0,0 +1,696 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <memory.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <assert.h>
+#include <sys/wait.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <arpa/nameser.h>
+#if HAVE_ARPA_NAMESER_COMPAT_H
+#include <arpa/nameser_compat.h>
+#endif
+
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+
+#include <ldns/ldns.h>
+
+#include "dnscap_common.h"
+
+#include "hashtbl.h"
+
+static logerr_t*     logerr;
+static my_bpftimeval open_ts;
+static my_bpftimeval close_ts;
+#define COUNTS_PREFIX_DEFAULT "rssm"
+static char* counts_prefix            = 0;
+static char* sources_prefix           = 0;
+static char* aggregated_prefix        = 0;
+static int   dont_fork_on_close       = 0;
+static int   sources_into_counters    = 0;
+static int   aggregated_into_counters = 0;
+static char* service_name             = 0;
+static int   rssac002v3_yaml          = 0;
+
+output_t rssm_output;
+
+#define MAX_SIZE_INDEX 4096
+#define MSG_SIZE_SHIFT 4
+#define MAX_TBL_ADDRS 2000000
+#define MAX_TBL_ADDRS2 200000
+#define MAX_RCODE (1 << 12)
+
+typedef struct {
+    hashtbl*     tbl;
+    iaddr        addrs[MAX_TBL_ADDRS];
+    uint64_t     count[MAX_TBL_ADDRS];
+    unsigned int num_addrs;
+} my_hashtbl;
+
+typedef struct {
+    hashtbl*     tbl;
+    iaddr        addrs[MAX_TBL_ADDRS2];
+    uint64_t     count[MAX_TBL_ADDRS2];
+    unsigned int num_addrs;
+} my_hashtbl2;
+
+struct {
+    uint64_t    dns_udp_queries_received_ipv4;
+    uint64_t    dns_udp_queries_received_ipv6;
+    uint64_t    dns_tcp_queries_received_ipv4;
+    uint64_t    dns_tcp_queries_received_ipv6;
+    uint64_t    dns_udp_responses_sent_ipv4;
+    uint64_t    dns_udp_responses_sent_ipv6;
+    uint64_t    dns_tcp_responses_sent_ipv4;
+    uint64_t    dns_tcp_responses_sent_ipv6;
+    uint64_t    udp_query_size[MAX_SIZE_INDEX];
+    uint64_t    tcp_query_size[MAX_SIZE_INDEX];
+    uint64_t    udp_response_size[MAX_SIZE_INDEX];
+    uint64_t    tcp_response_size[MAX_SIZE_INDEX];
+    uint64_t    rcodes[MAX_RCODE];
+    my_hashtbl  sources;
+    my_hashtbl2 aggregated;
+    uint64_t    num_ipv4_sources;
+    uint64_t    num_ipv6_sources;
+} counts;
+
+static unsigned int
+iaddr_hash(const void* key)
+{
+    const iaddr* ia = (const iaddr*)key;
+
+    if (AF_INET == ia->af)
+        return ia->u.a4.s_addr >> 8;
+    else if (AF_INET6 == ia->af) {
+        uint16_t* h = (uint16_t*)&ia->u;
+        return h[2] + h[3] + h[4];
+    } else
+        return 0;
+}
+
+static int
+iaddr_cmp(const void* _a, const void* _b)
+{
+    const iaddr *a = (const iaddr*)_a, *b = (const iaddr*)_b;
+
+    if (a->af == b->af) {
+        if (AF_INET == a->af)
+            return memcmp(&a->u.a4.s_addr, &b->u.a4.s_addr, sizeof(a->u.a4.s_addr));
+        if (AF_INET6 == a->af)
+            return memcmp(&a->u.a6.s6_addr, &b->u.a6.s6_addr, sizeof(a->u.a6.s6_addr));
+        return 0;
+    }
+    if (a->af < b->af)
+        return -1;
+    return 1;
+}
+
+ia_str_t ia_str = 0;
+
+void rssm_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_IA_STR:
+        ia_str = (ia_str_t)arg;
+        break;
+    }
+}
+
+void rssm_usage()
+{
+    fprintf(stderr,
+        "\nrssm.so options:\n"
+        "\t-?         print these instructions and exit\n"
+        "\t-w <name>  write basic counters to <name>.<timesec>.<timeusec>\n"
+        "\t-Y         use RSSAC002v3 YAML format when writing counters, the\n"
+        "\t           file will contain multiple YAML documents, one for each\n"
+        "\t           RSSAC002v3 metric\n"
+        "\t           Used with; -S adds custom metric \"dnscap-rssm-sources\"\n"
+        "\t           and -A adds \"dnscap-rssm-aggregated-sources\"\n"
+        "\t-n <name>  the service name to use in RSSAC002v3 YAML\n"
+        "\t-S         write source IPs into counters file with the prefix\n"
+        "\t           \"source\" or ...\n"
+        "\t-s <name>  write source IPs to <name>.<timesec>.<timeusec>\n"
+        "\t-A         write aggregated IPv6(/64) sources into counters file\n"
+        "\t           with the prefix \"aggregated-source\" or ...\n"
+        "\t-a <name>  write aggregated IPv6(/64) sources to\n"
+        "\t           <name>.<timesec>.<timeusec>\n"
+        "\t-D         don't fork on close\n");
+}
+
+void rssm_getopt(int* argc, char** argv[])
+{
+    int c;
+    while ((c = getopt(*argc, *argv, "?w:Yn:Ss:Aa:D")) != EOF) {
+        switch (c) {
+        case 'w':
+            if (counts_prefix)
+                free(counts_prefix);
+            counts_prefix = strdup(optarg);
+            break;
+        case 'Y':
+            rssac002v3_yaml = 1;
+            break;
+        case 'n':
+            if (service_name)
+                free(service_name);
+            service_name = strdup(optarg);
+            break;
+        case 'S':
+            sources_into_counters = 1;
+            break;
+        case 's':
+            if (sources_prefix)
+                free(sources_prefix);
+            sources_prefix = strdup(optarg);
+            break;
+        case 'A':
+            aggregated_into_counters = 1;
+            break;
+        case 'a':
+            if (aggregated_prefix)
+                free(aggregated_prefix);
+            aggregated_prefix = strdup(optarg);
+            break;
+        case 'D':
+            dont_fork_on_close = 1;
+            break;
+        case '?':
+            rssm_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+    if (sources_into_counters && sources_prefix) {
+        fprintf(stderr, "rssm: -S and -s can not be used at the same time!\n");
+        rssm_usage();
+        exit(1);
+    }
+    if (aggregated_into_counters && aggregated_prefix) {
+        fprintf(stderr, "rssm: -A and -a can not be used at the same time!\n");
+        rssm_usage();
+        exit(1);
+    }
+    if (rssac002v3_yaml && !service_name) {
+        fprintf(stderr, "rssm: service name (-n) needed for RSSAC002v3 YAML (-Y) output!\n");
+        rssm_usage();
+        exit(1);
+    }
+}
+
+int rssm_start(logerr_t* a_logerr)
+{
+    logerr = a_logerr;
+    return 0;
+}
+
+void rssm_stop()
+{
+}
+
+int rssm_open(my_bpftimeval ts)
+{
+    open_ts = ts;
+    if (counts.sources.tbl)
+        hash_destroy(counts.sources.tbl);
+    if (counts.aggregated.tbl)
+        hash_destroy(counts.aggregated.tbl);
+    memset(&counts, 0, sizeof(counts));
+    if (!(counts.sources.tbl = hash_create(65536, iaddr_hash, iaddr_cmp, 0))) {
+        return -1;
+    }
+    if (!(counts.aggregated.tbl = hash_create(4096, iaddr_hash, iaddr_cmp, 0))) {
+        return -1;
+    }
+    return 0;
+}
+
+void rssm_save_counts(const char* sbuf)
+{
+    FILE* fp;
+    int   i;
+    char* tbuf = 0;
+    i          = asprintf(&tbuf, "%s.%s.%06lu", counts_prefix ? counts_prefix : COUNTS_PREFIX_DEFAULT, sbuf, (u_long)open_ts.tv_usec);
+    if (i < 1 || !tbuf) {
+        logerr("asprintf: out of memory");
+        return;
+    }
+    fprintf(stderr, "rssm: saving counts in %s\n", tbuf);
+    fp = fopen(tbuf, "w");
+    if (!fp) {
+        logerr("%s: %s", sbuf, strerror(errno));
+        free(tbuf);
+        return;
+    }
+    if (rssac002v3_yaml) {
+        char      tz[21];
+        struct tm tm;
+
+        gmtime_r((time_t*)&open_ts.tv_sec, &tm);
+        if (!strftime(tz, sizeof(tz), "%Y-%m-%dT%H:%M:%SZ", &tm)) {
+            logerr("rssm: strftime failed");
+            fclose(fp);
+            free(tbuf);
+            return;
+        }
+
+        fprintf(fp, "---\nversion: rssac002v3\nservice: %s\nstart-period: %s\nmetric: traffic-volume\n", service_name, tz);
+        fprintf(fp, "dns-udp-queries-received-ipv4: %" PRIu64 "\n", counts.dns_udp_queries_received_ipv4);
+        fprintf(fp, "dns-udp-queries-received-ipv6: %" PRIu64 "\n", counts.dns_udp_queries_received_ipv6);
+        fprintf(fp, "dns-tcp-queries-received-ipv4: %" PRIu64 "\n", counts.dns_tcp_queries_received_ipv4);
+        fprintf(fp, "dns-tcp-queries-received-ipv6: %" PRIu64 "\n", counts.dns_tcp_queries_received_ipv6);
+        fprintf(fp, "dns-udp-responses-sent-ipv4: %" PRIu64 "\n", counts.dns_udp_responses_sent_ipv4);
+        fprintf(fp, "dns-udp-responses-sent-ipv6: %" PRIu64 "\n", counts.dns_udp_responses_sent_ipv6);
+        fprintf(fp, "dns-tcp-responses-sent-ipv4: %" PRIu64 "\n", counts.dns_tcp_responses_sent_ipv4);
+        fprintf(fp, "dns-tcp-responses-sent-ipv6: %" PRIu64 "\n", counts.dns_tcp_responses_sent_ipv6);
+
+        fprintf(fp, "\n---\nversion: rssac002v3\nservice: %s\nstart-period: %s\nmetric: traffic-sizes\n", service_name, tz);
+        i = 0;
+        for (; i < MAX_SIZE_INDEX; i++) {
+            if (counts.udp_query_size[i]) {
+                break;
+            }
+        }
+        if (i < MAX_SIZE_INDEX) {
+            fprintf(fp, "udp-request-sizes:\n");
+            for (; i < MAX_SIZE_INDEX; i++) {
+                if (counts.udp_query_size[i]) {
+                    fprintf(fp, "  %d-%d: %" PRIu64 "\n",
+                        i << MSG_SIZE_SHIFT,
+                        ((i + 1) << MSG_SIZE_SHIFT) - 1,
+                        counts.udp_query_size[i]);
+                }
+            }
+        } else {
+            fprintf(fp, "udp-request-sizes: {}\n");
+        }
+        i = 0;
+        for (; i < MAX_SIZE_INDEX; i++) {
+            if (counts.udp_response_size[i]) {
+                break;
+            }
+        }
+        if (i < MAX_SIZE_INDEX) {
+            fprintf(fp, "udp-response-sizes:\n");
+            for (; i < MAX_SIZE_INDEX; i++) {
+                if (counts.udp_response_size[i]) {
+                    fprintf(fp, "  %d-%d: %" PRIu64 "\n",
+                        i << MSG_SIZE_SHIFT,
+                        ((i + 1) << MSG_SIZE_SHIFT) - 1,
+                        counts.udp_response_size[i]);
+                }
+            }
+        } else {
+            fprintf(fp, "udp-response-sizes: {}\n");
+        }
+        i = 0;
+        for (; i < MAX_SIZE_INDEX; i++) {
+            if (counts.tcp_query_size[i]) {
+                break;
+            }
+        }
+        if (i < MAX_SIZE_INDEX) {
+            fprintf(fp, "tcp-request-sizes:\n");
+            for (; i < MAX_SIZE_INDEX; i++) {
+                if (counts.tcp_query_size[i]) {
+                    fprintf(fp, "  %d-%d: %" PRIu64 "\n",
+                        i << MSG_SIZE_SHIFT,
+                        ((i + 1) << MSG_SIZE_SHIFT) - 1,
+                        counts.tcp_query_size[i]);
+                }
+            }
+        } else {
+            fprintf(fp, "tcp-request-sizes: {}\n");
+        }
+        i = 0;
+        for (; i < MAX_SIZE_INDEX; i++) {
+            if (counts.tcp_response_size[i]) {
+                break;
+            }
+        }
+        if (i < MAX_SIZE_INDEX) {
+            fprintf(fp, "tcp-response-sizes:\n");
+            for (; i < MAX_SIZE_INDEX; i++) {
+                if (counts.tcp_response_size[i]) {
+                    fprintf(fp, "  %d-%d: %" PRIu64 "\n",
+                        i << MSG_SIZE_SHIFT,
+                        ((i + 1) << MSG_SIZE_SHIFT) - 1,
+                        counts.tcp_response_size[i]);
+                }
+            }
+        } else {
+            fprintf(fp, "tcp-response-sizes: {}\n");
+        }
+
+        fprintf(fp, "\n---\nversion: rssac002v3\nservice: %s\nstart-period: %s\nmetric: rcode-volume\n", service_name, tz);
+        for (i = 0; i < MAX_RCODE; i++) {
+            if (counts.rcodes[i]) {
+                fprintf(fp, "%d: %" PRIu64 "\n", i, counts.rcodes[i]);
+            }
+        }
+
+        fprintf(fp, "\n---\nversion: rssac002v3\nservice: %s\nstart-period: %s\nmetric: unique-sources\n", service_name, tz);
+        fprintf(fp, "num-sources-ipv4: %" PRIu64 "\n", counts.num_ipv4_sources);
+        fprintf(fp, "num-sources-ipv6: %" PRIu64 "\n", counts.num_ipv6_sources);
+        fprintf(fp, "num-sources-ipv6-aggregate: %u\n", counts.aggregated.num_addrs);
+
+        if (sources_into_counters) {
+            fprintf(fp, "\n---\nversion: rssac002v3\nservice: %s\nstart-period: %s\nmetric: dnscap-rssm-sources\n", service_name, tz);
+            if (counts.sources.num_addrs) {
+                fprintf(fp, "sources:\n");
+                for (i = 0; i < counts.sources.num_addrs; i++) {
+                    fprintf(fp, "  %s: %" PRIu64 "\n", ia_str(counts.sources.addrs[i]), counts.sources.count[i]);
+                }
+            } else {
+                fprintf(fp, "sources: {}\n");
+            }
+        }
+
+        if (aggregated_into_counters) {
+            fprintf(fp, "\n---\nversion: rssac002v3\nservice: %s\nstart-period: %s\nmetric: dnscap-rssm-aggregated-sources\n", service_name, tz);
+            if (counts.aggregated.num_addrs) {
+                fprintf(fp, "aggregated-sources:\n");
+                for (i = 0; i < counts.aggregated.num_addrs; i++) {
+                    fprintf(fp, "  %s: %" PRIu64 "\n", ia_str(counts.aggregated.addrs[i]), counts.aggregated.count[i]);
+                }
+            } else {
+                fprintf(fp, "aggregated-sources: {}\n");
+            }
+        }
+    } else {
+        fprintf(fp, "first-packet-time %ld\n", (long)open_ts.tv_sec);
+        fprintf(fp, "last-packet-time %ld\n", (long)close_ts.tv_sec);
+        fprintf(fp, "dns-udp-queries-received-ipv4 %" PRIu64 "\n", counts.dns_udp_queries_received_ipv4);
+        fprintf(fp, "dns-udp-queries-received-ipv6 %" PRIu64 "\n", counts.dns_udp_queries_received_ipv6);
+        fprintf(fp, "dns-tcp-queries-received-ipv4 %" PRIu64 "\n", counts.dns_tcp_queries_received_ipv4);
+        fprintf(fp, "dns-tcp-queries-received-ipv6 %" PRIu64 "\n", counts.dns_tcp_queries_received_ipv6);
+        fprintf(fp, "dns-udp-responses-sent-ipv4 %" PRIu64 "\n", counts.dns_udp_responses_sent_ipv4);
+        fprintf(fp, "dns-udp-responses-sent-ipv6 %" PRIu64 "\n", counts.dns_udp_responses_sent_ipv6);
+        fprintf(fp, "dns-tcp-responses-sent-ipv4 %" PRIu64 "\n", counts.dns_tcp_responses_sent_ipv4);
+        fprintf(fp, "dns-tcp-responses-sent-ipv6 %" PRIu64 "\n", counts.dns_tcp_responses_sent_ipv6);
+        for (i = 0; i < MAX_SIZE_INDEX; i++)
+            if (counts.udp_query_size[i])
+                fprintf(fp, "dns-udp-query-size %d-%d %" PRIu64 "\n",
+                    i << MSG_SIZE_SHIFT,
+                    ((i + 1) << MSG_SIZE_SHIFT) - 1,
+                    counts.udp_query_size[i]);
+        for (i = 0; i < MAX_SIZE_INDEX; i++)
+            if (counts.tcp_query_size[i])
+                fprintf(fp, "dns-tcp-query-size %d-%d %" PRIu64 "\n",
+                    i << MSG_SIZE_SHIFT,
+                    ((i + 1) << MSG_SIZE_SHIFT) - 1,
+                    counts.tcp_query_size[i]);
+        for (i = 0; i < MAX_SIZE_INDEX; i++)
+            if (counts.udp_response_size[i])
+                fprintf(fp, "dns-udp-response-size %d-%d %" PRIu64 "\n",
+                    i << MSG_SIZE_SHIFT,
+                    ((i + 1) << MSG_SIZE_SHIFT) - 1,
+                    counts.udp_response_size[i]);
+        for (i = 0; i < MAX_SIZE_INDEX; i++)
+            if (counts.tcp_response_size[i])
+                fprintf(fp, "dns-tcp-response-size %d-%d %" PRIu64 "\n",
+                    i << MSG_SIZE_SHIFT,
+                    ((i + 1) << MSG_SIZE_SHIFT) - 1,
+                    counts.tcp_response_size[i]);
+        for (i = 0; i < MAX_RCODE; i++)
+            if (counts.rcodes[i])
+                fprintf(fp, "dns-rcode %d %" PRIu64 "\n",
+                    i, counts.rcodes[i]);
+        fprintf(fp, "num-sources %u\n", counts.sources.num_addrs);
+        if (sources_into_counters) {
+            for (i = 0; i < counts.sources.num_addrs; i++) {
+                fprintf(fp, "source %s %" PRIu64 "\n", ia_str(counts.sources.addrs[i]), counts.sources.count[i]);
+            }
+        }
+        if (aggregated_into_counters) {
+            for (i = 0; i < counts.aggregated.num_addrs; i++) {
+                fprintf(fp, "aggregated-source %s %" PRIu64 "\n", ia_str(counts.aggregated.addrs[i]), counts.aggregated.count[i]);
+            }
+        }
+    }
+    fclose(fp);
+    fprintf(stderr, "rssm: done\n");
+    free(tbuf);
+}
+
+void rssm_save_sources(const char* sbuf)
+{
+    FILE* fp;
+    char* tbuf = 0;
+    int   i;
+    i = asprintf(&tbuf, "%s.%s.%06lu", sources_prefix, sbuf, (u_long)open_ts.tv_usec);
+    if (i < 1 || !tbuf) {
+        logerr("asprintf: out of memory");
+        return;
+    }
+    fprintf(stderr, "rssm: saving %u sources in %s\n", counts.sources.num_addrs, tbuf);
+    fp = fopen(tbuf, "w");
+    if (!fp) {
+        logerr("%s: %s", tbuf, strerror(errno));
+        free(tbuf);
+        return;
+    }
+    for (i = 0; i < counts.sources.num_addrs; i++) {
+        fprintf(fp, "%s %" PRIu64 "\n", ia_str(counts.sources.addrs[i]), counts.sources.count[i]);
+    }
+    fclose(fp);
+    fprintf(stderr, "rssm: done\n");
+    free(tbuf);
+}
+
+void rssm_save_aggregated(const char* sbuf)
+{
+    FILE* fp;
+    char* tbuf = 0;
+    int   i;
+    i = asprintf(&tbuf, "%s.%s.%06lu", aggregated_prefix, sbuf, (u_long)open_ts.tv_usec);
+    if (i < 1 || !tbuf) {
+        logerr("asprintf: out of memory");
+        return;
+    }
+    fprintf(stderr, "rssm: saving %u aggregated in %s\n", counts.aggregated.num_addrs, tbuf);
+    fp = fopen(tbuf, "w");
+    if (!fp) {
+        logerr("%s: %s", tbuf, strerror(errno));
+        free(tbuf);
+        return;
+    }
+    for (i = 0; i < counts.aggregated.num_addrs; i++) {
+        fprintf(fp, "%s %" PRIu64 "\n", ia_str(counts.aggregated.addrs[i]), counts.aggregated.count[i]);
+    }
+    fclose(fp);
+    fprintf(stderr, "rssm: done\n");
+    free(tbuf);
+}
+
+/*
+ * Fork a separate process so that we don't block the main dnscap.  Use double-fork
+ * to avoid zombies for the main dnscap process.
+ */
+int rssm_close(my_bpftimeval ts)
+{
+    char      sbuf[265];
+    pid_t     pid;
+    struct tm tm;
+
+    if (dont_fork_on_close) {
+        struct tm tm;
+        gmtime_r((time_t*)&open_ts.tv_sec, &tm);
+        strftime(sbuf, sizeof(sbuf), "%Y%m%d.%H%M%S", &tm);
+        close_ts = ts;
+        rssm_save_counts(sbuf);
+        if (sources_prefix)
+            rssm_save_sources(sbuf);
+        if (aggregated_prefix)
+            rssm_save_aggregated(sbuf);
+        return 0;
+    }
+
+    pid = fork();
+    if (pid < 0) {
+        logerr("rssm.so: fork: %s", strerror(errno));
+        return 1;
+    } else if (pid) {
+        /* parent */
+        waitpid(pid, NULL, 0);
+        return 0;
+    }
+    /* 1st gen child continues */
+    pid = fork();
+    if (pid < 0) {
+        logerr("rssm.so: fork: %s", strerror(errno));
+        return 1;
+    } else if (pid) {
+        /* 1st gen child exits */
+        exit(0);
+    }
+    /* grandchild (2nd gen) continues */
+    gmtime_r((time_t*)&open_ts.tv_sec, &tm);
+    strftime(sbuf, sizeof(sbuf), "%Y%m%d.%H%M%S", &tm);
+    close_ts = ts;
+    rssm_save_counts(sbuf);
+    if (sources_prefix)
+        rssm_save_sources(sbuf);
+    if (aggregated_prefix)
+        rssm_save_aggregated(sbuf);
+    exit(0);
+}
+
+static void
+find_or_add(iaddr ia)
+{
+    uint64_t* c = hash_find(&ia, counts.sources.tbl);
+    if (c) {
+        (*c)++;
+    } else {
+        if (counts.sources.num_addrs == MAX_TBL_ADDRS)
+            return;
+        counts.sources.addrs[counts.sources.num_addrs] = ia;
+        if (hash_add(&counts.sources.addrs[counts.sources.num_addrs], &counts.sources.count[counts.sources.num_addrs], counts.sources.tbl)) {
+            logerr("rssm.so: unable to add address to hash");
+            return;
+        }
+        counts.sources.count[counts.sources.num_addrs]++;
+        counts.sources.num_addrs++;
+        if (ia.af == AF_INET) {
+            counts.num_ipv4_sources++;
+        } else {
+            counts.num_ipv6_sources++;
+        }
+    }
+
+    if (ia.af == AF_INET6) {
+        iaddr v6agg = ia;
+
+        memset(((uint8_t*)&v6agg.u.a6) + 8, 0, 8);
+        c = hash_find(&v6agg, counts.aggregated.tbl);
+        if (c) {
+            (*c)++;
+        } else {
+            if (counts.aggregated.num_addrs == MAX_TBL_ADDRS2)
+                return;
+            counts.aggregated.addrs[counts.aggregated.num_addrs] = v6agg;
+            if (hash_add(&counts.aggregated.addrs[counts.aggregated.num_addrs], &counts.aggregated.count[counts.aggregated.num_addrs], counts.aggregated.tbl)) {
+                logerr("rssm.so: unable to add aggregated address to hash");
+                return;
+            }
+            counts.aggregated.count[counts.aggregated.num_addrs]++;
+            counts.aggregated.num_addrs++;
+        }
+    }
+}
+
+void rssm_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen,
+    const u_char* payload, const unsigned payloadlen)
+{
+    unsigned  dnslen;
+    ldns_pkt* pkt = 0;
+
+    if (!(flags & DNSCAP_OUTPUT_ISDNS))
+        return;
+
+    if (ldns_wire2pkt(&pkt, payload, payloadlen) != LDNS_STATUS_OK) {
+        return;
+    }
+
+    dnslen = payloadlen >> MSG_SIZE_SHIFT;
+    if (dnslen >= MAX_SIZE_INDEX)
+        dnslen = MAX_SIZE_INDEX - 1;
+
+    if (!ldns_pkt_qr(pkt)) {
+        find_or_add(from);
+        if (IPPROTO_UDP == proto) {
+            counts.udp_query_size[dnslen]++;
+        } else if (IPPROTO_TCP == proto) {
+            counts.tcp_query_size[dnslen]++;
+        }
+        if (AF_INET == from.af) {
+            if (IPPROTO_UDP == proto) {
+                counts.dns_udp_queries_received_ipv4++;
+            } else if (IPPROTO_TCP == proto) {
+                counts.dns_tcp_queries_received_ipv4++;
+            }
+        } else if (AF_INET6 == from.af) {
+            if (IPPROTO_UDP == proto) {
+                counts.dns_udp_queries_received_ipv6++;
+            } else if (IPPROTO_TCP == proto) {
+                counts.dns_tcp_queries_received_ipv6++;
+            }
+        }
+    } else {
+        uint16_t rcode = ldns_pkt_get_rcode(pkt);
+        if (IPPROTO_UDP == proto) {
+            counts.udp_response_size[dnslen]++;
+        } else if (IPPROTO_TCP == proto) {
+            counts.tcp_response_size[dnslen]++;
+        }
+        if (AF_INET == from.af) {
+            if (IPPROTO_UDP == proto) {
+                counts.dns_udp_responses_sent_ipv4++;
+            } else if (IPPROTO_TCP == proto) {
+                counts.dns_tcp_responses_sent_ipv4++;
+            }
+        } else if (AF_INET6 == from.af) {
+            if (IPPROTO_UDP == proto) {
+                counts.dns_udp_responses_sent_ipv6++;
+            } else if (IPPROTO_TCP == proto) {
+                counts.dns_tcp_responses_sent_ipv6++;
+            }
+        }
+        if (ldns_pkt_arcount(pkt)) {
+            rcode |= ((uint16_t)ldns_pkt_edns_extended_rcode(pkt) << 4);
+        }
+        counts.rcodes[rcode]++;
+    }
+
+    ldns_pkt_free(pkt);
+}

plugins/rssm/test1.gold

@@ -0,0 +1,58 @@
+---
+version: rssac002v3
+service: test1
+start-period: 2016-10-20T15:23:01Z
+metric: traffic-volume
+dns-udp-queries-received-ipv4: 41
+dns-udp-queries-received-ipv6: 0
+dns-tcp-queries-received-ipv4: 0
+dns-tcp-queries-received-ipv6: 0
+dns-udp-responses-sent-ipv4: 41
+dns-udp-responses-sent-ipv6: 0
+dns-tcp-responses-sent-ipv4: 0
+dns-tcp-responses-sent-ipv6: 0
+
+---
+version: rssac002v3
+service: test1
+start-period: 2016-10-20T15:23:01Z
+metric: traffic-sizes
+udp-request-sizes:
+  16-31: 24
+  32-47: 17
+udp-response-sizes:
+  176-191: 24
+  256-271: 17
+tcp-request-sizes: {}
+tcp-response-sizes: {}
+
+---
+version: rssac002v3
+service: test1
+start-period: 2016-10-20T15:23:01Z
+metric: rcode-volume
+0: 41
+
+---
+version: rssac002v3
+service: test1
+start-period: 2016-10-20T15:23:01Z
+metric: unique-sources
+num-sources-ipv4: 1
+num-sources-ipv6: 0
+num-sources-ipv6-aggregate: 0
+
+---
+version: rssac002v3
+service: test1
+start-period: 2016-10-20T15:23:01Z
+metric: dnscap-rssm-sources
+sources:
+  172.17.0.10: 41
+
+---
+version: rssac002v3
+service: test1
+start-period: 2016-10-20T15:23:01Z
+metric: dnscap-rssm-aggregated-sources
+aggregated-sources: {}

plugins/rssm/test1.sh

@@ -0,0 +1,11 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'rssm.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the RSSM plugin"
+    exit 1
+fi
+
+../../src/dnscap -N -T -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -w test1 -Y -n test1 -A -S -D
+
+diff test1.20161020.152301.075993 "$srcdir/test1.gold"

plugins/rssm/test2.gold

@@ -0,0 +1,43 @@
+---
+0: 123
+metric: rcode-volume
+service: test1
+start-period: 2016-10-20T15:23:01Z
+version: rssac002v3
+
+---
+metric: traffic-sizes
+service: test1
+start-period: 2016-10-20T15:23:01Z
+tcp-request-sizes: {}
+tcp-response-sizes: {}
+udp-request-sizes:
+  16-31: 72
+  32-47: 51
+udp-response-sizes:
+  176-191: 72
+  256-271: 51
+version: rssac002v3
+
+---
+dns-tcp-queries-received-ipv4: 0
+dns-tcp-queries-received-ipv6: 0
+dns-tcp-responses-sent-ipv4: 0
+dns-tcp-responses-sent-ipv6: 0
+dns-udp-queries-received-ipv4: 123
+dns-udp-queries-received-ipv6: 0
+dns-udp-responses-sent-ipv4: 123
+dns-udp-responses-sent-ipv6: 0
+metric: traffic-volume
+service: test1
+start-period: 2016-10-20T15:23:01Z
+version: rssac002v3
+
+---
+metric: unique-sources
+num-sources-ipv4: 1
+num-sources-ipv6: 0
+num-sources-ipv6-aggregate: 0
+service: test1
+start-period: 2016-10-20T15:23:01Z
+version: rssac002v3

plugins/rssm/test2.sh

@@ -0,0 +1,5 @@
+#!/bin/sh -xe
+
+"$srcdir"/dnscap-rssm-rssac002 --sort "$srcdir/test1.gold" "$srcdir/test1.gold" "$srcdir/test1.gold" > test2.out
+
+diff test2.out "$srcdir/test2.gold"

plugins/rssm/test3.gold

@@ -0,0 +1,57 @@
+---
+version: rssac002v3
+service: test3
+start-period: 2018-11-27T15:52:00Z
+metric: traffic-volume
+dns-udp-queries-received-ipv4: 0
+dns-udp-queries-received-ipv6: 1
+dns-tcp-queries-received-ipv4: 0
+dns-tcp-queries-received-ipv6: 0
+dns-udp-responses-sent-ipv4: 0
+dns-udp-responses-sent-ipv6: 1
+dns-tcp-responses-sent-ipv4: 0
+dns-tcp-responses-sent-ipv6: 0
+
+---
+version: rssac002v3
+service: test3
+start-period: 2018-11-27T15:52:00Z
+metric: traffic-sizes
+udp-request-sizes:
+  32-47: 1
+udp-response-sizes:
+  48-63: 1
+tcp-request-sizes: {}
+tcp-response-sizes: {}
+
+---
+version: rssac002v3
+service: test3
+start-period: 2018-11-27T15:52:00Z
+metric: rcode-volume
+0: 1
+
+---
+version: rssac002v3
+service: test3
+start-period: 2018-11-27T15:52:00Z
+metric: unique-sources
+num-sources-ipv4: 0
+num-sources-ipv6: 1
+num-sources-ipv6-aggregate: 1
+
+---
+version: rssac002v3
+service: test3
+start-period: 2018-11-27T15:52:00Z
+metric: dnscap-rssm-sources
+sources:
+  2a01:3f0:0:57::245: 1
+
+---
+version: rssac002v3
+service: test3
+start-period: 2018-11-27T15:52:00Z
+metric: dnscap-rssm-aggregated-sources
+aggregated-sources:
+  2a01:3f0:0:57::: 1

plugins/rssm/test3.sh

@@ -0,0 +1,11 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'rssm.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the RSSM plugin"
+    exit 1
+fi
+
+../../src/dnscap -N -T -r "$srcdir/../../src/test/dns6.pcap" -P "$plugin" -w test3 -Y -n test3 -A -S -D
+
+diff test3.20181127.155200.414188 "$srcdir/test3.gold"

plugins/rssm/test4.sh

@@ -0,0 +1,14 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'rssm.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the RSSM plugin"
+    exit 1
+fi
+
+../../src/dnscap -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -?
+! ../../src/dnscap -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -X
+! ../../src/dnscap -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -s s -s s -S
+! ../../src/dnscap -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -a a -a a -A
+! ../../src/dnscap -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -Y
+../../src/dnscap -r "$srcdir/../../src/test/dns.pcap" -P "$plugin" -D -w test4 -w test4 -n n -n n -s test4.src -a test4.agg

plugins/rssm/test5.gold

@@ -0,0 +1,58 @@
+---
+version: rssac002v3
+service: test5
+start-period: 2018-01-10T11:22:41Z
+metric: traffic-volume
+dns-udp-queries-received-ipv4: 0
+dns-udp-queries-received-ipv6: 0
+dns-tcp-queries-received-ipv4: 41
+dns-tcp-queries-received-ipv6: 0
+dns-udp-responses-sent-ipv4: 0
+dns-udp-responses-sent-ipv6: 0
+dns-tcp-responses-sent-ipv4: 41
+dns-tcp-responses-sent-ipv6: 0
+
+---
+version: rssac002v3
+service: test5
+start-period: 2018-01-10T11:22:41Z
+metric: traffic-sizes
+udp-request-sizes: {}
+udp-response-sizes: {}
+tcp-request-sizes:
+  16-31: 24
+  32-47: 17
+tcp-response-sizes:
+  32-47: 24
+  128-143: 17
+
+---
+version: rssac002v3
+service: test5
+start-period: 2018-01-10T11:22:41Z
+metric: rcode-volume
+0: 41
+
+---
+version: rssac002v3
+service: test5
+start-period: 2018-01-10T11:22:41Z
+metric: unique-sources
+num-sources-ipv4: 1
+num-sources-ipv6: 0
+num-sources-ipv6-aggregate: 0
+
+---
+version: rssac002v3
+service: test5
+start-period: 2018-01-10T11:22:41Z
+metric: dnscap-rssm-sources
+sources:
+  172.17.0.8: 41
+
+---
+version: rssac002v3
+service: test5
+start-period: 2018-01-10T11:22:41Z
+metric: dnscap-rssm-aggregated-sources
+aggregated-sources: {}

plugins/rssm/test5.sh

@@ -0,0 +1,11 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'rssm.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the RSSM plugin"
+    exit 1
+fi
+
+../../src/dnscap -N -T -r "$srcdir/../../src/test/dnso1tcp.pcap" -P "$plugin" -w test5 -Y -n test5 -A -S -D
+
+diff test5.20180110.112241.543825 "$srcdir/test5.gold"

plugins/rzkeychange/Makefile.am

@@ -0,0 +1,23 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS) \
+    $(libldns_CFLAGS)
+
+pkglib_LTLIBRARIES = rzkeychange.la
+rzkeychange_la_SOURCES = rzkeychange.c
+rzkeychange_la_LDFLAGS = -module -avoid-version $(libldns_LIBS)
+
+TESTS = test1.sh
+EXTRA_DIST = $(TESTS)
+CLEANFILES += *.pcap-dist
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(rzkeychange_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif

plugins/rzkeychange/rzkeychange.c

@@ -0,0 +1,470 @@
+/*
+ * Author Duane Wessels
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <memory.h>
+#include <time.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <assert.h>
+#include <sys/wait.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <arpa/nameser.h>
+
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+#include <netinet/ip_icmp.h>
+
+#include <ldns/ldns.h>
+
+#include "dnscap_common.h"
+
+static logerr_t*      logerr           = 0;
+static my_bpftimeval  open_ts          = { 0, 0 };
+static my_bpftimeval  clos_ts          = { 0, 0 };
+static char*          report_zone      = 0;
+static char*          report_server    = 0;
+static char*          report_node      = 0;
+static char*          keytag_zone      = 0;
+static unsigned short resolver_port    = 0;
+static unsigned int   resolver_use_tcp = 0;
+static ldns_resolver* res;
+
+static int dry_run = 0;
+
+output_t       rzkeychange_output;
+is_responder_t rzkeychange_is_responder = 0;
+ia_str_t       rzkeychange_ia_str       = 0;
+
+#define MAX_KEY_TAG_SIGNALS 500
+static unsigned int num_key_tag_signals;
+struct {
+    iaddr       addr;
+    uint8_t     flags;
+    const char* signal;
+} key_tag_signals[MAX_KEY_TAG_SIGNALS];
+
+#define KEYTAG_FLAG_DO 1
+#define KEYTAG_FLAG_CD 2
+#define KEYTAG_FLAG_RD 4
+
+struct {
+    uint64_t dnskey;
+    uint64_t tc_bit;
+    uint64_t tcp;
+    uint64_t icmp_unreach_frag;
+    uint64_t icmp_timxceed_reass;
+    uint64_t icmp_timxceed_intrans;
+    uint64_t total;
+} counts;
+
+#define MAX_NAMESERVERS 10
+static unsigned int num_ns_addrs = 0;
+static char*        ns_addrs[MAX_NAMESERVERS];
+
+void rzkeychange_usage()
+{
+    fprintf(stderr,
+        "\nrzkeychange.so options:\n"
+        "\t-?           print these instructions and exit\n"
+        "\t-D           dry run, just print queries\n"
+        "\t-z <zone>    Report counters to DNS zone <zone> (required)\n"
+        "\t-s <server>  Data is from server <server> (required)\n"
+        "\t-n <node>    Data is from site/node <node> (required)\n"
+        "\t-k <zone>    Report RFC 8145 key tag signals to <zone>\n"
+        "\t-a <addr>    Send DNS queries to this addr\n"
+        "\t-p <port>    Send DNS queries to this port\n"
+        "\t-t           Use TCP for DNS queries\n");
+}
+
+void rzkeychange_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_IS_RESPONDER:
+        rzkeychange_is_responder = (is_responder_t)arg;
+        break;
+    case DNSCAP_EXT_IA_STR:
+        rzkeychange_ia_str = (ia_str_t)arg;
+        break;
+    }
+}
+
+void rzkeychange_getopt(int* argc, char** argv[])
+{
+    int c;
+    while ((c = getopt(*argc, *argv, "?a:k:n:p:s:tz:D")) != EOF) {
+        switch (c) {
+        case 'n':
+            if (report_node)
+                free(report_node);
+            report_node = strdup(optarg);
+            if (!report_node) {
+                fprintf(stderr, "strdup() out of memory\n");
+                exit(1);
+            }
+            break;
+        case 's':
+            if (report_server)
+                free(report_server);
+            report_server = strdup(optarg);
+            if (!report_server) {
+                fprintf(stderr, "strdup() out of memory\n");
+                exit(1);
+            }
+            break;
+        case 'z':
+            if (report_zone)
+                free(report_zone);
+            report_zone = strdup(optarg);
+            if (!report_zone) {
+                fprintf(stderr, "strdup() out of memory\n");
+                exit(1);
+            }
+            break;
+        case 'k':
+            if (keytag_zone)
+                free(keytag_zone);
+            keytag_zone = strdup(optarg);
+            if (!keytag_zone) {
+                fprintf(stderr, "strdup() out of memory\n");
+                exit(1);
+            }
+            break;
+        case 'a':
+            if (num_ns_addrs < MAX_NAMESERVERS) {
+                ns_addrs[num_ns_addrs] = strdup(optarg);
+                if (!ns_addrs[num_ns_addrs]) {
+                    fprintf(stderr, "strdup() out of memory\n");
+                    exit(1);
+                }
+                num_ns_addrs++;
+            } else {
+                fprintf(stderr, "too many nameservers\n");
+                exit(1);
+            }
+            break;
+        case 'p':
+            resolver_port = strtoul(optarg, 0, 10);
+            break;
+        case 't':
+            resolver_use_tcp = 1;
+            break;
+        case 'D':
+            dry_run = 1;
+            break;
+        case '?':
+            rzkeychange_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+    if (!report_zone || !report_server || !report_node) {
+        rzkeychange_usage();
+        exit(1);
+    }
+}
+
+ldns_pkt*
+dns_query(const char* name, ldns_rr_type type)
+{
+    fprintf(stderr, "%s\n", name);
+    if (dry_run) {
+        return 0;
+    }
+
+    ldns_rdf* domain = ldns_dname_new_frm_str(name);
+    if (0 == domain) {
+        fprintf(stderr, "bad query name: '%s'\n", name);
+        exit(1);
+    }
+    ldns_pkt* pkt = ldns_resolver_query(res,
+        domain,
+        type,
+        LDNS_RR_CLASS_IN,
+        LDNS_RD);
+    ldns_rdf_deep_free(domain);
+    return pkt;
+}
+
+static void
+add_resolver_nameserver(const char* s)
+{
+    ldns_rdf* nsaddr;
+    fprintf(stderr, "adding nameserver '%s' to resolver config\n", s);
+    if (strchr(s, ':'))
+        nsaddr = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_AAAA, s);
+    else
+        nsaddr = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_A, s);
+    if (!nsaddr) {
+        logerr("rzkeychange.so: invalid IP address '%s'", s);
+        exit(1);
+    }
+    assert(LDNS_STATUS_OK == ldns_resolver_push_nameserver(res, nsaddr));
+}
+
+int rzkeychange_start(logerr_t* a_logerr)
+{
+    ldns_pkt*      pkt;
+    struct timeval to;
+    char           qname[256];
+    logerr = a_logerr;
+    if (LDNS_STATUS_OK != ldns_resolver_new_frm_file(&res, NULL)) {
+        fprintf(stderr, "Failed to initialize ldns resolver\n");
+        exit(1);
+    }
+    if (num_ns_addrs) {
+        unsigned int i;
+        ldns_resolver_set_nameserver_count(res, 0);
+        for (i = 0; i < num_ns_addrs; i++)
+            add_resolver_nameserver(ns_addrs[i]);
+    }
+    if (0 == ldns_resolver_nameserver_count(res))
+        add_resolver_nameserver("127.0.0.1");
+    if (resolver_port)
+        ldns_resolver_set_port(res, resolver_port);
+    if (resolver_use_tcp)
+        ldns_resolver_set_usevc(res, 1);
+
+    if (dry_run) {
+        return 0;
+    }
+
+    fprintf(stderr, "Testing reachability of zone '%s'\n", report_zone);
+    pkt = dns_query(report_zone, LDNS_RR_TYPE_TXT);
+    if (!pkt) {
+        fprintf(stderr, "Test of zone '%s' failed\n", report_zone);
+        exit(1);
+    }
+    if (0 != ldns_pkt_get_rcode(pkt)) {
+        fprintf(stderr, "Query to zone '%s' returned rcode %d\n", report_zone, ldns_pkt_get_rcode(pkt));
+        exit(1);
+    }
+    fprintf(stderr, "Success.\n");
+    if (pkt)
+        ldns_pkt_free(pkt);
+    /*
+     * For all subsequent queries we don't actually care about the response
+     * and don't wait to wait very long for it so  the timeout is set really low.
+     */
+    to.tv_sec  = 0;
+    to.tv_usec = 500000;
+    ldns_resolver_set_timeout(res, to);
+    snprintf(qname, sizeof(qname), "ts-elapsed-tot-dnskey-tcp-tc-unreachfrag-texcfrag-texcttl.%s.%s.%s", report_node, report_server, report_zone);
+    pkt = dns_query(qname, LDNS_RR_TYPE_TXT);
+    if (pkt)
+        ldns_pkt_free(pkt);
+    return 0;
+}
+
+void rzkeychange_stop()
+{
+}
+
+int rzkeychange_open(my_bpftimeval ts)
+{
+    open_ts = clos_ts.tv_sec ? clos_ts : ts;
+    memset(&counts, 0, sizeof(counts));
+    memset(&key_tag_signals, 0, sizeof(key_tag_signals));
+    num_key_tag_signals = 0;
+    return 0;
+}
+
+void rzkeychange_submit_counts(void)
+{
+    char      qname[256];
+    ldns_pkt* pkt;
+    double    elapsed = (double)clos_ts.tv_sec - (double)open_ts.tv_sec + 0.000001 * clos_ts.tv_usec - 0.000001 * open_ts.tv_usec; //NOSONAR
+    int       k;
+
+    k = snprintf(qname, sizeof(qname), "%lu-%u-%" PRIu64 "-%" PRIu64 "-%" PRIu64 "-%" PRIu64 "-%" PRIu64 "-%" PRIu64 "-%" PRIu64 ".%s.%s.%s",
+        (u_long)open_ts.tv_sec,
+        (unsigned int)(elapsed + 0.5),
+        counts.total,
+        counts.dnskey,
+        counts.tcp,
+        counts.tc_bit,
+        counts.icmp_unreach_frag,
+        counts.icmp_timxceed_reass,
+        counts.icmp_timxceed_intrans,
+        report_node,
+        report_server,
+        report_zone);
+
+    if (k < sizeof(qname)) {
+        pkt = dns_query(qname, LDNS_RR_TYPE_TXT);
+        if (pkt)
+            ldns_pkt_free(pkt);
+    }
+
+    if (keytag_zone != 0) {
+        unsigned int i;
+
+        for (i = 0; i < num_key_tag_signals; i++) {
+            char* s = strdup(rzkeychange_ia_str(key_tag_signals[i].addr));
+            char* t;
+
+            if (0 == s) {
+                /*
+                 * Apparently out of memory.  This function is called in
+                 * a child process which will exit right after this we
+                 * break from the loop and return from this function.
+                 */
+                break;
+            }
+
+            for (t = s; *t; t++)
+                if (*t == '.' || *t == ':')
+                    *t = '-';
+
+            k = snprintf(qname, sizeof(qname), "%lu.%s.%hhx.%s.%s.%s.%s",
+                (u_long)open_ts.tv_sec,
+                s,
+                key_tag_signals[i].flags,
+                key_tag_signals[i].signal,
+                report_node,
+                report_server,
+                keytag_zone);
+            free(s);
+
+            if (k >= sizeof(qname))
+                continue; // qname was truncated in snprintf()
+
+            pkt = dns_query(qname, LDNS_RR_TYPE_TXT);
+            if (pkt)
+                ldns_pkt_free(pkt);
+        }
+    }
+}
+
+/*
+ * Fork a separate process so that we don't block the main dnscap.  Use
+ * double-fork to avoid zombies for the main dnscap process.
+ */
+int rzkeychange_close(my_bpftimeval ts)
+{
+    pid_t pid;
+    pid = fork();
+    if (pid < 0) {
+        logerr("rzkeychange.so: fork: %s", strerror(errno));
+        return 1;
+    } else if (pid) {
+        /* parent */
+        waitpid(pid, NULL, 0);
+        return 0;
+    }
+    /* 1st gen child continues */
+    pid = fork();
+    if (pid < 0) {
+        logerr("rzkeychange.so: fork: %s", strerror(errno));
+        return 1;
+    } else if (pid) {
+        /* 1st gen child exits */
+        exit(0);
+    }
+    /* grandchild (2nd gen) continues */
+    clos_ts = ts;
+    rzkeychange_submit_counts();
+    exit(0);
+}
+
+void rzkeychange_keytagsignal(const ldns_pkt* pkt, const ldns_rr* question_rr, iaddr addr)
+{
+    ldns_rdf* qn;
+    char*     qn_str = 0;
+    if (LDNS_RR_TYPE_NULL != ldns_rr_get_type(question_rr))
+        return;
+    if (num_key_tag_signals == MAX_KEY_TAG_SIGNALS)
+        return;
+    qn = ldns_rr_owner(question_rr);
+    if (qn == 0)
+        return;
+    qn_str = ldns_rdf2str(qn);
+    if (qn_str == 0)
+        return;
+    if (0 != strncasecmp(qn_str, "_ta-", 4))
+        goto keytagsignal_done;
+    qn_str[strlen(qn_str) - 1] = 0; // ldns always adds terminating dot
+    if (strchr(qn_str, '.')) // dont want non-root keytag signals
+        goto keytagsignal_done;
+    key_tag_signals[num_key_tag_signals].addr   = addr;
+    key_tag_signals[num_key_tag_signals].signal = strdup(qn_str);
+    assert(key_tag_signals[num_key_tag_signals].signal);
+    if (ldns_pkt_rd(pkt))
+        key_tag_signals[num_key_tag_signals].flags |= KEYTAG_FLAG_RD;
+    if (ldns_pkt_cd(pkt))
+        key_tag_signals[num_key_tag_signals].flags |= KEYTAG_FLAG_CD;
+    if (ldns_pkt_edns_do(pkt))
+        key_tag_signals[num_key_tag_signals].flags |= KEYTAG_FLAG_DO;
+    num_key_tag_signals++;
+keytagsignal_done:
+    if (qn_str)
+        free(qn_str);
+}
+
+void rzkeychange_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen,
+    const u_char* payload, const unsigned payloadlen)
+{
+    ldns_pkt*     pkt              = 0;
+    ldns_rr_list* question_rr_list = 0;
+    ldns_rr*      question_rr      = 0;
+    if (!(flags & DNSCAP_OUTPUT_ISDNS)) {
+        if (IPPROTO_ICMP == proto && payloadlen >= 4) {
+            struct icmp* icmp;
+            if (rzkeychange_is_responder && !rzkeychange_is_responder(to))
+                goto done;
+            icmp = (void*)payload;
+            if (ICMP_UNREACH == icmp->icmp_type) {
+                if (ICMP_UNREACH_NEEDFRAG == icmp->icmp_code)
+                    counts.icmp_unreach_frag++;
+            } else if (ICMP_TIMXCEED == icmp->icmp_type) {
+                if (ICMP_TIMXCEED_INTRANS == icmp->icmp_code)
+                    counts.icmp_timxceed_intrans++;
+                else if (ICMP_TIMXCEED_REASS == icmp->icmp_code)
+                    counts.icmp_timxceed_reass++;
+            }
+        }
+        goto done;
+    }
+    if (LDNS_STATUS_OK != ldns_wire2pkt(&pkt, payload, payloadlen))
+        return;
+    if (0 == ldns_pkt_qr(pkt))
+        goto done;
+    counts.total++;
+    if (IPPROTO_UDP == proto) {
+        if (0 != ldns_pkt_tc(pkt))
+            counts.tc_bit++;
+    } else if (IPPROTO_TCP == proto) {
+        counts.tcp++;
+    }
+    if (LDNS_PACKET_QUERY != ldns_pkt_get_opcode(pkt))
+        goto done;
+    question_rr_list = ldns_pkt_question(pkt);
+    if (0 == question_rr_list)
+        goto done;
+    question_rr = ldns_rr_list_rr(question_rr_list, 0);
+    if (0 == question_rr)
+        goto done;
+    if (LDNS_RR_CLASS_IN == ldns_rr_get_class(question_rr))
+        if (LDNS_RR_TYPE_DNSKEY == ldns_rr_get_type(question_rr))
+            counts.dnskey++;
+    if (keytag_zone != 0)
+        rzkeychange_keytagsignal(pkt, question_rr, to); // 'to' here because plugin should be processing responses
+done:
+    ldns_pkt_free(pkt);
+}

plugins/rzkeychange/test1.sh

@@ -0,0 +1,21 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'rzkeychange.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the rzkeychange plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -n text -n text
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -s text -s text
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -z text -z text
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -k text -k text
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -a 1 -a 2 -a 3 -a 4 -a 5 -a 6 -a 7 -a 8 -a 9 -a 10 -a 11
+
+# LDNS resolver needs /etc/resolv.conf
+test -f /etc/resolv.conf || exit 0
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -D -t -p 5353 -a 127.0.0.1 -n n -s s -z example.com -k k

plugins/template/Makefile.am

@@ -0,0 +1,22 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS)
+
+pkglib_LTLIBRARIES = template.la
+template_la_SOURCES = template.c
+template_la_LDFLAGS = -module -avoid-version
+
+TESTS = test1.sh
+EXTRA_DIST = $(TESTS)
+CLEANFILES += *.pcap-dist
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(template_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif

plugins/template/template.c

@@ -0,0 +1,147 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netinet/in.h>
+
+#include "dnscap_common.h"
+
+static logerr_t*   logerr;
+static int         opt_f = 0;
+static const char* opt_x = 0;
+
+output_t template_output;
+
+void template_usage()
+{
+    fprintf(stderr,
+        "\ntemplate.so options:\n"
+        "\t-?         print these instructions and exit\n"
+        "\t-f         flag option\n"
+        "\t-x <arg>   option with argument\n");
+}
+
+void template_getopt(int* argc, char** argv[])
+{
+    /*
+     * The "getopt" function will be called from the parent to
+     * process plugin options.
+     */
+    int c;
+    while ((c = getopt(*argc, *argv, "?fx:")) != EOF) {
+        switch (c) {
+        case 'f':
+            opt_f = 1;
+            break;
+        case 'x':
+            opt_x = strdup(optarg);
+            break;
+        case '?':
+            template_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+}
+
+int template_start(logerr_t* a_logerr)
+{
+    /*
+     * The "start" function is called once, when the program
+     * starts.  It is used to initialize the plugin.  If the
+     * plugin wants to write debugging and or error messages,
+     * it should save the a_logerr pointer passed from the
+     * parent code.
+     */
+    logerr = a_logerr;
+    return 0;
+}
+
+void template_stop()
+{
+    /*
+     * The "start" function is called once, when the program
+     * is exiting normally.  It might be used to clean up state,
+     * free memory, etc.
+     */
+}
+
+int template_open(my_bpftimeval ts)
+{
+    /*
+     * The "open" function is called at the start of each
+     * collection interval, which might be based on a period
+     * of time or a number of packets.  In the original code,
+     * this is where we opened an output pcap file.
+     */
+    return 0;
+}
+
+int template_close(my_bpftimeval ts)
+{
+    /*
+     * The "close" function is called at the end of each
+     * collection interval, which might be based on a period
+     * of time or on a number of packets.  In the original code
+     * this is where we closed an output pcap file.
+     */
+    return 0;
+}
+
+void template_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, const unsigned olen,
+    const u_char* payload, const unsigned payloadlen)
+{
+    /*
+     * Here you can "process" a packet.  The function is named
+     * "output" because in the original code this is where
+     * packets were outputted.
+     *
+     * if flags & PCAP_OUTPUT_ISDNS != 0 then payload is the start of a DNS message.
+     *
+     * if flags & PCAP_OUTPUT_ISFRAG != 0 then the packet is a fragment.
+     *
+     * if flags & PCAP_OUTPUT_ISLAYER != 0 then the pkt_copy is the same as payload.
+     */
+}

plugins/template/test1.sh

@@ -0,0 +1,13 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'template.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the template plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin"
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X

plugins/txtout/Makefile.am

@@ -0,0 +1,22 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = *.gcda *.gcno *.gcov
+
+AM_CFLAGS = -I$(srcdir) \
+    -I$(top_srcdir)/src \
+    -I$(top_srcdir)/isc \
+    $(SECCOMPFLAGS) $(libldns_CFLAGS)
+
+pkglib_LTLIBRARIES = txtout.la
+txtout_la_SOURCES = txtout.c
+txtout_la_LDFLAGS = -module -avoid-version $(libldns_LIBS)
+
+TESTS = test1.sh
+EXTRA_DIST = $(TESTS)
+CLEANFILES += test1.out *.pcap-dist
+
+if ENABLE_GCOV
+gcov-local:
+	for src in $(txtout_la_SOURCES); do \
+	  gcov -o .libs -l -r -s "$(srcdir)" "$$src"; \
+	done
+endif

plugins/txtout/test1.sh

@@ -0,0 +1,15 @@
+#!/bin/sh -xe
+
+plugin=`find . -name 'txtout.so' | head -n 1`
+if [ -z "$plugin" ]; then
+    echo "Unable to find the txtout plugin"
+    exit 1
+fi
+
+ln -fs "$srcdir/../../src/test/dns.pcap" dns.pcap-dist
+
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -?
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin"
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -s
+../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -o test1.out
+! ../../src/dnscap -r dns.pcap-dist -g -P "$plugin" -X

plugins/txtout/txtout.c

@@ -0,0 +1,299 @@
+/*
+ * Copyright (c) 2016-2021, OARC, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+ * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <ctype.h>
+#include <errno.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+#include <ldns/ldns.h>
+
+#include "dnscap_common.h"
+
+static logerr_t* logerr;
+static char*     opt_o = 0;
+static int       opt_s = 0;
+static FILE*     out   = 0;
+
+output_t txtout_output;
+
+void txtout_usage()
+{
+    fprintf(stderr,
+        "\ntxtout.so options:\n"
+        "\t-?         print these instructions and exit\n"
+        "\t-o <arg>   output file name\n"
+        "\t-s         short output, only QTYPE/QNAME for IN\n");
+}
+
+void txtout_getopt(int* argc, char** argv[])
+{
+    /*
+     * The "getopt" function will be called from the parent to
+     * process plugin options.
+     */
+    int c;
+    while ((c = getopt(*argc, *argv, "?so:")) != EOF) {
+        switch (c) {
+        case 'o':
+            if (opt_o)
+                free(opt_o);
+            opt_o = strdup(optarg);
+            break;
+        case 's':
+            opt_s = 1;
+            break;
+        case '?':
+            txtout_usage();
+            if (!optopt || optopt == '?') {
+                exit(0);
+            }
+            // fallthrough
+        default:
+            exit(1);
+        }
+    }
+}
+
+int txtout_start(logerr_t* a_logerr)
+{
+    /*
+     * The "start" function is called once, when the program
+     * starts.  It is used to initialize the plugin.  If the
+     * plugin wants to write debugging and or error messages,
+     * it should save the a_logerr pointer passed from the
+     * parent code.
+     */
+    logerr = a_logerr;
+    if (opt_o) {
+        out = fopen(opt_o, "w");
+        if (0 == out) {
+            logerr("%s: %s\n", opt_o, strerror(errno));
+            exit(1);
+        }
+    } else {
+        out = stdout;
+    }
+    setbuf(out, 0);
+    return 0;
+}
+
+void txtout_stop()
+{
+    /*
+     * The "start" function is called once, when the program
+     * is exiting normally.  It might be used to clean up state,
+     * free memory, etc.
+     */
+    if (out != stdout)
+        fclose(out);
+}
+
+int txtout_open(my_bpftimeval ts)
+{
+    /*
+     * The "open" function is called at the start of each
+     * collection interval, which might be based on a period
+     * of time or a number of packets.  In the original code,
+     * this is where we opened an output pcap file.
+     */
+    return 0;
+}
+
+int txtout_close(my_bpftimeval ts)
+{
+    /*
+     * The "close" function is called at the end of each
+     * collection interval, which might be based on a period
+     * of time or on a number of packets.  In the original code
+     * this is where we closed an output pcap file.
+     */
+    return 0;
+}
+
+ia_str_t           ia_str           = 0;
+tcpstate_getcurr_t tcpstate_getcurr = 0;
+tcpstate_reset_t   tcpstate_reset   = 0;
+
+void txtout_extension(int ext, void* arg)
+{
+    switch (ext) {
+    case DNSCAP_EXT_IA_STR:
+        ia_str = (ia_str_t)arg;
+        break;
+    case DNSCAP_EXT_TCPSTATE_GETCURR:
+        tcpstate_getcurr = (tcpstate_getcurr_t)arg;
+        break;
+    case DNSCAP_EXT_TCPSTATE_RESET:
+        tcpstate_reset = (tcpstate_reset_t)arg;
+        break;
+    }
+}
+
+void txtout_output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
+    unsigned sport, unsigned dport, my_bpftimeval ts,
+    const u_char* pkt_copy, unsigned olen,
+    const u_char* payload, unsigned payloadlen)
+{
+    /*
+     * Short output, only print QTYPE and QNAME for IN records
+     */
+    if (opt_s) {
+        if (flags & DNSCAP_OUTPUT_ISDNS) {
+            ldns_pkt* pkt;
+
+            if (ldns_wire2pkt(&pkt, payload, payloadlen) != LDNS_STATUS_OK) {
+                if (tcpstate_getcurr && tcpstate_reset)
+                    tcpstate_reset(tcpstate_getcurr(), "");
+                return;
+            }
+
+            ldns_rr_list* qds = ldns_pkt_question(pkt);
+            if (qds) {
+                ldns_rr* qd = ldns_rr_list_rr(qds, 0);
+
+                if (qd && ldns_rr_get_class(qd) == LDNS_RR_CLASS_IN) {
+                    ldns_buffer* buf = ldns_buffer_new(512);
+                    if (!buf) {
+                        logerr("out of memmory\n");
+                        exit(1);
+                    }
+
+                    if (ldns_rr_type2buffer_str(buf, ldns_rr_get_type(qd)) == LDNS_STATUS_OK) {
+                        fprintf(out, "%s", (char*)ldns_buffer_begin(buf));
+                    } else {
+                        fprintf(out, "ERR");
+                    }
+
+                    ldns_buffer_clear(buf);
+                    if (ldns_rdf2buffer_str(buf, ldns_rr_owner(qd)) == LDNS_STATUS_OK) {
+                        fprintf(out, " %s\n", (char*)ldns_buffer_begin(buf));
+                    } else {
+                        fprintf(out, "ERR\n");
+                    }
+                    ldns_buffer_free(buf);
+                }
+            }
+            ldns_pkt_free(pkt);
+        }
+        return;
+    }
+
+    /*
+     * IP Stuff
+     */
+    fprintf(out, "%10ld.%06ld", (long)ts.tv_sec, (long)ts.tv_usec);
+    fprintf(out, " %s %u", ia_str(from), sport);
+    fprintf(out, " %s %u", ia_str(to), dport);
+    fprintf(out, " %hhu", proto);
+
+    if (flags & DNSCAP_OUTPUT_ISDNS) {
+        ldns_pkt* pkt;
+
+        if (ldns_wire2pkt(&pkt, payload, payloadlen) != LDNS_STATUS_OK) {
+            if (tcpstate_getcurr && tcpstate_reset)
+                tcpstate_reset(tcpstate_getcurr(), "");
+            fprintf(out, "\n");
+            return;
+        }
+
+        /*
+         * DNS Header
+         */
+        fprintf(out, " %u", ldns_pkt_id(pkt));
+        fprintf(out, " %u", ldns_pkt_get_opcode(pkt));
+        fprintf(out, " %u", ldns_pkt_get_rcode(pkt));
+        fprintf(out, " |");
+        if (ldns_pkt_qr(pkt))
+            fprintf(out, "QR|");
+        if (ldns_pkt_aa(pkt))
+            fprintf(out, "AA|");
+        if (ldns_pkt_tc(pkt))
+            fprintf(out, "TC|");
+        if (ldns_pkt_rd(pkt))
+            fprintf(out, "RD|");
+        if (ldns_pkt_ra(pkt))
+            fprintf(out, "RA|");
+        if (ldns_pkt_ad(pkt))
+            fprintf(out, "AD|");
+        if (ldns_pkt_cd(pkt))
+            fprintf(out, "CD|");
+
+        ldns_rr_list* qds = ldns_pkt_question(pkt);
+        if (qds) {
+            ldns_rr* qd = ldns_rr_list_rr(qds, 0);
+
+            if (qd) {
+                ldns_buffer* buf = ldns_buffer_new(512);
+                if (!buf) {
+                    logerr("out of memmory\n");
+                    exit(1);
+                }
+
+                if (ldns_rr_class2buffer_str(buf, ldns_rr_get_class(qd)) == LDNS_STATUS_OK) {
+                    fprintf(out, " %s", (char*)ldns_buffer_begin(buf));
+                } else {
+                    fprintf(out, " ERR");
+                }
+
+                ldns_buffer_clear(buf);
+                if (ldns_rr_type2buffer_str(buf, ldns_rr_get_type(qd)) == LDNS_STATUS_OK) {
+                    fprintf(out, " %s", (char*)ldns_buffer_begin(buf));
+                } else {
+                    fprintf(out, " ERR");
+                }
+
+                ldns_buffer_clear(buf);
+                if (ldns_rdf2buffer_str(buf, ldns_rr_owner(qd)) == LDNS_STATUS_OK) {
+                    fprintf(out, " %s", (char*)ldns_buffer_begin(buf));
+                } else {
+                    fprintf(out, "ERR");
+                }
+                ldns_buffer_free(buf);
+            }
+        }
+        ldns_pkt_free(pkt);
+    }
+    /*
+     * Done
+     */
+    fprintf(out, "\n");
+}