[dsc] qtype dataset is empty
andrew.ruthven at catalyst.net.nz
Wed May 20 16:59:46 MDT 2009
On Wed, 2009-05-20 at 16:50 -0600, Duane Wessels wrote:
> On Thu, 21 May 2009, Andrew Ruthven wrote:
> > I've applied it, but it didn't produce any output. However, I played
> > around with tcpdump and it seems that the required bpf filter has
> > changed. Using "vlan 1" no longer caught in-bound packets (even though
> > they're in vlan 1). I removed that and now I'm seeing Qtypes again!
> I've experience similar strangeness with VLANs and BPF as well.
> But originally you said that you were getting data in other datasets
> and that only qtype data was empty. Was that really the case??
The vlan is only set for the queries, not for the replies (go figure).
It turns out that the other datasets I'd checked were only looking at
the replies. I hadn't checked other datasets that looked at queries
(except for all the other Qtype datasets). But looking back through the
presenter the other datasets that inspected queries are empty as well.
> The VLAN checks are applied before any DNS message inspection. I guess
> I could believe that you were seeing some IP-layer datasets but if
> the filter was choking on VLANs then all of the DNS datasets should
> have been empty I think.
Agreed, except for the replies not having the vlan tags.
Andrew Ruthven, Wellington, New Zealand
At work: andrew.ruthven at catalyst.net.nz
At home: andrew at etc.gen.nz
GPG fpr: 34CA 12A3 C6F8 B156 72C2 D0D7 D286 CE0C 0C62 B791
More information about the dsc