Releases: DNS-OARC/dnscap
Release 1.12.0
This release fixes the handling of the -? option for dnscap and all plugins. Previously the handling varied between places and, depending on the getopt() implementation, an invalid option could return the wrong exit code.
Other changes:
- Fix typo in configure help text
- plugins/anonmask: Fix typo in help text
- plugins/rzkeychange:
  - Add -D, dry run mode, for testing
  - Fix handling of -a and error on too many
  - Add
KNOWN ISSUES:
On OpenBSD the system library libc exports the same symbols as libbind does and this causes runtime warnings. Until now this has not caused any known problems, but it is now also causing segfaults if the packet filter used (BPF) includes IPv6 addresses.
On all other platforms OARC supports, these symbols are macros and so should not cause any problem.
Due to submodules in the repository please download this tarball:
https://www.dns-oarc.net/files/dnscap/dnscap-1.12.0.tar.gz
sha256: 564deb3b7abc5197950bf223bdc9ed7d2a2a04fbadf2f04ed7cd7d57e9d175c7
Packages are available at: https://dev.dns-oarc.net/packages/
ee478c0 Known issues
2f9d957 Tests
3c663a2 Tests
c88efc5 rzkeychange test
f062f33 Tests
Release 1.11.1
This release fixes a lot of issues found by code analysis, adds an explicit memory zeroing function to remove account information (read when dropping privileges) and adds code coverage reporting.
Due to submodules in the repository please download this tarball:
https://www.dns-oarc.net/files/dnscap/dnscap-1.11.1.tar.gz
sha256: c1bd61012c6733e2e9aef6cc67cda25462cf8f81cd656968bdb988e80cc68a1f
Packages are available at: https://dev.dns-oarc.net/packages/
The dnscap_memzero() function will use explicit_bzero() on FreeBSD and OpenBSD, or memset_s() (if supported), otherwise it will manually set the memory to zero. This will hopefully ensure that the memory is zeroed, as compilers can optimize out a memset() that comes just before free().
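The fallback chain described above, as an added example that is not dnscap's own dnscap_memzero() code. The names secure_zero() and scrub_before_free() are hypothetical, and the secret is a constructed sample value.

```c
/* Added example: not dnscap's dnscap_memzero(). secure_zero() and
 * scrub_before_free() are hypothetical names. */
#define __STDC_WANT_LIB_EXT1__ 1 /* ask for memset_s() where available */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h> /* explicit_bzero() lives here on FreeBSD */

/* Zero len bytes at p so that the compiler cannot drop the stores. */
static void secure_zero(void *p, size_t len)
{
    if (p == NULL || len == 0)
        return;
#if defined(__FreeBSD__) || defined(__OpenBSD__)
    explicit_bzero(p, len);
#elif defined(__STDC_LIB_EXT1__)
    (void)memset_s(p, len, 0, len);
#else
    /* Manual fallback: each volatile store is an observable side effect. */
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--)
        *vp++ = 0;
#endif
}

/* Copy a secret to the heap, scrub it, and return how many non-zero bytes
 * are left just before free(). A plain memset() here is a dead store. */
static size_t scrub_before_free(const char *secret)
{
    size_t len = strlen(secret) + 1, left = 0, i;
    char *buf = malloc(len);
    if (buf == NULL)
        return (size_t)-1;
    memcpy(buf, secret, len); /* stand-in for reading account data */
    secure_zero(buf, len);
    for (i = 0; i < len; i++)
        left += (buf[i] != 0);
    free(buf);
    return left;
}

int main(void)
{
    /* Constructed sample value, not a real credential. */
    printf("non-zero bytes left: %zu\n", scrub_before_free("$6$constructed$hash"));
    return 0;
}
```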
The plugins' exit code for the help option -? has been changed to 0, the same as dnscap -?.
d9747ee memzero
1cf17c6 Coverage
19c7120 Coverage
7435676 Sonarcloud
928e181 Sonarcloud
ca4afd0 Sonarcloud
028f5e0 Badges
db0d6a1 LGTM
Release 1.11.0
This release includes a new plugin called eventlog, contributed by Byron Darrah (@ByronDarrah), that outputs DNS activity as log events, including answers to A and AAAA queries.
Other changes include compile warning and code analysis fixes.
Due to submodules in the repository please download this tarball:
https://www.dns-oarc.net/files/dnscap/dnscap-1.11.0.tar.gz
sha256: 1207b75c9d532b4e9359d12c15e681e381310ff71824c75404632b383a625725
Packages are available at: https://dev.dns-oarc.net/packages/
382eac4 COPR
4c03650 Compile warn
21d6a67 Slight change -- wording now matches usage() output.
dd19b0b Added the eventlog.so plugin...
1ebf504 Added new dnscap plugin: evenlog.so...
f3f9aaa Compile warnings
Release 1.10.4
Fixed a bug where privileges were not dropped when no interface was specified (which is equal to capturing on all interfaces). Added functionality to set the supplemental groups when dropping privileges and changing user, or clear them if that is not supported. Other changes include a corrected man-page about '-w' and updates to documentation.
Due to submodules in the repository please download this tarball:
https://www.dns-oarc.net/files/dnscap/dnscap-1.10.4.tar.gz
sha256: e24c05c8e3f65fdbf3e40ce34acc1a3b97829d91b4f20da34041042b9dbb4269
Packages are available at: https://dev.dns-oarc.net/packages/
a0285e4 drop privileges errors, initgroups/setgroups
96336f3 daemon: Attempt to drop supplemental groups
467a9a7 Drop privileges
de940a8 man-page -w
187ec43 README
Release 1.10.3
Fixed plugins inclusion in deb packages for Debian and Ubuntu.
Due to submodules in the repository please download this tarball:
https://www.dns-oarc.net/files/dnscap/dnscap-1.10.3.tar.gz
sha256: 1be6fa745c8654fb99fd951e767d0dddb50131c96806fa920a92a294f8f36e18
Packages are available at: https://dev.dns-oarc.net/packages/
Release 1.10.2
Fixed a bug in the handling of defragmentation configuration which led to the use of a local scope variable later on and caused unexpected behavior.
Due to submodules in the repository please download this tarball:
https://www.dns-oarc.net/files/dnscap/dnscap-1.10.2.tar.gz
sha256: fabeb5e037b80f572808e10aafcbf12190e0e62a89c2695d0cc52bd7de30c28b
Packages are available at: https://dev.dns-oarc.net/packages/
Release 1.10.1
Fix various issues found by code analysis tools, a few compiler warnings removed, undefined bit shift behavior fixed, parameter memory leaks plugged and documentation updates.
Due to submodules in the repository please download this tarball:
https://www.dns-oarc.net/files/dnscap/dnscap-1.10.1.tar.gz
sha256: f919e6a8494e35b4a3428999fe4665ecb35c2ae1452d0c35da823f608c77a84f
Packages are available at: https://dev.dns-oarc.net/packages/
Fixes:
- dump_dns: Remove usage of strcpy() and use snprintf() instead of sprintf()
- bpft:
  - Use text_ptr->len to store length of generated text
  - Use memcpy() instead of strcat()
  - Remove unneeded realloc() and strcpy()
  - Use
- plugins/cryptopan: Fix strict-aliasing warnings
- network: Rework part of dl_pkt() to remove usage of strcpy() and use snprintf() instead of sprintf()
- plugins/anonaes128: Use a6 as dest when copying v4 addresses for readability and code analysis
- plugins/cryptopan: Run first pass separate to eliminate a 32bit shift by 32 (undefined behavior)
- plugins/cryptopant: Fix memory leak of keyfile if -k is specified more than once
Documentation:
- Update README.md with correction to building from git and note about PCAP on OpenBSD
- Fix #190: Update link to libbind source
074923c Funding
5d2e84c libbind
8ee9f2a Travis-CI
6babd09 Fixes
bb2d1c7 README, compile warnings
0d9cd9c LGTM, Travis-CI
Release 1.10.0
This release adds a new plugin type "filter" and 5 new plugins that can do anonymization, deanonymization and masking of the IP addresses.
Due to submodules in the repository please download this tarball:
https://www.dns-oarc.net/files/dnscap/dnscap-1.10.0.tar.gz
sha256: 00f4b04a179e2a7c81a426c72ab228efe408868c1caf0c6cb0aa7906055222f4
Packages are available at: https://dev.dns-oarc.net/packages/
New features:
- Check plugins for pluginname_type() which returns enum plugin_type, if missing the plugin is counted as an "output" plugin
- New plugin type "filter" which calls pluginname_filter() prior to outputting any data or calling of "output" plugins, if the new function returns non-zero then the packet is filtered out (dropped)
- New extension DNSCAP_EXT_SET_IADDR that gives access to a function for setting the from and to IP addresses both in the extracted data and the wire
New plugins:
- anonaes128: Anonymize IP addresses using AES128
- anonmask: Pseudo-anonymize IP addresses by masking them
- cryptopan: Anonymize IP addresses using an extension to Crypto-PAn (College of Computing, Georgia Tech) made by David Stott (Lucent)
- cryptopant: Anonymize IP addresses using cryptopANT, a different implementation of Crypto-PAn made by the ANT project at USC/ISI
- ipcrypt: Anonymize IP addresses using ipcrypt created by Jean-Philippe Aumasson @veorq
Bugfixes:
- Fix changing royparse and txtout with other plugins (thanks to Duane Wessels @wessels and Paul Hoffman @paulehoffman)
- Free pointers to allocated strings in text_free() (thanks to Michał Kępień @kempniu)
- Fix IP checksum calculation
Other changes:
- -B and -E can be used without -w (thanks to Duane Wessels @wessels)
- Use pcap_findalldevs() instead of pcap_lookupdev() (thanks to Michał Kępień @kempniu)
- Document and add -? option to all plugins
- Fix clang scan-build bugs and LGTM alerts
- Use gmtime_r() instead of gmtime()
- Update pcap-thread to v4.0.0
67d8e2c Fix
fb0ed02 Plugin documentation
a2c9a6c cryptopant
39db1ca Deanonymize, IPv6 test
afc7107 Crypto-PAn, cryptopANT
f1912cc OpenSSL, anonaes128
f2bab62 ipcrypt, anonmask
158b1e7 anonmask help
60ece58 anonmask
8f1b138 Plugin types, filter plugin, set iaddr extension, anonymization by masking
b7d7991 IP checksum
641a23a Free pointers to allocated strings in text_free()
4d313bf pcap_findalldevs()
091e0ca Use pcap_findalldevs() instead of pcap_lookupdev()
6a7b25e Clean up use of feature test macros on Linux
cbba14c Configure, uninitialized
f228c9c Code formatting
3fd738c man-page
770168a Test
714e4f5 Fix -B so that it works when reading offline pcap files.
8675bea Test
911fec9 Implementing test9 as a test of -B and -E command line args.
a7cc72d -B and -E can work fine without -w .
04c4928 Made the same changes to txtout as were in 165a786
165a786 Workaround for stdio mystery causing duplicate royparse output.
Release 1.9.0
This release adds a new option to change how the Berkeley Packet Filter is generated to include the host restrictions for all selections. Previously this restriction would only apply to specific parts.
Additional tweaks to the RSSM plugin have been made to conform to the RSSAC002v3 specification. One noticeable change is that the plugin now requires the DNS to be parsed before being counted; any error in the parsing will result in the message being left out of the statistics.
Due to submodules in the repository please download this tarball:
https://www.dns-oarc.net/files/dnscap/dnscap-1.9.0.tar.gz
sha256: 1c3793a65948e90be65730c915d808cfdc894ec3b61ee9a266c080eb1fac5382
Packages are available at: https://dev.dns-oarc.net/packages/
Changes:
- Fix spacing in BPF filter to look better
- Fix #146: Add bpf_hosts_apply_all, apply any host restriction to all
- plugin/rssm:
- plugin/rssm/dnscap-rssm-rssac002: Use YAML::Dump() for output
47d892b Issue #152: RSSM YAML output
d4f1466 Issue #152, Issue #91: Parse DNS before processing RSSM counters
68fc1ff BPF, bpf_hosts_apply_all
Release 1.8.0
This release updates the TCP stream code in order to be able to look at more than just the first query, for handling already ongoing TCP connections without having seen SYN/ACK and for reassembly of the TCP stream prior to parsing it for DNS with an additional layer of parsing (see reassemble_tcp_bfbparsedns).
Updates to the Root Server Scaling Measurement (RSSM) plugin have also been made to bring it up to date with the RSSAC002v3 specification, to be able to output the YAML format described, and to add a script to merge YAML files if the interval is less than the RSSAC002v3 24 hour period. See "Updates to the RSSM plugin" below and plugins/rssm/README.md.
Due to submodules in the repository please download this tarball:
https://www.dns-oarc.net/files/dnscap/dnscap-1.8.0.tar.gz
sha256: 5440fecc1a3f98948207e23549afe0c102b45eda5cde2a2b80ed446d88457558
Packages are available at: https://dev.dns-oarc.net/packages/
New extended options:
- parse_ongoing_tcp: Start tracking TCP connections even if SYN/ACK has not been seen
- allow_reset_tcpstate: Allow external reset of TCP state
- reassemble_tcp: Use to enable TCP stream reassembly
- reassemble_tcp_faultreset: Number of faults before resetting TCP state when reassembly is enabled
- reassemble_tcp_bfbparsedns: Enable an experimental additional layer of reassembly that uses libbind to parse the payload before accepting it. If the DNS is invalid it will move 2 bytes within the payload and treat it as a new payload, taking the DNS length again and restart the process. Requires libbind and reassemble_tcp.
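A simplified sketch of the resynchronisation step described for reassemble_tcp_bfbparsedns, as an added example that is not dnscap code. dns_plausible() is a hypothetical stand-in for the libbind parse, scan_stream() is a hypothetical name, and the byte stream is constructed. Every length prefix is bounds-checked against the remaining payload before it is trusted.

```c
/* Added example, not dnscap code; dns_plausible() stands in for libbind. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Accept only a full header, QDCOUNT == 1 and an in-bounds question. */
static int dns_plausible(const uint8_t *m, size_t len)
{
    size_t i = 12;
    if (len < 12 || m[4] != 0 || m[5] != 1)
        return 0;
    while (i < len && m[i] != 0) {
        if (m[i] > 63) /* plain labels only, no compression pointers */
            return 0;
        i += (size_t)m[i] + 1;
    }
    return i < len && len - i >= 5; /* root label + QTYPE + QCLASS */
}

/* Record offsets of accepted messages; on a bad candidate skip 2 bytes and
 * read a new length prefix there. Never reads past p[len - 1]. */
static size_t scan_stream(const uint8_t *p, size_t len, size_t *offs, size_t max)
{
    size_t pos = 0, n = 0;
    while (pos + 2 <= len && n < max) {
        size_t dlen = ((size_t)p[pos] << 8) | p[pos + 1];
        if (dlen <= len - pos - 2 && dns_plausible(p + pos + 2, dlen)) {
            offs[n++] = pos + 2;
            pos += 2 + dlen;
        } else {
            pos += 2;
        }
    }
    return n;
}

/* Constructed input: 4 leftover bytes, then one length-prefixed query. */
static const uint8_t sample[] = {
    0x00, 0x01, 0x00, 0x01, 0x00, 0x17, /* lost message tail, then length 23 */
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0, /* header */
    0x01, 'a', 0x03, 'c', 'o', 'm', 0x00, 0x00, 0x01, 0x00, 0x01 /* a.com A IN */
};

int main(void)
{
    size_t offs[4], n = scan_stream(sample, sizeof sample, offs, 4);
    printf("%zu message(s), first at offset %zu\n", n, n ? offs[0] : 0);
    return 0;
}
```

Stepping by 2 bytes only realigns when the leftover data has an even length, and the truncated stream in the test is rejected rather than read out of bounds.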
New extension functions for plugins:
- DNSCAP_EXT_TCPSTATE_GETCURR: Function to get a pointer for the current TCP state
- DNSCAP_EXT_TCPSTATE_RESET: Function to reset a TCP state
New features:
- Parse additional DNS queries in TCP connections
- -g and the txtout plugin will reset TCP state (if allowed) on failure to parse DNS
Bugfixes:
- Fix -g output, separate error message with a space
- Fix TCP packets wrongfully flagged as DNS when using layers.
- Fix TCP debug output when using layers, ia_str() is not safe to call twice in the same printf because of local buffer.
- Fix exported extension functions, need to be file local
New tests for:
- Multiple DNS queries in one TCP connection
- Query over TCP without SYN
- Queries over TCP with first query missing length
- Queries over TCP with middle payloads missing
- Add test with TCP stream that is missing multiple packets in the middle
Updates to the RSSM plugin (plugins/rssm):
- Add info about saving counts and sources
- Fix memory leak on fopen() errors
- Update to RSSAC002v3 specification
- New options:
  - -D to disable forking on close
  - -Y: Use RSSAC002v3 YAML format when writing counters, the file will contain multiple YAML documents, one for each RSSAC002v3 metric
    Used with: -S adds custom metric dnscap-rssm-sources and -A adds dnscap-rssm-aggregated-sources
  - -n: Set the service name to use in RSSAC002v3 YAML
  - -S: Write source IPs into counters file with the prefix source
  - -A: Write aggregated IPv6(/64) sources into counters file with the prefix aggregated-source
  - -a: Write aggregated IPv6(/64) sources to <name>.<timesec>.<timeusec>
- Add dnscap-rssm-rssac002 Perl script for merging RSSAC002v3 YAML files
- Add README.md for the plugin man-page for dnscap-rssm-rssac002
- Add test for YAML output and merging of YAML files
c7058c8 Use file local functions for all extensions
66b352d RSSM RSSAC002v3 YAML Tool
b09efc2 plugins/rssm RSSAC002v3
709aba6 Fix #89: Add additional reassembly layers that parses the payload byte for byte for valid DNS
04fa013 Fix CID 1463944 (again)
b1cf623 RSSM saving data and forking
fb23305 Fix CID 1463944
0fca1a8 Issue #89: TCP stream reassemble
bb6428c CID 1463814: Check ns_initparse() for errors
a57066f Fix #88: TCP handling