On Thursday, February 2, 2017 7:56:15 AM PST Barry Raveendran Greene wrote:

> Has anyone done a good contrast between DNSTAP vs PCAP streaming?
> DNSTAP is picking up momentum. The FAQ would be how it compares to PCAP.

 

Whereas PCAP is a low-level packet storage and transfer format and
associated tools, 'dnstap' is a high-level DNS-specific telemetry
storage and transfer format and associated tools. The 'dnstap' format,
for example, does not carry the ISO-L2 ("ethernet") addresses associated
with queries and responses, and it can associate a query with its
response and store or transfer the resulting transaction as a single
atomic unit. Finally, since 'dnstap' resides in the DNS protocol agent
(client, server, or proxy) it can carry information that would never
otherwise appear "on the wire" outside of the DNS protocol agent. For
example, the "working delegation-point" of a transaction reported by
'dnstap' can be reported explicitly, whereas for a transaction whose
packets are witnessed via PCAP, the "working delegation-point" must be
imputed/guessed.

 

-- 

P. Vixie



_______________________________________________
dnstap mailing list
[email protected]
http://lists.redbarn.org/mailman/listinfo/dnstap
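
The reply above notes that dnstap can deliver a query and its response as one atomic transaction, while a PCAP consumer has to reconstruct that pairing itself. The following is an added example, not part of the original message and not dnstap project code, showing that reconstruction over packet-level records; the record layout, addresses, helper names and sample packets are all constructed for illustration.

```python
import struct

def build_msg(txid, qname, qtype=1, response=False):
    """Build a minimal DNS message (header + one question); constructed sample input."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(payload):
    """Return (txid, is_response, lowercased qname, qtype) from a raw DNS payload."""
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while payload[pos] != 0:
        n = payload[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    (qtype,) = struct.unpack("!H", payload[pos + 1:pos + 3])
    return txid, bool(flags & 0x8000), ".".join(labels) + ".", qtype

def pair_transactions(packets):
    """Pair packet records (ts, src, sport, dst, dport, payload) into transactions."""
    pending, paired, orphans = {}, [], []
    for ts, src, sport, dst, dport, payload in packets:
        txid, is_resp, qname, qtype = parse_question(payload)
        if not is_resp:
            pending[(src, sport, dst, dport, txid, qname, qtype)] = ts
            continue
        key = (dst, dport, src, sport, txid, qname, qtype)  # reversed flow
        if key in pending:
            paired.append({"qname": qname, "client": dst, "server": src, "rtt": round(ts - pending.pop(key), 6)})
        else:
            orphans.append((ts, src, qname))  # response with no witnessed query
    return paired, pending, orphans

# Constructed packet-level records, as a PCAP reader might yield them.
SAMPLE = [
    (0.000, "192.0.2.10", 40000, "198.51.100.53", 53, build_msg(0x1A2B, "example.com")),
    (0.001, "192.0.2.10", 40001, "198.51.100.53", 53, build_msg(0x1A2B, "example.net")),
    (0.020, "198.51.100.53", 53, "192.0.2.10", 40000, build_msg(0x1A2B, "Example.COM", response=True)),
    (0.030, "198.51.100.53", 53, "192.0.2.10", 40002, build_msg(0x9999, "example.org", response=True)),
]

if __name__ == "__main__":
    print(pair_transactions(SAMPLE))
```

The match key has to include the flow tuple and the question as well as the 16-bit ID, since the two sample queries share an ID; the unanswered query and the unmatched response are the cases a packet-based pipeline must account for on its own.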
