Vendor: ISC (1)

Type: dnsqr (2)

Definition: http://rsfcode.isc.org/git/nmsg/tree/nmsg/isc/dnsqr.proto

Description: A message type for capturing DNS query/response state

It has the following fields:

    * type (enum)
        One of the values UDP_INVALID, UDP_QUERY_RESPONSE,
        UDP_UNANSWERED_QUERY, UDP_UNSOLICITED_RESPONSE, TCP, or ICMP.

        UDP_QUERY_RESPONSE messages are pairs of query/response messages
        where the full 9-tuple of <query_ip, response_ip, IP protocol,
        query_port, response_port, DNS ID, qname, qtype, qclass> matches
        between the query and the response.

        UDP_UNANSWERED_QUERY messages are queries which were sent but never
        responded to within the state table window.

        UDP_UNSOLICITED_RESPONSE messages are responses which were received
        but for which no corresponding query could be found in the state
        table.

    A 9-tuple of fields associated with the transaction's state:

    * query_ip (ip)
    * response_ip (ip)
    * proto (uint16)
    * query_port (uint16)
    * response_port (uint16)
    * id (uint16)
    * qname (bytes)
    * qclass (bytes)
    * qtype (bytes)
        When the DNS QR flag is unset (i.e., the message is a query), the
        query IP and query port are the IP source address and source port
        and the response IP and response port are the IP destination
        address and destination port.

        When the DNS QR flag is set (i.e., the message is a response), the
        query IP and query port are the IP destination address and
        destination port and the response IP and response port are the IP
        source address and source port.

    * rcode (uint16)
        The DNS RCODE of the response.

    * query (bytes)
    * response (bytes)
        These are virtual fields which return the DNS query message and
        the DNS response message after any IP reassembly, so they may
        differ from the individual packets seen on the wire. The original
        packets as seen on the wire are recorded in the following fields
        and may be accessed via the message API. (The "response" field is
        also accessible as the "dns" field for compatibility with the
        ISC/ncap message type.)

    * query_packet (bytes)
    * query_time_sec (int64)
    * query_time_nsec (int32)
    * response_packet (bytes)
    * response_time_sec (int64)
    * response_time_nsec (int32)
        The <http://rsfcode.isc.org/git/nmsg/tree/examples/nmsg-dnsqr2pcap.c> program
        reads these fields and can convert ISC/dnsqr NMSG files into
        standard DLT_RAW pcap savefiles.
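The pairing rule described under the type enum and the QR-flag orientation of the 9-tuple, as an added Python example that is not part of nmsg or of this page: a minimal state table that keys each packet by the QR-oriented 9-tuple, pairs responses with pending queries, and classifies the outcome with the dnsqr type names. The Packet structure, the window expiry on packet arrival, and numeric qtype/qclass values are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    """Decoded UDP/DNS packet (constructed input; a hypothetical decoder's output)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    dns_id: int
    qname: bytes
    qtype: int      # numeric here; the real dnsqr field carries raw bytes
    qclass: int
    qr: bool        # DNS QR header flag: False = query, True = response
    ts: float       # capture time in seconds

def key_for(p: Packet) -> Tuple:
    """9-tuple oriented by the QR flag: the query side is the IP source for a
    query and the IP destination for a response, so both map to one key."""
    if not p.qr:
        q_ip, q_port, r_ip, r_port = p.src_ip, p.src_port, p.dst_ip, p.dst_port
    else:
        q_ip, q_port, r_ip, r_port = p.dst_ip, p.dst_port, p.src_ip, p.src_port
    return (q_ip, r_ip, 17, q_port, r_port, p.dns_id, p.qname, p.qtype, p.qclass)

class DnsqrStateTable:
    """Pairs queries with responses inside a window and emits the UDP_* names
    of the ISC/dnsqr "type" enum (assumed algorithm, not nmsg's own code)."""
    def __init__(self, window_sec: float) -> None:
        self.window = window_sec
        self.pending: Dict[Tuple, Packet] = {}  # unanswered queries by key
    def expire(self, now: float) -> List[Tuple[str, Tuple]]:
        """Emit UDP_UNANSWERED_QUERY for every query older than the window."""
        stale = [k for k, q in self.pending.items() if now - q.ts > self.window]
        for k in stale:
            del self.pending[k]
        return [("UDP_UNANSWERED_QUERY", k) for k in stale]

    def process(self, p: Packet) -> List[Tuple[str, Tuple]]:
        out = self.expire(p.ts)
        k = key_for(p)
        if not p.qr:                                 # query: park until answered
            self.pending[k] = p
        elif self.pending.pop(k, None) is not None:  # response matches a query
            out.append(("UDP_QUERY_RESPONSE", k))
        else:                                        # response with no query
            out.append(("UDP_UNSOLICITED_RESPONSE", k))
        return out
```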