[dnstap] DNSTAP vs PCAP

Paul Vixie paul at redbarn.org
Thu Feb 2 22:13:17 UTC 2017

On Thursday, February 2, 2017 7:56:15 AM PST Barry Raveendran Greene wrote:


> Has anyone done a good contrast between DNSTAP vs PCAP streaming?
> DNSTAP is picking up momentum. The FAQ would be how it compares to PCAP.


Whereas PCAP is a low level packet storage and transfer format and
associated tools, 'dnstap' is a high-level DNS-specific telemetry
storage and transfer format and associated tools. The 'dnstap' format
for example does not carry the ISO-L2 ("ethernet") addresses associated
with queries and responses, and it can associate a query with its
response and store or transfer the resulting transaction as a single
atomic unit. Finally, since 'dnstap' resides in the DNS protocol agent
(client, server, or proxy) it can carry information that would never
otherwise appear "on the wire" outside of the DNS protocol agent. For
example, the "working delegation-point" of a transaction reported by
'dnstap' can be reported explicitly, whereas for a transaction whose
packets are witnessed via PCAP, the "working delegation-point" must be



P. Vixie
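
Added example, not part of the original message: a sketch of the query/response pairing that a PCAP-based collector has to reconstruct from separate packets, which the message says 'dnstap' can deliver as a single unit. The function names, the tuple layout of the packet records and the sample addresses are assumptions made for illustration.

```python
import struct

def build_msg(txid, qname, response=False, qtype=1):
    """Build a minimal DNS message (header + one question) for the sample below."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x8180 if response else 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (txid, is_response, qname, qtype) from a single-question DNS message."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[pos:pos + n].decode("ascii").lower())
        pos += n
    (qtype,) = struct.unpack("!H", msg[pos:pos + 2])
    return txid, bool(flags & 0x8000), ".".join(labels) + ".", qtype

def pair_transactions(packets):
    """packets: (ts_us, src, sport, dst, dport, payload). Returns (paired, unanswered qnames)."""
    pending, paired = {}, []
    for ts, src, sport, dst, dport, payload in packets:
        txid, is_resp, qname, qtype = parse_question(payload)
        # The client is the source of a query and the destination of a response.
        client, server = ((dst, dport), (src, sport)) if is_resp else ((src, sport), (dst, dport))
        key = (client, server, txid, qname, qtype)
        if not is_resp:
            pending[key] = ts
        elif key in pending:
            paired.append({"client": client, "qname": qname, "rtt_us": ts - pending.pop(key)})
    return paired, sorted(k[3] for k in pending)

SAMPLE = [  # constructed capture: two clients reuse one ID; one query is never answered
    (0, "192.0.2.10", 40001, "192.0.2.53", 53, build_msg(0x1A2B, "example.com")),
    (1000, "192.0.2.11", 40002, "192.0.2.53", 53, build_msg(0x1A2B, "example.net")),
    (20000, "192.0.2.53", 53, "192.0.2.11", 40002, build_msg(0x1A2B, "example.net", True)),
    (31000, "192.0.2.53", 53, "192.0.2.10", 40001, build_msg(0x1A2B, "example.com", True)),
    (40000, "192.0.2.10", 40003, "192.0.2.53", 53, build_msg(0x0001, "example.org")),
]
```

Matching on the message ID alone would confuse the two clients in the sample; the key therefore includes both endpoints and the question.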
