[dnstap] DNSTAP vs PCAP

Barry Raveendran Greene bgreene at senki.org
Fri Feb 3 14:24:53 UTC 2017


Thanks Paul. Some conversations I’ve had say that PCAP will work just as well as DNSTAP. How would we contrast the advantages with the way DNSTAP can be more effectively transported, aggregated, and pulled into the collector?


> On Feb 2, 2017, at 2:13 PM, Paul Vixie <paul at redbarn.org> wrote:
> 
> On Thursday, February 2, 2017 7:56:15 AM PST Barry Raveendran Greene wrote:
> 
>> Has anyone done a good contrast between DNSTAP vs PCAP streaming?
>> DNSTAP is picking up momentum. The FAQ would be how it compares to PCAP.
> 
> Whereas PCAP is a low level packet storage and transfer format and
> associated tools, 'dnstap' is a high-level DNS-specific telemetry
> storage and transfer format and associated tools. The 'dnstap' format
> for example does not carry the ISO-L2 ("ethernet") addresses associated
> with queries and responses, and it can associate a query with its
> response and store or transfer the resulting transaction as a single
> atomic unit. Finally, since 'dnstap' resides in the DNS protocol agent
> (client, server, or proxy) it can carry information that would never
> otherwise appear "on the wire" outside of the DNS protocol agent. For
> example, the "working delegation-point" of a transaction reported by
> 'dnstap' can be reported explicitly, whereas for a transaction whose
> packets are witnessed via PCAP, the "working delegation-point" must be
> imputed/guessed.
> 
> -- 
> P. Vixie
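Added example, not code from this thread or from the dnstap project: a small Python model of the difference Paul describes. A PCAP-based collector only sees individual packets, so it has to impute which response belongs to which query (and cope with retransmits, unanswered queries and stray responses), whereas a dnstap agent already holds both halves and can emit the transaction as one unit without any L2 addresses. The `Packet` and `Transaction` classes, their field names and the sample packets are constructed for illustration and only loosely mirror dnstap's message fields.

```python
"""Pairing DNS queries with responses from packet-level records (the PCAP view)
versus receiving them already paired (the dnstap view).

All sample data below is constructed for this example; it is not a real capture.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One DNS message as a packet capture presents it: L2 addresses and all."""
    ts: float
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    txid: int
    qname: str
    is_response: bool
    rcode: Optional[str] = None


@dataclass
class Transaction:
    """Query and response as a single unit, the way a DNS agent can report it.

    Note there are no MAC fields: like dnstap, this record omits L2 addresses.
    """
    query_address: str
    query_port: int
    response_address: str
    query_time: float
    qname: str
    txid: int
    response_time: Optional[float] = None
    rcode: Optional[str] = None


def correlate_pcap(packets: List[Packet]) -> Tuple[List[Transaction], List[Transaction], List[Packet], int]:
    """Infer query/response pairs from packets using 5-tuple, DNS ID and qname.

    Returns (completed, unanswered, orphans, retransmits). This inference step is
    exactly what a PCAP consumer must do and a dnstap agent never needs to.
    """
    pending = {}
    completed: List[Transaction] = []
    orphans: List[Packet] = []
    retransmits = 0
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if not p.is_response:
            key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.txid, p.qname)
            if key in pending:
                retransmits += 1  # same query resent; keep the first timestamp
                continue
            pending[key] = Transaction(query_address=p.src_ip, query_port=p.src_port,
                                       response_address=p.dst_ip, query_time=p.ts,
                                       qname=p.qname, txid=p.txid)
        else:
            # Flip the tuple: the response's destination is the original querier.
            key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.txid, p.qname)
            tx = pending.pop(key, None)
            if tx is None:
                orphans.append(p)  # response with no query seen on this capture point
                continue
            tx.response_time = p.ts
            tx.rcode = p.rcode
            completed.append(tx)
    return completed, list(pending.values()), orphans, retransmits


def latency(tx: Transaction) -> Optional[float]:
    """Query-to-response time in seconds, or None if never answered."""
    return None if tx.response_time is None else tx.response_time - tx.query_time


# Constructed sample traffic seen between a stub (192.0.2.x) and a resolver (198.51.100.1).
_SM, _RM = "02:00:00:00:00:0a", "02:00:00:00:00:01"


def _q(ts, cip, cport, txid, qname):
    return Packet(ts, _SM, _RM, cip, "198.51.100.1", cport, 53, txid, qname, False)


def _r(ts, cip, cport, txid, qname, rcode="NOERROR"):
    return Packet(ts, _RM, _SM, "198.51.100.1", cip, 53, cport, txid, qname, True, rcode)


SAMPLE_PACKETS = [
    _q(1.000, "192.0.2.10", 40001, 0x1A2B, "example.com."),
    _r(1.020, "192.0.2.10", 40001, 0x1A2B, "example.com."),
    _q(2.000, "192.0.2.11", 40002, 0x3C4D, "example.net."),          # never answered
    _q(3.000, "192.0.2.10", 40003, 0x5E6F, "example.org."),
    _q(3.500, "192.0.2.10", 40003, 0x5E6F, "example.org."),          # retransmit
    _r(3.600, "192.0.2.10", 40003, 0x5E6F, "example.org.", "NXDOMAIN"),
    _r(4.000, "192.0.2.10", 40004, 0x7777, "example.edu."),          # no query seen
]

if __name__ == "__main__":
    done, unanswered, orphans, retx = correlate_pcap(SAMPLE_PACKETS)
    for tx in done:
        print(f"{tx.qname:14} {tx.rcode:9} {latency(tx):.3f}s")
    print(f"unanswered={len(unanswered)} orphans={len(orphans)} retransmits={retx}")
```

The three non-matching cases (the unanswered `example.net.` query, the retransmitted `example.org.` query and the orphan `example.edu.` response) are the ones a PCAP-based pipeline has to resolve heuristically; an agent-side record already knows which response it sent for which query and carries that pairing as one unit.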
