[dnstap] Python sample to read DNSTAP log or from UNIX socket

joff.thyer at cybercovenant.com
Wed May 29 12:53:19 UTC 2019


Hello all,

Having recently enabled DNSTAP on my local name server, I was wondering if there was any available Python script to read the binary log structure?

I managed to use “protoc” to create the Python module from the “dnstap.proto” definition as follows:

protoc --python_out=. dnstap.proto

Now I have “dnstap_pb2.py” which I can import into Python3 as follows… but when I tried to “ParseFromString()”, I got an error message. Please note that “dnstap.log” below was produced by “fstrm_capture”.

My questions:

(1) Is there another way to approach this?
(2) Should I consider reading directly from unix socket instead?

Please see output below:

Python 3.6.7 (default, Oct 22 2018, 11:32:17)
[GCC 8.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>
>>> f = open("dnstap.log", "rb")
>>> contents = f.read()
>>> f.close()
>>>
>>> import dnstap_pb2
>>> a = dnstap_pb2.Dnstap()
>>> a.ParseFromString(contents)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/jsthyer/Project/dnstap.pb/google/protobuf/message.py", line 187, in ParseFromString
    return self.MergeFromString(serialized)
  File "/home/jsthyer/Project/dnstap.pb/google/protobuf/internal/python_message.py", line 1128, in MergeFromString
    if self._InternalParse(serialized, 0, length) != length:
  File "/home/jsthyer/Project/dnstap.pb/google/protobuf/internal/python_message.py", line 1180, in InternalParse
    buffer, new_pos, wire_type) # pylint: disable=protected-access
  File "/home/jsthyer/Project/dnstap.pb/google/protobuf/internal/decoder.py", line 952, in _DecodeUnknownField
    raise _DecodeError('Wrong wire type in tag.')
google.protobuf.message.DecodeError: Wrong wire type in tag.




Joff
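
Added example, not part of the original post and not code from the dnstap or fstrm projects: files written by fstrm_capture use Frame Streams framing (length-prefixed data frames between START and STOP control frames), so each data frame has to be extracted before it is handed to Dnstap.ParseFromString(). The function names, the 1 MiB frame cap and the sample bytes are assumptions made for this sketch.

```python
import io
import struct

CONTROL_START, CONTROL_STOP = 2, 3   # Frame Streams control frame types
CONTENT_TYPE = b"protobuf:dnstap.Dnstap"
# START carries one content-type field: field id 1, length, value.
START_FIELDS = struct.pack("!II", 1, len(CONTENT_TYPE)) + CONTENT_TYPE
MAX_FRAME = 1 << 20                  # assumed cap so a corrupt length cannot exhaust memory

def _read_exact(stream, n):
    data = stream.read(n)
    if len(data) != n:
        raise EOFError("truncated Frame Streams input")
    return data

def read_dnstap_payloads(stream):
    """Yield each data-frame payload (one serialized Dnstap message)."""
    started = False
    while True:
        head = stream.read(4)
        if not head:                 # clean EOF, e.g. capture still running
            return
        length = struct.unpack("!I", head + _read_exact(stream, 4 - len(head)))[0]
        if length:                   # non-zero length: a data frame
            if not started or length > MAX_FRAME:
                raise ValueError("unexpected or oversized data frame")
            yield _read_exact(stream, length)
            continue
        # A zero length is the escape that introduces a control frame.
        clen = struct.unpack("!I", _read_exact(stream, 4))[0]
        if not 4 <= clen <= MAX_FRAME:
            raise ValueError("bad control frame length")
        control = _read_exact(stream, clen)
        ctype = struct.unpack("!I", control[:4])[0]
        if ctype == CONTROL_STOP:
            return
        if ctype == CONTROL_START:
            if control[4:] != START_FIELDS:
                raise ValueError("START frame does not declare dnstap content")
            started = True

def _control(ctype, fields=b""):
    return struct.pack("!III", 0, 4 + len(fields), ctype) + fields
def _data(payload):
    return struct.pack("!I", len(payload)) + payload
# Constructed sample: START, two placeholder payloads, STOP (not real dnstap records).
SAMPLE = (_control(CONTROL_START, START_FIELDS) + _data(b"\x0a\x03ns1")
          + _data(b"\x0a\x03ns2") + _control(CONTROL_STOP))
if __name__ == "__main__":
    for payload in read_dnstap_payloads(io.BytesIO(SAMPLE)):
        print(payload.hex())         # real use: dnstap_pb2.Dnstap().ParseFromString(payload)
```

For a real capture, open the file in binary mode and pass the file object instead of the constructed SAMPLE.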