>> tcpdump -v -x udp and port 53 and 'udp[20] == 3' and 'udp[21] == 102'
>> and 'udp[22] == 111' and 'udp[23] == 111'
>
> yow. looks WAY painful. have you tried dnscap? its CLI language has not
> changed in the last six months, so if you were waiting for it to settle
> out, now's your moment. https://www.dns-oarc.net/tools/dnscap has sources.
dnscap is excellent! Note that for my use case it would be preferable for the -e flag to default to showing everything (and hence not be needed) instead of discarding errors. Right now I execute `dnscap -e nytfsxir ...`, which is certainly not as painful as the tcpdump example above but not something you want to type in all the time.

Overall dnscap is a great tool for debugging. I recommend it for anyone who is looking at network streams.

Cheers,
ds
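For reference, here is what the byte-offset filter quoted at the top of the thread actually tests (an added example, not code from the thread or from dnscap): `udp[N]` counts from the start of the UDP header, so `udp[20]` is the first byte after the 8-byte UDP header and 12-byte DNS header, i.e. the length of the first QNAME label, and 102/111/111 are the ASCII codes of "foo". The sample packet builder, the predicate and the filter generator below are my own helpers and assume an unfragmented UDP datagram with no EDNS or other prefix before the question section.

```python
# Added example: decode the meaning of the tcpdump filter
# 'udp[20] == 3' and 'udp[21] == 102' and 'udp[22] == 111' and 'udp[23] == 111'
# and generate the same style of filter for any first label.
import struct

UDP_HDR_LEN = 8    # udp[N] offsets are relative to the start of the UDP header
DNS_HDR_LEN = 12   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QNAME_OFFSET = UDP_HDR_LEN + DNS_HDR_LEN  # == 20, hence udp[20]


def build_udp_dns_query(qname: str, sport: int = 40000, dport: int = 53,
                        txid: int = 0x1234) -> bytes:
    """Constructed sample datagram: UDP header + DNS header + one A/IN question."""
    labels = b"".join(struct.pack("B", len(part)) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + question  # RD set
    udp_hdr = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(dns), 0)
    return udp_hdr + dns                                     # checksum left as 0


def first_label_matches(udp: bytes, label: str) -> bool:
    """Same test as the thread's filter: first QNAME label equals `label`.

    Works on queries and responses alike, since both carry the question
    section at the same offset; a datagram too short to hold the bytes
    fails the test, as the tcpdump byte tests would.
    """
    want = struct.pack("B", len(label)) + label.encode("ascii")
    end = QNAME_OFFSET + len(want)
    if len(udp) < end:
        return False
    return udp[QNAME_OFFSET:end] == want


def tcpdump_filter_for_label(label: str) -> str:
    """Emit the thread's style of expression for an arbitrary first label."""
    terms = [f"udp[{QNAME_OFFSET}] == {len(label)}"]
    terms += [f"udp[{QNAME_OFFSET + 1 + i}] == {ord(ch)}"
              for i, ch in enumerate(label)]
    return "udp and port 53 and " + " and ".join(f"'{t}'" for t in terms)


if __name__ == "__main__":
    pkt = build_udp_dns_query("foo.example.")
    print(first_label_matches(pkt, "foo"))           # True
    print(tcpdump_filter_for_label("foo"))           # reproduces the quoted filter
```

Because the match is on the first label only, `foo.example.` and `foo.other.test.` both match while `food.example.` does not; a different first label length changes `udp[20]` and breaks the match entirely.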