dnstap-read: add sorting option
Description
dnstap-read currently prints the DNS packets in the order in which they were stored in the file.
Unfortunately, the packets aren't necessarily stored in chronological order (probably due to the fact that dnstap logging is understandably a low-priority task for BIND).
For example:
09-Feb-2022 02:33:36.294 CQ 127.0.0.1:41718 -> 127.0.0.1:0 UDP 33b example.com/IN/MX
09-Feb-2022 02:33:36.334 RR 192.168.1.2:55163 <- 192.168.1.1:53 UDP 71b example.com/IN/MX
09-Feb-2022 02:33:36.294 RQ 192.168.1.2:55163 -> 192.168.1.1:53 UDP 33b example.com/IN/MX
09-Feb-2022 02:33:36.334 CR 127.0.0.1:41718 <- 127.0.0.1:0 UDP 102b example.com/IN/MX
09-Feb-2022 02:33:38.453 CQ 127.0.0.1:57293 -> 127.0.0.1:0 UDP 33b example.com/IN/MX
09-Feb-2022 02:33:38.453 CR 127.0.0.1:57293 <- 127.0.0.1:0 UDP 102b example.com/IN/MX
Obviously the resolver query (RQ) comes before the resolver response (RR), and while the timestamps reflect this, the ordering does not. This can make reading the logs rather confusing, especially when piping dnstap-read -p or dnstap-read -y through a pager - when I'm looking at the RQ, then I expect to be able to search for the RR e.g. with /55163, but as / searches forward, I won't find it.
Request
Add the ability to sort the packets chronologically, with a switch.
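
One way to reorder the default one-line output outside dnstap-read, as an added example that is not part of the original issue or of BIND. It assumes the short line format quoted above; the function names and the query-before-response tie-break are assumptions of the example.

```python
import re
import sys
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# Short-format line: DD-Mon-YYYY HH:MM:SS.mmm, then a two-letter message type
# whose second letter is Q (query) or R (response).
LINE_RE = re.compile(
    r"^(\d{2})-([A-Z][a-z]{2})-(\d{4}) (\d{2}):(\d{2}):(\d{2})\.(\d{3}) "
    r"([A-Z])([QR]) ")

def sort_key(line):
    m = LINE_RE.match(line)
    if m is None or m.group(2) not in MONTHS:
        # Refuse unknown input instead of silently dropping or misplacing it.
        raise ValueError(f"not a short-format dnstap-read line: {line!r}")
    day, mon, year, hh, mm, ss, ms, _, kind = m.groups()
    ts = datetime(int(year), MONTHS[mon], int(day),
                  int(hh), int(mm), int(ss), int(ms) * 1000)
    # Assumption: when timestamps tie, list the query before the response.
    return ts, kind == "R"

def sort_chronologically(lines):
    records = [l.rstrip("\n") for l in lines if l.strip()]
    # sorted() is stable, so records with equal keys keep their file order.
    return sorted(records, key=sort_key)

# The six lines quoted in the issue above.
SAMPLE = """\
09-Feb-2022 02:33:36.294 CQ 127.0.0.1:41718 -> 127.0.0.1:0 UDP 33b example.com/IN/MX
09-Feb-2022 02:33:36.334 RR 192.168.1.2:55163 <- 192.168.1.1:53 UDP 71b example.com/IN/MX
09-Feb-2022 02:33:36.294 RQ 192.168.1.2:55163 -> 192.168.1.1:53 UDP 33b example.com/IN/MX
09-Feb-2022 02:33:36.334 CR 127.0.0.1:41718 <- 127.0.0.1:0 UDP 102b example.com/IN/MX
09-Feb-2022 02:33:38.453 CQ 127.0.0.1:57293 -> 127.0.0.1:0 UDP 33b example.com/IN/MX
09-Feb-2022 02:33:38.453 CR 127.0.0.1:57293 <- 127.0.0.1:0 UDP 102b example.com/IN/MX
""".splitlines()

if __name__ == "__main__":
    # Read dnstap-read output from a pipe, or fall back to the sample lines.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    print("\n".join(sort_chronologically(source)))
```

The sorted output can then be piped into a pager, where a forward search from the RQ line reaches its RR line.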