dnstap-read: add incremental packet number to the output
Description
Currently, dnstap-read doesn't print any kind of unique identifier per packet. E.g. if I'm using it without any options to get the short summary format:
09-Feb-2022 02:33:36.294 CQ 127.0.0.1:41718 -> 127.0.0.1:0 UDP 33b example.com/IN/MX
09-Feb-2022 02:33:36.334 RR 192.168.1.2:55163 <- 192.168.1.1:53 UDP 71b example.com/IN/MX
09-Feb-2022 02:33:36.294 RQ 192.168.1.2:55163 -> 192.168.1.1:53 UDP 33b example.com/IN/MX
09-Feb-2022 02:33:36.334 CR 127.0.0.1:41718 <- 127.0.0.1:0 UDP 102b example.com/IN/MX
09-Feb-2022 02:33:38.453 CQ 127.0.0.1:57293 -> 127.0.0.1:0 UDP 33b example.com/IN/MX
09-Feb-2022 02:33:38.453 CR 127.0.0.1:57293 <- 127.0.0.1:0 UDP 102b example.com/IN/MX
and then I want to look up the details of one of these packets in the -p format, I have to search for the whole line to find it.
It's even worse in the -y format because contrary to the -p format, the YAML representation doesn't contain the original summary line, and while the summary and -p will print timestamps in the local timezone, -y will print UTC timestamps.
Request
I would like dnstap-read to prefix each packet with an incremental number in the summary and in the -p output, so that the details for a packet can easily be searched. The YAML representation should contain the number in an additional YAML field.
Links / references
I like the way it works in tshark - each line in the summary is prefixed with an incremental packet number:
server ~ # tshark -i ens3 -w test.pcap
Running as user "root" and group "root". This could be dangerous.
Capturing on 'ens3'
4 ^C
server ~ # tshark -r test.pcap
Running as user "root" and group "root". This could be dangerous.
1 2022-02-09 17:43:01,528756106 02:00:62:3e:71:f5 → 02:00:62:3e:71:f9 ARP 42 Who has 172.16.56.10? Tell 172.16.0.1
2 2022-02-09 17:43:01,528792938 02:00:62:3e:71:f9 → 02:00:62:3e:71:f5 ARP 42 172.16.56.10 is at 02:00:62:3e:71:f9
3 2022-02-09 17:43:02,068971390 172.16.56.10 → 172.21.0.10 SSH 102 Server: Encrypted packet (len=36)
4 2022-02-09 17:43:02,170798836 172.21.0.10 → 172.16.56.10 TCP 66 55798 → 22 [ACK] Seq=1 Ack=37 Win=990 Len=0 TSval=1691964300 TSecr=1370499909
When printing the capture file with the -V option, the first line of each frame is prefixed with Frame n, which makes it easy to search in a pager:
server ~ # tshark -r test.pcap -V | head -n 5
Running as user "root" and group "root". This could be dangerous.
Frame 1: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface 0
Interface id: 0 (ens3)
Interface name: ens3
Encapsulation type: Ethernet (1)
Arrival Time: Feb 9, 2022 17:43:01.528756106 CET
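
The numbering requested above can be approximated today by post-processing dnstap-read output. The following is an added example, not part of the original report and not BIND code: it numbers summary lines tshark-style and adds a number to each YAML document, so record N is the same record in both outputs when both are produced from the same capture in the same order. It assumes YAML documents are delimited by `---` lines; the field name `packet_number` and the sample YAML are hypothetical.

```python
import re

# A dnstap-read summary line starts with a timestamp such as
# "09-Feb-2022 02:33:36.294" (format taken from the report above).
SUMMARY_RE = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")


def number_summary(lines, start=1):
    """Prefix every summary line with a running number (tshark style).
    Other lines (per-packet detail in -p output) pass through unchanged,
    so the number also marks where each record begins."""
    out, n = [], start - 1
    for line in lines:
        if SUMMARY_RE.match(line):
            n += 1
            out.append(f"{n} {line}")
        else:
            out.append(line)
    return out


def number_yaml(lines, field="packet_number", start=1):
    """Add `field: N` as the first key of every YAML document.
    Assumption: documents are delimited by '---' lines and each one is a
    top-level mapping. The field name is hypothetical."""
    out, n, at_doc_start = [], start - 1, True
    for line in lines:
        if line.strip() == "---":
            at_doc_start = True          # next non-blank line opens a document
        elif at_doc_start and line.strip():
            n += 1
            out.append(f"{field}: {n}")
            at_doc_start = False
        out.append(line)
    return out


# Constructed sample input: two summary lines from the report above and a
# simplified two-document YAML stream (not real dnstap-read output).
SUMMARY = [
    "09-Feb-2022 02:33:36.294 CQ 127.0.0.1:41718 -> 127.0.0.1:0 UDP 33b example.com/IN/MX",
    "09-Feb-2022 02:33:36.334 RR 192.168.1.2:55163 <- 192.168.1.1:53 UDP 71b example.com/IN/MX",
]
YAML = ["type: MESSAGE", "message:", "  type: CLIENT_QUERY", "---",
        "type: MESSAGE", "message:", "  type: RESOLVER_RESPONSE", "---"]

if __name__ == "__main__":
    print("\n".join(number_summary(SUMMARY) + number_yaml(YAML)))
```

Because the number is derived from record order rather than from the timestamp, it sidesteps the local-time versus UTC mismatch between the summary and YAML outputs.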