Added a README file.

Added additional documentation to the -h output.
pflarr · Mar 20, 2013 · 68d796e · 68d796e
1 parent af28b78
commit 68d796e
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 3 deletions.
diff --git a/README b/README
@@ -0,0 +1,48 @@
+-- OVERVIEW --
+dns_parse takes as input a pcap of DNS data and produces a comple, trivially
+parsable, human readable ASCII version of the same data. It's generally useful
+for network monitoring (send the data to Splunk or similar). The most common
+carrying are supported, as well as packet deduplication.
+
+-- SUPPORTED PROTOCOLS --
+Ethernet
+MPLS
+IPv4 (including fragment reassembly)
+IPv6 (including fragment reassembly)
+UDP
+TCP (with flow state saving and loading between pcaps)
+DNS (on any port)
+
+-- AUTHOR INFO --
+Paul Ferrell
+pferrell@lanl.gov
+
+-- CONTENTS --
+Code to build bin/dns_parse.
+init/dnscapture - An init script for running tcpdump on an interface as a
+service to generate regular pcap files.
+bin/dns_parse_cron - A python cron job script for periodically running dns_parse
+on regularly output pcap files (generally from using the -C or -G options in
+tcpdump).
+pkgs/dns_parse.spec - An RPM spec file, for those dinosaurs that still use these
+things (like me).
+etc/* - example config files for init/dnscapture and bin/dns_parse_cron
+
+-- DEPENDENCIES --
+libpcap
+
+-- OS Dependencies --
+This has been tested primarily on x86_64 linux, but there shouldn't be any typing issues on 32 bit machines. 
+
+-- BUILDING AND INSTALLING --
+make
+make install
+
+-- Running --
+"./bin/dns_parse -h" should tell you everything you need to know.
+
+A reasonable set of options is:
+./bin/dns_parse -m "" -t -r <dns_captured.pcap>
+This gets you newline separated resource records an empty main record separator,
+pretty printed dates, and the shorthand for the record types (ie. A or CNAME).
+Printing of additional and name server records is disabled (by default).
diff --git a/dns_parse.c b/dns_parse.c
@@ -1,4 +1,3 @@
-//#include <arpa/inet.h>
 #include <getopt.h>
 #include <pcap.h>
 #include <stdio.h>
@@ -12,7 +11,7 @@
 #include "strutils.h"
 
 // If you want a reasonable place to start walking through the code, 
-// go to the 'handler' function at the end.
+// go to the 'handler' function.
 
 #define DEFAULT_TCP_STATE_PATH "/tmp/dnsparse_tcp.state"
 void handler(uint8_t *, const struct pcap_pkthdr *, const uint8_t *);
@@ -224,7 +223,21 @@ int main(int argc, char **argv) {
         "   record occurred via stderr when processing completes.\n"
         "-x\n"
         "   Exclude the given reservation record types by \n"
-        "   number. This option can be given multiple times.\n",
+        "   number. This option can be given multiple times.\n"
+        "\n"
+        "Supported protocols:\n"
+        "DNS can ride on a number of protocols, and dns_parse supports\n"
+        "a fair number of them, including:\n"
+        "Ethernet, MPLS, IPv4, IPv6, UDP and TCP.\n"
+        "IPv4 and IPv6 fragments - fragments are reassembled, but data\n"
+        "   may be lost if the fragments are split across multiple pcaps.\n"
+        "TCP reassembly - TCP packets are reassembled, but the resulting\n"
+        "   data may be offset from their time of occurance. Partial flow\n"
+        "   reassembly is supported; long flows are printed whenever a \n"
+        "   a lull in that flow occurs (500 ms since the last packet, \n"
+        "   this can only be changed at compile time).\n"
+        "   TCP flow state is saved at the end of execution, and loaded\n"
+        "   at the beginning. See the -S option to disable.\n",
         DEFAULT_TCP_STATE_PATH);
         return -1;
     }