You should upload compressed DNS pcap files to capture.ditl.dns-oarc.net. This is, in fact, a cluster of four machines behind multiple DNS A records.
Although we do not recommend this exact command, it demonstrates how you can upload data:
# tcpdump -s 0 -n -w - port 53 \
| gzip -c \
| ssh -i ~/.ssh/id_oarc oarc-test@capture.ditl.dns-oarc.net pcap $nodename
In addition to gzip, we also accept lzop-compressed pcap files.
If you already have your own tools for collecting data from your nodes, then you should be able to script some way to upload them to OARC. If not then we recommend that you use dnscap and our sample dnscap-submit-to-oarc.sh to upload the files.
After downloading dnscap-submit-to-oarc.sh, edit it and set the SSH_ID, OARC_MEMBER, and NODE_ID variables at least.
To collect and upload data you might use a command like this:
# dnscap \
-i eth0 \
-z 192.168.0.1 \
-s i \
-6 \
-w $nodename \
-t 600 \
-k /root/dnscap-submit-to-oarc.sh \
--start '2008-03-17 23:00:00' \
--stop '2008-03-20 01:00:00'
Note that dnscap-submit-to-oarc.sh removes files after they have been uploaded.
If you want to send both queries and responses then remove the dnscap -s i option.
If your DNS server has an IPv6 address, please use the -6 option. It disables certain BPF filter expressions that might cause IPv6 data to be lost. If you have IPv6 and use the -z option to dnscap, make sure to add another -z option with the IPv6 address. You can also just omit the -z option to include all responder addresses.
The -t 600 option tells dnscap to write ten-minute-long files. If you have a lot of data, you might be more comfortable with smaller files. Feel free to choose a smaller time limit value.
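As an added example (not DNS-OARC's own dnscap-submit-to-oarc.sh), here is a POSIX sh kick script of the kind the dnscap -k option runs after it closes each ten-minute file. It assumes dnscap passes the finished file's path as the single argument, that the pcap command's optional md5 argument takes the checksum of the uploaded stream (the usage line in this document only says pcap id [md5]), and that SSH_ID, OARC_MEMBER and NODE_ID mirror the variables the real script asks you to set. UPLOAD_CMD is a hypothetical hook for dry runs: point it at a local command to exercise the script without contacting the collector. The compressed file is removed only after the upload command exits successfully, so a failed transfer keeps it on disk for a retry instead of silently losing that interval of data.

```shell
#!/bin/sh
# Hypothetical kick script for dnscap -k (illustrative, not the OARC script).
# dnscap invokes it as: <script> <path-to-finished-pcap>
# The names below are assumptions chosen to match the variables the real
# dnscap-submit-to-oarc.sh asks you to set.
SSH_ID="${SSH_ID:-$HOME/.ssh/id_oarc}"
OARC_MEMBER="${OARC_MEMBER:-oarc-test}"
NODE_ID="${NODE_ID:-$(hostname -s 2>/dev/null || echo unknown-node)}"
UPLOAD_HOST="capture.ditl.dns-oarc.net"
# Optional local sink for dry runs; empty means "really use ssh".
UPLOAD_CMD="${UPLOAD_CMD:-}"

# MD5 of a file, portable across md5sum (Linux) and md5 (BSD/macOS).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# gzip the pcap in place and print the resulting .gz path.
compress_pcap() {
    gzip -9 "$1" && printf '%s\n' "$1.gz"
}

# Stream the compressed file to the collector's pcap command, passing the
# node id and (assumed) checksum so the receiving side can verify it.
upload_pcap() {
    gzfile=$1
    sum=$(file_md5 "$gzfile")
    if [ -n "$UPLOAD_CMD" ]; then
        $UPLOAD_CMD "$NODE_ID" "$sum" < "$gzfile"
    else
        ssh -i "$SSH_ID" "$OARC_MEMBER@$UPLOAD_HOST" pcap "$NODE_ID" "$sum" < "$gzfile"
    fi
}

# Full pipeline: refuse empty files, compress, upload, delete only on success.
submit_pcap() {
    pcap=$1
    if [ ! -s "$pcap" ]; then
        echo "submit_pcap: empty or missing file: $pcap" >&2
        return 1
    fi
    gz=$(compress_pcap "$pcap") || return 1
    if upload_pcap "$gz"; then
        rm -f "$gz"
    else
        echo "submit_pcap: upload failed, keeping $gz for retry" >&2
        return 1
    fi
}

# When run by dnscap -k the finished pcap path is the sole argument.
if [ $# -eq 1 ]; then
    submit_pcap "$1"
fi
```

To dry-run it, set UPLOAD_CMD to a local script that reads stdin into a file and check that what arrives decompresses to the original capture; leave UPLOAD_CMD unset for real submissions.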
Here are some things to double check and keep in mind for DITL data collection:
If you have the time to send some practice data, please do. If you want to test that the SSH key is working, you can use a command like this:
$ ssh -i ~/.ssh/ditl oarc-foo@capture.ditl.dns-oarc.net pcap
You should see this output:
usage: pcap id [md5]
You can reach me via Jabber at wessels@dns-oarc.net. There is a Jabber room at ditl@conference.dns-oarc.net.
If you get this error (on Linux):
dnscap.c:639: warning: implicit declaration of function 'strptime'
Then you can work around it by adding this around line 117 of dnscap.c:
extern char *strptime(const char *s, const char *format, struct tm *tm);