1 /*
2  * Copyright (c) 1988, 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that: (1) source code distributions
7  * retain the above copyright notice and this paragraph in its entirety, (2)
8  * distributions including binary code include the above copyright notice and
9  * this paragraph in its entirety in the documentation or other materials
10  * provided with the distribution, and (3) all advertising materials mentioning
11  * features or use of this software display the following acknowledgement:
12  * ``This product includes software developed by the University of California,
13  * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14  * the University nor the names of its contributors may be used to endorse
15  * or promote products derived from this software without specific prior
16  * written permission.
17  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20  */
21 
22 /* \summary: Domain Name System (DNS) printer */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #endif
27 
28 #include <netdissect-stdinc.h>
29 
30 #include "nameser.h"
31 
32 #include <string.h>
33 
34 #include "netdissect.h"
35 #include "addrtoname.h"
36 #include "addrtostr.h"
37 #include "extract.h"
38 
/*
 * Text appended after the message id for each DNS opcode; ns_print() indexes
 * this table directly with DNS_OPCODE(np).  The table must keep exactly 16
 * entries so that a 4-bit opcode taken from an untrusted packet can never
 * index past its end (assumes DNS_OPCODE() masks to 4 bits; it is defined in
 * nameser.h, not in this file -- confirm before shrinking the table).
 */
static const char *ns_ops[] = {
	/*  0 */ "",
	/*  1 */ " inv_q",
	/*  2 */ " stat",
	/*  3 */ " op3",
	/*  4 */ " notify",
	/*  5 */ " update",
	/*  6 */ " op6",
	/*  7 */ " op7",
	/*  8 */ " op8",
	/*  9 */ " updateA",
	/* 10 */ " updateD",
	/* 11 */ " updateDA",
	/* 12 */ " updateM",
	/* 13 */ " updateMA",
	/* 14 */ " zoneInit",
	/* 15 */ " zoneRef",
};
44 
/*
 * Text appended for each DNS response code; ns_print() indexes this table
 * directly with DNS_RCODE(np).  As with ns_ops[], all 16 slots must stay
 * populated so a 4-bit rcode from the wire cannot index out of bounds
 * (assumes DNS_RCODE() masks to 4 bits; defined in nameser.h -- confirm).
 */
static const char *ns_resp[] = {
	/*  0 */ "",
	/*  1 */ " FormErr",
	/*  2 */ " ServFail",
	/*  3 */ " NXDomain",
	/*  4 */ " NotImp",
	/*  5 */ " Refused",
	/*  6 */ " YXDomain",
	/*  7 */ " YXRRSet",
	/*  8 */ " NXRRSet",
	/*  9 */ " NotAuth",
	/* 10 */ " NotZone",
	/* 11 */ " Resp11",
	/* 12 */ " Resp12",
	/* 13 */ " Resp13",
	/* 14 */ " Resp14",
	/* 15 */ " NoChange",
};
51 
/*
 * Step over one encoded domain name without printing it.
 *
 * Returns a pointer to the octet that follows the name, or NULL when a
 * length octet lies outside the captured data or the name uses an extended
 * label type other than the bit-string label.  A compression pointer ends
 * the name in place: its second octet is skipped and the pointer is not
 * followed.  The returned pointer itself is not bounds-checked; callers
 * must test it before dereferencing.
 */
static const u_char *
ns_nskip(netdissect_options *ndo,
         register const u_char *cp)
{
	register u_char lab;
	int nbits;

	for (;;) {
		/* Never read a length octet that was not captured. */
		if (!ND_TTEST2(*cp, 1))
			return (NULL);
		lab = *cp++;
		if (lab == 0)
			break;		/* zero-length label terminates the name */

		/* Compression pointer: skip its low octet and stop. */
		if ((lab & INDIR_MASK) == INDIR_MASK)
			return (cp + 1);

		if ((lab & INDIR_MASK) != EDNS0_MASK) {
			/* Any other value is used as a byte count. */
			cp += lab;
			continue;
		}

		/* Extended label type: only bit-string labels are handled. */
		if ((lab & ~INDIR_MASK) != EDNS0_ELT_BITLABEL)
			return (NULL);	/* unknown ELT */
		if (!ND_TTEST2(*cp, 1))
			return (NULL);
		nbits = *cp++;
		if (nbits == 0)
			nbits = 256;	/* a count of 0 stands for 256 bits */
		cp += (nbits + 7) / 8;
	}
	return (cp);
}
84 
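/*
 * Print an EDNS0 bit-string label in the "\[x<hex>/<bitlen>]" text form.
 *
 * cp points at the bit-count octet of the label; a count of 0 stands for
 * 256 bits.  Every data octet is checked with ND_TCHECK() before it is
 * read, so a label that runs past the captured data prints ".../<bitlen>]"
 * (via the trunc label) and yields NULL.
 *
 * Returns NULL on truncation, otherwise the non-NULL pointer lim.
 * NOTE(review): lim is derived from the number of hex digits
 * ((bitlen + 3) / 4), not from the number of label octets
 * ((bitlen + 7) / 8), so it should not be treated as "end of label".  The
 * caller visible in this file, ns_nprint(), only tests the result against
 * NULL.
 */
static const u_char *
blabel_print(netdissect_options *ndo,
             const u_char *cp)
{
	int bitlen, slen, b;
	const u_char *bitp, *lim;
	/*
	 * Unsigned on purpose.  With a plain (possibly signed) char, a packet
	 * octet >= 0x80 is sign-extended when promoted to int, and the mask
	 * 0xff << (8 - b) is wider than 8 bits, so the "%02x" below could print
	 * three hex digits instead of two.
	 */
	u_char tc;

	if (!ND_TTEST2(*cp, 1))
		return(NULL);
	if ((bitlen = *cp) == 0)
		bitlen = 256;
	slen = (bitlen + 3) / 4;
	lim = cp + 1 + slen;

	/* print the bit string as a hex string */
	ND_PRINT((ndo, "\\[x"));
	/* Whole octets first; b counts the bits still to be printed. */
	for (bitp = cp + 1, b = bitlen; bitp < lim && b > 7; b -= 8, bitp++) {
		ND_TCHECK(*bitp);
		ND_PRINT((ndo, "%02x", *bitp));
	}
	if (b > 4) {
		/* 5..7 bits left: two hex digits, unused low bits masked off. */
		ND_TCHECK(*bitp);
		tc = *bitp++;
		ND_PRINT((ndo, "%02x", tc & (0xff << (8 - b))));
	} else if (b > 0) {
		/* 1..4 bits left: one hex digit taken from the high nibble. */
		ND_TCHECK(*bitp);
		tc = *bitp++;
		ND_PRINT((ndo, "%1x", ((tc >> 4) & 0x0f) & (0x0f << (4 - b))));
	}
	ND_PRINT((ndo, "/%d]", bitlen));
	return lim;
trunc:
	ND_PRINT((ndo, ".../%d]", bitlen));
	return NULL;
}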
122 
/*
 * Return the number of octets that follow the first octet of the label at
 * cp, or -1 on failure.
 *
 * For an EDNS0 bit-string label the result covers the bit-count octet plus
 * the bit data.  For every other first octet the octet value itself is
 * returned unchanged (callers test for compression pointers themselves).
 * -1 is returned when the needed octets are not in the captured data or the
 * extended label type is unknown; in the latter case "<ELT n>" is printed.
 */
static int
labellen(netdissect_options *ndo,
         const u_char *cp)
{
	register u_int first;
	int nbits, elt_type;

	if (!ND_TTEST2(*cp, 1))
		return(-1);
	first = *cp;

	/* Not an extended label: the octet is the answer. */
	if ((first & INDIR_MASK) != EDNS0_MASK)
		return(first);

	elt_type = (first & ~INDIR_MASK);
	if (elt_type != EDNS0_ELT_BITLABEL) {
		ND_PRINT((ndo, "<ELT %d>", elt_type));
		return(-1);
	}

	/* The bit count lives in the next octet; check it was captured. */
	if (!ND_TTEST2(*(cp + 1), 1))
		return(-1);
	nbits = *(cp + 1);
	if (nbits == 0)
		nbits = 256;	/* a count of 0 stands for 256 bits */
	return(((nbits + 7) / 8) + 1);
}
146 
/*
 * Print a domain name, following compression pointers.
 *
 * cp points at the first label of the name; bp is the base that compression
 * offsets are added to (see "cp = bp + offset" below).
 *
 * Returns a pointer just past the name as it appears at the original
 * position: past the terminating zero octet for an uncompressed name, or
 * past the two pointer octets once the first compression pointer is seen.
 * Returns NULL when a needed octet is outside the captured data, when a
 * compression pointer does not point strictly backwards ("<BAD PTR>"), or
 * when an unknown extended label type is met.
 *
 * All label lengths and pointer offsets come from the packet and are
 * untrusted; every dereference below is preceded by ND_TTEST2() or is done
 * by a helper that checks against ndo->ndo_snapend.
 * NOTE(review): the loop also stops silently when cp reaches
 * ndo->ndo_snapend, in which case rp is returned without a truncation
 * indication from this function.
 */
const u_char *
ns_nprint(netdissect_options *ndo,
          register const u_char *cp, register const u_char *bp)
{
	register u_int i, l;
	register const u_char *rp = NULL;
	register int compress = 0;
	int elt;
	u_int offset, max_offset;

	/* labellen() reports failure as int -1; compare after the same cast. */
	if ((l = labellen(ndo, cp)) == (u_int)-1)
		return(NULL);
	if (!ND_TTEST2(*cp, 1))
		return(NULL);
	/*
	 * Offset of this name from bp.  The first compression pointer must
	 * target an offset strictly below it.
	 */
	max_offset = (u_int)(cp - bp);
	if (((i = *cp++) & INDIR_MASK) != INDIR_MASK) {
		compress = 0;
		rp = cp + l;
	}

	if (i != 0)
		while (i && cp < ndo->ndo_snapend) {
			if ((i & INDIR_MASK) == INDIR_MASK) {
				/*
				 * Remember where the name ends in the original
				 * stream the first time a pointer is followed;
				 * later hops must not move rp.
				 */
				if (!compress) {
					rp = cp + 1;
					compress = 1;
				}
				if (!ND_TTEST2(*cp, 1))
					return(NULL);
				/* 14-bit offset: low 6 bits of i plus the next octet. */
				offset = (((i << 8) | *cp) & 0x3fff);
				/*
				 * This must move backwards in the packet.
				 * No RFC explicitly says that, but BIND's
				 * name decompression code requires it,
				 * as a way of preventing infinite loops
				 * and other bad behavior, and it's probably
				 * what was intended (compress by pointing
				 * to domain name suffixes already seen in
				 * the packet).
				 */
				if (offset >= max_offset) {
					ND_PRINT((ndo, "<BAD PTR>"));
					return(NULL);
				}
				/*
				 * Tighten the bound on every hop: each pointer
				 * must land below the previous target, so a
				 * chain of pointers is finite.
				 */
				max_offset = offset;
				cp = bp + offset;
				if ((l = labellen(ndo, cp)) == (u_int)-1)
					return(NULL);
				if (!ND_TTEST2(*cp, 1))
					return(NULL);
				i = *cp++;
				continue;
			}
			if ((i & INDIR_MASK) == EDNS0_MASK) {
				elt = (i & ~INDIR_MASK);
				switch(elt) {
				case EDNS0_ELT_BITLABEL:
					/* Only NULL vs. non-NULL matters here. */
					if (blabel_print(ndo, cp) == NULL)
						return (NULL);
					break;
				default:
					/* unknown ELT */
					ND_PRINT((ndo, "<ELT %d>", elt));
					return(NULL);
				}
			} else {
				/* fn_printn() is given snapend and fails on truncation. */
				if (fn_printn(ndo, cp, l, ndo->ndo_snapend))
					return(NULL);
			}

			cp += l;
			ND_PRINT((ndo, "."));
			if ((l = labellen(ndo, cp)) == (u_int)-1)
				return(NULL);
			if (!ND_TTEST2(*cp, 1))
				return(NULL);
			i = *cp++;
			/* Track the end of the name only while still uncompressed. */
			if (!compress)
				rp += l + 1;
		}
	else
		ND_PRINT((ndo, "."));	/* the root name */
	return (rp);
}
231 
/*
 * Print a <character-string>: one length octet followed by that many octets
 * of text.
 *
 * Returns a pointer to the octet after the string, or NULL when the length
 * octet or any part of the text lies outside the captured data.
 */
static const u_char *
ns_cprint(netdissect_options *ndo,
          register const u_char *cp)
{
	register u_int slen;
	const u_char *text;

	if (!ND_TTEST2(*cp, 1))
		return (NULL);
	slen = *cp;
	text = cp + 1;

	/* fn_printn() is bounded by snapend and returns non-zero on truncation. */
	if (fn_printn(ndo, text, slen, ndo->ndo_snapend) != 0)
		return (NULL);
	return (text + slen);
}
246 
/*
 * Names for DNS RR TYPE / QTYPE values, looked up with tok2str() by
 * ns_qprint() and ns_rprint(); those callers pass "Type%d" as the format
 * for values not listed here.  The { 0, NULL } entry terminates the table.
 *
 * http://www.iana.org/assignments/dns-parameters
 */
const struct tok ns_type2str[] = {
	{ T_A,		"A" },			/* RFC 1035 */
	{ T_NS,		"NS" },			/* RFC 1035 */
	{ T_MD,		"MD" },			/* RFC 1035 */
	{ T_MF,		"MF" },			/* RFC 1035 */
	{ T_CNAME,	"CNAME" },		/* RFC 1035 */
	{ T_SOA,	"SOA" },		/* RFC 1035 */
	{ T_MB,		"MB" },			/* RFC 1035 */
	{ T_MG,		"MG" },			/* RFC 1035 */
	{ T_MR,		"MR" },			/* RFC 1035 */
	{ T_NULL,	"NULL" },		/* RFC 1035 */
	{ T_WKS,	"WKS" },		/* RFC 1035 */
	{ T_PTR,	"PTR" },		/* RFC 1035 */
	{ T_HINFO,	"HINFO" },		/* RFC 1035 */
	{ T_MINFO,	"MINFO" },		/* RFC 1035 */
	{ T_MX,		"MX" },			/* RFC 1035 */
	{ T_TXT,	"TXT" },		/* RFC 1035 */
	{ T_RP,		"RP" },			/* RFC 1183 */
	{ T_AFSDB,	"AFSDB" },		/* RFC 1183 */
	{ T_X25,	"X25" },		/* RFC 1183 */
	{ T_ISDN,	"ISDN" },		/* RFC 1183 */
	{ T_RT,		"RT" },			/* RFC 1183 */
	{ T_NSAP,	"NSAP" },		/* RFC 1706 */
	{ T_NSAP_PTR,	"NSAP_PTR" },
	{ T_SIG,	"SIG" },		/* RFC 2535 */
	{ T_KEY,	"KEY" },		/* RFC 2535 */
	{ T_PX,		"PX" },			/* RFC 2163 */
	{ T_GPOS,	"GPOS" },		/* RFC 1712 */
	{ T_AAAA,	"AAAA" },		/* RFC 1886 */
	{ T_LOC,	"LOC" },		/* RFC 1876 */
	{ T_NXT,	"NXT" },		/* RFC 2535 */
	{ T_EID,	"EID" },		/* Nimrod */
	{ T_NIMLOC,	"NIMLOC" },		/* Nimrod */
	{ T_SRV,	"SRV" },		/* RFC 2782 */
	{ T_ATMA,	"ATMA" },		/* ATM Forum */
	{ T_NAPTR,	"NAPTR" },		/* RFC 2168, RFC 2915 */
	{ T_KX,		"KX" },			/* RFC 2230 */
	{ T_CERT,	"CERT" },		/* RFC 2538 */
	{ T_A6,		"A6" },			/* RFC 2874 */
	{ T_DNAME,	"DNAME" },		/* RFC 2672 */
	{ T_SINK, 	"SINK" },
	{ T_OPT,	"OPT" },		/* RFC 2671 */
	{ T_APL, 	"APL" },		/* RFC 3123 */
	{ T_DS,		"DS" },			/* RFC 4034 */
	{ T_SSHFP,	"SSHFP" },		/* RFC 4255 */
	{ T_IPSECKEY,	"IPSECKEY" },		/* RFC 4025 */
	{ T_RRSIG, 	"RRSIG" },		/* RFC 4034 */
	{ T_NSEC,	"NSEC" },		/* RFC 4034 */
	{ T_DNSKEY,	"DNSKEY" },		/* RFC 4034 */
	{ T_SPF,	"SPF" },		/* RFC-schlitt-spf-classic-02.txt */
	{ T_UINFO,	"UINFO" },
	{ T_UID,	"UID" },
	{ T_GID,	"GID" },
	{ T_UNSPEC,	"UNSPEC" },
	{ T_UNSPECA,	"UNSPECA" },
	{ T_TKEY,	"TKEY" },		/* RFC 2930 */
	{ T_TSIG,	"TSIG" },		/* RFC 2845 */
	{ T_IXFR,	"IXFR" },		/* RFC 1995 */
	{ T_AXFR,	"AXFR" },		/* RFC 1035 */
	{ T_MAILB,	"MAILB" },		/* RFC 1035 */
	{ T_MAILA,	"MAILA" },		/* RFC 1035 */
	{ T_ANY,	"ANY" },
	{ 0,		NULL }
};
312 
/*
 * Names for DNS CLASS / QCLASS values, looked up with tok2str() by
 * ns_qprint() and ns_rprint(); those callers pass "(Class %d)" as the format
 * for values not listed here.  The { 0, NULL } entry terminates the table.
 */
const struct tok ns_class2str[] = {
	{ C_IN,		"IN" },		/* Not used: both callers skip printing when the class is C_IN */
	{ C_CHAOS,	"CHAOS" },
	{ C_HS,		"HS" },
	{ C_ANY,	"ANY" },
	{ 0,		NULL }
};
320 
/*
 * Print one entry of the question section: type, class (unless IN), the
 * mDNS QU/QM marker when is_mdns is set, then "? " and the queried name.
 *
 * cp points at the entry's name and bp is the base for compression offsets.
 * Returns a pointer past the entry (name plus the 4 octets of QTYPE and
 * QCLASS), or NULL when the name cannot be skipped or printed or when the
 * 4 fixed octets are not in the captured data.
 */
static const u_char *
ns_qprint(netdissect_options *ndo,
          register const u_char *cp, register const u_char *bp, int is_mdns)
{
	register const u_char *name_start = cp;
	register u_int qtype, raw_class, class;
	const u_char *fixed, *name_end;

	/* Find QTYPE/QCLASS first: they are printed before the name. */
	fixed = ns_nskip(ndo, cp);
	if (fixed == NULL)
		return(NULL);
	if (!ND_TTEST2(*fixed, 4))
		return(NULL);

	/* print the qtype */
	qtype = EXTRACT_16BITS(fixed);
	ND_PRINT((ndo, " %s", tok2str(ns_type2str, "Type%d", qtype)));

	/* print the qclass (if it's not IN) */
	raw_class = EXTRACT_16BITS(fixed + 2);
	/* For mDNS the C_QU bit is a flag, not part of the class. */
	class = is_mdns ? (raw_class & ~C_QU) : raw_class;
	if (class != C_IN)
		ND_PRINT((ndo, " %s", tok2str(ns_class2str, "(Class %d)", class)));
	if (is_mdns)
		ND_PRINT((ndo, raw_class & C_QU ? " (QU)" : " (QM)"));

	ND_PRINT((ndo, "? "));
	name_end = ns_nprint(ndo, name_start, bp);
	if (name_end == NULL)
		return(NULL);
	return(name_end + 4);
}
355 
/*
 * Print one resource record (answer, authority or additional section).
 *
 * cp points at the record's owner name, bp is the base for compression
 * offsets, and is_mdns selects the mDNS reading of the class field (the
 * C_CACHE_FLUSH bit is treated as a flag).  The owner name is printed only
 * when ndo_vflag is set; otherwise it is skipped.
 *
 * Returns:
 *   - rp, i.e. the start of RDATA plus the RDLENGTH read from the packet,
 *     on the normal path;
 *   - NULL when printing the owner name fails, when RDATA extends past
 *     ndo->ndo_snapend, or when a per-type decoder hits truncation;
 *   - ndo->ndo_snapend when the owner name cannot be skipped or fewer than
 *     10 octets follow it.  The callers in ns_print() loop while
 *     "cp < ndo->ndo_snapend", so this value ends their loop.
 *
 * All lengths and offsets here are taken from the packet and are untrusted.
 * NOTE(review): the per-type decoders bound their reads with ND_TTEST2()
 * (captured data), not with rp (this record's RDATA), so an RDLENGTH that is
 * too small for the type can make a decoder render octets that belong to
 * whatever follows the record.  The reads stay inside the captured buffer.
 */
static const u_char *
ns_rprint(netdissect_options *ndo,
          register const u_char *cp, register const u_char *bp, int is_mdns)
{
	register u_int i, class, opt_flags = 0;
	register u_short typ, len;
	register const u_char *rp;

	if (ndo->ndo_vflag) {
		ND_PRINT((ndo, " "));
		if ((cp = ns_nprint(ndo, cp, bp)) == NULL)
			return NULL;
	} else
		cp = ns_nskip(ndo, cp);

	/*
	 * 10 octets = TYPE (2) + CLASS (2) + TTL (4) + RDLENGTH (2); this one
	 * check covers every fixed-field read up to "len" below.
	 */
	if (cp == NULL || !ND_TTEST2(*cp, 10))
		return (ndo->ndo_snapend);

	/* print the type/qtype */
	typ = EXTRACT_16BITS(cp);
	cp += 2;
	/* print the class (if it's not IN and the type isn't OPT) */
	i = EXTRACT_16BITS(cp);
	cp += 2;
	if (is_mdns)
		class = (i & ~C_CACHE_FLUSH);
	else
		class = i;
	if (class != C_IN && typ != T_OPT)
		ND_PRINT((ndo, " %s", tok2str(ns_class2str, "(Class %d)", class)));
	if (is_mdns) {
		if (i & C_CACHE_FLUSH)
			ND_PRINT((ndo, " (Cache flush)"));
	}

	if (typ == T_OPT) {
		/* get opt flags */
		cp += 2;
		opt_flags = EXTRACT_16BITS(cp);
		/* ignore rest of ttl field */
		cp += 2;
	} else if (ndo->ndo_vflag > 2) {
		/* print ttl */
		ND_PRINT((ndo, " ["));
		unsigned_relts_print(ndo, EXTRACT_32BITS(cp));
		ND_PRINT((ndo, "]"));
		cp += 4;
	} else {
		/* ignore ttl */
		cp += 4;
	}

	len = EXTRACT_16BITS(cp);
	cp += 2;

	/* End of this record's RDATA as claimed by the packet. */
	rp = cp + len;

	ND_PRINT((ndo, " %s", tok2str(ns_type2str, "Type%d", typ)));
	/* Refuse to decode RDATA that is not completely captured. */
	if (rp > ndo->ndo_snapend)
		return(NULL);

	switch (typ) {
	case T_A:
		if (!ND_TTEST2(*cp, sizeof(struct in_addr)))
			return(NULL);
		ND_PRINT((ndo, " %s", intoa(htonl(EXTRACT_32BITS(cp)))));
		break;

	case T_NS:
	case T_CNAME:
	case T_PTR:
#ifdef T_DNAME
	case T_DNAME:
#endif
		ND_PRINT((ndo, " "));
		if (ns_nprint(ndo, cp, bp) == NULL)
			return(NULL);
		break;

	case T_SOA:
		if (!ndo->ndo_vflag)
			break;
		ND_PRINT((ndo, " "));
		if ((cp = ns_nprint(ndo, cp, bp)) == NULL)
			return(NULL);
		ND_PRINT((ndo, " "));
		if ((cp = ns_nprint(ndo, cp, bp)) == NULL)
			return(NULL);
		/* Five 32-bit fields follow the two names; check them at once. */
		if (!ND_TTEST2(*cp, 5 * 4))
			return(NULL);
		ND_PRINT((ndo, " %u", EXTRACT_32BITS(cp)));
		cp += 4;
		ND_PRINT((ndo, " %u", EXTRACT_32BITS(cp)));
		cp += 4;
		ND_PRINT((ndo, " %u", EXTRACT_32BITS(cp)));
		cp += 4;
		ND_PRINT((ndo, " %u", EXTRACT_32BITS(cp)));
		cp += 4;
		ND_PRINT((ndo, " %u", EXTRACT_32BITS(cp)));
		cp += 4;
		break;
	case T_MX:
		ND_PRINT((ndo, " "));
		/* The 16-bit value at cp is printed after the name at cp + 2. */
		if (!ND_TTEST2(*cp, 2))
			return(NULL);
		if (ns_nprint(ndo, cp + 2, bp) == NULL)
			return(NULL);
		ND_PRINT((ndo, " %d", EXTRACT_16BITS(cp)));
		break;

	case T_TXT:
		/* Bounded by rp; ns_cprint() checks each string against snapend. */
		while (cp < rp) {
			ND_PRINT((ndo, " \""));
			cp = ns_cprint(ndo, cp);
			if (cp == NULL)
				return(NULL);
			ND_PRINT((ndo, "\""));
		}
		break;

	case T_SRV:
		ND_PRINT((ndo, " "));
		/* Three 16-bit fields precede the name; printed after it. */
		if (!ND_TTEST2(*cp, 6))
			return(NULL);
		if (ns_nprint(ndo, cp + 6, bp) == NULL)
			return(NULL);
		ND_PRINT((ndo, ":%d %d %d", EXTRACT_16BITS(cp + 4),
			EXTRACT_16BITS(cp), EXTRACT_16BITS(cp + 2)));
		break;

	case T_AAAA:
	    {
		char ntop_buf[INET6_ADDRSTRLEN];

		if (!ND_TTEST2(*cp, sizeof(struct in6_addr)))
			return(NULL);
		ND_PRINT((ndo, " %s",
		    addrtostr6(cp, ntop_buf, sizeof(ntop_buf))));

		break;
	    }

	case T_A6:
	    {
		struct in6_addr a;
		int pbit, pbyte;
		char ntop_buf[INET6_ADDRSTRLEN];

		if (!ND_TTEST2(*cp, 1))
			return(NULL);
		pbit = *cp;
		pbyte = (pbit & ~7) / 8;
		/*
		 * pbit comes from the packet.  Values above 128 are rejected
		 * before pbyte is used as an index; for pbit < 128 pbyte is at
		 * most 15, so the copy below is 1..16 octets and stays inside a.
		 */
		if (pbit > 128) {
			ND_PRINT((ndo, " %u(bad plen)", pbit));
			break;
		} else if (pbit < 128) {
			if (!ND_TTEST2(*(cp + 1), sizeof(a) - pbyte))
				return(NULL);
			memset(&a, 0, sizeof(a));
			memcpy(&a.s6_addr[pbyte], cp + 1, sizeof(a) - pbyte);
			ND_PRINT((ndo, " %u %s", pbit,
			    addrtostr6(&a, ntop_buf, sizeof(ntop_buf))));
		}
		if (pbit > 0) {
			ND_PRINT((ndo, " "));
			if (ns_nprint(ndo, cp + 1 + sizeof(a) - pbyte, bp) == NULL)
				return(NULL);
		}
		break;
	    }

	case T_OPT:
		/* For OPT the class value is printed as the UDP size. */
		ND_PRINT((ndo, " UDPsize=%u", class));
		if (opt_flags & 0x8000)
			ND_PRINT((ndo, " DO"));
		break;

	case T_UNSPECA:		/* One long string */
		if (!ND_TTEST2(*cp, len))
			return(NULL);
		if (fn_printn(ndo, cp, len, ndo->ndo_snapend))
			return(NULL);
		break;

	case T_TSIG:
	    {
		if (cp + len > ndo->ndo_snapend)
			return(NULL);
		if (!ndo->ndo_vflag)
			break;
		ND_PRINT((ndo, " "));
		if ((cp = ns_nprint(ndo, cp, bp)) == NULL)
			return(NULL);
		/* 6 octets are skipped unprinted; the next read is checked. */
		cp += 6;
		if (!ND_TTEST2(*cp, 2))
			return(NULL);
		ND_PRINT((ndo, " fudge=%u", EXTRACT_16BITS(cp)));
		cp += 2;
		if (!ND_TTEST2(*cp, 2))
			return(NULL);
		ND_PRINT((ndo, " maclen=%u", EXTRACT_16BITS(cp)));
		/*
		 * Skip the MAC using the length from the packet; the
		 * ND_TTEST2() that follows catches a length that runs past
		 * the captured data.
		 */
		cp += 2 + EXTRACT_16BITS(cp);
		if (!ND_TTEST2(*cp, 2))
			return(NULL);
		ND_PRINT((ndo, " origid=%u", EXTRACT_16BITS(cp)));
		cp += 2;
		if (!ND_TTEST2(*cp, 2))
			return(NULL);
		ND_PRINT((ndo, " error=%u", EXTRACT_16BITS(cp)));
		cp += 2;
		if (!ND_TTEST2(*cp, 2))
			return(NULL);
		ND_PRINT((ndo, " otherlen=%u", EXTRACT_16BITS(cp)));
		cp += 2;
	    }
	}
	return (rp);		/* XXX This isn't always right */
}
575 
/*
 * Print a DNS (or, with is_mdns set, mDNS) message.
 *
 * bp points at the DNS header and length is the message length supplied by
 * the caller.  A message shorter than the fixed header is reported as
 * invalid; any truncation found while decoding ends the output with
 * "[|domain]".
 *
 * The four section counts are read from the packet and are untrusted.  The
 * section loops below are driven by those counts but stop as soon as cp
 * reaches ndo->ndo_snapend or a helper returns NULL, so a large count alone
 * cannot make the printer walk past the captured data.
 */
void
ns_print(netdissect_options *ndo,
         register const u_char *bp, u_int length, int is_mdns)
{
	register const HEADER *np;
	register int qdcount, ancount, nscount, arcount;
	register const u_char *cp;
	uint16_t b2;

	if(length < sizeof(*np)) {
		ND_PRINT((ndo, "domain"));
		ND_PRINT((ndo, " [length %u < %zu]", length, sizeof(*np)));
		ND_PRINT((ndo, " (invalid)"));
		return;
	}

	np = (const HEADER *)bp;
	/* The whole fixed header must be captured before any field is read. */
	ND_TCHECK(*np);
	/* get the byte-order right */
	qdcount = EXTRACT_16BITS(&np->qdcount);
	ancount = EXTRACT_16BITS(&np->ancount);
	nscount = EXTRACT_16BITS(&np->nscount);
	arcount = EXTRACT_16BITS(&np->arcount);

	if (DNS_QR(np)) {
		/* this is a response */
		/*
		 * ns_ops[] and ns_resp[] each hold 16 strings and are indexed
		 * with values from the packet; NOTE(review): this relies on
		 * DNS_OPCODE()/DNS_RCODE() yielding 0..15 (defined in
		 * nameser.h, not shown here).
		 */
		ND_PRINT((ndo, "%d%s%s%s%s%s%s",
			EXTRACT_16BITS(&np->id),
			ns_ops[DNS_OPCODE(np)],
			ns_resp[DNS_RCODE(np)],
			DNS_AA(np)? "*" : "",
			DNS_RA(np)? "" : "-",
			DNS_TC(np)? "|" : "",
			DNS_AD(np)? "$" : ""));

		if (qdcount != 1)
			ND_PRINT((ndo, " [%dq]", qdcount));
		/* Print QUESTION section on -vv */
		cp = (const u_char *)(np + 1);
		while (qdcount--) {
			if (qdcount < EXTRACT_16BITS(&np->qdcount) - 1)
				ND_PRINT((ndo, ","));
			if (ndo->ndo_vflag > 1) {
				ND_PRINT((ndo, " q:"));
				if ((cp = ns_qprint(ndo, cp, bp, is_mdns)) == NULL)
					goto trunc;
			} else {
				if ((cp = ns_nskip(ndo, cp)) == NULL)
					goto trunc;
				/*
				 * Not bounds-checked here; the next helper
				 * called with cp tests it before reading.
				 */
				cp += 4;	/* skip QTYPE and QCLASS */
			}
		}
		ND_PRINT((ndo, " %d/%d/%d", ancount, nscount, arcount));
		if (ancount--) {
			if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
				goto trunc;
			while (cp < ndo->ndo_snapend && ancount--) {
				ND_PRINT((ndo, ","));
				if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
					goto trunc;
			}
		}
		/* Records still counted but no data left: report truncation. */
		if (ancount > 0)
			goto trunc;
		/* Print NS and AR sections on -vv */
		if (ndo->ndo_vflag > 1) {
			if (cp < ndo->ndo_snapend && nscount--) {
				ND_PRINT((ndo, " ns:"));
				if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
					goto trunc;
				while (cp < ndo->ndo_snapend && nscount--) {
					ND_PRINT((ndo, ","));
					if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
						goto trunc;
				}
			}
			if (nscount > 0)
				goto trunc;
			if (cp < ndo->ndo_snapend && arcount--) {
				ND_PRINT((ndo, " ar:"));
				if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
					goto trunc;
				while (cp < ndo->ndo_snapend && arcount--) {
					ND_PRINT((ndo, ","));
					if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
						goto trunc;
				}
			}
			if (arcount > 0)
				goto trunc;
		}
	}
	else {
		/* this is a request */
		/* Same table-indexing assumption as in the response branch. */
		ND_PRINT((ndo, "%d%s%s%s", EXTRACT_16BITS(&np->id), ns_ops[DNS_OPCODE(np)],
		    DNS_RD(np) ? "+" : "",
		    DNS_CD(np) ? "%" : ""));

		/* any weirdness? */
		/* b2 is the 16-bit word that follows the id in the header. */
		b2 = EXTRACT_16BITS(((const u_short *)np)+1);
		if (b2 & 0x6cf)
			ND_PRINT((ndo, " [b2&3=0x%x]", b2));

		if (DNS_OPCODE(np) == IQUERY) {
			if (qdcount)
				ND_PRINT((ndo, " [%dq]", qdcount));
			if (ancount != 1)
				ND_PRINT((ndo, " [%da]", ancount));
		}
		else {
			if (ancount)
				ND_PRINT((ndo, " [%da]", ancount));
			if (qdcount != 1)
				ND_PRINT((ndo, " [%dq]", qdcount));
		}
		if (nscount)
			ND_PRINT((ndo, " [%dn]", nscount));
		if (arcount)
			ND_PRINT((ndo, " [%dau]", arcount));

		cp = (const u_char *)(np + 1);
		if (qdcount--) {
			cp = ns_qprint(ndo, cp, (const u_char *)np, is_mdns);
			if (!cp)
				goto trunc;
			while (cp < ndo->ndo_snapend && qdcount--) {
				cp = ns_qprint(ndo, (const u_char *)cp,
					       (const u_char *)np,
					       is_mdns);
				if (!cp)
					goto trunc;
			}
		}
		if (qdcount > 0)
			goto trunc;

		/* Print remaining sections on -vv */
		if (ndo->ndo_vflag > 1) {
			if (ancount--) {
				if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
					goto trunc;
				while (cp < ndo->ndo_snapend && ancount--) {
					ND_PRINT((ndo, ","));
					if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
						goto trunc;
				}
			}
			if (ancount > 0)
				goto trunc;
			if (cp < ndo->ndo_snapend && nscount--) {
				ND_PRINT((ndo, " ns:"));
				if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
					goto trunc;
				while (nscount-- && cp < ndo->ndo_snapend) {
					ND_PRINT((ndo, ","));
					if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
						goto trunc;
				}
			}
			if (nscount > 0)
				goto trunc;
			if (cp < ndo->ndo_snapend && arcount--) {
				ND_PRINT((ndo, " ar:"));
				if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
					goto trunc;
				while (cp < ndo->ndo_snapend && arcount--) {
					ND_PRINT((ndo, ","));
					if ((cp = ns_rprint(ndo, cp, bp, is_mdns)) == NULL)
						goto trunc;
				}
			}
			if (arcount > 0)
				goto trunc;
		}
	}
	ND_PRINT((ndo, " (%d)", length));
	return;

	/* Reached via goto and via ND_TCHECK() when data is missing. */
  trunc:
	ND_PRINT((ndo, "[|domain]"));
}
757