Hello,
According to RFC 1035, section 4.2.1 (UDP usage):

    Messages carried by UDP are restricted to 512 bytes (not counting the IP
    or UDP headers). Longer messages are truncated and the TC bit is set in
    the header.

Ethereal shows this kind of packet as malformed (you can do a quick
check by trying to query the "my.calendars.net" domain; it has so
many address records that they don't fit in 512 bytes, so for example
dig has to fall back to TCP), which is correct, but I think it would be
good to also specify that the packet is truncated (something like
"malformed packet - truncated", or simply "truncated DNS packet")
- this is much clearer to the user. I can always check the truncation
flag in the dissected DNS message, but that would help differentiate
between packets that are truncated and packets which are simply, well,
malformed.
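
Added example, not part of the original message and not Ethereal's dissector code: one way to separate the two cases is to check the TC bit before reporting a record overrun as malformed. The names `classify_dns_udp`, `records_fit` and `skip_name` are hypothetical, and both sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define DNS_HDR_LEN 12
#define DNS_FLAG_TC 0x0200 /* TC bit in the header flags word, RFC 1035 4.1.1 */
enum dns_status { DNS_OK, DNS_TRUNCATED, DNS_MALFORMED };

/* Constructed samples: a complete reply, and the same bytes with TC set and
 * ANCOUNT=2 although only one answer record is present. */
const uint8_t sample_ok[35] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,          /* header          */
    1,'a',0, 0,1, 0,1,                                 /* question "a." A */
    0xC0,0x0C, 0,1, 0,1, 0,0,0,60, 0,4, 192,0,2,1 };   /* one A record    */
const uint8_t sample_tc[35] = {
    0x12,0x34, 0x83,0x80, 0,1, 0,2, 0,0, 0,0,
    1,'a',0, 0,1, 0,1,
    0xC0,0x0C, 0,1, 0,1, 0,0,0,60, 0,4, 192,0,2,1 };

static unsigned rd16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Skip one name (labels or compression pointer); 0 means it ran past the data. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off) {
    while (off < len) {
        uint8_t l = m[off];
        if (l == 0) return off + 1;
        if ((l & 0xC0) == 0xC0) return off + 2 <= len ? off + 2 : 0;
        if (l & 0xC0) return 0;                        /* reserved label type */
        off += 1 + (size_t)l;
    }
    return 0;
}

/* Walk every record the header counts promise; 1 if they all fit in len bytes. */
static int records_fit(const uint8_t *m, size_t len) {
    unsigned qd = rd16(m + 4);
    unsigned rr = rd16(m + 6) + rd16(m + 8) + rd16(m + 10);
    size_t off = DNS_HDR_LEN;
    for (unsigned i = 0; i < qd + rr; i++) {
        size_t fixed = i < qd ? 4 : 10;   /* QTYPE+QCLASS, or TYPE..RDLENGTH */
        off = skip_name(m, len, off);
        if (off == 0 || off + fixed > len) return 0;
        off += fixed + (i < qd ? 0 : rd16(m + off + 8)); /* add RDLENGTH */
        if (off > len) return 0;
    }
    return 1;
}

/* TC set means "truncated"; an overrun without TC is plain "malformed". */
enum dns_status classify_dns_udp(const uint8_t *m, size_t len) {
    if (len < DNS_HDR_LEN) return DNS_MALFORMED;
    if (rd16(m + 2) & DNS_FLAG_TC) return DNS_TRUNCATED;
    return records_fit(m, len) ? DNS_OK : DNS_MALFORMED;
}
```
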