Thursday, December 17, 2009


Round 5 of Netwars has begun. What is Netwars? It's a network security game sponsored by SANS designed to help you learn how to handle real-world scenarios, sharpen your skills, and learn new techniques for penetrating (and therefore learning to defend) your network.
Full information is available at the SANS Netwars site found here.

Friday, December 11, 2009


I was doing some analysis of dns traffic, and using BPF's to pull certain fields out of the header today, when I did a search for a better header diagram than the one I had. I stumbled upon a program called dnscap. Don't know how I missed this great little tool, but it's part of my toolkit now.
dnscap is a sniffer, like tcpdump, but specifically written to parse dns. It's available from the Domain Name Systems Operations Analysis and Research Center (known as DNS-OARC), found here. If you do analysis on dns traffic on a regular basis, or even if you only have an occasional need to, I recommend you grab a copy and put it on your analysis boxes. If you're running Fedora, it's available via yum, and may be in the repositories for other flavors as well...

Here's part of the man page..

dnscap - DNS network traffic capture utility

dnscap [-ad1g?6vs] [-i if ...] [-o file] [-l vlan ...] [-p port]
[-x pat ...] [-m [quir]] [-h [ir]] [-e [ny]] [-q host ...]
[-r host ...] [-b base [-k cmd]] [-t lim] [-c lim]

dnscap is a network capture utility designed specifically for DNS traf-
fic. It normally produces binary data in pcap(3) format, either on stan-
dard output or in successive dump files (based on the -b command line
option.) This utility is similar to tcpdump(1), but has finer grained
packet recognition tailored to DNS transactions and protocol options.
dnscap is expected to be used for gathering continuous research or audit

Blog Archive