Friday, December 11, 2009


I was doing some analysis of dns traffic, and using BPF's to pull certain fields out of the header today, when I did a search for a better header diagram than the one I had. I stumbled upon a program called dnscap. Don't know how I missed this great little tool, but it's part of my toolkit now.
dnscap is a sniffer, like tcpdump, but specifically written to parse dns. It's available from the Domain Name Systems Operations Analysis and Research Center (known as DNS-OARC), found here. If you do analysis on dns traffic on a regular basis, or even if you only have an occasional need to, I recommend you grab a copy and put it on your analysis boxes. If you're running Fedora, it's available via yum, and may be in the repositories for other flavors as well...

Here's part of the man page..

dnscap - DNS network traffic capture utility

dnscap [-ad1g?6vs] [-i if ...] [-o file] [-l vlan ...] [-p port]
[-x pat ...] [-m [quir]] [-h [ir]] [-e [ny]] [-q host ...]
[-r host ...] [-b base [-k cmd]] [-t lim] [-c lim]

dnscap is a network capture utility designed specifically for DNS traf-
fic. It normally produces binary data in pcap(3) format, either on stan-
dard output or in successive dump files (based on the -b command line
option.) This utility is similar to tcpdump(1), but has finer grained
packet recognition tailored to DNS transactions and protocol options.
dnscap is expected to be used for gathering continuous research or audit

No comments:

Blog Archive