Round 5 of Netwars has begun. What is Netwars? It's a network security game sponsored by SANS designed to help you learn how to handle real-world scenarios, sharpen your skills, and learn new techniques for penetrating (and therefore learning to defend) your network.
Full information is available at the SANS Netwars site found here.
Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.
Thursday, December 17, 2009
Friday, December 11, 2009
DNSCAP
I was doing some analysis of DNS traffic, and using BPFs to pull certain fields out of the header today, when I did a search for a better header diagram than the one I had. I stumbled upon a program called dnscap. Don't know how I missed this great little tool, but it's part of my toolkit now.
dnscap is a sniffer, like tcpdump, but specifically written to parse DNS. It's available from the Domain Name Systems Operations Analysis and Research Center (known as DNS-OARC), found here. If you do analysis on DNS traffic on a regular basis, or even if you only have an occasional need to, I recommend you grab a copy and put it on your analysis boxes. If you're running Fedora, it's available via yum, and may be in the repositories for other flavors as well...
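To show what "pulling fields out of the header" with BPF byte tests actually involves, and what a DNS-aware parser like dnscap has to decode, here is an added example (my own code, not from the original post and not part of dnscap). It decodes the fixed 12-byte DNS header and the question name from a hand-constructed NXDOMAIN response and query, and emulates tcpdump tests of the form udp[N] & mask = value so you can see which header bits udp[10] and udp[11] correspond to. The sample messages are constructed inline, not captured traffic.

```python
"""Decode the 12-byte DNS header (RFC 1035 section 4.1.1) and relate it to the
tcpdump/BPF byte tests used when filtering raw DNS over UDP.
Added example; the sample messages below are constructed by hand."""
import struct

HEADER_LEN = 12
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(msg: bytes) -> dict:
    """Unpack ID, the flags word and the four section counts.
    Flags word bit layout: QR(1) OPCODE(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4)."""
    if len(msg) < HEADER_LEN:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    rcode = flags & 0xF
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, "UNKNOWN"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def parse_question_name(msg: bytes) -> str:
    """Read the first QNAME as dot-separated labels. A question name is a plain
    label sequence; a compression pointer (top two bits set) is rejected."""
    pos = HEADER_LEN
    labels = []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


# Over UDP the DNS header begins 8 bytes into the datagram (after the UDP
# header), so the two flags bytes are udp[10] and udp[11]. These are the
# classic tcpdump expressions for that:
BPF_DNS_RESPONSES = "udp port 53 and (udp[10] & 0x80) != 0"  # QR bit set
BPF_DNS_TRUNCATED = "udp port 53 and (udp[10] & 0x02) != 0"  # TC bit set
BPF_DNS_NXDOMAIN = "udp port 53 and (udp[11] & 0x0f) = 3"    # RCODE == 3


def udp_byte_test(dns_payload: bytes, udp_offset: int, mask: int, value: int) -> bool:
    """Emulate 'udp[udp_offset] & mask = value' against a bare DNS payload.
    Our buffer starts at the DNS header, so subtract the 8-byte UDP header."""
    idx = udp_offset - 8
    if idx < 0 or idx >= len(dns_payload):
        return False
    return (dns_payload[idx] & mask) == value


# Constructed samples. Flags 0x8183 = QR=1, RD=1, RA=1, RCODE=3 (NXDOMAIN);
# flags 0x0100 = a plain query with RD set. Question: nonexistent.example A IN.
QUESTION = b"\x0bnonexistent\x07example\x00" + b"\x00\x01\x00\x01"
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION
SAMPLE_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION


def describe(msg: bytes) -> str:
    """One-line summary in the spirit of a DNS-aware sniffer's output."""
    h = parse_header(msg)
    kind = "response" if h["qr"] else "query"
    return f"id={h['id']:#06x} {kind} {h['rcode_name']} q={parse_question_name(msg)}"


if __name__ == "__main__":
    for sample in (SAMPLE_QUERY, SAMPLE_NXDOMAIN):
        print(describe(sample))
        print("  matches", BPF_DNS_RESPONSES, "->", udp_byte_test(sample, 10, 0x80, 0x80))
        print("  matches", BPF_DNS_NXDOMAIN, "->", udp_byte_test(sample, 11, 0x0F, 3))
```

The byte-offset tests only hold for DNS over UDP; over TCP the message is prefixed with a two-byte length, which is one reason a protocol-aware tool like dnscap is more convenient than hand-written BPF once you go beyond a few header bits.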
Here's part of the man page:
NAME
       dnscap - DNS network traffic capture utility

SYNOPSIS
       dnscap [-ad1g?6vs] [-i if ...] [-o file] [-l vlan ...] [-p port]
              [-x pat ...] [-m [quir]] [-h [ir]] [-e [ny]] [-q host ...]
              [-r host ...] [-b base [-k cmd]] [-t lim] [-c lim]

DESCRIPTION
       dnscap is a network capture utility designed specifically for DNS
       traffic. It normally produces binary data in pcap(3) format, either on
       standard output or in successive dump files (based on the -b command
       line option.) This utility is similar to tcpdump(1), but has finer
       grained packet recognition tailored to DNS transactions and protocol
       options. dnscap is expected to be used for gathering continuous
       research or audit traces.