I learn about dnstop when reading rolland's presentation slide, thanks to his comment in my blog.
You can find his presentation at -
http://homepage.mac.com/roland.dobbins/FileSharing5
The presentation title is Listening to the Network: Utilizing Telemetry to Detect and Classify Network Traffic, I enjoy reading it as I have learned some new tricks or two from his presentation. One of the tool he has mentioned in the presentation is dnstop and I figure it is available in either Ubuntu packages repository or FreeBSD ports, I decide to try it out.
Just like the top command in Unix based system, it can run as real time monitor for your dns traffic by listening to the network device or it can also do post processing by reading the pcap file. The command option for dnstop is pretty straight forward and you can find them in man dnstop. It also provides a set of run time option to show different results from the statistical analysis output. To perform real time monitoring of dns traffic, you can listen to the device -
shell>sudo dnstop -4 lnc0
You can find his presentation at -
http://homepage.mac.com/roland.dobbins/FileSharing5
The presentation title is Listening to the Network: Utilizing Telemetry to Detect and Classify Network Traffic, I enjoy reading it as I have learned some new tricks or two from his presentation. One of the tool he has mentioned in the presentation is dnstop and I figure it is available in either Ubuntu packages repository or FreeBSD ports, I decide to try it out.
Just like the top command in Unix based system, it can run as real time monitor for your dns traffic by listening to the network device or it can also do post processing by reading the pcap file. The command option for dnstop is pretty straight forward and you can find them in man dnstop. It also provides a set of run time option to show different results from the statistical analysis output. To perform real time monitoring of dns traffic, you can listen to the device -
shell>sudo dnstop -4 lnc0
It looks pretty straightforward, you can also read the pcap file by specifying them -
shell>dnstop -4 -b ip -l 9 testing.pcap
Queries: 1005 new, 34812 total Wed Apr 30 18:10:46 2008shell>dnstop -4 -b ip -l 9 testing.pcap
Sources Count %
-------------- --------- ------
192.168.42.149 3644 10.5
192.168.42.56 1965 5.6
192.168.42.33 1791 5.1
192.168.42.78 1790 5.1
192.168.42.163 1530 4.4
.....
I truncated the output here, then if you press 1, it will show the first level query names -
Queries: 44 new, 34856 total Wed Apr 30 18:11:55 2008
Query Name Count %
------------ --------- ------
com 13200 37.9
in-addr.arpa 8843 25.4
my 5950 17.1
org 3145 9.0
net 2630 7.5
biz 223 0.6
de 92 0.3
.....
If you press 3, it shows third level query names -
Queries: 0 new, 34856 total Wed Apr 30 18:13:10 2008
Query Name Count %
----------------------------- --------- ------
waumail.com 2805 8.0
208.218.in-addr.arpa 1883 5.4
excitedd.com.my 1388 4.0
sharishit.com.my 1112 3.2
sbl-xbl.spamhaus.org 938 2.7
.....
If you press !, it will show the sources that are performing first level query names -
Queries: 0 new, 34856 total Wed Apr 30 18:15:14 2008
Source Query Name Count %
-------------- ------------ --------- ------
192.168.42.149 in-addr.arpa 3007 8.6
192.168.42.78 in-addr.arpa 1009 2.9
192.168.42.56 in-addr.arpa 845 2.4
192.168.60.253 com 833 2.4
192.168.125.201 my 697 2.0
.....
There are many other options which you can figure it out yourself and this is really great tool for dns traffic analysis. For more information, you can find at its home page -
http://dns.measurement-factory.com/tools/dnstop/
Btw, I like the use of the word 'telemetry' here and enjoy some dns voodoo .....
Cheers (;])
http://dns.measurement-factory.com/tools/dnstop/
Btw, I like the use of the word 'telemetry' here and enjoy some dns voodoo .....
Cheers (;])