DNSCAP - DNS traffic capture utility

dnscap is a network capture utility designed specifically for DNS traffic. It produces binary data in pcap(3) format. This utility is similar to tcpdump(1), but has a number of features tailored to DNS transactions and protocol options.

OARC likes to use dnscap for DITL data collections. Some of its features include:

  • Understands both IPv4 and IPv6
  • Captures UDP, TCP, and IP fragments.
  • Collect only queries, responses, or both (-s option)
  • Collect for only certain source/destination addresses (-a -z -A -Z options)
  • Periodically creates new pcap files (-t option)
  • Spawns an upload script after closing a pcap file (-k option)
  • Will start and stop collecting at specific times (-B -E options)

Getting dnscap

You can get dnscap tarballs at dnscap.dns-oarc.net or via git from github.com.

$ git clone https://github.com/verisign/dnscap

You can also find it in the FreeBSD ports system (dns/dnscap).

Compiling dnscap

dnscap previously required libbind at compile-time. Now, libbind might required if you want to use the -x or -X options. On some systems (such as Ubuntu) the library functions required by -x/-X are included in the standard libresolv, so libbind is not required there at all.

Users List

Users interested in staying on top of dnscap development can subscribe to the dnscap-users mailing list.

Submitted by admin on Sat, 2014-02-15 16:10. categories [ ]