Submitted by admin on Sat, 02/15/2014 - 16:10


dnscap is a network capture utility designed specifically for DNS traffic. It produces binary data in pcap(3) format. This utility is similar to tcpdump(1), but has a number of features tailored to DNS transactions and protocol options. OARC uses dnscap for DITL data collections. Some of its features include:

  • Understands both IPv4 and IPv6
  • Captures UDP, TCP, and IP fragments
  • Collects only queries, responses, or both (-s option)
  • Collects traffic only for certain source/destination addresses (-a -z -A -Z options)
  • Periodically creates new pcap files (-t option)
  • Spawns an upload script after closing a pcap file (-k option)
  • Starts and stops collecting at specific times (-B -E options)

Distribution Packages

Packages for Debian, Ubuntu and CentOS can be found here:

You can also find it in the FreeBSD ports system (dns/dnscap).


The following releases of the DNSCAP software are available for download along with the changelog.

File                    Date              Size
dnscap-1.1.0.tar.gz     October 11, 2016  103K
dnscap-20160205.tar.gz  February 5, 2016  375K

See sha256.txt or sha512.txt for checksums.

The DNSCAP software is licensed under the BSD license.


See for instructions how to install the software and the included manual pages on how to run the software.

Code Repositories

You can clone the code repositories from GitHub:

$ git clone

Users Mailing List

Users interested in staying on top of dnscap development can subscribe to the dnscap-users mailing list.