Submitted by admin on Sat, 02/15/2014 - 16:10

dnscap is a network capture utility designed specifically for DNS traffic. It produces binary data in pcap(3) format. This utility is similar to tcpdump(1), but has a number of features tailored to DNS transactions and protocol options. OARC uses dnscap for DITL data collections. Some of its features include:

  • Understands both IPv4 and IPv6
  • Captures UDP, TCP, and IP fragments.
  • Collect only queries, responses, or both (-s option)
  • Collect for only certain source/destination addresses (-a -z -A -Z options)
  • Periodically creates new pcap files (-t option)
  • Spawns an upload script after closing a pcap file (-k option)
  • Will start and stop collecting at specific times (-B -E options)

Getting dnscap

You can get dnscap tarballs at or via git from

$ git clone

You can also find it in the FreeBSD ports system (dns/dnscap).

Compiling dnscap

dnscap previously required libbind at compile-time. Now, libbind might required if you want to use the -x or -X options. On some systems (such as Ubuntu) the library functions required by -x/-X are included in the standard libresolv, so libbind is not required there at all.

Users List

Users interested in staying on top of dnscap development can subscribe to the dnscap-users mailing list.