dnscap is a network capture utility designed specifically for DNS traffic. It produces binary data in pcap(3) format. This utility is similar to tcpdump(1), but has a number of features tailored to DNS transactions and protocol options. OARC uses dnscap for DITL data collections. Some of its features include:
- Understands both IPv4 and IPv6
- Captures UDP, TCP, and IP fragments.
- Collect only queries, responses, or both (-s option)
- Collect for only certain source/destination addresses (-a -z -A -Z options)
- Periodically creates new pcap files (-t option)
- Spawns an upload script after closing a pcap file (-k option)
- Will start and stop collecting at specific times (-B -E options)
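The following is an added example, not code from the dnscap project or the original page. It shows how the options listed above fit together for a query-only, time-boxed collection with file rotation, and a minimal hook for the -k option that refuses to forward anything that is not a pcap file. The interface name eth0, the output base /var/tmp/ditl, the hook path /usr/local/bin/dnscap-upload.sh and the spool directory /var/spool/dnscap-upload are assumptions; -i (capture interface) and -w (output file base) are dnscap options that this page does not list. dnscap passes the path of each closed dump file as the single argument to the -k command, which is what the hook relies on.

```shell
#!/bin/sh
# Added example (not part of dnscap): option assembly plus a -k upload hook.
# All paths and the interface name below are assumptions, not from the page.

# build_dnscap_cmd IFACE OUTBASE INITIATOR ROTATE_SECS HOOK START END
# Echo a dnscap command line that captures only queries (-s i) sent by one
# initiator address (-a), rotates the pcap every ROTATE_SECS seconds (-t),
# runs HOOK on each closed file (-k) and only collects between START and END
# (-B/-E, "yyyy-mm-dd hh:mm:ss", hence the quoting).
build_dnscap_cmd() {
    printf 'dnscap -i %s -w %s -s i -a %s -t %s -k %s -B "%s" -E "%s"' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# upload_hook FILE [SPOOL]
# Invoked by dnscap via -k with the closed pcap path. Before handing the file
# to the uploader, confirm it really is a pcap file (magic number in either
# byte order, microsecond or nanosecond variant), record a SHA-256 checksum
# beside it, then move it into the spool directory.
upload_hook() {
    f=$1
    spool=${2:-/var/spool/dnscap-upload}   # assumed default location
    [ -f "$f" ] || { echo "upload_hook: not a regular file: $f" >&2; return 1; }
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case $magic in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) ;;
        *) echo "upload_hook: not a pcap file: $f (magic $magic)" >&2; return 1 ;;
    esac
    mkdir -p "$spool" || return 1
    base=$(basename "$f")
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$f" > "$spool/$base.sha256"
    else
        shasum -a 256 "$f" > "$spool/$base.sha256"
    fi
    mv "$f" "$spool/$base"
}

# When run by dnscap the closed file's path arrives as $1; with no argument
# the script only defines the functions (so it can be sourced or tested).
case "${1-}" in
    "") ;;
    *)  upload_hook "$1" ;;
esac
```

Install the script as the -k target and pass its path to build_dnscap_cmd; the checksum file written next to each pcap lets the receiving side verify that nothing changed between rotation and upload.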
$ git clone https://github.com/DNS-OARC/dnscap.git
You can also find it in the FreeBSD ports system (dns/dnscap).
dnscap previously required libbind at compile time. Now libbind might be required only if you want to use the -x or -X options. On some systems (such as Ubuntu) the library functions required by -x/-X are included in the standard libresolv, so libbind is not required there at all.
Users interested in staying on top of dnscap development can subscribe to the dnscap-users mailing list.