dnscap is a network capture utility designed specifically for DNS traffic. It produces binary data in pcap(3) format. This utility is similar to tcpdump(1), but has a number of features tailored to DNS transactions and protocol options. OARC uses dnscap for DITL data collections. Some of its features include:
- Understands both IPv4 and IPv6
- Captures UDP, TCP, and IP fragments.
- Collect only queries, responses, or both (-s option)
- Collect for only certain source/destination addresses (-a -z -A -Z options)
- Periodically creates new pcap files (-t option)
- Spawns an upload script after closing a pcap file (-k option)
- Will start and stop collecting at specific times (-B -E options)
Packages for Debian, Ubuntu and CentOS can be found here: https://dev.dns-oarc.net/packages/
You can also find it in the FreeBSD ports system (dns/dnscap).
The following releases of the DNSCAP software are available for download along with the changelog.
|dnscap-1.1.0.tar.gz||October 11, 2016||103K|
|dnscap-20160205.tar.gz||February 5, 2016||375K|
See README.md for instructions how to install the software and the included manual pages on how to run the software.
You can clone the code repositories from GitHub:
$ git clone https://github.com/DNS-OARC/dnscap.git
Users Mailing List
Users interested in staying on top of dnscap development can subscribe to the dnscap-users mailing list.