dnscap and ncap (Re: how to log all recursive query responses?)
Paul Vixie
vixie at isc.org
Sat Aug 9 02:48:11 UTC 2008
kcd at chrysler.com (Kevin Darcy) writes:
> If there is a *specific* name you want to focus on, it's possible to do
> that with tcpdump, but it's rather painful, e.g.
>
> tcpdump -v -x udp and port 53 and 'udp[20] == 3' and 'udp[21] == 102'
> and 'udp[22] == 111' and 'udp[23] == 111'
>
> would limit the capture to only packets with a Question Section
> containing a first label of "foo" (3 is the label size, 102 is the ASCII
> code for "f", 111 is the ASCII code for "o"). The Question Section is
> copied from the original query to the response, so this should catch
> responses too.
yow. looks WAY painful. have you tried dnscap? its CLI language has not
changed in the last six months, so if you were waiting for it to settle
out, now's your moment. https://www.dns-oarc.net/tools/dnscap has sources.
here's the top of "man dnscap":
---
NAME
dnscap -- DNS network traffic capture utility
SYNOPSIS
dnscap [-pd1g?6f] [-i if ...] [-r file ...] [-l vlan ...] [-x pat ...]
[-X pat ...] [-m [qun]] [-s [ir]] [-h [ir]] [-e [nytfsxir]]
[-a host ...] [-z host ...] [-A host ...] [-Z host ...] [-u port]
[-w base [-k cmd]] [-t lim] [-c lim]
DESCRIPTION
dnscap is a network capture utility designed specifically for DNS traf-
fic. It normally produces binary data in pcap(3) format, either on stan-
dard output or in successive dump files (based on the -w command line
option.) This utility is similar to tcpdump(1), but has finer grained
packet recognition tailored to DNS transactions and protocol options.
dnscap is expected to be used for gathering continuous research or audit
traces.
---
the output of "dnscap -\?" is below.
---
dnscap: version V1.0-RC6 (October 2007)
usage: dnscap
[-?pd1g6f] [-i <if>]+ [-r <file>]+ [-l <vlan>]+
[-u <port>] [-m [qun]] [-e [nytfsxir]]
[-h [ir]] [-s [ir]]
[-a <host>]+ [-z <host>]+ [-A <host>]+ [-Z <host>]+
[-w <base> [-k <cmd>]] [-t <lim>] [-c <lim>]
[-x <pat>]+ [-X <pat>]+
[-B <datetime>]+ [-E <datetime>]+
options:
-? or -? print these instructions and exit
-p do not put interface in promiscuous mode
-d dump verbose trace information to stderr
-1 flush output on every packet
-g dump packets dig-style on stderr
-6 compensate for PCAP/BPF IPv6 bug
-f include fragmented packets
-i <if> select this live interface(s)
-r <file> read this pcap file
-l <vlan> select only these vlan(s)
-u <port> dns port (default: 53)
-m [qun] select messages: query, update, notify
-s [ir] select sides: initiations, responses
-h [ir] hide initiators and/or responders
-e [nytfsxir] select error/response code
n = no error
y = any error
t = truncated response
f = format error (rcode 1)
s = server failure (rcode 2)
x = nxdomain (rcode 3)
i = not implemented (rcode 4)
r = refused (rcode 5)
-a <host> want messages from these initiator(s)
-z <host> want messages from these responder(s)
-A <host> want messages not from these initiator(s)
-Z <host> want messages not from these responder(s)
-w <base> dump to <base>.<timesec>.<timeusec>
-k <cmd> kick off <cmd> when each dump closes
-t <lim> close dump or exit every/after <lim> secs
-c <lim> close dump or exit every/after <lim> pkts
-x <pat> select messages matching regex <pat>
-X <pat> select messages not matching regex <pat>
-B <datetime> begin collecting at this date and time
-X <datetime> end collecting at this date and time
---
note that dnscap is like tcpdump in that it does not reassemble IP fragments.
this is because its output format (pcap) doesn't easily represent them. if
you think you're missing something from dnscap or tcpdump because of fragments
then you need "ncap", see <https://www.dns-oarc.net/tools/ncap> for sources.
the ncaptool filtering language is deep rather than wide like dnscap. you
can still do almost all the same things, but it looks different.
---
# $Id: FILTERS,v 1.7 2008/07/29 01:20:38 edmonds Exp $
* Design notes for NCAP filter specifications
Generally, a filter specification is a sequence of filters, each being
introduced by its family name and containing one or more family-specific
rules. The point isn't to duplicate what BPF can do, but rather to make
it unnecessary to think in BPF. NCAP filter specifications are application
specific, and filter can internally generate BPF to save on context switches.
* Filter Family: "dns"
regex[=#]RE/opts
regex must match (or not) the presentation form of a message, with
options like "i" for ignore-case
initiator[=#]address[,...]
message initiator must be (or not) on this list
target[=#]address[,...]
message target must be (or not) on this list
flags[=#]tc,aa,ra,rd,qr
these message flags must be set (or unset)
rcode[=#]noerror,formerr,servfail,nxdomain,notimpl,refused
these message response codes are wanted (or unwanted)
(note, they are only checked on responses, not initiations)
opcode[=#]query,update,notify
these message opcodes are wanted (or unwanted)
* Filter Family: "icmp"
type[=#]echoreply,unreach,sourcequench,redirect,echorequest,routeradvert
type[=#]routersolicit,timxceed,paramproblem,tstamprequest,tstampreply,
type[=#]inforeq,inforeply,maskreq,maskreply,traceroute
these icmp types are wanted (or unwanted)
type[=#]<type>
where <type> is an integer in the range 0..255
this icmp type is wanted (or unwanted)
code[=#]<code>
where <code> is an integer in the range 0..255
this icmp code is wanted (or unwanted)
---
anyway the point is, tcpdump is no longer our only option for dns traffic
capture and analysis, even though libpcap and bpf are still at the heart of
everything.
--
Paul Vixie
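Added example, not from the original post or from the dnscap/ncap projects: this Python builds the byte-offset tcpdump filter that Kevin's quoted command writes by hand, for a whole owner name rather than just the first label, and applies the same byte test to constructed query and response messages to show that the copied question section matches on both sides; it also names the rcode values the dnscap -e table lists. All function names and the sample messages are my own.

```python
import struct

UDP_HDR = 8    # bytes of UDP header before the DNS message
DNS_HDR = 12   # bytes of DNS header; the question section starts at udp[20]

# rcode values as listed in the dnscap -e option table above
RCODE_NAMES = {0: "noerror", 1: "formerr", 2: "servfail",
               3: "nxdomain", 4: "notimpl", 5: "refused"}


def qname_wire(name, first_label_only=False):
    """Wire form of a dotted name: length-prefixed labels plus the root byte."""
    labels = [l.encode("ascii") for l in name.strip(".").split(".")]
    if first_label_only:
        return bytes([len(labels[0])]) + labels[0]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def bpf_for_qname(name, first_label_only=False, port=53):
    """tcpdump/BPF expression matching DNS/UDP messages whose question starts with name."""
    wire = qname_wire(name, first_label_only)
    tests = [f"udp[{UDP_HDR + DNS_HDR + i}] == {b}" for i, b in enumerate(wire)]
    return f"udp and port {port} and " + " and ".join(tests)


def question_matches(dns_msg, name, first_label_only=False):
    """The same byte-offset test applied to a raw DNS message (the UDP payload)."""
    wire = qname_wire(name, first_label_only)
    return dns_msg[DNS_HDR:DNS_HDR + len(wire)] == wire


def rcode_name(dns_msg):
    """Response code from the flags word; only meaningful when QR is set."""
    flags = struct.unpack("!H", dns_msg[2:4])[0]
    return RCODE_NAMES.get(flags & 0x000F, "other")


def sample_message(name, response, rcode=0):
    """Constructed sample DNS message: header plus one IN/A question, nothing else."""
    flags = (0x8000 if response else 0) | 0x0100 | (rcode & 0xF)   # QR, RD, RCODE
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + qname_wire(name) + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    print(bpf_for_qname("foo", first_label_only=True))
    q = sample_message("foo.example", response=False)
    r = sample_message("foo.example", response=True, rcode=3)
    print(question_matches(q, "foo", True), question_matches(r, "foo", True), rcode_name(r))
```

The generated expression only covers DNS over UDP and assumes the question name is uncompressed, which is how it is sent in practice; DNS over TCP and IP fragments are outside what this byte test can see, which is the gap dnscap and ncap address.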