dns-analyzer

Language: en

Version: March 4, 2003 (mandriva - 01/05/08)

Section: 1 (User commands)

NAME

dns-analyzer - analyze DNS traffic from tcpdump(8) trace files.

SYNOPSIS

dns-analyzer options tcpdumpfile...

OPTIONS

Analyze the specified tcpdump(8) files. The order of the options is significant as certain options use the current value of other options to initialize.
-?, -h
Print usage information and exit.
-A
Print all aggregated data. See the -g option for more information on aggregation.
-a
Anonymize the input data. Every unique IP number and hostname is replaced by a unique numeric identifier.
-d filename
Dump interesting packets to the specified file on exit. The packets are dumped in tcpdump(8) format. Interesting packets include packets that cause exceptions in the analyzer or packets that contain strange or garbage values in certain fields (such as the DNS query count field being greater than 1). Interesting packets are only dumped if gathering interesting packets is enabled using the -i option.
-g fields
Count the packets with the same combination of fields. The fields must be a comma-separated list of field names (see FIELD NAMES below). This option uses the current values specified by the -A, -p, -q, -r, -T, and -t options, so those options must precede -g on the command line to take effect for that aggregation.
-i
Enable gathering of interesting packets. Packets are considered interesting when they cause exceptions in the analyzer or certain fields contain strange or unexpected values.
-m count
Set the number of records written to an R(1) data file. If the count is zero (the default) all packets are written to a single file. Otherwise a new data file is started every count packets. See the -w option for more information on writing R(1) data files.
-p count
Sets the number of packets to analyze before pruning the aggregation data of low-volume field combinations. This is useful to limit the memory usage of the dns-analyzer. Setting the count to 0 (the default) disables pruning. Values smaller than 5000 should be avoided. See the -g option for more information on aggregation.
-q
Aggregate on DNS queries instead of DNS responses. See the -g option for more information on aggregation.
-r
Aggregate on DNS responses instead of DNS queries. This is the default. See the -g option for more information on aggregation.
-s
Measure the performance of the analyzer. The performance information is printed on exit to the standard output.
-T intervals
Measure the number of aggregation combinations based on a time interval. The intervals must be a comma separated list of a time interval specified in seconds. Use an empty parameter (e.g. '') to disable measurements based on time intervals. This option is useful to detect traffic peaks based on certain field combinations. The top combination is printed for every time interval. See the -g option for more information on aggregation.
-t count
After aggregation print the top count combinations. See the -g option for more information on aggregation.
-w basename
Write R(1) data files to the file basename.data. If splitting is enabled (see the -m option) the data is written to basename.nnn.data, where nnn is a three-digit number starting at 000 that identifies the nnnth part of the split file.
--
Ignore all further options and treat them as tcpdump(8) input filenames.

DESCRIPTION

This manual page documents the DNS Analyzer version 0.3.0. The DNS Analyzer was originally written to analyze the traffic received by the root DNS servers. The main intent was to find unnecessary traffic. The main analysis performed is to count common combinations of data from the DNS packets. Combinations that occur frequently are likely to be unnecessary traffic, since a client that caches query results should only need to ask the server once. You can specify the field combinations to check for with the -g option.

Because of the high volume of data received by the root servers (up to 6000 queries per second at the time of this writing) the DNS analyzer cannot count all combinations and keep the results in memory. Just a ten minute trace for the K-root server contains about one gigabyte of data. To handle this the DNS analyzer can prune combinations that occur infrequently. You can specify the frequency of pruning with the -p option.

The results of the combination analysis can be printed in two ways:

-
With the -A option all aggregated data is printed. For every field combination present the number of occurrences is printed.
-
With the -t count option the top count combinations are printed in increasing order.

FIELD NAMES

A field name is composed of two parts separated by a dot (.). The first part is the protocol layer and the second part is the field within that protocol layer.

The following fields are currently defined:

ip.src
The IP source address.
ip.dst
The IP destination address.
udp.src
The UDP source address. This is the same as ip.src but includes the UDP source port number.
udp.dst
The UDP destination address. This is the same as ip.dst but includes the UDP destination port number.
udp.src-port
The UDP source port.
udp.dst-port
The UDP destination port.
dns.qcount
The query count of the DNS packet.
dns.type
The type field of first query record in the DNS packet.
dns.class
The class field of the first query record in the DNS packet.
dns.domain
The domain field of the first query record in the DNS packet.
dns.query
The query flag of the DNS packet. This is 0 if the packet being analyzed is a response packet and 1 if the packet is a query packet.
dns.authoritative
The authoritative flag of the DNS packet.
dns.truncated
The truncated flag of the DNS packet.
dns.rcode
The response code of the DNS packet. Only useful when analyzing DNS responses using the -r flag.
dns.server
The address of the DNS server, including the UDP port. When analyzing a DNS query this is the same as udp.dst, otherwise it is the same as udp.src.
dns.client
The address of the DNS client, including the UDP port. When analyzing a DNS query this is the same as udp.src, otherwise it is the same as udp.dst.
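The following is an added example, not code from dns-analyzer or NLnet Labs, that shows in Python what the DESCRIPTION and FIELD NAMES sections describe: decoding the field names above from a UDP datagram, counting packets per field combination as -g does, dropping low-volume combinations as -p does, and collecting packets that raise parse errors or carry an odd query count as -i does. The trace is constructed inline so it runs offline; the prune threshold (keep_at_least), the choice to count only packets in the direction selected by -q/-r, and the helper names (dns_fields, Aggregator, run, build_query, build_response) are assumptions of this example and not documented behaviour of the tool.

```python
"""Added example: a toy version of dns-analyzer's field extraction and
aggregation over a constructed trace (not the project's own code)."""
import struct
from collections import Counter


def parse_name(payload, offset):
    """Decode the uncompressed DNS name at offset; returns (name, next offset).
    A compression pointer in the question is treated as an error so the
    packet is flagged as interesting instead of being mis-parsed."""
    labels = []
    while True:
        length = payload[offset]
        if length == 0:
            return ".".join(labels) or ".", offset + 1
        if length & 0xC0:
            raise ValueError("compressed or malformed label in question")
        labels.append(payload[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def dns_fields(ip_src, ip_dst, sport, dport, payload):
    """Extract the fields named in FIELD NAMES from one UDP datagram.
    udp.src/udp.dst carry the port, as the man page states."""
    _, flags, qcount = struct.unpack_from("!3H", payload, 0)
    is_query = 0 if flags & 0x8000 else 1           # QR bit clear means query
    f = {
        "ip.src": ip_src, "ip.dst": ip_dst,
        "udp.src": f"{ip_src}:{sport}", "udp.dst": f"{ip_dst}:{dport}",
        "udp.src-port": sport, "udp.dst-port": dport,
        "dns.qcount": qcount, "dns.query": is_query,
        "dns.authoritative": (flags >> 10) & 1,
        "dns.truncated": (flags >> 9) & 1,
        "dns.rcode": flags & 0x0F,
        "dns.domain": None, "dns.type": None, "dns.class": None,
    }
    if qcount >= 1:                                  # first question record only
        f["dns.domain"], off = parse_name(payload, 12)
        f["dns.type"], f["dns.class"] = struct.unpack_from("!HH", payload, off)
    f["dns.server"] = f["udp.dst"] if is_query else f["udp.src"]
    f["dns.client"] = f["udp.src"] if is_query else f["udp.dst"]
    return f


class Aggregator:
    """Counts packets per field combination, mimicking -g/-q/-r/-p/-t/-i."""

    def __init__(self, fields, queries=False, prune_every=0, keep_at_least=2):
        self.fields = fields.split(",")
        self.queries = queries              # -q counts queries, -r (default) responses
        self.prune_every = prune_every      # -p: 0 disables pruning
        self.keep_at_least = keep_at_least  # assumed threshold; not documented by the tool
        self.counts = Counter()
        self.seen = 0
        self.interesting = []               # -i: packets that failed to parse or look odd

    def feed(self, ip_src, ip_dst, sport, dport, payload):
        try:
            f = dns_fields(ip_src, ip_dst, sport, dport, payload)
        except (ValueError, struct.error, IndexError, UnicodeDecodeError):
            self.interesting.append(payload)         # exception in the analyzer
            return
        if f["dns.qcount"] > 1:                      # strange value in a field
            self.interesting.append(payload)
        if bool(f["dns.query"]) != self.queries:     # assumed: only the chosen direction
            return
        self.counts[tuple(f[name] for name in self.fields)] += 1
        self.seen += 1
        if self.prune_every and self.seen % self.prune_every == 0:
            self.prune()

    def prune(self):
        """Drop low-volume combinations to bound memory (the -p behaviour)."""
        for key in [k for k, c in self.counts.items() if c < self.keep_at_least]:
            del self.counts[key]

    def top(self, n):
        return self.counts.most_common(n)


def build_query(name, qtype=1, txid=0x1234):
    """Constructed DNS query datagram: RD set, one question, class IN."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def build_response(query, rcode=0):
    """Constructed minimal response: QR and AA set, question echoed, no answers."""
    txid, flags, qd, _, _, _ = struct.unpack_from("!6H", query, 0)
    return struct.pack("!6H", txid, 0x8400 | (flags & 0x0100) | rcode, qd, 0, 0, 0) + query[12:]


SERVER = "198.51.100.1"
TRACE = []  # constructed (ip.src, ip.dst, sport, dport, payload) tuples
for i in range(5):  # one client re-asks the same question: the caching failure the tool hunts
    q = build_query("www.example.com", txid=i)
    TRACE.append(("192.0.2.10", SERVER, 40000, 53, q))
    TRACE.append((SERVER, "192.0.2.10", 53, 40000, build_response(q)))
q = build_query("mail.example.net", qtype=15, txid=99)
TRACE.append(("192.0.2.20", SERVER, 51000, 53, q))
TRACE.append((SERVER, "192.0.2.20", 53, 51000, build_response(q, rcode=3)))
odd = bytearray(build_query("x.example.org", txid=7))
odd[5] = 2  # query count of 2: a value the analyzer treats as interesting
TRACE.append(("192.0.2.30", SERVER, 52000, 53, bytes(odd)))


def run(trace, fields, queries, prune_every=0):
    agg = Aggregator(fields, queries=queries, prune_every=prune_every)
    for pkt in trace:
        agg.feed(*pkt)
    return agg


if __name__ == "__main__":
    # Roughly: dns-analyzer -i -q -t 10 -g dns.client,dns.domain input.tcpdump
    agg = run(TRACE, "dns.client,dns.domain", queries=True)
    for combo, n in agg.top(10):
        print(n, combo)
    print(len(agg.interesting), "interesting packets")
```

Run it as a script to see the repeat-querying client at the top of the list and one interesting packet; the -T interval measurement and the R(1) output are not modelled here.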

EXAMPLES

Convert the tcpdump(8) file into an R(1) data file:

dns-analyzer -w r-file input.tcpdump

Generate the top 10 DNS clients based on the DNS queries:

dns-analyzer -q -t 10 -g dns.client input.tcpdump

Generate the top 10 DNS clients and print all domains queried for, based on the DNS queries (the second -g picks up the -t 0 and -A set before it):

dns-analyzer -q -t 10 -g dns.client -t 0 -A -g dns.domain input.tcpdump

Measure the number of times a client queries the server over 1, 5, and 10 second intervals (only the client with the highest number of queries during each interval is printed):

dns-analyzer -q -T 1,5,10 -g dns.client input.tcpdump

Measure the speed of the analyzer without printing any other output:

dns-analyzer -s -g dns.client,dns.domain input.tcpdump

AUTHOR

Written by Erik Rozendaal.

REPORTING BUGS

Report bugs to <erik@nlnetlabs.nl>.

BUGS

The aggregation output format should be more structured and parseable by other programs.

The program should support IPv6 but this has not been tested.

The program should support analyzing the traffic directly from a network device instead of only analyzing tcpdump(8) files.

Copyright (C) 2002, 2003, NLnet Labs, All rights reserved.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA