dnstop

Langue: en

Version: 385751 (fedora - 01/12/10)

Section: 8 (Commandes administrateur)


BSD mandoc

NAME

dnstop - displays various tables of DNS traffic on your network

SYNOPSIS

[-46apsQR ] [-b expression ] [-i address ] [-f filter ] [-r interval ] [device ] [savefile ]

DESCRIPTION

is a small tool to listen on device or to parse the file savefile and collect and print statistics on the local network's DNS traffic. You must have read access to /dev/bpf*

COMMAND LINE OPTIONS

The options are as follows:

-4
count only messages with IPv4 addresses
-6
count only messages with IPv6 addresses
-a
anonymize addresses
-b expression
BPF filter expression
(default: udp port 53)
-i address
ignore select addresses
-p
Do not put the interface into promiscuous mode.
-r
Redraw interval (seconds).
-l level
keep counts on names up to level domain name levels.

For example, with -l 2 (the default), will keep two tables: one with top-level domain names, and another with second-level domain names. Increasing the level provides more details, but also requires more memory and CPU.

-f
input filter name

The "unknown-tlds" filter includes only queries for TLDs that are bogus. Useful for identifying hosts/servers that leak queries for things like "localhost" or "workgroup."

The "A-for-A" filter includes only A queries for names that are already IP addresses. Certain Microsoft Windows DNS servers have a known bug that forward these queries.

The "rfc1918-ptr" filter includes only PTR queries for addresses in RFC1918 space. These should never leak from inside an organization.

-Q
count only DNS query messages
-R
count only DNS reply messages
savefile
a captured network trace in pcap format
device
ethernet device (ie fxp0)

RUN TIME OPTIONS

While running, the following options are available to alter the display:

s
display the source address table
d
display the destination address table
t
display the breakdown of query types seen
o
display the breakdown of opcodes seen
1
show 1st level query names
2
show 2nd level query names
3
show 3rd level query names
4
show 4th level query names
5
show 5th level query names
6
show 6th level query names
7
show 7th level query names
8
show 8th level query names
9
show 9th level query names
!
show sources + 1st level query names
@
show sources + 2nd level query names
#
show sources + 3rd level query names
$
show sources + 4th level query names
%
show sources + 5th level query names
^
show sources + 6th level query names
&
show sources + 7th level query names
*
show sources + 8th level query names
(
show sources + 9th level query names
^R
reset the counters
^X
exit the program
space
redraw
?
help

NON-INTERACTIVE MODE

If stdout is not a tty, runs in non-interactive mode. In this case, you must supply a savefile for reading, instead of capturing live packets. After reading the entire savefile, prints the top 50 entries for each table.

AUTHORS

Duane Wessels (wessels@measurement-factory.com)
Mark Foster (mark@foster.cc)
Jose Nazario (jose@monkey.org)
Sam Norris <@ChangeIP.com>
Max Horn <@quendi.de>
John Morrissey <jwm@horde.net>
Florian Forster <octo@verplant.org>
Dave Plonka <plonka@cs.wisc.edu>
http://dnstop.measurement-factory.com/

BUGS

Does not support TCP at this time.