DNS query analyzer

Hey List!

Anyone know of a tool that can take a pcap file from wireshark that was used to collect dns queries and then spit out statistics about the queries such as RTT and timeouts?

Thanks!

Joseph

Not off the top of my head, but, you could use wireshark's Lua extension system to write a plugin to do this for you right within wireshark.

The wireshark/Lua stuff is quite powerful (though not super super fast), it's a really useful tool to have on hand.

It just so happens there is a tool aptly named DNS Analyzer by NLnet Labs.
I used it a while back but if I recall you could feed it a pcap and it could
spit out all kinds of useful statistical data.

I don't think it's being actively maintained at the moment but you should be
able to find it on the NLnet Labs site -
http://www.nlnetlabs.nl/projects/dns-analyzer/

HTHs.

Stefan Fouant
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D

Hi!

Anyone know of a tool that can take a pcap file from wireshark that was
used to collect dns queries and then spit out statistics about the
queries such as RTT and timeouts?

It just so happens there is a tool aptly named DNS Analyzer by NLnet Labs.
I used it a while back but if I recall you could feed it a pcap and it could
spit out all kinds of useful statistical data.

I don't think it's being actively maintained at the moment but you should be
able to find it on the NLnet Labs site -
http://www.nlnetlabs.nl/projects/dns-analyzer/

I very recently asked the maintainers of that package if it's still under development, but I heard it was unfortunately dropped.

Bye,
Raymond.

It would be nice if we could convince them to release the source code into
the public domain. I'm sure there are a few people who would find it highly
useful and would work on it to add to its utility.

Stefan Fouant
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D

Stefan Fouant wrote:

Nothing with RTT and timeouts in this, but it could probably be adapted
with an additional, rudimentary subroutine to try summarizing that too:

  <http://www.cymru.com/jtk/code/pcapsum.pl>

If you or no one else comes up with something or modifies this to do
it, give me a holler and I'll whip something up for you.

As is, it'll count DNS messages, header flags and give a top X list of
qnames seen. It uses the somewhat limited NetPacket modules, but it
would be easy to either switch wholesale to the Net::Packet modules or
pull in just those needed (e.g. VLAN and IPv6 support). It is what it
is, hopefully it's of use.

John

I have a "DNSaudit" program that takes libpcap (wireshark/tcpdump)
files. Originally its purpose was to identify AnswersWithoutQuestions,
and QuestionsWithoutAnswers when we were having some routing issues
causing answers to return via a different ISP.

Later I added statistics for response time by server.

I suggest trying the other programs mentioned first, I am the only
user of my program...

Jon
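A sketch of the question/answer matching Jon describes, written in Python as an added example (not the DNSaudit program or any other tool named in this thread): it pairs queries with answers by transaction id, client/server addresses and qname, records the RTT of each matched answer per server, and lists questions without answers and answers without questions. It assumes the caller has already pulled (timestamp, src, dst, UDP payload) tuples out of the pcap (for instance with dpkt); the capture at the bottom is constructed.

```python
import struct

def parse_dns(payload):
    """Return (txid, is_response, qname) from a raw DNS message, or None if malformed."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        return None                       # header too short or no question section
    txid, flags = struct.unpack("!HH", payload[:4])
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        length = payload[pos]
        if length & 0xC0 or pos + 1 + length > len(payload):
            return None                   # compression pointer or truncated label
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos >= len(payload):
        return None                       # name never terminated
    return txid, bool(flags & 0x8000), ".".join(labels).lower()  # lower: 0x20-randomised names match

def audit(packets):
    """packets: iterable of (ts, src_ip, dst_ip, dns_bytes) in capture order.
    Returns (rtts, unanswered, orphans): (server, qname, rtt), questions w/o answers, answers w/o questions."""
    pending, rtts, orphans = {}, [], []
    for ts, src, dst, payload in packets:
        parsed = parse_dns(payload)
        if parsed is None:
            continue
        txid, is_resp, qname = parsed
        if not is_resp:
            pending[(txid, src, dst, qname)] = ts          # client -> server
        elif (sent := pending.pop((txid, dst, src, qname), None)) is None:
            orphans.append((ts, src, qname))               # answer without question
        else:
            rtts.append((src, qname, ts - sent))           # matched: server, name, RTT
    unanswered = [(server, qname) for (_, _, server, qname) in pending]
    return rtts, unanswered, orphans

def build_dns(txid, qname, response=False):
    """Minimal DNS message with one A question; used only to construct sample traffic."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180 if response else 0x0100, 1, 0, 0, 0)
    return header + name + struct.pack("!HH", 1, 1)

SAMPLE = [  # constructed capture: (timestamp, src, dst, payload)
    (0.000, "10.0.0.5", "10.0.0.53", build_dns(0x1A2B, "example.com")),
    (0.012, "10.0.0.53", "10.0.0.5", build_dns(0x1A2B, "EXAMPLE.com", response=True)),
    (0.100, "10.0.0.5", "10.0.0.53", build_dns(0x1A2C, "lost.example.net")),
    (0.500, "10.0.0.53", "10.0.0.5", build_dns(0x9999, "stray.example.org", response=True)),
]
```

`audit(SAMPLE)` yields one RTT of 12 ms for example.com, one unanswered question (lost.example.net) and one stray answer (stray.example.org); the stray-answer list is the one worth alerting on, since it is also what misrouted or unsolicited responses look like.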

Joseph Jackson (jjackson) writes:

Hey List!

Anyone know of a tool that can take a pcap file from wireshark that was used to collect dns queries and then spit out statistics about the queries such as RTT and timeouts?

  I don't know if DSC does this, but check it out:

  Dsc: A DNS Statistics Collector

  Cheers,
  Phil

I don't know if it'll do exactly what you want, but have a look at
https://www.dns-oarc.net/tools/dnscap

Tony.

dnscap paired with dpkt can quickly and elegantly accomplish what you
desire; if you know python (:

You also have DNSTop

http://dns.measurement-factory.com/tools/dnstop/

Best regards,

  Julien