dns-analyzer(1) NLnet Labs dns-analyzer(1)
NAME
       dns-analyzer - analyze DNS traffic from tcpdump(8) trace files

SYNOPSIS
       dns-analyzer options tcpdumpfile...

DESCRIPTION
       Analyze the specified tcpdump(8) files. The order of the options is
       significant, as certain options use the current value of other
       options.
OPTIONS
       -?, -h Print usage information and exit.

       -A     Print all aggregated data. See the -g option for more
              information on aggregation.

       -a     Anonymize the input data. Every unique IP number and hostname
              is replaced by a unique numeric identifier.

       file   Dump interesting packets to the specified file on exit. The
              packets are dumped in tcpdump(8) format. Interesting packets
              include packets that cause exceptions in the analyzer or
              packets that contain strange or garbage values in certain
              fields (such as the DNS query count field being greater than
              1). Interesting packets are only dumped if gathering
              interesting packets is enabled using the -i option.

       -g fields
              Count the packets with the same combination of fields. The
              fields must be a comma separated list of field names (see
              FIELD NAMES below). This option uses the current values
              specified by the -A, -p, -q, -r, -T, and -t options.

       -i     Enable gathering of interesting packets. Packets are
              considered interesting when they cause exceptions in the
              analyzer or certain fields contain strange or unexpected
              values.

       -m count
              Set the number of records written to an R(1) data file. If
              the count is zero (the default) all packets are written to a
              single file. Otherwise a new data file is started every count
              packets. See the -w option for more information on writing
              R(1) data files.

       -p count
              Sets the number of packets to analyze before pruning the
              aggregation data of low-volume field combinations. This is
              useful to limit the memory usage of the dns-analyzer. Setting
              the count to 0 (the default) disables pruning. Values smaller
              than 5000 should be avoided. See the -g option for more
              information on aggregation.

       -q     Aggregate on DNS queries instead of DNS responses. See the -g
              option for more information on aggregation.

       -r     Aggregate on DNS responses instead of DNS queries. This is
              the default. See the -g option for more information on
              aggregation.

       -s     Measure the performance of the analyzer. The performance
              information is printed on exit to the standard output.

       -T intervals
              Measure the number of aggregation combinations based on a
              time interval. The intervals must be a comma separated list
              of time intervals specified in seconds. Use an empty parameter
              (e.g. '') to disable measurements based on time intervals.
              This option is useful to detect traffic peaks based on
              certain field combinations. The top combination is printed
              for every time interval. See the -g option for more
              information on aggregation.

       -t count
              After aggregation print the top count combinations. See the
              -g option for more information on aggregation.

       -w basename
              Write R(1) data files to the file basename.data. If splitting
              is enabled (see the -m option) the data is written to
              basename.nnn.data, where nnn is a three digit number starting
              at 000 containing the nnnth part of the split file.

       --     Ignore all further options and treat them as tcpdump(8) input
              files.
NOTES
       This manual page documents the DNS Analyzer version 0.3.0. The DNS
       Analyzer was originally written to analyze the traffic received by
       the root DNS servers. The main intent was to find unnecessary
       traffic.

       The main analysis done is to count common combinations of data from
       the DNS packets. Combinations that occur frequently are likely to be
       unnecessary traffic, as the client should be caching the query
       results and only ask the server once. You can specify the field
       combinations to check for with the -g option.

       Because of the high volume of data received by the root servers (up
       to 6000 queries per second at the time of this writing) the DNS
       analyzer cannot count all combinations and keep the results in
       memory. Just a ten minute trace for the K-root server contains about
       one gigabyte of data. To handle this the DNS analyzer can prune
       combinations that occur infrequently. You can specify the frequency
       of pruning with the -p option.

       The results of the combination analysis can be printed in two ways:

       -  With the -A option all aggregated data is printed. For every
          field combination present the number of occurrences is printed.

       -  With the -t count option the top count combinations are printed
          in increasing order.
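       The following Python sketch is an added illustration, not code from
       the dns-analyzer itself: it models the aggregation the page describes
       (counting field combinations as -g does, periodic pruning as -p does,
       the -t top-count view and the -T per-interval peak) over a constructed
       sample of query records. The prune threshold, the sample values and
       the window arithmetic are assumptions made here, not taken from the
       tool.

```python
from collections import Counter

# Constructed sample trace (not real data): (timestamp, dns.client, dns.domain, dns.qtype)
SAMPLE = [dict(zip(("ts", "dns.client", "dns.domain", "dns.qtype"), row)) for row in [
    (0.1, "10.0.0.5", "example.com.", "A"),
    (0.3, "10.0.0.5", "example.com.", "A"),
    (0.6, "10.0.0.5", "example.com.", "A"),
    (0.8, "10.0.0.9", "nlnetlabs.nl.", "A"),
    (1.4, "10.0.0.7", "example.net.", "MX"),
    (2.5, "10.0.0.5", "example.com.", "A"),
    (6.0, "10.0.0.9", "nlnetlabs.nl.", "A"),
    (6.1, "10.0.0.9", "nlnetlabs.nl.", "A"),
]]


def aggregate(packets, fields, prune_every=0, prune_min=2):
    """Count packets sharing the same values of `fields` (the -g idea).
    prune_every mirrors -p: after every prune_every packets, combinations seen
    fewer than prune_min times are dropped to bound memory. prune_min is an
    assumption; the man page states no threshold."""
    counts = Counter()
    for n, pkt in enumerate(packets, 1):
        counts[tuple(pkt.get(f) for f in fields)] += 1
        if prune_every and n % prune_every == 0:
            for key in [k for k, c in counts.items() if c < prune_min]:
                del counts[key]  # a pruned combination restarts from zero
    return counts


def top(counts, n):
    """The -t count view: the n most frequent combinations (n == 0: all)."""
    ranked = counts.most_common()
    return ranked if n == 0 else ranked[:n]


def interval_peaks(packets, fields, intervals):
    """The -T view: for each interval length in seconds, the combination
    with the most packets inside any single window of that length."""
    peaks = {}
    for length in intervals:
        windows = Counter()
        for pkt in packets:
            window = int(pkt["ts"] // length)
            windows[(window,) + tuple(pkt.get(f) for f in fields)] += 1
        (window, *combo), count = windows.most_common(1)[0]
        peaks[length] = (tuple(combo), count)
    return peaks
```

       Note that pruning every 4 packets drops the nlnetlabs.nl. client once
       and so reports it with 2 hits instead of 3, which is the accuracy the
       -p option trades for memory.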
FIELD NAMES
       A field name is composed of two parts separated by a dot (.). The
       first part is the protocol layer and the second part is the field
       within that protocol layer.

       The following fields are currently defined:

       ip.src The IP source address.

       ip.dst The IP destination address.

       udp.src
              The UDP source address. This is the same as ip.src but
              includes the UDP source port number.

       udp.dst
              The UDP destination address. This is the same as ip.dst but
              includes the UDP destination port number.

              The UDP source port.

              The UDP destination port.

              The query count of the DNS packet.

              The type field of the first query record in the DNS packet.

              The class field of the first query record in the DNS packet.

       dns.domain
              The domain field of the first query record in the DNS packet.

              The query flag of the DNS packet. This is 0 if the packet
              being analyzed is a response packet and 1 if the packet is a
              query.

              The authoritative flag of the DNS packet.

              The truncated flag of the DNS packet.

              The response code of the DNS packet. Only useful when
              analyzing DNS responses using the -r flag.

              The IP address of the DNS server. When analyzing a DNS query
              this is the same as udp.dst, otherwise it is the same as

       dns.client
              The IP address of the DNS client. When analyzing a DNS query
              this is the same as udp.src, otherwise it is the same as
EXAMPLES
       Convert the tcpdump(8) file into an R(1) data file:

              dns-analyzer -w r-file input.tcpdump

       Generate the top 10 DNS clients using the DNS queries:

              dns-analyzer -q -t 10 -g dns.client input.tcpdump

       Generate the top 10 DNS clients and print all domains queried for,
       based on the DNS queries:

              dns-analyzer -q -t 10 -g dns.client -t 0 -A dns.domain input.tcpdump

       Measure the number of times a client queries the server over 1, 5,
       and 10 second intervals (only the client with the highest number of
       queries during the shortest interval is printed):

              dns-analyzer -q -T 1,5,10 -g dns.client input.tcpdump

       Measure the speed of the analyzer without printing any other output:

              dns-analyzer -s -g dns.client,dns.domain input.tcpdump
AUTHOR
       Written by Erik Rozendaal.

       Report bugs to <firstname.lastname@example.org>.

BUGS
       The aggregation output format should be more structured and
       parseable by other programs.

       The program should support IPv6 but this has not been tested.

       The program should support analyzing the traffic directly from a
       network device instead of only analyzing tcpdump(8) files.
COPYRIGHT
       Copyright (C) 2002, 2003, NLnet Labs, All rights reserved.

       This program is free software; you can redistribute it and/or modify
       it under the terms of the GNU General Public License as published by
       the Free Software Foundation; either version 2 of the License, or
       (at your option) any later version.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
       General Public License for more details.

       You should have received a copy of the GNU General Public License
       along with this program; if not, write to the Free Software
       Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
       USA
DNS-Analyzer 0.3.0 March 4, 2003 dns-analyzer(1)