DNS Analyzer


dns-analyzer(1)                   NLnet Labs                   dns-analyzer(1)




NAME

       dns-analyzer - analyze DNS traffic from tcpdump(8) trace files.


SYNOPSIS

       dns-analyzer options tcpdumpfile...


OPTIONS

       Analyze  the  specified  tcpdump(8) files.  The order of the options is
       significant as certain options use the current value of  other  options
       to initialize.

       -?, -h Print usage information and exit.

       -A     Print  all aggregated data.  See the -g option for more informa-
              tion on aggregation.

       -a     Anonymize the input data.  Every unique IP number  and  hostname
              is replaced by a unique numeric identifier.

       -d filename
              Dump  interesting  packets  to  the specified file on exit.  The
              packets are dumped in tcpdump(8)  format.   Interesting  packets
              include packets that cause exceptions in the analyzer or packets
              that contain strange or garbage values in certain  fields  (such
              as the DNS query count field being greater than 1).  Interesting
              packets are only dumped  if  gathering  interesting  packets  is
              enabled using the -i option.

       -g fields
              Count  the  packets  with  the  same combination of fields.  The
              fields must be a comma separated list of field names  (see  FIELD
              NAMES  below).  This option uses the current values specified by
              the -A, -p, -q, -r, -T, and -t options.

       -i     Enable gathering of interesting packets.  Packets are considered
              interesting  when  they cause exceptions in the analyzer or cer-
              tain fields contain strange or unexpected values.

       -m count
              Set the number of records written to an R(1) data file.  If  the
              count  is zero (the default) all packets are written to a single
              file.  Otherwise a new data file is started every count packets.
              See  the  -w  option  for  more information on writing R(1) data
              files.

       -p count
              Sets the number of packets to analyze before pruning the  aggre-
              gation data of low-volume field combinations.  This is useful to
              limit the memory usage of the dns-analyzer.  Setting  the  count
              to  0  (the default) disables pruning.  Values smaller than 5000
              should be avoided.  See the -g option for  more  information  on
              aggregation.

       -q     Aggregate  on  DNS queries instead of DNS responses.  See the -g
              option for more information on aggregation.

       -r     Aggregate on DNS responses instead of DNS queries.  This is  the
              default.  See the -g option for more information on aggregation.

       -s     Measure the performance of the analyzer.  The performance infor-
              mation is printed on exit to the standard output.

       -T intervals
              Measure  the  number of aggregation combinations based on a time
              interval.  The intervals must be a comma  separated  list  of  a
              time  interval  specified  in  seconds.   Use an empty parameter
              (e.g. '') to disable measurements based on time intervals.  This
              option  is useful to detect traffic peaks based on certain field
              combinations.  The top combination is  printed  for  every  time
              interval.   See  the  -g option for more information on aggrega-
              tion.

       -t count
              After aggregation print the top count combinations.  See the  -g
              option for more information on aggregation.

       -w basename
              Write  R(1)  data files to the file basename.data.  If splitting
              is enabled (see the -m option) the  data  is  written  to  base-
              name.nnn.data, where nnn is a three digit number starting at 000
              containing the nnnth part of the split file.

       --     Ignore all further options and treat them  as  tcpdump(8)  input
              filenames.


DESCRIPTION

       This  manual  page  documents  the DNS Analyzer version 0.3.0.  The DNS
       Analyzer was originally written to analyze the traffic received by  the
       root  DNS  servers.   The  main intent was to find unnecessary traffic.
       The main analysis performed is to count common combinations of  data
       from the DNS packets.  Combinations that occur frequently are likely to be
       unnecessary traffic, as the client should be caching the query  results
       and  only  ask the server once.  You can specify the field combinations
       to check for with the -g option.

       Because of the high volume of data received by the root servers (up  to
       6000  queries  per second at the time of this writing) the DNS analyzer
       cannot count all combinations and keep the results in memory.   Just  a
       ten  minute  trace for the K-root server contains about one gigabyte of
       data.  To handle this the DNS  analyzer  can  prune  combinations  that
       occur  infrequently.  You can specify the frequency of pruning with the
       -p option.

       The results of the combination analysis can be printed in two ways:

       -      With the -A option all aggregated data is  printed.   For  every
              field combination present the number of occurrences is printed.

       -      With  the -t count option the top count combinations are printed
              in increasing order.


FIELD NAMES

       A field name is composed of two parts separated  by  a  dot  (.).   The
       first  part  is  the  protocol  layer  and the second part is the field
       within that protocol layer.

       The following fields are currently defined:

       ip.src The IP source address.

       ip.dst The IP destination address.

       udp.src
              The UDP source address.  This is the same as ip.src but includes
              the UDP source port number.

       udp.dst
              The  UDP  destination  address.   This is the same as ip.dst but
              includes the UDP destination port number.

       udp.src-port
              The UDP source port.

       udp.dst-port
              The UDP destination port.

       dns.qcount
              The query count of the DNS packet.

       dns.type
              The type field of the first query record in the DNS packet.

       dns.class
              The class field of the first query record in the DNS packet.

       dns.domain
              The domain field of the first query record in the DNS packet.

       dns.query
              The query flag of the DNS packet.  This is 0 if the packet being
              analyzed  is  a  response  packet and 1 if the packet is a query
              packet.

       dns.authoritative
              The authoritative flag of the DNS packet.

       dns.truncated
              The truncated flag of the DNS packet.

       dns.rcode
              The response code of the DNS packet.  Only useful when analyzing
              DNS responses using the -r flag.

       dns.server
              The  IP  address  of the DNS server.  When analyzing a DNS query
              this is the same  as  udp.dst,  otherwise  it  is  the  same  as
              udp.src.

       dns.client
              The  IP  address  of the DNS client.  When analyzing a DNS query
              this is the same  as  udp.src,  otherwise  it  is  the  same  as
              udp.dst.
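
       As an added example (not dns-analyzer's own code), the following Python
       re-implements the analysis described in DESCRIPTION over a small
       constructed trace: it parses the dns.* fields of FIELD NAMES from raw DNS
       messages, derives the ip.*, udp.*, dns.client and dns.server fields by
       direction, counts field combinations as -g does on the query or response
       side (-q/-r), prunes low-volume combinations every N packets as -p does,
       collects packets that raise a parse error or carry a query count other
       than 1 as "interesting" (-i), buckets counts per time interval (-T) and
       returns the top combinations in increasing order (-t).  The packet
       records are constructed Python dicts rather than tcpdump(8) files, the
       build_dns helper only exists to fabricate input, and the pruning
       threshold prune_below is an assumption: the manual does not say how
       dns-analyzer decides which combinations are low-volume.

```python
"""Toy re-implementation of dns-analyzer style aggregation over constructed packets.
Hypothetical example code, not from dns-analyzer; packets are dicts, not tcpdump(8) files."""
import struct
from collections import Counter


def build_dns(domain, qtype=1, qclass=1, response=False, rcode=0, qdcount=1, txid=0x1234):
    """Constructed-input helper: a one-question DNS message; qdcount lets us forge qcount>1."""
    flags = (0x8000 if response else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in domain.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)


def parse_dns_fields(payload):
    """Extract the dns.* fields from FIELD NAMES out of a raw DNS message (first question only)."""
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    off, labels = 12, []
    while True:
        ln = payload[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:                       # compression pointer is not valid in a question name
            raise ValueError("compressed question name")
        labels.append(payload[off:off + ln].decode("ascii"))
        off += ln
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"dns.qcount": qdcount, "dns.type": qtype, "dns.class": qclass,
            "dns.domain": ".".join(labels).lower() + ".",
            "dns.query": 0 if flags & 0x8000 else 1,
            "dns.authoritative": (flags >> 10) & 1, "dns.truncated": (flags >> 9) & 1,
            "dns.rcode": flags & 0xF}


def packet_fields(pkt):
    """Add the ip.* and udp.* fields and derive dns.client / dns.server from the direction."""
    f = parse_dns_fields(pkt["payload"])
    f["ip.src"], f["ip.dst"] = pkt["src"], pkt["dst"]
    f["udp.src-port"], f["udp.dst-port"] = pkt["sport"], pkt["dport"]
    f["udp.src"], f["udp.dst"] = f"{pkt['src']}:{pkt['sport']}", f"{pkt['dst']}:{pkt['dport']}"
    if f["dns.query"]:
        f["dns.client"], f["dns.server"] = f["udp.src"], f["udp.dst"]
    else:
        f["dns.client"], f["dns.server"] = f["udp.dst"], f["udp.src"]
    return f


class Aggregator:
    """Count field combinations (-g); -q/-r pick the direction; -p style pruning; -i collects oddities."""

    def __init__(self, fields, queries=False, prune_every=0, prune_below=2, intervals=()):
        self.fields, self.want_query = tuple(fields), (1 if queries else 0)
        self.prune_every, self.prune_below = prune_every, prune_below   # prune_below: assumed threshold
        self.counts, self.seen, self.interesting = Counter(), 0, []
        self.buckets = {iv: Counter() for iv in intervals}              # -T: counts per time bucket

    def add(self, pkt):
        try:
            f = packet_fields(pkt)
        except (ValueError, IndexError, struct.error):
            self.interesting.append(pkt)                # parse failure: interesting packet
            return
        if f["dns.qcount"] != 1:
            self.interesting.append(pkt)                # garbage in the query count field
        if f["dns.query"] != self.want_query:
            return
        key = tuple(f[n] for n in self.fields)
        self.counts[key] += 1
        for iv, ctr in self.buckets.items():
            ctr[(int(pkt["ts"] // iv), key)] += 1
        self.seen += 1
        if self.prune_every and self.seen % self.prune_every == 0:
            self.counts = Counter({k: v for k, v in self.counts.items() if v >= self.prune_below})

    def top(self, n):
        """Top n combinations in increasing order of count, as -t prints them (n=0: everything, like -A)."""
        ordered = sorted(self.counts.items(), key=lambda kv: kv[1])
        return ordered[-n:] if n else ordered

    def peaks(self):
        """For every -T interval the ((bucket, combination), count) with the highest count."""
        return {iv: max(ctr.items(), key=lambda kv: kv[1]) for iv, ctr in self.buckets.items() if ctr}


SERVER = "198.51.100.1"


def sample_trace():
    """Constructed trace: .10 repeats one question (no caching), .11 asks once, .12 sends qcount=2."""
    pkts = []
    for ts in (0.1, 0.4, 6.0):
        pkts.append(dict(ts=ts, src="192.0.2.10", sport=5353, dst=SERVER, dport=53,
                         payload=build_dns("example.com")))
        pkts.append(dict(ts=ts, src=SERVER, sport=53, dst="192.0.2.10", dport=5353,
                         payload=build_dns("example.com", response=True)))
    pkts.append(dict(ts=2.0, src="192.0.2.11", sport=5353, dst=SERVER, dport=53,
                     payload=build_dns("example.org")))
    pkts.append(dict(ts=2.0, src=SERVER, sport=53, dst="192.0.2.11", dport=5353,
                     payload=build_dns("example.org", response=True, rcode=3)))
    pkts.append(dict(ts=3.0, src="192.0.2.12", sport=5353, dst=SERVER, dport=53,
                     payload=build_dns("bogus.test", qdcount=2)))
    return pkts


def run(fields, queries=True, prune_every=0, intervals=()):
    """Equivalent of: dns-analyzer [-q|-r] [-p prune_every] [-T intervals] -g fields <trace>."""
    agg = Aggregator(fields, queries=queries, prune_every=prune_every, intervals=intervals)
    for pkt in sample_trace():
        agg.add(pkt)
    return agg


if __name__ == "__main__":
    agg = run(["dns.client"], queries=True, intervals=(1, 5, 10))
    for combo, count in agg.top(10):
        print(count, *combo)
    print("interesting packets:", len(agg.interesting))
    print("peaks per interval:", agg.peaks())
```

       The repeated example.com query from 192.0.2.10 is exactly the pattern the
       manual calls unnecessary traffic: one client, one question, three hits on
       the server where a caching resolver would have produced one.  Pruning on
       a tiny trace like this one drops the single-query clients after the
       fourth counted packet, which is why the manual advises -p values of at
       least 5000 on real traces.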


EXAMPLES

       Convert the tcpdump(8) file into an R(1) data file:

       dns-analyzer -w r-file input.tcpdump

       Generate the top 10 DNS clients using the DNS queries.

       dns-analyzer -q -t 10 -g dns.client input.tcpdump

       Generate the top 10 DNS clients and print all domains queried for based
       on the DNS queries.

       dns-analyzer -q -t 10 -g dns.client -t 0 -A -g dns.domain input.tcpdump

       Measure the number of times a client queries the server over 1, 5,  and
       10 second intervals (only the client with the highest number of queries
       during the shortest interval is printed).

       dns-analyzer -q -T 1,5,10 -g dns.client input.tcpdump

       Measure the speed of the analyzer without printing any other output.

       dns-analyzer -s -g dns.client,dns.domain input.tcpdump


AUTHOR

       Written by Erik Rozendaal.


REPORTING BUGS

       Report bugs to <erik@nlnetlabs.nl>.


BUGS

       The aggregation output format should be more structured  and  parseable
       by other programs.

       The program should support IPv6 but this has not been tested.

       The  program  should support analyzing the traffic directly from a net-
       work device instead of only analyzing tcpdump(8) files.


COPYRIGHT

       Copyright (C) 2002, 2003, NLnet Labs, All rights reserved.

       This program is free software; you can redistribute it and/or modify it
       under  the  terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at  your
       option) any later version.

       This  program  is  distributed  in the hope that it will be useful, but
       WITHOUT ANY  WARRANTY;  without  even  the  implied  warranty  of  MER-
       CHANTABILITY  or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
       Public License for more details.

       You should have received a copy of the GNU General Public License along
       with this program; if not, write to the Free Software Foundation, Inc.,
       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA



DNS-Analyzer 0.3.0               March 4, 2003                 dns-analyzer(1)
