[dns-operations] can you suggest dns test/log tool

Rick Jones rick.jones2 at hp.com
Tue Aug 29 20:04:57 UTC 2006

Stephane Bortzmeyer wrote:
> On Mon, Aug 14, 2006 at 06:51:16PM -0600,
>  Duane Wessels <wessels at packet-pushers.com> wrote 
>  a message of 20 lines which said:
>>William's question prompted me to clean up and publish a little tool
>>that I'd been working on previously.  As Florian also suggested, it
>>is a Perl script that uses Net::Pcap and Net::DNS.  You can get it
>>from http://dns.measurement-factory.com/tools/dnsdump/
> Thanks for that simple and useful tool.
> I like:
> * the way you can choose the output format, which is very nice for
> post-processing by your favorite tool.
> I dislike:
> * the fact that you cannot change the pcap filter (UDP is hardwired,
> for instance), this is something that it is probably easy to change.
> * and, moreover, the fact that it takes 100 % of the CPU on a server
> which serves thousands of requests per second. Apparently, the only
> way to filter a part of the DNS requests (say, for a given QNAME, or
> for a given QTYPE) is to filter with a grep-like tool after the
> formatting has been done by Perl for *every* packet.
> It is probably not easy to change (I do not think that pcap provides
> an easy way to dig into DNS data)

That may depend on the definition of easy.  Speculating as I type, I 
suspect that one can do something like udp[N] to access the N'th byte of 
UDP datagrams, (similarly for tcp) and if that was consistently a given 
part of a DNS message...  one of the examples in the tcpdump manpage 
uses tcp[13] as a way to get to the flags to filter based on 
SYN|FIN|RST, this would just be expanding on that idea.

rick jones

More information about the dns-operations mailing list