[dns-operations] can you suggest dns test/log tool
Rick Jones
rick.jones2 at hp.com
Tue Aug 29 20:04:57 UTC 2006
Stephane Bortzmeyer wrote:
> On Mon, Aug 14, 2006 at 06:51:16PM -0600,
> Duane Wessels <wessels at packet-pushers.com> wrote
> a message of 20 lines which said:
>
>
>>William's question prompted me to clean up and publish a little tool
>>that I'd been working on previously. As Florian also suggested, it
>>is a Perl script that uses Net::Pcap and Net::DNS. You can get it
>>from http://dns.measurement-factory.com/tools/dnsdump/
>
>
> Thanks for that simple and useful tool.
>
> I like:
>
> * the way you can choose the output format, which is very nice for
> post-processing by your favorite tool.
>
> I dislike:
>
> * the fact that you cannot change the pcap filter (UDP is hardwired,
> for instance), this is something that it is probably easy to change.
>
> * and, moreover, the fact that it takes 100 % of the CPU on a server
> which serves thousands of requests per second. Apparently, the only
> way to filter a part of the DNS requests (say, for a given QNAME, or
> for a given QTYPE) is to filter with a grep-like tool after the
> formatting has been done by Perl for *every* packet.
>
> It is probably not easy to change (I do not think that pcap provides
> an easy way to dig into DNS data)

That may depend on the definition of easy. Speculating as I type, I
suspect that one can do something like udp[N] to access the N'th byte of
UDP datagrams, (similarly for tcp) and if that was consistently a given
part of a DNS message... one of the examples in the tcpdump manpage
uses tcp[13] as a way to get to the flags to filter based on
SYN|FIN|RST, this would just be expanding on that idea.

rick jones
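
An added example, not part of the original message or of dnsdump: a sketch of the udp[N] idea that builds a pcap filter matching queries for one QNAME (and optionally one QTYPE) before any per-packet decoding is done. It assumes the 8-byte UDP header and 12-byte DNS header, so the question section starts at udp[20]; the function names and the sample name are made up for illustration.

```python
import struct

UDP_HDR = 8    # bytes of UDP header before the DNS message
DNS_HDR = 12   # fixed DNS header: ID, flags, four 16-bit counts

def qname_wire(name):
    """Encode a domain name as DNS length-prefixed labels ending in 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def bpf_compare(offset, data):
    """Compare data against udp[offset...] using 4-, 2- and 1-byte loads,
    the only access sizes the pcap filter language offers."""
    terms = []
    while data:
        size = 4 if len(data) >= 4 else 2 if len(data) >= 2 else 1
        value = int.from_bytes(data[:size], "big")
        terms.append("udp[%d:%d] = 0x%0*x" % (offset, size, size * 2, value))
        offset += size
        data = data[size:]
    return terms

def dns_query_filter(name, qtype=None):
    """Build a pcap filter for IPv4/UDP DNS queries for one QNAME (and QTYPE).
    The match is byte-exact, so a query sent in a different letter case
    than `name` will not match."""
    question = qname_wire(name)
    if qtype is not None:
        question += struct.pack("!H", qtype)   # QTYPE follows the QNAME
    terms = ["udp dst port 53",
             "udp[%d] & 0x80 = 0" % (UDP_HDR + 2)]   # QR bit clear: a query
    terms += bpf_compare(UDP_HDR + DNS_HDR, question)
    return " and ".join(terms)

if __name__ == "__main__":
    # Constructed sample name; QTYPE 1 is A.
    print(dns_query_filter("www.example.com", 1))
```

The resulting string can be handed to tcpdump or any other libpcap-based program as its filter expression; udp[N] indexing in pcap filters applies to IPv4 packets only.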