[dsc] Filter DSC statistics according to TLD / SLD

Jakob Dhondt jakob.dhondt at switch.ch
Tue Apr 3 16:15:16 UTC 2018


Hi Jerry,

oh, that was easy! Thank you very much!

Cheers,

Jakob


On 03.04.18 17:06, Jerry Lundström wrote:
> Hi Jakob,
>
> On Tue, 2018-04-03 at 16:35 +0200, Jakob Dhondt wrote:
>> recently I have migrated our dsc processes to a new host and changed
>> some things along the way. One thing that I tried is filtering the
>> traffic from a pcap-file according to TLD / SLD so that we can share
>> part of the data where we act as secondary. I haven't found an easy way
>> though. One thing I could imagine is to use bpf_filter but I couldn't
>> find a way that does not involve knowing the exact byte values of the
>> packages. So the only thing I have come up with for now is filtering the
>> pcap beforehand, e.g. with tshark, and then feeding it to dsc. But I was
>> wondering if there is a better solution.
> Have you tried the QNAME filter?
>
>   Defines a custom QNAME-based filter for DNS messages.  If
>   you refer to this named filter on a dataset line, then only
>   queries or replies for matching QNAMEs will be counted.
>
> In your case I'd guess something like:
>
>   qname_filter TLD-Only \.tld$ ;
>
> Then add it to all datasets:
>
>   dataset qtype dns All:null Qtype:qtype queries-only,TLD-Only;
>   ...
>
> Cheers,
> Jerry

-- 

SWITCH
Jakob Dhondt, Security Engineer, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 23
jakob.dhondt at switch.ch, www.switch.ch
Security-News: securityblog.switch.ch
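An added illustration, not code from the dsc project or from either poster, of what the filter chain on a dataset line such as `dataset qtype dns All:null Qtype:qtype queries-only,TLD-Only;` selects. It re-creates the `qname_filter` regex matching and the qtype count over constructed sample messages; the filter names, sample QNAMEs and the normalisation (lower-case, trailing root dot stripped) are this example's own assumptions, not necessarily DSC's internals.

```python
import re
from collections import Counter

# Constructed sample messages (qname, qtype, is_query); not real traffic.
SAMPLE_MESSAGES = [
    ("www.example.tld.", "A", True),
    ("WWW.EXAMPLE.TLD.", "AAAA", True),
    ("mail.example.tld.", "MX", False),   # a reply: dropped by queries-only
    ("example.tld.", "NS", True),
    ("ns1.other.tld.", "A", True),         # under the TLD, but not the SLD we serve
    ("other.zone.", "A", True),
    ("tld.", "SOA", True),                 # apex of the TLD itself: no leading dot
    ("evil.tld.example.", "A", True),      # ".tld" in the middle, not at the end
]

# Named filters, as "qname_filter TLD-Only \.tld$ ;" would define them in dsc.conf.
# Assumption: QNAMEs are compared lower-cased without the trailing root dot.
QNAME_FILTERS = {
    "TLD-Only": re.compile(r"\.tld$"),
    "Secondary-SLD": re.compile(r"(^|\.)example\.tld$"),
}

def normalise(qname):
    return qname.rstrip(".").lower()

def matches(filter_name, qname):
    return QNAME_FILTERS[filter_name].search(normalise(qname)) is not None

def count_qtype(messages, filters):
    """Emulate 'dataset qtype dns All:null Qtype:qtype <filters>;'.

    filters is the comma-separated list from the dataset line, split into
    items: built-in queries-only / replies-only plus named qname filters.
    """
    counts = Counter()
    named = [f for f in filters if f in QNAME_FILTERS]
    for qname, qtype, is_query in messages:
        if "queries-only" in filters and not is_query:
            continue
        if "replies-only" in filters and is_query:
            continue
        if not all(matches(f, qname) for f in named):
            continue
        counts[qtype] += 1
    return dict(counts)
```

Note that `\.tld$` excludes the TLD apex name itself and anything where `.tld` is not the final label, which is usually what is wanted when sharing only the zones you serve.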


