[dsc] Filter DSC statistiks according to TLD / SLD

Jakob Dhondt jakob.dhondt at switch.ch
Tue Apr 3 16:15:16 UTC 2018

Hi Jerry,

oh, that was easy! Thank you very much!



On 03.04.18 17:06, Jerry Lundström wrote:
> Hi Jakob,
> On Tue, 2018-04-03 at 16:35 +0200, Jakob Dhondt wrote:
>> recently I have migrated our dsc processes to a new host and changed
>> some things along the way. One thing that I tried is filtering the
>> traffic from a pcap-file according to TLD / SLD so that we can share
>> part of the data where we act as secondary. I haven't found an easy way
>> though. One thing I could imagine is to use bpf_filter but I couldn't
>> find a way that does not involve knowing the exact byte values of the
>> packages. So the only thing I have come up with for now is filtering the
>> pcap beforehand, e.g. with tshark, and then feeding it to dsc. But I was
>> wondering if there is a better solution.
> Have you tried the QNAME filter?
>   Defines a custom QNAME-based filter for DNS messages.  If
>   you refer to this named filter on a dataset line, then only
>   queries or replies for matching QNAMEs will be counted.
> In your case I'd guess something like:
>   qname_filter TLD-Only \.tld$ ;
> Then add it to all datasets:
>   dataset qtype dns All:null Qtype:qtype queries-only,TLD-Only;
>   ...
> Cheers,
> Jerry


Jakob Dhondt, Security Engineer, SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 15, direct +41 44 268 16 23
jakob.dhondt at switch.ch, www.switch.ch
Security-News: securityblog.switch.ch

More information about the dsc mailing list