Man Linux: Main Page and Category List

NAME

     dnstop - displays various tables of DNS traffic on your network

SYNOPSIS

     dnstop [-46apsQR] [-b expression] [-i address] [-f filter] [-r interval]
            [device] [savefile]

DESCRIPTION

     dnstop is a small tool to listen on device or to parse the file savefile
     and collect and print statistics on the local network’s DNS traffic. You
     must have read access to /dev/bpf*.

COMMAND LINE OPTIONS

     The options are as follows:

     -4      count only messages with IPv4 addresses

     -6      count only messages with IPv6 addresses

     -a      anonymize addresses

     -b expression
             BPF filter expression
             (default: udp port 53)

     -i address
             ignore select addresses

     -p      Do not put the interface into promiscuous mode.

     -r      Redraw interval (seconds).

     -l level
             keep counts on names up to level domain name levels.

             For example, with -l 2 (the default), dnstop will keep two
             tables: one with top-level domain names, and another with second-
             level domain names.  Increasing the level provides more details,
             but also requires more memory and CPU.

     -f      input filter name

             The "unknown-tlds" filter includes only queries for TLDs that are
             bogus.  Useful for identifying hosts/servers that leak queries
             for things like "localhost" or "workgroup."

             The "A-for-A" filter includes only A queries for names that are
             already IP addresses.  Certain Microsoft Windows DNS servers have
             a known bug that forward these queries.

             The "rfc1918-ptr" filter includes only PTR queries for addresses
             in RFC1918 space.  These should never leak from inside an
             organization.

     -Q      count only DNS query messages

     -R      count only DNS reply messages

     savefile
             a captured network trace in pcap format

     device  ethernet device (ie fxp0)

RUN TIME OPTIONS

     While running, the following options are available to alter the display:

     s       display the source address table

     d       display the destination address table

     t       display the breakdown of query types seen

     o       display the breakdown of opcodes seen

     1       show 1st level query names

     2       show 2nd level query names

     3       show 3rd level query names

     4       show 4th level query names

     5       show 5th level query names

     6       show 6th level query names

     7       show 7th level query names

     8       show 8th level query names

     9       show 9th level query names

     !       show sources + 1st level query names

     @       show sources + 2nd level query names

     #       show sources + 3rd level query names

     $       show sources + 4th level query names

     %       show sources + 5th level query names

     ^       show sources + 6th level query names

     &       show sources + 7th level query names

     *       show sources + 8th level query names

     (       show sources + 9th level query names

     ^R      reset the counters

     ^X      exit the program

     space   redraw

     ?       help

NON-INTERACTIVE MODE

     If stdout is not a tty, dnstop runs in non-interactive mode.  In this
     case, you must supply a savefile for reading, instead of capturing live
     packets.  After reading the entire savefile, dnstop prints the top 50
     entries for each table.

AUTHORS

     Duane Wessels (wessels@measurement-factory.com)
     Mark Foster (mark@foster.cc)
     Jose Nazario (jose@monkey.org)
     Sam Norris <@ChangeIP.com>
     Max Horn <@quendi.de>
     John Morrissey <jwm@horde.net>
     Florian Forster <octo@verplant.org>
     Dave Plonka <plonka@cs.wisc.edu>
     http://dnstop.measurement-factory.com/

BUGS

     Unless compiled with -DUSE_PPP the program will not correctly decode PPP
     frames.