NAME
dnstop - displays various tables of DNS traffic on your network
SYNOPSIS
dnstop [-46apsQR] [-b expression] [-i address] [-f filter] [-r interval]
[device] [savefile]
DESCRIPTION
dnstop is a small tool to listen on device or to parse the file savefile
and collect and print statistics on the local network’s DNS traffic. You
must have read access to /dev/bpf*.
COMMAND LINE OPTIONS
The options are as follows:
-4 count only messages with IPv4 addresses
-6 count only messages with IPv6 addresses
-a anonymize addresses
-b expression
BPF filter expression
(default: udp port 53)
-i address
ignore select addresses
-p Do not put the interface into promiscuous mode.
-r Redraw interval (seconds).
-l level
keep counts on names up to level domain name levels.
For example, with -l 2 (the default), dnstop will keep two
tables: one with top-level domain names, and another with second-
level domain names. Increasing the level provides more details,
but also requires more memory and CPU.
-f input filter name
The "unknown-tlds" filter includes only queries for TLDs that are
bogus. Useful for identifying hosts/servers that leak queries
for things like "localhost" or "workgroup."
The "A-for-A" filter includes only A queries for names that are
already IP addresses. Certain Microsoft Windows DNS servers have
a known bug that forward these queries.
The "rfc1918-ptr" filter includes only PTR queries for addresses
in RFC1918 space. These should never leak from inside an
organization.
-Q count only DNS query messages
-R count only DNS reply messages
savefile
a captured network trace in pcap format
device ethernet device (ie fxp0)
RUN TIME OPTIONS
While running, the following options are available to alter the display:
s display the source address table
d display the destination address table
t display the breakdown of query types seen
o display the breakdown of opcodes seen
1 show 1st level query names
2 show 2nd level query names
3 show 3rd level query names
4 show 4th level query names
5 show 5th level query names
6 show 6th level query names
7 show 7th level query names
8 show 8th level query names
9 show 9th level query names
! show sources + 1st level query names
@ show sources + 2nd level query names
# show sources + 3rd level query names
$ show sources + 4th level query names
% show sources + 5th level query names
^ show sources + 6th level query names
& show sources + 7th level query names
* show sources + 8th level query names
( show sources + 9th level query names
^R reset the counters
^X exit the program
space redraw
? help
NON-INTERACTIVE MODE
If stdout is not a tty, dnstop runs in non-interactive mode. In this
case, you must supply a savefile for reading, instead of capturing live
packets. After reading the entire savefile, dnstop prints the top 50
entries for each table.
AUTHORS
Duane Wessels (wessels@measurement-factory.com)
Mark Foster (mark@foster.cc)
Jose Nazario (jose@monkey.org)
Sam Norris <@ChangeIP.com>
Max Horn <@quendi.de>
John Morrissey <jwm@horde.net>
Florian Forster <octo@verplant.org>
Dave Plonka <plonka@cs.wisc.edu>
http://dnstop.measurement-factory.com/
BUGS
Unless compiled with -DUSE_PPP the program will not correctly decode PPP
frames.