Skip to content

pflarr/dns_parse

3 Branches3 Tags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

pflarrpflarr
Merge pull request #11 from pflarr/pflarr-patch-1
Dec 16, 2016
75c532f · Dec 16, 2016

History

110 Commits
bin
bin
Mar 19, 2013
etc
etc
Dec 14, 2010
init
init
Jul 19, 2011
pkgs
pkgs
Apr 5, 2013
.gitignore
.gitignore
Apr 4, 2013
LICENSE
LICENSE
Mar 20, 2013
Makefile
Makefile
Jul 5, 2013
README
README
Mar 22, 2013
dns_parse.c
dns_parse.c
Dec 15, 2016
dns_parse.h
dns_parse.h
Dec 15, 2016
network.c
network.c
Sep 13, 2016
network.h
network.h
Jul 22, 2013
rtypes.c
rtypes.c
Dec 16, 2016
rtypes.h
rtypes.h
Mar 5, 2013
strutils.c
strutils.c
Dec 13, 2016
strutils.h
strutils.h
Mar 5, 2013
tcp.c
tcp.c
May 24, 2015
tcp.h
tcp.h
Mar 5, 2013

Repository files navigation

-- OVERVIEW --
dns_parse takes as input a pcap of DNS data and produces a complete, trivially
parsable, human readable ASCII version of the same data. It's generally useful
for network monitoring (send the data to Splunk or similar). The most common
carrying protocols are supported, as well as packet deduplication.

-- SUPPORTED PROTOCOLS --
Ethernet
MPLS
IPv4 (including fragment reassembly)
IPv6 (including fragment reassembly)
UDP
TCP (with flow state saving and loading between pcaps)
DNS (on any port)

-- AUTHOR INFO --
Paul Ferrell
[email protected]

-- CONTENTS --
Code to build bin/dns_parse.
init/dnscapture - An init script for running tcpdump on an interface as a
service to generate regular pcap files.
bin/dns_parse_cron - A python cron job script for periodically running dns_parse
on regularly output pcap files (generally from using the -C or -G options in
tcpdump).
pkgs/dns_parse.spec - An RPM spec file, for those dinosaurs that still use these
things (like me).
etc/* - example config files for init/dnscapture and bin/dns_parse_cron

-- DEPENDENCIES --
libpcap

-- OS Dependencies --
This has been tested primarily on x86_64 linux, but there shouldn't be any typing issues on 32 bit machines. 

-- BUILDING AND INSTALLING --
make
make install

-- Running --
"./bin/dns_parse -h" should tell you everything you need to know.

A reasonable set of options is:
./bin/dns_parse -m "" -t -r <dns_captured.pcap>
This gets you newline separated resource records an empty main record separator,
pretty printed dates, and the shorthand for the record types (ie. A or CNAME).
Printing of additional and name server records is disabled (by default).
The output will look like this:

2013-02-13 14:56:06.002102,75.32.12.33,75.32.37.16,61,u,r,AA
? mass.blah.com A
! mass.blah.com A 75.32.37.40

2013-02-13 14:56:06.002471,33.53.3.59,112.78.117.89,54,u,q,NA
? getsystemsinc.com MX

2013-02-13 14:56:06.005718,75.32.207.52,75.32.12.33,53,u,q,NA
? 11.207.165.128.in-addr.arpa PTR

2013-02-13 14:56:06.006109,75.32.12.33,75.32.207.52,80,u,r,AA
? 11.207.165.128.in-addr.arpa PTR
! 11.207.165.128.in-addr.arpa PTR cato.blah.com

2013-02-13 14:56:06.006189,75.32.157.134,75.32.12.33,47,u,q,NA
? blerg-dd.blah.com A

2013-02-13 14:56:06.006212,192.12.184.7,33.53.3.1,42,u,q,NA
? api.flyertown.ca A

2013-02-13 14:56:06.006570,75.32.12.33,75.32.157.134,63,u,r,AA
? blerg-dd.blah.com A
! blerg-dd.blah.com A 172.16.236.126

About

A fast parser for DNS pcap data.

Resources

Readme

License

View license
Activity

Stars

70 stars

Watchers

6 watching

Forks

21 forks
Report repository

Releases

3 tags

Packages

No packages published

Contributors 4

Languages