 is a small tool to listen on or to parse the file and collect and print
 statistics on the local network's DNS traffic.  You must have read access to

 The options are as follows:

        Count only messages with IPv4 addresses.

        Count only messages with IPv6 addresses.

        Count only DNS query messages.

        Count only DNS reply messages.

        Anonymize addresses.

        BPF filter expression (default: udp port 53).

        Aggregate IPv4 addresses by prefix.

        Aggregate IPv6 addresses by prefix.

        Ignore select addresses.

        Do not put the interface into promiscuous mode.

        Redraw interval (seconds).

        Keep counts on names up to domain name levels.  For example, with
        -l 2 (the default), will keep two tables: one with top-level domain
        names, and another with second-level domain names.  Increasing the
        provides more detail, but also requires more memory and CPU.

        Input filter name.  The following filters are available:

        The "unknown-tlds" filter includes only queries for TLDs that are
        bogus.  Useful for identifying hosts/servers that leak queries for
        things like "localhost" or "workgroup".

        The "new-gtlds" filter includes only queries for the new gTLD program
        of 2013/2014.  Useful for identifying hosts/servers that use names
        which may result in future collisions and problems when new gTLDs
        become active.

        The "A-for-A" filter includes only A queries for names that are
        already IP addresses.  Certain Microsoft Windows DNS servers have a
        known bug that forwards these queries.

        The "rfc1918-ptr" filter includes only PTR queries for addresses in
        RFC1918 space.  These should never leak from inside an organization.

        The "refused" filter, when used with the option, tells to count only
        replies with rcode REFUSED.

        The "servfail" filter, when used with the option, tells to count only
        replies with rcode SERVFAIL.

        The "nxdomain" filter, when used with the option, tells to count only
        replies with rcode NXDOMAIN.

        The "qtype-any" filter tells to count only messages of type ANY.

        Only count messages within the domain

        Print "progress" messages on stderr when in non-interactive mode.

        Use hash table buckets.

        Do not tabulate the sources + query name counters.  This can
        significantly reduce memory usage on busy servers and large
        savefiles.

        A captured network trace in format

        Ethernet device (i.e., fxp0).

 While running, the following options are available to alter the display:

        display the source address table
        display the destination address table
        display the breakdown of query types seen
        display the breakdown of response codes seen
        display the breakdown of opcodes seen
        show 1st level query names
        show 2nd level query names
        show 3rd level query names
        show 4th level query names
        show 5th level query names
        show 6th level query names
        show 7th level query names
        show 8th level query names
        show 9th level query names
        show sources + 1st level query names
        show sources + 2nd level query names
        show sources + 3rd level query names
        show sources + 4th level query names
        show sources + 5th level query names
        show sources + 6th level query names
        show sources + 7th level query names
        show sources + 8th level query names
        show sources + 9th level query names
        reset the counters
        exit the program
        redraw
        help

 If stdout is not a tty, runs in non-interactive mode.  In this case, you
 must supply a savefile for reading, instead of capturing live packets.
 After reading the entire savefile, prints the top 50 entries for each table.

 By default examines only query messages and ignores replies.  In this case
 the response code table is meaningless and will likely show 100% "Noerror."
 If you supply (only) the command line option, examines replies and ignores
 queries.  This allows you to see meaningful response code values, as well as
 all the other tables.  In this case all the query attributes (such as type
 and name) are taken from the Question section of the reply.

 Note, however, that it is common for a stream of DNS messages to contain
 more queries than replies.  This could happen, for example, if the server is
 too busy to respond to every single query, or if the server is designed to
 ignore malformed query messages.  Therefore, you might want to examine both
 queries and replies by giving both command line options.  In this case, only
 the response code counts are taken from the replies and all other attributes
 are taken from the queries.

 Does not support TCP at this time.
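 The per-level name tables and two of the input filters described above
 ("rfc1918-ptr" and "A-for-A"), reimplemented as an added illustration in
 Python; this is example code written for this page, not the tool's own
 source.  It assumes queries have already been decoded into (source, qname,
 qtype) tuples, and the sample queries are constructed using documentation
 address ranges.

```python
import ipaddress
from collections import Counter

# Private address space checked by the "rfc1918-ptr" filter.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def name_level(qname, level):
    """Key of the level-N name table: the last `level` labels, lowercased, no trailing dot."""
    return ".".join(qname.rstrip(".").lower().split(".")[-level:])

def is_rfc1918_ptr(qname, qtype):
    """PTR query whose in-addr.arpa name reverses to an RFC1918 address."""
    labels = qname.rstrip(".").lower().split(".")
    if qtype != "PTR" or len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return False
    try:
        addr = ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def is_a_for_a(qname, qtype):
    """A query whose name is already a dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(qname.rstrip("."))
    except ValueError:
        return False
    return qtype == "A"

def tabulate(queries, level, filt=None, with_source=False):
    """Count level-N names (or source + name) over (src, qname, qtype) tuples, after an optional filter."""
    table = Counter()
    for src, qname, qtype in queries:
        if filt is None or filt(qname, qtype):
            key = name_level(qname, level)
            table[(src, key) if with_source else key] += 1
    return table

# Constructed sample queries (source, qname, qtype); sources are documentation addresses.
SAMPLE_QUERIES = [
    ("192.0.2.10", "www.example.com.", "A"),
    ("192.0.2.10", "mail.example.com.", "A"),
    ("192.0.2.11", "5.0.168.192.in-addr.arpa.", "PTR"),  # reverse of 192.168.0.5 (private)
    ("192.0.2.11", "1.2.0.192.in-addr.arpa.", "PTR"),    # reverse of 192.0.2.1 (not private)
    ("192.0.2.12", "10.1.2.3.", "A"),                    # A query for a literal address
    ("192.0.2.12", "localhost.", "A"),
]

if __name__ == "__main__":
    for label, filt in (("all", None), ("rfc1918-ptr", is_rfc1918_ptr), ("A-for-A", is_a_for_a)):
        print(f"{label}, level 2:", dict(tabulate(SAMPLE_QUERIES, 2, filt)))
```

 Lowering the level argument collapses names into fewer, larger buckets,
 which is the memory/detail trade-off the level option describes.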