Tuesday, July 7, 2009

DNSTOP

DnsTop is a libpcap application. Like NGrep and tcpdump (covered in previous posts), it is an application that captures and analyses network traffic. DnsTop can be used to display various tables of DNS traffic on your network. As the site states, dnstop displays tables of:

  • Source IP addresses
  • Destination IP addresses
  • Query types
  • Response codes
  • Opcodes
  • Top level domains
  • Second level domains
  • Third level domains
  • etc...
Compiling and installing varies (with some RPMs available). Generally this is a standard "./configure && make && make install" process. This is of course dependent on your system's installed libraries.

Running dnstop is simple. The '-4' option selects IPv4, and the '-l 9' option tells dnstop to track up to 9 levels of domain names (one table per level). Remember, the more tables, the more process memory and CPU used. Usually this is not an issue. Finally, the interface or file is set. In this case eth0. A PCAP format file can also be used as the input.
dnstop -4 -l 9 eth0
This means you can capture a PCAP file using TCPDump, Snort or any other sniffer of your choice and feed the data to dnstop for analysis. For instance, we can review the file, "save.pcap" and display the dns query results from this.
dnstop -4 -l 9 save.pcap
If you start with level 9 (-l 9) as an option, you have a far greater range of options.

The program is interactive. Select the level and it will display the various output styles. For instance, in the saved data we have the output for level 1 (TLD):
The domains at level 2:
Servers at lower levels and we get to a level with source, hosts and counts displayed:
Using the type option (enter t) you can drill down into a summary of the DNS query types received:
or the summary of the opcodes (enter o in the interactive screen).
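To make concrete what the level, type and opcode tables above actually count, here is an added example (not dnstop's own code) that performs the same tabulation in Python over raw DNS messages. It takes the UDP payloads directly rather than reading from libpcap, and the sample packets, client addresses and resolver address are constructed for the example. Level N of a name is its trailing N labels, so level 1 is the TLD, level 2 the second-level domain and so on, matching the screens selected in dnstop's interactive mode.

```python
"""Tabulate DNS queries by domain level, query type, opcode and endpoint,
reproducing the kind of tables dnstop -l N displays.  Example code, not
dnstop itself: it consumes raw DNS messages (UDP payloads) instead of a
libpcap capture, and the sample traffic below is constructed."""
import struct
from collections import Counter

# RFC 1035 / IANA names for the values dnstop summarises in its t and o screens.
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 33: "SRV", 255: "ANY"}
OPCODE_NAMES = {0: "Query", 1: "IQuery", 2: "Status", 4: "Notify", 5: "Update"}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype, opcode=0, txid=0x1234):
    """Assemble a minimal DNS query in wire format (header + one question)."""
    flags = (opcode & 0xF) << 11            # QR=0 (query); AA/TC/RD/RA clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)    # QCLASS=IN


def parse_question(msg):
    """Decode the header flags and the first question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12
    while True:
        if off >= len(msg):
            raise ValueError("truncated question name")
        length = msg[off]
        if length == 0:                      # root label terminates the name
            off += 1
            break
        if length & 0xC0:                    # pointer or invalid label length
            raise ValueError("compression pointer in question name")
        off += 1
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"labels": labels, "qtype": qtype,
            "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "is_response": bool(flags >> 15)}


def name_at_level(labels, level):
    """dnstop's level-N view: the trailing N labels (level 1 = TLD)."""
    return ".".join(labels[-level:]) if labels else "."


def tabulate(packets, max_level=3):
    """packets: iterable of (src_ip, dst_ip, dns_payload).  Returns per-level
    name tables plus qtype/opcode/rcode/source/destination counts."""
    tables = {"src": Counter(), "dst": Counter(), "qtype": Counter(),
              "opcode": Counter(), "rcode": Counter(), "malformed": 0,
              "level": {n: Counter() for n in range(1, max_level + 1)}}
    for src, dst, payload in packets:
        try:
            q = parse_question(payload)
        except ValueError:
            tables["malformed"] += 1          # keep going, as a sniffer would
            continue
        tables["src"][src] += 1
        tables["dst"][dst] += 1
        tables["qtype"][QTYPE_NAMES.get(q["qtype"], f"TYPE{q['qtype']}")] += 1
        tables["opcode"][OPCODE_NAMES.get(q["opcode"], str(q["opcode"]))] += 1
        if q["is_response"]:                  # rcode only means something in replies
            tables["rcode"][RCODE_NAMES.get(q["rcode"], str(q["rcode"]))] += 1
        for n in range(1, max_level + 1):
            tables["level"][n][name_at_level(q["labels"], n)] += 1
    return tables


# Constructed sample traffic: three clients querying one resolver (10.0.0.1).
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.1", build_query("www.example.com", 1)),
    ("10.0.0.5", "10.0.0.1", build_query("mail.example.com", 28)),
    ("10.0.0.7", "10.0.0.1", build_query("example.org", 15)),
    ("10.0.0.7", "10.0.0.1", build_query("5.0.0.10.in-addr.arpa", 12)),
    ("10.0.0.9", "10.0.0.1", build_query("example.net", 255)),
    ("10.0.0.9", "10.0.0.1", b"\x12\x34\x00"),      # truncated: counted as malformed
]


def print_tables(tables):
    """Print each table in dnstop's count-then-name layout."""
    for n, counter in tables["level"].items():
        print(f"-- level {n} --")
        for name, count in counter.most_common():
            print(f"{count:6d}  {name}")
    for key in ("qtype", "opcode", "src", "dst"):
        print(f"-- {key} --")
        for value, count in tables[key].most_common():
            print(f"{count:6d}  {value}")
    print(f"malformed: {tables['malformed']}")


if __name__ == "__main__":
    print_tables(tabulate(SAMPLE_PACKETS))
```

A name with fewer labels than the requested level is shown whole (example.org appears unchanged in the level 3 table), which is also why the higher levels in dnstop are where individual hosts start to appear. Malformed packets are counted rather than aborting the run, since a capture from a busy interface will contain some.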

Next, BPF (Berkeley Packet Filters).
