DNSTOP(8)
NAME
dnstop -- displays various tables of DNS traffic on your network
SYNOPSIS
dnstop [-46apsQR] [-b expression] [-i address] [-f filter] [-r interval] [device] [savefile]
DESCRIPTION
dnstop is a small tool to listen on device or to parse the file savefile
and collect and print statistics on the local network's DNS traffic. You
must have read access to /dev/bpf*.
COMMAND LINE OPTIONS
The options are as follows:
-4 count only messages with IPv4 addresses
-6 count only messages with IPv6 addresses
-a anonymize addresses
-b expression
   BPF filter expression (default: udp port 53)
-i address
   ignore select addresses
-p Do not put the interface into promiscuous mode.
-r interval
   Redraw interval (seconds).
-l level
   keep counts on names up to level domain name levels. For example, with -l 2 (the default), dnstop will keep two tables: one with top-level domain names, and another with second-level domain names. Increasing the level provides more detail, but also requires more memory and CPU.
-f input filter name
   The "unknown-tlds" filter includes only queries for TLDs that are bogus. Useful for identifying hosts/servers that leak queries for things like "localhost" or "workgroup."
   The "A-for-A" filter includes only A queries for names that are already IP addresses. Certain Microsoft Windows DNS servers have a known bug that forwards these queries.
   The "rfc1918-ptr" filter includes only PTR queries for addresses in RFC1918 space. These should never leak from inside an organization.
-Q count only DNS query messages
-R count only DNS reply messages
savefile
   a captured network trace in pcap format
device
   ethernet device (i.e. fxp0)
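The three -f input filters and the per-level name tables (-l) described above, as an added Python illustration of their logic; this is not dnstop's own code (dnstop is written in C), and the sample queries and the short TLD list are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample queries as (qtype, qname) pairs; not captured from a real network.
SAMPLE_QUERIES = [
    ("A", "www.example.com."),
    ("A", "localhost."),                    # leak caught by unknown-tlds
    ("A", "fileserver.workgroup."),         # leak caught by unknown-tlds
    ("A", "192.168.1.10."),                 # caught by A-for-A
    ("PTR", "10.1.168.192.in-addr.arpa."),  # caught by rfc1918-ptr
    ("PTR", "1.0.0.10.in-addr.arpa."),      # caught by rfc1918-ptr
    ("PTR", "8.8.8.8.in-addr.arpa."),       # public address, matches no filter
]
# Assumption: a stand-in for a real TLD list (e.g. the IANA root zone); unlisted = bogus.
KNOWN_TLDS = {"com", "org", "net", "arpa"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def labels(qname):
    # Lowercase labels of a presentation-format name, root label dropped.
    return [lab.lower() for lab in qname.rstrip(".").split(".") if lab]

def ipv4_or_none(text):
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:  # not a dotted quad
        return None

def unknown_tld(qtype, qname):
    """'unknown-tlds' filter: the rightmost label is not a known TLD."""
    lab = labels(qname)
    return bool(lab) and lab[-1] not in KNOWN_TLDS

def a_for_a(qtype, qname):
    """'A-for-A' filter: an A query whose name is itself an IPv4 address."""
    return qtype == "A" and ipv4_or_none(qname.rstrip(".")) is not None

def rfc1918_ptr(qtype, qname):
    """'rfc1918-ptr' filter: PTR query in in-addr.arpa for an RFC1918 address."""
    lab = labels(qname)
    if qtype != "PTR" or len(lab) != 6 or lab[4:] != ["in-addr", "arpa"]:
        return False
    addr = ipv4_or_none(".".join(reversed(lab[:4])))  # PTR names list octets reversed
    return addr is not None and any(addr in net for net in RFC1918)

def level_table(queries, level, filt=None):
    """Count names cut to their last `level` labels (dnstop's -l tables), optionally after a -f filter."""
    filters = {"unknown-tlds": unknown_tld, "A-for-A": a_for_a, "rfc1918-ptr": rfc1918_ptr}
    counts = Counter()
    for qtype, qname in queries:
        if filt is None or filters[filt](qtype, qname):
            counts[".".join(labels(qname)[-level:])] += 1
    return counts
```

Note that an A query for a bare IP address also lands in the unknown-tlds table, since its last octet is not a TLD; dnstop's separate A-for-A filter exists to pull those out explicitly.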
RUN TIME OPTIONS
While running, the following options are available to alter the display:
s display the source address table
d display the destination address table
t display the breakdown of query types seen
o display the breakdown of opcodes seen
1 show 1st level query names
2 show 2nd level query names
3 show 3rd level query names
4 show 4th level query names
5 show 5th level query names
6 show 6th level query names
7 show 7th level query names
8 show 8th level query names
9 show 9th level query names
! show sources + 1st level query names
@ show sources + 2nd level query names
# show sources + 3rd level query names
$ show sources + 4th level query names
% show sources + 5th level query names
^ show sources + 6th level query names
& show sources + 7th level query names
* show sources + 8th level query names
( show sources + 9th level query names
^R reset the counters
^X exit the program
space redraw
? help
NON-INTERACTIVE MODE
If stdout is not a tty, dnstop runs in non-interactive mode. In this
case, you must supply a savefile for reading, instead of capturing live
packets. After reading the entire savefile, dnstop prints the top 50
entries for each table.
AUTHORS
Duane Wessels (wessels@measurement-factory.com)
Mark Foster (mark@foster.cc)
Jose Nazario (jose@monkey.org)
Sam Norris <@ChangeIP.com>
Max Horn <@quendi.de>
John Morrissey <jwm@horde.net>
Florian Forster <octo@verplant.org>
Dave Plonka <plonka@cs.wisc.edu>
http://dnstop.measurement-factory.com/
BUGS
Unless compiled with -DUSE_PPP the program will not correctly decode PPP frames.