dnscap is a network capture utility designed specifically for DNS traffic. It produces binary data in pcap(3) and other formats. This utility is similar to tcpdump(1), but has a number of features tailored to DNS transactions and protocol options. DNS-OARC uses dnscap for DITL data collections.
Some of its features include:
- Understands both IPv4 and IPv6
- Captures UDP, TCP, and IP fragments.
- Collect only queries, responses, or both (
- Collect for only certain source/destination addresses (
- Periodically creates new pcap files (
- Spawns an upload script after closing a pcap file (
- Will start and stop collecting at specific times (
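The upload-script feature hands each closed pcap file to an external command. As an added example (not part of dnscap or this README), here is a POSIX sh post-close hook of that kind that validates the file before it is spooled for upload; it assumes dnscap invokes the command with the closed file's path as its first argument, and the spool directory and script name are made up.

```sh
#!/bin/sh
# Post-close hook for dnscap's upload feature (ASSUMED interface: dnscap runs
# the command with the path of the just-closed pcap file as its only argument).
# Validates the file before handing it to an uploader, so a truncated or
# non-pcap artefact is quarantined instead of being shipped off-host.

# Classic pcap magic numbers: both byte orders, micro- and nanosecond variants.
PCAP_MAGICS="d4c3b2a1 a1b2c3d4 4d3cb2a1 a1b23c4d"
PCAP_HDR_LEN=24   # size of the pcap global header in bytes

# Returns 0 if FILE starts with a classic pcap magic number.
pcap_magic_ok() {
    m=$(od -An -tx1 -N 4 "$1" 2>/dev/null | tr -d ' \n')
    for known in $PCAP_MAGICS; do
        [ "$m" = "$known" ] && return 0
    done
    return 1
}

# dnscap_postclose FILE SPOOLDIR
# Moves a sane capture into SPOOLDIR with a cksum sidecar for the uploader;
# anything else goes to SPOOLDIR/quarantine. Returns 0 when spooled, 1 otherwise.
dnscap_postclose() {
    f=$1; spool=$2
    mkdir -p "$spool/quarantine" || return 1
    name=$(basename "$f")
    size=$(wc -c < "$f" 2>/dev/null | tr -d ' ')
    if [ -z "$size" ] || [ "$size" -lt "$PCAP_HDR_LEN" ] || ! pcap_magic_ok "$f"; then
        mv -f "$f" "$spool/quarantine/$name" 2>/dev/null
        echo "dnscap hook: rejected $name (size=${size:-?})" >&2
        return 1
    fi
    mv -f "$f" "$spool/$name" || return 1
    # Sidecar lets the uploader (or the receiving end) verify integrity after transfer.
    cksum "$spool/$name" > "$spool/$name.cksum"
    return 0
}

# When run directly by dnscap, the closed file is $1; the spool dir is optional
# (the default path below is a made-up example).
if [ "$#" -ge 1 ]; then
    dnscap_postclose "$1" "${2:-/var/spool/dnscap}"
fi
```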
dnscap has a non-optional dependency on the PCAP library and optional dependencies on LDNS. BIND library libbind is considered optional but it is needed under OpenBSD for various arpa/nameser* include headers.
To install the dependencies under Debian/Ubuntu:
```sh
apt-get install -y libpcap-dev libldns-dev libbind-dev zlib1g-dev
```
To install the dependencies under CentOS (with EPEL enabled):
```sh
yum install -y libpcap-devel ldns-devel openssl-devel bind-devel zlib-devel
```
For the following operating systems you will need to install some of the dependencies from source or from Ports; those instructions are not included here.
To install some of the dependencies under FreeBSD 10+ using
```sh
pkg install -y libpcap ldns
```
To install some of the dependencies under OpenBSD 5+ using
Building from source tarball
The source tarball from DNS-OARC comes prepared with
```sh
tar zxvf dnscap-version.tar.gz
cd dnscap-version
./configure [options]
make
make install
```
Limitations, deviations and issues
Since this is still experimental, there are of course some issues:
- RDATA is in binary format
- DNS packets are parsed by LDNS, which can fail on malformed packets
- dateSeconds is added as a C double, which might lose some of the time precision