File: dnstop.8

dnstop 20050203-1
.\" $Id: dnstop.8,v 1.10 2005/01/21 20:59:56 wessels Exp $
.\" 
.\" manpage written by jose@monkey.org
.\"
.Dd 24 December, 2002
.Dt DNSTOP 8
.Os
.Sh NAME
.Nm dnstop
.Nd displays various tables of DNS traffic on your network
.Sh SYNOPSIS
.Nm
.Op Fl apst
.Op Fl b Ar expression
.Op Fl i Ar address
.Op Fl f Ar filter
.Op Ar device
.Op Ar savefile
.Sh DESCRIPTION
.Nm
is a small tool to listen on
.Ar device
or to parse the file
.Ar savefile
and collect and print statistics on the local network's DNS traffic. You
must have read access to 
.Pa /dev/bpf\&* .
.Sh COMMAND LINE OPTIONS
The options are as follows:
.Bl -tag -width Ds
.It Fl a
anonymize addresses
.It Fl b Ar expression
BPF filter expression
.br
(default: udp dst port 53 and udp[10:2] & 0x8000 = 0)
.It Fl i Ar address
ignore select addresses
.It Fl p
Do not put the interface into promiscuous mode.
.It Fl s
collect second-level domain statistics
.It Fl t
collect third-level domain statistics
.\"
.It Fl f Ar filter
input filter name
.Pp
The "unknown-tlds" filter 
includes only queries for TLDs that are
bogus.  Useful for identifying hosts/servers
that leak queries for things like "localhost"
or "workgroup."
.Pp
The "A-for-A" filter
includes only A queries for names that are
already IP addresses.  Certain Microsoft
Windows DNS servers have a known bug that
forwards these queries.
.Pp
The "rfc1918-ptr" filter
includes only PTR queries for addresses in RFC1918 space.
These should never leak from inside an
organization.
.\"
.It Ar savefile
a captured network trace in 
.Cm pcap
format
.It Ar device
Ethernet device (e.g. fxp0)
.El
.Sh RUN TIME OPTIONS
While running, the following keys are available to alter the display:
.Bl -tag -width Ds
.It s
display the source address table
.It d
display the destination address table
.It t
display the breakdown of query types seen
.It o
display the breakdown of opcodes seen
.It 1
show the TLD table
.It 2
show the SLD table
.It 3
show the 3LD table
.It c
show the SLD+source table
.It #
show the 3LD+source table
.It ^R
reset the counters
.It ^X
exit the program
.It ?
help
.El
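The following Python program is an added illustration, not part of dnstop or of this man page; it shows what the default BPF expression, the three named input filters (-f unknown-tlds, A-for-A, rfc1918-ptr) and the TLD/SLD/3LD tables (keys 1, 2, 3) are actually testing, by building a few constructed DNS query messages and classifying them the same way. The KNOWN_TLDS set, the sample queries and all function names are assumptions made for the example; dnstop's own filter implementation and its list of recognised TLDs are not on this page.

```python
import ipaddress
import struct
from collections import Counter

# Assumption for this example: a tiny set of "real" TLDs. dnstop's own list is not on the man page.
KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "arpa", "uk", "de", "nl"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
QTYPE_A, QTYPE_PTR = 1, 12


def build_query(qname, qtype, qr=0, txid=0x1234):
    """Construct a minimal DNS message (12-byte header + one question) as test input."""
    flags = (qr << 15) | 0x0100                      # QR bit, RD set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def is_query(msg):
    """Same test as the default filter 'udp[10:2] & 0x8000 = 0': the UDP header is 8 bytes,
    so udp[10:2] is the DNS flags word, and 0x8000 is the QR bit (0 = query, 1 = response)."""
    flags = struct.unpack("!H", msg[2:4])[0]
    return flags & 0x8000 == 0


def parse_question(msg):
    """Return (qname, qtype) of the first question. Question names are never compressed."""
    off, labels = 12, []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), struct.unpack("!H", msg[off:off + 2])[0]


def unknown_tlds(qname, qtype):
    """Queries whose last label is not a known TLD (leaks like 'localhost' or 'workgroup')."""
    return qname.rsplit(".", 1)[-1].lower() not in KNOWN_TLDS


def a_for_a(qname, qtype):
    """A queries whose name is already an IPv4 literal."""
    if qtype != QTYPE_A:
        return False
    try:
        ipaddress.IPv4Address(qname)
        return True
    except ValueError:
        return False


def rfc1918_ptr(qname, qtype):
    """PTR queries under in-addr.arpa for RFC 1918 addresses, which should not leave a site."""
    suffix = ".in-addr.arpa"
    if qtype != QTYPE_PTR or not qname.lower().endswith(suffix):
        return False
    octets = qname.lower()[: -len(suffix)].split(".")
    if len(octets) != 4:
        return False
    try:
        addr = ipaddress.IPv4Address(".".join(reversed(octets)))
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def level_name(qname, level):
    """Last `level` labels of a name: 1 = TLD, 2 = SLD, 3 = 3LD (what keys 1/2/3 tabulate)."""
    return ".".join(qname.lower().split(".")[-level:])


def tabulate(messages, filt=None):
    """Count TLD/SLD/3LD and query types over queries only, optionally through one filter."""
    tables = {"tld": Counter(), "sld": Counter(), "3ld": Counter(), "qtype": Counter()}
    for msg in messages:
        if not is_query(msg):
            continue
        qname, qtype = parse_question(msg)
        if filt and not filt(qname, qtype):
            continue
        tables["qtype"][qtype] += 1
        for lvl, key in ((1, "tld"), (2, "sld"), (3, "3ld")):
            tables[key][level_name(qname, lvl)] += 1
    return tables


# Constructed sample traffic: six queries worth counting, one leaked PTR, one response.
SAMPLE = [
    build_query("www.example.com", QTYPE_A),
    build_query("mail.corp.example.com", QTYPE_A),
    build_query("localhost", QTYPE_A),                    # bogus TLD
    build_query("workgroup", QTYPE_A),                    # bogus TLD
    build_query("192.0.2.10", QTYPE_A),                   # A-for-A
    build_query("5.1.168.192.in-addr.arpa", QTYPE_PTR),   # PTR for 192.168.1.5
    build_query("8.8.8.8.in-addr.arpa", QTYPE_PTR),       # public PTR, not flagged
    build_query("www.example.com", QTYPE_A, qr=1),        # a response: dropped by is_query
]
FILTERS = {"unknown-tlds": unknown_tlds, "A-for-A": a_for_a, "rfc1918-ptr": rfc1918_ptr}


def matches(filter_name, messages=SAMPLE):
    """Names of the queries that the named filter would pass through to the tables."""
    f = FILTERS[filter_name]
    return [parse_question(m)[0] for m in messages if is_query(m) and f(*parse_question(m))]


if __name__ == "__main__":
    for name in FILTERS:
        print(name, matches(name))
    print(tabulate(SAMPLE)["sld"].most_common(5))
```

Feeding a real capture through this toy would need a pcap reader and IP/UDP decapsulation; here the DNS payloads are built directly so that the test of the QR bit and the three filters can be read on their own.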
.Sh NON-INTERACTIVE MODE
If stdout is not a tty,
.Nm
runs in non-interactive mode.  In this case, you must
supply a savefile for reading, instead of capturing
live packets.  After reading the entire savefile,
.Nm
prints the top 50 entries for each table.
.Sh AUTHORS
.Bl -tag -width xx -compact
.It Pa Duane Wessels (wessels@measurement-factory.com)
.It Pa Mark Foster (mark@foster.cc)
.It Pa Jose Nazario (jose@monkey.org)
.It Pa Sam Norris <@ChangeIP.com>
.It Pa http://dnstop.measurement-factory.com/
.El
.Sh BUGS
Unless compiled with
.Tn -DUSE_PPP
the program will not correctly decode PPP frames.