[EMAIL PROTECTED] (Kevin Darcy) writes:
> If there is a *specific* name you want to focus on, it's possible to do
> that with tcpdump, but it's rather painful, e.g.
>
> tcpdump -v -x udp and port 53 and 'udp[20] == 3' and 'udp[21] == 102'
> and 'udp[22] == 111' and 'udp[23] == 111'
>
> would limit the capture to only packets with a Question Section
> containing a first label of "foo" (3 is the label size, 102 is the ASCII
> code for "f", 111 is the ASCII code for "o"). The Question Section is
> copied from the original query to the response, so this should catch
> responses too.
yow. looks WAY painful. have you tried dnscap? its CLI language has not
changed in the last six months, so if you were waiting for it to settle
out, now's your moment. https://www.dns-oarc.net/tools/dnscap has
sources. here's the top of "man dnscap":

---
NAME
     dnscap -- DNS network traffic capture utility

SYNOPSIS
     dnscap [-pd1g?6f] [-i if ...] [-r file ...] [-l vlan ...] [-x pat ...]
            [-X pat ...] [-m [qun]] [-s [ir]] [-h [ir]] [-e [nytfsxir]]
            [-a host ...] [-z host ...] [-A host ...] [-Z host ...]
            [-u port] [-w base [-k cmd]] [-t lim] [-c lim]

DESCRIPTION
     dnscap is a network capture utility designed specifically for DNS
     traffic.  It normally produces binary data in pcap(3) format, either
     on standard output or in successive dump files (based on the -w
     command line option.)  This utility is similar to tcpdump(1), but has
     finer grained packet recognition tailored to DNS transactions and
     protocol options.  dnscap is expected to be used for gathering
     continuous research or audit traces.
---

the output of "dnscap -\?" is below.

---
dnscap: version V1.0-RC6 (October 2007)
usage: dnscap
        [-?pd1g6f] [-i <if>]+ [-r <file>]+ [-l <vlan>]+ [-u <port>]
        [-m [qun]] [-e [nytfsxir]] [-h [ir]] [-s [ir]]
        [-a <host>]+ [-z <host>]+ [-A <host>]+ [-Z <host>]+
        [-w <base> [-k <cmd>]] [-t <lim>] [-c <lim>]
        [-x <pat>]+ [-X <pat>]+ [-B <datetime>]+ [-E <datetime>]+
options:
        -? or -?      print these instructions and exit
        -p            do not put interface in promiscuous mode
        -d            dump verbose trace information to stderr
        -1            flush output on every packet
        -g            dump packets dig-style on stderr
        -6            compensate for PCAP/BPF IPv6 bug
        -f            include fragmented packets
        -i <if>       select this live interface(s)
        -r <file>     read this pcap file
        -l <vlan>     select only these vlan(s)
        -u <port>     dns port (default: 53)
        -m [qun]      select messages: query, update, notify
        -s [ir]       select sides: initiations, responses
        -h [ir]       hide initiators and/or responders
        -e [nytfsxir] select error/response code
                         n = no error
                         y = any error
                         t = truncated response
                         f = format error (rcode 1)
                         s = server failure (rcode 2)
                         x = nxdomain (rcode 3)
                         i = not implemented (rcode 4)
                         r = refused (rcode 5)
        -a <host>     want messages from these initiator(s)
        -z <host>     want messages from these responder(s)
        -A <host>     want messages not from these initiator(s)
        -Z <host>     want messages not from these responder(s)
        -w <base>     dump to <base>.<timesec>.<timeusec>
        -k <cmd>      kick off <cmd> when each dump closes
        -t <lim>      close dump or exit every/after <lim> secs
        -c <lim>      close dump or exit every/after <lim> pkts
        -x <pat>      select messages matching regex <pat>
        -X <pat>      select messages not matching regex <pat>
        -B <datetime> begin collecting at this date and time
        -X <datetime> end collecting at this date and time
---

note that dnscap is like tcpdump in that it does not reassemble IP
fragments. this is because its output format (pcap) doesn't easily
represent them. if you think you're missing something from dnscap or
tcpdump because of fragments then you need "ncap", see
<https://www.dns-oarc.net/tools/ncap> for sources. the ncaptool filtering
language is deep rather than wide like dnscap. you can still do almost all
the same things, but it looks different.
---
# $Id: FILTERS,v 1.7 2008/07/29 01:20:38 edmonds Exp $

* Design notes for NCAP filter specifications

Generally, a filter specification is a sequence of filters, each being
introduced by its family name and containing one or more family-specific
rules.  The point isn't to duplicate what BPF can do, but rather to make
it unnecessary to think in BPF.  NCAP filter specifications are
application specific, and filter can internally generate BPF to save on
context switches.

* Filter Family: "dns"

        regex[=#]RE/opts
                regex must match (or not) the presentation form of a
                message, with options like "i" for ignore-case

        initiator[=#]address[,...]
                message initiator must be (or not) on this list

        target[=#]address[,...]
                message target must be (or not) on this list

        flags[=#]tc,aa,ra,rd,qr
                these message flags must be set (or unset)

        rcode[=#]noerror,formerr,servfail,nxdomain,notimpl,refused
                these message response codes are wanted (or unwanted)
                (note, they are only checked on responses, not initiations)

        opcode[=#]query,update,notify
                these message opcodes are wanted (or unwanted)

* Filter Family: "icmp"

        type[=#]echoreply,unreach,sourcequench,redirect,echorequest,routeradvert
        type[=#]routersolicit,timxceed,paramproblem,tstamprequest,tstampreply,
        type[=#]inforeq,inforeply,maskreq,maskreply,traceroute
                these icmp types are wanted (or unwanted)

        type[=#]<type> where <type> is an integer in the range 0..255
                this icmp type is wanted (or unwanted)

        code[=#]<code> where <code> is an integer in the range 0..255
                this icmp code is wanted (or unwanted)
---

anyway the point is, tcpdump is no longer our only option for dns traffic
capture and analysis, even though libpcap and bpf are still at the heart
of everything.

-- 
Paul Vixie
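As an added example (not from the thread, and not dnscap or ncap code), the Python below generalizes the udp[20..23] arithmetic in Kevin's filter: it wire-encodes any QNAME, emits the equivalent tcpdump byte-test expression, and checks that expression against a constructed DNS query segment. It assumes UDP transport (8-byte UDP header plus the 12-byte DNS header puts the QNAME at udp[20]); the comparison is byte-exact, so a resolver that randomizes label case will not match a lowercase expression, and TCP queries and IP fragments are out of scope, exactly as with the original tcpdump one-liner. Function names are my own.

```python
UDP_HEADER_LEN = 8
DNS_HEADER_LEN = 12
QNAME_OFFSET = UDP_HEADER_LEN + DNS_HEADER_LEN   # first QNAME byte is udp[20]

def encode_qname(name: str) -> bytes:
    """Wire-format a DNS name: length-prefixed labels plus a 0x00 terminator."""
    out = bytearray()
    for label in [l for l in name.rstrip(".").split(".") if l]:
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)

def bpf_for_qname(name: str, whole_name: bool = True) -> str:
    """tcpdump expression matching packets whose Question Section begins
    with `name`.  whole_name=False compares only the first label, which
    reproduces the "foo" expression from the post; whole_name=True also
    compares the terminating 0x00, so "foo" no longer matches "foo.example"."""
    wire = encode_qname(name)
    if not whole_name:
        wire = wire[:1 + wire[0]]
    tests = [f"udp[{QNAME_OFFSET + i}] == {b}" for i, b in enumerate(wire)]
    return "udp and port 53 and " + " and ".join(tests)

def build_query_segment(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a UDP segment (header + DNS standard query
    for `name`), source port 5353, destination port 53, QTYPE A, QCLASS IN."""
    dns = (txid.to_bytes(2, "big") + b"\x01\x00"          # flags: RD set
           + b"\x00\x01" + b"\x00\x00" * 3                 # QDCOUNT=1, rest 0
           + encode_qname(name) + b"\x00\x01\x00\x01")     # QTYPE A, QCLASS IN
    udp_hdr = (b"\x14\xe9" + b"\x00\x35"                   # sport 5353, dport 53
               + (UDP_HEADER_LEN + len(dns)).to_bytes(2, "big") + b"\x00\x00")
    return udp_hdr + dns

def udp_segment_matches(expr: str, segment: bytes) -> bool:
    """Evaluate the udp[N] == V clauses of an expression from bpf_for_qname
    against a raw UDP segment; a stand-in for the kernel's BPF program."""
    for clause in expr.split(" and "):
        if not clause.startswith("udp["):
            continue                      # "udp" / "port 53" left to the kernel
        idx, val = clause[4:].split("] == ")
        if int(idx) >= len(segment) or segment[int(idx)] != int(val):
            return False
    return True
```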
