blob: c22d5b399c45f3050cabf744afe7ccf8ae9293a1 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
|
Installation
------------
Queryparse requires the dnspython and pcapy python modules. Pcapy depends
upon the pcap library.
Libpcap may be obtained from http://www.tcpdump.org/
Dnspython may be obtained from http://www.dnspython.org/
Pcapy may be obtained from http://oss.coresecurity.com/projects/pcapy.html
Ensure queryparse is somewhere in your path.
Usage
-----
queryparse -i <input file> -o <output file>
-i <input file>: the tcpdump file that will be parsed to locate DNS
queries.
-o <output file>: the file to which you wish to save the queries parsed
from <input file>. When complete, this file is suitable
for use as input to dnsperf.
-r Keep packets whose RD flag is not set.
Use this flag when parsing captures from authoritative
servers. When parsing captures from caching servers,
do not use this flag unless you also want to parse the
queries the server itself is sending.
-R Parse response packets (QR=1), instead of query packets
(QR=0).
Queryparse takes as input a packet capture file as created by tcpdump (or any
other program that can save data in pcap format). It parses every UDP packet,
looking for DNS queries. When it finds a potential query, it makes every
effort to parse it as a valid query.
Once queryparse has finished, it will print a set of statistics regarding
the capture file to STDOUT.
NOTE: Currently, queryparse will correctly handle packets contained in either
Ethernet frames or Cisco HDLC frames. It is not guaranteed to work with other
framing formats.
|
