To use queryparse, you need one or more files containing pcap-formatted packet
captures, such as those generated by tcpdump via the -w switch.
Once you have such a file, call queryparse as follows:

    queryparse -i tcpdump.raw -o outputfile

where "tcpdump.raw" is the name of the pcap-formatted packet capture file, and
"outputfile" is the name you wish to call the saved output of queryparse.
When queryparse finishes, it will print to STDOUT a count of each type of query
encountered during its run. For example:
Statistics:
A: 1175140
SOA: 23639
NAPTR: 113
NS: 1329
CNAME: 1667
NONE: 38
PTR: 186053
AAAA: 50858
ANY: 2117
SRV: 49470
KEY: 218
A6: 245
TXT: 24243
MX: 517510
-------------------------
TOTAL: 2032640
The resulting output is in a format suitable as input to resperf or dnsperf.
For example:
example.biz. A
example.net. MX
foo.example.tv. A
example.enc. MX
example[2].txt. MX
foo.]. MX
Note that there are both valid and invalid host names in the output: neither
queryparse nor resperf/dnsperf discriminates on the basis of a host name's
adherence to the RFCs. If the query was put on the wire and can be recognized as
a properly-formed query, it will be saved. If this does not meet your needs, you
may wish to parse the resulting output file to eliminate nonconforming host
names.
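One way to do that post-processing, as an added example that is not part of queryparse or dnsperf: filter the "name type" lines by the LDH host-name rule (labels of 1-63 letters, digits or hyphens, no leading or trailing hyphen, at most 253 characters overall) and tally the surviving query types the way queryparse's Statistics summary does. The sample input is constructed from the lines shown above; the optional allow_underscore flag is an assumption for workloads that legitimately contain underscore service labels (e.g. SRV queries), which strict host-name syntax would otherwise drop.

```python
import re
from collections import Counter

# Constructed sample in queryparse's output format (not from a real capture).
SAMPLE = """example.biz. A
example.net. MX
foo.example.tv. A
example.enc. MX
example[2].txt. MX
foo.]. MX
"""

# LDH label: 1-63 chars of letters/digits/hyphen, not starting or ending with "-".
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Same rule but also permits a leading underscore (service labels such as _sip).
SERVICE_LABEL = re.compile(r"^_?(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name, allow_underscore=False):
    """Return True if name (optionally ending in the root dot) is LDH-conforming."""
    if name.endswith("."):
        name = name[:-1]  # drop the trailing root dot before length/label checks
    if not name or len(name) > 253:
        return False
    pattern = SERVICE_LABEL if allow_underscore else LDH_LABEL
    return all(pattern.match(label) for label in name.split("."))


def filter_queries(text, allow_underscore=False):
    """Split queryparse output into (kept, dropped, stats).

    kept/dropped are the original lines; stats counts query types among kept lines,
    mirroring queryparse's own per-type Statistics summary."""
    kept, dropped, stats = [], [], Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:          # malformed line: not "name type"
            dropped.append(line)
            continue
        name, qtype = parts
        if is_valid_hostname(name, allow_underscore):
            kept.append(line)
            stats[qtype] += 1
        else:
            dropped.append(line)
    return kept, dropped, stats
```

Writing the kept lines back to a file yields an input that resperf or dnsperf will accept and that contains only syntactically valid host names.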