2010-05-13 00:36:13 +02:00

dnstop is a libpcap application (a la tcpdump) that displays various tables
of DNS traffic on your network. Currently dnstop displays tables of:

* Source IP addresses
* Destination IP addresses
* Query types
* Response codes
* Opcodes
* Top level domains
* Second level domains
* Third level domains
* etc...

dnstop supports both IPv4 and IPv6 addresses.

To help find especially undesirable DNS queries, dnstop provides a number of
filters. The filters tell dnstop to display only the following types of queries:

* For unknown/invalid TLDs
* A queries where the query name is already an IP address
* PTR queries for RFC1918 address space
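
The three filters above, written out as an added example that is not dnstop's
own code. It applies each test to (query name, query type) pairs and returns the
queries that match, the way dnstop narrows its tables. The known-TLD set is a
small constructed subset (a real deployment would load the full IANA root list),
query types are passed as strings rather than the numeric codes on the wire, and
the RFC1918 check handles only full four-octet in-addr.arpa names; all of these
are assumptions of the example, not details of dnstop's implementation.

```python
# Added example: the three dnstop filters as standalone checks.
import ipaddress

# Constructed subset of valid TLDs for the demo; not dnstop's list and not
# the full IANA root zone.
KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "arpa", "uk", "de", "jp"}

# RFC1918 private address space.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _labels(qname):
    """Split a query name into lowercase labels, ignoring the trailing root dot."""
    return [lab for lab in qname.lower().rstrip(".").split(".") if lab]


def is_unknown_tld(qname):
    """Filter 1: the last label is not a known TLD (covers typos and bogus names)."""
    labels = _labels(qname)
    return bool(labels) and labels[-1] not in KNOWN_TLDS


def is_a_query_for_ip_literal(qname, qtype):
    """Filter 2: an A query whose name is already a dotted-quad IPv4 address."""
    if qtype != "A":
        return False
    try:
        addr = ipaddress.ip_address(qname.rstrip("."))
    except ValueError:
        return False
    return isinstance(addr, ipaddress.IPv4Address)


def ptr_target(qname):
    """Return the IPv4 address a full in-addr.arpa PTR name refers to, else None."""
    labels = _labels(qname)
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        # Reverse-mapping names list the octets in reverse order.
        return ipaddress.ip_address(".".join(labels[:4][::-1]))
    except ValueError:
        return None


def is_ptr_for_rfc1918(qname, qtype):
    """Filter 3: a PTR query for an address inside RFC1918 private space."""
    if qtype != "PTR":
        return False
    addr = ptr_target(qname)
    return addr is not None and any(addr in net for net in RFC1918_NETS)


def flag_query(qname, qtype):
    """Return the list of filter names a single query matches (empty if none)."""
    flags = []
    if is_unknown_tld(qname):
        flags.append("unknown_tld")
    if is_a_query_for_ip_literal(qname, qtype):
        flags.append("a_query_for_ip_literal")
    if is_ptr_for_rfc1918(qname, qtype):
        flags.append("ptr_rfc1918")
    return flags


def undesirable_queries(records):
    """Keep only the queries that match at least one filter, with their flags."""
    out = []
    for qname, qtype in records:
        flags = flag_query(qname, qtype)
        if flags:
            out.append((qname, qtype, flags))
    return out


# Constructed sample queries, not captured traffic.
SAMPLE_QUERIES = [
    ("www.example.com.", "A"),
    ("host.corp.local.", "A"),
    ("1.2.3.4", "A"),
    ("4.3.2.10.in-addr.arpa.", "PTR"),
    ("4.4.8.8.in-addr.arpa.", "PTR"),
    ("mail.example.org.", "MX"),
]

if __name__ == "__main__":
    for qname, qtype, flags in undesirable_queries(SAMPLE_QUERIES):
        print(f"{qtype:4} {qname:28} {', '.join(flags)}")
```

Note that "1.2.3.4" trips two filters at once: its last label "4" is not a
TLD, and it is an A query for an address literal. That overlap is expected; the
filters are independent views of the same traffic, not mutually exclusive
categories.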

dnstop can either read packets from the live capture device, or from a tcpdump
savefile.

--
Unless modified, this script compiles with PPP frame support.