Based on PR 41779 by Fredrik Pettai.
Version 20090128:
I added a new feature to dnstop today that filters on "refused" response codes.
This might be useful in tracking the ongoing DNS-based DDoS attacks.
To use this new feature:
dnstop -R -f refused eth0
Version 20080321:
The interesting changes came in a patch from Dave Plonka:
Fixed a bug that caused dnstop to memory fault when processing
a DNS packet greater than PCAP_SNAPLEN (previously 1460) bytes
in size.
Raised PCAP_SNAPLEN to 65535 to avoid truncating large DNS
packets.
Eliminated unnecessary stack buffers and memcpy calls when
handling packets.
Also some variables have been added to the Makefile at the request
of a packager so that it may be easier to customize where files are
installed, etc.
Patch provided by Martin Wilke via PR 34425.
- Changelog
A few fixes for OS X.
1) select()ing on a pcap FD doesn't always work. Advice from
tcpdump mailing list archive is to put it into non-blocking
mode and ignore the select() return value.
2) Added $(LDFLAGS) to link command line in Makefile to have
dnstop linked with specific libraries. LDFLAGS will be
picked up from the environment.
3) OS X needs to #include <arpa/nameser_compat.h>
2006/04/24 Duane Wessels
Adriaan Peeters reported that the list of known TLDs is
out-of-date. In particular, the .EU domain is not in the list.
2005/04/05 Duane Wessels
Mark Foster found a bug with the source+SLD list. It was being
updated for 3RD-level domain names as well. Mark also suggested
that the '@' key should display the source+SLD screen, just as
'3' and '#' work for 3RD-level.
2005/01/21 Sam Norris
Added support for third-level domain statistics. Use the -t
command line option to enable collection of 3rd-level stats,
and use '3' while running to display them. Note that enabling
3rd-level stats collection does not automatically also enable
2nd-level stats.
2005/01/13 Duane Wessels
Added a non-interactive mode. If you specify a savefile and
stdout is not a TTY, dnstop prints each table at the end.
2004/03/09 Duane Wessels
Added filter support. Filters can be used to restrict the input
stream to queries with certain characteristics. The currently
defined filters are:
unknown-tlds
    Only includes queries for TLDs that are bogus. Useful for
    identifying hosts/servers that leak queries for things like
    "localhost" or "workgroup."
A-for-A
    Only includes A queries for names that are already IP
    addresses. Certain Microsoft Windows DNS servers have a known
    bug that forwards these queries.
rfc1918-ptr
    PTR queries for addresses in RFC1918 space. These should
    never leak from inside an organization.
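The following is an added example and not dnstop's own code: it sketches, in plain C with no libpcap dependency, how the three filters listed above can be evaluated on a query name and type, how the TLD/SLD/3rd-level split behind the '2' and '3' tables can be taken from a name, and how the later "refused" filter can be read off the RCODE in a response header. All function names (filter_unknown_tld, filter_a_for_a, filter_rfc1918_ptr, filter_refused, label_from_right), the short known-TLD table and the sample inputs are constructed for the example; dnstop's real implementation and TLD list differ.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed known-TLD table for this example; dnstop ships its own, far longer list. */
static const char *known_tlds[] = { "com", "net", "org", "eu", "nl", "arpa", NULL };

/* Copy a name into buf, lower-cased and without its trailing dot. Returns 0 if it does not fit. */
static int normalize_name(const char *name, char *buf, size_t buflen) {
    size_t len = strlen(name);
    if (len >= buflen) return 0;
    for (size_t i = 0; i < len; i++)
        buf[i] = (char)tolower((unsigned char)name[i]);
    buf[len] = '\0';
    if (len > 0 && buf[len - 1] == '.') buf[len - 1] = '\0';
    return 1;
}

/* Extract the label `level` positions from the right (1 = TLD, 2 = SLD, 3 = 3rd-level).
   Returns 0 if the name has fewer labels than requested or the label does not fit. */
static int label_from_right(const char *name, int level, char *out, size_t outlen) {
    char buf[256];
    char *labels[128];
    int n = 0;
    if (level < 1 || !normalize_name(name, buf, sizeof buf)) return 0;
    for (char *tok = strtok(buf, "."); tok && n < 128; tok = strtok(NULL, "."))
        labels[n++] = tok;
    if (level > n || strlen(labels[n - level]) >= outlen) return 0;
    strcpy(out, labels[n - level]);
    return 1;
}

/* Parse a dotted quad; a trailing dot is tolerated so a fully-qualified name also matches. */
static int parse_ipv4(const char *s, uint32_t *out) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        long octet = 0;
        if (!isdigit((unsigned char)*s)) return 0;
        while (isdigit((unsigned char)*s)) {
            octet = octet * 10 + (*s++ - '0');
            if (octet > 255) return 0;
        }
        v = (v << 8) | (uint32_t)octet;
        if (i < 3) {
            if (*s != '.') return 0;
            s++;
        }
    }
    if (*s == '.') s++;
    if (*s != '\0') return 0;
    *out = v;
    return 1;
}

static int is_rfc1918(uint32_t a) {
    return (a >> 24) == 10          /* 10.0.0.0/8 */
        || (a >> 20) == 0xAC1       /* 172.16.0.0/12 */
        || (a >> 16) == 0xC0A8;     /* 192.168.0.0/16 */
}

/* unknown-tlds: the query's TLD is not in the known list (a name with no label also counts). */
static int filter_unknown_tld(const char *qname) {
    char tld[64];
    if (!label_from_right(qname, 1, tld, sizeof tld)) return 1;
    for (const char **t = known_tlds; *t; t++)
        if (strcmp(tld, *t) == 0) return 0;
    return 1;
}

/* A-for-A: an A query (qtype 1) whose name is already an IPv4 literal. */
static int filter_a_for_a(const char *qname, uint16_t qtype) {
    uint32_t addr;
    return qtype == 1 && parse_ipv4(qname, &addr);
}

/* rfc1918-ptr: a PTR query (qtype 12) under in-addr.arpa for an RFC1918 address. */
static int filter_rfc1918_ptr(const char *qname, uint16_t qtype) {
    static const char suffix[] = ".in-addr.arpa";
    char buf[256];
    size_t len, sl = sizeof suffix - 1;
    uint32_t rev, addr;
    if (qtype != 12 || !normalize_name(qname, buf, sizeof buf)) return 0;
    len = strlen(buf);
    if (len <= sl || strcmp(buf + len - sl, suffix) != 0) return 0;
    buf[len - sl] = '\0';                 /* leaves the reversed octets, e.g. "1.0.168.192" */
    if (!parse_ipv4(buf, &rev)) return 0;
    addr = ((rev & 0xff) << 24) | ((rev & 0xff00) << 8) |
           ((rev & 0xff0000) >> 8) | (rev >> 24);   /* undo the PTR octet reversal */
    return is_rfc1918(addr);
}

/* refused: a DNS response (QR bit set) whose RCODE is REFUSED (5); only the 12-byte header is read. */
static int filter_refused(const unsigned char *pkt, size_t len) {
    if (len < 12) return 0;
    unsigned flags = ((unsigned)pkt[2] << 8) | pkt[3];
    return (flags & 0x8000) != 0 && (flags & 0x000f) == 5;
}

int main(void) {
    /* Constructed sample queries and a constructed 12-byte REFUSED response header. */
    const unsigned char refused_hdr[12] = { 0x12, 0x34, 0x81, 0x85, 0, 1, 0, 0, 0, 0, 0, 0 };
    char sld[64];
    printf("localhost                 unknown-tlds=%d\n", filter_unknown_tld("localhost"));
    printf("www.example.com.          unknown-tlds=%d\n", filter_unknown_tld("www.example.com."));
    printf("1.2.3.4 A                 A-for-A=%d\n", filter_a_for_a("1.2.3.4", 1));
    printf("1.0.168.192.in-addr.arpa  rfc1918-ptr=%d\n",
           filter_rfc1918_ptr("1.0.168.192.in-addr.arpa", 12));
    printf("REFUSED response          refused=%d\n", filter_refused(refused_hdr, sizeof refused_hdr));
    if (label_from_right("www.example.co.uk", 2, sld, sizeof sld))
        printf("SLD of www.example.co.uk  = %s\n", sld);
    return 0;
}
```

Each filter returns 1 when a query would be kept and 0 when it would be dropped, which is the same shape a `-f` filter needs: the capture loop decodes the name and qtype, asks the selected filter, and only then counts the query in the tables. The RCODE check for "refused" is the one filter that looks at the response rather than the question, which is why it needs the header bytes instead of the name.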
2003/11/13 Mark Foster <mark@foster.cc>
Added 'c' to display options. This screen will combine the
source and sld fields to show "who is querying for what" -
reason: we see a lot of duplicate queries for whatever reason.
This will help separate the legitimate queries from the broken
resolvers, etc. See http://www.circleid.com/article/102_0_1_0_C/
for more about that.
Closes PR 29807.
tables of DNS traffic on your network. Currently dnstop displays
tables of:
* Source IP addresses
* Destination IP addresses
* Query types
* Top level domains
* Second level domains
http://dnstop.measurement-factory.com/