via pkgsrc-users@.
ok by wiz@.
Changes:
2014/09/12 Duane Wessels
Added 'new-gtlds' filter, which includes only queries for names
ending with one of the new (2013/2014) generic TLDs. This may
be useful to find hosts/servers using internal names which may
collide with new gTLDs once they become active. If you use
short (not fully qualified) names internally you may be unknowingly
relying on root (or other) name servers to return NXDOMAIN for
them. If so, "you're gonna have a bad time."
Along with this new feature, TLD lists are now hashed in the
code for faster lookups.
2012/11/30 Duane Wessels
Added more entries to the table of known query type names (HINFO,
AFSDB, PX, SSHFP, NSEC3, NSEC3PARAM, TLSA, DLV).
2012/10/15 Duane Wessels
The 'refused' filter only works on responses, which are not
processed by default. Now, if the 'refused' filter is specified,
dnstop will automatically process responses and ignore queries.
2012/06/11 Duane Wessels
Added "qtype-any" filter for displaying ANY queries which are
now fashionable in DNS based attacks.
2011/05/02 Duane Wessels
Anand Buddhev pointed out that LDFLAGS= is missing from Makefile.in.
Also updated known_tlds.h.
2011/01/27 Duane Wessels
Fixed some portability bugs (OpenBSD, gmake 3.82) and other
minor bugs.
Added a feature (-n option) to restrict counting to a given
query name.
2011/01/05 Duane Wessels
Found and fixed a few problems after spending some quality time
looking at the code.
1) Hash table performance was terrible and has been improved.
The hash table size is now configurable via command line
option.
2) Some things were double-counted when both -Q and -R were
given.
3) Added cumulative percentage totals to the tables
4) Added -X option to disable the source+queryname tables, which
could consume a lot of memory.
5) Imported "inX_addr" mini-library for storing IPv4/IPv6
addresses.
2010/12/27 Duane Wessels
Fixed a bug where if stdout was a TTY but stdin was not a TTY,
then dnstop would enter a loop on keyboard input and consume
100% CPU. Now it checks that stdin is a TTY as well.
Based on PR 41779 by Fredrik Pettai.
Version 20090128:
I added a new feature to dnstop today that filters on "refused" response codes.
This might be useful in tracking the ongoing DNS-based DDoS attacks.
To use this new feature:
    dnstop -R -f refused eth0
Version 20080321:
The interesting changes came in a patch from Dave Plonka:
Fixed a bug that caused dnstop to Memory fault when processing
a DNS packet greater than PCAP_SNAPLEN (previously 1460) bytes
in size.
Raised PCAP_SNAPLEN to 65535 to avoid truncating large DNS
packets.
Eliminated unnecessary stack buffers and memcpy calls when
handling packets.
Also some variables have been added to the Makefile at the request
of a packager so that it may be easier to customize where files are
installed, etc.
INSTALLATION_DIRS, as well as all occurrences of ${PREFIX}/man with
${PREFIX}/${PKGMANDIR}.
Fixes PR 35265, although I did not use the patch provided therein.
Patch provided by Martin Wilke via PR 34425.
- Changelog
A few fixes for OS X.
1) select()ing on a pcap FD doesn't always work. Advice from
tcpdump mailing list archive is to put it into non-blocking
mode and ignore the select() return value.
2) Added $(LDFLAGS) to link command line in Makefile to have
dnstop linked with specific libraries. LDFLAGS will be
picked up from the environment.
3) OS X needs to #include <arpa/nameser_compat.h>
2006/04/24 Duane Wessels
Adriaan Peeters reported that the list of known TLDs is
out-of-date. In particular, the .EU domain is not in the list.
2005/04/05 Duane Wessels
Mark Foster found a bug with the source+SLD list. It was being
updated for 3RD-level domain names as well. Mark also suggested
that the '@' key should display the source+SLD screen, just as
'3' and '#' work for 3RD-level.
developer is officially maintaining the package.
The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list). Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.
2005/01/21 Sam Norris
Added support for third-level domain statistics. Use the -t
command line option to enable collection of 3rd-level stats,
and use '3' while running to display them. Note that enabling
3rd-level stats collection does not automatically also enable
2nd-level stats.
2005/01/13 Duane Wessels
Added a non-interactive mode. If you specify a savefile and
stdout is not a TTY, dnstop prints each table at the end.
2004/03/09 Duane Wessels
Added filter support. Filters can be used to restrict the input
stream to queries with certain characteristics. The currently
defined filters are:
    unknown-tlds    Only includes queries for TLDs that are
                    bogus. Useful for identifying hosts/servers
                    that leak queries for things like "localhost"
                    or "workgroup."
    A-for-A         Only includes A queries for names that are
                    already IP addresses. Certain Microsoft
                    Windows DNS servers have a known bug that
                    forwards these queries.
    rfc1918-ptr     PTR queries for addresses in RFC1918 space.
                    These should never leak from inside an
                    organization.
2003/11/13 Mark Foster <mark@foster.cc>
Added 'c' to display options. This screen will combine the
source and sld fields to show "who is querying for what" -
reason: we see a lot of duplicate queries for whatever reason.
This will help separate the legitimate queries from the broken
resolvers, etc. See http://www.circleid.com/article/102_0_1_0_C/
for more about that.
Closes PR 29807.
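The A-for-A and rfc1918-ptr filters from the 2004/03/09 entry above, sketched in C as an added example; this is not dnstop's own code, and the function and macro names are this example's own. It assumes the query name has already been decoded to text, and it matches only full four-octet reverse names.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <strings.h>

#define QTYPE_A   1   /* DNS type codes; macro names are this example's own */
#define QTYPE_PTR 12

/* A-for-A: an A query whose name is already a dotted-quad IPv4 address. */
static int is_a_for_a(int qtype, const char *qname)
{
    struct in_addr addr;
    return qtype == QTYPE_A && inet_pton(AF_INET, qname, &addr) == 1;
}

/* rfc1918-ptr: PTR query for a full d.c.b.a.in-addr.arpa name whose address
 * a.b.c.d lies in 10/8, 172.16/12 or 192.168/16. Partial reverse names are
 * not matched here (an assumption of this example). */
static int is_rfc1918_ptr(int qtype, const char *qname)
{
    unsigned d, c, b, a;
    char tail[16], extra;

    /* Five conversions exactly: four octets plus a short suffix, nothing after. */
    if (qtype != QTYPE_PTR ||
        sscanf(qname, "%3u.%3u.%3u.%3u.%15s%c", &d, &c, &b, &a, tail, &extra) != 5)
        return 0;
    if (strcasecmp(tail, "in-addr.arpa") && strcasecmp(tail, "in-addr.arpa."))
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    return a == 10 || (a == 172 && b >= 16 && b <= 31) || (a == 192 && b == 168);
}

/* Name of the first matching filter, or "-" when neither applies. */
static const char *filter_name(int qtype, const char *qname)
{
    if (is_a_for_a(qtype, qname)) return "A-for-A";
    if (is_rfc1918_ptr(qtype, qname)) return "rfc1918-ptr";
    return "-";
}

int main(void)
{
    /* Constructed sample queries, not captured traffic. */
    printf("%s\n", filter_name(QTYPE_A, "192.0.2.10"));
    printf("%s\n", filter_name(QTYPE_PTR, "5.1.168.192.in-addr.arpa"));
    printf("%s\n", filter_name(QTYPE_PTR, "8.8.8.8.in-addr.arpa"));
    return 0;
}
```

Queries that match either predicate at a resolver's upstream interface point to a client or forwarder leaking internal lookups.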
tables of DNS traffic on your network. Currently dnstop displays
tables of:
* Source IP addresses
* Destination IP addresses
* Query types
* Top level domains
* Second level domains
http://dnstop.measurement-factory.com/