All Projects → DNS-OARC → Dnscap

DNS-OARC / Dnscap

Licence: other
Network capture utility designed specifically for DNS traffic

Programming Languages

c
50402 projects - #5 most used programming language

Projects that are alternatives of or similar to Dnscap

Pypcap
pypcap - python libpcap module, forked from code.google.com/p/pypcap, now actively maintained
Stars: ✭ 255 (+8.97%)
Mutual labels:  pcap, packet-capture
Scapy
Scapy: the Python-based interactive packet manipulation program & library. Supports Python 2 & Python 3.
Stars: ✭ 6,932 (+2862.39%)
Mutual labels:  pcap, packet-capture
Packetq
A tool that provides a basic SQL-frontend to PCAP-files
Stars: ✭ 363 (+55.13%)
Mutual labels:  dns, pcap
arp-dns-attacks
ARP spoofing, HTTP redirection, DNS spoofing and DNS forging using pcap library
Stars: ✭ 25 (-89.32%)
Mutual labels:  dns, packet-capture
Tcpdump
the TCPdump network dissector
Stars: ✭ 1,731 (+639.74%)
Mutual labels:  pcap, packet-capture
SnifferUI
基于MFC和WinPcap库开发的网络抓包和协议分析软件
Stars: ✭ 86 (-63.25%)
Mutual labels:  pcap, packet-capture
Nfstream
NFStream: a Flexible Network Data Analysis Framework.
Stars: ✭ 622 (+165.81%)
Mutual labels:  pcap, packet-capture
tcpslice
tcpslice concatenates multiple pcap files together, or extracts time slices from one or more pcap files.
Stars: ✭ 48 (-79.49%)
Mutual labels:  pcap, packet-capture
Crafter
🔬 An R package to work with PCAPs
Stars: ✭ 27 (-88.46%)
Mutual labels:  pcap, packet-capture
Homer
HOMER - 100% Open-Source SIP / VoIP Packet Capture & Monitoring
Stars: ✭ 855 (+265.38%)
Mutual labels:  pcap, packet-capture
dsc
DNS Statistics Collector
Stars: ✭ 94 (-59.83%)
Mutual labels:  pcap, packet-capture
Cuishark
A protocol analyzer like a wireshark on CUI. cuishark is using libwireshark to analyze packets. https://cuishark.slankdev.net
Stars: ✭ 208 (-11.11%)
Mutual labels:  pcap, packet-capture
Arkime
Arkime (formerly Moloch) is an open source, large scale, full packet capturing, indexing, and database system.
Stars: ✭ 4,994 (+2034.19%)
Mutual labels:  pcap, packet-capture
Node pcap
libpcap bindings for node
Stars: ✭ 849 (+262.82%)
Mutual labels:  pcap, packet-capture
Libpcap
the LIBpcap interface to various kernel packet capture mechanism
Stars: ✭ 1,785 (+662.82%)
Mutual labels:  pcap, packet-capture
Passer
Passive service locator, a python sniffer that identifies servers, clients, names and much more
Stars: ✭ 144 (-38.46%)
Mutual labels:  dns, pcap
Maradns
MaraDNS: A small open-source DNS server | 2020 updates: Lua and blocklist support, etc.
Stars: ✭ 206 (-11.97%)
Mutual labels:  dns
Dnsprobe
DNSProb is a tool built on top of retryabledns that allows you to perform multiple dns queries of your choice with a list of user supplied resolvers.
Stars: ✭ 221 (-5.56%)
Mutual labels:  dns
Mercury
Mercury: network metadata capture and analysis
Stars: ✭ 203 (-13.25%)
Mutual labels:  packet-capture
Ts Dns
Telescope DNS,简单易用的DNS分组/转发器
Stars: ✭ 205 (-12.39%)
Mutual labels:  dns

dnscap

Build Status Total alerts Bugs Security Rating

dnscap is a network capture utility designed specifically for DNS traffic. It produces binary data in pcap(3) and other format. This utility is similar to tcpdump(1), but has a number of features tailored to DNS transactions and protocol options. DNS-OARC uses dnscap for DITL data collections.

Some of its features include:

  • Understands both IPv4 and IPv6
  • Captures UDP, TCP, and IP fragments.
  • Collect only queries, responses, or both (-s option)
  • Collect for only certain source/destination addresses (-a -z -A -Z options)
  • Periodically creates new pcap files (-t option)
  • Spawns an upload script after closing a pcap file (-k option)
  • Will start and stop collecting at specific times (-B -E options)

More information may be found here:

Issues should be reported here:

General support and discussion:

Dependencies

dnscap requires a couple of libraries beside a normal C compiling environment with autoconf, automake, libtool and pkgconfig.

dnscap has a non-optional dependency on the PCAP library and LDNS.

To install the dependencies under Debian/Ubuntu:

apt-get install -y libpcap-dev libldns-dev zlib1g-dev libyaml-perl libssl-dev

To install the dependencies under CentOS (with EPEL enabled):

yum install -y libpcap-devel ldns-devel openssl-devel zlib-devel perl-YAML

For the following OS you will need to install some of the dependencies from source or Ports, these instructions are not included.

To install some of the dependencies under FreeBSD 10+ using pkg:

pkg install -y libpcap ldns p5-YAML openssl-devel

To install some of the dependencies under OpenBSD 5+ using pkg_add:

pkg_add libldns p5-YAML

NOTE: It is recommended to install the PCAP library from source/ports on OpenBSD since the bundled version is an older and modified version.

Dependencies for cryptopant.so plugin

For this plugin a library call cryptopANT is required and the original can be found here: https://ant.isi.edu/software/cryptopANT/index.html .

For DNS-OARC packages we build our own fork, with slight modifications to conform across distributions, of this library which is included in the same package repository as dnscap. The modifications and packaging files can be found here: https://github.com/DNS-OARC/cryptopANT .

Building from source tarball

The source tarball from DNS-OARC comes prepared with configure:

tar zxvf dnscap-version.tar.gz
cd dnscap-version
./configure [options]
make
make install

Building from Git repository

If you are building dnscap from it's Git repository you will first need to initiate the Git submodules that exists and later create autoconf/automake files, this will require a build environment with autoconf, automake, libtool and pkg-config to be installed.

git clone https://github.com/DNS-OARC/dnscap.git
cd dnscap
git submodule update --init
./autogen.sh
./configure [options]
make
make install

64-bit libraries

If you need to link against 64-bit libraries found in non-standard locations, provide the location by setting LDFLAGS before running configure:

$ env LDFLAGS=-L/usr/lib64 ./configure

OpenBSD

For OpenBSD you probably installed libpcap in /usr/local so you will need to tell configure where to find the libraries and header files:

$ env CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" ./configure

Plugins

dnscap comes bundled with a set of plugins, see -P option.

  • anonaes128.so: Anonymize IP addresses using AES128
  • anonmask.so: Pseudo-anonymize IP addresses by masking them
  • cryptopan.so: Anonymize IP addresses using an extension to Crypto-PAn (College of Computing, Georgia Tech) made by David Stott (Lucent)
  • cryptopant.so: Anonymize IP addresses using cryptopANT, a different implementation of Crypto-PAn made by the ANT project at USC/ISI
  • ipcrypt.so: Anonymize IP addresses using ipcrypt create by Jean-Philippe Aumasson
  • pcapdump.so: Dump DNS into a PCAP with some filtering options
  • royparse.so: Splits a PCAP into two streams; queries in PCAP format and responses in ASCII format
  • rssm.so: Root Server Scaling Measurement plugin, see it's README.md for more information
  • rzkeychange.so: RFC8145 key tag signal collection and reporting plugin
  • txtout.so: Dump DNS as one-line text
  • eventlog.so: Syslog style output for easy parsing, use with a SIEM, etc.

There is also a template plugin in the source repository to help others develop new plugins.

CBOR DNS Stream Format

This is an experimental format for representing DNS information in CBOR with the goals to:

  • Be able to stream the information
  • Support incomplete, broken and/or invalid DNS
  • Have close to no data quality and signature degradation
  • Support additional non-DNS meta data (such as ICMP/TCP attributes)

Read CBOR_DNS_STREAM.md for more information.

To enable this output please follow the instructions below for Enabling CBOR Output, note that this only requires Tinycbor.

Outputting to CBOR DNS Stream (CDS)

To output to the CDS format you tell dnscap to write to a file and set the format to CDS. CDS is a stream of CBOR objects and you can control how many objects are kept in memory until flushed to the file by setting cds_cbor_size, note that this is bytes of memory and not number of objects. When it reaches this limit it will write the output and start on a new file. Read dnscap's man page for all CDS extended options.

src/dnscap [...] -w <file> -F cds [ -o cds_cbor_size=<bytes> ]

CBOR

There is experimental support for CBOR output using LDNS and Tinycbor with a data structure described in the DNS-in-JSON draft.

https://datatracker.ietf.org/doc/draft-hoffman-dns-in-json/

Enabling CBOR Output

To enable the CBOR output support you will need to install it's dependencies before running configure, LDNS exists for most distributions but Tinycbor is new so you need to download and compile it, you do not necessary need to install it as shown in the example below.

git clone https://github.com/DNS-OARC/dnscap.git
cd dnscap
git submodule update --init
git clone https://github.com/01org/tinycbor.git
cd tinycbor
git checkout v0.4.2
make
cd ..
sh autogen.sh
CFLAGS="-I$PWD/tinycbor/src" LDFLAGS="-L$PWD/tinycbor/lib" LIBS="-ltinycbor" ./configure
make

NOTE: Paths in CFLAGS and LDFLAGS must be absolute.

CBOR to JSON

Tinycbor comes with a tool to convert CBOR to JSON, check bin/cbordump -h in the Tinycbor directory after having compiled it.

Outputting to CBOR

To output to the CBOR format you tell dnscap to write to a file and set the format to CBOR. Since Tinycbor constructs everything in memory there is a limit and when it is reached it will write the output and start on a new file. You can control the number of bytes with the extended option cbor_chunk_size.

src/dnscap [...] -w <file> -F cbor [ -o cbor_chunk_size=<bytes> ]

Additional attributes

There is currently an additional attribute added to the CBOR object which contains the IP information as following:

"ip": [
  <proto>,
  "<source ip address>",
  <source port>
  "<destination ip address>",
  <destination port>
]

Example:

"ip": [
  17,
  "127.0.0.1",
  34856,
  "127.0.0.1",
  53
]

Limitations, deviations and issues

Since this is still experimental there are of course some issues:

  • RDATA is in binary format
  • DNS packet are parsed by LDNS which can fail if malformed packets
  • dateSeconds is added as a C double which might loose some of the time precision
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].