Anyone know of a tool that can take a pcap file from wireshark that was used to collect dns queries and then spit out statistics about the queries such as RTT and timeouts?
Not off the top of my head, but, you could use wireshark's Lua
extension system to write a plugin to do this for you right within
The wireshark/Lua stuff is quite powerful (though not super super
fast); it's a really useful tool to have on hand.
It just so happens there is a tool aptly named DNS Analyzer by NLnet Labs.
I used it a while back but if I recall you could feed it a pcap and it could
spit out all kinds of useful statistical data.
I don't think it's being actively maintained at the moment but you should be
able to find it on the NLnet Labs site - http://www.nlnetlabs.nl/projects/dns-analyzer/
GPG Key ID: 0xB5E3803D
I very recently asked the maintainers of that package if it's still under
development but I heard it was unfortunately dropped.
It would be nice if we could convince them to release the source code into
the public domain. I'm sure there are a few people who would find it highly
useful and would work on it to add to its utility.
The source (versions 0.2.0 and 0.3.0) is available at the above URL and
there is a GPL license in the tarball.
Jay Hennigan - CCIE #7880 - Network Engineering - jay*******
Nothing with RTT and timeouts in this, but it could probably be adapted
with an additional, rudimentary subroutine to try summarizing that too:
<http://www.cymru.com/jtk/code/pcapsum.pl>
If you or no one else comes up with something or modifies this to do
it, give me a holler and I'll whip something up for you.
As is, it'll count DNS messages, header flags and give a top X list of
qnames seen. It uses the somewhat limited NetPacket modules, but it
would be easy to either switch wholesale to the Net::Packet modules or
pull in just those needed (e.g. VLAN and IPv6 support). It is what it
is, hopefully it's of use.
I have a "DNSaudit" program that takes libpcap (wireshark/tcpdump)
files. Originally its purpose was to identify AnswersWithoutQuestions,
and QuestionsWithoutAnswers when we were having some routing issues
causing answers to return via a different ISP.
Later I added statistics for response time by server.
I suggest trying the other programs mentioned first; I am the only
user of my program...
I don't know if DSC does this, but check it out:
I don't know if it'll do exactly what you want, but have a look at
dnscap paired with dpkt can quickly and elegantly accomplish what you
desire; if you know python (:
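As an added example (not code from any poster in this thread, and not dnscap or dpkt), here is the pairing logic the thread keeps circling back to in plain Python: read a libpcap file, match each UDP DNS query to its response by (client address, client port, transaction id) to get RTTs, and count queries still unanswered at the end of the capture as timeouts. The minimal pcap/Ethernet/IPv4 parser, the frame builder, the RFC 5737 addresses and the 2-second timeout threshold are my own assumptions; the sample capture is constructed inline.

```python
import struct
from statistics import mean
TIMEOUT = 2.0  # an unanswered query this old at capture end counts as a timeout

def parse_pcap(data):
    """Yield (timestamp, frame) from a classic microsecond-resolution libpcap file."""
    end = "<" if struct.unpack_from("<I", data)[0] == 0xA1B2C3D4 else ">"
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from(end + "IIII", data, off)
        yield sec + usec / 1e6, data[off + 16:off + 16 + incl]
        off += 16 + incl

def dns_key(frame):
    """Ethernet/IPv4/UDP/DNS frame -> ((client_ip, client_port, txid), is_response), else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                            # too short, not IPv4, or not UDP
    udp = 14 + (frame[14] & 0x0F) * 4          # UDP header follows the IPv4 header
    sport, dport = struct.unpack_from("!HH", frame, udp)
    txid, flags = struct.unpack_from("!HH", frame, udp + 8)
    if flags & 0x8000:                         # QR bit set: a response, keyed on its client
        return (frame[30:34], dport, txid), True
    return (frame[26:30], sport, txid), False

def dns_stats(data):
    """Pair queries with responses by (client, port, txid); report RTTs and timeouts."""
    pending, rtts, last = {}, [], 0.0
    for last, frame in parse_pcap(data):
        parsed = dns_key(frame)
        if parsed and not parsed[1]:
            pending.setdefault(parsed[0], last)  # query: keep the first transmission time
        elif parsed and parsed[0] in pending:
            rtts.append(last - pending.pop(parsed[0]))
    timeouts = sum(1 for t in pending.values() if last - t >= TIMEOUT)
    return {"answered": len(rtts), "timeouts": timeouts, "still_pending": len(pending) - timeouts,
            "avg_rtt_ms": round(mean(rtts) * 1000, 1) if rtts else None,
            "max_rtt_ms": round(max(rtts) * 1000, 1) if rtts else None}

# Constructed sample capture (not a real trace): 2 answered queries, 1 timeout, 1 still pending.
def mk_frame(src, sport, dst, dport, txid, resp):
    hdrs = struct.pack("!BBHHHBBH4s4sHHHH", 0x45, 0, 40, 0, 0, 64, 17, 0, bytes(src), bytes(dst), sport, dport, 20, 0)
    return b"\x00" * 12 + b"\x08\x00" + hdrs + struct.pack("!HHHHHH", txid, 0x8180 if resp else 0x0100, 1, int(resp), 0, 0)
def mk_pcap(records):  # little-endian libpcap global header, then (ts_sec, ts_usec, incl_len, orig_len) + frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", int(t), round(t % 1 * 1e6), len(f), len(f)) + f for t, f in records)
C, S = (192, 0, 2, 10), (192, 0, 2, 53)        # RFC 5737 documentation addresses
SAMPLE = mk_pcap([(1.00, mk_frame(C, 40000, S, 53, 1, False)), (1.02, mk_frame(S, 53, C, 40000, 1, True)),
                  (1.10, mk_frame(C, 40001, S, 53, 2, False)), (1.20, mk_frame(C, 40002, S, 53, 3, False)),
                  (1.26, mk_frame(S, 53, C, 40002, 3, True)), (5.00, mk_frame(C, 40003, S, 53, 4, False))])
print(dns_stats(SAMPLE))  # {'answered': 2, 'timeouts': 1, 'still_pending': 1, 'avg_rtt_ms': 40.0, 'max_rtt_ms': 60.0}
```

Queries that time out and are retried from the same source port keep their first timestamp, so the retry's answer is counted as one long RTT rather than a fresh query; TCP, IPv6 and VLAN-tagged frames are skipped by `dns_key` and would need the same kind of extension the pcapsum.pl post describes.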
DNStop is a real good tool for what it does. It's an exceptionally useful tool and probably at the top of my list for deciphering DoS attacks targeting or amplifying against DNS resolvers. But for RTT and timeouts, errr not so good.
Sorry for the top post. Stupid Blackberry...