dpa(1)                      General Commands Manual                     dpa(1)

NAME

       dpa - DNS Packet Analyzer. Analyze DNS packets in IP trace files

SYNOPSIS

       dpa [ OPTION ] TRACEFILE

DESCRIPTION

       dpa is used to analyze DNS packets in trace files. It has 3 main
       options: count, filter, and count uniques (i.e. count all different
       occurrences).

OPTIONS

       -c expressionlist
              Count occurrences of matching expressions

       -f expression
              Filter: only process packets that match the expression

       -h     Show usage

       -p     Show the total number of correct DNS packets, and the percentage
              of the -u and -c values (of the total matching the -f filter; if
              no filter is given, percentages are over all correct DNS packets)

       -of file
              Write all packets that match the -f flag to file, as pcap data.

       -ofh file
              Write all packets that match the -f flag to file, in hexadecimal
              format, readable by drill.

       -s     Show possible match names

       -s matchname
              Show possible match operators and values for matchname

       -sf    Only evaluate packets (in representation format) that match the
              -f filter. If no -f was given, evaluate all correct DNS packets.

       -u matchnamelist
              Count every occurrence of every value of the matchname (for
              instance, count all packet sizes, see EXAMPLES in ldns-dpa(1)).

       -ua    For every matchname in -u, show the average value of all
              matches. Behaviour for match types that do not have an integer
              value is undefined.

       -uac   For every matchname in -u, show the average number of times this
              value was encountered.

       -um number
              Only show the results from -u for values that occurred more than
              <number> times.

       -v level
              Set verbosity to level (1-5, 5 being the highest). Mostly used
              for debugging.

       -notip file
              Write packets that were not recognized as IP packets to file (as
              pcap data).

       -baddns file
              Write DNS packets that were too mangled to parse to file (as
              pcap data).

       -version
              Show version and exit


LIST AND MATCHES

       A <matchnamelist> is a comma separated list of match names (use -s to
       see possible match names). An <expressionlist> is a comma separated
       list of expressions.

       An expression has the following form:

       <expr>:         (<expr>)
                       <expr> | <expr>
                       <expr> & <expr>
                       <match>

       <match>:        <matchname> <operator> <value>

       <operator>:     =    equal to <value>
                       !=   not equal to <value>
                       >    greater than <value>
                       <    lesser than <value>
                       >=   greater than or equal to <value>
                       <=   lesser than or equal to <value>
                       ~=   contains <value>

       See the -s option for possible matchnames, operators and values.

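       As an added illustration (not code from ldns or this man page), a small
       Python evaluator for the expression grammar above: it tokenizes and
       parses <expr> with the seven operators and applies the result to
       constructed packet records the way -f does. The precedence of & over |
       and the field value types are assumptions, not taken from the tool.

```python
import re
# Constructed sample: one dict per parsed DNS packet, keyed by match names the
# man page uses (qr, tc, edns, rcode, opcode, packetsize); value types are assumed.
PACKETS = [
    {"qr": 0, "tc": 0, "edns": 1, "rcode": "NOERROR", "opcode": "QUERY", "packetsize": 45},
    {"qr": 1, "tc": 0, "edns": 1, "rcode": "NOERROR", "opcode": "QUERY", "packetsize": 512},
    {"qr": 1, "tc": 1, "edns": 1, "rcode": "SERVFAIL", "opcode": "QUERY", "packetsize": 512},
    {"qr": 0, "tc": 0, "edns": 0, "rcode": "NOERROR", "opcode": "QUERY", "packetsize": 33},
]
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       "~=": lambda a, b: str(b) in str(a)}          # ~= means "contains"
# Two-character operators are tried before "=", ">" and "<" so they win.
TOKEN = re.compile(r"\(|\)|\||&|>=|<=|!=|~=|=|>|<|[^\s()|&<>=!~]+")

def parse(expression):
    """Parse the <expr> grammar above; assumed precedence (page states none): & over |."""
    toks = TOKEN.findall(expression)
    def peek(): return toks[0] if toks else None
    def expr():                                   # <expr> | <expr>
        node = term()
        while peek() == "|":
            toks.pop(0); node = ("or", node, term())
        return node
    def term():                                   # <expr> & <expr>
        node = atom()
        while peek() == "&":
            toks.pop(0); node = ("and", node, atom())
        return node
    def atom():                                   # (<expr>) or <match>
        if peek() == "(":
            toks.pop(0); node = expr()
            if toks.pop(0) != ")": raise ValueError("unbalanced parentheses")
            return node
        name, op, value = toks.pop(0), toks.pop(0), toks.pop(0)
        if op not in OPS: raise ValueError(f"unknown operator {op!r}")
        return ("match", name, op, value)
    tree = expr()
    if toks: raise ValueError("trailing input after expression")
    return tree

def matches(node, pkt):
    if node[0] == "or": return matches(node[1], pkt) or matches(node[2], pkt)
    if node[0] == "and": return matches(node[1], pkt) and matches(node[2], pkt)
    _, name, op, value = node
    field = pkt[name]                             # KeyError: unknown match name
    return OPS[op](field, int(value) if isinstance(field, int) else value)

def dpa_filter(expression, packets=PACKETS):     # like -f: keep matching packets
    tree = parse(expression)
    return [p for p in packets if matches(tree, p)]
```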

EXAMPLES

       ldns-dpa -u packetsize -p test.tr
              Count all different packet sizes in test.tr and show the
              percentages.

       ldns-dpa -f "edns=1&qr=0" -of edns.tr test.tr
              Filter out all EDNS-enabled queries in test.tr and put them in
              edns.tr

       ldns-dpa -f edns=1 -c tc=1 -u rcode test.tr
              For all EDNS packets, count the number of truncated packets and
              all their rcodes in test.tr.

       ldns-dpa -c tc=1,qr=0,qr=1,opcode=QUERY test.tr
              For all packets, count the number of truncated packets, the
              number of packets with qr=0, the number of packets with qr=1 and
              the number of queries in test.tr.

       ldns-dpa -u packetsize -ua test.tr
              Show all packet sizes and the average packet size per packet.

       ldns-dpa -u srcaddress -uac test.tr
              Show all packet source addresses and the average number of
              packets sent from each address.

       sudo tcpdump -i eth0 -s 0 -U -w - port 53 | ldns-dpa -f qr=0 -sf
              Print all query packets seen on the specified interface.


AUTHOR

       Written by Jelte Jansen for NLnetLabs.


REPORTING BUGS

       Report bugs to <jelte@nlnetlabs.nl>.

COPYRIGHT

       Copyright (C) 2005 NLnet Labs. This is free software. There is NO
       warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
       PURPOSE.



                                  1 Nov 2005                            dpa(1)