1dpa(1) General Commands Manual dpa(1)
2
6 dpa - DNS Packet Analyzer. Analyze DNS packets in ip trace files
7
9 dpa [ OPTION ] TRACEFILE
10
13 dpa is used to analyze dns packets in trace files. It has 3 main
14 options: count, filter, and count uniques (i.e. count all different
15 occurences).
16
19 -c expressionlist
20 Count occurrences of matching expressions
21 -f expression
24 Filter: only process packets that match the expression
25 -h Show usage
28 -p Show the total number of correct DNS packets, and percentage of
31 -u and -c values (of the total of matching on the -f filter. if
32 no filter is given, percentages are on all correct dns packets)
33 -of file
36 Write all packets that match the -f flag to file, as pcap data.
37 -ofh file
40 Write all packets that match the -f flag to file, in hexadecimal
41 format, readable by drill.
42 -s Show possible match names
45 -s matchname
48 show possible match operators and values for name
49 -sf Only evaluate packets (in representation format) that match the
52 -f filter. If no -f was given, evaluate all correct dns pack‐
53 ets.
54 -u matchnamelist
57 Count every occurence of every value of the matchname (for
58 instance, count all packetsizes, see EXAMPLES in ldns-dpa(1) ).
59 -ua For every matchname in -u, show the average value of all
62 matches. Behaviour for match types that do not have an integer
63 value is undefined.
64 -uac For every matchname in -u, show the average number of times this
67 value was encountered.
68 -um number
71 Only show the results from -u for values that occurred more than
72 <number> times.
73 -v level
76 Set verbosity to level (1-5, 5 being the highest). Mostly used
77 for debugging.
78 -notip file
81 Write packets that were not recognized as IP packets to file (as
82 pcap data).
83 -baddns file
86 Write dns packets that were too mangled to parse to file (as
87 pcap data).
88 -version
91 Show version and exit
92
95 A <matchnamelist> is a comma separated list of match names (use -s to
96 see possible match names). A <expressionlist> is a comma separated
97 list of expressions.
98 An expression has the following form: <expr>: (<expr>)
100 <expr> | <expr>
101 <expr> & <expr>
102 <match>
103 <match>: <matchname> <operator> <value>
105 <operator>: = equal to <value> != not equal to <value>
107 > greater than <value> < lesser than <value>
108 >= greater than or equal to <value> <= lesser than or
109 equal to <value> ~= contains <value>
110 See the -s option for possible matchnames, operators and values.
112
115 ldns-dpa -u packetsize -p test.tr
116 Count all different packetsizes in test.tr and show the precent‐
117 ages.
118 ldns-dpa -f "edns=1&qr=0" -of edns.tr test.tr
121 Filter out all edns enable queries in test.tr and put them in
122 edns.tr
123 ldns-dpa -f edns=1 -c tc=1 -u rcode test.tr
126 For all edns packets, count the number of truncated packets and
127 all their rcodes in test.tr.
128 ldns-dpa -c tc=1,qr=0,qr=1,opcode=QUERY test.tr
131 For all packets, count the number of truncated packets, the num‐
132 ber of packets with qr=0, the number of packets with qr=1 and
133 the number of queries in test.tr.
134 ldns-dpa -u packetsize -ua test.tr
137 Show all packet sizes and the average packet size per packet.
138 ldns-dpa -u srcaddress -uac test.tr
141 Show all packet source addresses and the average number of pack‐
142 ets sent from this address.
143 sudo tcpdump -i eth0 -s 0 -U -w - port 53 | ldns-dpa -f qr=0 -sf
146 Print all query packets seen on the specified interface.
147
151 Written by Jelte Jansen for NLnetLabs.
152
155 Report bugs to <jelte@nlnetlabs.nl>.
156
159 Copyright (C) 2005 NLnet Labs. This is free software. There is NO war‐
160 ranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PUR‐
161 POSE.
162 1 Nov 2005 dpa(1)