DNSTOP(8)                 BSD System Manager's Manual                DNSTOP(8)

dnstop — displays various tables of DNS traffic on your network

dnstop [-46apPQRX] [-b expression] [-i address] [-f filter] [-l level]
       [-n name] [-B buckets] [-r interval] [device] [savefile]

dnstop is a small tool that listens on device, or parses the file savefile,
and collects and prints statistics on the local network's DNS traffic.
Capturing live traffic requires read access to /dev/bpf* (or the equivalent
raw-capture privilege on other platforms); reading a savefile does not.

The options are as follows:

-4      count only messages with IPv4 addresses

-6      count only messages with IPv6 addresses

-Q      count only DNS query messages

-R      count only DNS reply messages

-a      anonymize addresses

-b expression
        BPF filter expression
        (default: udp port 53)

-i address
        ignore the selected address

-p      Do not put the interface into promiscuous mode.

-r interval
        Redraw interval (seconds).

-l level
        keep counts on names up to level domain name levels.

        For example, with -l 2 (the default), dnstop will keep two
        tables: one with top-level domain names, and another with
        second-level domain names. Increasing the level provides more
        detail, but also requires more memory and CPU.

-f filter
        input filter name

        The "unknown-tlds" filter includes only queries for TLDs that are
        bogus. Useful for identifying hosts/servers that leak queries
        for things like "localhost" or "workgroup".

        The "A-for-A" filter includes only A queries for names that are
        already IP addresses. Certain Microsoft Windows DNS servers have
        a known bug that forwards these queries.

        The "rfc1918-ptr" filter includes only PTR queries for addresses
        in RFC1918 space. These should never leak from inside an
        organization.

        The "refused" filter, when used with the -R option, tells dnstop
        to count only replies with rcode REFUSED.

-n name
        Only count messages within the domain name

-P      Print "progress" messages on stderr when in non-interactive mode.

-B buckets
        Use buckets hash table buckets.

-X      Do not tabulate the sources + query name counters. This can
        significantly reduce memory usage on busy servers and large
        savefiles.

savefile
        a captured network trace in pcap format

device  ethernet device (e.g. fxp0)

While running, the following keys are available to alter the display:

s       display the source address table

d       display the destination address table

t       display the breakdown of query types seen

r       display the breakdown of response codes seen

o       display the breakdown of opcodes seen

1       show 1st level query names

2       show 2nd level query names

3       show 3rd level query names

4       show 4th level query names

5       show 5th level query names

6       show 6th level query names

7       show 7th level query names

8       show 8th level query names

9       show 9th level query names

!       show sources + 1st level query names

@       show sources + 2nd level query names

#       show sources + 3rd level query names

$       show sources + 4th level query names

%       show sources + 5th level query names

^       show sources + 6th level query names

&       show sources + 7th level query names

*       show sources + 8th level query names

(       show sources + 9th level query names

^R      reset the counters

^X      exit the program

space   redraw

?       help

If stdout is not a tty (for example when output is redirected to a file or
piped to another program), dnstop runs in non-interactive mode. In this
case you must supply a savefile to read, instead of capturing live packets.
After reading the entire savefile, dnstop prints the top 50 entries of each
table.

By default dnstop examines only query messages and ignores replies. In
this case the response code table is meaningless and will likely show
100% "NOERROR", since a query carries no response code of its own.

If you supply only the -R command line option, dnstop examines replies
and ignores queries. This allows you to see meaningful response code
values, as well as all the other tables. In this case all the query
attributes (such as type and name) are taken from the Question section of
the reply.

Note, however, that it is common for a stream of DNS messages to contain
more queries than replies. This can happen, for example, if the server
is too busy to respond to every single query, if the server is designed
to ignore malformed query messages, or if replies are dropped before the
capture point. Therefore, you might want to examine both queries and
replies by giving both the -R and -Q command line options. In this case
only the response code counts are taken from the replies, and all other
attributes are taken from the queries.

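The counting rules in the three paragraphs above, together with the four -f filters described in the options list, as an added example in Python that is not part of dnstop or of this manual: it builds a handful of constructed DNS messages in wire format, parses the header and Question section, and applies the -Q/-R attribution rules, the -l name tables and simplified restatements of the filters. The short KNOWN_TLDS allowlist, the message builder, the sample addresses and the function names are assumptions made for the example; dnstop itself uses its own TLD list and reads packets through libpcap.

```python
import ipaddress
import struct
from collections import Counter

A, PTR, MX = 1, 12, 15
QTYPE_NAMES = {A: "A", PTR: "PTR", MX: "MX"}
RCODE_NAMES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}
# dnstop ships a full list of valid TLDs; this short allowlist is an assumption.
KNOWN_TLDS = {"com", "net", "org", "edu", "arpa"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def encode_name(name):  # dotted name -> wire-format labels plus the zero-length terminator
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_message(name, qtype, qr=0, rcode=0):
    """Minimal DNS message: 12-byte header plus one question, no resource records."""
    flags = (qr << 15) | (1 << 8) | rcode                 # QR bit, RD bit, RCODE
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN

def parse_message(raw):
    """Return (qr, rcode, qname, qtype) from the header and the first Question."""
    flags = struct.unpack("!H", raw[2:4])[0]
    pos, labels = 12, []
    while raw[pos]:
        n = raw[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(raw[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype = struct.unpack("!H", raw[pos + 1:pos + 3])[0]
    return flags >> 15, flags & 0xF, ".".join(labels), qtype

def name_at_level(qname, level):
    """Last `level` labels of the name, as in the -l tables (whole name if shorter)."""
    return ".".join(qname.split(".")[-level:])

def is_a_for_a(qname, qtype):
    """A query whose name is already a dotted-quad IPv4 address."""
    try:
        return qtype == A and ipaddress.IPv4Address(qname) is not None
    except ipaddress.AddressValueError:
        return False

def is_rfc1918_ptr(qname, qtype):
    """PTR query under in-addr.arpa whose reversed octets fall in RFC1918 space."""
    labels = qname.split(".")
    if qtype != PTR or len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return False
    try:
        addr = ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ipaddress.AddressValueError:
        return False
    return any(addr in net for net in RFC1918)

FILTERS = {  # same names as -f; the rules are simplified restatements of the man page text
    "unknown-tlds": lambda qr, rcode, qname, qtype: qname.split(".")[-1] not in KNOWN_TLDS,
    "A-for-A": lambda qr, rcode, qname, qtype: is_a_for_a(qname, qtype),
    "rfc1918-ptr": lambda qr, rcode, qname, qtype: is_rfc1918_ptr(qname, qtype),
    "refused": lambda qr, rcode, qname, qtype: qr == 1 and rcode == 5,
}

def tabulate(stream, count_queries=True, count_replies=False, level=2, filt=None):
    """Model -Q/-R/-l/-f: returns dnstop-style tables as Counters."""
    tables = {"sources": Counter(), "qtypes": Counter(), "rcodes": Counter(), "src+name": Counter()}
    tables.update({f"level{k}": Counter() for k in range(1, level + 1)})
    both = count_queries and count_replies
    for src, raw in stream:
        qr, rcode, qname, qtype = parse_message(raw)
        if (qr == 0 and not count_queries) or (qr == 1 and not count_replies):
            continue
        if filt and not FILTERS[filt](qr, rcode, qname, qtype):
            continue
        # -Q -R together: rcode from replies only, every other attribute from queries only.
        if not both or qr == 1:
            tables["rcodes"][RCODE_NAMES.get(rcode, str(rcode))] += 1
        if not both or qr == 0:
            tables["sources"][src] += 1
            tables["qtypes"][QTYPE_NAMES.get(qtype, str(qtype))] += 1
            for k in range(1, level + 1):
                tables[f"level{k}"][name_at_level(qname, k)] += 1
            tables["src+name"][(src, name_at_level(qname, level))] += 1
    return tables

C1, C2, SRV = "192.168.1.10", "192.168.1.20", "192.168.1.1"   # constructed addresses
STREAM = [  # constructed (source address, DNS message) pairs, not captured traffic
    (C1, build_message("www.example.com", A)),
    (SRV, build_message("www.example.com", A, qr=1)),                    # reply, NOERROR
    (C1, build_message("localhost", A)),                                # bogus TLD leak
    (C2, build_message("workgroup", A)),                                # bogus TLD leak
    (C1, build_message("192.0.2.7", A)),                                # A-for-A
    (C2, build_message("3.2.1.10.in-addr.arpa", PTR)),                  # RFC1918 PTR leak
    (SRV, build_message("3.2.1.10.in-addr.arpa", PTR, qr=1, rcode=5)),  # reply, REFUSED
    (C2, build_message("mail.example.org", MX)),                        # never answered
]
```

Running tabulate(STREAM) (the -Q default) over this stream counts six queries and reports six NOERROR rcodes, which is the meaningless 100% "NOERROR" table described above; tabulate(STREAM, count_queries=False, count_replies=True) (-R) sees only the two replies and their real rcodes; and tabulate(STREAM, count_replies=True) (-Q -R) keeps the six queries' types and names while taking the rcode table from the two replies, making the query/reply imbalance visible. Passing filt="unknown-tlds", "A-for-A" or "rfc1918-ptr" reduces the tables to the leaking clients, and filt="refused" with the -R settings keeps only the REFUSED reply. The equivalent dnstop invocations are, for example, dnstop -Q -R -l 3 fxp0 for a live interface and dnstop -R -f refused trace.pcap > report.txt for a savefile in non-interactive mode.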
Duane Wessels (wessels@measurement-factory.com)
Mark Foster (mark@foster.cc)
Jose Nazario (jose@monkey.org)
Sam Norris <@ChangeIP.com>
Max Horn <@quendi.de>
John Morrissey <jwm@horde.net>
Florian Forster <octo@verplant.org>
Dave Plonka <plonka@cs.wisc.edu>
http://dnstop.measurement-factory.com/

Does not support TCP at this time. DNS carried over TCP (for example a
retry after a truncated UDP response, or a zone transfer) is therefore not
counted, even if the -b expression is changed from the default "udp port 53"
to capture it.

BSD                              21 March, 2008                            BSD