dnscap is a network capture utility designed specifically for DNS traffic. It produces binary data in pcap(3) and other formats. This utility is similar to tcpdump(1), but has a number of features tailored to DNS transactions and protocol options. DNS-OARC uses dnscap for DITL data collections.
Some of its features include:
Understands both IPv4 and IPv6
Captures UDP, TCP, and IP fragments
Collects only queries, responses, or both (-s option)
Collects only for certain source/destination addresses (-a, -z, -A, -Z options)
Periodically creates new pcap files (-t option)
Spawns an upload script after closing a pcap file (-k option)
Starts and stops collecting at specific times (-B, -E options)
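As an added example (not part of dnscap or this README), a hand-off script of the kind the -k option spawns after each pcap file is closed. It assumes dnscap passes the closed file's path as the script's single argument and uses an assumed DNSCAP_COLLECT_DIR variable; it records a SHA-256 digest, verifies the copy, and moves capture and digest into a collection directory so a DITL-style collection can later be checked for alteration.

```shell
#!/bin/sh
# Added example: a hand-off script for dnscap's -k option (not dnscap's own code).
# Assumption: dnscap runs the -k command with the path of the just-closed pcap
# file as its single argument, e.g.
#   dnscap -i eth0 -t 300 -w /var/spool/dnscap/ditl -k /usr/local/bin/dnscap-kick.sh
set -eu

# Destination for finished captures; DNSCAP_COLLECT_DIR is an assumed name.
COLLECT_DIR="${DNSCAP_COLLECT_DIR:-/var/lib/dnscap/collected}"

# kick_pcap <pcap-file> [collect-dir]
# Prints the final path and returns 0 on success, non-zero on any failure.
kick_pcap() {
    src="$1"
    dest_dir="${2:-$COLLECT_DIR}"
    [ -f "$src" ] || { echo "kick_pcap: no such file: $src" >&2; return 1; }
    mkdir -p "$dest_dir"
    name=$(basename "$src")

    # Digest line in the form "sha256sum -c" expects: "<hex>  <name>".
    digest=$(sha256sum "$src" | cut -d' ' -f1)
    printf '%s  %s\n' "$digest" "$name" > "$src.sha256"

    # Copy under a temporary name and verify before discarding the original.
    cp "$src" "$dest_dir/$name.part"
    copied=$(sha256sum "$dest_dir/$name.part" | cut -d' ' -f1)
    if [ "$copied" != "$digest" ]; then
        rm -f "$dest_dir/$name.part"
        echo "kick_pcap: digest mismatch after copying $name" >&2
        return 2
    fi
    mv "$dest_dir/$name.part" "$dest_dir/$name"
    mv "$src.sha256" "$dest_dir/$name.sha256"
    rm -f "$src"
    echo "$dest_dir/$name"
}

# When invoked by dnscap with a file argument, process it; when sourced, do nothing.
if [ "${1:-}" != "" ]; then
    kick_pcap "$1"
fi
```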
dnscap requires a couple of libraries besides a normal C build environment with autoconf, automake, libtool and pkg-config.
dnscap has a non-optional dependency on the PCAP library and optional dependencies on LDNS. The BIND library libbind is considered optional, but it is needed under OpenBSD for various arpa/nameser* include headers; see Linking with libbind.
For DNS-OARC packages we build our own fork of the cryptopANT library, with slight modifications to conform across distributions; it is included in the same package repository as dnscap. The modifications and packaging files can be found at https://github.com/DNS-OARC/cryptopANT .
Building from source tarball
The source tarball from DNS-OARC comes prepared with configure:
tar zxvf dnscap-version.tar.gz
cd dnscap-version
./configure [options]
make
make install
Building from Git repository
If you are building dnscap from its Git repository, you will first need to initialise the Git submodules and then generate the autoconf/automake files. This requires a build environment with autoconf, automake, libtool and pkg-config installed.
git clone https://github.com/DNS-OARC/dnscap.git
cd dnscap
git submodule update --init
./autogen.sh
./configure [options]
make
make install
Linking with libbind
If you plan to use dnscap's -x/-X features, then you might need to have libbind installed. These features use functions such as ns_parserr(). On some systems these functions are found in libresolv; if not, you might need to install libbind. I suggest first building dnscap on your system as-is, then running
$ ./dnscap -x foo
If you see an error, install libbind either from your OS package system or by downloading the source from http://ftp.isc.org/isc/libbind/6.0/ .
64-bit libraries
If you need to link against 64-bit libraries found in non-standard locations, provide the location by setting LDFLAGS before running configure:
$ env LDFLAGS=-L/usr/lib64 ./configure
OpenBSD
For OpenBSD you probably installed libpcap and libbind in /usr/local, so you will need to tell configure that; libbind might also install its libraries and header files in a subdirectory:
To enable this output, follow the instructions below for Enabling CBOR Output; note that this only requires Tinycbor.
Outputting to CBOR DNS Stream (CDS)
To output to the CDS format you tell dnscap to write to a file and set the format to CDS. CDS is a stream of CBOR objects, and you can control how many objects are kept in memory before being flushed to the file by setting cds_cbor_size; note that this is the number of bytes of memory, not the number of objects. When it reaches this limit it writes the output and starts on a new file. Read dnscap's man page for all CDS extended options.
src/dnscap [...] -w <file> -F cds [ -o cds_cbor_size=<bytes> ]
CBOR
There is experimental support for CBOR output using LDNS and Tinycbor with a data structure described in the DNS-in-JSON draft.
To enable the CBOR output support you will need to install its dependencies before running configure. LDNS exists for most distributions, but Tinycbor is new, so you need to download and compile it; you do not necessarily need to install it, as shown in the example below.
git clone https://github.com/DNS-OARC/dnscap.git
cd dnscap
git submodule update --init
git clone https://github.com/01org/tinycbor.git
cd tinycbor
git checkout v0.4.2
make
cd ..
sh autogen.sh
CFLAGS="-I$PWD/tinycbor/src" LDFLAGS="-L$PWD/tinycbor/lib" LIBS="-ltinycbor" ./configure
make
NOTE: Paths in CFLAGS and LDFLAGS must be absolute.
CBOR to JSON
Tinycbor comes with a tool to convert CBOR to JSON, check bin/cbordump -h in the Tinycbor directory after having compiled it.
Outputting to CBOR
To output to the CBOR format you tell dnscap to write to a file and set the format to CBOR. Since Tinycbor constructs everything in memory there is a size limit; when it is reached, dnscap writes the output and starts on a new file. You can control the number of bytes with the extended option cbor_chunk_size.