To use queryparse, you need one or more files containing pcap-formatted packet
captures, such as those generated by tcpdump via the -w switch.

Once you have such a file, call queryparse as follows:

    queryparse -i tcpdump.raw -o outputfile

where "tcpdump.raw" is the name of the pcap-formatted packet capture file, and
"outputfile" is the name you wish to call the saved output of queryparse.

When queryparse finishes, it will print to STDOUT a count of each type of query
encountered during its run. For example:

    Statistics:
    A: 1175140
    SOA: 23639
    NAPTR: 113
    NS: 1329
    CNAME: 1667
    NONE: 38
    PTR: 186053
    AAAA: 50858
    ANY: 2117
    SRV: 49470
    KEY: 218
    A6: 245
    TXT: 24243
    MX: 517510
    -------------------------
    TOTAL: 2032640

The resulting output is in a format suitable as input to resperf or dnsperf.
For example:

    example.biz. A
    example.net. MX
    foo.example.tv. A
    example.enc. MX
    example[2].txt. MX
    foo.]. MX

Note that there are both valid and invalid host names in the output: neither
queryparse nor resperf or dnsperf discriminates on the basis of a host name's
adherence to RFCs. If the query was put on the wire and can be recognized as a
properly formed query, it will be saved. If this does not meet your needs, you
may wish to parse the resulting output file to eliminate nonconforming host
names.
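The following is an added example of such a post-processing step; it is not
part of queryparse or dnsperf. It reads lines in the "name type" format
queryparse writes, keeps only names whose labels satisfy the RFC 1123 host name
syntax (letters, digits and hyphens, 1-63 octets per label, no leading or
trailing hyphen, at most 253 octets overall), and tallies the query types it
kept so the count can be compared with the Statistics block above. The sample
lines embedded in the script are constructed to mirror the output shown above
plus one name with a leading hyphen; the allow_underscore switch is an
assumption of this example, there to keep SRV-style names such as
_sip._tcp.example.com. that are legitimately not host names.

```python
"""Filter a queryparse/dnsperf-style query file to RFC 1123-conforming names.

Added example, not part of queryparse or dnsperf. Assumes the input format
queryparse writes: one query per line, "<name> <type>".
"""
import re
import sys
from collections import Counter

# One DNS label: 1-63 octets of letters, digits and hyphens, with no leading or
# trailing hyphen (RFC 1123 host name syntax).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name, allow_underscore=False):
    """Return True if `name` is an RFC 1123-conforming host name.

    A single trailing dot (fully qualified name) is accepted.  With
    allow_underscore=True a label may start with "_" (SRV/TXT owner names such
    as _sip._tcp.example.com.), which strict host name rules would reject.
    The root name "." is rejected because it has no labels at all.
    """
    if name.endswith("."):
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    for label in name.split("."):
        if allow_underscore and label.startswith("_"):
            label = label[1:]
        if not _LABEL.match(label):
            return False
    return True


def filter_queries(lines, allow_underscore=False):
    """Split query lines into (kept, dropped, stats).

    `kept` and `dropped` are lists of the original lines (whitespace trimmed);
    `stats` is a Counter of query types among the kept lines.  Blank lines are
    skipped; lines that are not exactly "name type" are dropped.
    """
    kept, dropped, stats = [], [], Counter()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            dropped.append(line)
            continue
        name, qtype = parts
        if is_valid_hostname(name, allow_underscore):
            kept.append(line)
            stats[qtype.upper()] += 1
        else:
            dropped.append(line)
    return kept, dropped, stats


# Constructed sample in the shape of queryparse output (not real capture data).
SAMPLE = """example.biz. A
example.net. MX
foo.example.tv. A
example.enc. MX
example[2].txt. MX
foo.]. MX
-bad.example. A
"""


def main(argv):
    # Usage: python filter_queries.py [outputfile] > cleaned_queries
    # Kept lines go to STDOUT (ready for resperf/dnsperf); a summary goes to
    # STDERR so it does not pollute the query file.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            kept, dropped, stats = filter_queries(fh)
    else:
        kept, dropped, stats = filter_queries(SAMPLE.splitlines())
    for line in kept:
        print(line)
    print(f"Dropped: {len(dropped)}", file=sys.stderr)
    for qtype, count in sorted(stats.items()):
        print(f"{qtype}: {count}", file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the queryparse output file and redirect STDOUT to a new file
for resperf or dnsperf; the rejected lines are only counted, so inspect them
separately if you want to see which captured queries carried malformed names.
The check is purely syntactic: "example.enc." passes because every label is
well formed, even though no such top-level domain exists.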