



dnstop is a libpcap application (a la tcpdump) that displays various tables of DNS traffic on your network, including tables of source and destination IP addresses, query types, top level domains and second level domains.
The dnstop tool is written by Duane Wessels and maintained at the Measurement Factory (http://dnstop.measurement-factory.com/).
About
dnstop is a libpcap application (a la tcpdump) that displays various tables of DNS traffic on your network. Currently dnstop displays tables of:
- Source IP addresses
- Destination IP addresses
- Query types
- Top level domains
- Second level domains
If people find dnstop useful and interesting, we plan to add additional tables, such as classification of legitimate/illegitimate queries.
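As an added illustration (not dnstop's own code, and not from the original page), the Python sketch below shows how the five tables listed above can be tallied from DNS query payloads. It skips libpcap capture and works on constructed packets; the function names and the choice to count only queries are assumptions of this example.

```python
import struct
from collections import Counter

QTYPES = {1: "A", 2: "NS", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}

def build_query(name, qtype, flags=0x0100):  # builds constructed sample input
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l)
    return struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0) + qname + struct.pack("!BHH", 0, qtype, 1)

def parse_question(msg):
    """Return (labels, qtype) of the first question, or None if unusable."""
    # Reject short headers, responses (QR bit set) and messages with QDCOUNT 0.
    if len(msg) < 12 or msg[2] & 0x80 or msg[4:6] == b"\x00\x00":
        return None
    labels, pos = [], 12
    while pos < len(msg) and msg[pos]:
        n = msg[pos]
        if n > 63 or pos + 1 + n > len(msg):   # compression pointer or overrun
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace").lower())
        pos += 1 + n
    if pos + 5 > len(msg):                     # root label + QTYPE + QCLASS
        return None
    return labels, struct.unpack("!H", msg[pos + 1:pos + 3])[0]

def tally(packets):
    """Count queries per table; packets are (src_ip, dst_ip, dns_payload)."""
    tables = {k: Counter() for k in ("src", "dst", "qtype", "tld", "sld")}
    for src, dst, payload in packets:
        q = parse_question(payload)
        if q is None:
            continue
        labels, qtype = q
        tables["src"][src] += 1
        tables["dst"][dst] += 1
        tables["qtype"][QTYPES.get(qtype, str(qtype))] += 1
        tables["tld"][labels[-1] if labels else "."] += 1
        if len(labels) >= 2:
            tables["sld"][".".join(labels[-2:])] += 1
    return tables

SAMPLE = [  # constructed traffic using documentation address ranges
    ("192.0.2.10", "198.51.100.53", build_query("www.example.com", 1)),
    ("192.0.2.10", "198.51.100.53", build_query("mail.example.com", 15)),
    ("192.0.2.11", "198.51.100.53", build_query("example.org", 28)),
    ("198.51.100.53", "192.0.2.11", build_query("example.org", 28, 0x8180)),
]

if __name__ == "__main__":
    for name, table in tally(SAMPLE).items():
        print(name, table.most_common())
```

The fourth sample packet is a response and is skipped, so each table totals three queries.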
Download and Compile
You can download the dnstop code at http://dnstop.measurement-factory.com/src/
dnstop is still relatively young, and perhaps not portable to all operating systems. It is known to compile and run on:
- FreeBSD 4.x (you can find net/dnstop in the Ports Collection)
- OpenBSD 3.0
- NetBSD 1.5 (you can find net/dnstop in the Packages Collection)
- Linux 2.2.x kernel
Please send compilation problems and other bugs to wessels at measurement-factory.com.
Usage
dnstop has the following command line options:
- -a  Anonymize IP addresses
- -b  customize BPF filter parameters
- -i  ignore a source IP address
- -p  don't put interface in promiscuous mode
- -s  collect second-level domain stats
dnstop has the following display commands while running:
- S  source address table
- D  destination address table
- T  query type table
- 1  TLD table
- 2  SLD table
- ^R  Reset counters
- ^X  Exit
- ?  Help
dnstop was originally presented in a talk at NANOG 26 (Oct 2002), "Toward Lowering the Load on DNS Root Nameservers".