dnscap is a network capture utility designed specifically for DNS traffic. It produces binary data in pcap(3) and other formats. This utility is similar to tcpdump(1), but has a number of features tailored to DNS transactions and protocol options. DNS-OARC uses dnscap for DITL data collections.
Some of its features include:
dnscap has a non-optional dependency on the PCAP library and an optional dependency on LDNS. The BIND library libbind is considered optional, but it is needed under OpenBSD for the various arpa/nameser* include headers.
To install the dependencies under Debian/Ubuntu:
apt-get install -y libpcap-dev libldns-dev libbind-dev zlib1g-dev
To install the dependencies under CentOS (with EPEL enabled):
yum install -y libpcap-devel ldns-devel openssl-devel bind-devel zlib-devel
For the following operating systems you will need to install some of the dependencies from source or Ports; those instructions are not included here.
To install some of the dependencies under FreeBSD 10+ using pkg:
pkg install -y libpcap ldns
To install some of the dependencies under OpenBSD 5+ using
The source tarball from DNS-OARC comes prepared with a configure script:
tar zxvf dnscap-version.tar.gz
cd dnscap-version
./configure [options]
make
make install
Since this is still experimental, there are of course some issues:
dateSeconds is added as a C double, which might lose some of the time precision.
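The precision issue above, as an added example that is not part of dnscap: a Python float is the same IEEE-754 binary64 value as a C double, so the script below measures exactly how much of a split seconds/fraction pcap timestamp survives being folded into one double. The timestamp values and the field layout (whole seconds plus a 6- or 9-digit fraction) are constructed here for illustration, not taken from a capture.

```python
# Added example (not dnscap code): how much of a packet timestamp survives
# when it is stored in one IEEE-754 binary64 value, i.e. a C double, which is
# also what a Python float is. All timestamps below are constructed.
import math
from fractions import Fraction


def ulp_seconds(ts: float) -> float:
    """Distance between adjacent doubles at this magnitude, in seconds.
    Around the 2023 Unix epoch (~1.7e9 s, between 2**30 and 2**31) this is
    2**-22 s, roughly 238 ns, so a stored value can be off by up to half of
    that (about 119 ns)."""
    return math.ulp(ts)


def to_double(sec: int, frac: int, frac_digits: int) -> float:
    """Correctly rounded conversion of the split timestamp
    sec + frac / 10**frac_digits into a single double."""
    return float(Fraction(sec) + Fraction(frac, 10 ** frac_digits))


def roundtrip_error_ns(sec: int, frac: int, frac_digits: int) -> Fraction:
    """Absolute error, in nanoseconds (exact rational), between the true
    timestamp and the double that was stored."""
    exact = Fraction(sec) + Fraction(frac, 10 ** frac_digits)
    stored = Fraction(to_double(sec, frac, frac_digits))
    return abs(stored - exact) * 10 ** 9


def split_double(d: float, frac_digits: int) -> tuple:
    """Split a double back into (sec, frac) with frac_digits decimal digits."""
    whole = math.floor(d)
    # d - whole is exact (Sterbenz lemma: whole <= d <= 2*whole for d >= 1)
    frac = round((d - whole) * 10 ** frac_digits)
    if frac == 10 ** frac_digits:  # fraction rounded up to the next second
        whole, frac = whole + 1, 0
    return whole, frac


def recovers_exactly(sec: int, frac: int, frac_digits: int) -> bool:
    """True if storing sec.frac in a double and splitting it again returns
    the original fields unchanged."""
    return split_double(to_double(sec, frac, frac_digits), frac_digits) == (sec, frac)


if __name__ == "__main__":
    SEC = 1700000000  # constructed: 2023-11-14T22:13:20Z
    print("ulp at", SEC, "s =", ulp_seconds(float(SEC)), "s")
    # pcap's classic microsecond resolution survives the round trip ...
    print("usec round trip exact:", recovers_exactly(SEC, 123456, 6))
    # ... nanosecond resolution (e.g. pcapng captures) does not
    print("nsec round trip exact:", recovers_exactly(SEC, 123456789, 9),
          "error %.1f ns" % float(roundtrip_error_ns(SEC, 123456789, 9)))
```

For current Unix epochs the double grid is about 238 ns wide, so microsecond timestamps come back intact but nanosecond timestamps are silently rounded by up to roughly 119 ns. That matters when captures are later merged or ordered by this field: two packets that were distinct in the original pcap can collapse onto the same dateSeconds value.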