DNSCAP - DNS traffic capture utility

dnscap is a network capture utility designed specifically for DNS traffic. It produces binary data in pcap(3) format. This utility is similar to tcpdump, but has a number of features tailored to DNS transactions and protocol options.
Some of its features include:

  • Understands both IPv4 and IPv6
  • Captures UDP, TCP, and IP fragments
  • Collects only queries, only responses, or both (-s option)
  • Collects only for certain source/destination addresses (-a -z -A -Z options)
  • Periodically creates new pcap files (-t option)
  • Spawns an upload script after closing a pcap file (-k option)
  • Starts and stops collecting at specific times (-B -E options)
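
The -k feature above hands each closed pcap file to an external script, which is the point where a collection pipeline should check what it is about to ship. The following handler is an added example, not part of dnscap or this page; it assumes (as an assumption, not something this page states) that dnscap invokes the script as "script <closed-pcap-file>". It verifies the libpcap magic number before accepting the file, stages it with an atomic rename so a half-copied file is never picked up by the uploader, and records a checksum so the receiving side can detect truncation or tampering in transit. The staging directory and the "upload" step itself are placeholders.

```shell
#!/bin/sh
# Hypothetical dnscap -k handler (added example, not dnscap's own code).
# Assumed calling convention: dnscap runs "this-script <closed-pcap-file>".
# STAGE_DIR is a placeholder; a real deployment would point it at the
# directory an uploader process watches.
STAGE_DIR="${STAGE_DIR:-/tmp/dnscap-stage}"

# is_pcap FILE
# Returns 0 if FILE begins with a libpcap magic number: microsecond or
# nanosecond timestamps, either byte order. Anything else (empty file,
# truncated header, stray text) is rejected.
is_pcap() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
        *) return 1 ;;
    esac
}

# stage_pcap FILE
# Validates FILE, copies it into STAGE_DIR under a temporary name, then
# renames it into place (rename is atomic on a single filesystem, so the
# uploader never sees a partial file) and writes a POSIX cksum record
# beside it for integrity checking at the receiving end.
stage_pcap() {
    f="$1"
    [ -f "$f" ] || { echo "stage_pcap: not a regular file: $f" >&2; return 1; }
    is_pcap "$f" || { echo "stage_pcap: refusing non-pcap file: $f" >&2; return 1; }
    mkdir -p "$STAGE_DIR" || return 1
    base=$(basename "$f")
    cp "$f" "$STAGE_DIR/$base.tmp" || return 1
    mv "$STAGE_DIR/$base.tmp" "$STAGE_DIR/$base" || return 1
    # cksum output: "<crc> <bytes> <path>"; keep only crc and size so the
    # record does not depend on the local directory layout.
    cksum "$STAGE_DIR/$base" | awk '{print $1, $2}' > "$STAGE_DIR/$base.cksum" || return 1
    return 0
}

# When run by dnscap, stage the file whose name is passed as the argument.
if [ "$#" -gt 0 ]; then
    stage_pcap "$1"
fi
```

Pointing dnscap at this handler with -k is what connects the two; the handler deliberately does nothing to the original file, so a failed validation leaves dnscap's output in place for inspection rather than silently discarding it.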

Getting dnscap

You can get dnscap via anonymous subversion from here.
You can also find it in the FreeBSD ports system (dns/dnscap).
If you are installing dnscap for the DITL-2009 data collection, please note that you should use the "branches/wessels" version from svn. Do not use the FreeBSD ports version because it lacks TCP support.
dnscap requires libbind, which might not be installed on your system even though you have BIND installed.

Note that you cannot use BIND-9.6 or later source code because libbind has been made a standalone package and is no longer included in BIND versions after 9.5. Furthermore, you cannot use the standalone libbind at this time because it installs include files into different directories.
When building BIND with libbind support you must specifically enable it as follows:
$ ./configure --enable-libbind
$ make
$ sudo make install

Be careful when installing BIND this way as you might overwrite existing BIND binaries.