DNSCAP Paul Vixie, ISC with Duane Wessels, Measurement Factory July 2007.

Slides:



Advertisements
Similar presentations
Appmon: a tool for monitoring of application jobs T2.1 Subtask: Monitoring of application jobs coordinator: A. Kryukov (SINP MSU), V. Edneral (SINP MSU),
Advertisements

Updates to ‘dnscap’ Duane Wessels DNS-OARC Workshop Dublin May 12, 2013.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
1 Microsoft Access 2002 Tutorial 9 – Automating Tasks With Macros.
Pre-defined System Functions Simple IF & VLOOKUP.
System Design and Memory Limits. Problem  If you were integrating a feed of end of day stock price information (open, high, low, and closing price) for.
Linux+ Guide to Linux Certification, Second Edition
Automating Tasks With Macros. 2 Design a switchboard and dialog box for a graphical user interface Database developers interact directly with Access.
Guide To UNIX Using Linux Third Edition
Lecture 02CS311 – Operating Systems 1 1 CS311 – Lecture 02 Outline UNIX/Linux features – Redirection – pipes – Terminating a command – Running program.
SNMP Simple Network Management Protocol
Introduction to Unix – CS 21 Lecture 5. Lecture Overview Lab Review Useful commands that will illustrate today’s lecture Streams of input and output File.
Figure 1. Hit analysis in 2002 of database-driven web applications Hits by Category in 2002 N = 73,873 Results Reporting 27% GME 26% Research 20% Bed Availability.
Filters using Regular Expressions grep: Searching a Pattern.
Linux Networking Commands
Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.
Linux Operations and Administration
Agenda  Terminal Handling in Unix File Descriptors Opening/Assigning & Closing Sockets Types of Sockets – Internal(Local) vs. Network(Internet) Programming.
Week 7 Working with the BASH Shell. Objectives  Redirect the input and output of a command  Identify and manipulate common shell environment variables.
Chapter Four UNIX File Processing. 2 Lesson A Extracting Information from Files.
Guide To UNIX Using Linux Fourth Edition
BIF703 stdin, stdout, stderr Redirection. stdin, stdout, stderr Recall the Unix philosophy “do one thing well”. Unix has over one thousand commands (utilities)
Copyright © 2007, Oracle. All rights reserved. Managing Concurrent Requests.
Chapter Three The UNIX Editors. 2 Lesson A The vi Editor.
Linux+ Guide to Linux Certification, Third Edition
Linux+ Guide to Linux Certification Chapter Eight Working with the BASH Shell.
Basic & Advanced Reporting in TIMSNT ** Part Two **
The Internet 8th Edition Tutorial 4 Searching the Web.
Stuart Wakefield Imperial College London Evolution of BOSS, a tool for job submission and tracking W. Bacchi, G. Codispoti, C. Grandi, INFN Bologna D.
Real-time multimedia and communication in packet networks Asterisk AGI and Manager Interface.
Agenda Getting Started: Using Unix Unix Structure / Features Elements of the Unix Philosophy Unix Command Structure Command Line Editing Online Unix Command.
MapReduce Kristof Bamps Wouter Deroey. Outline Problem overview MapReduce o overview o implementation o refinements o conclusion.
Microsoft FrontPage 2003 Illustrated Complete Creating a Form.
Network Analyzer :- Introduction to Wireshark. What is Wireshark ? Ethereal Formerly known as Ethereal GUINetwork Protocol Analyzer Wireshark is a GUI.
Manipulating Files Refresher. The touch Command touch is used to create a new, empty file. If the file already exists, touch updates the time and date.
Ralph Lange: CA Gateway Update CA Gateway Update Ralph Lange – EPICS Collaboration Meeting March SSRF.
OPTION section It is the first section of the named.conf User can use only one option statement and many option-value pair under the section. Syntax is.
Linux+ Guide to Linux Certification, Second Edition
Announcements Assignment 1 due Wednesday at 11:59PM Quiz 1 on Thursday 1.
© Copyright 2014 TONE SOFTWARE CORPORATION. Confidential and Proprietary. All rights reserved. ® Administrator Training – Release Alarms Administration.
BIF713 Introduction to Linux. Agenda Getting Started: Using Linux Unix and Linux - Structure / Features Elements of the Linux Philosophy Linux Command.
Basic Navigation in Oracle R12 BY: Muhammad Irfan.
Chapter 4: server services. The Complete Guide to Linux System Administration2 Objectives Configure network interfaces using command- line and graphical.
Linux Administration Working with the BASH Shell.
In this session, you will learn to: Create and manage views Implement a full-text search Implement batches Objectives.
1 Not just UNIQUE Jeff Davis Truviso, Inc.. 2 Why is UNIQUE so unique? ● Only constraint where two tuples can conflict with eachother – That is, the existence.
Emdeon Office Batch Management Services This document provides detailed information on Batch Import Services and other Batch features.
CIRC Summer School 2016 Baowei Liu
eInvoice Business Process
Development Environment
Partner Managed Inventory (PMI) Process
CS 330 Class 7 Comments on Exam Programming plan for today:
CIRC Summer School 2017 Baowei Liu
Paul Vixie, ISC with Duane Wessels, Measurement Factory July, 2007
Network Commands 2 Linux Ubuntu A.S.
A Quick Guide to Ethereal/Wireshark
Guide To UNIX Using Linux Third Edition
stdin, stdout, stderr Redirection
SNORT.
DUCKS – Distributed User-mode Chirp-Knowledgeable Server
The Internet and HTTP and DNS Examples
What’s changed in the Shibboleth 1.2 Origin
Chapter Four UNIX File Processing.
Python’s Standard library part I
Network Analyzer :- Introduction to Wireshark
Network Analyzer :- Introduction to Wireshark
Power Efficiency for Individually Addressed Frames Reception
Virtual Private Network
LPI Linux Certification
Presentation transcript:

DNSCAP Paul Vixie, ISC with Duane Wessels, Measurement Factory July 2007

Things TCPDUMP Won't Do ➲ Close/reopen output files on a set schedule ➲ Search by DNS message type ➲ Select by DNS initiator or responder ➲ Listen to multiple interfaces ➲ Dump messages in DiG (text) format ➲ Select messages using regular expressions

Output File Scheduling ➲ Motivations: ● hourly (or some interval) output files ● megapacket (or some other size) output files ➲ Mechanisms: ● “-b xxx” option sets output file base name ● files are called xxx.$seconds.$microseconds ● (e.g., pcap-f-sfo ) ● also, “-k gzip” would fork/exec a gzip command with the file name as its argument, on close ● (usually -k refers to a more complex script that's also capable of scp'ing the new file to an analysis host)

Searching by DNS Msg Type ➲ Motivations: ● sometimes we only want queries, or updates, or (someday) notifies ● sometimes we only want initiations, or responses ● sometimes we want errors, sometimes not ➲ Mechanisms: ● “-m [quir]” selects queries, updates, initiations, responses ● “-e [yn]” selects noerrors, errors ● multiple types can be selected

Selecting Initiators & Responders ➲ Motivation: ● The BPF pattern for “all messages for which host xxx is the initiator” is quite complex ● Some user mode filtering is also required ➲ Mechanisms: ● “-q xxx” adds host xxx to the list of interesting initiators ● “-r yyy” adds host yyy to the list of interesting responders ● both sides of selected transactions are selected

Multiple Interfaces ➲ Motivations: ● on multihomed hosts and monitoring clusters, DNS packet data can appear on more than one network interface ● on Linux, there's a pseudointerface called “all” that sometimes matches expectations ➲ Mechanisms: ● “-i ifname” can be specified more than once ● each one opens a separate bpf file descriptor ● output packets are interspersed, mostly in order of receipt

Dumping in DiG Format ➲ Motivations: ● often we want to see the full DNS message in presentation (text) format ● TCPDUMP only shows a one-line summary ➲ Mechanisms: ● “-g” sends DiG-like output to stderr ➲ Design Notes: ● stdout already reserved for binary pcap output ● we might someday also teach DiG to read pcap

Regular Expression Searching ➲ Motivations: ● for security work, it's often desirable to select DNS messages based on regular expressions ● post-processing DiG-style output is painful ➲ Mechanisms: ● “-x pat” adds to a list of patterns which must match the presentation form of the qname or of one of the answer, authority, or additional RRs ● “-n” reverses the sense of all “-x”, so, messages must not match ● (this is per-message not per-transaction)

Status ➲ DNSCAP RC5 is available via anoncvs, see ➲ Have delayed the “final release” while the command line syntax evolves and settles ➲ It's time to declare that it's finished, and focus on other work (NCAP) ➲ These features and ideas should be revisited as part of a larger NCAP toolworks