If you are interested in malware-related activity, you may not want to limit it to only port 53. You would have to write tcpdump filters around the specific flags that specify DNS traffic.
On Tue, May 28, 2013 at 10:55 AM, Jon Molesa <[email protected]> wrote:
> To create a pcap that contains only dns lookups: tcpdump -vvv -i wan0 -s 0 -l port 53 -w dns-only.pcap.
>
> To parse a larger pcap containing other protocols: tcpdump -vvv -s 0 -l port 53 -r alltraffic.pcap.
>
>
> On Sun, May 26, 2013 at 9:53 PM, Tim Parker <[email protected]> wrote:
>
>> What's the best way to capture and analyze DNS queries and responses on
>> my LAN? Are there any good tools out there for this? I can run a full
>> capture on the WAN interface, but then what's good for automating the
>> extraction of the DNS traffic?
>>
>> Thanks!
>>
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
>>
>
>
> --
> Jon Molesa
> [email protected]
>
> Aoccdrnig to rscheearch at an Elingsh uinervtisy, it deosn't mttaer in waht
> oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist
> and lsat ltteer are in the rghit pclae. The rset can be a toatl mses and
> you can sitll raed it wouthit a porbelm. Tihs is bcuseae we do not raed
> ervey lteter by it slef but the wrod as a wlohe and the biran fguiers it
> out aynawy.
>
> ... so please excuse me for every typo in the email above.
>
> Reference: https://github.com/Ettercap/ettercap/blob/master/README
>

--
_________________________________
Note to self: Pillage BEFORE burning.
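As an added example that is not part of this thread: a stdlib-only Python check that recognises DNS messages by their header and question-section structure rather than by the UDP port, the approach the reply above suggests for resolvers that do not sit on port 53. The function names, the sample query bytes and the packet list are constructed for this example; a real run would feed it UDP payloads pulled from a pcap.

```python
import struct

# Constructed sample payloads (not from the thread): a DNS A query for example.com, and plain text.
DNS_QUERY = bytes.fromhex(
    "1a2b" "0100"                 # transaction ID; flags: query, opcode 0, RD set
    "0001" "0000" "0000" "0000"   # QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    "076578616d706c6503636f6d00"  # QNAME: 7 "example" 3 "com" 0
    "0001" "0001")                # QTYPE A, QCLASS IN
NOT_DNS = b"hello world, this is not a dns message"

def parse_qname(data, offset):
    """Parse an uncompressed DNS name; return (name, offset after it) or None."""
    labels = []
    while offset < len(data):
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0 or offset + length > len(data):
            return None  # compression pointer (not valid in a question) or truncated label
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return None  # ran off the end without a terminating zero label

def looks_like_dns(payload):
    """Structural DNS check, independent of the UDP port; header fields and questions, or None."""
    if len(payload) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 2 or not 1 <= qd <= 4:  # only QUERY/IQUERY/STATUS and a sane QDCOUNT
        return None
    off, questions = 12, []
    for _ in range(qd):
        parsed = parse_qname(payload, off)
        if parsed is None or parsed[1] + 4 > len(payload):
            return None
        name, off = parsed
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    return {"id": txid, "response": bool(flags >> 15), "opcode": opcode, "questions": questions}

def find_dns(packets):
    """(udp dst port, payload) pairs -> (port, question names) for every payload that parses as DNS."""
    return [(port, [q[0] for q in msg["questions"]])
            for port, payload in packets
            if (msg := looks_like_dns(payload)) is not None]

SAMPLE_PACKETS = [(53, DNS_QUERY), (8053, DNS_QUERY), (53, NOT_DNS)]  # constructed traffic
```

The second hit in `find_dns(SAMPLE_PACKETS)` is the same query on port 8053, which a plain `port 53` filter would never show; the plain-text payload on port 53 is rejected because its opcode field is out of range.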
