From 68d796e03b49b07a8d4e15d3673948fafe10a8b1 Mon Sep 17 00:00:00 2001
From: Paul Ferrell
Date: Wed, 20 Mar 2013 14:51:42 -0600
Subject: [PATCH] Added a README file. Added additional documentation to the -h output.
---
 README | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 dns_parse.c | 19 ++++++++++++++++---
 2 files changed, 64 insertions(+), 3 deletions(-)
 create mode 100644 README
diff --git a/README b/README
new file mode 100644
index 0000000..b8fb092
--- /dev/null
+++ b/README
@@ -0,0 +1,48 @@
+-- OVERVIEW --
+dns_parse takes as input a pcap of DNS data and produces a comple, trivially
+parsable, human readable ASCII version of the same data. It's generally useful
+for network monitoring (send the data to Splunk or similar). The most common
+carrying are supported, as well as packet deduplication.
+
+-- SUPPORTED PROTOCOLS --
+Ethernet
+MPLS
+IPv4 (including fragment reassembly)
+IPv6 (including fragment reassembly)
+UDP
+TCP (with flow state saving and loading between pcaps)
+DNS (on any port)
+
+-- AUTHOR INFO --
+Paul Ferrell
+pferrell@lanl.gov
+
+-- CONTENTS --
+Code to build bin/dns_parse.
+init/dnscapture - An init script for running tcpdump on an interface as a
+service to generate regular pcap files.
+bin/dns_parse_cron - A python cron job script for periodically running dns_parse
+on regularly output pcap files (generally from using the -C or -G options in
+tcpdump).
+pkgs/dns_parse.spec - An RPM spec file, for those dinosaurs that still use these
+things (like me).
+etc/* - example config files for init/dnscapture and bin/dns_parse_cron
+
+-- DEPENDENCIES --
+libpcap
+
+-- OS Dependencies --
+This has been tested primarily on x86_64 linux, but there shouldn't be any typing issues on 32 bit machines.
+
+-- BUILDING AND INSTALLING --
+make
+make install
+
+-- Running --
+"./bin/dns_parse -h" should tell you everything you need to know.
+
+A reasonable set of options is:
+./bin/dns_parse -m "" -t -r
+This gets you newline separated resource records an empty main record separator,
+pretty printed dates, and the shorthand for the record types (ie. A or CNAME).
+Printing of additional and name server records is disabled (by default).
diff --git a/dns_parse.c b/dns_parse.c
index ab16811..4e86043 100644
--- a/dns_parse.c
+++ b/dns_parse.c
@@ -1,4 +1,3 @@
-//#include
 #include
 #include
 #include
@@ -12,7 +11,7 @@
 #include "strutils.h"
 // If you want a reasonable place to start walking through the code,
-// go to the 'handler' function at the end.
+// go to the 'handler' function.
 #define DEFAULT_TCP_STATE_PATH "/tmp/dnsparse_tcp.state"
 void handler(uint8_t *, const struct pcap_pkthdr *, const uint8_t *);
@@ -224,7 +223,21 @@ int main(int argc, char **argv) {
 " record occurred via stderr when processing completes.\n"
 "-x\n"
 " Exclude the given reservation record types by \n"
- " number. This option can be given multiple times.\n",
+ " number. This option can be given multiple times.\n"
+ "\n"
+ "Supported protocols:\n"
+ "DNS can ride on a number of protocols, and dns_parse supports\n"
+ "a fair number of them, including:\n"
+ "Ethernet, MPLS, IPv4, IPv6, UDP and TCP.\n"
+ "IPv4 and IPv6 fragments - fragments are reassembled, but data\n"
+ " may be lost if the fragments are split across multiple pcaps.\n"
+ "TCP reassembly - TCP packets are reassembled, but the resulting\n"
+ " data may be offset from their time of occurance. Partial flow\n"
+ " reassembly is supported; long flows are printed whenever a \n"
+ " a lull in that flow occurs (500 ms since the last packet, \n"
+ " this can only be changed at compile time).\n"
+ " TCP flow state is saved at the end of execution, and loaded\n"
+ " at the beginning. See the -S option to disable.\n",
 DEFAULT_TCP_STATE_PATH);
 return -1;
 }
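Review bot: The new -h text in the second hunk on this line has two wording defects that every user of the help output will see: "occurance" on the "data may be offset" line, and a duplicated article across the line break ("whenever a \n" followed by " a lull in that flow occurs"). Suggest `" data may be offset from their time of occurrence. Partial flow\n"` and `" reassembly is supported; long flows are printed whenever\n"`, leaving the following `" a lull in that flow occurs (500 ms since the last packet, \n"` line as it is. The 500 ms lull is described as fixed at compile time; if that value is a named constant elsewhere in the file, passing it as a format argument the way DEFAULT_TCP_STATE_PATH already is would keep the help text from drifting from the code. main() begins before this hunk, and the closing brace at the hunk's end appears to close the usage branch rather than main itself.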