Parse DNS log

Posted on 2016-10-26
Medium Priority
Last Modified: 2016-10-27
Hi all,

I have a problem parsing a DNS log (on Linux).
Can you help me parse a DNS log from tcpdump in this format?


Thank you very much.
Question by: ldvhai

Expert Comment

ID: 41860404
tcpdump is a packet capture tool.

Post a line from the DNS log,
and see what passing the line through the command below returns:
awk ' { print $1,$2,$8,$10 } '
$1 and $2 should be the date/time, $8 the IP, $10 the domain. Not sure a MAC is included in a log from DNS.

Author Comment

ID: 41861680
Hi arnold,

These are the log messages (from: tcpdump -i eth0 -l -vvve dst port 53 ):

13:50:03.255611 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 128, id 3104, offset 0, flags [none], proto UDP (17), length 65)
    CHRayT530.lan.65371 > HONEYNET.lan.53: [udp sum ok] 27141+ A? clients5.google.com. (37)
13:50:03.266929 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 3105, offset 0, flags [none], proto UDP (17), length 61)
    CHRayT530.lan.52645 > HONEYNET.lan.53: [udp sum ok] 5364+ A? plus.google.com. (33)
13:50:03.270809 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 3106, offset 0, flags [none], proto UDP (17), length 61)
    CHRayT530.lan.63995 > HONEYNET.lan.53: [udp sum ok] 54501+ A? www.gstatic.com. (33)
13:50:04.080532 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 3107, offset 0, flags [none], proto UDP (17), length 61)
    CHRayT530.lan.51048 > HONEYNET.lan.53: [udp sum ok] 17380+ A? apis.google.com. (33)


Help me!


Accepted Solution

arnold earned 2000 total points
ID: 41862621
Position $1 is the timestamp.
Position $2 is the source of the packet.
Position $5 is the destination of the packet.

This is not a log; this is a tcpdump packet record. You can enable DNS logging.
What are you after? Try using rndc on your DNS server to set its logging level and see if that is the information you are after.
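Both answers above pick awk field positions by eye, but a tcpdump -vvve record is two lines (the Ethernet/IP header line and the indented UDP/DNS line), so a single print of $1,$2,$5 does not give the tuple ldvhai wants. As an added example, not code from the thread or from arnold, here is a POSIX sh/awk function that joins each two-line record into one CSV row: time, source and destination MAC, source and destination host and port, DNS transaction ID, query type and query name. It assumes the capture was taken with the options shown above (-vvve and dst port 53, queries only); the first two sample records are copied from the thread, the third record (the 192.168.1.x addresses and the AAAA query) is made up for the example.

```shell
# Added example (not from the thread): turn two-line tcpdump -vvve records
# into one CSV row per DNS query.
# Columns: time,src_mac,dst_mac,src_host,src_port,dst_host,dst_port,txid,qtype,qname
# Usage:  tcpdump -i eth0 -l -vvve 'dst port 53' | parse_dns_dump
parse_dns_dump() {
    awk '
    # Host/port pair like "CHRayT530.lan.65371" or "10.0.0.5.53": split on the last dot.
    function split_hp(hp, out) {
        out["p"] = hp; sub(/.*\./, "", out["p"])
        out["h"] = hp; sub(/\.[^.]*$/, "", out["h"])
    }
    # Header line: starts with a timestamp and is not indented.
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ / {
        ts = $1; src_mac = "-"; dst_mac = "-"
        # With -e the source MAC is $2 and the destination MAC follows the ">" token;
        # without -e there is no MAC at all, so keep "-" rather than a wrong field.
        if ($2 ~ /^[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:/) {
            src_mac = $2
            for (i = 3; i < NF; i++) if ($i == ">") { dst_mac = $(i + 1); break }
        }
        next
    }
    # Indented continuation line:
    #   src.port > dst.port: [udp sum ok] txid+ TYPE? name. (len)
    /^[ \t]/ && ts != "" {
        sub(/:$/, "", $3)
        split_hp($1, s); split_hp($3, d)
        qi = 0
        for (i = 4; i <= NF; i++) if ($i ~ /\?$/) { qi = i; break }
        if (qi == 0) { ts = ""; next }                  # not a query: skip the record
        txid = $(qi - 1); sub(/[^0-9].*$/, "", txid)    # drop flag suffixes such as "+" or "+%"
        qtype = $qi; sub(/\?$/, "", qtype)
        qname = $(qi + 1); sub(/\.$/, "", qname)        # drop the trailing root dot
        printf "%s,%s,%s,%s,%s,%s,%s,%s,%s,%s\n", ts, src_mac, dst_mac, s["h"], s["p"], d["h"], d["p"], txid, qtype, qname
        ts = ""
    }'
}

# Constructed sample input: the first two records are copied from the thread,
# the third is made up (tcpdump -n style IP addresses, an AAAA query) to show the
# parser does not depend on resolved hostnames or on the query type being A.
sample_dump() {
    cat <<'EOF'
13:50:03.255611 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 128, id 3104, offset 0, flags [none], proto UDP (17), length 65)
    CHRayT530.lan.65371 > HONEYNET.lan.53: [udp sum ok] 27141+ A? clients5.google.com. (37)
13:50:03.266929 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 3105, offset 0, flags [none], proto UDP (17), length 61)
    CHRayT530.lan.52645 > HONEYNET.lan.53: [udp sum ok] 5364+ A? plus.google.com. (33)
13:50:05.000001 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 3108, offset 0, flags [none], proto UDP (17), length 61)
    192.168.1.23.40000 > 192.168.1.1.53: [udp sum ok] 4242+ AAAA? mail.example.net. (34)
EOF
}

# Stand-alone run: print the parsed rows.
sample_dump | parse_dns_dump
```

Two caveats for live use. Add -n to the tcpdump command (tcpdump -i eth0 -l -nvvve 'dst port 53'): without it tcpdump reverse-resolves every address it prints, and those lookups are themselves DNS queries that land in your own capture. The function only handles queries; if you widen the filter to port 53 in both directions, response records have a different payload line and are skipped by the qi == 0 check rather than misparsed.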
