Solved

Parse DNS log

Posted on 2016-10-26
3
53 Views
Last Modified: 2016-10-27
Hi all,

I have a problem parse DNS log. (On Linux)
Can you help me parse DNS log with tcpdump with the format?

timestap;ip;mac;domain

Thank you very much.
0
Comment
Question by:ldvhai
  • 2
3 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 41860404
tcpdump is a packet capture.

post a line from the dns log.
and see what passing the line through to the command below returns.
awk ' { print $1,$2,$8,$10 } '
The $1,$2 should be the date/time, $8 IP, $10 domain  not sure MAC is included in a log from DNS
0
 
LVL 2

Author Comment

by:ldvhai
ID: 41861680
Hi arnold,

These log messages: ( tcpdump -i eth0 -l -vvve dst port 53 )

13:50:03.255611 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 128, id 3104, offset 0, flags [none], proto UDP (17), length 65)
    CHRayT530.lan.65371 > HONEYNET.lan.53: [udp sum ok] 27141+ A? clients5.google.com. (37)
13:50:03.266929 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 3105, offset 0, flags [none], proto UDP (17), length 61)
    CHRayT530.lan.52645 > HONEYNET.lan.53: [udp sum ok] 5364+ A? plus.google.com. (33)
13:50:03.270809 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 3106, offset 0, flags [none], proto UDP (17), length 61)
    CHRayT530.lan.63995 > HONEYNET.lan.53: [udp sum ok] 54501+ A? www.gstatic.com. (33)
13:50:04.080532 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 3107, offset 0, flags [none], proto UDP (17), length 61)
    CHRayT530.lan.51048 > HONEYNET.lan.53: [udp sum ok] 17380+ A? apis.google.com. (33)


Format:
timestap;ip;mac;domain

Help me!

Thanks,
0
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 41862621
Position $1 is the time stamp
Position $2 is the source of the packet
Position $5 is the destination of the packet

This is not a log, this is a tcpdump packet revord, you can enable DNS logging
What are you after, try using rndc on your DNS server to set its logging level and see if that is the information you are after.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Linux users are sometimes dumbfounded by the severe lack of documentation on a topic. Sometimes, the documentation is copious, but other times, you end up with some obscure "it varies depending on your distribution" over and over when searching for …
Background Still having to process all these year-end "csv" files received from all these sources (including Government entities), sometimes we have the need to examine the contents due to data error, etc... As a "Unix" shop, our only readily …
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now