Parse DNS log

Posted on 2016-10-26
Last Modified: 2016-10-27
Hi all,

I have a problem parsing a DNS log (on Linux).
Can you help me parse a DNS log with tcpdump into the following format?

timestamp;ip;mac;domain

Thank you very much.
Question by: ldvhai

3 Comments
Expert Comment by: arnold
ID: 41860404
tcpdump is a packet capture.

Post a line from the DNS log and see what passing the line through the command below returns:
awk ' { print $1,$2,$8,$10 } '
$1 and $2 should be the date/time, $8 the IP and $10 the domain; not sure a MAC is included in a log from DNS.

Author Comment by: ldvhai
ID: 41861680
Hi arnold,

These are the log messages (from tcpdump -i eth0 -l -vvve dst port 53):

13:50:03.255611 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 128, id 3104, offset 0, flags [none], proto UDP (17), length 65)
    CHRayT530.lan.65371 > HONEYNET.lan.53: [udp sum ok] 27141+ A? clients5.google.com. (37)
13:50:03.266929 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 3105, offset 0, flags [none], proto UDP (17), length 61)
    CHRayT530.lan.52645 > HONEYNET.lan.53: [udp sum ok] 5364+ A? plus.google.com. (33)
13:50:03.270809 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 3106, offset 0, flags [none], proto UDP (17), length 61)
    CHRayT530.lan.63995 > HONEYNET.lan.53: [udp sum ok] 54501+ A? www.gstatic.com. (33)
13:50:04.080532 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 3107, offset 0, flags [none], proto UDP (17), length 61)
    CHRayT530.lan.51048 > HONEYNET.lan.53: [udp sum ok] 17380+ A? apis.google.com. (33)


Format:
timestamp;ip;mac;domain

Help me!

Thanks,

Accepted Solution by: arnold (earned 2000 total points)
ID: 41862621
Position $1 is the time stamp.
Position $2 is the source of the packet.
Position $5 is the destination of the packet.

This is not a log; this is a tcpdump packet record. You can enable DNS logging.
What are you after? Try using rndc on your DNS server to set its logging level and see if that is the information you are after.