Solved

Parse DNS log

Posted on 2016-10-26
3
63 Views
Last Modified: 2016-10-27
Hi all,

I have a problem parse DNS log. (On Linux)
Can you help me parse DNS log with tcpdump with the format?

timestap;ip;mac;domain

Thank you very much.
0
Comment
Question by:ldvhai
  • 2
3 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 41860404
tcpdump is a packet capture.

post a line from the dns log.
and see what passing the line through to the command below returns.
awk ' { print $1,$2,$8,$10 } '
The $1,$2 should be the date/time, $8 IP, $10 domain  not sure MAC is included in a log from DNS
0
 
LVL 2

Author Comment

by:ldvhai
ID: 41861680
Hi arnold,

These log messages: ( tcpdump -i eth0 -l -vvve dst port 53 )

13:50:03.255611 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 128, id 3104, offset 0, flags [none], proto UDP (17), length 65)
    CHRayT530.lan.65371 > HONEYNET.lan.53: [udp sum ok] 27141+ A? clients5.google.com. (37)
13:50:03.266929 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 3105, offset 0, flags [none], proto UDP (17), length 61)
    CHRayT530.lan.52645 > HONEYNET.lan.53: [udp sum ok] 5364+ A? plus.google.com. (33)
13:50:03.270809 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 3106, offset 0, flags [none], proto UDP (17), length 61)
    CHRayT530.lan.63995 > HONEYNET.lan.53: [udp sum ok] 54501+ A? www.gstatic.com. (33)
13:50:04.080532 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 3107, offset 0, flags [none], proto UDP (17), length 61)
    CHRayT530.lan.51048 > HONEYNET.lan.53: [udp sum ok] 17380+ A? apis.google.com. (33)


Format:
timestap;ip;mac;domain

Help me!

Thanks,
0
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 41862621
Position $1 is the time stamp
Position $2 is the source of the packet
Position $5 is the destination of the packet

This is not a log, this is a tcpdump packet revord, you can enable DNS logging
What are you after, try using rndc on your DNS server to set its logging level and see if that is the information you are after.
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to remove superseded packages in windows w60 or w61 installation media (.wim) or online system to prevent unnecessary space. w60 means Windows Vista or Windows Server 2008. w61 means Windows 7 or Windows Server 2008 R2. There are various …
Active Directory replication delay is the cause to many problems.  Here is a super easy script to force Active Directory replication to all sites with by using an elevated PowerShell command prompt, and a tool to verify your changes.
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now