Solved

Parse DNS log

Posted on 2016-10-26
3
83 Views
Last Modified: 2016-10-27
Hi all,

I have a problem parse DNS log. (On Linux)
Can you help me parse DNS log with tcpdump with the format?

timestap;ip;mac;domain

Thank you very much.
0
Comment
Question by:ldvhai
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 41860404
tcpdump is a packet capture.

post a line from the dns log.
and see what passing the line through to the command below returns.
awk ' { print $1,$2,$8,$10 } '
The $1,$2 should be the date/time, $8 IP, $10 domain  not sure MAC is included in a log from DNS
0
 
LVL 2

Author Comment

by:ldvhai
ID: 41861680
Hi arnold,

These log messages: ( tcpdump -i eth0 -l -vvve dst port 53 )

13:50:03.255611 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 79: (tos 0x0, ttl 128, id 3104, offset 0, flags [none], proto UDP (17), length 65)
    CHRayT530.lan.65371 > HONEYNET.lan.53: [udp sum ok] 27141+ A? clients5.google.com. (37)
13:50:03.266929 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 3105, offset 0, flags [none], proto UDP (17), length 61)
    CHRayT530.lan.52645 > HONEYNET.lan.53: [udp sum ok] 5364+ A? plus.google.com. (33)
13:50:03.270809 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 3106, offset 0, flags [none], proto UDP (17), length 61)
    CHRayT530.lan.63995 > HONEYNET.lan.53: [udp sum ok] 54501+ A? www.gstatic.com. (33)
13:50:04.080532 27:54:ec:89:9b:48 (oui Unknown) > 50:2d:a1:4b:d2:16 (oui Unknown), ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 3107, offset 0, flags [none], proto UDP (17), length 61)
    CHRayT530.lan.51048 > HONEYNET.lan.53: [udp sum ok] 17380+ A? apis.google.com. (33)


Format:
timestap;ip;mac;domain

Help me!

Thanks,
0
 
LVL 78

Accepted Solution

by:
arnold earned 500 total points
ID: 41862621
Position $1 is the time stamp
Position $2 is the source of the packet
Position $5 is the destination of the packet

This is not a log, this is a tcpdump packet revord, you can enable DNS logging
What are you after, try using rndc on your DNS server to set its logging level and see if that is the information you are after.
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Recover Lacie Edmini data. 11 65
Disabling security updates Ubuntu 3 45
Advice on ESXi 5.1 Health / Storage 1 45
Skype for Business server 6 45
I've written instructions for one router type, but this principle may be useful for others of the same brand and even other brands of router. Problem: I had an issue especially with mobile devices that refused to use DNS information supplied via…
I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension (http://www.experts-exchange.com/discussions/210281/Attachments-with-no-extension.html). This reminded me of questions tha…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question