tcp-dns-stats

No state-of-the-art Python. Just a bunch of scripts to get elementary information about DNS over TCP queries from pcap packet captures. Works well with DNS-OARC DITL data.

Dependencies

  • tshark
  • Python 2 (see requirements.txt)

Scripts

Convert a pcap to a trace (CSV list) that the other scripts in this repository can read later:

$ generate-trace.sh ./capture.pcapng > trace.txt
$ cat trace.txt
frame.time_relative	tcp.stream	ip.src	ipv6.src	tcp.srcport	ip.dst	ipv6.dst	tcp.dstport	dns.id	dns.flags.response	dns.qry.type
0.000000000	0	203.0.113.123		51346	198.51.100.2		53
0.000040000	0	198.51.100.2		53	203.0.113.123		51346
0.001024000	0	203.0.113.123		51346	198.51.100.2		53
0.001113000	0	203.0.113.123		51346	198.51.100.2		53	0x0000e3b1	0	1
0.001135000	0	198.51.100.2		53	203.0.113.123		51346
0.002402000	0	198.51.100.2		53	203.0.113.123		51346	0x0000e3b1	1	1
0.003386000	0	203.0.113.123		51346	198.51.100.2		53
0.003432000	0	203.0.113.123		51346	198.51.100.2		53
0.003601000	0	198.51.100.2		53	203.0.113.123		51346
0.004587000	0	203.0.113.123		51346	198.51.100.2		53
...

Queries per session (connection) stats:

$ ./qps-analyse.py trace_1.txt > trace_1.json
$ ./qps-analyse.py trace_2.txt > trace_2.json
$ ./qps-sum-clients.py trace_*.json > sum_clients.json
$ ./qps-sum-histogram.py trace_*.json > sum_histogram.json
$ ./qps-graph-histogram.py sum_histogram.{json,png,txt}
$ cat sum_histogram.txt
# q/session	count (relative)	queries (relative)
0	24314732 (37.3044 %)	0 (0.0000 %)
1	37740432 (57.9024 %)	37740432 (80.6956 %)
2	1668266 (2.5595 %)	3336532 (7.1341 %)
...
$ ./qps-txt-clients.py sum_clients.json > info_clients.txt
$ cat info_clients.txt
# asn	queries_info	sessions_info	avg_qpsession	queries	sessions
AS 1111 (Corp A)	2 (0.000 %)	1 (0.000 %)	2.00	2	1
AS 2222 (Corp B)	8 (0.000 %)	4 (0.000 %)	2.00	8	4
AS 3333 (Corp C)	2 (0.000 %)	1 (0.000 %)	2.00	2	1
...
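
To make the histogram columns concrete, the following added example (not code from this repository, and written for Python 3 rather than the Python 2 the scripts target) computes queries per session from a trace in the format shown above. The function names and sample rows are constructed for illustration, and it assumes that several DNS messages carried in one TCP segment appear as comma-joined field values, which is tshark's default aggregation for repeated fields.

```python
import csv
import io
from collections import Counter

COLUMNS = ["frame.time_relative", "tcp.stream", "ip.src", "ipv6.src", "tcp.srcport",
           "ip.dst", "ipv6.dst", "tcp.dstport", "dns.id", "dns.flags.response",
           "dns.qry.type"]

# Constructed sample: stream 0 carries one query, stream 1 is a handshake only,
# stream 2 carries two queries in one segment (assumed to be comma-joined by tshark).
SAMPLE_ROWS = [
    "0.000000\t0\t203.0.113.123\t\t51346\t198.51.100.2\t\t53",
    "0.001113\t0\t203.0.113.123\t\t51346\t198.51.100.2\t\t53\t0x0000e3b1\t0\t1",
    "0.002402\t0\t198.51.100.2\t\t53\t203.0.113.123\t\t51346\t0x0000e3b1\t1\t1",
    "0.500000\t1\t203.0.113.7\t\t40000\t198.51.100.2\t\t53",
    "0.900000\t2\t\t2001:db8::1\t40001\t\t2001:db8::53\t53\t0x0001,0x0002\t0,0\t1,28",
    "0.901000\t2\t\t2001:db8::53\t53\t\t2001:db8::1\t40001\t0x0001,0x0002\t1,1\t1,28",
]
SAMPLE_TRACE = "\t".join(COLUMNS) + "\n" + "\n".join(SAMPLE_ROWS) + "\n"


def queries_per_session(trace_text):
    """Map tcp.stream -> number of DNS queries (dns.flags.response == 0)."""
    sessions = Counter()
    reader = csv.DictReader(io.StringIO(trace_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        stream = row["tcp.stream"]
        sessions[stream] += 0  # register sessions that never carry a query
        # Packets without a DNS payload have short rows; the field is then None.
        flags = row.get("dns.flags.response") or ""
        sessions[stream] += sum(1 for f in flags.split(",") if f == "0")
    return dict(sessions)


def histogram(per_session):
    """Rows of (q/session, sessions, sessions %, queries, queries %)."""
    buckets = Counter(per_session.values())
    total_sessions = sum(buckets.values())
    total_queries = sum(q * n for q, n in buckets.items()) or 1
    return [(q, n, 100.0 * n / total_sessions, q * n, 100.0 * q * n / total_queries)
            for q, n in sorted(buckets.items())]


if __name__ == "__main__":
    print("# q/session\tcount (relative)\tqueries (relative)")
    for q, n, n_pct, queries, q_pct in histogram(queries_per_session(SAMPLE_TRACE)):
        print("%d\t%d (%.4f %%)\t%d (%.4f %%)" % (q, n, n_pct, queries, q_pct))
```

Sessions that complete a handshake but never send a query land in the `0` row, which is why that row has a session count but contributes no queries.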

Queries per packet (not connection) stats:

$ qpp-analyse.py trace_1.txt > qpp_1.json
$ qpp-analyse.py trace_2.txt > qpp_2.json
$ qps-sum-clients.py qpp_*.json > sum_clients_qpp.json
$ qpp-sum-histogram.py qpp_*.json > sum_histogram_qpp.json
$ qpp-graph-histogram.py sum_histogram_qpp.json qpp.png

Mean time between queries:

$ qppmean-analyse.py trace_1.txt > mean_1.json
$ qppmean-analyse.py trace_2.txt > mean_2.json
$ qppmean-sum.py mean_1.json mean_2.json > sum_mean.json
$ qppmean-graph.py sum_mean.json mean.png

Parallelize analysing traces:

$ command ls -1 ditl2016/org/server/*.pcap | parallel -j16 -n1 par-pcap2trace.sh ./traces
$ command ls -1 traces/*.txt | parallel -j16 -n1 par-analyse-trace.sh ./qps-analyse.py ./qps.results

License

Copyright 2016 Jan Vcelak

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.