Comparing capture with Wireshark and Dnscap

Christian Huitema edited this page Feb 8, 2018 · 1 revision

The ithitools allow for two ways of capturing information about DNS traffic:

  • Capture a slice of traffic in a PCAP file, using for example Wireshark, and use "ithitools -c" to extract the relevant data;
  • Or, use dnscap (https://www.dns-oarc.net/tools/dnscap) to capture DNS traffic, and use the "ithicap" extension to dnscap to extract the data.

Both tools will end up with the same result, but unless you need to keep track of all traffic sent to the DNS server, using dnscap is much more economical. Compare the following data:

  • The typical capture session aims at capturing 1 million transactions, so we can get good statistics.
  • With Wireshark, these transactions will be captured in a PCAP file, with 1 million queries and as many responses. Given the per-packet overhead, this probably means a couple of GB on disk.
  • Once the capture is done, you will need to run "ithitools -o <capture-file.csv> -c <capture.pcap>" to extract the relevant data.
  • In contrast, with dnscap, the capture is directly piped to the "ithicap" extension, as in "dnscap ... -P libithicap.so -o <capture-file.csv>". There is no need for a second step, and you only need to worry about the capture result, a CSV file containing a few KB of data.

There are other benefits to using dnscap for capture. For example, if you want to capture a million transactions, you can just say so using dnscap control parameters. With Wireshark, you will have to let the capture run for some time, hoping that the time slice corresponds to the desired number of transactions. Also, dnscap will allow you to capture both UDP and TCP transactions, while "ithitools -c" will only extract UDP transactions from the PCAP files.