Using Wireshark to Display DNS Requests

Here is a quick little command line that you can use to capture all the DNS traffic seen by the analyzer:

tshark -n -i 5 -R "dns.flags.response == 0"

Just replace the "-i 5" with the appropriate interface for your analyzer. The -n switch turns off name resolution so the analyzer does not generate DNS lookups of its own, and the filter keeps only DNS queries (packets whose response flag is 0), dropping the answers. Note that on current tshark releases -R is a read filter that only works together with -2 (two-pass analysis); for a live capture use -Y with the same filter expression instead. You can find out the interface numbers by using the following command:

tshark -D

If you want to get fancy, redirect the output to a text file, or use a program such as klog.exe to send it to syslog. We have used this in combination with Splunk to keep track of all the DNS queries. Splunk allows us to search the queries for specific data patterns. It is a great way to see where people are going, without a fancy proxy server.
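A fuller version of the same idea, as an added example that is not code from the original post: tshark is asked for one tab-separated line per query (timestamp, source IP, query name), and a small awk filter flags the queries worth a second look before the log ever reaches syslog or Splunk. The live capture command only appears in a comment because it needs a real interface and capture privileges; the filter itself runs on the constructed sample lines embedded below. The blocklist domains (evil.example, bad-cdn.example) and the 40-character label threshold are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Live capture would look like this
# (needs a real interface number from "tshark -D" and capture privileges):
#   tshark -n -i 5 -f "udp port 53" -Y "dns.flags.response == 0" \
#          -T fields -e frame.time_epoch -e ip.src -e dns.qry.name \
#          -E separator=/t >> /var/log/dns-queries.tsv
# -f applies a capture filter so only DNS packets are kept at all, -Y applies
# the display filter in one pass (-R needs -2 on current tshark releases), and
# -T fields prints the three columns the filter below expects.

# flag_dns_queries: read tshark field lines (epoch<TAB>src<TAB>qname) on stdin
# and print the ones matching patterns a Splunk search would also look for:
#   * a hypothetical blocklist, matched by whole domain suffix, so that
#     mail.evil.example matches but evil.example.org does not
#   * any single label longer than 40 characters (assumed threshold), a common
#     sign of data being smuggled out through DNS queries
flag_dns_queries() {
    awk -F '\t' '
        BEGIN {
            # hypothetical blocklist; a real one comes from a threat intel feed
            bad["evil.example"] = 1
            bad["bad-cdn.example"] = 1
        }
        {
            qname = tolower($3)
            sub(/\.$/, "", qname)            # strip a trailing dot, if present
            reason = ""
            n = split(qname, labels, ".")
            # walk the suffixes: a.b.evil.example, b.evil.example, evil.example, ...
            for (i = 1; i <= n && reason == ""; i++) {
                suffix = labels[i]
                for (j = i + 1; j <= n; j++) suffix = suffix "." labels[j]
                if (suffix in bad) reason = "blocklist:" suffix
            }
            if (reason == "")
                for (i = 1; i <= n; i++)
                    if (length(labels[i]) > 40) { reason = "long-label"; break }
            if (reason != "") print $1 "\t" $2 "\t" qname "\t" reason
        }'
}

# sample_queries: constructed sample output in the same three-column format
# tshark -T fields would emit; the long label is made up for the example.
sample_queries() {
    printf '%s\t%s\t%s\n' \
        1700000000.1 10.0.0.5 www.example.com \
        1700000000.2 10.0.0.7 mail.evil.example \
        1700000000.3 10.0.0.9 aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgbGFiZWwgZm9yIGV4ZmlsdHJhdGlvbg.tunnel.example \
        1700000000.4 10.0.0.5 evil.example.org
}

# Stand-alone run: flags the blocklisted query and the long-label query only.
sample_queries | flag_dns_queries
```

In production the filter sits between the capture and the log sink (tshark ... | flag_dns_queries | logger, or the whole tshark output goes to the file and only the flagged lines are forwarded), which keeps the Splunk index small while the full query log stays on disk for later searches.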