Capture data

PCAP

Capture DNS data in the PCAP format, e.g. using the tcpdump utility. The files can be compressed using one of the following compression algorithms:

  • gzip
  • xz

The PCAP filename must end with one of the following extensions:

  • .pcap (no compression)
  • .pcap.gz (gzip compression)
  • .pcap.xz (xz compression)

Creating a PCAP-file

The following example script can be used to create PCAP files containing network data; each file will contain 5 minutes of data. Make sure that you do not create files that are too big: do not create files larger than 500MB. Larger files can cause the memory usage of ENTRADA to increase.

The example script captures DNS traffic over both TCP and (fragmented) UDP. The ip[6:2] & 0x1fff != 0 part of the filter matches IPv4 packets with a non-zero fragment offset, i.e. the second and later fragments of a fragmented request: these fragments do not carry the UDP header with the port number, so a plain port 53 filter would miss them. The PCAP decoder logic expects PCAP files to be compressed with gzip and to have the filename format <filename>.pcap.gz.

Make sure the filename includes a timestamp, e.g. example-file-2020-11-05:10:11:12.pcap.gz.
ENTRADA sorts the files based on the filename; to ensure correct transitions between file contents, the files must be imported by ENTRADA in the order in which they were created.
Use the entrada.input.file.skipfirst option to prevent ENTRADA from reading the newest file, as this file might still be being written to.

Modify the HOST_V4 and HOST_V6 variables to contain the IP addresses of the name server. If no IPv6 address is available, remove all HOST_V6 references or use a dummy address. Change the HOSTNAME_PREFIX variable to match the hostname of the server.

#!/usr/bin/env bash

SCRIPT_DIR=$(dirname "$0")
# config.sh is expected to define DUMPDIR, the directory the PCAP files are written to
source "$SCRIPT_DIR/config.sh"

# change the IP addresses to the correct server addresses!
HOST_V4=xxx.xx.xxx.xxx
HOST_V6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
HOSTNAME_PREFIX=xxx
INTERFACE=eth1

# use ip[6:2] & 0x1fff != 0 to also capture fragmented packets
# -G 300 starts a new file every 5 minutes; the %Y-%m-%d_%H:%M template puts the
# rotation time in the filename so that the files sort in creation order.
# The filter is double-quoted so that $HOST_V4 and $HOST_V6 are expanded, and
# ${HOSTNAME_PREFIX} is braced because $HOSTNAME_PREFIX_ would be read as a
# variable named HOSTNAME_PREFIX_.
tcpdump -i "$INTERFACE" -w "${DUMPDIR}/${HOSTNAME_PREFIX}_%Y-%m-%d_%H:%M.pcap" -G 300 \
  "(( port 53 or ip[6:2] & 0x1fff != 0) or icmp or icmp6 ) and ( host $HOST_V4 or host $HOST_V6 )"
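As an added example that is not part of ENTRADA or of the script above, the following shell functions check a capture directory against the rules described on this page before ENTRADA is pointed at it: accepted extensions, a timestamp in the name, the 500MB limit, import in filename order and holding back the newest file. The function names and the timestamp pattern are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not part of ENTRADA: sanity-check a capture directory against
# the rules above. Function names and the timestamp pattern are assumptions.

MAX_BYTES=$((500 * 1024 * 1024))   # the 500MB limit mentioned above

# Return 0 if the filename is acceptable: extension .pcap, .pcap.gz or .pcap.xz
# and a date plus time in the name, so that sorting by name gives creation order
# (matches the tcpdump -w template above and example-file-2020-11-05:10:11:12.pcap.gz).
pcap_name_ok() {
    case "$1" in
        *.pcap|*.pcap.gz|*.pcap.xz) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '[0-9]{4}-[0-9]{2}-[0-9]{2}[_:T][0-9]{2}:[0-9]{2}'
}

# Return 0 if the file is not larger than MAX_BYTES.
pcap_size_ok() {
    [ "$(wc -c < "$1" | tr -d ' ')" -le "$MAX_BYTES" ]
}

# Print, in ENTRADA's import order (plain string order of the filename, hence
# LC_ALL=C), the files in directory $1 that pass both checks. The newest file is
# held back because it may still be written to, which is what
# entrada.input.file.skipfirst does. Rejected files are reported on stderr.
list_importable() {
    dir=$1
    ls -1 "$dir" | LC_ALL=C sort | {
        prev=""
        while IFS= read -r name; do
            if ! pcap_name_ok "$name"; then
                echo "skip $name: wrong extension or no timestamp in name" >&2
                continue
            fi
            if ! pcap_size_ok "$dir/$name"; then
                echo "skip $name: larger than 500MB" >&2
                continue
            fi
            # emit the previously accepted file; the last accepted one stays held back
            [ -n "$prev" ] && printf '%s\n' "$prev"
            prev=$name
        done
    }
}

if [ $# -gt 0 ]; then
    list_importable "$1"
fi
```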