NAME

drool - DNS Replay Tool

SYNOPSIS

drool respdiff [ options ] path name file name host port

DESCRIPTION

This tool is to be used in conjunction with the tool-chain respdiff by CZ.NIC (see https://gitlab.labs.nic.cz/knot/respdiff).

It will replay DNS queries found in the PCAP, but only if a correlating response is also found, against the target host and port. The query, original response and the received response is then stored into a LMDB database located at path. The name before the PCAP file and the name before the target host are stored in the meta table which should correspond with the configuration use for respdiff in order for it to be able to read the results correctly.

OPTIONS

These options are specific for the respdiff command, see drool(1) for generic options.

-D: Show DNS queries and responses as processing goes.
--no-tcp: Do not use TCP.
--no-udp: Do not use UDP.
-T --threads: Use threads.
--tcp-threads N: Set the number of TCP threads to use, default 2.
--udp-threads N: Set the number of UDP threads to use, default 4.
--timeout N.N: Set timeout for waiting on responses [seconds.nanoseconds], default 10.0.
--size BYTES: Set the size (in bytes, multiple of OS page size) of the LMDB database, default 10485760.

DATABASE SIZE

Note that you will need to set a database size that is large enough for all queries, all original responses, all received responses and all analysis done by respdiff tool-chain in order for a successful analysis to be done.

EXAMPLE

This example replays a PCAP file against localhost and then uses the respdiff tool-chain to analyze the results.

$ drool respdiff /lmdb/path pcap file.pcap target 127.0.0.1 53
$ msgdiff.py /lmdb/path
$ diffsum.py /lmdb/path

AUTHORS

Jerry Lundström, DNS-OARC

Maintained by DNS-OARC

https://www.dns-oarc.net/

BUGS

For issues and feature requests please use:

https://github.com/DNS-OARC/drool/issues

For question and help please use:

admin@dns-oarc.net