gamelinux / passivedns

A network sniffer that logs all DNS server replies for use in a passive DNS setup
http://gamelinux.org/

Problem with big pcap file #49

Closed mazkopolo closed 9 years ago

mazkopolo commented 9 years ago

Hi, first of all, I'd like to thank you for sharing passivedns with us. It is, without any doubt, an amazing work. I received a pcap file (all DNS) and I can not use your tool to open it. Here is the output:

-- Total DNS records allocated : 0
-- Total DNS assets allocated : 0
-- Total DNS packets over IPv4/TCP : 0
-- Total DNS packets over IPv6/TCP : 0
-- Total DNS packets over TCP decoded : 0
-- Total DNS packets over TCP failed : 0
-- Total DNS packets over IPv4/UDP : 0
-- Total DNS packets over IPv6/UDP : 0
-- Total DNS packets over UDP decoded : 0
-- Total DNS packets over UDP failed : 0
-- Total packets received from libpcap : 0
-- Total Ethernet packets received : 0
-- Total VLAN packets received : 0

I can use tshark and tcpdump to open the file, but I can not use passivedns for some reason. I'd highly appreciate it if you could consider my request asap.

gamelinux commented 9 years ago


Hi, my guess is that this is the pcap-ng file format?

file yourfile.pcap

If it's pcap-ng format, you need to convert it to libpcap format.

E

On 05/14/2015 08:32 AM, Maziar Janbeglou wrote:


mazkopolo commented 9 years ago

Here is the result:

file dns.pcap
dns.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65536)

I used tshark -r dns.pcap -w test.pcap and the same with tcpdump but got the same result.

gamelinux commented 9 years ago


OK,

BTW, how big is your pcap? Don't think that matters. If tcpdump can read it, so should pdns.

But from what you report, the only thing I can think of is that the traffic is encapsulated in something other than an Ethernet frame?

You can also try to dump the first, say, 1000 packets from the pcap with tcpdump (-c 1000 IIRC) and write them to a new file. See if pdns works then?

E

On 05/14/2015 09:02 AM, Maziar Janbeglou wrote:


mazkopolo commented 9 years ago

It is about 87 MB

tcpdump -r dns.pcap -c 1000 -w 1000.pcap
reading from file dns.pcap, link-type EN10MB (Ethernet)

gamelinux commented 9 years ago


lol, that's not big :P

So there should be something funky with the network traffic then. If you can, send me a -c 1 pcap, and I'll have a look?

e

On 05/14/2015 09:25 AM, Maziar Janbeglou wrote:


mazkopolo commented 9 years ago

Sent you an email. I've just noticed the packet was captured from a VLAN. Does that ring a bell?

mazkopolo commented 9 years ago

Hey man, I've found the solution. passivedns does not like VLAN tags. I removed them with the following command: tcprewrite --enet-vlan=del --infile=dns.pcap --outfile=mcd.pcap and then it worked. You may want to fix it so that it accepts VLAN tags as well?!

gamelinux commented 9 years ago


It supports VLAN; just make your own BPF filter, like: passivedns -b vlan

I saw the pcap, but did not immediately see the VLAN header there, but it works if you add -b vlan.

E

On 05/14/2015 09:47 AM, Maziar Janbeglou wrote:

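The two checks this thread walks through by hand (is the file classic pcap or pcap-ng, and are the DNS frames 802.1Q-tagged so that a plain-Ethernet decoder never sees the IP header) can be done in one pass with a dependency-free reader. The script below is an added example written for this page in Python; it is not passivedns code and does not reflect how passivedns decodes frames. The magic numbers and header layouts are those of the libpcap, pcap-ng, Ethernet, 802.1Q, IPv4 and UDP formats; the sample packets, VLAN IDs, MAC and IP addresses are constructed for the example.

```python
# Added example (not passivedns code): a dependency-free libpcap reader that
# answers the two questions raised in this thread: is the file pcap or pcap-ng,
# and are the DNS frames carrying 802.1Q VLAN tags that a plain-Ethernet decoder
# would step over? All sample packets below are constructed for the example.
import struct

# libpcap magic numbers -> struct byte-order prefix
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcap-ng Section Header Block type
ETHERTYPE_VLAN, ETHERTYPE_IPV4, UDP, DNS_PORT = 0x8100, 0x0800, 17, 53


def capture_format(data):
    """Classify a capture by its first four bytes (what `file` reports)."""
    if data[:4] == PCAPNG_MAGIC:
        return "pcapng"
    return "pcap" if data[:4] in PCAP_MAGICS else "unknown"


def iter_pcap_frames(data):
    """Yield the captured bytes of each record in a classic libpcap file."""
    endian = PCAP_MAGICS[data[:4]]
    # 24-byte global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != 1:  # DLT_EN10MB; anything else is not Ethernet framing
        return
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def strip_vlan(frame):
    """Return (ethertype, payload, vlan_ids) with any 802.1Q tags removed.

    A decoder that assumes a 14-byte Ethernet header reads the TPID 0x8100 as
    the ethertype, finds neither IPv4 nor IPv6 there and drops the frame, which
    gives the all-zero counters seen at the top of this issue.
    """
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan_ids = 14, []
    while ethertype == ETHERTYPE_VLAN and off + 4 <= len(frame):
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        off += 4
    return ethertype, frame[off:], vlan_ids


def is_dns_udp(ethertype, payload):
    """True for IPv4/UDP with port 53 on either side (IPv6 and TCP not handled)."""
    if ethertype != ETHERTYPE_IPV4 or len(payload) < 20:
        return False
    ihl = (payload[0] & 0x0F) * 4
    if payload[9] != UDP or len(payload) < ihl + 8:
        return False
    sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
    return DNS_PORT in (sport, dport)


def summarize(data):
    """Count DNS frames with and without VLAN tags to explain a zero-packet run."""
    s = {"format": capture_format(data), "total": 0, "vlan_tagged": 0,
         "dns_plain": 0, "dns_vlan": 0, "vlan_ids": set()}
    if s["format"] != "pcap":
        return s  # pcap-ng (or unknown) must be converted before this reader applies
    for frame in iter_pcap_frames(data):
        s["total"] += 1
        ethertype, payload, vids = strip_vlan(frame)
        if vids:
            s["vlan_tagged"] += 1
            s["vlan_ids"].update(vids)
        if is_dns_udp(ethertype, payload):
            s["dns_vlan" if vids else "dns_plain"] += 1
    return s


# --- constructed sample input (not from the reporter's capture) ---------------
def build_dns_frame(vlan_id=None):
    """One A query for example.com over UDP/IPv4, optionally 802.1Q-tagged."""
    dns = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
           b"\x07example\x03com\x00\x00\x01\x00\x01")
    udp = struct.pack("!HHHH", 40000, DNS_PORT, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, UDP, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53])) + udp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is None:
        return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip
    return eth + struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id, ETHERTYPE_IPV4) + ip


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file with link type DLT_EN10MB."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1431600000 + i, 0, len(f), len(f)) + f
    return out


# One untagged query plus two tagged ones (VLAN 100 and 200), as on a trunk port.
SAMPLE_PCAP = build_pcap([build_dns_frame(), build_dns_frame(100), build_dns_frame(200)])
# A bare pcap-ng Section Header Block, to exercise the format check.
SAMPLE_PCAPNG = struct.pack("<IIIHHqI", 0x0A0D0D0A, 28, 0x1A2B3C4D, 1, 0, -1, 28)

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))
    print(summarize(SAMPLE_PCAPNG))
```

On a real file, `summarize(open("dns.pcap", "rb").read())` tells you which case you are in: a `pcapng` format needs converting to classic pcap first (the first reply), and a capture where `dns_vlan` is non-zero while `dns_plain` is zero is the situation from this issue, where either the `-b vlan` filter from the last reply or the `tcprewrite --enet-vlan=del` rewrite from the comment before it gets the packets decoded. In libpcap's filter language the first `vlan` keyword also shifts the decoding offsets for the rest of the expression, so a filter such as `vlan and udp port 53` matches on the inner IP packet rather than on the tag.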

mazkopolo commented 9 years ago

Awesome. Tested! and worked :)

thus commented 9 years ago

This was resolved, so closing the issue.