net-mon
tcpdump’in, pcap’in, dnstap
dig into HTTP headers: only TCP segments to port 8081 that carry payload (IP total length minus IP header minus TCP header != 0, so bare ACKs are skipped)
sudo tcpdump -A -s 0 -ni vethac55d08 'tcp dst port 8081 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
# mkdir /data
nohup tcpdump --no-promiscuous-mode -Ani ens2 -w /data/$(date -u '+%Y%m%d-%H%M%S').pcap 'host 10... and port (33002 || 33003)' &
tcpdump --immediate-mode --packet-buffered \
--time-stamp-type={host|adapter|adapter_unsynced} \
--time-stamp-precision={micro|nano} \
-w /tmp/tcpdump-vector
mkfifo /tmp/t2v.pcap.sock
tcpdump --immediate-mode --packet-buffered \
--time-stamp-type=host --time-stamp-precision=micro \
-c 3 --no-promiscuous-mode -ni eth0 -w /tmp/t2v.pcap.sock
tail -f /tmp/t2v-1.pcap | tcpdump --time-stamp-precision=nano -r -
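Added example (not from the original notes): a minimal pcap stream reader that does in Python what the two pipelines above do with tcpdump. It reads records incrementally from a pipe or fifo, recognises both the micro and the nano magic number (so it can consume the `--time-stamp-precision=nano` output from `-w`), and applies the same payload-length arithmetic as the BPF filter on the first line (`ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)`) to pick out HTTP request headers bound for port 8081. The sample capture, the addresses and the port numbers are constructed inline; nothing here is a real capture.

```python
import io
import struct

# pcap magic numbers as written by a little-endian host; the nano variant is
# what `tcpdump --time-stamp-precision=nano -w` produces
PCAP_MAGIC_MICRO = 0xA1B2C3D4
PCAP_MAGIC_NANO = 0xA1B23C4D
LINKTYPE_ETHERNET = 1

def read_exact(stream, n):
    """Read exactly n bytes, blocking on a pipe/fifo; return b'' at EOF."""
    buf = b''
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            return b''
        buf += chunk
    return buf

def iter_pcap(stream):
    """Yield (ts_sec, ts_nsec, frame) per record; handles both magics and byte orders."""
    hdr = read_exact(stream, 24)
    if len(hdr) < 24:
        raise ValueError('truncated pcap global header')
    endian = '<'
    magic = struct.unpack('<I', hdr[:4])[0]
    if magic not in (PCAP_MAGIC_MICRO, PCAP_MAGIC_NANO):
        endian = '>'
        magic = struct.unpack('>I', hdr[:4])[0]
    if magic not in (PCAP_MAGIC_MICRO, PCAP_MAGIC_NANO):
        raise ValueError('not a pcap stream')
    frac_scale = 1 if magic == PCAP_MAGIC_NANO else 1000  # normalise to nanoseconds
    linktype = struct.unpack(endian + 'I', hdr[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError('only LINKTYPE_ETHERNET is handled in this example')
    while True:
        rec = read_exact(stream, 16)
        if not rec:
            return
        ts_sec, ts_frac, caplen, _origlen = struct.unpack(endian + 'IIII', rec)
        frame = read_exact(stream, caplen)
        if len(frame) < caplen:
            return  # writer went away mid-record
        yield ts_sec, ts_frac * frac_scale, frame

def tcp_payload(frame):
    """Return (dst_port, payload) for an IPv4/TCP Ethernet frame, else None.
    Same arithmetic as the BPF filter, so IP and TCP options are accounted for."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) << 2                   # ((ip[0]&0xf)<<2)
    total_len = int.from_bytes(ip[2:4], 'big')  # ip[2:2]
    if ip[9] != 6:                              # IP protocol 6 = TCP
        return None
    tcp = ip[ihl:]
    doff = (tcp[12] & 0xF0) >> 2                # ((tcp[12]&0xf0)>>2)
    payload_len = total_len - ihl - doff
    dport = int.from_bytes(tcp[2:4], 'big')
    return dport, tcp[doff:doff + payload_len]

def records_from_bytes(pcap_bytes):
    return list(iter_pcap(io.BytesIO(pcap_bytes)))

def http_request_lines(pcap_bytes, dst_port=8081):
    """Request line plus headers of every non-empty TCP segment sent to dst_port."""
    lines = []
    for _sec, _nsec, frame in iter_pcap(io.BytesIO(pcap_bytes)):
        hit = tcp_payload(frame)
        if hit is None or hit[0] != dst_port or not hit[1]:
            continue  # the '!= 0' part of the filter: skip bare ACKs
        head = hit[1].split(b'\r\n\r\n', 1)[0]
        lines.extend(l.decode('ascii', 'replace') for l in head.split(b'\r\n'))
    return lines

# --- constructed sample data (not a real capture) ---------------------------
def _ipv4_tcp_frame(dport, tcp_options=b'', payload=b''):
    doff_words = 5 + len(tcp_options) // 4
    tcp = struct.pack('!HHIIBBHHH', 40000, dport, 1, 1, doff_words << 4,
                      0x18, 65535, 0, 0) + tcp_options + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6,
                     0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b'\x02' * 12 + b'\x08\x00' + ip + tcp  # dummy MACs, EtherType IPv4

def _pcap(records, nano=True):
    out = struct.pack('<IHHiIII', PCAP_MAGIC_NANO if nano else PCAP_MAGIC_MICRO,
                      2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    for sec, frac, frame in records:
        out += struct.pack('<IIII', sec, frac, len(frame), len(frame)) + frame
    return out

TS_OPT = b'\x01\x01\x08\x0a' + b'\x00' * 8  # NOP NOP + TCP timestamp option (12 bytes)
SAMPLE_PCAP = _pcap([
    (1700000000, 5, _ipv4_tcp_frame(8081, TS_OPT)),   # bare ACK, no payload
    (1700000000, 120, _ipv4_tcp_frame(8081, TS_OPT,
        b'GET /login HTTP/1.1\r\nHost: app.example.test\r\nUser-Agent: curl/8.0\r\n\r\n')),
    (1700000001, 7, _ipv4_tcp_frame(9999, b'', b'POST /x HTTP/1.1\r\n\r\n')),
])

if __name__ == '__main__':
    # replace SAMPLE_PCAP with sys.stdin.buffer to consume `tcpdump -w - | python3 this.py`
    for line in http_request_lines(SAMPLE_PCAP):
        print(line)
```

Timestamps are returned as integer seconds and nanoseconds rather than a float, because a nanosecond-precision epoch time does not fit in a double; that matters when the capture is used to order events across hosts.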
dnstap
https://jpmens.net/2017/09/11/dns-query-response-logging-with-dnstap/
http://dnstap.info/slides/dnstap_vldss2014.pdf
Build with dnstap support:
./configure --enable-dnstap
make && make install
Execute the dnstap receiver with nsd user:
su - nsd -s /bin/bash -c 'dnstap_receiver -u /var/run/nsd/dnstap.sock'
— https://dmachard.github.io/posts/0001-dnstap-testing/#nlnetlabs---nsd
See also:
- Dnstap streams receiver in Python https://github.com/dmachard/python-dnstap-receiver
- Vector::dnstap Collect DNS logs from a dnstap-compatible server https://vector.dev/docs/reference/configuration/sources/dnstap/