DNSTOP: STAY ON TOP OF YOUR DNS TRAFFIC


DNSTOP(8)		FreeBSD System Manager's Manual 	     DNSTOP(8)

NAME

dnstop -- displays various tables of DNS traffic on your network

SYNOPSIS

dnstop [-46apsQR] [-bexpression] [-iaddress] [-ffilter] [-rinterval] [device] [savefile]

DESCRIPTION

dnstop is a small tool to listen on device or to parse the file savefile and collect and print statistics on the local network's DNS traffic. You must have read access to /dev/bpf*.

COMMAND LINE OPTIONS

The options are as follows:

-4          count only messages with IPv4 addresses
-6          count only messages with IPv6 addresses
-a          anonymize addresses
-bexpression
            BPF filter expression (default: udp port 53)
-iaddress   ignore select addresses
-p          Do not put the interface into promiscuous mode.
-r          Redraw interval (seconds).
-llevel     keep counts on names up to level domain name levels. For example, with -l 2 (the default), dnstop will keep two tables: one with top-level domain names, and another with second-level domain names. Increasing the level provides more details, but also requires more memory and CPU.
-f input filter name
            The "unknown-tlds" filter includes only queries for TLDs that are bogus. Useful for identifying hosts/servers that leak queries for things like "localhost" or "workgroup."
            The "A-for-A" filter includes only A queries for names that are already IP addresses. Certain Microsoft Windows DNS servers have a known bug that forwards these queries.
            The "rfc1918-ptr" filter includes only PTR queries for addresses in RFC1918 space. These should never leak from inside an organization.
-Q          count only DNS query messages
-R          count only DNS reply messages
savefile    a captured network trace in pcap format
device      ethernet device (i.e. fxp0)
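The three input filters and the -l level tables, reimplemented in Python as an added example over a constructed set of queries; this is not dnstop's own code, and the KNOWN_TLDS set is a stand-in assumption, not the TLD list dnstop ships.

```python
import ipaddress
from collections import Counter

# Constructed sample queries as (source address, qtype, qname); not real traffic.
SAMPLE_QUERIES = [
    ("192.168.0.113", "A", "www.example.com."),
    ("192.168.0.113", "A", "localhost."),               # leaked local name
    ("192.168.0.144", "A", "fileserver.workgroup."),    # leaked Windows name
    ("192.168.0.40", "A", "10.0.0.5."),                 # A query for an address
    ("192.168.0.40", "PTR", "5.0.0.10.in-addr.arpa."),  # PTR for RFC1918 space
    ("192.168.0.113", "PTR", "4.3.2.1.in-addr.arpa."),  # PTR for public space
    ("192.168.0.144", "MX", "mail.example.org."),
]
# Assumption: a short stand-in for a real TLD list, not the list dnstop ships.
KNOWN_TLDS = {"com", "net", "org", "edu", "gov", "mil", "arpa", "int"}

def labels(qname):
    """Split a dotted name into lowercase labels, dropping the trailing dot."""
    return [l for l in qname.lower().rstrip(".").split(".") if l]

def unknown_tld(qtype, qname):
    """unknown-tlds: the last label is not a known TLD (any qtype)."""
    parts = labels(qname)
    return not parts or parts[-1] not in KNOWN_TLDS

def a_for_a(qtype, qname):
    """A-for-A: an A query whose name is already an IPv4 address."""
    try:
        ipaddress.IPv4Address(qname.rstrip("."))
    except ValueError:
        return False
    return qtype == "A"

def rfc1918_ptr(qtype, qname):
    """rfc1918-ptr: PTR under in-addr.arpa whose reversed octets are private."""
    parts = labels(qname)
    if qtype != "PTR" or len(parts) != 6 or parts[4:] != ["in-addr", "arpa"]:
        return False
    try:
        return ipaddress.IPv4Address(".".join(reversed(parts[:4]))).is_private
    except ValueError:
        return False

FILTERS = {"unknown-tlds": unknown_tld, "A-for-A": a_for_a, "rfc1918-ptr": rfc1918_ptr}

def apply_filter(queries, name):
    """Keep only the queries the named filter would let dnstop count."""
    return [q for q in queries if FILTERS[name](q[1], q[2])]

def level_table(queries, level):
    """Like -l: count names truncated to their last `level` labels (TLD, SLD, ...)."""
    return Counter(".".join(labels(q[2])[-level:]) for q in queries)
```

Note that the A-for-A name also trips unknown-tlds, since its last label is numeric; filters are applied one at a time, as with -f.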

RUN TIME OPTIONS

While running, the following options are available to alter the display:

s       display the source address table
d       display the destination address table
t       display the breakdown of query types seen
o       display the breakdown of opcodes seen
1       show 1st level query names
2       show 2nd level query names
3       show 3rd level query names
4       show 4th level query names
5       show 5th level query names
6       show 6th level query names
7       show 7th level query names
8       show 8th level query names
9       show 9th level query names
!       show sources + 1st level query names
@       show sources + 2nd level query names
#       show sources + 3rd level query names
$       show sources + 4th level query names
%       show sources + 5th level query names
^       show sources + 6th level query names
&       show sources + 7th level query names
*       show sources + 8th level query names
(       show sources + 9th level query names
^R      reset the counters
^X      exit the program
space   redraw
?       help

NON-INTERACTIVE MODE

If stdout is not a tty, dnstop runs in non-interactive mode. In this case, you must supply a savefile for reading, instead of capturing live packets. After reading the entire savefile, dnstop prints the top 50 entries for each table.

AUTHORS

Duane Wessels (wessels@measurement-factory.com)
Mark Foster (mark@foster.cc)
Jose Nazario (jose@monkey.org)
Sam Norris <@ChangeIP.com>
Max Horn <@quendi.de>
John Morrissey <jwm@horde.net>
Florian Forster <octo@verplant.org>
Dave Plonka <plonka@cs.wisc.edu>

http://dnstop.measurement-factory.com/

BUGS

Unless compiled with -DUSE_PPP the program will not correctly decode PPP frames.

FreeBSD 5.5                      21 March, 2008                      FreeBSD 5.5

[root@localhost ~]# ./dnstop -s eth0

The output looks like this:

  0 new queries, 6 total queries                         Mon Nov 5 07:54:35 2007

  Sources                count      %
  ---------------- --------- ------
  192.168.0.113            4   66.7
  192.168.0.144            1   16.7
  192.168.0.40             1   16.7

  Not bad, eh? ^_^ While dnstop is running, you can type the following commands:

  S,D,T,1,2,^R(ctrl+R),^X(ctrl+X),?

Typing ? shows the help:

 s - Sources list
 d - Destinations list
 t - Query types
 o - Opcodes
 1 - TLD list
 2 - SLD list
 3 - 3LD list
 @ - SLD+Sources list
 # - 3LD+Sources list
^R - Reset counters
^X - Exit

This article was edited by flyinweb on 2009-07-22 09:30:39

Posted by flyinweb on 2009-07-17 14:21:45; viewed 3946 times so far, 0 comments.

Tags added by the author: BIND, DNSTOP
