tactical-it

DNS Visualization

Last updated 8 February 2009 by tranq

[Screenshot: dns-typical-view]

The pictures and live demos of the DNS visualization are nifty, but running the visualization against your own network traffic is where the real value is.

All you need is Processing, your own network capture, a python script and the Processing sketch.  Details below.

I’d appreciate feedback on how well this works for you:  thoughts, comments and suggestions.  Screenshots and stats on your traffic volume would be awesome.

Current version: 0.1, 8 Feb 09

Install

  1. Get Processing.  You’ll also need Stephane Cousot’s UDP library.  Create a directory called “libraries” in your Processing sketch folder and unzip the UDP library there.
  2. Download the packet parsing script.  You’ll need dpkt installed.  The script supports both reading from a pcap file and live off the wire.  If you read live off the wire, you’ll need pylibpcap, too.
  3. Download the Processing sketch and unzip to your Processing sketch folder.

Run

  1. Run the processing sketch, and hit ‘g’ to Go.
  2. Run the python script, passing the path to your pcap file as an argument.  Or, if you’d prefer to read off your local interface, pass the interface name as the argument (this needs root, hence the sudo below).
tranq:trunk tranq$ python dparse.py /path/to/capture.pcap
  or
tranq:trunk tranq$ sudo python dparse.py en1

By default, playback from a file runs at capture speed, with packets paced by their capture timestamps.  If you want things to go as quickly as possible, change ‘realtime = True’ in the python script to False.  Processing runs a UDP server on localhost port 9000, and the python script sends it one datagram of parsed DNS stats per packet.  If you’ve got a crazy firewall setup that filters loopback traffic, you’ll need to make sure the two can talk.

Because the display gives the destination IP such prominence, the script assumes the capture was taken on the outside of your external DNS server, so that the destinations are the servers your resolver is talking to.  You can also view captures from a single workstation, where the capture originates from your own machine.  It’s a lot more boring, but still provides valuable insight into your host’s DNS traffic.

Changelog:

8 Feb 09, v0.1: Initial release