A Python-based tool for analyzing DNS packets from pcap files to detect potential DNS attacks, malformed queries, and volumetric query patterns.
- Continuous Directory Monitoring: Automatically processes new pcap/pcapng files as they appear
- DNS Field Extraction: Extracts source IP, destination IP, query/response status, domain, TTL, answers, and timestamps
- Non-DNS TCP Detection: Identifies and flags suspicious TCP packets without DNS layer
- Detailed CSV Reports: One row per DNS packet with all extracted fields
- Summary CSV Reports: Aggregated analysis with query counts and rates (tab-delimited)
- Volumetric Analysis: Calculates query rates per unique domain to detect attack patterns
- Python 3.8+
- Wireshark (tshark and editcap must be in PATH)
- Required Python packages (see requirements.txt)
Run the setup script to automatically configure the environment:
./setup.shThis will:
- Check Python 3.8+ installation
- Verify tshark and editcap availability
- Create a Python virtual environment
- Install all required dependencies
- Create output directories
- Validate the installation
If you prefer to install manually:
- Install Python dependencies:
pip install -r requirements.txt- Ensure tshark and editcap are installed and accessible:
which tshark
which editcapNote: On macOS, you may need to use a virtual environment:
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txtpython dns_analyzer.py --input-dir /path/to/pcap/files --output-dir /path/to/output--input-dir: Directory to watch for pcap/pcapng files (required)--output-dir: Directory for output CSVs and JSONs (default: ./output)--keep-json: Keep intermediate JSON files after CSV generation (default: True)
output/
├── detailed/ # Detailed CSV files (one per pcap)
├── summary/ # Summary CSV files (tab-delimited, one per pcap)
└── json/ # Intermediate JSON files (if kept)
Contains one row per DNS packet with the following columns:
| Column | Description | Example |
|---|---|---|
| Timestamp | When the packet was captured | 2024-11-07T10:30:45 |
| Source IP | IP address initiating the request | 192.168.1.100 |
| Destination IP | IP address receiving the request | 8.8.8.8 |
| Query/Response | Indicates if packet is a query or response | Query, Response |
| Domain | The domain name being queried | example.com |
| TTL | Time-to-live in seconds (responses only) | 300 |
| Answer | The resolved IP address(es) (responses only) | 93.184.216.34 |
| Packet Type | Type of packet | DNS |
Aggregated statistics for each unique client/server/domain combination:
| Column | Description | Example |
|---|---|---|
| Client IP | IP address of the DNS client | 192.168.1.100 |
| DNS Server IP | IP address of the DNS server | 8.8.8.8 |
| Domain | The queried domain name | example.com |
| Query Type | Whether these are queries or responses | Query |
| Total Count | Number of packets for this combination | 1500 |
| Rate (qps) | Queries per second | 125.5 |
| First Seen | Timestamp of first occurrence | 2024-11-07 10:30:45 |
| Last Seen | Timestamp of last occurrence | 2024-11-07 10:42:45 |
| Time Window (s) | Duration between first and last seen | 720 |
Captures suspicious TCP packets without DNS layer:
| Column | Description |
|---|---|
| Timestamp | When the packet was captured |
| Source IP | Source IP address |
| Destination IP | Destination IP address |
| Source Port | TCP source port |
| Destination Port | TCP destination port (53 indicates DNS) |
| Packet Type | "TCP (Non-DNS)" |
Look for unusually high rates in the summary CSV:
# Normal: 1-10 queries per second per client
# Suspicious: >100 qps from a single client
# Attack: >1000 qps from a single clientDetection: Sort summary CSV by "Rate (qps)" column descending. Any client with >100 qps warrants investigation.
Indicators of DNS tunneling include:
- Long domain names: Domains >50 characters (e.g.,
a7f3b2c9d4e5f6.suspicious-domain.com) - High entropy domains: Random-looking subdomain strings
- Unusual TLDs: Non-standard top-level domains
- Large response sizes: DNS responses with unusually large answers
Detection: Look for domains with suspicious patterns in the detailed CSV.
Look for:
- Multiple responses for the same query from different servers
- Responses with very low or very high TTL values (<60 or >86400)
- Responses arriving before queries
Detection: Check for duplicate domains with different answers or unusual TTL values.
Characteristics:
- Small queries generating large responses
- Queries for TXT, ANY, or DNSSEC records
- Repeated queries to the same domain
Detection: High query rates combined with specific query types (would need additional query type logging).
DGA domains typically show:
- Random alphanumeric patterns
- Similar length domains
- High frequency of failed resolutions (NXDOMAIN)
- Clusters of queries in short time windows
Detection: Look for patterns of similar-length random domains in the detailed CSV.
Signs include:
- Known domains resolving to unexpected IPs
- Private IP responses for public domains
- Responses from unauthorized DNS servers
Detection: Compare answer IPs for well-known domains against expected values.
Patterns indicating reconnaissance:
- Sequential queries for related domains
- Queries for mail servers (MX), name servers (NS)
- Zone transfer attempts (AXFR)
- Version queries (version.bind)
Detection: Look for systematic querying patterns from single sources.
# Sort summary CSV by count (5th column)
sort -t$'\t' -k5 -nr *_summary.csv | head -20# Find clients with >100 queries per second
awk -F'\t' '$6 > 100 {print $1, $3, $6}' *_summary.csv# Find domains longer than 50 characters
awk -F',' 'length($5) > 50 {print $1, $2, $5}' *_detailed.csv# Check non-DNS TCP CSV for suspicious activity
grep "TCP (Non-DNS)" *_non_dns_tcp.csv | grep ":53"- Baseline Normal Behavior: Establish what's normal for your network before identifying anomalies
- Correlate Multiple Indicators: Single indicators may have false positives; multiple indicators increase confidence
- Time-based Analysis: Look for patterns that emerge during specific time windows
- Cross-reference Sources: Compare against threat intelligence feeds for known malicious domains
- Monitor Trends: Track changes in query patterns over time
- Directory Monitoring: Uses watchdog library to monitor the input directory for new
.pcapand.pcapngfiles - Packet Processing: Uses tshark to extract DNS fields and convert to JSON
- Data Extraction: Parses JSON to extract relevant DNS fields and identify packet types
- CSV Generation: Creates detailed and summary CSV files for analysis
- Volumetric Analysis: Calculates query rates to identify high-volume patterns
- Validates tshark/editcap availability on startup
- Handles malformed pcap files gracefully
- Skips files that are still being written
- Logs errors without stopping continuous processing
To set up regular pushes to GitHub, see GIT_SETUP.md for detailed instructions.
Quick start:
# Initialize git (if not already done)
git init
git remote add origin https://github.com/Gamechiefx/DNS-Automator.git
# Use the helper script for easy pushes
./git_push.sh "Your commit message"The .gitignore file excludes output files, logs, and virtual environments from version control.