
I have a bind9 DNS server running, and I have it blocking ads through a block list for the whole network. I want to log the blocking, so I tried to listen to the UDP port. I used tcpdump and forwarded it with netcat, but it was packaged in a pcap format, which can't be read by the logging server I made since it only recognizes raw DNS request packets.

Is there any command-line tool I can pipe the tcpdump output through before netcat, which unwraps the packets from the pcap format?

This is the command I used: tcpdump -i $INTERFACE -U -s0 -w - "udp port 53" | nc -u $LOG_SERVER $LOG_PORT

I'm trying to find an elegant solution here, and I can't believe no one has made a command-line tool for this kind of purpose yet. If there's no luck, I will be forced to write the pcap packets to files, then read them with the Java library I'm using because it doesn't support directly reading pcap data.

1 Answer


I fixed this by decapsulating the PCAP data. Unfortunately, I couldn't get tshark working because it's not supported in OpenWRT, I believe. Anyways, too much hassle trying to make the work of others forcibly work together, so I made my own solution.

These are the references I used:

For PCAP Header and PCAP Records

For Ethernet Frames

For IPv4 Packets

For UDP Datagram Segment

For DNS Message Format

I mostly used the images as a reference and decoded them byte by byte, and by having a reference PCAP, which I loaded for every attempt, for consistency. In addition, I used ImHex to analyze the binary data.

There is too much code involved to share here. I might update this answer if I post the code on GitHub one day. Besides, my code is in Kotlin, which not many here might find useful.
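As an added illustration (not the asker's or the answerer's code), here is a minimal Python decapsulator that follows the same header chain the answer lists: pcap global header and record headers, then Ethernet, IPv4, UDP, and finally the DNS message. The sample pcap bytes are constructed inline; it handles only classic pcap (not pcapng) on an Ethernet link type, and returns raw DNS messages plus a decoded query name for logging.

```python
import struct

def _udp_from_frame(frame: bytes):
    """Walk Ethernet -> IPv4 -> UDP; return (src, dst, sport, dport, payload) or None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":   # too short, or ethertype is not IPv4
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 17:     # not IPv4, or IP protocol is not UDP (17)
        return None
    ihl = (ip[0] & 0x0F) * 4               # IPv4 header length, including options
    total_len = struct.unpack("!H", ip[2:4])[0]
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    udp = ip[ihl:total_len]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return src, dst, sport, dport, udp[8:ulen]   # UDP payload = the raw DNS message

def extract_dns_payloads(pcap: bytes) -> list:
    """Return (src, dst, dns_message) for every UDP/53 record in a classic pcap blob."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:   # LINKTYPE_ETHERNET
        raise ValueError("only the Ethernet link type is handled")
    found, off = [], 24                    # records start after the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        parsed = _udp_from_frame(frame)
        if parsed and 53 in parsed[2:4]:
            found.append((parsed[0], parsed[1], parsed[4]))
    return found

def dns_qname(msg: bytes) -> str:
    off, labels = 12, []                   # skip the 12-byte DNS header; questions are uncompressed
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels)

# Constructed sample: a little-endian pcap with one record, a query for ads.example
_DNS = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03ads\x07example\x00\x00\x01\x00\x01"
_UDP = struct.pack("!HHHH", 40000, 53, 8 + len(_DNS), 0) + _DNS
_IP = (b"\x45\x00" + struct.pack("!H", 20 + len(_UDP)) + b"\x00\x00\x40\x00\x40\x11\x00\x00"
       + bytes([192, 168, 1, 10]) + bytes([192, 168, 1, 1]))
_FRAME = b"\x00" * 12 + b"\x08\x00" + _IP + _UDP
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + struct.pack("<IIII", 0, 0, len(_FRAME), len(_FRAME)) + _FRAME)
```

For the pipeline in the question you would read the pcap bytes from stdin and forward each returned DNS message over UDP; since tcpdump -w - streams records continuously, a live consumer must parse record by record rather than waiting for the whole stream.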