Created
March 17, 2017 21:41
-
-
Save dgulinobw/5c5b9e096d1315819aede2105eaaa4bc to your computer and use it in GitHub Desktop.
Create a list of timestamp,name,response_time (do_dump_report=True), either/or/and a list of name,total queries, response time avg (do_avg_report=True). Use: /usr/sbin/tcpdump -vvv -s 0 -l port 53 -w log.pcap; python parse_tcpdump_udp_53.py log.pcap
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| from __future__ import print_function | |
| import sys | |
| import pyshark | |
| from collections import defaultdict | |
| filename = sys.argv[1] | |
| do_dump_report=False | |
| do_avg_report=True | |
| cap = pyshark.FileCapture(filename) | |
| queries = defaultdict(lambda: defaultdict(dict)) | |
| def print_dns_info(pkt): | |
| try: | |
| resp_name = pkt.dns.resp_name | |
| except: | |
| queries[pkt.dns.id]["request"] = { "src": pkt.ip.src, "name" : pkt.dns.qry_name, "time": pkt.sniff_time } | |
| try: | |
| if pkt.dns.resp_name: | |
| queries[pkt.dns.id]["response"] = { "src": pkt.ip.src, "name" : pkt.dns.resp_name, "time": pkt.sniff_time } | |
| except: | |
| pass | |
| cap.apply_on_packets(print_dns_info) | |
| report = defaultdict(lambda: defaultdict(dict)) | |
| for k, v in queries.items(): | |
| if v.get("response") and v.get("request"): | |
| request_time = v["request"]["time"] | |
| report[request_time]["rt"] = v["response"]["time"] - v["request"]["time"] | |
| report[request_time]["name"] = v["request"]["name"] | |
| if do_dump_report: | |
| print("%-30s : %-30s : %-20s" % ("request timestamp", "name", "response time(datetime)")) | |
| keys = report.keys() | |
| keys.sort() | |
| for key in keys: | |
| print("%-30s : %-30s : %-20s" % (key, report[key]["name"], report[key]["rt"])) | |
| if do_avg_report: | |
| avg_report = defaultdict(lambda: defaultdict(float)) | |
| for k, v in report.items(): | |
| avg_report[v["name"]]["total"] += v["rt"].total_seconds() | |
| avg_report[v["name"]]["count"] += 1.0 | |
| print("%-30s : %-20s: %-13s" % ("name", "count", "response time avg(s)")) | |
| keys = avg_report.keys() | |
| keys.sort() | |
| for key in keys: | |
| total = avg_report[key]["total"] | |
| count = avg_report[key]["count"] | |
| avg = total / count | |
| print("%-30s : %-20d: %-9.4f" % (key, int(avg_report[key]["count"]), avg)) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment