Capture of DNS statistics using dnscap and ithicap
On Linux, building the tool produces not only the regular and the test executables, but also the Dnscap extension "ithicap" (libithicap.so). This can be used like any other Dnscap extension, as in:
dnscap -i <interface> -c 2000000 -w - | dnscap -r - -P /path/to/libithicap.so -o <ithi-capture-file.csv>
The "-o" parameter specifies the output file, in CSV format. The "-P" parameter specifies the location of the "ithicap" extension; this depends on how you installed ithitools. The "-i" parameter names the capture interface, for example "eth0". The "-c" parameter directs dnscap to stop capturing after the specified number of DNS packets. In the pipeline above, the first dnscap instance writes the captured packets to standard output ("-w -") and the second reads them from standard input ("-r -") and hands them to the ithicap extension.
Dnscap is maintained by DNS-OARC. One option is to clone and build it from GitHub. Another option is to get the tarball from DNS-OARC and follow the build steps specified in the DNSCAP README on GitHub.
The list of ithicap parameters can be displayed by calling:
dnscap <dnscap-parameters> -P /path/to/libithicap.so -h
At the time of this writing, this will display the following list:
ITHICAP -- a DNSCAP plugin for ITHI data extraction.
Usage: ithitools <options>
Options:
-o file.csv output file containing the computed summary.
-r root-addr.txt text file containing the list of root server addresses.
-a res-addr.txt allowed list of resolver addresses. Traffic to or from
addresses in this list will not be filtered out by the
excessive traffic filtering mechanism.
-x res-addr.txt excluded list of resolver addresses. Traffic to or from
these addresses will be ignored when extracting traffic.
-f Filter out address sources that generate too much traffic.
-n number Number of strings in the list of leaking domains(M332).
-t tld-file.txt Text file containing a list of registered TLD, one per line.
-u tld-file.txt Text file containing special usage TLD (RFC6761).
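The following shell function is an added example, not part of ithitools or dnscap: it assembles the two-stage dnscap pipeline shown above, adds the optional root-server, allowed-resolver and excluded-resolver list files to the ithicap options, and refuses to start a capture when the plugin or any list file is missing. The interface name, packet count, plugin path and file names are assumed inputs; the plugin options follow the plugin path exactly as in the page's own command lines.

```shell
#!/bin/sh
# Added example (not ithitools' or dnscap's own code). Builds, and optionally
# runs, the capture pipeline:
#   dnscap -i <iface> -c <n> -w - | dnscap -r - -P libithicap.so <plugin options>
# Positional parameters (assumed): iface count plugin out.csv [root.txt] [allow.txt] [exclude.txt]
ithicap_pipeline() {
    iface=$1; count=$2; plugin=$3; out=$4
    root_list=$5; allow_list=$6; exclude_list=$7

    # The plugin location depends on how ithitools was installed, so verify it first.
    if [ ! -f "$plugin" ]; then
        echo "ithicap plugin not found: $plugin" >&2
        return 1
    fi

    # Any list file handed to -r/-a/-x must exist, or the plugin would run without it.
    for f in "$root_list" "$allow_list" "$exclude_list"; do
        if [ -n "$f" ] && [ ! -f "$f" ]; then
            echo "address list not found: $f" >&2
            return 1
        fi
    done

    # Plugin options: output CSV, excessive-traffic filtering (-f), optional lists.
    plugin_opts="-o $out -f"
    if [ -n "$root_list" ]; then plugin_opts="$plugin_opts -r $root_list"; fi
    if [ -n "$allow_list" ]; then plugin_opts="$plugin_opts -a $allow_list"; fi
    if [ -n "$exclude_list" ]; then plugin_opts="$plugin_opts -x $exclude_list"; fi

    # First dnscap captures $count DNS packets and writes them to stdout;
    # the second reads from stdin and passes every packet to ithicap.
    printf '%s\n' "dnscap -i $iface -c $count -w - | dnscap -r - -P $plugin $plugin_opts"
}

# Runs the assembled pipeline; capturing on an interface needs root or CAP_NET_RAW.
run_ithicap_pipeline() {
    cmd=$(ithicap_pipeline "$@") || return 1
    sh -c "$cmd"
}
```

Example call: `run_ithicap_pipeline eth0 2000000 /path/to/libithicap.so ithi.csv root-addr.txt` (the paths are placeholders for your installation).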