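#!/usr/bin/perl -p
# tinydns log formatting utility
# based on Faried Nawaz's logfile formatter for dnscache
# by Kenji Rikitake 29-JUL-2000
# please put this on dnscache.com ftp site.
#
# Runs under -p: every input line is read into $_, passed through the
# substitutions below and then printed. Lines that do not match the main
# pattern are printed unchanged and without the "[host]" tag.
#
# The client address, port, query id and query name are copied from the log
# line, so they originate from whoever sent the query. Treat the formatted
# output as untrusted text in whatever displays or parses it, and keep the
# raw log as the record of what was actually received.

use Sys::Hostname;

# -p wraps the whole file in a per-line loop. A plain top-level assignment
# placed after the substitution has not run yet when the first line is
# formatted, so the first line used to show a numeric query type. Setting up
# the host tag and the lookup table at compile time avoids that.
BEGIN {
    $myhost = hostname;
    #$myhost =~ s/^([^.]+).*/$1/ ;    # optional: cut at the first dot

    # DNS query type codes from the following RFCs:
    # 1035,1183,1348,1876,1995,2065,2163,2230,2535,2538,2845,2874,2915,2930,3123
    %QTYPE = (
        1   => "A",
        2   => "NS",
        5   => "CNAME",
        6   => "SOA",
        11  => "WKS",
        12  => "PTR",
        13  => "HINFO",
        14  => "MINFO",
        15  => "MX",
        16  => "TXT",
        17  => "RP",
        18  => "AFSDB",
        20  => "ISDN",
        21  => "RT",
        22  => "NSAP",
        23  => "NSAP-PTR",
        24  => "SIG",
        25  => "KEY",
        26  => "PX",
        28  => "AAAA",
        29  => "LOC",
        30  => "NXT",
        33  => "SRV",
        35  => "NAPTR",
        36  => "KX",
        37  => "CERT",
        38  => "A6",
        42  => "APL",
        249 => "TKEY",
        250 => "TSIG",
        251 => "IXFR",
        252 => "AXFR",
        255 => "ANY",
    );
}

# convert addresses in hex to dotted decimal notation.
## - without ipv6 patch
#s/\b([a-f0-9]{8})\b/join(".", unpack("C*", pack("H8", $1)))/eg;
## - with ipv6 patch
#s/[a-f0-9]{24}([a-f0-9]{8})/join(".", unpack("C*", pack("H8", $1)))/eg;

### clean up some messages

# convert stuff like 127.0.0.2:0422:05be to something more descriptive.
# query tai64n host:port:qid flag qtype thing
# keep tai64n header as is - use tai64nlocal to convert it to TAI
#s/^(@[a-f0-9]+) \b([\d.]+):(\w+):(\w+) ([\+\-\I\/]) \b([a-f0-9]+) \b([-.\w]+)/$1." ".printQueryLine($2,$3,$4,$5,$6,$7)/e;
#s/^(@[a-f0-9]+) \b([\d.]+):(\w+):(\w+) ([\+\-CIX\/]?)\s?\b([a-f0-9]+) \b([-.\w]+)/$1." ".printQueryLine($2,$3,$4,$5,$6,$7)/e;
## - if the original logfile is parsed
#s/^(@[a-f0-9]+) \b([\d.]+):(\w+):(\w+) ([\+\-CIX\/]?)\s?\b([a-f0-9]+) ([-.\w]+)/$1." ".printQueryLine($2,$3,$4,$5,$6,$7)/e;
## - if the logfile has been converted with tai64nlocal
#s/^([^\.]+).([0-9]+) \b([\d.]+):(\w+):(\w+) ([\+\-\ICX\/]?)\s?\b([a-f0-9]+) ([-.\w]+)/$1." ".printQueryLine($3,$4,$5,$6,$7,$8)/e;
## - same, additionally prefixed with this machine's host name
# $1 is everything before the first dot of the line; $2 (the digits after
# that dot) is matched but not printed.
s/^([^\.]+).([0-9]+) \b([\w.]+):(\w+):(\w+) ([\+\-\ICX\/]?)\s?\b([a-f0-9]+) ([-.\w]+)/"[$myhost] ".$1." ".printQueryLine($3,$4,$5,$6,$7,$8)/e;

## - ipv6 embedded ipv4-addresses
#s/00000000000000000000ffff//;

# Insert colons after every group of four hex digits.
# NOTE(review): this runs over the whole line, so any run of eight lowercase
# hex characters is rewritten, including one inside a query name or inside
# the host tag. The displayed name can therefore differ from the logged one;
# compare against the raw log when the exact name matters.
# NOTE(review): kept active as it appears in the source - confirm it was not
# meant to be disabled together with the line above.
s/([a-f0-9]{4})([a-f0-9]{4})/$1:$2:/g;

### subs

# Build the descriptive text for one query line.
# $port, $query_id and $query_type are passed as hex strings and converted
# with hex(); $host, $flag and $query are used as given.
sub printQueryLine {
    my ($host, $port, $query_id, $flag, $query_type, $query) = @_;

    my $ret = queryHandle($host, hex($port), hex($query_id), $flag);
    $ret .= " " . queryType(hex($query_type)) . " $query";
    return $ret;
}

# Map a numeric query type to its name from %QTYPE; codes that are not in
# the table are returned as the number itself.
# (An earlier SWITCH-style version of this sub was replaced by the table.)
sub queryType {
    my ($type) = @_;
    return $QTYPE{$type} || $type;
}

# Describe what the server did with the query, based on the flag character.
# An empty flag, or any flag without a branch here (the main pattern also
# accepts X), produces the "[??]" form with the flag echoed.
sub queryHandle {
    my ($q_host, $q_port, $q_id, $q_flag) = @_;
    my $peer = "$q_host:$q_port (id $q_id): ";

    return "sent response to $peer"
        if $q_flag =~ m/\+/;
    return "dropped query (no authority) from $peer"
        if $q_flag =~ m/-/;
    return "dropped query (couldn't parse) from $peer"
        if $q_flag =~ m#/#;
    return "[WARN] sent RCODE of 4 (NOTIMP) to $peer"
        if $q_flag =~ m#I#;
    return "[WARN] sent RCODE of 1 (FORMERR) to $peer"
        if $q_flag =~ m#C#;

    return "[??] $peer$q_flag ";
}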