
STAY ON TOP OF YOUR DNS TRAFFIC

dnsdump is a Perl script that captures and displays DNS messages on your network. Think of it as an alternative to running 'tcpdump port domain' that decodes each DNS message instead of printing raw packets. You can control dnsdump's output using a printf-like format string.

Get The Code

You can download the latest version of dnsdump here.

dnsdump requires the following usually-not-installed-by-default Perl modules:

  • Net::Pcap
  • Net::Packet
  • Net::DNS

Usage

dnsdump -i ifname [-q] [-a] "%field %field ..."

dnsdump -r savefile [-q] [-a] "%field %field ..."

Either the -i ifname or -r savefile command line argument is required. If you don't know the name of your network interface, use netstat -i or ifconfig -a to see a list.

The -q option instructs dnsdump to print only queries. Similarly, the -a option prints only answers (replies).

dnsdump prints the fields that you specify in the format string. The fields and their meanings are:

Field       Description
time        Time that the packet was received
src         Source IP address
dst         Destination IP address
sport       Source port
dport       Destination port
id          Query ID
qr          Query or Response (Query = 0, Response = 1)
opcode      Opcode (QUERY, NOTIFY, UPDATE, etc)
rcode       Response code (NOERROR, NXDOMAIN, REFUSED, etc)
aa          Authoritative Answer bit
tc          Truncation bit
rd          Recursion Desired bit
ra          Recursion Available bit
ad          Authenticated Data bit
qcount      Count of records in the Question section
ancount     Count of records in the Answer section
nscount     Count of records in the Authority section
adcount     Count of records in the Additional section
qname       Query Name (first Question only)
qtype       Query Type (first Question only)
ans         List of Answers (short form)
auth        List of Authority records (short form)
addl        List of Additional records (short form)
question    List of Questions (long form)
answer      List of Answers (long form)
authority   List of Authority records (long form)
additional  List of Additional records (long form)

Note that the format string may include literal text as well.

You may control the width of fields (in the style of printf) by inserting numbers between the "%" and field name. For example:

%5id
%16src
%-5dport

The question/answer/authority/additional fields often contain multiple resource records. To assist with parsing (both by humans and machines) you may tell dnsdump to print delimiters around individual RRs. To do so, add parentheses, brackets, braces, or angle brackets around the field name. For example:

%{question}
%[answer]
%<addl>

Examples

Here are some typical ways to run dnsdump:

# dnsdump -i fxp0 "%time %src %dst %qtype? %qname %ans"
# dnsdump -i eth0 "%src:%sport > %dst:%dport %question %answer"

If you want the IP address and port fields to always line up, you might use:

# dnsdump -i eth0 \
"%16src:%-5sport %16dst:%-5dport %question %answer"

You can mix literal text into the format string to label the fields. For example:

# dnsdump -i em0 \
"%05id aa=%aa tc=%tc rd=%rd ra=%ra QUERY: %qtype %qname ANSWERS: %[answer]"
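The following is an added example, not code from dnsdump or The Measurement Factory. It shows, in Python, the two things the examples above rely on: decoding a DNS message into the field names from the table (header bits, section counts, first question, and one line per resource record), and expanding a dnsdump-style format string with literal text, field widths, left/right alignment, and the (), [], {}, <> delimiters around each RR. The packet-level fields (time, src, dst, sport, dport), which dnsdump takes from pcap, and the sample reply are constructed here; the short-form/long-form distinction is not reproduced; and the zero-padding of %05id, the treatment of unknown fields, and the handling of an unbalanced delimiter are assumptions about dnsdump's behaviour, not taken from its source.

```python
"""Added example (not dnsdump's own code): decode a DNS message into
dnsdump's field names and expand a dnsdump-style format string."""
import re
import struct

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}
# %[-][0]N<name>, where <name> may be wrapped in (), [], {} or <> to delimit each RR
FIELD_RE = re.compile(r"%(-?\d*)(?:\(([a-z]+)\)|\[([a-z]+)\]|\{([a-z]+)\}|<([a-z]+)>|([a-z]+))")
DELIMS = [("(", ")"), ("[", "]"), ("{", "}"), ("<", ">"), ("", "")]


def read_name(msg, off):
    """Return (name, offset past the name at `off`), following RFC 1035 pointers."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # compression pointer
            end = end if jumped else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:                           # refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) or ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_dns(msg, **pkt):
    """Map a DNS message to dnsdump field names; pcap-level fields arrive via **pkt."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    op, rc = (flags >> 11) & 0xF, flags & 0xF
    f = dict(pkt, id=ident, qr=(flags >> 15) & 1, opcode=OPCODES.get(op, str(op)),
             aa=(flags >> 10) & 1, tc=(flags >> 9) & 1, rd=(flags >> 8) & 1,
             ra=(flags >> 7) & 1, ad=(flags >> 5) & 1, rcode=RCODES.get(rc, str(rc)),
             qcount=qd, ancount=an, nscount=ns, adcount=ar, qname="", qtype="",
             question=[], answer=[], authority=[], additional=[])
    off = 12
    for i in range(qd):
        name, off = read_name(msg, off)
        qtype = TYPES.get(struct.unpack("!H", msg[off:off + 2])[0], "TYPE?")
        off += 4                                    # skip qtype and qclass
        if i == 0:
            f["qname"], f["qtype"] = name, qtype
        f["question"].append(f"{name} {qtype}")
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rdlen == 4:
                rdata = ".".join(str(b) for b in msg[off:off + 4])
            elif rtype in (2, 5, 12):               # NS, CNAME, PTR hold a compressible name
                rdata = read_name(msg, off)[0]
            else:
                rdata = msg[off:off + rdlen].hex()
            off += rdlen
            f[section].append(f"{name} {ttl} {TYPES.get(rtype, 'TYPE?')} {rdata}")
    f["ans"], f["auth"], f["addl"] = f["answer"], f["authority"], f["additional"]  # short forms
    return f


def render(fmt, fields):
    """Expand a format string: %Nx right-justifies, %-Nx left-justifies, %0Nx
    zero-pads integers, %[x] brackets each RR; unknown fields stay literal."""
    def expand(m):
        width, *alts = m.groups()
        idx = next(i for i, g in enumerate(alts) if g is not None)
        name, (opener, closer) = alts[idx], DELIMS[idx]
        if name not in fields:
            return m.group(0)
        value = fields[name]
        items = value if isinstance(value, list) else [value]
        text = " ".join(f"{opener}{x}{closer}" for x in items)
        w = width.lstrip("-")
        if w.startswith("0") and isinstance(value, int):
            return f"{value:0{int(w)}d}"
        if w:
            return text.ljust(int(w)) if width.startswith("-") else text.rjust(int(w))
        return text
    return FIELD_RE.sub(expand, fmt)


def sample_response():
    """Constructed sample (not a capture): reply to 'www.example.com A', compressed names."""
    def dns_name(s):
        return b"".join(bytes([len(label)]) + label.encode() for label in s.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 2, 0, 0)   # qr=1 rd=1 ra=1 NOERROR
    question = dns_name("www.example.com") + struct.pack("!HH", 1, 1)
    ptr_www, ptr_example = struct.pack("!H", 0xC00C), struct.pack("!H", 0xC010)
    cname = ptr_www + struct.pack("!HHIH", 5, 1, 300, 2) + ptr_example
    a = ptr_example + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + question + cname + a


FIELDS = parse_dns(sample_response(), time="12:00:00.000000", src="192.0.2.53",
                   dst="192.0.2.10", sport=53, dport=40123)       # constructed pcap fields
```

Calling render("%05id aa=%aa tc=%tc rd=%rd ra=%ra QUERY: %qtype %qname ANSWERS: %[answer]", FIELDS) on the constructed reply reproduces the last example above: a zero-padded ID, the four flag bits, the first question, and each answer RR wrapped in its own square brackets. The regex only accepts a delimiter pair when both halves are present, so a stray "%[id" is left as literal text rather than swallowing the bracket, and the compression-pointer reader caps the number of hops so a malformed message cannot loop the decoder.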

Bugs

dnsdump does not support DNS over TCP at this time. Messages carried over TCP, such as a query retried after a truncated (tc=1) UDP reply or a zone transfer, are therefore not shown.

License

dnsdump is licensed under the BSD license.

Author

dnsdump is written and maintained by Duane Wessels of The Measurement Factory. Please send bug reports and other feedback to wessels at measurement dash factory dot com.


© 2020 The Measurement Factory.