This little tool extracts the transaction ID (TRXID) and UDP source port number from DNS queries and saves each TRXID and port, together with the number of times it appeared, to a file.

This tool can help you to verify your DNS server updates for CVE-2008-1447.

# gcc -o tia tia.c dns_lib.c
# ./tia  spiral.ashpool.org # optional argument
will only monitor packets from host 'spiral.ashpool.org'
        spiral.ashpool.org:51462 -> gate.ashpool.org:53 - transID = 0x6c38
        spiral.ashpool.org:37125 -> gate.ashpool.org:53 - transID = 0xf9e0
        spiral.ashpool.org:44381 -> gate.ashpool.org:53 - transID = 0xbf78
        spiral.ashpool.org:55121 -> gate.ashpool.org:53 - transID = 0x9461
        spiral.ashpool.org:39565 -> gate.ashpool.org:53 - transID = 0xdc1d
        spiral.ashpool.org:45498 -> gate.ashpool.org:53 - transID = 0xa82c
        spiral.ashpool.org:38693 -> gate.ashpool.org:53 - transID = 0xc0b8
        spiral.ashpool.org:46716 -> gate.ashpool.org:53 - transID = 0x37cc
        spiral.ashpool.org:38961 -> gate.ashpool.org:53 - transID = 0x4178
        spiral.ashpool.org:49943 -> gate.ashpool.org:53 - transID = 0x0105
        spiral.ashpool.org:56857 -> gate.ashpool.org:53 - transID = 0x893c
        spiral.ashpool.org:57636 -> gate.ashpool.org:53 - transID = 0x8124
        spiral.ashpool.org:54454 -> gate.ashpool.org:53 - transID = 0xd79f
^C

# cat portnum-stat.txt
51462 1
37125 1
44381 1
55121 1
39565 1
45498 1
38693 1
46716 1
38961 1
49943 1
56857 1
57636 1
54454 1

# cat transid-stat.txt
0x6C38 1
0xF9E0 1
0xBF78 1
0x9461 1
0xDC1D 1
0xA82C 1
0xC0B8 1
0x37CC 1
0x4178 1
0x0105 1
0x893C 1
0x8124 1
0xD79F 1

# hex2bin transid-stat.txt > t.bin

# hex2bin portnum-stat.txt > p.bin

# ent t.bin
Entropy = 7.781153 bits per byte.

Optimum compression would reduce the size
of this 1020 byte file by 2 percent.

Chi square distribution for 1020 samples is 306.68, and randomly
would exceed this value 2.50 percent of the times.

Arithmetic mean value of data bytes is 129.0873 (127.5 = random).
Monte Carlo value for Pi is 2.988235294 (error 4.88 percent).
Serial correlation coefficient is 0.175137 (totally uncorrelated = 0.0).

# ent p.bin
Entropy = 6.636836 bits per byte.

Optimum compression would reduce the size
of this 474 byte file by 17 percent.

Chi square distribution for 474 samples is 750.91, and randomly
would exceed this value 0.01 percent of the times.

Arithmetic mean value of data bytes is 77.1498 (127.5 = random).
Monte Carlo value for Pi is 4.000000000 (error 27.32 percent).
Serial correlation coefficient is 0.901371 (totally uncorrelated = 0.0).
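
A quick complement to the ent statistics above, as an added example that is not part of tia: it classifies a series of observed source ports (or transaction IDs) as fixed, incrementing or varied, the gross patterns worth ruling out when checking a resolver for CVE-2008-1447. The function name, the thresholds and the two constructed series are assumptions; the first series is the port list from the capture above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum verdict { INCONCLUSIVE, FIXED, SEQUENTIAL, VARIED };

/* Assumed threshold for illustration, not a value taken from tia. */
#define MIN_SAMPLES 8

/* v[0..n-1]: source ports or transaction IDs in the order observed.
 * *distinct receives the number of different values seen. */
enum verdict classify(const uint16_t *v, size_t n, size_t *distinct)
{
    size_t step_one = 0;
    uint8_t *seen = calloc(65536, 1);

    *distinct = 0;
    if (seen == NULL)
        return INCONCLUSIVE;
    for (size_t i = 0; i < n; i++) {
        if (!seen[v[i]]) { seen[v[i]] = 1; (*distinct)++; }
        /* the uint16_t cast makes 65535 -> 0 count as a +1 step too */
        if (i > 0 && (uint16_t)(v[i] - v[i - 1]) == 1)
            step_one++;
    }
    free(seen);
    if (n < MIN_SAMPLES)       return INCONCLUSIVE; /* too few queries */
    if (*distinct == 1)        return FIXED;        /* one value reused */
    if (2 * step_one >= n - 1) return SEQUENTIAL;   /* half the steps are +1 (assumed rule) */
    return VARIED;
}

/* Ports from the capture shown above. */
static const uint16_t page_ports[] = { 51462, 37125, 44381, 55121, 39565,
    45498, 38693, 46716, 38961, 49943, 56857, 57636, 54454 };
/* Constructed samples: a single fixed port and an incrementing port. */
static const uint16_t fixed_ports[] = { 32768, 32768, 32768, 32768, 32768, 32768, 32768, 32768 };
static const uint16_t seq_ports[] = { 1030, 1031, 1032, 1033, 1034, 1035, 1036, 1037 };

int main(void)
{
    static const char *name[] = { "inconclusive", "fixed", "sequential", "varied" };
    size_t d;
    printf("page:  %s\n", name[classify(page_ports, 13, &d)]);
    printf("fixed: %s\n", name[classify(fixed_ports, 8, &d)]);
    printf("seq:   %s\n", name[classify(seq_ports, 8, &d)]);
    return 0;
}
```

A "varied" result only rules out these two patterns; the entropy and chi-square figures from ent remain the measure of how well the values are distributed.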

Code of 2008/07/24, version 1.1. It works, nothing more.
