|
| DNSQuerySniffer v1.95
Copyright (c) 2013 - 2023 Nir Sofer
|
See Also
Description
DNSQuerySniffer is a network sniffer utility that shows the DNS queries sent on your system.
For every DNS query, the following information is displayed:
Host Name, Port Number, Query ID, Request Type (A, AAAA, NS, MX, and so on), Request Time, Response Time, Duration,
Response Code, Number of records, and the content of the returned DNS records.
You can easily export the DNS queries information to csv/tab-delimited/xml/html file, or copy the DNS queries to the clipboard, and then paste
them into Excel or other spreadsheet application.
System Requirements
- This utility works on any version of Windows, starting from Windows 2000, and up to Windows 11.
Both 32-bit and 64-bit systems are supported.
- On some systems, capturing packets with the 'Raw Sockets' method may not work properly, and thus
you'll need to install the WinPcap capture driver or the Network Monitor driver.
Even if the 'Raw Sockets' method works properly on your system, it's recommended to install the
WinPcap capture driver or Microsoft Network Monitor driver (version 3.4 or later) in order to get more
accurate date/time information ('Request Time', 'Response Time', and 'Duration' columns)
- In order to use the Network Monitor driver on 64-bit systems, you have to download
the x64 version of DNSQuerySniffer.
Versions History
- Version 1.95
- Added support for using the IP-Location files from https://github.com/sapics/ip-location-db for viewing country/city information of IP addresses found in the A and AAAA records.
- In order to use these IP-Location files, simply download the desired file and put it in the same folder of DNSQuerySniffer.exe with its original filename (For example: asn-country-ipv4.csv , dbip-city-ipv4.csv, asn-country-ipv6.csv)
- Added 'Black Background' option (Under the View menu). When it's turned on, the main table is displayed in black background and white text, instead of default system colors.
- Version 1.91
- Fixed bug: DNSQuerySniffer randomly crashed when using the GeoLite2 City database.
- Version 1.90
- Added 'Show High Resolution Duration' option. When it's turned on, the values in the duration column are displayed in microsecond resolution (e.g: 1.524 ms)
- Version 1.85
- Added option to change the sorting column from the menu (View -> Sort By). Like the column header click sorting, if you click again the same sorting menu item, it'll switch between ascending and descending order. Also, if you hold down the shift key while choosing the sort menu item, you'll get a secondary sorting.
- Updated to work properly in high DPI mode.
- Version 1.81
- Added 'Select All' and 'Deselect All' to the 'Column Settings' window.
- Fixed the /cfg command-line option to load the .cfg file from the current directory if full path is not specified.
- Version 1.80
- Added support for GeoLite2 City and GeoLite2 Country database in CSV format (Both IPv4 and Ipv6 addresses are supported).
- In order to use it, you have to extract the files of GeoLite2 database into the folder of DNSQuerySniffer.exe
- Version 1.76
- Added new Quick Filter option: 'Find records that match the specified host name wildcard (comma-delimited list)'.
For example: if you specify '*.com', only .com hosts will be displayed.
- Version 1.75
- You can now specify wildcard in the host name filter list ('Advanced Options' window), for example: *.com, *.net
- Version 1.73
- Added 'Add Header Line To CSV/Tab-Delimited File' option (Turned on by default).
- Fixed bug: DNSQuerySniffer failed to remember the last size/position of the main window if it was not located in the primary monitor.
- Version 1.72
- Fixed bug from version 1.71: DNSQuerySniffer crashed when selecting loopback interface or other network interfaces without connection information.
- Version 1.71
- The information of the selected network adapter is now displayed in the window title.
- Version 1.70
- Added "Don't Delete Items On Capture Start" option (Under the Options menu).
- Added TEXT column for TEXT records.
- Version 1.65
- Added 'Quick Filter' feature (View -> Use Quick Filter or Ctrl+Q). When it's turned on, you can type a string in the text-box added under the toolbar and DNSQuerySniffer will instantly filter the DNS table, showing only lines that contain the string you typed.
- Version 1.62
- Added /cfg command-line option, which instructs DNSQuerySniffer to use a config file in another location instead if the default config file, for example:
DNSQuerySniffer.exe /cfg "%AppData%\DNSQuerySniffer.cfg"
- Version 1.61
- Added 'Show Only Failed Queries' option (Under the Options menu).
- Version 1.60
- Added option to add the DNS queries into a log file (Comma-delimited or tab-delimited file) in the 'Advanced Options' window.
- Version 1.58
- Added 'Save All Items' option.
- Version 1.57
- DNSQuerySniffer now automatically loads the new version of WinPCap driver from https://nmap.org/npcap/ if it's installed on your system.
- Version 1.56
- Added 'Align Numeric Columns To Right' option.
- Version 1.55
- Added new option: Show only records of the specified domains/host names (In 'Advanced Options' window).
- Added new option: Don't show records of the specified domains/host names (In 'Advanced Options' window).
- Version 1.51
- DNSQuerySniffer now tries to load the dll of Network Monitor Driver 3.x (NmApi.dll) according to the installation path specified in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Netmon3.
This change should solve the problem with loading the Network Monitor Driver 3.x on some systems.
- Version 1.50
- Added 4 columns to the adapters list in the 'Capture Options' window: 'Connection Name', 'MAC Address', 'Instance ID', 'Interface Guid'.
- When using WinPCap driver , DNSQuerySniffer now displays more accurate information in the adapters list of the 'Capture Options' window.
- Version 1.46
- Added 'Auto Size Columns On Every Update' option.
- Version 1.45
- Added option to capture DNS queries on loopback address (127.0.0.1), available in raw sockets capture method.
- Version 1.40
- Added 'Load From Capture File' option.
This option allows you to load a capture file created by WinPcap/Wireshark (Requires the WinPcap driver)
or a capture file created by Microsoft Network Monitor driver (Requires the Network Monitor driver 3.x)
- Version 1.35
- Added 'TTL Display Mode' option, which allows you to display the TTL value of every DNS response.
- Version 1.30
- Version 1.28:
- Added secondary sorting support: You can now get a secondary sorting, by holding down the shift key while clicking the column header. Be aware that you only have to hold down the shift key when clicking the second/third/fourth column. To sort the first column you should not hold down the Shift key.
- Version 1.27:
- Added 'Copy Host Names' option.
- Version 1.26:
- Added 'Always On Top' option.
- Version 1.25:
- DNSQuerySniffer now allows you to automatically add it to the allowed programs list of Windows firewall when starting to capture and remove it when you stop capturing. This option is needed when using the 'Raw Socket' capture method while Windows firewall is turned on, because if DNSQuerySniffer is not added to Windows firewall, the incoming traffic is not captured.
- Version 1.21:
- Added columns names ('IP Address' and 'Adapter Name') to the adapters list on the 'Capture Options' window.
- Version 1.20:
- Added 'Put Icon On Tray' option.
- Version 1.15:
- Added 'IP Country' column, which displays the country of the IP addresses found in the A records of the DNS response.
Requires to download Ip-To-Country database file separately. See the 'IP Address Country/City Information' section for more information.
- Version 1.10:
- Added 'Sort On Every Update' option.
- Version 1.08:
- Fixed bug: The 'Promiscuous Mode' check-box in the 'Capture Options' window was not saved to the configuration file.
- Version 1.07:
- Added 'Show Time In GMT' option.
- Version 1.06:
- Added option to choose another font to use on the main window.
- Version 1.05:
- Added 'Source Address' and 'Destination Address' columns.
- Version 1.00 - First release.
Start Using DNSQuerySniffer
Except of a capture driver that you may need to install, DNSQuerySniffer doesn't require any installation process or additional dll files. In order to start using it, simply run the executable file - DNSQuerySniffer.exe
After running DNSQuerySniffer in the first time, the 'Capture Options' window appears on the screen, and you're requested to choose the capture method and the desired network adapter. In the next time that you use DNSQuerySniffer, it'll automatically start capturing packets with the capture method and the network adapter that you previously selected. You can always change the 'Capture Options' again by pressing F9.
After choosing the capture method and network adapter, DNSQuerySniffer starts the displays the detail of every DNS query sent on your system.
You can press F6 to stop the DNS capture, F5 to start it again, or Ctrl+X to clear the current DNS queries list.
You can select one or more DNS query lines, and then use the 'Save Selected Items' option to export them into csv/tab-delimited/xml/html file.
You can also copy the selected DNS queries to the clipboard (Ctrl+C) and then paste them (Ctrl+V) into Excel or other spreedsheet application.
DNSQuerySniffer Columns
- Host Name:
The host name to query
- Port Number:
The client UDP port that was used to send the DNS query.
- Query ID:
The ID of the query.
- Request Type:
The type of the DNS request - A, AAAA, NS, MX, and so on...
- Request Time:
The exact time that the DNS request was sent. The time is specified in absolute date/time or
relative to the capture start, depending on what you choose in Options -> Time Display Mode.
Be aware that this column displays more accurate result when using WinPcap driver or Microsoft Network Monitor driver, version 3.4 or later.
- Response Time:
The exact time that the DNS response was received. The time is specified in absolute date/time or
relative to the capture start, depending on what you choose in Options -> Time Display Mode.
Be aware that this column displays more accurate result when using WinPcap driver or Microsoft Network Monitor driver, version 3.4 or later.
- Duration:
The time difference in milliseconds between the Request Time and Response Time.
- Response Code:
The returned response code. If the response code is not 'Ok', it means that the DNS server returned an error, and the bullet icon will be in red instead of green.
- Records Count:
Total number of records returned by the DNS server.
- A:
Displays the IP addresses list (IPv4) returned by the DNS server.
- AAAA:
Displays the IP addresses list (IPv6) returned by the DNS server.
- CNAME:
Displays the CNAME record returned by the DNS server.
- NS:
Displays the NS records returned by the DNS server.
- MX:
Displays the MX records returned by the DNS server.
- PTR:
Displays the PTR records returned by the DNS server.
- SOA:
Displays the SOA record returned by the DNS server.
- Source Address:
The IP address of the client that sent the DNS query.
- Destination Address:
The IP address of the DNS server that received the DNS query.
Meaning of icon color
- Green - Success response received from the DNS server.
- Red - Failed response received from the DNS server.
- Yellow - There is no any response from the DNS server.
IP Address Country/City Information
DNSQuerySniffer allows you to view country/city information for every IP address found in the A records and AAAA records of the DNS response ('IP Country' column).
In order to use this feature, simply download the desired city or country file from https://github.com/sapics/ip-location-db,
and then put it in the same folder of TcpLogView.exe with its original filename (For example: asn-country-ipv4.csv , asn-country-ipv6.csv)
Integration with IPNetInfo utility
If you want to get more information about the IP address displayed in the DNS A record,
you can use the Integration with IPNetInfo utility in order to easily view the IP address information loaded directly from WHOIS servers:
- Download and run the latest version of IPNetInfo utility.
- Select the desired items, and then choose "IPNetInfo - A Record" from the File menu (or simply click Ctrl+I).
- IPNetInfo will retrieve the information about IP addresses of the selected items.
Command-Line Options
/cfg <Filename>
|
Start DNSQuerySniffer with the specified configuration file.
For example:
DNSQuerySniffer.exe /cfg "c:\config\dqs.cfg"
DNSQuerySniffer.exe /cfg "%AppData%\DNSQuerySniffer.cfg"
|
Translating DNSQuerySniffer to other languages
In order to translate DNSQuerySniffer to other language, follow the instructions below:
- Run DNSQuerySniffer with /savelangfile parameter:
DNSQuerySniffer.exe /savelangfile
A file named DNSQuerySniffer_lng.ini will be created in the folder of DNSQuerySniffer utility.
- Open the created language file in Notepad or in any other text editor.
- Translate all string entries to the desired language.
Optionally, you can also add your name and/or a link to your Web site.
(TranslatorName and TranslatorURL values) If you add this information, it'll be
used in the 'About' window.
- After you finish the translation, Run DNSQuerySniffer, and all translated
strings will be loaded from the language file.
If you want to run DNSQuerySniffer without the translation, simply rename the language file, or move
it to another folder.
License
This utility is released as freeware.
You are allowed to freely distribute this utility via floppy disk, CD-ROM,
Internet, or in any other way, as long as you don't charge anything for this and you don't
sell it or distribute it as a part of commercial product.
If you distribute this utility, you must include all files in
the distribution package, without any modification !
Disclaimer
The software is provided "AS IS" without any warranty, either expressed or implied,
including, but not limited to, the implied warranties of merchantability and fitness
for a particular purpose. The author will not be liable for any special, incidental,
consequential or indirect damages due to loss of data or any other reason.
Feedback
If you have any problem, suggestion, comment, or you found a bug in my utility,
you can send a message to nirsofer@yahoo.com
DNSQuerySniffer is also available in other languages. In order to change the language of
DNSQuerySniffer, download the appropriate language zip file, extract the 'dnsquerysniffer_lng.ini',
and put it in the same folder that you Installed DNSQuerySniffer utility.
|
|