On some systems, you will need to install a packet capture driver first, such as WinPcap. I installed it on the system on which I wished to use DNSQuerySniffer, since the developer mentioned "Even if the 'Raw Sockets' method works properly on your system, it's recommended to install the WinPcap capture driver or Microsoft Network Monitor driver (version 3.4 or later) in order to get more accurate date/time information ('Request Time', 'Response Time', and 'Duration' columns)". The developer also mentions "In order to use the Network Monitor driver on 64-bit systems, you have to download the x64 version of DNSQuerySniffer." Since I wished to run it on a 64-bit Microsoft Windows Professional system, I installed the 64-bit version of DNSQuerySniffer. There is no installation process needed for the software; you just extract the files within the zip file you downloaded to whatever directory you wish to hold the DNSQuerySniffer program.
The program is fairly small, using only about 10 MB of disk space even when you add the optional IP to Country database, which you don't have to download in order to use DNSQuerySniffer. Without that database the program uses only a little over 200 KB of disk space.
C:\Program Files\NirSoft\dnsquerysniffer-x64>dir
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\Program Files\NirSoft\dnsquerysniffer-x64

12/12/2014  10:46 PM    <DIR>          .
12/12/2014  10:46 PM    <DIR>          ..
12/12/2014  10:50 PM             1,092 DNSQuerySniffer.cfg
11/25/2014  10:06 PM            18,162 DNSQuerySniffer.chm
11/25/2014  10:06 PM           196,192 DNSQuerySniffer.exe
12/12/2014  06:40 AM         9,984,190 IpToCountry.csv
11/25/2014  10:06 PM            10,163 readme.txt
               5 File(s)     10,209,799 bytes
The zip file you download contains DNSQuerySniffer.chm (the help file), DNSQuerySniffer.exe, and readme.txt. The DNSQuerySniffer.cfg file gets created the first time you run the program and configure it.
IP Address Country/City Information
DNSQuerySniffer allows you to view country/city information for every IP address found in the A records of the DNS response ('IP Country' column). In order to activate this feature, you have to download one of the following external files and put the file in the same folder as DNSQuerySniffer.exe:
- http://software77.net/geo-ip/: Download the IPv4 CSV file, extract it from the zip/gz file, and put it in the same folder as DNSQuerySniffer.exe as IpToCountry.csv
- GeoLite City database: Download the GeoLite City in Binary / gzip (GeoLiteCity.dat.gz) and put it in the same folder as DNSQuerySniffer.exe
If you want a faster loading process, extract GeoLiteCity.dat from GeoLiteCity.dat.gz and put it in the same folder as DNSQuerySniffer.exe
You can download the IP to Country Database (IPV4 and IPV6) by going to the linked URL. On the right-side of the page is a download link where you can specify the format for the file you wish to download, e.g. "IPV4 CSV (gz)"; I chose "IPV4 CSV (zip)" and then clicked on the "Download" button, which gave me an IpToCountry.csv.zip file. I unzipped the file and placed the .csv file in the directory where I placed the DNSQuerySniffer.exe file.
The first time you start the software, you will be presented with a window where you can select Capture Options. Since I had installed the WinPcap Packet Capture Driver as recommended by the developer to get more accurate date/time information, I selected that as the capture method rather than "Raw Sockets (Windows 2000/XP)". I also chose the system's Realtek PCIe GBE Family Controller network interface card (NIC) as the network adapter. Note: the IP address of 0.0.0.0 indicates the program will monitor all IP addresses for the system.
When you open the program, it will automatically start capturing the DNS queries issued by the system to a DNS server and display them. The Host Name, local Port Number, Query ID, Request Type, Request Time, Response Time, and Duration are displayed for each query.
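To show what lies behind those columns, here is an added example (written for this page, not DNSQuerySniffer's own code) that parses raw DNS query and response payloads with Python's struct module and pairs each response with its request by local port and transaction ID, which is how a sniffer can fill in Host Name, Query ID, Request Type and Duration. The packets are constructed inline with the helper builders; the builders, timestamps, port numbers and addresses are all assumptions for the demonstration.

```python
"""Parse DNS payloads and pair responses with requests, as a DNS sniffer must.

Added example, not DNSQuerySniffer's code. The query/response builders, the
timestamps and the ports below are constructed for the demonstration.
"""
import struct

QTYPE_NAMES = {1: "A", 28: "AAAA", 5: "CNAME", 15: "MX", 16: "TXT"}


def encode_name(name):
    """Encode a dotted host name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2             # the name field ends after the pointer
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 64:                    # refuse pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_dns(payload):
    """Return id, direction, questions [(name, type)] and A-record answers."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(payload, off)
        qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append((name, QTYPE_NAMES.get(qtype, str(qtype))))
    for _ in range(an):
        _name, off = decode_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:        # A record: 4-byte IPv4 address
            answers.append(".".join(str(b) for b in rdata))
    return {"id": tid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def build_query(tid, name, qtype=1):
    """Constructed standard query with the RD flag set."""
    return struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(tid, name, ips, qtype=1):
    """Constructed response echoing the question and answering with A records."""
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    answers = b""
    for ip in ips:   # name is a pointer to offset 12, where the question name sits
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + answers


def pair_packets(packets):
    """packets: (timestamp_s, src_port, dst_port, payload). Returns one row per
    answered query with the sniffer-style columns."""
    pending, rows = {}, []
    for ts, sport, dport, payload in packets:
        msg = parse_dns(payload)
        if not msg["is_response"]:
            pending[(sport, msg["id"])] = (ts, msg)
            continue
        key = (dport, msg["id"])
        if key not in pending:
            continue                          # unsolicited response: nothing to pair with
        req_ts, req = pending.pop(key)
        host, qtype = req["questions"][0]
        rows.append({"host": host, "port": dport, "id": msg["id"], "type": qtype,
                     "duration_ms": round((ts - req_ts) * 1000, 1), "answers": msg["answers"]})
    return rows


# Constructed exchange: client port 53124 asks, server port 53 answers; the
# third packet carries an ID no request used and is therefore ignored.
SAMPLE_PACKETS = [
    (10.000, 53124, 53, build_query(0x1A2B, "www.example.com")),
    (10.012, 53, 53124, build_response(0x1A2B, "www.example.com", ["192.0.2.10", "192.0.2.11"])),
    (10.020, 53, 53124, build_response(0x9999, "www.example.com", ["203.0.113.5"])),
]

if __name__ == "__main__":
    for row in pair_packets(SAMPLE_PACKETS):
        print(row)
```

Matching on (port, ID) is exactly why an unmatched response is dropped rather than displayed: a reply whose transaction ID and destination port do not correspond to an outstanding query is noise to the sniffer, and the same pair is what a resolver checks before accepting an answer.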
If you double-click on an entry, you will see further information on the entry.
The "IP Country" information won't be shown unless you put one of the IP to country databases in the same directory where you placed the DNSQuerySniffer program. If you place a database there while the program is running, you will have to close the program and reopen it for it to be able to associate an IP address with a country.
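For both the IP Address Country/City Information section above and the "IP Country" column just mentioned, here is an added example (not DNSQuerySniffer's own code) of how a lookup against an IpToCountry.csv file works. It assumes the software77.net layout, in which comment lines start with '#' and each data row holds quoted fields IP_FROM, IP_TO, REGISTRY, ASSIGNED, CTRY, CNTRY, COUNTRY with the first two as 32-bit integers; the rows embedded below are constructed from documentation address blocks, not real allocations.

```python
"""Country lookup for IPv4 addresses against a software77-style IpToCountry.csv.

Added example, not DNSQuerySniffer's code. Assumes the software77.net
layout: '#' comment lines, then quoted rows
"IP_FROM","IP_TO","REGISTRY","ASSIGNED","CTRY","CNTRY","COUNTRY".
The sample rows are constructed (10/8 and RFC 5737 documentation blocks).
"""
import bisect
import csv
import io
import ipaddress

SAMPLE_CSV = """\
# IP to Country database - constructed sample rows for this example
"167772160","184549375","arin","1234567890","US","USA","United States"
"3325256704","3325256959","apnic","1234567890","AU","AUS","Australia"
"3221225984","3221226239","ripencc","1234567890","DE","DEU","Germany"
"""


def load_ranges(text):
    """Parse CSV text into three parallel lists sorted by range start."""
    data_lines = (line for line in io.StringIO(text)
                  if line.strip() and not line.startswith("#"))
    rows = []
    for row in csv.reader(data_lines):
        if len(row) < 5:
            continue                      # malformed row: skip instead of crashing
        rows.append((int(row[0]), int(row[1]), row[4]))
    rows.sort()                           # bisect needs ascending starts
    starts = [r[0] for r in rows]
    ends = [r[1] for r in rows]
    countries = [r[2] for r in rows]
    return starts, ends, countries


def lookup_country(ranges, ip):
    """Return the two-letter country code for ip, or None if no range covers it."""
    starts, ends, countries = ranges
    n = int(ipaddress.IPv4Address(ip))
    i = bisect.bisect_right(starts, n) - 1   # last range starting at or before n
    if i >= 0 and starts[i] <= n <= ends[i]:
        return countries[i]
    return None


if __name__ == "__main__":
    ranges = load_ranges(SAMPLE_CSV)
    for addr in ("10.1.2.3", "192.0.2.10", "198.51.100.7", "203.0.113.1"):
        print(addr, lookup_country(ranges, addr))
```

Loading the whole file once and binary-searching it per address is also why the tool has to be restarted after the database is dropped into its folder: the ranges are read at startup, not on every lookup.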
If you want to stop the capture of DNS queries, click on File and select Stop Capture.
You can click on File and Save Selected Items to save highlighted items to a file. If you want to highlight all entries, hit Ctrl-A. You can use the standard methods for highlighting rows of data in Windows. E.g., you can highlight a block of items by clicking on the first one, then moving the mouse to the lowest item in the list you wish to highlight and clicking again while holding down the Shift key. Or, if you don't want to highlight a continuous block of items, you can click on the first and then select others by holding down the Ctrl key while clicking on them.
The formats from which you can choose for the output file are as follows:
An example text file for just one entry can be seen here. The destination address in the file is the IP address of the DNS server that was queried.
You can also get an HTML report by clicking on View and selecting "HTML Report - All Items" or "HTML Report - Selected Items". An HTML file will then be generated and placed in the folder in which you placed the DNSQuerySniffer program (example HTML report).
Created: Friday December 12, 2014