DNSQuerySniffer v1.35
Copyright (c) 2013 - 2014 Nir Sofer
Web site: http://www.nirsoft.net


Description
===========

DNSQuerySniffer is a network sniffer utility that shows the DNS queries sent on your system. For every DNS query, the following information is displayed: Host Name, Port Number, Query ID, Request Type (A, AAAA, NS, MX, and so on), Request Time, Response Time, Duration, Response Code, Number of records, and the content of the returned DNS records.
You can easily export the DNS queries information to a csv/tab-delimited/xml/html file, or copy the DNS queries to the clipboard and then paste them into Excel or another spreadsheet application.


System Requirements
===================

* This utility works on any version of Windows, starting from Windows 2000, and up to Windows 8. Both 32-bit and 64-bit systems are supported.
* On some systems, capturing packets with the 'Raw Sockets' method may not work properly, and thus you'll need to install the WinPcap capture driver or the Network Monitor driver. Even if the 'Raw Sockets' method works properly on your system, it's recommended to install the WinPcap capture driver or Microsoft Network Monitor driver (version 3.4 or later) in order to get more accurate date/time information ('Request Time', 'Response Time', and 'Duration' columns).
* In order to use the Network Monitor driver on 64-bit systems, you have to download the x64 version of DNSQuerySniffer.


Versions History
================

* Version 1.35
  o Added 'TTL Display Mode' option, which allows you to display the TTL value of every DNS response.
* Version 1.30
  o Added integration with IPNetInfo utility
* Version 1.28:
  o Added secondary sorting support: You can now get a secondary sorting by holding down the Shift key while clicking the column header. Be aware that you only have to hold down the Shift key when clicking the second/third/fourth column. To sort the first column you should not hold down the Shift key.
* Version 1.27:
  o Added 'Copy Host Names' option.
* Version 1.26:
  o Added 'Always On Top' option.
* Version 1.25:
  o DNSQuerySniffer now allows you to automatically add it to the allowed programs list of Windows firewall when starting to capture and remove it when you stop capturing. This option is needed when using the 'Raw Socket' capture method while Windows firewall is turned on, because if DNSQuerySniffer is not added to Windows firewall, the incoming traffic is not captured.
* Version 1.21:
  o Added column names ('IP Address' and 'Adapter Name') to the adapters list on the 'Capture Options' window.
* Version 1.20:
  o Added 'Put Icon On Tray' option.
* Version 1.15:
  o Added 'IP Country' column, which displays the country of the IP addresses found in the A records of the DNS response. Requires downloading the Ip-To-Country database file separately. See the 'IP Address Country/City Information' section for more information.
* Version 1.10:
  o Added 'Sort On Every Update' option.
* Version 1.08:
  o Fixed bug: The 'Promiscuous Mode' check-box in the 'Capture Options' window was not saved to the configuration file.
* Version 1.07:
  o Added 'Show Time In GMT' option.
* Version 1.06:
  o Added option to choose another font to use on the main window.
* Version 1.05:
  o Added 'Source Address' and 'Destination Address' columns.
* Version 1.00 - First release.


Start Using DNSQuerySniffer
===========================

Except for a capture driver that you may need to install, DNSQuerySniffer doesn't require any installation process or additional dll files. In order to start using it, simply run the executable file - DNSQuerySniffer.exe

After running DNSQuerySniffer for the first time, the 'Capture Options' window appears on the screen, and you're requested to choose the capture method and the desired network adapter. The next time you use DNSQuerySniffer, it'll automatically start capturing packets with the capture method and the network adapter that you previously selected.
You can always change the 'Capture Options' again by pressing F9.

After you choose the capture method and network adapter, DNSQuerySniffer starts to display the details of every DNS query sent on your system. You can press F6 to stop the DNS capture, F5 to start it again, or Ctrl+X to clear the current DNS queries list.

You can select one or more DNS query lines, and then use the 'Save Selected Items' option to export them into a csv/tab-delimited/xml/html file. You can also copy the selected DNS queries to the clipboard (Ctrl+C) and then paste them (Ctrl+V) into Excel or another spreadsheet application.


DNSQuerySniffer Columns
=======================

* Host Name: The host name to query.
* Port Number: The client UDP port that was used to send the DNS query.
* Query ID: The ID of the query.
* Request Type: The type of the DNS request - A, AAAA, NS, MX, and so on...
* Request Time: The exact time that the DNS request was sent. The time is specified in absolute date/time or relative to the capture start, depending on what you choose in Options -> Time Display Mode. Be aware that this column displays a more accurate result when using the WinPcap driver or Microsoft Network Monitor driver, version 3.4 or later.
* Response Time: The exact time that the DNS response was received. The time is specified in absolute date/time or relative to the capture start, depending on what you choose in Options -> Time Display Mode. Be aware that this column displays a more accurate result when using the WinPcap driver or Microsoft Network Monitor driver, version 3.4 or later.
* Duration: The time difference in milliseconds between the Request Time and Response Time.
* Response Code: The returned response code. If the response code is not 'Ok', it means that the DNS server returned an error, and the bullet icon will be in red instead of green.
* Records Count: Total number of records returned by the DNS server.
* A: Displays the IP addresses list (IPv4) returned by the DNS server.
* AAAA: Displays the IP addresses list (IPv6) returned by the DNS server.
* CNAME: Displays the CNAME record returned by the DNS server.
* NS: Displays the NS records returned by the DNS server.
* MX: Displays the MX records returned by the DNS server.
* PTR: Displays the PTR records returned by the DNS server.
* SOA: Displays the SOA record returned by the DNS server.
* Source Address: The IP address of the client that sent the DNS query.
* Destination Address: The IP address of the DNS server that received the DNS query.


IP Address Country/City Information
===================================

DNSQuerySniffer allows you to view country/city information for every IP address found in the A records of the DNS response ('IP Country' column). In order to activate this feature, you have to download one of the following external files, and put the file in the same folder as DNSQuerySniffer.exe:
* http://software77.net/geo-ip/: Download the IPv4 CSV file, extract it from the zip/gz file, and put it in the same folder as DNSQuerySniffer.exe, named IpToCountry.csv
* GeoLite City database: Download the GeoLite City in Binary / gzip (GeoLiteCity.dat.gz) and put it in the same folder as DNSQuerySniffer.exe
  If you want a faster loading process, extract GeoLiteCity.dat from GeoLiteCity.dat.gz and put it in the same folder as DNSQuerySniffer.exe


Integration with IPNetInfo utility
==================================

If you want to get more information about the IP address displayed in the DNS A record, you can use the integration with the IPNetInfo utility in order to easily view the IP address information loaded directly from WHOIS servers:
1. Download and run the latest version of IPNetInfo utility.
2. Select the desired items, and then choose "IPNetInfo - A Record" from the File menu (or simply press Ctrl+I).
3. IPNetInfo will retrieve the information about IP addresses of the selected items.
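
A short triage pass over the csv export and the columns described under 'DNSQuerySniffer Columns', as an added example that is not part of this readme's original text or of the utility itself. It assumes the export's header row uses the column names listed above and that 'Duration' begins with a number of milliseconds; the sample rows, the non-'Ok' code texts, and the thresholds are constructed.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample export. Assumption: header names match the readme's
# column names; addresses and host names are documentation placeholders.
SAMPLE_EXPORT = """Host Name,Port Number,Query ID,Request Type,Duration,Response Code,Records Count,A,Source Address,Destination Address
www.example.com,53124,4101,A,24,Ok,1,203.0.113.5,192.0.2.10,192.0.2.53
a1.example.test,53125,4102,A,31,Name Error,0,,192.0.2.11,192.0.2.53
b2.example.test,53126,4103,A,29,Name Error,0,,192.0.2.11,192.0.2.53
mail.example.org,53127,4104,MX,812,Ok,2,,192.0.2.10,192.0.2.53
c3.example.test,53128,4105,A,40,Server Failure,0,,192.0.2.12,192.0.2.53
"""


def load_export(text):
    """Parse an exported csv into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def duration_ms(row):
    """Return the leading number of the Duration cell, or None if absent."""
    match = re.match(r"\s*(\d+(?:\.\d+)?)", row.get("Duration") or "")
    return float(match.group(1)) if match else None


def triage(rows, slow_ms=500.0, fail_threshold=2):
    """Summarise failed lookups, clients with repeated failures, slow queries.

    Per the readme, any Response Code other than 'Ok' is a server error.
    slow_ms and fail_threshold are illustrative defaults, not tool settings.
    """
    failed = [r for r in rows
              if (r.get("Response Code") or "").strip().lower() != "ok"]
    per_client = Counter(r["Source Address"] for r in failed)
    return {
        "failed_hosts": sorted({r["Host Name"] for r in failed}),
        "noisy_clients": sorted(c for c, n in per_client.items()
                                if n >= fail_threshold),
        "slow_hosts": sorted(r["Host Name"] for r in rows
                             if (duration_ms(r) or 0.0) > slow_ms),
    }


if __name__ == "__main__":
    for key, values in triage(load_export(SAMPLE_EXPORT)).items():
        print(f"{key}: {values}")
```
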


Translating DNSQuerySniffer to other languages
==============================================

In order to translate DNSQuerySniffer to another language, follow the instructions below:
1. Run DNSQuerySniffer with the /savelangfile parameter:
   DNSQuerySniffer.exe /savelangfile
   A file named DNSQuerySniffer_lng.ini will be created in the folder of the DNSQuerySniffer utility.
2. Open the created language file in Notepad or in any other text editor.
3. Translate all string entries to the desired language. Optionally, you can also add your name and/or a link to your Web site (TranslatorName and TranslatorURL values). If you add this information, it'll be used in the 'About' window.
4. After you finish the translation, run DNSQuerySniffer, and all translated strings will be loaded from the language file.
   If you want to run DNSQuerySniffer without the translation, simply rename the language file, or move it to another folder.


License
=======

This utility is released as freeware. You are allowed to freely distribute this utility via floppy disk, CD-ROM, Internet, or in any other way, as long as you don't charge anything for this and you don't sell it or distribute it as a part of a commercial product. If you distribute this utility, you must include all files in the distribution package, without any modification!


Disclaimer
==========

The software is provided "AS IS" without any warranty, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The author will not be liable for any special, incidental, consequential or indirect damages due to loss of data or any other reason.


Feedback
========

If you have any problem, suggestion, comment, or you found a bug in my utility, you can send a message to nirsofer@yahoo.com