SYNOPSIS

       dpa [ OPTION ] TRACEFILE

DESCRIPTION

       dpa  is  used  to  analyze  dns  packets  in trace files. It has 3 main
       options: count, filter, and count uniques  (i.e.  count  all  different
       occurences).

OPTIONS

       -c expressionlist
              Count occurrences of matching expressions


       -f expression
              Filter: only process packets that match the expression


       -h     Show usage


       -p     Show  the total number of correct DNS packets, and percentage of
              -u and -c values  (of the total of matching on the -f filter. if
              no filter is given, percentages are on all correct dns packets)


       -of file
              Write all packets (IP wire data) that match the -f flag to file.


       -s     Show possible match names


       -s matchname
              show possible match operators and values for name


       -sf    Only evaluate packets (in representation format) that match  the
              -f filter. If no -f was given, evaluate all correct dns packets.


       -u matchnamelist
              Count every occurence of  every  value  of  the  matchname  (for
              instance, count all packetsizes, see EXAMPLES).


       -ua    For  every  matchname in -u, show the average value all packets.
              Behaviour for match types that do not have an integer  value  is
              undefined.

LIST AND MATCHES

       A <matchnamelist> is a comma separated list of match names (use  -s  to
       see  possible  match  names).   A <expressionlist> is a comma separated
       list of expressions.

       An expression has the following form: <expr>: (<expr>)
               <expr> | <expr>
               <expr> & <expr>
               <match>

       <match>:        <matchname> <operator> <value>

       <operator>:      =    equal to <value>      !=   not equal  to  <value>
            >    greater    than   <value>        <    lesser   than   <value>
            >=   greater than or equal to  <value>       <=   lesser  than  or
       equal to <value>      ~=   contains <value>

       See the -s option for possible matchnames, operators and values.

EXAMPLES

       dpa -u packetsize -p test.tr
              Count all different packetsizes in test.tr and show the precent-
              ages.


       dpa -f "edns=1&qr=0" -of edns.tr test.tr
              Filter out all edns enable queries in test.tr and  put  them  in
              edns.tr


       dpa -f edns=1 -c tc=1 -u rcode test.tr
              For  all edns packets, count the number of truncated packets and
              all their rcodes in test.tr.


       dpa -c tc=1,qr=0,qr=1,opcode=QUERY test.tr
              For all packets, count the number of truncated packets, the num-
              ber  of  packets  with qr=0, the number of packets with qr=1 and
              the number of queries in test.tr.


       dpa -u packetsize -ua test.tr
              Show all packet sizes and the average packet size per packet.


       dpa -u srcaddress -uac test.tr
              Show all packet source addresses and the average number of pack-
              ets sent from this address.

AUTHOR

                                  1 Nov 2005                            dpa(1)