drool(1) FreeBSD General Commands Manual drool(1)

drool - DNS Replay Tool

drool [-c [type:]config] [-l facility[:level]] [-L facility[:level]] [-f filter] [-i interface] [-r file.pcap] [-R mode] [-nvhV]

drool can replay DNS traffic from packet capture (PCAP) files and send it to a specified server, with options to manipulate the timing between packets and to loop packets infinitely or for a set number of iterations. The tool's goal is to produce a high rate of UDP packets per second and TCP sessions per second on common hardware.

The purpose can be to simulate Distributed Denial of Service (DDoS) attacks on the DNS and measure normal DNS querying. For example, the tool could enable you to take a snapshot of a DDoS and be able to replay it later to test if new code or hardening techniques are useful, safe & effective. Another example is to be able to replay a packet stream for a bug that is sequence- and/or timing-related in order to validate the efficacy of subsequent bug fixes.

Most of the functionality of this tool is controlled by the configuration used; see drool.conf(5) for more information.

input -> context -+-> client pool -> target
                  +-> client pool -> target
                  +-> client pool -> target

Each file read or interface listened on is a context that runs in its own thread, parses the input for DNS queries, and puts them into a queue within the context.

Each context can have one or more client pools.

Each client pool runs in its own thread, waits for DNS queries on the context queue and sends them to the target.

See drool.conf(5) for the current implementation limitations.

-c [type:]config
Specify the configuration to use. If no type is given, config is expected to be a file. Valid types are file and text. Can be given multiple times and will be processed in the given order. See drool.conf(5) for configuration syntax.
-l facility[:level]
Enable logging for facility; an optional log level can be given to enable just that level. Can be given multiple times and will be processed in the given order. See LOGGING for more information.
-L facility[:level]
Disable logging for facility; an optional log level can be given to disable just that level. Can be given multiple times and will be processed in the given order. See LOGGING for more information.
-f filter
Set the Berkeley Packet Filter to use.
-i interface
Capture packets from interface; can be given multiple times.
-r file.pcap
Read packets from PCAP file; can be given multiple times.
-R mode
Specify the mode for reading PCAP files; see READ MODES for available modes.
-n
Dry run mode, do not allocate any outbound sockets or generate any network traffic.
-v
Enable verbose output, a simple way to enable logging. Can be given multiple times to increase verbosity level.
-h
Print help and exit.
-V
Print version and exit.

LOGGING

Logging is enabled and disabled in the order specified on the command line, which allows enabling all logging and then disabling specific facilities or levels, for example:

drool -l all -L network:debug

The following logging facilities exist:

core
Log messages about initializing, configuration and start up.
network
Log messages about network related tasks.
all
Log messages for all facilities, this is only used to configure logging.

The following logging levels exist for all facilities:

debug
Log messages about the very inner workings, use with caution since it generates a lot of messages.
info
Log messages of the informational kind that may not be interesting in normal operation.
notice
Log messages of the informational kind that may be interesting in normal operation.
warning
Log messages of the warning kind that indicate possible disruption in operation.
error
Log messages of the error kind that will most likely result in termination of operation.
critical
Log messages of the critical kind that indicate termination of operation.
all
Log messages for all levels, this is only used to configure logging.

READ MODES

loop
Loop the given file(s) until interrupted.
iter:number
Iterate the given file(s) for number of times.

drool will exit once processing of PCAP files is complete or if interrupted (CTRL-C or SIGINT). If any interface is being processed or if loop read mode is being used, then drool must be interrupted in order to exit.

drool can be forcefully exited by interrupting (CTRL-C or SIGINT) twice.

0 - no error
1 - generic error
2 - unknown or invalid option
3 - conf file error
4 - signal setup or handling error
5 - signal received
6 - pcap-thread error
7 - out of memory

drool -vv -c 'text:timing multiply 0.5; client_pool target "127.0.0.1" "53"; client_pool sendas udp;' -r file.pcap

Send all DNS queries twice as fast as found in the PCAP file to localhost using UDP.

drool -vv -c 'text:filter "tcp"; client_pool target "127.0.0.1" "53";' -r file.pcap

Only look for DNS queries in TCP traffic and send them to localhost.

drool -vv -c 'text:filter "port 53"; client_pool target "172.16.1.2" "53";' -i eth0

Listen for DNS queries on eth0 and send them to an (assumed) internal server.

drool -vv -c 'text:filter "udp"; timing ignore; context client_pools 5; client_pool target "127.0.0.1" "53"; client_pool skip_reply;' -r file.pcap

Take all UDP DNS queries found in the PCAP file and send them as fast as possible to localhost by ignoring both timings and replies and starting 5 contexts (threads) that will simultaneously send queries.
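
A preflight wrapper for the replay commands above, as an added example (not part of drool or its documentation): it refuses any client_pool target outside IPv4 loopback or RFC 1918 space, then runs drool with -n so the configuration and PCAP are checked without generating traffic. The function names, the DROOL override variable and the return value 64 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of drool. Function names are hypothetical.

# Print every address named in a `client_pool target "addr" "port";` statement.
targets_of() {
    printf '%s\n' "$1" | tr ';' '\n' |
        sed -n 's/^[[:space:]]*client_pool target "\([^"]*\)".*/\1/p'
}

# Succeed only for IPv4 loopback or RFC 1918 prefixes; anything else
# (hostnames, IPv6, public addresses) fails closed.
is_lab_target() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
        127.*|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Map the exit codes listed in this man page to their meaning.
drool_exit_reason() {
    case "$1" in
        0) echo "no error" ;;
        1) echo "generic error" ;;
        2) echo "unknown or invalid option" ;;
        3) echo "conf file error" ;;
        4) echo "signal setup or handling error" ;;
        5) echo "signal received" ;;
        6) echo "pcap-thread error" ;;
        7) echo "out of memory" ;;
        *) echo "unexpected exit code $1" ;;
    esac
}

# preflight CONFIG_TEXT PCAP: refuse non-lab targets (returns 64, a value
# drool itself does not use), then dry-run drool with -n so no traffic is sent.
preflight() {
    found=0
    for t in $(targets_of "$1"); do
        found=1
        is_lab_target "$t" || { echo "refusing non-lab target: $t" >&2; return 64; }
    done
    [ "$found" -eq 1 ] || { echo "no client_pool target in config" >&2; return 64; }
    rc=0
    "${DROOL:-drool}" -n -c "text:$1" -r "$2" || rc=$?
    [ "$rc" -eq 0 ] || echo "dry run failed: $(drool_exit_reason "$rc")" >&2
    return "$rc"
}
```

Pass the configuration without the text: prefix, and start the real replay only when preflight returns 0.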

drool.conf(5)

Jerry Lundström, DNS-OARC

Maintained by DNS-OARC

https://www.dns-oarc.net/

For issues and feature requests please use:

https://github.com/DNS-OARC/drool/issues

For questions and help please use:

admin@dns-oarc.net
1.1.0 DNS Replay Tool
