Reassemble DNS Messages from PCAP

reassembledns extracts DNS messages from *.pcap files and writes them to a binary *.dns file. IP fragments and DNS-over-TCP connections are reassembled into whole DNS messages for easy analysis of network traces.

Features

reassembledns function diagram

TCP Reassembly

DNS-over-TCP connections

DNS-over-TCP allows the transport of multiple DNS messages over one TCP connection. RFC 1035 specifies a protocol, which prepends each DNS message with its length. Unlike with UDP, DNS messages are not aligned to the underlying TCP segments. One data segment may contain part of a DNS message or more than one DNS message. reassembledns hides this complexity and returns whole DNS messages.

TCP duplicates

TCP connections are processed as undirectional TCP streams. Each TCP stream starts with a SYN or SYN/ACK segment and is concluded by a FIN or RST segment, but only if the sequence numbers match. Idle connections are force-closed after a 10 minutes timeout to avoid state bloat when parsing huge files. Duplicate or out-of-order data is handled in accordance with TCP sequence number arithmetic (RFC 793). Retransmitted data does not need to be aligned to the same segment sizes, i.e., partly overlapping segments are handled appropriately.

Usage

# Reassemble PCAP input into DNS output
python3 -m reassembledns.pcap input.pcap output.dns
# Parse DNS file
python3 -m reassembledns.parser output.dns

Custom analysis scripts can import reassembledns.parser and use the following functions to iterate over DNS messages:

The *.dns file format is documented in dns_file_format.txt.

Installation

Prerequisites

Download

Old version for Python 2.7: reassemble_dns.tar.gz