The contents of this legacy page are no longer maintained nor supported, and are made available only for historical purposes.


dnstop is a libpcap application (ala tcpdump) that displays various tables of DNS traffic on your network, including tables of source and destination IP addresses, query types, top level domains and second level domains.

The dnstop tool is written by Duane Wessels and maintained at the Measurement Factory (


dnstop is a libpcap application (a la tcpdump) that displays various tables of DNS traffic on your network. Currently dnstop displays tables of:

  • Source IP addresses
  • Destination IP addresses
  • Query types
  • Top level domains
  • Second level domains

If people find dnstop useful and interesting, we plan to add additional tables, such as classification of legitimate/illegitimate queries.

Download and Compile

You can download the dnstop code at

dnstop is still relatively young, and perhaps not portable to all operating systems. It is known to compile and run on:

  • FreeBSD 4.x (you can find net/dnstop in the Ports Collection)
  • OpenBSD 3.0
  • NetBSD 1.5 (you can find net/dnstop in the Packages Collection)
  • Linux 2.2.x kernel

Please send compilation problems and other bugs to wessels at


dnstop has the following command line options:

-aAnonymize IP addresses
-bcustomize BPF filter parameters
-iignore a source IP address
-pdont put interface in promiscuous mode
-scollect second-level domain stats

dnstop has the following display commands while running:

Ssource address table
Ddestination address table
Tquery type table
1TLD table
2SLD table
^RReset counters

dnstop was originally presented in a talk at NANOG 26 (Oct 2002), "Toward Lowering the Load on DNS Root Nameservers".

Related Objects

See to explore related objects to this document in the CAIDA Resource Catalog.
Last Modified