High‑performance DNS traffic analysis tools written in Go for parsing PCAP files and identifying high‑latency DNS queries.
Many network engineers and DevOps teams face complaints about slow DNS resolutions. Investigating large packet capture (PCAP) files with tools like Wireshark or tcpdump can be time‑intensive.
dnsgo‑traffic‑analysis provides command‑line utilities that process PCAPs, detect slow DNS queries or unusual traffic patterns, extract relevant packet subsets, and help accelerate diagnostics and root‑cause analysis.
This Go‑based toolkit is inspired by the Python version dns‑traffic‑analysis but optimized for larger captures, speed, and scalability.
Key capabilities:
- Read large PCAP files (1 GB+ scale) efficiently
- Identify DNS servers, clients, query counts, and traffic distribution
- Detect DNS queries with latency above a configurable threshold
- Extract packet subsets and produce summary reports
- CLI‑friendly with profiling support (CPU/memory) for performance tuning
- ⚙️ Multi-tool suite:
  - `traffic-analyzer`: scans PCAPs for slow DNS queries
  - `packet-reader`: prints detailed DNS packet fields
  - `packet-splitter`: extracts packets for a given DNS query ID
  - `find-dns-servers`: identifies DNS servers, clients, and recursive servers
  - `ad-keytabs`: reads Active Directory keytab files for realm, key type (supported encryption type), and KVNO
- 🚀 High performance: optimized for multi-core environments and large PCAPs
- 🔍 Profiling support: built-in `pprof` flags to analyze CPU/memory use
- 🧰 Minimal external dependencies (uses Go's ecosystem and `gopacket`)
- 📊 Generates summary output files: slow query logs, traffic reports
```
dnsgo-traffic-analysis/
├── ad-keytabs/          # Go module to read Active Directory keytabs
├── find-dns-servers/    # Go module to find DNS servers and clients
├── packet-reader/       # Go module to parse and print DNS packets
├── packet-splitter/     # Go module to extract a PCAP subset by query ID
├── traffic-analyzer/    # Go module to detect slow DNS queries in a PCAP
├── go.mod
├── go.sum
└── README.md            # This file
```
- Go version 1.22+
- PCAP capture file(s) containing DNS traffic (e.g., captured via `tcpdump` or Wireshark)
- Optionally: large memory and SSD storage for high-volume processing
```bash
git clone https://github.com/mragusa/dnsgo-traffic-analysis.git
cd dnsgo-traffic-analysis
go mod tidy
```

To build each tool individually:

```bash
cd traffic-analyzer
go build -o traffic-analyzer traffic-analyzer.go
```

Similarly for ad-keytabs, packet-reader, packet-splitter, and find-dns-servers.
```bash
./traffic-analyzer -file path/to/traffic.pcap -source 10.249.12.135 -time 0.5
```

Flags overview:
- `-file string`: Traffic capture file (PCAP)
- `-source string`: DNS server IP address (optional)
- `-time float`: Latency threshold in seconds, defaults to 0.5
- `-output string`: Path for slow-queries output (default: `slow_queries.txt`)
- `-report string`: Path for query traffic count summary (default: `query_traffic_count.txt`)
- `-cpuprofile string`, `-memprofile string`: Profiling output
- `-verbose`: Enable verbose logging
Example output:

| Metric | Value |
|---|---|
| File Name | traffic.pcap |
| Total Packets | 5013134 |
| Queries Received | 1045666 |
| Query Responses | 755193 |
| Slow Queries | 451213 |
| ... | ... |
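The pairing step behind the slow-query detection, as an added stdlib-only example (not the project's own code, which reads packets through gopacket): each response is matched to the outstanding query with the same client, server and DNS transaction ID, and pairs whose latency exceeds the `-time` threshold are reported. The `DNSPacket` type and the `SampleCapture` data are constructed for this example.

```go
package main

import "time"

// DNSPacket is a constructed, minimal view of one captured DNS packet.
type DNSPacket struct {
	Src, Dst string // IP addresses as captured
	ID       uint16 // DNS transaction ID
	Response bool   // QR bit: false for a query, true for a response
	TS       time.Time
}

// SlowQuery is a query/response pair whose latency exceeded the threshold.
type SlowQuery struct{ Client, Server string; ID uint16; Latency time.Duration }

// FindSlow pairs each response with the pending query sharing its (client,
// server, ID) key; keying on both endpoints matters because 16-bit IDs repeat
// across clients. Packets must be in capture order; unmatched responses and
// unanswered queries are dropped.
func FindSlow(pkts []DNSPacket, threshold time.Duration) []SlowQuery {
	type key struct{ client, server string; id uint16 }
	pending := map[key]time.Time{}
	var slow []SlowQuery
	for _, p := range pkts {
		if !p.Response { // query: the source is the client
			pending[key{p.Src, p.Dst, p.ID}] = p.TS
			continue
		}
		k := key{p.Dst, p.Src, p.ID} // response: the destination is the client
		if sent, ok := pending[k]; ok {
			delete(pending, k)
			if lat := p.TS.Sub(sent); lat > threshold {
				slow = append(slow, SlowQuery{k.client, k.server, k.id, lat})
			}
		}
	}
	return slow
}

// SampleCapture is constructed data: two clients reuse ID 0x1234 against one
// server; the first answer arrives after 20 ms, the second after 2 s.
func SampleCapture() []DNSPacket {
	t0 := time.Unix(0, 0)
	return []DNSPacket{
		{"10.0.0.5", "10.0.0.53", 0x1234, false, t0},
		{"10.0.0.53", "10.0.0.5", 0x1234, true, t0.Add(20 * time.Millisecond)},
		{"10.0.0.6", "10.0.0.53", 0x1234, false, t0.Add(time.Second)},
		{"10.0.0.53", "10.0.0.6", 0x1234, true, t0.Add(3 * time.Second)},
	}
}
```

With the default 0.5 s threshold only the exchange from 10.0.0.6 is reported; matching on ID alone would have paired the first response with either client.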
```bash
./packet-reader -file path/to/traffic.pcap
```

Prints detailed DNS packet fields: source/destination IPs & ports, DNS ID, flags, question/answer counts, packet timestamps.

```bash
./packet-splitter -file traffic.pcap -qid 13451 -output 13451.pcap
```

Extracts all packets matching DNS query ID 13451 into a separate PCAP file for further inspection.

```bash
./find-dns-servers -file traffic.pcap -dns -clients -recursive -report
```

Identifies DNS servers, clients, and recursive servers based on PCAP traffic.

```bash
./ad-keytabs -keytab /path/to/file
```

Flags overview:
- `-aes-only`: Show only AES enctypes (17, 18)
- `-json`: Print raw JSON from `kt.JSON()` and exit
- `-keytab`: Path to keytab file (required)
- `-principle`: Filter to a specific principal, e.g. `DNS/ns.example.com@EXAMPLE.COM`
- For massive PCAP files (> 1 GB), ensure you run on a system with sufficient RAM and fast I/O.
- Use the `-time` flag to adjust for realistic DNS latency thresholds (e.g., 1 s for WAN environments).
- Use profiling flags (`-cpuprofile`, `-memprofile`) to optimize performance or debug memory use.
- After exporting slow-query results, analyze them by query name, client, or timestamp to find recurring offenders.
- Securely handle PCAPs—they may contain sensitive network data.
Contributions are encouraged! Whether you want to enhance packet analysis, add filtering options, or optimize performance — you’re welcome to help improve the toolset.
To contribute:
- Fork the repository
- Create a feature branch (`git checkout -b feature/my-tool`)
- Commit your improvements and tests
- Submit a Pull Request
Follow Go best practices (gofmt, golint, go vet) and update documentation for new features.
This project is licensed under the BSD‑2‑Clause License.
- Go (golang) — programming language used for this project
- gopacket — PCAP parsing library used
- tcpdump — for capturing PCAP files
- Wireshark — for detailed packet and DNS inspection
If you encounter bugs or have feature ideas, please open an issue.
For extended use or enterprise integration, feel free to reach out.
Maintained by Mike Ragusa