Monitor Outbound DNS (Website) Traffic
I'd consider using Wireshark or Microsoft's Network Monitor with a capture filter of sufficient granularity to limit capture to the DNS traffic you're looking for. Once you've got the data captured you can go back and perform analysis.
I'd probably use the tshark command-line program in Wireshark to capture traffic into relatively small files, then use tshark again on another machine to dump the files and grep through them. A capture command line might be something like:
tshark -i <interface number here> -b filesize:32768 -w dns_capture udp and dst port 53 and dst host x.x.x.x
You can get your machine's interface number using tshark -D. The -b filesize:32768 argument specifies capturing into a buffer of 32,768KB (32MB) before starting a new capture file. The -w dns_capture specifies a base output filename of dns_capture (which will have an incremental count and timestamp added as each file fills). The udp and dst port 53 and dst host x.x.x.x is a tcpdump capture filter that specifies that only udp packets with destination port 53 and a destination address of x.x.x.x (where you should substitute the DNS server's IP address) will be captured.
Once you've got the files you could use any number of PCAP file analysis tools. Personally, I'd just use tshark with the -r argument to read files and dump them out as human-readable text using the -T text argument. Then I'd just grep the output. (I'd do this mainly because I have all the tools ready to go. There are lots of other ways you could do it, too.)