#!/usr/bin/perl
use strict;
use warnings;

#----------------------------------------------------
# dnsmap.pl - DNS Request -> Response Mapper
# Created: 02MAY10
# Programmer: dn1nj4 at shadowserver dot org
# Purpose: Takes an ASCII text output line from:
#	tcpdump -r <pcap_file> -nn -vvv udp and port 53 | egrep " A "
#	and provides a listing for the requested domain
#	and any IP addresses.
# Usage: perl dnsmap.pl <input_line>
#----------------------------------------------------
# REV:
#----------------------------------------------------
#
#----------------------------------------------------
# GLOBALS
#----------------------------------------------------

#----------------------------------------------------
# SUBS
#----------------------------------------------------

#----------------------------------------------------
# MAIN
#----------------------------------------------------
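# Take the single tcpdump output line from the command line and print
#	the requested domain together with every answer address on it.
my $line = shift;
# No argument: print an empty mapping instead of warning on undef.
$line = "" unless defined $line;

my ($req, @ips) = _parse_dns_line($line);

print "Domain: $req\t\tResponse: " . join(",", @ips) . "\n";

#----------------------------------------------------
# _parse_dns_line($text)
#	Scans one tcpdump line word by word.  The requested
#	domain is the word that follows "A?" ("" when absent);
#	each word that follows a bare "A" is an answer address,
#	with any "," stripped.  Returns ($req, @ips) with the
#	addresses de-duplicated and sorted so the output is
#	stable across runs (hash key order is randomized).
#	NOTE(review): the word after "A" is taken verbatim and
#	not checked to be an address; confirm against tcpdump's
#	output format if this feeds anything downstream.
#----------------------------------------------------
sub _parse_dns_line {
	my ($text) = @_;

	my $req  = "";
	my %seen = ();

	# Split on runs of whitespace; leading/trailing whitespace
	#	yields no empty words.
	my @words = split " ", $text;

	for my $i (0 .. $#words) {
		my $word = $words[$i];

		# A trailing "A?" or "A" has nothing after it; skip it
		#	rather than operate on undef.
		my $next = $i < $#words ? $words[$i + 1] : undef;

		if ($word eq "A?") {
			$req = $next if defined $next;
		}
		elsif ($word eq "A") {
			next unless defined $next;

			# IPs sometimes have "," after them.  Strip it out.
			(my $ip = $next) =~ s/,//g;

			# Record that this IP was a response for the domain.
			$seen{$ip} = 1;
		}
	}

	return ($req, sort keys %seen);
}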
