description:

mod_urstate is an ncaptool DNS message parsing plugin that attempts to detect
unsolicited DNS responses that may be indicative of cache poisoning attempts.
It does this by statefully tracking the application-layer state of the DNS
transactions between recursive and authoritative DNS servers. It gracefully
handles query retransmissions due to client timeouts and byte-identical
responses from DNS authorities.

installation instructions:

Install dependencies:

  - bind9 configured with --enable-libbind. On FreeBSD, the easiest way to do
    this seems to be to install the dns/bind94 port, edit the port's Makefile
    to add --enable-libbind to the CONFIGURE_ARGS variable, and compile and
    install the port with the "REPLACE_BASE" option selected. On Debian,
    install the libbind-dev package.
  - ncaptool: libpcap (FreeBSD: net/libpcap, Debian: libpcap0.8-dev)
  - mod_urstate: libJudy (FreeBSD: devel/judy, Debian: libjudy-dev)

Fetch the software:

  ftp://ftp.isc.org/isc/ncap/ncaptool-1.0.0.tar.gz
  ftp://ftp.isc.org/isc/ncap/mod_urstate-1.1.0.tar.gz

Extract, build, and make install ncaptool. You may have to customize the
ncaptool Makefile for your system. (On Debian, run `make -f Makefile.debian`
instead.)

Extract, build, and make install mod_urstate.

usage:

Example invocation, monitoring recursive traffic, storing data in /home/ncap
and sniffing on interface eth0 promiscuously:

  OUT="/home/ncap/urstate"
  MODULE="-D/usr/local/lib/ncaptool/mod_urstate.so,-o $OUT -L 1048576"
  ncaptool -t 3600 -k gzip -i eth0+ "$MODULE" dns

This will output ncap format files to /home/ncap prefixed with "urstate" and
suffixed with a timestamp. Every hour the file will be rotated and gzip will
be invoked on the rotated file. A hard limit of 1048576 entries in the
transaction cache will be enforced.

To inspect a compressed ncap file, run something like this:

  zcat $FILE | ncaptool -n - -vmg -
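The following is an added illustration of the stateful tracking approach described above, written for this page in Python; it is not mod_urstate's or ncaptool's code, and the DnsMsg/Txn types, the key layout and the sample messages are constructed assumptions. It keys each transaction on (resolver endpoint, authority endpoint, message ID, qname, qtype), treats a repeated identical question as a retransmission rather than a new transaction, accepts a byte-identical repeat of an already-seen answer as benign, flags any response with no outstanding question (or a second, differing answer to the same question) as unsolicited, and enforces a hard cap on cache entries in the spirit of the -L option.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DnsMsg:
    """Constructed, simplified view of one DNS message (hypothetical type)."""
    src: str            # "ip:port" of the sender
    dst: str            # "ip:port" of the receiver
    txid: int           # 16-bit DNS message ID
    qname: str
    qtype: str
    is_response: bool
    wire: bytes         # raw message bytes; constructed for the example


@dataclass
class Txn:
    retransmits: int = 0
    answer: Optional[bytes] = None   # first response accepted for this query


Key = Tuple[str, str, int, str, str]


class TransactionTracker:
    """Tracks resolver -> authority transactions and classifies each message."""

    def __init__(self, limit: int):
        self.limit = limit
        self.txns: "OrderedDict[Key, Txn]" = OrderedDict()
        self.evictions = 0

    @staticmethod
    def _key(m: DnsMsg) -> Key:
        # A response travels authority -> resolver, so swap the endpoints to
        # recover the key the original query was stored under.
        resolver, authority = (m.dst, m.src) if m.is_response else (m.src, m.dst)
        return (resolver, authority, m.txid, m.qname.lower(), m.qtype)

    def _remember(self, key: Key, txn: Txn) -> None:
        self.txns[key] = txn
        self.txns.move_to_end(key)
        # Hard cap on cache entries: evict the least recently touched transaction.
        while len(self.txns) > self.limit:
            self.txns.popitem(last=False)
            self.evictions += 1

    def observe(self, m: DnsMsg) -> str:
        key = self._key(m)
        txn = self.txns.get(key)
        if not m.is_response:
            if txn is None:
                self._remember(key, Txn())
                return "query"
            # The client timed out and resent the same question: same transaction.
            txn.retransmits += 1
            self.txns.move_to_end(key)
            return "retransmit"
        if txn is None:
            # No outstanding question matches this answer.
            return "unsolicited"
        if txn.answer is None:
            txn.answer = m.wire
            self.txns.move_to_end(key)
            return "response"
        if txn.answer == m.wire:
            # The authority repeated itself byte for byte (e.g. it also answered
            # the retransmit): benign, not a new answer.
            return "duplicate_response"
        # Same ID and question but different content: a conflicting second answer.
        return "unsolicited"


RESOLVER = "192.0.2.53:40000"      # constructed resolver endpoint
AUTH = "198.51.100.1:53"           # constructed authority endpoint


def run_sample() -> List[str]:
    """Feed a constructed exchange through the tracker; return the labels."""
    q = DnsMsg(RESOLVER, AUTH, 0x1234, "www.example.com", "A", False, b"Q1")
    good = DnsMsg(AUTH, RESOLVER, 0x1234, "www.example.com", "A", True, b"R1")
    stray = DnsMsg(AUTH, RESOLVER, 0x1235, "www.example.com", "A", True, b"R9")
    conflict = DnsMsg(AUTH, RESOLVER, 0x1234, "www.example.com", "A", True, b"R2")
    t = TransactionTracker(limit=1048576)
    return [t.observe(m) for m in (q, q, good, good, stray, conflict)]


def eviction_demo(limit: int = 2, queries: int = 3) -> Tuple[int, int]:
    """Open more transactions than the cap allows; return (entries, evictions)."""
    t = TransactionTracker(limit=limit)
    for i in range(queries):
        t.observe(DnsMsg(RESOLVER, AUTH, i, f"h{i}.example.com", "A", False, b""))
    return len(t.txns), t.evictions


if __name__ == "__main__":
    print(run_sample())
    print(eviction_demo())
```

The two "unsolicited" verdicts in the sample differ in cause: the first response arrives for an ID the resolver never sent, the second carries a different answer for a question that has already been answered. A real deployment would also need to expire answered transactions after a timeout, which this sketch leaves to the cap-based eviction.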