"dns" plugin
This plugin has a similar functionality to dnstop: It uses libpcap to get a copy of all traffic from/to port UDP/53 (that's the DNS port), interprets the packets and collects statistics of your DNS traffic. The interface it should listen on, and whether or not packets sent by the host itself should be collected, can be set in the configuration file. The details are documented in the collectd.conf(5) manpage.
Since with this plugin collectd acts as a packet sniffer, tools like chkrootkit may start reporting collectd as a "suspicious program". Please don't be alarmed - if you load this plugin, collectd is supposed to sniff packets. Nothing is done with the sniffed data except counting various aspects of DNS traffic, as you can see below. But you don't have to take my word for it: Let the source code do the convincing ;)
The metrics collected by this plugin are:
- OpCode
  Number of packets with a specific opcode, e.g. the number of packets that contained a query.
- QType
  Number of queries for each record type. Common record types are for example A, AAAA, MX, and NS.
- RCode
  Number of response codes seen. Common response codes are for example NOERROR (query was successful) and NXDOMAIN (domain or subdomain doesn't exist).
- Octets
  Number of octets sent/received.
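To show where these four counters come from in a DNS message, here is an added example (not collectd's own code) that reads the 12-byte header and question section of raw UDP/53 payloads and tallies them. The function names and the sample messages are constructed for illustration. Counting QType on queries only and RCode on responses only, and splitting octets by the QR bit instead of sent/received, are assumptions of this sketch.

```python
import struct
from collections import Counter

OPCODES = {0: "Query", 1: "IQuery", 2: "Status", 4: "Notify", 5: "Update"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}

def skip_name(msg, off):
    """Return the offset just past the uncompressed name starting at off."""
    while off < len(msg):
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0:  # compression pointers are not expected in a question
            raise ValueError("unexpected label type")
        off += 1 + length
    raise ValueError("truncated name")

def count_dns(payloads):
    """Count OpCode, QType, RCode and octets over raw DNS messages."""
    stats = {k: Counter() for k in ("opcode", "qtype", "rcode", "octets", "malformed")}
    for msg in payloads:
        try:
            # Header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (12 bytes)
            flags, qdcount = struct.unpack_from("!HHHHHH", msg)[1:3]
            off, qtypes = 12, []
            for _ in range(qdcount):
                off = skip_name(msg, off)
                qtypes.append(struct.unpack_from("!HH", msg, off)[0])
                off += 4  # QTYPE + QCLASS
        except (ValueError, struct.error):
            stats["malformed"]["datagrams"] += 1
            continue
        kind = "responses" if flags & 0x8000 else "queries"  # QR bit
        stats["opcode"][OPCODES.get((flags >> 11) & 0xF, "other")] += 1
        stats["octets"][kind] += len(msg)
        if kind == "responses":
            stats["rcode"][RCODES.get(flags & 0xF, "other")] += 1
        else:
            stats["qtype"].update(QTYPES.get(q, f"TYPE{q}") for q in qtypes)
    return stats

def build(flags, name, qtype):  # constructed sample: header plus one question
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    head = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return head + labels + b"\x00" + struct.pack("!HH", qtype, 1)

# Constructed samples: two queries, two responses, one truncated datagram.
SAMPLES = [build(0x0100, "example.com", 1), build(0x0100, "example.com", 28),
           build(0x8180, "example.com", 1), build(0x8183, "nope.example.com", 15),
           b"\x00\x01"]
```

Calling `count_dns(SAMPLES)` returns one `Counter` per metric family; datagrams too short or with a malformed question section are counted under `malformed` rather than skewing the other counters.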
Example graphs




