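#!/usr/bin/env python
# 1250, Mon 19 Jan 15 (NZDT)
# p12_dns_server_users.py: Count users of a nameserver
#
# Reads a pcap trace, picks out UDP/IP packets that decode as DNS queries
# addressed to one 'target' nameserver, and reports how many queries each
# source address sent, busiest source first.

import ipp  # Provides ipp.from_s(); the original import line omitted it (NameError)
import pldns
import plt

fn = "pcapfile:1kp-dns-anon.pcap.gz"  # Data file name (libtrace URI)
ns = ipp.from_s("82.166.5.2/32")  # 'Target' nameserver, as a /32 prefix

n = 0  # Packets read so far
hosts = {}  # Source address (as a string) -> number of queries sent to ns

t = plt.trace(fn)
t.start()
try:
    for pkt in t:
        n += 1  # Wireshark uses 1-org packet numbers
        # To stop after the first few packets while debugging:
        # if n == 20:
        #     break

        udp = pkt.udp
        if not udp:
            continue  # Not UDP
        ip = pkt.ip
        if not ip:
            continue  # Not IP

        # NOTE(review): no port filter is applied, so every UDP payload is
        # handed to the DNS decoder.  Confirm that pldns copes with non-DNS
        # or truncated payloads, or filter on the DNS port first, so stray
        # traffic cannot abort the run or be miscounted as a query.
        ldns_obj = pldns.ldns(udp.payload)
        if ldns_obj.is_response:  # Only look at Queries
            continue

        dst = ip.dst_prefix
        # Compare as a full host address; ns was built as a /32 as well.
        dst.length = 32
        if dst != ns:
            continue  # Not a query to the target nameserver

        h = str(ip.src_prefix)
        if h in hosts:
            hosts[h] += 1  # Count it
        else:
            hosts[h] = 1  # New source host
            # NOTE(review): the original indentation was lost; this print is
            # assumed to belong to the first-sighting branch - confirm.
            print("%5d %s -> %s" % (n, ip.src_prefix, ip.dst_prefix))
finally:
    t.close()  # Release the trace even if decoding a packet raised

print("%d packets read" % n)

# Sources ordered by query count, highest first.
for h in sorted(hosts, key=hosts.get, reverse=True):
    print(" %20s %d" % (h, hosts[h]))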