Feature request: CIDR aggregation

[johnhtodd]

It would be spectacularly useful to have CIDR aggregation for v4 and v6 prefixes so that instead of huge lists of individual /32 or /128's, the IP view would show aggregated counts based on the given CIDR prefix length(s).

I would probably pass out with joy if a real-time BGP feed or indirect feed (aka: https://www.team-cymru.com/ip-asn-mapping) could be used as well or in addition with even more sophisticated filtering, but I recognize that I should stop while I'm ahead with just the CIDR aggregation request since this project is pretty dusty in the first place and chances are low that this will be done unless I put some funds towards development.

[wessels]

You can give branch https://github.com/measurement-factory/dnstop/tree/cidr-aggregation a try. See new -C and -D options.

[johnhtodd]

Thanks!

1. The in-line help on the app doesn't yet show the new commands ("./dnstop -h")

2. I'm not quite sure how the view looks in the output, or if I'm interpreting things incorrectly. I ran "./dnstop en5 -C 24" and this is the output on the "source" view:

[snip]
Sources Count % cum%

---

192.168.1.39 15 93.8 93.8
192.168.1.50 1 6.2 100.0

I was expecting this to look something like:

192.168.1.0/24 16 100 100

Switching to "D"estination view has roughly the same output, even though the two destination addresses are in the same /24 but different /32's.

[wessels]

Sounds like you might not be running the modified version? It definitely in the -h output. The Sources display won't show /nn but it should masked addresses, like this

Queries: 47 new, 3888 total         Wed Oct 19 12:12:47 2022

Sources                        Count      %   cum%
-------------------------- --------- ------ ------
173.230.152.0                    152    3.9    3.9
186.203.163.0                     94    2.4    6.3
2600:3c01::f03c:91ff:0:0          68    1.7    8.1
212.142.48.0                      51    1.3    9.4
179.55.90.0                       38    1.0   10.4
198.142.152.0                     37    1.0   11.3
45.182.72.0                       35    0.9   12.2
12.121.91.0                       22    0.6   12.8
2804:14d:810:672:189:7::          21    0.5   13.3
77.20.151.0                       17    0.4   13.8
2001:b000:180:8002:0:2::          16    0.4   14.2

./dnstop: invalid option -- 'h'
usage: dnstop [opts] netdevice|savefile
        -4      Count IPv4 packets
        -6      Count IPv6 packets
        -Q      Count queries
        -R      Count responses
        -a      Anonymize IP Addrs
        -b expr BPF program code
        -B num  Use num hash table buckets (default 100057)
        -C len  Aggregate IPv4 addresses by prefix length
        -D len  Aggregate IPv6 addresses by prefix length

[johnhtodd]

My apologies - yes, I fumbled the branch checkout suffix. Works as intended after re-compile - this is very helpful, thanks!