1[ 2 { 3 "table_name": "result-0", 4 "query": "select qname as CertainQnames, qtype as Qtype, count(1) as count from dns where (qname='localhost' or qname like '%.root-servers.net') and qr==0 group by CertainQnames,Qtype order by count desc;", 5 "head": [ 6 { "name": "CertainQnames","type": "text" }, 7 { "name": "Qtype","type": "int" }, 8 { "name": "count","type": "int" } 9 ], 10 "data": [ 11 ] 12 } 13] 14[ 15 { 16 "table_name": "result-0", 17 "query": "select qtype as Qtype, qname as Qname, count(1) as count from dns where qclass==3 and qr==0 group by Qtype,Qname order by count desc;", 18 "head": [ 19 { "name": "Qtype","type": "int" }, 20 { "name": "Qname","type": "text" }, 21 { "name": "count","type": "int" } 22 ], 23 "data": [ 24 ] 25 } 26] 27[ 28 { 29 "table_name": "result-0", 30 "query": "select rcode as Rcode, if(qr==1,dst_addr,src_addr) as ClientAddr, count(1) as count from dns where qr==1 group by Rcode,ClientAddr order by count,Rcode,ClientAddr desc limit 50;", 31 "head": [ 32 { "name": "Rcode","type": "int" }, 33 { "name": "ClientAddr","type": "text" }, 34 { "name": "count","type": "int" } 35 ], 36 "data": [ 37 [3,"172.18.24.52",1], 38 [0,"172.18.24.52",3] 39 ] 40 } 41] 42[ 43 { 44 "table_name": "result-0", 45 "query": "select 'ALL' as All, if(ether_type==34525,rsplit(src_addr,7,':')||':'||rsplit(src_addr,6,':')||':'||rsplit(src_addr,5,':')||':'||rsplit(src_addr,4,':')||':'||rsplit(src_addr,3,':')||'::',rsplit(src_addr,3)||'.'||rsplit(src_addr,2)||'.'||rsplit(src_addr,1)||'.0') as ClientSubnet, count(1) as count from dns where qr==0 group by All,ClientSubnet order by count,ClientSubnet desc limit 200;", 46 "head": [ 47 { "name": "All","type": "text" }, 48 { "name": "ClientSubnet","type": "text" }, 49 { "name": "count","type": "int" } 50 ], 51 "data": [ 52 ["ALL","172.18.24.0",4] 53 ] 54 } 55] 56[ 57 { 58 "table_name": "result-0", 59 "query": "select if(rsplit(qname,1)='de','ok','non-auth-tld') as Class, if(ether_type==34525,rsplit(src_addr,7,':')||':'||rsplit(src_addr,6,':')||':'||rsplit(src_addr,5,':')||':'||rsplit(src_addr,4,':')||':'||rsplit(src_addr,3,':')||'::',rsplit(src_addr,3)||'.'||rsplit(src_addr,2)||'.'||rsplit(src_addr,1)||'.0') as ClientSubnet, count(1) as count from dns where qr==0 group by Class,ClientSubnet order by count,ClientSubnet,Class desc limit 200;", 60 "head": [ 61 { "name": "Class","type": "text" }, 62 { "name": "ClientSubnet","type": "text" }, 63 { "name": "count","type": "int" } 64 ], 65 "data": [ 66 ["non-auth-tld","172.18.24.0",4] 67 ] 68 } 69] 70[ 71 { 72 "table_name": "result-0", 73 "query": "select if(qr==1,'sent','recv') as Direction, if(protocol==6,'tcp',if(protocol==17,'udp',if(protocol==1,'icmp',if(protocol==58,'ipv6-icmp',protocol)))) as IPProto, count(1) as count from dns group by Direction,IPProto order by count,Direction,IPProto desc;", 74 "head": [ 75 { "name": "Direction","type": "text" }, 76 { "name": "IPProto","type": "text" }, 77 { "name": "count","type": "int" } 78 ], 79 "data": [ 80 ["recv","udp",4], 81 ["sent","udp",4] 82 ] 83 } 84] 85[ 86 { 87 "table_name": "result-0", 88 "query": "select if(ether_type==34525,'IPv6','IPv4') as IPVersion, qtype as Qtype, count(1) as count from dns where qr==0 group by IPVersion,Qtype order by count,IPVersion,Qtype desc;", 89 "head": [ 90 { "name": "IPVersion","type": "text" }, 91 { "name": "Qtype","type": "int" }, 92 { "name": "count","type": "int" } 93 ], 94 "data": [ 95 ["IPv4",12,2], 96 ["IPv4",1,2] 97 ] 98 } 99] 100[ 101 { 102 "table_name": "result-0", 103 "query": "select 'ALL' as All, do, edns0, edns_version, extended_rcode, z, if(do==1,'set','clr') as D0, count(1) as count from dns where qr==0 group by All,do,D0,edns0,edns_version,extended_rcode,z order by count desc;", 104 "head": [ 105 { "name": "All","type": "text" }, 106 { "name": "do","type": "bool" }, 107 { "name": "edns0","type": "bool" }, 108 { "name": "edns_version","type": "int" }, 109 { "name": "extended_rcode","type": "int" }, 110 { "name": "z","type": "int" }, 111 { "name": "D0","type": "text" }, 112 { "name": "count","type": "int" } 113 ], 114 "data": [ 115 ["ALL",0,0,0,0,0,"clr",4] 116 ] 117 } 118] 119[ 120 { 121 "table_name": "result-0", 122 "query": "select 'ALL' as All, if(edns0,edns_version,'none') as EDNSVersion, count(1) as count from dns where qr==0 group by All,EDNSVersion order by count desc;", 123 "head": [ 124 { "name": "All","type": "text" }, 125 { "name": "EDNSVersion","type": "text" }, 126 { "name": "count","type": "int" } 127 ], 128 "data": [ 129 ["ALL","none",4] 130 ] 131 } 132] 133[ 134 { 135 "table_name": "result-0", 136 "query": "select 'ALL' as All, if(qname like 'xn--%','idn','normal') as IDNQname, count(1) as count from dns where qr==0 group by All,IDNQname order by count desc;", 137 "head": [ 138 { "name": "All","type": "text" }, 139 { "name": "IDNQname","type": "text" }, 140 { "name": "count","type": "int" } 141 ], 142 "data": [ 143 ["ALL","normal",4] 144 ] 145 } 146] 147[ 148 { 149 "table_name": "result-0", 150 "query": "select 'ALL' as All, lower(rsplit(qname,1)) as TLD, count(1) as count from dns where qr==0 and (qname like 'xn--%') group by All,TLD order by count,TLD desc;", 151 "head": [ 152 { "name": "All","type": "text" }, 153 { "name": "TLD","type": "text" }, 154 { "name": "count","type": "int" } 155 ], 156 "data": [ 157 ] 158 } 159] 160[ 161 { 162 "table_name": "result-0", 163 "query": "select 'ALL' as All, if(qr==1,dst_addr,src_addr) as ClientAddr, count(1) as count from dns where qr==0 and (qtype=28 or qtype=38) and (qname like '%.root-servers.net') group by All,ClientAddr order by count desc limit 50;", 164 "head": [ 165 { "name": "All","type": "text" }, 166 { "name": "ClientAddr","type": "text" }, 167 { "name": "count","type": "int" } 168 ], 169 "data": [ 170 ] 171 } 172] 173[ 174 { 175 "table_name": "result-0", 176 "query": "select 'ALL' as All, opcode as Opcode, count(1) as count from dns where qr==0 group by All,Opcode order by count,Opcode desc;", 177 "head": [ 178 { "name": "All","type": "text" }, 179 { "name": "Opcode","type": "int" }, 180 { "name": "count","type": "int" } 181 ], 182 "data": [ 183 ["ALL",0,4] 184 ] 185 } 186] 187[ 188 { 189 "table_name": "result-0", 190 "query": "select 'ALL' as All, qtype as Qtype, count(1) as count from dns where qr==0 group by All,Qtype order by count,Qtype desc;", 191 "head": [ 192 { "name": "All","type": "text" }, 193 { "name": "Qtype","type": "int" }, 194 { "name": "count","type": "int" } 195 ], 196 "data": [ 197 ["ALL",12,2], 198 ["ALL",1,2] 199 ] 200 } 201] 202[ 203 { 204 "table_name": "result-0", 205 "query": "select qtype as Qtype, len(qname) as QnameLen, count(1) as count from dns where qr==0 group by Qtype,QnameLen order by count,QnameLen,Qtype desc;", 206 "head": [ 207 { "name": "Qtype","type": "int" }, 208 { "name": "QnameLen","type": "int" }, 209 { "name": "count","type": "int" } 210 ], 211 "data": [ 212 [1,7,1], 213 [1,13,1], 214 [12,25,1], 215 [12,27,1] 216 ] 217 } 218] 219[ 220 { 221 "table_name": "result-0", 222 "query": "select qtype as Qtype, lower(rsplit(qname,1)) as TLD, count(1) as count from dns where qr==0 and (qtype=1 or qtype=2 or qtype=5 or qtype=6 or qtype=12 or qtype=15 or qtype=28 or qtype=38 or qtype=255) group by Qtype,TLD order by count,TLD,Qtype desc limit 200;", 223 "head": [ 224 { "name": "Qtype","type": "int" }, 225 { "name": "TLD","type": "text" }, 226 { "name": "count","type": "int" } 227 ], 228 "data": [ 229 [1,"org",1], 230 [1,"se",1], 231 [12,"arpa",2] 232 ] 233 } 234] 235[ 236 { 237 "table_name": "result-0", 238 "query": "select 'ALL' as All, rcode as Rcode, count(1) as count from dns where qr==1 group by All,Rcode order by count,Rcode desc;", 239 "head": [ 240 { "name": "All","type": "text" }, 241 { "name": "Rcode","type": "int" }, 242 { "name": "count","type": "int" } 243 ], 244 "data": [ 245 ["ALL",3,1], 246 ["ALL",0,3] 247 ] 248 } 249] 250[ 251 { 252 "table_name": "result-0", 253 "query": "select rcode as Rcode, msg_size as ReplyLen, count(1) as count from dns where qr==1 group by Rcode,ReplyLen order by count,Rcode,ReplyLen desc;", 254 "head": [ 255 { "name": "Rcode","type": "int" }, 256 { "name": "ReplyLen","type": "int" }, 257 { "name": "count","type": "int" } 258 ], 259 "data": [ 260 [0,96,1], 261 [0,78,1], 262 [0,40,1], 263 [3,119,1] 264 ] 265 } 266] 267[ 268 { 269 "table_name": "result-0", 270 "query": "select 'ALL' as All, rd as RD, count(1) as count from dns where qr==0 group by All,RD order by count desc;", 271 "head": [ 272 { "name": "All","type": "text" }, 273 { "name": "RD","type": "bool" }, 274 { "name": "count","type": "int" } 275 ], 276 "data": [ 277 ["ALL",1,4] 278 ] 279 } 280] 281[ 282 { 283 "table_name": "result-0", 284 "query": "select if(protocol==6,'tcp',if(protocol==17,'udp',protocol)) as Transport, qtype as Qtype, count(1) as count from dns where qr==0 group by Transport,Qtype order by Transport,Qtype,count desc;", 285 "head": [ 286 { "name": "Transport","type": "text" }, 287 { "name": "Qtype","type": "int" }, 288 { "name": "count","type": "int" } 289 ], 290 "data": [ 291 ["udp",1,2], 292 ["udp",12,2] 293 ] 294 } 295] 296[ 297 { 298 "table_name": "result-0", 299 "query": "select s, dst_addr as Dst_addr, qtype as questiontype, lower(src_addr) as lower_src, if(1 and s < 1 or s <= 1 or s > 1 or s >= 1, 't', 'f'), trim(trim('foofoo' || rsplit(src_addr, 1) || 'foofoo', 'foo'), 'bar'), count(*), len(src_addr), sum(msg_size + -1 - 2 % 4 << 3 >> 2 | 3 & ~4) + 1, min(msg_size), max(msg_size), truncate(1.1) as integer, 1.1 as float, sum(src_port + 1.0 - 2.0 / 1.5 * -2.5) + 1.0, max(src_port + 1.0), min(src_port + 1.0), avg(src_port), stdev(src_port), name('rcode', 0) from dns where src_addr like '%' and (qr or not qr) group by src_addr, s having s >= 0 order by s, dst_addr, lower_src, integer, float;", 300 "head": [ 301 { "name": "s","type": "int" }, 302 { "name": "Dst_addr","type": "text" }, 303 { "name": "questiontype","type": "int" }, 304 { "name": "lower_src","type": "text" }, 305 { "name": "if((1and((((s<1)or(s<=1))or(s>1))or(s>=1))),t,f)","type": "text" }, 306 { "name": "trim(trim(((foofoo||rsplit(src_addr,1))||foofoo),foo),bar)","type": "text" }, 307 { "name": "count(1)","type": "int" }, 308 { "name": "len(src_addr)","type": "int" }, 309 { "name": "(sum((msg_size+-((((((1-(2%4))<<3)>>2)|3)&~(4)))))+1)","type": "int" }, 310 { "name": "min(msg_size)","type": "int" }, 311 { "name": "max(msg_size)","type": "int" }, 312 { "name": "integer","type": "int" }, 313 { "name": "float","type": "float" }, 314 { "name": "(sum(((src_port+1.0)-((2.0/1.5)*-(2.5))))+1.0)","type": "float" }, 315 { "name": "max((src_port+1.0))","type": "float" }, 316 { "name": "min((src_port+1.0))","type": "float" }, 317 { "name": "avg(src_port)","type": "float" }, 318 { "name": "stdev(src_port)","type": "float" }, 319 { "name": "name(rcode,0)","type": "text" } 320 ], 321 "data": [ 322 [1297433016,"172.18.24.52",12,"212.247.204.2","t","204",1,13,125,119,119,1,1.1,58.3333,54,54,53,0,"NoError"], 323 [1297433016,"212.247.204.2",12,"172.18.24.52","t","24",1,12,48,42,42,1,1.1,52271.3,52267,52267,52266,0,"NoError"], 324 [1297433026,"212.247.204.2",1,"172.18.24.52","t","24",1,12,36,30,30,1,1.1,54066.3,54062,54062,54061,0,"NoError"], 325 [1297433027,"172.18.24.52",1,"212.247.204.2","t","204",1,13,84,78,78,1,1.1,58.3333,54,54,53,0,"NoError"], 326 [1297433030,"172.18.24.52",1,"212.247.204.2","t","204",1,13,46,40,40,1,1.1,58.3333,54,54,53,0,"NoError"], 327 [1297433030,"212.247.204.2",1,"172.18.24.52","t","24",1,12,30,24,24,1,1.1,59489.3,59485,59485,59484,0,"NoError"], 328 [1297433038,"212.247.204.2",12,"172.18.24.52","t","24",1,12,50,44,44,1,1.1,49372.3,49368,49368,49367,0,"NoError"], 329 [1297433039,"172.18.24.52",12,"212.247.204.2","t","204",1,13,102,96,96,1,1.1,58.3333,54,54,53,0,"NoError"] 330 ] 331 } 332] 333[ 334 { 335 "table_name": "result-0", 336 "query": "select name( 'qtype' , qtype ) as qt, count(*) as count from dns group by qtype order by count, qt desc;", 337 "head": [ 338 { "name": "qt","type": "text" }, 339 { "name": "count","type": "int" } 340 ], 341 "data": [ 342 ["PTR",4], 343 ["A",4] 344 ] 345 } 346] 347[ 348 { 349 "table_name": "result-0", 350 "query": "select * from icmp;", 351 "head": [ 352 { "name": "id","type": "int" }, 353 { "name": "s","type": "int" }, 354 { "name": "us","type": "int" }, 355 { "name": "ether_type","type": "int" }, 356 { "name": "src_port","type": "int" }, 357 { "name": "dst_port","type": "int" }, 358 { "name": "src_addr","type": "text" }, 359 { "name": "dst_addr","type": "text" }, 360 { "name": "protocol","type": "int" }, 361 { "name": "ip_ttl","type": "int" }, 362 { "name": "ip_version","type": "int" }, 363 { "name": "fragments","type": "int" }, 364 { "name": "type","type": "int" }, 365 { "name": "code","type": "int" }, 366 { "name": "echo_identifier","type": "int" }, 367 { "name": "echo_sequence","type": "int" }, 368 { "name": "du_protocol","type": "int" }, 369 { "name": "du_src_addr","type": "text" }, 370 { "name": "du_dst_addr","type": "text" }, 371 { "name": "desc","type": "text" } 372 ], 373 "data": [ 374 ] 375 } 376] 377[ 378 { 379 "table_name": "result-0", 380 "query": "select count(*) from icmp;", 381 "head": [ 382 { "name": "count(1)","type": "int" } 383 ], 384 "data": [ 385 ] 386 } 387] 388