gbucchino/dns-trace
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update

Browse Source
This commit is contained in:
geoffrey 2025-01-20 09:02:18 +01:00
parent 9712681972
commit 157577613a
2 changed files with 20 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
src/dns-trace.ebpf.c
View File

@ -216,7 +216,7 @@ static int dnsanswer(struct __sk_buff *skb, struct ethhdr eth, struct iphdr ip,
uint16_t tid = 0; uint16_t tid = 0;
//struct dns_answer s_dnsanswer; //struct dns_answer s_dnsanswer;
//struct query_section s_query = {0}; //struct query_section s_query = {0};
unsigned char buf[256] = {0}; unsigned char buf[256] = {0}; // Max dns domain name length
uint32_t offset = sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr); uint32_t offset = sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr);
__be16 udplen; __be16 udplen;
// uint32_t offset2 = sizeof(struct ethhdr) + sizeof(struct iphdr); // uint32_t offset2 = sizeof(struct ethhdr) + sizeof(struct iphdr);
@ -232,10 +232,14 @@ static int dnsanswer(struct __sk_buff *skb, struct ethhdr eth, struct iphdr ip,
/* Get DNS header */ /* Get DNS header */
//bpf_skb_load_bytes(skb, offset, &dns, sizeof(struct dnshdr)); //bpf_skb_load_bytes(skb, offset, &dns, sizeof(struct dnshdr));
if (udplen <= 0 || udplen > 256 || udplen < sizeof(struct dnshdr)) if (udplen < 0)
return 0;
if (udplen > 256 || udplen < sizeof(struct dnshdr))
udplen = sizeof(struct dnshdr); udplen = sizeof(struct dnshdr);
//return 0; //return 0;
//if (udplen == offset || udplen < offset) //if (udplen == offset || udplen < offset)
// udplen = sizeof(struct dnshdr); // udplen = sizeof(struct dnshdr);
@ -245,6 +249,7 @@ static int dnsanswer(struct __sk_buff *skb, struct ethhdr eth, struct iphdr ip,
//if (udplen > offset) // Works //if (udplen > offset) // Works
// return 0; // return 0;
if (udplen >= offset && udplen <= skb->len){ if (udplen >= offset && udplen <= skb->len){
} }
bpf_printk("ok"); bpf_printk("ok");
if (udplen < offset) if (udplen < offset)
@ -252,6 +257,10 @@ static int dnsanswer(struct __sk_buff *skb, struct ethhdr eth, struct iphdr ip,
udplen = sizeof(struct dnshdr); udplen = sizeof(struct dnshdr);
//return 0; //return 0;
if (udplen > offset)
udplen = sizeof(struct dnshdr);
//__u32 plen = bpf_ntohs(udp.len) - 8; //__u32 plen = bpf_ntohs(udp.len) - 8;
uint32_t plen = udplen & 0xff; uint32_t plen = udplen & 0xff;
bpf_printk("ok"); bpf_printk("ok");
@ -264,12 +273,12 @@ static int dnsanswer(struct __sk_buff *skb, struct ethhdr eth, struct iphdr ip,
bpf_printk("%d %d %d", offset, udplen, udplen - 8); bpf_printk("%d %d %d", offset, udplen, udplen - 8);
// bpf_printk("%d", offset + ntohs(udp.len) - 8); // -> we have 99 // bpf_printk("%d", offset + ntohs(udp.len) - 8); // -> we have 99
if (offset + ntohs(udp.len) > skb->len) { if (offset + udplen > skb->len) {
bpf_printk("outbound"); bpf_printk("outbound");
//return 0; //return 0;
plen = sizeof(struct dnshdr); plen = sizeof(struct dnshdr);
} }
// plen = 57;
if(bpf_skb_load_bytes(skb, offset, &buf, plen) < 0){ if(bpf_skb_load_bytes(skb, offset, &buf, plen) < 0){
bpf_printk("failed"); bpf_printk("failed");
// bpf_ringbuf_discard(s_event, 0); // bpf_ringbuf_discard(s_event, 0);
@ -333,11 +342,16 @@ static int dnsanswer(struct __sk_buff *skb, struct ethhdr eth, struct iphdr ip,
return 0; return 0;
} }
/*
* skb -> http://oldvger.kernel.org/~davem/skb_data.html
*/
SEC("socket") SEC("socket")
int detect_dns(struct __sk_buff *skb) { int detect_dns(struct __sk_buff *skb) {
//void *data = (void *)(long)skb->data; //void *data = (void *)(long)skb->data;
//void *data_end = (void *)(long)skb->data_end; //void *data_end = (void *)(long)skb->data_end;
//struct ethhdr *eth = data; //struct ethhdr *eth2 = data;
struct ethhdr eth = {0}; struct ethhdr eth = {0};
struct iphdr ip = {0}; struct iphdr ip = {0};
struct udphdr udp = {0}; struct udphdr udp = {0};
@ -347,6 +361,7 @@ int detect_dns(struct __sk_buff *skb) {
//if (data + sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) > data_end) //if (data + sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) > data_end)
// return 0; // return 0;
if (skb->len < sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr)) if (skb->len < sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr))
return 0; return 0;

BIN
src/dns-trace.ebpf.o
View File

Binary file not shown.