gbucchino/dns-trace
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update

Browse Source
This commit is contained in:
geoffrey 2025-01-30 10:51:23 +00:00
parent edda1c6860
commit 8210e56090
4 changed files with 10 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
dns-trace
View File

Binary file not shown.

20
src/dns-trace.c
View File

@ -239,40 +239,29 @@ int handle_event(void *ctx, void *data, size_t data_sz){
}
if (s_event->req_type == REQ_ANSWER){
int pos = 0;
for(int i = 0; i < 32; i++)
printf("%d ", s_event->buf[i]);
printf("\n");
//for(int i = 0; i < 32; i++)
// printf("%d ", s_event->buf[i]);
//printf("\n");
for (int i = 0; i < s_event->numAns; i++){
print_query(s_event);
uint16_t type2 = (s_event->buf[pos++]) + (s_event->buf[pos++] << 8);
uint16_t class2 = (s_event->buf[pos++]) + (s_event->buf[pos++] << 8);
uint32_t ttl2 = (s_event->buf[pos++]) + (s_event->buf[pos++] << 8) + (s_event->buf[pos++] << 16) + (s_event->buf[pos++] << 24);
uint16_t size2 = (s_event->buf[pos++]) + (s_event->buf[pos++] << 8);
/*uint16_t type2 = (s_event->buf[0]) + (s_event->buf[1] << 8);
uint16_t class2 = (s_event->buf[2]) + (s_event->buf[3] << 8);
//uint32_t ttl2 = (s_event->buf[7]) + (s_event->buf[6] << 8) + (s_event->buf[5] << 16) + (s_event->buf[4] << 24);
uint32_t ttl2 = (s_event->buf[4]) + (s_event->buf[5] << 8) + (s_event->buf[6] << 16) + (s_event->buf[7] << 24);
uint16_t size2 = (s_event->buf[8]) + (s_event->buf[9] << 8);*/
type2 = ntohs(type2);
class2 = ntohs(class2);
ttl2 = ntohl(ttl2);
size2 = ntohs(size2);
if (type2 == 1) {// -> A
uint32_t ip = s_event->buf[pos++] + (s_event->buf[pos++] << 8) + (s_event->buf[pos++] << 16) + (s_event->buf[pos++] << 24);
//uint32_t ip = s_event->buf[10] + (s_event->buf[11] << 8) + (s_event->buf[12] << 16) + (s_event->buf[13] << 24);
//printf("%d %d %d", s_event->ttl, ntohs(ttl2), ntohs(size2));
printf("%s (%d)%5d", inet_ntoa(*(struct in_addr*)&ip), type2, ttl2);
}
if (type2 == 28){ // -> AAAA
}
printf("\n");
//pos += 2;
printf("%d\n", pos);
}
/*for (int i = 0; i < s_event->numAns; i++)
printf("%s ", inet_ntoa(*(struct in_addr*)&s_event->ans[i]));
printf("%5d", s_event->ttl);*/
}
printf("\n");
@ -323,7 +312,8 @@ int main(int argc, char *argv[]){
bpf_program__attach(programSkb);
// int sock = open_raw_sock("wlp0s20f3");
int sock = open_raw_sock("enx98e743c667fc");
//int sock = open_raw_sock("enx98e743c667fc");
int sock = open_raw_sock("lo");
printf("Socket: %d\n", sock);
int prog_fd = bpf_program__fd(programSkb);
printf("Program fd: %d\n", prog_fd);

22
src/dns-trace.ebpf.c
View File

@ -39,7 +39,7 @@ struct {
static size_t get_labels2(struct __sk_buff *skb, size_t offset, struct event *s_event){
char c;
int qname_len = 0;
bpf_printk("labels off: %d", offset);
//bpf_printk("labels off: %d", offset);
bpf_skb_load_bytes(skb, offset, &c, 1); // Get the first byte, which is the length
int pos = 1;
while (c != '\0') {
@ -125,9 +125,8 @@ static unsigned int get_answer(struct __sk_buff *skb, struct event *s_event, siz
// Get the 2 first bytes to identify if it's a message compression or not
if(bpf_skb_load_bytes(skb, tlen, &buf, 2) < 0)
return 0;
// bpf_printk("tlen: %d", tlen);
bpf_printk("Start at offset ans: %d", offset);
tlen += 2; // For the message compression
/*
* According to the RFC 1035 (https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.4)
* In the section 4.1.4, message compression, the first two bits are set at 11 (0xc),
@ -147,7 +146,7 @@ static unsigned int get_answer(struct __sk_buff *skb, struct event *s_event, siz
// Get the class and type
if ((void*)(offset) >= MAX_UDP_PAYLOAD - sizeof(uint16_t))
return 0;
// bpf_printk("offset: %d", offset);
bpf_skb_load_bytes(skb, tlen, s_event->buf + offset, sizeof(uint16_t));
uint16_t type = s_event->buf[0] + (s_event->buf[1] << 8);
tlen += 2;
@ -161,7 +160,6 @@ static unsigned int get_answer(struct __sk_buff *skb, struct event *s_event, siz
tlen += 2;
if ((void*)(offset += 2) >= MAX_UDP_PAYLOAD - sizeof(uint16_t))
return 0;
//offset += 2;
// Get ttl
if(bpf_skb_load_bytes(skb, tlen, s_event->buf + offset, sizeof(uint32_t)) < 0)
@ -169,7 +167,6 @@ static unsigned int get_answer(struct __sk_buff *skb, struct event *s_event, siz
if ((void*)(offset += 4) >= MAX_UDP_PAYLOAD - sizeof(uint32_t))
return 0;
tlen += 4;
//offset += 4;
// Get data size
uint16_t size;
@ -183,23 +180,14 @@ static unsigned int get_answer(struct __sk_buff *skb, struct event *s_event, siz
if (s_event->type == 1) { // -> A
bpf_skb_load_bytes(skb, tlen, s_event->buf + offset, sizeof(uint32_t));
}
//offset += ntohs(size);
if ((void*)(offset += ntohs(size)) >= MAX_UDP_PAYLOAD - sizeof(uint16_t))
return 0;
tlen += ntohs(size);
//tlen += 2;
//offset += 2; // For the 2 first bytes (message compression)
//if ((void*)(offset += ntohs(size)) >= MAX_UDP_PAYLOAD - ntohs(size))
// return 0;
//if ((void*)(offset += 2) >= MAX_UDP_PAYLOAD - sizeof(uint16_t))
// return 0;
}
else {
// get_labels2(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) + sizeof(struct dnshdr), s_event);
}
//bpf_printk("tlen: %d", tlen);
bpf_printk("End offset ans: %d", offset);
bpf_printk("End offset: %d", offset);
return offset;
}
/*
@ -345,7 +333,7 @@ static void dnsanswer(struct __sk_buff *skb, struct iphdr ip, struct udphdr udp,
unsigned int offset_ans = 0;
for (uint16_t i = 0; i < ans; i++){
offset_ans += get_answer(skb, s_event, offset, offset_ans);
offset += offset_ans + 2;
offset += offset_ans + 2; // +2 for the message compression
//offset_ans += offset_ans;
// For eBPF verifier, to be sure we leave the loop
if (i == ans || i == 5 || offset_ans >= 512)

BIN
src/dns-trace.ebpf.o
View File

Binary file not shown.