diff --git a/dns-trace b/dns-trace
index a72c4b8..94d36e2 100755
Binary files a/dns-trace and b/dns-trace differ
diff --git a/src/dns-trace.c b/src/dns-trace.c
index 8be044b..53199c3 100644
--- a/src/dns-trace.c
+++ b/src/dns-trace.c
@@ -239,40 +239,29 @@ int handle_event(void *ctx, void *data, size_t data_sz){
 }
 if (s_event->req_type == REQ_ANSWER){
 int pos = 0;
- for(int i = 0; i < 32; i++)
- printf("%d ", s_event->buf[i]);
- printf("\n");
+ //for(int i = 0; i < 32; i++)
+ // printf("%d ", s_event->buf[i]);
+ //printf("\n");
 for (int i = 0; i < s_event->numAns; i++){
 print_query(s_event);
 uint16_t type2 = (s_event->buf[pos++]) + (s_event->buf[pos++] << 8);
 uint16_t class2 = (s_event->buf[pos++]) + (s_event->buf[pos++] << 8);
 uint32_t ttl2 = (s_event->buf[pos++]) + (s_event->buf[pos++] << 8) + (s_event->buf[pos++] << 16) + (s_event->buf[pos++] << 24);
 uint16_t size2 = (s_event->buf[pos++]) + (s_event->buf[pos++] << 8);
- /*uint16_t type2 = (s_event->buf[0]) + (s_event->buf[1] << 8);
- uint16_t class2 = (s_event->buf[2]) + (s_event->buf[3] << 8);
- //uint32_t ttl2 = (s_event->buf[7]) + (s_event->buf[6] << 8) + (s_event->buf[5] << 16) + (s_event->buf[4] << 24);
- uint32_t ttl2 = (s_event->buf[4]) + (s_event->buf[5] << 8) + (s_event->buf[6] << 16) + (s_event->buf[7] << 24);
- uint16_t size2 = (s_event->buf[8]) + (s_event->buf[9] << 8);*/
 type2 = ntohs(type2);
 class2 = ntohs(class2);
 ttl2 = ntohl(ttl2);
 size2 = ntohs(size2);
 if (type2 == 1) {// -> A
 uint32_t ip = s_event->buf[pos++] + (s_event->buf[pos++] << 8) + (s_event->buf[pos++] << 16) + (s_event->buf[pos++] << 24);
- //uint32_t ip = s_event->buf[10] + (s_event->buf[11] << 8) + (s_event->buf[12] << 16) + (s_event->buf[13] << 24);
- //printf("%d %d %d", s_event->ttl, ntohs(ttl2), ntohs(size2));
 printf("%s (%d)%5d", inet_ntoa(*(struct in_addr*)&ip), type2, ttl2);
 }
 if (type2 == 28){ // -> AAAA
 }
 printf("\n");
- //pos += 2;
 printf("%d\n", pos);
 }
- /*for (int i = 0; i < s_event->numAns; i++)
- printf("%s ", inet_ntoa(*(struct in_addr*)&s_event->ans[i]));
- printf("%5d", s_event->ttl);*/
 }
 printf("\n");
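Review bot: Each record header in the loop is assembled with several `pos++` inside one expression, e.g. `(s_event->buf[pos++]) + (s_event->buf[pos++] << 8)`, which modifies `pos` more than once between sequence points and is undefined behaviour in C, so the byte order the code appears to rely on is not guaranteed by the language. The same loop never advances `pos` past the record data for any type other than A (the AAAA branch is empty and there is no `pos += size2`), so the next iteration decodes a misaligned header, and nothing bounds `pos` or `numAns` against the size of `buf` before indexing even though both presumably come from the packet. A rewrite that reads the header through a plain index, checks the remaining space, and skips `size2` bytes unconditionally addresses all three; if `buf` is a plain `char` array the bytes should also be read as `unsigned char` so values above 0x7f do not sign-extend into the shifts. handle_event starts before this hunk.
```c
for (int i = 0; i < s_event->numAns; i++){
    print_query(s_event);
    // Fixed header is 10 bytes: type(2) class(2) ttl(4) rdlength(2); stop instead of running off buf.
    if (pos < 0 || (size_t)pos + 10 > sizeof s_event->buf) // assumes buf is an array — confirm
        break;
    const unsigned char *rec = (const unsigned char *)s_event->buf + pos;
    uint16_t type2  = (uint16_t)(rec[0] | (rec[1] << 8));
    uint16_t class2 = (uint16_t)(rec[2] | (rec[3] << 8));
    uint32_t ttl2   = (uint32_t)rec[4] | ((uint32_t)rec[5] << 8) | ((uint32_t)rec[6] << 16) | ((uint32_t)rec[7] << 24);
    uint16_t size2  = (uint16_t)(rec[8] | (rec[9] << 8));
    pos += 10;
    // … unchanged: ntohs/ntohl conversions …
    if ((size_t)pos + size2 > sizeof s_event->buf)
        break;
    if (type2 == 1) { // -> A
        uint32_t ip;
        memcpy(&ip, s_event->buf + pos, sizeof ip); // keeps wire (network) byte order on any host
        printf("%s (%d)%5d", inet_ntoa(*(struct in_addr*)&ip), type2, ttl2);
    }
    // … unchanged: AAAA branch, newline …
    pos += size2; // skip the RDATA for every type so the next header is aligned
}
```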
@@ -323,7 +312,8 @@ int main(int argc, char *argv[]){
 bpf_program__attach(programSkb);
 // int sock = open_raw_sock("wlp0s20f3");
- int sock = open_raw_sock("enx98e743c667fc");
+ //int sock = open_raw_sock("enx98e743c667fc");
+ int sock = open_raw_sock("lo");
 printf("Socket: %d\n", sock);
 int prog_fd = bpf_program__fd(programSkb);
 printf("Program fd: %d\n", prog_fd);
diff --git a/src/dns-trace.ebpf.c b/src/dns-trace.ebpf.c
index 5297f24..55821cc 100644
--- a/src/dns-trace.ebpf.c
+++ b/src/dns-trace.ebpf.c
@@ -39,7 +39,7 @@ struct {
 static size_t get_labels2(struct __sk_buff *skb, size_t offset, struct event *s_event){
 char c;
 int qname_len = 0;
- bpf_printk("labels off: %d", offset);
+ //bpf_printk("labels off: %d", offset);
 bpf_skb_load_bytes(skb, offset, &c, 1); // Get the first byte, which is the length
 int pos = 1;
 while (c != '\0') {
@@ -125,9 +125,8 @@ static unsigned int get_answer(struct __sk_buff *skb, struct event *s_event, siz
 // Get the 2 first bytes to identify if it's a message compression or not
 if(bpf_skb_load_bytes(skb, tlen, &buf, 2) < 0)
 return 0;
- // bpf_printk("tlen: %d", tlen);
- bpf_printk("Start at offset ans: %d", offset);
 tlen += 2; // For the message compression
+
 /*
 * According to the RFC 1035 (https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.4)
 * In the section 4.1.4, message compression, the first two bits are set at 11 (0xc),
@@ -147,7 +146,7 @@ static unsigned int get_answer(struct __sk_buff *skb, struct event *s_event, siz
 // Get the class and type
 if ((void*)(offset) >= MAX_UDP_PAYLOAD - sizeof(uint16_t))
 return 0;
- // bpf_printk("offset: %d", offset);
+
 bpf_skb_load_bytes(skb, tlen, s_event->buf + offset, sizeof(uint16_t));
 uint16_t type = s_event->buf[0] + (s_event->buf[1] << 8);
 tlen += 2;
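Review bot: The interface name is still hard-coded (now `"lo"`, with the previous `enx...` line kept as a comment above it), and the result of `open_raw_sock` is only printed, never checked, before the program presumably attaches to it further down. Take the interface from the command line with a default and fail early: `const char *ifname = argc > 1 ? argv[1] : "lo";`, `int sock = open_raw_sock(ifname);`, `if (sock < 0) { fprintf(stderr, "open_raw_sock(%s) failed\n", ifname); return 1; }`. Commenting out the old line instead of deleting it leaves dead code behind, as do the commented-out debug prints in handle_event and get_labels2 in this same commit; version control keeps the history, so drop them. main starts before and continues after this hunk.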
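Review bot: `c` is declared uninitialised and the return of `bpf_skb_load_bytes(skb, offset, &c, 1)` just below the changed line is ignored, so when the load fails (offset past the end of the packet) the following `while (c != '\0')` runs on an indeterminate value. Check it the way get_answer checks its loads: `if (bpf_skb_load_bytes(skb, offset, &c, 1) < 0) return 0;`. The rest of get_labels2, including the loop body, is outside the hunk.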
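Review bot: The two bytes are loaded to `s_event->buf + offset`, but `type` is then decoded from `s_event->buf[0]` and `s_event->buf[1]`, so for every answer after the first (offset > 0) the type read belongs to the first record, unless offset is always 0 at this point. Index with the same offset the load used, `uint16_t type = s_event->buf[offset] + (s_event->buf[offset + 1] << 8);`, which the preceding bound check already keeps inside MAX_UDP_PAYLOAD. This `bpf_skb_load_bytes` is also not checked against `< 0` the way the ttl load in the next hunk is, so a truncated packet leaves whatever was in `buf` to be decoded as the type. get_answer starts before and continues after this hunk.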
@@ -161,7 +160,6 @@ static unsigned int get_answer(struct __sk_buff *skb, struct event *s_event, siz
 tlen += 2;
 if ((void*)(offset += 2) >= MAX_UDP_PAYLOAD - sizeof(uint16_t))
 return 0;
- //offset += 2;
 // Get ttl
 if(bpf_skb_load_bytes(skb, tlen, s_event->buf + offset, sizeof(uint32_t)) < 0)
@@ -169,7 +167,6 @@ static unsigned int get_answer(struct __sk_buff *skb, struct event *s_event, siz
 if ((void*)(offset += 4) >= MAX_UDP_PAYLOAD - sizeof(uint32_t))
 return 0;
 tlen += 4;
- //offset += 4;
 // Get data size
 uint16_t size;
@@ -183,23 +180,14 @@ static unsigned int get_answer(struct __sk_buff *skb, struct event *s_event, siz
 if (s_event->type == 1) { // -> A
 bpf_skb_load_bytes(skb, tlen, s_event->buf + offset, sizeof(uint32_t));
 }
- //offset += ntohs(size);
 if ((void*)(offset += ntohs(size)) >= MAX_UDP_PAYLOAD - sizeof(uint16_t))
 return 0;
 tlen += ntohs(size);
-
- //tlen += 2;
- //offset += 2; // For the 2 first bytes (message compression)
- //if ((void*)(offset += ntohs(size)) >= MAX_UDP_PAYLOAD - ntohs(size))
- // return 0;
- //if ((void*)(offset += 2) >= MAX_UDP_PAYLOAD - sizeof(uint16_t))
- // return 0;
 } else {
 // get_labels2(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) + sizeof(struct dnshdr), s_event);
 }
- //bpf_printk("tlen: %d", tlen);
- bpf_printk("End offset ans: %d", offset);
+ bpf_printk("End offset: %d", offset);
 return offset;
 }
@@ -345,7 +333,7 @@ static void dnsanswer(struct __sk_buff *skb, struct iphdr ip, struct udphdr udp,
 unsigned int offset_ans = 0;
 for (uint16_t i = 0; i < ans; i++){
 offset_ans += get_answer(skb, s_event, offset, offset_ans);
- offset += offset_ans + 2;
+ offset += offset_ans + 2; // +2 for the message compression
 //offset_ans += offset_ans;
 // For eBPF verifier, to be sure we leave the loop
 if (i == ans || i == 5 || offset_ans >= 512)
diff --git a/src/dns-trace.ebpf.o b/src/dns-trace.ebpf.o
index fcfd45a..e86850e 100644
Binary files a/src/dns-trace.ebpf.o and b/src/dns-trace.ebpf.o differ
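Review bot: `bpf_printk("End offset: %d", offset)` survives the debug clean-up and, sitting at the end of get_answer, appears to fire once per answer record for every DNS packet the program sees, which lands in the shared trace pipe and costs a helper call on the hot path; drop it or gate it behind a compile-time debug macro. The A-record load just above, `bpf_skb_load_bytes(skb, tlen, s_event->buf + offset, sizeof(uint32_t));`, is a load in this function whose result is not checked, so a truncated packet leaves stale bytes in `buf` that userspace prints as an address; `if (bpf_skb_load_bytes(skb, tlen, s_event->buf + offset, sizeof(uint32_t)) < 0) return 0;` matches the ttl load. get_answer starts before this hunk.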
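Review bot: `offset_ans += get_answer(skb, s_event, offset, offset_ans);` looks like it double-counts: in the hunk above, get_answer takes the running buffer offset as its last argument, advances it, and `return offset;` hands back the new absolute position, so adding that to the previous `offset_ans` overshoots, and `offset += offset_ans + 2` then moves the packet cursor by an absolute buffer position rather than by one record's length. If that reading is right, keep the absolute value and advance the packet offset by the delta: `unsigned int prev = offset_ans;`, `offset_ans = get_answer(skb, s_event, offset, offset_ans);`, `if (offset_ans <= prev) break; offset += (offset_ans - prev) + 2;` — get_answer returns 0 on failure, which the `<= prev` test also catches. The `i == ans` test in the exit condition is unreachable inside a `for (i < ans)` loop and can go; the `i == 5` cap is still needed for the verifier. dnsanswer starts before and continues after this hunk.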