Update project
This commit is contained in:
parent
eeb15e8f7b
commit
9a67b4f32c
BIN
cname.pcap
Normal file
BIN
cname.pcap
Normal file
BIN
dns-trace
BIN
dns-trace
@ -30,12 +30,14 @@ struct event {
|
||||
char qname[QNAME_SIZE];
|
||||
uint16_t class;
|
||||
uint16_t type;
|
||||
uint32_t ans;
|
||||
uint32_t ans[5];
|
||||
uint16_t numAns;
|
||||
uint32_t ttl;
|
||||
};
|
||||
|
||||
struct query_section{
|
||||
char qname[QNAME_SIZE];
|
||||
size_t qname_len;
|
||||
uint16_t class;
|
||||
uint16_t type;
|
||||
};
|
||||
|
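Review bot: The array length in `uint32_t ans[5];` is a bare literal that the answer loop elsewhere in this commit repeats as `i == 5`, and the user-space printer that walks `ans` up to `numAns` has no name to clamp against. A shared constant in this header, e.g. `#define MAX_ANS 5` (name constructed) with `uint32_t ans[MAX_ANS];`, keeps the producer's loop bound, the consumer's clamp and the array size from drifting apart. A comment on `ans` should also state that each slot holds exactly 4 bytes of rdata, which presumably only fits A records, so AAAA or CNAME answers would be truncated; confirm against get_answer. `numAns` deserves a one-line note that it is the count of valid slots in `ans` and is never allowed to exceed the array length.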
@ -217,16 +217,17 @@ int handle_event(void *ctx, void *data, size_t data_sz){
|
||||
printf("%-30s", s_event->qname);
|
||||
|
||||
class = mapClass(s_event->class);
|
||||
printf("%-10s", class);
|
||||
printf("%-5s", class);
|
||||
free(class);
|
||||
|
||||
type = mapType(s_event->type);
|
||||
printf("%-10s", type);
|
||||
printf("%-5s", type);
|
||||
free(type);
|
||||
|
||||
if (s_event->req_type == REQ_ANSWER){
|
||||
printf("%-15s", inet_ntoa(*(struct in_addr*)&s_event->ans));
|
||||
printf("%-5d", s_event->ttl);
|
||||
for (int i = 0; i < s_event->numAns; i++)
|
||||
printf("%s ", inet_ntoa(*(struct in_addr*)&s_event->ans[i]));
|
||||
printf("%5d", s_event->ttl);
|
||||
}
|
||||
|
||||
|
||||
|
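Review bot: The new loop `for (int i = 0; i < s_event->numAns; i++)` trusts `numAns` straight from the ring-buffer record, and nothing in the hunk bounds it to the five slots `ans` holds, so a record carrying a larger count makes `inet_ntoa(*(struct in_addr*)&s_event->ans[i])` read past the array. Clamp on the consumer side regardless of what the producer promises: `for (int i = 0; i < s_event->numAns && i < 5; i++)` (or `i < sizeof s_event->ans / sizeof s_event->ans[0]`). `printf("%5d", s_event->ttl)` also passes a `uint32_t` to `%d`; `%5u` matches the type. If `data_sz` is not compared with `sizeof *s_event` earlier in handle_event, that check belongs there as well; the function starts and ends outside the hunk.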
@ -55,6 +55,7 @@ static size_t get_labels2(struct __sk_buff *skb, size_t offset, struct event *s_
|
||||
}
|
||||
s_event->qname[qname_len - 1] = '\0';
|
||||
qname_len++;
|
||||
// dquery->qname_len = qname_len;
|
||||
// bpf_printk("qname: %s", s_event->qname);
|
||||
// bpf_printk("qname len: %d", qname_len);
|
||||
return qname_len;
|
||||
@ -117,7 +118,7 @@ static size_t get_query_section(struct __sk_buff *skb, struct event *s_event, ui
|
||||
|
||||
return len;
|
||||
}
|
||||
static size_t get_answer(struct __sk_buff *skb, struct event *s_event, size_t tlen){
|
||||
static size_t get_answer(struct __sk_buff *skb, struct event *s_event, size_t tlen, int index){
|
||||
size_t len = 0;
|
||||
unsigned char buf[25] = {0}; // Need to be unsigned, otherwise, the result is fffff
|
||||
|
||||
@ -148,30 +149,37 @@ static size_t get_answer(struct __sk_buff *skb, struct event *s_event, size_t tl
|
||||
// Get the class and type
|
||||
uint16_t type, class;
|
||||
uint32_t ttl;
|
||||
bpf_printk("offset: %d", tlen);
|
||||
// bpf_printk("offset: %d", tlen);
|
||||
bpf_skb_load_bytes(skb, tlen, &type, sizeof(uint16_t));
|
||||
bpf_printk("type: %d", ntohs(type));
|
||||
tlen += 2;
|
||||
bpf_printk("offset: %d", tlen);
|
||||
// bpf_printk("offset: %d", tlen);
|
||||
bpf_skb_load_bytes(skb, tlen, &class, sizeof(uint16_t));
|
||||
tlen += 4;
|
||||
bpf_printk("offset: %d", tlen);
|
||||
bpf_printk("class %d", ntohs(class));
|
||||
// bpf_printk("offset: %d", tlen);
|
||||
// Get ttl
|
||||
bpf_skb_load_bytes(skb, tlen, &ttl, sizeof(uint32_t));
|
||||
tlen += 2;
|
||||
bpf_printk("offset: %d", tlen);
|
||||
// bpf_printk("offset: %d", tlen);
|
||||
s_event->ttl = ntohs(ttl);
|
||||
|
||||
// Get data size
|
||||
uint16_t size;
|
||||
bpf_skb_load_bytes(skb, tlen, &size, sizeof(uint16_t));
|
||||
bpf_printk("size: %d", ntohs(size));
|
||||
// bpf_printk("size: %d", ntohs(size));
|
||||
tlen += 2;
|
||||
|
||||
// if class is A, we push to an ipv4 map
|
||||
|
||||
// if class is AAAA, we push to an ipv6 map
|
||||
|
||||
// if class is SOa, we push to an soa map
|
||||
|
||||
// etc...
|
||||
|
||||
uint32_t data;
|
||||
bpf_skb_load_bytes(skb, tlen, &data, sizeof(uint32_t));
|
||||
s_event->ans = data;
|
||||
s_event->ans[index] = data;
|
||||
|
||||
}
|
||||
else {
|
||||
// get_labels2(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) + sizeof(struct dnshdr), s_event);
|
||||
@ -307,7 +315,7 @@ static void dnsanswer(struct __sk_buff *skb, struct iphdr ip, struct udphdr udp,
|
||||
|
||||
/* Get answer section */
|
||||
uint16_t ans = ntohs(dns.nbAnswerRRs);
|
||||
if (ans < 0){
|
||||
if (ans <= 0){
|
||||
bpf_ringbuf_discard(s_event, 0);
|
||||
return;
|
||||
}
|
||||
@ -315,15 +323,18 @@ static void dnsanswer(struct __sk_buff *skb, struct iphdr ip, struct udphdr udp,
|
||||
if (ntohs(dns.nbAnswerRRs) > 0){
|
||||
/*
|
||||
* We get a least the 5 last answer
|
||||
* In the RFC 1035 (https://datatracker.ietf.org/doc/html/rfc1035#section-4.2.1) the max udp payload is 512 bytes
|
||||
* In the RFC 1035 (https://datatracker.ietf.org/doc/html/rfc1035#section-2.3.4) the max udp payload is 512 bytes
|
||||
* The program limit te size of the answer
|
||||
*/
|
||||
offset += sizeof(struct dnshdr) + query_len; // For the pos in the answer section in the skb
|
||||
for (uint16_t i = 0; i < ans; i++){
|
||||
get_answer(skb, s_event, offset);
|
||||
uint16_t i;
|
||||
for (i = 0; i < ans; i++){
|
||||
get_answer(skb, s_event, offset, i);
|
||||
// For eBPF verifier, to be sure we leave the loop
|
||||
if (i == ans || i == 5)
|
||||
break;
|
||||
}
|
||||
s_event->numAns = i;
|
||||
}
|
||||
if (ntohs(dns.nbAuthorityRRs) > 0){
|
||||
|
||||
|
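Review bot: The bound check in the new loop comes after the call, so when `ans` exceeds 5 the sixth iteration calls `get_answer(skb, s_event, offset, 5)` before `i == 5` breaks, and get_answer's new `s_event->ans[index] = data;` (hunk at -148) then writes one past the five-element array. `i == ans` can never hold inside a loop guarded by `i < ans`, so the whole condition belongs in the loop header: `for (i = 0; i < ans && i < 5; i++) get_answer(skb, s_event, offset, i);`, which also gives the eBPF verifier a constant upper bound on `index`. `offset` is never advanced between iterations and get_answer's return value is discarded, so unless get_answer moves the offset through a path not shown, every slot of `ans` is filled from the same first record. dnsanswer's body continues outside the hunk.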
193018
src/vmlinux.h
193018
src/vmlinux.h