gbucchino/dns-trace
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update project

Browse Source
This commit is contained in:
geoffrey 2025-01-26 18:52:33 +01:00
parent eeb15e8f7b
commit 9a67b4f32c
7 changed files with 69932 additions and 123136 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
cname.pcap Normal file
View File

Binary file not shown.

BIN
dns-trace
View File

Binary file not shown.

4
src/common.h
View File

@ -30,12 +30,14 @@ struct event {
char qname[QNAME_SIZE]; char qname[QNAME_SIZE];
uint16_t class; uint16_t class;
uint16_t type; uint16_t type;
uint32_t ans; uint32_t ans[5];
uint16_t numAns;
uint32_t ttl; uint32_t ttl;
}; };
struct query_section{ struct query_section{
char qname[QNAME_SIZE]; char qname[QNAME_SIZE];
size_t qname_len;
uint16_t class; uint16_t class;
uint16_t type; uint16_t type;
}; };

9
src/dns-trace.c
View File

@ -217,16 +217,17 @@ int handle_event(void *ctx, void *data, size_t data_sz){
printf("%-30s", s_event->qname); printf("%-30s", s_event->qname);
class = mapClass(s_event->class); class = mapClass(s_event->class);
printf("%-10s", class); printf("%-5s", class);
free(class); free(class);
type = mapType(s_event->type); type = mapType(s_event->type);
printf("%-10s", type); printf("%-5s", type);
free(type); free(type);
if (s_event->req_type == REQ_ANSWER){ if (s_event->req_type == REQ_ANSWER){
printf("%-15s", inet_ntoa(*(struct in_addr*)&s_event->ans)); for (int i = 0; i < s_event->numAns; i++)
printf("%-5d", s_event->ttl); printf("%s ", inet_ntoa(*(struct in_addr*)&s_event->ans[i]));
printf("%5d", s_event->ttl);
} }

37
src/dns-trace.ebpf.c
View File

@ -55,6 +55,7 @@ static size_t get_labels2(struct __sk_buff *skb, size_t offset, struct event *s_
} }
s_event->qname[qname_len - 1] = '\0'; s_event->qname[qname_len - 1] = '\0';
qname_len++; qname_len++;
// dquery->qname_len = qname_len;
// bpf_printk("qname: %s", s_event->qname); // bpf_printk("qname: %s", s_event->qname);
// bpf_printk("qname len: %d", qname_len); // bpf_printk("qname len: %d", qname_len);
return qname_len; return qname_len;
@ -117,7 +118,7 @@ static size_t get_query_section(struct __sk_buff *skb, struct event *s_event, ui
return len; return len;
} }
static size_t get_answer(struct __sk_buff *skb, struct event *s_event, size_t tlen){ static size_t get_answer(struct __sk_buff *skb, struct event *s_event, size_t tlen, int index){
size_t len = 0; size_t len = 0;
unsigned char buf[25] = {0}; // Need to be unsigned, otherwise, the result is fffff unsigned char buf[25] = {0}; // Need to be unsigned, otherwise, the result is fffff
@ -148,30 +149,37 @@ static size_t get_answer(struct __sk_buff *skb, struct event *s_event, size_t tl
// Get the class and type // Get the class and type
uint16_t type, class; uint16_t type, class;
uint32_t ttl; uint32_t ttl;
bpf_printk("offset: %d", tlen); // bpf_printk("offset: %d", tlen);
bpf_skb_load_bytes(skb, tlen, &type, sizeof(uint16_t)); bpf_skb_load_bytes(skb, tlen, &type, sizeof(uint16_t));
bpf_printk("type: %d", ntohs(type));
tlen += 2; tlen += 2;
bpf_printk("offset: %d", tlen); // bpf_printk("offset: %d", tlen);
bpf_skb_load_bytes(skb, tlen, &class, sizeof(uint16_t)); bpf_skb_load_bytes(skb, tlen, &class, sizeof(uint16_t));
tlen += 4; tlen += 4;
bpf_printk("offset: %d", tlen); // bpf_printk("offset: %d", tlen);
bpf_printk("class %d", ntohs(class));
// Get ttl // Get ttl
bpf_skb_load_bytes(skb, tlen, &ttl, sizeof(uint32_t)); bpf_skb_load_bytes(skb, tlen, &ttl, sizeof(uint32_t));
tlen += 2; tlen += 2;
bpf_printk("offset: %d", tlen); // bpf_printk("offset: %d", tlen);
s_event->ttl = ntohs(ttl); s_event->ttl = ntohs(ttl);
// Get data size // Get data size
uint16_t size; uint16_t size;
bpf_skb_load_bytes(skb, tlen, &size, sizeof(uint16_t)); bpf_skb_load_bytes(skb, tlen, &size, sizeof(uint16_t));
bpf_printk("size: %d", ntohs(size)); // bpf_printk("size: %d", ntohs(size));
tlen += 2; tlen += 2;
// if class is A, we push to an ipv4 map
// if class is AAAA, we push to an ipv6 map
// if class is SOa, we push to an soa map
// etc...
uint32_t data; uint32_t data;
bpf_skb_load_bytes(skb, tlen, &data, sizeof(uint32_t)); bpf_skb_load_bytes(skb, tlen, &data, sizeof(uint32_t));
s_event->ans = data; s_event->ans[index] = data;
} }
else { else {
// get_labels2(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) + sizeof(struct dnshdr), s_event); // get_labels2(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) + sizeof(struct dnshdr), s_event);
@ -307,7 +315,7 @@ static void dnsanswer(struct __sk_buff *skb, struct iphdr ip, struct udphdr udp,
/* Get answer section */ /* Get answer section */
uint16_t ans = ntohs(dns.nbAnswerRRs); uint16_t ans = ntohs(dns.nbAnswerRRs);
if (ans < 0){ if (ans <= 0){
bpf_ringbuf_discard(s_event, 0); bpf_ringbuf_discard(s_event, 0);
return; return;
} }
@ -315,15 +323,18 @@ static void dnsanswer(struct __sk_buff *skb, struct iphdr ip, struct udphdr udp,
if (ntohs(dns.nbAnswerRRs) > 0){ if (ntohs(dns.nbAnswerRRs) > 0){
/* /*
* We get a least the 5 last answer * We get a least the 5 last answer
* In the RFC 1035 (https://datatracker.ietf.org/doc/html/rfc1035#section-4.2.1) the max udp payload is 512 bytes * In the RFC 1035 (https://datatracker.ietf.org/doc/html/rfc1035#section-2.3.4) the max udp payload is 512 bytes
* The program limit te size of the answer * The program limit te size of the answer
*/ */
offset += sizeof(struct dnshdr) + query_len; // For the pos in the answer section in the skb offset += sizeof(struct dnshdr) + query_len; // For the pos in the answer section in the skb
for (uint16_t i = 0; i < ans; i++){ uint16_t i;
get_answer(skb, s_event, offset); for (i = 0; i < ans; i++){
get_answer(skb, s_event, offset, i);
// For eBPF verifier, to be sure we leave the loop
if (i == ans || i == 5) if (i == ans || i == 5)
break; break;
} }
s_event->numAns = i;
} }
if (ntohs(dns.nbAuthorityRRs) > 0){ if (ntohs(dns.nbAuthorityRRs) > 0){

BIN
src/dns-trace.ebpf.o
View File

Binary file not shown.

193018
src/vmlinux.h
View File

File diff suppressed because it is too large Load Diff