gbucchino/dns-trace
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update

Browse Source
This commit is contained in:
geoffrey 2025-02-02 18:31:52 +01:00
parent aa64b8f160
commit adbff3257a
5 changed files with 17703 additions and 52759 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
dns-trace
View File

Binary file not shown.

BIN
jvetter.pcap Normal file
View File

Binary file not shown.

74
src/dns-trace.c
View File

@ -214,13 +214,13 @@ static char *mapType(const int type){
static void print_query(struct event *s_event){ static void print_query(struct event *s_event){
char *req_type, *class, *type; char *req_type, *class, *type;
printf("%s:%-10d", inet_ntoa(*(struct in_addr*)&s_event->client), s_event->dport);
printf("%-5x", s_event->tid);
req_type = mapReqType(s_event->req_type); req_type = mapReqType(s_event->req_type);
printf("%-10s", req_type); printf("%s ", req_type);
free(req_type); free(req_type);
printf("%5s:%d\t", inet_ntoa(*(struct in_addr*)&s_event->client), s_event->dport);
printf("%-5x", s_event->tid);
printf("%-30s", s_event->qname); printf("%-30s", s_event->qname);
class = mapClass(s_event->class); class = mapClass(s_event->class);
@ -230,7 +230,6 @@ static void print_query(struct event *s_event){
type = mapType(s_event->type); type = mapType(s_event->type);
printf("%-5s", type); printf("%-5s", type);
free(type); free(type);
} }
static void get_labels(unsigned char *buf, char *qname){ static void get_labels(unsigned char *buf, char *qname){
int pos = 0; int pos = 0;
@ -245,6 +244,40 @@ static void get_labels(unsigned char *buf, char *qname){
} }
qname[pos - 1] = '\0'; qname[pos - 1] = '\0';
} }
static void print_answer_hdr(struct event *s_event, int *pos, uint16_t *type, uint16_t *size, uint32_t *ttl){
int p = *pos;
uint16_t msg = s_event->buf[p++];
msg |= s_event->buf[p++] << 8;
char *req_type;
req_type = mapReqType(s_event->req_type);
printf("%s ", req_type);
free(req_type);
printf("%5s:%5d\t", inet_ntoa(*(struct in_addr*)&s_event->client), s_event->dport);
printf("%-10x", s_event->tid);
*type = s_event->buf[p++];
*type |= s_event->buf[p++] << 8;
uint16_t class = s_event->buf[p++];
class |= s_event->buf[p++] << 8;
*ttl = s_event->buf[p++];
*ttl |= s_event->buf[p++] << 8;
*ttl |= s_event->buf[p++] << 16;
*ttl |= s_event->buf[p++] << 24;
*size = s_event->buf[p++];
*size |= s_event->buf[p++] << 8;
*type = ntohs(*type);
class = ntohs(class);
*ttl = ntohl(*ttl);
*size = ntohs(*size);
*pos = p;
}
int handle_event(void *ctx, void *data, size_t data_sz){ int handle_event(void *ctx, void *data, size_t data_sz){
struct event *s_event = (struct event*)data; struct event *s_event = (struct event*)data;
if (s_event->req_type == REQ_QUERY){ if (s_event->req_type == REQ_QUERY){
@ -252,31 +285,12 @@ int handle_event(void *ctx, void *data, size_t data_sz){
} }
if (s_event->req_type == REQ_ANSWER){ if (s_event->req_type == REQ_ANSWER){
int pos = 0; int pos = 0;
/*for (int i = 0; i < 50; i++)
printf("%d ", s_event->buf[i]);
printf("\n");*/
for (int i = 0; i < s_event->numAns; i++){ for (int i = 0; i < s_event->numAns; i++){
print_query(s_event); // print_query(s_event);
uint16_t type, size;
uint32_t ttl;
print_answer_hdr(s_event, &pos, &type, &size, &ttl);
uint16_t msg = s_event->buf[pos++];
msg |= s_event->buf[pos++] << 8;
uint16_t type = s_event->buf[pos++];
type |= s_event->buf[pos++] << 8;
uint16_t class = s_event->buf[pos++];
class |= s_event->buf[pos++] << 8;
uint32_t ttl = s_event->buf[pos++];
ttl |= s_event->buf[pos++] << 8;
ttl |= s_event->buf[pos++] << 16;
ttl |= s_event->buf[pos++] << 24;
uint16_t size = s_event->buf[pos++];
size |= s_event->buf[pos++] << 8;
type = ntohs(type);
class = ntohs(class);
ttl = ntohl(ttl);
size = ntohs(size);
if (type == 1) { // -> A if (type == 1) { // -> A
uint32_t ip = s_event->buf[pos] + (s_event->buf[pos+1] << 8) + (s_event->buf[pos+2] << 16) + (s_event->buf[pos+3] << 24); uint32_t ip = s_event->buf[pos] + (s_event->buf[pos+1] << 8) + (s_event->buf[pos+2] << 16) + (s_event->buf[pos+3] << 24);
printf("%s (%d)%5d", inet_ntoa(*(struct in_addr*)&ip), type, ttl); printf("%s (%d)%5d", inet_ntoa(*(struct in_addr*)&ip), type, ttl);
@ -351,9 +365,9 @@ int main(int argc, char *argv[]){
} }
bpf_program__attach(programSkb); bpf_program__attach(programSkb);
// int sock = open_raw_sock("wlp0s20f3"); int sock = open_raw_sock("wlp0s20f3");
//int sock = open_raw_sock("enx98e743c667fc"); //int sock = open_raw_sock("enx98e743c667fc");
int sock = open_raw_sock("lo"); //int sock = open_raw_sock("lo");
printf("Socket: %d\n", sock); printf("Socket: %d\n", sock);
int prog_fd = bpf_program__fd(programSkb); int prog_fd = bpf_program__fd(programSkb);
printf("Program fd: %d\n", prog_fd); printf("Program fd: %d\n", prog_fd);

BIN
src/dns-trace.ebpf.o
View File

Binary file not shown.

70388
src/vmlinux.h
View File

File diff suppressed because it is too large Load Diff