update

2025-01-30 10:19:38 +00:00 · 2025-01-30 10:19:38 +00:00 · edda1c6860
commit edda1c6860
parent 0a910af5bb
5 changed files with 52732 additions and 17645 deletions
--- a/BIN
+++ b/BIN
--- a/src/dns-trace.c
+++ b/src/dns-trace.c
@ -248,11 +248,18 @@ int handle_event(void *ctx, void *data, size_t data_sz){
            uint16_t class2 = (s_event->buf[pos++]) + (s_event->buf[pos++] << 8);
            uint32_t ttl2 = (s_event->buf[pos++]) + (s_event->buf[pos++] << 8) + (s_event->buf[pos++] << 16) + (s_event->buf[pos++] << 24);
            uint16_t size2 = (s_event->buf[pos++]) + (s_event->buf[pos++] << 8);
+            /*uint16_t type2 = (s_event->buf[0]) + (s_event->buf[1] << 8);
+            uint16_t class2 = (s_event->buf[2]) + (s_event->buf[3] << 8);
+            //uint32_t ttl2 = (s_event->buf[7]) + (s_event->buf[6] << 8) + (s_event->buf[5] << 16) + (s_event->buf[4] << 24);
+            uint32_t ttl2 = (s_event->buf[4]) + (s_event->buf[5] << 8) + (s_event->buf[6] << 16) + (s_event->buf[7] << 24);
+            uint16_t size2 = (s_event->buf[8]) + (s_event->buf[9] << 8);*/
            type2 = ntohs(type2);
            class2 = ntohs(class2);
-            ttl2 = ntohs(ttl2);
+	    ttl2 = ntohl(ttl2);
+	    size2 = ntohs(size2);
            if (type2 == 1) {// -> A
                uint32_t ip = s_event->buf[pos++] + (s_event->buf[pos++] << 8) + (s_event->buf[pos++] << 16) + (s_event->buf[pos++] << 24);
+                //uint32_t ip = s_event->buf[10] + (s_event->buf[11] << 8) + (s_event->buf[12] << 16) + (s_event->buf[13] << 24);
                //printf("%d %d %d", s_event->ttl, ntohs(ttl2), ntohs(size2)); 
                printf("%s (%d)%5d", inet_ntoa(*(struct in_addr*)&ip), type2, ttl2);
            }
@ -260,7 +267,7 @@ int handle_event(void *ctx, void *data, size_t data_sz){

            }
            printf("\n");
-            pos += 2;
+            //pos += 2;
            printf("%d\n", pos);
        }
        /*for (int i = 0; i < s_event->numAns; i++)
--- a/src/dns-trace.ebpf.c
+++ b/src/dns-trace.ebpf.c
@ -125,8 +125,9 @@ static unsigned int get_answer(struct __sk_buff *skb, struct event *s_event, siz
    // Get the 2 first bytes to identify if it's a message compression or not
    if(bpf_skb_load_bytes(skb, tlen, &buf, 2) < 0)
        return 0;
-    bpf_printk("tlen: %d", tlen);
-    tlen += 4; // For the message compression
+    // bpf_printk("tlen: %d", tlen);
+    bpf_printk("Start at offset ans: %d", offset);
+    tlen += 2; // For the message compression
    /*
     * According to the RFC 1035 (https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.4)
     * In the section 4.1.4, message compression, the first two bits are set at 11 (0xc),
@ -146,24 +147,29 @@ static unsigned int get_answer(struct __sk_buff *skb, struct event *s_event, siz
        // Get the class and type
        if ((void*)(offset) >= MAX_UDP_PAYLOAD - sizeof(uint16_t))
            return 0;
-        bpf_printk("offset: %d", offset);
+        // bpf_printk("offset: %d", offset);
        bpf_skb_load_bytes(skb, tlen, s_event->buf + offset, sizeof(uint16_t));
        uint16_t type = s_event->buf[0] + (s_event->buf[1] << 8);
        tlen += 2;
-        offset += 2;
-
        if ((void*)(offset += 2) >= MAX_UDP_PAYLOAD - sizeof(uint16_t))
            return 0;
+        //offset += 2;
+
+	// For class
        if(bpf_skb_load_bytes(skb, tlen, s_event->buf + offset, sizeof(uint16_t)) < 0)
            return 0;
        tlen += 2;
+        if ((void*)(offset += 2) >= MAX_UDP_PAYLOAD - sizeof(uint16_t))
+            return 0;
+	//offset += 2;

        // Get ttl
        if(bpf_skb_load_bytes(skb, tlen, s_event->buf + offset, sizeof(uint32_t)) < 0)
            return 0;
        if ((void*)(offset += 4) >= MAX_UDP_PAYLOAD - sizeof(uint32_t))
            return 0;
-        tlen += 2;
+        tlen += 4;
+	//offset += 4;

        // Get data size
        uint16_t size;
@ -178,6 +184,8 @@ static unsigned int get_answer(struct __sk_buff *skb, struct event *s_event, siz
            bpf_skb_load_bytes(skb, tlen, s_event->buf + offset, sizeof(uint32_t)); 
        }
        //offset += ntohs(size);
+        if ((void*)(offset += ntohs(size)) >= MAX_UDP_PAYLOAD - sizeof(uint16_t))
+            return 0;
        tlen += ntohs(size);

        //tlen += 2;
@ -190,7 +198,8 @@ static unsigned int get_answer(struct __sk_buff *skb, struct event *s_event, siz
    else {
        // get_labels2(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) + sizeof(struct dnshdr), s_event);
    }
-    bpf_printk("tlen: %d", tlen);
+    //bpf_printk("tlen: %d", tlen);
+    bpf_printk("End offset ans: %d", offset);
    return offset;
 }
 /*
@ -335,8 +344,9 @@ static void dnsanswer(struct __sk_buff *skb, struct iphdr ip, struct udphdr udp,
        offset += sizeof(struct dnshdr) + query_len; // For the pos in the answer section in the skb
        unsigned int offset_ans = 0;
        for (uint16_t i = 0; i < ans; i++){
-            offset_ans = get_answer(skb, s_event, offset, offset_ans);
-            offset += offset_ans;
+            offset_ans += get_answer(skb, s_event, offset, offset_ans);
+	    offset += offset_ans + 2;
+            //offset_ans += offset_ans;
            // For eBPF verifier, to be sure we leave the loop
            if (i == ans || i == 5 || offset_ans >= 512)
                break;
--- a/src/dns-trace.ebpf.o
+++ b/src/dns-trace.ebpf.o
--- a/src/vmlinux.h
+++ b/src/vmlinux.h