update
This commit is contained in:
		
							parent
							
								
									0a910af5bb
								
							
						
					
					
						commit
						edda1c6860
					
				
							
								
								
									
										
											BIN
										
									
								
								dns-trace
									
									
									
									
									
								
							
							
								
								
								
								
								
									
									
								
							
						
						
									
										
											BIN
										
									
								
								dns-trace
									
									
									
									
									
								
							
										
											Binary file not shown.
										
									
								
							| @ -248,11 +248,18 @@ int handle_event(void *ctx, void *data, size_t data_sz){ | ||||
|             uint16_t class2 = (s_event->buf[pos++]) + (s_event->buf[pos++] << 8); | ||||
|             uint32_t ttl2 = (s_event->buf[pos++]) + (s_event->buf[pos++] << 8) + (s_event->buf[pos++] << 16) + (s_event->buf[pos++] << 24); | ||||
|             uint16_t size2 = (s_event->buf[pos++]) + (s_event->buf[pos++] << 8); | ||||
|             /*uint16_t type2 = (s_event->buf[0]) + (s_event->buf[1] << 8);
 | ||||
|             uint16_t class2 = (s_event->buf[2]) + (s_event->buf[3] << 8); | ||||
|             //uint32_t ttl2 = (s_event->buf[7]) + (s_event->buf[6] << 8) + (s_event->buf[5] << 16) + (s_event->buf[4] << 24);
 | ||||
|             uint32_t ttl2 = (s_event->buf[4]) + (s_event->buf[5] << 8) + (s_event->buf[6] << 16) + (s_event->buf[7] << 24); | ||||
|             uint16_t size2 = (s_event->buf[8]) + (s_event->buf[9] << 8);*/ | ||||
|             type2 = ntohs(type2); | ||||
|             class2 = ntohs(class2); | ||||
|             ttl2 = ntohs(ttl2); | ||||
| 	    ttl2 = ntohl(ttl2); | ||||
| 	    size2 = ntohs(size2); | ||||
|             if (type2 == 1) {// -> A
 | ||||
|                 uint32_t ip = s_event->buf[pos++] + (s_event->buf[pos++] << 8) + (s_event->buf[pos++] << 16) + (s_event->buf[pos++] << 24); | ||||
|                 //uint32_t ip = s_event->buf[10] + (s_event->buf[11] << 8) + (s_event->buf[12] << 16) + (s_event->buf[13] << 24);
 | ||||
|                 //printf("%d %d %d", s_event->ttl, ntohs(ttl2), ntohs(size2)); 
 | ||||
|                 printf("%s (%d)%5d", inet_ntoa(*(struct in_addr*)&ip), type2, ttl2); | ||||
|             } | ||||
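Review bot: The field reads in this hunk modify `pos` several times inside one expression (`(s_event->buf[pos++]) + (s_event->buf[pos++] << 8)`), which is unsequenced in C and therefore undefined behaviour — the compiler may evaluate the two `pos++` in either order, so the byte order of class2/ttl2/size2 is not guaranteed, and the `ttl2 = ntohl(ttl2)` correction cannot help if the bytes were already assembled in the wrong order. None of the reads checks that `pos` plus the 8 header bytes (and the 4 RDATA bytes in the A branch) still lies inside `s_event->buf`, even though the answer count and lengths come from the packet; the A branch should also require `size2 == 4` before reading the address, since RFC 1035 fixes A RDATA at four octets. I would read the fields at fixed offsets from `pos`, advance `pos` once afterwards, and gate each read on the buffer size as below; `ttl2` is `uint32_t` and should be printed with `%u` rather than `%d`. handle_event begins and ends outside the hunk, and neither the size of `buf` nor the loop's error convention is visible here, so the `sizeof` bound and the `break` are placeholders to confirm.
```c
/* … unchanged: type2 read just above the hunk … */
if (pos + 8 > sizeof(s_event->buf)) {   /* class(2) + ttl(4) + rdlength(2) must fit */
    break;
}
uint16_t class2 = (uint16_t)(s_event->buf[pos] | (s_event->buf[pos + 1] << 8));
uint32_t ttl2 = (uint32_t)s_event->buf[pos + 2] | ((uint32_t)s_event->buf[pos + 3] << 8)
              | ((uint32_t)s_event->buf[pos + 4] << 16) | ((uint32_t)s_event->buf[pos + 5] << 24);
uint16_t size2 = (uint16_t)(s_event->buf[pos + 6] | (s_event->buf[pos + 7] << 8));
pos += 8;
/* … unchanged: ntohs/ntohl conversions … */
if (type2 == 1) {
    if (size2 != 4 || pos + 4 > sizeof(s_event->buf)) {   /* A RDATA is exactly 4 octets */
        break;
    }
    /* … unchanged: ip assembly from buf[pos..pos+3] and printf (use %u for ttl2) … */
    pos += 4;
}
```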
| @ -260,7 +267,7 @@ int handle_event(void *ctx, void *data, size_t data_sz){ | ||||
| 
 | ||||
|             } | ||||
|             printf("\n"); | ||||
|             pos += 2; | ||||
|             //pos += 2;
 | ||||
|             printf("%d\n", pos); | ||||
|         } | ||||
|         /*for (int i = 0; i < s_event->numAns; i++)
 | ||||
|  | ||||
| @ -125,8 +125,9 @@ static unsigned int get_answer(struct __sk_buff *skb, struct event *s_event, siz | ||||
|     // Get the 2 first bytes to identify if it's a message compression or not
 | ||||
|     if(bpf_skb_load_bytes(skb, tlen, &buf, 2) < 0) | ||||
|         return 0; | ||||
|     bpf_printk("tlen: %d", tlen); | ||||
|     tlen += 4; // For the message compression
 | ||||
|     // bpf_printk("tlen: %d", tlen);
 | ||||
|     bpf_printk("Start at offset ans: %d", offset); | ||||
|     tlen += 2; // For the message compression
 | ||||
|     /*
 | ||||
|      * According to the RFC 1035 (https://datatracker.ietf.org/doc/html/rfc1035#section-4.1.4)
 | ||||
|      * In the section 4.1.4, message compression, the first two bits are set at 11 (0xc), | ||||
| @ -146,24 +147,29 @@ static unsigned int get_answer(struct __sk_buff *skb, struct event *s_event, siz | ||||
|         // Get the class and type
 | ||||
|         if ((void*)(offset) >= MAX_UDP_PAYLOAD - sizeof(uint16_t)) | ||||
|             return 0; | ||||
|         bpf_printk("offset: %d", offset); | ||||
|         // bpf_printk("offset: %d", offset);
 | ||||
|         bpf_skb_load_bytes(skb, tlen, s_event->buf + offset, sizeof(uint16_t)); | ||||
|         uint16_t type = s_event->buf[0] + (s_event->buf[1] << 8); | ||||
|         tlen += 2; | ||||
|         offset += 2; | ||||
| 
 | ||||
|         if ((void*)(offset += 2) >= MAX_UDP_PAYLOAD - sizeof(uint16_t)) | ||||
|             return 0; | ||||
|         //offset += 2;
 | ||||
| 
 | ||||
| 	// For class
 | ||||
|         if(bpf_skb_load_bytes(skb, tlen, s_event->buf + offset, sizeof(uint16_t)) < 0) | ||||
|             return 0; | ||||
|         tlen += 2; | ||||
|         if ((void*)(offset += 2) >= MAX_UDP_PAYLOAD - sizeof(uint16_t)) | ||||
|             return 0; | ||||
| 	//offset += 2;
 | ||||
| 
 | ||||
|         // Get ttl
 | ||||
|         if(bpf_skb_load_bytes(skb, tlen, s_event->buf + offset, sizeof(uint32_t)) < 0) | ||||
|             return 0; | ||||
|         if ((void*)(offset += 4) >= MAX_UDP_PAYLOAD - sizeof(uint32_t)) | ||||
|             return 0; | ||||
|         tlen += 2; | ||||
|         tlen += 4; | ||||
| 	//offset += 4;
 | ||||
| 
 | ||||
|         // Get data size
 | ||||
|         uint16_t size; | ||||
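Review bot: The guard before the TTL load (just after `// Get ttl`) checks `offset` against `MAX_UDP_PAYLOAD - sizeof(uint16_t)`, but the `bpf_skb_load_bytes` that follows writes `sizeof(uint32_t)` bytes at `s_event->buf + offset`, so an offset of `MAX_UDP_PAYLOAD - 3` passes the check and the copy runs past the end of `buf`; the `(offset += 4) >= …` check after the load comes too late to prevent that write. The guard should be stated in terms of the size about to be written and sit before the load, `if (offset + sizeof(uint32_t) > MAX_UDP_PAYLOAD) return 0;`, and the same shape fits the two-byte loads above it. The first `bpf_skb_load_bytes` below `// Get the class and type` also ignores its return value while the later loads check for `< 0`, and `type` is assembled from `buf[0]`/`buf[1]` rather than `buf[offset]`, which only matches for the first answer — worth confirming whether that is intended. get_answer starts and ends outside this hunk; the `(void*)` cast applied to the integer `offset` in each comparison looks like a leftover that the compiler will at least warn about.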
| @ -178,6 +184,8 @@ static unsigned int get_answer(struct __sk_buff *skb, struct event *s_event, siz | ||||
|             bpf_skb_load_bytes(skb, tlen, s_event->buf + offset, sizeof(uint32_t));  | ||||
|         } | ||||
|         //offset += ntohs(size);
 | ||||
|         if ((void*)(offset += ntohs(size)) >= MAX_UDP_PAYLOAD - sizeof(uint16_t)) | ||||
|             return 0; | ||||
|         tlen += ntohs(size); | ||||
| 
 | ||||
|         //tlen += 2;
 | ||||
| @ -190,7 +198,8 @@ static unsigned int get_answer(struct __sk_buff *skb, struct event *s_event, siz | ||||
|     else { | ||||
|         // get_labels2(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) + sizeof(struct dnshdr), s_event);
 | ||||
|     } | ||||
|     bpf_printk("tlen: %d", tlen); | ||||
|     //bpf_printk("tlen: %d", tlen);
 | ||||
|     bpf_printk("End offset ans: %d", offset); | ||||
|     return offset; | ||||
| } | ||||
| /*
 | ||||
| @ -335,8 +344,9 @@ static void dnsanswer(struct __sk_buff *skb, struct iphdr ip, struct udphdr udp, | ||||
|         offset += sizeof(struct dnshdr) + query_len; // For the pos in the answer section in the skb
 | ||||
|         unsigned int offset_ans = 0; | ||||
|         for (uint16_t i = 0; i < ans; i++){ | ||||
|             offset_ans = get_answer(skb, s_event, offset, offset_ans); | ||||
|             offset += offset_ans; | ||||
|             offset_ans += get_answer(skb, s_event, offset, offset_ans); | ||||
| 	    offset += offset_ans + 2; | ||||
|             //offset_ans += offset_ans;
 | ||||
|             // For eBPF verifier, to be sure we leave the loop
 | ||||
|             if (i == ans || i == 5 || offset_ans >= 512) | ||||
|                 break; | ||||
|  | ||||
										
											Binary file not shown.
										
									
								
							
							
								
								
									
										70196
									
								
								src/vmlinux.h
									
									
									
									
									
								
							
							
								
								
								
								
								
									
									
								
							
						
						
									
										70196
									
								
								src/vmlinux.h
									
									
									
									
									
								
							
										
											
												File diff suppressed because it is too large
											
										
									
								
							