Update project
This commit is contained in:
parent
408ad6aef3
commit
eeb15e8f7b
BIN
dns-trace
BIN
dns-trace
10
src/common.h
10
src/common.h
@ -28,19 +28,19 @@ struct event {
|
||||
uint16_t tid;
|
||||
int req_type;
|
||||
char qname[QNAME_SIZE];
|
||||
int class;
|
||||
int type;
|
||||
uint16_t class;
|
||||
uint16_t type;
|
||||
uint32_t ans;
|
||||
uint32_t ttl;
|
||||
};
|
||||
|
||||
struct query_section{
|
||||
char qname[QNAME_SIZE];
|
||||
int class;
|
||||
int type;
|
||||
uint16_t class;
|
||||
uint16_t type;
|
||||
};
|
||||
|
||||
struct dns_answer {
|
||||
uint16_t tid;
|
||||
char qname[QNAME_SIZE];
|
||||
char ip[32];
|
||||
int ttl;
|
||||
|
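Review bot: `struct dns_answer` keeps `int ttl` (and has no `class`/`type` fields) while this hunk narrows `class`/`type` in `struct event` and `struct query_section` to `uint16_t` beside `uint32_t ttl`, so the three structs no longer agree on the width of the same DNS values; if dns_answer is still populated from the same wire fields, change it to `uint32_t ttl;` as well, or drop it if it is now unused. The narrowing itself is right for DNS (QCLASS/QTYPE are 16-bit on the wire), but since this header appears to be compiled into both the BPF object and the user-space loader, a one-line comment above `struct event` saying that the layout is shared by both sides and which byte order the fields hold would help the next reader. The hunk ends inside `struct dns_answer`.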
107
src/dns-trace.c
107
src/dns-trace.c
@ -101,97 +101,136 @@ static int open_raw_sock(const char *name)
|
||||
return sock;
|
||||
}
|
||||
|
||||
static void mapReqType(const int req){
|
||||
static char *mapReqType(const int req){
|
||||
char *tmp = malloc(8);
|
||||
if (tmp == NULL)
|
||||
return NULL;
|
||||
|
||||
switch(req){
|
||||
case 0x00:
|
||||
printf("Query\n");
|
||||
strncpy(tmp, "Query", 6);
|
||||
break;
|
||||
case 0x01:
|
||||
printf("Answer\n");
|
||||
strncpy(tmp, "Answer", 7);
|
||||
break;
|
||||
default:
|
||||
printf("Unknown");
|
||||
strncpy(tmp, "Unknown", 8);
|
||||
};
|
||||
return tmp;
|
||||
}
|
||||
static void mapClass(const int class){
|
||||
static char *mapClass(const int class){
|
||||
char *tmp = malloc(8);
|
||||
if (tmp == NULL)
|
||||
return NULL;
|
||||
|
||||
memset(tmp, 0, 8);
|
||||
switch(class){
|
||||
case 1:
|
||||
printf("IN\n");
|
||||
strncpy(tmp, "IN", 3);
|
||||
break;
|
||||
case 2:
|
||||
printf("CS\n");
|
||||
strncpy(tmp, "CS", 3);
|
||||
break;
|
||||
case 3:
|
||||
printf("CH\n");
|
||||
strncpy(tmp, "CH", 3);
|
||||
break;
|
||||
case 4:
|
||||
printf("HS\n");
|
||||
strncpy(tmp, "HS", 3);
|
||||
break;
|
||||
default:
|
||||
printf("Unknown\n");
|
||||
strncpy(tmp, "Unknown", 8);
|
||||
break;
|
||||
}
|
||||
return tmp;
|
||||
}
|
||||
static void mapType(const int type){
|
||||
static char *mapType(const int type){
|
||||
char *tmp = malloc(8);
|
||||
if (tmp == NULL)
|
||||
return NULL;
|
||||
|
||||
switch(type){
|
||||
case 1:
|
||||
printf("A");
|
||||
strncpy(tmp, "A", 2);
|
||||
break;
|
||||
case 2:
|
||||
printf("NS");
|
||||
strncpy(tmp, "NS", 3);
|
||||
break;
|
||||
case 3:
|
||||
printf("MD");
|
||||
strncpy(tmp, "MD", 3);
|
||||
break;
|
||||
case 4:
|
||||
printf("MF");
|
||||
strncpy(tmp, "MF", 3);
|
||||
break;
|
||||
case 5:
|
||||
printf("CNAME");
|
||||
strncpy(tmp, "CNAME", 6);
|
||||
break;
|
||||
case 6:
|
||||
printf("SOA");
|
||||
strncpy(tmp, "SOA", 4);
|
||||
break;
|
||||
case 7:
|
||||
printf("MB");
|
||||
strncpy(tmp, "MB", 3);
|
||||
break;
|
||||
case 8:
|
||||
printf("MG");
|
||||
strncpy(tmp, "MG", 3);
|
||||
break;
|
||||
case 9:
|
||||
printf("MR");
|
||||
strncpy(tmp, "MR", 3);
|
||||
break;
|
||||
case 10:
|
||||
printf("NULL");
|
||||
strncpy(tmp, "NULL", 5);
|
||||
break;
|
||||
case 11:
|
||||
printf("WKS");
|
||||
strncpy(tmp, "WKS", 4);
|
||||
break;
|
||||
case 12:
|
||||
printf("PTR");
|
||||
strncpy(tmp, "PTR", 4);
|
||||
break;
|
||||
case 13:
|
||||
printf("HINFO");
|
||||
strncpy(tmp, "HINFO", 6);
|
||||
break;
|
||||
case 14:
|
||||
printf("MINFO");
|
||||
strncpy(tmp, "MINFO", 6);
|
||||
break;
|
||||
case 15:
|
||||
printf("MX");
|
||||
strncpy(tmp, "MX", 3);
|
||||
break;
|
||||
case 16:
|
||||
printf("TXT");
|
||||
strncpy(tmp, "TXT", 4);
|
||||
break;
|
||||
default:
|
||||
printf("Unknown\n");
|
||||
strncpy(tmp, "Unknown", 8);
|
||||
break;
|
||||
}
|
||||
printf("\n");
|
||||
return tmp;
|
||||
}
|
||||
|
||||
int handle_event(void *ctx, void *data, size_t data_sz){
|
||||
struct event *s_event = (struct event*)data;
|
||||
printf("IP: %s\n", inet_ntoa(*(struct in_addr*)&s_event->client));
|
||||
char *req_type, *class, *type;
|
||||
printf("%s:%-10d", inet_ntoa(*(struct in_addr*)&s_event->client), s_event->dport);
|
||||
printf("%-5x", s_event->tid);
|
||||
|
||||
req_type = mapReqType(s_event->req_type);
|
||||
printf("%-10s", req_type);
|
||||
free(req_type);
|
||||
|
||||
printf("%-30s", s_event->qname);
|
||||
|
||||
class = mapClass(s_event->class);
|
||||
printf("%-10s", class);
|
||||
free(class);
|
||||
|
||||
type = mapType(s_event->type);
|
||||
printf("%-10s", type);
|
||||
free(type);
|
||||
|
||||
if (s_event->req_type == REQ_ANSWER){
|
||||
printf("%-15s", inet_ntoa(*(struct in_addr*)&s_event->ans));
|
||||
printf("%-5d", s_event->ttl);
|
||||
}
|
||||
|
||||
|
||||
/*printf("IP: %s\n", inet_ntoa(*(struct in_addr*)&s_event->client));
|
||||
printf("dport: %d\n", s_event->dport);
|
||||
printf("sport: %d\n", s_event->sport);
|
||||
printf("Transaction ID: %x\n", s_event->tid);
|
||||
@ -205,9 +244,9 @@ int handle_event(void *ctx, void *data, size_t data_sz){
|
||||
|
||||
if (s_event->req_type == REQ_ANSWER)
|
||||
printf("Data: %s\n", inet_ntoa(*(struct in_addr*)&s_event->ans));
|
||||
|
||||
*/
|
||||
printf("\n");
|
||||
|
||||
|
||||
return 0;
|
||||
}
|
||||
int main(int argc, char *argv[]){
|
||||
@ -253,8 +292,8 @@ int main(int argc, char *argv[]){
|
||||
}
|
||||
|
||||
bpf_program__attach(programSkb);
|
||||
int sock = open_raw_sock("wlp0s20f3");
|
||||
//int sock = open_raw_sock("enx98e743c667fc");
|
||||
// int sock = open_raw_sock("wlp0s20f3");
|
||||
int sock = open_raw_sock("enx98e743c667fc");
|
||||
printf("Socket: %d\n", sock);
|
||||
int prog_fd = bpf_program__fd(programSkb);
|
||||
printf("Program fd: %d\n", prog_fd);
|
||||
|
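Review bot: handle_event casts `data` to `struct event *` and reads through it without checking `data_sz`, and it passes the results of mapReqType/mapClass/mapType straight to `%s` although each of them returns NULL when malloc fails; add `if (data == NULL || data_sz < sizeof(struct event)) return 0;` before the cast and print `req_type ? req_type : "?"` (likewise for `class` and `type`), or remove the heap path altogether. The three helpers allocate exactly 8 bytes per call only to hold a string literal; returning `static const char *` literals (`return "Query";`) would drop the malloc, the hand-counted strncpy lengths, the NULL branch and the three free() calls in handle_event. In the main hunk the interface name `"enx98e743c667fc"` remains a compiled-in constant with the alternative commented out; main already receives argc/argv, so taking the name from `argv[1]` (with a usage message when absent) would make the tool usable on another host. handle_event's body is split across two hunks here and main continues past the end of its hunk.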
@ -55,7 +55,7 @@ static size_t get_labels2(struct __sk_buff *skb, size_t offset, struct event *s_
|
||||
}
|
||||
s_event->qname[qname_len - 1] = '\0';
|
||||
qname_len++;
|
||||
bpf_printk("qname: %s", s_event->qname);
|
||||
// bpf_printk("qname: %s", s_event->qname);
|
||||
// bpf_printk("qname len: %d", qname_len);
|
||||
return qname_len;
|
||||
}
|
||||
@ -161,7 +161,7 @@ static size_t get_answer(struct __sk_buff *skb, struct event *s_event, size_t tl
|
||||
bpf_skb_load_bytes(skb, tlen, &ttl, sizeof(uint32_t));
|
||||
tlen += 2;
|
||||
bpf_printk("offset: %d", tlen);
|
||||
bpf_printk("ttl: %d", ntohs(ttl));
|
||||
s_event->ttl = ntohs(ttl);
|
||||
|
||||
// Get data size
|
||||
uint16_t size;
|
||||
@ -185,31 +185,28 @@ static size_t get_answer(struct __sk_buff *skb, struct event *s_event, size_t tl
|
||||
static int dnsquery(struct __sk_buff *skb, struct ethhdr eth, struct iphdr ip, struct udphdr udp, int dport, int sport){
|
||||
struct event *s_event;
|
||||
struct dnshdr dns = {0};
|
||||
// bpf_printk("udp len: %d", ntohs(udp.len));
|
||||
|
||||
s_event = bpf_ringbuf_reserve(&m_data, sizeof(*s_event), 0);
|
||||
if (!s_event)
|
||||
return 0;
|
||||
|
||||
/* Get IP header */
|
||||
s_event->client = ip.saddr;
|
||||
struct query_section dquery = {0};
|
||||
|
||||
/* Get DNS header */
|
||||
bpf_skb_load_bytes(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr), &dns, sizeof(struct dnshdr));
|
||||
|
||||
// Check OpCode
|
||||
uint16_t flags = ntohs(dns.flags);
|
||||
uint16_t qr = flags & 0xF000; // Get the QR code: 0 -> query, 1 -> response
|
||||
if (qr == 0x0)
|
||||
s_event->req_type = REQ_QUERY;
|
||||
else if(qr == 0x8000)
|
||||
bpf_printk("Response");
|
||||
bpf_printk("Flags: %x %x", flags, qr);
|
||||
|
||||
if (ntohs(dns.nbQuestions) == 0){
|
||||
bpf_ringbuf_discard(s_event, 0);
|
||||
uint16_t qr = ntohs(dns.flags) & 0xF000; // Get the QR code: 0 -> query, 1 -> response
|
||||
/* If it's not a query, we do not continue */
|
||||
if(qr != 0x0)
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (ntohs(dns.nbQuestions) == 0)
|
||||
return 0;
|
||||
|
||||
s_event = bpf_ringbuf_reserve(&m_data, sizeof(*s_event), 0);
|
||||
if (!s_event)
|
||||
return 0;
|
||||
|
||||
s_event->req_type = REQ_QUERY;
|
||||
|
||||
/* Get IP header */
|
||||
s_event->client = ip.saddr;
|
||||
|
||||
s_event->tid = ntohs(dns.transactionID);
|
||||
|
||||
@ -242,7 +239,6 @@ static void dnsanswer_old(struct __sk_buff *skb, struct iphdr ip, struct udphdr
|
||||
if (payload_len <= -1) {
|
||||
bpf_printk("payload len %d", payload_len);
|
||||
}
|
||||
|
||||
|
||||
// Get udp len
|
||||
//udplen = ntohs(udp.len);
|
||||
@ -252,7 +248,6 @@ static void dnsanswer_old(struct __sk_buff *skb, struct iphdr ip, struct udphdr
|
||||
//if (udplen <= 0)
|
||||
// return 0;
|
||||
|
||||
|
||||
/*if (offset + udplen > skb->len) {
|
||||
bpf_printk("outbound");
|
||||
plen = sizeof(struct dnshdr);
|
||||
@ -284,26 +279,23 @@ static void dnsanswer(struct __sk_buff *skb, struct iphdr ip, struct udphdr udp,
|
||||
if (bpf_skb_load_bytes(skb, offset, &dns, 12) < 0)
|
||||
return;
|
||||
|
||||
// Check OpCode
|
||||
uint16_t qr = ntohs(dns.flags) & 0xF000; // Get the QR code: 0 -> query, 1 -> response
|
||||
if(qr != 0x8000) // Not a response, we do not continue
|
||||
return;
|
||||
|
||||
if (ntohs(dns.nbQuestions) == 0)
|
||||
return;
|
||||
|
||||
s_event = bpf_ringbuf_reserve(&m_data, sizeof(*s_event), 0);
|
||||
if (!s_event)
|
||||
return;
|
||||
|
||||
s_event->req_type = REQ_ANSWER;
|
||||
|
||||
/* Get IP header */
|
||||
s_event->client = ip.daddr;
|
||||
|
||||
// Check OpCode
|
||||
uint16_t flags = ntohs(dns.flags);
|
||||
uint16_t qr = flags & 0xF000; // Get the QR code: 0 -> query, 1 -> response
|
||||
if (qr == 0x0) // Query
|
||||
s_event->req_type = REQ_QUERY;
|
||||
else if(qr == 0x8000) // Response
|
||||
s_event->req_type = REQ_ANSWER;
|
||||
|
||||
if (ntohs(dns.nbQuestions) == 0){
|
||||
bpf_ringbuf_discard(s_event, 0);
|
||||
return;
|
||||
}
|
||||
|
||||
s_event->dport = dport;
|
||||
s_event->sport = sport;
|
||||
|
||||
|
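Review bot: dnsquery reads the DNS header with `bpf_skb_load_bytes(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr), &dns, sizeof(struct dnshdr));` without checking the return value, while the reworked dnsanswer does (`if (bpf_skb_load_bytes(skb, offset, &dns, 12) < 0) return;`); on a short packet `dns` stays zero-initialised, `qr == 0` then satisfies what appears to be the new "is a query" test, and an event with transaction id 0 is reserved from unread data, so mirror the check with `if (bpf_skb_load_bytes(..., &dns, sizeof(struct dnshdr)) < 0) return 0;`. In both functions the mask in `ntohs(dns.flags) & 0xF000` covers the Opcode bits as well as QR, so the comment "Get the QR code" overstates it and packets with a non-zero opcode are silently excluded; either test only the QR bit with `0x8000` or reword the comment to say that only standard (opcode 0) queries/responses are handled. In the get_answer hunk the unchanged context line `s_event->ttl = ntohs(ttl);` applies a 16-bit byte swap to a value read with `sizeof(uint32_t)`, and `tlen += 2;` follows a 4-byte read; `ntohl` and `+= 4` look intended, though neither line is touched by this commit. dnsquery's body continues past the end of its hunk, and this file's header is not visible in the rendered section.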
193060
src/vmlinux.h
193060
src/vmlinux.h