Update project

gbucchino 2025-01-23 16:49:49 +01:00
parent 408ad6aef3
commit eeb15e8f7b
6 changed files with 123245 additions and 69996 deletions

BIN
dns-trace

Binary file not shown.

@ -28,19 +28,19 @@ struct event {
uint16_t tid; uint16_t tid;
int req_type; int req_type;
char qname[QNAME_SIZE]; char qname[QNAME_SIZE];
int class; uint16_t class;
int type; uint16_t type;
uint32_t ans; uint32_t ans;
uint32_t ttl;
}; };
struct query_section{ struct query_section{
char qname[QNAME_SIZE]; char qname[QNAME_SIZE];
int class; uint16_t class;
int type; uint16_t type;
}; };
struct dns_answer { struct dns_answer {
uint16_t tid;
char qname[QNAME_SIZE]; char qname[QNAME_SIZE];
char ip[32]; char ip[32];
int ttl; int ttl;
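Review bot: The two record types now disagree on the TTL type — `struct event` gains `uint32_t ttl` while `struct dns_answer` keeps `int ttl` — and a 32-bit wire field stored in a signed `int` misreads values above INT_MAX; `uint32_t ttl;` in dns_answer would keep the two consistent. `struct event` looks like the ring-buffer record that user space casts directly (the consumer is not in this hunk, so this is inferred), which makes its field widths an ABI between the BPF object and the binary, and the `int` → `uint16_t` changes to `class` and `type` therefore require both sides to be rebuilt together. A header comment would make that explicit, e.g. `/* Ring-buffer record shared with user space: any layout change requires rebuilding both the BPF program and its consumer. */`.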

@ -101,97 +101,136 @@ static int open_raw_sock(const char *name)
return sock; return sock;
} }
static void mapReqType(const int req){ static char *mapReqType(const int req){
char *tmp = malloc(8);
if (tmp == NULL)
return NULL;
switch(req){ switch(req){
case 0x00: case 0x00:
printf("Query\n"); strncpy(tmp, "Query", 6);
break; break;
case 0x01: case 0x01:
printf("Answer\n"); strncpy(tmp, "Answer", 7);
break; break;
default: default:
printf("Unknown"); strncpy(tmp, "Unknown", 8);
}; };
return tmp;
} }
static void mapClass(const int class){ static char *mapClass(const int class){
char *tmp = malloc(8);
if (tmp == NULL)
return NULL;
memset(tmp, 0, 8);
switch(class){ switch(class){
case 1: case 1:
printf("IN\n"); strncpy(tmp, "IN", 3);
break; break;
case 2: case 2:
printf("CS\n"); strncpy(tmp, "CS", 3);
break; break;
case 3: case 3:
printf("CH\n"); strncpy(tmp, "CH", 3);
break; break;
case 4: case 4:
printf("HS\n"); strncpy(tmp, "HS", 3);
break; break;
default: default:
printf("Unknown\n"); strncpy(tmp, "Unknown", 8);
break; break;
} }
return tmp;
} }
static void mapType(const int type){ static char *mapType(const int type){
char *tmp = malloc(8);
if (tmp == NULL)
return NULL;
switch(type){ switch(type){
case 1: case 1:
printf("A"); strncpy(tmp, "A", 2);
break; break;
case 2: case 2:
printf("NS"); strncpy(tmp, "NS", 3);
break; break;
case 3: case 3:
printf("MD"); strncpy(tmp, "MD", 3);
break; break;
case 4: case 4:
printf("MF"); strncpy(tmp, "MF", 3);
break; break;
case 5: case 5:
printf("CNAME"); strncpy(tmp, "CNAME", 6);
break; break;
case 6: case 6:
printf("SOA"); strncpy(tmp, "SOA", 4);
break; break;
case 7: case 7:
printf("MB"); strncpy(tmp, "MB", 3);
break; break;
case 8: case 8:
printf("MG"); strncpy(tmp, "MG", 3);
break; break;
case 9: case 9:
printf("MR"); strncpy(tmp, "MR", 3);
break; break;
case 10: case 10:
printf("NULL"); strncpy(tmp, "NULL", 5);
break; break;
case 11: case 11:
printf("WKS"); strncpy(tmp, "WKS", 4);
break; break;
case 12: case 12:
printf("PTR"); strncpy(tmp, "PTR", 4);
break; break;
case 13: case 13:
printf("HINFO"); strncpy(tmp, "HINFO", 6);
break; break;
case 14: case 14:
printf("MINFO"); strncpy(tmp, "MINFO", 6);
break; break;
case 15: case 15:
printf("MX"); strncpy(tmp, "MX", 3);
break; break;
case 16: case 16:
printf("TXT"); strncpy(tmp, "TXT", 4);
break; break;
default: default:
printf("Unknown\n"); strncpy(tmp, "Unknown", 8);
break; break;
} }
printf("\n"); return tmp;
} }
int handle_event(void *ctx, void *data, size_t data_sz){ int handle_event(void *ctx, void *data, size_t data_sz){
struct event *s_event = (struct event*)data; struct event *s_event = (struct event*)data;
printf("IP: %s\n", inet_ntoa(*(struct in_addr*)&s_event->client)); char *req_type, *class, *type;
printf("%s:%-10d", inet_ntoa(*(struct in_addr*)&s_event->client), s_event->dport);
printf("%-5x", s_event->tid);
req_type = mapReqType(s_event->req_type);
printf("%-10s", req_type);
free(req_type);
printf("%-30s", s_event->qname);
class = mapClass(s_event->class);
printf("%-10s", class);
free(class);
type = mapType(s_event->type);
printf("%-10s", type);
free(type);
if (s_event->req_type == REQ_ANSWER){
printf("%-15s", inet_ntoa(*(struct in_addr*)&s_event->ans));
printf("%-5d", s_event->ttl);
}
/*printf("IP: %s\n", inet_ntoa(*(struct in_addr*)&s_event->client));
printf("dport: %d\n", s_event->dport); printf("dport: %d\n", s_event->dport);
printf("sport: %d\n", s_event->sport); printf("sport: %d\n", s_event->sport);
printf("Transaction ID: %x\n", s_event->tid); printf("Transaction ID: %x\n", s_event->tid);
@ -205,9 +244,9 @@ int handle_event(void *ctx, void *data, size_t data_sz){
if (s_event->req_type == REQ_ANSWER) if (s_event->req_type == REQ_ANSWER)
printf("Data: %s\n", inet_ntoa(*(struct in_addr*)&s_event->ans)); printf("Data: %s\n", inet_ntoa(*(struct in_addr*)&s_event->ans));
*/
printf("\n"); printf("\n");
return 0; return 0;
} }
int main(int argc, char *argv[]){ int main(int argc, char *argv[]){
@ -253,8 +292,8 @@ int main(int argc, char *argv[]){
} }
bpf_program__attach(programSkb); bpf_program__attach(programSkb);
int sock = open_raw_sock("wlp0s20f3"); // int sock = open_raw_sock("wlp0s20f3");
//int sock = open_raw_sock("enx98e743c667fc"); int sock = open_raw_sock("enx98e743c667fc");
printf("Socket: %d\n", sock); printf("Socket: %d\n", sock);
int prog_fd = bpf_program__fd(programSkb); int prog_fd = bpf_program__fd(programSkb);
printf("Program fd: %d\n", prog_fd); printf("Program fd: %d\n", prog_fd);
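Review bot: `handle_event` passes the results of `mapReqType`, `mapClass` and `mapType` straight to `printf("%-10s", …)`, but each of the new helpers returns NULL when `malloc(8)` fails, and `%s` with a null pointer is undefined behaviour. Because every returned string is a constant, the allocation is unnecessary: making the helpers `static const char *` and returning the literals (with the `free()` calls in handle_event dropped) removes both the NULL path and the per-event heap churn. Separately, `handle_event` casts `data` without looking at `data_sz`; `if (data_sz < sizeof(struct event)) return 0;` before the cast guards against a ring-buffer record shorter than the struct (the function body continues outside the hunk). The interface name on the swapped `open_raw_sock` lines is still hard-coded; taking it from `argv` would avoid commenting lines in and out per host.
```c
/* Maps a request type to a printable name; returns a string literal, never NULL. */
static const char *mapReqType(const int req){
	switch(req){
	case 0x00:
		return "Query";
	case 0x01:
		return "Answer";
	default:
		return "Unknown";
	}
}
/* … mapClass and mapType follow the same pattern: return the literal, no malloc … */
int handle_event(void *ctx, void *data, size_t data_sz){
	/* Reject a record shorter than the struct before touching its fields. */
	if (data_sz < sizeof(struct event))
		return 0;
	struct event *s_event = (struct event*)data;
	printf("%s:%-10d", inet_ntoa(*(struct in_addr*)&s_event->client), s_event->dport);
	printf("%-5x", s_event->tid);
	printf("%-10s", mapReqType(s_event->req_type));
	printf("%-30s", s_event->qname);
	printf("%-10s", mapClass(s_event->class));
	printf("%-10s", mapType(s_event->type));
	/* … unchanged: answer/ttl output and the commented-out debug block … */
```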

@ -55,7 +55,7 @@ static size_t get_labels2(struct __sk_buff *skb, size_t offset, struct event *s_
} }
s_event->qname[qname_len - 1] = '\0'; s_event->qname[qname_len - 1] = '\0';
qname_len++; qname_len++;
bpf_printk("qname: %s", s_event->qname); // bpf_printk("qname: %s", s_event->qname);
// bpf_printk("qname len: %d", qname_len); // bpf_printk("qname len: %d", qname_len);
return qname_len; return qname_len;
} }
@ -161,7 +161,7 @@ static size_t get_answer(struct __sk_buff *skb, struct event *s_event, size_t tl
bpf_skb_load_bytes(skb, tlen, &ttl, sizeof(uint32_t)); bpf_skb_load_bytes(skb, tlen, &ttl, sizeof(uint32_t));
tlen += 2; tlen += 2;
bpf_printk("offset: %d", tlen); bpf_printk("offset: %d", tlen);
bpf_printk("ttl: %d", ntohs(ttl)); s_event->ttl = ntohs(ttl);
// Get data size // Get data size
uint16_t size; uint16_t size;
@ -185,31 +185,28 @@ static size_t get_answer(struct __sk_buff *skb, struct event *s_event, size_t tl
static int dnsquery(struct __sk_buff *skb, struct ethhdr eth, struct iphdr ip, struct udphdr udp, int dport, int sport){ static int dnsquery(struct __sk_buff *skb, struct ethhdr eth, struct iphdr ip, struct udphdr udp, int dport, int sport){
struct event *s_event; struct event *s_event;
struct dnshdr dns = {0}; struct dnshdr dns = {0};
// bpf_printk("udp len: %d", ntohs(udp.len)); struct query_section dquery = {0};
s_event = bpf_ringbuf_reserve(&m_data, sizeof(*s_event), 0);
if (!s_event)
return 0;
/* Get IP header */
s_event->client = ip.saddr;
/* Get DNS header */ /* Get DNS header */
bpf_skb_load_bytes(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr), &dns, sizeof(struct dnshdr)); bpf_skb_load_bytes(skb, sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr), &dns, sizeof(struct dnshdr));
// Check OpCode // Check OpCode
uint16_t flags = ntohs(dns.flags); uint16_t qr = ntohs(dns.flags) & 0xF000; // Get the QR code: 0 -> query, 1 -> response
uint16_t qr = flags & 0xF000; // Get the QR code: 0 -> query, 1 -> response /* If it's not a query, we do not continue */
if (qr == 0x0) if(qr != 0x0)
s_event->req_type = REQ_QUERY;
else if(qr == 0x8000)
bpf_printk("Response");
bpf_printk("Flags: %x %x", flags, qr);
if (ntohs(dns.nbQuestions) == 0){
bpf_ringbuf_discard(s_event, 0);
return 0; return 0;
}
if (ntohs(dns.nbQuestions) == 0)
return 0;
s_event = bpf_ringbuf_reserve(&m_data, sizeof(*s_event), 0);
if (!s_event)
return 0;
s_event->req_type = REQ_QUERY;
/* Get IP header */
s_event->client = ip.saddr;
s_event->tid = ntohs(dns.transactionID); s_event->tid = ntohs(dns.transactionID);
@ -242,7 +239,6 @@ static void dnsanswer_old(struct __sk_buff *skb, struct iphdr ip, struct udphdr
if (payload_len <= -1) { if (payload_len <= -1) {
bpf_printk("payload len %d", payload_len); bpf_printk("payload len %d", payload_len);
} }
// Get udp len // Get udp len
//udplen = ntohs(udp.len); //udplen = ntohs(udp.len);
@ -252,7 +248,6 @@ static void dnsanswer_old(struct __sk_buff *skb, struct iphdr ip, struct udphdr
//if (udplen <= 0) //if (udplen <= 0)
// return 0; // return 0;
/*if (offset + udplen > skb->len) { /*if (offset + udplen > skb->len) {
bpf_printk("outbound"); bpf_printk("outbound");
plen = sizeof(struct dnshdr); plen = sizeof(struct dnshdr);
@ -284,26 +279,23 @@ static void dnsanswer(struct __sk_buff *skb, struct iphdr ip, struct udphdr udp,
if (bpf_skb_load_bytes(skb, offset, &dns, 12) < 0) if (bpf_skb_load_bytes(skb, offset, &dns, 12) < 0)
return; return;
// Check OpCode
uint16_t qr = ntohs(dns.flags) & 0xF000; // Get the QR code: 0 -> query, 1 -> response
if(qr != 0x8000) // Not a response, we do not continue
return;
if (ntohs(dns.nbQuestions) == 0)
return;
s_event = bpf_ringbuf_reserve(&m_data, sizeof(*s_event), 0); s_event = bpf_ringbuf_reserve(&m_data, sizeof(*s_event), 0);
if (!s_event) if (!s_event)
return; return;
s_event->req_type = REQ_ANSWER;
/* Get IP header */ /* Get IP header */
s_event->client = ip.daddr; s_event->client = ip.daddr;
// Check OpCode
uint16_t flags = ntohs(dns.flags);
uint16_t qr = flags & 0xF000; // Get the QR code: 0 -> query, 1 -> response
if (qr == 0x0) // Query
s_event->req_type = REQ_QUERY;
else if(qr == 0x8000) // Response
s_event->req_type = REQ_ANSWER;
if (ntohs(dns.nbQuestions) == 0){
bpf_ringbuf_discard(s_event, 0);
return;
}
s_event->dport = dport; s_event->dport = dport;
s_event->sport = sport; s_event->sport = sport;
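Review bot: In the get_answer hunk, `ttl` is loaded as four bytes (`sizeof(uint32_t)`) but converted with `ntohs`, which operates on a 16-bit value, so the stored `s_event->ttl` keeps only the low half of the field byte-swapped; the line should read `s_event->ttl = ntohl(ttl);`. get_answer starts and ends outside the hunk, so the declaration of `ttl` is not visible — if it is actually a `uint16_t`, the load size rather than the conversion is the wrong half of the mismatch. Related, the new QR tests in dnsquery and dnsanswer mask with `0xF000`, which covers the QR bit plus three opcode bits, so a query or response carrying a non-zero opcode is silently dropped; `& 0x8000` isolates QR as the adjacent comment describes.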

Binary file not shown.

193060
src/vmlinux.h

File diff suppressed because it is too large Load Diff