Merge pull request #273 from cisco/bhudson-dev
updated DNS module and fixed a bug in IPv6 header creation when libpcap header is not present.
bhudson33 authored Jul 10, 2019
2 parents 89c6d90 + bcc60c6 commit 140b104
Showing 2 changed files with 38 additions and 37 deletions.
71 changes: 36 additions & 35 deletions src/dns.c
Expand Up @@ -151,14 +151,7 @@
/** DNS header structure */
typedef struct {
uint16_t id;
unsigned char qr : 1;
unsigned char opcode : 4;
unsigned char aa : 1;
unsigned char tc : 1;
unsigned char rd : 1;
unsigned char ra : 1;
unsigned char z : 3;
unsigned char rcode : 4;
uint16_t flags;
uint16_t qdcount;
uint16_t ancount;
uint16_t nscount;
Expand All @@ -173,14 +166,7 @@ typedef struct {
/** DNS header structure */
typedef struct {
uint16_t id;
unsigned char qr:1;
unsigned char opcode:4;
unsigned char aa:1;
unsigned char tc:1;
unsigned char rd:1;
unsigned char ra:1;
unsigned char z:3;
unsigned char rcode:4;
uint16_t flags;
uint16_t qdcount;
uint16_t ancount;
uint16_t nscount;
Expand All @@ -194,14 +180,7 @@ typedef struct {
/** DNS header structure */
typedef struct {
uint16_t id;
unsigned char rd:1;
unsigned char tc:1;
unsigned char aa:1;
unsigned char opcode:4;
unsigned char qr:1;
unsigned char rcode:4;
unsigned char z:3;
unsigned char ra:1;
uint16_t flags;
uint16_t qdcount;
uint16_t ancount;
uint16_t nscount;
Expand Down Expand Up @@ -301,7 +280,9 @@ enum dns_err {

/* advance the data position */
static enum dns_err data_advance (char **data, int *len, unsigned int size) {
if (*len < (int)size) {
unsigned int tlen = (unsigned int)*len;

if (tlen < size) {
return dns_err_malformed;
}
*data += size;
Expand Down Expand Up @@ -643,6 +624,8 @@ static void dns_print_packet (char *dns_name, unsigned int pkt_len, zfile output
const dns_question *question = NULL;
const dns_rr *rr;
int len = 0;
uint8_t flags_rcode = 0;
uint8_t flags_qr = 0;
char qr = 0;
uint16_t qdcount = 0, ancount = 0, nscount = 0, arcount = 0;
int rdlength = 0;
Expand All @@ -669,7 +652,9 @@ static void dns_print_packet (char *dns_name, unsigned int pkt_len, zfile output
len = pkt_len;
r = dns_name;
rh = (const dns_hdr*)r;
if (rh->qr == 0) {
flags_rcode = ntohs(rh->flags) & 0x000f;
flags_qr = ntohs(rh->flags) >> 15;
if (flags_qr == 0) {
qr = 'q';
} else {
qr = 'r';
Expand All @@ -685,6 +670,7 @@ static void dns_print_packet (char *dns_name, unsigned int pkt_len, zfile output
zprintf_debug(output, "qdcount=%u; err=%u\"}", qdcount, err);
return;
}

memset_s(name, DNS_OUTNAME_LEN, 0x00, DNS_OUTNAME_LEN);
while (qdcount-- > 0) {
/* parse question name and struct */
Expand All @@ -702,7 +688,7 @@ static void dns_print_packet (char *dns_name, unsigned int pkt_len, zfile output
}
zprintf(output, "\"%cn\":\"%s\",", qr, name + 1);
}
zprintf(output, "\"rc\":%u,\"rr\":[", rh->rcode);
zprintf(output, "\"rc\":%u,\"rr\":[", flags_rcode);

ancount = ntohs(rh->ancount);
comma = 0;
Expand Down Expand Up @@ -767,10 +753,17 @@ static void dns_print_packet (char *dns_name, unsigned int pkt_len, zfile output
return;
}
len -= rdlength;
if (rdlength > 1) {
r += (rdlength - 1);
rdlength = 1;
}
zprintf(output, ",\"ttl\":%u}", ntohl(rr->ttl));
}

arcount = ntohs(rh->arcount);
if (rdlength > 1) {
r += (rdlength - 1);
}
memset_s(name, DNS_OUTNAME_LEN, 0x00, DNS_OUTNAME_LEN);
while (arcount-- > 0) {
if (comma++) {
Expand All @@ -796,6 +789,10 @@ static void dns_print_packet (char *dns_name, unsigned int pkt_len, zfile output
return;
}
len -= rdlength;
if (rdlength > 1) {
r += (rdlength - 1);
rdlength = 1;
}
zprintf(output, ",\"ttl\":%u}", ntohl(rr->ttl));
}
zprintf(output, "]}");
Expand All @@ -805,10 +802,11 @@ static void dns_print_packet (char *dns_name, unsigned int pkt_len, zfile output
static void dns_printf (char * const dns_name[], const unsigned short pkt_len[],
char * const twin_dns_name[], const unsigned short twin_pkt_len[],
unsigned int count, zfile output) {
unsigned int i;
unsigned int i = 0;

zprintf(output, ",\"dns\":[");

/* if a twin exists, print out that data */
if (twin_dns_name) { /* bidirectional flow */
for (i=0; i<count; i++) {
if (i) {
Expand All @@ -818,9 +816,9 @@ static void dns_printf (char * const dns_name[], const unsigned short pkt_len[],
dns_print_packet(twin_dns_name[i], twin_pkt_len[i], output);
}
}

} else { /* unidirectional flow, with no twin */

} else {
/* unidirectional flow */
/* print out the data from the primary record */
for (i=0; i<count; i++) {
if (i) {
zprintf(output, ",");
Expand All @@ -830,6 +828,7 @@ static void dns_printf (char * const dns_name[], const unsigned short pkt_len[],
}
}
}

zprintf(output, "]");
}

Expand Down Expand Up @@ -967,12 +966,14 @@ void dns_update (dns_t *dns, const struct pcap_pkthdr *header, const void *start
void dns_print_json (const dns_t *dns1, const dns_t *dns2, zfile f) {
unsigned int count = 0;

if (dns1) {
count = dns1->pkt_count > MAX_NUM_DNS_PKT ? MAX_NUM_DNS_PKT : dns1->pkt_count;
}
/* should never get called with null dns1 handle*/
if (dns1 == NULL)
return;

count = dns1->pkt_count > MAX_NUM_DNS_PKT ? MAX_NUM_DNS_PKT : dns1->pkt_count;

if (dns2) {
count = dns2->pkt_count > count ? count : dns2->pkt_count;
count = dns2->pkt_count > MAX_NUM_DNS_PKT ? MAX_NUM_DNS_PKT : dns2->pkt_count;
}

if ((count == 0) || (count > MAX_NUM_DNS_PKT)) {
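Review bot: In `data_advance`, the new cast `unsigned int tlen = (unsigned int)*len;` turns a negative `*len` into a very large value, so `tlen < size` is false and the function goes on to advance `*data` beyond the packet buffer. Whether a caller can pass a negative length is not visible here, but `dns_print_packet` keeps `len` as a signed `int` and subtracts `rdlength` from it, so the helper should not rely on callers for that. Rejecting the negative case first keeps the unsigned comparison and closes the gap: `if (*len < 0 || (unsigned int)*len < size) {`. The rest of `data_advance` lies outside the hunk.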
4 changes: 2 additions & 2 deletions src/pkt_proc.c
Expand Up @@ -1090,8 +1090,8 @@ void* process_packet (unsigned char *ctx_ptr,
dyn_header->ts.tv_sec = now.tv_sec;
dyn_header->ts.tv_usec = now.tv_usec;
if (ctx->curr_pkt_type == ETH_TYPE_IPV6) {
dyn_header->caplen = ipv6->ip_len;
dyn_header->len = ipv6->ip_len;
dyn_header->caplen = ipv6->ip_len + IPV6_HDR_LENGTH;
dyn_header->len = ipv6->ip_len + IPV6_HDR_LENGTH;
} else {
dyn_header->caplen = ip->ip_len;
dyn_header->len = ip->ip_len;
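Review bot: In the `ETH_TYPE_IPV6` branch, `dyn_header->caplen` is built from `ipv6->ip_len`, a length field taken from the packet itself, and nothing in the hunk bounds the result by the number of bytes actually received. If no earlier check in `process_packet` does so, a packet that declares more payload than it carries produces a `caplen` larger than the buffer, and any parser that trusts `caplen` can read past the end. A clamp after the assignment would cover it, for example `if (dyn_header->caplen > avail_len) dyn_header->caplen = avail_len;`, where `avail_len` is a placeholder for whatever received-length value the function has. It is also not visible whether `ip_len` is already in host byte order when `IPV6_HDR_LENGTH` is added; a short comment stating that would help. `process_packet` begins and ends outside the hunk.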
