Adding upstream version 2.0.0+debian.

Signed-off-by: Daniel Baumann <daniel@debian.org>
Daniel Baumann 2025-02-08 11:57:11 +01:00
parent 65eb8bc08a
commit 1cf0d30d41
Signed by: daniel
GPG key ID: FBB4F0E80A80222F
191 changed files with 48816 additions and 0 deletions

42
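--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -0,0 +1,42 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in $(srcdir)/config.h.in
+CLEANFILES = dnscap.1 *.gcda *.gcno *.gcov
+SUBDIRS = test
+AM_CFLAGS = -I$(srcdir) \
+-I$(top_srcdir) \
+$(SECCOMPFLAGS) \
+$(PTHREAD_CFLAGS) \
+$(libcrypto_CFLAGS) \
+$(libldns_CFLAGS)
+EXTRA_DIST = dnscap.1.in
+bin_PROGRAMS = dnscap
+dnscap_SOURCES = args.c assert.c bpft.c daemon.c dnscap.c dump_cbor.c \
+dump_cds.c dump_dns.c dumper.c endpoint.c hashtbl.c iaddr.c log.c \
+network.c options.c pcaps.c sig.c tcpstate.c tcpreasm.c memzero.c \
+pcap-thread/pcap_thread.c pcap-thread/pcap_thread_ext_frag.c
+dist_dnscap_SOURCES = args.h bpft.h daemon.h dnscap_common.h dnscap.h \
+dump_cbor.h dump_cds.h dump_dns.h dumper.h endpoint.h hashtbl.h iaddr.h \
+log.h network.h options.h pcaps.h sig.h tcpstate.h tcpreasm.h memzero.h \
+endian_compat.h \
+pcap-thread/pcap_thread.h pcap-thread/pcap_thread_ext_frag.h
+dnscap_LDADD = $(PTHREAD_LIBS) $(libcrypto_LIBS) $(libldns_LIBS)
+man1_MANS = dnscap.1
+dnscap.1: dnscap.1.in Makefile
+sed -e 's,[@]PACKAGE_VERSION[@],$(PACKAGE_VERSION),g' \
+-e 's,[@]PACKAGE_URL[@],$(PACKAGE_URL),g' \
+-e 's,[@]PACKAGE_BUGREPORT[@],$(PACKAGE_BUGREPORT),g' \
+-e 's,[@]pkglibdir[@],$(pkglibdir),g' \
+< $(srcdir)/dnscap.1.in > dnscap.1
+if ENABLE_GCOV
+gcov-local:
+for src in $(dnscap_SOURCES); do \
+gcov -l -r -s "$(srcdir)" "$$src"; \
+done
+endif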

843
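--- a/src/args.c
+++ b/src/args.c
@@ -0,0 +1,843 @@
+/*
+* Copyright (c) 2016-2021, OARC, Inc.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. Neither the name of the copyright holder nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "config.h"
+#include "args.h"
+#include "endpoint.h"
+#include "iaddr.h"
+#include "log.h"
+#include "tcpstate.h"
+#include "network.h"
+#include <ldns/ldns.h>
+/*
+* OpenBSD and Debian Stretch i386 need file local functions for export
+* to loaded modules, so use this for all platforms.
+*/
+void* _tcpstate_getcurr(void)
+{
+return (void*)tcpstate_getcurr();
+}
+void _tcpstate_reset(void* tcpstate, const char* msg)
+{
+tcpstate_reset((tcpstate_ptr)tcpstate, msg);
+}
+const char* _ia_str(iaddr ia)
+{
+return ia_str(ia);
+}
+extern struct ip6_hdr* network_ipv6;
+extern struct ip* network_ip;
+extern struct udphdr* network_udp;
+void set_iaddr(iaddr* from, iaddr* to)
+{
+if (from) {
+switch (from->af) {
+case AF_INET:
+if (network_ip) {
+memcpy(&network_ip->ip_src, &from->u.a4, sizeof(struct in_addr));
+}
+break;
+case AF_INET6:
+if (network_ipv6) {
+memcpy(&network_ipv6->ip6_src, &from->u.a6, sizeof(struct in6_addr));
+}
+break;
+default:
+from = 0;
+break;
+}
+}
+if (to) {
+switch (to->af) {
+case AF_INET:
+if (network_ip) {
+memcpy(&network_ip->ip_dst, &to->u.a4, sizeof(struct in_addr));
+}
+break;
+case AF_INET6:
+if (network_ipv6) {
+memcpy(&network_ipv6->ip6_dst, &to->u.a6, sizeof(struct in6_addr));
+}
+break;
+default:
+to = 0;
+break;
+}
+}
+if (from || to) {
+if (network_ip) {
+network_ip->ip_sum = 0;
+network_ip->ip_sum = ~in_checksum((u_char*)network_ip, sizeof *network_ip);
+}
+if (network_udp) {
+network_udp->uh_sum = 0;
+}
+}
+}
+#ifdef __linux__
+extern char* strptime(const char*, const char*, struct tm*);
+#endif
+time_t xtimegm(struct tm* tmp)
+{
+#if defined(__SVR4) && defined(__sun)
+char tz[3] = "TZ=";
+putenv((char*)tz);
+return mktime(tmp);
+#else
+return timegm(tmp);
+#endif
+}
+void usage(const char* msg)
+{
+struct plugin* p;
+fprintf(stderr, "%s: usage error: %s\n", ProgramName, msg);
+fprintf(stderr, "\n");
+help_1();
+for (p = HEAD(plugins); p != NULL; p = NEXT(p, link))
+if (p->usage)
+(*p->usage)();
+fprintf(stderr,
+"\nnote: the -? or -\\? option will display full help text\n");
+exit(1);
+}
+void help_1(void)
+{
+fprintf(stderr, "%s: version %s\n\n", ProgramName, PACKAGE_VERSION);
+fprintf(stderr,
+"usage: %s\n"
+" [-?VbNpd1gfTI"
+#ifdef USE_SECCOMP
+"y"
+#endif
+"SMD] [-o option=value]+\n"
+" [-i <if>]+ [-r <file>]+ [-l <vlan>]+ [-L <vlan>]+\n"
+" [-u <port>] [-m [qun]] [-e [nytfsxir]] [-h [ir]] [-s [ir]]\n"
+" [-a <host>]+ [-z <host>]+ [-A <host>]+ [-Z <host>]+ [-Y <host>]+\n"
+" [-w <base> [-W <suffix>] [-k <cmd>] -F <format>]\n"
+" [-t <lim>] [-c <lim>] [-C <lim>]\n"
+" [-x <pat>]+ [-X <pat>]+\n"
+" [-B <datetime>] [-E <datetime>]\n"
+" [-U <str>] [-q <num|str>] [-Q <num|str>]\n"
+" [-P plugin.so <plugin options...>]\n",
+ProgramName);
+}
+void help_2(void)
+{
+help_1();
+fprintf(stderr,
+"\noptions:\n"
+" -? or -\\? print these instructions and exit\n"
+" -V print version and exit\n"
+" -o opt=val extended options, see man page for list of options\n"
+" -b run in background as daemon\n"
+" -N do not attempt to drop privileges, this is implicit\n"
+" if only reading offline pcap files\n"
+" -p do not put interface in promiscuous mode\n"
+" -d dump verbose trace information to stderr, specify multiple\n"
+" times to increase debugging\n"
+" -1 flush output on every packet\n"
+" -g dump packets dig-style on stderr\n"
+" -f include fragmented packets\n"
+" -T include TCP packets (DNS header filters will inspect only the\n"
+" first DNS header, and the result will apply to all messages\n"
+" in the TCP stream; DNS payload filters will not be applied.)\n"
+" -I include ICMP and ICMPv6 packets\n"
+" -i <if> select this live interface(s)\n"
+" -r <file> read this pcap file\n"
+" -l <vlan> select only these vlan(s) (4095 for all)\n"
+" -L <vlan> select these vlan(s) and non-VLAN frames (4095 for all)\n"
+" -u <port> dns port (default: 53)\n"
+" -m [qun] select messages: query, update, notify\n"
+" -e [nytfsxir] select error/response code\n"
+" n = no error\n"
+" y = any error\n"
+" t = truncated response\n"
+" f = format error (rcode 1)\n"
+" s = server failure (rcode 2)\n"
+" x = nxdomain (rcode 3)\n"
+" i = not implemented (rcode 4)\n"
+" r = refused (rcode 5)\n"
+" -h [ir] hide initiators and/or responders\n"
+" -s [ir] select sides: initiations, responses\n"
+" -a <host> want messages from these initiator(s)\n"
+" -z <host> want messages from these responder(s)\n"
+" -A <host> want messages NOT to/from these initiator(s)\n"
+" -Z <host> want messages NOT to/from these responder(s)\n"
+" -Y <host> drop responses from these responder(s)\n"
+" -w <base> dump to <base>.<timesec>.<timeusec>\n"
+" -W <suffix> add suffix to dump file name, e.g. '.pcap'\n"
+" -k <cmd> kick off <cmd> when each dump closes\n"
+" -F <format> dump format: pcap (default), cbor, cds\n"
+" -t <lim> close dump or exit every/after <lim> secs\n"
+" -c <lim> close dump or exit every/after <lim> pkts\n"
+" -C <lim> close dump or exit every/after <lim> bytes captured\n"
+" -x <pat> select messages matching regex <pat>\n"
+" -X <pat> select messages not matching regex <pat>\n"
+#ifdef USE_SECCOMP
+" -y enable seccomp-bpf\n"
+#endif
+" -S show summarized statistics\n"
+" -B <datetime> begin collecting at this date and time\n"
+" -E <datetime> end collecting at this date and time\n"
+" -M set monitor mode on interfaces\n"
+" -D set immediate mode on interfaces\n"
+" -U <str> append 'and <str>' to the pcap filter\n"
+" -q <num|str> select messages based on QTYPE\n"
+" -Q <num|str> filter out messages based on QTYPE\n"
+" -P <plugin.so> load plugin, any argument after this is sent to the plugin!\n");
+}
+void check_gzip()
+{
+char* dot = strrchr(dump_suffix, '.');
+if (dot) {
+wantgzip = (strcmp(dot, ".gz") == 0) ? TRUE : FALSE;
+}
+#if !(HAVE_GZOPEN && (HAVE_FUNOPEN || HAVE_FOPENCOOKIE))
+if (wantgzip) {
+fprintf(stderr, "error: gzip compression requested but not supported\n");
+exit(1);
+}
+#endif
+}
+int is_responder(iaddr ia)
+{
+if (EMPTY(responders))
+return 1;
+if (ep_present(&responders, ia))
+return 1;
+return 0;
+}
+void parse_args(int argc, char* argv[])
+{
+mypcap_ptr mypcap;
+unsigned long ul;
+vlan_ptr vlan;
+unsigned u;
+int ch;
+char * p, *match_qtype_arg = 0;
+if ((p = strrchr(argv[0], '/')) == NULL)
+ProgramName = argv[0];
+else
+ProgramName = p + 1;
+INIT_LIST(vlans_incl);
+INIT_LIST(vlans_excl);
+INIT_LIST(mypcaps);
+INIT_LIST(initiators);
+INIT_LIST(responders);
+INIT_LIST(not_initiators);
+INIT_LIST(not_responders);
+INIT_LIST(drop_responders);
+INIT_LIST(myregexes);
+INIT_LIST(plugins);
+while ((ch = getopt(argc, argv,
+"a:bc:de:fgh:i:k:l:m:o:pr:s:t:u:w:x:yz:q:"
+"A:B:C:DE:F:IL:MNP:STU:VW:X:Y:Z:Q:1?"))
+!= EOF) {
+switch (ch) {
+case 'o':
+if (option_parse(&options, optarg)) {
+fprintf(stderr, "%s: unknown or invalid extended -o option: %s\n", ProgramName, optarg);
+exit(1);
+}
+break;
+case 'b':
+background = TRUE;
+break;
+case 'N':
+dont_drop_privileges = TRUE;
+break;
+case 'p':
+promisc = FALSE;
+break;
+case 'd':
+dumptrace++;
+break;
+case '1':
+flush = TRUE;
+break;
+case 'g':
+preso = TRUE;
+break;
+case 'f':
+wantfrags = TRUE;
+break;
+case 'I':
+wanticmp = TRUE;
+break;
+case 'V':
+printf("%s version %s\n", ProgramName, PACKAGE_VERSION);
+exit(0);
+case 'i':
+if (pcap_offline != NULL)
+usage("-i makes no sense after -r");
+mypcap = calloc(1, sizeof *mypcap);
+assert(mypcap != NULL);
+INIT_LINK(mypcap, link);
+mypcap->name = strdup(optarg);
+assert(mypcap->name != NULL);
+APPEND(mypcaps, mypcap, link);
+break;
+case 'r':
+if (!EMPTY(mypcaps))
+usage("-r makes no sense after -i");
+pcap_offline = calloc(1, sizeof *pcap_offline);
+assert(pcap_offline != NULL);
+INIT_LINK(pcap_offline, link);
+pcap_offline->name = strdup(optarg);
+assert(pcap_offline->name != NULL);
+APPEND(mypcaps, pcap_offline, link);
+only_offline_pcaps = TRUE;
+break;
+case 'l':
+ul = strtoul(optarg, &p, 0);
+if (*p != '\0' || ul > MAX_VLAN)
+usage("-l vlan must be an integer 0..4095");
+vlan = calloc(1, sizeof *vlan);
+assert(vlan != NULL);
+INIT_LINK(vlan, link);
+vlan->vlan = (unsigned)ul;
+APPEND(vlans_excl, vlan, link);
+if (0 == ul)
+fprintf(stderr, "Warning: previous versions of %s "
+"interpreted 0 as all VLANs. "
+"If you want all VLANs now you must "
+"specify %u.\n",
+ProgramName, MAX_VLAN);
+break;
+case 'L':
+ul = strtoul(optarg, &p, 0);
+if (*p != '\0' || ul > MAX_VLAN)
+usage("-L vlan must be an integer 0..4095");
+vlan = calloc(1, sizeof *vlan);
+assert(vlan != NULL);
+INIT_LINK(vlan, link);
+vlan->vlan = (unsigned)ul;
+APPEND(vlans_incl, vlan, link);
+if (0 == ul)
+fprintf(stderr, "Warning: previous versions of %s "
+"interpreted 0 as all VLANs. "
+"If you want all VLANs now you must "
+"specify %u.\n",
+ProgramName, MAX_VLAN);
+break;
+case 'T':
+wanttcp = TRUE;
+break;
+case 'u':
+ul = strtoul(optarg, &p, 0);
+if (*p != '\0' || ul < 1U || ul > 65535U)
+usage("port must be an integer 1..65535");
+dns_port = (unsigned)ul;
+break;
+case 'm':
+u = 0;
+for (p = optarg; *p; p++)
+switch (*p) {
+case 'q':
+u |= MSG_QUERY;
+break;
+case 'u':
+u |= MSG_UPDATE;
+break;
+case 'n':
+u |= MSG_NOTIFY;
+break;
+default:
+usage("-m takes only [qun]");
+}
+msg_wanted = u;
+break;
+case 's':
+u = 0;
+for (p = optarg; *p; p++)
+switch (*p) {
+case 'i':
+u |= DIR_INITIATE;
+break;
+case 'r':
+u |= DIR_RESPONSE;
+break;
+default:
+usage("-s takes only [ir]");
+}
+dir_wanted = u;
+break;
+case 'h':
+u = 0;
+for (p = optarg; *p; p++)
+switch (*p) {
+case 'i':
+u |= END_INITIATOR;
+break;
+case 'r':
+u |= END_RESPONDER;
+break;
+default:
+usage("-h takes only [ir]");
+}
+end_hide = u;
+break;
+case 'e':
+u = 0;
+for (p = optarg; *p; p++)
+switch (*p) {
+case 'n':
+u |= ERR_NO;
+break;
+case 'y':
+u |= ERR_YES;
+break;
+case 't':
+u |= ERR_TRUNC;
+break;
+case 'f':
+u |= ERR_FORMERR;
+break;
+case 's':
+u |= ERR_SERVFAIL;
+break;
+case 'x':
+u |= ERR_NXDOMAIN;
+break;
+case 'i':
+u |= ERR_NOTIMPL;
+break;
+case 'r':
+u |= ERR_REFUSED;
+break;
+default:
+usage("-e takes only [nytfsxir]");
+}
+err_wanted = u;
+break;
+case 'a':
+endpoint_arg(&initiators, optarg);
+break;
+case 'z':
+endpoint_arg(&responders, optarg);
+break;
+case 'A':
+endpoint_arg(&not_initiators, optarg);
+break;
+case 'Z':
+endpoint_arg(&not_responders, optarg);
+break;
+case 'Y':
+endpoint_arg(&drop_responders, optarg);
+break;
+case 'w':
+dump_base = optarg;
+if (strcmp(optarg, "-") == 0)
+dump_type = to_stdout;
+else
+dump_type = to_file;
+break;
+case 'W':
+if (dump_suffix)
+free(dump_suffix);
+dump_suffix = strdup(optarg);
+check_gzip();
+break;
+case 'k':
+if (dump_type != to_file)
+usage("-k depends on -w"
+" (note: can't be stdout)");
+kick_cmd = optarg;
+break;
+case 'F':
+if (!strcmp(optarg, "pcap")) {
+options.dump_format = pcap;
+} else if (!strcmp(optarg, "cbor")) {
+options.dump_format = cbor;
+} else if (!strcmp(optarg, "cds")) {
+options.dump_format = cds;
+} else {
+usage("invalid output format for -F");
+}
+break;
+case 't':
+ul = strtoul(optarg, &p, 0);
+if (*p != '\0')
+usage("argument to -t must be an integer");
+limit_seconds = (unsigned)ul;
+break;
+case 'c':
+ul = strtoul(optarg, &p, 0);
+if (*p != '\0')
+usage("argument to -c must be an integer");
+limit_packets = (unsigned)ul;
+break;
+case 'C':
+ul = strtoul(optarg, &p, 0);
+if (*p != '\0')
+usage("argument to -C must be an integer");
+limit_pcapfilesize = (unsigned)ul;
+break;
+case 'x':
+/* FALLTHROUGH */
+case 'X': {
+int i;
+myregex_ptr myregex = calloc(1, sizeof *myregex);
+assert(myregex != NULL);
+INIT_LINK(myregex, link);
+myregex->str = strdup(optarg);
+i = regcomp(&myregex->reg, myregex->str, REGEX_CFLAGS);
+if (i != 0) {
+regerror(i, &myregex->reg,
+errbuf, sizeof errbuf);
+usage(errbuf);
+}
+myregex->not = (ch == 'X');
+APPEND(myregexes, myregex, link);
+} break;
+case 'B': {
+struct tm tm;
+memset(&tm, '\0', sizeof(tm));
+if (NULL == strptime(optarg, "%F %T", &tm))
+usage("-B arg must have format YYYY-MM-DD HH:MM:SS");
+start_time = xtimegm(&tm);
+} break;
+case 'E': {
+struct tm tm;
+memset(&tm, '\0', sizeof(tm));
+if (NULL == strptime(optarg, "%F %T", &tm))
+usage("-E arg must have format YYYY-MM-DD HH:MM:SS");
+stop_time = xtimegm(&tm);
+} break;
+case 'S':
+print_pcap_stats = TRUE;
+break;
+case 'P': {
+char* fn = strdup(optarg);
+char* t;
+char sn[256];
+struct plugin* p = calloc(1, sizeof(*p));
+assert(p != NULL);
+INIT_LINK(p, link);
+t = strrchr(fn, '/');
+p->name = strdup(t ? t + 1 : fn);
+if ((t = strstr(p->name, ".so")))
+*t = 0;
+p->handle = dlopen(fn, RTLD_NOW);
+if (!p->handle) {
+logerr("%s: %s", fn, dlerror());
+exit(1);
+}
+snprintf(sn, sizeof(sn), "%s_type", p->name);
+p->type = dlsym(p->handle, sn);
+if (p->type) {
+p->pt = (*p->type)();
+switch (p->pt) {
+case plugin_output:
+case plugin_filter:
+break;
+default:
+logerr("invalid plugin type for plugin '%s'", p->name);
+exit(1);
+}
+} else {
+p->pt = plugin_output;
+}
+snprintf(sn, sizeof(sn), "%s_start", p->name);
+p->start = dlsym(p->handle, sn);
+snprintf(sn, sizeof(sn), "%s_stop", p->name);
+p->stop = dlsym(p->handle, sn);
+snprintf(sn, sizeof(sn), "%s_open", p->name);
+p->open = dlsym(p->handle, sn);
+snprintf(sn, sizeof(sn), "%s_close", p->name);
+p->close = dlsym(p->handle, sn);
+snprintf(sn, sizeof(sn), "%s_output", p->name);
+p->output = dlsym(p->handle, sn);
+if (p->pt == plugin_output && !p->output) {
+logerr("%s", dlerror());
+exit(1);
+}
+snprintf(sn, sizeof(sn), "%s_filter", p->name);
+p->filter = dlsym(p->handle, sn);
+if (p->pt == plugin_filter && !p->filter) {
+logerr("%s", dlerror());
+exit(1);
+}
+snprintf(sn, sizeof(sn), "%s_usage", p->name);
+p->usage = dlsym(p->handle, sn);
+snprintf(sn, sizeof(sn), "%s_extension", p->name);
+p->extension = dlsym(p->handle, sn);
+if (p->extension) {
+(*p->extension)(DNSCAP_EXT_IS_RESPONDER, (void*)is_responder);
+(*p->extension)(DNSCAP_EXT_IA_STR, (void*)_ia_str);
+(*p->extension)(DNSCAP_EXT_TCPSTATE_GETCURR, (void*)_tcpstate_getcurr);
+(*p->extension)(DNSCAP_EXT_TCPSTATE_RESET, (void*)_tcpstate_reset);
+(*p->extension)(DNSCAP_EXT_SET_IADDR, (void*)set_iaddr);
+}
+snprintf(sn, sizeof(sn), "%s_getopt", p->name);
+p->getopt = dlsym(p->handle, sn);
+if (p->getopt)
+(*p->getopt)(&argc, &argv);
+APPEND(plugins, p, link);
+if (dumptrace)
+fprintf(stderr, "Plugin '%s' loaded\n", p->name);
+free(fn);
+} break;
+case 'U':
+if (extra_bpf)
+free(extra_bpf);
+extra_bpf = strdup(optarg);
+break;
+case 'y':
+#ifdef USE_SECCOMP
+use_seccomp = TRUE;
+break;
+#else
+usage("-y: seccomp-bpf not enabled");
+#endif
+case 'M':
+monitor_mode = TRUE;
+break;
+case 'D':
+immediate_mode = TRUE;
+break;
+case 'q': {
+if (nmatch_qtype) {
+usage("-q and -Q can't be used together");
+}
+free(match_qtype_arg); // fix clang scan-build
+match_qtype_arg = strdup(optarg);
+match_qtype = ldns_get_rr_type_by_name(optarg);
+if (!match_qtype) {
+ul = strtoul(optarg, &p, 0);
+if (*p != '\0' || ul < 1U || ul > 65535U)
+usage("-q QTYPE must be a valid type or an integer 1..65535");
+match_qtype = (ldns_rr_type)ul;
+}
+break;
+}
+case 'Q': {
+if (match_qtype) {
+usage("-q and -Q can't be used together");
+}
+free(match_qtype_arg); // fix clang scan-build
+match_qtype_arg = strdup(optarg);
+nmatch_qtype = ldns_get_rr_type_by_name(optarg);
+if (!nmatch_qtype) {
+ul = strtoul(optarg, &p, 0);
+if (*p != '\0' || ul < 1U || ul > 65535U)
+usage("-Q QTYPE must be a valid type or an integer 1..65535");
+nmatch_qtype = (ldns_rr_type)ul;
+}
+break;
+}
+case '?':
+if (!optopt || optopt == '?') {
+help_2();
+options_free(&options);
+exit(0);
+}
+// fallthrough
+default:
+usage("unrecognized command line option");
+}
+}
+assert(msg_wanted != 0U);
+assert(err_wanted != 0U);
+if (dump_type != nowhere && options.use_layers)
+usage("use_layers is only compatible with -g so far");
+if (dump_type == nowhere && !preso && EMPTY(plugins))
+usage("without -w or -g, there would be no output");
+if (end_hide != 0U && wantfrags)
+usage("the -h and -f options are incompatible");
+if (!EMPTY(vlans_incl) && !EMPTY(vlans_excl))
+usage("the -L and -l options are mutually exclusive");
+if (background && (dumptrace || preso))
+usage("the -b option is incompatible with -d and -g");
+if (dumptrace >= 1) {
+endpoint_ptr ep;
+const char* sep;
+myregex_ptr mr;
+fprintf(stderr, "%s: version %s\n", ProgramName, PACKAGE_VERSION);
+fprintf(stderr,
+"%s: msg %c%c%c, side %c%c, hide %c%c, err %c%c%c%c%c%c%c%c, t %u, c %u, C %zu, %sq %s\n",
+ProgramName,
+(msg_wanted & MSG_QUERY) != 0 ? 'Q' : '.',
+(msg_wanted & MSG_UPDATE) != 0 ? 'U' : '.',
+(msg_wanted & MSG_NOTIFY) != 0 ? 'N' : '.',
+(dir_wanted & DIR_INITIATE) != 0 ? 'I' : '.',
+(dir_wanted & DIR_RESPONSE) != 0 ? 'R' : '.',
+(end_hide & END_INITIATOR) != 0 ? 'I' : '.',
+(end_hide & END_RESPONDER) != 0 ? 'R' : '.',
+(err_wanted & ERR_NO) != 0 ? 'N' : '.',
+(err_wanted & ERR_YES) == ERR_YES ? 'Y' : '.',
+(err_wanted & ERR_TRUNC) != 0 ? 't' : '.',
+(err_wanted & ERR_FORMERR) != 0 ? 'f' : '.',
+(err_wanted & ERR_SERVFAIL) != 0 ? 's' : '.',
+(err_wanted & ERR_NXDOMAIN) != 0 ? 'x' : '.',
+(err_wanted & ERR_NOTIMPL) != 0 ? 'i' : '.',
+(err_wanted & ERR_REFUSED) != 0 ? 'r' : '.',
+limit_seconds, limit_packets, limit_pcapfilesize,
+nmatch_qtype ? "!" : "", match_qtype_arg);
+sep = "\tinit";
+for (ep = HEAD(initiators);
+ep != NULL;
+ep = NEXT(ep, link)) {
+fprintf(stderr, "%s %s", sep, ia_str(ep->ia));
+sep = "";
+}
+if (!EMPTY(initiators))
+fprintf(stderr, "\n");
+sep = "\tresp";
+for (ep = HEAD(responders);
+ep != NULL;
+ep = NEXT(ep, link)) {
+fprintf(stderr, "%s %s", sep, ia_str(ep->ia));
+sep = "";
+}
+if (!EMPTY(responders))
+fprintf(stderr, "\n");
+sep = "\t!init";
+for (ep = HEAD(not_initiators);
+ep != NULL;
+ep = NEXT(ep, link)) {
+fprintf(stderr, "%s %s", sep, ia_str(ep->ia));
+sep = "";
+}
+if (!EMPTY(not_initiators))
+fprintf(stderr, "\n");
+sep = "\t!resp";
+for (ep = HEAD(not_responders);
+ep != NULL;
+ep = NEXT(ep, link)) {
+fprintf(stderr, "%s %s", sep, ia_str(ep->ia));
+sep = "";
+}
+if (!EMPTY(not_responders))
+fprintf(stderr, "\n");
+sep = "\t!dropresp";
+for (ep = HEAD(drop_responders);
+ep != NULL;
+ep = NEXT(ep, link)) {
+fprintf(stderr, "%s %s", sep, ia_str(ep->ia));
+sep = "";
+}
+if (!EMPTY(drop_responders))
+fprintf(stderr, "\n");
+if (!EMPTY(myregexes)) {
+fprintf(stderr, "%s: pat:", ProgramName);
+for (mr = HEAD(myregexes);
+mr != NULL;
+mr = NEXT(mr, link))
+fprintf(stderr, " %s/%s/",
+mr->not ? "!" : "", mr->str);
+fprintf(stderr, "\n");
+}
+}
+if (EMPTY(mypcaps)) {
+pcap_if_t* pcapdev = 0;
+int res;
+res = pcap_findalldevs(&pcapdev, errbuf);
+if (res == -1) {
+fprintf(stderr, "%s: pcap_findalldevs: %s\n",
+ProgramName, errbuf);
+exit(1);
+} else if (pcapdev == NULL) {
+fprintf(stderr, "%s: pcap_findalldevs: no devices found\n",
+ProgramName);
+exit(1);
+}
+mypcap = calloc(1, sizeof *mypcap);
+assert(mypcap != NULL);
+INIT_LINK(mypcap, link);
+mypcap->name = strdup(pcapdev->name);
+APPEND(mypcaps, mypcap, link);
+pcap_freealldevs(pcapdev);
+}
+if (start_time && stop_time && start_time >= stop_time)
+usage("start time must be before stop time");
+if (options.dump_format == cbor) {
+if (!have_cbor_support()) {
+usage("no built in cbor support");
+}
+cbor_set_size(options.cbor_chunk_size);
+} else if (options.dump_format == cds) {
+if (!have_cds_support()) {
+usage("no built in cds support");
+}
+cds_set_cbor_size(options.cds_cbor_size);
+cds_set_message_size(options.cds_message_size);
+cds_set_max_rlabels(options.cds_max_rlabels);
+cds_set_min_rlabel_size(options.cds_min_rlabel_size);
+if (options.cds_use_rdata_index && options.cds_use_rdata_rindex) {
+usage("can't use both CDS rdata index and rindex");
+}
+cds_set_use_rdata_index(options.cds_use_rdata_index);
+cds_set_use_rdata_rindex(options.cds_use_rdata_rindex);
+cds_set_rdata_index_min_size(options.cds_rdata_index_min_size);
+cds_set_rdata_rindex_min_size(options.cds_rdata_rindex_min_size);
+cds_set_rdata_rindex_size(options.cds_rdata_rindex_size);
+}
+if (!options.use_layers && (options.defrag_ipv4 || options.defrag_ipv6)) {
+usage("can't defragment IP packets without use_layers=yes");
+}
+if (options.reassemble_tcp_bfbparsedns) {
+if (!options.reassemble_tcp) {
+usage("can't do byte for byte parsing of DNS without reassemble_tcp=yes");
+}
+}
+free(match_qtype_arg);
+}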
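Review bot: In `case 'P'` of parse_args the two `strdup` results (`fn` and `p->name`) are passed to `strrchr` and `strstr` without a NULL check, although every `calloc` in this function and the `strdup` calls in the `-i`/`-r` cases are followed by an `assert`. Adding `assert(fn != NULL);` after the first and `assert(p->name != NULL);` after the second would close that gap. The same pattern appears for `myregex->str` in `case 'X'` (handed straight to `regcomp`) and for `dump_suffix` in `case 'W'` (check_gzip calls `strrchr` on it). Separately, `dlopen` and the plugin's `_extension`/`_getopt` hooks run inside option parsing; privilege dropping is not visible in this file, so presumably plugin code executes with the privileges the process was started with. A comment on this case stating that `-P` paths must be trusted, operator-controlled files would document that.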

48
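--- a/src/args.h
+++ b/src/args.h
@@ -0,0 +1,48 @@
+/*
+* Copyright (c) 2016-2021, OARC, Inc.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. Neither the name of the copyright holder nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "dnscap.h"
+#ifndef __dnscap_args_h
+#define __dnscap_args_h
+time_t xtimegm(struct tm* tmp);
+void usage(const char* msg);
+void help_1(void);
+void help_2(void);
+void check_gzip();
+int is_responder(iaddr ia);
+void parse_args(int argc, char* argv[]);
+#endif /* __dnscap_args_h */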

54
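--- a/src/assert.c
+++ b/src/assert.c
@@ -0,0 +1,54 @@
+/*
+* Copyright (c) 2016-2021, OARC, Inc.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. Neither the name of the copyright holder nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "config.h"
+#include "dnscap.h"
+#if !HAVE___ASSERTION_FAILED
+static void my_assertion_failed(const char* file, int line, assertion_type type, const char* msg, int something) __attribute__((noreturn));
+#endif
+#if !HAVE___ASSERTION_FAILED
+static void
+my_assertion_failed(const char* file, int line, assertion_type type, const char* msg, int something)
+{
+(void)type;
+(void)something;
+fprintf(stderr, "assertion failed: %s(%d): %s\n", file, line, msg);
+abort();
+}
+assertion_failure_callback __assertion_failed = my_assertion_failed;
+#endif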

233
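--- a/src/bpft.c
+++ b/src/bpft.c
@@ -0,0 +1,233 @@
+/*
+* Copyright (c) 2016-2021, OARC, Inc.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. Neither the name of the copyright holder nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "config.h"
+#include "bpft.h"
+#include "iaddr.h"
+#include <ldns/ldns.h>
+void prepare_bpft(void)
+{
+unsigned udp10_mbs, udp10_mbc, udp11_mbc; //udp11_mbs
+text_list bpfl;
+text_ptr text;
+size_t len;
+char* p;
+/* Prepare the must-be-set and must-be-clear tests. */
+udp10_mbs = udp10_mbc = udp11_mbc = 0U; // udp11_mbs
+if ((dir_wanted & DIR_INITIATE) != 0) {
+if ((dir_wanted & DIR_RESPONSE) == 0)
+udp10_mbc |= UDP10_QR_MASK;
+} else if ((dir_wanted & DIR_RESPONSE) != 0) {
+udp10_mbs |= UDP10_QR_MASK;
+}
+if ((msg_wanted & MSG_UPDATE) != 0) {
+if ((msg_wanted & (MSG_QUERY | MSG_NOTIFY)) == 0)
+udp10_mbs |= (LDNS_PACKET_UPDATE << UDP10_OP_SHIFT);
+} else if ((msg_wanted & MSG_NOTIFY) != 0) {
+if ((msg_wanted & (MSG_QUERY | MSG_UPDATE)) == 0)
+udp10_mbs |= (LDNS_PACKET_NOTIFY << UDP10_OP_SHIFT);
+} else if ((msg_wanted & MSG_QUERY) != 0) {
+udp10_mbc |= UDP10_OP_MASK;
+}
+if (err_wanted == ERR_NO) {
+udp10_mbc |= UDP10_TC_MASK;
+udp11_mbc |= UDP11_RC_MASK;
+}
+/*
+* Model
+* (vlan) and (transport)
+* (vlan) and ((icmp) or (frags) or (dns))
+* (vlan) and ((icmp) or (frags) or ((ports) and (hosts)))
+* (vlan) and ((icmp) or (frags) or (((tcp) or (udp)) and (hosts)))
+* [(vlan) and] ( [(icmp) or] [(frags) or] ( ( [(tcp) or] (udp) ) [and (hosts)] ) )
+*/
+/* Make a BPF program to do early course kernel-level filtering. */
+INIT_LIST(bpfl);
+len = 0;
+if (!EMPTY(vlans_excl))
+len += text_add(&bpfl, "vlan and ("); /* vlan and ( transports ... */
+else
+len += text_add(&bpfl, "("); /* ( transports ... */
+if (wanticmp) {
+len += text_add(&bpfl, " ( ip proto 1 or ip proto 58 ) or");
+}
+if (wantfrags) {
+len += text_add(&bpfl, " ( ip[6:2] & 0x1fff != 0 or ip6[6] = 44 ) or");
+}
+len += text_add(&bpfl, " ("); /* ( dns ... */
+len += text_add(&bpfl, " ("); /* ( ports ... */
+if (wanttcp) {
+len += text_add(&bpfl, " ( tcp port %d ) or", dns_port);
+/* tcp packets can be filtered by initiators/responders, but
+* not mbs/mbc. */
+}
+len += text_add(&bpfl, " ( udp port %d and ( ip6 or ( ip", dns_port);
+if (udp10_mbc != 0)
+len += text_add(&bpfl, " and udp[10] & 0x%x = 0",
+udp10_mbc);
+if (udp10_mbs != 0)
+len += text_add(&bpfl, " and udp[10] & 0x%x = 0x%x",
+udp10_mbs, udp10_mbs);
+if (udp11_mbc != 0)
+len += text_add(&bpfl, " and udp[11] & 0x%x = 0",
+udp11_mbc);
+/* Dead code, udp11_mbs never set
+if (udp11_mbs != 0)
+len += text_add(&bpfl, " and udp[11] & 0x%x = 0x%x",
+udp11_mbs, udp11_mbs);
+*/
+if (err_wanted != ERR_NO) {
+len += text_add(&bpfl, " and (");
+if ((err_wanted & ERR_TRUNC) != 0) {
+len += text_add(&bpfl, " udp[10] & 0x%x = 0x%x or", UDP10_TC_MASK, UDP10_TC_MASK);
+}
+len += text_add(&bpfl, " 0x%x << (udp[11] & 0xf) & 0x%x != 0 )", ERR_RCODE_BASE, err_wanted);
+}
+len += text_add(&bpfl, " )))"); /* ... udp 53 ) */
+len += text_add(&bpfl, " )"); /* ... ports ) */
+if (options.bpf_hosts_apply_all) {
+len += text_add(&bpfl, " )"); /* ... dns ) */
+len += text_add(&bpfl, " )"); /* ... transport ) */
+}
+if (!EMPTY(initiators) || !EMPTY(responders)) {
+const char* or = "or", *lp = "(", *sep;
+endpoint_ptr ep;
+len += text_add(&bpfl, " and host");
+sep = lp;
+for (ep = HEAD(initiators);
+ep != NULL;
+ep = NEXT(ep, link)) {
+len += text_add(&bpfl, " %s %s", sep, ia_str(ep->ia));
+sep = or ;
+}
+for (ep = HEAD(responders);
+ep != NULL;
+ep = NEXT(ep, link)) {
+len += text_add(&bpfl, " %s %s", sep, ia_str(ep->ia));
+sep = or ;
+}
+len += text_add(&bpfl, " )");
+}
+if (!EMPTY(not_initiators) || !EMPTY(not_responders)) {
+const char* or = "or", *lp = "(", *sep;
+endpoint_ptr ep;
+len += text_add(&bpfl, " and not host");
+sep = lp;
+for (ep = HEAD(not_initiators);
+ep != NULL;
+ep = NEXT(ep, link)) {
+len += text_add(&bpfl, " %s %s", sep, ia_str(ep->ia));
+sep = or ;
+}
+for (ep = HEAD(not_responders);
+ep != NULL;
+ep = NEXT(ep, link)) {
+len += text_add(&bpfl, " %s %s", sep, ia_str(ep->ia));
+sep = or ;
+}
+len += text_add(&bpfl, " )");
+}
+if (!options.bpf_hosts_apply_all) {
+len += text_add(&bpfl, " )"); /* ... dns ) */
+len += text_add(&bpfl, " )"); /* ... transport ) */
+}
+if (extra_bpf)
+len += text_add(&bpfl, " and ( %s )", extra_bpf);
+bpft = calloc(len + 1, sizeof(char));
+assert(bpft != NULL);
+p = bpft;
+for (text = HEAD(bpfl); text != NULL; text = NEXT(text, link)) {
+memcpy(p, text->text, text->len);
+p += text->len;
+}
+text_free(&bpfl);
+if (!EMPTY(vlans_incl)) {
+char* bpft_vlan;
+len = (2 * len) + 64; /* add enough for the extra in snprintf() below */
+bpft_vlan = calloc(len, sizeof(char));
+assert(bpft_vlan != NULL);
+snprintf(bpft_vlan, len, "( %s ) or ( vlan and ( %s ) )", bpft, bpft);
+free(bpft);
+bpft = bpft_vlan;
+}
+if (dumptrace >= 1)
+fprintf(stderr, "%s: \"%s\"\n", ProgramName, bpft);
+}
+size_t text_add(text_list* list, const char* fmt, ...)
+{
+text_ptr text;
+va_list ap;
+int len;
+text = calloc(1, sizeof *text);
+assert(text != NULL);
+INIT_LINK(text, link);
+va_start(ap, fmt);
+len = vasprintf(&text->text, fmt, ap);
+assert(len >= 0);
+va_end(ap);
+text->len = len;
+APPEND(*list, text, link);
+return (text->len);
+}
+void text_free(text_list* list)
+{
+text_ptr at, text;
+for (at = HEAD(*list); at;) {
+text = at;
+at = NEXT(text, link);
+UNLINK(*list, text, link);
+free(text->text);
+assert(text != (void*)-1);
+free(text);
+}
+}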

45
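--- a/src/bpft.h
+++ b/src/bpft.h
@@ -0,0 +1,45 @@
+/*
+* Copyright (c) 2016-2021, OARC, Inc.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. Neither the name of the copyright holder nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "dnscap.h"
+#ifndef __dnscap_bpft_h
+#define __dnscap_bpft_h
+void prepare_bpft(void);
+size_t text_add(text_list* list, const char* fmt, ...);
+void text_free(text_list* list);
+#endif /* __dnscap_bpft_h */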
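Review bot: `text_add()` is declared as a printf-style variadic function without a format attribute, so the compiler cannot check arguments at its call sites; bpft.c already passes the `unsigned` `dns_port` for `%d` in `" ( tcp port %d ) or"`. I would annotate the prototype, e.g. `size_t text_add(text_list* list, const char* fmt, ...) __attribute__((format(printf, 2, 3)));`, guarded for compilers that lack the attribute if the project supports any. A short comment saying that the return value is the length of the appended fragment, and that `text_free()` releases every node together with its string, would document the ownership rules for callers.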

250
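--- a/src/daemon.c
+++ b/src/daemon.c
@@ -0,0 +1,250 @@
+/*
+* Copyright (c) 2016-2021, OARC, Inc.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. Neither the name of the copyright holder nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "config.h"
+#include "daemon.h"
+#include "log.h"
+#include "memzero.h"
+void drop_privileges(void)
+{
+struct rlimit rss;
+struct passwd pwd;
+struct passwd* result = 0;
+size_t pwdBufSize;
+char* pwdBuf;
+unsigned int s;
+uid_t oldUID = getuid();
+uid_t oldGID = getgid();
+uid_t dropUID;
+gid_t dropGID;
+const char* user;
+struct group* grp = 0;
+/*
+* Security: getting UID and GUID for nobody
+*/
+pwdBufSize = sysconf(_SC_GETPW_R_SIZE_MAX);
+if (pwdBufSize == -1)
+pwdBufSize = 16384;
+pwdBuf = calloc(pwdBufSize, sizeof(char));
+if (pwdBuf == NULL) {
+fprintf(stderr, "unable to allocate buffer for pwdBuf\n");
+exit(1);
+}
+user = options.user ? options.user : DROPTOUSER;
+if (options.group) {
+if (!(grp = getgrnam(options.group))) {
+if (errno) {
+fprintf(stderr, "Unable to get group %s: %s\n", options.group, strerror(errno));
+} else {
+fprintf(stderr, "Group %s not found, existing.\n", options.group);
+}
+exit(1);
+}
+}
+s = getpwnam_r(user, &pwd, pwdBuf, pwdBufSize, &result);
+if (result == NULL) {
+if (s == 0) {
+fprintf(stderr, "User %s not found, exiting.\n", user);
+exit(1);
+} else {
+fprintf(stderr, "issue with getpwnnam_r call, exiting.\n");
+exit(1);
+}
+}
+dropUID = pwd.pw_uid;
+dropGID = grp ? grp->gr_gid : pwd.pw_gid;
+dnscap_memzero(pwdBuf, pwdBufSize);
+free(pwdBuf);
+/*
+* Security section: setting memory limit and dropping privileges to nobody
+*/
+getrlimit(RLIMIT_DATA, &rss);
+if (mem_limit_set) {
+rss.rlim_cur = mem_limit;
+rss.rlim_max = mem_limit;
+if (setrlimit(RLIMIT_DATA, &rss) == -1) {
+fprintf(stderr, "Unable to set the memory limit, exiting\n");
+exit(1);
+}
+}
+#if HAVE_SETRESGID
+if (setresgid(dropGID, dropGID, dropGID) < 0) {
+fprintf(stderr, "Unable to drop GID to %s: %s\n", options.group ? options.group : user, strerror(errno));
+exit(1);
+}
+#elif HAVE_SETREGID
+if (setregid(dropGID, dropGID) < 0) {
+fprintf(stderr, "Unable to drop GID to %s: %s\n", options.group ? options.group : user, strerror(errno));
+exit(1);
+}
+#elif HAVE_SETEGID
+if (setegid(dropGID) < 0) {
+fprintf(stderr, "Unable to drop GID to %s: %s\n", options.group ? options.group : user, strerror(errno));
+exit(1);
+}
+#endif
+#if HAVE_INITGROUPS
+if (initgroups(pwd.pw_name, dropGID) < 0) {
+fprintf(stderr, "Unable to init supplemental groups for %s: %s\n", user, strerror(errno));
+exit(1);
+}
+#elif HAVE_SETGROUPS
+if (setgroups(0, NULL) < 0) {
+fprintf(stderr, "Unable to drop supplemental groups: %s\n", strerror(errno));
+exit(1);
+}
+#endif
+#if HAVE_SETRESUID
+if (setresuid(dropUID, dropUID, dropUID) < 0) {
+fprintf(stderr, "Unable to drop UID to %s: %s\n", user, strerror(errno));
+exit(1);
+}
+#elif HAVE_SETREUID
+if (setreuid(dropUID, dropUID) < 0) {
+fprintf(stderr, "Unable to drop UID to %s: %s\n", user, strerror(errno));
+exit(1);
+}
+#elif HAVE_SETEUID
+if (seteuid(dropUID) < 0) {
+fprintf(stderr, "Unable to drop UID to %s: %s\n", user, strerror(errno));
+exit(1);
+}
+#endif
+/*
+* Testing if privileges are dropped
+*/
+if (oldGID != getgid() && (setgid(oldGID) == 1 && setegid(oldGID) != 1)) {
+fprintf(stderr, "Able to restore back to root, exiting.\n");
+fprintf(stderr, "currentUID:%u currentGID:%u\n", getuid(), getgid());
+exit(1);
+}
+if ((oldUID != getuid() && getuid() == 0) && (setuid(oldUID) != 1 && seteuid(oldUID) != 1)) {
+fprintf(stderr, "Able to restore back to root, exiting.\n");
+fprintf(stderr, "currentUID:%u currentGID:%u\n", getgid(), getgid());
+exit(1);
+}
+#ifdef USE_SECCOMP
+if (use_seccomp == FALSE) {
+return;
+}
+#if 0
+/*
+* Setting SCMP_ACT_TRAP means the process will get
+* a SIGSYS signal when a bad syscall is executed
+* This is for debugging and should be monitored.
+*/
+scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);
+#endif
+/*
+* SCMP_ACT_KILL tells the kernel to kill the process
+* when a syscall we did not filter on is called.
+* This should be uncommented in production.
+*/
+scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL);
+if (ctx == NULL) {
+fprintf(stderr, "Unable to create seccomp-bpf context\n");
+exit(1);
+}
+int r = 0;
+r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 0);
+r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(uname), 0);
+r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(mmap), 0);
+r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(munmap), 0);
+r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
+r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
+r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
+r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0);
+r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0);
+r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(lseek), 0);
+r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(select), 0);
+r |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(stat), 0);
+if (r != 0) {
+fprintf(stderr, "Unable to apply seccomp-bpf filter\n");
+seccomp_release(ctx);
+exit(1);
+}
+r = seccomp_load(ctx);
+if (r < 0) {
+seccomp_release(ctx);
+fprintf(stderr, "Unable to load seccomp-bpf filter\n");
+exit(1);
+}
+#endif
+}
+void daemonize(void)
+{
+pid_t pid;
+#ifdef TIOCNOTTY
+int i;
+#endif
+if ((pid = fork()) < 0) {
+logerr("fork failed: %s", strerror(errno));
+exit(1);
+} else if (pid > 0)
+exit(0);
+openlog("dnscap", 0, LOG_DAEMON);
+if (setsid() < 0) {
+logerr("setsid failed: %s", strerror(errno));
+exit(1);
+}
+#ifdef TIOCNOTTY
+if ((i = open("/dev/tty", O_RDWR)) >= 0) {
+ioctl(i, TIOCNOTTY, NULL);
+close(i);
+}
+#endif
+logerr("Backgrounded as pid %u", getpid());
+}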
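Review bot: In `drop_privileges()`, `initgroups(pwd.pw_name, dropGID)` runs after `dnscap_memzero(pwdBuf, pwdBufSize); free(pwdBuf);`, and `getpwnam_r()` stores `pw_name` inside that buffer, so the supplementary-group setup reads freed memory; pass the looked-up name instead, `initgroups(user, dropGID)`, or release the buffer after this call. The "Testing if privileges are dropped" block also cannot fire as written: `setgid()` and `setuid()` return 0 or -1, never 1, so `setgid(oldGID) == 1` is always false, the UID branch only attempts a restore while `getuid() == 0`, and its message prints `getgid()` as `currentUID`. I would replace it with a check that tries to regain the old ids and exits when that succeeds, as sketched below. Note that the `setegid`/`seteuid` fallbacks change only the effective id, so on platforms that take those branches the saved id still allows switching back and the stricter check would, correctly, refuse to continue.

```c
/* … unchanged: lookup, rlimit, setres[ug]id / initgroups calls … */
    /*
     * Verify the drop: regaining the previous ids must fail.
     */
    if (oldGID != dropGID && (setgid(oldGID) == 0 || setegid(oldGID) == 0)) {
        fprintf(stderr, "Able to restore previous GID, exiting.\n");
        fprintf(stderr, "currentUID:%u currentGID:%u\n", getuid(), getgid());
        exit(1);
    }
    if (oldUID != dropUID && (setuid(oldUID) == 0 || seteuid(oldUID) == 0)) {
        fprintf(stderr, "Able to restore previous UID, exiting.\n");
        fprintf(stderr, "currentUID:%u currentGID:%u\n", getuid(), getgid());
        exit(1);
    }
/* … unchanged: seccomp setup … */
```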

43
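--- a/src/daemon.h
+++ b/src/daemon.h
@@ -0,0 +1,43 @@
+/*
+* Copyright (c) 2016-2021, OARC, Inc.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. Neither the name of the copyright holder nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "dnscap.h"
+#ifndef __dnscap_daemon_h
+#define __dnscap_daemon_h
+void drop_privileges(void);
+void daemonize(void);
+#endif /* __dnscap_daemon_h */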

1011
src/dnscap.1.in Normal file

File diff suppressed because it is too large Load diff

249
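--- a/src/dnscap.c
+++ b/src/dnscap.c
@@ -0,0 +1,249 @@
+/* dnscap - DNS capture utility
+*
+* By Paul Vixie (ISC) and Duane Wessels (Measurement Factory), 2007.
+*/
+/*
+* Copyright (c) 2016-2021, OARC, Inc.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. Neither the name of the copyright holder nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "config.h"
+#include "dnscap.h"
+#include "args.h"
+#include "bpft.h"
+#include "pcaps.h"
+#include "dumper.h"
+#include "daemon.h"
+#include "log.h"
+#include "sig.h"
+#if defined(HAVE_LIBCRYPTO) && defined(HAVE_OPENSSL_CONF_H) && defined(HAVE_OPENSSL_ERR_H) && defined(HAVE_OPENSSL_EVP_H)
+#include <openssl/conf.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#define INIT_OPENSSL 1
+#endif
+plugin_list plugins;
+const char* ProgramName = "amnesia";
+int dumptrace = 0;
+int flush = FALSE;
+vlan_list vlans_excl;
+vlan_list vlans_incl;
+unsigned msg_wanted = MSG_QUERY;
+unsigned dir_wanted = DIR_INITIATE | DIR_RESPONSE;
+unsigned end_hide = 0U;
+unsigned err_wanted = ERR_NO | ERR_YES; /* accept all by default */
+tcpstate_list tcpstates;
+int tcpstate_count = 0;
+endpoint_list initiators, not_initiators;
+endpoint_list responders, not_responders;
+endpoint_list drop_responders; /* drops only responses from these hosts */
+myregex_list myregexes;
+mypcap_list mypcaps;
+mypcap_ptr pcap_offline = NULL;
+const char* dump_base = NULL;
+char* dump_suffix = 0;
+char* extra_bpf = NULL;
+enum dump_type dump_type = nowhere;
+enum dump_state dump_state = dumper_closed;
+const char* kick_cmd = NULL;
+unsigned limit_seconds = 0U;
+time_t next_interval = 0;
+unsigned limit_packets = 0U;
+size_t limit_pcapfilesize = 0U;
+pcap_t* pcap_dead;
+pcap_dumper_t* dumper;
+time_t dumpstart;
+unsigned msgcount;
+size_t capturedbytes = 0;
+char * dumpname, *dumpnamepart;
+char* bpft;
+unsigned dns_port = DNS_PORT;
+int promisc = TRUE;
+int monitor_mode = FALSE;
+int immediate_mode = FALSE;
+int background = FALSE;
+char errbuf[PCAP_ERRBUF_SIZE];
+int wantgzip = 0;
+int wantfrags = FALSE;
+int wanticmp = FALSE;
+int wanttcp = FALSE;
+int preso = FALSE;
+#ifdef USE_SECCOMP
+int use_seccomp = FALSE;
+#endif
+int main_exit = FALSE;
+int alarm_set = FALSE;
+time_t start_time = 0;
+time_t stop_time = 0;
+int print_pcap_stats = FALSE;
+uint64_t pcap_drops = 0;
+my_bpftimeval last_ts = { 0, 0 };
+unsigned long long mem_limit = (unsigned)MEM_MAX; /* process memory limit */
+int mem_limit_set = 1; /* TODO: Should be configurable */
+const char DROPTOUSER[] = "nobody";
+pcap_thread_t pcap_thread = PCAP_THREAD_T_INIT;
+int only_offline_pcaps = FALSE;
+int dont_drop_privileges = FALSE;
+options_t options = OPTIONS_T_DEFAULTS;
+ldns_rr_type match_qtype = 0, nmatch_qtype = 0;
+int main(int argc, char* argv[])
+{
+struct plugin* p;
+struct timeval now;
+#ifdef INIT_OPENSSL
+ERR_load_crypto_strings();
+OpenSSL_add_all_algorithms();
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+OPENSSL_config(0);
+#endif
+#endif
+parse_args(argc, argv);
+gettimeofday(&now, 0);
+if (!only_offline_pcaps && start_time) {
+if (now.tv_sec < start_time) {
+char when[100];
+struct tm tm;
+gmtime_r(&start_time, &tm);
+strftime(when, sizeof when, "%F %T", &tm);
+fprintf(stderr, "Sleeping for %d seconds until %s UTC\n",
+(int)(start_time - now.tv_sec), when);
+sleep(start_time - now.tv_sec);
+fprintf(stderr, "Awake.\n");
+}
+}
+prepare_bpft();
+open_pcaps();
+if (dump_type == to_stdout) {
+if (dumper_open(now)) {
+fprintf(stderr, "%s: dumper_open() to stdout failed\n", ProgramName);
+exit(1);
+}
+}
+INIT_LIST(tcpstates);
+if (!dont_drop_privileges && !only_offline_pcaps) {
+drop_privileges();
+}
+for (p = HEAD(plugins); p != NULL; p = NEXT(p, link)) {
+if (p->start)
+if (0 != (*p->start)(logerr)) {
+logerr("%s_start returned non-zero", p->name);
+exit(1);
+}
+}
+if (dump_type == nowhere)
+dumpstart = time(NULL);
+if (background)
+daemonize();
+#if HAVE_PTHREAD
+/*
+* Defer signal setup until we have dropped privileges and daemonized,
+* otherwise signals might not reach us because different threads
+* are running under different users/access
+*/
+{
+sigset_t set;
+int err;
+pthread_t thread;
+sigfillset(&set);
+if ((err = pthread_sigmask(SIG_BLOCK, &set, 0))) {
+logerr("pthread_sigmask: %s", strerror(err));
+exit(1);
+}
+sigemptyset(&set);
+sigaddset(&set, SIGHUP);
+sigaddset(&set, SIGINT);
+sigaddset(&set, SIGALRM);
+sigaddset(&set, SIGTERM);
+sigaddset(&set, SIGQUIT);
+if ((err = pthread_create(&thread, 0, &sigthread, (void*)&set))) {
+logerr("pthread_create: %s", strerror(err));
+exit(1);
+}
+}
+#else
+{
+sigset_t set;
+sigfillset(&set);
+sigdelset(&set, SIGHUP);
+sigdelset(&set, SIGINT);
+sigdelset(&set, SIGALRM);
+sigdelset(&set, SIGTERM);
+sigdelset(&set, SIGQUIT);
+if (sigprocmask(SIG_BLOCK, &set, 0)) {
+logerr("sigprocmask: %s", strerror(errno));
+exit(1);
+}
+}
+setsig(SIGHUP, TRUE);
+setsig(SIGINT, TRUE);
+setsig(SIGALRM, FALSE);
+setsig(SIGTERM, TRUE);
+setsig(SIGQUIT, TRUE);
+#endif
+while (!main_exit)
+poll_pcaps();
+/* close PCAPs after dumper_close() to have statistics still available during dumper_close() */
+if (dumper_opened == dump_state)
+(void)dumper_close(last_ts);
+close_pcaps();
+for (p = HEAD(plugins); p != NULL; p = NEXT(p, link)) {
+if (p->stop)
+(*p->stop)();
+}
+options_free(&options);
+#ifdef INIT_OPENSSL
+EVP_cleanup();
+CRYPTO_cleanup_all_ex_data();
+ERR_free_strings();
+#endif
+return 0;
+}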
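Review bot: `unsigned long long mem_limit = (unsigned)MEM_MAX;` truncates the constant before it is stored: dnscap.h defines `MEM_MAX` as `20000000000`, which does not fit a 32-bit `unsigned`, so on such platforms the RLIMIT_DATA value applied in `drop_privileges()` is that number modulo 2^32 rather than the one written. The dnscap.h comment says 2GB while the literal is 20 GB, so the intended limit is unclear; if 2GB is meant, `#define MEM_MAX 2000000000ULL` together with `unsigned long long mem_limit = MEM_MAX;` removes both the mismatch and the cast. Separately, `main()` skips `drop_privileges()` whenever `only_offline_pcaps` is set, which also skips the seccomp filter installed there, so capture files are parsed with the invoking user's full privileges; a comment stating that this is intentional would help the next reader.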

441
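--- a/src/dnscap.h
+++ b/src/dnscap.h
@@ -0,0 +1,441 @@
+/*
+* Copyright (c) 2016-2021, OARC, Inc.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. Neither the name of the copyright holder nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+#ifndef __dnscap_dnscap_h
+#define __dnscap_dnscap_h
+#ifdef __linux__
+#define _GNU_SOURCE
+#endif
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/select.h>
+#include <sys/socket.h>
+#include <sys/fcntl.h> /* for open() */
+#include <sys/ioctl.h> /* for TIOCNOTTY */
+#include <stdarg.h>
+#include <syslog.h>
+#include <dlfcn.h>
+#include <sys/stat.h>
+#include <sys/resource.h>
+#if HAVE_PTHREAD
+#include <pthread.h>
+#endif
+#ifdef __linux__
+#define __FAVOR_BSD
+#include <net/ethernet.h>
+#ifdef USE_SECCOMP
+#include <seccomp.h>
+#endif
+#endif
+#ifdef __FreeBSD__
+#include <net/ethernet.h>
+#endif
+#ifdef __NetBSD__
+#include <net/ethertypes.h>
+#include <net/if.h>
+#include <net/if_ether.h>
+#endif
+#ifdef __OpenBSD__
+#include <net/ethertypes.h>
+#include <net/if.h>
+#include <netinet/in.h>
+#include <netinet/in_var.h>
+#include <netinet/if_ether.h>
+#endif
+#ifdef __APPLE__
+#include <net/ethernet.h>
+#include <net/bpf.h>
+#endif
+#ifdef __hpux
+#include <net/if.h>
+#include <netinet/if_ether.h>
+#define ETHER_HDR_LEN ETHER_HLEN
+#define __BIT_TYPES_DEFINED
+#define __HPLX
+#endif
+#ifdef __SVR4
+#include <stdarg.h>
+#include <net/if.h>
+#include <net/if_arp.h>
+#include <netinet/if_ether.h>
+#include "snprintf.h"
+#define IP_OFFMASK 0x1fff
+#define u_int32_t uint32_t
+#ifndef ETHER_HDR_LEN
+#define ETHER_HDR_LEN 14
+#endif
+#endif
+#ifndef MY_BPFTIMEVAL
+#define MY_BPFTIMEVAL timeval
+#endif
+#include <netinet/in_systm.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#include <netinet/ip6.h>
+#include <netinet/udp.h>
+#include <netinet/tcp.h>
+#include <arpa/nameser.h>
+#if HAVE_ARPA_NAMESER_COMPAT_H
+#include <arpa/nameser_compat.h>
+#endif
+#include <arpa/inet.h>
+#include <assert.h>
+#include <errno.h>
+#include <netdb.h>
+#include <pcap.h>
+#include <regex.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
+#if HAVE_ZLIB_H
+#include <zlib.h>
+#endif
+#include <ldns/ldns.h>
+#ifndef IPV6_VERSION
+#define IPV6_VERSION 0x60
+#endif
+#ifndef IPV6_VERSION_MASK
+#define IPV6_VERSION_MASK 0xf0
+#endif
+#define UDP10_QR_MASK 0x80
+#define UDP10_QR_SHIFT 7
+#define UDP10_OP_MASK 0x78
+#define UDP10_OP_SHIFT 3
+#define UDP10_AA_MASK 0x04
+#define UDP10_AA_SHIFT 2
+#define UDP10_TC_MASK 0x02
+#define UDP10_TC_SHIFT 1
+#define UDP10_RD_MASK 0x01
+#define UDP10_RD_SHIFT 0
+#define UDP11_RC_MASK 0x0f
+#define UDP11_RC_SHIFT 0
+#define MSG_QUERY 0x0001
+#define MSG_UPDATE 0x0002
+#define MSG_NOTIFY 0x0004
+#define ERR_TRUNC 0x0001
+#define ERR_RCODE_BASE 0x0002
+#define ERR_NO (ERR_RCODE_BASE << 0)
+#define ERR_FORMERR (ERR_RCODE_BASE << 1)
+#define ERR_SERVFAIL (ERR_RCODE_BASE << 2)
+#define ERR_NXDOMAIN (ERR_RCODE_BASE << 3)
+#define ERR_NOTIMPL (ERR_RCODE_BASE << 4)
+#define ERR_REFUSED (ERR_RCODE_BASE << 5)
+#define ERR_YES (0xffffffff & ~ERR_NO)
+#define END_INITIATOR 0x0001
+#define END_RESPONDER 0x0002
+#define HIDE_INET "\177\177\177\177"
+#define HIDE_INET6 "\177\177\177\177\177\177\177\177" \
+"\177\177\177\177\177\177\177\177"
+#define HIDE_PORT 54321
+#ifndef ETHERTYPE_VLAN
+#define ETHERTYPE_VLAN 0x8100
+#endif
+#ifndef ETHERTYPE_IPV6
+#define ETHERTYPE_IPV6 0x86DD
+#endif
+#define THOUSAND 1000
+#define MILLION (THOUSAND * THOUSAND)
+#define MAX_VLAN 4095
+#define DNS_PORT 53
+#define TO_MS 1
+#define SNAPLEN 65536
+#define TRUE 1
+#define FALSE 0
+#define REGEX_CFLAGS (REG_EXTENDED | REG_ICASE | REG_NOSUB | REG_NEWLINE)
+#define MAX_TCP_WINDOW (0xFFFF << 14)
+#define MEM_MAX 20000000000 /* SETTING MAX MEMORY USAGE TO 2GB */
+#define ISC_CHECK_NONE 1
+#include "isc/list.h"
+#include "isc/assertions.h"
+#include "dnscap_common.h"
+#include "dump_dns.h"
+#include "dump_cbor.h"
+#include "dump_cds.h"
+#include "options.h"
+#include "pcap-thread/pcap_thread.h"
+struct text {
+LINK(struct text)
+link;
+size_t len;
+char* text;
+};
+typedef struct text* text_ptr;
+typedef LIST(struct text) text_list;
+#define text_size(len) (sizeof(struct text) + len)
+struct mypcap {
+LINK(struct mypcap)
+link;
+const char* name;
+struct pcap_stat ps0, ps1;
+uint64_t drops;
+};
+typedef struct mypcap* mypcap_ptr;
+typedef LIST(struct mypcap) mypcap_list;
+struct vlan {
+LINK(struct vlan)
+link;
+unsigned vlan;
+};
+typedef struct vlan* vlan_ptr;
+typedef LIST(struct vlan) vlan_list;
+#define MAX_TCP_WINDOW_SIZE (0xFFFF << 14)
+#define MAX_TCP_MSGS 8
+#define MAX_TCP_SEGS 8
+#define MAX_TCP_HOLES 8
+#define MAX_TCP_DNS_MSG 8
+typedef struct tcphole tcphole_t;
+typedef struct tcp_msgbuf tcp_msgbuf_t;
+typedef struct tcp_segbuf tcp_segbuf_t;
+typedef struct tcpdnsmsg tcpdnsmsg_t;
+typedef struct tcpreasm tcpreasm_t;
+struct tcphole {
+uint16_t start;
+uint16_t len;
+};
+struct tcp_msgbuf {
+uint32_t seq;
+uint16_t dnslen;
+tcphole_t hole[MAX_TCP_HOLES];
+int holes;
+u_char buf[];
+};
+struct tcp_segbuf {
+uint32_t seq;
+uint16_t len;
+u_char buf[];
+};
+struct tcpdnsmsg {
+size_t segments_seen;
+uint16_t dnslen;
+u_char dnspkt[];
+};
+struct tcpreasm {
+uint32_t seq_start;
+size_t msgbufs;
+u_char dnslen_buf[2];
+u_char dnslen_bytes_seen_mask;
+tcp_msgbuf_t* msgbuf[MAX_TCP_MSGS];
+tcp_segbuf_t* segbuf[MAX_TCP_SEGS];
+size_t segments_seen;
+size_t dnsmsgs;
+tcpdnsmsg_t* dnsmsg[MAX_TCP_DNS_MSG];
+uint32_t seq_bfb;
+tcp_segbuf_t* bfb_seg[MAX_TCP_SEGS];
+u_char* bfb_buf;
+size_t bfb_at;
+};
+struct tcpstate {
+LINK(struct tcpstate)
+link;
+iaddr saddr;
+iaddr daddr;
+uint16_t sport;
+uint16_t dport;
+uint32_t start; /* seq# of tcp payload start */
+uint32_t maxdiff; /* maximum (seq# - start) */
+uint16_t dnslen;
+time_t last_use;
+uint32_t lastdns;
+uint32_t currseq;
+size_t currlen;
+tcpreasm_t* reasm;
+size_t reasm_faults;
+};
+typedef struct tcpstate* tcpstate_ptr;
+typedef LIST(struct tcpstate) tcpstate_list;
+struct endpoint {
+LINK(struct endpoint)
+link;
+iaddr ia;
+};
+typedef struct endpoint* endpoint_ptr;
+typedef LIST(struct endpoint) endpoint_list;
+struct myregex {
+LINK(struct myregex)
+link;
+regex_t reg;
+char* str;
+int not ;
+};
+typedef struct myregex* myregex_ptr;
+typedef LIST(struct myregex) myregex_list;
+struct plugin {
+LINK(struct plugin)
+link;
+char* name;
+void* handle;
+enum plugin_type pt;
+type_t(*type);
+int (*start)(logerr_t*);
+void (*stop)();
+int (*open)(my_bpftimeval);
+int (*close)();
+output_t(*output);
+filter_t(*filter);
+void (*getopt)(int*, char**[]);
+void (*usage)();
+void (*extension)(int, void*);
+};
+typedef LIST(struct plugin) plugin_list;
+enum dump_type {
+nowhere,
+to_stdout,
+to_file
+};
+enum dump_state {
+dumper_opened,
+dumper_closed
+};
+extern plugin_list plugins;
+extern const char* ProgramName;
+extern char* dump_suffix;
+extern int wantgzip;
+extern plugin_list plugins;
+extern const char* ProgramName;
+extern int dumptrace;
+extern int flush;
+extern vlan_list vlans_excl;
+extern vlan_list vlans_incl;
+extern unsigned msg_wanted;
+extern unsigned dir_wanted;
+extern unsigned end_hide;
+extern unsigned err_wanted;
+extern tcpstate_list tcpstates;
+extern int tcpstate_count;
+extern endpoint_list initiators, not_initiators;
+extern endpoint_list responders, not_responders;
+extern endpoint_list drop_responders;
+extern myregex_list myregexes;
+extern mypcap_list mypcaps;
+extern mypcap_ptr pcap_offline;
+extern const char* dump_base;
+extern char* dump_suffix;
+extern char* extra_bpf;
+extern enum dump_type dump_type;
+extern enum dump_state dump_state;
+extern const char* kick_cmd;
+extern unsigned limit_seconds;
+extern time_t next_interval;
+extern unsigned limit_packets;
+extern size_t limit_pcapfilesize;
+extern pcap_t* pcap_dead;
+extern pcap_dumper_t* dumper;
+extern time_t dumpstart;
+extern unsigned msgcount;
+extern size_t capturedbytes;
+extern char * dumpname, *dumpnamepart;
+extern char* bpft;
+extern unsigned dns_port;
+extern int promisc;
+extern int monitor_mode;
+extern int immediate_mode;
+extern int background;
+extern char errbuf[PCAP_ERRBUF_SIZE];
+extern int wantgzip;
+extern int wantfrags;
+extern int wanticmp;
+extern int wanttcp;
+extern int preso;
+#ifdef USE_SECCOMP
+extern int use_seccomp;
+#endif
+extern int main_exit;
+extern int alarm_set;
+extern time_t start_time;
+extern time_t stop_time;
+extern int print_pcap_stats;
+extern uint64_t pcap_drops;
+extern my_bpftimeval last_ts;
+extern unsigned long long mem_limit;
+extern int mem_limit_set;
+extern const char DROPTOUSER[];
+extern pcap_thread_t pcap_thread;
+extern int only_offline_pcaps;
+extern int dont_drop_privileges;
+extern options_t options;
+extern ldns_rr_type match_qtype, nmatch_qtype;
+#endif /* __dnscap_dnscap_h */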
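Review bot: `#define text_size(len) (sizeof(struct text) + len)` leaves its argument unparenthesised, so an expression argument such as `a ? b : c` would bind to the addition instead of being added as a whole; write `(sizeof(struct text) + (len))`. The extern block declares `plugins`, `ProgramName`, `dump_suffix` and `wantgzip` twice, and `MAX_TCP_WINDOW` and `MAX_TCP_WINDOW_SIZE` give one value two names; keeping a single copy of each stops them drifting apart. The arrays in `struct tcpreasm` are sized by `MAX_TCP_MSGS`, `MAX_TCP_SEGS` and `MAX_TCP_DNS_MSG`, and presumably hold state built from captured traffic, so a comment next to those constants saying what the reassembly code does when a stream exceeds them would make the bounds reviewable from the header.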

158
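--- a/src/dnscap_common.h
+++ b/src/dnscap_common.h
@@ -0,0 +1,158 @@
+/*
+* Copyright (c) 2016-2021, OARC, Inc.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. Neither the name of the copyright holder nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+#ifndef __dnscap_dnscap_common_h
+#define __dnscap_dnscap_common_h
+#include <netinet/in.h>
+#include <sys/types.h>
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#else
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#endif
+/*
+* setup MY_BPFTIMEVAL as the timeval structure that bpf packets
+* will be assoicated with packets from libpcap
+*/
+#ifndef MY_BPFTIMEVAL
+#define MY_BPFTIMEVAL timeval
+#endif
+typedef struct MY_BPFTIMEVAL my_bpftimeval;
+/*
+* Structure to contain IP addresses
+*/
+typedef struct {
+int af;
+union {
+struct in_addr a4;
+struct in6_addr a6;
+} u;
+} iaddr;
+/*
+* Prototype for the plugin "type" function
+*
+* output - Will run plugin's "output" function last when outputting (default
+* and same behavior before the existens of a plugin type)
+* filter - Will run plugin's "filter" function before outputting and won't
+* output if the return of that function is non-zero.
+*/
+enum plugin_type {
+plugin_output,
+plugin_filter,
+};
+typedef enum plugin_type type_t(void);
+/*
+* plugins can call the logerr() function in the main dnscap
+* process.
+*/
+typedef int logerr_t(const char* fmt, ...);
+/*
+* Prototype for the plugin "output" function
+*/
+typedef void output_t(const char* descr,
+iaddr from,
+iaddr to,
+uint8_t proto,
+unsigned flags,
+unsigned sport,
+unsigned dport,
+my_bpftimeval ts,
+const u_char* pkt_copy,
+const unsigned olen,
+const u_char* payload,
+const unsigned payloadlen);
+/*
+* Prototype for the plugin "filter" function
+*/
+typedef int filter_t(const char* descr,
+iaddr* from,
+iaddr* to,
+uint8_t proto,
+unsigned flags,
+unsigned sport,
+unsigned dport,
+my_bpftimeval ts,
+const u_char* pkt_copy,
+const unsigned olen,
+const u_char* payload,
+const unsigned payloadlen);
+/*
+* Extensions
+*/
+#define DNSCAP_EXT_IS_RESPONDER 1
+typedef int (*is_responder_t)(iaddr ia);
+#define DNSCAP_EXT_IA_STR 2
+typedef const char* (*ia_str_t)(iaddr ia);
+#define DNSCAP_EXT_TCPSTATE_GETCURR 3
+typedef void* (*tcpstate_getcurr_t)(void);
+#define DNSCAP_EXT_TCPSTATE_RESET 4
+typedef void (*tcpstate_reset_t)(void* tcpstate, const char* msg);
+#define DNSCAP_EXT_SET_IADDR 5
+typedef void (*set_iaddr_t)(iaddr* from, iaddr* to);
+/*
+* Flags
+*/
+#define DNSCAP_OUTPUT_ISFRAG (1 << 0)
+#define DNSCAP_OUTPUT_ISDNS (1 << 1)
+#define DNSCAP_OUTPUT_ISLAYER (1 << 2)
+/*
+* Direction
+*/
+#define DIR_INITIATE 0x0001
+#define DIR_RESPONSE 0x0002
+#endif /* __dnscap_dnscap_common_h */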

680
src/dump_cbor.c Normal file

@ -0,0 +1,680 @@
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
/*
DNS-in-JSON
- generally naming convention
- compressedNAME.length is there a point here? isn't the length in the
compressed data itself? Maybe have compressedNAME as just the data
of the compressed name
- 2.5 Additional Message Object Members
- IP stuff:
- ipProtocol: num
- sourceIpAddress: string
- sourcePort: num
- destinationIpAddress: string
- destinationPort: num
or
- ip: [ ipProtocol, sourceIpAddress, sourcePort, destinationIpAddress, destinationPort ]
- dateNanoFractions as addition to dateSeconds, specify the fraction of
nano seconds separatly to have better precision.
*/
#include "config.h"
#include "dump_cbor.h"
#include "dnscap.h"
#include "iaddr.h"
#if HAVE_LIBTINYCBOR
#include <ldns/ldns.h>
#if HAVE_CBOR_CBOR_H
#include <cbor/cbor.h>
#endif
#if HAVE_CBOR_H
#include <cbor.h>
#endif
static uint8_t* cbor_buf = 0;
static size_t cbor_size = 128 * 1024;
/*static size_t cbor_size = 1024;*/
static size_t cbor_reserve = 64 * 1024;
static CborEncoder cbor_root, cbor_pkts;
/*static cbor_stringref_t *cbor_stringrefs = 0;*/
/*static size_t cbor_stringref_size = 8192;*/
static int cbor_flushed = 1;
int cbor_set_size(size_t size)
{
if (!size) {
return DUMP_CBOR_EINVAL;
}
cbor_size = size;
return DUMP_CBOR_OK;
}
int cbor_set_reserve(size_t reserve)
{
if (!reserve) {
return DUMP_CBOR_EINVAL;
}
cbor_reserve = reserve;
return DUMP_CBOR_OK;
}
#define append_cbor(func, name, type) \
CborError func(CborEncoder* encoder, type value, int* should_flush) \
{ \
CborError err; \
uint8_t* ptr = encoder->data.ptr; \
err = name(encoder, value); \
if (err == CborErrorOutOfMemory && !*should_flush) { \
*should_flush = 1; \
encoder->data.ptr = ptr; \
encoder->end = cbor_buf + cbor_size + cbor_reserve; \
err = name(encoder, value); \
} \
return err; \
}
static append_cbor(append_cbor_text_stringz, cbor_encode_text_stringz, const char*);
static append_cbor(append_cbor_boolean, cbor_encode_boolean, bool);
static append_cbor(append_cbor_int, cbor_encode_int, int64_t);
static append_cbor(append_cbor_uint, cbor_encode_uint, uint64_t);
static append_cbor(append_cbor_double, cbor_encode_double, double);
static CborError append_cbor_bytes(CborEncoder* encoder, uint8_t* bytes, size_t length, int* should_flush)
{
CborError err;
uint8_t* ptr = encoder->data.ptr;
err = cbor_encode_byte_string(encoder, bytes, length);
if (err == CborErrorOutOfMemory && !*should_flush) {
*should_flush = 1;
encoder->data.ptr = ptr;
encoder->end = cbor_buf + cbor_size + cbor_reserve;
err = cbor_encode_byte_string(encoder, bytes, length);
}
return err;
}
/*CborError append_cbor_text_stringz2(CborEncoder *encoder, const char *value, int *should_flush) {*/
/* CborError err;*/
/* uint8_t *ptr = encoder->data.ptr;*/
/* err = cbor_encode_byte_string(encoder, bytes, length);*/
/* if (err == CborErrorOutOfMemory && !*should_flush) {*/
/* *should_flush = 1;*/
/* encoder->data.ptr = ptr;*/
/* encoder->end = cbor_buf + cbor_size + cbor_reserve;*/
/* err = cbor_encode_byte_string(encoder, bytes, length);*/
/* }*/
/* return err;*/
/*}*/
#define append_cbor_container(func, name) \
CborError func(CborEncoder* encoder, CborEncoder* container, size_t length, int* should_flush) \
{ \
CborError err; \
uint8_t* ptr = encoder->data.ptr; \
err = name(encoder, container, length); \
if (err == CborErrorOutOfMemory && !*should_flush) { \
*should_flush = 1; \
encoder->data.ptr = ptr; \
encoder->end = cbor_buf + cbor_size + cbor_reserve; \
err = name(encoder, container, length); \
} \
return err; \
}
static append_cbor_container(append_cbor_array, cbor_encoder_create_array);
static append_cbor_container(append_cbor_map, cbor_encoder_create_map);
static CborError close_cbor_container(CborEncoder* encoder, CborEncoder* container, int* should_flush)
{
CborError err;
uint8_t* ptr = encoder->data.ptr;
err = cbor_encoder_close_container_checked(encoder, container);
if (err == CborErrorOutOfMemory && !*should_flush) {
*should_flush = 1;
encoder->data.ptr = ptr;
encoder->end = cbor_buf + cbor_size + cbor_reserve;
err = cbor_encoder_close_container_checked(encoder, container);
}
return err;
}
static CborError cbor_ldns_rr_list(CborEncoder* encoder, ldns_rr_list* list, size_t count, int* should_flush)
{
CborError cbor_err = CborNoError;
size_t n;
ldns_buffer* dname;
char* dname_str;
if (!encoder) {
return CborErrorInternalError;
}
if (!list) {
return CborErrorInternalError;
}
if (!count) {
return CborErrorInternalError;
}
if (!should_flush) {
return CborErrorInternalError;
}
for (n = 0; cbor_err == CborNoError && n < count; n++) {
CborEncoder cbor_rr;
uint8_t* rdata_bytes;
ldns_buffer* rdata;
ldns_rr* rr = ldns_rr_list_rr(list, n);
size_t rd_count;
if (!rr) {
return CborErrorInternalError;
}
rd_count = ldns_rr_rd_count(rr);
if (!(dname = ldns_buffer_new(512))) {
return CborErrorOutOfMemory;
}
if (ldns_rdf2buffer_str_dname(dname, ldns_rr_owner(rr)) != LDNS_STATUS_OK) {
ldns_buffer_free(dname);
return CborErrorInternalError;
}
ldns_buffer_write_u8(dname, 0);
if (!(dname_str = ldns_buffer_export(dname))) {
ldns_buffer_free(dname);
return CborErrorOutOfMemory;
}
if (cbor_err == CborNoError)
cbor_err = append_cbor_map(encoder, &cbor_rr, CborIndefiniteLength, should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor_rr, "NAME", should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor_rr, dname_str, should_flush);
free(dname_str);
ldns_buffer_free(dname);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor_rr, "CLASS", should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&cbor_rr, ldns_rr_get_class(rr), should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor_rr, "TYPE", should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&cbor_rr, ldns_rr_get_type(rr), should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor_rr, "TTL", should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&cbor_rr, ldns_rr_ttl(rr), should_flush);
if (rd_count == 1) {
if (!(rdata = ldns_buffer_new(64 * 1024))) {
return CborErrorOutOfMemory;
}
if (ldns_rdf2buffer_wire(rdata, ldns_rr_rdf(rr, 0)) != LDNS_STATUS_OK) {
ldns_buffer_free(rdata);
return CborErrorInternalError;
}
if (!(rdata_bytes = ldns_buffer_export(rdata))) {
ldns_buffer_free(rdata);
return CborErrorOutOfMemory;
}
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor_rr, "RDLENGTH", should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&cbor_rr, ldns_buffer_position(rdata), should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor_rr, "RDATA", should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_bytes(&cbor_rr, rdata_bytes, ldns_buffer_position(rdata), should_flush);
free(rdata_bytes);
ldns_buffer_free(rdata);
} else if (rd_count > 1) {
size_t n2;
CborEncoder rr_set;
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor_rr, "rrSet", should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_array(&cbor_rr, &rr_set, CborIndefiniteLength, should_flush);
for (n2 = 0; n2 < rd_count; n2++) {
if (!(rdata = ldns_buffer_new(64 * 1024))) {
return CborErrorOutOfMemory;
}
if (ldns_rdf2buffer_wire(rdata, ldns_rr_rdf(rr, n2)) != LDNS_STATUS_OK) {
ldns_buffer_free(rdata);
return CborErrorInternalError;
}
if (!(rdata_bytes = ldns_buffer_export(rdata))) {
ldns_buffer_free(rdata);
return CborErrorOutOfMemory;
}
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&rr_set, "RDLENGTH", should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&rr_set, ldns_buffer_position(rdata), should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&rr_set, "RDATA", should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_bytes(&rr_set, rdata_bytes, ldns_buffer_position(rdata), should_flush);
free(rdata_bytes);
ldns_buffer_free(rdata);
}
if (cbor_err == CborNoError)
cbor_err = close_cbor_container(&cbor_rr, &rr_set, should_flush);
}
if (cbor_err == CborNoError)
cbor_err = close_cbor_container(encoder, &cbor_rr, should_flush);
}
return cbor_err;
}
int output_cbor(iaddr from, iaddr to, uint8_t proto, unsigned flags, unsigned sport, unsigned dport, my_bpftimeval ts, const u_char* payload, size_t payloadlen)
{
ldns_pkt* pkt = 0;
ldns_status ldns_rc;
if (!payload) {
return DUMP_CBOR_EINVAL;
}
if (!payloadlen) {
return DUMP_CBOR_EINVAL;
}
/* if (!cbor_stringrefs) {*/
/* cbor_stringrefs = calloc(1, cbor_stringref_size);*/
/* }*/
if (!cbor_buf) {
if (!(cbor_buf = calloc(1, cbor_size + cbor_reserve))) {
return DUMP_CBOR_ENOMEM;
}
}
if (cbor_flushed) {
CborError cbor_err;
cbor_encoder_init(&cbor_root, cbor_buf, cbor_size, 0);
/* cbor_err = cbor_encode_tag(&cbor_root, 256);*/
/* if (cbor_err == CborNoError)*/
cbor_err = cbor_encoder_create_array(&cbor_root, &cbor_pkts, CborIndefiniteLength);
if (cbor_err != CborNoError) {
fprintf(stderr, "cbor init error[%d]: %s\n", cbor_err, cbor_error_string(cbor_err));
return DUMP_CBOR_ECBOR;
}
cbor_flushed = 0;
}
ldns_rc = ldns_wire2pkt(&pkt, payload, payloadlen);
if (ldns_rc != LDNS_STATUS_OK) {
fprintf(stderr, "ldns error [%d]: %s\n", ldns_rc, ldns_get_errorstr_by_id(ldns_rc));
return DUMP_CBOR_ELDNS;
}
if (!pkt) {
return DUMP_CBOR_ELDNS;
}
CborEncoder cbor, ip;
CborError cbor_err = CborNoError;
int should_flush = 0;
cbor_err = append_cbor_map(&cbor_pkts, &cbor, CborIndefiniteLength, &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "dateSeconds", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_double(&cbor, (double)ts.tv_sec + ((double)ts.tv_usec / 1000000), &should_flush);
/* if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, "dateNanoFractions", &should_flush);*/
/* if (cbor_err == CborNoError) cbor_err = append_cbor_uint(&cbor, ts.tv_usec * 1000, &should_flush);*/
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "ip", &should_flush);
/* if (cbor_err == CborNoError) cbor_err = append_cbor_uint(&cbor, proto, &should_flush);*/
/* if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, "sourceIpAddress", &should_flush);*/
/* if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, ia_str(from), &should_flush);*/
/* if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, "sourcePort", &should_flush);*/
/* if (cbor_err == CborNoError) cbor_err = append_cbor_uint(&cbor, sport, &should_flush);*/
/* if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, "destinationIpAddress", &should_flush);*/
/* if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, ia_str(to), &should_flush);*/
/* if (cbor_err == CborNoError) cbor_err = append_cbor_text_stringz(&cbor, "destinationPort", &should_flush);*/
/* if (cbor_err == CborNoError) cbor_err = append_cbor_uint(&cbor, dport, &should_flush);*/
if (cbor_err == CborNoError)
cbor_err = append_cbor_array(&cbor, &ip, CborIndefiniteLength, &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&ip, proto, &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&ip, ia_str(from), &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&ip, sport, &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&ip, ia_str(to), &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&ip, dport, &should_flush);
if (cbor_err == CborNoError)
cbor_err = close_cbor_container(&cbor, &ip, &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "ID", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&cbor, ldns_pkt_id(pkt), &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "QR", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_boolean(&cbor, ldns_pkt_qr(pkt), &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "Opcode", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&cbor, ldns_pkt_get_opcode(pkt), &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "AA", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_boolean(&cbor, ldns_pkt_aa(pkt), &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "TC", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_boolean(&cbor, ldns_pkt_tc(pkt), &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "RD", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_boolean(&cbor, ldns_pkt_rd(pkt), &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "RA", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_boolean(&cbor, ldns_pkt_ra(pkt), &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "AD", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_boolean(&cbor, ldns_pkt_ad(pkt), &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "CD", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_boolean(&cbor, ldns_pkt_cd(pkt), &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "RCODE", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&cbor, ldns_pkt_get_rcode(pkt), &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "QDCOUNT", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&cbor, ldns_pkt_qdcount(pkt), &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "ANCOUNT", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&cbor, ldns_pkt_ancount(pkt), &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "NSCOUNT", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&cbor, ldns_pkt_nscount(pkt), &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "ARCOUNT", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&cbor, ldns_pkt_arcount(pkt), &should_flush);
/* questionRRs */
if (ldns_pkt_qdcount(pkt) > 0) {
ldns_rr_list* list = ldns_pkt_question(pkt);
ldns_rr* rr;
size_t n, qdcount = ldns_pkt_qdcount(pkt);
ldns_buffer* dname;
char* dname_str;
if (!list) {
ldns_pkt_free(pkt);
return DUMP_CBOR_ELDNS;
}
rr = ldns_rr_list_rr(list, 0);
if (!rr) {
ldns_pkt_free(pkt);
return DUMP_CBOR_ELDNS;
}
if (!(dname = ldns_buffer_new(512))) {
ldns_pkt_free(pkt);
return DUMP_CBOR_ENOMEM;
}
if (ldns_rdf2buffer_str_dname(dname, ldns_rr_owner(rr)) != LDNS_STATUS_OK) {
ldns_buffer_free(dname);
ldns_pkt_free(pkt);
return DUMP_CBOR_ELDNS;
}
ldns_buffer_write_u8(dname, 0);
if (!(dname_str = ldns_buffer_export(dname))) {
ldns_buffer_free(dname);
ldns_pkt_free(pkt);
return DUMP_CBOR_ENOMEM;
}
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "QNAME", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, dname_str, &should_flush);
free(dname_str);
ldns_buffer_free(dname);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "QCLASS", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&cbor, ldns_rr_get_class(rr), &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "QTYPE", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&cbor, ldns_rr_get_type(rr), &should_flush);
if (qdcount > 1) {
CborEncoder queries;
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "questionRRs", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_array(&cbor, &queries, CborIndefiniteLength, &should_flush);
for (n = 1; cbor_err == CborNoError && n < qdcount; n++) {
CborEncoder query;
rr = ldns_rr_list_rr(list, n);
if (!rr) {
ldns_pkt_free(pkt);
return DUMP_CBOR_ELDNS;
}
if (!(dname = ldns_buffer_new(512))) {
ldns_pkt_free(pkt);
return DUMP_CBOR_ENOMEM;
}
if (ldns_rdf2buffer_str_dname(dname, ldns_rr_owner(rr)) != LDNS_STATUS_OK) {
ldns_buffer_free(dname);
ldns_pkt_free(pkt);
return DUMP_CBOR_ELDNS;
}
ldns_buffer_write_u8(dname, 0);
if (!(dname_str = ldns_buffer_export(dname))) {
ldns_buffer_free(dname);
ldns_pkt_free(pkt);
return DUMP_CBOR_ENOMEM;
}
if (cbor_err == CborNoError)
cbor_err = append_cbor_map(&queries, &query, CborIndefiniteLength, &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&query, "NAME", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&query, dname_str, &should_flush);
free(dname_str);
ldns_buffer_free(dname);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&query, "CLASS", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&query, ldns_rr_get_class(rr), &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&query, "TYPE", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_uint(&query, ldns_rr_get_type(rr), &should_flush);
if (cbor_err == CborNoError)
cbor_err = close_cbor_container(&queries, &query, &should_flush);
}
if (cbor_err == CborNoError)
cbor_err = close_cbor_container(&cbor, &queries, &should_flush);
}
}
/* answerRRs */
if (ldns_pkt_ancount(pkt) > 0) {
CborEncoder cbor_rrs;
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "answerRRs", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_array(&cbor, &cbor_rrs, CborIndefiniteLength, &should_flush);
cbor_ldns_rr_list(&cbor_rrs, ldns_pkt_answer(pkt), ldns_pkt_ancount(pkt), &should_flush);
if (cbor_err == CborNoError)
cbor_err = close_cbor_container(&cbor, &cbor_rrs, &should_flush);
}
/* authorityRRs */
if (ldns_pkt_nscount(pkt) > 0) {
CborEncoder cbor_rrs;
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "authorityRRs", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_array(&cbor, &cbor_rrs, CborIndefiniteLength, &should_flush);
cbor_ldns_rr_list(&cbor_rrs, ldns_pkt_authority(pkt), ldns_pkt_nscount(pkt), &should_flush);
if (cbor_err == CborNoError)
cbor_err = close_cbor_container(&cbor, &cbor_rrs, &should_flush);
}
/* additionalRRs */
if (ldns_pkt_arcount(pkt) > 0) {
CborEncoder cbor_rrs;
if (cbor_err == CborNoError)
cbor_err = append_cbor_text_stringz(&cbor, "additionalRRs", &should_flush);
if (cbor_err == CborNoError)
cbor_err = append_cbor_array(&cbor, &cbor_rrs, CborIndefiniteLength, &should_flush);
cbor_ldns_rr_list(&cbor_rrs, ldns_pkt_additional(pkt), ldns_pkt_arcount(pkt), &should_flush);
if (cbor_err == CborNoError)
cbor_err = close_cbor_container(&cbor, &cbor_rrs, &should_flush);
}
ldns_pkt_free(pkt);
if (cbor_err == CborNoError)
cbor_err = close_cbor_container(&cbor_pkts, &cbor, &should_flush);
if (cbor_err != CborNoError) {
fprintf(stderr, "cbor error[%d]: %s\n", cbor_err, cbor_error_string(cbor_err));
return DUMP_CBOR_ECBOR;
}
if (should_flush) {
if ((cbor_err = cbor_encoder_close_container_checked(&cbor_root, &cbor_pkts)) != CborNoError) {
fprintf(stderr, "cbor error[%d]: %s\n", cbor_err, cbor_error_string(cbor_err));
return DUMP_CBOR_ECBOR;
}
fprintf(stderr, "cbor output: %lu bytes\n", cbor_encoder_get_buffer_size(&cbor_root, cbor_buf));
cbor_flushed = 1;
return DUMP_CBOR_FLUSH;
}
return DUMP_CBOR_OK;
}
int dump_cbor(FILE* fp)
{
CborError cbor_err;
if (!fp) {
return DUMP_CBOR_EINVAL;
}
if ((cbor_err = cbor_encoder_close_container_checked(&cbor_root, &cbor_pkts)) != CborNoError) {
fprintf(stderr, "cbor error[%d]: %s\n", cbor_err, cbor_error_string(cbor_err));
return DUMP_CBOR_ECBOR;
}
fprintf(stderr, "cbor output: %lu bytes\n", cbor_encoder_get_buffer_size(&cbor_root, cbor_buf));
if (fwrite(cbor_buf, cbor_encoder_get_buffer_size(&cbor_root, cbor_buf), 1, fp) != 1) {
return DUMP_CBOR_EWRITE;
}
return DUMP_CBOR_OK;
}
int have_cbor_support()
{
return 1;
}
#else /* HAVE_LIBTINYCBOR */
int cbor_set_size(size_t size)
{
return DUMP_CBOR_ENOSUP;
}
int cbor_set_reserve(size_t reserve)
{
return DUMP_CBOR_ENOSUP;
}
int output_cbor(iaddr from, iaddr to, uint8_t proto, unsigned flags, unsigned sport, unsigned dport, my_bpftimeval ts, const u_char* payload, size_t payloadlen)
{
return DUMP_CBOR_ENOSUP;
}
int dump_cbor(FILE* fp)
{
return DUMP_CBOR_ENOSUP;
}
int have_cbor_support()
{
return 0;
}
#endif
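Review bot: The three calls to `cbor_ldns_rr_list()` in `output_cbor()` (answer, authority and additional sections) discard the returned `CborError` and run even when `cbor_err` is already set, in which case `cbor_rrs` was never initialised by `append_cbor_array()`. A failure while encoding a record from the captured packet therefore leaves a partly written map in the buffer, and the function can still return `DUMP_CBOR_OK`. Each call should be chained like the rest of the function, e.g. `if (cbor_err == CborNoError) cbor_err = cbor_ldns_rr_list(&cbor_rrs, ldns_pkt_answer(pkt), ldns_pkt_ancount(pkt), &should_flush);`. Separately, `cbor_buf` is allocated once with `cbor_size + cbor_reserve`, while `cbor_set_size()` and `cbor_set_reserve()` accept new values at any time and the append helpers recompute `encoder->end` from the current values. If a setter can be called after the first packet (callers are not shown here), that limit would exceed the allocation, so the setters should refuse once `cbor_buf` is non-NULL.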

65
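--- a/src/dump_cbor.h
+++ b/src/dump_cbor.h
@@ -0,0 +1,65 @@
+/*
+* Copyright (c) 2016-2021, OARC, Inc.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. Neither the name of the copyright holder nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "dnscap_common.h"
+#include <stdio.h>
+#ifndef __dnscap_dump_cbor_h
+#define __dnscap_dump_cbor_h
+#define DUMP_CBOR_OK 0
+#define DUMP_CBOR_EINVAL 1
+#define DUMP_CBOR_ENOMEM 2
+#define DUMP_CBOR_ECBOR 3
+#define DUMP_CBOR_ELDNS 4
+#define DUMP_CBOR_EWRITE 5
+#define DUMP_CBOR_FLUSH 6
+#define DUMP_CBOR_ENOSUP 7
+/*
+typedef struct cbor_stringref cbor_stringref_t;
+struct cbor_stringref {
+char *string;
+size_t ref;
+};
+*/
+int cbor_set_size(size_t size);
+int cbor_set_reserve(size_t reserve);
+int output_cbor(iaddr from, iaddr to, uint8_t proto, unsigned flags, unsigned sport, unsigned dport, my_bpftimeval ts, const u_char* payload, size_t payloadlen);
+int dump_cbor(FILE* fp);
+int have_cbor_support();
+#endif /* __dnscap_dump_cbor_h */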
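Review bot: The prototype `int have_cbor_support();` has an empty parameter list, which before C23 declares a function taking unspecified arguments, so the compiler does not check call sites. It should read `int have_cbor_support(void);`, with the same change applied to both definitions in src/dump_cbor.c. The `DUMP_CBOR_*` return codes also have no comment saying that `DUMP_CBOR_FLUSH` is a non-error status; a one-line comment above the defines, such as `/* FLUSH: record encoded, buffer full, caller must call dump_cbor() */`, would help callers that test for non-zero. That meaning is inferred from `output_cbor()` and should be confirmed.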

1962
src/dump_cds.c Normal file

File diff suppressed because it is too large Load diff

218
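--- a/src/dump_cds.h
+++ b/src/dump_cds.h
@@ -0,0 +1,218 @@
+/*
+* Copyright (c) 2016-2021, OARC, Inc.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. Neither the name of the copyright holder nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "dnscap_common.h"
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdio.h>
+#ifndef __dnscap_dump_cds_h
+#define __dnscap_dump_cds_h
+#define DUMP_CDS_OK 0
+#define DUMP_CDS_EINVAL 1
+#define DUMP_CDS_ENOMEM 2
+#define DUMP_CDS_ECBOR 3
+#define DUMP_CDS_ELDNS 4
+#define DUMP_CDS_EWRITE 5
+#define DUMP_CDS_FLUSH 6
+#define DUMP_CDS_ENOSUP 7
+#define DUMP_CDS_EBUF 8
+#define CDS_OPTION_RLABELS 0
+#define CDS_OPTION_RLABEL_MIN_SIZE 1
+#define CDS_OPTION_RDATA_RINDEX_SIZE 2
+#define CDS_OPTION_RDATA_RINDEX_MIN_SIZE 3
+#define CDS_OPTION_USE_RDATA_INDEX 4
+#define CDS_OPTION_RDATA_INDEX_MIN_SIZE 5
+#define CDS_DEFAULT_MAX_RLABELS 255
+#define CDS_DEFAULT_MIN_RLABEL_SIZE 3
+#define CDS_DEFAULT_RDATA_INDEX_MIN_SIZE 5
+#define CDS_DEFAULT_RDATA_RINDEX_SIZE 255
+#define CDS_DEFAULT_RDATA_RINDEX_MIN_SIZE 5
+typedef struct ip_header ip_header_t;
+struct ip_header {
+unsigned short is_v6 : 1;
+unsigned short is_reverse : 1;
+unsigned short have_src_addr : 1;
+unsigned short have_src_port : 1;
+unsigned short have_dest_addr : 1;
+unsigned short have_dest_port : 1;
+uint8_t bits;
+struct in_addr src_addr4;
+uint16_t src_port4;
+struct in6_addr src_addr6;
+uint16_t src_port6;
+struct in_addr dest_addr4;
+uint16_t dest_port4;
+struct in6_addr dest_addr6;
+uint16_t dest_port6;
+};
+typedef struct dns_label dns_label_t;
+struct dns_label {
+unsigned short is_complete : 1;
+unsigned short have_size : 1;
+unsigned short have_extension_bits : 1;
+unsigned short have_offset : 1;
+unsigned short have_label : 1;
+unsigned short have_n_offset : 1;
+uint8_t size;
+uint8_t extension_bits;
+uint16_t offset;
+uint8_t* offset_p;
+uint8_t* label;
+size_t n_offset;
+};
+#define CDS_RLABEL_LABEL_T_LABEL 64
+typedef struct dns_rlabel_label dns_rlabel_label_t;
+struct dns_rlabel_label {
+unsigned short have_n_offset : 1;
+uint8_t size;
+uint8_t label[CDS_RLABEL_LABEL_T_LABEL];
+size_t n_offset;
+};
+#define CDS_RLABEL_T_LABELS 256
+typedef struct dns_rlabel dns_rlabel_t;
+struct dns_rlabel {
+dns_rlabel_t* next;
+dns_rlabel_t* prev;
+uint8_t labels;
+dns_rlabel_label_t label[CDS_RLABEL_T_LABELS];
+};
+typedef struct dns_rdata dns_rdata_t;
+struct dns_rdata {
+unsigned short is_complete : 1;
+unsigned short have_labels : 1;
+unsigned short have_rlabel_idx : 1;
+unsigned short have_rdata : 1;
+size_t rdata_len;
+uint8_t* rdata;
+size_t labels;
+dns_label_t* label;
+size_t rlabel_idx;
+};
+typedef struct dns_rr dns_rr_t;
+struct dns_rr {
+unsigned short is_complete : 1;
+unsigned short have_labels : 1;
+unsigned short have_rlabel_idx : 1;
+unsigned short have_bits : 1;
+unsigned short have_type : 1;
+unsigned short have_class : 1;
+unsigned short have_ttl : 1;
+unsigned short have_rdlength : 1;
+unsigned short have_rdata : 1;
+unsigned short have_mixed_rdata : 1;
+unsigned short have_rdata_index : 1;
+unsigned short have_rdata_rindex : 1;
+size_t labels;
+dns_label_t* label;
+size_t rlabel_idx;
+uint8_t bits;
+uint16_t type;
+uint16_t class;
+uint32_t ttl;
+uint16_t rdlength;
+uint8_t* rdata;
+size_t mixed_rdatas;
+dns_rdata_t* mixed_rdata;
+size_t rdata_index;
+size_t rdata_rindex;
+};
+typedef struct dns dns_t;
+struct dns {
+unsigned short header_is_complete : 1;
+unsigned short have_id : 1;
+unsigned short have_raw : 1;
+unsigned short have_cnt_bits : 1;
+unsigned short have_qdcount : 1;
+unsigned short have_ancount : 1;
+unsigned short have_nscount : 1;
+unsigned short have_arcount : 1;
+unsigned short have_rr_bits : 1;
+unsigned short have_questions : 1;
+unsigned short have_answers : 1;
+unsigned short have_authorities : 1;
+unsigned short have_additionals : 1;
+int id;
+uint16_t raw;
+uint8_t cnt_bits;
+uint16_t qdcount;
+uint16_t ancount;
+uint16_t nscount;
+uint16_t arcount;
+uint8_t rr_bits;
+size_t questions;
+dns_rr_t* question;
+size_t answers;
+dns_rr_t* answer;
+size_t authorities;
+dns_rr_t* authority;
+size_t additionals;
+dns_rr_t* additional;
+};
+int cds_set_cbor_size(size_t size);
+int cds_set_message_size(size_t size);
+int cds_set_max_rlabels(size_t size);
+int cds_set_min_rlabel_size(size_t size);
+int cds_set_use_rdata_index(int use);
+int cds_set_use_rdata_rindex(int use);
+int cds_set_rdata_index_min_size(size_t size);
+int cds_set_rdata_rindex_min_size(size_t size);
+int cds_set_rdata_rindex_size(size_t size);
+int output_cds(iaddr from, iaddr to, uint8_t proto, unsigned flags, unsigned sport, unsigned dport, my_bpftimeval ts, const u_char* pkt_copy, size_t olen, const u_char* payload, size_t payloadlen);
+int dump_cds(FILE* fp);
+int have_cds_support();
+#endif /* __dnscap_dump_cds_h */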
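Review bot: The fixed-capacity structs `dns_rlabel_label` and `dns_rlabel` do not document the bounds their length fields must respect. `size` is a `uint8_t` (0–255) next to `label[CDS_RLABEL_LABEL_T_LABEL]` (64 bytes), and `labels` is a `uint8_t` next to `label[CDS_RLABEL_T_LABELS]`. These records are presumably filled from captured packet data in src/dump_cds.c, whose diff is suppressed on this page, so the header is the only place a reader can learn the invariant. I would add comments on the fields, e.g. `/* size <= CDS_RLABEL_LABEL_T_LABEL; checked before any copy into label[] */` and `/* number of used entries in label[], < CDS_RLABEL_T_LABELS */`, and confirm that the copy sites enforce them. `cds_set_max_rlabels(size_t size)` also takes a `size_t` while the default is 255, so its accepted range deserves a one-line comment too.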

319
src/dump_dns.c Normal file

@ -0,0 +1,319 @@
/* dump_dns.c - library function to emit decoded dns message on a FILE.
*
* By: Paul Vixie, ISC, October 2007
*/
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#include "dnscap_common.h"
#include "dump_dns.h"
#include "network.h"
#include "tcpstate.h"
#include "endian_compat.h"
#include <ldns/ldns.h>
#include <netinet/in.h>
static inline uint16_t _need16(const void* ptr)
{
uint16_t v;
memcpy(&v, ptr, sizeof(v));
return be16toh(v);
}
static void dump_dns_rr(ldns_rr* rr, FILE* trace, ldns_buffer* lbuf, bool qsect)
{
size_t rdlen, i;
ldns_rdf* rdf;
// owner
ldns_buffer_clear(lbuf);
if (ldns_rdf2buffer_str(lbuf, ldns_rr_owner(rr)) != LDNS_STATUS_OK) {
goto error;
}
fprintf(trace, "%s", (char*)ldns_buffer_begin(lbuf));
// class
ldns_buffer_clear(lbuf);
if (ldns_rr_class2buffer_str(lbuf, ldns_rr_get_class(rr)) != LDNS_STATUS_OK) {
goto error;
}
fprintf(trace, ",%s", (char*)ldns_buffer_begin(lbuf));
// type
ldns_buffer_clear(lbuf);
if (ldns_rr_type2buffer_str(lbuf, ldns_rr_get_type(rr)) != LDNS_STATUS_OK) {
goto error;
}
fprintf(trace, ",%s", (char*)ldns_buffer_begin(lbuf));
if (qsect)
return;
fprintf(trace, ",%u", ldns_rr_ttl(rr));
switch (ldns_rr_get_type(rr)) {
case LDNS_RR_TYPE_SOA:
for (i = 0; i < 2; i++) {
if (!(rdf = ldns_rr_rdf(rr, i))) {
goto error;
}
ldns_buffer_clear(lbuf);
if (ldns_rdf2buffer_str(lbuf, rdf) != LDNS_STATUS_OK) {
goto error;
}
fprintf(trace, ",%s", (char*)ldns_buffer_begin(lbuf));
}
for (; i < 7; i++) {
if (!(rdf = ldns_rr_rdf(rr, i))) {
goto error;
}
ldns_buffer_clear(lbuf);
if (ldns_rdf2buffer_str(lbuf, rdf) != LDNS_STATUS_OK) {
goto error;
}
fprintf(trace, ",%s", (char*)ldns_buffer_begin(lbuf));
}
break;
case LDNS_RR_TYPE_A:
case LDNS_RR_TYPE_AAAA:
case LDNS_RR_TYPE_MX:
if (!(rdf = ldns_rr_rdf(rr, 0))) {
goto error;
}
ldns_buffer_clear(lbuf);
if (ldns_rdf2buffer_str(lbuf, rdf) != LDNS_STATUS_OK) {
goto error;
}
fprintf(trace, ",%s", (char*)ldns_buffer_begin(lbuf));
break;
case LDNS_RR_TYPE_NS:
case LDNS_RR_TYPE_PTR:
case LDNS_RR_TYPE_CNAME:
if (!(rdf = ldns_rr_rdf(rr, 0))) {
goto error;
}
ldns_buffer_clear(lbuf);
if (ldns_rdf2buffer_str(lbuf, rdf) != LDNS_STATUS_OK) {
goto error;
}
fprintf(trace, ",%s", (char*)ldns_buffer_begin(lbuf));
break;
default:
goto error;
}
return;
error:
for (rdlen = 0, i = 0, rdf = ldns_rr_rdf(rr, i); rdf; rdf = ldns_rr_rdf(rr, ++i)) {
rdlen += ldns_rdf_size(rdf);
}
fprintf(trace, ",[%zu]", rdlen);
}
static void dump_dns_sect(ldns_rr_list* rrs, FILE* trace, const char* endline, ldns_buffer* lbuf, bool qsect, bool ansect, ldns_pkt* pkt)
{
size_t rrnum, rrmax;
const char* sep;
if (ansect && ldns_pkt_edns(pkt)) {
rrmax = ldns_rr_list_rr_count(rrs);
fprintf(trace, " %s%zu", endline, rrmax + 1);
sep = "";
for (rrnum = 0; rrnum < rrmax; rrnum++) {
fprintf(trace, " %s", sep);
dump_dns_rr(ldns_rr_list_rr(rrs, rrnum), trace, lbuf, qsect);
sep = endline;
}
ldns_rdf* edns_data = ldns_pkt_edns_data(pkt);
fprintf(trace, " %s.,%u,%u,0,edns0[len=%zu,UDP=%u,ver=%u,rcode=%u,DO=%u,z=%u]",
sep, ldns_pkt_edns_udp_size(pkt), ldns_pkt_edns_udp_size(pkt),
edns_data ? ldns_rdf_size(edns_data) : 0,
ldns_pkt_edns_udp_size(pkt),
ldns_pkt_edns_version(pkt),
ldns_pkt_edns_extended_rcode(pkt),
ldns_pkt_edns_do(pkt) ? 1 : 0,
ldns_pkt_edns_z(pkt));
if (edns_data) {
size_t len = ldns_rdf_size(edns_data);
uint8_t* d = ldns_rdf_data(edns_data);
while (len >= 4) {
uint16_t opcode = _need16(d);
uint16_t oplen = _need16(d + 2);
len -= 4;
d += 4;
if (oplen > len) {
break;
}
switch (opcode) {
case 8: {
if (oplen >= 4) {
uint16_t family = _need16(d);
uint8_t source_prefix_len = *(d + 2), scope_prefix_len = *(d + 3);
char addr[(INET_ADDRSTRLEN < INET6_ADDRSTRLEN ? INET6_ADDRSTRLEN : INET_ADDRSTRLEN) + 1] = { 0 };
struct in_addr in4 = { .s_addr = INADDR_ANY };
struct in6_addr in6 = IN6ADDR_ANY_INIT;
void* in = 0;
int af;
switch (family) {
case 1: {
memcpy(&in4.s_addr, d + 4, oplen - 4 > sizeof(in4.s_addr) ? sizeof(in4.s_addr) : oplen - 4);
in = &in4;
af = AF_INET;
break;
}
case 2: {
memcpy(&in6.s6_addr, d + 4, oplen - 4 > sizeof(in6.s6_addr) ? sizeof(in6.s6_addr) : oplen - 4);
in = &in6;
af = AF_INET6;
break;
}
default:
break;
}
fprintf(trace, ",edns0opt[ECS,family=%u,source=%u,scope=%u,", family, source_prefix_len, scope_prefix_len);
if (!in || !inet_ntop(af, in, addr, sizeof(addr) - 1)) {
fprintf(trace, "addr=INVALID]");
} else {
fprintf(trace, "addr=%s]", addr);
}
break;
}
}
default:
fprintf(trace, ",edns0opt[code=%u,codelen=%u]", opcode, oplen);
break;
}
len -= oplen;
d += oplen;
}
}
return;
}
rrmax = ldns_rr_list_rr_count(rrs);
if (rrmax == 0) {
fputs(" 0", trace);
return;
}
fprintf(trace, " %s%zu", endline, rrmax);
sep = "";
for (rrnum = 0; rrnum < rrmax; rrnum++) {
fprintf(trace, " %s", sep);
dump_dns_rr(ldns_rr_list_rr(rrs, rrnum), trace, lbuf, qsect);
sep = endline;
}
}
void dump_dns(const u_char* payload, size_t paylen, FILE* trace, const char* endline)
{
const char* sep;
tcpstate_ptr tcpstate;
ldns_pkt* pkt = 0;
ldns_buffer* lbuf = 0;
ldns_status ret;
fprintf(trace, " %sdns ", endline);
if ((ret = ldns_wire2pkt(&pkt, payload, paylen)) != LDNS_STATUS_OK) {
/* DNS message may have padding, try get actual size */
size_t dnslen = calcdnslen(payload, paylen);
if (dnslen > 0 && dnslen < paylen) {
if ((ret = ldns_wire2pkt(&pkt, payload, dnslen)) != LDNS_STATUS_OK) {
fputs(ldns_get_errorstr_by_id(ret), trace);
if ((tcpstate = tcpstate_getcurr()))
tcpstate_reset(tcpstate, strerror(errno));
return;
}
} else {
fputs(ldns_get_errorstr_by_id(ret), trace);
if ((tcpstate = tcpstate_getcurr()))
tcpstate_reset(tcpstate, strerror(errno));
return;
}
}
if (!(lbuf = ldns_buffer_new(512))) {
fprintf(stderr, "%s: out of memory", ProgramName);
exit(1);
}
if (ldns_pkt_opcode2buffer_str(lbuf, ldns_pkt_get_opcode(pkt)) != LDNS_STATUS_OK) {
fprintf(stderr, "%s: unable to covert opcode to str", ProgramName);
exit(1);
}
fprintf(trace, "%s,", (char*)ldns_buffer_begin(lbuf));
ldns_buffer_clear(lbuf);
if (ldns_pkt_rcode2buffer_str(lbuf, ldns_pkt_get_rcode(pkt)) != LDNS_STATUS_OK) {
fprintf(stderr, "%s: unable to covert rcode to str", ProgramName);
exit(1);
}
fprintf(trace, "%s,%u,", (char*)ldns_buffer_begin(lbuf), ldns_pkt_id(pkt));
sep = "";
#define FLAG(t, f) \
if (f) { \
fprintf(trace, "%s%s", sep, t); \
sep = "|"; \
}
FLAG("qr", ldns_pkt_qr(pkt));
FLAG("aa", ldns_pkt_aa(pkt));
FLAG("tc", ldns_pkt_tc(pkt));
FLAG("rd", ldns_pkt_rd(pkt));
FLAG("ra", ldns_pkt_ra(pkt));
FLAG("z", LDNS_Z_WIRE(payload));
FLAG("ad", ldns_pkt_ad(pkt));
FLAG("cd", ldns_pkt_cd(pkt));
#undef FLAG
dump_dns_sect(ldns_pkt_question(pkt), trace, endline, lbuf, true, false, 0);
dump_dns_sect(ldns_pkt_answer(pkt), trace, endline, lbuf, false, false, 0);
dump_dns_sect(ldns_pkt_authority(pkt), trace, endline, lbuf, false, false, 0);
dump_dns_sect(ldns_pkt_additional(pkt), trace, endline, lbuf, false, true, pkt);
ldns_buffer_free(lbuf);
ldns_pkt_free(pkt);
}
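Review bot: Both parse-failure paths in `dump_dns()` pass `strerror(errno)` to `tcpstate_reset()`, but nothing in this file shows `ldns_wire2pkt()` setting `errno`, so the recorded reason is whatever an earlier call left behind. The parse status is already in `ret`; assuming the second parameter is a read-only reason string, `tcpstate_reset(tcpstate, ldns_get_errorstr_by_id(ret));` would record the actual error for a malformed message. Separately, in `dump_dns_sect()` the `case 8:` block runs into `default:` when `oplen < 4`; that looks intended, and a `/* fallthrough */` comment before `default:` would say so.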

47
src/dump_dns.h Normal file

@ -0,0 +1,47 @@
/* dump_dns.c - library function to emit decoded dns message on a FILE.
*
* By: Paul Vixie, ISC, October 2007
*/
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef __dnscap_dump_dns_h
#define __dnscap_dump_dns_h
#include <stdio.h>
void dump_dns(const u_char* payload, size_t paylen, FILE* trace, const char* endline);
#endif // __dnscap_dump_dns_h
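Review bot: The prototype uses `u_char` and `size_t`, but the header includes only `<stdio.h>`, so it compiles only when an earlier include has already declared `u_char`. Adding `#include <sys/types.h>` above the prototype would make the header self-contained. The opening comment also names `dump_dns.c` rather than `dump_dns.h`.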

399
src/dumper.c Normal file

@ -0,0 +1,399 @@
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#include "dumper.h"
#include "iaddr.h"
#include "log.h"
#include "pcaps.h"
/*
* when flags & DNSCAP_OUTPUT_ISDNS, payload points to a DNS packet
*/
void output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
unsigned sport, unsigned dport, my_bpftimeval ts,
const u_char* pkt_copy, const unsigned olen,
const u_char* payload, const unsigned payloadlen)
{
struct plugin* p;
for (p = HEAD(plugins); p != NULL; p = NEXT(p, link)) {
if (p->filter && (*p->filter)(descr, &from, &to, proto, flags, sport, dport, ts, pkt_copy, olen, payload, payloadlen)) {
if (dumptrace >= 3) {
fprintf(stderr, "filtered: capturedbytes=%zu, proto=%d, isfrag=%s, isdns=%s, olen=%u, payloadlen=%u\n",
capturedbytes,
proto,
flags & DNSCAP_OUTPUT_ISFRAG ? "yes" : "no",
flags & DNSCAP_OUTPUT_ISDNS ? "yes" : "no",
olen,
payloadlen);
}
return;
}
}
msgcount++;
capturedbytes += olen;
if (dumptrace >= 3) {
fprintf(stderr, "output: capturedbytes=%zu, proto=%d, isfrag=%s, isdns=%s, olen=%u, payloadlen=%u\n",
capturedbytes,
proto,
flags & DNSCAP_OUTPUT_ISFRAG ? "yes" : "no",
flags & DNSCAP_OUTPUT_ISDNS ? "yes" : "no",
olen,
payloadlen);
}
/* Output stage. */
if (preso) {
fputs(descr, stderr);
if (flags & DNSCAP_OUTPUT_ISFRAG) {
fprintf(stderr, ";: [%s] ", ia_str(from));
fprintf(stderr, "-> [%s] (frag)\n", ia_str(to));
} else {
fprintf(stderr, "\t[%s].%u ", ia_str(from), sport);
fprintf(stderr, "[%s].%u ", ia_str(to), dport);
if ((flags & DNSCAP_OUTPUT_ISDNS) && payload)
dump_dns(payload, payloadlen, stderr, "\\\n\t");
}
putc('\n', stderr);
}
if (dump_type != nowhere) {
if (options.dump_format == pcap) {
struct pcap_pkthdr h;
memset(&h, 0, sizeof h);
h.ts = ts;
h.len = h.caplen = olen;
pcap_dump((u_char*)dumper, &h, pkt_copy);
if (flush)
pcap_dump_flush(dumper);
} else if (options.dump_format == cbor && (flags & DNSCAP_OUTPUT_ISDNS) && payload) {
int ret = output_cbor(from, to, proto, flags, sport, dport, ts, payload, payloadlen);
if (ret == DUMP_CBOR_FLUSH) {
if (dumper_close(ts)) {
fprintf(stderr, "%s: dumper_close() failed\n", ProgramName);
exit(1);
}
if (dumper_open(ts)) {
fprintf(stderr, "%s: dumper_open() failed\n", ProgramName);
exit(1);
}
} else if (ret != DUMP_CBOR_OK) {
fprintf(stderr, "%s: output to cbor failed [%u]\n", ProgramName, ret);
exit(1);
}
} else if (options.dump_format == cds) {
int ret = output_cds(from, to, proto, flags, sport, dport, ts, pkt_copy, olen, payload, payloadlen);
if (ret == DUMP_CDS_FLUSH) {
if (dumper_close(ts)) {
fprintf(stderr, "%s: dumper_close() failed\n", ProgramName);
exit(1);
}
if (dumper_open(ts)) {
fprintf(stderr, "%s: dumper_open() failed\n", ProgramName);
exit(1);
}
} else if (ret != DUMP_CDS_OK) {
fprintf(stderr, "%s: output to cds failed [%u]\n", ProgramName, ret);
exit(1);
}
}
}
for (p = HEAD(plugins); p != NULL; p = NEXT(p, link))
if (p->output)
(*p->output)(descr, from, to, proto, flags, sport, dport, ts, pkt_copy, olen, payload, payloadlen);
return;
}
int dumper_open(my_bpftimeval ts)
{
const char* t = NULL;
struct plugin* p;
assert(dump_state == dumper_closed);
while (ts.tv_usec >= MILLION) {
ts.tv_sec++;
ts.tv_usec -= MILLION;
}
if (limit_seconds != 0U)
next_interval = ts.tv_sec
- (ts.tv_sec % limit_seconds)
+ limit_seconds;
if (dump_type == to_stdout) {
t = "-";
} else if (dump_type == to_file) {
char sbuf[64];
struct tm tm;
gmtime_r((time_t*)&ts.tv_sec, &tm);
strftime(sbuf, 64, "%Y%m%d.%H%M%S", &tm);
if (asprintf(&dumpname, "%s.%s.%06lu%s",
dump_base, sbuf,
(u_long)ts.tv_usec, dump_suffix ? dump_suffix : "")
< 0
|| asprintf(&dumpnamepart, "%s.part", dumpname) < 0) {
logerr("asprintf: %s", strerror(errno));
return (TRUE);
}
t = dumpnamepart;
}
if (NULL != t) {
if (options.dump_format == pcap) {
dumper = dnscap_pcap_dump_open(pcap_dead, t);
if (dumper == NULL) {
logerr("pcap dump open: %s",
pcap_geterr(pcap_dead));
return (TRUE);
}
}
}
dumpstart = ts.tv_sec;
if (limit_seconds != 0U) {
struct timeval now;
u_int seconds;
time_t targ;
gettimeofday(&now, NULL);
while (now.tv_usec >= MILLION) {
now.tv_sec++;
now.tv_usec -= MILLION;
}
targ = (((now.tv_sec + (limit_seconds / 2))
/ limit_seconds)
+ 1)
* limit_seconds;
assert(targ > now.tv_sec);
seconds = targ - now.tv_sec;
if (next_interval == 0) {
alarm(seconds);
alarm_set = TRUE;
}
}
for (p = HEAD(plugins); p != NULL; p = NEXT(p, link)) {
int x;
if (!p->open)
continue;
x = (*p->open)(ts);
if (0 == x)
continue;
logerr("%s_open returned %d", p->name, x);
}
dump_state = dumper_opened;
return (FALSE);
}
int dumper_close(my_bpftimeval ts)
{
int ret = FALSE;
struct plugin* p;
assert(dump_state == dumper_opened);
if (print_pcap_stats)
do_pcap_stats();
if (alarm_set) {
alarm(0);
alarm_set = FALSE;
}
if (options.dump_format == pcap) {
if (dumper) {
pcap_dump_close(dumper);
dumper = FALSE;
}
} else if (options.dump_format == cbor) {
int ret;
if (dump_type == to_stdout) {
ret = dump_cbor(stdout);
if (ret != DUMP_CBOR_OK) {
fprintf(stderr, "%s: output to cbor failed [%u]\n", ProgramName, ret);
exit(1);
}
} else if (dump_type == to_file) {
FILE* fp;
if (!(fp = fopen(dumpnamepart, "w"))) {
fprintf(stderr, "%s: fopen(%s) failed: %s\n", ProgramName, dumpnamepart, strerror(errno));
exit(1);
}
ret = dump_cbor(fp);
fclose(fp);
if (ret != DUMP_CBOR_OK) {
fprintf(stderr, "%s: output to cbor failed [%u]\n", ProgramName, ret);
exit(1);
}
}
} else if (options.dump_format == cds) {
int ret;
if (dump_type == to_stdout) {
ret = dump_cds(stdout);
if (ret != DUMP_CDS_OK) {
fprintf(stderr, "%s: output to cds failed [%u]\n", ProgramName, ret);
exit(1);
}
} else if (dump_type == to_file) {
FILE* fp;
if (!(fp = fopen(dumpnamepart, "w"))) {
fprintf(stderr, "%s: fopen(%s) failed: %s\n", ProgramName, dumpnamepart, strerror(errno));
exit(1);
}
ret = dump_cds(fp);
fclose(fp);
if (ret != DUMP_CDS_OK) {
fprintf(stderr, "%s: output to cds failed [%u]\n", ProgramName, ret);
exit(1);
}
}
}
if (dump_type == to_stdout) {
assert(dumpname == NULL);
assert(dumpnamepart == NULL);
if (dumptrace >= 1)
fprintf(stderr, "%s: breaking\n", ProgramName);
ret = TRUE;
} else if (dump_type == to_file) {
char* cmd = NULL;
;
if (dumptrace >= 1)
fprintf(stderr, "%s: closing %s\n",
ProgramName, dumpname);
if (rename(dumpnamepart, dumpname)) {
logerr("rename: %s", strerror(errno));
return ret;
}
if (kick_cmd != NULL)
if (asprintf(&cmd, "%s %s &", kick_cmd, dumpname) < 0) {
logerr("asprintf: %s", strerror(errno));
cmd = NULL;
}
free(dumpnamepart);
dumpnamepart = NULL;
free(dumpname);
dumpname = NULL;
if (cmd != NULL) {
int x = system(cmd);
if (x)
logerr("system: \"%s\" returned %d", cmd, x);
free(cmd);
}
if (kick_cmd == NULL && options.dump_format != cbor && options.dump_format != cds)
ret = TRUE;
}
for (p = HEAD(plugins); p != NULL; p = NEXT(p, link)) {
int x;
if (!p->close)
continue;
x = (*p->close)(ts);
if (x)
logerr("%s_close returned %d", p->name, x);
}
dump_state = dumper_closed;
return (ret);
}
#if HAVE_ZLIB_H
#if HAVE_FUNOPEN
static int
gzip_cookie_write(void* cookie, const char* buf, int size)
{
return gzwrite((gzFile)cookie, (voidpc)buf, (unsigned)size);
}
#elif HAVE_FOPENCOOKIE
static ssize_t
gzip_cookie_write(void* cookie, const char* buf, size_t size)
{
return gzwrite((gzFile)cookie, (voidpc)buf, (unsigned)size);
}
#endif
static int
gzip_cookie_close(void* cookie)
{
return gzclose((gzFile)cookie);
}
#endif /* HAVE_ZLIB_H */
pcap_dumper_t* dnscap_pcap_dump_open(pcap_t* pcap, const char* path)
{
#if HAVE_ZLIB_H
#if HAVE_GZOPEN
if (wantgzip) {
FILE* fp = NULL;
gzFile z = gzopen(path, "w");
if (z == NULL) {
perror("gzopen");
return NULL;
}
#if HAVE_FUNOPEN
fp = funopen(z, NULL, gzip_cookie_write, NULL, gzip_cookie_close);
if (fp == NULL) {
perror("funopen");
return NULL;
}
#elif HAVE_FOPENCOOKIE
{
static cookie_io_functions_t cookiefuncs = {
NULL, gzip_cookie_write, NULL, gzip_cookie_close
};
fp = fopencookie(z, "w", cookiefuncs);
if (fp == NULL) {
perror("fopencookie");
return NULL;
}
}
#endif
return pcap_dump_fopen(pcap, fp);
}
#endif /* HAVE_GZOPEN */
#endif /* HAVE_ZLIB_H */
return pcap_dump_open(pcap, path);
}
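Review bot: In `dumper_close()` the kick command is built with `asprintf(&cmd, "%s %s &", kick_cmd, dumpname)` and run through `system()`, so the file name is parsed by the shell as source text; whitespace or shell metacharacters in `dump_base` or `dump_suffix` change what gets executed. Both values appear to come from the operator's command line, but a capture tool commonly runs with elevated privileges, so the assumption deserves a comment above the `asprintf`, e.g. `/* cmd is shell text: kick_cmd, dump_base and dump_suffix must be operator-controlled */`. A sturdier form would hand the file name to the shell as a positional argument, or exec the command directly, instead of pasting it into the string. The `rename()` failure path just above also returns before `dump_state` is set back to `dumper_closed`, which the `assert` at the top of `dumper_open()` would then trip on.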

50
src/dumper.h Normal file

@ -0,0 +1,50 @@
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include "dnscap.h"
#ifndef __dnscap_dumper_h
#define __dnscap_dumper_h
void output(const char* descr, iaddr from, iaddr to, uint8_t proto, unsigned flags,
unsigned sport, unsigned dport, my_bpftimeval ts,
const u_char* pkt_copy, const unsigned olen,
const u_char* payload, const unsigned payloadlen);
int dumper_open(my_bpftimeval ts);
int dumper_close(my_bpftimeval ts);
pcap_dumper_t* dnscap_pcap_dump_open(pcap_t* pcap, const char* path);
#endif /* __dnscap_dumper_h */

108
src/endian_compat.h Normal file

@ -0,0 +1,108 @@
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef __dnscap_endian_compat_h
#define __dnscap_endian_compat_h
#ifdef HAVE_ENDIAN_H
#include <endian.h>
#else
#ifdef HAVE_SYS_ENDIAN_H
#include <sys/endian.h>
#else
#ifdef HAVE_MACHINE_ENDIAN_H
#include <machine/endian.h>
#endif
#endif
#endif
#ifdef __APPLE__
#include <libkern/OSByteOrder.h>
#define htobe16(x) OSSwapHostToBigInt16(x)
#define htole16(x) OSSwapHostToLittleInt16(x)
#define be16toh(x) OSSwapBigToHostInt16(x)
#define le16toh(x) OSSwapLittleToHostInt16(x)
#define htobe32(x) OSSwapHostToBigInt32(x)
#define htole32(x) OSSwapHostToLittleInt32(x)
#define be32toh(x) OSSwapBigToHostInt32(x)
#define le32toh(x) OSSwapLittleToHostInt32(x)
#define htobe64(x) OSSwapHostToBigInt64(x)
#define htole64(x) OSSwapHostToLittleInt64(x)
#define be64toh(x) OSSwapBigToHostInt64(x)
#define le64toh(x) OSSwapLittleToHostInt64(x)
#define __BYTE_ORDER BYTE_ORDER
#define __BIG_ENDIAN BIG_ENDIAN
#define __LITTLE_ENDIAN LITTLE_ENDIAN
#define __PDP_ENDIAN PDP_ENDIAN
#endif
#if defined(_WIN16) || defined(_WIN32) || defined(_WIN64) || defined(__WINDOWS__)
#include <winsock2.h>
#include <sys/param.h>
#if BYTE_ORDER == LITTLE_ENDIAN
#define htobe16(x) htons(x)
#define htole16(x) (x)
#define be16toh(x) ntohs(x)
#define le16toh(x) (x)
#define htobe32(x) htonl(x)
#define htole32(x) (x)
#define be32toh(x) ntohl(x)
#define le32toh(x) (x)
#define htobe64(x) htonll(x)
#define htole64(x) (x)
#define be64toh(x) ntohll(x)
#define le64toh(x) (x)
#elif BYTE_ORDER == BIG_ENDIAN
#define htobe16(x) (x)
#define htole16(x) __builtin_bswap16(x)
#define be16toh(x) (x)
#define le16toh(x) __builtin_bswap16(x)
#define htobe32(x) (x)
#define htole32(x) __builtin_bswap32(x)
#define be32toh(x) (x)
#define le32toh(x) __builtin_bswap32(x)
#define htobe64(x) (x)
#define htole64(x) __builtin_bswap64(x)
#define be64toh(x) (x)
#define le64toh(x) __builtin_bswap64(x)
#else
#error "byte order not supported"
#endif
#define __BYTE_ORDER BYTE_ORDER
#define __BIG_ENDIAN BIG_ENDIAN
#define __LITTLE_ENDIAN LITTLE_ENDIAN
#define __PDP_ENDIAN PDP_ENDIAN
#endif
#endif
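Review bot: The `HAVE_ENDIAN_H`, `HAVE_SYS_ENDIAN_H` and `HAVE_MACHINE_ENDIAN_H` tests read macros that this header neither defines nor includes, so it works only when `config.h` has been included first, as `dump_dns.c` does. A one-line comment at the top would record that: `/* include config.h before this header: the HAVE_*_ENDIAN_H tests depend on it */`. When none of the branches matches, nothing here reports it, and a user such as `_need16()` would fail only at its `be16toh()` call. A closing `#error` guarded on the conversion macros being absent may be worth considering, provided every supported platform supplies them as macros.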

103
src/endpoint.c Normal file

@ -0,0 +1,103 @@
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#include "endpoint.h"
#include "args.h"
#include "iaddr.h"
void endpoint_arg(endpoint_list* list, const char* arg)
{
struct addrinfo* ai;
iaddr ia;
void* p;
if (inet_pton(AF_INET6, arg, &ia.u.a6) > 0) {
ia.af = AF_INET6;
endpoint_add(list, ia);
} else if (inet_pton(AF_INET, arg, &ia.u.a4) > 0) {
ia.af = AF_INET;
endpoint_add(list, ia);
} else if (getaddrinfo(arg, NULL, NULL, &ai) == 0) {
struct addrinfo* a;
for (a = ai; a != NULL; a = a->ai_next) {
if (a->ai_socktype != SOCK_DGRAM)
continue;
switch (a->ai_family) {
case PF_INET:
ia.af = AF_INET;
p = &((struct sockaddr_in*)a->ai_addr)
->sin_addr;
memcpy(&ia.u.a4, p, sizeof ia.u.a4);
break;
case PF_INET6:
ia.af = AF_INET6;
p = &((struct sockaddr_in6*)a->ai_addr)
->sin6_addr;
memcpy(&ia.u.a6, p, sizeof ia.u.a6);
break;
default:
continue;
}
endpoint_add(list, ia);
}
freeaddrinfo(ai);
} else
usage("invalid host address");
}
void endpoint_add(endpoint_list* list, iaddr ia)
{
endpoint_ptr ep;
ep = calloc(1, sizeof *ep);
assert(ep != NULL);
INIT_LINK(ep, link);
ep->ia = ia;
APPEND(*list, ep, link);
}
int ep_present(const endpoint_list* list, iaddr ia)
{
endpoint_ptr ep;
for (ep = HEAD(*list);
ep != NULL;
ep = NEXT(ep, link))
if (ia_equal(ia, ep->ia))
return TRUE;
return (FALSE);
}
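Review bot: `endpoint_add()` relies on `assert(ep != NULL)` as its only allocation check, so a build with `NDEBUG` removes it and the following `INIT_LINK(ep, link)` operates on a null pointer. A check that survives release builds is safer, for instance `if (ep == NULL) { fprintf(stderr, "out of memory\n"); exit(1); }`, in line with how `dump_dns()` handles a failed `ldns_buffer_new()`. In `endpoint_arg()`, `ia` is filled in field by field and then copied by value. If `ia_equal()` (not visible here) compares more than `af` and the active union member, starting from `iaddr ia = { 0 };` would avoid comparing indeterminate bytes.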

44
src/endpoint.h Normal file

@ -0,0 +1,44 @@
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include "dnscap.h"
#ifndef __dnscap_endpoint_h
#define __dnscap_endpoint_h
void endpoint_arg(endpoint_list* list, const char* arg);
void endpoint_add(endpoint_list* list, iaddr ia);
int ep_present(const endpoint_list* list, iaddr ia);
#endif /* __dnscap_endpoint_h */

161
src/hashtbl.c Normal file

@ -0,0 +1,161 @@
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include "hashtbl.h"
#include <unistd.h>
#include <stdlib.h>
#include <assert.h>
hashtbl* hash_create(unsigned int N, hashkey_func hasher, hashkeycmp_func cmp, hashfree_func datafree)
{
hashtbl* new;
assert(N);
assert(hasher);
assert(cmp);
if ((new = calloc(1, sizeof(hashtbl)))) {
new->modulus = N;
new->hasher = hasher;
new->keycmp = cmp;
new->datafree = datafree;
if (!(new->items = calloc(N, sizeof(hashitem*)))) {
free(new);
return 0;
}
}
return new;
}
int hash_add(const void* key, void* data, hashtbl* tbl)
{
hashitem* new, **I;
unsigned int slot;
if (!key || !tbl) {
return HASHTBL_EARGS;
}
new = calloc(1, sizeof(hashitem));
if (!new) {
return HASHTBL_ENOMEM;
}
new->key = key;
new->data = data;
slot = tbl->hasher(key) % tbl->modulus;
for (I = &tbl->items[slot]; *I; I = &(*I)->next)
;
*I = new;
return 0;
}
void* hash_find(const void* key, hashtbl* tbl)
{
unsigned int slot;
hashitem* i;
if (!key || !tbl) {
return NULL;
}
slot = tbl->hasher(key) % tbl->modulus;
for (i = tbl->items[slot]; i; i = i->next) {
if (!tbl->keycmp(key, i->key))
return i->data;
}
return NULL;
}
void hash_remove(const void* key, hashtbl* tbl)
{
hashitem **I, *i;
int slot;
if (!key || !tbl) {
return;
}
slot = tbl->hasher(key) % tbl->modulus;
for (I = &tbl->items[slot]; *I; I = &(*I)->next) {
if (!tbl->keycmp(key, (*I)->key)) {
i = *I;
*I = (*I)->next;
if (tbl->datafree)
tbl->datafree(i->data);
free(i);
break;
}
}
}
void hash_free(hashtbl* tbl)
{
hashitem *i, *next;
int slot;
if (!tbl) {
return;
}
for (slot = 0; slot < tbl->modulus; slot++) {
for (i = tbl->items[slot]; i;) {
next = i->next;
if (tbl->datafree)
tbl->datafree(i->data);
free(i);
i = next;
}
tbl->items[slot] = 0;
}
}
void hash_destroy(hashtbl* tbl)
{
if (!tbl) {
return;
}
hash_free(tbl);
free(tbl->items);
free(tbl);
}
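Review bot: `hash_remove()` and `hash_free()` declare `int slot` while `modulus` is `unsigned int` and `hash_add()`/`hash_find()` use `unsigned int slot`; with a table created for more than INT_MAX buckets the index in `hash_remove()` can become negative and the loop counter in `hash_free()` overflows, so both should declare `unsigned int slot;`. Separately, `hash_create()` validates its arguments with `assert()` only, so a build with NDEBUG reaches `% tbl->modulus` with a zero modulus; an explicit `if (!N || !hasher || !cmp) return 0;` holds in release builds as well. `hash_add()` appends without looking for an existing equal key, so duplicates are possible and only the first one is ever found or removed; if that is intended it deserves a comment above the function.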

70
src/hashtbl.h Normal file

@ -0,0 +1,70 @@
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef __dnscap_hashtbl_h
#define __dnscap_hashtbl_h
#define HASHTBL_EARGS -1
#define HASHTBL_ENOMEM -2
typedef struct hashitem hashitem;
struct hashitem {
const void* key;
void* data;
hashitem* next;
};
typedef unsigned int (*hashkey_func)(const void* key);
typedef int (*hashkeycmp_func)(const void* a, const void* b);
typedef void (*hashfree_func)(void* data);
typedef struct hashtbl hashtbl;
struct hashtbl {
unsigned int modulus;
hashitem** items;
hashkey_func hasher;
hashkeycmp_func keycmp;
hashfree_func datafree;
};
hashtbl* hash_create(unsigned int N, hashkey_func hasher, hashkeycmp_func cmp, hashfree_func datafree);
int hash_add(const void* key, void* data, hashtbl* tbl);
void* hash_find(const void* key, hashtbl* tbl);
void hash_remove(const void* key, hashtbl* tbl);
void hash_free(hashtbl* tbl);
void hash_destroy(hashtbl* tbl);
#endif // __dnscap_hashtbl_h
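Review bot: The header does not say who owns `key` and `data`, and the implementation in src/hashtbl.c treats them differently: `hash_add()` stores the `key` pointer without copying it, while `hash_remove()` and `hash_free()` release only `data` through `datafree`. A comment above the `hash_add()` prototype such as `/* key is stored by reference and must outlive the entry; data is released with datafree on remove/free, key is never freed here */` would keep callers from leaking keys or freeing them while the entry is still linked. The two error constants should also be parenthesised, `#define HASHTBL_EARGS (-1)`, so they stay correct inside larger expressions.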

68
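--- a/src/iaddr.c
+++ b/src/iaddr.c
@@ -0,0 +1,68 @@
+/*
+* Copyright (c) 2016-2021, OARC, Inc.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. Neither the name of the copyright holder nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "config.h"
+#include "iaddr.h"
+const char* ia_str(iaddr ia)
+{
+static char inet[INET_ADDRSTRLEN], inet6[INET6_ADDRSTRLEN];
+switch (ia.af) {
+case AF_INET:
+if (inet_ntop(ia.af, &ia.u, inet, sizeof(inet)))
+return inet;
+return "255.255.255.255";
+case AF_INET6:
+if (inet_ntop(ia.af, &ia.u, inet6, sizeof(inet6)))
+return inet6;
+return "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff";
+}
+return "UNKNOWN";
+}
+int ia_equal(iaddr x, iaddr y)
+{
+if (x.af != y.af)
+return FALSE;
+switch (x.af) {
+case AF_INET:
+return (x.u.a4.s_addr == y.u.a4.s_addr);
+case AF_INET6:
+return (memcmp(&x.u.a6.s6_addr, &y.u.a6.s6_addr, sizeof(x.u.a6.s6_addr)) == 0);
+}
+return FALSE;
+}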
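Review bot: `ia_str()` returns a pointer into the function-static buffers `inet` and `inet6`, so the result is overwritten by the next call for the same address family and cannot be used from two threads at once; that contract should be stated above the function, e.g. `/* Returns a pointer to a static buffer, valid only until the next call for the same address family; not thread-safe. */`. The fallback strings returned when `inet_ntop()` fails (`"255.255.255.255"` and the all-`ffff` IPv6 form) are themselves valid addresses, so a conversion failure cannot be told apart from real traffic in the output. Returning `"UNKNOWN"`, which the function already uses for other families, would make the failure visible to whoever reads the logs.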

43
src/iaddr.h Normal file

@ -0,0 +1,43 @@
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include "dnscap.h"
#ifndef __dnscap_iaddr_h
#define __dnscap_iaddr_h
const char* ia_str(iaddr ia);
int ia_equal(iaddr x, iaddr y);
#endif /* __dnscap_iaddr_h */

52
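--- a/src/log.c
+++ b/src/log.c
@@ -0,0 +1,52 @@
+/*
+* Copyright (c) 2016-2021, OARC, Inc.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. Neither the name of the copyright holder nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "config.h"
+#include "log.h"
+int logerr(const char* fmt, ...)
+{
+va_list ap;
+int x = 1;
+va_start(ap, fmt);
+if (background)
+vsyslog(LOG_NOTICE, fmt, ap);
+else {
+x = vfprintf(stderr, fmt, ap);
+fputc('\n', stderr);
+}
+va_end(ap);
+return x;
+}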
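Review bot: `logerr()` forwards `fmt` unchanged to `vsyslog()` and `vfprintf()`, so a caller that passes packet-derived or other external text as the format argument gets it interpreted as a format string. The prototype in src/log.h should carry `__attribute__((format(printf, 1, 2)))` (guarded for compilers that lack it) so that `-Wformat` flags such calls at build time. The return value is also inconsistent: it is the `vfprintf()` result in the foreground and the constant `1` when `background` is set, which should be documented or made uniform.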

42
src/log.h Normal file

@ -0,0 +1,42 @@
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include "dnscap.h"
#ifndef __dnscap_log_h
#define __dnscap_log_h
int logerr(const char* fmt, ...);
#endif /* __dnscap_log_h */

62
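--- a/src/memzero.c
+++ b/src/memzero.c
@@ -0,0 +1,62 @@
+/*
+* Copyright (c) 2016-2021, OARC, Inc.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. Neither the name of the copyright holder nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "config.h"
+#if defined(__FreeBSD__)
+#include <strings.h>
+#elif defined(__OpenBSD__)
+#include <string.h>
+#else
+#ifndef __STDC_WANT_LIB_EXT1__
+#define __STDC_WANT_LIB_EXT1__ 1
+#endif
+#include <string.h>
+#endif
+void dnscap_memzero(void* const pnt, const size_t len)
+{
+#if defined(__FreeBSD__) || defined(__OpenBSD__)
+explicit_bzero(pnt, len);
+#elif defined(__STDC_LIB_EXT1__)
+memset_s(pnt, 0, len);
+#else
+volatile unsigned char* volatile pnt_ = (volatile unsigned char* volatile)pnt;
+size_t i = (size_t)0U;
+while (i < len) {
+pnt_[i++] = 0U;
+}
+#endif
+}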
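Review bot: The `__STDC_LIB_EXT1__` branch calls `memset_s(pnt, 0, len)` with three arguments, but C11 Annex K declares `memset_s(void *s, rsize_t smax, int c, rsize_t n)`, so this branch does not compile on a platform that defines `__STDC_LIB_EXT1__`. It should read `memset_s(pnt, (rsize_t)len, 0, (rsize_t)len);`. The file also never includes memzero.h, so the definition is not checked against the prototype callers see; adding `#include "memzero.h"` after config.h closes that gap.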

40
src/memzero.h Normal file

@ -0,0 +1,40 @@
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef __dnscap_memzero_h
#define __dnscap_memzero_h
void dnscap_memzero(void* const pnt, const size_t len);
#endif /* __dnscap_memzero_h */
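Review bot: The header uses `size_t` in the prototype without including anything that defines it, so it compiles only when the including file has already pulled in a standard header; add `#include <stddef.h>` inside the guard. The prototype also has no comment, and the reason this function exists instead of a plain `memset()` is not obvious from the name; something like `/* Zero len bytes at pnt using a method the compiler may not optimise away. */` would tell callers when to use it.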

1834
src/network.c Normal file

File diff suppressed because it is too large Load diff

52
src/network.h Normal file

@ -0,0 +1,52 @@
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include "dnscap.h"
#ifndef __dnscap_network_h
#define __dnscap_network_h
tcpstate_ptr tcpstate_find(iaddr from, iaddr to, unsigned sport, unsigned dport, time_t t);
tcpstate_ptr tcpstate_new(iaddr from, iaddr to, unsigned sport, unsigned dport);
void dl_pkt(u_char* user, const struct pcap_pkthdr* hdr, const u_char* pkt, const char* name, const int dlt);
void discard(tcpstate_ptr tcpstate, const char* msg);
void network_pkt(const char* descr, my_bpftimeval ts, unsigned pf, const u_char* opkt, size_t olen);
uint16_t in_checksum(const u_char* ptr, size_t len);
void layer_pkt(u_char* user, const pcap_thread_packet_t* packet, const u_char* payload, size_t length);
void network_pkt2(const char* descr, my_bpftimeval ts, const pcap_thread_packet_t* packet, const u_char* payload, size_t length);
size_t calcdnslen(const u_char* dnspkt, size_t dnslen);
#endif /* __dnscap_network_h */

248
src/options.c Normal file

@ -0,0 +1,248 @@
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#include "options.h"
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#define have(a) option_length == (sizeof(a) - 1) && !strncmp(option, a, (sizeof(a) - 1))
int option_parse(options_t* options, const char* option)
{
const char* argument;
int option_length;
char* p;
size_t s;
if (!options) {
return -1;
}
if (!option) {
return -1;
}
if (!(argument = strchr(option, '='))) {
return -2;
}
argument++;
if (!*argument) {
return -2;
}
option_length = argument - option - 1;
if (option_length < 1) {
return -2;
}
if (have("cbor_chunk_size")) {
s = strtoul(argument, &p, 0);
if (p && !*p && s > 0) {
options->cbor_chunk_size = s;
return 0;
}
} else if (have("cds_cbor_size")) {
s = strtoul(argument, &p, 0);
if (p && !*p && s > 0) {
options->cds_cbor_size = s;
return 0;
}
} else if (have("cds_message_size")) {
s = strtoul(argument, &p, 0);
if (p && !*p && s > 0) {
options->cds_message_size = s;
return 0;
}
} else if (have("cds_max_rlabels")) {
s = strtoul(argument, &p, 0);
if (p && !*p && s > 0) {
options->cds_max_rlabels = s;
return 0;
}
} else if (have("cds_min_rlabel_size")) {
s = strtoul(argument, &p, 0);
if (p && !*p && s > 0) {
options->cds_min_rlabel_size = s;
return 0;
}
} else if (have("cds_use_rdata_index")) {
if (!strcmp(argument, "yes")) {
options->cds_use_rdata_index = 1;
return 0;
}
} else if (have("cds_rdata_index_min_size")) {
s = strtoul(argument, &p, 0);
if (p && !*p && s > 0) {
options->cds_rdata_index_min_size = s;
return 0;
}
} else if (have("cds_use_rdata_rindex")) {
if (!strcmp(argument, "yes")) {
options->cds_use_rdata_rindex = 1;
return 0;
}
} else if (have("cds_rdata_rindex_size")) {
s = strtoul(argument, &p, 0);
if (p && !*p && s > 0) {
options->cds_rdata_rindex_size = s;
return 0;
}
} else if (have("cds_rdata_rindex_min_size")) {
s = strtoul(argument, &p, 0);
if (p && !*p && s > 0) {
options->cds_rdata_rindex_min_size = s;
return 0;
}
} else if (have("dump_format")) {
if (!strcmp(argument, "pcap")) {
options->dump_format = pcap;
return 0;
} else if (!strcmp(argument, "cbor")) {
options->dump_format = cbor;
return 0;
} else if (!strcmp(argument, "cds")) {
options->dump_format = cds;
return 0;
}
} else if (have("user")) {
if (options->user) {
free(options->user);
}
if ((options->user = strdup(argument))) {
return 0;
}
} else if (have("group")) {
if (options->group) {
free(options->group);
}
if ((options->group = strdup(argument))) {
return 0;
}
} else if (have("pcap_buffer_size")) {
s = strtoul(argument, &p, 0);
if (p && !*p && s > 0) {
options->pcap_buffer_size = s;
return 0;
}
} else if (have("use_layers")) {
if (!strcmp(argument, "yes")) {
options->use_layers = 1;
return 0;
}
} else if (have("defrag_ipv4")) {
if (!strcmp(argument, "yes")) {
options->defrag_ipv4 = 1;
return 0;
}
} else if (have("max_ipv4_fragments")) {
s = strtoul(argument, &p, 0);
if (p && !*p && s > 0) {
options->max_ipv4_fragments = s;
return 0;
}
} else if (have("max_ipv4_fragments_per_packet")) {
s = strtoul(argument, &p, 0);
if (p && !*p && s > 0) {
options->max_ipv4_fragments_per_packet = s;
return 0;
}
} else if (have("defrag_ipv6")) {
if (!strcmp(argument, "yes")) {
options->defrag_ipv6 = 1;
return 0;
}
} else if (have("max_ipv6_fragments")) {
s = strtoul(argument, &p, 0);
if (p && !*p && s > 0) {
options->max_ipv6_fragments = s;
return 0;
}
} else if (have("max_ipv6_fragments_per_packet")) {
s = strtoul(argument, &p, 0);
if (p && !*p && s > 0) {
options->max_ipv6_fragments_per_packet = s;
return 0;
}
} else if (have("parse_ongoing_tcp")) {
if (!strcmp(argument, "yes")) {
options->parse_ongoing_tcp = 1;
return 0;
}
} else if (have("allow_reset_tcpstate")) {
if (!strcmp(argument, "yes")) {
options->allow_reset_tcpstate = 1;
return 0;
}
} else if (have("reassemble_tcp")) {
if (!strcmp(argument, "yes")) {
options->reassemble_tcp = 1;
return 0;
}
} else if (have("reassemble_tcp_faultreset")) {
s = strtoul(argument, &p, 0);
if (p && !*p && s > 0) {
options->reassemble_tcp_faultreset = s;
return 0;
}
} else if (have("reassemble_tcp_bfbparsedns")) {
if (!strcmp(argument, "yes")) {
options->reassemble_tcp_bfbparsedns = 1;
return 0;
}
} else if (have("bpf_hosts_apply_all")) {
if (!strcmp(argument, "yes")) {
options->bpf_hosts_apply_all = 1;
return 0;
}
}
return 1;
}
void options_free(options_t* options)
{
if (options) {
if (options->user) {
free(options->user);
options->user = 0;
}
if (options->group) {
free(options->group);
options->group = 0;
}
}
}
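Review bot: Every numeric option in `option_parse()` is read with `strtoul(argument, &p, 0)` and accepted when `p && !*p && s > 0`, which lets through a leading minus sign (`strtoul()` negates and wraps, so `-1` becomes ULONG_MAX) and out-of-range input (saturated to ULONG_MAX with `errno` set to ERANGE, which is never checked). For limits such as `max_ipv4_fragments`, `pcap_buffer_size` or `cds_message_size` that silently turns a typo into an effectively unbounded value. A small helper that rejects a sign, checks `errno` and the end pointer, and is used by all numeric branches closes this and removes the repetition; it needs `<errno.h>`, which this file does not include yet. The `have()` macro should also wrap its expansion in parentheses so it stays correct if it is ever combined with `!` or `||`.

```c
/* Parse a strictly positive size; rejects sign, whitespace, overflow and trailing text. */
static int parse_size(const char* argument, size_t* out)
{
    char*         end = 0;
    unsigned long v;

    if (*argument < '0' || *argument > '9') {
        return -1; /* strtoul() itself would accept leading whitespace and a sign */
    }
    errno = 0;
    v     = strtoul(argument, &end, 0);
    if (errno == ERANGE || !end || *end || !v) {
        return -1;
    }
    *out = v;
    return 0;
}

    if (have("cbor_chunk_size")) {
        if (!parse_size(argument, &options->cbor_chunk_size)) {
            return 0;
        }
    } else if (have("cds_cbor_size")) {
        if (!parse_size(argument, &options->cds_cbor_size)) {
            return 0;
        }
    /* … unchanged: the remaining numeric options follow the same pattern; yes/no, dump_format, user and group branches stay as they are … */
```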

121
src/options.h Normal file

@ -0,0 +1,121 @@
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include <sys/types.h>
#include "dump_cds.h"
#ifndef __dnscap_options_h
#define __dnscap_options_h
typedef enum dump_format dump_format_t;
enum dump_format {
pcap,
cbor,
cds
};
/* clang-format off */
#define OPTIONS_T_DEFAULTS { \
1024 * 1024, \
\
1024 * 1024, \
64 * 1024, \
CDS_DEFAULT_MAX_RLABELS, \
CDS_DEFAULT_MIN_RLABEL_SIZE, \
0, \
CDS_DEFAULT_RDATA_INDEX_MIN_SIZE, \
0, \
CDS_DEFAULT_RDATA_RINDEX_SIZE, \
CDS_DEFAULT_RDATA_RINDEX_MIN_SIZE, \
\
pcap, \
\
0, \
0, \
\
0, \
\
0, 0, 0, 0, 0, 0, 0, \
\
0, 0, 0, 0, 0, \
\
0 \
}
/* clang-format on */
typedef struct options options_t;
struct options {
size_t cbor_chunk_size;
size_t cds_cbor_size;
size_t cds_message_size;
size_t cds_max_rlabels;
size_t cds_min_rlabel_size;
int cds_use_rdata_index;
size_t cds_rdata_index_min_size;
int cds_use_rdata_rindex;
size_t cds_rdata_rindex_size;
size_t cds_rdata_rindex_min_size;
dump_format_t dump_format;
char* user;
char* group;
size_t pcap_buffer_size;
int use_layers;
int defrag_ipv4;
size_t max_ipv4_fragments;
size_t max_ipv4_fragments_per_packet;
int defrag_ipv6;
size_t max_ipv6_fragments;
size_t max_ipv6_fragments_per_packet;
int parse_ongoing_tcp;
int allow_reset_tcpstate;
int reassemble_tcp;
size_t reassemble_tcp_faultreset;
int reassemble_tcp_bfbparsedns;
int bpf_hosts_apply_all;
};
int option_parse(options_t* options, const char* option);
void options_free(options_t* options);
#endif /* __dnscap_options_h */
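Review bot: `OPTIONS_T_DEFAULTS` initialises `struct options` positionally, so its values must stay in exactly the order of the struct members, and a field added or moved in the middle silently shifts every later default (for example a size limit landing in a flag). Designated initialisers remove that coupling: `.cbor_chunk_size = 1024 * 1024, \`, `.cds_max_rlabels = CDS_DEFAULT_MAX_RLABELS, \`, `.dump_format = pcap, \`, with all unnamed members defaulting to zero. The enum constants `pcap`, `cbor` and `cds` are also very short names for file scope; a prefix such as `dump_format_pcap` would avoid clashes with identifiers from other headers.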


@ -0,0 +1,15 @@
AC_DEFUN([AX_PCAP_THREAD_PCAP], [
AC_HEADER_TIME
AC_CHECK_LIB([pcap], [pcap_open_live], [], AC_MSG_ERROR([libpcap not found]))
AC_CHECK_HEADER([pcap/pcap.h], [], [AC_MSG_ERROR([libpcap header not found])])
AC_CHECK_HEADERS([endian.h sys/endian.h machine/endian.h sys/time.h])
AC_CHECK_FUNCS([pcap_create pcap_set_tstamp_precision pcap_set_immediate_mode])
AC_CHECK_FUNCS([pcap_set_tstamp_type pcap_setdirection sched_yield])
AC_CHECK_FUNCS([pcap_open_offline_with_tstamp_precision pcap_activate])
AC_CHECK_TYPES([pcap_direction_t], [], [], [[#include <pcap/pcap.h>]])
])
AC_DEFUN([AX_PCAP_THREAD], [
AX_PTHREAD
AX_PCAP_THREAD_PCAP
])


@ -0,0 +1,485 @@
# ===========================================================================
# http://www.gnu.org/software/autoconf-archive/ax_pthread.html
# ===========================================================================
#
# SYNOPSIS
#
# AX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]])
#
# DESCRIPTION
#
# This macro figures out how to build C programs using POSIX threads. It
# sets the PTHREAD_LIBS output variable to the threads library and linker
# flags, and the PTHREAD_CFLAGS output variable to any special C compiler
# flags that are needed. (The user can also force certain compiler
# flags/libs to be tested by setting these environment variables.)
#
# Also sets PTHREAD_CC to any special C compiler that is needed for
# multi-threaded programs (defaults to the value of CC otherwise). (This
# is necessary on AIX to use the special cc_r compiler alias.)
#
# NOTE: You are assumed to not only compile your program with these flags,
# but also to link with them as well. For example, you might link with
# $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS
#
# If you are only building threaded programs, you may wish to use these
# variables in your default LIBS, CFLAGS, and CC:
#
# LIBS="$PTHREAD_LIBS $LIBS"
# CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
# CC="$PTHREAD_CC"
#
# In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant
# has a nonstandard name, this macro defines PTHREAD_CREATE_JOINABLE to
# that name (e.g. PTHREAD_CREATE_UNDETACHED on AIX).
#
# Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the
# PTHREAD_PRIO_INHERIT symbol is defined when compiling with
# PTHREAD_CFLAGS.
#
# ACTION-IF-FOUND is a list of shell commands to run if a threads library
# is found, and ACTION-IF-NOT-FOUND is a list of commands to run it if it
# is not found. If ACTION-IF-FOUND is not specified, the default action
# will define HAVE_PTHREAD.
#
# Please let the authors know if this macro fails on any platform, or if
# you have any other suggestions or comments. This macro was based on work
# by SGJ on autoconf scripts for FFTW (http://www.fftw.org/) (with help
# from M. Frigo), as well as ac_pthread and hb_pthread macros posted by
# Alejandro Forero Cuervo to the autoconf macro repository. We are also
# grateful for the helpful feedback of numerous users.
#
# Updated for Autoconf 2.68 by Daniel Richard G.
#
# LICENSE
#
# Copyright (c) 2008 Steven G. Johnson <stevenj@alum.mit.edu>
# Copyright (c) 2011 Daniel Richard G. <skunk@iSKUNK.ORG>
#
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 3 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
# Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program. If not, see <http://www.gnu.org/licenses/>.
#
# As a special exception, the respective Autoconf Macro's copyright owner
# gives unlimited permission to copy, distribute and modify the configure
# scripts that are the output of Autoconf when processing the Macro. You
# need not follow the terms of the GNU General Public License when using
# or distributing such scripts, even though portions of the text of the
# Macro appear in them. The GNU General Public License (GPL) does govern
# all other use of the material that constitutes the Autoconf Macro.
#
# This special exception to the GPL applies to versions of the Autoconf
# Macro released by the Autoconf Archive. When you make and distribute a
# modified version of the Autoconf Macro, you may extend this special
# exception to the GPL to apply to your modified version as well.
#serial 23
AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD])
AC_DEFUN([AX_PTHREAD], [
AC_REQUIRE([AC_CANONICAL_HOST])
AC_REQUIRE([AC_PROG_CC])
AC_REQUIRE([AC_PROG_SED])
AC_LANG_PUSH([C])
ax_pthread_ok=no
# We used to check for pthread.h first, but this fails if pthread.h
# requires special compiler flags (e.g. on Tru64 or Sequent).
# It gets checked for in the link test anyway.
# First of all, check if the user has set any of the PTHREAD_LIBS,
# etcetera environment variables, and if threads linking works using
# them:
if test "x$PTHREAD_CFLAGS$PTHREAD_LIBS" != "x"; then
ax_pthread_save_CC="$CC"
ax_pthread_save_CFLAGS="$CFLAGS"
ax_pthread_save_LIBS="$LIBS"
AS_IF([test "x$PTHREAD_CC" != "x"], [CC="$PTHREAD_CC"])
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
LIBS="$PTHREAD_LIBS $LIBS"
AC_MSG_CHECKING([for pthread_join using $CC $PTHREAD_CFLAGS $PTHREAD_LIBS])
AC_LINK_IFELSE([AC_LANG_CALL([], [pthread_join])], [ax_pthread_ok=yes])
AC_MSG_RESULT([$ax_pthread_ok])
if test "x$ax_pthread_ok" = "xno"; then
PTHREAD_LIBS=""
PTHREAD_CFLAGS=""
fi
CC="$ax_pthread_save_CC"
CFLAGS="$ax_pthread_save_CFLAGS"
LIBS="$ax_pthread_save_LIBS"
fi
# We must check for the threads library under a number of different
# names; the ordering is very important because some systems
# (e.g. DEC) have both -lpthread and -lpthreads, where one of the
# libraries is broken (non-POSIX).
# Create a list of thread flags to try. Items starting with a "-" are
# C compiler flags, and other items are library names, except for "none"
# which indicates that we try without any flags at all, and "pthread-config"
# which is a program returning the flags for the Pth emulation library.
ax_pthread_flags="pthreads none -Kthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config"
# The ordering *is* (sometimes) important. Some notes on the
# individual items follow:
# pthreads: AIX (must check this before -lpthread)
# none: in case threads are in libc; should be tried before -Kthread and
# other compiler flags to prevent continual compiler warnings
# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h)
# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads), Tru64
# (Note: HP C rejects this with "bad form for `-t' option")
# -pthreads: Solaris/gcc (Note: HP C also rejects)
# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it
# doesn't hurt to check since this sometimes defines pthreads and
# -D_REENTRANT too), HP C (must be checked before -lpthread, which
# is present but should not be used directly; and before -mthreads,
# because the compiler interprets this as "-mt" + "-hreads")
# -mthreads: Mingw32/gcc, Lynx/gcc
# pthread: Linux, etcetera
# --thread-safe: KAI C++
# pthread-config: use pthread-config program (for GNU Pth library)
case $host_os in
freebsd*)
# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able)
# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread)
ax_pthread_flags="-kthread lthread $ax_pthread_flags"
;;
hpux*)
# From the cc(1) man page: "[-mt] Sets various -D flags to enable
# multi-threading and also sets -lpthread."
ax_pthread_flags="-mt -pthread pthread $ax_pthread_flags"
;;
openedition*)
# IBM z/OS requires a feature-test macro to be defined in order to
# enable POSIX threads at all, so give the user a hint if this is
# not set. (We don't define these ourselves, as they can affect
# other portions of the system API in unpredictable ways.)
AC_EGREP_CPP([AX_PTHREAD_ZOS_MISSING],
[
# if !defined(_OPEN_THREADS) && !defined(_UNIX03_THREADS)
AX_PTHREAD_ZOS_MISSING
# endif
],
[AC_MSG_WARN([IBM z/OS requires -D_OPEN_THREADS or -D_UNIX03_THREADS to enable pthreads support.])])
;;
solaris*)
# On Solaris (at least, for some versions), libc contains stubbed
# (non-functional) versions of the pthreads routines, so link-based
# tests will erroneously succeed. (N.B.: The stubs are missing
# pthread_cleanup_push, or rather a function called by this macro,
# so we could check for that, but who knows whether they'll stub
# that too in a future libc.) So we'll check first for the
# standard Solaris way of linking pthreads (-mt -lpthread).
ax_pthread_flags="-mt,pthread pthread $ax_pthread_flags"
;;
esac
# GCC generally uses -pthread, or -pthreads on some platforms (e.g. SPARC)
AS_IF([test "x$GCC" = "xyes"],
[ax_pthread_flags="-pthread -pthreads $ax_pthread_flags"])
# The presence of a feature test macro requesting re-entrant function
# definitions is, on some systems, a strong hint that pthreads support is
# correctly enabled
case $host_os in
darwin* | hpux* | linux* | osf* | solaris*)
ax_pthread_check_macro="_REENTRANT"
;;
aix*)
ax_pthread_check_macro="_THREAD_SAFE"
;;
*)
ax_pthread_check_macro="--"
;;
esac
AS_IF([test "x$ax_pthread_check_macro" = "x--"],
[ax_pthread_check_cond=0],
[ax_pthread_check_cond="!defined($ax_pthread_check_macro)"])
# Are we compiling with Clang?
AC_CACHE_CHECK([whether $CC is Clang],
[ax_cv_PTHREAD_CLANG],
[ax_cv_PTHREAD_CLANG=no
# Note that Autoconf sets GCC=yes for Clang as well as GCC
if test "x$GCC" = "xyes"; then
AC_EGREP_CPP([AX_PTHREAD_CC_IS_CLANG],
[/* Note: Clang 2.7 lacks __clang_[a-z]+__ */
# if defined(__clang__) && defined(__llvm__)
AX_PTHREAD_CC_IS_CLANG
# endif
],
[ax_cv_PTHREAD_CLANG=yes])
fi
])
ax_pthread_clang="$ax_cv_PTHREAD_CLANG"
ax_pthread_clang_warning=no
# Clang needs special handling, because older versions handle the -pthread
# option in a rather... idiosyncratic way
if test "x$ax_pthread_clang" = "xyes"; then
# Clang takes -pthread; it has never supported any other flag
# (Note 1: This will need to be revisited if a system that Clang
# supports has POSIX threads in a separate library. This tends not
# to be the way of modern systems, but it's conceivable.)
# (Note 2: On some systems, notably Darwin, -pthread is not needed
# to get POSIX threads support; the API is always present and
# active. We could reasonably leave PTHREAD_CFLAGS empty. But
# -pthread does define _REENTRANT, and while the Darwin headers
# ignore this macro, third-party headers might not.)
PTHREAD_CFLAGS="-pthread"
PTHREAD_LIBS=
ax_pthread_ok=yes
# However, older versions of Clang make a point of warning the user
# that, in an invocation where only linking and no compilation is
# taking place, the -pthread option has no effect ("argument unused
# during compilation"). They expect -pthread to be passed in only
# when source code is being compiled.
#
# Problem is, this is at odds with the way Automake and most other
# C build frameworks function, which is that the same flags used in
# compilation (CFLAGS) are also used in linking. Many systems
# supported by AX_PTHREAD require exactly this for POSIX threads
# support, and in fact it is often not straightforward to specify a
# flag that is used only in the compilation phase and not in
# linking. Such a scenario is extremely rare in practice.
#
# Even though use of the -pthread flag in linking would only print
# a warning, this can be a nuisance for well-run software projects
# that build with -Werror. So if the active version of Clang has
# this misfeature, we search for an option to squash it.
AC_CACHE_CHECK([whether Clang needs flag to prevent "argument unused" warning when linking with -pthread],
[ax_cv_PTHREAD_CLANG_NO_WARN_FLAG],
[ax_cv_PTHREAD_CLANG_NO_WARN_FLAG=unknown
# Create an alternate version of $ac_link that compiles and
# links in two steps (.c -> .o, .o -> exe) instead of one
# (.c -> exe), because the warning occurs only in the second
# step
ax_pthread_save_ac_link="$ac_link"
ax_pthread_sed='s/conftest\.\$ac_ext/conftest.$ac_objext/g'
ax_pthread_link_step=`$as_echo "$ac_link" | sed "$ax_pthread_sed"`
ax_pthread_2step_ac_link="($ac_compile) && (echo ==== >&5) && ($ax_pthread_link_step)"
ax_pthread_save_CFLAGS="$CFLAGS"
for ax_pthread_try in '' -Qunused-arguments -Wno-unused-command-line-argument unknown; do
AS_IF([test "x$ax_pthread_try" = "xunknown"], [break])
CFLAGS="-Werror -Wunknown-warning-option $ax_pthread_try -pthread $ax_pthread_save_CFLAGS"
ac_link="$ax_pthread_save_ac_link"
AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])],
[ac_link="$ax_pthread_2step_ac_link"
AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])],
[break])
])
done
ac_link="$ax_pthread_save_ac_link"
CFLAGS="$ax_pthread_save_CFLAGS"
AS_IF([test "x$ax_pthread_try" = "x"], [ax_pthread_try=no])
ax_cv_PTHREAD_CLANG_NO_WARN_FLAG="$ax_pthread_try"
])
case "$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG" in
no | unknown) ;;
*) PTHREAD_CFLAGS="$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG $PTHREAD_CFLAGS" ;;
esac
fi # $ax_pthread_clang = yes
if test "x$ax_pthread_ok" = "xno"; then
for ax_pthread_try_flag in $ax_pthread_flags; do
case $ax_pthread_try_flag in
none)
AC_MSG_CHECKING([whether pthreads work without any flags])
;;
-mt,pthread)
AC_MSG_CHECKING([whether pthreads work with -mt -lpthread])
PTHREAD_CFLAGS="-mt"
PTHREAD_LIBS="-lpthread"
;;
-*)
AC_MSG_CHECKING([whether pthreads work with $ax_pthread_try_flag])
PTHREAD_CFLAGS="$ax_pthread_try_flag"
;;
pthread-config)
AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no])
AS_IF([test "x$ax_pthread_config" = "xno"], [continue])
PTHREAD_CFLAGS="`pthread-config --cflags`"
PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`"
;;
*)
AC_MSG_CHECKING([for the pthreads library -l$ax_pthread_try_flag])
PTHREAD_LIBS="-l$ax_pthread_try_flag"
;;
esac
ax_pthread_save_CFLAGS="$CFLAGS"
ax_pthread_save_LIBS="$LIBS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
LIBS="$PTHREAD_LIBS $LIBS"
# Check for various functions. We must include pthread.h,
# since some functions may be macros. (On the Sequent, we
# need a special flag -Kthread to make this header compile.)
# We check for pthread_join because it is in -lpthread on IRIX
# while pthread_create is in libc. We check for pthread_attr_init
# due to DEC craziness with -lpthreads. We check for
# pthread_cleanup_push because it is one of the few pthread
# functions on Solaris that doesn't have a non-functional libc stub.
# We try pthread_create on general principles.
AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>
# if $ax_pthread_check_cond
# error "$ax_pthread_check_macro must be defined"
# endif
static void routine(void *a) { a = 0; }
static void *start_routine(void *a) { return a; }],
[pthread_t th; pthread_attr_t attr;
pthread_create(&th, 0, start_routine, 0);
pthread_join(th, 0);
pthread_attr_init(&attr);
pthread_cleanup_push(routine, 0);
pthread_cleanup_pop(0) /* ; */])],
[ax_pthread_ok=yes],
[])
CFLAGS="$ax_pthread_save_CFLAGS"
LIBS="$ax_pthread_save_LIBS"
AC_MSG_RESULT([$ax_pthread_ok])
AS_IF([test "x$ax_pthread_ok" = "xyes"], [break])
PTHREAD_LIBS=""
PTHREAD_CFLAGS=""
done
fi
# Various other checks:
if test "x$ax_pthread_ok" = "xyes"; then
ax_pthread_save_CFLAGS="$CFLAGS"
ax_pthread_save_LIBS="$LIBS"
CFLAGS="$CFLAGS $PTHREAD_CFLAGS"
LIBS="$PTHREAD_LIBS $LIBS"
# Detect AIX lossage: JOINABLE attribute is called UNDETACHED.
AC_CACHE_CHECK([for joinable pthread attribute],
[ax_cv_PTHREAD_JOINABLE_ATTR],
[ax_cv_PTHREAD_JOINABLE_ATTR=unknown
for ax_pthread_attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do
AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <pthread.h>],
[int attr = $ax_pthread_attr; return attr /* ; */])],
[ax_cv_PTHREAD_JOINABLE_ATTR=$ax_pthread_attr; break],
[])
done
])
AS_IF([test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xunknown" && \
test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xPTHREAD_CREATE_JOINABLE" && \
test "x$ax_pthread_joinable_attr_defined" != "xyes"],
[AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE],
[$ax_cv_PTHREAD_JOINABLE_ATTR],
[Define to necessary symbol if this constant
uses a non-standard name on your system.])
ax_pthread_joinable_attr_defined=yes
])
AC_CACHE_CHECK([whether more special flags are required for pthreads],
[ax_cv_PTHREAD_SPECIAL_FLAGS],
[ax_cv_PTHREAD_SPECIAL_FLAGS=no
case $host_os in
solaris*)
ax_cv_PTHREAD_SPECIAL_FLAGS="-D_POSIX_PTHREAD_SEMANTICS"
;;
esac
])
AS_IF([test "x$ax_cv_PTHREAD_SPECIAL_FLAGS" != "xno" && \
test "x$ax_pthread_special_flags_added" != "xyes"],
[PTHREAD_CFLAGS="$ax_cv_PTHREAD_SPECIAL_FLAGS $PTHREAD_CFLAGS"
ax_pthread_special_flags_added=yes])
AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT],
[ax_cv_PTHREAD_PRIO_INHERIT],
[AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <pthread.h>]],
[[int i = PTHREAD_PRIO_INHERIT;]])],
[ax_cv_PTHREAD_PRIO_INHERIT=yes],
[ax_cv_PTHREAD_PRIO_INHERIT=no])
])
AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes" && \
test "x$ax_pthread_prio_inherit_defined" != "xyes"],
[AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.])
ax_pthread_prio_inherit_defined=yes
])
CFLAGS="$ax_pthread_save_CFLAGS"
LIBS="$ax_pthread_save_LIBS"
# More AIX lossage: compile with *_r variant
if test "x$GCC" != "xyes"; then
case $host_os in
aix*)
AS_CASE(["x/$CC"],
[x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6],
[#handle absolute path differently from PATH based program lookup
AS_CASE(["x$CC"],
[x/*],
[AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])],
[AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])])
;;
esac
fi
fi
test -n "$PTHREAD_CC" || PTHREAD_CC="$CC"
AC_SUBST([PTHREAD_LIBS])
AC_SUBST([PTHREAD_CFLAGS])
AC_SUBST([PTHREAD_CC])
# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND:
if test "x$ax_pthread_ok" = "xyes"; then
ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1])
:
else
ax_pthread_ok=no
$2
fi
AC_LANG_POP
])dnl AX_PTHREAD



@ -0,0 +1,640 @@
/*
* Author Jerry Lundström <jerry@dns-oarc.net>
* Copyright (c) 2016-2017, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef __pcap_thread_h
#define __pcap_thread_h
#ifdef HAVE_PTHREAD
#include <pthread.h>
#endif
#include <pcap/pcap.h>
#include <sys/socket.h>
#ifdef TIME_WITH_SYS_TIME
#include <sys/time.h>
#include <time.h>
#else
#ifdef HAVE_SYS_TIME_H
#include <sys/time.h>
#else
#include <time.h>
#endif
#endif
#include <sys/types.h>
#include <netinet/in.h>
#include <net/if_arp.h>
#include <netinet/if_ether.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#ifdef HAVE_ENDIAN_H
#include <endian.h>
#endif
#ifdef HAVE_SYS_ENDIAN_H
#include <sys/endian.h>
#endif
#ifdef HAVE_MACHINE_ENDIAN_H
#include <machine/endian.h>
#endif
#ifndef __BYTE_ORDER
#if defined(BYTE_ORDER)
#define __BYTE_ORDER BYTE_ORDER
#elif defined(_BYTE_ORDER)
#define __BYTE_ORDER _BYTE_ORDER
#else
#error "No endian byte order define, please fix"
#endif
#endif
#ifndef __LITTLE_ENDIAN
#if defined(LITTLE_ENDIAN)
#define __LITTLE_ENDIAN LITTLE_ENDIAN
#elif defined(_LITTLE_ENDIAN)
#define __LITTLE_ENDIAN _LITTLE_ENDIAN
#else
#error "No little endian define, please fix"
#endif
#endif
#ifndef __BIG_ENDIAN
#if defined(BIG_ENDIAN)
#define __BIG_ENDIAN BIG_ENDIAN
#elif defined(_BIG_ENDIAN)
#define __BIG_ENDIAN _BIG_ENDIAN
#else
#error "No big endian define, please fix"
#endif
#endif
#ifndef PCAP_NETMASK_UNKNOWN
#define PCAP_NETMASK_UNKNOWN 0xffffffff
#endif
#ifdef __cplusplus
extern "C" {
#endif
/* clang-format off */
#define PCAP_THREAD_VERSION_STR "4.0.0"
#define PCAP_THREAD_VERSION_MAJOR 4
#define PCAP_THREAD_VERSION_MINOR 0
#define PCAP_THREAD_VERSION_PATCH 0
#define PCAP_THREAD_DEFAULT_TIMEOUT 1000
#define PCAP_THREAD_DEFAULT_QUEUE_SIZE 64
#define PCAP_THREAD_DEFAULT_QUEUE_MODE PCAP_THREAD_QUEUE_MODE_COND
#define PCAP_THREAD_DEFAULT_ACTIVATE_MODE PCAP_THREAD_ACTIVATE_MODE_IMMEDIATE
#define PCAP_THREAD_OK 0
#define PCAP_THREAD_EPCAP 1
#define PCAP_THREAD_ENOMEM 2
#define PCAP_THREAD_ENOMON 3
#define PCAP_THREAD_ENODIR 4
#define PCAP_THREAD_EINVAL 5
#define PCAP_THREAD_EWOULDBLOCK 6
#define PCAP_THREAD_NOPCAPS 7
#define PCAP_THREAD_NOCALLBACK 8
#define PCAP_THREAD_ERRNO 9
#define PCAP_THREAD_NOYIELD 10
#define PCAP_THREAD_EOBSOLETE 11
#define PCAP_THREAD_ERUNNING 12
#define PCAP_THREAD_ENOPCAPLIST 13
#define PCAP_THREAD_ELAYERCB 14
#define PCAP_THREAD_EPCAP_STR "libpcap error"
#define PCAP_THREAD_ENOMEM_STR "out of memory"
#define PCAP_THREAD_ENOMON_STR "monitor mode requested but not supported"
#define PCAP_THREAD_ENODIR_STR "direction specified but not supported"
#define PCAP_THREAD_EINVAL_STR "invalid argument"
#define PCAP_THREAD_EWOULDBLOCK_STR "nonblocking pcap can not be added"
#define PCAP_THREAD_NOPCAPS_STR "nothing to capture on"
#define PCAP_THREAD_NOCALLBACK_STR "no callback set"
#define PCAP_THREAD_ERRNO_STR "system error, check errno"
#define PCAP_THREAD_NOYIELD_STR "queue more yield requested but not supported"
#define PCAP_THREAD_EOBSOLETE_STR "obsolete function or feature"
#define PCAP_THREAD_ERUNNING_STR "pcap thread are running, can not complete task"
#define PCAP_THREAD_ENOPCAPLIST_STR "no internal reference to the pcap that captured the packet"
#define PCAP_THREAD_ELAYERCB_STR "layer callback already set in lower or higher segment"
/* clang-format on */
struct pcap_thread_linux_sll {
uint16_t packet_type;
uint16_t arp_hardware;
uint16_t link_layer_address_length;
uint8_t link_layer_address[8];
uint16_t ether_type;
};
struct pcap_thread_null_hdr {
uint32_t family;
};
struct pcap_thread_loop_hdr {
uint32_t family;
};
struct pcap_thread_ieee802_hdr {
uint16_t tpid;
unsigned short pcp : 3;
unsigned short dei : 1;
unsigned short vid : 12;
uint16_t ether_type;
};
struct pcap_thread_gre_hdr {
uint16_t gre_flags;
uint16_t ether_type;
};
struct pcap_thread_gre {
uint16_t checksum;
uint16_t key;
uint16_t sequence;
};
typedef enum pcap_thread_packet_state pcap_thread_packet_state_t;
enum pcap_thread_packet_state {
PCAP_THREAD_PACKET_OK = 0,
PCAP_THREAD_PACKET_INVALID,
PCAP_THREAD_PACKET_UNSUPPORTED,
PCAP_THREAD_PACKET_UNPROCESSED,
PCAP_THREAD_PACKET_INVALID_ETHER,
PCAP_THREAD_PACKET_INVALID_LINUX_SLL,
PCAP_THREAD_PACKET_INVALID_NULL,
PCAP_THREAD_PACKET_INVALID_LOOP,
PCAP_THREAD_PACKET_INVALID_IEEE802,
PCAP_THREAD_PACKET_INVALID_GRE,
PCAP_THREAD_PACKET_INVALID_IP,
PCAP_THREAD_PACKET_INVALID_IPV4,
PCAP_THREAD_PACKET_INVALID_IPV6,
PCAP_THREAD_PACKET_INVALID_IPV6HDR,
PCAP_THREAD_PACKET_INVALID_ICMP,
PCAP_THREAD_PACKET_INVALID_ICMPV6,
PCAP_THREAD_PACKET_INVALID_UDP,
PCAP_THREAD_PACKET_INVALID_TCP,
PCAP_THREAD_PACKET_IS_FRAGMENT,
PCAP_THREAD_PACKET_INVALID_FRAGMENT,
PCAP_THREAD_PACKET_ENOMEM,
PCAP_THREAD_PACKET_EMUTEX,
PCAP_THREAD_PACKET_FRAGMENTED_GREHDR,
PCAP_THREAD_PACKET_FRAGMENTED_ICMPHDR,
PCAP_THREAD_PACKET_FRAGMENTED_ICMPV6HDR,
PCAP_THREAD_PACKET_FRAGMENTED_UDPHDR,
PCAP_THREAD_PACKET_FRAGMENTED_TCPHDR
};
typedef struct pcap_thread_packet pcap_thread_packet_t;
struct pcap_thread_packet {
unsigned short have_prevpkt : 1;
unsigned short have_pkthdr : 1;
unsigned short have_linux_sll : 1;
unsigned short have_ethhdr : 1;
unsigned short have_nullhdr : 1;
unsigned short have_loophdr : 1;
unsigned short have_ieee802hdr : 1;
unsigned short have_grehdr : 1;
unsigned short have_gre : 1;
unsigned short have_iphdr : 1;
unsigned short have_ip6hdr : 1;
unsigned short have_ip6frag : 1;
unsigned short have_ip6rtdst : 1;
unsigned short have_icmphdr : 1;
unsigned short have_icmpv6hdr : 1;
unsigned short have_udphdr : 1;
unsigned short have_tcphdr : 1;
unsigned short have_tcpopts : 1;
unsigned short have_ippadding : 1;
unsigned short have_ip6padding : 1;
const char* name;
int dlt;
pcap_thread_packet_t* prevpkt;
struct pcap_pkthdr pkthdr;
struct pcap_thread_linux_sll linux_sll;
struct ether_header ethhdr;
struct pcap_thread_null_hdr nullhdr;
struct pcap_thread_loop_hdr loophdr;
struct pcap_thread_ieee802_hdr ieee802hdr;
struct pcap_thread_gre_hdr grehdr;
struct pcap_thread_gre gre;
struct ip iphdr;
struct ip6_hdr ip6hdr;
struct ip6_frag ip6frag;
uint8_t ip6frag_payload;
struct in6_addr ip6rtdst;
struct {
u_int8_t type;
u_int8_t code;
u_int16_t checksum;
} icmphdr;
struct {
u_int8_t icmp6_type;
u_int8_t icmp6_code;
u_int16_t icmp6_cksum;
} icmpv6hdr;
struct {
union {
struct {
u_int16_t uh_sport;
u_int16_t uh_dport;
u_int16_t uh_ulen;
u_int16_t uh_sum;
};
struct {
u_int16_t source;
u_int16_t dest;
u_int16_t len;
u_int16_t check;
};
};
} udphdr;
struct {
union {
struct {
u_int16_t th_sport;
u_int16_t th_dport;
u_int32_t th_seq;
u_int32_t th_ack;
#if __BYTE_ORDER == __LITTLE_ENDIAN
u_int8_t th_x2 : 4;
u_int8_t th_off : 4;
#endif
#if __BYTE_ORDER == __BIG_ENDIAN
u_int8_t th_off : 4;
u_int8_t th_x2 : 4;
#endif
u_int8_t th_flags;
u_int16_t th_win;
u_int16_t th_sum;
u_int16_t th_urp;
};
struct {
u_int16_t source;
u_int16_t dest;
u_int32_t seq;
u_int32_t ack_seq;
#if __BYTE_ORDER == __LITTLE_ENDIAN
u_int16_t res1 : 4;
u_int16_t doff : 4;
u_int16_t fin : 1;
u_int16_t syn : 1;
u_int16_t rst : 1;
u_int16_t psh : 1;
u_int16_t ack : 1;
u_int16_t urg : 1;
u_int16_t res2 : 2;
#elif __BYTE_ORDER == __BIG_ENDIAN
u_int16_t doff : 4;
u_int16_t res1 : 4;
u_int16_t res2 : 2;
u_int16_t urg : 1;
u_int16_t ack : 1;
u_int16_t psh : 1;
u_int16_t rst : 1;
u_int16_t syn : 1;
u_int16_t fin : 1;
#endif
u_int16_t window;
u_int16_t check;
u_int16_t urg_ptr;
};
};
} tcphdr;
u_int8_t tcpopts[64];
size_t tcpopts_len;
size_t ippadding;
size_t ip6padding;
pcap_thread_packet_state_t state;
};
typedef enum pcap_thread_queue_mode pcap_thread_queue_mode_t;
typedef struct pcap_thread pcap_thread_t;
typedef void (*pcap_thread_callback_t)(u_char* user, const struct pcap_pkthdr* pkthdr, const u_char* pkt, const char* name, int dlt);
typedef void (*pcap_thread_layer_callback_t)(u_char* user, const pcap_thread_packet_t* packet, const u_char* payload, size_t length);
typedef void (*pcap_thread_stats_callback_t)(u_char* user, const struct pcap_stat* stats, const char* name, int dlt);
#ifndef HAVE_PCAP_DIRECTION_T
typedef int pcap_direction_t;
#endif
typedef struct pcap_thread_pcaplist pcap_thread_pcaplist_t;
typedef enum pcap_thread_activate_mode pcap_thread_activate_mode_t;
enum pcap_thread_queue_mode {
PCAP_THREAD_QUEUE_MODE_COND,
PCAP_THREAD_QUEUE_MODE_WAIT,
PCAP_THREAD_QUEUE_MODE_YIELD,
PCAP_THREAD_QUEUE_MODE_DROP,
PCAP_THREAD_QUEUE_MODE_DIRECT
};
enum pcap_thread_activate_mode {
PCAP_THREAD_ACTIVATE_MODE_IMMEDIATE,
PCAP_THREAD_ACTIVATE_MODE_DELAYED
};
#ifdef HAVE_PCAP_DIRECTION_T
#define PCAP_THREAD_T_INIT_DIRECTION_T 0,
#else
#define PCAP_THREAD_T_INIT_DIRECTION_T
#endif
#ifdef HAVE_PTHREAD
#define PCAP_THREAD_T_INIT_QUEUE PTHREAD_COND_INITIALIZER, PTHREAD_COND_INITIALIZER, PTHREAD_MUTEX_INITIALIZER, \
0, 0, 0, 0, 0, 0,
#else
#define PCAP_THREAD_T_INIT_QUEUE
#endif
#ifdef PCAP_TSTAMP_PRECISION_MICRO
#define PCAP_THREAD_T_INIT_PRECISION PCAP_TSTAMP_PRECISION_MICRO
#else
#define PCAP_THREAD_T_INIT_PRECISION 0
#endif
typedef void* (*pcap_thread_layer_callback_frag_new_t)(void* conf, u_char* user);
typedef void (*pcap_thread_layer_callback_frag_free_t)(void* ctx);
typedef pcap_thread_packet_state_t (*pcap_thread_layer_callback_frag_reassemble_t)(void* ctx, const pcap_thread_packet_t* packet, const u_char* payload, size_t length, pcap_thread_packet_t** whole_packet, const u_char** whole_payload, size_t* whole_length);
typedef void (*pcap_thread_layer_callback_frag_release_t)(void* ctx, const pcap_thread_packet_t* packet, const u_char* payload, size_t length);
/* clang-format off */
#define PCAP_THREAD_LAYER_CALLBACK_FRAG_T_INIT { \
0, 0, 0, 0, 0, \
}
/* clang-format on */
typedef struct pcap_thread_layer_callback_frag pcap_thread_layer_callback_frag_t;
struct pcap_thread_layer_callback_frag {
void* conf;
pcap_thread_layer_callback_frag_new_t new;
pcap_thread_layer_callback_frag_free_t free;
pcap_thread_layer_callback_frag_reassemble_t reassemble;
pcap_thread_layer_callback_frag_release_t release;
};
/* clang-format off */
#define PCAP_THREAD_T_INIT { \
0, 0, 0, 0, \
0, 1, 0, PCAP_THREAD_DEFAULT_QUEUE_MODE, PCAP_THREAD_DEFAULT_QUEUE_SIZE, \
PCAP_THREAD_T_INIT_QUEUE \
0, 0, 0, 0, PCAP_THREAD_DEFAULT_TIMEOUT, \
0, 0, PCAP_THREAD_T_INIT_PRECISION, 0, \
PCAP_THREAD_T_INIT_DIRECTION_T \
0, 0, 0, 1, PCAP_NETMASK_UNKNOWN, \
0, 0, \
0, "", 0, 0, \
{ 0, 0 }, { 0, 0 }, \
PCAP_THREAD_DEFAULT_ACTIVATE_MODE, \
0, 0, 0, 0, 0, 0, 0, 0, PCAP_THREAD_LAYER_CALLBACK_FRAG_T_INIT, 0, PCAP_THREAD_LAYER_CALLBACK_FRAG_T_INIT, 0, 0, 0, 0, \
0 \
}
/* clang-format on */
struct pcap_thread {
unsigned short have_timestamp_precision : 1;
unsigned short have_timestamp_type : 1;
unsigned short have_direction : 1;
unsigned short was_stopped : 1;
int running;
int use_threads;
int use_layers;
pcap_thread_queue_mode_t queue_mode;
size_t queue_size;
#ifdef HAVE_PTHREAD
pthread_cond_t have_packets;
pthread_cond_t can_write;
pthread_mutex_t mutex;
struct pcap_pkthdr* pkthdr;
u_char* pkt;
pcap_thread_pcaplist_t** pcaplist_pkt;
size_t read_pos;
size_t write_pos;
size_t pkts;
#endif
int snapshot;
int snaplen;
int promiscuous;
int monitor;
int timeout;
int buffer_size;
int timestamp_type;
int timestamp_precision;
int immediate_mode;
#ifdef HAVE_PCAP_DIRECTION_T
pcap_direction_t direction;
#endif
char* filter;
size_t filter_len;
int filter_errno;
int filter_optimize;
bpf_u_int32 filter_netmask;
pcap_thread_callback_t callback;
pcap_thread_callback_t dropback;
int status;
char errbuf[PCAP_ERRBUF_SIZE];
pcap_thread_pcaplist_t* pcaplist;
pcap_thread_pcaplist_t* step;
struct timeval timedrun;
struct timeval timedrun_to;
pcap_thread_activate_mode_t activate_mode;
pcap_thread_layer_callback_t callback_linux_sll;
pcap_thread_layer_callback_t callback_ether;
pcap_thread_layer_callback_t callback_null;
pcap_thread_layer_callback_t callback_loop;
pcap_thread_layer_callback_t callback_ieee802;
pcap_thread_layer_callback_t callback_gre;
pcap_thread_layer_callback_t callback_ip;
pcap_thread_layer_callback_t callback_ipv4;
pcap_thread_layer_callback_frag_t callback_ipv4_frag;
pcap_thread_layer_callback_t callback_ipv6;
pcap_thread_layer_callback_frag_t callback_ipv6_frag;
pcap_thread_layer_callback_t callback_icmp;
pcap_thread_layer_callback_t callback_icmpv6;
pcap_thread_layer_callback_t callback_udp;
pcap_thread_layer_callback_t callback_tcp;
pcap_thread_layer_callback_t callback_invalid;
};
#define PCAP_THREAD_SET_ERRBUF(x, y) strncpy(x->errbuf, y, sizeof(x->errbuf) - 1)
#ifdef HAVE_PTHREAD
#define PCAP_THREAD_PCAPLIST_T_INIT_THREAD 0,
#else
#define PCAP_THREAD_PCAPLIST_T_INIT_THREAD
#endif
/* clang-format off */
#define PCAP_THREAD_PCAPLIST_T_INIT { \
0, 0, 0, \
0, 0, 0, 0, 0, 0, 0, 0, \
0, \
PCAP_THREAD_PCAPLIST_T_INIT_THREAD \
{ 0, 0 }, \
0, \
}
/* clang-format on */
struct pcap_thread_pcaplist {
unsigned short have_bpf : 1;
unsigned short have_ipv4_frag_ctx : 1;
unsigned short have_ipv6_frag_ctx : 1;
pcap_thread_pcaplist_t* next;
char* name;
pcap_t* pcap;
void* user;
int running;
int is_offline;
void* ipv4_frag_ctx;
void* ipv6_frag_ctx;
pcap_thread_t* pcap_thread;
#ifdef HAVE_PTHREAD
pthread_t thread;
#endif
struct bpf_program bpf;
pcap_thread_callback_t layer_callback;
};
const char* pcap_thread_version_str(void);
int pcap_thread_version_major(void);
int pcap_thread_version_minor(void);
int pcap_thread_version_patch(void);
pcap_thread_t* pcap_thread_create(void);
void pcap_thread_free(pcap_thread_t* pcap_thread);
int pcap_thread_use_threads(const pcap_thread_t* pcap_thread);
int pcap_thread_set_use_threads(pcap_thread_t* pcap_thread, const int use_threads);
int pcap_thread_use_layers(const pcap_thread_t* pcap_thread);
int pcap_thread_set_use_layers(pcap_thread_t* pcap_thread, const int use_layers);
pcap_thread_queue_mode_t pcap_thread_queue_mode(const pcap_thread_t* pcap_thread);
int pcap_thread_set_queue_mode(pcap_thread_t* pcap_thread, const pcap_thread_queue_mode_t queue_mode);
struct timeval pcap_thread_queue_wait(const pcap_thread_t* pcap_thread);
int pcap_thread_set_queue_wait(pcap_thread_t* pcap_thread, const struct timeval queue_wait);
pcap_thread_queue_mode_t pcap_thread_callback_queue_mode(const pcap_thread_t* pcap_thread);
int pcap_thread_set_callback_queue_mode(pcap_thread_t* pcap_thread, const pcap_thread_queue_mode_t callback_queue_mode);
struct timeval pcap_thread_callback_queue_wait(const pcap_thread_t* pcap_thread);
int pcap_thread_set_callback_queue_wait(pcap_thread_t* pcap_thread, const struct timeval callback_queue_wait);
int pcap_thread_snapshot(const pcap_thread_t* pcap_thread);
int pcap_thread_snaplen(const pcap_thread_t* pcap_thread);
int pcap_thread_set_snaplen(pcap_thread_t* pcap_thread, const int snaplen);
int pcap_thread_promiscuous(const pcap_thread_t* pcap_thread);
int pcap_thread_set_promiscuous(pcap_thread_t* pcap_thread, const int promiscuous);
int pcap_thread_monitor(const pcap_thread_t* pcap_thread);
int pcap_thread_set_monitor(pcap_thread_t* pcap_thread, const int monitor);
int pcap_thread_timeout(const pcap_thread_t* pcap_thread);
int pcap_thread_set_timeout(pcap_thread_t* pcap_thread, const int timeout);
int pcap_thread_buffer_size(const pcap_thread_t* pcap_thread);
int pcap_thread_set_buffer_size(pcap_thread_t* pcap_thread, const int buffer_size);
int pcap_thread_timestamp_type(const pcap_thread_t* pcap_thread);
int pcap_thread_set_timestamp_type(pcap_thread_t* pcap_thread, const int timestamp_type);
int pcap_thread_timestamp_precision(const pcap_thread_t* pcap_thread);
int pcap_thread_set_timestamp_precision(pcap_thread_t* pcap_thread, const int timestamp_precision);
int pcap_thread_immediate_mode(const pcap_thread_t* pcap_thread);
int pcap_thread_set_immediate_mode(pcap_thread_t* pcap_thread, const int immediate_mode);
pcap_direction_t pcap_thread_direction(const pcap_thread_t* pcap_thread);
int pcap_thread_set_direction(pcap_thread_t* pcap_thread, const pcap_direction_t direction);
const char* pcap_thread_filter(const pcap_thread_t* pcap_thread);
int pcap_thread_set_filter(pcap_thread_t* pcap_thread, const char* filter, const size_t filter_len);
int pcap_thread_clear_filter(pcap_thread_t* pcap_thread);
int pcap_thread_filter_errno(const pcap_thread_t* pcap_thread);
int pcap_thread_filter_optimize(const pcap_thread_t* pcap_thread);
int pcap_thread_set_filter_optimize(pcap_thread_t* pcap_thread, const int filter_optimize);
bpf_u_int32 pcap_thread_filter_netmask(const pcap_thread_t* pcap_thread);
int pcap_thread_set_filter_netmask(pcap_thread_t* pcap_thread, const bpf_u_int32 filter_netmask);
struct timeval pcap_thread_timedrun(const pcap_thread_t* pcap_thread);
int pcap_thread_set_timedrun(pcap_thread_t* pcap_thread, const struct timeval timedrun);
struct timeval pcap_thread_timedrun_to(const pcap_thread_t* pcap_thread);
int pcap_thread_set_timedrun_to(pcap_thread_t* pcap_thread, const struct timeval timedrun_to);
pcap_thread_activate_mode_t pcap_thread_activate_mode(const pcap_thread_t* pcap_thread);
int pcap_thread_set_activate_mode(pcap_thread_t* pcap_thread, const pcap_thread_activate_mode_t activate_mode);
int pcap_thread_was_stopped(const pcap_thread_t* pcap_thread);
size_t pcap_thread_queue_size(const pcap_thread_t* pcap_thread);
int pcap_thread_set_queue_size(pcap_thread_t* pcap_thread, const size_t queue_size);
int pcap_thread_set_callback(pcap_thread_t* pcap_thread, pcap_thread_callback_t callback);
int pcap_thread_set_dropback(pcap_thread_t* pcap_thread, pcap_thread_callback_t dropback);
int pcap_thread_set_callback_linux_sll(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_linux_sll);
int pcap_thread_set_callback_ether(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ether);
int pcap_thread_set_callback_null(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_null);
int pcap_thread_set_callback_loop(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_loop);
int pcap_thread_set_callback_ieee802(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ieee802);
int pcap_thread_set_callback_gre(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_gre);
int pcap_thread_set_callback_ip(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ip);
int pcap_thread_set_callback_ipv4(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ipv4);
int pcap_thread_set_callback_ipv4_frag(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_frag_t callback_ipv4_frag);
int pcap_thread_set_callback_ipv6(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_ipv6);
int pcap_thread_set_callback_ipv6_frag(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_frag_t callback_ipv6_frag);
int pcap_thread_set_callback_icmp(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_icmp);
int pcap_thread_set_callback_icmpv6(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_icmpv6);
int pcap_thread_set_callback_udp(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_udp);
int pcap_thread_set_callback_tcp(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_tcp);
int pcap_thread_set_callback_invalid(pcap_thread_t* pcap_thread, pcap_thread_layer_callback_t callback_tcp);
int pcap_thread_open(pcap_thread_t* pcap_thread, const char* device, void* user);
int pcap_thread_open_offline(pcap_thread_t* pcap_thread, const char* file, void* user);
int pcap_thread_add(pcap_thread_t* pcap_thread, const char* name, pcap_t* pcap, void* user);
int pcap_thread_activate(pcap_thread_t* pcap_thread);
int pcap_thread_close(pcap_thread_t* pcap_thread);
int pcap_thread_run(pcap_thread_t* pcap_thread);
int pcap_thread_next(pcap_thread_t* pcap_thread);
int pcap_thread_next_reset(pcap_thread_t* pcap_thread);
int pcap_thread_stop(pcap_thread_t* pcap_thread);
int pcap_thread_stats(pcap_thread_t* pcap_thread, pcap_thread_stats_callback_t callback, u_char* user);
int pcap_thread_status(const pcap_thread_t* pcap_thread);
const char* pcap_thread_errbuf(const pcap_thread_t* pcap_thread);
const char* pcap_thread_strerr(int error);
#ifdef __cplusplus
}
#endif
#endif /* __pcap_thread_h */



@ -0,0 +1,131 @@
/*
* Author Jerry Lundström <jerry@dns-oarc.net>
* Copyright (c) 2016-2017, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include "pcap_thread.h"
#ifndef __pcap_thread_ext_frag_h
#define __pcap_thread_ext_frag_h
#ifdef __cplusplus
extern "C" {
#endif
/*
* RFC791 - Handle fragments in an offset ascending order, allow fragments to overlap
* RFC815 - Handle fragments in a receiving order, allow fragments to overlap
* BSD - Handle fragments in an offset descending order, allow fragments to overlap
*/
typedef enum pcap_thread_ext_frag_reassemble_mode pcap_thread_ext_frag_reassemble_mode_t;
enum pcap_thread_ext_frag_reassemble_mode {
PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC791 = 0,
PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC815,
PCAP_THREAD_EXT_FRAG_REASSEMBLE_BSD
};
typedef struct pcap_thread_ext_frag_fragment pcap_thread_ext_frag_fragment_t;
struct pcap_thread_ext_frag_fragment {
pcap_thread_ext_frag_fragment_t* next;
unsigned short flag_more_fragments : 1;
u_char* payload;
size_t length;
size_t offset;
};
typedef struct pcap_thread_ext_frag_fragments pcap_thread_ext_frag_fragments_t;
struct pcap_thread_ext_frag_fragments {
pcap_thread_ext_frag_fragments_t* next;
pcap_thread_packet_t packet;
pcap_thread_ext_frag_fragment_t* fragments;
size_t num_fragments;
u_char* payload;
size_t length;
};
typedef void (*pcap_thread_ext_frag_callback_t)(const pcap_thread_packet_t* packet, const u_char* payload, size_t length, const pcap_thread_ext_frag_fragments_t* fragments);
/* clang-format off */
#define PCAP_THREAD_EXT_FRAG_CONF_T_INIT { \
0, 0, \
PCAP_THREAD_EXT_FRAG_REASSEMBLE_RFC791, \
100, 10, { 30, 0 }, \
0, 0 \
}
/* clang-format on */
typedef struct pcap_thread_ext_frag_conf pcap_thread_ext_frag_conf_t;
struct pcap_thread_ext_frag_conf {
unsigned short reject_overlap : 1;
unsigned short check_timeout : 1;
pcap_thread_ext_frag_reassemble_mode_t reassemble_mode;
size_t fragments;
size_t per_packet;
struct timeval timeout;
pcap_thread_ext_frag_callback_t overlap_callback;
pcap_thread_ext_frag_callback_t timeout_callback;
};
pcap_thread_ext_frag_conf_t* pcap_thread_ext_frag_conf_new(void);
void pcap_thread_ext_frag_conf_free(pcap_thread_ext_frag_conf_t* conf);
int pcap_thread_ext_frag_conf_reject_overlap(const pcap_thread_ext_frag_conf_t* conf);
int pcap_thread_ext_frag_conf_set_reject_overlap(pcap_thread_ext_frag_conf_t* conf, const int reject_overlap);
int pcap_thread_ext_frag_conf_check_timeout(const pcap_thread_ext_frag_conf_t* conf);
int pcap_thread_ext_frag_conf_set_check_timeout(pcap_thread_ext_frag_conf_t* conf, const int check_timeout);
pcap_thread_ext_frag_reassemble_mode_t pcap_thread_ext_frag_conf_reassemble_mode(const pcap_thread_ext_frag_conf_t* conf);
int pcap_thread_ext_frag_conf_set_reassemble_mode(pcap_thread_ext_frag_conf_t* conf, const pcap_thread_ext_frag_reassemble_mode_t reassemble_mode);
size_t pcap_thread_ext_frag_conf_fragments(const pcap_thread_ext_frag_conf_t* conf);
int pcap_thread_ext_frag_conf_set_fragments(pcap_thread_ext_frag_conf_t* conf, const size_t fragments);
size_t pcap_thread_ext_frag_conf_per_packet(const pcap_thread_ext_frag_conf_t* conf);
int pcap_thread_ext_frag_conf_set_per_packet(pcap_thread_ext_frag_conf_t* conf, const size_t per_packet);
struct timeval pcap_thread_ext_frag_conf_timeout(const pcap_thread_ext_frag_conf_t* conf);
int pcap_thread_ext_frag_conf_set_timeout(pcap_thread_ext_frag_conf_t* conf, const struct timeval timeout);
pcap_thread_ext_frag_callback_t pcap_thread_ext_frag_conf_overlap_callback(const pcap_thread_ext_frag_conf_t* conf);
int pcap_thread_ext_frag_conf_set_overlap_callback(pcap_thread_ext_frag_conf_t* conf, pcap_thread_ext_frag_callback_t overlap_callback);
pcap_thread_ext_frag_callback_t pcap_thread_ext_frag_conf_timeout_callback(const pcap_thread_ext_frag_conf_t* conf);
int pcap_thread_ext_frag_conf_set_timeout_callback(pcap_thread_ext_frag_conf_t* conf, pcap_thread_ext_frag_callback_t timeout_callback);
pcap_thread_layer_callback_frag_t pcap_thread_ext_frag_layer_callback(pcap_thread_ext_frag_conf_t* conf);
#ifdef __cplusplus
}
#endif
#endif /* __pcap_thread_ext_frag_h */

236
src/pcaps.c Normal file

@ -0,0 +1,236 @@
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#include "pcaps.h"
#include "log.h"
#include "network.h"
#include "pcap-thread/pcap_thread_ext_frag.h"
static void
drop_pkt(u_char* user, const struct pcap_pkthdr* hdr, const u_char* pkt, const char* name, const int dlt)
{
mypcap_ptr mypcap = (mypcap_ptr)user;
pcap_drops++;
if (mypcap) {
mypcap->drops++;
}
}
void print_pcap_thread_error(const char* func, int err)
{
if (err == PCAP_THREAD_EPCAP) {
fprintf(stderr, "%s: pcap_thread libpcap error [%d] %s: %s (%s)\n",
ProgramName,
pcap_thread_status(&pcap_thread),
func,
pcap_statustostr(pcap_thread_status(&pcap_thread)),
pcap_thread_errbuf(&pcap_thread));
} else if (err != PCAP_THREAD_OK) {
fprintf(stderr, "%s: pcap_thread error [%d] %s: %s\n",
ProgramName,
err,
func,
pcap_thread_strerr(err));
}
}
static pcap_thread_ext_frag_conf_t frag_conf_v4 = PCAP_THREAD_EXT_FRAG_CONF_T_INIT;
static pcap_thread_ext_frag_conf_t frag_conf_v6 = PCAP_THREAD_EXT_FRAG_CONF_T_INIT;
void open_pcaps(void)
{
mypcap_ptr mypcap;
int err;
if ((err = pcap_thread_set_snaplen(&pcap_thread, SNAPLEN)) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_set_snaplen()", err);
exit(1);
}
if ((err = pcap_thread_set_promiscuous(&pcap_thread, promisc)) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_set_promiscuous()", err);
exit(1);
}
if ((err = pcap_thread_set_monitor(&pcap_thread, monitor_mode)) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_set_monitor()", err);
exit(1);
}
if ((err = pcap_thread_set_immediate_mode(&pcap_thread, immediate_mode)) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_set_immediate_mode()", err);
exit(1);
}
if (options.use_layers) {
if ((err = pcap_thread_set_callback_icmp(&pcap_thread, layer_pkt)) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_set_callback_icmp()", err);
exit(1);
}
if ((err = pcap_thread_set_callback_icmpv6(&pcap_thread, layer_pkt)) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_set_callback_icmpv6()", err);
exit(1);
}
if ((err = pcap_thread_set_callback_udp(&pcap_thread, layer_pkt)) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_set_callback_udp()", err);
exit(1);
}
if ((err = pcap_thread_set_callback_tcp(&pcap_thread, layer_pkt)) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_set_callback_tcp()", err);
exit(1);
}
if ((err = pcap_thread_set_use_layers(&pcap_thread, 1)) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_set_use_layers()", err);
exit(1);
}
if (options.defrag_ipv4) {
if (options.max_ipv4_fragments > 0 && (err = pcap_thread_ext_frag_conf_set_fragments(&frag_conf_v4, options.max_ipv4_fragments)) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_ext_frag_conf_set_fragments()", err);
exit(1);
}
if (options.max_ipv4_fragments_per_packet > 0 && (err = pcap_thread_ext_frag_conf_set_per_packet(&frag_conf_v4, options.max_ipv4_fragments_per_packet)) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_ext_frag_conf_set_per_packet()", err);
exit(1);
}
if ((err = pcap_thread_set_callback_ipv4_frag(&pcap_thread, pcap_thread_ext_frag_layer_callback(&frag_conf_v4))) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_set_callback_ipv4_frag()", err);
exit(1);
}
}
if (options.defrag_ipv6) {
if (options.max_ipv6_fragments > 0 && (err = pcap_thread_ext_frag_conf_set_fragments(&frag_conf_v6, options.max_ipv6_fragments)) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_ext_frag_conf_set_fragments()", err);
exit(1);
}
if (options.max_ipv6_fragments_per_packet > 0 && (err = pcap_thread_ext_frag_conf_set_per_packet(&frag_conf_v6, options.max_ipv6_fragments_per_packet)) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_ext_frag_conf_set_per_packet()", err);
exit(1);
}
if ((err = pcap_thread_set_callback_ipv6_frag(&pcap_thread, pcap_thread_ext_frag_layer_callback(&frag_conf_v6))) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_set_callback_ipv6_frag()", err);
exit(1);
}
}
} else {
if ((err = pcap_thread_set_callback(&pcap_thread, dl_pkt)) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_set_callback()", err);
exit(1);
}
}
if ((err = pcap_thread_set_dropback(&pcap_thread, drop_pkt)) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_set_dropback()", err);
exit(1);
}
if ((err = pcap_thread_set_filter(&pcap_thread, bpft, strlen(bpft))) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_set_filter()", err);
exit(1);
}
if (options.pcap_buffer_size && (err = pcap_thread_set_buffer_size(&pcap_thread, options.pcap_buffer_size)) != PCAP_THREAD_OK) {
print_pcap_thread_error("pcap_thread_set_buffer_size()", err);
exit(1);
}
assert(!EMPTY(mypcaps));
for (mypcap = HEAD(mypcaps);
mypcap != NULL;
mypcap = NEXT(mypcap, link)) {
if (pcap_offline)
err = pcap_thread_open_offline(&pcap_thread, mypcap->name, (u_char*)mypcap);
else
err = pcap_thread_open(&pcap_thread, mypcap->name, (u_char*)mypcap);
if (err == PCAP_THREAD_EPCAP) {
fprintf(stderr, "%s: pcap_thread libpcap error [%d]: %s (%s)\n",
ProgramName,
pcap_thread_status(&pcap_thread),
pcap_statustostr(pcap_thread_status(&pcap_thread)),
pcap_thread_errbuf(&pcap_thread));
exit(1);
}
if (err) {
fprintf(stderr, "%s: pcap_thread error [%d]: %s\n",
ProgramName,
err,
pcap_thread_strerr(err));
exit(1);
}
}
pcap_dead = pcap_open_dead(DLT_RAW, SNAPLEN);
}
void poll_pcaps(void)
{
pcap_thread_run(&pcap_thread);
main_exit = TRUE;
}
void breakloop_pcaps(void)
{
pcap_thread_stop(&pcap_thread);
}
void close_pcaps(void)
{
pcap_thread_close(&pcap_thread);
}
static void stat_callback(u_char* user, const struct pcap_stat* stats, const char* name, int dlt)
{
mypcap_ptr mypcap;
for (mypcap = HEAD(mypcaps);
mypcap != NULL;
mypcap = NEXT(mypcap, link)) {
if (!strcmp(name, mypcap->name))
break;
}
if (mypcap) {
mypcap->ps0 = mypcap->ps1;
mypcap->ps1 = *stats;
logerr("%s: %u recv %u drop %u total ptdrop %lu",
mypcap->name,
mypcap->ps1.ps_recv - mypcap->ps0.ps_recv,
mypcap->ps1.ps_drop - mypcap->ps0.ps_drop,
mypcap->ps1.ps_recv + mypcap->ps1.ps_drop - mypcap->ps0.ps_recv - mypcap->ps0.ps_drop,
mypcap->drops);
}
}
void do_pcap_stats()
{
logerr("total drops: %lu", pcap_drops);
pcap_thread_stats(&pcap_thread, stat_callback, 0);
}
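Review bot: poll_pcaps() discards the return value of pcap_thread_run(), so a capture that stops on a libpcap or pcap_thread error looks the same as a normal end and nothing is logged before main_exit is set, although the setup calls in open_pcaps() are all checked. I would keep the result and report it with the helper this file already has: `int err = pcap_thread_run(&pcap_thread);` followed by `if (err != PCAP_THREAD_OK) print_pcap_thread_error("pcap_thread_run()", err);`. At the end of open_pcaps() the pointer from `pcap_open_dead(DLT_RAW, SNAPLEN)` is likewise stored in pcap_dead without a NULL check. Separately, frag_conf_v4 and frag_conf_v6 keep the initializer's reject_overlap = 0 and check_timeout = 0, and only the two fragment limits are ever set, so overlapping fragments are presumably reassembled under the RFC791 policy with no record of the overlap. For a capture tool whose output feeds analysis, it would be worth at least registering a callback with pcap_thread_ext_frag_conf_set_overlap_callback() that counts or logs them.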

47
src/pcaps.h Normal file

@ -0,0 +1,47 @@
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include "dnscap.h"
#ifndef __dnscap_pcaps_h
#define __dnscap_pcaps_h
void print_pcap_thread_error(const char* func, int err);
void open_pcaps(void);
void poll_pcaps(void);
void breakloop_pcaps(void);
void close_pcaps(void);
void do_pcap_stats();
#endif /* __dnscap_pcaps_h */
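Review bot: `void do_pcap_stats();` is declared with an empty parameter list, which before C23 leaves the parameters unspecified, so a call that passes arguments by mistake is not diagnosed; the other prototypes here use `(void)`. I would write `void do_pcap_stats(void);` here and on the definition in src/pcaps.c. The guard macro `__dnscap_pcaps_h` begins with two underscores, a name reserved for the implementation, and `#include "dnscap.h"` sits outside the guard; something like `DNSCAP_PCAPS_H` with the include moved inside would avoid both.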

102
src/sig.c Normal file

@ -0,0 +1,102 @@
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#include "sig.h"
#include "log.h"
#include "dumper.h"
#include "pcaps.h"
void setsig(int sig, int oneshot)
{
struct sigaction sa;
memset(&sa, 0, sizeof sa);
if (oneshot) {
sa.sa_handler = sigbreak;
sa.sa_flags = SA_RESETHAND;
} else {
sa.sa_handler = sigclose;
sa.sa_flags = SA_RESTART;
}
if (sigaction(sig, &sa, NULL) < 0) {
logerr("sigaction: %s", strerror(errno));
exit(1);
}
}
void sigclose(int signum)
{
if (0 == last_ts.tv_sec)
gettimeofday(&last_ts, NULL);
if (signum == SIGALRM)
alarm_set = FALSE;
if (dumper_close(last_ts))
breakloop_pcaps();
}
void sigbreak(int signum __attribute__((unused)))
{
logerr("%s: signalled break", ProgramName);
main_exit = TRUE;
breakloop_pcaps();
}
void* sigthread(void* arg)
{
#if HAVE_PTHREAD
sigset_t* set = (sigset_t*)arg;
int sig, err;
while (1) {
if ((err = sigwait(set, &sig))) {
logerr("sigwait: %s", strerror(err));
return 0;
}
switch (sig) {
case SIGALRM:
sigclose(sig);
break;
default:
sigbreak(sig);
break;
}
}
#endif
return 0;
}
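Review bot: sigclose() and sigbreak() are installed as asynchronous handlers by setsig(), yet they call gettimeofday(), logerr(), dumper_close() and breakloop_pcaps(). gettimeofday() is not on the POSIX async-signal-safe list, and the other three (bodies outside this file) very likely reach stdio, allocation or file I/O, so a signal that lands while the main flow is inside one of those can deadlock or corrupt state. The handler path should only record the event, for example `static volatile sig_atomic_t pending_sig;` with `pending_sig = signum;` in the handler, and the capture loop should do the logging and dumper_close() work. The sigwait() loop in sigthread() already runs the same functions in ordinary thread context, which is fine. sigthread() also returns after a sigwait() failure with only a log line, which seems to leave the process without its signal-handling thread; setting `main_exit = TRUE;` before that return would make the failure stop the program instead of leaving it unresponsive to signals.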

45
src/sig.h Normal file

@ -0,0 +1,45 @@
/*
* Copyright (c) 2016-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include "dnscap.h"
#ifndef __dnscap_sig_h
#define __dnscap_sig_h
void setsig(int sig, int oneshot);
void sigclose(int signum);
void sigbreak(int signum __attribute__((unused)));
void* sigthread(void* arg);
#endif /* __dnscap_sig_h */

547
src/tcpreasm.c Normal file

@ -0,0 +1,547 @@
/*
* Copyright (c) 2018-2021, OARC, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. Neither the name of the copyright holder nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#include "config.h"
#include "tcpreasm.h"
#include "log.h"
#include "network.h"
#include <stdlib.h>
#include <ldns/ldns.h>
#define dfprintf(a, b...) \
if (dumptrace >= 3) { \
fprintf(stderr, b); \
fprintf(stderr, "\n"); \
}
#define dsyslogf(a, b...) logerr(b)
#define nptohs(p) ((((uint8_t*)(p))[0] << 8) | ((uint8_t*)(p))[1])
#define BFB_BUF_SIZE (0xffff + 0xffff + 2 + 2)
/*
* Originally from DSC:
*
* TCP Reassembly.
*
* When we see a SYN, we allocate a new tcpstate for the connection, and
* establish the initial sequence number of the first dns message (seq_start)
* on the connection. We assume that no other segment can arrive before the
* SYN (if one does, it is discarded, and if is not repeated the message it
* belongs to can never be completely reassembled).
*
* Then, for each segment that arrives on the connection:
* - If it's the first segment of a message (containing the 2-byte message
* length), we allocate a msgbuf, and check for any held segments that might
* belong to it.
* - If the first byte of the segment belongs to any msgbuf, we fill
* in the holes of that message. If the message has no more holes, we
* handle the complete dns message. If the tail of the segment was longer
* than the hole, we recurse on the tail.
* - Otherwise, if the segment could be within the tcp window, we hold onto it
* pending the creation of a matching msgbuf.
*
* This algorithm handles segments that arrive out of order, duplicated or
* overlapping (including segments from different dns messages arriving out of
* order), and dns messages that do not necessarily start on segment
* boundaries.
*
*/
static int dns_protocol_handler(tcpreasm_t* t, u_char* segment, uint16_t dnslen, uint32_t seq)
{
int m;
if (options.reassemble_tcp_bfbparsedns) {
int s;
ldns_pkt* pkt;
size_t at, len;
if (!t->bfb_buf && !(t->bfb_buf = malloc(BFB_BUF_SIZE))) {
dfprintf(1, "dns_protocol_handler: no memory for bfb_buf");
return 1;
}
/* if this is the first segment, add it to the processing buffer
and move up to next wanted segment */
if (seq == t->seq_bfb + 2) {
dfprintf(1, "dns_protocol_handler: first bfb_seg: seq = %u, len = %d", seq, dnslen);
if ((BFB_BUF_SIZE - t->bfb_at) < (dnslen + 2)) {
dfprintf(1, "dns_protocol_handler: out of space in bfb_buf");
return 1;
}
t->bfb_buf[t->bfb_at++] = dnslen >> 8;
t->bfb_buf[t->bfb_at++] = dnslen & 0xff; //NOSONAR
memcpy(&t->bfb_buf[t->bfb_at], segment, dnslen);
t->bfb_at += dnslen;
t->seq_bfb += 2 + dnslen;
} else {
/* add segment for later processing */
dfprintf(1, "dns_protocol_handler: add bfb_seg: seq = %u, len = %d", seq, dnslen);
for (s = 0; s < MAX_TCP_SEGS; s++) {
if (t->bfb_seg[s])
continue;
t->bfb_seg[s] = calloc(1, sizeof(tcp_segbuf_t) + dnslen);
t->bfb_seg[s]->seq = seq;
t->bfb_seg[s]->len = dnslen;
memcpy(t->bfb_seg[s]->buf, segment, dnslen);
dfprintf(1, "dns_protocol_handler: new bfbseg %d: seq = %u, len = %d",
s, t->bfb_seg[s]->seq, t->bfb_seg[s]->len);
break;
}
if (s >= MAX_TCP_SEGS) {
dfprintf(1, "dns_protocol_handler: out of bfbsegs");
return 1;
}
return 0;
}
for (;;) {
/* process the buffer, extract dnslen and try and parse */
at = 0;
len = t->bfb_at;
for (;;) {
dfprintf(1, "dns_protocol_handler: processing at = %zu, len = %zu", at, len);
if (len < 2) {
dfprintf(1, "dns_protocol_handler: bfb need more for dnslen");
break;
}
dnslen = nptohs(&t->bfb_buf[at]) & 0xffff;
if (dnslen > 11) {
/* 12 bytes minimum DNS header, other lengths should be invalid */
if (len < dnslen + 2) {
dfprintf(1, "dns_protocol_handler: bfb need %zu more", dnslen - len);
break;
}
if (ldns_wire2pkt(&pkt, &t->bfb_buf[at + 2], dnslen) == LDNS_STATUS_OK) {
ldns_pkt_free(pkt);
dfprintf(1, "dns_protocol_handler: dns at %zu len %u", at + 2, dnslen);
for (m = 0; t->dnsmsg[m];) {
if (++m >= MAX_TCP_DNS_MSG) {
dfprintf(1, "dns_protocol_handler: %s", "out of dnsmsgs");
return 1;
}
}
if (!(t->dnsmsg[m] = calloc(1, sizeof(tcpdnsmsg_t) + dnslen))) {
dsyslogf(LOG_ERR, "out of memory for dnsmsg (%d)", dnslen);
return 1;
}
t->dnsmsgs++;
t->dnsmsg[m]->dnslen = dnslen;
memcpy(t->dnsmsg[m]->dnspkt, &t->bfb_buf[at + 2], dnslen);
dfprintf(1, "dns_protocol_handler: new dnsmsg %d: dnslen = %d", m, dnslen);
at += 2 + dnslen;
len -= 2 + dnslen;
continue;
}
if (errno == EMSGSIZE) {
size_t l = calcdnslen(&t->bfb_buf[at + 2], dnslen);
if (l > 0 && l < dnslen && ldns_wire2pkt(&pkt, &t->bfb_buf[at + 2], l) == LDNS_STATUS_OK) {
ldns_pkt_free(pkt);
dfprintf(1, "dns_protocol_handler: dns at %zu len %u (real len %zu)", at + 2, dnslen, l);
for (m = 0; t->dnsmsg[m];) {
if (++m >= MAX_TCP_DNS_MSG) {
dfprintf(1, "dns_protocol_handler: %s", "out of dnsmsgs");
return 1;
}
}
if (!(t->dnsmsg[m] = calloc(1, sizeof(tcpdnsmsg_t) + dnslen))) {
dsyslogf(LOG_ERR, "out of memory for dnsmsg (%d)", dnslen);
return 1;
}
t->dnsmsgs++;
t->dnsmsg[m]->dnslen = dnslen;
memcpy(t->dnsmsg[m]->dnspkt, &t->bfb_buf[at + 2], dnslen);
dfprintf(1, "dns_protocol_handler: new dnsmsg %d: dnslen = %d", m, dnslen);
at += 2 + dnslen;
len -= 2 + dnslen;
continue;
}
}
}
dfprintf(1, "dns_protocol_handler: bfb dns parse failed at %zu", at);
at += 2;
len -= 2;
}
/* check for leftovers in the buffer */
if (!len) {
dfprintf(1, "dns_protocol_handler: bfb all buf parsed, reset at");
t->bfb_at = 0;
} else if (len && at) {
dfprintf(1, "dns_protocol_handler: bfb move %zu len %zu", at, len);
memmove(t->bfb_buf, &t->bfb_buf[at], len);
t->bfb_at = len;
}
dfprintf(1, "dns_protocol_handler: bfb fill at %zu", t->bfb_at);
/* see if we can fill the buffer */
for (s = 0; s < MAX_TCP_SEGS; s++) {
if (!t->bfb_seg[s])
continue;
if (t->bfb_seg[s]->seq == t->seq_bfb + 2) {
tcp_segbuf_t* seg = t->bfb_seg[s];
dfprintf(1, "dns_protocol_handler: next bfb_seg %d: seq = %u, len = %d", s, seg->seq, seg->len);
if ((BFB_BUF_SIZE - t->bfb_at) < (seg->len + 2)) {
dfprintf(1, "dns_protocol_handler: out of space in bfb_buf");
return 1;
}
t->bfb_seg[s] = 0;
t->bfb_buf[t->bfb_at++] = seg->len >> 8;
t->bfb_buf[t->bfb_at++] = seg->len & 0xff;
memcpy(&t->bfb_buf[t->bfb_at], seg->buf, seg->len);
t->bfb_at += seg->len;
t->seq_bfb += 2 + seg->len;
free(seg);
break;
}
}
if (s >= MAX_TCP_SEGS) {
dfprintf(1, "dns_protocol_handler: bfb need next seg");
return 0;
}
}
}
for (m = 0; t->dnsmsg[m];) {
if (++m >= MAX_TCP_DNS_MSG) {
dfprintf(1, "dns_protocol_handler: %s", "out of dnsmsgs");
return 1;
}
}
t->dnsmsg[m] = calloc(1, sizeof(tcpdnsmsg_t) + dnslen);
if (NULL == t->dnsmsg[m]) {
dsyslogf(LOG_ERR, "out of memory for dnsmsg (%d)", dnslen);
return 1;
}
t->dnsmsgs++;
t->dnsmsg[m]->segments_seen = t->segments_seen;
t->dnsmsg[m]->dnslen = dnslen;
memcpy(t->dnsmsg[m]->dnspkt, segment, dnslen);
dfprintf(1, "dns_protocol_handler: new dnsmsg %d: dnslen = %d", m, dnslen);
t->segments_seen = 0;
return 0;
}
int pcap_handle_tcp_segment(u_char* segment, int len, uint32_t seq, tcpstate_ptr _tcpstate)
{
int i, m, s, ret;
uint16_t dnslen;
int segoff, seglen;
tcpreasm_t* tcpstate = _tcpstate->reasm;
dfprintf(1, "pcap_handle_tcp_segment: seq=%u, len=%d", seq, len);
if (len <= 0) /* there is no more payload */
return 0;
tcpstate->segments_seen++;
if (seq - tcpstate->seq_start < 2) {
/* this segment contains all or part of the 2-byte DNS length field */
uint32_t o = seq - tcpstate->seq_start;
int l = (len > 1 && o == 0) ? 2 : 1;
dfprintf(1, "pcap_handle_tcp_segment: copying %d bytes to dnslen_buf[%d]", l, o);
memcpy(&tcpstate->dnslen_buf[o], segment, l);
if (l == 2)
tcpstate->dnslen_bytes_seen_mask = 3;
else
tcpstate->dnslen_bytes_seen_mask |= (1 << o);
len -= l;
segment += l;
seq += l;
}
if (3 == tcpstate->dnslen_bytes_seen_mask) {
/* We have the dnslen stored now */
dnslen = nptohs(tcpstate->dnslen_buf) & 0xffff;
/*
* Next we poison the mask to indicate we are in to the message body.
* If one doesn't remember we're past the then,
* one loops forever getting more msgbufs rather than filling
* in the contents of THIS message.
*
* We need to later reset that mask when we process the message
* (method: tcpstate->dnslen_bytes_seen_mask = 0).
*/
tcpstate->dnslen_bytes_seen_mask = 7;
tcpstate->seq_start += sizeof(uint16_t) + dnslen;
dfprintf(1, "pcap_handle_tcp_segment: first segment; dnslen = %d", dnslen);
if (len >= dnslen) {
/* this segment contains a complete message - avoid the reassembly
* buffer and just handle the message immediately */
ret = dns_protocol_handler(tcpstate, segment, dnslen, seq);
tcpstate->dnslen_bytes_seen_mask = 0; /* go back for another message in this tcp connection */
/* handle the trailing part of the segment? */
if (len > dnslen) {
dfprintf(1, "pcap_handle_tcp_segment: %s", "segment tail");
ret |= pcap_handle_tcp_segment(segment + dnslen, len - dnslen, seq + dnslen, _tcpstate);
}
return ret;
}
/*
* At this point we KNOW we have an incomplete message and need to do reassembly.
* i.e.: assert(len < dnslen);
*/
dfprintf(2, "pcap_handle_tcp_segment: %s", "buffering segment");
/* allocate a msgbuf for reassembly */
for (m = 0; tcpstate->msgbuf[m];) {
if (++m >= MAX_TCP_MSGS) {
dfprintf(1, "pcap_handle_tcp_segment: %s", "out of msgbufs");
return 1;
}
}
tcpstate->msgbuf[m] = calloc(1, sizeof(tcp_msgbuf_t) + dnslen);
if (NULL == tcpstate->msgbuf[m]) {
dsyslogf(LOG_ERR, "out of memory for tcp_msgbuf (%d)", dnslen);
return 1;
}
tcpstate->msgbufs++;
tcpstate->msgbuf[m]->seq = seq;
tcpstate->msgbuf[m]->dnslen = dnslen;
tcpstate->msgbuf[m]->holes = 1;
tcpstate->msgbuf[m]->hole[0].start = len;
tcpstate->msgbuf[m]->hole[0].len = dnslen - len;
dfprintf(1,
"pcap_handle_tcp_segment: new msgbuf %d: seq = %u, dnslen = %d, hole start = %d, hole len = %d", m,
tcpstate->msgbuf[m]->seq, tcpstate->msgbuf[m]->dnslen, tcpstate->msgbuf[m]->hole[0].start,
tcpstate->msgbuf[m]->hole[0].len);
/* copy segment to appropriate location in reassembly buffer */
memcpy(tcpstate->msgbuf[m]->buf, segment, len);
/* Now that we know the length of this message, we must check any held
* segments to see if they belong to it. */
ret = 0;
for (s = 0; s < MAX_TCP_SEGS; s++) {
if (!tcpstate->segbuf[s])
continue;
/* TODO: seq >= 0 */
if (tcpstate->segbuf[s]->seq - seq > 0 && tcpstate->segbuf[s]->seq - seq < dnslen) {
tcp_segbuf_t* segbuf = tcpstate->segbuf[s];
tcpstate->segbuf[s] = NULL;
dfprintf(1, "pcap_handle_tcp_segment: %s", "message reassembled");
ret |= pcap_handle_tcp_segment(segbuf->buf, segbuf->len, segbuf->seq, _tcpstate);
/*
* Note that our recursion will also cover any tail messages (I hope).
* Thus we do not need to do so here and can return.
*/
free(segbuf);
}
}
return ret;
}
/*
* Welcome to reassembly-land.
*/
/* find the message to which the first byte of this segment belongs */
for (m = 0; m < MAX_TCP_MSGS; m++) {
if (!tcpstate->msgbuf[m])
continue;
segoff = seq - tcpstate->msgbuf[m]->seq;
if (segoff >= 0 && segoff < tcpstate->msgbuf[m]->dnslen) {
/* segment starts in this msgbuf */
dfprintf(1, "pcap_handle_tcp_segment: seg matches msg %d: seq = %u, dnslen = %d",
m, tcpstate->msgbuf[m]->seq, tcpstate->msgbuf[m]->dnslen);
if (segoff + len > tcpstate->msgbuf[m]->dnslen) {
/* segment would overflow msgbuf */
seglen = tcpstate->msgbuf[m]->dnslen - segoff;
dfprintf(1, "pcap_handle_tcp_segment: using partial segment %d", seglen);
} else {
seglen = len;
}
break;
}
}
if (m >= MAX_TCP_MSGS) {
/* seg does not match any msgbuf; just hold on to it. */
dfprintf(1, "pcap_handle_tcp_segment: %s", "seg does not match any msgbuf");
if (seq - tcpstate->seq_start > MAX_TCP_WINDOW_SIZE) {
dfprintf(1, "pcap_handle_tcp_segment: %s %u %u", "seg is outside window; discarding", seq, tcpstate->seq_start);
return 1;
}
for (s = 0; s < MAX_TCP_SEGS; s++) {
if (tcpstate->segbuf[s])
continue;
tcpstate->segbuf[s] = calloc(1, sizeof(tcp_segbuf_t) + len);
tcpstate->segbuf[s]->seq = seq;
tcpstate->segbuf[s]->len = len;
memcpy(tcpstate->segbuf[s]->buf, segment, len);
dfprintf(1, "pcap_handle_tcp_segment: new segbuf %d: seq = %u, len = %d",
s, tcpstate->segbuf[s]->seq, tcpstate->segbuf[s]->len);
return 0;
}
dfprintf(1, "pcap_handle_tcp_segment: %s", "out of segbufs");
return 1;
}
/* Reassembly algorithm adapted from RFC 815. */
for (i = 0; i < MAX_TCP_HOLES; i++) {
tcphole_t* newhole;
uint16_t hole_start, hole_len;
if (tcpstate->msgbuf[m]->hole[i].len == 0)
continue; /* hole descriptor is not in use */
hole_start = tcpstate->msgbuf[m]->hole[i].start;
hole_len = tcpstate->msgbuf[m]->hole[i].len;
if (segoff >= hole_start + hole_len)
continue; /* segment is totally after hole */
if (segoff + seglen <= hole_start)
continue; /* segment is totally before hole */
/* The segment overlaps this hole. Delete the hole. */
dfprintf(1, "pcap_handle_tcp_segment: overlaping hole %d: %d %d", i, hole_start, hole_len);
tcpstate->msgbuf[m]->hole[i].len = 0;
tcpstate->msgbuf[m]->holes--;
if (segoff + seglen < hole_start + hole_len) {
/* create a new hole after the segment (common case) */
newhole = &tcpstate->msgbuf[m]->hole[i]; /* hole[i] is guaranteed free */
newhole->start = segoff + seglen;
newhole->len = (hole_start + hole_len) - newhole->start;
tcpstate->msgbuf[m]->holes++;
dfprintf(1, "pcap_handle_tcp_segment: new post-hole %d: %d %d", i, newhole->start, newhole->len);
}
if (segoff > hole_start) {
/* create a new hole before the segment */
int j;
for (j = 0; j < MAX_TCP_HOLES; j++) {
if (tcpstate->msgbuf[m]->hole[j].len == 0) {
newhole = &tcpstate->msgbuf[m]->hole[j];
break;
}
}
if (j >= MAX_TCP_HOLES) {
dfprintf(1, "pcap_handle_tcp_segment: %s", "out of hole descriptors");
return 1;
}
tcpstate->msgbuf[m]->holes++;
newhole->start = hole_start;
newhole->len = segoff - hole_start;
dfprintf(1, "pcap_handle_tcp_segment: new pre-hole %d: %d %d", j, newhole->start, newhole->len);
}
if (segoff >= hole_start && (hole_len == 0 || segoff + seglen < hole_start + hole_len)) {
/* The segment does not extend past hole boundaries; there is
* no need to look for other matching holes. */
break;
}
}
/* copy payload to appropriate location in reassembly buffer */
memcpy(&tcpstate->msgbuf[m]->buf[segoff], segment, seglen);
dfprintf(1, "pcap_handle_tcp_segment: holes remaining: %d", tcpstate->msgbuf[m]->holes);
ret = 0;
if (tcpstate->msgbuf[m]->holes == 0) {
/* We now have a completely reassembled dns message */
dfprintf(2, "pcap_handle_tcp_segment: %s", "reassembly to dns_protocol_handler");
ret |= dns_protocol_handler(tcpstate, tcpstate->msgbuf[m]->buf, tcpstate->msgbuf[m]->dnslen, tcpstate->msgbuf[m]->seq);
tcpstate->dnslen_bytes_seen_mask = 0; /* go back for another message in this tcp connection */
free(tcpstate->msgbuf[m]);
tcpstate->msgbuf[m] = NULL;
tcpstate->msgbufs--;
}
if (seglen < len) {
dfprintf(1, "pcap_handle_tcp_segment: %s", "segment tail after reassembly");
ret |= pcap_handle_tcp_segment(segment + seglen, len - seglen, seq + seglen, _tcpstate);
} else {
dfprintf(1, "pcap_handle_tcp_segment: %s", "nothing more after reassembly");
}
return ret;
}
void tcpreasm_free(tcpreasm_t* tcpreasm)
{
int i;
if (tcpreasm) {
for (i = 0; i < MAX_TCP_MSGS; i++) {
if (tcpreasm->msgbuf[i]) {
free(tcpreasm->msgbuf[i]);
}
}
for (i = 0; i < MAX_TCP_SEGS; i++) {
if (tcpreasm->segbuf[i]) {
free(tcpreasm->segbuf[i]);
}
if (tcpreasm->bfb_seg[i]) {
free(tcpreasm->bfb_seg[i]);
}
}
for (i = 0; i < MAX_TCP_DNS_MSG; i++) {
if (tcpreasm->dnsmsg[i]) {
free(tcpreasm->dnsmsg[i]);
}
}
free(tcpreasm->bfb_buf);
free(tcpreasm);
}
}
void tcpreasm_reset(tcpreasm_t* tcpreasm)
{
int i;
if (tcpreasm) {
for (i = 0; i < MAX_TCP_MSGS; i++) {
if (tcpreasm->msgbuf[i]) {
free(tcpreasm->msgbuf[i]);
}
}
for (i = 0; i < MAX_TCP_SEGS; i++) {
if (tcpreasm->segbuf[i]) {
free(tcpreasm->segbuf[i]);
}
if (tcpreasm->bfb_seg[i]) {
free(tcpreasm->bfb_seg[i]);
}
}
for (i = 0; i < MAX_TCP_DNS_MSG; i++) {
if (tcpreasm->dnsmsg[i]) {
free(tcpreasm->dnsmsg[i]);
}
}
memset(tcpreasm, 0, sizeof(tcpreasm_t));
}
}

44
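--- a/src/tcpreasm.h
+++ b/src/tcpreasm.h
@@ -0,0 +1,44 @@
+/*
+* Copyright (c) 2018-2021, OARC, Inc.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. Neither the name of the copyright holder nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "dnscap.h"
+#ifndef __dnscap_tcpreasm_h
+#define __dnscap_tcpreasm_h
+int pcap_handle_tcp_segment(u_char* segment, int len, uint32_t seq, tcpstate_ptr _tcpstate);
+void tcpreasm_free(tcpreasm_t* tcpreasm);
+void tcpreasm_reset(tcpreasm_t* tcpreasm);
+#endif /* __dnscap_tcpreasm_h */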
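Review bot: The three prototypes carry no contract comment, and the one callers most need is on `pcap_handle_tcp_segment`: in src/tcpreasm.c it returns 0 when the payload was handled or buffered and non-zero when it could not be stored (out of msgbufs, segbufs or hole descriptors, allocation failure, or a segment outside the window), with the results of its recursive calls OR-ed together. I would add `/* Feed one TCP payload segment into DNS reassembly; returns 0 on success, non-zero if data had to be dropped. */` above it. `tcpreasm_free` releases the struct itself, while `tcpreasm_reset` keeps it and memsets it to zero (the `bfb_buf` pointer included, without the `free` that `tcpreasm_free` does), which is worth a line each. The guard macro `__dnscap_tcpreasm_h`, like `__dnscap_tcpstate_h` in src/tcpstate.h, uses a name reserved for the implementation; `DNSCAP_TCPREASM_H` avoids that.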

141
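--- a/src/tcpstate.c
+++ b/src/tcpstate.c
@@ -0,0 +1,141 @@
+/*
+* Copyright (c) 2018-2021, OARC, Inc.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. Neither the name of the copyright holder nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "config.h"
+#include "tcpstate.h"
+#include "iaddr.h"
+#include "log.h"
+#include "tcpreasm.h"
+#define MAX_TCP_IDLE_TIME 600
+#define MAX_TCP_IDLE_COUNT 4096
+#define TCP_GC_TIME 60
+tcpstate_ptr tcpstate_find(iaddr from, iaddr to, unsigned sport, unsigned dport, time_t t)
+{
+static time_t next_gc = 0;
+tcpstate_ptr tcpstate;
+for (tcpstate = HEAD(tcpstates);
+tcpstate != NULL;
+tcpstate = NEXT(tcpstate, link)) {
+if (ia_equal(tcpstate->saddr, from) && ia_equal(tcpstate->daddr, to) && tcpstate->sport == sport && tcpstate->dport == dport)
+break;
+}
+if (tcpstate != NULL) {
+tcpstate->last_use = t;
+if (tcpstate != HEAD(tcpstates)) {
+/* move to beginning of list */
+UNLINK(tcpstates, tcpstate, link);
+PREPEND(tcpstates, tcpstate, link);
+}
+}
+if (t >= next_gc || tcpstate_count > MAX_TCP_IDLE_COUNT) {
+/* garbage collect stale states */
+time_t min_last_use = t - MAX_TCP_IDLE_TIME;
+while ((tcpstate = TAIL(tcpstates)) && tcpstate->last_use < min_last_use) {
+UNLINK(tcpstates, tcpstate, link);
+tcpstate_count--;
+}
+next_gc = t + TCP_GC_TIME;
+}
+return tcpstate;
+}
+tcpstate_ptr tcpstate_new(iaddr from, iaddr to, unsigned sport, unsigned dport)
+{
+tcpstate_ptr tcpstate = calloc(1, sizeof *tcpstate);
+if (tcpstate == NULL) {
+/* Out of memory; recycle the least recently used */
+logerr("warning: out of memory, "
+"discarding some TCP state early");
+tcpstate = TAIL(tcpstates);
+assert(tcpstate != NULL);
+} else {
+tcpstate_count++;
+}
+tcpstate->saddr = from;
+tcpstate->daddr = to;
+tcpstate->sport = sport;
+tcpstate->dport = dport;
+INIT_LINK(tcpstate, link);
+PREPEND(tcpstates, tcpstate, link);
+return tcpstate;
+}
+/* Discard this packet. If it's part of TCP stream, all subsequent pkts on
+* the same tcp stream will also be discarded. */
+void tcpstate_discard(tcpstate_ptr tcpstate, const char* msg)
+{
+if (dumptrace >= 3 && msg)
+fprintf(stderr, "discarding packet: %s\n", msg);
+if (tcpstate) {
+UNLINK(tcpstates, tcpstate, link);
+if (tcpstate->reasm) {
+tcpreasm_free(tcpstate->reasm);
+}
+free(tcpstate);
+tcpstate_count--;
+return;
+}
+}
+tcpstate_ptr _curr_tcpstate = 0;
+tcpstate_ptr tcpstate_getcurr(void)
+{
+return _curr_tcpstate;
+}
+void tcpstate_reset(tcpstate_ptr tcpstate, const char* msg)
+{
+if (options.allow_reset_tcpstate && tcpstate) {
+if (dumptrace >= 3 && msg)
+fprintf(stderr, "resetting tcpstate: %s\n", msg);
+tcpstate->start = tcpstate->currseq;
+tcpstate->maxdiff = 0;
+tcpstate->dnslen = 0;
+tcpstate->lastdns = tcpstate->currseq + tcpstate->currlen;
+if (tcpstate->reasm) {
+tcpreasm_reset(tcpstate->reasm);
+tcpstate->reasm->seq_start = tcpstate->start;
+}
+}
+}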
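Review bot: The garbage-collection loop in `tcpstate_find` reuses `tcpstate` as its cursor, so whenever collection runs the function returns whatever the loop stopped on (`TAIL(tcpstates)` or NULL) rather than the lookup result, and a caller can end up tracking one connection's segments against another connection's state. The entries the loop unlinks are also never freed, along with any `reasm` buffers they hold, so memory grows with the number of idle connections seen in captured traffic. A separate cursor that goes through the existing teardown fixes both: `tcpstate_ptr stale;` and `while ((stale = TAIL(tcpstates)) && stale->last_use < min_last_use) tcpstate_discard(stale, NULL);`. Whether anything else still holds a pointer to a stale entry (for instance `_curr_tcpstate`) is not visible here and should be checked before freeing. The out-of-memory path in `tcpstate_new` has a related problem: it recycles the tail entry without `UNLINK`ing it or releasing its `reasm` before `INIT_LINK`/`PREPEND`.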

46
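--- a/src/tcpstate.h
+++ b/src/tcpstate.h
@@ -0,0 +1,46 @@
+/*
+* Copyright (c) 2018-2021, OARC, Inc.
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or without
+* modification, are permitted provided that the following conditions
+* are met:
+*
+* 1. Redistributions of source code must retain the above copyright
+* notice, this list of conditions and the following disclaimer.
+*
+* 2. Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in
+* the documentation and/or other materials provided with the
+* distribution.
+*
+* 3. Neither the name of the copyright holder nor the names of its
+* contributors may be used to endorse or promote products derived
+* from this software without specific prior written permission.
+*
+* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*/
+#include "dnscap.h"
+#ifndef __dnscap_tcpstate_h
+#define __dnscap_tcpstate_h
+tcpstate_ptr tcpstate_find(iaddr from, iaddr to, unsigned sport, unsigned dport, time_t t);
+tcpstate_ptr tcpstate_new(iaddr from, iaddr to, unsigned sport, unsigned dport);
+void tcpstate_discard(tcpstate_ptr tcpstate, const char* msg);
+tcpstate_ptr tcpstate_getcurr(void);
+void tcpstate_reset(tcpstate_ptr tcpstate, const char* msg);
+#endif /* __dnscap_tcpstate_h */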
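Review bot: None of these prototypes documents ownership, and `tcpstate_discard` is the one where that matters: in src/tcpstate.c it unlinks and frees the state together with its `reasm`, so the pointer is dead once the call returns. I would add `/* Unlinks and frees tcpstate (and its reasm); the pointer must not be used afterwards. */` above it, and `/* Returns the state matching the 4-tuple, or NULL if there is none. */` above `tcpstate_find` as the intended contract. `tcpstate_reset` only acts when `options.allow_reset_tcpstate` is set, which is also worth stating next to the prototype.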

4
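--- a/src/test/.gitignore
+++ b/src/test/.gitignore
@@ -0,0 +1,4 @@
+dns.out
+dns.pcap.dist
+test*.log
+test*.trs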

BIN
src/test/1qtcpnosyn.pcap Normal file

Binary file not shown.

BIN
src/test/1qtcppadd.pcap Normal file

Binary file not shown.

68
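--- a/src/test/Makefile.am
+++ b/src/test/Makefile.am
@@ -0,0 +1,68 @@
+MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
+CLEANFILES = test*.log test*.trs \
+*.pcap-dist \
+dns.out \
+no-layers.out layers.out \
+frags.out \
+padding-no-layers.out padding-layers.out \
+vlan11.out \
+dnspad.out \
+test7.out test7.layer.out \
+test8.out \
+test9.out \
+test10.out \
+test11.out \
+test12.out test12.20161020.152301.075993.gz \
+test13.out \
+test14.out
+TESTS = test1.sh test2.sh test3.sh test4.sh test5.sh test6.sh test7.sh \
+test8.sh test9.sh test10.sh test11.sh test12.sh test13.sh test14.sh
+test1.sh: dns.pcap-dist
+test2.sh: dns.pcap-dist
+test3.sh: frags.pcap-dist
+test4.sh: 1qtcppadd.pcap-dist
+test5.sh: vlan11.pcap-dist
+test6.sh: dnspad.pcap-dist
+test7.sh: 1qtcpnosyn.pcap-dist dnso1tcp.pcap-dist \
+do1t-nosyn-1nolen.pcap-dist dnso1tcp-midmiss.pcap-dist
+test8.sh: dnsotcp-many1pkt.pcap-dist dnsotcp-manyopkts.pcap-dist \
+dnso1tcp-bighole.pcap-dist
+test9.sh: dns.pcap-dist
+test10.sh: dns6.pcap-dist
+test11.sh: dns.pcap-dist
+test12.sh: dns.pcap-dist
+test13.sh: dns.pcap-dist
+test14.sh: dns.pcap-dist
+.pcap.pcap-dist:
+cp "$<" "$@"
+EXTRA_DIST = $(TESTS) \
+dns.gold dns.pcap \
+frags.pcap \
+1qtcppadd.pcap \
+vlan11.gold vlan11.pcap \
+dnspad.gold dnspad.pcap \
+test7.gold 1qtcpnosyn.pcap dnso1tcp.pcap do1t-nosyn-1nolen.pcap \
+dnso1tcp-midmiss.pcap \
+test8.gold dnsotcp-many1pkt.pcap dnsotcp-manyopkts.pcap \
+dnso1tcp-bighole.pcap \
+test9.gold \
+dns6.pcap test10.gold \
+test14.gold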

714
src/test/dns.gold Normal file

@ -0,0 +1,714 @@
[56] 2016-10-20 15:23:01.075993 [#0 dns.pcap-dist 4095] \
[172.17.0.10].53199 [8.8.8.8].53 \
dns QUERY,NOERROR,59311,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:23:01.077982 [#1 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].53199 \
dns QUERY,NOERROR,59311,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,44,216.58.218.206 \
4 google.com.,IN,NS,157880,ns4.google.com. \
google.com.,IN,NS,157880,ns3.google.com. \
google.com.,IN,NS,157880,ns1.google.com. \
google.com.,IN,NS,157880,ns2.google.com. \
4 ns2.google.com.,IN,A,157880,216.239.34.10 \
ns1.google.com.,IN,A,331882,216.239.32.10 \
ns3.google.com.,IN,A,157880,216.239.36.10 \
ns4.google.com.,IN,A,157880,216.239.38.10
[73] 2016-10-20 15:23:01.082865 [#2 dns.pcap-dist 4095] \
[172.17.0.10].57822 [8.8.8.8].53 \
dns QUERY,NOERROR,35665,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:23:01.084107 [#3 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].57822 \
dns QUERY,NOERROR,35665,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
4 ns1.google.com.,IN,A,331882,216.239.32.10 \
ns3.google.com.,IN,A,157880,216.239.36.10 \
ns4.google.com.,IN,A,157880,216.239.38.10 \
ns2.google.com.,IN,A,157880,216.239.34.10
[56] 2016-10-20 15:23:01.087291 [#4 dns.pcap-dist 4095] \
[172.17.0.10].40043 [8.8.8.8].53 \
dns QUERY,NOERROR,5337,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:23:01.088733 [#5 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].40043 \
dns QUERY,NOERROR,5337,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,44,216.58.218.206 \
4 google.com.,IN,NS,157880,ns1.google.com. \
google.com.,IN,NS,157880,ns2.google.com. \
google.com.,IN,NS,157880,ns3.google.com. \
google.com.,IN,NS,157880,ns4.google.com. \
4 ns2.google.com.,IN,A,157880,216.239.34.10 \
ns1.google.com.,IN,A,331882,216.239.32.10 \
ns3.google.com.,IN,A,157880,216.239.36.10 \
ns4.google.com.,IN,A,157880,216.239.38.10
[56] 2016-10-20 15:23:10.322117 [#6 dns.pcap-dist 4095] \
[172.17.0.10].37953 [8.8.8.8].53 \
dns QUERY,NOERROR,22982,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:23:10.323399 [#7 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].37953 \
dns QUERY,NOERROR,22982,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,34,216.58.218.206 \
4 google.com.,IN,NS,157870,ns4.google.com. \
google.com.,IN,NS,157870,ns1.google.com. \
google.com.,IN,NS,157870,ns2.google.com. \
google.com.,IN,NS,157870,ns3.google.com. \
4 ns2.google.com.,IN,A,157870,216.239.34.10 \
ns1.google.com.,IN,A,331872,216.239.32.10 \
ns3.google.com.,IN,A,157870,216.239.36.10 \
ns4.google.com.,IN,A,157870,216.239.38.10
[73] 2016-10-20 15:23:10.328324 [#8 dns.pcap-dist 4095] \
[172.17.0.10].48658 [8.8.8.8].53 \
dns QUERY,NOERROR,18718,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:23:10.329572 [#9 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].48658 \
dns QUERY,NOERROR,18718,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
4 ns1.google.com.,IN,A,331872,216.239.32.10 \
ns3.google.com.,IN,A,157870,216.239.36.10 \
ns4.google.com.,IN,A,157870,216.239.38.10 \
ns2.google.com.,IN,A,157870,216.239.34.10
[56] 2016-10-20 15:23:52.860937 [#10 dns.pcap-dist 4095] \
[172.17.0.10].40953 [8.8.8.8].53 \
dns QUERY,NOERROR,22531,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:23:52.863771 [#11 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].40953 \
dns QUERY,NOERROR,22531,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,297,216.58.218.206 \
4 google.com.,IN,NS,157828,ns2.google.com. \
google.com.,IN,NS,157828,ns4.google.com. \
google.com.,IN,NS,157828,ns1.google.com. \
google.com.,IN,NS,157828,ns3.google.com. \
4 ns2.google.com.,IN,A,157828,216.239.34.10 \
ns1.google.com.,IN,A,331830,216.239.32.10 \
ns3.google.com.,IN,A,157828,216.239.36.10 \
ns4.google.com.,IN,A,157828,216.239.38.10
[56] 2016-10-20 15:23:59.083869 [#12 dns.pcap-dist 4095] \
[172.17.0.10].45174 [8.8.8.8].53 \
dns QUERY,NOERROR,58510,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:23:59.086104 [#13 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].45174 \
dns QUERY,NOERROR,58510,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,291,216.58.218.206 \
4 google.com.,IN,NS,157822,ns2.google.com. \
google.com.,IN,NS,157822,ns3.google.com. \
google.com.,IN,NS,157822,ns1.google.com. \
google.com.,IN,NS,157822,ns4.google.com. \
4 ns2.google.com.,IN,A,157822,216.239.34.10 \
ns1.google.com.,IN,A,331824,216.239.32.10 \
ns3.google.com.,IN,A,157822,216.239.36.10 \
ns4.google.com.,IN,A,157822,216.239.38.10
[73] 2016-10-20 15:23:59.090911 [#14 dns.pcap-dist 4095] \
[172.17.0.10].33916 [8.8.8.8].53 \
dns QUERY,NOERROR,45248,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:23:59.092204 [#15 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].33916 \
dns QUERY,NOERROR,45248,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
4 ns1.google.com.,IN,A,331824,216.239.32.10 \
ns3.google.com.,IN,A,157822,216.239.36.10 \
ns4.google.com.,IN,A,157822,216.239.38.10 \
ns2.google.com.,IN,A,157822,216.239.34.10
[56] 2016-10-20 15:24:04.323868 [#16 dns.pcap-dist 4095] \
[172.17.0.10].43559 [8.8.8.8].53 \
dns QUERY,NOERROR,49483,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:04.325597 [#17 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].43559 \
dns QUERY,NOERROR,49483,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,285,216.58.218.206 \
4 google.com.,IN,NS,157816,ns4.google.com. \
google.com.,IN,NS,157816,ns3.google.com. \
google.com.,IN,NS,157816,ns1.google.com. \
google.com.,IN,NS,157816,ns2.google.com. \
4 ns2.google.com.,IN,A,157816,216.239.34.10 \
ns1.google.com.,IN,A,331818,216.239.32.10 \
ns3.google.com.,IN,A,157816,216.239.36.10 \
ns4.google.com.,IN,A,157816,216.239.38.10
[56] 2016-10-20 15:24:06.332239 [#18 dns.pcap-dist 4095] \
[172.17.0.10].54859 [8.8.8.8].53 \
dns QUERY,NOERROR,31669,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:06.333743 [#19 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].54859 \
dns QUERY,NOERROR,31669,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,283,216.58.218.206 \
4 google.com.,IN,NS,157814,ns2.google.com. \
google.com.,IN,NS,157814,ns1.google.com. \
google.com.,IN,NS,157814,ns4.google.com. \
google.com.,IN,NS,157814,ns3.google.com. \
4 ns2.google.com.,IN,A,157814,216.239.34.10 \
ns1.google.com.,IN,A,331816,216.239.32.10 \
ns3.google.com.,IN,A,157814,216.239.36.10 \
ns4.google.com.,IN,A,157814,216.239.38.10
[73] 2016-10-20 15:24:06.339145 [#20 dns.pcap-dist 4095] \
[172.17.0.10].58176 [8.8.8.8].53 \
dns QUERY,NOERROR,25433,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:06.340820 [#21 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].58176 \
dns QUERY,NOERROR,25433,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
4 ns1.google.com.,IN,A,331816,216.239.32.10 \
ns3.google.com.,IN,A,157814,216.239.36.10 \
ns4.google.com.,IN,A,157814,216.239.38.10 \
ns2.google.com.,IN,A,157814,216.239.34.10
[56] 2016-10-20 15:24:07.346429 [#22 dns.pcap-dist 4095] \
[172.17.0.10].41266 [8.8.8.8].53 \
dns QUERY,NOERROR,63798,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:07.348160 [#23 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].41266 \
dns QUERY,NOERROR,63798,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,282,216.58.218.206 \
4 google.com.,IN,NS,157813,ns4.google.com. \
google.com.,IN,NS,157813,ns1.google.com. \
google.com.,IN,NS,157813,ns3.google.com. \
google.com.,IN,NS,157813,ns2.google.com. \
4 ns2.google.com.,IN,A,157813,216.239.34.10 \
ns1.google.com.,IN,A,331815,216.239.32.10 \
ns3.google.com.,IN,A,157813,216.239.36.10 \
ns4.google.com.,IN,A,157813,216.239.38.10
[73] 2016-10-20 15:24:07.353123 [#24 dns.pcap-dist 4095] \
[172.17.0.10].34607 [8.8.8.8].53 \
dns QUERY,NOERROR,8470,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:07.354682 [#25 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].34607 \
dns QUERY,NOERROR,8470,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
4 ns1.google.com.,IN,A,331815,216.239.32.10 \
ns3.google.com.,IN,A,157813,216.239.36.10 \
ns4.google.com.,IN,A,157813,216.239.38.10 \
ns2.google.com.,IN,A,157813,216.239.34.10
[56] 2016-10-20 15:24:08.360528 [#26 dns.pcap-dist 4095] \
[172.17.0.10].60437 [8.8.8.8].53 \
dns QUERY,NOERROR,60258,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:08.362206 [#27 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].60437 \
dns QUERY,NOERROR,60258,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,281,216.58.218.206 \
4 google.com.,IN,NS,157812,ns3.google.com. \
google.com.,IN,NS,157812,ns2.google.com. \
google.com.,IN,NS,157812,ns4.google.com. \
google.com.,IN,NS,157812,ns1.google.com. \
4 ns2.google.com.,IN,A,157812,216.239.34.10 \
ns1.google.com.,IN,A,331814,216.239.32.10 \
ns3.google.com.,IN,A,157812,216.239.36.10 \
ns4.google.com.,IN,A,157812,216.239.38.10
[73] 2016-10-20 15:24:08.368516 [#28 dns.pcap-dist 4095] \
[172.17.0.10].37149 [8.8.8.8].53 \
dns QUERY,NOERROR,44985,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:08.370119 [#29 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].37149 \
dns QUERY,NOERROR,44985,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
4 ns1.google.com.,IN,A,331814,216.239.32.10 \
ns3.google.com.,IN,A,157812,216.239.36.10 \
ns4.google.com.,IN,A,157812,216.239.38.10 \
ns2.google.com.,IN,A,157812,216.239.34.10
[56] 2016-10-20 15:24:09.375942 [#30 dns.pcap-dist 4095] \
[172.17.0.10].53820 [8.8.8.8].53 \
dns QUERY,NOERROR,45512,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:09.378425 [#31 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].53820 \
dns QUERY,NOERROR,45512,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,280,216.58.218.206 \
4 google.com.,IN,NS,157811,ns3.google.com. \
google.com.,IN,NS,157811,ns4.google.com. \
google.com.,IN,NS,157811,ns1.google.com. \
google.com.,IN,NS,157811,ns2.google.com. \
4 ns2.google.com.,IN,A,157811,216.239.34.10 \
ns1.google.com.,IN,A,331813,216.239.32.10 \
ns3.google.com.,IN,A,157811,216.239.36.10 \
ns4.google.com.,IN,A,157811,216.239.38.10
[73] 2016-10-20 15:24:09.384057 [#32 dns.pcap-dist 4095] \
[172.17.0.10].52368 [8.8.8.8].53 \
dns QUERY,NOERROR,22980,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:09.385463 [#33 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].52368 \
dns QUERY,NOERROR,22980,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
4 ns1.google.com.,IN,A,331813,216.239.32.10 \
ns3.google.com.,IN,A,157811,216.239.36.10 \
ns4.google.com.,IN,A,157811,216.239.38.10 \
ns2.google.com.,IN,A,157811,216.239.34.10
[56] 2016-10-20 15:24:10.391358 [#34 dns.pcap-dist 4095] \
[172.17.0.10].47637 [8.8.8.8].53 \
dns QUERY,NOERROR,1834,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:10.392886 [#35 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].47637 \
dns QUERY,NOERROR,1834,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,279,216.58.218.206 \
4 google.com.,IN,NS,157810,ns1.google.com. \
google.com.,IN,NS,157810,ns2.google.com. \
google.com.,IN,NS,157810,ns4.google.com. \
google.com.,IN,NS,157810,ns3.google.com. \
4 ns2.google.com.,IN,A,157810,216.239.34.10 \
ns1.google.com.,IN,A,331812,216.239.32.10 \
ns3.google.com.,IN,A,157810,216.239.36.10 \
ns4.google.com.,IN,A,157810,216.239.38.10
[73] 2016-10-20 15:24:10.398099 [#36 dns.pcap-dist 4095] \
[172.17.0.10].34426 [8.8.8.8].53 \
dns QUERY,NOERROR,25431,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:10.400317 [#37 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].34426 \
dns QUERY,NOERROR,25431,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
4 ns1.google.com.,IN,A,331812,216.239.32.10 \
ns3.google.com.,IN,A,157810,216.239.36.10 \
ns4.google.com.,IN,A,157810,216.239.38.10 \
ns2.google.com.,IN,A,157810,216.239.34.10
[56] 2016-10-20 15:24:11.406297 [#38 dns.pcap-dist 4095] \
[172.17.0.10].41059 [8.8.8.8].53 \
dns QUERY,NOERROR,48432,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:11.407460 [#39 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].41059 \
dns QUERY,NOERROR,48432,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,278,216.58.218.206 \
4 google.com.,IN,NS,157809,ns3.google.com. \
google.com.,IN,NS,157809,ns4.google.com. \
google.com.,IN,NS,157809,ns2.google.com. \
google.com.,IN,NS,157809,ns1.google.com. \
4 ns2.google.com.,IN,A,157809,216.239.34.10 \
ns1.google.com.,IN,A,331811,216.239.32.10 \
ns3.google.com.,IN,A,157809,216.239.36.10 \
ns4.google.com.,IN,A,157809,216.239.38.10
[73] 2016-10-20 15:24:11.412133 [#40 dns.pcap-dist 4095] \
[172.17.0.10].51181 [8.8.8.8].53 \
dns QUERY,NOERROR,47411,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:11.413370 [#41 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].51181 \
dns QUERY,NOERROR,47411,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
4 ns1.google.com.,IN,A,331811,216.239.32.10 \
ns3.google.com.,IN,A,157809,216.239.36.10 \
ns4.google.com.,IN,A,157809,216.239.38.10 \
ns2.google.com.,IN,A,157809,216.239.34.10
[56] 2016-10-20 15:24:12.419936 [#42 dns.pcap-dist 4095] \
[172.17.0.10].32976 [8.8.8.8].53 \
dns QUERY,NOERROR,12038,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:12.421228 [#43 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].32976 \
dns QUERY,NOERROR,12038,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,277,216.58.218.206 \
4 google.com.,IN,NS,157808,ns2.google.com. \
google.com.,IN,NS,157808,ns3.google.com. \
google.com.,IN,NS,157808,ns1.google.com. \
google.com.,IN,NS,157808,ns4.google.com. \
4 ns2.google.com.,IN,A,157808,216.239.34.10 \
ns1.google.com.,IN,A,331810,216.239.32.10 \
ns3.google.com.,IN,A,157808,216.239.36.10 \
ns4.google.com.,IN,A,157808,216.239.38.10
[56] 2016-10-20 15:24:14.428524 [#44 dns.pcap-dist 4095] \
[172.17.0.10].53467 [8.8.8.8].53 \
dns QUERY,NOERROR,11614,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:14.429863 [#45 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].53467 \
dns QUERY,NOERROR,11614,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,275,216.58.218.206 \
4 google.com.,IN,NS,157806,ns3.google.com. \
google.com.,IN,NS,157806,ns1.google.com. \
google.com.,IN,NS,157806,ns4.google.com. \
google.com.,IN,NS,157806,ns2.google.com. \
4 ns2.google.com.,IN,A,157806,216.239.34.10 \
ns1.google.com.,IN,A,331808,216.239.32.10 \
ns3.google.com.,IN,A,157806,216.239.36.10 \
ns4.google.com.,IN,A,157806,216.239.38.10
[56] 2016-10-20 15:24:16.435733 [#46 dns.pcap-dist 4095] \
[172.17.0.10].41532 [8.8.8.8].53 \
dns QUERY,NOERROR,59173,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:16.437471 [#47 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].41532 \
dns QUERY,NOERROR,59173,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,273,216.58.218.206 \
4 google.com.,IN,NS,157804,ns1.google.com. \
google.com.,IN,NS,157804,ns3.google.com. \
google.com.,IN,NS,157804,ns2.google.com. \
google.com.,IN,NS,157804,ns4.google.com. \
4 ns2.google.com.,IN,A,157804,216.239.34.10 \
ns1.google.com.,IN,A,331806,216.239.32.10 \
ns3.google.com.,IN,A,157804,216.239.36.10 \
ns4.google.com.,IN,A,157804,216.239.38.10
[56] 2016-10-20 15:24:18.445519 [#48 dns.pcap-dist 4095] \
[172.17.0.10].44982 [8.8.8.8].53 \
dns QUERY,NOERROR,45535,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:18.446775 [#49 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].44982 \
dns QUERY,NOERROR,45535,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,271,216.58.218.206 \
4 google.com.,IN,NS,157802,ns4.google.com. \
google.com.,IN,NS,157802,ns2.google.com. \
google.com.,IN,NS,157802,ns1.google.com. \
google.com.,IN,NS,157802,ns3.google.com. \
4 ns2.google.com.,IN,A,157802,216.239.34.10 \
ns1.google.com.,IN,A,331804,216.239.32.10 \
ns3.google.com.,IN,A,157802,216.239.36.10 \
ns4.google.com.,IN,A,157802,216.239.38.10
[73] 2016-10-20 15:24:18.452451 [#50 dns.pcap-dist 4095] \
[172.17.0.10].40224 [8.8.8.8].53 \
dns QUERY,NOERROR,60808,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:18.454030 [#51 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].40224 \
dns QUERY,NOERROR,60808,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
4 ns1.google.com.,IN,A,331804,216.239.32.10 \
ns3.google.com.,IN,A,157802,216.239.36.10 \
ns4.google.com.,IN,A,157802,216.239.38.10 \
ns2.google.com.,IN,A,157802,216.239.34.10
[56] 2016-10-20 15:24:19.460087 [#52 dns.pcap-dist 4095] \
[172.17.0.10].45658 [8.8.8.8].53 \
dns QUERY,NOERROR,64325,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:19.462224 [#53 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].45658 \
dns QUERY,NOERROR,64325,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,270,216.58.218.206 \
4 google.com.,IN,NS,157801,ns1.google.com. \
google.com.,IN,NS,157801,ns3.google.com. \
google.com.,IN,NS,157801,ns4.google.com. \
google.com.,IN,NS,157801,ns2.google.com. \
4 ns2.google.com.,IN,A,157801,216.239.34.10 \
ns1.google.com.,IN,A,331803,216.239.32.10 \
ns3.google.com.,IN,A,157801,216.239.36.10 \
ns4.google.com.,IN,A,157801,216.239.38.10
[73] 2016-10-20 15:24:19.467324 [#54 dns.pcap-dist 4095] \
[172.17.0.10].60457 [8.8.8.8].53 \
dns QUERY,NOERROR,25543,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:19.468895 [#55 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].60457 \
dns QUERY,NOERROR,25543,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
4 ns1.google.com.,IN,A,331803,216.239.32.10 \
ns3.google.com.,IN,A,157801,216.239.36.10 \
ns4.google.com.,IN,A,157801,216.239.38.10 \
ns2.google.com.,IN,A,157801,216.239.34.10
[56] 2016-10-20 15:24:20.475086 [#56 dns.pcap-dist 4095] \
[172.17.0.10].59762 [8.8.8.8].53 \
dns QUERY,NOERROR,20736,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:20.476841 [#57 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].59762 \
dns QUERY,NOERROR,20736,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,269,216.58.218.206 \
4 google.com.,IN,NS,157800,ns3.google.com. \
google.com.,IN,NS,157800,ns1.google.com. \
google.com.,IN,NS,157800,ns4.google.com. \
google.com.,IN,NS,157800,ns2.google.com. \
4 ns2.google.com.,IN,A,157800,216.239.34.10 \
ns1.google.com.,IN,A,331802,216.239.32.10 \
ns3.google.com.,IN,A,157800,216.239.36.10 \
ns4.google.com.,IN,A,157800,216.239.38.10
[73] 2016-10-20 15:24:20.482188 [#58 dns.pcap-dist 4095] \
[172.17.0.10].56022 [8.8.8.8].53 \
dns QUERY,NOERROR,25911,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:20.483927 [#59 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].56022 \
dns QUERY,NOERROR,25911,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
4 ns1.google.com.,IN,A,331802,216.239.32.10 \
ns3.google.com.,IN,A,157800,216.239.36.10 \
ns4.google.com.,IN,A,157800,216.239.38.10 \
ns2.google.com.,IN,A,157800,216.239.34.10
[56] 2016-10-20 15:24:21.489468 [#60 dns.pcap-dist 4095] \
[172.17.0.10].37669 [8.8.8.8].53 \
dns QUERY,NOERROR,64358,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:21.490573 [#61 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].37669 \
dns QUERY,NOERROR,64358,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,268,216.58.218.206 \
4 google.com.,IN,NS,157799,ns2.google.com. \
google.com.,IN,NS,157799,ns1.google.com. \
google.com.,IN,NS,157799,ns4.google.com. \
google.com.,IN,NS,157799,ns3.google.com. \
4 ns2.google.com.,IN,A,157799,216.239.34.10 \
ns1.google.com.,IN,A,331801,216.239.32.10 \
ns3.google.com.,IN,A,157799,216.239.36.10 \
ns4.google.com.,IN,A,157799,216.239.38.10
[73] 2016-10-20 15:24:21.495324 [#62 dns.pcap-dist 4095] \
[172.17.0.10].42978 [8.8.8.8].53 \
dns QUERY,NOERROR,37698,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:21.496815 [#63 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].42978 \
dns QUERY,NOERROR,37698,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
4 ns1.google.com.,IN,A,331801,216.239.32.10 \
ns3.google.com.,IN,A,157799,216.239.36.10 \
ns4.google.com.,IN,A,157799,216.239.38.10 \
ns2.google.com.,IN,A,157799,216.239.34.10
[56] 2016-10-20 15:24:22.502667 [#64 dns.pcap-dist 4095] \
[172.17.0.10].49829 [8.8.8.8].53 \
dns QUERY,NOERROR,54706,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:22.504738 [#65 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].49829 \
dns QUERY,NOERROR,54706,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,267,216.58.218.206 \
4 google.com.,IN,NS,157798,ns2.google.com. \
google.com.,IN,NS,157798,ns4.google.com. \
google.com.,IN,NS,157798,ns3.google.com. \
google.com.,IN,NS,157798,ns1.google.com. \
4 ns2.google.com.,IN,A,157798,216.239.34.10 \
ns1.google.com.,IN,A,331800,216.239.32.10 \
ns3.google.com.,IN,A,157798,216.239.36.10 \
ns4.google.com.,IN,A,157798,216.239.38.10
[73] 2016-10-20 15:24:22.510176 [#66 dns.pcap-dist 4095] \
[172.17.0.10].50599 [8.8.8.8].53 \
dns QUERY,NOERROR,32142,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:22.511746 [#67 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].50599 \
dns QUERY,NOERROR,32142,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
4 ns1.google.com.,IN,A,331800,216.239.32.10 \
ns3.google.com.,IN,A,157798,216.239.36.10 \
ns4.google.com.,IN,A,157798,216.239.38.10 \
ns2.google.com.,IN,A,157798,216.239.34.10
[56] 2016-10-20 15:24:23.520203 [#68 dns.pcap-dist 4095] \
[172.17.0.10].44980 [8.8.8.8].53 \
dns QUERY,NOERROR,41808,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:23.521976 [#69 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].44980 \
dns QUERY,NOERROR,41808,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,266,216.58.218.206 \
4 google.com.,IN,NS,157797,ns2.google.com. \
google.com.,IN,NS,157797,ns4.google.com. \
google.com.,IN,NS,157797,ns1.google.com. \
google.com.,IN,NS,157797,ns3.google.com. \
4 ns2.google.com.,IN,A,157797,216.239.34.10 \
ns1.google.com.,IN,A,331799,216.239.32.10 \
ns3.google.com.,IN,A,157797,216.239.36.10 \
ns4.google.com.,IN,A,157797,216.239.38.10
[73] 2016-10-20 15:24:23.527449 [#70 dns.pcap-dist 4095] \
[172.17.0.10].60063 [8.8.8.8].53 \
dns QUERY,NOERROR,18886,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:23.529385 [#71 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].60063 \
dns QUERY,NOERROR,18886,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
4 ns1.google.com.,IN,A,331799,216.239.32.10 \
ns3.google.com.,IN,A,157797,216.239.36.10 \
ns4.google.com.,IN,A,157797,216.239.38.10 \
ns2.google.com.,IN,A,157797,216.239.34.10
[56] 2016-10-20 15:24:24.537264 [#72 dns.pcap-dist 4095] \
[172.17.0.10].42042 [8.8.8.8].53 \
dns QUERY,NOERROR,10624,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:24.539398 [#73 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].42042 \
dns QUERY,NOERROR,10624,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,265,216.58.218.206 \
4 google.com.,IN,NS,157796,ns3.google.com. \
google.com.,IN,NS,157796,ns4.google.com. \
google.com.,IN,NS,157796,ns1.google.com. \
google.com.,IN,NS,157796,ns2.google.com. \
4 ns2.google.com.,IN,A,157796,216.239.34.10 \
ns1.google.com.,IN,A,331798,216.239.32.10 \
ns3.google.com.,IN,A,157796,216.239.36.10 \
ns4.google.com.,IN,A,157796,216.239.38.10
[73] 2016-10-20 15:24:24.544538 [#74 dns.pcap-dist 4095] \
[172.17.0.10].60469 [8.8.8.8].53 \
dns QUERY,NOERROR,33139,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:24.546172 [#75 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].60469 \
dns QUERY,NOERROR,33139,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
4 ns1.google.com.,IN,A,331798,216.239.32.10 \
ns3.google.com.,IN,A,157796,216.239.36.10 \
ns4.google.com.,IN,A,157796,216.239.38.10 \
ns2.google.com.,IN,A,157796,216.239.34.10
[56] 2016-10-20 15:24:25.554744 [#76 dns.pcap-dist 4095] \
[172.17.0.10].45703 [8.8.8.8].53 \
dns QUERY,NOERROR,61415,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:25.556513 [#77 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].45703 \
dns QUERY,NOERROR,61415,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,264,216.58.218.206 \
4 google.com.,IN,NS,157795,ns3.google.com. \
google.com.,IN,NS,157795,ns4.google.com. \
google.com.,IN,NS,157795,ns2.google.com. \
google.com.,IN,NS,157795,ns1.google.com. \
4 ns2.google.com.,IN,A,157795,216.239.34.10 \
ns1.google.com.,IN,A,331797,216.239.32.10 \
ns3.google.com.,IN,A,157795,216.239.36.10 \
ns4.google.com.,IN,A,157795,216.239.38.10
[73] 2016-10-20 15:24:25.562608 [#78 dns.pcap-dist 4095] \
[172.17.0.10].33507 [8.8.8.8].53 \
dns QUERY,NOERROR,59258,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:25.564509 [#79 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].33507 \
dns QUERY,NOERROR,59258,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
4 ns1.google.com.,IN,A,331797,216.239.32.10 \
ns3.google.com.,IN,A,157795,216.239.36.10 \
ns4.google.com.,IN,A,157795,216.239.38.10 \
ns2.google.com.,IN,A,157795,216.239.34.10
[56] 2016-10-20 15:24:26.572784 [#80 dns.pcap-dist 4095] \
[172.17.0.10].46798 [8.8.8.8].53 \
dns QUERY,NOERROR,17700,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:26.574350 [#81 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].46798 \
dns QUERY,NOERROR,17700,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,263,216.58.218.206 \
4 google.com.,IN,NS,157794,ns1.google.com. \
google.com.,IN,NS,157794,ns4.google.com. \
google.com.,IN,NS,157794,ns3.google.com. \
google.com.,IN,NS,157794,ns2.google.com. \
4 ns2.google.com.,IN,A,157794,216.239.34.10 \
ns1.google.com.,IN,A,331796,216.239.32.10 \
ns3.google.com.,IN,A,157794,216.239.36.10 \
ns4.google.com.,IN,A,157794,216.239.38.10

BIN
src/test/dns.pcap Normal file

Binary file not shown.

BIN
src/test/dns6.pcap Normal file

Binary file not shown.

Binary file not shown.

Binary file not shown.

BIN
src/test/dnso1tcp.pcap Normal file

Binary file not shown.

Binary file not shown.

Binary file not shown.

8
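--- /dev/null
+++ b/src/test/dnspad.gold
@@ -0,0 +1,8 @@
+[59] 2016-10-20 15:23:01.075993 [#0 dnspad.pcap-dist 4095] \
+[172.17.0.10].53199 [8.8.8.8].53 \
+dns QUERY,NOERROR,59311,rd \
+1 google.com.,IN,A 0 0 0
+[59] 2016-10-20 15:23:01.075993 [#0 dnspad.pcap-dist 4095] \
+[172.17.0.10].53199 [8.8.8.8].53 \
+dns QUERY,NOERROR,59311,rd \
+1 google.com.,IN,A 0 0 0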

BIN
src/test/dnspad.pcap Normal file

Binary file not shown.

Binary file not shown.

BIN
src/test/frags.pcap Normal file

Binary file not shown.

9
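--- /dev/null
+++ b/src/test/test1.sh
@@ -0,0 +1,9 @@
+#!/bin/sh -xe
+../dnscap -g -r dns.pcap-dist 2>dns.out
+mv dns.out dns.out.old
+grep -v "^libgcov profiling error:" dns.out.old > dns.out
+rm dns.out.old
+diff dns.out "$srcdir/dns.gold"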

22
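--- /dev/null
+++ b/src/test/test10.gold
@@ -0,0 +1,22 @@
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+[2a01:3f0:0:57::245].51972 [2001:4860:4860::8888].53 \
+dns QUERY,NOERROR,51420,rd|ad \
+1 google.com.,IN,A 0 0 \
+1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+[2001:4860:4860::8888].53 [2a01:3f0:0:57::245].51972 \
+dns QUERY,NOERROR,51420,qr|rd|ra \
+1 google.com.,IN,A \
+1 google.com.,IN,A,299,172.217.20.46 0 \
+1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
+[87] 2018-11-27 15:52:00.414188 [#0 dns6.pcap-dist 4095] \
+[2a01:3f0:0:57::245].51972 [2001:4860:4860::8888].53 \
+dns QUERY,NOERROR,51420,rd|ad \
+1 google.com.,IN,A 0 0 \
+1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0]
+[103] 2018-11-27 15:52:00.428453 [#1 dns6.pcap-dist 4095] \
+[2001:4860:4860::8888].53 [2a01:3f0:0:57::245].51972 \
+dns QUERY,NOERROR,51420,qr|rd|ra \
+1 google.com.,IN,A \
+1 google.com.,IN,A,299,172.217.20.46 0 \
+1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]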

6
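--- /dev/null
+++ b/src/test/test10.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -xe
+../dnscap -r dns6.pcap-dist -g 2>test10.out
+../dnscap -r dns6.pcap-dist -o use_layers=yes -g 2>>test10.out
+diff test10.out "$srcdir/test10.gold"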

79
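--- /dev/null
+++ b/src/test/test11.sh
@@ -0,0 +1,79 @@
+#!/bin/sh -xe
+../dnscap -?
+! ../dnscap -j
+! ../dnscap -o testing
+! ../dnscap -o testing=
+! ../dnscap -o testing=a
+../dnscap -o user=user -o user=user -o group=group -o group=group \
+-o dump_format=pcap -o dump_format=cbor -o dump_format=cds \
+-F pcap -F cbor -F cds \
+-?
+../dnscap -b -N -p -d -1 -I -i fake -m q -m u -m n -s i -s r -h i -h r \
+-e n -e y -e t -e f -e s -e x -e i -e r -w - -W a -W a -t 1 -c 1 -C 1 \
+-x '.*' -S -U fake -U fake -M -D -?
+../dnscap -w fake -k false -?
+! ../dnscap -m X
+! ../dnscap -s X
+! ../dnscap -h X
+! ../dnscap -e X
+! ../dnscap -k false
+! ../dnscap -F invalid
+! ../dnscap -t invalid
+! ../dnscap -c invalid
+! ../dnscap -C invalid
+! ../dnscap -x '('
+! ../dnscap -B invalid
+! ../dnscap -E invalid
+! ../dnscap -P invalid
+if ! ../dnscap -y -? 2>test11.out; then
+grep -qF "seccomp-bpf not enabled" test11.out
+fi
+! ../dnscap -w fake -o use_layers=yes
+! ../dnscap -g -f -h i
+! ../dnscap -g -l 1 -L 1
+! ../dnscap -g -b -d -g
+! ../dnscap -g -b -g
+! ../dnscap -g -B "2020-01-01 00:00:00" -E "2019-01-01 00:00:00"
+! ../dnscap -g -o defrag_ipv4=yes
+! ../dnscap -g -o defrag_ipv6=yes
+! ../dnscap -g -o reassemble_tcp_bfbparsedns=yes
+../dnscap -V
+../dnscap -r dns.pcap-dist -g -ddddd
+../dnscap -r dns.pcap-dist -x '.*' -X '.*' -g -ddddd
+! ../dnscap -r dns.pcap-dist -i fake 2>test11.out
+cat test11.out
+grep -qF -- "-i makes no sense after -r" test11.out
+! ../dnscap -i fake -r dns.pcap-dist 2>test11.out
+cat test11.out
+grep -qF -- "-r makes no sense after -i" test11.out
+all_opts=
+for opt in cbor_chunk_size cds_cbor_size cds_message_size cds_max_rlabels \
+cds_min_rlabel_size cds_rdata_index_min_size cds_rdata_rindex_size \
+cds_rdata_rindex_min_size pcap_buffer_size max_ipv4_fragments \
+max_ipv6_fragments max_ipv6_fragments_per_packet reassemble_tcp_faultreset; \
+do
+! ../dnscap -o "$opt=0"
+all_opts="$all_opts -o $opt=1"
+done
+../dnscap $all_opts -?
+all_opts=
+for opt in cds_use_rdata_rindex cds_use_rdata_index defrag_ipv6 \
+reassemble_tcp_bfbparsedns bpf_hosts_apply_all; \
+do
+! ../dnscap -o "$opt=f"
+all_opts="$all_opts -o $opt=yes"
+done
+../dnscap $all_opts -?
+! ../dnscap -l 0 -l 4095 -l 4096
+! ../dnscap -L 0 -L 4095 -L 4096
+! ../dnscap -u 5353 -u 65536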
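Review bot: The bare `! ../dnscap …` checks (from `! ../dnscap -j` through the `-l`/`-L` lines, including the two inside the `for` loops) assert nothing under `sh -e`, because `set -e` ignores the status of a pipeline that begins with `!`; only the final `! ../dnscap -u 5353 -u 65536` counts, as the script's exit status. A regression that lets dnscap accept an invalid option value would therefore still pass. Make an unexpected success abort the script, e.g. `../dnscap -j && exit 1`, and `if ../dnscap -o "$opt=0"; then exit 1; fi` inside the loops. test5.sh has the same problem in `test -f vlan11.out && ! test -s vlan11.out`, which can become `test -f vlan11.out && test ! -s vlan11.out`. The unquoted `-?` is also a glob pattern and is safer written as `'-?'`.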

6
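--- /dev/null
+++ b/src/test/test12.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -xe
+if ! ../dnscap -g -r dns.pcap-dist -w test12 -W .gz 2>test12.out; then
+grep -qF "gzip compression requested but not supported" test12.out && exit 0
+exit 1
+fi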
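Review bot: `exit 0` on the "gzip compression requested but not supported" path reports the test as passed although `-W .gz` was never exercised. If these scripts run under automake's test harness (the tree is automake-based), exit status 77 marks the run as skipped instead: `grep -qF "gzip compression requested but not supported" test12.out && exit 77`. test13.sh's `test -f /etc/resolv.conf || exit 0` has the same effect and could use `|| exit 77`. On the success path nothing checks that a compressed dump was actually written.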

28
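--- /dev/null
+++ b/src/test/test13.sh
@@ -0,0 +1,28 @@
+#!/bin/sh -xe
+test -f /etc/resolv.conf || exit 0
+! ../dnscap -a "fake_host-should+not/work" 2>test13.out
+cat test13.out
+grep -qF "invalid host address" test13.out
+if [ "`uname`" = "OpenBSD" ]; then
+# IPv6 addresses in BPF seems to segfault on OpenBSD and doing host and
+# not host throws generic pcap_compile error
+../dnscap -a 127.0.0.1 -r dns.pcap-dist -g -dddd
+../dnscap -z 127.0.0.1 -r dns.pcap-dist -g -dddd
+../dnscap -A 127.0.0.1 -r dns.pcap-dist -g -dddd
+../dnscap -Z 127.0.0.1 -r dns.pcap-dist -g -dddd
+../dnscap -Y 127.0.0.1 -r dns.pcap-dist -g -dddd
+else
+../dnscap -a 127.0.0.1 -a ::1 -r dns.pcap-dist -g -dddd
+../dnscap -z 127.0.0.1 -z ::1 -r dns.pcap-dist -g -dddd
+../dnscap -A 127.0.0.1 -A ::1 -r dns.pcap-dist -g -dddd
+../dnscap -Z 127.0.0.1 -Z ::1 -r dns.pcap-dist -g -dddd
+../dnscap -Y 127.0.0.1 -Y ::1 -r dns.pcap-dist -g -dddd
+fi
+if [ "$TEST_DNSCAP_WITH_NETWORK" = "1" ]; then
+../dnscap -a google.com -r dns.pcap-dist -g -dddd
+fi
+../dnscap -Y 127.0.0.1 -r dns.pcap-dist -g
+../dnscap -Y 8.8.8.8 -r dns.pcap-dist -g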
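Review bot: The OpenBSD branch works around a crash by dropping the `::1` cases, and its comment does not say whether the segfault is in dnscap or in libpcap's filter compiler, nor where it is tracked. A crash while turning a host address into a BPF filter deserves a tracked bug rather than a silent gap in coverage; extend the comment along the lines of `# TODO(<issue reference>): re-enable the ::1 cases on OpenBSD once the BPF segfault is fixed`. The backquoted `uname` can also be written `$(uname)`.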

2864
src/test/test14.gold Normal file

File diff suppressed because it is too large Load diff

25
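--- /dev/null
+++ b/src/test/test14.sh
@@ -0,0 +1,25 @@
+#!/bin/sh -xe
+echo "-- only 1" >test14.out
+../dnscap -g -q 1 -r dns.pcap-dist 2>>test14.out
+echo "-- not 1" >>test14.out
+../dnscap -g -Q 1 -r dns.pcap-dist 2>>test14.out
+echo "-- only PTR" >>test14.out
+../dnscap -g -q PTR -r dns.pcap-dist 2>>test14.out
+echo "-- not PTR" >>test14.out
+../dnscap -g -Q PTR -r dns.pcap-dist 2>>test14.out
+echo "-- only 1" >>test14.out
+../dnscap -g -o use_layers=yes -q 1 -r dns.pcap-dist 2>>test14.out
+echo "-- not 1" >>test14.out
+../dnscap -g -o use_layers=yes -Q 1 -r dns.pcap-dist 2>>test14.out
+echo "-- only PTR" >>test14.out
+../dnscap -g -o use_layers=yes -q PTR -r dns.pcap-dist 2>>test14.out
+echo "-- not PTR" >>test14.out
+../dnscap -g -o use_layers=yes -Q PTR -r dns.pcap-dist 2>>test14.out
+mv test14.out test14.out.old
+grep -v "^libgcov profiling error:" test14.out.old > test14.out
+rm test14.out.old
+diff test14.out "$srcdir/test14.gold"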

6
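--- /dev/null
+++ b/src/test/test2.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -xe
+../dnscap -g -r dns.pcap-dist 2>no-layers.out
+../dnscap -g -r dns.pcap-dist -o use_layers=yes 2>layers.out
+diff no-layers.out layers.out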

13
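--- /dev/null
+++ b/src/test/test3.sh
@@ -0,0 +1,13 @@
+#!/bin/sh -xe
+../dnscap -g -f -r frags.pcap-dist -o use_layers=yes -o defrag_ipv4=yes -o max_ipv4_fragments_per_packet=64 2>frags.out
+# remove timestamp
+sed -i -e 's%^\(\[[0-9]*\]\)[^\[]*\[%\1 [%g' frags.out
+# create gold file
+cp "$srcdir/dns.gold" frags.gold
+sed -i -e 's%^\(\[[0-9]*\]\)[^\[]*\[%\1 [%g' frags.gold
+sed -i -e 's%dns.pcap-dist%frags.pcap-dist%g' frags.gold
+diff frags.out frags.gold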
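Review bot: `sed -i -e …` is not portable: POSIX sed has no `-i`, and on BSD seds that take the backup suffix as a separate argument the `-e` is read as that suffix, which leaves `frags.out-e` and `frags.gold-e` behind. The gold file can be produced without in-place editing, `sed -e 's%^\(\[[0-9]*\]\)[^\[]*\[%\1 [%g' -e 's%dns.pcap-dist%frags.pcap-dist%g' "$srcdir/dns.gold" >frags.gold`, which also replaces the `cp`. frags.out can be filtered through a temporary file in the same way.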

6
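--- /dev/null
+++ b/src/test/test4.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -xe
+../dnscap -g -T -r 1qtcppadd.pcap-dist 2>padding-no-layers.out
+../dnscap -g -T -r 1qtcppadd.pcap-dist -o use_layers=yes 2>padding-layers.out
+diff padding-no-layers.out padding-layers.out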
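Review bot: Nothing here pins the expected output: the two runs are only compared with each other, so the test passes if both code paths print the same wrong result, or nothing at all, for 1qtcppadd.pcap-dist. Compare against a checked-in reference as the other tests do, `diff padding-no-layers.out "$srcdir/<gold file>"`, or at least add `test -s padding-no-layers.out` before the final `diff`.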

20
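--- /dev/null
+++ b/src/test/test5.sh
@@ -0,0 +1,20 @@
+#!/bin/sh -xe
+osrel=`uname -s`
+../dnscap -g -r vlan11.pcap-dist 2>vlan11.out
+test -f vlan11.out && ! test -s vlan11.out
+../dnscap -g -r vlan11.pcap-dist -L 10 2>vlan11.out
+test -f vlan11.out && ! test -s vlan11.out
+../dnscap -g -r vlan11.pcap-dist -L 4095 2>vlan11.out
+diff vlan11.out "$srcdir/vlan11.gold"
+../dnscap -g -r vlan11.pcap-dist -L 11 2>vlan11.out
+diff vlan11.out "$srcdir/vlan11.gold"
+../dnscap -g -r vlan11.pcap-dist -o use_layers=yes 2>vlan11.out
+test -f vlan11.out && ! test -s vlan11.out
+../dnscap -g -r vlan11.pcap-dist -o use_layers=yes -L 10 2>vlan11.out
+test -f vlan11.out && ! test -s vlan11.out
+../dnscap -g -r vlan11.pcap-dist -o use_layers=yes -L 4095 2>vlan11.out
+diff vlan11.out "$srcdir/vlan11.gold"
+../dnscap -g -r vlan11.pcap-dist -o use_layers=yes -L 11 2>vlan11.out
+diff vlan11.out "$srcdir/vlan11.gold"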

6
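--- /dev/null
+++ b/src/test/test6.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -xe
+../dnscap -g -r dnspad.pcap-dist 2>dnspad.out
+../dnscap -o use_layers=yes -g -r dnspad.pcap-dist 2>>dnspad.out
+diff dnspad.out "$srcdir/dnspad.gold"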

1417
src/test/test7.gold Normal file

File diff suppressed because it is too large Load diff

33
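--- /dev/null
+++ b/src/test/test7.sh
@@ -0,0 +1,33 @@
+#!/bin/sh -xe
+txtout="../../plugins/txtout/.libs/txtout.so"
+rm -f test7.out test7.layer.out
+for what in dnso1tcp.pcap-dist 1qtcpnosyn.pcap-dist do1t-nosyn-1nolen.pcap-dist dnso1tcp-midmiss.pcap-dist; do
+../dnscap -r "$what" -g -T 2>>test7.out
+../dnscap -r "$what" -g -T -o use_layers=yes 2>>test7.layer.out
+if [ -f "$txtout" ]; then
+../dnscap -r "$what" -T -P "$txtout" >>test7.out
+../dnscap -r "$what" -T -o use_layers=yes -P "$txtout" >>test7.layer.out
+fi
+done
+echo "" >>test7.out
+echo "Enabling parse_ongoing_tcp and allow_reset_tcpstate" >>test7.out
+echo "" >>test7.out
+echo "" >>test7.layer.out
+echo "Enabling parse_ongoing_tcp and allow_reset_tcpstate" >>test7.layer.out
+echo "" >>test7.layer.out
+for what in dnso1tcp.pcap-dist 1qtcpnosyn.pcap-dist do1t-nosyn-1nolen.pcap-dist dnso1tcp-midmiss.pcap-dist; do
+../dnscap -r "$what" -g -T -o parse_ongoing_tcp=yes -o allow_reset_tcpstate=yes 2>>test7.out
+../dnscap -r "$what" -g -T -o parse_ongoing_tcp=yes -o allow_reset_tcpstate=yes -o use_layers=yes 2>>test7.layer.out
+if [ -f "$txtout" ]; then
+../dnscap -r "$what" -T -o parse_ongoing_tcp=yes -o allow_reset_tcpstate=yes -P "$txtout" >>test7.out
+../dnscap -r "$what" -T -o parse_ongoing_tcp=yes -o allow_reset_tcpstate=yes -o use_layers=yes -P "$txtout" >>test7.layer.out
+fi
+done
+diff test7.out "$srcdir/test7.gold"
+diff test7.layer.out "$srcdir/test7.gold"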
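Review bot: The `if [ -f "$txtout" ]` guards make the contents of test7.out and test7.layer.out depend on whether the txtout plugin has been built, while both are compared with the one fixed test7.gold. If the gold file includes the plugin's lines (its diff is suppressed on this page, so that is not visible here), a build without the plugin fails this test for a reason unrelated to TCP state handling. Either require the plugin up front with `test -f "$txtout"`, or write the `-P "$txtout"` output to a separate file and compare it only when the plugin exists. The two `for` loops differ only in the extra `-o parse_ongoing_tcp=yes -o allow_reset_tcpstate=yes` options and could share one shell function.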

440
src/test/test8.gold Normal file

@ -0,0 +1,440 @@
[60] 2017-12-11 13:59:04.949707 [#0 dnsotcp-many1pkt.pcap-dist 4095] \
[172.17.0.9].48613 [8.8.8.8].53
[60] 2017-12-11 13:59:04.953026 [#1 dnsotcp-many1pkt.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.9].48613
[142] 2017-12-11 13:59:04.953122 [#2 dnsotcp-many1pkt.pcap-dist 4095] \
[172.17.0.9].48613 [8.8.8.8].53 \
dns QUERY,NOERROR,59311,rd \
1 google.com.,IN,A 0 0 0
[142] 2017-12-11 13:59:04.953122 [#2 dnsotcp-many1pkt.pcap-dist 4095] \
[172.17.0.9].48613 [8.8.8.8].53 \
dns QUERY,NOERROR,59311,rd \
1 google.com.,IN,A 0 0 0
[142] 2017-12-11 13:59:04.953122 [#2 dnsotcp-many1pkt.pcap-dist 4095] \
[172.17.0.9].48613 [8.8.8.8].53 \
dns QUERY,NOERROR,59311,rd \
1 google.com.,IN,A 0 0 0
[109] 2017-12-11 13:59:04.956698 [#5 dnsotcp-many1pkt.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.9].48613 \
dns QUERY,NOERROR,4815,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,47,172.217.22.174 0 \
1 .,512,512,0,edns0[len=0,UDP=512,ver=0,rcode=0,DO=0,z=0]
[52] 2017-12-11 13:59:04.957247 [#6 dnsotcp-many1pkt.pcap-dist 4095] \
[172.17.0.9].48613 [8.8.8.8].53
[52] 2017-12-11 13:59:04.960230 [#7 dnsotcp-many1pkt.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.9].48613
[60] 2018-01-10 11:22:41.543825 [#0 dnsotcp-manyopkts.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[60] 2018-01-10 11:22:41.548834 [#1 dnsotcp-manyopkts.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388
[97] 2018-01-10 11:22:41.548947 [#2 dnsotcp-manyopkts.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,59311,rd \
1 google.com.,IN,A 0 0 0
[97] 2018-01-10 11:22:41.552406 [#3 dnsotcp-manyopkts.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[97] 2018-01-10 11:22:41.552406 [#3 dnsotcp-manyopkts.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,59311,rd \
1 google.com.,IN,A 0 0 0
[97] 2018-01-10 11:22:41.552406 [#3 dnsotcp-manyopkts.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,59311,rd \
1 google.com.,IN,A 0 0 0
[60] 2018-01-10 11:22:41.543825 [#0 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[60] 2018-01-10 11:22:41.548834 [#1 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388
[80] 2018-01-10 11:22:41.552406 [#2 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:41.552406 [#2 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,59311,rd \
1 google.com.,IN,A 0 0 0
[98] 2018-01-10 11:22:41.555912 [#4 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,59311,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,58,216.58.211.142 0 0
[97] 2018-01-10 11:22:41.600183 [#5 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[97] 2018-01-10 11:22:41.600183 [#5 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,35665,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[197] 2018-01-10 11:22:41.616460 [#7 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,35665,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
4 206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21599,dfw06s47-in-f14.1e100.net. 0 0
[80] 2018-01-10 11:22:41.659921 [#8 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:41.659921 [#8 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,5337,rd \
1 google.com.,IN,A 0 0 0
[97] 2018-01-10 11:22:42.047148 [#10 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[97] 2018-01-10 11:22:42.047148 [#10 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,25433,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[80] 2018-01-10 11:22:42.097899 [#12 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:42.097899 [#12 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,63798,rd \
1 google.com.,IN,A 0 0 0
[97] 2018-01-10 11:22:42.145005 [#14 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[97] 2018-01-10 11:22:42.145005 [#14 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,8470,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[80] 2018-01-10 11:22:42.192777 [#16 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:42.192777 [#16 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,60258,rd \
1 google.com.,IN,A 0 0 0
[97] 2018-01-10 11:22:42.240395 [#18 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[97] 2018-01-10 11:22:42.240395 [#18 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,44985,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[197] 2018-01-10 11:22:42.245103 [#20 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,44985,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
[80] 2018-01-10 11:22:42.290257 [#21 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:42.290257 [#21 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,45512,rd \
1 google.com.,IN,A 0 0 0
[98] 2018-01-10 11:22:42.293978 [#23 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,45512,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,57,216.58.211.142 0 0
[97] 2018-01-10 11:22:42.337985 [#24 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[97] 2018-01-10 11:22:42.337985 [#24 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,22980,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[197] 2018-01-10 11:22:42.341559 [#26 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,22980,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
[80] 2018-01-10 11:22:42.385009 [#27 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:42.385009 [#27 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,1834,rd \
1 google.com.,IN,A 0 0 0
[98] 2018-01-10 11:22:42.389082 [#29 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,1834,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,57,216.58.211.142 0 0
[97] 2018-01-10 11:22:42.433458 [#30 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[97] 2018-01-10 11:22:42.433458 [#30 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,25431,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[197] 2018-01-10 11:22:42.438748 [#32 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,25431,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
[80] 2018-01-10 11:22:42.484005 [#33 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:42.484005 [#33 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,48432,rd \
1 google.com.,IN,A 0 0 0
[98] 2018-01-10 11:22:42.487697 [#35 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,48432,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,57,216.58.211.142 0 0
[97] 2018-01-10 11:22:42.532414 [#36 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[97] 2018-01-10 11:22:42.532414 [#36 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,47411,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[197] 2018-01-10 11:22:42.537574 [#38 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,47411,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
[80] 2018-01-10 11:22:42.583021 [#39 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:42.583021 [#39 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,12038,rd \
1 google.com.,IN,A 0 0 0
[98] 2018-01-10 11:22:42.586898 [#41 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,12038,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,57,216.58.211.142 0 0
[80] 2018-01-10 11:22:42.630221 [#42 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:42.630221 [#42 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,11614,rd \
1 google.com.,IN,A 0 0 0
[98] 2018-01-10 11:22:42.633808 [#44 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,11614,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,57,216.58.211.142 0 0
[80] 2018-01-10 11:22:42.679168 [#45 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:42.679168 [#45 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,59173,rd \
1 google.com.,IN,A 0 0 0
[98] 2018-01-10 11:22:42.682888 [#47 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,59173,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,57,216.58.211.142 0 0
[80] 2018-01-10 11:22:42.727254 [#48 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:42.727254 [#48 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,45535,rd \
1 google.com.,IN,A 0 0 0
[98] 2018-01-10 11:22:42.732703 [#50 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,45535,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,57,216.58.211.142 0 0
[97] 2018-01-10 11:22:42.777184 [#51 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[97] 2018-01-10 11:22:42.777184 [#51 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,60808,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[197] 2018-01-10 11:22:42.781053 [#53 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,60808,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
[80] 2018-01-10 11:22:42.824222 [#54 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:42.824222 [#54 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,64325,rd \
1 google.com.,IN,A 0 0 0
[98] 2018-01-10 11:22:42.828050 [#56 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,64325,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,57,216.58.211.142 0 0
[97] 2018-01-10 11:22:42.872186 [#57 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[97] 2018-01-10 11:22:42.872186 [#57 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,25543,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[197] 2018-01-10 11:22:42.875911 [#59 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,25543,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
4 206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21598,dfw06s47-in-f14.1e100.net. 0 0
[80] 2018-01-10 11:22:42.920231 [#60 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:42.920231 [#60 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,20736,rd \
1 google.com.,IN,A 0 0 0
[98] 2018-01-10 11:22:42.923917 [#62 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,20736,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,57,216.58.211.142 0 0
[97] 2018-01-10 11:22:42.968961 [#63 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[97] 2018-01-10 11:22:42.968961 [#63 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,25911,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[197] 2018-01-10 11:22:42.972662 [#65 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,25911,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
[80] 2018-01-10 11:22:43.017364 [#66 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:43.017364 [#66 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,64358,rd \
1 google.com.,IN,A 0 0 0
[98] 2018-01-10 11:22:43.022591 [#68 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,64358,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,56,216.58.211.142 0 0
[97] 2018-01-10 11:22:43.066765 [#69 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[97] 2018-01-10 11:22:43.066765 [#69 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,37698,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[197] 2018-01-10 11:22:43.070349 [#71 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,37698,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
[80] 2018-01-10 11:22:43.114332 [#72 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:43.114332 [#72 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,54706,rd \
1 google.com.,IN,A 0 0 0
[98] 2018-01-10 11:22:43.119538 [#74 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,54706,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,56,216.58.211.142 0 0
[97] 2018-01-10 11:22:43.163857 [#75 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[97] 2018-01-10 11:22:43.163857 [#75 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,32142,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[197] 2018-01-10 11:22:43.167576 [#77 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,32142,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
[80] 2018-01-10 11:22:43.211417 [#78 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:43.211417 [#78 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,41808,rd \
1 google.com.,IN,A 0 0 0
[98] 2018-01-10 11:22:43.216686 [#80 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,41808,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,56,216.58.211.142 0 0
[97] 2018-01-10 11:22:43.260995 [#81 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[97] 2018-01-10 11:22:43.260995 [#81 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,18886,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[197] 2018-01-10 11:22:43.265047 [#83 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,18886,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
[80] 2018-01-10 11:22:43.310017 [#84 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:43.310017 [#84 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,10624,rd \
1 google.com.,IN,A 0 0 0
[98] 2018-01-10 11:22:43.313596 [#86 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,10624,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,56,216.58.211.142 0 0
[97] 2018-01-10 11:22:43.356802 [#87 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[97] 2018-01-10 11:22:43.356802 [#87 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,33139,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[197] 2018-01-10 11:22:43.360685 [#89 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,33139,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
[80] 2018-01-10 11:22:43.406308 [#90 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:43.406308 [#90 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,61415,rd \
1 google.com.,IN,A 0 0 0
[98] 2018-01-10 11:22:43.410191 [#92 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,61415,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,56,216.58.211.142 0 0
[97] 2018-01-10 11:22:43.454193 [#93 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[97] 2018-01-10 11:22:43.454193 [#93 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,59258,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[197] 2018-01-10 11:22:43.458191 [#95 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,59258,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
4 206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,21597,dfw06s47-in-f14.1e100.net. 0 0
[80] 2018-01-10 11:22:43.503242 [#96 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[80] 2018-01-10 11:22:43.503242 [#96 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53 \
dns QUERY,NOERROR,17700,rd \
1 google.com.,IN,A 0 0 0
[98] 2018-01-10 11:22:43.506884 [#98 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388 \
dns QUERY,NOERROR,17700,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,56,216.58.211.142 0 0
[52] 2018-01-10 11:22:43.507821 [#99 dnso1tcp-bighole.pcap-dist 4095] \
[172.17.0.8].51388 [8.8.8.8].53
[52] 2018-01-10 11:22:43.511351 [#100 dnso1tcp-bighole.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.8].51388

16
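--- a/src/test/test8.sh
+++ b/src/test/test8.sh
@@ -0,0 +1,16 @@
+#!/bin/sh -xe
+rm -f test8.out test8.layer.out
+for what in dnsotcp-many1pkt.pcap-dist dnsotcp-manyopkts.pcap-dist; do
+../dnscap -r "$what" -g -T -o reassemble_tcp=yes 2>>test8.out
+../dnscap -r "$what" -g -T -o reassemble_tcp=yes -o use_layers=yes 2>>test8.layer.out
+done
+for what in dnso1tcp-bighole.pcap-dist; do
+../dnscap -r "$what" -g -T -o reassemble_tcp=yes -o allow_reset_tcpstate=yes 2>>test8.out
+../dnscap -r "$what" -g -T -o reassemble_tcp=yes -o allow_reset_tcpstate=yes -o use_layers=yes 2>>test8.layer.out
+done
+diff test8.out "$srcdir/test8.gold"
+diff test8.layer.out "$srcdir/test8.gold"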

104
src/test/test9.gold Normal file

@ -0,0 +1,104 @@
[56] 2016-10-20 15:23:52.860937 [#0 dns.pcap-dist 4095] \
[172.17.0.10].40953 [8.8.8.8].53 \
dns QUERY,NOERROR,22531,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:23:52.863771 [#1 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].40953 \
dns QUERY,NOERROR,22531,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,297,216.58.218.206 \
4 google.com.,IN,NS,157828,ns2.google.com. \
google.com.,IN,NS,157828,ns4.google.com. \
google.com.,IN,NS,157828,ns1.google.com. \
google.com.,IN,NS,157828,ns3.google.com. \
4 ns2.google.com.,IN,A,157828,216.239.34.10 \
ns1.google.com.,IN,A,331830,216.239.32.10 \
ns3.google.com.,IN,A,157828,216.239.36.10 \
ns4.google.com.,IN,A,157828,216.239.38.10
[56] 2016-10-20 15:23:59.083869 [#2 dns.pcap-dist 4095] \
[172.17.0.10].45174 [8.8.8.8].53 \
dns QUERY,NOERROR,58510,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:23:59.086104 [#3 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].45174 \
dns QUERY,NOERROR,58510,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,291,216.58.218.206 \
4 google.com.,IN,NS,157822,ns2.google.com. \
google.com.,IN,NS,157822,ns3.google.com. \
google.com.,IN,NS,157822,ns1.google.com. \
google.com.,IN,NS,157822,ns4.google.com. \
4 ns2.google.com.,IN,A,157822,216.239.34.10 \
ns1.google.com.,IN,A,331824,216.239.32.10 \
ns3.google.com.,IN,A,157822,216.239.36.10 \
ns4.google.com.,IN,A,157822,216.239.38.10
[73] 2016-10-20 15:23:59.090911 [#4 dns.pcap-dist 4095] \
[172.17.0.10].33916 [8.8.8.8].53 \
dns QUERY,NOERROR,45248,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:23:59.092204 [#5 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].33916 \
dns QUERY,NOERROR,45248,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
4 ns1.google.com.,IN,A,331824,216.239.32.10 \
ns3.google.com.,IN,A,157822,216.239.36.10 \
ns4.google.com.,IN,A,157822,216.239.38.10 \
ns2.google.com.,IN,A,157822,216.239.34.10
[56] 2016-10-20 15:23:52.860937 [#0 dns.pcap-dist 4095] \
[172.17.0.10].40953 [8.8.8.8].53 \
dns QUERY,NOERROR,22531,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:23:52.863771 [#1 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].40953 \
dns QUERY,NOERROR,22531,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,297,216.58.218.206 \
4 google.com.,IN,NS,157828,ns2.google.com. \
google.com.,IN,NS,157828,ns4.google.com. \
google.com.,IN,NS,157828,ns1.google.com. \
google.com.,IN,NS,157828,ns3.google.com. \
4 ns2.google.com.,IN,A,157828,216.239.34.10 \
ns1.google.com.,IN,A,331830,216.239.32.10 \
ns3.google.com.,IN,A,157828,216.239.36.10 \
ns4.google.com.,IN,A,157828,216.239.38.10
[56] 2016-10-20 15:23:59.083869 [#2 dns.pcap-dist 4095] \
[172.17.0.10].45174 [8.8.8.8].53 \
dns QUERY,NOERROR,58510,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:23:59.086104 [#3 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].45174 \
dns QUERY,NOERROR,58510,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,291,216.58.218.206 \
4 google.com.,IN,NS,157822,ns2.google.com. \
google.com.,IN,NS,157822,ns3.google.com. \
google.com.,IN,NS,157822,ns1.google.com. \
google.com.,IN,NS,157822,ns4.google.com. \
4 ns2.google.com.,IN,A,157822,216.239.34.10 \
ns1.google.com.,IN,A,331824,216.239.32.10 \
ns3.google.com.,IN,A,157822,216.239.36.10 \
ns4.google.com.,IN,A,157822,216.239.38.10
[73] 2016-10-20 15:23:59.090911 [#4 dns.pcap-dist 4095] \
[172.17.0.10].33916 [8.8.8.8].53 \
dns QUERY,NOERROR,45248,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:23:59.092204 [#5 dns.pcap-dist 4095] \
[8.8.8.8].53 [172.17.0.10].33916 \
dns QUERY,NOERROR,45248,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
4 ns1.google.com.,IN,A,331824,216.239.32.10 \
ns3.google.com.,IN,A,157822,216.239.36.10 \
ns4.google.com.,IN,A,157822,216.239.38.10 \
ns2.google.com.,IN,A,157822,216.239.34.10

6
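--- a/src/test/test9.sh
+++ b/src/test/test9.sh
@@ -0,0 +1,6 @@
+#!/bin/sh -xe
+../dnscap -r dns.pcap-dist -g -B '2016-10-20 15:23:30' -E '2016-10-20 15:24:00' 2>test9.out
+../dnscap -r dns.pcap-dist -o use_layers=yes -g -B '2016-10-20 15:23:30' -E '2016-10-20 15:24:00' 2>>test9.out
+diff test9.out "$srcdir/test9.gold"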

714
src/test/vlan11.gold Normal file

@ -0,0 +1,714 @@
[56] 2016-10-20 15:23:01.075993 [#0 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].53199 [8.8.8.8].53 \
dns QUERY,NOERROR,59311,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:23:01.077982 [#1 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].53199 \
dns QUERY,NOERROR,59311,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,44,216.58.218.206 \
4 google.com.,IN,NS,157880,ns4.google.com. \
google.com.,IN,NS,157880,ns3.google.com. \
google.com.,IN,NS,157880,ns1.google.com. \
google.com.,IN,NS,157880,ns2.google.com. \
4 ns2.google.com.,IN,A,157880,216.239.34.10 \
ns1.google.com.,IN,A,331882,216.239.32.10 \
ns3.google.com.,IN,A,157880,216.239.36.10 \
ns4.google.com.,IN,A,157880,216.239.38.10
[73] 2016-10-20 15:23:01.082865 [#2 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].57822 [8.8.8.8].53 \
dns QUERY,NOERROR,35665,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:23:01.084107 [#3 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].57822 \
dns QUERY,NOERROR,35665,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72125,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71608,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71608,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71608,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71608,ns4.google.com. \
4 ns1.google.com.,IN,A,331882,216.239.32.10 \
ns3.google.com.,IN,A,157880,216.239.36.10 \
ns4.google.com.,IN,A,157880,216.239.38.10 \
ns2.google.com.,IN,A,157880,216.239.34.10
[56] 2016-10-20 15:23:01.087291 [#4 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].40043 [8.8.8.8].53 \
dns QUERY,NOERROR,5337,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:23:01.088733 [#5 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].40043 \
dns QUERY,NOERROR,5337,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,44,216.58.218.206 \
4 google.com.,IN,NS,157880,ns1.google.com. \
google.com.,IN,NS,157880,ns2.google.com. \
google.com.,IN,NS,157880,ns3.google.com. \
google.com.,IN,NS,157880,ns4.google.com. \
4 ns2.google.com.,IN,A,157880,216.239.34.10 \
ns1.google.com.,IN,A,331882,216.239.32.10 \
ns3.google.com.,IN,A,157880,216.239.36.10 \
ns4.google.com.,IN,A,157880,216.239.38.10
[56] 2016-10-20 15:23:10.322117 [#6 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].37953 [8.8.8.8].53 \
dns QUERY,NOERROR,22982,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:23:10.323399 [#7 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].37953 \
dns QUERY,NOERROR,22982,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,34,216.58.218.206 \
4 google.com.,IN,NS,157870,ns4.google.com. \
google.com.,IN,NS,157870,ns1.google.com. \
google.com.,IN,NS,157870,ns2.google.com. \
google.com.,IN,NS,157870,ns3.google.com. \
4 ns2.google.com.,IN,A,157870,216.239.34.10 \
ns1.google.com.,IN,A,331872,216.239.32.10 \
ns3.google.com.,IN,A,157870,216.239.36.10 \
ns4.google.com.,IN,A,157870,216.239.38.10
[73] 2016-10-20 15:23:10.328324 [#8 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].48658 [8.8.8.8].53 \
dns QUERY,NOERROR,18718,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:23:10.329572 [#9 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].48658 \
dns QUERY,NOERROR,18718,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72115,dfw06s47-in-f14.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71598,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71598,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71598,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71598,ns1.google.com. \
4 ns1.google.com.,IN,A,331872,216.239.32.10 \
ns3.google.com.,IN,A,157870,216.239.36.10 \
ns4.google.com.,IN,A,157870,216.239.38.10 \
ns2.google.com.,IN,A,157870,216.239.34.10
[56] 2016-10-20 15:23:52.860937 [#10 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].40953 [8.8.8.8].53 \
dns QUERY,NOERROR,22531,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:23:52.863771 [#11 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].40953 \
dns QUERY,NOERROR,22531,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,297,216.58.218.206 \
4 google.com.,IN,NS,157828,ns2.google.com. \
google.com.,IN,NS,157828,ns4.google.com. \
google.com.,IN,NS,157828,ns1.google.com. \
google.com.,IN,NS,157828,ns3.google.com. \
4 ns2.google.com.,IN,A,157828,216.239.34.10 \
ns1.google.com.,IN,A,331830,216.239.32.10 \
ns3.google.com.,IN,A,157828,216.239.36.10 \
ns4.google.com.,IN,A,157828,216.239.38.10
[56] 2016-10-20 15:23:59.083869 [#12 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].45174 [8.8.8.8].53 \
dns QUERY,NOERROR,58510,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:23:59.086104 [#13 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].45174 \
dns QUERY,NOERROR,58510,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,291,216.58.218.206 \
4 google.com.,IN,NS,157822,ns2.google.com. \
google.com.,IN,NS,157822,ns3.google.com. \
google.com.,IN,NS,157822,ns1.google.com. \
google.com.,IN,NS,157822,ns4.google.com. \
4 ns2.google.com.,IN,A,157822,216.239.34.10 \
ns1.google.com.,IN,A,331824,216.239.32.10 \
ns3.google.com.,IN,A,157822,216.239.36.10 \
ns4.google.com.,IN,A,157822,216.239.38.10
[73] 2016-10-20 15:23:59.090911 [#14 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].33916 [8.8.8.8].53 \
dns QUERY,NOERROR,45248,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:23:59.092204 [#15 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].33916 \
dns QUERY,NOERROR,45248,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72067,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71550,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71550,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71550,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71550,ns1.google.com. \
4 ns1.google.com.,IN,A,331824,216.239.32.10 \
ns3.google.com.,IN,A,157822,216.239.36.10 \
ns4.google.com.,IN,A,157822,216.239.38.10 \
ns2.google.com.,IN,A,157822,216.239.34.10
[56] 2016-10-20 15:24:04.323868 [#16 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].43559 [8.8.8.8].53 \
dns QUERY,NOERROR,49483,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:04.325597 [#17 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].43559 \
dns QUERY,NOERROR,49483,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,285,216.58.218.206 \
4 google.com.,IN,NS,157816,ns4.google.com. \
google.com.,IN,NS,157816,ns3.google.com. \
google.com.,IN,NS,157816,ns1.google.com. \
google.com.,IN,NS,157816,ns2.google.com. \
4 ns2.google.com.,IN,A,157816,216.239.34.10 \
ns1.google.com.,IN,A,331818,216.239.32.10 \
ns3.google.com.,IN,A,157816,216.239.36.10 \
ns4.google.com.,IN,A,157816,216.239.38.10
[56] 2016-10-20 15:24:06.332239 [#18 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].54859 [8.8.8.8].53 \
dns QUERY,NOERROR,31669,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:06.333743 [#19 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].54859 \
dns QUERY,NOERROR,31669,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,283,216.58.218.206 \
4 google.com.,IN,NS,157814,ns2.google.com. \
google.com.,IN,NS,157814,ns1.google.com. \
google.com.,IN,NS,157814,ns4.google.com. \
google.com.,IN,NS,157814,ns3.google.com. \
4 ns2.google.com.,IN,A,157814,216.239.34.10 \
ns1.google.com.,IN,A,331816,216.239.32.10 \
ns3.google.com.,IN,A,157814,216.239.36.10 \
ns4.google.com.,IN,A,157814,216.239.38.10
[73] 2016-10-20 15:24:06.339145 [#20 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].58176 [8.8.8.8].53 \
dns QUERY,NOERROR,25433,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:06.340820 [#21 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].58176 \
dns QUERY,NOERROR,25433,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72059,dfw06s47-in-f14.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71542,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71542,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71542,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71542,ns2.google.com. \
4 ns1.google.com.,IN,A,331816,216.239.32.10 \
ns3.google.com.,IN,A,157814,216.239.36.10 \
ns4.google.com.,IN,A,157814,216.239.38.10 \
ns2.google.com.,IN,A,157814,216.239.34.10
[56] 2016-10-20 15:24:07.346429 [#22 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].41266 [8.8.8.8].53 \
dns QUERY,NOERROR,63798,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:07.348160 [#23 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].41266 \
dns QUERY,NOERROR,63798,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,282,216.58.218.206 \
4 google.com.,IN,NS,157813,ns4.google.com. \
google.com.,IN,NS,157813,ns1.google.com. \
google.com.,IN,NS,157813,ns3.google.com. \
google.com.,IN,NS,157813,ns2.google.com. \
4 ns2.google.com.,IN,A,157813,216.239.34.10 \
ns1.google.com.,IN,A,331815,216.239.32.10 \
ns3.google.com.,IN,A,157813,216.239.36.10 \
ns4.google.com.,IN,A,157813,216.239.38.10
[73] 2016-10-20 15:24:07.353123 [#24 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].34607 [8.8.8.8].53 \
dns QUERY,NOERROR,8470,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:07.354682 [#25 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].34607 \
dns QUERY,NOERROR,8470,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72058,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71541,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71541,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71541,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71541,ns3.google.com. \
4 ns1.google.com.,IN,A,331815,216.239.32.10 \
ns3.google.com.,IN,A,157813,216.239.36.10 \
ns4.google.com.,IN,A,157813,216.239.38.10 \
ns2.google.com.,IN,A,157813,216.239.34.10
[56] 2016-10-20 15:24:08.360528 [#26 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].60437 [8.8.8.8].53 \
dns QUERY,NOERROR,60258,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:08.362206 [#27 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].60437 \
dns QUERY,NOERROR,60258,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,281,216.58.218.206 \
4 google.com.,IN,NS,157812,ns3.google.com. \
google.com.,IN,NS,157812,ns2.google.com. \
google.com.,IN,NS,157812,ns4.google.com. \
google.com.,IN,NS,157812,ns1.google.com. \
4 ns2.google.com.,IN,A,157812,216.239.34.10 \
ns1.google.com.,IN,A,331814,216.239.32.10 \
ns3.google.com.,IN,A,157812,216.239.36.10 \
ns4.google.com.,IN,A,157812,216.239.38.10
[73] 2016-10-20 15:24:08.368516 [#28 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].37149 [8.8.8.8].53 \
dns QUERY,NOERROR,44985,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:08.370119 [#29 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].37149 \
dns QUERY,NOERROR,44985,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72057,dfw06s47-in-f14.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71540,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71540,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71540,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71540,ns2.google.com. \
4 ns1.google.com.,IN,A,331814,216.239.32.10 \
ns3.google.com.,IN,A,157812,216.239.36.10 \
ns4.google.com.,IN,A,157812,216.239.38.10 \
ns2.google.com.,IN,A,157812,216.239.34.10
[56] 2016-10-20 15:24:09.375942 [#30 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].53820 [8.8.8.8].53 \
dns QUERY,NOERROR,45512,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:09.378425 [#31 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].53820 \
dns QUERY,NOERROR,45512,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,280,216.58.218.206 \
4 google.com.,IN,NS,157811,ns3.google.com. \
google.com.,IN,NS,157811,ns4.google.com. \
google.com.,IN,NS,157811,ns1.google.com. \
google.com.,IN,NS,157811,ns2.google.com. \
4 ns2.google.com.,IN,A,157811,216.239.34.10 \
ns1.google.com.,IN,A,331813,216.239.32.10 \
ns3.google.com.,IN,A,157811,216.239.36.10 \
ns4.google.com.,IN,A,157811,216.239.38.10
[73] 2016-10-20 15:24:09.384057 [#32 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].52368 [8.8.8.8].53 \
dns QUERY,NOERROR,22980,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:09.385463 [#33 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].52368 \
dns QUERY,NOERROR,22980,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72056,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71539,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71539,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71539,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71539,ns1.google.com. \
4 ns1.google.com.,IN,A,331813,216.239.32.10 \
ns3.google.com.,IN,A,157811,216.239.36.10 \
ns4.google.com.,IN,A,157811,216.239.38.10 \
ns2.google.com.,IN,A,157811,216.239.34.10
[56] 2016-10-20 15:24:10.391358 [#34 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].47637 [8.8.8.8].53 \
dns QUERY,NOERROR,1834,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:10.392886 [#35 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].47637 \
dns QUERY,NOERROR,1834,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,279,216.58.218.206 \
4 google.com.,IN,NS,157810,ns1.google.com. \
google.com.,IN,NS,157810,ns2.google.com. \
google.com.,IN,NS,157810,ns4.google.com. \
google.com.,IN,NS,157810,ns3.google.com. \
4 ns2.google.com.,IN,A,157810,216.239.34.10 \
ns1.google.com.,IN,A,331812,216.239.32.10 \
ns3.google.com.,IN,A,157810,216.239.36.10 \
ns4.google.com.,IN,A,157810,216.239.38.10
[73] 2016-10-20 15:24:10.398099 [#36 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].34426 [8.8.8.8].53 \
dns QUERY,NOERROR,25431,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:10.400317 [#37 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].34426 \
dns QUERY,NOERROR,25431,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72055,dfw06s47-in-f14.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71538,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71538,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71538,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71538,ns2.google.com. \
4 ns1.google.com.,IN,A,331812,216.239.32.10 \
ns3.google.com.,IN,A,157810,216.239.36.10 \
ns4.google.com.,IN,A,157810,216.239.38.10 \
ns2.google.com.,IN,A,157810,216.239.34.10
[56] 2016-10-20 15:24:11.406297 [#38 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].41059 [8.8.8.8].53 \
dns QUERY,NOERROR,48432,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:11.407460 [#39 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].41059 \
dns QUERY,NOERROR,48432,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,278,216.58.218.206 \
4 google.com.,IN,NS,157809,ns3.google.com. \
google.com.,IN,NS,157809,ns4.google.com. \
google.com.,IN,NS,157809,ns2.google.com. \
google.com.,IN,NS,157809,ns1.google.com. \
4 ns2.google.com.,IN,A,157809,216.239.34.10 \
ns1.google.com.,IN,A,331811,216.239.32.10 \
ns3.google.com.,IN,A,157809,216.239.36.10 \
ns4.google.com.,IN,A,157809,216.239.38.10
[73] 2016-10-20 15:24:11.412133 [#40 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].51181 [8.8.8.8].53 \
dns QUERY,NOERROR,47411,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:11.413370 [#41 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].51181 \
dns QUERY,NOERROR,47411,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72054,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71537,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71537,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71537,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71537,ns4.google.com. \
4 ns1.google.com.,IN,A,331811,216.239.32.10 \
ns3.google.com.,IN,A,157809,216.239.36.10 \
ns4.google.com.,IN,A,157809,216.239.38.10 \
ns2.google.com.,IN,A,157809,216.239.34.10
[56] 2016-10-20 15:24:12.419936 [#42 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].32976 [8.8.8.8].53 \
dns QUERY,NOERROR,12038,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:12.421228 [#43 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].32976 \
dns QUERY,NOERROR,12038,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,277,216.58.218.206 \
4 google.com.,IN,NS,157808,ns2.google.com. \
google.com.,IN,NS,157808,ns3.google.com. \
google.com.,IN,NS,157808,ns1.google.com. \
google.com.,IN,NS,157808,ns4.google.com. \
4 ns2.google.com.,IN,A,157808,216.239.34.10 \
ns1.google.com.,IN,A,331810,216.239.32.10 \
ns3.google.com.,IN,A,157808,216.239.36.10 \
ns4.google.com.,IN,A,157808,216.239.38.10
[56] 2016-10-20 15:24:14.428524 [#44 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].53467 [8.8.8.8].53 \
dns QUERY,NOERROR,11614,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:14.429863 [#45 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].53467 \
dns QUERY,NOERROR,11614,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,275,216.58.218.206 \
4 google.com.,IN,NS,157806,ns3.google.com. \
google.com.,IN,NS,157806,ns1.google.com. \
google.com.,IN,NS,157806,ns4.google.com. \
google.com.,IN,NS,157806,ns2.google.com. \
4 ns2.google.com.,IN,A,157806,216.239.34.10 \
ns1.google.com.,IN,A,331808,216.239.32.10 \
ns3.google.com.,IN,A,157806,216.239.36.10 \
ns4.google.com.,IN,A,157806,216.239.38.10
[56] 2016-10-20 15:24:16.435733 [#46 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].41532 [8.8.8.8].53 \
dns QUERY,NOERROR,59173,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:16.437471 [#47 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].41532 \
dns QUERY,NOERROR,59173,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,273,216.58.218.206 \
4 google.com.,IN,NS,157804,ns1.google.com. \
google.com.,IN,NS,157804,ns3.google.com. \
google.com.,IN,NS,157804,ns2.google.com. \
google.com.,IN,NS,157804,ns4.google.com. \
4 ns2.google.com.,IN,A,157804,216.239.34.10 \
ns1.google.com.,IN,A,331806,216.239.32.10 \
ns3.google.com.,IN,A,157804,216.239.36.10 \
ns4.google.com.,IN,A,157804,216.239.38.10
[56] 2016-10-20 15:24:18.445519 [#48 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].44982 [8.8.8.8].53 \
dns QUERY,NOERROR,45535,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:18.446775 [#49 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].44982 \
dns QUERY,NOERROR,45535,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,271,216.58.218.206 \
4 google.com.,IN,NS,157802,ns4.google.com. \
google.com.,IN,NS,157802,ns2.google.com. \
google.com.,IN,NS,157802,ns1.google.com. \
google.com.,IN,NS,157802,ns3.google.com. \
4 ns2.google.com.,IN,A,157802,216.239.34.10 \
ns1.google.com.,IN,A,331804,216.239.32.10 \
ns3.google.com.,IN,A,157802,216.239.36.10 \
ns4.google.com.,IN,A,157802,216.239.38.10
[73] 2016-10-20 15:24:18.452451 [#50 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].40224 [8.8.8.8].53 \
dns QUERY,NOERROR,60808,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:18.454030 [#51 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].40224 \
dns QUERY,NOERROR,60808,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72047,dfw06s47-in-f14.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71530,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71530,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71530,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71530,ns1.google.com. \
4 ns1.google.com.,IN,A,331804,216.239.32.10 \
ns3.google.com.,IN,A,157802,216.239.36.10 \
ns4.google.com.,IN,A,157802,216.239.38.10 \
ns2.google.com.,IN,A,157802,216.239.34.10
[56] 2016-10-20 15:24:19.460087 [#52 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].45658 [8.8.8.8].53 \
dns QUERY,NOERROR,64325,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:19.462224 [#53 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].45658 \
dns QUERY,NOERROR,64325,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,270,216.58.218.206 \
4 google.com.,IN,NS,157801,ns1.google.com. \
google.com.,IN,NS,157801,ns3.google.com. \
google.com.,IN,NS,157801,ns4.google.com. \
google.com.,IN,NS,157801,ns2.google.com. \
4 ns2.google.com.,IN,A,157801,216.239.34.10 \
ns1.google.com.,IN,A,331803,216.239.32.10 \
ns3.google.com.,IN,A,157801,216.239.36.10 \
ns4.google.com.,IN,A,157801,216.239.38.10
[73] 2016-10-20 15:24:19.467324 [#54 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].60457 [8.8.8.8].53 \
dns QUERY,NOERROR,25543,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:19.468895 [#55 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].60457 \
dns QUERY,NOERROR,25543,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72046,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71529,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71529,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71529,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71529,ns1.google.com. \
4 ns1.google.com.,IN,A,331803,216.239.32.10 \
ns3.google.com.,IN,A,157801,216.239.36.10 \
ns4.google.com.,IN,A,157801,216.239.38.10 \
ns2.google.com.,IN,A,157801,216.239.34.10
[56] 2016-10-20 15:24:20.475086 [#56 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].59762 [8.8.8.8].53 \
dns QUERY,NOERROR,20736,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:20.476841 [#57 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].59762 \
dns QUERY,NOERROR,20736,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,269,216.58.218.206 \
4 google.com.,IN,NS,157800,ns3.google.com. \
google.com.,IN,NS,157800,ns1.google.com. \
google.com.,IN,NS,157800,ns4.google.com. \
google.com.,IN,NS,157800,ns2.google.com. \
4 ns2.google.com.,IN,A,157800,216.239.34.10 \
ns1.google.com.,IN,A,331802,216.239.32.10 \
ns3.google.com.,IN,A,157800,216.239.36.10 \
ns4.google.com.,IN,A,157800,216.239.38.10
[73] 2016-10-20 15:24:20.482188 [#58 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].56022 [8.8.8.8].53 \
dns QUERY,NOERROR,25911,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:20.483927 [#59 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].56022 \
dns QUERY,NOERROR,25911,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72045,dfw06s47-in-f14.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71528,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71528,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71528,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71528,ns3.google.com. \
4 ns1.google.com.,IN,A,331802,216.239.32.10 \
ns3.google.com.,IN,A,157800,216.239.36.10 \
ns4.google.com.,IN,A,157800,216.239.38.10 \
ns2.google.com.,IN,A,157800,216.239.34.10
[56] 2016-10-20 15:24:21.489468 [#60 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].37669 [8.8.8.8].53 \
dns QUERY,NOERROR,64358,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:21.490573 [#61 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].37669 \
dns QUERY,NOERROR,64358,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,268,216.58.218.206 \
4 google.com.,IN,NS,157799,ns2.google.com. \
google.com.,IN,NS,157799,ns1.google.com. \
google.com.,IN,NS,157799,ns4.google.com. \
google.com.,IN,NS,157799,ns3.google.com. \
4 ns2.google.com.,IN,A,157799,216.239.34.10 \
ns1.google.com.,IN,A,331801,216.239.32.10 \
ns3.google.com.,IN,A,157799,216.239.36.10 \
ns4.google.com.,IN,A,157799,216.239.38.10
[73] 2016-10-20 15:24:21.495324 [#62 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].42978 [8.8.8.8].53 \
dns QUERY,NOERROR,37698,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:21.496815 [#63 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].42978 \
dns QUERY,NOERROR,37698,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72044,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71527,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71527,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71527,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71527,ns2.google.com. \
4 ns1.google.com.,IN,A,331801,216.239.32.10 \
ns3.google.com.,IN,A,157799,216.239.36.10 \
ns4.google.com.,IN,A,157799,216.239.38.10 \
ns2.google.com.,IN,A,157799,216.239.34.10
[56] 2016-10-20 15:24:22.502667 [#64 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].49829 [8.8.8.8].53 \
dns QUERY,NOERROR,54706,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:22.504738 [#65 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].49829 \
dns QUERY,NOERROR,54706,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,267,216.58.218.206 \
4 google.com.,IN,NS,157798,ns2.google.com. \
google.com.,IN,NS,157798,ns4.google.com. \
google.com.,IN,NS,157798,ns3.google.com. \
google.com.,IN,NS,157798,ns1.google.com. \
4 ns2.google.com.,IN,A,157798,216.239.34.10 \
ns1.google.com.,IN,A,331800,216.239.32.10 \
ns3.google.com.,IN,A,157798,216.239.36.10 \
ns4.google.com.,IN,A,157798,216.239.38.10
[73] 2016-10-20 15:24:22.510176 [#66 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].50599 [8.8.8.8].53 \
dns QUERY,NOERROR,32142,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:22.511746 [#67 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].50599 \
dns QUERY,NOERROR,32142,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72043,dfw06s47-in-f14.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71526,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71526,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71526,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71526,ns4.google.com. \
4 ns1.google.com.,IN,A,331800,216.239.32.10 \
ns3.google.com.,IN,A,157798,216.239.36.10 \
ns4.google.com.,IN,A,157798,216.239.38.10 \
ns2.google.com.,IN,A,157798,216.239.34.10
[56] 2016-10-20 15:24:23.520203 [#68 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].44980 [8.8.8.8].53 \
dns QUERY,NOERROR,41808,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:23.521976 [#69 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].44980 \
dns QUERY,NOERROR,41808,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,266,216.58.218.206 \
4 google.com.,IN,NS,157797,ns2.google.com. \
google.com.,IN,NS,157797,ns4.google.com. \
google.com.,IN,NS,157797,ns1.google.com. \
google.com.,IN,NS,157797,ns3.google.com. \
4 ns2.google.com.,IN,A,157797,216.239.34.10 \
ns1.google.com.,IN,A,331799,216.239.32.10 \
ns3.google.com.,IN,A,157797,216.239.36.10 \
ns4.google.com.,IN,A,157797,216.239.38.10
[73] 2016-10-20 15:24:23.527449 [#70 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].60063 [8.8.8.8].53 \
dns QUERY,NOERROR,18886,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:23.529385 [#71 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].60063 \
dns QUERY,NOERROR,18886,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72042,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71525,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71525,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71525,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71525,ns2.google.com. \
4 ns1.google.com.,IN,A,331799,216.239.32.10 \
ns3.google.com.,IN,A,157797,216.239.36.10 \
ns4.google.com.,IN,A,157797,216.239.38.10 \
ns2.google.com.,IN,A,157797,216.239.34.10
[56] 2016-10-20 15:24:24.537264 [#72 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].42042 [8.8.8.8].53 \
dns QUERY,NOERROR,10624,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:24.539398 [#73 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].42042 \
dns QUERY,NOERROR,10624,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,265,216.58.218.206 \
4 google.com.,IN,NS,157796,ns3.google.com. \
google.com.,IN,NS,157796,ns4.google.com. \
google.com.,IN,NS,157796,ns1.google.com. \
google.com.,IN,NS,157796,ns2.google.com. \
4 ns2.google.com.,IN,A,157796,216.239.34.10 \
ns1.google.com.,IN,A,331798,216.239.32.10 \
ns3.google.com.,IN,A,157796,216.239.36.10 \
ns4.google.com.,IN,A,157796,216.239.38.10
[73] 2016-10-20 15:24:24.544538 [#74 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].60469 [8.8.8.8].53 \
dns QUERY,NOERROR,33139,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:24.546172 [#75 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].60469 \
dns QUERY,NOERROR,33139,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f206.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72041,dfw06s47-in-f14.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71524,ns2.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71524,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71524,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71524,ns1.google.com. \
4 ns1.google.com.,IN,A,331798,216.239.32.10 \
ns3.google.com.,IN,A,157796,216.239.36.10 \
ns4.google.com.,IN,A,157796,216.239.38.10 \
ns2.google.com.,IN,A,157796,216.239.34.10
[56] 2016-10-20 15:24:25.554744 [#76 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].45703 [8.8.8.8].53 \
dns QUERY,NOERROR,61415,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:25.556513 [#77 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].45703 \
dns QUERY,NOERROR,61415,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,264,216.58.218.206 \
4 google.com.,IN,NS,157795,ns3.google.com. \
google.com.,IN,NS,157795,ns4.google.com. \
google.com.,IN,NS,157795,ns2.google.com. \
google.com.,IN,NS,157795,ns1.google.com. \
4 ns2.google.com.,IN,A,157795,216.239.34.10 \
ns1.google.com.,IN,A,331797,216.239.32.10 \
ns3.google.com.,IN,A,157795,216.239.36.10 \
ns4.google.com.,IN,A,157795,216.239.38.10
[73] 2016-10-20 15:24:25.562608 [#78 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].33507 [8.8.8.8].53 \
dns QUERY,NOERROR,59258,rd \
1 206.218.58.216.in-addr.arpa.,IN,PTR 0 0 0
[289] 2016-10-20 15:24:25.564509 [#79 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].33507 \
dns QUERY,NOERROR,59258,qr|rd|ra \
1 206.218.58.216.in-addr.arpa.,IN,PTR \
2 206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f14.1e100.net. \
206.218.58.216.in-addr.arpa.,IN,PTR,72040,dfw06s47-in-f206.1e100.net. \
4 218.58.216.in-addr.arpa.,IN,NS,71523,ns1.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71523,ns4.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71523,ns3.google.com. \
218.58.216.in-addr.arpa.,IN,NS,71523,ns2.google.com. \
4 ns1.google.com.,IN,A,331797,216.239.32.10 \
ns3.google.com.,IN,A,157795,216.239.36.10 \
ns4.google.com.,IN,A,157795,216.239.38.10 \
ns2.google.com.,IN,A,157795,216.239.34.10
[56] 2016-10-20 15:24:26.572784 [#80 vlan11.pcap-dist (vlan 11) 11] \
[172.17.0.10].46798 [8.8.8.8].53 \
dns QUERY,NOERROR,17700,rd \
1 google.com.,IN,A 0 0 0
[208] 2016-10-20 15:24:26.574350 [#81 vlan11.pcap-dist (vlan 11) 11] \
[8.8.8.8].53 [172.17.0.10].46798 \
dns QUERY,NOERROR,17700,qr|rd|ra \
1 google.com.,IN,A \
1 google.com.,IN,A,263,216.58.218.206 \
4 google.com.,IN,NS,157794,ns1.google.com. \
google.com.,IN,NS,157794,ns4.google.com. \
google.com.,IN,NS,157794,ns3.google.com. \
google.com.,IN,NS,157794,ns2.google.com. \
4 ns2.google.com.,IN,A,157794,216.239.34.10 \
ns1.google.com.,IN,A,331796,216.239.32.10 \
ns3.google.com.,IN,A,157794,216.239.36.10 \
ns4.google.com.,IN,A,157794,216.239.38.10

BIN
src/test/vlan11.pcap Normal file

Binary file not shown.