examples:dns_matching: make it work as DNS sniffer

Reason: The intention of initial version of this example was to provide a loop-uprolling example and expected functionality was to drop DNS packets requesting the DNS name contained in the map. But the functionality doesn't work as exepected because the BPF program attached to the raw socket only filters the packets received by the python program. With these modifications, it still serves as a loop-unrolling example, with slightly different functionality. Inverted return values of bpf program. It keeps the packet if the name in DNS packet is also exists in the map. All other packets are dropped. Python program is modified to read packets from raw socket. DNS data from the packet is parsed and printed using dnslib library.

examples:dns_matching: make it work as DNS sniffer
Reason: The intention of initial version of this example was to provide a loop-uprolling example and expected functionality was to drop DNS packets requesting the DNS name contained in the map. But the functionality doesn't work as exepected because the BPF program attached to the raw socket only filters the packets received by the python program. With these modifications, it still serves as a loop-unrolling example, with slightly different functionality. Inverted return values of bpf program. It keeps the packet if the name in DNS packet is also exists in the map. All other packets are dropped. Python program is modified to read packets from raw socket. DNS data from the packet is parsed and printed using dnslib library.
af83f6ff · Prashant Bhole · 74368724 · af83f6ff · af83f6ff
Commit af83f6ff authored Sep 26, 2017 by Prashant Bhole
Showing with 30 additions and 5 deletions

examples/networking/dns_matching/dns_matching.c examples/networking/dns_matching/dns_matching.c +4 -4

examples/networking/dns_matching/dns_matching.py examples/networking/dns_matching/dns_matching.py +26 -1

No files found.
--- a/examples/networking/dns_matching/dns_matching.c
+++ b/examples/networking/dns_matching/dns_matching.c
@@ -90,14 +90,14 @@ int dns_matching(struct __sk_buff *skb)

        struct Leaf * lookup_leaf = cache.lookup(&key);

-        // If DNS name is contained in our map, drop packet.
+        // If DNS name is contained in our map, keep the packet
        if(lookup_leaf) {
          bpf_trace_printk("Matched1\n");
-          return 0;
+          return -1;
        }
      }
    }
  }
-
-  return -1;
+  // Drop the packet
+  return 0;
 }
--- a/examples/networking/dns_matching/dns_matching.py
+++ b/examples/networking/dns_matching/dns_matching.py
@@ -8,6 +8,7 @@ import sys
 import socket
 import os
 import struct
+import dnslib


 def encode_dns(name):
@@ -55,4 +56,28 @@ cache = bpf.get_table("cache")
 add_cache_entry(cache, "foo.bar")
 add_cache_entry(cache, "another.sample.domain")

-bpf.trace_print()
+socket_fd = function_dns_matching.sock
+sock = socket.fromfd(socket_fd, socket.PF_PACKET, socket.SOCK_RAW, socket.IPPROTO_IP)
+sock.setblocking(True)
+
+while 1:
+  #retrieve raw packet from socket
+  packet_str = os.read(socket_fd, 2048)
+  packet_bytearray = bytearray(packet_str)
+
+  ETH_HLEN = 14
+  UDP_HLEN = 8
+
+  #IP HEADER
+  #calculate ip header length
+  ip_header_length = packet_bytearray[ETH_HLEN]               #load Byte
+  ip_header_length = ip_header_length & 0x0F                  #mask bits 0..3
+  ip_header_length = ip_header_length << 2                    #shift to obtain length
+
+  #calculate payload offset
+  payload_offset = ETH_HLEN + ip_header_length + UDP_HLEN
+
+  payload = packet_bytearray[payload_offset:]
+  # pass the payload to dnslib for parsing
+  dnsrec = dnslib.DNSRecord.parse(payload)
+  print (dnsrec.questions, "\n")