trace_dns: convert domain to dot notation (without wasm) #2845
b09732e to 15b40cd
Why did we never try this before? :O
I have a small code suggestion, but LGTM already.
gadgets/trace_dns/program.bpf.c
Outdated
```c
// Convert DNS string to dot notation
// "\u0003www\u0009wikipedia\u0003org\u0000"
// "www.wikipedia.org"
unsigned int i;
unsigned int remaining = 0;
unsigned int offset = 0;
for (i = 0; i < MAX_DNS_NAME - 1; i++) {
	if (remaining == 0) {
		remaining = event->name[i + offset];
		offset = 1;
		if (i > 0) {
			if (remaining == 0) {
				event->name[i] = '\0';
				break;
			}
			event->name[i] = '.';
			continue;
		}
	}
	event->name[i] = event->name[i + 1];
	remaining--;
}
```
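Review bot: an empty name underflows `remaining` in the first iteration. With `event->name[0] == 0`, the `i == 0` pass sets `remaining = 0`, skips the `if (i > 0)` block, and falls through to `remaining--`, which wraps the unsigned counter to its maximum value. The `remaining == 0` branch is then never taken again, so the loop shifts the whole buffer left by one byte and never writes the terminating `'\0'` itself. An early exit when the first length byte is zero would make the root-name case explicit.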
What about this:
```c
// Convert DNS string to dot notation
// "\u0003www\u0009wikipedia\u0003org\u0000"
// "www.wikipedia.org"
unsigned int i;
unsigned int remaining = event->name[0];
for (i = 0; i < MAX_DNS_NAME - 1; i++) {
	if (remaining == 0) {
		remaining = event->name[i + 1];
		if (remaining == 0) {
			event->name[i] = '\0';
			break;
		}
		event->name[i] = '.';
		continue;
	}
	event->name[i] = event->name[i + 1];
	remaining--;
}
```
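Review bot: the length byte read at `remaining = event->name[i + 1];` (and at `remaining = event->name[0];`) is used without a range check. A DNS label length is at most 63, and a byte with the two top bits set is a compression pointer rather than a length, so rejecting or stopping on values above 63 would keep a malformed or compressed name from being rendered as one long label. Separately, if the loop reaches `MAX_DNS_NAME - 1` without meeting the zero-length label, nothing in these lines writes a terminator; setting the last byte of `event->name` to `'\0'` after the loop would guarantee a terminated string.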
Thanks. I picked your patch. I also added a test if the name is empty.
I'll merge when the CI completes.
```
$ sudo -E ig run ghcr.io/inspektor-gadget/gadget/trace_dns:latest --verify-image=false
INFO[0000] Experimental features enabled
WARN[0000] you set --verify-image=false, image will not be verified
WARN[0001] you set --verify-image=false, image will not be verified
RUNTIME.CONTAINERN… SRC… SRC… DST… DST… MNTNS_ID NETNS PID TID UID GID TASK ID QTYPE … PKT_… RCODE LATE… NAME ANCOUNT ANADDRCOU… ANADDR TIMESTAMP SRC.ADDRE… DST.ADDRE…
busybox 565… 17 53 17 40265327 4026533 2869179 2869179 0 0 wget 48138 1 0 4 0 0 www.wikipedia.org 0 0 <16 bytes> 2024-05-14 172.17.0.4 192.168.0.
busybox 565… 17 53 17 40265327 4026533 2869179 2869179 0 0 wget 58639 28 0 4 0 0 www.wikipedia.org 0 0 <16 bytes> 2024-05-14 172.17.0.4 192.168.0.
busybox 53 17 565… 17 40265327 4026533 2869179 2869179 0 0 wget 48138 1 1 0 0 17880 www.wikipedia.org 2 0 <16 bytes> 2024-05-14 192.168.0. 172.17.0.4
busybox 53 17 565… 17 40265327 4026533 2869179 2869179 0 0 wget 58639 28 1 0 0 20834 www.wikipedia.org 2 0 <16 bytes> 2024-05-14 192.168.0. 172.17.0.4
busybox 548… 17 53 17 40265327 4026533 2869179 2869179 0 0 wget 58969 1 0 4 0 0 www.wikipedia.org 0 0 <16 bytes> 2024-05-14 172.17.0.4 192.168.0.
busybox 548… 17 53 17 40265327 4026533 2869179 2869179 0 0 wget 15719 28 0 4 0 0 www.wikipedia.org 0 0 <16 bytes> 2024-05-14 172.17.0.4 192.168.0.
busybox 53 17 548… 17 40265327 4026533 2869179 2869179 0 0 wget 58969 1 1 0 0 16420 www.wikipedia.org 2 0 <16 bytes> 2024-05-14 192.168.0. 172.17.0.4
busybox 53 17 548… 17 40265327 4026533 2869179 2869179 0 0 wget 15719 28 1 0 0 18310 www.wikipedia.org 2 0 <16 bytes> 2024-05-14 192.168.0. 172.17.0.4
ubuntu 463… 17 53 17 40265336 4026534 2869330 2869330 100 65534 http 62504 1 0 4 0 0 archive.ubuntu.com 0 0 <16 bytes> 2024-05-14 172.17.0.4 192.168.0.
ubuntu 559… 17 53 17 40265336 4026534 2869329 2869329 100 65534 http 20280 1 0 4 0 0 security.ubuntu.co 0 0 <16 bytes> 2024-05-14 172.17.0.4 192.168.0.
ubuntu 53 17 463… 17 40265336 4026534 2869330 2869330 100 65534 http 62504 1 1 0 0 19688 archive.ubuntu.com 5 1 <16 bytes> 2024-05-14 192.168.0. 172.17.0.4
ubuntu 53 17 559… 17 40265336 4026534 2869329 2869329 100 65534 http 20280 1 1 0 0 21438 security.ubuntu.co 5 1 <16 bytes> 2024-05-14 192.168.0. 172.17.0.4
```

Signed-off-by: Alban Crequy <albancrequy@linux.microsoft.com>
15b40cd to e474519
Although string manipulation is more difficult to do in eBPF than in userspace, it is actually possible to convert the domain name encoded in the DNS packet into dot notation strings.
How to use
DNS requests generated with:
Testing done
See above.
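A userspace C model of the in-place conversion described in this PR, added here as an example and not the gadget's own code. It adds checks for the empty name, for length bytes above 63 and for a missing terminator; the function name `dns_wire_to_dots`, its `-1` error convention and the sample buffer are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_LABEL 63 /* longest label allowed by RFC 1035 */

/*
 * Convert a wire-format DNS name to dot notation in place.
 * Returns the string length, or -1 (with buf emptied) when a length
 * byte exceeds 63, which also rejects compression pointers, or when
 * no root label ends the name within cap bytes.
 */
int dns_wire_to_dots(unsigned char *buf, size_t cap)
{
    unsigned int remaining;
    size_t i;
    if (cap == 0)
        return -1;
    remaining = buf[0];
    if (remaining == 0)             /* root name: already "" */
        return 0;
    if (remaining > MAX_LABEL)
        goto bad;
    for (i = 0; i + 1 < cap; i++) {
        if (remaining == 0) {
            remaining = buf[i + 1]; /* next length byte */
            if (remaining == 0) {   /* root label: end of name */
                buf[i] = '\0';
                return (int)i;
            }
            if (remaining > MAX_LABEL)
                goto bad;
            buf[i] = '.';
            continue;
        }
        buf[i] = buf[i + 1];        /* shift label byte left by one */
        remaining--;
    }
bad:
    buf[0] = '\0';
    return -1;
}

int main(void)
{
    /* Constructed sample: wire encoding of www.wikipedia.org */
    unsigned char name[32] = "\003www\011wikipedia\003org";
    int n = dns_wire_to_dots(name, sizeof(name));
    printf("%d %s\n", n, (char *)name);
    return n == 17 ? 0 : 1;
}
```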