trace_dns: convert domain to dot notation (without wasm) #2845
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
alban
force-pushed
the
alban_dns_dot_notation
branch
from
b09732e
to
15b40cd
Compare
mauriciovasquezbernal
approved these changes
May 14, 2024
gadgets/trace_dns/program.bpf.c
Outdated
Comment on lines
346
to
366
| // Convert DNS string to dot notation | ||
| // "\u0003www\u0009wikipedia\u0003org\u0000" | ||
| // "www.wikipedia.org" | ||
| unsigned int i; | ||
| unsigned int remaining = 0; | ||
| unsigned int offset = 0; | ||
| for (i = 0; i < MAX_DNS_NAME - 1; i++) { | ||
| if (remaining == 0) { | ||
| remaining = event->name[i + offset]; | ||
| offset = 1; | ||
| if (i > 0) { | ||
| if (remaining == 0) { | ||
| event->name[i] = '\0'; | ||
| break; | ||
| } | ||
| event->name[i] = '.'; | ||
| continue; | ||
| } | ||
| } | ||
| event->name[i] = event->name[i + 1]; | ||
| remaining--; | ||
| } | ||
|
|
There was a problem hiding this comment.
What about this:
Suggested change
| // Convert DNS string to dot notation | |
| // "\u0003www\u0009wikipedia\u0003org\u0000" | |
| // "www.wikipedia.org" | |
| unsigned int i; | |
| unsigned int remaining = 0; | |
| unsigned int offset = 0; | |
| for (i = 0; i < MAX_DNS_NAME - 1; i++) { | |
| if (remaining == 0) { | |
| remaining = event->name[i + offset]; | |
| offset = 1; | |
| if (i > 0) { | |
| if (remaining == 0) { | |
| event->name[i] = '\0'; | |
| break; | |
| } | |
| event->name[i] = '.'; | |
| continue; | |
| } | |
| } | |
| event->name[i] = event->name[i + 1]; | |
| remaining--; | |
| } | |
| // Convert DNS string to dot notation | |
| // "\u0003www\u0009wikipedia\u0003org\u0000" | |
| // "www.wikipedia.org" | |
| unsigned int i; | |
| unsigned int remaining = event->name[0]; | |
| for (i = 0; i < MAX_DNS_NAME - 1; i++) { | |
| if (remaining == 0) { | |
| remaining = event->name[i + 1]; | |
| if (remaining == 0) { | |
| event->name[i] = '\0'; | |
| break; | |
| } | |
| event->name[i] = '.'; | |
| continue; | |
| } | |
| event->name[i] = event->name[i + 1]; | |
| remaining--; | |
| } | |
There was a problem hiding this comment.
Thanks. I picked your patch. I also added a test if the name is empty.
I'll merge when the CI completes.
$ sudo -E ig run ghcr.io/inspektor-gadget/gadget/trace_dns:latest --verify-image=false INFO[0000] Experimental features enabled WARN[0000] you set --verify-image=false, image will not be verified WARN[0001] you set --verify-image=false, image will not be verified RUNTIME.CONTAINERN… SRC… SRC… DST… DST… MNTNS_ID NETNS PID TID UID GID TASK ID QTYPE … PKT_… RCODE LATE… NAME ANCOUNT ANADDRCOU… ANADDR TIMESTAMP SRC.ADDRE… DST.ADDRE… busybox 565… 17 53 17 40265327 4026533 2869179 2869179 0 0 wget 48138 1 0 4 0 0 www.wikipedia.org 0 0 <16 bytes> 2024-05-14 172.17.0.4 192.168.0. busybox 565… 17 53 17 40265327 4026533 2869179 2869179 0 0 wget 58639 28 0 4 0 0 www.wikipedia.org 0 0 <16 bytes> 2024-05-14 172.17.0.4 192.168.0. busybox 53 17 565… 17 40265327 4026533 2869179 2869179 0 0 wget 48138 1 1 0 0 17880 www.wikipedia.org 2 0 <16 bytes> 2024-05-14 192.168.0. 172.17.0.4 busybox 53 17 565… 17 40265327 4026533 2869179 2869179 0 0 wget 58639 28 1 0 0 20834 www.wikipedia.org 2 0 <16 bytes> 2024-05-14 192.168.0. 172.17.0.4 busybox 548… 17 53 17 40265327 4026533 2869179 2869179 0 0 wget 58969 1 0 4 0 0 www.wikipedia.org 0 0 <16 bytes> 2024-05-14 172.17.0.4 192.168.0. busybox 548… 17 53 17 40265327 4026533 2869179 2869179 0 0 wget 15719 28 0 4 0 0 www.wikipedia.org 0 0 <16 bytes> 2024-05-14 172.17.0.4 192.168.0. busybox 53 17 548… 17 40265327 4026533 2869179 2869179 0 0 wget 58969 1 1 0 0 16420 www.wikipedia.org 2 0 <16 bytes> 2024-05-14 192.168.0. 172.17.0.4 busybox 53 17 548… 17 40265327 4026533 2869179 2869179 0 0 wget 15719 28 1 0 0 18310 www.wikipedia.org 2 0 <16 bytes> 2024-05-14 192.168.0. 172.17.0.4 ubuntu 463… 17 53 17 40265336 4026534 2869330 2869330 100 65534 http 62504 1 0 4 0 0 archive.ubuntu.com 0 0 <16 bytes> 2024-05-14 172.17.0.4 192.168.0. ubuntu 559… 17 53 17 40265336 4026534 2869329 2869329 100 65534 http 20280 1 0 4 0 0 security.ubuntu.co 0 0 <16 bytes> 2024-05-14 172.17.0.4 192.168.0. ubuntu 53 17 463… 17 40265336 4026534 2869330 2869330 100 65534 http 62504 1 1 0 0 19688 archive.ubuntu.com 5 1 <16 bytes> 2024-05-14 192.168.0. 172.17.0.4 ubuntu 53 17 559… 17 40265336 4026534 2869329 2869329 100 65534 http 20280 1 1 0 0 21438 security.ubuntu.co 5 1 <16 bytes> 2024-05-14 192.168.0. 172.17.0.4 Signed-off-by: Alban Crequy <albancrequy@linux.microsoft.com>
alban
force-pushed
the
alban_dns_dot_notation
branch
from
15b40cd
to
e474519
Compare
This was referenced May 15, 2024
8 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Although string manipulation is more difficult to do in ebpf than in userspace, it is actually possible to convert the domain name encoded in the DNS packet into dot notation strings.
How to use
DNS requests generated with:
Testing done
See above.