wip: dns decoder

nqminds · Aug 23, 2021 · 334e9b7 · 334e9b7
1 parent 1412b7b
commit 334e9b7
Show file tree

Hide file tree

Showing 16 changed files with 870 additions and 499 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -18,6 +18,10 @@
  "pthread.h": "c",
  "capture_service.h": "c",
  "*.tcc": "c",
- "x509v3.h": "c"
+ "x509v3.h": "c",
+ "hash_map": "c",
+ "hash_set": "c",
+ "bitset": "c",
+ "any": "c"
  }
 }
diff --git a/src/capture/CMakeLists.txt b/src/capture/CMakeLists.txt
@@ -6,9 +6,13 @@ add_library(capture_config capture_config.c)
 target_link_libraries(capture_config log os)
 
 if (BUILD_PCAP_LIB)
+ add_library(dns_decoder dns_decoder.c)
+ target_include_directories(dns_decoder PRIVATE ${LIBPCAP_INCLUDE_PATH})
+ target_link_libraries(dns_decoder log os hash)
+
  add_library(packet_decoder packet_decoder.c)
  target_include_directories(packet_decoder PRIVATE ${LIBPCAP_INCLUDE_PATH})
- target_link_libraries(packet_decoder hash if log os hashmap ${LIBPCAP_LIB})
+ target_link_libraries(packet_decoder dns_decoder hash if log os hashmap ${LIBPCAP_LIB})
 
  add_library(packet_queue packet_queue.c)
  target_include_directories(packet_queue PRIVATE ${LIBPCAP_INCLUDE_PATH})
@@ -37,10 +41,10 @@ if (BUILD_SQLSYNC_SERVICE)
  add_library(sync_client sync_client.cc)
  target_include_directories(sync_client PRIVATE ${PROJECT_BINARY_DIR} ${LIBGRPC_INCLUDE_PATH})
  target_link_libraries(sync_client log sqlite_grpc_proto ${LIBGRPCPP_REFLECTION_LIB} ${LIBGRPCPP_LIB} ${LIBPROTOBUF_LIB})
- target_link_libraries(default_analyser pcap_service sync_client sqlite_header_writer sqlite_pcap_writer pcap_queue packet_queue packet_decoder eloop if log os hashmap)
+ target_link_libraries(default_analyser dns_decoder pcap_service sync_client sqlite_header_writer sqlite_pcap_writer pcap_queue packet_queue packet_decoder eloop if log os hashmap)
 else ()
  if (BUILD_PCAP_LIB)
- target_link_libraries(default_analyser pcap_service sqlite_header_writer sqlite_pcap_writer pcap_queue packet_queue packet_decoder eloop if log os hashmap)
+ target_link_libraries(default_analyser dns_decoder pcap_service sqlite_header_writer sqlite_pcap_writer pcap_queue packet_queue packet_decoder eloop if log os hashmap)
  endif()
 endif ()
 

diff --git a/src/capture/capture_config.h b/src/capture/capture_config.h
@@ -72,6 +72,24 @@
  "\t-h\t\t Show help\n" \
  "\t-v\t\t Show app version\n\n"
 
+
+#define MAX_SCHEMA_STR_LENGTH 100
+
+typedef enum packet_types {
+ PACKET_NONE = 0,
+ PACKET_ETHERNET,
+ PACKET_ARP,
+ PACKET_IP4,
+ PACKET_IP6,
+ PACKET_TCP,
+ PACKET_UDP,
+ PACKET_ICMP4,
+ PACKET_ICMP6,
+ PACKET_DNS,
+ PACKET_MDNS,
+ PACKET_DHCP
+} PACKET_TYPES;
+
 /**
  * @brief The capture configuration structure
  * 
@@ -96,6 +114,244 @@ struct capture_conf {
  char filter[MAX_FILTER_SIZE]; /**< Specifies the filter expression or pcap lib */
 };
 
+/**
+ * @brief Meta packet structure definition
+ * 
+ */
+struct meta_packet {
+ PACKET_TYPES type; /**< Packet type */
+ uint32_t hash; /**< Packet header hash */
+ uint32_t ethh_hash; /**< Packet ethernet header hash */
+ uint64_t timestamp; /**< Packet timestamp */
+ uint32_t caplen; /**< Packet caplen */
+ uint32_t length; /**< Packet length */
+ char interface[IFNAMSIZ]; /**< Packet interface name */
+ char hostname[HOST_NAME_MAX]; /**< Packet hostname name */
+ char id[MAX_RANDOM_UUID_LEN]; /**< Packet id */
+};
+
+struct tuple_packet {
+ uint8_t *packet; /**< Packet data */
+ struct meta_packet mp; /**< Packet metadata */
+};
+
+/**
+ * @brief Ethernet protocol schema definition
+ * 
+ */
+struct eth_schema {
+ uint32_t hash; /**< Packet hash */
+ uint64_t timestamp; /**< Packet timestamp */
+ char id[MAX_RANDOM_UUID_LEN]; /**< Packet id */
+ uint32_t caplen; /**< Packet caplen */
+ uint32_t length; /**< Packet length */
+ char ifname[IFNAMSIZ]; /**< Packet interface name */
+ char hostname[HOST_NAME_MAX]; /**< Packet hostname name */
+ char ether_dhost[MACSTR_LEN]; /**< Packet destination eth addr */
+ char ether_shost[MACSTR_LEN]; /**< Packet source ether addr */
+ uint16_t ether_type; /**< Packet packet type ID field */
+};
+
+/**
+ * @brief ARP protocol schema definition
+ * 
+ */
+struct arp_schema {
+ uint32_t hash; /**< Packet hash */
+ uint64_t timestamp; /**< Packet timestamp */
+ uint32_t ethh_hash; /**< Packet ethernet hash */
+ char id[MAX_RANDOM_UUID_LEN]; /**< Packet id */
+ uint16_t ar_hrd; /**< Packet Format of hardware address. */
+ uint16_t ar_pro; /**< Packet Format of protocol address. */
+ uint8_t ar_hln; /**< Packet Length of hardware address. */
+ uint8_t ar_pln; /**< Packet Length of protocol address. */
+ uint16_t ar_op; /**< Packet ARP opcode (command). */
+ char arp_sha[MACSTR_LEN]; /**< Packet sender hardware address */
+ char arp_spa[MACSTR_LEN]; /**< Packet sender protocol address */
+ char arp_tha[MACSTR_LEN]; /**< Packet target hardware address */
+ char arp_tpa[MACSTR_LEN]; /**< Packet target protocol address */
+};
+
+/**
+ * @brief IP4 protocol schema definition
+ * 
+ */
+struct ip4_schema {
+ uint32_t hash; /**< Packet hash */
+ uint64_t timestamp; /**< Packet timestamp */
+ uint32_t ethh_hash; /**< Packet ethernet hash */
+ char id[MAX_RANDOM_UUID_LEN]; /**< Packet id */
+ uint8_t ip_hl; /**< Packet header length */
+ uint8_t ip_v; /**< Packet version */
+ uint8_t ip_tos; /**< Packet type of service */
+ uint16_t ip_len; /**< Packet total length */
+ uint16_t ip_id; /**< Packet identification */
+ uint16_t ip_off; /**< Packet fragment offset field */
+ uint8_t ip_ttl; /**< Packet time to live */
+ uint8_t ip_p; /**< Packet protocol */
+ uint16_t ip_sum; /**< Packet checksum */
+ char ip_src[MAX_SCHEMA_STR_LENGTH]; /**< Packet source address */
+ char ip_dst[MAX_SCHEMA_STR_LENGTH]; /**< Packet dest address */
+};
+
+/**
+ * @brief IP6 protocol schema definition
+ * 
+ */
+struct ip6_schema {
+ uint32_t hash; /**< Packet hash */
+ uint64_t timestamp; /**< Packet timestamp */
+ uint32_t ethh_hash; /**< Packet ethernet hash */
+ char id[MAX_RANDOM_UUID_LEN]; /**< Packet id */
+ uint32_t ip6_un1_flow; /**< Packet 4 bits version, 8 bits TC, 20 bits flow-ID */
+ uint16_t ip6_un1_plen; /**< Packet payload length */
+ uint8_t ip6_un1_nxt; /**< Packet next header */
+ uint8_t ip6_un1_hlim; /**< Packet hop limit */
+ uint8_t ip6_un2_vfc; /**< Packet 4 bits version, top 4 bits tclass */
+ char ip6_src[INET6_ADDRSTRLEN]; /**< Packet source address */
+ char ip6_dst[INET6_ADDRSTRLEN]; /**< Packet destination address */
+};
+
+/**
+ * @brief TCP protocol schema definition
+ * 
+ */
+struct tcp_schema {
+ uint32_t hash; /**< Packet hash */
+ uint64_t timestamp; /**< Packet timestamp */
+ uint32_t ethh_hash; /**< Packet ethernet hash */
+ char id[MAX_RANDOM_UUID_LEN]; /**< Packet id */
+ uint16_t source; /**< Packet source port */
+ uint16_t dest; /**< Packet destination port */
+ uint32_t seq; /**< Packet seq flag */
+ uint32_t ack_seq; /**< Packet ack_seq flag */
+ uint16_t res1; /**< Packet res1 flag */
+ uint16_t doff; /**< Packet doff flag */
+ uint16_t fin; /**< Packet fin flag */
+ uint16_t syn; /**< Packet syn flag */
+ uint16_t rst; /**< Packet rst flag */
+ uint16_t psh; /**< Packet psh flag */
+ uint16_t ack; /**< Packet ack flag */
+ uint16_t urg; /**< Packet urg flag */
+ uint16_t window; /**< Packet window */
+ uint16_t check_p; /**< Packet check */
+ uint16_t urg_ptr; /**< Packet urg_ptr */
+};
+
+/**
+ * @brief UDP protocol schema definition
+ * 
+ */
+struct udp_schema {
+ uint32_t hash; /**< Packet hash */
+ uint64_t timestamp; /**< Packet timestamp */
+ uint32_t ethh_hash; /**< Packet ethernet hash */
+ char id[MAX_RANDOM_UUID_LEN]; /**< Packet id */
+ uint16_t source; /**< Packet source port */
+ uint16_t dest; /**< Packet destination port */
+ uint16_t len; /**< Packet udp length */
+ uint16_t check_p; /**< Packet udp checksum */
+};
+
+/**
+ * @brief ICMP4 protocol schema definition
+ * 
+ */
+struct icmp4_schema {
+ uint32_t hash; /**< Packet hash */
+ uint64_t timestamp; /**< Packet timestamp */
+ uint32_t ethh_hash; /**< Packet ethernet hash */
+ char id[MAX_RANDOM_UUID_LEN]; /**< Packet id */
+ uint8_t type; /**< Packet message type */
+ uint8_t code; /**< Packet type sub-code */
+ uint16_t checksum; /**< Packet checksum */
+ uint32_t gateway; /**< Packet gateway address */
+};
+
+/**
+ * @brief ICMP6 protocol schema definition
+ * 
+ */
+struct icmp6_schema {
+ uint32_t hash; /**< Packet hash */
+ uint64_t timestamp; /**< Packet timestamp */
+ uint32_t ethh_hash; /**< Packet ethernet hash */
+ char id[MAX_RANDOM_UUID_LEN]; /**< Packet id */
+ uint8_t icmp6_type; /**< Packet type field */
+ uint8_t icmp6_code; /**< Packet code field */
+ uint16_t icmp6_cksum; /**< Packet checksum field */
+ uint32_t icmp6_un_data32; /**< Packet type-specific field */
+};
+
+/**
+ * @brief DNS protocol schema definition
+ * 
+ */
+struct dns_schema {
+ uint32_t hash; /**< Packet hash */
+ uint64_t timestamp; /**< Packet timestamp */
+ uint32_t ethh_hash; /**< Packet ethernet hash */
+ char id[MAX_RANDOM_UUID_LEN]; /**< Packet id */
+ uint16_t tid; /**< Packet Transaction ID */
+ uint16_t flags; /**< Packet Flags */
+ uint16_t nqueries; /**< Packet Questions */
+ uint16_t nanswers; /**< Packet Answers */
+ uint16_t nauth; /**< Packet Authority PRs */
+ uint16_t nother; /**< Packet Other PRs */
+ uint16_t p_id; /**< Packet payload params */
+ uint8_t p_qr; /**< Packet payload params */
+ uint8_t p_aa; /**< Packet payload params */
+ uint8_t p_tc; /**< Packet payload params */
+ uint8_t p_rd; /**< Packet payload params */
+ uint8_t p_ra; /**< Packet payload params */
+ uint8_t p_z; /**< Packet payload params */
+ uint8_t p_opcode; /**< Packet payload params */
+ uint8_t p_rcode; /**< Packet payload params */
+ uint16_t p_qdcount; /**< Packet payload params */
+ uint16_t p_ancount; /**< Packet payload params */ 
+ uint16_t p_nscount; /**< Packet payload params */
+ uint16_t p_arcount; /**< Packet payload params */
+};
+
+/**
+ * @brief mDNS protocol schema definition
+ * 
+ */
+struct mdns_schema {
+ uint32_t hash; /**< Packet hash */
+ uint64_t timestamp; /**< Packet timestamp */
+ uint32_t ethh_hash; /**< Packet ethernet hash */
+ char id[MAX_RANDOM_UUID_LEN]; /**< Packet id */
+ uint16_t tid; /**< Packet Transaction ID */
+ uint16_t flags; /**< Packet Flags */
+ uint16_t nqueries; /**< Packet Questions */
+ uint16_t nanswers; /**< Packet Answers */
+ uint16_t nauth; /**< Packet Authority PRs */
+ uint16_t nother; /**< Packet Other PRs */
+};
+
+/**
+ * @brief DHCP protocol schema definition
+ * 
+ */
+struct dhcp_schema {
+ uint32_t hash; /**< Packet hash */
+ uint64_t timestamp; /**< Packet timestamp */
+ uint32_t ethh_hash; /**< Packet ethernet hash */
+ char id[MAX_RANDOM_UUID_LEN]; /**< Packet id */
+ uint8_t op; /**< Packet packet type */
+ uint8_t htype; /**< Packet type of hardware address for this machine (Ethernet, etc) */
+ uint8_t hlen; /**< Packet length of hardware address (of this machine) */
+ uint8_t hops; /**< Packet hops */
+ uint32_t xid; /**< Packet random transaction id number - chosen by this machine */
+ uint16_t secs; /**< Packet seconds used in timing */
+ uint16_t flags; /**< Packet flags */
+ char ciaddr[MAX_SCHEMA_STR_LENGTH]; /**< Packet IP address of this machine (if we already have one) */
+ char yiaddr[MAX_SCHEMA_STR_LENGTH]; /**< Packet IP address of this machine (offered by the DHCP server) */
+ char siaddr[MAX_SCHEMA_STR_LENGTH]; /**< Packet IP address of DHCP server */
+ char giaddr[MAX_SCHEMA_STR_LENGTH]; /**< Packet IP address of DHCP relay */
+};
+
 /**
  * @brief Translate a capture process option to a config structure value
  * 

diff --git a/src/capture/default_analyser.c b/src/capture/default_analyser.c
@@ -87,17 +87,15 @@ void pcap_callback(const void *ctx, struct pcap_pkthdr *header, uint8_t *packet)
  UT_array *tp_array;
  int count;
 
- if (context->db_write) {
- if ((count = extract_packets(header, packet,
- context->interface,
- context->hostname,
- context->cap_id, &tp_array)) > 0) {
- add_packet_queue(tp_array, count, context->pqueue);
- }
-
- utarray_free(tp_array);
+ if ((count = extract_packets(header, packet,
+ context->interface,
+ context->hostname,
+ context->cap_id, &tp_array)) > 0) {
+ add_packet_queue(tp_array, count, context->pqueue);
  }
 
+ utarray_free(tp_array);
+
  if (context->file_write) {
  if (push_pcap_queue(context->cqueue, header, packet) == NULL) {
  log_trace("push_pcap_queue fail");
@@ -148,13 +146,13 @@ void eloop_tout_handler(void *eloop_ctx, void *user_ctx)
  char *traces = NULL;
 
  // Process all packets in the queue
- if (context->db_write) {
- while(get_packet_queue_length(context->pqueue)) {
- if ((el_packet = pop_packet_queue(context->pqueue)) != NULL) {
+ while(get_packet_queue_length(context->pqueue)) {
+ if ((el_packet = pop_packet_queue(context->pqueue)) != NULL) {
+ if (context->db_write) {
  save_packet_statement(context->header_db, &(el_packet->tp));
- // Process packet
- free_packet_queue_el(el_packet);
  }
+ // Process packet
+ free_packet_queue_el(el_packet);
  }
  }
 
@@ -205,6 +203,10 @@ int start_default_analyser(struct capture_conf *config)
  os_memset(&context, 0, sizeof(context));
  generate_radom_uuid(context.cap_id);
 
+ if (get_hostname(context.hostname) < 0) {
+ log_debug("get_hostname fail");
+ return -1;
+ }
  // Transform to microseconds
  context.interface = config->capture_interface;
  context.filter = config->filter;
@@ -233,6 +235,7 @@ int start_default_analyser(struct capture_conf *config)
  return -1;
  }
 
+ log_info("Capturing hostname=%s", context.hostname);
  log_info("Capturing id=%s", context.cap_id);
  log_info("Capturing interface=%s", context.interface);
  log_info("Capturing filter=%s", context.filter);

diff --git a/src/capture/default_analyser.h b/src/capture/default_analyser.h
@@ -50,7 +50,7 @@ struct capture_context {
  char *interface;
  char *filter;
  char cap_id[MAX_RANDOM_UUID_LEN];
- char hostname[MAX_HOSTNAME_LEN];
+ char hostname[HOST_NAME_MAX];
 };
 
 /**