capture DNS request payloads #37
Comments
|
DNS requests made by getaddrinfo, gethosbyname/1/2/3/4 result in DNS events for request and receive. however, the UDP traffic for the query is not emitted in payload data. the DNS answer is exported in payload data. glibc uses __sendmsg for DNS queries. if a virtual circuit (VC) is required, the DNS response is larger than the max UDP size of 64k, then it will send the request a second time using TCP by means of writev (not __writev). currently, libscope will see the VC queries as it interposes writev. the UDP queries are not tracked due to the use of the private glibc function __sendmsg. for completeness sake, note that at this time, a net connection event does not include UDP as these are not considered connections. that can be changed, of course. this means that, if we decide to interpose __sendmsg, the DNS traffic will be exposed in payload traffic and not events. |
|
We are getting the DNS query packet in payload data. From Wireshark after converting the payload data to a pcap: 0000 0a 02 02 02 02 02 0a 02 02 02 02 01 08 00 45 00 ..............E. Note that src & dst IPs are inserted when converting the payload to pcap. We have the IP addrs. They are used in the path name. I just didn't use them when creating the pcap. The hex dump of the payload file: (the 75fe defines this as a std A DNS query) |
|
The files created with payload data for the command
|
DNS ResponseQueries 0000 0a 02 02 02 02 02 0a 02 02 02 02 01 08 00 45 00 ..............E. |
HTTPS Request0000 16 03 01 02 00 01 00 01 fc 03 03 5e 01 c6 9b 6a ...........^...j |
|
a DNS response event emits the domain name and duration for the query/response. for the command propose to add this to the DNS response event: |
When running a payload capture when using curl we only capture the response of DNS requests, but not the requests.
To reproduce:
run the following command
SCOPE_PAYLOAD_ENABLE=true ./scope curl -v --http1.1 https://cdn.cribl.io/dl/latestLook at the files that are produced in /tmp for the process
Notice that there is 24778_127.0.0.53:53:0.in but no corresponding .out file
See below for an example of how the request looks like
/tmp$ ls -lha 24778_*
-rw-rw-r-- 1 ledion ledion 146 Jan 7 10:00 24778_127.0.0.53:53:0.in
-rw-rw-r-- 1 ledion ledion 6.4K Jan 7 10:00 24778_99.84.198.43:443:44844.in
-rw-rw-r-- 1 ledion ledion 797 Jan 7 10:00 24778_99.84.198.43:44844:443.out
The text was updated successfully, but these errors were encountered: