2 * collectd - src/utils_dns.c
3 * Modifications Copyright (C) 2006 Florian octo Forster
4 * Copyright (C) 2002 The Measurement Factory, Inc.
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions are met:
10 * 1. Redistributions of source code must retain the above copyright notice,
11 * this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright notice,
13 * this list of conditions and the following disclaimer in the documentation
14 * and/or other materials provided with the distribution.
15 * 3. Neither the name of The Measurement Factory nor the names of its
16 * contributors may be used to endorse or promote products derived from this
17 * software without specific prior written permission.
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
23 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
32 * The Measurement Factory, Inc. <http://www.measurement-factory.com/>
33 * Florian octo Forster <octo at verplant.org>
39 # include <netinet/in.h>
45 # include <arpa/inet.h>
48 #if HAVE_ARPA_NAMESER_H
49 # include <arpa/nameser.h>
50 #elif HAVE_ARPA_NAMESER_COMPAT_H
51 # include <arpa/nameser_compat.h>
55 # include <net/if_arp.h>
60 #if HAVE_NETINET_IF_ETHER_H
61 # include <netinet/if_ether.h>
64 # include <net/if_ppp.h>
68 # include <sys/socket.h>
74 #if HAVE_NETINET_IN_SYSTM_H
75 # include <netinet/in_systm.h>
78 # include <netinet/in.h>
81 # include <netinet/ip.h>
83 #ifdef HAVE_NETINET_IP_VAR_H
84 # include <netinet/ip_var.h>
86 #if HAVE_NETINET_IP6_H
87 # include <netinet/ip6.h>
89 #if HAVE_NETINET_UDP_H
90 # include <netinet/udp.h>
93 #define PCAP_SNAPLEN 1460
95 #define ETHER_ADDR_LEN 6
96 #define ETHER_TYPE_LEN 2
97 #define ETHER_HDR_LEN (ETHER_ADDR_LEN * 2 + ETHER_TYPE_LEN)
99 #ifndef ETHERTYPE_8021Q
100 # define ETHERTYPE_8021Q 0x8100
102 #ifndef ETHERTYPE_IPV6
103 # define ETHERTYPE_IPV6 0x86DD
106 #ifndef PPP_ADDRESS_VAL
107 # define PPP_ADDRESS_VAL 0xff /* The address byte value */
109 #ifndef PPP_CONTROL_VAL
110 # define PPP_CONTROL_VAL 0x03 /* The control byte value */
114 #define uh_sport source
115 #define uh_dport dest
118 #include "utils_dns.h"
125 struct in6_addr addr;
127 struct ip_list_s *next;
129 typedef struct ip_list_s ip_list_t;
131 typedef int (printer)(const char *, ...);
134 * flags/features for non-interactive mode
147 int qtype_counts[T_MAX];
148 int opcode_counts[OP_MAX];
149 int qclass_counts[C_MAX];
152 static pcap_t *pcap_obj = NULL;
155 static ip_list_t *IgnoreList = NULL;
157 static void (*Callback) (const rfc1035_header_t *) = NULL;
159 static int query_count_intvl = 0;
160 static int query_count_total = 0;
162 static struct bpf_timeval last_ts;
164 static struct timeval last_ts;
167 static int cmp_in6_addr (const struct in6_addr *a,
168 const struct in6_addr *b)
172 for (i = 0; i < 4; i++)
173 if (a->s6_addr32[i] != b->s6_addr32[i])
179 return (a->s6_addr32[i] > b->s6_addr32[i] ? 1 : -1);
180 } /* int cmp_addrinfo */
182 static inline int ignore_list_match (const struct in6_addr *addr)
186 for (ptr = IgnoreList; ptr != NULL; ptr = ptr->next)
187 if (cmp_in6_addr (addr, &ptr->addr) == 0)
190 } /* int ignore_list_match */
192 static void ignore_list_add (const struct in6_addr *addr)
196 if (ignore_list_match (addr) != 0)
199 new = malloc (sizeof (ip_list_t));
206 memcpy (&new->addr, addr, sizeof (struct in6_addr));
207 new->next = IgnoreList;
210 } /* void ignore_list_add */
212 void ignore_list_add_name (const char *name)
214 struct addrinfo *ai_list;
215 struct addrinfo *ai_ptr;
216 struct in6_addr addr;
219 status = getaddrinfo (name, NULL, NULL, &ai_list);
223 for (ai_ptr = ai_list; ai_ptr != NULL; ai_ptr = ai_ptr->ai_next)
225 if (ai_ptr->ai_family == AF_INET)
227 addr.s6_addr32[0] = 0;
228 addr.s6_addr32[1] = 0;
229 addr.s6_addr32[2] = htonl (0x0000FFFF);
230 addr.s6_addr32[3] = ((struct sockaddr_in *) ai_ptr->ai_addr)->sin_addr.s_addr;
232 ignore_list_add (&addr);
236 ignore_list_add (&((struct sockaddr_in6 *) ai_ptr->ai_addr)->sin6_addr);
240 freeaddrinfo (ai_list);
243 static void in6_addr_from_buffer (struct in6_addr *ia,
244 const void *buf, size_t buf_len,
247 memset (ia, 0, sizeof (struct in6_addr));
248 if ((AF_INET == family) && (sizeof (uint32_t) == buf_len))
250 ia->s6_addr32[2] = htonl (0x0000FFFF);
251 ia->s6_addr32[3] = *((uint32_t *) buf);
253 else if ((AF_INET6 == family) && (sizeof (struct in6_addr) == buf_len))
255 memcpy (ia, buf, buf_len);
257 } /* void in6_addr_from_buffer */
260 void dnstop_set_pcap_obj (pcap_t *po)
266 void dnstop_set_callback (void (*cb) (const rfc1035_header_t *))
271 #define RFC1035_MAXLABELSZ 63
273 rfc1035NameUnpack(const char *buf, size_t sz, off_t * off, char *name, size_t ns
285 /* blasted compression */
288 memcpy(&s, buf + (*off), sizeof(s));
295 /* Make sure the pointer is inside this message */
298 return rfc1035NameUnpack(buf, sz, &ptr, name + no, ns - no);
299 } else if (c > RFC1035_MAXLABELSZ) {
301 * "(The 10 and 01 combinations are reserved for future use.)"
312 if ((*off) + len > sz) /* message is too short */
314 memcpy(name + no, buf + (*off), len);
317 *(name + (no++)) = '.';
320 *(name + no - 1) = '\0';
321 /* make sure we didn't allow someone to overflow the name buffer */
327 handle_dns(const char *buf, int len,
328 const struct in6_addr *s_addr,
329 const struct in6_addr *d_addr)
337 /* The DNS header is 12 bytes long */
341 memcpy(&us, buf + 0, 2);
344 memcpy(&us, buf + 2, 2);
346 fprintf (stderr, "Bytes 0, 1: 0x%04hx\n", us);
347 qh.qr = (us >> 15) & 0x01;
348 qh.opcode = (us >> 11) & 0x0F;
349 qh.aa = (us >> 10) & 0x01;
350 qh.tc = (us >> 9) & 0x01;
351 qh.rd = (us >> 8) & 0x01;
352 qh.ra = (us >> 7) & 0x01;
353 qh.z = (us >> 6) & 0x01;
354 qh.ad = (us >> 5) & 0x01;
355 qh.cd = (us >> 4) & 0x01;
356 qh.rcode = us & 0x0F;
358 memcpy(&us, buf + 4, 2);
359 qh.qdcount = ntohs(us);
361 memcpy(&us, buf + 6, 2);
362 qh.ancount = ntohs(us);
364 memcpy(&us, buf + 8, 2);
365 qh.nscount = ntohs(us);
367 memcpy(&us, buf + 10, 2);
368 qh.arcount = ntohs(us);
371 memset(qh.qname, '\0', MAX_QNAME_SZ);
372 x = rfc1035NameUnpack(buf, len, &offset, qh.qname, MAX_QNAME_SZ);
375 if ('\0' == qh.qname[0])
376 strcpy(qh.qname, ".");
377 while ((t = strchr(qh.qname, '\n')))
379 while ((t = strchr(qh.qname, '\r')))
381 for (t = qh.qname; *t; t++)
384 memcpy(&us, buf + offset, 2);
385 qh.qtype = ntohs(us);
386 memcpy(&us, buf + offset + 2, 2);
387 qh.qclass = ntohs(us);
389 qh.length = (uint16_t) len;
392 qtype_counts[qh.qtype]++;
393 qclass_counts[qh.qclass]++;
394 opcode_counts[qh.opcode]++;
396 if (Callback != NULL)
403 handle_udp(const struct udphdr *udp, int len,
404 const struct in6_addr *s_addr,
405 const struct in6_addr *d_addr)
407 char buf[PCAP_SNAPLEN];
408 if ((ntohs (udp->uh_dport) != 53)
409 && (ntohs (udp->uh_sport) != 53))
411 memcpy(buf, udp + 1, len - sizeof(*udp));
412 if (0 == handle_dns(buf, len - sizeof(*udp), s_addr, d_addr))
418 handle_ipv6 (struct ip6_hdr *ipv6, int len)
420 char buf[PCAP_SNAPLEN];
424 struct in6_addr s_addr;
425 struct in6_addr d_addr;
426 uint16_t payload_len;
428 offset = sizeof (struct ip6_hdr);
429 nexthdr = ipv6->ip6_nxt;
430 s_addr = ipv6->ip6_src;
431 d_addr = ipv6->ip6_dst;
432 payload_len = ntohs (ipv6->ip6_plen);
434 if (ignore_list_match (&s_addr))
437 /* Parse extension headers. This only handles the standard headers, as
438 * defined in RFC 2460, correctly. Fragments are discarded. */
439 while ((IPPROTO_ROUTING == nexthdr) /* routing header */
440 || (IPPROTO_HOPOPTS == nexthdr) /* Hop-by-Hop options. */
441 || (IPPROTO_FRAGMENT == nexthdr) /* fragmentation header. */
442 || (IPPROTO_DSTOPTS == nexthdr) /* destination options. */
443 || (IPPROTO_DSTOPTS == nexthdr) /* destination options. */
444 || (IPPROTO_AH == nexthdr) /* destination options. */
445 || (IPPROTO_ESP == nexthdr)) /* encapsulating security payload. */
447 struct ip6_ext ext_hdr;
448 uint16_t ext_hdr_len;
450 /* Catch broken packets */
451 if ((offset + sizeof (struct ip6_ext)) > len)
454 /* Cannot handle fragments. */
455 if (IPPROTO_FRAGMENT == nexthdr)
458 memcpy (&ext_hdr, (char *) ipv6 + offset, sizeof (struct ip6_ext));
459 nexthdr = ext_hdr.ip6e_nxt;
460 ext_hdr_len = (8 * (ntohs (ext_hdr.ip6e_len) + 1));
462 /* This header is longer than the packets payload.. WTF? */
463 if (ext_hdr_len > payload_len)
466 offset += ext_hdr_len;
467 payload_len -= ext_hdr_len;
470 /* Catch broken and empty packets */
471 if (((offset + payload_len) > len)
472 || (payload_len == 0)
473 || (payload_len > PCAP_SNAPLEN))
476 if (IPPROTO_UDP != nexthdr)
479 memcpy (buf, (char *) ipv6 + offset, payload_len);
480 if (handle_udp ((struct udphdr *) buf, payload_len, &s_addr, &d_addr) == 0)
483 return (1); /* Success */
484 } /* int handle_ipv6 */
487 handle_ip(const struct ip *ip, int len)
489 char buf[PCAP_SNAPLEN];
490 int offset = ip->ip_hl << 2;
491 struct in6_addr s_addr;
492 struct in6_addr d_addr;
495 return (handle_ipv6 ((struct ip6_hdr *) ip, len));
497 in6_addr_from_buffer (&s_addr, &ip->ip_src.s_addr, sizeof (ip->ip_src.s_addr), AF_INET);
498 in6_addr_from_buffer (&d_addr, &ip->ip_dst.s_addr, sizeof (ip->ip_dst.s_addr), AF_INET);
499 if (ignore_list_match (&s_addr))
501 if (IPPROTO_UDP != ip->ip_p)
503 memcpy(buf, (void *) ip + offset, len - offset);
504 if (0 == handle_udp((struct udphdr *) buf, len - offset, &s_addr, &d_addr))
510 handle_ppp(const u_char * pkt, int len)
512 char buf[PCAP_SNAPLEN];
514 unsigned short proto;
517 if (*pkt == PPP_ADDRESS_VAL && *(pkt + 1) == PPP_CONTROL_VAL) {
518 pkt += 2; /* ACFC not used */
524 proto = *pkt; /* PFC is used */
528 memcpy(&us, pkt, sizeof(us));
533 if (ETHERTYPE_IP != proto && PPP_IP != proto)
535 memcpy(buf, pkt, len);
536 return handle_ip((struct ip *) buf, len);
540 handle_null(const u_char * pkt, int len)
543 memcpy(&family, pkt, sizeof(family));
544 if (AF_INET != family)
546 return handle_ip((struct ip *) (pkt + 4), len - 4);
551 handle_loop(const u_char * pkt, int len)
554 memcpy(&family, pkt, sizeof(family));
555 if (AF_INET != ntohl(family))
557 return handle_ip((struct ip *) (pkt + 4), len - 4);
564 handle_raw(const u_char * pkt, int len)
566 return handle_ip((struct ip *) pkt, len);
572 handle_ether(const u_char * pkt, int len)
574 char buf[PCAP_SNAPLEN];
575 struct ether_header *e = (void *) pkt;
576 unsigned short etype = ntohs(e->ether_type);
577 if (len < ETHER_HDR_LEN)
579 pkt += ETHER_HDR_LEN;
580 len -= ETHER_HDR_LEN;
581 if (ETHERTYPE_8021Q == etype) {
582 etype = ntohs(*(unsigned short *) (pkt + 2));
586 if ((ETHERTYPE_IP != etype)
587 && (ETHERTYPE_IPV6 != etype))
589 memcpy(buf, pkt, len);
590 if (ETHERTYPE_IPV6 == etype)
591 return (handle_ipv6 ((struct ip6_hdr *) buf, len));
593 return handle_ip((struct ip *) buf, len);
596 /* public function */
598 void handle_pcap(u_char *udata, const struct pcap_pkthdr *hdr, const u_char *pkt)
602 fprintf (stderr, "handle_pcap (udata = %p, hdr = %p, pkt = %p): hdr->caplen = %i\n",
603 (void *) udata, (void *) hdr, (void *) pkt,
606 if (hdr->caplen < ETHER_HDR_LEN)
609 switch (pcap_datalink (pcap_obj))
612 status = handle_ether (pkt, hdr->caplen);
615 status = handle_ppp (pkt, hdr->caplen);
619 status = handle_loop (pkt, hdr->caplen);
624 status = handle_raw (pkt, hdr->caplen);
628 status = handle_null (pkt, hdr->caplen);
632 fprintf (stderr, "unsupported data link type %d\n",
633 pcap_datalink(pcap_obj));
636 } /* switch (pcap_datalink(pcap_obj)) */
647 const char *qtype_str(int t)
651 case ns_t_a: return ("A");
652 case ns_t_ns: return ("NS");
653 case ns_t_md: return ("MD");
654 case ns_t_mf: return ("MF");
655 case ns_t_cname: return ("CNAME");
656 case ns_t_soa: return ("SOA");
657 case ns_t_mb: return ("MB");
658 case ns_t_mg: return ("MG");
659 case ns_t_mr: return ("MR");
660 case ns_t_null: return ("NULL");
661 case ns_t_wks: return ("WKS");
662 case ns_t_ptr: return ("PTR");
663 case ns_t_hinfo: return ("HINFO");
664 case ns_t_minfo: return ("MINFO");
665 case ns_t_mx: return ("MX");
666 case ns_t_txt: return ("TXT");
667 case ns_t_rp: return ("RP");
668 case ns_t_afsdb: return ("AFSDB");
669 case ns_t_x25: return ("X25");
670 case ns_t_isdn: return ("ISDN");
671 case ns_t_rt: return ("RT");
672 case ns_t_nsap: return ("NSAP");
673 case ns_t_nsap_ptr: return ("NSAP-PTR");
674 case ns_t_sig: return ("SIG");
675 case ns_t_key: return ("KEY");
676 case ns_t_px: return ("PX");
677 case ns_t_gpos: return ("GPOS");
678 case ns_t_aaaa: return ("AAAA");
679 case ns_t_loc: return ("LOC");
680 case ns_t_nxt: return ("NXT");
681 case ns_t_eid: return ("EID");
682 case ns_t_nimloc: return ("NIMLOC");
683 case ns_t_srv: return ("SRV");
684 case ns_t_atma: return ("ATMA");
685 case ns_t_naptr: return ("NAPTR");
686 case ns_t_kx: return ("KX");
687 case ns_t_cert: return ("CERT");
688 case ns_t_a6: return ("A6");
689 case ns_t_dname: return ("DNAME");
690 case ns_t_sink: return ("SINK");
691 case ns_t_opt: return ("OPT");
692 case ns_t_tsig: return ("TSIG");
693 case ns_t_ixfr: return ("IXFR");
694 case ns_t_axfr: return ("AXFR");
695 case ns_t_mailb: return ("MAILB");
696 case ns_t_maila: return ("MAILA");
697 case ns_t_any: return ("ANY");
698 case ns_t_zxfr: return ("ZXFR");
700 snprintf (buf, 32, "#%i", t);
708 const char *opcode_str (int o)
728 snprintf(buf, 30, "Opcode%d", o);
734 const char *rcode_str (int rcode)
739 case ns_r_noerror: return ("NOERROR");
740 case ns_r_formerr: return ("FORMERR");
741 case ns_r_servfail: return ("SERVFAIL");
742 case ns_r_nxdomain: return ("NXDOMAIN");
743 case ns_r_notimpl: return ("NOTIMPL");
744 case ns_r_refused: return ("REFUSED");
745 case ns_r_yxdomain: return ("YXDOMAIN");
746 case ns_r_yxrrset: return ("YXRRSET");
747 case ns_r_nxrrset: return ("NXRRSET");
748 case ns_r_notauth: return ("NOTAUTH");
749 case ns_r_notzone: return ("NOTZONE");
750 case ns_r_max: return ("MAX");
751 case ns_r_badsig: return ("BADSIG");
752 case ns_r_badkey: return ("BADKEY");
753 case ns_r_badtime: return ("BADTIME");
755 snprintf (buf, 32, "RCode%i", rcode);
761 } /* const char *rcode_str (int rcode) */
765 main(int argc, char *argv[])
767 char errbuf[PCAP_ERRBUF_SIZE];
770 int readfile_state = 0;
771 struct bpf_program fp;
774 SubReport = Sources_report;
775 ignore_addr.s_addr = 0;
776 progname = strdup(strrchr(argv[0], '/') ? strchr(argv[0], '/') + 1 : argv[0]);
780 while ((x = getopt(argc, argv, "ab:f:i:pst")) != -1) {
795 bpf_program_str = strdup(optarg);
798 ignore_addr.s_addr = inet_addr(optarg);
813 device = strdup(argv[0]);
815 if (0 == stat(device, &sb))
817 if (readfile_state) {
818 pcap_obj = pcap_open_offline(device, errbuf);
820 pcap_obj = pcap_open_live(device, PCAP_SNAPLEN, promisc_flag, 1000, errbuf);
822 if (NULL == pcap_obj) {
823 fprintf(stderr, "pcap_open_*: %s\n", errbuf);
827 if (0 == isatty(1)) {
828 if (0 == readfile_state) {
829 fprintf(stderr, "Non-interactive mode requires savefile argument\n");
836 memset(&fp, '\0', sizeof(fp));
837 x = pcap_compile(pcap_obj, &fp, bpf_program_str, 1, 0);
839 fprintf(stderr, "pcap_compile failed\n");
842 x = pcap_setfilter(pcap_obj, &fp);
844 fprintf(stderr, "pcap_setfilter failed\n");
849 * non-blocking call added for Mac OS X bugfix. Sent by Max Horn.
850 * ref http://www.tcpdump.org/lists/workers/2002/09/msg00033.html
852 x = pcap_setnonblock(pcap_obj, 1, errbuf);
854 fprintf(stderr, "pcap_setnonblock failed: %s\n", errbuf);
858 switch (pcap_datalink(pcap_obj)) {
860 handle_datalink = handle_ether;
864 handle_datalink = handle_ppp;
869 handle_datalink = handle_loop;
874 handle_datalink = handle_raw;
878 handle_datalink = handle_null;
881 fprintf(stderr, "unsupported data link type %d\n",
882 pcap_datalink(pcap_obj));
889 if (readfile_state < 2) {
891 * On some OSes select() might return 0 even when
892 * there are packets to process. Thus, we always
893 * ignore its return value and just call pcap_dispatch()
896 if (0 == readfile_state) /* interactive */
897 pcap_select(pcap_obj, 1, 0);
898 x = pcap_dispatch(pcap_obj, 50, handle_pcap, NULL);
900 if (0 == x && 1 == readfile_state) {
901 /* block on keyboard until user quits */
910 endwin(); /* klin, Thu Nov 28 08:56:51 2002 */
912 while (pcap_dispatch(pcap_obj, 50, handle_pcap, NULL))
915 Sources_report(); print_func("\n");
916 Destinatioreport(); print_func("\n");
917 Qtypes_report(); print_func("\n");
918 Opcodes_report(); print_func("\n");
919 Tld_report(); print_func("\n");
920 Sld_report(); print_func("\n");
921 Nld_report(); print_func("\n");
922 SldBySource_report();
925 pcap_close(pcap_obj);
927 } /* static int main(int argc, char *argv[]) */
projects / collectd.git / blob