def UdpPacketParser(ip_layer):
res = {}
udp = ip_layer.data
udph = False
try:
udph = udp.__hdr__
except (AttributeError) as err:
print(err)
if udph:
if udp.dport:
if udp.dport == 53:
dns = False
try:
dns = DNS(udp.data)
except (UnpackError):
pass
if dns:
res['domain'] = dns.qd[0].name.__str__()
res['dp'] = udp.dport
res['type'] = 'dns_request'
elif udp.sport == 53:
dns = False
try:
dns = DNS(udp.data)
except (UnpackError):
pass
if dns:
res['domain'] = dns.qd[0].name.__str__()
res['sp'] = udp.sport
res['type'] = 'dns_answer'
return res
def load_dns_packet_from_udp_packet(udp_packet: UDP) -> Optional[DNS]:
try:
return DNS(udp_packet.data)
except Exception as ex:
logging.warning('Can not extract DNS packet from UDP packet. Error: `%s`', ex)
raise ex
def test_extract_data_from_dns_packet_works_as_expected(self):
mock_ans_1 = dpkt.dns.DNS.RR()
mock_ans_1.type = dpkt.dns.DNS_CNAME
mock_ans_1.ttl = 60
mock_ans_1.name = 'mock_cname_ans'
mock_dns_packet = DNS()
mock_dns_packet.an = [mock_ans_1]
mock_dns_packet.qr = dpkt.dns.DNS_R
data = self.dpkt_utils.extract_data_from_dns_packet(mock_dns_packet)
self.assertEqual(mock_ans_1.name, data.dns_ans_cname)
self.assertEqual(mock_ans_1.ttl, data.dns_ans_cname_ttl)
self.assertEqual('', data.dns_ans_name)
self.assertEqual('', data.dns_ans_ip)
self.assertIsNone(data.dns_ans_ttl)
def test_extract_data_from_layer7_packet_works_for_dns_packet(self):
mock_ans_1 = dpkt.dns.DNS.RR()
mock_ans_1.type = dpkt.dns.DNS_CNAME
mock_ans_1.ttl = 60
mock_ans_1.name = 'mock_cname_ans'
mock_dns_packet = DNS()
mock_dns_packet.an = [mock_ans_1]
mock_dns_packet.qr = dpkt.dns.DNS_R
packet_data = self.dpkt_utils.extract_data_from_layer7_packet(
mock_dns_packet, PacketData())
self.assertEqual(mock_ans_1.name, packet_data.dns_ans_cname)
self.assertEqual(mock_ans_1.ttl, packet_data.dns_ans_cname_ttl)
self.assertIsNone(packet_data.dns_ans_name)
self.assertIsNone(packet_data.dns_ans_ip)
self.assertIsNone(packet_data.dns_ans_ttl)
def lookup(hosts):
"""
Returns a host/ip dictionary for the given host list.
"""
hosts_ip = dict.fromkeys(hosts)
UDP_IP = "0.0.0.0"
UDP_PORT = 5353
MCAST_GRP = '224.0.0.251'
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind((UDP_IP, UDP_PORT))
# join the multicast group
mreq = struct.pack("4sl", socket.inet_aton(MCAST_GRP), socket.INADDR_ANY)
sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
for host in hosts:
# the string in the following statement is an empty query packet
dns = DNS(
'\x00\x00\x01\x00\x00\x01\x00\x00' +
'\x00\x00\x00\x00\x00\x00\x01\x00\x01')
dns.qd[0].name = host
sock.sendto(dns.pack(), (MCAST_GRP, UDP_PORT))
# receives until the end of the timeout
sock.settimeout(5)
while True:
try:
m = sock.recvfrom(1024)
if VERBOSE_GLOBAL:
print('%r %s' % (m[0], m[1]))
dns = DNS(m[0])
if len(dns.qd) > 0:
if VERBOSE_GLOBAL:
print("%r %s" % (dns, dns.qd[0].name))
if len(dns.an) > 0 and dns.an[0].type == DNS_A:
host = dns.an[0].name
ip = socket.inet_ntoa(dns.an[0].rdata)
if VERBOSE_GLOBAL:
print("%r %s %s" % (dns, host, ip))
hosts_ip[host] = ip
except socket.timeout:
break
return hosts_ip
def lookup(hosts):
"""
Returns a host/ip dictionary for the given host list.
"""
hosts_ip = dict.fromkeys(hosts)
UDP_IP = "0.0.0.0"
UDP_PORT = 5353
MCAST_GRP = "224.0.0.251"
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind((UDP_IP, UDP_PORT))
# join the multicast group
mreq = struct.pack("4sl", socket.inet_aton(MCAST_GRP), socket.INADDR_ANY)
sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
for host in hosts:
# the string in the following statement is an empty query packet
dns = DNS(b"\x00\x00\x01\x00\x00\x01\x00\x00" +
b"\x00\x00\x00\x00\x00\x00\x01\x00\x01")
dns.qd[0].name = host
sock.sendto(dns.pack(), (MCAST_GRP, UDP_PORT))
# receives until the end of the timeout
sock.settimeout(5)
while True:
try:
m = sock.recvfrom(1024)
if VERBOSE_GLOBAL:
print("%r %s" % (m[0], m[1]))
dns = DNS(m[0])
if len(dns.qd) > 0:
if VERBOSE_GLOBAL:
print("%r %s" % (dns, dns.qd[0].name))
if len(dns.an) > 0 and dns.an[0].type == DNS_A:
host = dns.an[0].name
ip = socket.inet_ntoa(dns.an[0].rdata)
if VERBOSE_GLOBAL:
print("%r %s %s" % (dns, host, ip))
hosts_ip[host] = ip
except socket.timeout:
break
return hosts_ip
def DnsRequestParser(udp):
res = {}
dns = False
try:
dns = DNS(udp.data)
except (UnpackError):
pass
if dns:
if 'qd' in dns.__hdr_fields__:
if dns.qd:
res['domain'] = dns.qd[0].name.__str__()
res['type'] = 'dns_request'
return res
def DnsResponseParser(udp):
res = {}
dns = False
try:
dns = DNS(udp.data)
except (UnpackError):
pass
if dns:
if 'qd' in dns.__hdr_fields__:
if dns.qd:
res['domain'] = dns.qd[0].name.__str__()
res['type'] = 'dns_response'
res['answers'] = []
if 'an' in dns.__hdr_fields__:
for answer in dns.an:
if answer.type == 1:
res['answers'].append({
'answer':
answer.name.__str__(),
'ip':
inet_ntoa(answer.ip)
})
return res
def get_dns_queries(ip, verbose=False):
# TODO: check flags in dpkt github
if not UdpUtils.is_dns(ip):
raise ValueError("Packet is not a DNS packet")
udp = ip.data
try:
dns_ = DNS(udp.data)
# dns is not a query
if dns_.opcode != DNS_QUERY:
raise ValueError("DNS is not a query")
query = {
'query':
[dns_.qd[i].name for i in range(len(dns_.qd))], # query domain
'server': [dns_.ns[i].nsname
for i in range(len(dns_.ns))], # name server
'answer':
[dns_.an[i].name for i in range(len(dns_.an))] # answer
}
return query
except (UnpackError, AttributeError): # need fix on Attribute error
if verbose:
print("failed to unpack")
return {}