From: Francois-Xavier Le Bail
Date: Mon, 2 Mar 2020 15:04:35 +0000 (+0100)
Subject: Add "domain" as an option for -T
X-Git-Tag: tcpdump-4.99-bp~491
X-Git-Url: https://git.tcpdump.org/tcpdump/commitdiff_plain/9736efeb962a7e9b4e2e4929b04a0e88a1f690a7

Add "domain" as an option for -T

This allows tcpdump to handle DNS running on non-standard ports.

Add two test files with DNS over TCP and DNS over UDP, port 8053.
---

diff --git a/netdissect.h b/netdissect.h
index fddcdc46..ba3b6b96 100644
--- a/netdissect.h
+++ b/netdissect.h
@@ -293,6 +293,7 @@ extern void nd_pop_all_packet_info(netdissect_options *);
 #define PT_RESP 17 /* RESP */
 #define PT_PTP 18 /* PTP */
 #define PT_SOMEIP 19 /* Autosar SOME/IP Protocol */
+#define PT_DOMAIN 20 /* Domain Name System (DNS) */
 
 #ifndef min
 #define min(a,b) ((a)>(b)?(b):(a))
diff --git a/print-tcp.c b/print-tcp.c
index 3310b9e9..d420382e 100644
--- a/print-tcp.c
+++ b/print-tcp.c
@@ -702,6 +702,10 @@ tcp_print(netdissect_options *ndo,
 		case PT_RESP:
 			resp_print(ndo, bp, length);
 			break;
+		case PT_DOMAIN:
+			ND_PRINT(" ");
+			domain_print(ndo, bp + 2, length - 2, 0);
+			break;
 		}
 		return;
 	}
diff --git a/print-udp.c b/print-udp.c
index 9cde3d89..8133cf8a 100644
--- a/print-udp.c
+++ b/print-udp.c
@@ -528,6 +528,10 @@ udp_print(netdissect_options *ndo, const u_char *bp, u_int length,
 			udpipaddr_print(ndo, ip, sport, dport);
 			someip_print(ndo, cp, length);
 			break;
+		case PT_DOMAIN:
+			udpipaddr_print(ndo, ip, sport, dport);
+			domain_print(ndo, (const u_char *)(up + 1), length, 0);
+			break;
 		}
 		return;
 	}
diff --git a/tcpdump.1.in b/tcpdump.1.in
index 2bc88a9a..88006dc5 100644
--- a/tcpdump.1.in
+++ b/tcpdump.1.in
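Review bot: `domain_print(ndo, bp + 2, length - 2, 0)` strips the 2-byte DNS-over-TCP length prefix without first checking that the segment actually carries it: `length` is unsigned, so a 1-byte payload wraps `length - 2` to a very large value before domain_print sees it. The zero-length segments in the new dns_tcp_8053-T output (packets 3, 5, 7 and later) print nothing after `length 0`, which suggests an earlier return for empty payloads, but that guard is outside the hunk and would not cover a 1-byte payload; `if (length < 2) break;` ahead of the `ND_PRINT(" ")` closes the gap. The prefix value itself is never compared with the remaining payload either, so a segment whose prefix disagrees with its length is still dissected as one message; a comment such as `/* DNS over TCP (RFC 1035 4.2.2): skip the 2-byte message length prefix */` would at least document why the offset is applied. tcp_print starts and ends outside the hunk.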
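Review bot: The new case derives its payload pointer as `(const u_char *)(up + 1)` while the SOME/IP case immediately above passes `cp` for the same purpose; if `cp` is that same post-header pointer (the sibling case suggests so, but its assignment is outside the hunk), `domain_print(ndo, cp, length, 0);` keeps the switch uniform and avoids recomputing the address. Note also that this branch returns before the rest of udp_print, which is presumably why the `[udp sum ok]` text present in dns_udp_8053.out is absent from dns_udp_8053-T.out; that matches the existing forced-type cases, so it only needs a comment if it is meant to stay that way. udp_print starts and ends outside the hunk.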
@@ -682,6 +682,7 @@ Currently known types are
 \fBaodv\fR (Ad-hoc On-demand Distance Vector protocol),
 \fBcarp\fR (Common Address Redundancy Protocol),
 \fBcnfp\fR (Cisco NetFlow protocol),
+\fBdomain\fR (Domain Name System),
 \fBlmp\fR (Link Management Protocol),
 \fBpgm\fR (Pragmatic General Multicast),
 \fBpgm_zmtp1\fR (ZMTP/1.0 inside PGM/EPGM),
diff --git a/tcpdump.c b/tcpdump.c
index 30671841..a5148c74 100644
--- a/tcpdump.c
+++ b/tcpdump.c
@@ -1796,6 +1796,8 @@ main(int argc, char **argv)
 				ndo->ndo_packettype = PT_PTP;
 			else if (ascii_strcasecmp(optarg, "someip") == 0)
 				ndo->ndo_packettype = PT_SOMEIP;
+			else if (ascii_strcasecmp(optarg, "domain") == 0)
+				ndo->ndo_packettype = PT_DOMAIN;
 			else
 				error("unknown packet type `%s'", optarg);
 			break;
diff --git a/tests/TESTLIST b/tests/TESTLIST
index b39b376d..c12259bd 100644
--- a/tests/TESTLIST
+++ b/tests/TESTLIST
@@ -254,6 +254,12 @@ nflog-e nflog.pcap nflog-e.out -e
 
 # syslog test case
 syslog-v syslog_udp.pcap syslog-v.out -v
 
+# DNS on non-standard ports.
+dns_tcp_8053 dns_tcp_8053.pcap dns_tcp_8053.out -vv
+dns_tcp_8053-T dns_tcp_8053.pcap dns_tcp_8053-T.out -vv -T domain
+dns_udp_8053 dns_udp_8053.pcap dns_udp_8053.out -vv
+dns_udp_8053-T dns_udp_8053.pcap dns_udp_8053-T.out -vv -T domain
+
 # DNSSEC from https://bugzilla.redhat.com/show_bug.cgi?id=205842, -vv exposes EDNS DO
 dnssec-vv dnssec.pcap dnssec-vv.out -vv
diff --git a/tests/dns_tcp_8053-T.out b/tests/dns_tcp_8053-T.out
new file mode 100644
index 00000000..124b5cef
--- /dev/null
+++ b/tests/dns_tcp_8053-T.out
@@ -0,0 +1,22 @@
+ 1 15:44:09.947213 IP (tos 0x0, ttl 64, id 42696, offset 0, flags [DF], proto TCP (6), length 60)
+ 192.168.1.11.57469 > 209.87.249.18.8053: Flags [S], cksum 0xf4f0 (correct), seq 3802885148, win 64240, options [mss 1460,sackOK,TS val 2931281549 ecr 0,nop,wscale 7], length 0
+ 2 15:44:10.091462 IP (tos 0x0, ttl 128, id 4486, offset 0, flags [none], proto TCP (6), length 44)
+ 209.87.249.18.8053 > 192.168.1.11.57469: Flags [S.], cksum 0x1923 (correct), seq 856651289, ack 3802885149, win 64240, options [mss 1460], length 0
+ 3 15:44:10.091537 IP (tos 0x0, ttl 64, id 42697, offset 0, flags [DF], proto TCP (6), length 40)
+ 192.168.1.11.57469 > 209.87.249.18.8053: Flags [.], cksum 0x30e0 (correct), seq 1, ack 1, win 64240, length 0
+ 4 15:44:10.092032 IP (tos 0x0, ttl 64, id 42698, offset 0, flags [DF], proto TCP (6), length 98)
+ 192.168.1.11.57469 > 209.87.249.18.8053: Flags [P.], cksum 0x9724 (correct), seq 1:59, ack 1, win 64240, length 58 56178+ [1au] A? www.tcpdump.org. ar: . OPT UDPsize=4096 (56)
+ 5 15:44:10.092267 IP (tos 0x0, ttl 128, id 4487, offset 0, flags [none], proto TCP (6), length 40)
+ 209.87.249.18.8053 > 192.168.1.11.57469: Flags [.], cksum 0x30a6 (correct), seq 1, ack 59, win 64240, length 0
+ 6 15:44:10.236187 IP (tos 0x0, ttl 128, id 4488, offset 0, flags [none], proto TCP (6), length 250)
+ 209.87.249.18.8053 > 192.168.1.11.57469: Flags [P.], cksum 0x69e6 (correct), seq 1:211, ack 59, win 64240, length 210 56178*- q: A? www.tcpdump.org. 1/2/5 www.tcpdump.org. A 192.139.46.66 ns: tcpdump.org. NS nic.sandelman.ca., tcpdump.org. NS sns.cooperix.net. ar: nic.sandelman.ca. A 209.87.249.18, nic.sandelman.ca. AAAA 2607:f0b0:f::babe:f00d, sns.cooperix.net. A 97.107.133.15, sns.cooperix.net. AAAA 2600:3c03::f03c:91ff:fe96:e8ef, . OPT UDPsize=4096 (208)
+ 7 15:44:10.236250 IP (tos 0x0, ttl 64, id 42699, offset 0, flags [DF], proto TCP (6), length 40)
+ 192.168.1.11.57469 > 209.87.249.18.8053: Flags [.], cksum 0x30a6 (correct), seq 59, ack 211, win 64030, length 0
+ 8 15:44:10.237389 IP (tos 0x0, ttl 64, id 42700, offset 0, flags [DF], proto TCP (6), length 40)
+ 192.168.1.11.57469 > 209.87.249.18.8053: Flags [F.], cksum 0x30a5 (correct), seq 59, ack 211, win 64030, length 0
+ 9 15:44:10.237718 IP (tos 0x0, ttl 128, id 4489, offset 0, flags [none], proto TCP (6), length 40)
+ 209.87.249.18.8053 > 192.168.1.11.57469: Flags [.], cksum 0x2fd4 (correct), seq 211, ack 60, win 64239, length 0
+ 10 15:44:10.381399 IP (tos 0x0, ttl 128, id 4490, offset 0, flags [none], proto TCP (6), length 40)
+ 209.87.249.18.8053 > 192.168.1.11.57469: Flags [FP.], cksum 0x2fcb (correct), seq 211, ack 60, win 64239, length 0
+ 11 15:44:10.381475 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
+ 192.168.1.11.57469 > 209.87.249.18.8053: Flags [.], cksum 0x30a4 (correct), seq 60, ack 212, win 64030, length 0
diff --git a/tests/dns_tcp_8053.out b/tests/dns_tcp_8053.out
new file mode 100644
index 00000000..a5e8328c
--- /dev/null
+++ b/tests/dns_tcp_8053.out
@@ -0,0 +1,22 @@
+ 1 15:44:09.947213 IP (tos 0x0, ttl 64, id 42696, offset 0, flags [DF], proto TCP (6), length 60)
+ 192.168.1.11.57469 > 209.87.249.18.8053: Flags [S], cksum 0xf4f0 (correct), seq 3802885148, win 64240, options [mss 1460,sackOK,TS val 2931281549 ecr 0,nop,wscale 7], length 0
+ 2 15:44:10.091462 IP (tos 0x0, ttl 128, id 4486, offset 0, flags [none], proto TCP (6), length 44)
+ 209.87.249.18.8053 > 192.168.1.11.57469: Flags [S.], cksum 0x1923 (correct), seq 856651289, ack 3802885149, win 64240, options [mss 1460], length 0
+ 3 15:44:10.091537 IP (tos 0x0, ttl 64, id 42697, offset 0, flags [DF], proto TCP (6), length 40)
+ 192.168.1.11.57469 > 209.87.249.18.8053: Flags [.], cksum 0x30e0 (correct), seq 1, ack 1, win 64240, length 0
+ 4 15:44:10.092032 IP (tos 0x0, ttl 64, id 42698, offset 0, flags [DF], proto TCP (6), length 98)
+ 192.168.1.11.57469 > 209.87.249.18.8053: Flags [P.], cksum 0x9724 (correct), seq 1:59, ack 1, win 64240, length 58
+ 5 15:44:10.092267 IP (tos 0x0, ttl 128, id 4487, offset 0, flags [none], proto TCP (6), length 40)
+ 209.87.249.18.8053 > 192.168.1.11.57469: Flags [.], cksum 0x30a6 (correct), seq 1, ack 59, win 64240, length 0
+ 6 15:44:10.236187 IP (tos 0x0, ttl 128, id 4488, offset 0, flags [none], proto TCP (6), length 250)
+ 209.87.249.18.8053 > 192.168.1.11.57469: Flags [P.], cksum 0x69e6 (correct), seq 1:211, ack 59, win 64240, length 210
+ 7 15:44:10.236250 IP (tos 0x0, ttl 64, id 42699, offset 0, flags [DF], proto TCP (6), length 40)
+ 192.168.1.11.57469 > 209.87.249.18.8053: Flags [.], cksum 0x30a6 (correct), seq 59, ack 211, win 64030, length 0
+ 8 15:44:10.237389 IP (tos 0x0, ttl 64, id 42700, offset 0, flags [DF], proto TCP (6), length 40)
+ 192.168.1.11.57469 > 209.87.249.18.8053: Flags [F.], cksum 0x30a5 (correct), seq 59, ack 211, win 64030, length 0
+ 9 15:44:10.237718 IP (tos 0x0, ttl 128, id 4489, offset 0, flags [none], proto TCP (6), length 40)
+ 209.87.249.18.8053 > 192.168.1.11.57469: Flags [.], cksum 0x2fd4 (correct), seq 211, ack 60, win 64239, length 0
+ 10 15:44:10.381399 IP (tos 0x0, ttl 128, id 4490, offset 0, flags [none], proto TCP (6), length 40)
+ 209.87.249.18.8053 > 192.168.1.11.57469: Flags [FP.], cksum 0x2fcb (correct), seq 211, ack 60, win 64239, length 0
+ 11 15:44:10.381475 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
+ 192.168.1.11.57469 > 209.87.249.18.8053: Flags [.], cksum 0x30a4 (correct), seq 60, ack 212, win 64030, length 0
diff --git a/tests/dns_tcp_8053.pcap b/tests/dns_tcp_8053.pcap
new file mode 100644
index 00000000..f924df68
Binary files /dev/null and b/tests/dns_tcp_8053.pcap differ
diff --git a/tests/dns_udp_8053-T.out b/tests/dns_udp_8053-T.out
new file mode 100644
index 00000000..423460f0
--- /dev/null
+++ b/tests/dns_udp_8053-T.out
@@ -0,0 +1,4 @@
+ 1 15:42:50.464436 IP (tos 0x0, ttl 64, id 38190, offset 0, flags [none], proto UDP (17), length 84)
+ 192.168.1.11.43757 > 209.87.249.18.8053: 323+ [1au] A? www.tcpdump.org. ar: . OPT UDPsize=4096 (56)
+ 2 15:42:50.613154 IP (tos 0x0, ttl 128, id 4483, offset 0, flags [none], proto UDP (17), length 236)
+ 209.87.249.18.8053 > 192.168.1.11.43757: 323*- q: A? www.tcpdump.org. 1/2/5 www.tcpdump.org. A 192.139.46.66 ns: tcpdump.org. NS sns.cooperix.net., tcpdump.org. NS nic.sandelman.ca. ar: nic.sandelman.ca. A 209.87.249.18, nic.sandelman.ca. AAAA 2607:f0b0:f::babe:f00d, sns.cooperix.net. A 97.107.133.15, sns.cooperix.net. AAAA 2600:3c03::f03c:91ff:fe96:e8ef, . OPT UDPsize=4096 (208)
diff --git a/tests/dns_udp_8053.out b/tests/dns_udp_8053.out
new file mode 100644
index 00000000..8019e066
--- /dev/null
+++ b/tests/dns_udp_8053.out
@@ -0,0 +1,4 @@
+ 1 15:42:50.464436 IP (tos 0x0, ttl 64, id 38190, offset 0, flags [none], proto UDP (17), length 84)
+ 192.168.1.11.43757 > 209.87.249.18.8053: [udp sum ok] UDP, length 56
+ 2 15:42:50.613154 IP (tos 0x0, ttl 128, id 4483, offset 0, flags [none], proto UDP (17), length 236)
+ 209.87.249.18.8053 > 192.168.1.11.43757: [udp sum ok] UDP, length 208
diff --git a/tests/dns_udp_8053.pcap b/tests/dns_udp_8053.pcap
new file mode 100644
index 00000000..c2f8a638
Binary files /dev/null and b/tests/dns_udp_8053.pcap differ