// GapInStream handles a gap notification for one direction of a TCP stream.
//
// It makes a final attempt to decode whatever is already buffered for dir.
// nbytes is accepted for the interface but not used here. The returned
// ProtocolData is always the value passed in as private; drop reports whether
// the caller should discard the stream.
//
// drop is false only when private is not a *dnsConnectionData, or when there
// is no buffered stream or no in-flight message for dir. In every other case,
// including a nil private, drop is true.
func (dns *dnsPlugin) GapInStream(tcpTuple *common.TCPTuple, dir uint8, nbytes int, private protos.ProtocolData) (priv protos.ProtocolData, drop bool) {
	// No per-connection state at all: nothing to salvage.
	if private == nil {
		return private, true
	}

	connData, isDNS := private.(*dnsConnectionData)
	if !isDNS {
		return private, false
	}

	pending := connData.data[dir]
	if pending == nil || pending.message == nil {
		return private, false
	}

	decoded, decodeErr := pending.handleTCPRawData()
	if decodeErr != nil {
		// Only a failure in the reverse direction is published as an event;
		// a failure in the other direction is visible at debug level only.
		if dir == tcp.TCPDirectionReverse {
			dns.publishResponseError(connData, decodeErr)
		}

		debugf("%s addresses %s, length %d", decodeErr.Error(),
			tcpTuple.String(), len(pending.rawData))
		debugf("Dropping the stream %s", tcpTuple.String())
	} else {
		dns.messageComplete(connData, tcpTuple, dir, decoded)
	}

	// The stream is dropped either way: the payload is binary data, so after
	// a gap a later decodable message would be unexpected.
	return private, true
}
// ReceivedFin handles a FIN for one direction of a TCP stream.
//
// If a message is still buffered for dir, it is decoded one last time and
// either completed or reported as an error. It returns nil when private is
// nil, private unchanged when it is not a *dnsConnectionData, and the
// connection data otherwise.
func (dns *dnsPlugin) ReceivedFin(tcpTuple *common.TCPTuple, dir uint8, private protos.ProtocolData) protos.ProtocolData {
	if private == nil {
		return nil
	}

	connData, isDNS := private.(*dnsConnectionData)
	if !isDNS {
		return private
	}

	// Only act when a message is actually in flight for this direction.
	if pending := connData.data[dir]; pending != nil && pending.message != nil {
		decoded, decodeErr := pending.handleTCPRawData()
		switch {
		case decodeErr == nil:
			dns.messageComplete(connData, tcpTuple, dir, decoded)
		default:
			// Only a failure in the reverse direction is published as an
			// event; the other direction is logged at debug level only.
			if dir == tcp.TCPDirectionReverse {
				dns.publishResponseError(connData, decodeErr)
			}

			debugf("%s addresses %s, length %d", decodeErr.Error(),
				tcpTuple.String(), len(pending.rawData))
		}
	}

	return connData
}
// doParse feeds the payload of pkt into the stream buffered for dir and tries
// to decode a DNS message from the accumulated data.
//
// Outcomes, all of which return conn:
//   - decoded: the message is completed and the stream is prepared for the
//     next message on the same connection;
//   - incompleteMsg: the buffered data is kept and more data is awaited;
//   - any other decode error, or buffered data above tcp.TCPMaxDataInStream:
//     the stream for dir is discarded (conn.data[dir] = nil).
func (dns *dnsPlugin) doParse(conn *dnsConnectionData, pkt *protos.Packet, tcpTuple *common.TCPTuple, dir uint8) *dnsConnectionData {
	st := conn.data[dir]

	if st == nil {
		// First packet seen for this direction.
		st = newStream(pkt, tcpTuple)
		conn.data[dir] = st
	} else {
		if st.message == nil {
			// nth message of the same stream
			st.message = &dnsMessage{ts: pkt.Ts, tuple: pkt.Tuple}
		}

		st.rawData = append(st.rawData, pkt.Payload...)

		// Cap on data accumulated from the wire for a single stream. The
		// overflow is only visible at debug level; no event is published.
		if len(st.rawData) > tcp.TCPMaxDataInStream {
			debugf("Stream data too large, dropping DNS stream")
			conn.data[dir] = nil
			return conn
		}
	}

	decoded, err := st.handleTCPRawData()
	switch {
	case err == nil:
		dns.messageComplete(conn, tcpTuple, dir, decoded)
		st.prepareForNewMessage()

	case err == incompleteMsg:
		debugf("Waiting for more raw data")

	default:
		if dir == tcp.TCPDirectionReverse {
			dns.publishResponseError(conn, err)
		}

		debugf("%s addresses %s, length %d", err.Error(),
			tcpTuple.String(), len(st.rawData))

		// This means that malformed requests or responses are being sent...
		// TODO: publish the situation also if Request
		// Until then, a malformed message in the non-reverse direction
		// leaves no trace other than the debug log line above.
		conn.data[dir] = nil
	}

	return conn
}