Merge pull request #1 from ThreatEye/threateye-dev

add dns ttl to dns dissector and ndpi dns proto struct
ThreatEye · May 18, 2022 · b26bf36 · b26bf36
2 parents 3f18039 + bda10da
commit b26bf36
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
@@ -1221,6 +1221,7 @@ struct ndpi_flow_struct {
     struct {
       u_int8_t num_queries, num_answers, reply_code, is_query;
       u_int16_t query_type, query_class, rsp_type;
+      u_int32_t answer_ttl;
       ndpi_ip_addr_t rsp_addr; /* The first address in a DNS response packet */
     } dns;
 

diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c
@@ -140,6 +140,16 @@ static u_int16_t get16(int *i, const u_int8_t *payload) {
 
 /* *********************************************** */
 
+static u_int32_t get32(int *i, const u_int8_t *payload) {
+  u_int32_t v = *(u_int32_t*)&payload[*i];
+
+  (*i) += 4;
+
+  return(ntohl(v));
+}
+
+/* *********************************************** */
+
 static u_int getNameLength(u_int i, const u_int8_t *payload, u_int payloadLen) {
   if(i >= payloadLen)
     return(0);
@@ -287,8 +297,10 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct,
 
 	  /* here x points to the response "class" field */
 	  if((x+12) <= packet->payload_packet_len) {
-	    x += 6;
-	    data_len = get16(&x, packet->payload);
+        x += 2;
+        uint32_t ttl = get32(&x,packet->payload);
+        flow->protos.dns.answer_ttl = ttl;
+        data_len = get16(&x, packet->payload);
 
 	    if((x + data_len) <= packet->payload_packet_len) {
 	      // printf("[rsp_type: %u][data_len: %u]\n", rsp_type, data_len);