dnsctxt.h
/*
* Copyright 2015 NSONE, Inc.
*/
#ifndef DNSCTXT_H
#define DNSCTXT_H
#include "uthash.h"
// Maximum length of a domain name. 253 is the maximum according to the
// standard; it can be made smaller if names are truncated, to save memory.
// NOTE(review): struct str_entry declares key[MAX_DNAME_LEN], so a name of
// exactly this length leaves no byte for a terminating NUL. Confirm that the
// code filling the key bounds the copy and terminates it (not visible here).
#define MAX_DNAME_LEN 253
// Maximum LRU table size.
// XXX need to make this per table
// NOTE(review): presumably this cap is what bounds memory when table keys are
// taken from packet contents; where it is enforced is not visible in this
// header -- confirm in the implementation.
#define MAX_LRU_SIZE 10000
// Maximum summary table size.
#define MAX_SUMMARY_SIZE 20
// Accumulator hash table entry keyed by an IP address (in integer form)
// or by any other 32-bit key. Each entry pairs one key with a running count.
// The two uthash handles let the same entry be linked into two hashes at once.
struct int32_entry {
// 32-bit key (IP address or other value, e.g. the port tables in struct dnsctxt)
uint32_t key;
// number of times this key has been counted
uint64_t count;
// handle for the LRU hash
UT_hash_handle hh;
// handle for the sorted hash
UT_hash_handle hh_srt;
};
// Accumulator hash table entry keyed by a string (names, query types, geo
// labels -- see the str_entry tables in struct dnsctxt). Each entry pairs one
// key with a running count and can be linked into two hashes at once.
struct str_entry {
// Key storage is a fixed in-struct buffer of MAX_DNAME_LEN bytes.
// NOTE(review): the buffer has no extra byte for a NUL terminator, so a key of
// exactly MAX_DNAME_LEN characters cannot be stored as a terminated C string.
// Keys presumably originate from parsed packet data; verify that whatever
// fills this field limits the copy to the buffer size and always terminates it.
char key[MAX_DNAME_LEN];
// number of times this key has been counted
uint64_t count;
// handle for the LRU hash
UT_hash_handle hh;
// handle for the sorted hash
UT_hash_handle hh_srt;
};
// Context structure that gets passed to the DNS processing function.
// It groups the per-key accumulator tables, the local network definition
// and the global packet/DNS counters.
struct dnsctxt {
// LRU hash tables (each pointer is the head of a uthash table)
// source IPs
struct int32_entry *source_table;
// destination IPs
struct int32_entry *dest_table;
// source IPs of malformed (unparsable) queries
struct int32_entry *malformed_table;
// source ports
struct int32_entry *src_port_table;
// queried name tables, for names reduced to 2 and 3 labels
struct str_entry *query_name2_table;
struct str_entry *query_name3_table;
// NXDOMAIN names
struct str_entry *nxdomain_table;
// REFUSED names
struct str_entry *refused_table;
// QUERY types
struct str_entry *qtype_table;
// GEO
// presumably flags telling whether ASN / location data is available -- TODO confirm
int have_geo_asn;
int have_geo_loc;
struct str_entry *geo_asn_table;
struct str_entry *geo_loc_table;
// local network so we can decide what is "incoming" vs "outgoing"
uint32_t local_net;
// NOTE(review): looks like the prefix length that goes with local_net. If a
// netmask is built from it by shifting, confirm that 0 and values above 32
// are rejected or handled where the mask is computed (not visible here).
uint8_t local_bits;
// general packet counters
uint64_t seen;
uint64_t incoming;
// DNS header counters
uint64_t cnt_query;
uint64_t cnt_reply;
uint64_t cnt_status_noerror;
uint64_t cnt_status_srvfail;
uint64_t cnt_status_nxdomain;
uint64_t cnt_status_refused;
// parsed DNS counters
uint64_t cnt_malformed;
uint64_t cnt_edns;
};
// Public interface of the DNS context. Only the prototypes are visible in this
// header; behavior notes below are assumptions to confirm against the
// implementation file.

// Initializes a context. The local_net / local_bits parameters carry the same
// names as the struct dnsctxt fields, so they are presumably stored there.
void dnsctxt_init(struct dnsctxt *ctxt, uint32_t local_net, uint8_t local_bits);
// Counterpart of dnsctxt_init; presumably releases the table entries owned by
// the context -- TODO confirm whether ctxt itself is freed by the caller.
void dnsctxt_free(struct dnsctxt *ctxt);
// Produces a summary of the context's tables; size presumably limits the
// number of entries per table (compare MAX_SUMMARY_SIZE) -- TODO confirm.
void dnsctxt_table_summary(struct dnsctxt *ctxt, int size);
// Counts one occurrence of a 32-bit key in the given table. The table is passed
// by address because uthash may change the head pointer when adding or deleting.
void dnsctxt_count_ip(struct int32_entry **table, uint32_t key);
// Counts one occurrence of a string key in the given table.
// NOTE(review): name is not const-qualified, and struct str_entry stores keys in
// a fixed MAX_DNAME_LEN-byte buffer. The name presumably comes from parsed
// packet data; confirm the implementation bounds and terminates the copy and
// does not modify the caller's string.
void dnsctxt_count_name(struct str_entry **table, char *name);
// dnsctxt_count_int is an alias for dnsctxt_count_ip, for 32-bit keys that are
// not IP addresses.
#define dnsctxt_count_int dnsctxt_count_ip
// Comparison functions taking two untyped pointers and returning int;
// presumably used to order int32_entry / str_entry items by their count field
// when building the sorted hash -- TODO confirm ordering direction.
int sort_int_by_count(void *a, void *b);
int sort_str_by_count(void *a, void *b);
#endif /* DNSCTXT_H */