Closed brightpinefield closed 3 years ago
@brightpinefield would it be possible for you to share the pcap? I suspect that lib will fail with dpkt.UnpackError
, but wanted to check.
@kbandla Sure. I've attached it..Thx for the help!
Yes, there is way to parse truncated data!
We do this by first creating a dns
object and then calling the unpack
method, with the UDP data. This will populate the fields in the dns object as far as data in the packet is available, till an exception is raised.
However note that print(dns_object)
function will fail because it will internally call the unpack routine again, leading to failure.
Example:
....
for ts, buf in pcap:
try:
eth = dpkt.ethernet.Ethernet(buf)
if eth.type != 2048:
continue
ip = eth.data
if ip.p != 17:
continue
udp = ip.data
if udp.sport != 53 and udp.dport != 53:
continue
dns = dpkt.dns.DNS() # <---- THIS
dns.unpack(udp.data) # <---- HERE
except Exception as e:
print('ErrorParsingDNS: %s'%e)
print('Warning: Not all DNS fields might have been populated')
if dns.qr != dpkt.dns.DNS_R:
continue
if dns.opcode != dpkt.dns.DNS_QUERY:
continue
if dns.rcode != dpkt.dns.DNS_RCODE_NOERR:
continue
if len(dns.an) < 1:
continue
for answer in dns.an:
if answer.type == 5:
print('CNAME: %s - %s'%(answer.name, answer.cname))
elif answer.type == 1:
print('A: %s - %s'%(answer.name, answer.ip))
# etc
....
Hey Kiran! Ah cool.. Thanks a lot for the help on this! Really appreciate it!
@kbandla I also didn't realize you could do this.. I think this would be a good addition to our examples/ scripts. I'll gen up a script in the next couple of days and have you review it.
@brightpinefield would it be okay if I put the PCAP above in the dpkt examples/data? I've got an example script for truncated packets.
@brifordwylie sure, go ahead.
Kewl.. here's the example script to parse truncated DNS https://github.com/kbandla/dpkt/blob/master/examples/print_dns_truncated.py
I'm trying to dump DNS data out of pcaps that are truncated to the first 100 bytes. Found a script here https://mmishou.wordpress.com/2010/04/13/passive-dns-mining-from-pcap-with-dpkt-python/ to test dpkt but it seems to not go past the "try: dns = dpkt.dns.DNS(udp.data)" .. it hits the continue and I get nothing.. is it possible to use dpkt with truncated packets? I have data in the DNS packet (see screenshot) that I was hoping to get at..