lemontree55 / packetgen

Ruby library to easily generate and capture network packets
MIT License

How to get the queried domain name from a DNS request? #104

Closed n00b110 closed 5 years ago

n00b110 commented 5 years ago

require 'packetgen'

filter = 'udp and port 53'
iface = 'wlp2s0'

cap_thread = Thread.new do
  PacketGen.capture(filter: filter, iface: iface, max: 1) do |pkt|
    puts pkt.dns.qd
  end
end

cap_thread.join

@sdaubert In the code above, I'm trying to parse the domain name from a DNS query, but whenever I run this code I get strange output like wwwrubydocinfo or paygooglecom. This isn't just for these domains, but for any output. I tried using pkt.dns.qd.name to access the domain name, but I end up getting a NoMethodError. Is there any way to directly and cleanly access the requested domain name in a DNS query? Thanks!

sdaubert commented 5 years ago

@n00b110 DNS names are a list of null-terminated labels. This is why you get your strange output. Moreover, DNS#qd returns a DNS::QDSection, which is a list of DNS::Question.

To cleanly get name, use:

pkt.dns.qd.first.name #=>String
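
As an added example (not part of the original thread and not PacketGen code): on the wire a DNS name carries no dots. Each label is a length byte followed by its characters, and a zero-length label ends the name, which is why printing the raw labels runs them together. This pure-Ruby sketch decodes the first question of a raw DNS message and rejects truncated names and compression-pointer loops. `read_dns_name`, `first_question`, `DNSNameError`, the hop cap and the sample bytes are all assumptions made for the illustration.

```ruby
# Added example: decode the first question name of a raw DNS message (RFC 1035).
HEADER_LEN = 12        # fixed DNS header that precedes the question section
MAX_POINTER_HOPS = 16  # assumed cap, stops compression-pointer loops

class DNSNameError < StandardError; end

# Returns [dotted_name, offset_of_first_byte_after_the_name].
def read_dns_name(msg, offset)
  msg = msg.b
  labels = []
  hops = 0
  resume = nil # where parsing continues after a compressed name
  loop do
    len = msg.getbyte(offset) or raise DNSNameError, 'truncated name'
    if (len & 0xC0) == 0xC0 # two-byte compression pointer
      low = msg.getbyte(offset + 1) or raise DNSNameError, 'truncated pointer'
      resume ||= offset + 2
      raise DNSNameError, 'pointer loop' if (hops += 1) > MAX_POINTER_HOPS
      offset = ((len & 0x3F) << 8) | low
    elsif (len & 0xC0) != 0
      raise DNSNameError, 'reserved label type'
    elsif len.zero? # zero-length root label ends the name
      return [labels.join('.'), resume || offset + 1]
    else
      label = msg.byteslice(offset + 1, len)
      raise DNSNameError, 'truncated label' if label.nil? || label.bytesize < len
      labels << label
      offset += 1 + len
    end
  end
end

# Returns the first question as { name:, qtype:, qclass: }.
def first_question(msg)
  msg = msg.b
  raise DNSNameError, 'short header' if msg.bytesize < HEADER_LEN
  raise DNSNameError, 'no question' if msg.byteslice(4, 2).unpack1('n').zero?
  name, off = read_dns_name(msg, HEADER_LEN)
  fixed = msg.byteslice(off, 4)
  raise DNSNameError, 'truncated question' if fixed.nil? || fixed.bytesize < 4
  qtype, qclass = fixed.unpack('nn')
  { name: name, qtype: qtype, qclass: qclass }
end

# Constructed sample: query for www.rubydoc.info, type A (1), class IN (1).
SAMPLE_QUERY = [0x1234, 0x0100, 1, 0, 0, 0].pack('n6') +
               "\x03www\x07rubydoc\x04info\x00".b + [1, 1].pack('n2')

puts first_question(SAMPLE_QUERY)[:name] if $PROGRAM_NAME == __FILE__
```
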

n00b110 commented 5 years ago

Thanks, but just one more question: on an unrelated note, how would I get the MAC address from a Dot11 packet? Thanks for your time!

sdaubert commented 5 years ago

Which MAC address? The destination one, the source one, or another one? There may be up to 4 MAC addresses in a Dot11 packet.

You may use:

pkt.dot11.mac1
pkt.dot11.mac2
pkt.dot11.mac3
pkt.dot11.mac4

But this is difficult, as the role of each MAC address changes depending on #frame_ctrl.

There are also some shortcuts:

# Only for PacketGen::Header::Dot11::Data headers
pkt.dot11.src
pkt.dot11.dst