meow-watermelon / dns-flow

DNS Traffic Flow Sniffer

IndexError on Layer DNSQR #2

Closed meow-watermelon closed 11 months ago

meow-watermelon commented 12 months ago
Tue, 28 Nov 2023 16:05:09 +0000 UDP QUERY   0   NoError _viziocast._tcp.local.  PTR
Traceback (most recent call last):
  File "/home/ericlee/Projects/git/dns-flow/./dns-flow.py", line 236, in <module>
    sniff(iface=args.interface, lfilter=lambda p: process_payload(p))
  File "/usr/lib/python3.12/site-packages/scapy/sendrecv.py", line 1311, in sniff
    sniffer._run(*args, **kwargs)
  File "/usr/lib/python3.12/site-packages/scapy/sendrecv.py", line 1250, in _run
    if lfilter and not lfilter(p):
                       ^^^^^^^^^^
  File "/home/ericlee/Projects/git/dns-flow/./dns-flow.py", line 236, in <lambda>
    sniff(iface=args.interface, lfilter=lambda p: process_payload(p))
                                                  ^^^^^^^^^^^^^^^^^^
  File "/home/ericlee/Projects/git/dns-flow/./dns-flow.py", line 153, in process_payload
    dns_dnsqr = dns[DNSQR]
                ~~~^^^^^^^
  File "/usr/lib/python3.12/site-packages/scapy/packet.py", line 1327, in __getitem__
    raise IndexError("Layer [%s] not found" % name)
IndexError: Layer [DNSQR] not found
meow-watermelon commented 12 months ago

i should consider adding a --debug flag that prints the whole packet, in case i need to collect the packet layout details.

meow-watermelon commented 12 months ago

w/ debug mode enabled, i am able to capture the actual packet that caused the IndexError exception.

##### Raw Packet Bytes #####
b'\x01\x00^\x00\x00\xfb|\xed\xc6\t\x181\x08\x00E\x00\x02\xce\x85(@\x00\xff\x11Q\n\xc0\xa8\x01H\xe0\x00\x00\xfb\x14\xe9\x14\xe9\x02\xba\xb1\x12\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x1aBrother DCP-L2550DW series\x04_ipp\x04_tcp\x05local\x00\x00\x10\x00\x01\x00\x00\x11\x94\x02H\ttxtvers=1\x08qtotal=17pdl=application/octet-stream,image/urf,image/pwg-raster\x0crp=ipp/print\x05note=\x1dty=Brother DCP-L2550DW series$product=(Brother DCP-L2550DW series)<adminurl=http://BRW405BD89FDD14.local./net/net/airprint.html\x0bpriority=25\x0fusb_MFG=Brother\x1ausb_MDL=DCP-L2550DW series\x19usb_CMD=PJL,PCL,PCLXL,URF\x07Color=F\x08Copies=T\x08Duplex=T\x05Fax=F\x06Scan=T\rPaperCustom=T\x08Binary=T\rTransparent=T\x06TBCP=FAURF=W8,CP1,IS4-1,MT1-3-4-5-8,OB10,PQ3-4-5,RS300-600-1200,V1.4,DM1%kind=document,envelope,label,postcard\x11PaperMax=legal-A4)UUID=e3248000-80ce-11db-8000-3c2af4df2615\x0cprint_wfds=T\x14mopria-certified=1.3\n_viziocast\xc0,\x00\x0c\x00\x01\x00\x00\x11\x94\x00\x11\x0eFamily Room TV\xc2\x8a'

###[ Ethernet ]### 
  dst       = 01:00:5e:xx:xx:xx
  src       = 7c:ed:c6:xx:xx:xx
  type      = IPv4
###[ IP ]### 
     version   = 4
     ihl       = 5
     tos       = 0x0
     len       = 718
     id        = 34088
     flags     = DF
     frag      = 0
     ttl       = 255
     proto     = udp
     chksum    = 0x510a
     src       = 192.168.1.72
     dst       = 224.0.0.251
     \options   \
###[ UDP ]### 
        sport     = mdns
        dport     = mdns
        len       = 698
        chksum    = 0xb112
###[ DNS ]### 
           id        = 0
           qr        = 0
           opcode    = QUERY
           aa        = 0
           tc        = 0
           rd        = 0
           ra        = 0
           z         = 0
           ad        = 0
           cd        = 0
           rcode     = ok
           qdcount   = 0
           ancount   = 2
           nscount   = 0
           arcount   = 0
           qd        = None
           \an        \
            |###[ DNS Resource Record ]### 
            |  rrname    = 'Brother DCP-L2550DW series._ipp._tcp.local.'
            |  type      = TXT
            |  rclass    = IN
            |  ttl       = 4500
            |  rdlen     = 584
            |  rdata     = [b'txtvers=1', b'qtotal=1', b'pdl=application/octet-stream,image/urf,image/pwg-raster', b'rp=ipp/print', b'note=', b'ty=Brother DCP-L2550DW series', b'product=(Brother DCP-L2550DW series)', b'adminurl=http://BRW405BD89FDD14.local./net/net/airprint.html', b'priority=25', b'usb_MFG=Brother', b'usb_MDL=DCP-L2550DW series', b'usb_CMD=PJL,PCL,PCLXL,URF', b'Color=F', b'Copies=T', b'Duplex=T', b'Fax=F', b'Scan=T', b'PaperCustom=T', b'Binary=T', b'Transparent=T', b'TBCP=F', b'URF=W8,CP1,IS4-1,MT1-3-4-5-8,OB10,PQ3-4-5,RS300-600-1200,V1.4,DM1', b'kind=document,envelope,label,postcard', b'PaperMax=legal-A4', b'UUID=e3248000-80ce-11db-8000-3c2af4df2615', b'print_wfds=T', b'mopria-certified=1.3']
            |###[ DNS Resource Record ]### 
            |  rrname    = '_viziocast._tcp.local.'
            |  type      = PTR
            |  rclass    = IN
            |  ttl       = 4500
            |  rdlen     = None
            |  rdata     = 'Family Room TV._viziocast._tcp.local.'
           ns        = None
           ar        = None

0000  01 00 5E XX XX XX 7C ED C6 XX XX XX 08 00 45 00  ...........1..E.
0010  02 CE 85 28 40 00 FF 11 51 0A C0 A8 01 48 E0 00  ...(@...Q....H..
0020  00 FB 14 E9 14 E9 02 BA B1 12 00 00 00 00 00 00  ................
0030  00 02 00 00 00 00 1A 42 72 6F 74 68 65 72 20 44  .......Brother D
0040  43 50 2D 4C 32 35 35 30 44 57 20 73 65 72 69 65  CP-L2550DW serie
0050  73 04 5F 69 70 70 04 5F 74 63 70 05 6C 6F 63 61  s._ipp._tcp.loca
0060  6C 00 00 10 00 01 00 00 11 94 02 48 09 74 78 74  l..........H.txt
0070  76 65 72 73 3D 31 08 71 74 6F 74 61 6C 3D 31 37  vers=1.qtotal=17
0080  70 64 6C 3D 61 70 70 6C 69 63 61 74 69 6F 6E 2F  pdl=application/
0090  6F 63 74 65 74 2D 73 74 72 65 61 6D 2C 69 6D 61  octet-stream,ima
00a0  67 65 2F 75 72 66 2C 69 6D 61 67 65 2F 70 77 67  ge/urf,image/pwg
00b0  2D 72 61 73 74 65 72 0C 72 70 3D 69 70 70 2F 70  -raster.rp=ipp/p
00c0  72 69 6E 74 05 6E 6F 74 65 3D 1D 74 79 3D 42 72  rint.note=.ty=Br
00d0  6F 74 68 65 72 20 44 43 50 2D 4C 32 35 35 30 44  other DCP-L2550D
00e0  57 20 73 65 72 69 65 73 24 70 72 6F 64 75 63 74  W series$product
00f0  3D 28 42 72 6F 74 68 65 72 20 44 43 50 2D 4C 32  =(Brother DCP-L2
0100  35 35 30 44 57 20 73 65 72 69 65 73 29 3C 61 64  550DW series)<ad
0110  6D 69 6E 75 72 6C 3D 68 74 74 70 3A 2F 2F 42 52  minurl=http://BR
0120  57 34 30 35 42 44 38 39 46 44 44 31 34 2E 6C 6F  W405BD89FDD14.lo
0130  63 61 6C 2E 2F 6E 65 74 2F 6E 65 74 2F 61 69 72  cal./net/net/air
0140  70 72 69 6E 74 2E 68 74 6D 6C 0B 70 72 69 6F 72  print.html.prior
0150  69 74 79 3D 32 35 0F 75 73 62 5F 4D 46 47 3D 42  ity=25.usb_MFG=B
0160  72 6F 74 68 65 72 1A 75 73 62 5F 4D 44 4C 3D 44  rother.usb_MDL=D
0170  43 50 2D 4C 32 35 35 30 44 57 20 73 65 72 69 65  CP-L2550DW serie
0180  73 19 75 73 62 5F 43 4D 44 3D 50 4A 4C 2C 50 43  s.usb_CMD=PJL,PC
0190  4C 2C 50 43 4C 58 4C 2C 55 52 46 07 43 6F 6C 6F  L,PCLXL,URF.Colo
01a0  72 3D 46 08 43 6F 70 69 65 73 3D 54 08 44 75 70  r=F.Copies=T.Dup
01b0  6C 65 78 3D 54 05 46 61 78 3D 46 06 53 63 61 6E  lex=T.Fax=F.Scan
01c0  3D 54 0D 50 61 70 65 72 43 75 73 74 6F 6D 3D 54  =T.PaperCustom=T
01d0  08 42 69 6E 61 72 79 3D 54 0D 54 72 61 6E 73 70  .Binary=T.Transp
01e0  61 72 65 6E 74 3D 54 06 54 42 43 50 3D 46 41 55  arent=T.TBCP=FAU
01f0  52 46 3D 57 38 2C 43 50 31 2C 49 53 34 2D 31 2C  RF=W8,CP1,IS4-1,
0200  4D 54 31 2D 33 2D 34 2D 35 2D 38 2C 4F 42 31 30  MT1-3-4-5-8,OB10
0210  2C 50 51 33 2D 34 2D 35 2C 52 53 33 30 30 2D 36  ,PQ3-4-5,RS300-6
0220  30 30 2D 31 32 30 30 2C 56 31 2E 34 2C 44 4D 31  00-1200,V1.4,DM1
0230  25 6B 69 6E 64 3D 64 6F 63 75 6D 65 6E 74 2C 65  %kind=document,e
0240  6E 76 65 6C 6F 70 65 2C 6C 61 62 65 6C 2C 70 6F  nvelope,label,po
0250  73 74 63 61 72 64 11 50 61 70 65 72 4D 61 78 3D  stcard.PaperMax=
0260  6C 65 67 61 6C 2D 41 34 29 55 55 49 44 3D 65 33  legal-A4)UUID=e3
0270  32 34 38 30 30 30 2D 38 30 63 65 2D 31 31 64 62  248000-80ce-11db
0280  2D 38 30 30 30 2D 33 63 32 61 66 34 64 66 32 36  -8000-3c2af4df26
0290  31 35 0C 70 72 69 6E 74 5F 77 66 64 73 3D 54 14  15.print_wfds=T.
02a0  6D 6F 70 72 69 61 2D 63 65 72 74 69 66 69 65 64  mopria-certified
02b0  3D 31 2E 33 0A 5F 76 69 7A 69 6F 63 61 73 74 C0  =1.3._viziocast.
02c0  2C 00 0C 00 01 00 00 11 94 00 11 0E 46 61 6D 69  ,...........Fami
02d0  6C 79 20 52 6F 6F 6D 20 54 56 C2 8A              ly Room TV..
None

Ether(dst='01:00:5e:xx:xx:xx', src='7c:ed:c6:xx:xx:xx', type=2048)/IP(version=4, ihl=5, tos=0, len=718, id=34088, flags=2, frag=0, ttl=255, proto=17, chksum=20746, src='192.168.1.72', dst='224.0.0.251')/UDP(sport=5353, dport=5353, len=698, chksum=45330)/DNS(qd=None, id=0, qr=0, opcode=0, aa=0, tc=0, rd=0, ra=0, z=0, ad=0, cd=0, rcode=0, qdcount=0, ancount=2, nscount=0, arcount=0, an=DNSRR(rrname=b'Brother DCP-L2550DW series._ipp._tcp.local.', type=16, rclass=1, ttl=4500, rdlen=584, rdata=[b'txtvers=1', b'qtotal=1', b'pdl=application/octet-stream,image/urf,image/pwg-raster', b'rp=ipp/print', b'note=', b'ty=Brother DCP-L2550DW series', b'product=(Brother DCP-L2550DW series)', b'adminurl=http://BRW405BD89FDD14.local./net/net/airprint.html', b'priority=25', b'usb_MFG=Brother', b'usb_MDL=DCP-L2550DW series', b'usb_CMD=PJL,PCL,PCLXL,URF', b'Color=F', b'Copies=T', b'Duplex=T', b'Fax=F', b'Scan=T', b'PaperCustom=T', b'Binary=T', b'Transparent=T', b'TBCP=F', b'URF=W8,CP1,IS4-1,MT1-3-4-5-8,OB10,PQ3-4-5,RS300-600-1200,V1.4,DM1', b'kind=document,envelope,label,postcard', b'PaperMax=legal-A4', b'UUID=e3248000-80ce-11db-8000-3c2af4df2615', b'print_wfds=T', b'mopria-certified=1.3'])/DNSRR(rrname=b'_viziocast._tcp.local.', type=12, rclass=1, ttl=4500, rdata=b'Family Room TV._viziocast._tcp.local.'), ns=None, ar=None)

Traceback (most recent call last):
  File "/home/ericlee/Projects/git/dns-flow/./dns-flow.py", line 258, in <module>
    sniff(iface=args.interface, lfilter=lambda p: process_payload(p, debug=args.debug))
  File "/usr/lib/python3.12/site-packages/scapy/sendrecv.py", line 1311, in sniff
    sniffer._run(*args, **kwargs)
  File "/usr/lib/python3.12/site-packages/scapy/sendrecv.py", line 1250, in _run
    if lfilter and not lfilter(p):
                       ^^^^^^^^^^
  File "/home/ericlee/Projects/git/dns-flow/./dns-flow.py", line 258, in <lambda>
    sniff(iface=args.interface, lfilter=lambda p: process_payload(p, debug=args.debug))
                                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/ericlee/Projects/git/dns-flow/./dns-flow.py", line 169, in process_payload
    dns_dnsqr = dns[DNSQR]
                ~~~^^^^^^^
  File "/usr/lib/python3.12/site-packages/scapy/packet.py", line 1327, in __getitem__
    raise IndexError("Layer [%s] not found" % name)
IndexError: Layer [DNSQR] not found
meow-watermelon commented 12 months ago

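the packets that caused the exception are mDNS packets. ref.: https://datatracker.ietf.org/doc/html/rfc6762

in the capture above the DNS header has qdcount = 0 and qd = None while ancount = 2, so the packet carries no DNSQR layer and dns[DNSQR] raises IndexError.

need to filter out mDNS packets. any other DNS message with an empty question section would presumably reach the same lookup, so process_payload should also check that the layer exists (e.g. dns.haslayer(DNSQR)) before indexing it, rather than letting one packet from the wire stop the sniffer.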

meow-watermelon commented 11 months ago

this bug is fixed in pr https://github.com/meow-watermelon/dns-flow/pull/4.