From 55fa92490af593358a0b13ad1708ee9b14eec128 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Mon, 7 Oct 2024 20:06:45 +0200 Subject: Implemented (disabled by default) DNS host cache. You can set the cache size as follows: ndpiReader --cfg=dpi.address_cache_size,1000 -i .pcap In the above example the cache has up to 1000 entries. In case ndpiReader exports data in JSON, the cache hostname (if found) is exported in the field server_hostname --- src/lib/protocols/dns.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'src/lib/protocols') diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 8a6e2d1a8..d109098d1 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -475,9 +475,20 @@ static int search_valid_dns(struct ndpi_detection_module_struct *ndpi_struct, || ((rsp_type == 0x1c) && (data_len == 16)) /* AAAA */ )) { if(found == 0) { + /* Necessary for IP address comparison */ + memset(&flow->protos.dns.rsp_addr[flow->protos.dns.num_rsp_addr], 0, sizeof(ndpi_ip_addr_t)); + memcpy(&flow->protos.dns.rsp_addr[flow->protos.dns.num_rsp_addr], packet->payload + x, data_len); flow->protos.dns.is_rsp_addr_ipv6[flow->protos.dns.num_rsp_addr] = (data_len == 16) ? 1 : 0; flow->protos.dns.rsp_addr_ttl[flow->protos.dns.num_rsp_addr] = ttl; + + if(ndpi_struct->cfg.address_cache_size) + ndpi_cache_address(ndpi_struct, + flow->protos.dns.rsp_addr[flow->protos.dns.num_rsp_addr], + flow->host_server_name, + packet->current_time_ms/1000, + flow->protos.dns.rsp_addr_ttl[flow->protos.dns.num_rsp_addr]); + if(++flow->protos.dns.num_rsp_addr == MAX_NUM_DNS_RSP_ADDRESSES) found = 1; } -- cgit v1.2.3
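Review bot: The `ndpi_cache_address(...)` call added here fills the cache straight from an unauthenticated DNS response: the address comes from `packet->payload + x`, the lifetime is the response's own `ttl`, and nothing visible in the hunk ties the answer to a query seen earlier or to a known resolver. Any host that can place a DNS response on the monitored link can therefore seed or overwrite entries, and the cached name is later exported as `server_hostname`, so that field should be documented as a hint rather than a verified identity; an upper bound on the stored TTL would also keep a forged answer from pinning an entry. `flow->host_server_name` is not assigned in this hunk, so if it can still be empty at this point the call should be guarded, e.g. `if(ndpi_struct->cfg.address_cache_size && flow->host_server_name[0] != '\0')`. `search_valid_dns` starts and ends outside the hunk, so an earlier check may already cover part of this.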