On Tue, Aug 04, 2015 at 03:20:51AM +0300, Vadim Kochan wrote:
> From: Vadim Kochan <[email protected]>
>
> Just ignore DNS flows instead of inserting them and then
> filtering them out in the presenter.
>
> Signed-off-by: Vadim Kochan <[email protected]>
> ---
> flowtop.c | 34 +++++++++++++++++++++++++---------
> 1 file changed, 25 insertions(+), 9 deletions(-)
>
> diff --git a/flowtop.c b/flowtop.c
> index 492d77a..6b75897 100644
> --- a/flowtop.c
> +++ b/flowtop.c
> @@ -205,6 +205,8 @@ static void signal_handler(int number)
> static void flow_entry_from_ct(struct flow_entry *n, struct nf_conntrack
> *ct);
> static void flow_entry_get_extended(struct flow_entry *n);
>
> +static bool nfct_is_dns(struct nf_conntrack *ct);
> +
> static void help(void)
> {
> printf("flowtop %s, top-like netfilter TCP/UDP/SCTP/.. flow tracking\n",
> @@ -264,7 +266,15 @@ static inline void flow_list_init(struct flow_list *fl)
>
> static void flow_list_new_entry(struct flow_list *fl, struct nf_conntrack
> *ct)
> {
> - struct flow_entry *n = flow_entry_xalloc();
> + struct flow_entry *n;
> +
> + /* We don't want to analyze / display DNS itself, since we
> + * use it to resolve reverse dns.
> + */
> + if (nfct_is_dns(ct))
> + return;
> +
> + n = flow_entry_xalloc();
>
> n->ct = nfct_clone(ct);
>
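Review bot: The comment above the new early return in flow_list_new_entry does not say that the match is a port heuristic, so a reader cannot tell that every flow nfct_is_dns() accepts is dropped before it is stored, not just hidden from the display. flowtop is used to see what a host is talking to, so that blind spot is worth stating in the code. I would extend the comment with something like `/* Note: matched purely on port 53, so any traffic using that port is never tracked or shown. */`. The body of flow_list_new_entry continues past the end of this hunk.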
> @@ -522,12 +532,20 @@ enum flow_entry_direction {
> flow_entry_dst,
> };
>
> -static inline bool flow_entry_get_extended_is_dns(struct flow_entry *n)
> +static bool nfct_is_dns(struct nf_conntrack *ct)
> {
> - /* We don't want to analyze / display DNS itself, since we
> - * use it to resolve reverse dns.
> - */
> - return n->port_src == 53 || n->port_dst == 53;
> + struct flow_entry fl;
> + struct flow_entry *n = &fl;
> +
> + CP_NFCT(l4_proto, ATTR_ORIG_L4PROTO, 8);
> +
> + if (n->l4_proto != IPPROTO_UDP)
> + return false;
Oops, DNS might go over TCP too ...
> +
> + CP_NFCT(port_src, ATTR_ORIG_PORT_SRC, 16);
> + CP_NFCT(port_dst, ATTR_ORIG_PORT_DST, 16);
> +
> + return ntohs(n->port_src) == 53 || ntohs(n->port_dst) == 53;
> }
>
> #define SELFLD(dir,src_member,dst_member) \
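Review bot: In nfct_is_dns the local `struct flow_entry fl` is left uninitialized and appears to exist only so that CP_NFCT, which seems to write through a variable named `n`, can be reused. A whole flow entry on the stack for three scalar reads is hard to follow. Reading the attributes directly would be clearer, e.g. `uint16_t sport = ntohs(nfct_get_attr_u16(ct, ATTR_ORIG_PORT_SRC));`, and likewise for the destination port and `nfct_get_attr_u8(ct, ATTR_ORIG_L4PROTO)`. The literal 53 appears twice and would read better as a named constant. CP_NFCT is defined outside the visible hunks, so the assumption about how it stores the value should be checked.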
> @@ -670,7 +688,7 @@ static void flow_entry_get_extended_revdns(struct
> flow_entry *n,
>
> static void flow_entry_get_extended(struct flow_entry *n)
> {
> - if (n->flow_id == 0 || flow_entry_get_extended_is_dns(n))
> + if (n->flow_id == 0)
> return;
>
> flow_entry_get_extended_revdns(n, flow_entry_src);
> @@ -943,8 +961,6 @@ static void presenter_screen_update(WINDOW *screen,
> struct flow_list *fl,
>
> for (; n; n = rcu_dereference(n->next)) {
> n->is_visible = false;
> - if (presenter_get_port(n->port_src, n->port_dst, false) == 53)
> - continue;
>
> if (presenter_flow_wrong_state(n))
> continue;
> --
> 2.4.2
>