
I'm using jnetpcap to make an application for Android, and I know how to extract most of the information that I need, but I can't get the DNS packets.

I know that to extract DNS packets I first need to look at UDP port 53, but when I reach that point I don't know how to proceed.

My code:

// Imports for the Android and jnetpcap classes used below (omitted in the original post):
import android.util.Log;
import org.jnetpcap.Pcap;
import org.jnetpcap.PcapHeader;
import org.jnetpcap.nio.JBuffer;
import org.jnetpcap.nio.JMemory;
import org.jnetpcap.packet.JRegistry;
import org.jnetpcap.packet.PcapPacket;
import org.jnetpcap.packet.format.FormatUtils;
import org.jnetpcap.protocol.lan.Ethernet;
import org.jnetpcap.protocol.network.Ip4;
import org.jnetpcap.protocol.tcpip.Http;
import org.jnetpcap.protocol.tcpip.Tcp;
import org.jnetpcap.protocol.tcpip.Udp;

// ethData, ipSource, ipDestination, tcpPortSource, tcpPortDestination,
// udpPortSource and udpPortDestination are List<String> fields of the enclosing class.
public static void SetPcapData(String directory){
    final StringBuilder errbuf = new StringBuilder();

    // open the .pcap capture file for offline reading
    Log.i("Opening PCAP from", directory);
    Pcap pcapfile = Pcap.openOffline(directory, errbuf);

    if (pcapfile == null) {
        Log.e("Error opening PCAP", errbuf.toString());
        return;   // an assert here is not enough: assertions are disabled at runtime on Android
    }

    // reusable header objects; hasHeader() binds them to the current packet
    Ethernet eth = new Ethernet();
    Http http = new Http();
    Ip4 ip4 = new Ip4();
    Tcp tcp = new Tcp();
    Udp udp = new Udp();

    PcapHeader hdr = new PcapHeader(JMemory.POINTER);
    //PcapPacket packet = new PcapPacket(JMemory.POINTER);
    JBuffer buf = new JBuffer(JMemory.POINTER);
    // map the capture's link-layer type (DLT) to the protocol id the scanner expects
    int id = JRegistry.mapDLTToId(pcapfile.datalink());
    int contIP, contETH, contHTTP, contUDP, contTCP;
    contIP = contETH = contHTTP = contUDP = contTCP = 1;

    while(pcapfile.nextEx(hdr, buf) == Pcap.NEXT_EX_OK) {
        // copy the packet out of the pcap buffer and decode its headers
        PcapPacket packet = new PcapPacket(hdr, buf);
        packet.scan(id);
        String str;

        Log.i("::::", "-----------------------------------------------------------------------");
        if (packet.hasHeader(eth)) {
            str = eth.toString();
            Log.i("#" + String.valueOf(contETH) + " ETH src", FormatUtils.mac(eth.source()) + " | " + FormatUtils.mac(eth.destination()));
            ethData.add(str);

            contETH++;

            if (packet.hasHeader(ip4)) {
                str = FormatUtils.ip(ip4.source());
                Log.i("#" + String.valueOf(contIP) + " IP src", str);
                ipSource.add(str);

                str = FormatUtils.ip(ip4.destination());
                Log.i("#" + String.valueOf(contIP) + " IP dest", str);
                ipDestination.add(str);

                contIP++;

                if (packet.hasHeader(tcp)) {
                    str = String.valueOf(tcp.source()) + " | " + String.valueOf(tcp.destination());
                    Log.i("#" + String.valueOf(contTCP) + " TCP src|dest port", str);
                    tcpPortSource.add(String.valueOf(tcp.source()));
                    tcpPortDestination.add(String.valueOf(tcp.destination()));

                    contTCP++;

                } else if (packet.hasHeader(udp)) {
                    str = String.valueOf(udp.source()) + " | " + String.valueOf(udp.destination());
                    Log.i("#" + String.valueOf(contUDP) + " UDP src|dest port", str);
                    udpPortSource.add(String.valueOf(udp.source()));
                    udpPortDestination.add(String.valueOf(udp.destination()));

                    contUDP++;

                    if(udp.source() == 53 || udp.destination() == 53){
                        //here is where I need to start extracting DNS packets
                    }
                }
            }
        }
    }

    pcapfile.close();
}

So can jnetpcap handle DNS packets or not? I don't know what to do now.

lcpr_phoenix
  • DNS can also use TCP port 53. The original DNS RFC was misinterpreted by some people who believe that TCP is purely optional for DNS, but _[RFC 5966, DNS Transport over TCP - Implementation Requirements](https://tools.ietf.org/html/rfc5966)_ clarifies: "_This document therefore updates the core DNS protocol specifications such that support for TCP is henceforth a REQUIRED part of a full DNS protocol implementation._" – Ron Maupin Oct 26 '17 at 13:05
  • Sounds interesting; maybe this is the reason why NetworkMiner shows so many DNS queries in the same pcap file that I use in my code. But it shows that the DNS queries pass over the UDP transport protocol. My code shows the same, but I can't extract the information. Thanks for the reply. – lcpr_phoenix Oct 27 '17 at 23:48
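The question leaves off at the point where the port-53 UDP payload has been found, and the comment above adds that DNS also runs over TCP port 53. The following is an added example, not code from the original post or from jnetpcap: a small parser for the DNS message that sits in that payload. To my knowledge jnetpcap's bundled protocol headers do not include a DNS decoder, so the bytes have to be parsed by hand. It assumes the payload is obtained from jnetpcap with `udp.getPayload()` (or `tcp.getPayload()` for the TCP case), which I believe `Udp` and `Tcp` inherit from `JHeader`; the class name `DnsPayloadParser`, the `DnsMessage` holder and the sample bytes in `main` are all constructed for this illustration. It handles the RFC 1035 details a first attempt usually trips over: the 12-byte header layout, label-by-label names with compression pointers, and the 2-byte length prefix that only the TCP form carries.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class DnsPayloadParser {
    /** The parts of a DNS message this example extracts. */
    public static final class DnsMessage {
        public int id, opcode, rcode, qdCount, anCount, nsCount, arCount;
        public boolean isResponse;
        public final List<String> questionNames = new ArrayList<>();
        public final List<Integer> questionTypes = new ArrayList<>();
        public final List<String> answers = new ArrayList<>();   // "name type=N rdata"
    }
    /** UDP carries the DNS message directly: 12-byte header, then the sections. */
    public static DnsMessage parseUdpPayload(byte[] p) {
        if (p.length < 12) throw new IllegalArgumentException("DNS header needs 12 bytes");
        DnsMessage m = new DnsMessage();
        m.id = u16(p, 0);
        int flags = u16(p, 2);
        m.isResponse = (flags & 0x8000) != 0;            // QR bit
        m.opcode = (flags >> 11) & 0xF; m.rcode = flags & 0xF;
        m.qdCount = u16(p, 4); m.anCount = u16(p, 6); m.nsCount = u16(p, 8); m.arCount = u16(p, 10);
        int off = 12;
        for (int i = 0; i < m.qdCount; i++) {            // question: QNAME QTYPE QCLASS
            StringBuilder name = new StringBuilder();
            off = readName(p, off, name);
            if (off + 4 > p.length) throw new IllegalArgumentException("truncated question");
            m.questionNames.add(name.toString());
            m.questionTypes.add(u16(p, off));
            off += 4;
        }
        for (int i = 0; i < m.anCount; i++) {            // answer RR: NAME TYPE CLASS TTL RDLENGTH RDATA
            StringBuilder name = new StringBuilder();
            off = readName(p, off, name);
            if (off + 10 > p.length) throw new IllegalArgumentException("truncated answer");
            int type = u16(p, off), rdlen = u16(p, off + 8);
            off += 10;
            if (off + rdlen > p.length) throw new IllegalArgumentException("RDLENGTH past end");
            m.answers.add(name + " type=" + type + " " + rdata(p, type, off, rdlen));
            off += rdlen;
        }
        return m;                                        // authority/additional sections left unparsed
    }
    /** DNS over TCP (RFC 1035 4.2.2) prefixes each message with a 2-byte big-endian length. */
    public static DnsMessage parseTcpPayload(byte[] p) {
        if (p.length < 2) throw new IllegalArgumentException("TCP DNS payload needs a length prefix");
        int len = u16(p, 0);
        if (2 + len > p.length) throw new IllegalArgumentException("message longer than this segment");
        return parseUdpPayload(Arrays.copyOfRange(p, 2, 2 + len));
    }
    // Reads a domain name at off, following compression pointers (0xC0xx). Returns the offset
    // of the next field: just past the terminating 0, or past the first pointer if one was followed.
    static int readName(byte[] p, int off, StringBuilder out) {
        int pos = off, resume = -1, hops = 0;
        while (true) {
            if (pos >= p.length) throw new IllegalArgumentException("name runs past end of message");
            int len = p[pos] & 0xFF;
            if (len == 0) { pos++; break; }                       // root label ends the name
            if ((len & 0xC0) == 0xC0) {                           // compression pointer
                if (pos + 1 >= p.length) throw new IllegalArgumentException("truncated pointer");
                int ptr = ((len & 0x3F) << 8) | (p[pos + 1] & 0xFF);
                if (resume < 0) resume = pos + 2;
                // a valid pointer refers to an earlier offset; this also rules out pointer loops
                if (ptr >= pos || ++hops > 16) throw new IllegalArgumentException("bad compression pointer");
                pos = ptr;
                continue;
            }
            if (len > 63 || pos + 1 + len > p.length) throw new IllegalArgumentException("bad label length");
            if (out.length() > 0) out.append('.');
            out.append(new String(p, pos + 1, len, StandardCharsets.US_ASCII));
            pos += 1 + len;
        }
        if (out.length() == 0) out.append('.');
        return resume < 0 ? pos : resume;
    }
    /** Renders A (type 1) and CNAME (type 5) RDATA; other types are reported by size only. */
    static String rdata(byte[] p, int type, int off, int rdlen) {
        if (type == 1 && rdlen == 4)
            return (p[off] & 0xFF) + "." + (p[off + 1] & 0xFF) + "." + (p[off + 2] & 0xFF) + "." + (p[off + 3] & 0xFF);
        if (type == 5) { StringBuilder sb = new StringBuilder(); readName(p, off, sb); return sb.toString(); }
        return rdlen + " bytes";
    }
    static int u16(byte[] p, int o) { return ((p[o] & 0xFF) << 8) | (p[o + 1] & 0xFF); }

    public static void main(String[] args) {
        // Constructed sample, not from a real capture: a response to "example.com A" whose
        // answer name is the pointer 0xC00C back to the question name at offset 12.
        byte[] payload = {
            0x12, 0x34, (byte) 0x81, (byte) 0x80, 0, 1, 0, 1, 0, 0, 0, 0,          // header
            7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0, 1, 0, 1,  // question
            (byte) 0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 1, 0x2C, 0, 4,                      // answer RR, TTL 300
            (byte) 0xCB, 0x00, 0x71, 0x05                                            // RDATA 203.0.113.5
        };
        DnsMessage m = parseUdpPayload(payload);   // with jnetpcap: parseUdpPayload(udp.getPayload())
        System.out.println("id=" + m.id + " response=" + m.isResponse + " rcode=" + m.rcode
                + " q=" + m.questionNames + m.questionTypes + " answers=" + m.answers);
    }
}
```

In the loop from the question, the call would go inside the `udp.source() == 53 || udp.destination() == 53` branch, and a matching `tcp.source() == 53 || tcp.destination() == 53` branch would hand `tcp.getPayload()` to `parseTcpPayload`. Two caveats apply to the TCP path: one TCP segment may carry several length-prefixed messages back to back, or only part of one, so a complete implementation needs stream reassembly before parsing. On both paths, port 53 alone does not prove the payload is DNS, and captures contain malformed or truncated datagrams; the parser throws `IllegalArgumentException` on anything inconsistent, so catch it per packet rather than letting it abort the whole capture.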

0 Answers