Added sampling to dnscap

src/dnscap.1.in

@@ -53,6 +53,7 @@
 .Op Fl E Ar datetime
 .Op Fl P Ar plugin.so
 .Op Fl U Ar str
+.Op Fl q Ar unsigned int
 .Sh DESCRIPTION
 .Nm
 is a network capture utility designed specifically for DNS traffic.  It
@@ -353,6 +354,11 @@ Enable immediate mode on interfaces.
 Append "and
 .Ar str
 " to the pcap filter.
+.It Fl q Ar unsigned int
+Causes the output to be sampled after the application of all other filters.
+Only every nth dns initiation will be output and responses are only output
+if they correspond to one of the sampled queries. This option cannot be
+used with option.
 .El
 .Pp
 If started with no options,

src/dnscap.c

@@ -128,6 +128,7 @@ static const char version_fmt[] = "V1.0-OARC-r%d (%s)";
 #include <time.h>
 #include <unistd.h>
 #include <pwd.h>
+#include "../uthash/uthash.h" //for the hash used in the sample module
 
 #ifdef __linux__
 extern char *strptime(const char *, const char *, struct tm *);
@@ -287,6 +288,19 @@ struct plugin {
 };
 LIST(struct plugin) plugins;
 
+typedef struct{
+        UT_hash_handle          hh;             //makes the structure hashable using "uthash/uthash.h"
+        unsigned                   from;           //these next 5 fields make up the compound key
+        int                     sport,dport,transaction_id;
+        unsigned                   to;
+}samplePacket ;
+
+typedef struct{
+        unsigned                from;
+        int                     sport,dport,transaction_id;
+        unsigned                to;
+}sample_lookup_key;
+
 /* Forward. */
 
 static void setsig(int, int);
@@ -384,6 +398,12 @@ static unsigned long long mem_limit = (unsigned) MEM_MAX;			// process memory li
 static int mem_limit_set = 1; // Should be configurable
 const char DROPTOUSER[] = "nobody";
 static pcap_thread_t pcap_thread = PCAP_THREAD_T_INIT;
+static int sample = FALSE;
+static unsigned sampleAmount;
+static unsigned querycount;
+static samplePacket  *allSampleQueries = NULL;
+static int chooseSidesResponse = FALSE;
+static unsigned keylen;
 
 /* Public. */
 
@@ -694,7 +714,8 @@ help_1(void) {
 		"\t[-w <base> [-W <suffix>] [-k <cmd>]] [-t <lim>] [-c <lim>] [-C <lim>]\n"
 		"\t[-x <pat>]+ [-X <pat>]+\n"
 		"\t[-B <datetime>] [-E <datetime>]\n"
-		"\t[-P plugin.so] [-U <str>]\n",
+		"\t[-P plugin.so] [-U <str>]\n"
+                "\t[-q <unsinged int>]\n",
 		ProgramName);
 }
 
@@ -755,6 +776,8 @@ help_2(void) {
         "\t-E <datetime> end collecting at this date and time\n"
 		"\t-M         set monitor mode on interfaces\n"
 		"\t-D         set immediate mode on interfaces\n"
+                "\t-q <unsigned int> output only every nth DNS query and only output responses\n \
+                          if they correspond to one of the sampled queries\n"
 		);
 }
 
@@ -782,7 +805,7 @@ parse_args(int argc, char *argv[]) {
 	INIT_LIST(myregexes);
 	INIT_LIST(plugins);
 	while ((ch = getopt(argc, argv,
-			"a:bc:de:fgh:i:k:l:m:pr:s:t:u:w:x:"
+			"a:bc:de:fgh:i:k:l:m:pq:r:s:t:u:w:x:"
 #ifdef USE_SECCOMP
 			"y"
 #endif
@@ -889,6 +912,7 @@ parse_args(int argc, char *argv[]) {
 			msg_wanted = u;
 			break;
 		case 's':
+                        chooseSidesResponse = TRUE;
 			u = 0;
 			for (p = optarg; *p; p++)
 				switch (*p) {
@@ -898,6 +922,13 @@ parse_args(int argc, char *argv[]) {
 				}
 			dir_wanted = u;
 			break;
+                case 'q':
+                        sample = TRUE;
+                        sampleAmount =  atoi(optarg);
+                        if(sampleAmount == 0)
+                                usage("-q takes only unsigned integer values != 0");
+                        querycount = 0;
+                        break;
 		case 'h':
 			u = 0;
 			for (p = optarg; *p; p++)
@@ -1099,6 +1130,11 @@ parse_args(int argc, char *argv[]) {
 		usage("the -L and -l options are mutually exclusive");
 	if (background && (dumptrace || preso))
 		usage("the -b option is incompatible with -d and -g");
+        if (sample && chooseSidesResponse)
+        {
+                if (!((dir_wanted & DIR_INITIATE) != 0) && ((dir_wanted & DIR_RESPONSE) != 0))
+                        usage("the -q option is incompatible with -s r");
+        }
 	if (dumptrace >= 1) {
 		endpoint_ptr ep;
 		const char *sep;
@@ -2339,8 +2375,61 @@ network_pkt(const char *descr, my_bpftimeval ts, unsigned pf,
 			abort();
 		}
 	}
-	output(descr, from, to, proto, flags, sport, dport, ts,
-	    pkt_copy, olen, dnspkt, dnslen);
+/*Sample Module*/
+        if (sample == TRUE)
+        {
+                ns_msg dnsmsgSample;
+                ns_initparse(dnspkt,dnslen,&dnsmsgSample);
+                samplePacket *currentQuery;
+                void *ipAddrBufferFrom = &from.u;
+                void *ipAddrBufferTo = &to.u;
+                unsigned *fromBuffer = (unsigned*)ipAddrBufferFrom;
+                unsigned *toBuffer = (unsigned*)ipAddrBufferTo;
+
+                keylen = offsetof(samplePacket,to)      //keylen is used to define which fields of the hash structure are added
+                        + sizeof(*toBuffer)                    //as a compound key. Here, the key is composed of all fields between (and including)
+                        - offsetof(samplePacket,from);  //samplePacket->to and samplePacket->from (from, sport, dport, transaction_id, to)
+
+                if(dns.qr == 0)
+                {
+                        querycount++;
+                        if(querycount % sampleAmount == 0)
+                                {
+                                        currentQuery = malloc(sizeof(*currentQuery));
+                                        memset(currentQuery, 0, sizeof(*currentQuery));
+                                        currentQuery->from = *fromBuffer;
+                                        currentQuery->to = *toBuffer;
+                                        currentQuery->sport = sport;
+                                        currentQuery->dport = dport;
+                                        currentQuery->transaction_id = ns_msg_id(dnsmsgSample);
+
+                                        HASH_ADD(hh,allSampleQueries,from,keylen,currentQuery);
+                                        output(descr,from,to,proto,flags,sport,dport,ts,pkt_copy,olen,dnspkt,dnslen);
+                                }
+                }
+                else
+                {
+                        sample_lookup_key *lookup_key = (sample_lookup_key*)malloc(sizeof(*lookup_key));;
+                        memset(lookup_key, 0, sizeof(*lookup_key));
+                        lookup_key->from = *toBuffer;
+                        lookup_key->to = *fromBuffer;
+                        lookup_key->dport = sport;
+                        lookup_key->sport = dport;
+                        lookup_key->transaction_id = ns_msg_id(dnsmsgSample);
+
+                        HASH_FIND(hh,allSampleQueries,&lookup_key->from,keylen,currentQuery);
+                        if(currentQuery)
+                        {
+                                HASH_DEL(allSampleQueries,currentQuery);
+                                free(currentQuery);
+                                output(descr,from,to,proto,flags,sport,dport,ts,pkt_copy,olen,dnspkt,dnslen);
+                        }
+                        free(lookup_key);
+                }
+        }else
+        {
+                output(descr,from,to,proto,flags,sport,dport,ts,pkt_copy,olen,dnspkt,dnslen);
+        }
 }
 
 /*