How to read tcp_payload from kprobe/inet_sendmsg

Hello there!

I'm trying to read DNS queries from kprobe/inet_sendmsg and
kprobe/inet_recvmsg.

I just copy data by

bpf_probe_read(&memory_in_my_map,
               size_from_kprobe_arg,
               msg->msg_iter.iov->iov_base);

It works fine for UDP (I'm checking by `dig @8.8.4.4 google.com`).
But for TCP (`dig @8.8.4.4 google.com +tcp`) the payload isn't a valid
DNS request.

I'm using the same method for reading DNS response from
kretprobe/inet_recvmsg (arguments are stored by kprobe/inet_recvmsg).
Receiving DNS responses works well for UDP and TCP.

I've found some related but unanswered topics:
- https://www.reddit.com/r/eBPF/comments/15fh3n4/accessing_the_content_of_tcp_packages_in_an_ebpf/
- https://stackoverflow.com/questions/76782000/linux-tcp-packet-sniffing-with-ebpf-kprobe-reading-package-content-from-iov-ite
- https://github.com/replicatedhq/exfilter/issues/8

Please tell me what I'm doing wrong.
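
DNS over TCP puts a two-byte length field in front of every message (RFC 1035, section 4.2.2), so bytes copied from a TCP send do not begin with the DNS header the way a UDP datagram does. The userspace C check below is an added example, not part of the original post: the names `classify_dns` and `header_plausible`, the header heuristic, and the sample bytes are constructed for illustration, and it assumes it is handed the bytes copied from the first iovec.

```c
#include <stdint.h>
#include <stdio.h>

/* Result of inspecting one buffer copied out by a sendmsg/recvmsg probe. */
enum dns_frame {
    DNS_INVALID = 0,  /* not recognisable as DNS in either framing */
    DNS_UDP,          /* buffer starts directly with the 12-byte DNS header */
    DNS_TCP,          /* 2-byte length prefix followed by the whole message */
    DNS_TCP_PARTIAL   /* prefix present, message not (fully) in this buffer */
};
#define DNS_HDR_LEN 12
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Heuristic chosen for this example: standard-query opcode, one question. */
static int header_plausible(const uint8_t *h)
{
    uint16_t flags = be16(h + 2), qdcount = be16(h + 4);
    return ((flags >> 11) & 0xF) == 0 && qdcount == 1;
}

enum dns_frame classify_dns(const uint8_t *buf, size_t len)
{
    if (len == 2 && be16(buf) >= DNS_HDR_LEN)
        return DNS_TCP_PARTIAL;          /* only the length prefix was copied */
    if (len >= 2 + DNS_HDR_LEN && header_plausible(buf + 2)) {
        size_t declared = be16(buf);     /* message length announced by sender */
        if (declared == len - 2) return DNS_TCP;
        if (declared > len - 2)  return DNS_TCP_PARTIAL;
    }
    if (len >= DNS_HDR_LEN && header_plausible(buf))
        return DNS_UDP;
    return DNS_INVALID;
}

/* Constructed sample: query for google.com A/IN, ID 0x1234, flags 0x0120. */
static const uint8_t udp_query[] = {
    0x12,0x34, 0x01,0x20, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    6,'g','o','o','g','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01 };
/* Constructed sample: the same message in TCP framing, prefix 0x001c = 28. */
static const uint8_t tcp_query[] = {
    0x00,0x1c,
    0x12,0x34, 0x01,0x20, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    6,'g','o','o','g','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01 };

int main(void)
{
    printf("udp=%d tcp=%d prefix_only=%d\n", classify_dns(udp_query, sizeof udp_query),
           classify_dns(tcp_query, sizeof tcp_query), classify_dns(tcp_query, 2));
    return 0;
}
```

A `DNS_TCP_PARTIAL` result for a buffer that holds only the two prefix bytes means the message body has to be looked for in a later iovec or a later send.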