fix: sniffer - regression with outdated timestamp since v0.30 (dmacha…

…rd#284) * fix bad timestamp * update cfg
flowintel · Apr 21, 2023 · 1d7e40e · 1d7e40e
1 parent da88670
commit 1d7e40e
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 5 deletions.
diff --git a/collectors/sniffer_afpacket.go b/collectors/sniffer_afpacket.go
@@ -313,8 +313,11 @@ func (c *AfpacketSniffer) Run() {
 			dm.DNS.Length = len(dnsPacket.Payload)
 
 			dm.DnsTap.Identity = c.identity
-			dm.DnsTap.TimeSec = dnsPacket.Timestamp.Second()
-			dm.DnsTap.TimeNsec = int(dnsPacket.Timestamp.UnixNano())
+
+			timestamp := dnsPacket.Timestamp.UnixNano()
+			seconds := timestamp / int64(time.Second)
+			dm.DnsTap.TimeSec = int(seconds)
+			dm.DnsTap.TimeNsec = int(timestamp - seconds*int64(time.Second)*int64(time.Nanosecond))
 
 			// send DNS message to DNS processor
 			dnsProcessor.GetChannel() <- dm

diff --git a/config.yml b/config.yml
@@ -298,7 +298,7 @@ multiplexer:
 #   # overwrite original identity
 #   overwrite-identity: false
 #   # number of dns messages in buffer
-#   buffer-size: 500
+#   buffer-size: 100
 
 # # resend captured dns traffic to a tcp remote destination or to unix socket
 # tcpclient:
@@ -346,7 +346,7 @@ multiplexer:
 #        tls-insecure: false
 #        text-format: "timestamp-rfc3339ns identity operation rcode queryip queryport family protocol length qname qtype latency"
 #        delimiter: "\n"
-#        buffer-size: 1
+#        buffer-size: 100
 # # Name of the channel to publish into
 #        redis-channel: dns-collector
 

diff --git a/dnsutils/constants.go b/dnsutils/constants.go
@@ -58,4 +58,9 @@ var (
 		PROTO_INET:  PROTO_IPV4,
 		PROTO_INET6: PROTO_IPV6,
 	}
+
+	IP_TO_INET = map[string]string{
+		PROTO_IPV4: PROTO_INET,
+		PROTO_IPV6: PROTO_INET6,
+	}
 )
diff --git a/dnsutils/message.go b/dnsutils/message.go
@@ -522,7 +522,11 @@ func (dm *DnsMessage) ToDnstap() ([]byte, error) {
 	dt.Type = &t
 
 	mt := dnstap.Message_Type(dnstap.Message_Type_value[dm.DnsTap.Operation])
-	sf := dnstap.SocketFamily(dnstap.SocketFamily_value[dm.NetworkInfo.Family])
+
+	var sf dnstap.SocketFamily
+	if ipNet, valid := IP_TO_INET[dm.NetworkInfo.Family]; valid {
+		sf = dnstap.SocketFamily(dnstap.SocketFamily_value[ipNet])
+	}
 	sp := dnstap.SocketProtocol(dnstap.SocketProtocol_value[dm.NetworkInfo.Protocol])
 	tsec := uint64(dm.DnsTap.TimeSec)
 	tnsec := uint32(dm.DnsTap.TimeNsec)