Fixed the bpftrace invocation

dns-debunk.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# dns_bpf_correlate_fixed.sh
+# dns_bpf_correlate_safe.sh
 set -u
 
 DOMAIN=$1
@@ -40,14 +40,12 @@ tcpdump -n -i any port 53 -s0 -ttt -l 2>/dev/null >> "$DNSLOG" &
 TCPDUMP_PID=$!
 echo -e "${GREEN}[*] tcpdump started (PID $TCPDUMP_PID)${RESET}"
 
-# Start bpftrace inline (correct syntax)
+# Start bpftrace (safe, prints nsecs/1000000, PID, COMM, FD)
 bpftrace -e '
 tracepoint:syscalls:sys_enter_sendto
 {
-    $s = time; $ms = nsecs/1000000 % 1000;
+    printf("%d PID=%d COMM=%s FD=%d\n", nsecs/1000000, pid, comm, args->fd);
-    printf("%d.%03d PID=%d COMM=%s FD=%d\n", $s, $ms, pid, comm, args->fd);
+}' > "$BPFLOG" 2>/dev/null &
-}
-' > "$BPFLOG" 2>/dev/null &
 BPF_PID=$!
 sleep 0.2
 
@@ -97,15 +95,14 @@ tail -Fn0 "$DNSLOG" | while IFS= read -r dnsline; do
             echo "extracted_src_port: $srcPort" >> "$INCIDENT_FILE"
         fi
 
-        # Symmetric window: half before, half after
+        # Symmetric window: ±HALF_WINDOW_MS
         low_ms=$((detect_ms - HALF_WINDOW_MS))
         high_ms=$((detect_ms + HALF_WINDOW_MS))
         awk -v low="$low_ms" -v high="$high_ms" '
         BEGIN{FS=" "; OFS=" "}
         {
-            if ($1 ~ /^[0-9]+\.[0-9]{3}$/) {
+            if ($1 ~ /^[0-9]+$/) {
-                split($1, a, ".")
+                t=$1;
-                t_s=a[1]; t_ms=a[2]; t=t_s*1000+t_ms
                 if (t >= low && t <= high) print $0
             }
         }' "$BPFLOG" | tee -a "$INCIDENT_FILE" > /tmp/_bpf_matches.$$ || true