Merge pull request #15 from bfabio/single-process

Add scripts for tracking single process
2022-08-25 22:27:15 +02:00 · 2022-08-25 22:27:15 +02:00 · 61ac5df1f2
commit 61ac5df1f2
parent 5488b0eb53 08e0ca8c33
3 changed files with 39 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -61,6 +61,15 @@ Then start as:
 ```
 sudo tcpdump -i nflog:20 -ln | ./teller
 ```
+
+Or, to track a single process, fe `firefox`, start it and run:
+
+```shell
+sudo bpftrace netsendmsg.bt |
+    grep --line-buffered ^$(pgrep firefox) |
+    stdbuf -oL cut -f2 | ./cidr.py | ./teller
+```
+
 And cry.

 ## Data source
--- a/cidr.py
+++ b/cidr.py
@ -0,0 +1,18 @@
+#!/usr/bin/env -S python3 -u
+import sys
+from ipaddress import ip_network, ip_address
+
+nets = []
+with open("goog-prefixes.txt") as f:
+    nets = [line.strip() for line in f.readlines()]
+
+for line in iter(sys.stdin.readline, ''):
+    line = line.strip()
+    for net in nets:
+        try:
+            if ip_address(line) in ip_network(net):
+                print(line)
+
+                continue
+        except:
+            continue
--- a/netsendmsg.bt
+++ b/netsendmsg.bt
@ -0,0 +1,12 @@
+#!/usr/bin/bpftrace
+#include <net/sock.h>
+
+kprobe:udp_sendmsg,
+kprobe:tcp_sendmsg
+{
+  $sk = (struct sock *)arg0;
+
+  $daddr = ntop($sk->__sk_common.skc_daddr);
+
+  printf("%-8d\t%s\t(%s)\n", pid, $daddr, comm);
+}