From 08e0ca8c33f0842495340eb7135f647968ebe139 Mon Sep 17 00:00:00 2001 From: Fabio Bonelli Date: Tue, 23 Aug 2022 12:51:43 +0200 Subject: [PATCH] Add scripts for tracking single process --- README.md | 9 +++++++++ cidr.py | 18 ++++++++++++++++++ netsendmsg.bt | 12 ++++++++++++ 3 files changed, 39 insertions(+) create mode 100755 cidr.py create mode 100644 netsendmsg.bt diff --git a/README.md b/README.md index f3d8035..966faf0 100644 --- a/README.md +++ b/README.md @@ -61,6 +61,15 @@ Then start as: ``` sudo tcpdump -i nflog:20 -ln | ./teller ``` + +Or, to track a single process, fe `firefox`, start it and run: + +```shell +sudo bpftrace netsendmsg.bt | + grep --line-buffered ^$(pgrep firefox) | + stdbuf -oL cut -f2 | ./cidr.py | ./teller +``` + And cry. ## Data source diff --git a/cidr.py b/cidr.py new file mode 100755 index 0000000..a470078 --- /dev/null +++ b/cidr.py @@ -0,0 +1,18 @@ +#!/usr/bin/env -S python3 -u +import sys +from ipaddress import ip_network, ip_address + +nets = [] +with open("goog-prefixes.txt") as f: + nets = [line.strip() for line in f.readlines()] + +for line in iter(sys.stdin.readline, ''): + line = line.strip() + for net in nets: + try: + if ip_address(line) in ip_network(net): + print(line) + + continue + except: + continue diff --git a/netsendmsg.bt b/netsendmsg.bt new file mode 100644 index 0000000..8be0c1a --- /dev/null +++ b/netsendmsg.bt @@ -0,0 +1,12 @@ +#!/usr/bin/bpftrace +#include + +kprobe:udp_sendmsg, +kprobe:tcp_sendmsg +{ + $sk = (struct sock *)arg0; + + $daddr = ntop($sk->__sk_common.skc_daddr); + + printf("%-8d\t%s\t(%s)\n", pid, $daddr, comm); +}