Merge pull request #15 from bfabio/single-process

Add scripts for tracking single process

README.md

@@ -61,6 +61,15 @@ Then start as:
 ```
 sudo tcpdump -i nflog:20 -ln | ./teller
 ```
+
+Or, to track a single process, fe `firefox`, start it and run:
+
+```shell
+sudo bpftrace netsendmsg.bt |
+    grep --line-buffered ^$(pgrep firefox) |
+    stdbuf -oL cut -f2 | ./cidr.py | ./teller
+```
+
 And cry.
 
 ## Data source

cidr.py

@@ -0,0 +1,18 @@
+#!/usr/bin/env -S python3 -u
+import sys
+from ipaddress import ip_network, ip_address
+
+nets = []
+with open("goog-prefixes.txt") as f:
+    nets = [line.strip() for line in f.readlines()]
+
+for line in iter(sys.stdin.readline, ''):
+    line = line.strip()
+    for net in nets:
+        try:
+            if ip_address(line) in ip_network(net):
+                print(line)
+
+                continue
+        except:
+            continue

netsendmsg.bt

@@ -0,0 +1,12 @@
+#!/usr/bin/bpftrace
+#include <net/sock.h>
+
+kprobe:udp_sendmsg,
+kprobe:tcp_sendmsg
+{
+  $sk = (struct sock *)arg0;
+
+  $daddr = ntop($sk->__sk_common.skc_daddr);
+
+  printf("%-8d\t%s\t(%s)\n", pid, $daddr, comm);
+}