fix up bpftrace-based operation
parent
ef47d7cfae
commit
985c9bb97c
10
README.md
10
README.md
@ -72,13 +72,17 @@ addresses, so you must check both sets before determining something is in
|
|||||||
fact a Google service and not a Google customer.
|
fact a Google service and not a Google customer.
|
||||||
|
|
||||||
# To run on a single process on Linux
|
# To run on a single process on Linux
|
||||||
|
|
||||||
Or, to track a single process, fe `firefox`, start it and run:
|
Or, to track a single process, fe `firefox`, start it and run:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
sudo bpftrace netsendmsg.bt |
|
sudo bpftrace netsendmsg.bt |
|
||||||
grep --line-buffered ^$(pgrep firefox) |
|
grep --line-buffered ^$(pgrep firefox) | ./teller
|
||||||
stdbuf -oL cut -f2 | ./cidr.py | ./teller
|
```
|
||||||
|
|
||||||
|
Or try:
|
||||||
|
|
||||||
|
```shell
|
||||||
|
sudo bpftrace netsendmsg.bt | grep --line-buffered -i chrome | ./teller
|
||||||
```
|
```
|
||||||
|
|
||||||
And cry.
|
And cry.
|
||||||
|
18
cidr.py
18
cidr.py
@ -1,18 +0,0 @@
|
|||||||
#!/usr/bin/env -S python3 -u
|
|
||||||
import sys
|
|
||||||
from ipaddress import ip_network, ip_address
|
|
||||||
|
|
||||||
nets = []
|
|
||||||
with open("goog-prefixes.txt") as f:
|
|
||||||
nets = [line.strip() for line in f.readlines()]
|
|
||||||
|
|
||||||
for line in iter(sys.stdin.readline, ''):
|
|
||||||
line = line.strip()
|
|
||||||
for net in nets:
|
|
||||||
try:
|
|
||||||
if ip_address(line) in ip_network(net):
|
|
||||||
print(line)
|
|
||||||
|
|
||||||
continue
|
|
||||||
except:
|
|
||||||
continue
|
|
@ -6,7 +6,15 @@ kprobe:tcp_sendmsg
|
|||||||
{
|
{
|
||||||
$sk = (struct sock *)arg0;
|
$sk = (struct sock *)arg0;
|
||||||
|
|
||||||
|
if($sk->__sk_common.skc_family==2) {
|
||||||
$daddr = ntop($sk->__sk_common.skc_daddr);
|
$daddr = ntop($sk->__sk_common.skc_daddr);
|
||||||
|
|
||||||
printf("%-8d\t%s\t(%s)\n", pid, $daddr, comm);
|
|
||||||
}
|
}
|
||||||
|
else if($sk->__sk_common.skc_family==10) {
|
||||||
|
$daddr = ntop($sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* skc_v6_daddr, skc_family */
|
||||||
|
|
||||||
|
printf("direct\t%s\tpid%d\t%d\t%s\n", $daddr , pid, $sk->__sk_common.skc_family, comm);
|
||||||
|
}
|
||||||
|
|
||||||
|
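Review bot: The new `printf("direct\t%s\tpid%d\t%d\t%s\n", ...)` starts every line with the literal `direct` and moves the pid to the third field, so the `grep --line-buffered ^$(pgrep firefox)` filter that the README in this commit still recommends can no longer match, and `teller` gets no input in the single-process case. Filter on the new field instead, for example `grep --line-buffered -P "\tpid$(pgrep -o firefox)\t"`, or keep the pid as the first column. Separately, `$daddr` is assigned only inside the two `skc_family` branches, and the bare `2` and `10` deserve a comment such as `/* 2 = AF_INET, 10 = AF_INET6 */`. The probe header sits above this hunk, so any predicate on it is not visible here.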
28
teller.cc
28
teller.cc
@ -139,7 +139,7 @@ int main(int argc, char** argv)
|
|||||||
}
|
}
|
||||||
string line;
|
string line;
|
||||||
while(getline(cin, line)) {
|
while(getline(cin, line)) {
|
||||||
|
string ip;
|
||||||
/*
|
/*
|
||||||
22:42:25.323984 IP 13.81.0.219.29601 > 10.0.0.3.32902: tcp 1186
|
22:42:25.323984 IP 13.81.0.219.29601 > 10.0.0.3.32902: tcp 1186
|
||||||
22:42:25.323997 IP 10.0.0.3.32902 > 13.81.0.219.29601: tcp 0
|
22:42:25.323997 IP 10.0.0.3.32902 > 13.81.0.219.29601: tcp 0
|
||||||
@ -155,17 +155,17 @@ int main(int argc, char** argv)
|
|||||||
auto pos2 = line.find('.', pos); // this misses out on IPv6 ICMP
|
auto pos2 = line.find('.', pos); // this misses out on IPv6 ICMP
|
||||||
if(pos2 == string::npos) continue;
|
if(pos2 == string::npos) continue;
|
||||||
line.resize(pos2);
|
line.resize(pos2);
|
||||||
string ip = line.substr(pos+2, pos2 - pos - 2);
|
ip = line.substr(pos+2, pos2 - pos - 2);
|
||||||
|
|
||||||
if(auto fptr = tracksneg.lookup(ip.c_str())) {
|
|
||||||
auto ptr = (TrackerConf*)fptr;
|
|
||||||
cout<<ip<<" negative match ("<<ptr->name<<")"<<endl;
|
|
||||||
}
|
|
||||||
else if(auto fptr = trackspos.lookup(ip.c_str())) {
|
|
||||||
auto ptr = (TrackerConf*)fptr;
|
|
||||||
cout<<ip<<" match ("<<ptr->name<<")"<<endl;
|
|
||||||
ptr->counter++;
|
|
||||||
}
|
}
|
||||||
|
else if(line.find("direct") ==0 ) { // ebpfscript output
|
||||||
|
auto pos = line.find('\t');
|
||||||
|
if(pos == string::npos)
|
||||||
|
continue;
|
||||||
|
auto pos2 = line.find('\t', pos+1);
|
||||||
|
if(pos2 == string::npos)
|
||||||
|
continue;
|
||||||
|
line.resize(pos2);
|
||||||
|
ip = line.substr(pos+1);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
auto pos = line.find('>');
|
auto pos = line.find('>');
|
||||||
@ -182,8 +182,9 @@ int main(int argc, char** argv)
|
|||||||
if(pos2 == string::npos) continue;
|
if(pos2 == string::npos) continue;
|
||||||
|
|
||||||
line.resize(pos2);
|
line.resize(pos2);
|
||||||
string ip=line.substr(pos+2, pos2 - pos - 2);
|
ip=line.substr(pos+2, pos2 - pos - 2);
|
||||||
|
}
|
||||||
|
if(!ip.empty()) {
|
||||||
if(auto fptr = tracksneg.lookup(ip.c_str())) {
|
if(auto fptr = tracksneg.lookup(ip.c_str())) {
|
||||||
auto ptr = (TrackerConf*)fptr;
|
auto ptr = (TrackerConf*)fptr;
|
||||||
cout<<ip<<" negative match ("<<ptr->name<<")"<<endl;
|
cout<<ip<<" negative match ("<<ptr->name<<")"<<endl;
|
||||||
@ -194,7 +195,6 @@ int main(int argc, char** argv)
|
|||||||
ptr->counter++;
|
ptr->counter++;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
sleep(1);
|
sleep(1);
|
||||||
}
|
}
|
||||||
|
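Review bot: The `direct` branch passes whatever sits between the first two tabs to `tracksneg.lookup(ip.c_str())` unchecked, and for AF_INET6 sockets that text may be an IPv4-mapped address (`::ffff:a.b.c.d`). `lookup` is not visible here, so confirm that such input neither throws nor silently misses the IPv4 tracker prefixes, since a missed match undercounts. The prefix test `line.find("direct") ==0` also searches the whole line before comparing and accepts any line that merely begins with those letters; `line.compare(0, 7, "direct\t") == 0` checks only the prefix and requires the tab the parser relies on. `main` and the condition of the first branch begin outside the hunks shown.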