Differences between revisions 7 and 8
Revision 7 as of 2007-10-12 12:08:22, size 3441, editor 202-156-12-12
Revision 8 as of 2007-10-12 12:20:21, size 3327, editor 202-156-12-12
pfiles for Linux

Problem

Someone asked whether Linux has an equivalent of the [http://www.scit.wlv.ac.uk/cgi-bin/mansec?1+pfiles Solaris pfiles] tool. pfiles is one of the Solaris proc utilities: given a process ID, it reports every file the process has open, with its type, mode, device and inode numbers, owner and open flags. Eugene decided to write a similar tool for Linux using SystemTap. Its output format follows the example posted in Red Hat BZ#223489.

TODO:

  • report socket information
  • report pathname information
  • report locked open files

Scripts

The script is too long to list here; download the [attachment:pfiles.stp script] instead. It reads kernel data structures directly, so it has to run in guru mode (stap -g), which requires root or membership of the stapdev group.

Output

$ stap -g pfiles.stp $$
3291:  -bash
  Current rlimit: 256 file descriptors
     0: S_IFCHR mode:0620 dev:0,11 ino:2 uid:500 gid:500 rdev:136,0
        O_RDWR 
     1: S_IFCHR mode:0620 dev:0,11 ino:2 uid:500 gid:500 rdev:136,0
        O_RDWR 
     2: S_IFCHR mode:0620 dev:0,11 ino:2 uid:500 gid:500 rdev:136,0
        O_RDWR 
   255: S_IFCHR mode:0620 dev:0,11 ino:2 uid:500 gid:500 rdev:136,0
        O_RDWR FD_CLOEXEC

$ stap -g pfiles.stp $$ &> output
$ head output 
3291:  -bash
  Current rlimit: 256 file descriptors
     0: S_IFCHR mode:0620 dev:0,11 ino:2 uid:500 gid:500 rdev:136,0
        O_RDWR 
     1: S_IFCHR mode:0620 dev:0,11 ino:2 uid:500 gid:500 rdev:136,0
        O_RDWR 
     2: S_IFCHR mode:0620 dev:0,11 ino:2 uid:500 gid:500 rdev:136,0
        O_RDWR 
   255: S_IFCHR mode:0620 dev:0,11 ino:2 uid:500 gid:500 rdev:136,0
        O_RDWR FD_CLOEXEC

pfiles does not yet report socket details (see the TODO), so pair it with lsof. The -i :1-65535 selector lists every Internet socket whatever its port, and -P keeps ports numeric instead of translating them to service names. For a socket, lsof's DEVICE column is the socket inode, which is the same number pfiles prints in its ino: field, so the two outputs can be joined on it. For example:

$ /usr/sbin/lsof -i :1-65535 -P
COMMAND     PID USER   FD   TYPE DEVICE SIZE NODE NAME
mugshot    3148 eteo    9u  IPv4  15146       TCP w.x.y.z:35439->w.x.y.z:5222 (ESTABLISHED)
thunderbi  3401 eteo   38u  IPv4  16229       TCP w.x.y.z:52935->w.x.y.z:993 (ESTABLISHED)
thunderbi  3401 eteo   39u  IPv4  29750       TCP w.x.y.z:37526->w.x.y.z:993 (ESTABLISHED)
thunderbi  3401 eteo   48u  IPv4  29751       TCP w.x.y.z:37527->w.x.y.z:993 (ESTABLISHED)
ssh        4025 eteo    3u  IPv4  18562       TCP w.x.y.z:38303->w.x.y.z:22 (ESTABLISHED)
pidgin     4038 eteo    7u  IPv4  18722       TCP w.x.y.z:40695->w.x.y.z:5222 (ESTABLISHED)
pidgin     4038 eteo   20u  IPv4  18744       TCP w.x.y.z:36216->w.x.y.z:1863 (ESTABLISHED)
ssh       10206 eteo    3u  IPv4  27165       TCP w.x.y.z:51226->w.x.y.z:22 (ESTABLISHED)
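
The SystemTap script is only available as the attachment, so the following is an added example, not the wiki's pfiles.stp: a Python approximation that rebuilds the same report from /proc (type, mode, dev/ino, owner, rdev, open flags, FD_CLOEXEC and the fd rlimit) and performs the lsof cross-reference above in code, joining each socket's inode against /proc/net/tcp. It also fills in two of the TODO items, pathnames (via readlink) and TCP endpoints. Everything it relies on is an assumption stated in the code: the flag values are the kernel's asm-generic fcntl.h ones (x86, arm64), the /proc/net/tcp excerpt is constructed, and function names such as report and decode_flags are this example's own.

```python
"""pfiles-style report of a process's open files, rebuilt from /proc.
Added example, not the wiki's pfiles.stp. It needs no guru-mode stap, only
read access to the target's /proc entries (own processes, or root /
CAP_SYS_PTRACE for others)."""
import os
import socket
import stat
import struct
import sys

# open(2) flag values from the kernel's asm-generic fcntl.h (x86, arm64, ...).
# Assumption: the target uses that ABI; alpha, sparc and mips differ.
# fdinfo prints "flags:" in octal with the access mode in the low two bits.
O_ACCMODE = 0o3
ACCESS_MODE = {0o0: "O_RDONLY", 0o1: "O_WRONLY", 0o2: "O_RDWR"}
FLAG_BITS = [
    (0o100, "O_CREAT"), (0o200, "O_EXCL"), (0o400, "O_NOCTTY"),
    (0o1000, "O_TRUNC"), (0o2000, "O_APPEND"),
    (0o4000, "O_NONBLOCK|O_NDELAY"),  # a single bit on Linux; pfiles names both
    (0o10000, "O_DSYNC"), (0o20000, "FASYNC"), (0o40000, "O_DIRECT"),
    (0o100000, "O_LARGEFILE"), (0o200000, "O_DIRECTORY"),
    (0o400000, "O_NOFOLLOW"), (0o1000000, "O_NOATIME"),
]
O_CLOEXEC = 0o2000000  # fs/proc/fd.c folds the fd's close-on-exec bit into this
FILE_TYPES = {stat.S_IFREG: "S_IFREG", stat.S_IFDIR: "S_IFDIR", stat.S_IFCHR: "S_IFCHR",
              stat.S_IFBLK: "S_IFBLK", stat.S_IFIFO: "S_IFIFO", stat.S_IFLNK: "S_IFLNK",
              stat.S_IFSOCK: "S_IFSOCK"}
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

# Constructed /proc/net/tcp excerpt (not captured from a real host): one
# established connection owned by uid 500 with socket inode 18722, one listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:9EF7 0100007F:1466 01 00000000:00000000 00:00000000 00000000   500        0 18722 1 0000000000000000 20 4 30 10 -1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
"""

def decode_flags(flags):
    """Render an fdinfo flags value the way the pfiles output does."""
    names = [ACCESS_MODE.get(flags & O_ACCMODE, "O_ACCMODE=3")]
    names += [name for bit, name in FLAG_BITS if flags & bit]
    return "|".join(names) + (" FD_CLOEXEC" if flags & O_CLOEXEC else "")

def describe_mode(st_mode):
    """'S_IFCHR mode:0620' from a st_mode value."""
    return "%s mode:%04o" % (FILE_TYPES.get(stat.S_IFMT(st_mode), "S_IF???"),
                             stat.S_IMODE(st_mode))

def _endpoint(field):
    """'0100007F:1466' -> '127.0.0.1:5222' (kernel prints the address in host
    byte order; '<I' decodes the little-endian layout the sample assumes)."""
    addr, port = field.split(":")
    return "%s:%d" % (socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16))

def parse_proc_net_tcp(text):
    """Map socket inode -> 'local->remote (STATE)' from /proc/net/tcp text."""
    sockets = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or f[0] == "sl":  # header or blank line
            continue
        sockets[int(f[9])] = "%s->%s (%s)" % (_endpoint(f[1]), _endpoint(f[2]),
                                             TCP_STATES.get(f[3], f[3]))
    return sockets

def fd_rlimit(pid):
    """Soft 'Max open files' limit from /proc/<pid>/limits (may be 'unlimited')."""
    with open("/proc/%d/limits" % pid) as fh:
        for line in fh:
            if line.startswith("Max open files"):
                return line[len("Max open files"):].split()[0]
    return "?"

def report(pid, tcp_text=None):
    """Build the pfiles-style report for one process as a list of lines."""
    if tcp_text is None:
        with open("/proc/net/tcp") as fh:
            tcp_text = fh.read()
    tcp = parse_proc_net_tcp(tcp_text)
    with open("/proc/%d/comm" % pid) as fh:
        lines = ["%d: %s" % (pid, fh.read().strip()),
                 "  Current rlimit: %s file descriptors" % fd_rlimit(pid)]
    fd_dir = "/proc/%d/fd" % pid
    for fd in sorted(os.listdir(fd_dir), key=int):
        path = os.path.join(fd_dir, fd)
        try:
            st = os.stat(path)          # follows the magic link: the target's own inode
            target = os.readlink(path)  # e.g. /dev/pts/0, pipe:[18647], socket:[18722]
            with open("/proc/%d/fdinfo/%s" % (pid, fd)) as fh:
                flags = [int(ln.split()[1], 8) for ln in fh if ln.startswith("flags:")][0]
        except OSError:
            continue                    # fd closed between listdir() and stat()
        lines.append("%6s: %s dev:%d,%d ino:%d uid:%d gid:%d rdev:%d,%d" % (
            fd, describe_mode(st.st_mode), os.major(st.st_dev), os.minor(st.st_dev),
            st.st_ino, st.st_uid, st.st_gid, os.major(st.st_rdev), os.minor(st.st_rdev)))
        lines.append("        " + decode_flags(flags))
        if stat.S_ISSOCK(st.st_mode):   # join on the socket inode, as with lsof's DEVICE
            target = tcp.get(st.st_ino, target)
        lines.append("        " + target)
    return lines

if __name__ == "__main__":
    print("\n".join(report(int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid())))
```

Run it as python3 pfiles.py $$ to get the bash report shown above with a pathname line under each descriptor; sockets that are not TCP (UDP, Unix) keep the socket:[inode] link text, which is what you would then look up in /proc/net/udp or /proc/net/unix.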

Lessons

With SystemTap you can write useful system tools that Linux otherwise lacks. [http://sources.redhat.com/systemtap/wiki/WSPfiles pfiles] and [http://sources.redhat.com/systemtap/wiki/WSPlimit plimit] are two examples.


WarStories

WSPfiles (last edited 2010-04-19 12:10:27 by 92)