This is the mail archive of the
systemtap@sourceware.org
mailing list for the systemtap project.
Re: trace ARP and UDP to pid
- From: William Cohen <wcohen at redhat dot com>
- To: systemtap at sourceware dot org
- Date: Mon, 27 Sep 2010 17:27:03 -0400
- Subject: Re: trace ARP and UDP to pid
- References: <4CA0F768.8010706@weatherdata.com>
On 09/27/2010 03:58 PM, Daniel Bourque wrote:
> Hi,
>
> I'm trying to find what process is creating ARP and DNS packets. I approached the problem from different angles, with limited success.
>
>
> the "socket.sendmsg" or "udp.sendmsg" are nice, and I get a valid "sock" variable and pid() works, but I am unable to get the address using ip_ntop(__ip_sock_daddr(sock)) or ip_ntop(__ip_sock_saddr(sock)) . it always returns 0.0.0.0 . so I have to do things like ignoring if execname() == "nfsd" , and using tcpdump to correlate envents.
>
> I've done my share of BSD style programming years ago, but this is getting to a much lower level :)
>
> So I look at the definition. is there a way to add to this so it can drill back to the *msghdr* structure and extract source/dest address/port ??
>
> probe socket.sendmsg = kernel.function ("sock_sendmsg")
> {
> name = "socket.sendmsg"
> size = $size
> protocol = $sock->sk->sk_protocol
> family = $sock->ops->family
> state = $sock->state
> flags = $sock->flags
> type = $sock->type
> }
>
>
>
> systemtap-0.9.7-5
> 2.6.18-164.15.1.el5PAE
>
> Thank !
>
Hi Daniel,
The alias socket.sendmsg predefines those variable listed above. However, you should be able to access the other parameters of the function sock_sendmesg in your script. LXR webpage for 2.6.18-164.el5 shows that $msg and $size should be available at that probe point:
http://rhkernel.org/RHEL5+2.6.18-164.el5/net/socket.c#L605
You might look at the pfiles.stp example to see how addresses are extracted from there:
http://sourceware.org/systemtap/examples/process/pfiles.stp
Would it be possible post the script that you are working on or a simplified example demonstrating the problem?
-Will