tcp_connects script redux
- From: Hien Nguyen <hien at us dot ibm dot com>
- To: SystemTAP <systemtap at sources dot redhat dot com>
- Date: Fri, 09 Sep 2005 10:17:18 -0700
- Subject: tcp_connects script redux
Here's a more complete version of the tcp_connects script. This version has
been tested with RHEL4 i386 and FC4 i386. The output looks like this:
stap -g tcp_connects_wa.stp
UID CMD PID PORT IP_SOURCE
0 sshd 1961 22 9.47.18.87
0 sshd 1961 22 9.47.67.99
Note: tcp_connects_wa.stp contains a workaround for the $retvalue bug.
Once the $retvalue bug is fixed we should use the
tcp_connects.stp script.
Hien.
%{
/*
 * Embedded C shared by the functions below. Embedded C is compiled into the
 * probe module as written, without the translator's safety checks, which is
 * why this script has to be run in guru mode (stap -g).
 */
#include <linux/version.h>
#include <net/sock.h>
#include <net/tcp.h>
/*
 * LPORT and DADDR select the port and address fields of struct inet_sock.
 * Kernels before 2.6.11 reach them through the nested `inet` member; later
 * kernels have them directly in the struct. Both macros expand to an
 * expression on a local variable named `inet`, so they are only usable where
 * a `struct inet_sock *inet` is in scope.
 */
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,11)
#define LPORT (inet->inet.num)
#define DADDR (&inet->inet.daddr)
#else
#define LPORT (inet->num)
#define DADDR (&inet->daddr)
#endif
%}
function _get_eax () %{
    /*
     * Workaround for the $retvalue bug: read the probed function's return
     * value straight from the eax slot of the saved registers. The field name
     * is i386-specific, matching the platforms the script was tested on.
     *
     * Yields -1 when the probe context carries no register set. -1 is not a
     * usable socket address, so callers must check for it before handing the
     * value to anything that dereferences it.
     */
    if (!CONTEXT || !CONTEXT->regs)
        THIS->__retvalue = -1;
    else
        THIS->__retvalue = CONTEXT->regs->eax;
%}
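function get_local_port:long(sock)
%{
    /*
     * Return the local port of the socket whose kernel address is `sock`,
     * or 0 when `sock` is 0.
     *
     * `sock` is a script-level integer that is cast to a pointer and
     * dereferenced in kernel context. Only the null case is caught here; any
     * other value must be a live inet socket pointer obtained from a probe
     * (here: the return value of tcp_accept). Passing anything else reads
     * arbitrary kernel memory or faults.
     * NOTE(review): newer SystemTap runtimes offer kread() for fault-tolerant
     * reads in embedded C; confirm availability before relying on it.
     */
    struct inet_sock *inet = (struct inet_sock *) (unsigned long) THIS->sock;

    if (inet == NULL)
        THIS->__retvalue = 0;
    else
        THIS->__retvalue = (long long) LPORT;
%}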
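function get_ip_source:string(sock)
%{
    /*
     * Return, as a dotted-quad string, the IPv4 address stored in the daddr
     * field of the socket whose kernel address is `sock`; the script prints
     * it in the IP_SOURCE column. Returns an empty string when `sock` is 0.
     *
     * `sock` is a script-level integer that is cast to a pointer and
     * dereferenced in kernel context. Only the null case is caught here; any
     * other value must be a live inet socket pointer obtained from a probe.
     * NOTE(review): the field is read as four IPv4 bytes; for a non-IPv4
     * socket the result is presumably not meaningful. Confirm if IPv6
     * listeners matter.
     */
    struct inet_sock *inet = (struct inet_sock *) (unsigned long) THIS->sock;
    unsigned char addr[4];

    if (inet == NULL) {
        THIS->__retvalue[0] = '\0';
    } else {
        /* Copy byte-wise so the octets come out in the order they are stored. */
        memcpy(addr, DADDR, sizeof(addr));
        /* Bounded write: the result string is MAXSTRINGLEN bytes long. */
        snprintf(THIS->__retvalue, MAXSTRINGLEN, "%d.%d.%d.%d",
                 addr[0], addr[1], addr[2], addr[3]);
    }
%}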
# Script-level wrapper around the embedded-C helper _get_eax().
# NOTE(review): the "+ 0" presumably forces the result to be typed as a
# number, since _get_eax() declares no return type; confirm before removing.
# The value is whatever _get_eax() produced, including its -1 sentinel for
# "no register set available".
function get_eax() {
return _get_eax() + 0
}
# Print the tab-separated column header once, when the script starts.
probe begin {
log ("UID\tCMD\t\tPID\t\tPORT\tIP_SOURCE")
}
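# Log one line per accepted TCP connection: uid, command name and pid of the
# accepting process, the local port, and the peer address.
probe kernel.function("tcp_accept").return {
    # Workaround path: the return value of tcp_accept is taken from eax.
    sock = get_eax()
    # 0 means tcp_accept returned no socket; -1 is the sentinel _get_eax()
    # hands back when no register set was available. Neither may reach the
    # embedded-C helpers, which dereference the value as a kernel pointer.
    if (sock != 0 && sock != -1)
        log(string(uid())."\t".
            execname()."\t\t".
            string(pid())."\t\t ".
            string(get_local_port(sock))."\t".
            get_ip_source(sock))
}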
%{
/*
 * Embedded C shared by the functions below. Embedded C is compiled into the
 * probe module as written, without the translator's safety checks, which is
 * why this script has to be run in guru mode (stap -g).
 */
#include <linux/version.h>
#include <net/sock.h>
#include <net/tcp.h>
/*
 * LPORT and DADDR select the port and address fields of struct inet_sock.
 * Kernels before 2.6.11 reach them through the nested `inet` member; later
 * kernels have them directly in the struct. Both macros expand to an
 * expression on a local variable named `inet`, so they are only usable where
 * a `struct inet_sock *inet` is in scope.
 */
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,11)
#define LPORT (inet->inet.num)
#define DADDR (&inet->inet.daddr)
#else
#define LPORT (inet->num)
#define DADDR (&inet->daddr)
#endif
%}
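function get_local_port:long(sock)
%{
    /*
     * Return the local port of the socket whose kernel address is `sock`,
     * or 0 when `sock` is 0.
     *
     * `sock` is a script-level integer that is cast to a pointer and
     * dereferenced in kernel context. Only the null case is caught here; any
     * other value must be a live inet socket pointer obtained from a probe
     * (here: the return value of tcp_accept). Passing anything else reads
     * arbitrary kernel memory or faults.
     * NOTE(review): newer SystemTap runtimes offer kread() for fault-tolerant
     * reads in embedded C; confirm availability before relying on it.
     */
    struct inet_sock *inet = (struct inet_sock *) (unsigned long) THIS->sock;

    if (inet == NULL)
        THIS->__retvalue = 0;
    else
        THIS->__retvalue = (long long) LPORT;
%}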
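function get_ip_source:string(sock)
%{
    /*
     * Return, as a dotted-quad string, the IPv4 address stored in the daddr
     * field of the socket whose kernel address is `sock`; the script prints
     * it in the IP_SOURCE column. Returns an empty string when `sock` is 0.
     *
     * `sock` is a script-level integer that is cast to a pointer and
     * dereferenced in kernel context. Only the null case is caught here; any
     * other value must be a live inet socket pointer obtained from a probe.
     * NOTE(review): the field is read as four IPv4 bytes; for a non-IPv4
     * socket the result is presumably not meaningful. Confirm if IPv6
     * listeners matter.
     */
    struct inet_sock *inet = (struct inet_sock *) (unsigned long) THIS->sock;
    unsigned char addr[4];

    if (inet == NULL) {
        THIS->__retvalue[0] = '\0';
    } else {
        /* Copy byte-wise so the octets come out in the order they are stored. */
        memcpy(addr, DADDR, sizeof(addr));
        /* Bounded write: the result string is MAXSTRINGLEN bytes long. */
        snprintf(THIS->__retvalue, MAXSTRINGLEN, "%d.%d.%d.%d",
                 addr[0], addr[1], addr[2], addr[3]);
    }
%}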
# Print the tab-separated column header once, when the script starts.
probe begin {
log ("UID\tCMD\t\tPID\t\tPORT\tIP_SOURCE")
}
# Log one line per accepted TCP connection: uid, command name and pid of the
# accepting process, the local port, and the peer address.
probe kernel.function("tcp_accept").return {
    # The value returned by tcp_accept; 0 means no socket was returned.
    sk = $retvalue
    if (sk != 0) {
        # The helpers dereference sk as a kernel pointer, so they are only
        # called once the zero case has been excluded.
        line = string(uid())."\t".
               execname()."\t\t".
               string(pid())."\t\t ".
               string(get_local_port(sk))."\t".
               get_ip_source(sk)
        log(line)
    }
}