<?php
/**
 * tcpv4connect: trace outbound IPv4 TCP connect() calls.
 *
 * A kprobe on tcp_v4_connect() stashes the socket pointer per task; the
 * matching kretprobe reads source/destination address and destination port
 * from the socket once the call has returned successfully and emits one
 * record through bpf_trace_printk(). The PHP side below reads those records
 * back from the (system-wide) trace pipe and prints them.
 */

// BPF program source handed to BCC. A nowdoc is used deliberately: unlike a
// heredoc it performs neither $variable interpolation nor escape processing,
// so the C text (including the "\n" in the printk format string) reaches the
// compiler exactly as written here.
$bpf_text = <<<'EOT'
#include <uapi/linux/ptrace.h>
#include <net/sock.h>
#include <bcc/proto.h>
BPF_HASH(currsock, u32, struct sock *);
int kprobe__tcp_v4_connect(struct pt_regs *ctx, struct sock *sk)
{
u32 pid = bpf_get_current_pid_tgid();
// stash the sock ptr for lookup on return
currsock.update(&pid, &sk);
return 0;
};
int kretprobe__tcp_v4_connect(struct pt_regs *ctx)
{
int ret = PT_REGS_RC(ctx);
u32 pid = bpf_get_current_pid_tgid();
struct sock **skpp;
skpp = currsock.lookup(&pid);
if (skpp == 0) {
return 0; // missed entry
}
if (ret != 0) {
// failed to send SYNC packet, may not have populated
// socket __sk_common.{skc_rcv_saddr, ...}
currsock.delete(&pid);
return 0;
}
// pull in details
struct sock *skp = *skpp;
u32 saddr = skp->__sk_common.skc_rcv_saddr;
u32 daddr = skp->__sk_common.skc_daddr;
u16 dport = skp->__sk_common.skc_dport;
// output
bpf_trace_printk("trace_tcp4connect %x %x %d\n", saddr, daddr, ntohs(dport));
currsock.delete(&pid);
return 0;
}
EOT;
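$ebpf = new Bpf(["text" => $bpf_text]);

// The probe prints each address with "%x": the __be32 field is read as a
// native u32 and rendered without leading zeros, so 127.0.0.1 arrives as
// "100007f" (7 hex digits). Feeding that straight into pack('H*') treats it
// as a byte string, pads the odd nibble on the wrong end and mis-aligns every
// octet (127.0.0.1 came out as 240.7.0.16). Decode it as an integer and
// repack it in the host's native 32-bit byte order instead — the same thing
// BCC's reference tool does with inet_ntop(AF_INET, pack("I", int(h, 16))).
$hexToIp = static function (string $hex): string {
    return inet_ntop(pack('L', (int) hexdec($hex)));
};

// Only accept what the probe itself can produce: 1-8 lowercase hex digits.
// Anything else is a foreign or truncated trace line and is dropped.
$hexAddr = '/^[0-9a-f]{1,8}$/';

# header
printf("%-6s %-12s %-16s %-16s %-4s\n", "PID", "COMM", "SADDR", "DADDR","DPORT");

# format output
while (true) {
    try {
        [$task, $pid, $cpu, $flags, $ts, $msg] = $ebpf->trace_fields();
    } catch (Exception $e) {
        // Best-effort, as before: a failed read is skipped. Note that a
        // persistent failure inside trace_fields() turns this into a busy loop.
        continue;
    }

    // trace_pipe is one system-wide buffer shared by every bpf_trace_printk()
    // user on the host, so lines from other tracers land here too. Require
    // our own tag and a complete record before treating a line as a connect,
    // otherwise a foreign line would be printed as if it were a connection
    // (and a short one would blow up inside the address conversion).
    $fields = explode(" ", $msg, 4);
    if (count($fields) !== 4 || $fields[0] !== 'trace_tcp4connect') {
        continue;
    }
    [, $saddrHex, $daddrHex, $dport] = $fields;
    if (!preg_match($hexAddr, $saddrHex) || !preg_match($hexAddr, $daddrHex)) {
        continue;
    }

    // NOTE(review): the PID column is whatever trace_fields() reports as the
    // task id; for a multi-threaded process this is likely the thread id
    // rather than the tgid — confirm against the Bpf binding.
    printf("%-6d %-12.12s %-16s %-16s %-4s\n",
        $pid,
        $task,
        $hexToIp($saddrHex),
        $hexToIp($daddrHex),
        $dport
    );
    flush();
}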