He had another one for UDP connect:
https://raw.githubusercontent.com/brendangregg/bpf-perf-tools-book/master/updated/Ch10_Networking/udpconnect.bt
However, I found some modifications were required to get the known correct
port number (53):
#!/usr/bin/bpftrace
/*
 * udpconnect - Trace new UDP connections from localhost.
 *
 * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
 *
 * Copyright (c) 2019 Brendan Gregg.
 * Licensed under the Apache License, Version 2.0 (the "License").
 * This was originally created for the BPF Performance Tools book
 * published by Addison Wesley. ISBN-13: 9780136554820
 * When copying or porting, include this comment.
 *
 * 20-Apr-2019 Brendan Gregg Created this.
 */

#include <net/sock.h>

BEGIN
{
	printf("%-8s %-6s %-16s %-2s %-16s %-5s\n", "TIME", "PID", "COMM",
	    "IP", "RADDR", "RPORT");
}

kprobe:ip4_datagram_connect,
kprobe:ip6_datagram_connect
{
	$sk = (struct sock *)arg0;
	$sa = (struct sockaddr *)arg1;

	if (($sa->sa_family == AF_INET || $sa->sa_family == AF_INET6) &&
	    $sk->sk_protocol == IPPROTO_UDP) {
		time("%H:%M:%S ");
		if ($sa->sa_family == AF_INET) {
			$s = (struct sockaddr_in *)arg1;
			/*
			 * sin_port is stored in network (big-endian) byte
			 * order, so on a little-endian host the two bytes
			 * read back swapped. Swap them back with shift and
			 * mask; dividing by 256 drops the low byte and only
			 * gives the right answer for ports below 256 (53 is
			 * one of them).
			 */
			$port = ($s->sin_port >> 8) |
			    (($s->sin_port << 8) & 0xff00);
			printf("%-6d %-16s 4 %-16s %-5d\n", pid, comm,
			    ntop(AF_INET, $s->sin_addr.s_addr), $port);
		} else {
			$s6 = (struct sockaddr_in6 *)arg1;
			/* Same byte swap for sin6_port. */
			$port = ($s6->sin6_port >> 8) |
			    (($s6->sin6_port << 8) & 0xff00);
			printf("%-6d %-16s 6 %-16s %-5d\n", pid, comm,
			    ntop(AF_INET6, $s6->sin6_addr.in6_u.u6_addr8),
			    $port);
		}
	}
}
Output:
/tmp$ sudo ./udpconnect.bt
Attaching 3 probes...
TIME     PID    COMM             IP RADDR            RPORT
23:06:49 3823   systemd-resolve  4  8.8.8.8          53
On Mon, Oct 3, 2022 at 10:10 PM Sean Liu <[email protected]> wrote:
> Actually Brendan already had one written:
>
> https://raw.githubusercontent.com/brendangregg/bpf-perf-tools-book/master/exercises/Ch10_Networking/udplife.bt
> With nslookup google.com, I get:
> Attaching 8 probes...
> PID   COMM        LADDR          LPORT RADDR    RPORT TX_B RX_B MS
> 3823  systemd-re  192.168.10.26  0     8.8.8.8  32927 39   110  27
>
> I am not certain why RPORT is not 53 though.
>
> Sean
>
>
> On Mon, Oct 3, 2022 at 5:06 PM Sean Liu <[email protected]> wrote:
>
>> Well what's hot nowadays in Linux is bpftrace which is built on top of
>> eBPF.
>> You probably can just 'apt install bpftrace' on your ubuntu18.04 which
>> *may* be a bit outdated.
>> Afterwards you can check out existing scripts, for example on my ubt
>> 20.04:
>> sean@ubuntu:/usr/sbin$ ls *bt
>> bashreadline.bt  capable.bt         killsnoop.bt  opensnoop.bt  statsnoop.bt  tcpconnect.bt  threadsnoop.bt
>> biolatency.bt    cpuwalk.bt         loads.bt      pidpersec.bt  swapin.bt     tcpdrop.bt     vfscount.bt
>> biosnoop.bt      dcsnoop.bt         mdflush.bt    runqlat.bt    syncsnoop.bt  tcplife.bt     vfsstat.bt
>> biostacks.bt     execsnoop.bt       naptime.bt    runqlen.bt    syscount.bt   tcpretrans.bt  writeback.bt
>> bitesize.bt      gethostlatency.bt  oomkill.bt    setuids.bt    tcpaccept.bt  tcpsynbl.bt    xfsdist.bt
>>
>> There is some resemblance between bpftrace and dtrace scripts, so you
>> might be able to adapt what you need to bpftrace.
>>
>> Good luck,
>>
>> Sean
>>
>> On Mon, Oct 3, 2022 at 4:02 PM ch-and-dtrace.topicbox.com via
>> dtrace-discuss <[email protected]> wrote:
>>
>>> Ok, I found perf (https://www.brendangregg.com/perf.html), and if I
>>> knew what I was doing, I think I'd be able to write a one-liner that did
>>> what I want. That's a big caveat, though.
>>> Permalink:
>>> <https://dtrace.topicbox.com/groups/dtrace-discuss/T345746b17158d294-M4ea6ca4c8a542ceb7d276016>
>>>
------------------------------------------
DTrace: dtrace-discuss
Permalink:
https://dtrace.topicbox.com/groups/dtrace-discuss/T345746b17158d294-M582e4641e199169891113621
Delivery options: https://dtrace.topicbox.com/groups/dtrace-discuss/subscription
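The port confusion in this thread comes down to byte order: sin_port and sin6_port hold the port in network (big-endian) order, and bpftrace reads the 16-bit field as a host integer, so on a little-endian host the two bytes come back swapped. The program below is an added example, not code from the thread or from the BPF Performance Tools repository. It reproduces in plain C what bpftrace sees, then compares the "/256" shortcut used for IPv4 above with the shift-and-mask swap used for IPv6, and with ntohs(). It assumes a little-endian host (x86-64 or arm64); the sample ports are constructed, 32927 being the value shown in the quoted udplife output.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/*
 * Assumption: little-endian host. That is where a network-order port read
 * as a host integer comes back with its bytes swapped; on a big-endian host
 * the raw read already equals the port and no swap is needed.
 */

/* Return the 16 bits bpftrace sees when it reads sin_port as a host
 * integer: the network-order bytes of `port`, reinterpreted in host order. */
static uint16_t raw_sin_port(uint16_t port)
{
    uint16_t net = htons(port);      /* bytes as stored in sockaddr_in */
    uint16_t raw;
    memcpy(&raw, &net, sizeof raw);  /* reinterpret, no conversion */
    return raw;
}

/* The "/256" approach from the IPv4 branch: keeps only the high byte of the
 * raw value (the low byte of the real port) and discards the other byte. */
static uint16_t port_div256(uint16_t raw)
{
    return raw / 256;
}

/* The shift-and-mask approach from the IPv6 branch: a full byte swap, which
 * on a little-endian host is exactly what ntohs() does. */
static uint16_t port_swap(uint16_t raw)
{
    return (uint16_t)((raw >> 8) | ((raw << 8) & 0xff00));
}

/* 1 if the /256 shortcut recovers the port; only true for ports below 256. */
static int div256_is_exact(uint16_t port)
{
    return port_div256(raw_sin_port(port)) == port;
}

int main(void)
{
    /* Constructed sample ports: DNS (53), the boundary at 255/256, the
     * 32927 seen in the udplife output above, and a high ephemeral port. */
    const uint16_t ports[] = { 53, 255, 256, 32927, 54321 };

    printf("%-6s %-8s %-8s %-8s %-6s\n", "port", "raw", "/256", "swap", "ntohs");
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) {
        uint16_t raw = raw_sin_port(ports[i]);
        printf("%-6u 0x%04x   %-8u %-8u %-6u\n", ports[i], raw,
               port_div256(raw), port_swap(raw), ntohs(raw));
    }
    return 0;
}
```

For port 53 the raw value is 0x3500, so both 0x3500/256 and the byte swap give 53, which is why the /256 edit looked correct in the test above; for 32927 (0x809f) the raw value is 0x9f80, /256 yields 159 while the swap yields 32927. The same shift-and-mask expression is what the script's IPv6 branch already does, so using it in the IPv4 branch as well gives correct output for any port on a little-endian host.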