On 2015-10-26 at 14:16:09 +0100, vkochan <vadi...@gmail.com> wrote:
> On Mon, Oct 26, 2015 at 01:38:41PM +0100, Tobias Klauser wrote:
> > On 2015-10-24 at 16:38:10 +0200, Vadim Kochan <vadi...@gmail.com> wrote:
> > > From: Vadim Kochan <vadi...@gmail.com>
> > >
> > > Perform lookup inode by dst port too if remote traffic represented as
> > > src flow, so in case if lookup by src port failed then choose
> > > inode matched by dst port.
> > >
> > > Signed-off-by: Vadim Kochan <vadi...@gmail.com>
> > > ---
> > > flowtop.c | 37 +++++++++++++++++++++----------------
> > > 1 file changed, 21 insertions(+), 16 deletions(-)
> > >
> > > diff --git a/flowtop.c b/flowtop.c
> > > index 6aa0a6e..f36e8fe 100644
> > > --- a/flowtop.c
> > > +++ b/flowtop.c
> > > @@ -503,40 +503,50 @@ static void walk_processes(struct flow_entry *n)
> > > closedir(dir);
> > > }
> > >
> > > -static int get_port_inode(uint16_t port, int proto, bool is_ip6)
> > > +static void flow_entry_find_process(struct flow_entry *n)
> > > {
> > > - int ret = -ENOENT;
> > > + int src_inode = 0, dst_inode = 0;
> > > char path[128], buff[1024];
> > > FILE *proc;
> > >
> > > memset(path, 0, sizeof(path));
> > > snprintf(path, sizeof(path), "/proc/net/%s%s",
> > > - l4proto2str[proto], is_ip6 ? "6" : "");
> > > + l4proto2str[n->l4_proto], n->l3_proto == AF_INET6 ? "6" : "");
> > >
> > > proc = fopen(path, "r");
> > > if (!proc)
> > > - return -EIO;
> > > + return;
> > >
> > > + /* Here we try to find process's socket inode by src port, at the same
> > > + * time we try to do it by dst port too which will be choosen in case
> > > + * if src port inode will be not found, this is needed in case if the
> > > + * 1st flow's packet will be originated from the remote server so then
> > > + * local host will be represented as dst flow.
> > > + */
> > > memset(buff, 0, sizeof(buff));
> > > -
> > > while (fgets(buff, sizeof(buff), proc) != NULL) {
> > > - int inode = 0;
> > > unsigned int lport = 0;
> > > + int inode = 0;
> > >
> > > buff[sizeof(buff) - 1] = 0;
> > > if (sscanf(buff, "%*u: %*X:%X %*X:%*X %*X %*X:%*X %*X:%*X "
> > > "%*X %*u %*u %u", &lport, &inode) == 2) {
> > > - if ((uint16_t) lport == port) {
> > > - ret = inode;
> > > +
> > > + if ((uint16_t) lport == n->port_src) {
> > > + src_inode = inode;
> > > break;
> > > + } else if ((uint16_t) lport == n->port_dst) {
> > > + dst_inode = inode;
> >
> > Shouldn't we break here as well?
> Let me think again on this, I did not put break here because there might be
> a case that
> port_dst might be matched to some other local port earlier than port_src and
> then the wrong inode might found.
> But now I see that it can't be solved by this patch too ... Seems this
> is not easy to find locally generated flow (except by matching with
> local interface addresses) because in case if 1st flow's packet will be
> generated from remote, then local traffic will be identified as dst flow ...
Ah, I see.
Before you think too much about it: I'd prefer to keep the lookup logic
rather simple. So if you can't figure out the inode reliably without
keeping a lot of internal state or querying a lot of information (i.e.
easily), I'd suggest we just keep the logic as it is and leave dst port
lookup aside.
--
You received this message because you are subscribed to the Google Groups
"netsniff-ng" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to netsniff-ng+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
