diff options
Diffstat (limited to 'tapset')
| -rw-r--r-- | tapset/DEVGUIDE | 6 | ||||
| -rw-r--r-- | tapset/ip.stp | 46 | ||||
| -rw-r--r-- | tapset/kprocess.stp (renamed from tapset/process.stp) | 30 | ||||
| -rw-r--r-- | tapset/tcp.stp | 94 |
4 files changed, 158 insertions, 18 deletions
diff --git a/tapset/DEVGUIDE b/tapset/DEVGUIDE index e6bc3fb8..693521a8 100644 --- a/tapset/DEVGUIDE +++ b/tapset/DEVGUIDE @@ -59,8 +59,8 @@ For example, process execs can occur in either the do_execve() or the compat_do_execve() functions. The following alias inserts probes at the beginning of those functions: -probe process.exec = kernel.function("do_execve"), - kernel.function("compat_do_execve") { +probe kprocess.exec = kernel.function("do_execve"), + kernel.function("compat_do_execve") { < probe body > } @@ -87,7 +87,7 @@ process is retrieved by calling task_pid() and passing it the task_struct pointer. In this case, the auxiliary function is an embedded C function that's defined in the task tapset (task.stp). -probe process.create = kernel.function("copy_process").return { +probe kprocess.create = kernel.function("copy_process").return { task = $return new_pid = task_pid(task) } diff --git a/tapset/ip.stp b/tapset/ip.stp index 1e2e263c..299d88d2 100644 --- a/tapset/ip.stp +++ b/tapset/ip.stp @@ -7,6 +7,10 @@ // // Based on previous work done by Arnaldo Carvalho de Melo <acme@redhat.com> +%{ +#include <linux/skbuff.h> +%} + /** * sfunction ip_ntop - returns a string representation from an integer IP number * @addr: the ip represented as an integer @@ -30,3 +34,45 @@ function __ip_sock_daddr:long (sock:long) { return @cast(sock, "inet_sock")->daddr } + +/* Get the IP header for recent (> 2.6.21) kernels */ +function __get_skb_iphdr_new:long(skb:long) +%{ /* pure */ + struct sk_buff *skb; + skb = (struct sk_buff *)(long)THIS->skb; + /* as done by skb_network_header() */ + #ifdef NET_SKBUFF_DATA_USES_OFFSET + THIS->__retvalue = (long)(kread(&(skb->head)) + kread(&(skb->network_header))); + #else + THIS->__retvalue = (long)kread(&(skb->network_header)); + #endif + CATCH_DEREF_FAULT(); +%} + +/* Get the IP header from a sk_buff struct */ +function __get_skb_iphdr:long(skb:long){ +%( kernel_v < "2.6.21" %? + iphdr = @cast(skb, "sk_buff")->nh->raw + return iphdr +%: + return __get_skb_iphdr_new(skb) +%) +} + +/* return the source next layer protocol for a given sk_buff structure */ +function __ip_skb_proto:long (iphdr) +{ + return @cast(iphdr, "iphdr")->protocol +} + +/* return the source IP address for a given sk_buff structure */ +function __ip_skb_saddr:long (iphdr) +{ + return @cast(iphdr, "iphdr")->saddr +} + +/* return the destination IP address for a given skb */ +function __ip_skb_daddr:long (iphdr) +{ + return @cast(iphdr, "iphdr")->daddr +} diff --git a/tapset/process.stp b/tapset/kprocess.stp index e39f740a..316e03ce 100644 --- a/tapset/process.stp +++ b/tapset/kprocess.stp @@ -1,4 +1,4 @@ -// process tapset +// kernel process tapset // Copyright (C) 2006 Intel Corporation. // // This file is part of systemtap, and is free software. You can @@ -15,7 +15,7 @@ function _IS_ERR:long(ptr:long) %{ /* pure */ /** - * probe process.create - Fires whenever a new process is successfully created + * probe kprocess.create - Fires whenever a new process is successfully created * @new_pid: The PID of the newly created process * * Context: @@ -24,7 +24,7 @@ function _IS_ERR:long(ptr:long) %{ /* pure */ * Fires whenever a new process is successfully created, either as a result of * <command>fork</command> (or one of its syscall variants), or a new kernel thread. */ -probe process.create = kernel.function("copy_process").return { +probe kprocess.create = kernel.function("copy_process").return { task = $return if (_IS_ERR(task)) next new_pid = task_pid(task) @@ -32,7 +32,7 @@ probe process.create = kernel.function("copy_process").return { /** - * probe process.start - Starting new process + * probe kprocess.start - Starting new process * * Context: * Newly created process. @@ -40,11 +40,11 @@ probe process.create = kernel.function("copy_process").return { * Fires immediately before a new process begins execution. * */ -probe process.start = kernel.function("schedule_tail") { } +probe kprocess.start = kernel.function("schedule_tail") { } /** - * probe process.exec - Attempt to exec to a new program + * probe kprocess.exec - Attempt to exec to a new program * @filename: The path to the new executable * * Context: @@ -52,7 +52,7 @@ probe process.start = kernel.function("schedule_tail") { } * * Fires whenever a process attempts to exec to a new program. */ -probe process.exec = +probe kprocess.exec = kernel.function("do_execve"), kernel.function("compat_do_execve") ? { @@ -61,7 +61,7 @@ probe process.exec = /** - * probe process.exec_complete - Return from exec to a new program + * probe kprocess.exec_complete - Return from exec to a new program * @errno: The error number resulting from the exec * @success: A boolean indicating whether the exec was successful * @@ -71,7 +71,7 @@ probe process.exec = * * Fires at the completion of an exec call. */ -probe process.exec_complete = +probe kprocess.exec_complete = kernel.function("do_execve").return, kernel.function("compat_do_execve").return ? { @@ -81,23 +81,23 @@ probe process.exec_complete = /** - * probe process.exit - Exit from process + * probe kprocess.exit - Exit from process * @code: The exit code of the process * * Context: * The process which is terminating. * * Fires when a process terminates. This will always be followed by a - * process.release, though the latter may be delayed if the process waits in a + * kprocess.release, though the latter may be delayed if the process waits in a * zombie state. */ -probe process.exit = kernel.function("do_exit") { +probe kprocess.exit = kernel.function("do_exit") { code = $code } /** - * probe process.release - Process released + * probe kprocess.release - Process released * @task: A task handle to the process being released * @pid: PID of the process being released * @@ -106,10 +106,10 @@ probe process.exit = kernel.function("do_exit") { * termination, else the context of the process itself. * * Fires when a process is released from the kernel. This always follows a - * process.exit, though it may be delayed somewhat if the process waits in a + * kprocess.exit, though it may be delayed somewhat if the process waits in a * zombie state. */ -probe process.release = kernel.function("release_task") { +probe kprocess.release = kernel.function("release_task") { task = $p pid = $p->pid; } diff --git a/tapset/tcp.stp b/tapset/tcp.stp index bb96b0cb..2c5dce7e 100644 --- a/tapset/tcp.stp +++ b/tapset/tcp.stp @@ -15,6 +15,7 @@ #include <net/sock.h> #include <net/tcp.h> #include <net/ip.h> +#include <linux/skbuff.h> %} // Get retransmission timeout in usecs. RTO is initialized from default @@ -78,6 +79,70 @@ function __tcp_sock_dport:long (sock:long){ return @cast(sock, "inet_sock")->dport } +/* returns the TCP header for recent (<2.6.21) kernel */ +function __get_skb_tcphdr_new:long(skb:long) +%{ /* pure */ + struct sk_buff *skb; + skb = (struct sk_buff *)(long)THIS->skb; + /* as done by skb_transport_header() */ + #ifdef NET_SKBUFF_DATA_USES_OFFSET + THIS->__retvalue = (long)(kread(&(skb->head)) + kread(&(skb->transport_header))); + #else + THIS->__retvalue = (long)kread(&(skb->transport_header)); + #endif + CATCH_DEREF_FAULT(); +%} + +/* returns the TCP header for a given sk_buff structure */ +function __get_skb_tcphdr:long(skb:long){ +%( kernel_v < "2.6.21" %? + tcphdr = @cast(skb, "sk_buff")->h->raw + return tcphdr +%: + return __get_skb_tcphdr_new(skb) +%) +} + +/* returns TCP URG flag for a given sk_buff structure */ +function __tcp_skb_urg:long (tcphdr){ + return @cast(tcphdr, "tcphdr")->urg +} + +/* returns TCP ACK flag for a given sk_buff structure */ +function __tcp_skb_ack:long (tcphdr){ + return @cast(tcphdr, "tcphdr")->ack +} + +/* returns TCP PSH flag for a given sk_buff structure */ +function __tcp_skb_psh:long (tcphdr){ + return @cast(tcphdr, "tcphdr")->psh +} + +/* returns TCP RST flag for a given sk_buff structure */ +function __tcp_skb_rst:long (tcphdr){ + return @cast(tcphdr, "tcphdr")->rst +} + +/* returns TCP SYN flag for a given sk_buff structure */ +function __tcp_skb_syn:long (tcphdr){ + return @cast(tcphdr, "tcphdr")->syn +} + +/* returns TCP FIN flag for a given sk_buff structure */ +function __tcp_skb_fin:long (tcphdr){ + return @cast(tcphdr, "tcphdr")->fin +} + +/* returns TCP source port for a given sk_buff structure */ +function __tcp_skb_sport:long (tcphdr){ + return ntohs(@cast(tcphdr, "tcphdr")->source) +} + +/* returns TCP destination port for a given sk_buff structure */ +function __tcp_skb_dport:long (tcphdr){ + return @cast(tcphdr, "tcphdr")->dest +} + /* return the TCP source port for a given sock */ function __tcp_sock_sport:long (sock:long){ return @cast(sock, "inet_sock")->sport @@ -300,3 +365,32 @@ probe tcp.setsockopt.return = kernel.function("tcp_setsockopt").return { ret = $return } +/** + * probe tcp.receive - Called when a TCP packet is received + * @saddr: A string representing the source IP address + * @daddr: A string representing the destination IP address + * @sport: TCP source port + * @dport: TCP destination port + * @urg: TCP URG flag + * @ack: TCP ACK flag + * @psh: TCP PSH flag + * @rst: TCP RST flag + * @syn: TCP SYN flag + * @fin: TCP FIN flag + */ +probe tcp.receive = kernel.function("tcp_v4_rcv") { + iphdr = __get_skb_iphdr($skb) + saddr = ip_ntop(__ip_skb_saddr(iphdr)) + daddr = ip_ntop(__ip_skb_daddr(iphdr)) + protocol = __ip_skb_proto(iphdr) + + tcphdr = __get_skb_tcphdr($skb) + dport = __tcp_skb_dport(tcphdr) + sport = __tcp_skb_sport(tcphdr) + urg = __tcp_skb_urg(tcphdr) + ack = __tcp_skb_ack(tcphdr) + psh = __tcp_skb_psh(tcphdr) + rst = __tcp_skb_rst(tcphdr) + syn = __tcp_skb_syn(tcphdr) + fin = __tcp_skb_fin(tcphdr) +} |