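%{
/* Embedded-C support for the tcp_accept probe below (needs guru mode, -g).
 *
 * The field names inside struct inet_sock changed across kernel releases, so
 * the two accessors used by get_local_port() and get_ip_source() are picked
 * by kernel version.  Both expect a local variable named `inet` of type
 * struct inet_sock * in the function that expands them.
 *   LPORT  - the socket's local (bound) port number
 *   DADDR  - pointer to the 4-byte IPv4 peer address, as stored in the socket
 */
#include <linux/version.h>
#include <net/sock.h>
#include <net/tcp.h>
#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,11)
#define LPORT (inet->inet.num)
#define DADDR (&inet->inet.daddr)
#elif LINUX_VERSION_CODE < KERNEL_VERSION(2,6,33)
#define LPORT (inet->num)
#define DADDR (&inet->daddr)
#else
/* 2.6.33 renamed these members (num -> inet_num, daddr -> inet_daddr). */
#define LPORT (inet->inet_num)
#define DADDR (&inet->inet_daddr)
#endif
%}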
function get_eax:long () %{
	/* Value of the eax register at the current probe point, or 0 when no
	 * register context is available (e.g. from begin/end probes).
	 * NOTE(review): `eax` is the i386 pt_regs member; this helper, and the
	 * probe that treats it as the function return value, are 32-bit x86
	 * specific.  Newer SystemTap exposes $return in .return probes. */
	struct pt_regs *regs = CONTEXT ? CONTEXT->regs : NULL;
	THIS->__retvalue = regs ? regs->eax : 0;
%}
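function get_local_port:long(sock)
%{
	/* Local (bound) port of the TCP socket whose address is passed as `sock`.
	 * The pointer originates from the probed kernel function, not from user
	 * input, but a stale or bogus value would still oops the kernel on a
	 * plain dereference.  kread() performs a fault-checked read and, on
	 * failure, jumps to the deref_fault label that CATCH_DEREF_FAULT()
	 * provides, turning the problem into a script error instead of a crash.
	 * Returns 0 (and sets the script's last_error) when the read faults. */
	unsigned long ptr = (unsigned long) THIS->sock;
	struct inet_sock *inet = (struct inet_sock *) ptr;
	THIS->__retvalue = (long long) kread(&(LPORT));
	CATCH_DEREF_FAULT();
%}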
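function get_ip_source:string(sock)
%{
	/* Dotted-quad text of the peer IPv4 address stored in the accepted socket
	 * `sock` (the connection's source, from the listener's point of view).
	 * The 4 bytes are read with kread() so a bad socket pointer faults into
	 * deref_fault rather than oopsing the kernel, and the result is written
	 * with a bounded snprintf into the MAXSTRINGLEN-sized return buffer. */
	unsigned long ptr = (unsigned long) THIS->sock;
	struct inet_sock *inet = (struct inet_sock *) ptr;
	unsigned char addr[4];
	u32 daddr;

	daddr = kread(DADDR);                 /* DADDR expands to &inet->...daddr */
	memcpy(addr, &daddr, sizeof(addr));   /* keep wire byte order: a.b.c.d */
	snprintf(THIS->__retvalue, MAXSTRINGLEN, "%u.%u.%u.%u",
		 addr[0], addr[1], addr[2], addr[3]);
	CATCH_DEREF_FAULT();
%}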
# Column header printed once, when the script starts.
probe begin {
	println("UID\tCMD\t\tPID\t\tPORT\tIP_SOURCE")
}
# One line per accepted TCP connection: who accepted it (uid, command, pid),
# on which local port, and from which peer address.  The returned socket
# pointer is taken from eax (see get_eax); a zero return means accept failed
# and nothing is logged.
probe kernel.function("tcp_accept").return {
	sock = get_eax()
	if (sock == 0)
		next
	printf("%d\t%s\t\t%d\t\t %d\t%s\n",
	       uid(), execname(), pid(),
	       get_local_port(sock), get_ip_source(sock))
}