Prashant Srinivasan
2006-Sep-08 20:54 UTC
[dtrace-discuss] Getting incoming IP addresses by instrumenting accept(3SOCKET)?
I wrote a program to obtain the originating IP address for oncoming
socket connections. It's able to get the right IP address when the
connection is handled by Apache, or another server program. The program
cannot obtain the incoming IP address if the receiving program is inetd,
though.

I'm instrumenting the accept(3SOCKET) call - I've inlined the code (and
sample output) below, in case someone can see what the problem is -
I'm running snv_46.

Thanks,
-ps

Code:
------
bash-3.00# cat test.d
#!/usr/sbin/dtrace -qCs

#include <netinet/in.h>

/* Byte masks for the four octets of the 32-bit address. */
int b1, b2, b3, b4;

syscall::accept:entry
{
        b1 = 255;
        b2 = 65280;
        b3 = 16711680;
        b4 = 4278190080;
        /* Save the user address of the sockaddr buffer passed to accept(). */
        self->incoming_ip = arg1;
}

syscall::accept:return
/self->incoming_ip/
{
        /* Copy the sockaddr_in in from user space and read the peer address. */
        self->a1 = ((struct sockaddr_in *)(copyin(self->incoming_ip,
            sizeof(struct sockaddr_in))))->sin_addr.s_addr;
        printf("INCOMING IP: %d.%d.%d.%d - HANDLED BY: %s\n",
            self->a1 & b1, (self->a1 & b2) >> 8, (self->a1 & b3) >> 16,
            (self->a1 & b4) >> 24, execname);
}
bash-3.00#

Output:
---------
bash-3.00# ./test.d
INCOMING IP: 10.6.141.127 - HANDLED BY: httpd
INCOMING IP: 10.6.141.127 - HANDLED BY: httpd
INCOMING IP: 0.0.0.0 - HANDLED BY: inetd
INCOMING IP: 10.6.141.127 - HANDLED BY: server
INCOMING IP: 0.0.0.0 - HANDLED BY: inetd
INCOMING IP: 0.0.0.0 - HANDLED BY: inetd
^C
Nicolas Williams
2006-Sep-08 21:13 UTC
[dtrace-discuss] Getting incoming IP addresses by instrumenting accept(3SOCKET)?
On Fri, Sep 08, 2006 at 01:54:59PM -0700, Prashant Srinivasan wrote:
> I wrote a program to obtain the originating IP address for oncoming
> socket connections. It's able to get the right IP address when the
> connection is handled by Apache, or another server program. The program
> cannot obtain the incoming IP address if the receiving program is inetd,
> though.
>
> I'm instrumenting the accept(3SOCKET) call - I've inlined the code (and
> sample output) below, in case someone can see what the problem is -
> I'm running snv_46.

inetd uses TLI/XTI, not sockets.

Try the tcpsnoop script in Brendan Gregg's DTrace Toolkit:

http://users.tpg.com.au/adsln4yb/dtrace.html

That works fine.

Nico
Prashant Srinivasan
2006-Sep-08 23:02 UTC
[dtrace-discuss] Getting incoming IP addresses by instrumenting accept(3SOCKET)?
Thanks, Nico. tcpsnoop.d helped here -

-ps

Nicolas Williams wrote:
> On Fri, Sep 08, 2006 at 01:54:59PM -0700, Prashant Srinivasan wrote:
>
>> I wrote a program to obtain the originating IP address for oncoming
>> socket connections. It's able to get the right IP address when the
>> connection is handled by Apache, or another server program. The program
>> cannot obtain the incoming IP address if the receiving program is inetd,
>> though.
>>
>> I'm instrumenting the accept(3SOCKET) call - I've inlined the code (and
>> sample output) below, in case someone can see what the problem is -
>> I'm running snv_46.
>>
>
> inetd uses TLI/XTI, not sockets.
>
> Try the tcpsnoop script in Brendan Gregg's DTrace Toolkit:
>
> http://users.tpg.com.au/adsln4yb/dtrace.html
>
> That works fine.
>
> Nico