Hi there,
I've created a script for Solaris and OpenSolaris to monitor all outgoing TCP
and UDP connections by process, user and port.
It has some filtering capabilities, allowing you to filter traffic by port, process
or user.
It's slightly similar to Brendan's DTT/Net/connections but
I've included the monitoring of all outgoing connections and filtering
capabilities.
Here are some examples:
Usage:
# ./conntrack -h
USAGE: ./conntrack [-h] [-p port] [-c command] [-u user]
    -p port     # filter by port (incompatible with user and command)
    -c command  # filter by command (incompatible with port and user)
    -u user     # filter by user (incompatible with port and command)
  eg,
    ./conntrack -p 22   # snoop connections to port 22
- What process is listening on port 23?
# ./conntrack -p 23
PROC PID UID ZONE LPORT RPORT TYPE SOURCE
sched 0 0 global 23 36438 TCP 10.164.50.105
in.telnetd 2084 0 global 23 36438 TCP 10.164.50.105
sched 0 0 global 23 36438 TCP 10.164.50.105
sched 0 0 global 23 36438 TCP 10.164.50.105
sched 0 0 global 23 36438 TCP 10.164.50.105
in.telnetd 2084 0 global 23 36438 TCP 10.164.50.105
in.telnetd 2084 0 global 23 36438 TCP 10.164.50.105
sched 0 0 global 23 36438 TCP 10.164.50.105
sched 0 0 global 23 36438 TCP 10.164.50.105
in.telnetd 2084 0 global 23 36438 TCP 10.164.50.105
in.telnetd 2084 0 global 23 36438 TCP 10.164.50.105
login 2086 0 global 23 36438 TCP 10.164.50.105
- Where is the firefox process connecting?
# ./conntrack -c firefox-bin
PROC PID UID ZONE LPORT RPORT TYPE SOURCE
firefox-bin 1305 100 global 63640 80 TCP 212.58.226.138
firefox-bin 1305 100 global 60055 80 TCP 63.245.209.93
firefox-bin 1305 100 global 38147 80 TCP 63.245.209.93
firefox-bin 1305 100 global 61736 80 TCP 212.58.226.138
- Where and how is a specific user sending information?
# ./conntrack -u sergio
PROC PID UID ZONE LPORT RPORT TYPE SOURCE
firefox-bin 1305 100 global 57245 80 TCP 74.125.39.105
firefox-bin 1305 100 global 57245 80 TCP 74.125.39.105
firefox-bin 1305 100 global 57245 80 TCP 74.125.39.105
firefox-bin 1305 100 global 57245 80 TCP 74.125.39.105
firefox-bin 1305 100 global 64782 80 TCP 209.85.129.100
firefox-bin 1305 100 global 57245 80 TCP 74.125.39.105
thunderbird-bin 1323 100 global 45556 993 TCP 10.164.50.28
thunderbird-bin 1323 100 global 45556 993 TCP 10.164.50.28
thunderbird-bin 1323 100 global 45556 993 TCP 10.164.50.28
thunderbird-bin 1323 100 global 45556 993 TCP 10.164.50.28
You can get the latest version here:
http://blogs.corenetworks.es/wp-content/uploads/2009/08/conntrack
and the full explanation here:
http://blogs.corenetworks.es/2009/08/conntrack-dtrace-script-connections-by-process-user-and-port-on-solaris-opensolaris/
I would appreciate your feedback and comments.
Sergio.
--
This message posted from opensolaris.org
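
The listings in the post repeat the same row once per event. As an added example (not part of the original post or of conntrack itself), this shell function collapses such output to one line per process and flow, with an event count. The names `summarize_conntrack` and `sample_rows` are hypothetical, and treating the `sched` (PID 0) rows as kernel-context events belonging to the same flow is an assumption.

```shell
#!/bin/sh
# Added example (not part of conntrack): one summary line per process and flow.
# Input columns, as in the header shown in the post:
#   PROC PID UID ZONE LPORT RPORT TYPE SOURCE

summarize_conntrack() {
    awk '
        $1 == "PROC" && $2 == "PID" { next }   # header line
        NF != 8 { next }                       # prompts, blank lines, notes
        { tuple = $4 " " $5 " " $6 " " $7 " " $8 }
        $2 == 0 {                              # PID 0 rows (assumed kernel context)
            if (!(tuple in kern)) { korder[++k] = tuple; kname[tuple] = $1 " " $2 " " $3 }
            kern[tuple]++
            next
        }
        {
            key = $1 " " $2 " " $3 " " tuple
            if (!(key in events)) { order[++n] = key; flow[key] = tuple }
            events[key]++
            owned[tuple] = 1
        }
        END {
            # Output: EVENTS KERNEL_EVENTS PROC PID UID ZONE LPORT RPORT TYPE SOURCE
            for (i = 1; i <= n; i++)
                print events[order[i]], kern[flow[order[i]]] + 0, order[i]
            # Flows seen only at PID 0: no user process was attributed to them.
            for (i = 1; i <= k; i++)
                if (!(korder[i] in owned))
                    print 0, kern[korder[i]], kname[korder[i]], korder[i]
        }
    '
}

# Constructed sample rows (documentation addresses), same layout as the post.
sample_rows() {
    cat <<'EOF'
PROC PID UID ZONE LPORT RPORT TYPE SOURCE
sched 0 0 global 23 36438 TCP 192.0.2.10
in.telnetd 2084 0 global 23 36438 TCP 192.0.2.10
sched 0 0 global 23 36438 TCP 192.0.2.10
in.telnetd 2084 0 global 23 36438 TCP 192.0.2.10
login 2086 0 global 23 36438 TCP 192.0.2.10
sched 0 0 global 53 40000 UDP 192.0.2.53
EOF
}

sample_rows | summarize_conntrack
```

Rows whose first column is 0 are flows that never appeared under a user process in the capture, which makes them the ones to look at first when reviewing a long run.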