This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
Re: trace ARP and UDP to pid
- From: William Cohen <wcohen at redhat dot com>
- To: systemtap at sourceware dot org
- Date: Mon, 27 Sep 2010 16:21:56 -0400
- Subject: Re: trace ARP and UDP to pid
- References: <4CA0F768.8010706@weatherdata.com>
On 09/27/2010 03:58 PM, Daniel Bourque wrote:
> Hi,
>
> I'm trying to find what process is creating ARP and DNS packets. I approached the problem from different angles, with limited success.
>
>
> The "socket.sendmsg" or "udp.sendmsg" are nice, and I get a valid "sock" variable and pid() works, but I am unable to get the address using ip_ntop(__ip_sock_daddr(sock)) or ip_ntop(__ip_sock_saddr(sock)). It always returns 0.0.0.0, so I have to do things like ignoring if execname() == "nfsd", and using tcpdump to correlate events.
>
> I've done my share of BSD style programming years ago, but this is getting to a much lower level :)
>
> So I look at the definition. Is there a way to add to this so it can drill back to the *msghdr* structure and extract source/dest address/port?
>
> probe socket.sendmsg = kernel.function ("sock_sendmsg")
> {
> name = "socket.sendmsg"
> size = $size
> protocol = $sock->sk->sk_protocol
> family = $sock->ops->family
> state = $sock->state
> flags = $sock->flags
> type = $sock->type
> }
>
>
>
> systemtap-0.9.7-5
> 2.6.18-164.15.1.el5PAE
>
> Thanks!
>
Hi,
Is this on ipv4 or ipv6? The ip_ntop() works for ipv4, but it might not work on ipv6.
-Will
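An added example, not part of the thread and not the systemtap project's own tapset code, showing one way to get the destination that the quoted sock_sendmsg probe cannot see. For an unconnected UDP socket (the usual case for a DNS client using sendto()) the kernel has not stored a peer on the sock, so __ip_sock_daddr() yields 0.0.0.0; the destination for that call is in the msghdr's msg_name, a struct sockaddr_in. The script reads it via @cast, falls back to the sock's stored peer for connected sockets, and restricts itself to IPv4 UDP (family 2, protocol 17). Assumptions: a SystemTap with @cast support and the ip_ntop() tapset function, kernel debuginfo that contains struct sockaddr_in, and that $sock, $msg and $size are the parameters of sock_sendmsg on the kernel in use. The byte-swap helper is defined locally rather than relying on a tapset ntohs().

```systemtap
# Added example (not from the thread): attribute IPv4 UDP sends to a PID and
# recover the destination from the msghdr when the socket is unconnected.

# Network-to-host swap for a 16-bit port; defined here so the script does not
# depend on a tapset ntohs() being present in this SystemTap version.
function __swap16:long(v:long) { return ((v & 0xff) << 8) | ((v >> 8) & 0xff) }

probe kernel.function("sock_sendmsg")
{
  # AF_INET == 2, IPPROTO_UDP == 17 (kernel constants). IPv6 sockets carry a
  # sockaddr_in6 in msg_name, so they are deliberately skipped here.
  if ($sock->ops->family != 2 || $sock->sk->sk_protocol != 17) next

  if ($msg->msg_namelen >= 16) {
    # sendto()/sendmsg() on an unconnected socket: the caller supplied the
    # destination as a struct sockaddr_in (16 bytes) in msg_name.
    # sin_addr.s_addr and sin_port are in network byte order; ip_ntop()
    # expects the address as stored, so only the port needs swapping.
    daddr = ip_ntop(@cast($msg->msg_name, "sockaddr_in")->sin_addr->s_addr)
    dport = __swap16(@cast($msg->msg_name, "sockaddr_in")->sin_port)
  } else {
    # connect()ed socket: the peer address was stored on the sock at
    # connect() time, which is what the tapset helper reads.
    daddr = ip_ntop(__ip_sock_daddr($sock))
    dport = -1   # port not recovered on this path (assumed out of scope)
  }

  printf("%s[%d] -> %s:%d %d bytes%s\n", execname(), pid(), daddr, dport,
         $size, dport == 53 ? " (DNS)" : "")
}
```

Run it as root with `stap` and trigger a lookup (for example with `host` or `dig`) to see the resolver's process name, PID and the nameserver address printed per datagram. Two caveats: the msg_namelen check only guards the length of what userspace passed, so a sockaddr shorter than 16 bytes is treated as "no destination"; and this covers UDP only. ARP frames are emitted by the kernel's neighbour code rather than through sock_sendmsg, so they never appear here even though an application's traffic may have triggered the resolution.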