This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: trace ARP and UDP to pid


Thanks for pointing me in the right direction. It's now clear that I am going to have to write my own tapset for this. Here is the pseudo code of what I am trying to do.


probe for sending of UDP if destination address is x.x.x.x and port is nnnn print pid of sender process

probe for sending of ARP
       print pid of sender process, IP address requested in ARP query


The reason I am doing this is glibc's old 'feature' where processes only read /etc/resolv.conf when they start. I moved my DNS servers around and now I want to restart only the processes that need it.


Thanks


Daniel Bourque




William Cohen wrote:
On 09/27/2010 03:58 PM, Daniel Bourque wrote:
Hi,

I'm trying to find what process is creating ARP and DNS packets. I approached the problem from different angles, with limited success.


The "socket.sendmsg" or "udp.sendmsg" probes are nice, and I get a valid "sock" variable and pid() works, but I am unable to get the address using ip_ntop(__ip_sock_daddr(sock)) or ip_ntop(__ip_sock_saddr(sock)); it always returns 0.0.0.0. So I have to do things like ignoring if execname() == "nfsd", and using tcpdump to correlate events.


I've done my share of BSD style programming years ago, but this is getting to a much lower level :)

So I looked at the definition. Is there a way to add to this so it can drill back to the *msghdr* structure and extract source/dest address/port?

probe socket.sendmsg = kernel.function ("sock_sendmsg")
{
       name = "socket.sendmsg"
       size = $size
       protocol = $sock->sk->sk_protocol
       family = $sock->ops->family
       state = $sock->state
       flags = $sock->flags
       type = $sock->type
}



systemtap-0.9.7-5
2.6.18-164.15.1.el5PAE

Thanks!


Hi Daniel,


The alias socket.sendmsg predefines the variables listed above. However, you should be able to access the other parameters of the function sock_sendmsg in your script. The LXR webpage for 2.6.18-164.el5 shows that $msg and $size should be available at that probe point:

http://rhkernel.org/RHEL5+2.6.18-164.el5/net/socket.c#L605

You might look at the pfiles.stp example to see how addresses are extracted from there:

http://sourceware.org/systemtap/examples/process/pfiles.stp

Would it be possible to post the script that you are working on, or a simplified example demonstrating the problem?

-Will
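The pseudocode in Daniel's reply (print the pid of a process sending UDP to a given address/port, and the pid and requested IP for ARP requests), combined with Will's pointer that $msg is reachable at the send probe, can be written as the following script. This is an added example and not code from the thread, the systemtap tapset, or the pfiles.stp example. It assumes a systemtap release with @cast/@choose_defined, that udp_sendmsg() exposes $sk, $msg and $len, and that arp_send() exposes $type, $dest_ip and $dev (field and function names were not verified against the 2.6.18-164 kernel in the thread). The resolver address and port are taken from the command line; 10.0.0.53 and 53 in the usage comment are constructed sample values.

```systemtap
#!/usr/bin/stap
# Added example (not from the thread or the systemtap project): report the
# process behind UDP sends to a chosen resolver address:port, and the process
# context in which ARP requests are generated.
#
# Assumptions, not verified against the 2.6.18-164 kernel in the thread:
#  - udp_sendmsg() exposes $sk (struct sock *), $msg (struct msghdr *), $len;
#  - arp_send() exposes $type, $dest_ip and $dev and is not inlined away;
#  - the tapset helpers ip_ntop(), ntohs() and __ip_sock_daddr() exist.
# Usage (constructed sample values): stap udp_arp_pid.stp 10.0.0.53 53

global want_ip, want_port

probe begin {
  want_ip   = @1      # x.x.x.x, first command-line argument as a string
  want_port = $2      # nnnn, second command-line argument as a number
  printf("watching UDP to %s:%d and ARP requests\n", want_ip, want_port)
}

# Destination of an outgoing UDP datagram: the sockaddr passed to
# sendto()/sendmsg() (copied into the kernel, so msg->msg_name is a kernel
# pointer here), or else the connected peer stored in the inet_sock.  glibc's
# resolver connect()s its UDP socket before send(), so DNS queries usually
# take the second path, where msg_name is NULL.
function udp_daddr:long(sk:long, msg:long) {
  name = @cast(msg, "msghdr")->msg_name
  if (name != 0)
    return @cast(name, "sockaddr_in")->sin_addr->s_addr
  return __ip_sock_daddr(sk)
}

function udp_dport:long(sk:long, msg:long) {
  name = @cast(msg, "msghdr")->msg_name
  if (name != 0)
    return ntohs(@cast(name, "sockaddr_in")->sin_port)
  # inet_dport on kernels >= 2.6.33, dport on 2.6.18-era kernels
  return ntohs(@choose_defined(@cast(sk, "inet_sock")->inet_dport,
                               @cast(sk, "inet_sock")->dport))
}

probe kernel.function("udp_sendmsg") {
  daddr = udp_daddr($sk, $msg)
  dport = udp_dport($sk, $msg)
  if (ip_ntop(daddr) == want_ip && dport == want_port)
    printf("UDP  pid=%d (%s) -> %s:%d len=%d\n",
           pid(), execname(), ip_ntop(daddr), dport, $len)
}

# ARPOP_REQUEST == 1.  The first request for an unresolved neighbour is built
# in the context of the process whose packet triggered it; retransmits run
# from the neighbour timer, where pid()/execname() describe whatever task
# happened to be interrupted, so repeated lines for the same IP are noise.
probe kernel.function("arp_send") {
  if ($type == 1)
    printf("ARP  pid=%d (%s) who-has %s via %s\n",
           pid(), execname(), ip_ntop($dest_ip), kernel_string($dev->name))
}
```

Because the script filters on the destination rather than on execname(), it does not need the "ignore nfsd" workaround from the original post; the msg_name check is what separates sendto()-style callers from connected sockets, which is where __ip_sock_daddr() alone gives 0.0.0.0 for unconnected UDP.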



