This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
trace ARP and UDP to pid
- From: Daniel Bourque <dbourque at weatherdata dot com>
- To: systemtap at sourceware dot org
- Date: Mon, 27 Sep 2010 14:58:32 -0500
- Subject: trace ARP and UDP to pid
Hi,
I'm trying to find what process is creating ARP and DNS packets. I
approached the problem from different angles, with limited success.
The "socket.sendmsg" or "udp.sendmsg" probes are nice, and I get a valid "sock"
variable and pid() works, but I am unable to get the address using
ip_ntop(__ip_sock_daddr(sock)) or ip_ntop(__ip_sock_saddr(sock)). It
always returns 0.0.0.0, so I have to do things like ignoring if
execname() == "nfsd", and using tcpdump to correlate events.
I've done my share of BSD style programming years ago, but this is
getting to a much lower level :)
So I look at the definition. Is there a way to add to this so it can
drill back to the *msghdr* structure and extract source/dest address/port?
probe socket.sendmsg = kernel.function ("sock_sendmsg")
{
    name = "socket.sendmsg"
    size = $size
    protocol = $sock->sk->sk_protocol
    family = $sock->ops->family
    state = $sock->state
    flags = $sock->flags
    type = $sock->type
}
systemtap-0.9.7-5
2.6.18-164.15.1.el5PAE
Thanks!
--
Dan
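One way to take the destination from the msghdr that the question asks about, as an added example that is not part of the original thread or the systemtap tapset: the script below probes udp_sendmsg directly and reads the sockaddr_in behind $msg->msg_name when sendto()/sendmsg() supplied one, falling back to the inet_sock fields for a connected socket; for ARP it probes arp_send, whose addresses are plain arguments. It assumes the 2.6.18 signatures udp_sendmsg(iocb, sk, msg, len) and arp_send(type, ptype, dest_ip, dev, src_ip, ...), that struct sockaddr_in is in the kernel debuginfo, and that the @cast operator and the ntohs() tapset function are available in the installed systemtap.

```systemtap
#! /usr/bin/env stap
# Added example, not from the original post. Assumed: 2.6.18-era argument
# names ($sk, $msg, $len for udp_sendmsg; $type, $dest_ip, $src_ip, $dev
# for arp_send), plus @cast and ntohs() support in the installed systemtap.

probe kernel.function("udp_sendmsg")
{
    daddr = 0
    dport = 0
    # msg_name is the struct sockaddr * filled in by sendto()/sendmsg();
    # it is NULL when the application calls send() on a connected socket.
    if ($msg->msg_name != 0 &&
        @cast($msg->msg_name, "sockaddr_in", "kernel")->sin_family == 2) {   # AF_INET
        daddr = @cast($msg->msg_name, "sockaddr_in", "kernel")->sin_addr->s_addr
        dport = ntohs(@cast($msg->msg_name, "sockaddr_in", "kernel")->sin_port)
    }
    if (daddr == 0) {
        # Connected socket: the peer lives in inet_sock (daddr/dport in 2.6.18),
        # which is what __ip_sock_daddr() reads; it stays 0 for sendto() users.
        daddr = @cast($sk, "inet_sock", "kernel")->daddr
        dport = ntohs(@cast($sk, "inet_sock", "kernel")->dport)
    }
    printf("%s[%d] udp -> %s:%d (%d bytes)\n",
           execname(), pid(), ip_ntop(daddr), dport, $len)
}

# ARP frames are built by the kernel neighbour code rather than by a
# syscall, so pid()/execname() here only name the context the probe fired
# in (often a softirq on behalf of some other task); treat them as a hint.
probe kernel.function("arp_send")
{
    printf("%s[%d] arp op=%d %s -> %s on %s\n",
           execname(), pid(), $type, ip_ntop($src_ip), ip_ntop($dest_ip),
           kernel_string($dev->name))
}
```

DNS resolvers that connect() their UDP socket take the inet_sock path, while sendto() callers take the msghdr path, so both branches are needed to avoid the 0.0.0.0 result seen above.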