      1 #!/usr/bin/ksh
      2 #
      3 # tcpsnoop - snoop TCP network packets by process. 
      4 #            Written using DTrace (Solaris 10 3/05)
      5 #
      6 # This analyses TCP network packets and prints the responsible PID and UID,
      7 # plus standard details such as IP address and port. This captures traffic
      8 # of newly created TCP connections that were established while this program
      9 # was running. It can help identify which process is causing TCP traffic.
     10 #
     11 # WARNING: This script may only work on Solaris 10 3/05, since it uses the
     12 # fbt provider to trace the raw operation of a specific version of the kernel.
     13 # In the future, a 'stable' network provider should exist which will allow
     14 # this to be written for that and subsequent versions of the kernel. In the
     15 # meantime, check for other versions of this script in the /Net directory,
     16 # and read the Notes/ALLfbt_notes.txt for more background on fbt.
     17 #
     18 # $Id: tcpsnoop,v 1.1.1.1 2015/09/30 22:01:07 christos Exp $
     19 #
     20 # USAGE:       tcpsnoop [-a|hjsvZ] [-n name] [-p pid]
     21 #
     22 #		-a             # print all data
     23 #		-j             # print project ID
     24 #		-s             # print time, us
     25 #		-v             # print time, string
     26 #		-Z             # print zone ID
     27 #		-n name        # command name to snoop
     28 #		-p pid         # PID to snoop
     29 #	eg,
     30 #		tcpsnoop -v              # human readable timestamps
     31 #		tcpsnoop -Z              # print zonename
     32 #		tcpsnoop -n sshd         # snoop sshd traffic only
     33 #
     34 # FIELDS:
     35 #		UID     	user ID
     36 #		PID     	process ID
     37 #		CMD     	command
     38 #		LADDR		local IP address
     39 #		RADDR		remote IP address
     40 #		LPORT		local port number
     41 #		RPORT		remote port number
     42 #		DR      	direction
     43 #		SIZE    	packet size, bytes
     44 #		TIME    	timestamp, us
     45 #		STRTIME    	human readable timestamp, string
     46 #		ZONE    	zone ID
     47 #		PROJ    	project ID
     48 #
     49 # SEE ALSO: snoop -rS
     50 #
     51 # COPYRIGHT: Copyright (c) 2005, 2006 Brendan Gregg.
     52 #
     53 # CDDL HEADER START
     54 #
     55 #  The contents of this file are subject to the terms of the
     56 #  Common Development and Distribution License, Version 1.0 only
     57 #  (the "License").  You may not use this file except in compliance
     58 #  with the License.
     59 #
     60 #  You can obtain a copy of the license at Docs/cddl1.txt
     61 #  or http://www.opensolaris.org/os/licensing.
     62 #  See the License for the specific language governing permissions
     63 #  and limitations under the License.
     64 #
     65 # CDDL HEADER END
     66 #
     67 # Author: Brendan Gregg  [Sydney, Australia]
     68 #
     69 # TODO: IPv6
     70 #
     71 # CODE:
     72 #  The FILTER syntax matches on packets rather than initial 
     73 #  connections, so that it can follow inetd connections properly.
     74 #
     75 # 09-Jul-2004  Brendan Gregg	Created this.
     76 # 12-Mar-2005     "      "	Changed probes, size info now printed.
     77 # 02-Jul-2005     "      "	Many more probes. Renamed "tcpsnoop.d".
     78 # 04-Jul-2005     "      "	Now wrapped in shell, called "tcpsnoop".
     79 # 03-Dec-2005	  "	 "	Fixed tcp_accept_finish bug, now 100% correct
     80 #				execname. Thanks Kias Belgaied for expertise.
     81 # 20-Apr-2006     "      "      Fixed SS_TCP_FAST_ACCEPT bug in build 31+.
     82 # 20-Apr-2006     "      "      Last update.
     83 #
     84 
     85 ##############################
     86 # --- Process Arguments ---
     87 #
     88 
     89 ### default variables
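### default variables
opt_name=0; opt_time=0; opt_timestr=0; filter=0; pname=.
opt_zone=0; opt_proj=0; opt_pid=0; pid=0

### process options
while getopts ahjsvZn:p: name
do
	case $name in
	a)      opt_time=1; opt_timestr=1; opt_zone=1; opt_proj=1 ;;
	n)      opt_name=1; pname=$OPTARG ;;
	p)      opt_pid=1; pid=$OPTARG ;;
	j)      opt_proj=1 ;;
	s)      opt_time=1 ;;
	v)      opt_timestr=1 ;;
	Z)      opt_zone=1 ;;
	h|?)    cat <<-END >&2
		USAGE: tcpsnoop [-a|hjsvZ] [-n name] [-p pid]
		       tcpsnoop                # default output
		                -a             # print all data
		                -j             # print project ID
		                -s             # print start time, us
		                -v             # print start time, string
		                -Z             # print zonename
		                -n name        # command name to snoop
		                -p pid         # PID to snoop
		  eg,
		      tcpsnoop -v              # human readable timestamps
		      tcpsnoop -Z              # print zonename
		      tcpsnoop -n sshd         # snoop sshd traffic only
		END
		exit 1
	esac
done

### validate option arguments
#
# The -p and -n values are pasted verbatim into the D program text that
# dtrace compiles further down, and this tool normally runs with elevated
# privileges. Refuse anything that is not plain data, so that an argument
# can only ever select traffic and never change the program being traced.
if (( opt_pid )); then
	case $pid in
	# empty or containing a non-digit: not a PID
	''|*[!0-9]*)
		echo "tcpsnoop: -p requires a numeric PID" >&2
		exit 1 ;;
	esac
fi
if (( opt_name )); then
	case $pname in
	# a double quote or backslash would end or escape the D string literal,
	# shell wildcard characters could be expanded where the value is
	# spliced in, and a newline cannot appear inside a D string literal
	*\"*|*\\*|*\**|*\?*|*\[*|*"
"*)
		echo "tcpsnoop: -n name contains unsupported characters" >&2
		exit 1 ;;
	esac
fi

### option logic
if (( opt_name || opt_pid )); then
	filter=1
fi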
    127 
    128 #################################
    129 # --- Main Program, DTrace ---
    130 #
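# The D program is assembled as text: the shell closes the single-quoted
# string, pastes in an option value, and reopens the string. Each pasted
# value is double-quoted so the shell does not word-split or glob it.
# NOTE(review): quoting does not stop a crafted -n or -p value from changing
# the D source itself, so those values must be restricted (digits for the
# PID, no double quote or backslash in the name) before this point - confirm
# that the option parsing enforces this.
/usr/sbin/dtrace -Cs <( print -r '
 /*
  * Command line arguments
  *
  * OPT_* are 0/1 switches, PID and NAME are the -p and -n filter values,
  * and FILTER is 1 when either filter was requested.
  */
 inline int OPT_name    = '"$opt_name"';
 inline int OPT_pid     = '"$opt_pid"';
 inline int OPT_time    = '"$opt_time"';
 inline int OPT_timestr = '"$opt_timestr"';
 inline int OPT_zone    = '"$opt_zone"';
 inline int OPT_proj    = '"$opt_proj"';
 inline int PID         = '"$pid"';
 inline int FILTER      = '"$filter"';
 inline string NAME     = "'"$pname"'";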
    144 
    145 #pragma D option quiet
    146 #pragma D option switchrate=10hz
    147 
    148 #include <sys/file.h>
    149 #include <inet/common.h>
    150 #include <sys/byteorder.h>
    151 #include <sys/socket.h>
    152 #include <sys/socketvar.h>
    153 
/*
 * Print header
 *
 * Fires once when tracing starts. The optional columns are printed first,
 * in the same order (TIME, STRTIME, ZONE, PROJ) that the packet-printing
 * clauses use, followed by the fixed columns.
 */
dtrace:::BEGIN
{
	/* print optional headers */
	OPT_time    ? printf("%-14s ", "TIME") : 1;
	OPT_timestr ? printf("%-20s ", "STRTIME") : 1;
	OPT_zone    ? printf("%4s ", "ZONE") : 1;
	OPT_proj    ? printf("%4s ", "PROJ") : 1;

	/* print main headers */
	printf("%5s %6s %-15s %5s %2s %-15s %5s %5s %s\n",
	    "UID", "PID", "LADDR", "LPORT", "DR", "RADDR", "RPORT", 
	    "SIZE", "CMD");
}
    170 
    171 
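/*
 * TCP Process inbound connections
 *
 * 0x00200000 has been hardcoded. It was SS_TCP_FAST_ACCEPT, but was
 * renamed to SS_DIRECT around build 31.
 *
 * Clauses for the same probe run in program order. The entry clause
 * remembers the socket passed to sotpi_accept, the sotpi_create return
 * clause captures the sonode returned while that accept is in progress,
 * and the first accept return clause records which process owns the
 * resulting connection. The last clause always resets the thread-local
 * socket pointers.
 */
fbt:sockfs:sotpi_accept:entry
/(arg1 & FREAD) && (arg1 & FWRITE) && (args[0]->so_state & 0x00200000)/
{
	self->sop = args[0];
}

fbt:sockfs:sotpi_create:return
/self->sop/
{
	self->nsop = (struct sonode *)arg1;
}

/*
 * Record the owner of the accepted connection, keyed by its conn_t.
 *
 * NOTE(review): the key is the conn_t pointer cast to int. If int is
 * narrower than a kernel pointer the cast drops the high bits, and two
 * connections could then share a key and be attributed to the wrong
 * process - confirm on 64-bit kernels.
 */
fbt:sockfs:sotpi_accept:return
/self->nsop/
{
	this->tcpp = (tcp_t *)self->nsop->so_priv;
	self->connp = (conn_t *)this->tcpp->tcp_connp;
	tname[(int)self->connp] = execname;
	tpid[(int)self->connp] = pid;
	tuid[(int)self->connp] = uid;
	/*
	 * Record the project ID as the outbound path does; without this the
	 * PROJ column of inbound connections only ever shows the cleared value.
	 */
	OPT_proj ? tproj[(int)self->connp] = curpsinfo->pr_projid : 1;
}

fbt:sockfs:sotpi_accept:return
{
	self->nsop = 0;
	self->sop = 0;
}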
    205 
/*
 * TCP Process outbound connections
 *
 * Treats arg0 of tcp_connect as a tcp_t, follows it to the conn_t, and
 * records the calling process (execname, pid, uid and, with -j, project
 * ID) against that connection.
 *
 * NOTE(review): the key is the conn_t pointer cast to int. If int is
 * narrower than a kernel pointer the cast drops the high bits, and two
 * connections could then share a key and be attributed to the wrong
 * process - confirm on 64-bit kernels.
 */
fbt:ip:tcp_connect:entry
{
	this->tcpp = (tcp_t *)arg0;
	self->connp = (conn_t *)this->tcpp->tcp_connp;
	tname[(int)self->connp] = execname;
	tpid[(int)self->connp] = pid;
	tuid[(int)self->connp] = uid;
	OPT_proj ? tproj[(int)self->connp] = curpsinfo->pr_projid : 1;
}
    218 
/*
 * TCP Data translations
 *
 * Runs when an accept or connect returns with self->connp set. Reads the
 * ports and addresses out of the conn_t, converts them to printable form,
 * stores them in the per-connection tables, and finally sets tok so the
 * read and write clauses start reporting this connection.
 */
fbt:sockfs:sotpi_accept:return,
fbt:ip:tcp_connect:return
/self->connp/
{
	/* fetch ports (byte-swapped unless the build is big endian) */
#if defined(_BIG_ENDIAN)
	self->lport = self->connp->u_port.tcpu_ports.tcpu_lport;
	self->fport = self->connp->u_port.tcpu_ports.tcpu_fport;
#else
	self->lport = BSWAP_16(self->connp->u_port.tcpu_ports.tcpu_lport);
	self->fport = BSWAP_16(self->connp->u_port.tcpu_ports.tcpu_fport);
#endif

	/*
	 * fetch IPv4 addresses: only bytes 12 to 15 of the 16-byte address
	 * fields are read (presumably the IPv4 part of a mapped address -
	 * confirm; IPv6 is listed as a TODO in the file header)
	 */
	this->fad12 =
	    (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[12];
	this->fad13 =
	    (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[13];
	this->fad14 =
	    (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[14];
	this->fad15 =
	    (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[15];
	this->lad12 =
	    (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[12];
	this->lad13 =
	    (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[13];
	this->lad14 =
	    (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[14];
	this->lad15 =
	    (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[15];

	/*
	 * convert type for use with lltostr(): a negative value is mapped
	 * back into the 0 to 255 range by adding 256
	 */
	this->fad12 = this->fad12 < 0 ? 256 + this->fad12 : this->fad12;
	this->fad13 = this->fad13 < 0 ? 256 + this->fad13 : this->fad13;
	this->fad14 = this->fad14 < 0 ? 256 + this->fad14 : this->fad14;
	this->fad15 = this->fad15 < 0 ? 256 + this->fad15 : this->fad15;
	this->lad12 = this->lad12 < 0 ? 256 + this->lad12 : this->lad12;
	this->lad13 = this->lad13 < 0 ? 256 + this->lad13 : this->lad13;
	this->lad14 = this->lad14 < 0 ? 256 + this->lad14 : this->lad14;
	this->lad15 = this->lad15 < 0 ? 256 + this->lad15 : this->lad15;

	/* stringify addresses as dotted quads */
	self->faddr = strjoin(lltostr(this->fad12), ".");
	self->faddr = strjoin(self->faddr, strjoin(lltostr(this->fad13), "."));
	self->faddr = strjoin(self->faddr, strjoin(lltostr(this->fad14), "."));
	self->faddr = strjoin(self->faddr, lltostr(this->fad15 + 0));
	self->laddr = strjoin(lltostr(this->lad12), ".");
	self->laddr = strjoin(self->laddr, strjoin(lltostr(this->lad13), "."));
	self->laddr = strjoin(self->laddr, strjoin(lltostr(this->lad14), "."));
	self->laddr = strjoin(self->laddr, lltostr(this->lad15 + 0));

	/* fix direction and save values */
	tladdr[(int)self->connp] = self->laddr;
	tfaddr[(int)self->connp] = self->faddr;
	tlport[(int)self->connp] = self->lport;
	tfport[(int)self->connp] = self->fport;

	/* all systems go: the read/write clauses are gated on tok */
	tok[(int)self->connp] = 1;
}
    282 
/*
 * TCP Clear connp
 *
 * Treats the return value of tcp_get_conn as a conn_t and resets the
 * ownership state stored under its key. Clearing tok stops the read and
 * write clauses from reporting the key until a later accept or connect
 * sets it again. The address and port tables are not cleared here.
 * NOTE(review): presumably this guards against a reused conn_t being
 * attributed to the previous owner - confirm.
 */
fbt:ip:tcp_get_conn:return
{
	/* Q_TO_CONN */
	this->connp = (conn_t *)arg1;
	tok[(int)this->connp] = 0;
	tpid[(int)this->connp] = 0;
	tuid[(int)this->connp] = 0;
	tname[(int)this->connp] = 0;
	tproj[(int)this->connp] = 0;
}
    296 
/*
 * TCP Process "port closed"
 *
 * Only active when no -n or -p filter was given. Takes the zone ID from
 * the conn_t behind the kernel global tcp_g_q, and builds the address
 * strings from the IP header at args[1]->b_rptr. Sets self->reset so the
 * tcp_xchg and return clauses finish the record.
 */
fbt:ip:tcp_xmit_early_reset:entry
/FILTER == 0/
{
	this->queuep = (queue_t *)`tcp_g_q; /* ` */
	this->connp = (conn_t *)this->queuep->q_ptr;
	this->tcpp = (tcp_t *)this->connp->conn_tcp;
	self->zoneid = this->connp->conn_zoneid;

	/*
	 * split addresses: the low byte of each 32-bit field becomes the
	 * first printed octet. NOTE(review): this ordering looks specific to
	 * a little endian host - confirm the output on big endian systems.
	 */
	this->ipha = (ipha_t *)args[1]->b_rptr;
	this->fad15 = (this->ipha->ipha_src & 0xff000000) >> 24;
	this->fad14 = (this->ipha->ipha_src & 0x00ff0000) >> 16;
	this->fad13 = (this->ipha->ipha_src & 0x0000ff00) >> 8;
	this->fad12 = (this->ipha->ipha_src & 0x000000ff);
	this->lad15 = (this->ipha->ipha_dst & 0xff000000) >> 24;
	this->lad14 = (this->ipha->ipha_dst & 0x00ff0000) >> 16;
	this->lad13 = (this->ipha->ipha_dst & 0x0000ff00) >> 8;
	this->lad12 = (this->ipha->ipha_dst & 0x000000ff);

	/* stringify addresses */
	self->faddr = strjoin(lltostr(this->fad12), ".");
	self->faddr = strjoin(self->faddr, strjoin(lltostr(this->fad13), "."));
	self->faddr = strjoin(self->faddr, strjoin(lltostr(this->fad14), "."));
	self->faddr = strjoin(self->faddr, lltostr(this->fad15 + 0));
	self->laddr = strjoin(lltostr(this->lad12), ".");
	self->laddr = strjoin(self->laddr, strjoin(lltostr(this->lad13), "."));
	self->laddr = strjoin(self->laddr, strjoin(lltostr(this->lad14), "."));
	self->laddr = strjoin(self->laddr, lltostr(this->lad15 + 0));

	self->reset = 1;
}
    331 
/*
 * TCP Fetch "port closed" ports
 *
 * Runs only while an early reset is being processed on this thread
 * (self->reset) and takes the two ports from arg0 and arg1 of tcp_xchg.
 *
 * NOTE(review): the two assignments after #endif overwrite the values
 * chosen by the #if/#else above, so the conditional stores look
 * redundant. Confirm which conversion is intended.
 */
fbt:ip:tcp_xchg:entry
/self->reset/
{
#if defined(_BIG_ENDIAN)
	self->lport = (uint16_t)arg0;
	self->fport = (uint16_t)arg1;
#else
	self->lport = BSWAP_16((uint16_t)arg0);
	self->fport = BSWAP_16((uint16_t)arg1);
#endif
	self->lport = BE16_TO_U16(arg0);
	self->fport = BE16_TO_U16(arg1);
}
    348 
/*
 * TCP Print "port closed"
 *
 * Only active when no -n or -p filter was given. Prints two lines for the
 * rejected connection, one inbound and one outbound, with the command
 * shown as <closed> and UID, PID and project all 0, because no process is
 * recorded for it. The size is a fixed 54 bytes rather than a measured
 * value (presumably the combined header lengths - confirm).
 */
fbt:ip:tcp_xmit_early_reset:return
/FILTER == 0/
{
	self->name = "<closed>";
	self->pid = 0;
	self->uid = 0;
	self->proj = 0;
	self->size = 54;	/* should check trailers */
	/* first line: the inbound packet */
	self->dir = "<-";
	OPT_time ? printf("%-14d ", timestamp/1000) : 1;
	OPT_timestr ? printf("%-20Y ", walltimestamp) : 1;
	OPT_zone ? printf("%4d ", self->zoneid) : 1;
	OPT_proj ? printf("%4d ", self->proj) : 1;
        printf("%5d %6d %-15s %5d %2s %-15s %5d %5d %s\n",
	    self->uid, self->pid, self->laddr, self->lport, self->dir,
	    self->faddr, self->fport, self->size, self->name);
	/* second line: the outbound reply */
	self->dir = "->";
	OPT_time ? printf("%-14d ", timestamp/1000) : 1;
	OPT_timestr ? printf("%-20Y ", walltimestamp) : 1;
	OPT_zone ? printf("%4d ", self->zoneid) : 1;
	OPT_proj ? printf("%4d ", self->proj) : 1;
        printf("%5d %6d %-15s %5d %2s %-15s %5d %5d %s\n",
	    self->uid, self->pid, self->laddr, self->lport, self->dir,
	    self->faddr, self->fport, self->size, self->name);
	/* release the thread-local state used for this record */
	self->reset = 0;
	self->size = 0;
	self->name = 0;
	self->zoneid = 0;
}
    381 
/*
 * TCP Process Write
 *
 * The first clause remembers the conn_t of the tcp_t being sent on. The
 * second runs only for connections marked ready (tok) and loads the
 * stored owner and endpoint details into thread-local variables for the
 * print clause further down. self->ok = 2 is the signal that clause
 * tests for.
 *
 * The reported UID, PID and command come from the tables filled in at
 * accept or connect time, not from the thread that happens to be on CPU,
 * except for the inetd hand-over handled below.
 */
fbt:ip:tcp_send_data:entry
{
	self->conn_p = (conn_t *)args[0]->tcp_connp;
}

fbt:ip:tcp_send_data:entry
/tok[(int)self->conn_p]/
{
        self->dir = "->";
	/* payload size plus 14 (presumably the link-layer header - confirm) */
        self->size = msgdsize(args[2]) + 14;	/* should check trailers */
	self->uid = tuid[(int)self->conn_p];
	self->laddr = tladdr[(int)self->conn_p];
	self->faddr = tfaddr[(int)self->conn_p];
	self->lport = tlport[(int)self->conn_p];
	self->fport = tfport[(int)self->conn_p];
	OPT_proj ? self->proj = tproj[(int)self->conn_p] : 1;
	self->zoneid = self->conn_p->conn_zoneid;
        self->ok = 2;

	/*
	 * follow inetd -> in.* transitions: when the recorded owner is
	 * inetd and the current pid is non-zero, switch to the current
	 * process and write that back so later packets keep the new owner
	 */
	self->name = pid && (tname[(int)self->conn_p] == "inetd") ?
	    execname : tname[(int)self->conn_p];
	self->pid = pid && (tname[(int)self->conn_p] == "inetd") ?
	    pid : tpid[(int)self->conn_p];
	tname[(int)self->conn_p] = self->name;
	tpid[(int)self->conn_p] = self->pid;
}
    412 
/*
 * TCP Process Read
 *
 * The first clause treats arg0 as the conn_t and measures the packet for
 * every call. The second runs only for connections marked ready (tok)
 * and loads the stored owner and endpoint details into thread-local
 * variables for the print clause further down. self->ok = 2 is the
 * signal that clause tests for.
 */
fbt:ip:tcp_rput_data:entry
{
	self->conn_p = (conn_t *)arg0;
	/* payload size plus 14 (presumably the link-layer header - confirm) */
        self->size = msgdsize(args[1]) + 14;	/* should check trailers */
}

fbt:ip:tcp_rput_data:entry
/tok[(int)self->conn_p]/
{
	self->dir = "<-";
	self->uid = tuid[(int)self->conn_p];
	self->laddr = tladdr[(int)self->conn_p];
	self->faddr = tfaddr[(int)self->conn_p];
	self->lport = tlport[(int)self->conn_p];
	self->fport = tfport[(int)self->conn_p];
	OPT_proj ? self->proj = tproj[(int)self->conn_p] : 1;
	self->zoneid = self->conn_p->conn_zoneid;
	self->ok = 2;

	/*
	 * follow inetd -> in.* transitions: when the recorded owner is
	 * inetd and the current pid is non-zero, switch to the current
	 * process and write that back so later packets keep the new owner
	 */
	self->name = pid && (tname[(int)self->conn_p] == "inetd") ?
	    execname : tname[(int)self->conn_p];
	self->pid = pid && (tname[(int)self->conn_p] == "inetd") ?
	    pid : tpid[(int)self->conn_p];
	tname[(int)self->conn_p] = self->name;
	tpid[(int)self->conn_p] = self->pid;
}
    443 
/*
 * TCP Complete printing outbound handshake
 *
 * The first clause loads the recorded owner of the connection. The second
 * applies the -n and -p filter and prints one outbound line with a fixed
 * size of 54 bytes; the size is not measured.
 */
fbt:ip:tcp_connect:return
/self->connp/
{
	self->name = tname[(int)self->connp];
	self->pid = tpid[(int)self->connp];
	self->uid = tuid[(int)self->connp];
	self->zoneid = self->connp->conn_zoneid;
	OPT_proj ? self->proj = tproj[(int)self->connp] : 1;
	self->size = 54;	/* should check trailers */
	self->dir = "->";
}

fbt:ip:tcp_connect:return
/(self->connp) &&
 ((FILTER == 0) ||
 (OPT_pid && self->pid == PID) ||
 (OPT_name && self->name == NAME))/
{
	/* this packet occurred before connp was fully established */
	OPT_time ? printf("%-14d ", timestamp/1000) : 1;
	OPT_timestr ? printf("%-20Y ", walltimestamp) : 1;
	OPT_zone ? printf("%4d ", self->zoneid) : 1;
	OPT_proj ? printf("%4d ", self->proj) : 1;
        printf("%5d %6d %-15s %5d %2s %-15s %5d %5d %s\n",
	    self->uid, self->pid, self->laddr, self->lport, self->dir,
	    self->faddr, self->fport, self->size, self->name);
}
    474 
/*
 * TCP Complete printing inbound handshake
 *
 * The first clause loads the recorded owner of the accepted connection.
 * The second applies the -n and -p filter and prints three lines, inbound,
 * outbound, inbound, each with a fixed size of 54 bytes (presumably one
 * line per packet of the handshake - confirm). The lines are generated
 * after the fact, so all three carry the time of the accept return.
 */
fbt:sockfs:sotpi_accept:return
/self->connp/
{
	self->name = tname[(int)self->connp];
	self->pid = tpid[(int)self->connp];
	self->uid = tuid[(int)self->connp];
	self->zoneid = self->connp->conn_zoneid;
	OPT_proj ? self->proj = tproj[(int)self->connp] : 1;
	self->size = 54;	/* should check trailers */
	self->dir = "<-";
}

fbt:sockfs:sotpi_accept:return
/(self->connp) &&
 ((FILTER == 0) ||
 (OPT_pid && self->pid == PID) ||
 (OPT_name && self->name == NAME))/
{
	/* these packets occurred before connp was fully established */
	OPT_time ? printf("%-14d ", timestamp/1000) : 1;
	OPT_timestr ? printf("%-20Y ", walltimestamp) : 1;
	OPT_zone ? printf("%4d ", self->zoneid) : 1;
	OPT_proj ? printf("%4d ", self->proj) : 1;
        printf("%5d %6d %-15s %5d %2s %-15s %5d %5d %s\n",
	    self->uid, self->pid, self->laddr, self->lport, self->dir,
	    self->faddr, self->fport, self->size, self->name);
	self->dir = "->";
	OPT_time ? printf("%-14d ", timestamp/1000) : 1;
	OPT_timestr ? printf("%-20Y ", walltimestamp) : 1;
	OPT_zone ? printf("%4d ", self->zoneid) : 1;
	OPT_proj ? printf("%4d ", self->proj) : 1;
        printf("%5d %6d %-15s %5d %2s %-15s %5d %5d %s\n",
	    self->uid, self->pid, self->laddr, self->lport, self->dir,
	    self->faddr, self->fport, self->size, self->name);
	self->dir = "<-";
	OPT_time ? printf("%-14d ", timestamp/1000) : 1;
	OPT_timestr ? printf("%-20Y ", walltimestamp) : 1;
	OPT_zone ? printf("%4d ", self->zoneid) : 1;
	OPT_proj ? printf("%4d ", self->proj) : 1;
        printf("%5d %6d %-15s %5d %2s %-15s %5d %5d %s\n",
	    self->uid, self->pid, self->laddr, self->lport, self->dir,
	    self->faddr, self->fport, self->size, self->name);
}
    521 
/*
 * Print output
 *
 * Prints one line per traced read or write. It fires only when an earlier
 * clause on the same probe set self->ok to 2, and then only if no filter
 * is active or the recorded PID or command name matches the -p or -n
 * value.
 */
fbt:ip:tcp_send_data:entry,
fbt:ip:tcp_rput_data:entry
/(self->ok == 2) && 
 ((FILTER == 0) ||
 (OPT_pid && self->pid == PID) ||
 (OPT_name && self->name == NAME))/
{
	/* print optional fields */
	OPT_time ? printf("%-14d ", timestamp/1000) : 1;
	OPT_timestr ? printf("%-20Y ", walltimestamp) : 1;
	OPT_zone ? printf("%4d ", self->zoneid) : 1;
	OPT_proj ? printf("%4d ", self->proj) : 1;

	/* print output line */
        printf("%5d %6d %-15s %5d %2s %-15s %5d %5d %s\n",
	    self->uid, self->pid, self->laddr, self->lport, self->dir,
	    self->faddr, self->fport, self->size, self->name);
}
    543 
/*
 * TCP Clear connect variables
 *
 * Comes after the handshake clauses for the same probes, so it runs once
 * they have printed. Zeroing the thread-local variables releases them and
 * keeps values from one connection out of the next record on this thread.
 * self->proj, self->zoneid, self->size and self->dir are not reset here.
 */
fbt:sockfs:sotpi_accept:return,
fbt:ip:tcp_connect:return
/self->connp/
{
	self->faddr = 0;
	self->laddr = 0;
	self->fport = 0;
	self->lport = 0;
	self->connp = 0;
	self->name = 0;
	self->pid = 0;
	self->uid = 0;
}
    560 
/*
 * TCP Clear r/w variables
 *
 * Unconditional and placed after the print clause for the same probes, so
 * it runs once that clause has had its chance to print. Resetting
 * self->ok here means a later packet is printed only if its own
 * connection is marked ready.
 */
fbt:ip:tcp_send_data:entry,
fbt:ip:tcp_rput_data:entry
{
	self->ok = 0;
	self->dir = 0;
	self->uid = 0;
	self->pid = 0;
	self->size = 0;
	self->name = 0;
	self->lport = 0;
	self->fport = 0;
	self->laddr = 0;
	self->faddr = 0;
	self->conn_p = 0;
	self->zoneid = 0;
	self->proj = 0;
}
    581 ')
    582