
    Tracing TCP Source/Destination Addresses/Ports for ongoing connections

    807559
      On Solaris 10 U4 through U7, I'm trying the following just to perform basic tracking of TCP source/destination addresses and ports, using code similar to what is available in tcpsnoop_snv and tcptop_snv.

      The odd thing is that the addresses/ports appear to be zeroed out - are they being cached outside of the conn_t data structure?
      #!/usr/sbin/dtrace -Cs
      
      /*
       * Consumer tuning.  switchrate=10hz makes the consumer switch and drain
       * the trace buffers ten times a second, so output shows up with less delay.
       * bufsize sets the principal trace buffer size and aggsize the aggregation
       * buffer size.  No aggregation appears in the visible part of this script,
       * so aggsize only matters if one is added later.
       */
      #pragma D option switchrate=10hz
      #pragma D option bufsize=512k
      #pragma D option aggsize=512k
      
      #include <sys/file.h>
      #include <inet/common.h>
      #include <sys/byteorder.h>
      #include <sys/socket.h>
      #include <sys/socketvar.h>
      
      
      /* First pass, for all TCP Read/Write actions, collect source/destination
         IP + Port - after a few secs, print them all out */
      fbt:ip:tcp_send_data:entry
      {
        /*
         * Outgoing TCP: remember the connection pointer reached through the
         * first argument's tcp_connp member.  It is kept in a thread-local so
         * the shared clause further down (same probe, later in program order)
         * can read it.
         * NOTE(review): fbt instruments kernel-internal functions, needs kernel
         * DTrace privilege, and is not a stable interface - confirm the
         * argument layout on every Solaris update this runs on.
         */
        self->connp = (conn_t *)args[0]->tcp_connp;
      }
      
      fbt:ip:tcp_rput_data:entry
      {
        /*
         * Incoming TCP: the raw first argument is cast to conn_t * and kept in
         * the same thread-local used by the outgoing clause.
         * NOTE(review): arg0 is untyped here, so the cast is taken on trust;
         * verify that tcp_rput_data() really receives the conn_t as its first
         * argument on the kernel being traced.
         */
        self->connp = (conn_t *)arg0;
      }
      
      /*
       * Shared clause for both directions.  It fires after the direction-specific
       * clause above it for the same probe, and the predicate skips the firing
       * when that clause stored a NULL connection pointer.
       */
      fbt:ip:tcp_send_data:entry,
      fbt:ip:tcp_rput_data:entry
      /self->connp/
      {
      
        /*
         * Fetch the local and foreign ports.  On little-endian hosts the 16-bit
         * values are byte-swapped; on big-endian hosts they are used as stored
         * (presumably the kernel keeps them in network byte order - confirm).
         */
      #if defined(_BIG_ENDIAN)
        self->lport = self->connp->u_port.tcpu_ports.tcpu_lport;
        self->fport = self->connp->u_port.tcpu_ports.tcpu_fport;
      #else
        self->lport = BSWAP_16(self->connp->u_port.tcpu_ports.tcpu_lport);
        self->fport = BSWAP_16(self->connp->u_port.tcpu_ports.tcpu_fport);
      #endif
      
        /*
         * Fetch the IPv4 addresses: bytes 12..15 of the 16-byte foreign and
         * local address fields, one int per octet.  These four bytes are an IPv4
         * address only when the field holds an IPv4-mapped address; for a native
         * IPv6 connection they are just the low 32 bits of the IPv6 address.
         */
        this->fad12 =
          (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[12];
        this->fad13 =
          (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[13];
        this->fad14 =
          (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[14];
        this->fad15 =
          (int)self->connp->connua_v6addr.connua_faddr._S6_un._S6_u8[15];
        this->lad12 =
          (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[12];
        this->lad13 =
          (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[13];
        this->lad14 =
          (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[14];
        this->lad15 =
          (int)self->connp->connua_v6addr.connua_laddr._S6_un._S6_u8[15];
      
       /*
        * Open question from the author: at this point the octets read from
        * connua_faddr / connua_laddr (this->fad12..15, this->lad12..15) come
        * back empty - where is this data?
        *
        * NOTE(review): nothing in this clause prints or aggregates the values,
        * and the this-> variables do not outlive the probe firing, so whatever
        * reports them has to run in this same firing.
        * NOTE(review): self->connp, self->lport and self->fport are never set
        * back to 0 in the visible script; thread-local storage is only released
        * on assignment of 0, so a long trace may start dropping dynamic
        * variables - confirm whether a later clause clears them.
        */
      }