-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathnfcttrace.bt
executable file
·91 lines (78 loc) · 2.81 KB
/
nfcttrace.bt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
#!/bin/env bpftrace
// SPDX-License-Identifier: GPL-2.0-or-later
/**
* nfcttrace.bt - Show entries about TCP&UDP in nf_conntrack.
* For Linux, uses bpftrace and eBPF.
*
* USAGE: nfcttrace.bt
*
* Copyright (C) 2024 llaoj
*/
#include <net/netfilter/nf_conntrack.h>
BEGIN
{
printf("Show nf_conntrack TCP&UDP entries... Hit Ctrl-C to end.\n");
@prot2str[IPPROTO_TCP] = "tcp";
@prot2str[IPPROTO_UDP] = "udp";
}
kprobe:nf_ct_delete
{
$ct = (struct nf_conn*)arg0;
$prefix = "[nf_ct]";
$suffix = "";
$original_tuple = $ct->tuplehash[0].tuple;
$protocol = $original_tuple.dst.protonum;
// original
if ($protocol == IPPROTO_TCP || $protocol == IPPROTO_UDP) {
// print portocol
printf("%s proto=%s", $prefix, @prot2str[$protocol]);
// status
printf(" status=%s", IPS_SEEN_REPLY & $ct->status ? "replied" : "unreplied");
// print ip/ipv6
if($original_tuple.src.l3num == AF_INET){
$original_saddr = ntop(AF_INET, $original_tuple.src.u3.ip);
$original_daddr = ntop(AF_INET, $original_tuple.dst.u3.ip);
printf(" osaddr=%s odaddr=%s", $original_saddr, $original_daddr);
} else {
$original_saddr = ntop(AF_INET6, $original_tuple.src.u3.all);
$original_daddr = ntop(AF_INET6, $original_tuple.dst.u3.all);
printf(" osaddr=%s odaddr=%s", $original_saddr, $original_daddr);
}
// print port
$original_sport = $original_tuple.src.u.all;
$original_sport = bswap($original_sport);
$original_dport = $original_tuple.dst.u.all;
$original_dport = bswap($original_dport);
printf(" osport=%d odport=%d", $original_sport, $original_dport);
$prefix = "";
$suffix = "\n";
}
$reply_tuple = $ct->tuplehash[1].tuple;
$protocol = $reply_tuple.dst.protonum;
// reply
if ($protocol == IPPROTO_TCP || $protocol == IPPROTO_UDP) {
// print ip/ipv6
if ($reply_tuple.src.l3num == AF_INET) {
$reply_saddr = ntop(AF_INET, $reply_tuple.src.u3.ip);
$reply_daddr = ntop(AF_INET, $reply_tuple.dst.u3.ip);
printf(" rsaddr=%s rdaddr=%s", $reply_saddr, $reply_daddr);
} else {
$reply_saddr = ntop(AF_INET6, $reply_tuple.src.u3.all);
$reply_daddr = ntop(AF_INET6, $reply_tuple.dst.u3.all);
printf(" rsaddr=%s rdaddr=%s", $reply_saddr, $reply_daddr);
}
// print port
$reply_sport = $reply_tuple.src.u.all;
$reply_sport = bswap($reply_sport);
$reply_dport = $reply_tuple.dst.u.all;
$reply_dport = bswap($reply_dport);
printf(" rsport=%d rdport=%d", $reply_sport, $reply_dport);
$suffix = "\n";
}
printf("%s", $suffix);
}
END
{
clear(@prot2str);
printf("Bye.\n");
}