Convert a connect address of address family AF_SYSTEM into a human-readable string

Time: 2017-11-23 11:25:04

Tags: macos kernel dtrace

Background

I am writing a dtrace program that tracks an application's socket file descriptors. The goal is to produce a log that helps me find file descriptor leaks in some very complex OS X applications.

Here is my other question, with a very helpful answer.

Question

I would like my program to log the address to which a file descriptor is connected. Among the dtrace examples there is a script that does part of what I need: soconnect_mac.d; here is a link to GitHub.

soconnect_mac.d works great when applied to Firefox, but on my application it fails completely. A quick investigation showed that soconnect_mac.d can only interpret AF_INET (value 2) family addresses, while some library used by my application connects with AF_SYSTEM (value 32) family addresses.

I could not find anything that would help me convert the received address into something human-readable.

So far I have got this:

    #!/usr/sbin/dtrace -s

    inline int af_inet   = 2;  /* AF_INET defined in Kernel/sys/socket.h */
    inline int af_inet6  = 30; /* AF_INET6 defined in Kernel/sys/socket.h */
    inline int af_system = 32; /* AF_SYSTEM defined in Kernel/sys/socket.h */

    /* … some stuff (omitted by the author) */

    syscall::connect:entry
    /pid == $target && isOpened[pid, arg0] == 1/
    {
        /* assume this is sockaddr_in until we can examine family */
        this->s = (struct sockaddr_in *)copyin(arg1, arg2);
        this->f = this->s->sin_family;
        self->fileDescriptor = arg0;
    }

    /* this section is copied with pride from "soconnect_mac.d" */
    syscall::connect:entry
    /this->f == af_inet/
    {
        /* Convert port to host byte order without ntohs() being available. */
        self->port = (this->s->sin_port & 0xFF00) >> 8;
        self->port |= (this->s->sin_port & 0xFF) << 8;

        /*
         * Convert an IPv4 address into a dotted quad decimal string.
         * Until the inet_ntoa() functions are available from DTrace, this is
         * converted using the existing strjoin() and lltostr(). It's done in
         * two parts to avoid exhausting DTrace registers in one line of code.
         */
        this->a = (uint8_t *)&this->s->sin_addr;
        this->addr1 = strjoin(lltostr(this->a[0] + 0ULL),
            strjoin(".", strjoin(lltostr(this->a[1] + 0ULL), ".")));
        this->addr2 = strjoin(lltostr(this->a[2] + 0ULL),
            strjoin(".", lltostr(this->a[3] + 0ULL)));
        self->address = strjoin(this->addr1, this->addr2);
    }

    /* this section is mine */
    syscall::connect:entry
    /this->f == af_system/
    {
        /* TODO: Problem how to handle AF_SYSTEM address family */
        /* Convert port to host byte order without ntohs() being available. */
        self->port = (this->s->sin_port & 0xFF00) >> 8;
        self->port |= (this->s->sin_port & 0xFF) << 8;
        // this also doesn't work as it should
        self->address = "system family address needed here";
    }

    // a fallback
    syscall::connect:entry
    /this->f && this->f != af_inet && this->f != af_system/
    {
        /* Convert port to host byte order without ntohs() being available. */
        self->port = (this->s->sin_port & 0xFF00) >> 8;
        self->port |= (this->s->sin_port & 0xFF) << 8;
        self->address = strjoin("Can't handle family: ", lltostr(this->f));
    }

    syscall::connect:return
    /self->fileDescriptor/
    {
        this->errstr = err[errno] != NULL ? err[errno] : lltostr(errno);
        printf("%Y.%03d FD:%d Status:%s Address:%s Port:%d",
            walltimestamp, walltimestamp % 1000000000 / 1000000,
            self->fileDescriptor, this->errstr, self->address, self->port);
        self->fileDescriptor = 0;
        self->address = 0;
        self->port = 0;
    }

Even more annoying, my code cannot read the port number (I get the value 512 instead of one of 443, 8443, 5061).

IMO the problem is first in syscall::connect:entry, where it is assumed that the second argument can be treated as struct sockaddr_in. In the case of the AF_SYSTEM address family I should use struct sockaddr_storage, but I have not found any documentation or source code that directly proves this.

My AF_SYSTEM conditional section does correctly catch the events from the application I am investigating.
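The script above casts every connect() address to struct sockaddr_in and byte-swaps bytes 2..3 as a port whatever the family is. As an added example (not code from the question or from soconnect_mac.d), here is the same decoding in C, checking the family byte before interpreting the rest, run on constructed sample addresses; the sockaddr_ctl layout and AF_SYS_CONTROL == 2 are assumed from macOS <sys/kern_control.h>, and under that assumption an AF_SYSTEM kernel-control address carries ss_sysaddr == 2 at bytes 2..3, which the script's swap turns into 512.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Family values exactly as the D script declares them (Kernel/sys/socket.h). */
enum { FAM_INET = 2, FAM_INET6 = 30, FAM_SYSTEM = 32 };
/* Assumed from macOS <sys/kern_control.h>: struct sockaddr_ctl is
 * { u_char sc_len; u_char sc_family; u_int16_t ss_sysaddr; u_int32_t sc_id;
 *   u_int32_t sc_unit; u_int32_t sc_reserved[5]; } (32 bytes) with
 * AF_SYS_CONTROL == 2; macOS hosts are little-endian, so those fields are LE. */
enum { SYSADDR_CONTROL = 2, CTL_ADDR_LEN = 32, INET_ADDR_LEN = 16 };
static unsigned le16(const uint8_t *p) { return (unsigned)(p[0] | p[1] << 8); }
static unsigned le32(const uint8_t *p)
{ return (unsigned)p[0] | (unsigned)p[1] << 8 | (unsigned)p[2] << 16 | (unsigned)p[3] << 24; }

/* Exactly what the script does for every family: swap bytes 2..3 as sin_port. */
unsigned naive_port(const uint8_t *sa) { return (unsigned)(sa[2] << 8 | sa[3]); }
/* Family-aware decoding of the bytes copyin(arg1, arg2) returns; returns the family. */
int describe_sockaddr(const uint8_t *sa, size_t len, char *out, size_t outlen)
{
    if (len < 2) { snprintf(out, outlen, "short sockaddr (%zu bytes)", len); return -1; }
    int family = sa[1];                      /* BSD layout: sa_len, then sa_family */
    if (family == FAM_INET && len >= 8) {    /* sin_port at 2..3, sin_addr at 4..7 */
        snprintf(out, outlen, "%u.%u.%u.%u:%u", sa[4], sa[5], sa[6], sa[7], naive_port(sa));
    } else if (family == FAM_SYSTEM && len >= CTL_ADDR_LEN) {
        /* Bytes 2..3 are ss_sysaddr, not a port: the script's swap turns
         * AF_SYS_CONTROL (2) into 0x0200 == 512, the value reported in the question. */
        unsigned sysaddr = le16(sa + 2);
        snprintf(out, outlen, "AF_SYSTEM sysaddr=%u%s id=%u unit=%u", sysaddr,
                 sysaddr == SYSADDR_CONTROL ? " (control)" : "", le32(sa + 4), le32(sa + 8));
    } else {
        snprintf(out, outlen, "Can't handle family: %d (len %zu)", family, len);
    }
    return family;
}

/* Constructed sample: a kernel-control address with sc_id 7, sc_unit 1 (LE fields). */
size_t sample_ctl(uint8_t *buf)
{
    const uint8_t s[CTL_ADDR_LEN] = { CTL_ADDR_LEN, FAM_SYSTEM, 0x02, 0x00,
                                      7, 0, 0, 0,  1, 0, 0, 0 };  /* remainder zero */
    memcpy(buf, s, sizeof s); return sizeof s;
}
/* Constructed sample: 10.0.0.1:443 with sin_port in network byte order. */
size_t sample_inet(uint8_t *buf)
{
    const uint8_t s[INET_ADDR_LEN] = { INET_ADDR_LEN, FAM_INET, 0x01, 0xBB, 10, 0, 0, 1 };
    memcpy(buf, s, sizeof s); return sizeof s;
}
```

The same dispatch can be written in D by casting copyin()'s result to the family-specific struct only after reading the family byte, which is the check the script's first clause skips.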

0 answers:

No answers