@Qazeer
Created September 10, 2022 18:18
Simple Python script to parse auditd SOCKADDR records' saddr field
# Based on Niles's Unix & Linux StackExchange answer: https://unix.stackexchange.com/a/468698
import binascii
import socket
import struct
import sys

if len(sys.argv) < 2:
    print("Usage: decode_auditd_saddr.py <SADDR>")
    sys.exit(1)

saddr = sys.argv[1]

# An AF_INET sockaddr_in starts with the address family (2 = AF_INET, stored in
# host byte order, so "0200" on a little-endian host), followed by the 16-bit
# port and the 32-bit IPv4 address, both in network byte order. Those three
# fields are the first 16 hex characters of the saddr value.
if len(saddr) < 16 or not saddr.startswith('0200'):
    print(f"'{saddr}' does not follow a valid auditd saddr format for an IP connection")
    sys.exit(1)

# Skip the family, then unpack the big-endian port (H) and address (L).
port, ip_raw = struct.unpack('>HL', binascii.unhexlify(saddr[4:16]))
ip_addr = socket.inet_ntoa(struct.pack('>L', ip_raw))
print(f"{saddr} = {ip_addr}:{port}")
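As an added example (not the gist's code), the same decoding generalized to the other address families a SOCKADDR record can carry (AF_INET6 and AF_UNIX) and applied to whole record lines rather than a bare value. The sample records are constructed, the `SADDR_RE` pattern and function names are this example's own, and the family constants assume a little-endian host, as the gist's `0200` check does.

```python
import binascii
import ipaddress
import re
import struct

# Linux address family numbers; saddr stores sa_family_t in host byte order,
# so on a little-endian (x86) host AF_INET shows up as "0200" (assumption).
AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10
SADDR_RE = re.compile(r'\bsaddr=([0-9A-Fa-f]+)')

# Constructed SOCKADDR records (not real captures); hex built from the struct layouts.
SAMPLE_RECORDS = [
    'type=SOCKADDR msg=audit(1662834000.123:4567): saddr=02000050C0A80164' + '0' * 16,
    'type=SOCKADDR msg=audit(1662834000.124:4568): saddr='
    '0A0001BB00000000' '20010DB8000000000000000000000001' '00000000',
    'type=SOCKADDR msg=audit(1662834000.125:4569): saddr=01002F746D702F6170702E736F636B00',
]

def decode_saddr(saddr_hex: str) -> str:
    """Decode one auditd saddr hex string into a human-readable endpoint."""
    raw = binascii.unhexlify(saddr_hex)
    if len(raw) < 2:
        raise ValueError("saddr too short to contain an address family")
    (family,) = struct.unpack('<H', raw[:2])        # host order, little-endian assumed
    if family == AF_INET and len(raw) >= 8:          # sockaddr_in: port + addr, network order
        port, ip_raw = struct.unpack('>H4s', raw[2:8])
        return f"{ipaddress.IPv4Address(ip_raw)}:{port}"
    if family == AF_INET6 and len(raw) >= 24:        # sockaddr_in6: port, flowinfo, addr
        port, _flowinfo, ip_raw = struct.unpack('>HL16s', raw[2:24])
        return f"[{ipaddress.IPv6Address(ip_raw)}]:{port}"
    if family == AF_UNIX:                            # sockaddr_un: NUL-terminated path
        path = raw[2:]
        if path.startswith(b'\x00'):                 # abstract-namespace socket name
            return "unix:@" + path[1:].split(b'\x00', 1)[0].decode('utf-8', 'replace')
        return "unix:" + path.split(b'\x00', 1)[0].decode('utf-8', 'replace')
    raise ValueError(f"unsupported or truncated address family {family}")

def decode_records(lines):
    """Return (saddr, decoded) pairs for every record line carrying a saddr field."""
    results = []
    for line in lines:
        match = SADDR_RE.search(line)
        if match:
            results.append((match.group(1), decode_saddr(match.group(1))))
    return results

if __name__ == "__main__":
    for saddr, endpoint in decode_records(SAMPLE_RECORDS):
        print(f"{saddr} = {endpoint}")
```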