@amitu
Created March 20, 2012 12:49
dtrace script to monitor all network send activity
/*
 * First script: uses the tcp provider (available from Lion on). The provider's
 * probe arguments are positional: args[2] is the ipinfo_t (ip_saddr/ip_daddr)
 * and args[4] the tcpinfo_t (tcp_sport/tcp_dport); the original referenced
 * these fields through args[1], which is the csinfo_t and has no such members.
 * The predicate limits output to sends to port 80; drop it to see all sends.
 */
tcp:::send
/args[4]->tcp_dport == 80/
{
    printf("Packet sent: %s:%u -> %s:%u on behalf of %s (PID: %d, UID: %d)\n",
        args[2]->ip_saddr, args[4]->tcp_sport,
        args[2]->ip_daddr, args[4]->tcp_dport,
        execname, pid, uid);
}
#!/usr/sbin/dtrace -C -q -s
/*
 * Second script: Snow Leopard has no tcp provider, so this hooks connect(2)
 * and reads the ports out of the kernel socket / inpcb structures instead.
 * -C runs the script through cpp so the macros below work.
 *
 * inp_lport and inp_fport are stored in network byte order. Q_BIG_ENDIAN is
 * never defined here, so the byte-swapping branch is used, which is correct
 * on little-endian (Intel) Macs. The casts are uint16_t rather than short so
 * that ports >= 32768 are not sign-extended before printf prints them.
 */
#if Q_BIG_ENDIAN
#define ntohs(x) ((uint16_t)(x))
#else
#define ntohs(x) ((uint16_t) (((((uint16_t)(x)) & 0xFF) << 8) | ((((uint16_t)(x)) >> 8) & 0xFF)))
#endif

inline int AF_INET = 2;

/* Entry: remember, per thread, the fd being connected and its socket. */
syscall::connect:entry,
syscall::connect_nocancel:entry
/ !self->trace /
{
    self->connectFD = arg0;
    self->sock = ((struct socket *) (curproc->p_fd->fd_ofiles[self->connectFD]->f_fglob->fg_data));
    self->trace = 1;
}

/*
 * Return, IPv4 sockets only: print uid, local port and remote port.
 * Clause-local (this->) variables replace the original's global ones, which
 * are shared across CPUs and can be clobbered by concurrent connect() calls.
 */
syscall::connect:return,
syscall::connect_nocancel:return
/ self->trace && (self->sock->so_proto->pr_domain->dom_family == AF_INET) /
{
    this->pcb = (struct inpcb *) self->sock->so_pcb;
    this->localPort = ntohs((uint16_t) this->pcb->inp_lport);
    this->remotePort = ntohs((uint16_t) this->pcb->inp_fport);
    printf("%u %u -> %u\n", uid, this->localPort, this->remotePort);
}

/* Return (fires after the clause above): clear the per-thread state. */
syscall::connect:return,
syscall::connect_nocancel:return
/ self->trace /
{
    self->connectFD = 0;
    self->sock = 0;
    self->trace = 0;
}
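As an added example that is not part of this gist, the Python below parses the lines the two scripts print (the formats are taken from their printf calls: "Packet sent: ... on behalf of ... (PID: ..., UID: ...)" and "uid lport -> rport"), tallies connections per user and destination port, and lists destinations outside a small allowlist. The sample output lines are constructed, with documentation-range addresses, to match those formats.

```python
"""Post-process the output of the two DTrace scripts above.

Added example, not code from the gist. The sample lines are constructed to
match the scripts' printf formats; the allowlist of ports is an assumption.
"""
import re
from collections import Counter

# Format printed by the tcp:::send script (Lion and later)
SEND_RE = re.compile(
    r"^Packet sent: (?P<saddr>\S+):(?P<sport>\d+) -> (?P<daddr>\S+):(?P<dport>\d+) "
    r"on behalf of (?P<exec>.+?) \(PID: (?P<pid>\d+), UID: (?P<uid>\d+)\)$"
)
# Format printed by the connect(2) script (Snow Leopard): "uid lport -> rport"
CONNECT_RE = re.compile(r"^(?P<uid>\d+) (?P<lport>\d+) -> (?P<rport>\d+)$")

# Constructed sample output (documentation-range addresses, made-up pids)
SAMPLE_OUTPUT = [
    "Packet sent: 10.0.0.5:52344 -> 198.51.100.20:80 on behalf of curl (PID: 4242, UID: 501)",
    "Packet sent: 10.0.0.5:52344 -> 198.51.100.20:80 on behalf of curl (PID: 4242, UID: 501)",
    "Packet sent: 10.0.0.5:52390 -> 203.0.113.7:80 on behalf of Safari (PID: 311, UID: 501)",
    "501 52401 -> 443",
    "0 52402 -> 25",
    "dtrace: description 'tcp:::send' matched 1 probe",  # neither format
]


def parse_line(line):
    """Return a dict for one event, or None when the line matches neither format."""
    line = line.strip()
    m = SEND_RE.match(line)
    if m:
        d = m.groupdict()
        return {
            "kind": "send", "uid": int(d["uid"]), "pid": int(d["pid"]),
            "exec": d["exec"], "saddr": d["saddr"], "sport": int(d["sport"]),
            "daddr": d["daddr"], "dport": int(d["dport"]),
        }
    m = CONNECT_RE.match(line)
    if m:
        d = m.groupdict()
        # The connect script prints no addresses or process name, only ports.
        return {"kind": "connect", "uid": int(d["uid"]),
                "lport": int(d["lport"]), "dport": int(d["rport"])}
    return None


def summarize(lines):
    """Count events per (uid, destination port), and send events per (exec, daddr, dport)."""
    by_uid_port = Counter()
    by_exec = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        by_uid_port[(ev["uid"], ev["dport"])] += 1
        if ev["kind"] == "send":
            by_exec[(ev["exec"], ev["daddr"], ev["dport"])] += 1
    return by_uid_port, by_exec


def unexpected_ports(lines, allowed=frozenset({80, 443})):
    """Sorted (uid, dport) pairs whose destination port is outside the allowlist."""
    by_uid_port, _ = summarize(lines)
    return sorted(key for key in by_uid_port if key[1] not in allowed)


if __name__ == "__main__":
    per_uid_port, per_exec = summarize(SAMPLE_OUTPUT)
    for (uid, dport), n in sorted(per_uid_port.items()):
        print(f"uid {uid} -> port {dport}: {n} event(s)")
    for (exe, daddr, dport), n in sorted(per_exec.items()):
        print(f"{exe} -> {daddr}:{dport}: {n} send(s)")
    print("outside allowlist:", unexpected_ports(SAMPLE_OUTPUT))
```

In practice the script would read live output, for example `sudo dtrace -s send.d | python3 summarize.py` with `sys.stdin` in place of `SAMPLE_OUTPUT`; the parser deliberately ignores dtrace's own status lines so they never pollute the tallies.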
amitu commented Mar 20, 2012

$ sudo dtrace -s send.d

amitu commented Mar 21, 2012

Snow Leopard appears to not support the TCP dtrace provider, which is new in Lion. The second script is for Snow Leopard.
