15bf5ca77SDevin Teske# -*- tab-width: 4 -*- ;; Emacs 25bf5ca77SDevin Teske# vi: set filetype=sh tabstop=8 shiftwidth=8 noexpandtab :: Vi/ViM 35bf5ca77SDevin Teske############################################################ IDENT(1) 45bf5ca77SDevin Teske# 55bf5ca77SDevin Teske# $Title: dwatch(8) module for dtrace_tcp(4) connections $ 65bf5ca77SDevin Teske# $Copyright: 2014-2018 Devin Teske. All rights reserved. $ 75bf5ca77SDevin Teske# 85bf5ca77SDevin Teske############################################################ DESCRIPTION 95bf5ca77SDevin Teske# 105bf5ca77SDevin Teske# Display local/remote TCP addresses/ports and bytes sent/received for TCP I/O 115bf5ca77SDevin Teske# 125bf5ca77SDevin Teske############################################################ PROBE 135bf5ca77SDevin Teske 145bf5ca77SDevin Teskecase "$PROFILE" in 155bf5ca77SDevin Tesketcp) 165bf5ca77SDevin Teske : ${PROBE:=$( echo \ 175bf5ca77SDevin Teske tcp:::accept-established, \ 185bf5ca77SDevin Teske tcp:::accept-refused, \ 195bf5ca77SDevin Teske tcp:::connect-established, \ 205bf5ca77SDevin Teske tcp:::connect-refused, \ 215bf5ca77SDevin Teske tcp:::connect-request, \ 225bf5ca77SDevin Teske tcp:::receive, \ 235bf5ca77SDevin Teske tcp:::send, \ 245bf5ca77SDevin Teske tcp:::state-change )} ;; 255bf5ca77SDevin Tesketcp-accept) 265bf5ca77SDevin Teske : ${PROBE:=tcp:::accept-established, tcp:::accept-refused} ;; 275bf5ca77SDevin Tesketcp-connect) 285bf5ca77SDevin Teske : ${PROBE:=$( echo \ 295bf5ca77SDevin Teske tcp:::connect-established, \ 305bf5ca77SDevin Teske tcp:::connect-refused, \ 315bf5ca77SDevin Teske tcp:::connect-request )} ;; 325bf5ca77SDevin Tesketcp-established) 335bf5ca77SDevin Teske : ${PROBE:=tcp:::accept-established, tcp:::connect-established} ;; 345bf5ca77SDevin Tesketcp-init) 355bf5ca77SDevin Teske : ${PROBE:=$( echo \ 365bf5ca77SDevin Teske tcp:::accept-established, \ 375bf5ca77SDevin Teske tcp:::accept-refused, \ 385bf5ca77SDevin Teske tcp:::connect-established, \ 395bf5ca77SDevin Teske tcp:::connect-refused, \ 405bf5ca77SDevin Teske tcp:::connect-request )} ;; 415bf5ca77SDevin Tesketcp-io) 425bf5ca77SDevin Teske : ${PROBE:=tcp:::send, tcp:::receive} ;; 435bf5ca77SDevin Tesketcp-refused) 445bf5ca77SDevin Teske : ${PROBE:=tcp:::accept-refused, tcp:::connect-refused} ;; 455bf5ca77SDevin Tesketcp-status) 465bf5ca77SDevin Teske : ${PROBE:=$( echo \ 475bf5ca77SDevin Teske tcp:::accept-established, \ 485bf5ca77SDevin Teske tcp:::accept-refused, \ 495bf5ca77SDevin Teske tcp:::connect-established, \ 505bf5ca77SDevin Teske tcp:::connect-refused, \ 515bf5ca77SDevin Teske tcp:::connect-request, \ 525bf5ca77SDevin Teske tcp:::state-change )} ;; 535bf5ca77SDevin Teske*) 545bf5ca77SDevin Teske : ${PROBE:=tcp:::${PROFILE#tcp-}} 555bf5ca77SDevin Teskeesac 565bf5ca77SDevin Teske 575bf5ca77SDevin Teske############################################################ ACTIONS 585bf5ca77SDevin Teske 595bf5ca77SDevin Teskeexec 9<<EOF 605bf5ca77SDevin Teskethis int32_t from_state; 615bf5ca77SDevin Teskethis int32_t to_state; 625bf5ca77SDevin Teskethis string details; 635bf5ca77SDevin Teskethis string flow; 645bf5ca77SDevin Teskethis string local; 655bf5ca77SDevin Teskethis string remote; 665bf5ca77SDevin Teskethis u_char local6; 675bf5ca77SDevin Teskethis u_char remote6; 685bf5ca77SDevin Teskethis u_char slocal; 695bf5ca77SDevin Teskethis uint16_t lport; 705bf5ca77SDevin Teskethis uint16_t rport; 715bf5ca77SDevin Teskethis uint32_t length; 725bf5ca77SDevin Teske 735bf5ca77SDevin Teskeinline string probeflow[string name] = 745bf5ca77SDevin Teske name == "accept-established" ? "<-" : 755bf5ca77SDevin Teske name == "accept-refused" ? "X-" : 765bf5ca77SDevin Teske name == "connect-refused" ? "-X" : 775bf5ca77SDevin Teske name == "connect-request" ? "-?" : 785bf5ca77SDevin Teske name == "receive" ? "<-" : 795bf5ca77SDevin Teske "->"; 805bf5ca77SDevin Teske 815bf5ca77SDevin Teskeinline u_char srclocal[string name] = 825bf5ca77SDevin Teske name == "accept-refused" ? 1 : 835bf5ca77SDevin Teske name == "connect-request" ? 1 : 845bf5ca77SDevin Teske name == "send" ? 1 : 855bf5ca77SDevin Teske 0; 865bf5ca77SDevin Teske 875bf5ca77SDevin Teske/* 885bf5ca77SDevin Teske * TCPSTATES from <sys/netinet/tcp_fsm.h> used by netstat(1) 895bf5ca77SDevin Teske */ 905bf5ca77SDevin Teskeinline string tcpstate[int32_t state] = 915bf5ca77SDevin Teske state == TCPS_CLOSED ? "CLOSED" : 925bf5ca77SDevin Teske state == TCPS_LISTEN ? "LISTEN" : 935bf5ca77SDevin Teske state == TCPS_SYN_SENT ? "SYN_SENT" : 945bf5ca77SDevin Teske state == TCPS_SYN_RECEIVED ? "SYN_RCVD" : 955bf5ca77SDevin Teske state == TCPS_ESTABLISHED ? "ESTABLISHED" : 965bf5ca77SDevin Teske state == TCPS_CLOSE_WAIT ? "CLOSE_WAIT" : 975bf5ca77SDevin Teske state == TCPS_FIN_WAIT_1 ? "FIN_WAIT_1" : 985bf5ca77SDevin Teske state == TCPS_CLOSING ? "CLOSING" : 995bf5ca77SDevin Teske state == TCPS_LAST_ACK ? "LAST_ACK" : 1005bf5ca77SDevin Teske state == TCPS_FIN_WAIT_2 ? "FIN_WAIT_2" : 1015bf5ca77SDevin Teske state == TCPS_TIME_WAIT ? "TIME_WAIT" : 1025bf5ca77SDevin Teske strjoin("UNKNOWN(", strjoin(lltostr(state), ")")); 1035bf5ca77SDevin Teske 1045bf5ca77SDevin Teske$PROBE /* probe ID $ID */ 1055bf5ca77SDevin Teske{${TRACE:+ 1065bf5ca77SDevin Teske printf("<$ID>");} 1075bf5ca77SDevin Teske this->details = ""; 1085bf5ca77SDevin Teske 1095bf5ca77SDevin Teske /* 1105bf5ca77SDevin Teske * dtrace_tcp(4) 1115bf5ca77SDevin Teske */ 1125bf5ca77SDevin Teske this->flow = probeflow[probename]; 1135bf5ca77SDevin Teske} 1145bf5ca77SDevin Teske 1155bf5ca77SDevin Tesketcp:::accept-established, 1165bf5ca77SDevin Tesketcp:::accept-refused, 1175bf5ca77SDevin Tesketcp:::connect-established, 1185bf5ca77SDevin Tesketcp:::connect-refused, 1195bf5ca77SDevin Tesketcp:::connect-request, 1205bf5ca77SDevin Tesketcp:::receive, 1215bf5ca77SDevin Tesketcp:::send /* probe ID $(( $ID + 1 )) */ 1225bf5ca77SDevin Teske{${TRACE:+ 1235bf5ca77SDevin Teske printf("<$(( $ID + 1 ))>"); 1245bf5ca77SDevin Teske} 1255bf5ca77SDevin Teske /* 1265bf5ca77SDevin Teske * dtrace_tcp(4) 1275bf5ca77SDevin Teske */ 1285bf5ca77SDevin Teske this->slocal = srclocal[probename]; 1295bf5ca77SDevin Teske 1305bf5ca77SDevin Teske /* 1315bf5ca77SDevin Teske * ipinfo_t * 1325bf5ca77SDevin Teske */ 1335bf5ca77SDevin Teske this->local = this->slocal ? args[2]->ip_saddr : args[2]->ip_daddr; 1345bf5ca77SDevin Teske this->remote = this->slocal ? args[2]->ip_daddr : args[2]->ip_saddr; 1355bf5ca77SDevin Teske 1365bf5ca77SDevin Teske /* 1375bf5ca77SDevin Teske * tcpinfo_t * 1385bf5ca77SDevin Teske */ 1395bf5ca77SDevin Teske this->lport = this->slocal ? args[4]->tcp_sport : args[4]->tcp_dport; 1405bf5ca77SDevin Teske this->rport = this->slocal ? args[4]->tcp_dport : args[4]->tcp_sport; 1415bf5ca77SDevin Teske 1425bf5ca77SDevin Teske /* 1435bf5ca77SDevin Teske * IPv6 support 1445bf5ca77SDevin Teske */ 1455bf5ca77SDevin Teske this->local6 = strstr(this->local, ":") != NULL ? 1 : 0; 1465bf5ca77SDevin Teske this->remote6 = strstr(this->remote, ":") != NULL ? 1 : 0; 1475bf5ca77SDevin Teske this->local = strjoin(strjoin(this->local6 ? "[" : "", 1485bf5ca77SDevin Teske this->local), this->local6 ? "]" : ""); 1495bf5ca77SDevin Teske this->remote = strjoin(strjoin(this->remote6 ? "[" : "", 1505bf5ca77SDevin Teske this->remote), this->remote6 ? "]" : ""); 1515bf5ca77SDevin Teske} 1525bf5ca77SDevin Teske 1535bf5ca77SDevin Tesketcp:::state-change /* probe ID $(( $ID + 2 )) */ 1545bf5ca77SDevin Teske{${TRACE:+ 1555bf5ca77SDevin Teske printf("<$(( $ID + 2 ))>"); 1565bf5ca77SDevin Teske} 1575bf5ca77SDevin Teske /* 1585bf5ca77SDevin Teske * tcpsinfo_t * 1595bf5ca77SDevin Teske */ 1605bf5ca77SDevin Teske this->local = args[3]->tcps_laddr; 1615bf5ca77SDevin Teske this->lport = (uint16_t)args[3]->tcps_lport; 1625bf5ca77SDevin Teske this->remote = args[3]->tcps_raddr; 1635bf5ca77SDevin Teske this->rport = (uint16_t)args[3]->tcps_rport; 1645bf5ca77SDevin Teske this->to_state = (int32_t)args[3]->tcps_state; 1655bf5ca77SDevin Teske 1665bf5ca77SDevin Teske /* 1675bf5ca77SDevin Teske * tcplsinfo_t * 1685bf5ca77SDevin Teske */ 1695bf5ca77SDevin Teske this->from_state = (int32_t)args[5]->tcps_state; 1705bf5ca77SDevin Teske 1715bf5ca77SDevin Teske /* flow = "[from state]->[to state]" */ 1725bf5ca77SDevin Teske this->flow = strjoin(tcpstate[this->from_state], 1735bf5ca77SDevin Teske strjoin("->", tcpstate[this->to_state])); 1745bf5ca77SDevin Teske} 1755bf5ca77SDevin Teske 1765bf5ca77SDevin Tesketcp:::send, tcp:::receive /* pribe ID $(( $ID + 3 )) */ 1775bf5ca77SDevin Teske{${TRACE:+ 1785bf5ca77SDevin Teske printf("<$(( $ID + 3 ))>");} 1795bf5ca77SDevin Teske this->length = (uint32_t)args[2]->ip_plength - 1805bf5ca77SDevin Teske (uint8_t)args[4]->tcp_offset; 1815bf5ca77SDevin Teske 1825bf5ca77SDevin Teske /* details = " <length> byte<s>" */ 1835bf5ca77SDevin Teske this->details = strjoin( 1845bf5ca77SDevin Teske strjoin(" ", lltostr(this->length)), 1855bf5ca77SDevin Teske strjoin(" byte", this->length == 1 ? "" : "s")); 1865bf5ca77SDevin Teske} 1875bf5ca77SDevin TeskeEOF 1885bf5ca77SDevin TeskeACTIONS=$( cat <&9 ) 1895bf5ca77SDevin TeskeID=$(( $ID + 4 )) 1905bf5ca77SDevin Teske 1915bf5ca77SDevin Teske############################################################ EVENT DETAILS 1925bf5ca77SDevin Teske 193*a061d970SDevin Teskeif [ ! "$CUSTOM_DETAILS" ]; then 1945bf5ca77SDevin Teskeexec 9<<EOF 1955bf5ca77SDevin Teske /* 1965bf5ca77SDevin Teske * Print details 1975bf5ca77SDevin Teske */ 1985bf5ca77SDevin Teske printf("%s:%u %s %s:%u%s", 1995bf5ca77SDevin Teske this->local, this->lport, 2005bf5ca77SDevin Teske this->flow, 2015bf5ca77SDevin Teske this->remote, this->rport, 2025bf5ca77SDevin Teske this->details); 2035bf5ca77SDevin TeskeEOF 2045bf5ca77SDevin TeskeEVENT_DETAILS=$( cat <&9 ) 205*a061d970SDevin Teskefi 2065bf5ca77SDevin Teske 2075bf5ca77SDevin Teske################################################################################ 2085bf5ca77SDevin Teske# END 2095bf5ca77SDevin Teske################################################################################ 210