💾 Archived View for thebackupbox.net › ~epoch › blog › bpftrace captured on 2024-12-17 at 10:14:26. Gemini links have been rewritten to link to archived content
stolen from here:
```
#include <net/sock.h>
#include <linux/socket.h>

kprobe:security_socket_post_create
{
  // security_socket_post_create(struct socket *sock, int family, int type, int protocol, int kern)
  // arg3 is the protocol: 1 = IPPROTO_ICMP, 58 = IPPROTO_ICMPV6
  if (arg3 == 1 || arg3 == 58) {
    // arg0 is a struct socket *, not a struct sock *; the sock is its sk member
    $sk = ((struct socket *)arg0)->sk;
    $saddr = ntop(0);
    $daddr = ntop(0);
    if ($sk->__sk_common.skc_family == AF_INET) {
      $daddr = ntop(AF_INET, $sk->__sk_common.skc_daddr);
    } else {
      $daddr = ntop(AF_INET6, $sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);
    }
    printf("%-8d %-10s, %s - ", pid, comm, $daddr);
    // resolve the executable behind the pid; system() is what forces --unsafe
    system("readlink /proc/%d/exe", pid);
  }
}
```
save it to icmp.bt and launch it: bpftrace --unsafe icmp.bt (--unsafe is needed because the script calls system())
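An added variant of the same idea (my example, not from the script's original author): it hooks the same LSM function through kfunc, so the arguments come typed by name, and it drops system() so it runs without --unsafe. It assumes a kernel built with BTF, which kfunc probes require; the socket type is printed because an unprivileged ping uses SOCK_DGRAM while a raw ICMP socket needs CAP_NET_RAW.

```bpftrace
#!/usr/bin/env bpftrace
// Added example: ICMP socket creation watcher without system(), so no --unsafe.
// Requires BTF (kfunc probes). Argument names follow the kernel prototype:
// security_socket_post_create(struct socket *sock, int family, int type, int protocol, int kern)
kfunc:security_socket_post_create
/args->protocol == 1 || args->protocol == 58/   // IPPROTO_ICMP, IPPROTO_ICMPV6
{
  // 2 = AF_INET, 10 = AF_INET6
  $family = args->family == 2 ? "AF_INET" : (args->family == 10 ? "AF_INET6" : "other");
  // 2 = SOCK_DGRAM (unprivileged "ping socket"), 3 = SOCK_RAW (needs CAP_NET_RAW)
  printf("%-8d %-8d %-16s %-8s type=%d\n", pid, uid, comm, $family, args->type);
  // keep a tally so the END block summarises which commands created ICMP sockets
  @icmp_sockets[comm, $family] = count();
}

END
{
  printf("\nICMP sockets created per command:\n");
  print(@icmp_sockets);
}
```

Resolve the executable out of band with readlink /proc/PID/exe from the printed pid, or with the pid in bpftrace's -o output; press Ctrl-C to get the END summary.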
https://github.com/iovisor/bpftrace/blob/master/docs/reference_guide.md
other tools: tracee, bcc-tools, and, if it were talking to a host, opensnitch (which doesn't intercept icmp)