From 985c9bb97c31ae05078b716184b4ae4c3fc0e4b8 Mon Sep 17 00:00:00 2001 From: bert hubert Date: Fri, 26 Apr 2024 00:21:49 +0200 Subject: [PATCH] fix up bpftrace-based operation --- README.md | 10 +++++++--- cidr.py | 18 ------------------ netsendmsg.bt | 12 ++++++++++-- teller.cc | 30 +++++++++++++++--------------- 4 files changed, 32 insertions(+), 38 deletions(-) delete mode 100755 cidr.py diff --git a/README.md b/README.md index 8b89ff2..7a422d9 100644 --- a/README.md +++ b/README.md @@ -72,13 +72,17 @@ addresses, so you must check both sets before determining something is in fact a Google service and not a Google customer. # To run on a single process on Linux - Or, to track a single process, fe `firefox`, start it and run: ```shell sudo bpftrace netsendmsg.bt | - grep --line-buffered ^$(pgrep firefox) | - stdbuf -oL cut -f2 | ./cidr.py | ./teller + grep --line-buffered ^$(pgrep firefox) | ./teller +``` + +Or try: + +```shell +sudo bpftrace netsendmsg.bt | grep --line-buffered -i chrome | ./teller ``` And cry. diff --git a/cidr.py b/cidr.py deleted file mode 100755 index a470078..0000000 --- a/cidr.py +++ /dev/null @@ -1,18 +0,0 @@ -#!/usr/bin/env -S python3 -u -import sys -from ipaddress import ip_network, ip_address - -nets = [] -with open("goog-prefixes.txt") as f: - nets = [line.strip() for line in f.readlines()] - -for line in iter(sys.stdin.readline, ''): - line = line.strip() - for net in nets: - try: - if ip_address(line) in ip_network(net): - print(line) - - continue - except: - continue diff --git a/netsendmsg.bt b/netsendmsg.bt index 8be0c1a..4cbc31f 100644 --- a/netsendmsg.bt +++ b/netsendmsg.bt 
@@ -6,7 +6,15 @@ kprobe:tcp_sendmsg { $sk = (struct sock *)arg0; - $daddr = ntop($sk->__sk_common.skc_daddr); + if($sk->__sk_common.skc_family==2) { + $daddr = ntop($sk->__sk_common.skc_daddr); + } + else if($sk->__sk_common.skc_family==10) { + $daddr = ntop($sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8); + } - printf("%-8d\t%s\t(%s)\n", pid, $daddr, comm); + /* skc_v6_daddr, skc_family */ + + printf("direct\t%s\tpid%d\t%d\t%s\n", $daddr , pid, $sk->__sk_common.skc_family, comm); } + diff --git a/teller.cc b/teller.cc index c9fdec9..24e201b 100644 --- a/teller.cc +++ b/teller.cc @@ -139,7 +139,7 @@ int main(int argc, char** argv) } string line; while(getline(cin, line)) { - + string ip; /* 22:42:25.323984 IP 13.81.0.219.29601 > 10.0.0.3.32902: tcp 1186 22:42:25.323997 IP 10.0.0.3.32902 > 13.81.0.219.29601: tcp 0 @@ -155,17 +155,17 @@ int main(int argc, char** argv) auto pos2 = line.find('.', pos); // this misses out on IPv6 ICMP if(pos2 == string::npos) continue; line.resize(pos2); - string ip = line.substr(pos+2, pos2 - pos - 2); - - if(auto fptr = tracksneg.lookup(ip.c_str())) { - auto ptr = (TrackerConf*)fptr; - cout<name<<")"<name<<")"<counter++; - } + ip = line.substr(pos+2, pos2 - pos - 2); + } + else if(line.find("direct") ==0 ) { // ebpfscript output + auto pos = line.find('\t'); + if(pos == string::npos) + continue; + auto pos2 = line.find('\t', pos+1); + if(pos2 == string::npos) + continue; + line.resize(pos2); + ip = line.substr(pos+1); } else { auto pos = line.find('>'); @@ -182,8 +182,9 @@ int main(int argc, char** argv) if(pos2 == string::npos) continue; line.resize(pos2); - string ip=line.substr(pos+2, pos2 - pos - 2); - + ip=line.substr(pos+2, pos2 - pos - 2); + } + if(!ip.empty()) { if(auto fptr = tracksneg.lookup(ip.c_str())) { auto ptr = (TrackerConf*)fptr; cout<name<<")"<counter++; } } - } sleep(1); }
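Review bot: The new `printf` starts every line with the literal `direct` and carries the pid only as `pid%d` in the third field, yet the README recipe in this same patch still filters with `grep --line-buffered ^$(pgrep firefox)`, which can no longer match any line; either print the pid first again or change the README to match the new field, e.g. `grep --line-buffered -P "\tpid(?:$(pgrep -d'|' firefox))\t"`. When `skc_family` is neither 2 nor 10 the probe reaches the `printf` without ever assigning `$daddr` (tcp sockets should always be one of the two, but the guard is free), so an `else { return; }` after the `else if` keeps unresolved sockets out of the stream. The literals 2 and 10 are `AF_INET`/`AF_INET6`; other bpftrace tools spell them that way after `#include <linux/socket.h>`, which would also let the stale `/* skc_v6_daddr, skc_family */` note go. Finally `comm` is chosen by the process itself (prctl `PR_SET_NAME`) and may contain a tab or even a newline, so it can both opt in or out of the README's `grep -i chrome` filter and, as far as I can tell, forge a whole `direct` record for the consumer; a comment such as `/* comm is process-controlled; key on pid for anything that matters */` would warn the next reader.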
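Review bot: `line.find("direct") == 0` scans the whole of every tcpdump line for `direct` before concluding it is not a prefix; the C++17 prefix idiom is `line.rfind("direct", 0) == 0` (or `line.compare(0, 6, "direct") == 0`). The branch then hands whatever sits between the first two tabs to `tracksneg.lookup(ip.c_str())` with no check that it looks like an address, and the bpftrace script can emit either an unassigned `$daddr` for a socket family it does not handle or, for AF_INET6 sockets talking to IPv4 peers, a v4-mapped literal such as `::ffff:a.b.c.d`; whether `lookup` copes with either form is not visible here, so a sanity check on the field or a comment stating the assumption belongs at the `ip = line.substr(pos+1);` line. The `// ebpfscript output` comment would help more if it named the record it parses, e.g. `// bpftrace netsendmsg.bt record: "direct\t<dst ip>\tpid<N>\t<af>\t<comm>"; only the address field is used`. The enclosing `main` starts before and ends after this hunk.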