From: Vadim Kochan <[email protected]> Also look up the inode by dst port when remote traffic is represented as the src flow, so that if the lookup by src port fails, the inode matched by dst port is chosen.
Signed-off-by: Vadim Kochan <[email protected]> --- flowtop.c | 37 +++++++++++++++++++++---------------- 1 file changed, 21 insertions(+), 16 deletions(-) diff --git a/flowtop.c b/flowtop.c index 6aa0a6e..f36e8fe 100644 --- a/flowtop.c +++ b/flowtop.c @@ -503,40 +503,50 @@ static void walk_processes(struct flow_entry *n) closedir(dir); } -static int get_port_inode(uint16_t port, int proto, bool is_ip6) +static void flow_entry_find_process(struct flow_entry *n) { - int ret = -ENOENT; + int src_inode = 0, dst_inode = 0; char path[128], buff[1024]; FILE *proc; memset(path, 0, sizeof(path)); snprintf(path, sizeof(path), "/proc/net/%s%s", - l4proto2str[proto], is_ip6 ? "6" : ""); + l4proto2str[n->l4_proto], n->l3_proto == AF_INET6 ? "6" : ""); proc = fopen(path, "r"); if (!proc) - return -EIO; + return; + /* Here we try to find process's socket inode by src port, at the same + * time we try to do it by dst port too which will be choosen in case + * if src port inode will be not found, this is needed in case if the + * 1st flow's packet will be originated from the remote server so then + * local host will be represented as dst flow. + */ memset(buff, 0, sizeof(buff)); - while (fgets(buff, sizeof(buff), proc) != NULL) { - int inode = 0; unsigned int lport = 0; + int inode = 0; buff[sizeof(buff) - 1] = 0; if (sscanf(buff, "%*u: %*X:%X %*X:%*X %*X %*X:%*X %*X:%*X " "%*X %*u %*u %u", &lport, &inode) == 2) { - if ((uint16_t) lport == port) { - ret = inode; + + if ((uint16_t) lport == n->port_src) { + src_inode = inode; break; + } else if ((uint16_t) lport == n->port_dst) { + dst_inode = inode; } } memset(buff, 0, sizeof(buff)); } - fclose(proc); - return ret; + + n->inode = src_inode > 0 ? src_inode : dst_inode; + if (n->inode > 0) + walk_processes(n); } #define CP_NFCT(elem, attr, x) \ 
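Review bot: The new dst-port fallback in `flow_entry_find_process()` compares only the local-port column of the `/proc/net/` table (the address is skipped with `%*X`), so when the src-port lookup fails the flow is attributed to whichever local socket uses the same number as `n->port_dst`, even if that socket is unrelated to the flow. The `else if` branch also has no first-match guard, so the last matching row wins; `} else if (!dst_inode && (uint16_t) lport == n->port_dst) {` would at least make the choice stable. For a monitoring tool a wrong process name misleads more than a missing one, so I would either compare the row's local address against the flow's addresses before accepting a dst match, or document the limit with a comment such as `/* dst-port match is by port number only and may name an unrelated local process */`. Separately, `inode` is an `int` filled through `%u`; declaring it `unsigned int` would match the conversion.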
@@ -744,12 +754,7 @@ static void flow_entry_get_extended(struct flow_entry *n) flow_entry_get_extended_revdns(n, flow_entry_dst); flow_entry_get_extended_geo(n, flow_entry_dst); - - /* Lookup application */ - n->inode = get_port_inode(n->port_src, n->l4_proto, - n->l3_proto == AF_INET6); - if (n->inode > 0) - walk_processes(n); + flow_entry_find_process(n); } static uint16_t presenter_get_port(uint16_t src, uint16_t dst, bool is_tcp) -- 2.6.1
