On 2015-10-26 at 14:16:09 +0100, vkochan <vadi...@gmail.com> wrote: > On Mon, Oct 26, 2015 at 01:38:41PM +0100, Tobias Klauser wrote: > > On 2015-10-24 at 16:38:10 +0200, Vadim Kochan <vadi...@gmail.com> wrote: > > > From: Vadim Kochan <vadi...@gmail.com> > > > > > > Perform lookup inode by dst port too if remote traffic represented as > > > src flow, so in case if lookup by src port failed then choose > > > inode matched by dst port. > > > > > > Signed-off-by: Vadim Kochan <vadi...@gmail.com> > > > --- > > > flowtop.c | 37 +++++++++++++++++++++---------------- > > > 1 file changed, 21 insertions(+), 16 deletions(-) > > > > > > diff --git a/flowtop.c b/flowtop.c > > > index 6aa0a6e..f36e8fe 100644 > > > --- a/flowtop.c > > > +++ b/flowtop.c > > > @@ -503,40 +503,50 @@ static void walk_processes(struct flow_entry *n) > > > closedir(dir); > > > } > > > > > > -static int get_port_inode(uint16_t port, int proto, bool is_ip6) > > > +static void flow_entry_find_process(struct flow_entry *n) > > > { > > > - int ret = -ENOENT; > > > + int src_inode = 0, dst_inode = 0; > > > char path[128], buff[1024]; > > > FILE *proc; > > > > > > memset(path, 0, sizeof(path)); > > > snprintf(path, sizeof(path), "/proc/net/%s%s", > > > - l4proto2str[proto], is_ip6 ? "6" : ""); > > > + l4proto2str[n->l4_proto], n->l3_proto == AF_INET6 ? "6" : ""); > > > > > > proc = fopen(path, "r"); > > > if (!proc) > > > - return -EIO; > > > + return; > > > > > > + /* Here we try to find process's socket inode by src port, at the same > > > + * time we try to do it by dst port too which will be choosen in case > > > + * if src port inode will be not found, this is needed in case if the > > > + * 1st flow's packet will be originated from the remote server so then > > > + * local host will be represented as dst flow. > > > + */ > > > memset(buff, 0, sizeof(buff)); > > > - > > > while (fgets(buff, sizeof(buff), proc) != NULL) { > > > - int inode = 0; > > > unsigned int lport = 0; > > > + int inode = 0; > > > > > > buff[sizeof(buff) - 1] = 0; > > > if (sscanf(buff, "%*u: %*X:%X %*X:%*X %*X %*X:%*X %*X:%*X " > > > "%*X %*u %*u %u", &lport, &inode) == 2) { > > > - if ((uint16_t) lport == port) { > > > - ret = inode; > > > + > > > + if ((uint16_t) lport == n->port_src) { > > > + src_inode = inode; > > > break; > > > + } else if ((uint16_t) lport == n->port_dst) { > > > + dst_inode = inode; > > > > Shouldn't we break here as well? > Let me think again on this, I did not put break here because there might be > a case that > port_dst might be matched to some other local port earlier than port_src and > then the wrong inode might found. > But now I see that it can't be solved by this patch too ... Seems this > is not easy to find locally generated flow (except by matching with > local interface addresses) because in case if 1st flow's packet will be > generated from remote, then local traffic will be identified as dst flow ...
Ah, I see. Before you think too much about it: I'd prefer to keep the lookup logic rather simple. So if you can't figure out the inode reliably without keeping a lot of internal state or querying a lot of information (i.e. easily), I'd suggest we just keep the logic as it is and leave dst port lookup aside. -- You received this message because you are subscribed to the Google Groups "netsniff-ng" group. To unsubscribe from this group and stop receiving emails from it, send an email to netsniff-ng+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.