On Wed, Feb 4, 2015 at 8:19 PM, F Rafi <farhanible(a)gmail.com> wrote:
After some log analysis it looks like filtering on "a2=10" only shows network activity.
From what I understand, this is the address length (int addrlen) argument in the sys_connect function.
Traced it down to this comment in socket.c. Sounds like filtering for a2=10
and a2=18 (to account for IPv6) may work.
#define MAX_SOCK_ADDR 128 /* 108 for Unix domain -
                             16 for IP, 16 for IPX,
                             24 for IPv6,
                             about 80 for AX.25
                             must be at least one bigger than
                             the AF_UNIX size (see net/unix/af_unix.c
                             :unix_mkname()). */
10 hex = 16 dec and 18 hex = 24 dec
I hope someone can correct me if I sound like I'm not all there.
[Ooops, hit "reply" instead of "reply-to-all"]
A few things come to mind with this approach:
* This will not work on x86 due to the socketcall() syscall multiplexer.
* This doesn't solve the problem for applications that leverage the address family independent sockaddr_storage structure.
--
paul moore
www.paul-moore.com
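As an added example that is not part of either message, the following Python parses constructed audit SYSCALL records and shows what the a2=10 / a2=18 approach keeps and what Paul's sockaddr_storage point drops. It assumes x86_64 records (arch=c000003e, where syscall 42 is connect(2)); the log lines, pids and command names are made up.

```python
import re

# Constructed audit.log SYSCALL records (not real captures). arch=c000003e is
# x86_64, where syscall 42 is connect(2) and a2 is its addrlen argument in hex.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1423099144.001:101): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd0 a2=10 a3=0 pid=2001 comm="curl"
type=SYSCALL msg=audit(1423099144.002:102): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd0 a2=18 a3=0 pid=2002 comm="ssh"
type=SYSCALL msg=audit(1423099144.003:103): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffd0 a2=80 a3=0 pid=2003 comm="myapp"
type=SYSCALL msg=audit(1423099144.004:104): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffd0 a2=6e a3=0 pid=2004 comm="dbus-daemon"
type=SYSCALL msg=audit(1423099144.005:105): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd0 a2=1c a3=0 pid=2005 comm="ping6"
"""

# On 32-bit x86 connect() arrives as syscall=102 (socketcall) with a0=3
# (SYS_CONNECT) and a pointer to the argument array in a1; the address length
# is read from user memory and never appears as a2, which is Paul's first point.
NR_CONNECT_X86_64 = "42"

# What a given addrlen usually means (the sizeof of the sockaddr variant passed).
# 24 is the IPv6 figure from the socket.c comment quoted in the thread; the
# struct sockaddr_in6 userland actually passes is 28 bytes (0x1c).
ADDRLEN_HINT = {
    16: "IPv4, sizeof(struct sockaddr_in)",
    24: "IPv6 as quoted in the old socket.c comment",
    28: "IPv6, sizeof(struct sockaddr_in6)",
    110: "Unix domain, sizeof(struct sockaddr_un)",
    128: "sizeof(struct sockaddr_storage), address family not visible here",
}

def parse_record(line):
    """Split an audit record into a key=value dict (quoted values kept whole)."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))

def connect_addrlens(log):
    """Return (comm, addrlen) for each x86_64 connect() record in the log."""
    out = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != NR_CONNECT_X86_64:
            continue
        out.append((rec["comm"].strip('"'), int(rec["a2"], 16)))
    return out

def thread_filter(log):
    """The approach from the thread: keep connects with a2=10 or a2=18."""
    return [comm for comm, n in connect_addrlens(log) if n in (0x10, 0x18)]

def missed_by_thread_filter(log):
    """Connects the a2 filter drops, with the likely reason for each length."""
    return [(comm, n, ADDRLEN_HINT.get(n, "unknown"))
            for comm, n in connect_addrlens(log) if n not in (0x10, 0x18)]
```

Running `missed_by_thread_filter(SAMPLE_LOG)` lists the sockaddr_storage (a2=80), Unix domain (a2=6e) and sockaddr_in6 (a2=1c) connects that a rule on a2=10/a2=18 would never show.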