From 6391255b9beb67244324bb0a9134ec336ca8f81c Mon Sep 17 00:00:00 2001 From: Henri DF Date: Thu, 28 Apr 2016 14:13:39 -0700 Subject: [PATCH] Destroyed Sysdig notes (markdown) --- Sysdig-notes.md | 116 ------------------------------------------------ 1 file changed, 116 deletions(-) delete mode 100644 Sysdig-notes.md diff --git a/Sysdig-notes.md b/Sysdig-notes.md deleted file mode 100644 index b95e176..0000000 --- a/Sysdig-notes.md +++ /dev/null @@ -1,116 +0,0 @@ -## Notes on sysdig - -### Missing/undecoded syscalls - -- `fchmodat` needs to be decoded (from a quick experimentation, this is the one used by e.g. `/bin/chmod` on a recent linux system). - - -### Outbound UDP traffic support -UDP can be sent either via `sendto` or via `send` - -#### `connect` -The `nc` tool uses `connect`. The commands below validate that sysdig decodes UDP `connect()`s properly. Note that the 'enter' connect does not pass the filter (the state table is only updated on the syscall return?) - - -`echo -n “foo” | nc -4u -w1 10.0.2.15 1500` - -``` -$ sudo sysdig 'proc.name=nc and fd.l4proto=udp' -1617 00:09:09.388994739 0 nc (12310) < connect res=0 tuple=10.0.2.15:52575->10.0.2.15:1500 -1618 00:09:09.388995574 0 nc (12310) > fcntl fd=3(<4u>10.0.2.15:52575->10.0.2.15:1500) cmd=5(F_SETFL) -1619 00:09:09.388995725 0 nc (12310) < fcntl res=0(

) -1624 00:09:09.389009055 0 nc (12310) > write fd=3(<4u>10.0.2.15:52575->10.0.2.15:1500) size=9 -1625 00:09:09.389026498 0 nc (12310) < write res=9 data=...foo... -1628 00:09:09.389028747 0 nc (12310) > shutdown fd=3(<4u>10.0.2.15:52575->10.0.2.15:1500) how=1(SHUT_WR) -1629 00:09:09.389029898 0 nc (12310) < shutdown res=0 -``` - -#### `sendto` - -``` -00:23 vagrant@vagrant-ubuntu-trusty-64:~ -$ sudo sysdig 'syscall.type = sendto' -684 00:23:20.935487226 0 a.out (12527) > sendto fd=3(<4>) size=16 tuple=0.0.0.0:12345->0.0.0.0:12345 -685 00:23:20.935518814 0 a.out (12527) < sendto res=16 data=..09.....9...... -``` - -``` -00:22 vagrant@vagrant-ubuntu-trusty-64:~ -$ sudo sysdig 'fd.l4proto=udp' -1104 00:23:09.296146765 0 a.out (12524) < sendto res=16 data=..09............ -``` - - - -``` -#include -#include -#include - -main() -{ - - int sd; - struct sockaddr_in server; - char buf[512]; - int rc; - - server.sin_family = AF_INET; - server.sin_addr.s_addr = htonl(INADDR_ANY); - server.sin_port = htons(12345); - - sd = socket (AF_INET,SOCK_DGRAM,0); - - bind ( sd, (struct sockaddr *) &server, sizeof(server)); - - sendto(sd, &server, sizeof(server), 0, (struct sockaddr *)&server, sizeof(server)); -} -``` - -### Writing to the filesystem - -From some quick c experimentation: -- It is possible to create a file with `O_RDONLY | O_CREAT` but it is not possible to then write to it. -- It is possible to open a file with `O_RDONLY | O_APPEND` but it is not possible to write to it. 
- - -``` -#include -#include -#include -#include -#include -#include - -int main(int argc, char *argv[]) -{ - int fd; - - if(2 != argc) { - printf("\n Usage : \n"); - return 1; - } - - errno = 0; - fd = open(argv[1],O_RDONLY | O_CREAT); - - if(-1 == fd) { - printf("\n open() failed with error [%s]\n",strerror(errno)); - return 1; - } else { - printf("\n open() Successful\n"); - } - - const char *hello = "Hello"; - int ret = write(fd, hello, sizeof(hello)); - if(-1 == ret) { - printf("\n write() failed with error [%s]\n",strerror(errno)); - return 1; - } else { - printf("\n write() Successful\n"); - } - return 0; -} -``` - -
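Review bot: the commit message ("Destroyed Sysdig notes (markdown)") gives no reason for the deletion and does not say whether the content of `Sysdig-notes.md` was moved or resolved, yet the removed hunk carries concrete, still-open findings: `fchmodat` is flagged as needing a decoder, the UDP `connect` enter event is noted as not matching the `fd.l4proto=udp` filter (with a question about when the state table is updated), and the `O_RDONLY | O_CREAT` / `O_RDONLY | O_APPEND` observations describe syscall behaviour that a detection rule would care about. Suggest stating in the commit message where these notes now live or which issue tracks each item, so the history records why they disappeared. If the notes are restored elsewhere, the two C snippets should also be fixed on the way: the `#include` lines carry no header names as shown, `main()` has no return type, and `write(fd, hello, sizeof(hello))` writes `sizeof(const char *)` bytes rather than the length of the string, so the "write() Successful" path does not test what the note claims.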