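// Subroutine called by the syscall handler below whenever a process is seen
// opening an inet socket.
function doit {
	// Record that the current process is using the network.
	// NOTE(review): the message contains the literal word "pid"; if the
	// process id itself is meant to appear in the log, check how the log
	// statement inserts a value -- confirm.
	log "Process pid is using network ";
	// Here you can (dis)allow network connection,
	// change capabilities ....
}

// Handler run each time a syscall event is raised.
on syscall {
	// 102 is socketcall (see man 2 socketcall). Syscall numbers are
	// architecture-specific, so confirm the number on the target; a
	// platform that exposes socket() as its own syscall would not be
	// matched by this rule.
	//
	// The else below belongs to THIS test. The source as found had no
	// closing brace between the inner test and the else, so the else bound
	// to the inner test: tracing of socketcall itself was switched off by
	// the first socketcall that was not an inet socket() call (a monitoring
	// blind spot), and the handler was left unclosed.
	if (action == 102) {
		// trace1 is compared with the socketcall sub-call number and the
		// value fetched through trace2 with the protocol family.
		// NOTE(review): lpeek presumably reads a long from the user-space
		// address held in trace2 into $x -- confirm. If so, that memory
		// stays writable by the process after this check; confirm the
		// decision cannot be invalidated before the kernel reads it.
		// Only PF_INET (2) is matched; other families (for example
		// PF_INET6) are not reported by this rule.
		if ( trace1 == 1 /* SYS_SOCKET */
		     and lpeek trace2 $x /* verify_area() */
		     and $x == 2 /* PF_INET */ ) {
			// It's opening inet socket => call function doit
			doit;
		}
	} else
		// Other syscalls are not interesting =>
		// switch off tracing for them
		trace_off action;
}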