
Linux sockstats plugin

Open gcmoreira opened this issue 4 years ago • 4 comments

Added Sockstat linux plugin to enumerate every single process socket.

The output format is based on the ss tools.

It supports:

  • Unix socket
  • Inet/Inet6 sockets (Based on Vol2 code).
  • Netlink sockets
  • VSock sockets (It requires vsock_sock type).
  • Packet sockets.
  • XDP sockets (eBPF): eBPF name and ID
  • Bluetooth sockets (It requires bt_sock and _*pinfo types)

It also shows cBPF/eBPF socket and reuseport filter information such as BPF program type, name and ID (if one of those filters is set in the socket). If for some reason the types required are not present in the debugging symbols, it still shows basic information about the sockets such as type, protocol and state.

Changes to the linux Lsof plugin were required to be able to reuse its filedescriptor listing capability.

Tested with the following linux kernel versions:

gcmoreira avatar Dec 10 '21 07:12 gcmoreira

All done. Also, fixed some minor stuff and changed the warning log lines to LOGLEVEL_V. Otherwise, those lines will always be shown in the output and that's not the intention.

gcmoreira avatar Dec 14 '21 06:12 gcmoreira

Current state of this is still pending a review by @atcuno

ikelos avatar Dec 19 '21 11:12 ikelos

Please check the changes in 9b0b254. If an InvalidAddressException is raised reading the addresses, it returns a "?" value and a debug message is printed, but the plugin continues. Please let me know if you are fine with it or prefer to return a different value, raise the exception and abort the plugin, or any other alternative.

gcmoreira avatar Apr 30 '22 05:04 gcmoreira

Also, in 5f70c70 I added more improvements in the way the socket family states are managed.

gcmoreira avatar Apr 30 '22 05:04 gcmoreira

Thanks for the review guys. I will finish and submit a new batch with the requested changes probably next week.

gcmoreira avatar Oct 18 '22 23:10 gcmoreira

@ikelos @digitalisx Cool, here is the last batch of fixes and improvements. Following your suggestions, I disaggregated pid, fd, address and port, and socket memory address to dedicated new columns. Previously, there was one record/line per kernel socket. This was because the kernel socket information is the same, and the task file descriptors using each socket were mentioned in a separate column. I found that awesome, summarised info and easy to spot all the 'users' of each socket. However, I also agree with you and it was hard to fit that info in just a field, and to be consumed by a library client, etc. So now that 'kernel socket -> tasks fds' association using the socket address has to be done by the end-user, or maybe can be performed by another plugin. Also, not every type of socket address has an address and a port to easily structure them in these two columns. That's why previously I decided to use a more generic source and destination addresses. I think that an unstructured data representation would be better in this case. On the other hand, I replaced all the hardcoded strings. Instead, I used a BaseAbsentValue-derived class as you also suggested.

Find attached a detailed plugin output of my tests on each kernel version, including memory dumps for each type of socket (and its variants) supported by this plugin. output.log.gz

Last but not least, as the amount of source code in this PR is substantial, I also performed a code coverage of the same executions you find in output.log above, to make sure that every (almost?) line of my code was executed in one way or another and nothing makes it crash. It looks pretty good to me. If you are curious, please have a look at the following html.

coverage_html.zip

Hope you like it and we could merge it as soon as possible. Cheers

gcmoreira avatar Oct 31 '22 05:10 gcmoreira
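The two design points discussed in this thread, continuing past an unreadable socket address with an absent-value object rather than aborting (9b0b254), and emitting one row per (pid, fd, kernel socket) so that a consumer rebuilds the socket-to-descriptor association itself, are illustrated below. This is an added example written for this page, not code from the PR or from Volatility3: the `BaseAbsentValue`, `UnreadableValue`, `NotApplicableValue` and `InvalidAddressException` classes are stand-ins modelled on the names mentioned in the discussion, and the "kernel memory" and fd table are constructed sample data.

```python
"""Row-per-descriptor socket listing with absent-value sentinels.

Stand-in classes and sample data only; this is not Volatility3's renderer
API or output.  The point demonstrated: a field whose backing memory cannot
be read is carried as an object a library client can test for, not as the
string "?", and the 'which tasks use this kernel socket' view is rebuilt by
joining rows on the socket address column.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union


class BaseAbsentValue:
    """Stand-in for a renderer 'absent value' base class (assumption)."""
    def __repr__(self) -> str:
        return "-"


class UnreadableValue(BaseAbsentValue):
    """Field whose backing memory could not be read."""
    def __repr__(self) -> str:
        return "?"


class NotApplicableValue(BaseAbsentValue):
    """Field that does not exist for this socket family (e.g. a unix port)."""
    def __repr__(self) -> str:
        return "N/A"


class InvalidAddressException(Exception):
    """Stand-in for the exception a memory layer raises on an unmapped read."""


Field = Union[int, str, BaseAbsentValue]


@dataclass(frozen=True)
class SockRow:
    pid: int
    fd: int
    sock_addr: int        # kernel socket address: the join key between rows
    family: Field
    sock_type: Field
    state: Field
    src_addr: Field
    src_port: Field


# Constructed fake kernel memory: socket address -> fields.  Address 0x30 is
# referenced by an fd below but deliberately not mapped, so reading it raises.
FAKE_SOCKS = {
    0x10: {"family": "AF_INET", "type": "STREAM", "state": "ESTABLISHED",
           "src_addr": "10.0.0.5", "src_port": 22},
    0x20: {"family": "AF_UNIX", "type": "STREAM", "state": "LISTEN",
           "src_addr": "/run/example.sock"},
}

# Constructed fake per-task fd table: (pid, fd, kernel socket address).
FAKE_FDS = [(1234, 3, 0x10), (1234, 4, 0x20), (5678, 5, 0x10), (5678, 6, 0x30)]


def read_field(addr: int, name: str) -> Field:
    sock = FAKE_SOCKS.get(addr)
    if sock is None:
        raise InvalidAddressException(f"socket at {addr:#x} is not mapped")
    return sock[name]


def read_or_absent(reader: Callable[[], Field]) -> Field:
    """Run reader(); on an unreadable address return a sentinel and continue,
    instead of aborting the whole listing."""
    try:
        return reader()
    except InvalidAddressException:
        return UnreadableValue()


def build_rows() -> List[SockRow]:
    """One row per (pid, fd); socket fields are read independently so a
    single bad pointer only blanks that socket's columns."""
    rows = []
    for pid, fd, addr in FAKE_FDS:
        family = read_or_absent(lambda: read_field(addr, "family"))
        sock_type = read_or_absent(lambda: read_field(addr, "type"))
        state = read_or_absent(lambda: read_field(addr, "state"))
        src_addr = read_or_absent(lambda: read_field(addr, "src_addr"))
        if isinstance(family, BaseAbsentValue):
            src_port: Field = UnreadableValue()
        elif family in ("AF_INET", "AF_INET6"):
            src_port = read_or_absent(lambda: read_field(addr, "src_port"))
        else:
            src_port = NotApplicableValue()   # no port concept for this family
        rows.append(SockRow(pid, fd, addr, family, sock_type, state, src_addr, src_port))
    return rows


def sockets_to_fds(rows: List[SockRow]) -> Dict[int, List[Tuple[int, int]]]:
    """Consumer-side join: kernel socket address -> [(pid, fd), ...]."""
    users: Dict[int, List[Tuple[int, int]]] = defaultdict(list)
    for r in rows:
        users[r.sock_addr].append((r.pid, r.fd))
    return dict(users)


def format_row(r: SockRow) -> str:
    """ss-style text line; sentinels render via their repr."""
    return (f"{r.family!s:<8} {r.sock_type!s:<7} {r.state!s:<12} "
            f"{r.src_addr!s}:{r.src_port!s} pid={r.pid} fd={r.fd} sock={r.sock_addr:#x}")


if __name__ == "__main__":
    all_rows = build_rows()
    for row in all_rows:
        print(format_row(row))
    for sock, fds in sockets_to_fds(all_rows).items():
        print(f"{sock:#x} used by {fds}")
```

A client that needs the old "all users of this socket" view calls `sockets_to_fds` over the rows; a client checking data quality tests `isinstance(field, BaseAbsentValue)` instead of comparing against a string.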

@ikelos the latest work from Gus looks good to me. Can you do a (final?) review on it? I don't see any comments left for me.

atcuno avatar Nov 03 '22 16:11 atcuno