
FreeBSD dwatch profile: gource-net

  1. # -*- tab-width: 4 -*- ;; Emacs
  2. # vi: set filetype=sh tabstop=8 shiftwidth=8 noexpandtab :: Vi/ViM
  3. ############################################################ IDENT(1)
  4. #
  5. # $Title: dwatch(8) gource module for network activity $
  6. # $Copyright: 2014-2018 Devin Teske. All rights reserved. $
  7. # $FrauBSD$
  8. #
  9. ############################################################ DESCRIPTION
  10. #
  11. # Produce gource custom log format for network activity
  12. #
  13. # Requires saving https://pastebin.com/1fe4Bjci to
  14. #     /usr/local/libexec/dwatch/gource-net-raw
  15. #
  16. ############################################################ PROBE
  17.  
  18. load_profile gource-net-raw
  19.  
  20. ############################################################ GLOBALS
  21.  
  22. : ${_DEBUG=}
  23.  
  24. ############################################################ MAIN
  25.  
  26. [ "$DEBUG$EXIT_AFTER_COMPILE" ] || info "Watching '$PROBE' ..."
  27. {
  28.     sockstat -cPtcp | awk -v debug="$_DEBUG" '
  29.     ################################################## BEGIN
  30.     BEGIN {
  31.         stdout = "/dev/stdout"
  32.         stderr = "/dev/stderr"
  33.  
  34.         delete uid
  35.         delete gid
  36.         while ((cmd = "getent passwd") | getline pwinfo) {
  37.             if (split(pwinfo, pwf, /:/) < 3) continue
  38.             if (uid[pwf[1]] || gid[pwf[1]]) continue
  39.             uid[pwf[1]] = pwf[3]
  40.             gid[pwf[1]] = pwf[4]
  41.         }
  42.         close(cmd)
  43.         delete pwf
  44.         pwinfo = cmd = ""
  45.  
  46.         getline hdr
  47.         (cmd = "date +\"%s: %Y %b %e %T\"") | getline epoch_dt
  48.         close(cmd)
  49.         epoch = dt = epoch_dt
  50.         sub(/: .*/, "", epoch)
  51.         sub(/.*: /, "", dt)
  52.     }
  53.     ################################################## FUNCTIONS
  54.     function dwatch(user, ucomm, pid, event) {
  55.         printf "%s %u.%u %s[%u]: %u tcp " event "\n",
  56.             dt, uid[user], gid[user], ucomm, pid, epoch
  57.         fflush(stdout)
  58.     }
  59.     ################################################## MAIN
  60.     (user = $1)(ucomm = $2)(pid = $3)(local = $6)(remote = $7) {
  61.         dwatch(user, ucomm, pid, local " ACCEPT " remote)
  62.     }
  63.     ################################################## END
  64.     END {
  65.         if (!debug) exit
  66.         print "DEBUG: END OF SOCKSTAT" > stderr
  67.         fflush(stderr)
  68.     }
  69.     ' # END-QUOTE
  70.     eval dwatch $ARGV -qX gource-net-raw
  71. } | awk -v debug=$_DEBUG '
  72.     ################################################## BEGIN
  73.     BEGIN {
  74.         stdout = "/dev/stdout"
  75.         stderr = "/dev/stderr"
  76.  
  77.         date = "[[:digit:]]+ [A-Z][a-z][a-z] [0-9 ][0-9]"
  78.         time = "[0-9][0-9]:[0-9][0-9]:[0-9][0-9]"
  79.         rcvd = "/input|#e62020"
  80.         send = "/output|#32cd32"
  81.  
  82.         delete noptr
  83.         delete addr2host
  84.         addr2host["127.0.0.1"] = addr2host["::1"] = "localhost"
  85.  
  86.         delete port2service
  87.         while (getline < "/etc/services") {
  88.             if (/^[[:space:]]*(#|$)/ || !sub("/tcp.*", "", $2))
  89.                 continue
  90.             port2service[$2] = $1
  91.         }
  92.     }
  93.     ################################################## FUNCTIONS
  94.     function dprint(text) {
  95.         if (!debug) return
  96.         print "DEBUG: " text > stderr
  97.         fflush(stderr)
  98.     }
  99.     function gource(user, type, path,        str) {
  100.         str = sprintf("%u|%s|%s|%s", epoch, user, type, path)
  101.         print str
  102.         fflush(stdout)
  103.         dprint(str)
  104.     }
  105.     function add(user, path) {
  106.         gource(user, "A", path)
  107.         gource(user, "A", path rcvd)
  108.         gource(user, "A", path send)
  109.     }
  110.     function mod(user, path) {
  111.         gource(user, path ~ "/udp/" ? "D" : "M", path)
  112.     }
  113.     function del(user, path) {
  114.         gource(user, "D", path send)
  115.         gource(user, "D", path rcvd)
  116.         gource(user, "D", path)
  117.     }
  118.     function service(port,        name) {
  119.         return (name = port2service[port]) ? name : port
  120.     }
  121.     function host(addr,        name, record, n, fields) {
  122.         if (addr in addr2host) return addr2host[addr]
  123.         if (addr in noptr) return addr
  124.         (cmd = "host " addr) | getline record
  125.         close(cmd)
  126.         n = split(record, fields)
  127.         if (fields[n-1] == "pointer") {
  128.             sub(/\.$/, "", fields[n])
  129.             return addr2host[addr] = fields[n]
  130.         }
  131.         noptr[addr] = 1
  132.         return addr
  133.     }
  134.     ################################################## MAIN
  135.     debug { dprint($0) }
  136.     length(datetime = substr($0, 1, 20)) != 20 { next }
  137.     datetime !~ "^" date " " time "$" { next }
  138.     (epoch = $7) ~ /^[[:digit:]]+/ {
  139.         curproc = $6
  140.         sub(/:$/, "", curproc)
  141.         family = $8
  142.         remote = $11
  143.         if (!remote) next
  144.         if (match(remote, /:[0-9]+$/)) remote = sprintf("%s/%s/%s",
  145.             host(substr(remote, 1, RSTART-1)), family,
  146.             service(substr(remote, RSTART+1)))
  147.         else
  148.             remote = host(remote)
  149.     }
  150.     $10 == "ACCEPT" || $10 == "CONNECT" { add(curproc, remote) }
  151.     $10 == "RCVD" { mod(curproc, remote rcvd) }
  152.     $10 == "SEND" { mod(curproc, remote send) }
  153.     $10 == "CLOSE" && remote != "0.0.0.0:0" { del(curproc, remote) }
  154.     ################################################## END
  155. ' # END-QUOTE
  156.  
  157. exit $SUCCESS
  158.  
  159. ################################################################################
  160. # END
  161. ################################################################################