devinteske

FreeBSD dwatch profile: gource-net

May 26th, 2018
577
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 4.65 KB | None | 0 0
  1. # -*- tab-width: 4 -*- ;; Emacs
  2. # vi: set filetype=sh tabstop=8 shiftwidth=8 noexpandtab :: Vi/ViM
  3. ############################################################ IDENT(1)
  4. #
  5. # $Title: dwatch(8) gource module for network activity $
  6. # $Copyright: 2014-2018 Devin Teske. All rights reserved. $
  7. # $FrauBSD$
  8. #
  9. ############################################################ DESCRIPTION
  10. #
  11. # Produce gource custom log format for network activity
  12. #
  13. # Requires saving https://pastebin.com/1fe4Bjci to
  14. #     /usr/local/libexec/dwatch/gource-net-raw
  15. #
  16. ############################################################ PROBE
  17.  
  18. load_profile gource-net-raw
  19.  
  20. ############################################################ GLOBALS
  21.  
  22. : ${_DEBUG=}
  23.  
  24. ############################################################ MAIN
  25.  
  26. [ "$DEBUG$EXIT_AFTER_COMPILE" ] || info "Watching '$PROBE' ..."
  27. {
  28.     sockstat -cPtcp | awk -v debug="$_DEBUG" '
  29.     ################################################## BEGIN
  30.     BEGIN {
  31.         stdout = "/dev/stdout"
  32.         stderr = "/dev/stderr"
  33.  
  34.         delete uid
  35.         delete gid
  36.         while ((cmd = "getent passwd") | getline pwinfo) {
  37.             if (split(pwinfo, pwf, /:/) < 3) continue
  38.             if (uid[pwf[1]] || gid[pwf[1]]) continue
  39.             uid[pwf[1]] = pwf[3]
  40.             gid[pwf[1]] = pwf[4]
  41.         }
  42.         close(cmd)
  43.         delete pwf
  44.         pwinfo = cmd = ""
  45.  
  46.         getline hdr
  47.         (cmd = "date +\"%s: %Y %b %e %T\"") | getline epoch_dt
  48.         close(cmd)
  49.         epoch = dt = epoch_dt
  50.         sub(/: .*/, "", epoch)
  51.         sub(/.*: /, "", dt)
  52.     }
  53.     ################################################## FUNCTIONS
  54.     function dwatch(user, ucomm, pid, event) {
  55.         printf "%s %u.%u %s[%u]: %u tcp " event "\n",
  56.             dt, uid[user], gid[user], ucomm, pid, epoch
  57.         fflush(stdout)
  58.     }
  59.     ################################################## MAIN
  60.     (user = $1)(ucomm = $2)(pid = $3)(local = $6)(remote = $7) {
  61.         dwatch(user, ucomm, pid, local " ACCEPT " remote)
  62.     }
  63.     ################################################## END
  64.     END {
  65.         if (!debug) exit
  66.         print "DEBUG: END OF SOCKSTAT" > stderr
  67.         fflush(stderr)
  68.     }
  69.     ' # END-QUOTE
  70.     eval dwatch $ARGV -qX gource-net-raw
  71. } | awk -v debug=$_DEBUG '
  72.     ################################################## BEGIN
  73.     BEGIN {
  74.         stdout = "/dev/stdout"
  75.         stderr = "/dev/stderr"
  76.  
  77.         date = "[[:digit:]]+ [A-Z][a-z][a-z] [0-9 ][0-9]"
  78.         time = "[0-9][0-9]:[0-9][0-9]:[0-9][0-9]"
  79.         rcvd = "/input|#e62020"
  80.         send = "/output|#32cd32"
  81.  
  82.         delete noptr
  83.         delete addr2host
  84.         addr2host["127.0.0.1"] = addr2host["::1"] = "localhost"
  85.  
  86.         delete port2service
  87.         while (getline < "/etc/services") {
  88.             if (/^[[:space:]]*(#|$)/ || !sub("/tcp.*", "", $2))
  89.                 continue
  90.             port2service[$2] = $1
  91.         }
  92.     }
  93.     ################################################## FUNCTIONS
  94.     function dprint(text) {
  95.         if (!debug) return
  96.         print "DEBUG: " text > stderr
  97.         fflush(stderr)
  98.     }
  99.     function gource(user, type, path,        str) {
  100.         str = sprintf("%u|%s|%s|%s", epoch, user, type, path)
  101.         print str
  102.         fflush(stdout)
  103.         dprint(str)
  104.     }
  105.     function add(user, path) {
  106.         gource(user, "A", path)
  107.         gource(user, "A", path rcvd)
  108.         gource(user, "A", path send)
  109.     }
  110.     function mod(user, path) {
  111.         gource(user, path ~ "/udp/" ? "D" : "M", path)
  112.     }
  113.     function del(user, path) {
  114.         gource(user, "D", path send)
  115.         gource(user, "D", path rcvd)
  116.         gource(user, "D", path)
  117.     }
  118.     function service(port,        name) {
  119.         return (name = port2service[port]) ? name : port
  120.     }
  121.     function host(addr,        name, record, n, fields) {
  122.         if (addr in addr2host) return addr2host[addr]
  123.         if (addr in noptr) return addr
  124.         (cmd = "host " addr) | getline record
  125.         close(cmd)
  126.         n = split(record, fields)
  127.         if (fields[n-1] == "pointer") {
  128.             sub(/\.$/, "", fields[n])
  129.             return addr2host[addr] = fields[n]
  130.         }
  131.         noptr[addr] = 1
  132.         return addr
  133.     }
  134.     ################################################## MAIN
  135.     debug { dprint($0) }
  136.     length(datetime = substr($0, 1, 20)) != 20 { next }
  137.     datetime !~ "^" date " " time "$" { next }
  138.     (epoch = $7) ~ /^[[:digit:]]+/ {
  139.         curproc = $6
  140.         sub(/:$/, "", curproc)
  141.         family = $8
  142.         remote = $11
  143.         if (!remote) next
  144.         if (match(remote, /:[0-9]+$/)) remote = sprintf("%s/%s/%s",
  145.             host(substr(remote, 1, RSTART-1)), family,
  146.             service(substr(remote, RSTART+1)))
  147.         else
  148.             remote = host(remote)
  149.     }
  150.     $10 == "ACCEPT" || $10 == "CONNECT" { add(curproc, remote) }
  151.     $10 == "RCVD" { mod(curproc, remote rcvd) }
  152.     $10 == "SEND" { mod(curproc, remote send) }
  153.     $10 == "CLOSE" && remote != "0.0.0.0:0" { del(curproc, remote) }
  154.     ################################################## END
  155. ' # END-QUOTE
  156.  
  157. exit $SUCCESS
  158.  
  159. ################################################################################
  160. # END
  161. ################################################################################
Add Comment
Please, Sign In to add comment