Live socket monitoring with netlink inet_diag


Question


My goal is to monitor sockets and relate them to the applications that created them.
I am aware of netstat, ss, lsof and so on and that they can list all sockets with their application.
And I also know that I can parse /proc/net/tcp to get the sockets and relate them to the applications with /proc/(PID), which is exactly what these tools do, or they use netlink sockets.


My research brought me to an article which explains how to get all sockets from the kernel with netlink via the inet_diag protocol. The user space program sets up a netlink socket of the inet_diag type and sends a request to the kernel. The response consists of several messages which contain the sockets and additional related information.
This is really neat, but unfortunately the kernel sends this information only once per request. So I have to "poll" continuously.


Further research brought me to another article which monitors IP changes of interfaces with netlink route sockets continuously. The socket is bound to a multicast group and then messages are read from it in an endless loop.


So I investigated if there is the same possibility with the inet_diag sockets. Unfortunately I am not really able to understand kernel code. But as far as I can tell there are no multicast groups for this socket family.


At this point I am stuck and I need to know if this approach is somehow feasible or somebody knows any other hints.

Answer


You can try dtrace if every tool you mentioned can't meet your requirements.
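The dump-per-request scheme the question describes, as an added example written for this page (not the asker's or the answerer's code): it builds the inet_diag dump request, parses the reply messages and, since nothing here talks to a kernel, parses a constructed sample reply. It assumes Linux with the UAPI headers linux/netlink.h, linux/sock_diag.h and linux/inet_diag.h.

```c
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <linux/netlink.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>

struct diag_req { struct nlmsghdr nlh; struct inet_diag_req_v2 req; };
struct sock_info { uint32_t inode, uid; uint16_t sport, dport; uint8_t state; };
/* One-shot dump request for every IPv4 TCP socket in any state; it is sent on
   a socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG) each time the monitor polls. */
void build_tcp_dump_request(struct diag_req *r) {
    memset(r, 0, sizeof *r);
    r->nlh.nlmsg_len = NLMSG_LENGTH(sizeof r->req);
    r->nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
    r->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
    r->req.sdiag_family = AF_INET;
    r->req.sdiag_protocol = IPPROTO_TCP;
    r->req.idiag_states = 0xffffffff; /* bitmask of TCP states: all of them */
}
/* Walk one recv() buffer of the reply, copying up to max sockets into out.
   Returns the count, sets *done at NLMSG_DONE, returns -1 on NLMSG_ERROR. */
int parse_diag_reply(const void *buf, int len, struct sock_info *out, int max, int *done) {
    const struct nlmsghdr *h = buf; int n = 0; *done = 0;
    for (; NLMSG_OK(h, len); h = NLMSG_NEXT(h, len)) {
        if (h->nlmsg_type == NLMSG_DONE) { *done = 1; break; }
        if (h->nlmsg_type == NLMSG_ERROR) return -1;
        if (h->nlmsg_type != SOCK_DIAG_BY_FAMILY || n >= max) continue;
        const struct inet_diag_msg *m = NLMSG_DATA(h);
        out[n].inode = m->idiag_inode; /* matches the socket:[inode] links under /proc/<pid>/fd */
        out[n].uid = m->idiag_uid; out[n].state = m->idiag_state;
        out[n].sport = ntohs(m->id.idiag_sport); out[n].dport = ntohs(m->id.idiag_dport);
        n++;
    }
    return n;
}
/* Constructed sample reply (not captured from a kernel): one socket, then NLMSG_DONE. */
int build_sample_reply(unsigned char *buf) {
    struct nlmsghdr *h = (struct nlmsghdr *)buf, *d;
    struct inet_diag_msg *m = NLMSG_DATA(h);
    memset(buf, 0, 2 * NLMSG_SPACE(sizeof *m));
    h->nlmsg_len = NLMSG_LENGTH(sizeof *m); h->nlmsg_type = SOCK_DIAG_BY_FAMILY;
    m->idiag_family = AF_INET; m->idiag_state = 1; /* TCP_ESTABLISHED */
    m->idiag_uid = 1000; m->idiag_inode = 4242;
    m->id.idiag_sport = htons(22); m->id.idiag_dport = htons(51000);
    d = (struct nlmsghdr *)(buf + NLMSG_ALIGN(h->nlmsg_len));
    d->nlmsg_len = NLMSG_LENGTH(0); d->nlmsg_type = NLMSG_DONE;
    return NLMSG_ALIGN(h->nlmsg_len) + NLMSG_ALIGN(d->nlmsg_len);
}
```

A monitor sends the request on a NETLINK_SOCK_DIAG socket, feeds each recv() buffer to parse_diag_reply() until done is set, and attributes each socket to a process by matching idiag_inode against the socket:[inode] links under /proc/<pid>/fd. Because the kernel only answers requests, the dump is repeated on an interval and successive results are diffed by inode to notice new and closed sockets.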

