fche changed the topic of #systemtap to: http://sourceware.org/systemtap; email systemtap@sourceware.org if answers here not timely, conversations may be logged
<ggherdov`> Hello, was the patch "fix taskfinder2.c for kernels missing the dentry macro" by William Cohen ever merged? https://sourceware.org/ml/systemtap/2014-q4/msg00257.html
<ggherdov`> I cloned from git://sourceware.org/git/systemtap.git and I can't find it (and I am having the problem fixed by the patch :)
<effbiai> hi, I'm using stap with probe udp.sendmsg and an if statement on port 53 to capture DNS traffic. I'm using pid(), gid(), uid(), execname() to capture and print information on the equivalent. is there a function to see the actual DNS query? to see the hostname that the process is asking for?
<ton31337> effbiai: actual DNS query could be extracted only from userspace probing
<ton31337> because DNS doesn't use plain format for data
<ton31337> like HTTP
<ggherdov`> effbiai: can I ask you what kernel version and systemtap version? unrelated to your problem, but very related to mine :)
<effbiai> ggherdov`: 4.3/4.4
<ggherdov`> effbiai: thanks
<effbiai> ton31337: guess a solution with tcpdump and stap together would be the solution then. is there a function to get the time (in milliseconds)?
<effbiai> that would be neat to be able to match data from tcpdump with the data from stap
<ggherdov`> effbiai: wait, how did you get systemtap 4.4? The latest I see at https://sourceware.org/systemtap/ftp/releases/ is called 3.0
<effbiai> linux kernel
<ggherdov`> ah ok.
<effbiai> systemtap is v3.0
<ggherdov`> ok thanks
<ton31337> gettimeofday_ms()
<effbiai> thx
<effbiai> %d?
<ton31337> yes ;-)
<effbiai> thx :)
<effbiai> oh.. ton31337 you meant earlier that it was possible to get the DNS query using https://sourceware.org/systemtap/SystemTap_Beginners_Guide/userspace-probing.html ? :)
<effbiai> if that's the case. would it be possible to do two types of probing in one stp file to get the result that i was originally looking for?
<ton31337> effbiai: yes, you can have multiple probes
<effbiai> guess I have to read up on that then. thanks and have a good weekend!
<fche> effbiai, yeah probably probe glibc's getaddr* type functions to catch the queries at point of origin
<fche> you can also catch dns packets going down at the network level, but indeed they're binary and hard to instantly decode
<effbiai> well, the binary packets don't need to be decoded in the stp. I could decode them in perl or some other scripting language. would it be possible to find the binary packet within probe udp.sendmsg{}? if yes, how?
<fche> probably something like
<fche> just need the right context variable to pull out the packet contents
<effbiai> thx
<fche> $skb->
<effbiai> ?
<effbiai> that's the variable?
<effbiai> For example, to access the pointer chain name = skb->dev->name in embedded C, use the following code.
<effbiai> ahh :)
<effbiai> fche: I'm really rusty when it comes to C and I guess this proves it; trying to extract and print dport from the $skb like this:
<effbiai> port = __tcp_skb_dport($skb);
<effbiai> printf("%s\n",port);
<effbiai> ending up with
<effbiai> semantic error: unknown type in dereference: operator '->' at /usr/share/systemtap/tapset/linux/netfilter.stp:162:32 source: dport = ntohs(udphdr->dest)
<effbiai> ^
<fche> effbiai, yeah, this isn't exactly C anyway, but stap script language
<fche> what's the complete script you're trying?
<effbiai> that second port = and printf is just for debugging purposes. what I'm actually trying to do is extract the data packet from the DNS query
<effbiai> if I change the %s to %d I get a lot of zeroes :)
<fche> hm, why are you doing the __tcp_skb_... business?
<fche> dport is already right there in a script level variable - you're comparing it to == 53
<fche> the issue was trying to find the packet proper, right?
<effbiai> yes, the __tcp_skb_... business was just for debugging purposes to test. if that worked I was going to test the other __tcp_skb_ methods
<fche> we should be able to get hold of the entire packet (including the headers) in $skb pretty directly
<effbiai> is it possible to dump the entire $skb so that we are able to find what we are looking for? an equivalent to print Dumper in perl? :)
<fche> printf("%.*M", buf_len, buffer_base)
<effbiai> that didn't work
<effbiai> do I have to store the length of $skb in buf_len or something like that first?
<fche> yes, that was just a template
<effbiai> would you give me a crash course? ;)
<fche> yeah, I wish the tool could be more help too
<fche> probe netfilter.ip.local_out { skb = &@cast($skb,"sk_buff","kernel<linux/skbuff.h>") printf("%.*M\n", skb->truesize > 256 ? 256 : skb->truesize, skb->data) }
<fche> you should see each packet hexdumped, including the network level header I believe
<fche> up to 256 bytes each
<effbiai> thanks
<effbiai> when doing nslookup now, the output looks like this for google.com
<effbiai> 1460732686950 - nslookup[PID 14302, TID 14303], GID 1000, UID 1000 sent packet to 54.76.198.100:53
<effbiai> 45000038d808000040115beec0a88965364cc66487ec0035002446f4829e0100000100000000000006676f6f676c6503636f6d000001000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006c000000000000000000000000000700000600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
<effbiai> 000000000001000000010000000000000000000000e8a0a7550088ffff000000000000000000adb17a0088ffff0060e6360088ffff
<effbiai> will dig into that package after the weekend. have a nice weekend fche !
<fche> you too!
<_pash> fche: hey! Compiled great on fedora 22
<_pash> Ubuntu must have messed something up
<_pash> although I have one more question
<_pash> Do you know what probelkm.ko is?
<fche> nope, not familiar
<jistone> (heh, "probelkm" looks like a fumbled type of "problem")
<fche> heh
<fche> I think it's some prepackaged module from somewhere on that distro
<fche> or package
<jistone> ((*typo)) MUPHRY!!!
<ton31337> possible to get IP address as string from struct in6_addr sin6_addr;
<ton31337> ?
<irker740> systemtap: wcohen systemtap.git:refs/heads/master * release-3.0-29-g8085d25 / testsuite/lib/systemtap.exp: Avoid using tcl exec command "-ignorestderr" option http://tinyurl.com/j2edoh4
<jistone> ton31337, format_ipaddr(addr, AF_INET6())
<jistone> (I don't know why we have AF_INET6 as a function instead of a global constant, hmm)
<ton31337> jistone: great, works
<ton31337> thanks
<jistone> np