fche changed the topic of #systemtap to: http://sourceware.org/systemtap; email systemtap@sourceware.org if answers here not timely, conversations may be logged
hpt has joined #systemtap
srikar_away is now known as srikar
hkshaw has quit [Ping timeout: 252 seconds]
hkshaw has joined #systemtap
ravi has joined #systemtap
hchiramm has quit [Read error: Connection reset by peer]
<ggherdov`>
I cloned from git://sourceware.org/git/systemtap.git and I can't find it (and I am having the problem fixed by the patch :)
hchiramm has quit [Read error: Connection reset by peer]
hchiramm has joined #systemtap
effbiai has joined #systemtap
<effbiai>
hi, i'm using stap with probe udp.sendmsg and an if statement on port 53 to capture dns traffic. i'm using pid(), gid(), uid(), execname() to capture and print information on the equivalent. is there a function to see the actual DNS query? to see the hostname that the process is asking for?
ego has joined #systemtap
ravi has quit [Ping timeout: 264 seconds]
<ton31337>
effbiai: actual DNS query could be extracted only from userspace probing
<ton31337>
because DNS doesn't use plain format for data
<ton31337>
like HTTP
hpt_ has quit [Ping timeout: 252 seconds]
ravi has joined #systemtap
<ggherdov`>
effbiai: can I ask you what kernel version and systemtap version? unrelated to your problem, but very related to mine :)
hkshaw1 has joined #systemtap
hkshaw has quit [Ping timeout: 276 seconds]
hkshaw1 has quit [Quit: Leaving.]
hkshaw has joined #systemtap
ravi has quit [Ping timeout: 244 seconds]
ravi_ has joined #systemtap
<effbiai>
ggherdov`: 4.3/4.4
<ggherdov`>
effbiai: thanks
<effbiai>
ton31337: guess a solution with tcpdump and stap together would be the solution then. is there a function to get the time (in milliseconds)?
<effbiai>
that would be neat to be able to match data from tcpdump with the data from stap
<effbiai>
if that's the case. would it be possible to do two types of probing in one stp file to get the result that i was originally looking for?
hkshaw has quit [Quit: Leaving.]
hkshaw has joined #systemtap
ravi_ has quit [Ping timeout: 244 seconds]
ravi_ has joined #systemtap
<ton31337>
effbiai: yes, you can have multiple probes
<effbiai>
guess i have to read up on that then. thanx and have a good weekend!
hkshaw has quit [Quit: Leaving.]
<fche>
effbiai, yeah probably probe glibc's getaddr* type functions to catch the queries at point of origin
<fche>
you can also catch dns packets going down at the network level, but indeed they're binary and hard to instantly decode
srikar is now known as srikar_away
nkambo has quit [Ping timeout: 276 seconds]
drsmith has joined #systemtap
nkambo has joined #systemtap
ego has quit [Ping timeout: 276 seconds]
wcohen has quit [Ping timeout: 244 seconds]
hchiramm has quit [Read error: Connection reset by peer]
mbenitez has joined #systemtap
<effbiai>
well, the binary packets don't need to be decoded in the stp. i could decode them in perl or some other scripting language. would it be possible to find the binary packet within probe udp.sendmsg{}? if yes, how?
<effbiai>
For example, to access the pointer chain name = skb->dev->name in embedded C, use the following code.
<effbiai>
ahh :)
tromey has joined #systemtap
wcohen has joined #systemtap
effbiai has quit [Quit: leaving]
ravi_ has quit [Quit: Leaving]
brolley has joined #systemtap
effbiai has joined #systemtap
wcohen has quit [Ping timeout: 250 seconds]
wcohen has joined #systemtap
naveen has quit [Ping timeout: 276 seconds]
srikar_away is now known as srikar
jistone has joined #systemtap
<effbiai>
fche: i'm really rusty when it comes to C and i guess this proves it; trying to extract and print dport from the $skb like this:
<effbiai>
port = __tcp_skb_dport($skb);
<effbiai>
printf("%d\n", port);
<effbiai>
ending up with
<effbiai>
semantic error: unknown type in dereference: operator '->' at /usr/share/systemtap/tapset/linux/netfilter.stp:162:32 source: dport = ntohs(udphdr->dest)
<effbiai>
^
mjw has quit [Quit: Leaving]
<fche>
effbiai, yeah, this isn't exactly C anyway, but stap script language