Created
May 12, 2021 20:14
-
-
Save rzezeski/b8954c3f3aefb82c63340e9d3548ba49 to your computer and use it in GitHub Desktop.
snoop any function
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| * Print basic Ethernet frame and IP header info for all IPv4 traffic | |
| * that hits mac_rx_classify(). | |
| * | |
| * $ pfexec dtrace -I /usr/include/sys/ -Cqs ~/snoop-mac-example.d | |
| */ | |
| #pragma D option quiet | |
| #include <inttypes.h> | |
| #include <sys/types.h> | |
| #include <sys/ethernet.h> | |
| #include <sys/pattr.h> | |
| /* Copied from sys/vlan.h */ | |
| #define VLAN_ID_MASK 0x0fffu | |
| #define VLAN_ID_SIZE 12 | |
| #define VLAN_ID_SHIFT 0 | |
| #define VLAN_ID(tci) (((tci) >> VLAN_ID_SHIFT) & VLAN_ID_MASK) | |
| #define ETH_FMT "%.2x:%.2x:%.2x:%.2x:%.2x:%.2x" | |
| BEGIN | |
| { | |
| IPP_FILT=6; /* TCP */ | |
| } | |
| /* | |
| * Point this at whatever function you want, just make sure to | |
| * update the first statement to point to the mblk_t pointer. | |
| */ | |
| mac_rx_classify:entry | |
| { | |
| this->mp = args[2]; | |
| this->eh = (struct ether_header *)this->mp->b_rptr; | |
| this->l2type = ntohs(this->eh->ether_type); | |
| if (this->l2type == ETHERTYPE_VLAN) { | |
| this->evh = (struct ether_vlan_header *)this->mp->b_rptr; | |
| this->l2type = ntohs(this->evh->ether_type); | |
| this->l2dst = &(this->evh->ether_dhost.ether_addr_octet[0]); | |
| this->l2src = &(this->evh->ether_shost.ether_addr_octet[0]); | |
| this->vid = VLAN_ID(ntohs(this->evh->ether_tci)); | |
| this->eh = NULL; | |
| this->offset = 18; | |
| } else { | |
| this->l2dst = &(this->eh->ether_dhost.ether_addr_octet[0]); | |
| this->l2src = &(this->eh->ether_shost.ether_addr_octet[0]); | |
| this->vid = 0; | |
| this->offset = 14; | |
| } | |
| if (this->l2type == 0x800) { | |
| this->ipha = (ipha_t *)(this->mp->b_rptr + this->offset); | |
| this->l3src = inet_ntoa(&this->ipha->ipha_src); | |
| this->l3dst = inet_ntoa(&this->ipha->ipha_dst); | |
| this->l3proto = this->ipha->ipha_protocol; | |
| } | |
| if (this->l2type == 0x800 && | |
| (IPP_FILT == -1 || this->l3proto == IPP_FILT)) { | |
| printf(ETH_FMT, this->l2src[0], this->l2src[1], this->l2src[2], | |
| this->l2src[3], this->l2src[4], this->l2src[5]); | |
| printf(" "); | |
| printf(ETH_FMT, this->l2dst[0], this->l2dst[1], this->l2dst[2], | |
| this->l2dst[3], this->l2dst[4], this->l2dst[5]); | |
| printf(" %-.4x", this->l2type); | |
| printf(" %-4u", this->vid); | |
| printf(" %-15s %-15s %-4u\n", this->l3src, this->l3dst, | |
| this->l3proto); | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment