2025-03-29 Update From: SLTechnology News&Howtos > Servers
Shulou (Shulou.com) 06/02 Report
Preface
Linux has open source tools that collect network connection, process and other information in real time. A network connection is generally described by the basic five-tuple (source address, destination address, source port, destination port, protocol number) plus process information such as pid, exe and cmdline. Most of these two kinds of data can be read directly from the network connection status files (/proc/net/tcp, /proc/net/udp) and the process status directory (/proc/pid/xx) under the Linux /proc directory.
In some application security scenarios it is necessary to combine process network connections with inbound and outbound traffic and other data in order to analyse whether sensitive data is being sent out of the intranet by a malicious process. During network monitoring it is also common to find that a large share of a server's bandwidth is in use without knowing which process is using it. For these reasons, finer-grained, process-level network traffic data is needed for a comprehensive analysis.
Host-level network data can be found in the Linux /proc directory. For example, /proc/net/snmp provides detailed counters for IP, ICMP, ICMPMsg, TCP and UDP at each layer of the host, and the InBcastPkts, OutBcastPkts, InOctets and OutOctets fields of /proc/net/netstat give the number of packets and bytes received and sent by the host. Unfortunately, there is no process-level inbound and outbound network traffic data.
For this reason, a way of collecting process-level network traffic statistics was implemented, following the principle used by nethogs.
Basic data
This involves the following proc directories and files: the network status files /proc/net/tcp and /proc/net/udp, and the process file descriptor directory /proc/pid/fd.
Network status file /proc/net/tcp
We focus on the five-tuple, the state and the inode number, which are in columns 2, 3, 4 and 11 respectively.
Columns 2 and 3 are the local and remote ip:port, written in hex in host byte order; for example, "0500000A:0016" -> "10.0.0.5", 22.
The fourth column is the state. The meaning of the state field is as follows:
"01": "ESTABLISHED"
"02": "SYN_SENT"
"03": "SYN_RECV"
"04": "FIN_WAIT1"
"05": "FIN_WAIT2"
"06": "TIME_WAIT"
"07": "CLOSE"
"08": "CLOSE_WAIT"
"09": "LAST_ACK"
"0A": "LISTEN"
"0B": "CLOSING"
Column 11 is the inode number. In the Linux file system an inode holds the meta-information of a file system object, including regular files, directories, device files, sockets, pipes and so on.
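As an added example (not code from the original article), the following Python parses the text format of /proc/net/tcp described above into (five-tuple, state, inode) records and builds the five-tuple -> inode mapping. The sample table is constructed to match the pid 25133 example later in the article; the hex decoding assumes a little-endian host (x86), where the kernel's host-byte-order word has to be reversed before it is rendered as a dotted quad. On a real host you would read open("/proc/net/tcp") and open("/proc/net/udp") instead of the sample string.

```python
import socket
import struct

# Added example, not code from the original article: parse /proc/net/tcp into
# (five-tuple, state, inode) records and build the ConnInodeHash mapping.

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample: one listening socket and one established SSH session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0500000A:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 512505532 1 0000000000000000 100 0 0 10 0
   1: 0500000A:0016 6400000A:E4C2 01 00000000:00000000 00:00000000 00000000     0        0 512473483 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr):
    """Turn '0500000A:0016' into ('10.0.0.5', 22).

    The kernel prints the IPv4 address as one 32-bit word in host byte order,
    so on a little-endian host (assumed here) the bytes must be reversed
    before inet_ntoa sees them. The port is plain hex.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip_bytes = struct.pack("<I", int(ip_hex, 16))   # host (little-endian) word -> wire order
    return socket.inet_ntoa(ip_bytes), int(port_hex, 16)


def parse_proc_net_table(text, protocol):
    """Parse one /proc/net/{tcp,udp} table; protocol is 6 for tcp, 17 for udp."""
    records = []
    for line in text.splitlines()[1:]:            # first line is the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        local_ip, local_port = decode_addr(cols[1])
        remote_ip, remote_port = decode_addr(cols[2])
        records.append({
            "key": (local_ip, local_port, remote_ip, remote_port, protocol),
            "state": TCP_STATES.get(cols[3], cols[3]),
            # inode is index 9 after splitting on whitespace: "tx_queue:rx_queue"
            # and "tr:tm->when" are each printed as a single token
            "inode": int(cols[9]),
        })
    return records


def build_conn_inode_hash(records):
    """five-tuple -> inode. Inode 0 means the socket has already been detached
    from every process (e.g. TIME_WAIT), so it cannot be attributed and is skipped."""
    return {r["key"]: r["inode"] for r in records if r["inode"] != 0}


if __name__ == "__main__":
    recs = parse_proc_net_table(SAMPLE_PROC_NET_TCP, 6)
    for r in recs:
        print(r["key"], r["state"], r["inode"])
    print(build_conn_inode_hash(recs))
```

Entries whose inode is 0 are dropped on purpose: the kernel reports 0 for sockets that no longer belong to any process, so a lookup through /proc/pid/fd could never resolve them anyway.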
Process file descriptor
The files opened by the current process are listed under the /proc/pid/fd directory, where 0, 1 and 2 are standard input, standard output and standard error.
A network connection appears as a file descriptor whose link target begins with socket:, and the number inside the [] is the inode number, which corresponds to the inode number in the network status file /proc/net/tcp.
Take the process with pid 25133 as an example. File descriptors 10 and 12 correspond to network connections with inode numbers 512505532 and 512473483 respectively, and the details of the corresponding connections can be found in /proc/net/tcp, as shown in the figure below.
Using the file information above, the mapping network connection five-tuple -> inode can be built from /proc/net/tcp, and the mapping connection inode -> process can be built from /proc/pid/fd.
In this way the processes in the system are linked to the network connection information, with the inode number as the bridge.
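The inode -> process side of the bridge, as an added example that is not part of the original article: it builds the InodeProcessHash from the socket:[N] link targets under /proc/pid/fd and joins it with a five-tuple -> inode mapping to attribute each connection to a pid. SAMPLE_FD_LINKS and SAMPLE_CONN_INODE_HASH are constructed (the fd table mirrors the pid 25133 example above); scan_proc_fd() reads a real /proc tree and is the function you would use on a Linux host.

```python
import os
import re

# Added example, not code from the original article: build inode -> pid from
# /proc/<pid>/fd and join it with the five-tuple -> inode mapping.

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")

# Constructed: what os.readlink("/proc/<pid>/fd/<fd>") would return.
SAMPLE_FD_LINKS = {
    25133: {0: "/dev/null", 1: "/dev/null", 2: "/dev/null",
            10: "socket:[512505532]", 12: "socket:[512473483]"},
    4021: {0: "/dev/pts/0", 3: "socket:[700000042]", 4: "anon_inode:[eventpoll]"},
}

# Constructed: output of the /proc/net/tcp and /proc/net/udp parsing step.
SAMPLE_CONN_INODE_HASH = {
    ("10.0.0.5", 22, "0.0.0.0", 0, 6): 512505532,
    ("10.0.0.5", 22, "10.0.0.100", 58562, 6): 512473483,
    ("10.0.0.5", 44321, "203.0.113.10", 443, 6): 700000042,
    ("10.0.0.5", 53412, "203.0.113.53", 53, 17): 999999999,   # no owning fd in the sample
}


def socket_inodes(fd_links):
    """Yield (fd, inode) for descriptors whose link target looks like socket:[N]."""
    for fd, target in fd_links.items():
        m = SOCKET_LINK.match(target)
        if m:
            yield fd, int(m.group(1))


def build_inode_process_hash(fd_tables):
    """inode -> pid. One socket inode can be held by several processes (a forked
    server and its workers share the listening socket); the first pid seen wins."""
    inode_to_pid = {}
    for pid, fd_links in fd_tables.items():
        for _fd, inode in socket_inodes(fd_links):
            inode_to_pid.setdefault(inode, pid)
    return inode_to_pid


def scan_proc_fd(proc_root="/proc"):
    """Collect {pid: {fd: link target}} from a real /proc tree. fd directories of
    other users' processes are unreadable without CAP_SYS_PTRACE and are skipped."""
    tables = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        links = {}
        for fd in fds:
            try:
                links[int(fd)] = os.readlink(os.path.join(fd_dir, fd))
            except OSError:       # descriptor closed between listdir and readlink
                continue
        tables[int(name)] = links
    return tables


def resolve_connection_pids(conn_inode_hash, inode_process_hash):
    """five-tuple -> pid, or None when no readable process currently holds the inode."""
    return {key: inode_process_hash.get(inode)
            for key, inode in conn_inode_hash.items()}


if __name__ == "__main__":
    inode_pid = build_inode_process_hash(SAMPLE_FD_LINKS)
    for key, pid in resolve_connection_pids(SAMPLE_CONN_INODE_HASH, inode_pid).items():
        print(key, "->", pid)
```

A None result is the normal case for sockets owned by the kernel or by processes the collector is not allowed to inspect, so callers should treat it as "unattributed" rather than as an error; when the collector runs as root the unreadable set shrinks to kernel sockets only.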
Implementation process
To obtain network connection traffic in real time, the open source libpcap library is used on the Linux host to capture network packets. The whole implementation flow contains the following five key steps.
Packet capture
Use the libpcap packet capture library to obtain the network packet structure.
Packet parsing
Parse the five-tuple (source address, destination address, source port, destination port, protocol number) of the packet and the size of the current packet.
Cache update
Look up the inode number for the key formed by the five-tuple in ConnInodeHash. If it is not present, re-read /proc/net/tcp and /proc/net/udp to refresh the ConnInodeHash cache and rebuild the connection -> inode mapping, then re-read the /proc/pid/fd directories, filter the entries starting with socket:, and refresh the InodeProcessHash cache to rebuild the inode -> process mapping.
Hash lookup
Look up the corresponding process pid in InodeProcessHash using the inode number found.
Traffic statistics
Determine the direction of the network connection from the packet addresses, and add the packet size to the process's inbound or outbound counter.
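The per-packet path through the five steps, as an added example that is not the article's or nethogs' code: it decodes a raw Ethernet frame (what a libpcap callback hands over) with struct, orients the five-tuple by which address is local so that it matches the (local, remote) key order of /proc/net/tcp, refreshes the caches on a miss, and accumulates the IP total length into per-pid in/out counters. libpcap itself is not used so the example runs offline: make_tcp_frame() constructs test frames, and SNAPSHOTS are constructed stand-ins for what successive re-reads of /proc/net/tcp and /proc/pid/fd would return; the local address 10.0.0.5 and the pids are assumed values.

```python
import socket
import struct
from collections import defaultdict

# Added example, not code from the original article: frame -> five-tuple ->
# inode -> pid -> per-process byte counters, with refresh-on-miss caches.

ETH_P_IP = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def parse_frame(frame):
    """Step 2: ((src_ip, sport, dst_ip, dport, proto), ip_total_length) for an
    IPv4 TCP/UDP Ethernet frame, or None for anything else (ARP, IPv6, ICMP...)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto not in (IPPROTO_TCP, IPPROTO_UDP):
        return None
    l4 = frame[14 + ihl:14 + ihl + 4]        # ports are the first 4 bytes of both TCP and UDP
    if len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4)
    return (socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport, proto), total_len


class ProcessTrafficCounter:
    """Steps 3-5: cache lookup with refresh on miss, pid lookup, accounting."""

    def __init__(self, local_ips, refresh_caches):
        self.local_ips = set(local_ips)
        self.refresh_caches = refresh_caches   # () -> (conn_inode_hash, inode_process_hash)
        self.conn_inode_hash, self.inode_process_hash = refresh_caches()
        self.stats = defaultdict(lambda: {"in": 0, "out": 0})

    def lookup_pid(self, key):
        inode = self.conn_inode_hash.get(key)
        if inode is None:                      # unknown connection: rebuild both caches
            self.conn_inode_hash, self.inode_process_hash = self.refresh_caches()
            inode = self.conn_inode_hash.get(key)
        return None if inode is None else self.inode_process_hash.get(inode)

    def account(self, frame):
        parsed = parse_frame(frame)
        if parsed is None:
            return None
        (sip, sport, dip, dport, proto), nbytes = parsed
        if sip in self.local_ips:              # key order is (local, remote) as in /proc/net/tcp
            key, direction = (sip, sport, dip, dport, proto), "out"
        elif dip in self.local_ips:
            key, direction = (dip, dport, sip, sport, proto), "in"
        else:
            return None                        # neither end is ours (forwarded traffic)
        pid = self.lookup_pid(key)
        if pid is None:
            return None                        # kernel-owned or already closed socket
        self.stats[pid][direction] += nbytes
        return pid, direction, nbytes


def make_tcp_frame(src_ip, sport, dst_ip, dport, payload_len):
    """Constructed test frame; checksums stay zero because it is never sent."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + struct.pack("!H", ETH_P_IP) + ip + tcp + b"\x00" * payload_len


# Constructed cache snapshots; the second is what a /proc re-read would return
# after process 4021 opened a new outbound HTTPS connection.
SNAPSHOTS = [
    ({("10.0.0.5", 22, "10.0.0.100", 58562, 6): 512473483}, {512473483: 25133}),
    ({("10.0.0.5", 22, "10.0.0.100", 58562, 6): 512473483,
      ("10.0.0.5", 44321, "203.0.113.10", 443, 6): 700000042},
     {512473483: 25133, 700000042: 4021}),
]


def make_refresher(snapshots):
    """Each call returns the next snapshot (the last one repeats)."""
    calls = [0]

    def refresh():
        snap = snapshots[min(calls[0], len(snapshots) - 1)]
        calls[0] += 1
        return dict(snap[0]), dict(snap[1])
    return refresh


def demo():
    counter = ProcessTrafficCounter(["10.0.0.5"], make_refresher(SNAPSHOTS))
    counter.account(make_tcp_frame("10.0.0.100", 58562, "10.0.0.5", 22, 100))    # sshd, in
    counter.account(make_tcp_frame("10.0.0.5", 22, "10.0.0.100", 58562, 60))     # sshd, out
    counter.account(make_tcp_frame("10.0.0.5", 44321, "203.0.113.10", 443, 200))  # miss -> refresh
    counter.account(make_tcp_frame("192.0.2.1", 1, "192.0.2.2", 2, 10))           # not local
    return {pid: dict(v) for pid, v in counter.stats.items()}


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice. The refresh is triggered by every miss, so a burst of short-lived connections (or packets for sockets that were closed before the /proc read) causes repeated full scans of /proc; real collectors rate-limit the refresh or keep a negative cache. And the counter uses the IP total length, so link-layer framing is excluded; if you want wire bytes, use the capture length libpcap reports instead.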
Summary
A fine-grained, process-level network traffic collection method is realised by capturing packets on a Linux host and combining them with the network status files and the process file descriptors.
The inode number of the Linux file is used as the bridge that correlates processes with network connections. With it you can count the total and average data received and sent by a process, and analyse the traffic of each of the process's network connections, which can serve as an important basis for host traffic security analysis, network monitoring, troubleshooting and other scenarios. At the same time, it should be noted that continuously capturing packets with libpcap has a non-trivial performance cost on the host.
The above is the implementation of Linux process network traffic statistics introduced by the editor. I hope it will be helpful to you. If you have any questions, please leave me a message and the editor will reply in time. Thank you very much for your support of the website!