1# -*- tab-width: 4 -*- ;; Emacs
2# vi: set filetype=sh tabstop=8 shiftwidth=8 noexpandtab :: Vi/ViM
3############################################################ IDENT(1)
4#
5# $Title: dwatch(8) JSON module for network activity $
6# $Copyright: 2014-2018 Devin Teske. All rights reserved. $
7# $FrauBSD: dwatch-json/json-net-raw 2018-10-01 16:08:27 -0700 freebsdfrau $
8#
9############################################################ DESCRIPTION
10#
11# Produce JSON custom log format for network activity
12#
13############################################################ PROBE
14
15: ${PROBE:=$( echo \
16	tcp:::debug-user, \
17	tcp:::state-change, \
18	udp:::send, \
19	fbt::soreceive_dgram:entry )}
20
21############################################################ EVENT ACTION
22
23EVENT_TEST='this->event != ""'
24
25############################################################ ACTIONS
26
27exec 9<<EOF
28this string	event;
29this string	family;
30this string	local;
31this string	remote;
32this u_char	local6;
33this u_char	remote6;
34this uint16_t	lport;
35this uint16_t	rport;
36this uint32_t	length;
37
38struct socket *	urecv_socket;
39struct inpcb *	urecv_inpcb;
40string		urecv_local;
41string		urecv_remote;
42u_char		urecv_local6;
43u_char		urecv_remote6;
44uint16_t	urecv_lport;
45uint16_t	urecv_rport;
46uint32_t	urecv_length;
47
48/****************************** TCP ******************************/
49
50tcp:::send,
51tcp:::receive /* probe ID $ID */
52{${TRACE:+
53	printf("<$ID>");}
54	this->length = (uint32_t)args[2]->ip_plength -
55                (uint8_t)args[4]->tcp_offset;
56}
57
58tcp:::debug-user /* probe ID $(( $ID + 1 )) */
59{${TRACE:+
60	printf("<$(( $ID + 1 ))>");
61}
62	/*
63	 * tcpsinfo_t *
64	 */
65	this->local  = args[0]->tcps_laddr;
66	this->lport  = args[0]->tcps_lport;
67	this->remote = args[0]->tcps_raddr;
68	this->rport  = args[0]->tcps_rport;
69
70	/*
71	 * IPv6 support
72	 */
73	this->local6 = strstr(this->local, ":") != NULL ? 1 : 0;
74	this->remote6 = strstr(this->remote, ":") != NULL ? 1 : 0;
75	this->local = strjoin(strjoin(this->local6 ? "[" : "",
76		this->local), this->local6 ? "]" : "");
77	this->remote = strjoin(strjoin(this->remote6 ? "[" : "",
78		this->remote), this->remote6 ? "]" : "");
79
80	this->family = "tcp";
81	this->event = prureq_string[arg1];
82}
83
84tcp:::state-change /* probe ID $(( $ID + 2 )) */
85{${TRACE:+
86	printf("<$(( $ID + 2 ))>");
87}
88	/*
89	 * tcpsinfo_t *
90	 */
91	this->local    = args[3]->tcps_laddr;
92	this->lport    = (uint16_t)args[3]->tcps_lport;
93	this->remote   = args[3]->tcps_raddr;
94	this->rport    = (uint16_t)args[3]->tcps_rport;
95	this->to_state = (int32_t)args[3]->tcps_state;
96
97	/*
98	 * tcplsinfo_t *
99	 */
100	this->from_state = (int32_t)args[5]->tcps_state;
101
102	/*
103	 * IPv6 support
104	 */
105	this->local6 = strstr(this->local, ":") != NULL ? 1 : 0;
106	this->remote6 = strstr(this->remote, ":") != NULL ? 1 : 0;
107	this->local = strjoin(strjoin(this->local6 ? "[" : "",
108		this->local), this->local6 ? "]" : "");
109	this->remote = strjoin(strjoin(this->remote6 ? "[" : "",
110		this->remote), this->remote6 ? "]" : "");
111
112	this->family = "tcp";
113	this->event = this->to_state == TCPS_CLOSED ? "CLOSE" : "";
114	this->length = 0;
115}
116
117/****************************** UDP ******************************/
118
119udp:::send /* probe ID $(( $ID + 3 )) */
120{${TRACE:+
121	printf("<$(( $ID + 3 ))>");
122}
123	/*
124	 * ipinfo_t *
125	 */
126	this->local  = args[2]->ip_saddr;
127	this->remote = args[2]->ip_daddr;
128
129	/*
130	 * udpinfo_t *
131	 */
132	this->length = (uint16_t)args[4]->udp_length;
133	this->lport  = args[4]->udp_sport;
134	this->rport  = args[4]->udp_dport;
135
136	/*
137	 * IPv6 support
138	 */
139	this->local6 = strstr(this->local, ":") != NULL ? 1 : 0;
140	this->remote6 = strstr(this->remote, ":") != NULL ? 1 : 0;
141	this->local = strjoin(strjoin(this->local6 ? "[" : "",
142		this->local), this->local6 ? "]" : "");
143	this->remote = strjoin(strjoin(this->remote6 ? "[" : "",
144		this->remote), this->remote6 ? "]" : "");
145
146	this->family = "udp";
147	this->event = "SEND";
148}
149
150udp:::receive /* probe ID $(( $ID + 4 )) */
151{${TRACE:+
152	printf("<$(( $ID + 4 ))>");
153}
154	/*
155	 * csinfo_t *
156	 */
157	urecv_inpcb = (struct inpcb *)args[1]->cs_cid;
158	urecv_socket = urecv_inpcb->inp_socket;
159
160	/*
161	 * ipinfo_t *
162	 */
163	urecv_local  = args[2]->ip_daddr;
164	urecv_remote = args[2]->ip_saddr;
165
166	/*
167	 * udpinfo_t *
168	 */
169	urecv_length = (uint16_t)args[4]->udp_length;
170	urecv_lport  = args[4]->udp_dport;
171	urecv_rport  = args[4]->udp_sport;
172
173	/*
174	 * IPv6 support
175	 */
176	urecv_local6 = strstr(urecv_local, ":") != NULL ? 1 : 0;
177	urecv_remote6 = strstr(urecv_remote, ":") != NULL ? 1 : 0;
178	urecv_local = strjoin(strjoin(urecv_local6 ? "[" : "",
179		urecv_local), urecv_local6 ? "]" : "");
180	urecv_remote = strjoin(strjoin(urecv_remote6 ? "[" : "",
181		urecv_remote), urecv_remote6 ? "]" : "");
182}
183
184fbt::soreceive_dgram:entry
185	/args[0] == urecv_socket/ /* probe ID $(( $ID + 5 )) */
186{${TRACE:+
187	printf("<$(( $ID + 5 ))>");
188}
189	this->local = urecv_local;
190	this->remote = urecv_remote;
191	this->length = urecv_length;
192	this->lport = urecv_lport;
193	this->rport = urecv_rport;
194	this->local6 = urecv_local6;
195	this->remote6 = urecv_remote6;
196
197	this->family = "udp";
198	this->event = "RCVD";
199}
200EOF
201ACTIONS=$( cat <&9 )
202ID=$(( $ID + 6 ))
203
204############################################################ EVENT DETAILS
205
206exec 9<<EOF
207	/*
208	 * Print path details
209	 */
210	printf("{\"report_type\":\"${PROFILE%-raw}\",\"epoch\":%u,\"family\":\"%s\",\"local\":\"%s\",\"lport\":%u,\"event\":\"%s\",\"remote\":\"%s\",\"rport\":%u,\"length\":%u}",
211		walltimestamp / 1000000000,
212		this->family,
213		this->local,
214		this->lport,
215		this->event,
216		this->remote,
217		this->rport,
218		this->length);
219
220	this->event = "";
221EOF
222EVENT_DETAILS=$( cat <&9 )
223
224################################################################################
225# END
226################################################################################
227