-- @author: Alessandra Fais
-- Chisel description (shown by `sysdig -cl`)
description = "Usage of socket done by processes and close of respective file descriptors"
short_description = "Socket and close monitoring"
category = "misc"

-- Chisel argument list: one positional argument, the process name to monitor
-- (on_set_arg treats the literal value "all" as "every process").
args = {
  { name = "process", description = "Set process to monitor", argtype = "string" },
}
-- Chisel data structures. Every table is keyed by process name (the basename
-- of proc.exe, computed in on_event). The "*Last*" tables are per-interval
-- counters that on_interval resets; the others accumulate for the whole capture.

-- socket() calls per process: total / since the last report
ProcSocket, ProcLastSocket = {}, {}
-- socket() calls split by the "type=" value of the call: 1, 2, anything else
SockTCP, SockLastTCP = {}, {}
SockUDP, SockLastUDP = {}, {}
OtherSock, OtherSockLast = {}, {}
-- close() calls per process: total / since the last report
ProcClose, ProcLastClose = {}, {}
-- close() calls split by the type recorded for the closed socket
CloseTCP, CloseLastTCP = {}, {}
CloseUDP, CloseLastUDP = {}, {}
OtherClose, OtherCloseLast = {}, {}
-- Sockets seen being created and not yet closed: fd key -> socket type code,
-- written on the socket() exit event and consumed by the matching close()
FileDesc = {}
-- Process details: pid, lifetime in seconds, lifetime at the previous report,
-- and the evt.time.s seconds-of-day at which the process was first seen
ProcPID = {}
ProcDuration = {}
OldProcDuration = {}
StartTimeProc = {}
--- Position of the last occurrence of `pattern` in `pathname`.
-- on_event uses it with "/" to strip the directory part from proc.exe.
-- @tparam string pathname string to search (normally an absolute path)
-- @tparam string pattern Lua pattern, not a plain string: magic characters
--   such as "." or "%" keep their pattern meaning, and the pattern must not
--   contain captures (a capture would be returned instead of a position)
-- @treturn number 1-based index of the last character of the last match,
--   or 0 when there is no match
function findLast(pathname, pattern)
  -- ".*" is greedy, so the position capture "()" lands right after the last match
  local after_last = pathname:match(".*" .. pattern .. "()")
  return after_last and (after_last - 1) or 0
end
--- Forget every statistic recorded for a process.
-- on_interval calls this once a process has been reported as stopped, so that
-- it disappears from the next report. The tables are looked up by their global
-- names at call time because on_interval replaces the per-interval ones.
-- @tparam string proc process name used as key in the statistics tables
function deleteStoppedProcess(proc)
  local stat_tables = {
    ProcSocket, ProcLastSocket,
    SockTCP, SockLastTCP, SockUDP, SockLastUDP, OtherSock, OtherSockLast,
    ProcClose, ProcLastClose,
    CloseTCP, CloseLastTCP, CloseUDP, CloseLastUDP, OtherClose, OtherCloseLast,
    FileDesc,
    ProcPID, ProcDuration, OldProcDuration, StartTimeProc,
  }
  for i = 1, #stat_tables do
    stat_tables[i][proc] = nil
  end
end
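--- Update the lifetime (in seconds) of a process from the event timestamp.
-- The first call for a process (no ProcPID entry yet) records the timestamp as
-- its start time and a duration of 0; later calls store the seconds elapsed
-- since that start in ProcDuration. Only the seconds-of-day part of the
-- timestamp is used, so a process running across midnight gets a negative
-- duration — TODO confirm whether the "[process stopped]" check in
-- on_interval needs to cope with that.
-- @tparam string pname process name used as key in the statistics tables
-- @tparam string extime evt.time.s value, expected to start with "HH:MM:SS";
--   an unparseable value leaves the recorded lifetime untouched
function calcExecTime(pname, extime)
  local hour, min, sec = tostring(extime):match("(%d+):(%d+):(%d+)")
  if hour == nil then
    -- Do not fail the whole event callback over one odd timestamp
    return
  end
  -- Seconds since midnight; kept local (the original leaked it as a global
  -- and relied on implicit string-to-number coercion)
  local extimesec = tonumber(hour) * 3600 + tonumber(min) * 60 + tonumber(sec)
  local start = StartTimeProc[pname]
  if ProcPID[pname] == nil or start == nil then
    -- Process seen for the first time: remember when it was first seen
    ProcDuration[pname] = 0
    StartTimeProc[pname] = extimesec
  else
    -- Process already tracked: lifetime relative to the first sighting
    ProcDuration[pname] = extimesec - start
  end
end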
--- Chisel initialisation: request the event fields read by on_event and set
-- the reporting interval used by on_interval.
-- The field handles are stored in globals (proc, procpid, procduration, fd,
-- syscall, dir, arguments) because on_event reads them by name.
-- @treturn boolean true so the chisel keeps running
function on_init()
  -- { global that receives the handle, sysdig field name }; requested in order
  local wanted = {
    { "proc",         "proc.exe"   },
    { "procpid",      "proc.pid"   },
    { "procduration", "evt.time.s" },
    { "fd",           "fd.num"     },
    { "syscall",      "evt.type"   },
    { "dir",          "evt.dir"    },
    { "arguments",    "evt.args"   },
  }
  for i = 1, #wanted do
    _G[wanted[i][1]] = chisel.request_field(wanted[i][2])
  end
  -- Report every 7 seconds
  chisel.set_interval_s(7)
  return true
end
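--- Receive the "process" argument and install the event filter.
-- The filter has to deliver both socket() and close() events of the chosen
-- process only. The original expression
-- `proc.name="X" and evt.type=socket or evt.type=close` bound `and` tighter
-- than `or`, so close() events of every process on the system were delivered
-- too; the parentheses restore the intended grouping.
-- @tparam string name argument name (always "process" for this chisel)
-- @tparam string val process name to monitor, or "all" for every process
-- @treturn boolean true on success, false when val contains a double quote
--   and therefore cannot be embedded in the quoted filter literal
function on_set_arg(name, val)
  local kinds = "evt.type=socket or evt.type=close"
  if val == "all" then
    chisel.set_filter(kinds)
    return true
  end
  -- val is spliced into a quoted filter string; a quote inside it would end
  -- the literal early and let the rest of val be parsed as filter syntax.
  if val:find('"', 1, true) then
    return false
  end
  chisel.set_filter('proc.name="' .. val .. '" and (' .. kinds .. ')')
  return true
end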
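-- Counter lookup: a process without an entry in a statistics table has count 0
local function count_or_zero(t, pname)
  return t[pname] or 0
end

--- Periodic report (every chisel.set_interval_s seconds).
-- Clears the screen, prints per-process socket()/close() statistics, forgets
-- processes whose lifetime did not advance since the previous report, and
-- resets the per-interval ("Last") counters. Per process the columns are
--   SocketTOT SocketLAST CloseTOT CloseLAST StillOPEN
-- followed by the same five columns split by socket type (TCP/UDP/OTHER).
-- All scratch values are locals; the original leaked them as globals, and it
-- detected stopped processes with string.find(pdur, " [process stopped]"),
-- where "[...]" is a character class rather than literal text.
-- @treturn boolean true so the chisel keeps running
function on_interval()
  os.execute("clear")
  for pname, sock_total in pairs(ProcSocket) do
    print("Process name: " .. pname)
    -- Lifetime column. A lifetime that did not grow since the last report is
    -- taken to mean the process stopped; such a process is dropped below.
    local pdur
    local stopped = false
    local dur = ProcDuration[pname]
    if dur ~= nil then
      local old = OldProcDuration[pname]
      if old == nil or old < dur then
        pdur = dur
      else
        pdur = dur .. " [process stopped]"
        stopped = true
      end
    else
      pdur = "-"
    end
    print("Process PID: " .. (ProcPID[pname] or "-") .. " " .. "ProcessDuration: " .. pdur)

    local sock_last   = count_or_zero(ProcLastSocket, pname)
    local close_total = count_or_zero(ProcClose, pname)
    local close_last  = count_or_zero(ProcLastClose, pname)
    print("SocketTOT SocketLAST CloseTOT CloseLAST StillOPEN")
    print(" " .. sock_total .. " " .. sock_last .. " " .. close_total .. " " .. close_last .. " " .. (sock_total - close_total))

    -- Same five columns per socket type
    local tcp, last_tcp       = count_or_zero(SockTCP, pname), count_or_zero(SockLastTCP, pname)
    local udp, last_udp       = count_or_zero(SockUDP, pname), count_or_zero(SockLastUDP, pname)
    local other, last_other   = count_or_zero(OtherSock, pname), count_or_zero(OtherSockLast, pname)
    local ctcp, clast_tcp     = count_or_zero(CloseTCP, pname), count_or_zero(CloseLastTCP, pname)
    local cudp, clast_udp     = count_or_zero(CloseUDP, pname), count_or_zero(CloseLastUDP, pname)
    local cother, clast_other = count_or_zero(OtherClose, pname), count_or_zero(OtherCloseLast, pname)
    print("[TCP] " .. tcp .. " [TCP] " .. last_tcp .. " [TCP] " .. ctcp .. " [TCP] " .. clast_tcp .. " [TCP] " .. (tcp - ctcp))
    print("[UDP] " .. udp .. " [UDP] " .. last_udp .. " [UDP] " .. cudp .. " [UDP] " .. clast_udp .. " [UDP] " .. (udp - cudp))
    print("[OTHER] " .. other .. " [OTHER] " .. last_other .. " [OTHER] " .. cother .. " [OTHER] " .. clast_other .. " [OTHER] " .. (other - cother))
    print(" ")

    OldProcDuration[pname] = ProcDuration[pname]
    if stopped then
      -- Clearing existing keys while iterating with pairs() is allowed
      deleteStoppedProcess(pname)
    end
  end
  -- Per-interval counters start over.
  -- NOTE(review): FileDesc (open socket fd -> type) is reset here as well, so a
  -- socket created in one interval and closed in the next is never matched and
  -- stays in StillOPEN — confirm this is intended.
  FileDesc = {}
  ProcLastSocket = {}
  ProcLastClose = {}
  SockLastTCP = {}
  SockLastUDP = {}
  OtherSockLast = {}
  CloseLastTCP = {}
  CloseLastUDP = {}
  OtherCloseLast = {}
  return true
end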
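-- Socket type announced by a socket() enter event, keyed by pid (as a string),
-- so that the exit event of the same process — the one carrying the new fd
-- number — can record it. The original kept this in a single global named
-- `type`, which clobbered Lua's builtin and mixed up interleaved socket() calls
-- of different processes.
local pending_sock_type = {}

-- Increment a per-process counter, creating it on first use
local function bump(t, pname)
  t[pname] = (t[pname] or 0) + 1
end

-- Map the socket() arguments to the type code used by the statistics tables:
-- 1 for "type=1", 2 for "type=2", 0 for any other AF_INET socket and for
-- non-AF_INET sockets (the original left the previous socket's type in place
-- for those, so they were counted under a stale type).
local function socket_type_of(sock_args)
  if sock_args == nil or not string.find(sock_args, "AF_INET", 1, true) then
    return 0
  elseif string.find(sock_args, "type=1", 1, true) then
    return 1
  elseif string.find(sock_args, "type=2", 1, true) then
    return 2
  end
  return 0
end

-- Account one completed socket() call of `pname` with type code `stype`
local function count_socket(pname, stype)
  bump(ProcSocket, pname)
  bump(ProcLastSocket, pname)
  if stype == 1 then
    bump(SockTCP, pname)
    bump(SockLastTCP, pname)
  elseif stype == 2 then
    bump(SockUDP, pname)
    bump(SockLastUDP, pname)
  else
    bump(OtherSock, pname)
    bump(OtherSockLast, pname)
  end
end

-- Account one close() of a tracked socket of `pname` with type code `stype`
local function count_close(pname, stype)
  bump(ProcClose, pname)
  bump(ProcLastClose, pname)
  if stype == 1 then
    bump(CloseTCP, pname)
    bump(CloseLastTCP, pname)
  elseif stype == 2 then
    bump(CloseUDP, pname)
    bump(CloseLastUDP, pname)
  else
    bump(OtherClose, pname)
    bump(OtherCloseLast, pname)
  end
end

--- Event callback: accounts socket() and close() calls per process name.
-- A socket() enter event (evt.dir ">") only parses the requested socket type;
-- the exit event ("<") carries the new fd number, so that is where the socket
-- is counted and recorded in FileDesc. A close() is counted only when its fd
-- was recorded by an earlier socket() exit, and the record is consumed so the
-- close exit event is not counted a second time.
-- FileDesc is keyed by "pid:fd" (the original used the bare fd number, so equal
-- fd numbers of different processes collided when monitoring "all").
-- Every scratch value is a local; the original leaked them all as globals.
-- @treturn boolean true so the chisel keeps running
function on_event()
  local curproc = evt.field(proc)
  if curproc == nil then
    return true
  end
  local nameproc = string.sub(curproc, findLast(curproc, "/") + 1)
  calcExecTime(nameproc, evt.field(procduration))
  local pid = evt.field(procpid)
  ProcPID[nameproc] = pid
  local pid_key = tostring(pid)
  local curfd = evt.field(fd)
  -- The enter event of socket() has no fd yet, so the key may be absent
  local fd_key = nil
  if curfd ~= nil then
    fd_key = pid_key .. ":" .. tostring(curfd)
  end

  if evt.field(syscall) == "socket" then
    if evt.field(dir) == ">" then
      pending_sock_type[pid_key] = socket_type_of(evt.field(arguments))
    elseif fd_key ~= nil then
      -- Exit without a seen enter (capture started mid-call): counted as "other"
      local stype = pending_sock_type[pid_key] or 0
      pending_sock_type[pid_key] = nil
      FileDesc[fd_key] = stype
      count_socket(nameproc, stype)
    end
  elseif fd_key ~= nil and FileDesc[fd_key] ~= nil then
    -- close() of a socket whose creation was seen
    count_close(nameproc, FileDesc[fd_key])
    FileDesc[fd_key] = nil
  end
  return true
end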
--- Called when the capture ends (for instance on Ctrl-C): prints a farewell.
-- @treturn boolean true
function on_capture_end()
  -- A blank line followed by the farewell, the same bytes two print() calls emit
  print("\n" .. "Bye bye! Thank you for using this chisel.")
  return true
end