Add UDP support to packetbeat's process monitor #7571
Conversation
| @@ -77,3 +78,22 @@ func _GetExtendedTcpTable(pTcpTable uintptr, pdwSize *uint32, bOrder bool, ulAf | |||
| } | |||
| return | |||
| } | |||
|
|
|||
| func _GetExtendedUdpTable(pTcpTable uintptr, pdwSize *uint32, bOrder bool, ulAf uint32, tableClass uint32, reserved uint32) (code syscall.Errno, err error) { | |||
There was a problem hiding this comment.
func _GetExtendedUdpTable should be _GetExtendedUDPTable
func parameter pTcpTable should be pTCPTable
| @@ -57,6 +57,7 @@ var ( | |||
| modiphlpapi = windows.NewLazySystemDLL("iphlpapi.dll") | |||
|
|
|||
| procGetExtendedTcpTable = modiphlpapi.NewProc("GetExtendedTcpTable") | |||
| procGetExtendedUdpTable = modiphlpapi.NewProc("GetExtendedUdpTable") | |||
There was a problem hiding this comment.
var procGetExtendedUdpTable should be procGetExtendedUDPTable
| owningPID uint32 | ||
| } | ||
|
|
||
| type UDP6RowOwnerPID struct { |
There was a problem hiding this comment.
exported type UDP6RowOwnerPID should have comment or be unexported
| @@ -51,6 +52,19 @@ type TCP6RowOwnerPID struct { | |||
| owningPID uint32 | |||
| } | |||
|
|
|||
| type UDPRowOwnerPID struct { | |||
There was a problem hiding this comment.
exported type UDPRowOwnerPID should have comment or be unexported
| @@ -24,6 +24,7 @@ import ( | |||
| ) | |||
|
|
|||
| const ( | |||
| UDP_TABLE_OWNER_PID = 1 | |||
There was a problem hiding this comment.
don't use ALL_CAPS in Go names; use CamelCase
exported const UDP_TABLE_OWNER_PID should have comment (or a comment on this block) or be unexported
adriansr
force-pushed
the
feature/pb/udp_procs
branch
from
82fa5c4 to
c6964cc
Compare
adriansr
force-pushed
the
feature/pb/udp_procs
branch
from
c6964cc to
82b3730
Compare
|
Related to this page: https://www.elastic.co/guide/en/beats/packetbeat/master/configuration-processes.html It needs to be updated to mention UDP. And the note about Linux only should be expanded to include Windows. |
This updates the process monitor with UDP support. Until now, it would lookup all ports as TCP. This could result in the wrong process being reported when two different processes used the same port number, one for TCP and one for UDP. The Linux and Windows implementations have been updated to fetch information for UDP ports. Closes elastic#541
- Windows support - UDP support - cmdline fields
adriansr
force-pushed
the
feature/pb/udp_procs
branch
from
82b3730 to
5a48b17
Compare
|
Thanks @andrewkroh, I've added a new commit with updated docs. |
| or destination is a local process. The `cmdline` and/or `client_cmdline` fields | ||
| will be added to an event, when the server side or client side of the connection | ||
| belong to a local process, respectively. Additionally, you can specify a pattern | ||
| using the `cmdline_grep` option, to also name those processes. This will cause |
There was a problem hiding this comment.
This totally helps clarify how it works for me.
This updates the process monitor with UDP support.
Until now, it would lookup all ports as TCP. This could result in the wrong process being reported when two different processes used the same port number, one for TCP and one for UDP.
The Linux and Windows implementations have been updated to fetch information for UDP ports.
Closes #541