[lttng-dev] New LTTNG user

Matthew Khouzam matthew.khouzam at ericsson.com
Tue Jul 2 14:42:37 EDT 2013


Hi Jessica,

I am ccing the list because this is relevant and I am hoping someone
yells at me: "No you're wrong!" It's a great way to learn.
On 13-06-28 03:33 PM, Jessica Foest wrote:
> hi Matthew,
> thanks for your response
>
> I'm using the Ubuntu distribution.
> Your solution seems to be a good one but I'm not sure that I
> understand what you mean by "check later events to infer if enabled
> is true". Can you explain to me how I can do it?

Ok, you can do it in many ways technically; also I am far from being an
expert on the subject of promiscuity, you may want to consult with
people in security for less

let's say you have the following events

file_read, net_set_promiscuous, file_read, file_write,
net_copy_whole_packet_to_cpu, file_touch

these are obviously made up events, but it's to give you an idea of
what's going on.

you know the mode is set when net_set_promiscuous is called, you don't
know if it's changed or not, someone can be calling true or false
constantly.
you know that net_copy_whole_packet_to_cpu is only callable when the
card is in promiscuous mode.
Let's say there's a second set promiscuous mode and nothing saying before
that the card was in promiscuous mode, could it be safe to assume that
it was not?

When you get the second packet, you know the mode.

function receive_event(event) {
  /* a set-promiscuous call is only a hint: record it, but do not trust it yet */
  if (event.is_promiscuous()) {
    flags.new_promiscuous_mode = true;
    flags.new_promiscuous_time = event.ts;
  }
  /* an event that can only happen in promiscuous mode confirms the earlier hint */
  if (event.is_an_event_that_will_only_happen_in_promiscuous_mode()) {
    if (flags.new_promiscuous_mode) {
      flags.new_promiscuous_mode = false;
      flags.promiscuous = true;
    }
  }
}

This is by the way one of the interesting use cases of the state systems
available in Eclipse and the awesome LTTv. You read the trace once,
infer more information, and then the analysis tools will give you pertinent
info, instead of sifting through a detailed events list like this:
http://youtu.be/3vAnuBtyEYE.

best regards,

Matthew

>
> regards
>
>
> 2013/6/27 Matthew Khouzam <matthew.khouzam at ericsson.com
> <mailto:matthew.khouzam at ericsson.com>>
>
>     Hi,
>
>     Welcome to LTTng-dev.
>
>     What distro are you using?
>
>     I am looking at the tracepoints, I see system tap has
>     probe:netdev.set_promiscuity, it's probably not in the default
>     list but it hooked onto set_promiscuity.
>
>     Maybe you can use a kprobe on set_promiscuity and then check later
>     events to infer if enabled is true. I'm sorry, I work more on the
>     trace viewing side than the kernel side so my knowledge is rather
>     limited.
>
>     Hope this helps and please keep us updated, this is an interesting
>     problem.
>
>     Matthew
>
>
>     On 13-06-26 04:14 PM, Jessica Foest wrote:
>>     Hi
>>
>>     When I use the LTTng network tracepoint it didn't display the network
>>     interface mode (like promiscuous mode or other). Did I miss
>>     some tracepoint option or is it a limitation?
>>     regards
>>
>>     _______________________________________________
>>     lttng-dev mailing list
>>     lttng-dev at lists.lttng.org <mailto:lttng-dev at lists.lttng.org>
>>     http://lists.lttng.org/cgi-bin/mailman/listinfo/lttng-dev
>
>
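The inference Matthew sketches above, as an added illustration (not code from the mail, from LTTng or from LTTv): a one-pass state machine in Python over a constructed event stream, using the made-up event names from the mail. It also handles the two cases the mail raises: a set_promiscuous that is toggled back before any packet confirms it, and a promiscuous-only event with no preceding set, which means the mode was already on before the trace started.

```python
from dataclasses import dataclass, field

# Event names are the made-up ones from the mail; the stream below is constructed.
PROMISC_ONLY = {"net_copy_whole_packet_to_cpu"}


@dataclass
class Event:
    ts: int
    name: str
    args: dict = field(default_factory=dict)


def infer_promiscuous(events):
    """One pass over the trace; returns (intervals, unconfirmed_sets).

    intervals: (start_ts, end_ts) during which the card was provably
    promiscuous; None means "before the trace began" / "still on at the end".
    unconfirmed_sets: timestamps of net_set_promiscuous(enable=1) calls that
    were cleared again before any promiscuous-only event confirmed them.
    """
    pending = None     # ts of a tentative set, like flags.new_promiscuous_time
    active = False     # promiscuous confirmed, like flags.promiscuous
    start = None
    intervals, unconfirmed = [], []
    for ev in events:
        if ev.name == "net_set_promiscuous":
            if ev.args.get("enable"):
                if not active and pending is None:
                    pending = ev.ts
            elif active:
                intervals.append((start, ev.ts))
                active, start = False, None
            elif pending is not None:
                unconfirmed.append(pending)
                pending = None
        elif ev.name in PROMISC_ONLY and not active:
            # a promiscuous-only event confirms the tentative set; with no set
            # seen at all, the card was already promiscuous before the trace
            active, start, pending = True, pending, None
    if active:
        intervals.append((start, None))
    return intervals, unconfirmed


TRACE = [  # constructed sample trace
    Event(0, "file_read"),
    Event(10, "net_set_promiscuous", {"enable": 1}),
    Event(12, "net_set_promiscuous", {"enable": 0}),  # toggled back, never confirmed
    Event(20, "net_set_promiscuous", {"enable": 1}),
    Event(25, "file_read"),
    Event(30, "net_copy_whole_packet_to_cpu"),         # confirms the set at ts 20
    Event(40, "file_touch"),
    Event(50, "net_set_promiscuous", {"enable": 0}),
]
```

Running `infer_promiscuous(TRACE)` gives `([(20, 50)], [10])`: one confirmed promiscuous interval, and one set at ts 10 that was cleared before any packet proved it took effect.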
