connection, i.e. the HTTP request sent upstream, in this case GET, POST etc.
wal:/web/server/squid/etc # cat dtrace-connect.d
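#!/usr/sbin/dtrace -qs

/* Log every connect() made by squid: fd and destination IPv4 address:port. */
syscall::connect:entry
/execname == "squid"/
{
        myfd = arg0;
        socks = (struct sockaddr *) copyin(arg1, arg2);
        /* sa_data[] is signed char: mask each byte so values above 127 print correctly */
        hport = (uint_t) socks->sa_data[0] & 0xff;
        lport = (uint_t) socks->sa_data[1] & 0xff;
        port = (hport << 8) + lport;    /* port is stored in network byte order */
        printf("%s: (%d) %d.%d.%d.%d:%d\n", execname, myfd,
            socks->sa_data[2] & 0xff, socks->sa_data[3] & 0xff,
            socks->sa_data[4] & 0xff, socks->sa_data[5] & 0xff, port);
}

/* Dump what squid writes to the most recently connected fd (myfd is a single global). */
syscall::write:entry
/execname == "squid" && arg0 == myfd/
{
        printf("%s", copyinstr(arg1, arg2));    /* arg1 = buffer, arg2 = byte count */
}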
run it with
wal:/web/server/squid/etc # ./dtrace-connect.d >& DTRACE.OUT &
To watch it in action and see when it happens and which file descriptor is involved, take a copy of squid's idle connections
wal:/ # lsof -p `cat /web/squid/logs/squid.pid ` | fgrep IDLE > A
Now the idea is to wait for the number of idle connections to increase; watch the count with netstat, as it is less of a hit on the system than lsof
wal:/web/server/squid/etc # netstat -an|fgrep IDLE|wc -l
when it ticks over, you make a new file
wal:/ # lsof -p `cat /web/squid/logs/squid.pid ` | fgrep IDLE > B
wal:/web/server/squid/etc # diff A B
6a7
> squid 25357 nobody 161u IPv4 0x30009c90900 0t0 TCP *:* (IDLE)
and in this case the new one was FD 161. The number before the IPv4 column is the FD (the u suffix means it is open for both reading and writing)
(the formatting of the output has been cleaned up below)
wal:/web/server/squid/etc # fgrep -a -A5 '(161)' DTRACE.OUT |less -S
squid: (161) 167.123.240.35:3128
POST http://www.vision6.com.au/api/xmlrpcserver.php?version=1.2&v6_session=1b1deddddb2a55571de542ef612b5fd2 HTTP/1.1
Content-Type: text/xml
User-Agent: Apache XML RPC 3.0 (Jakarta Commons httpclient Transport)
Host: www.vision6.com.au
Content-Length:
wal:/web/server/squid/etc 32694 # diff A B
39a40
> squid 25357 nobody 334u IPv4 0x6001b534f80 0t0 TCP *:* (IDLE)
wal:/web/server/squid/etc 32693 # fgrep -A2 fd=334 DTRACE.OUT
squid: (fd=334) 167.123.240.35:3128
CONNECT corptech.service-now.com:443 HTTP/1.1
and it's corptech ...
bah ... i'm out
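
The A/B snapshot comparison and the DTRACE.OUT lookup described above, automated as an added example (not the post's own script). The function names new_idle_fds and request_for_fd are hypothetical, and the sample lsof and trace lines are constructed in the layout shown in the post.

```shell
#!/bin/sh
# Added example, not the post's own script. Sample data is constructed.

# FDs of (IDLE) sockets that appear in lsof snapshot $2 but not in $1.
# Keyed on FD plus the DEVICE column so a reused FD number still counts as new.
new_idle_fds() {
    awk '/\(IDLE\)/ {
        fd = $4; sub(/[a-zA-Z]+$/, "", fd)       # "161u" -> "161"
        key = fd " " $6
        if (FILENAME == ARGV[1]) old[key] = 1
        else if (!(key in old)) print fd
    }' "$1" "$2"
}

# Upstream peer and first written line recorded for FD $1 in trace file $2.
# Matches "(161)" and "(fd=161)"; the most recent connect() on that FD wins.
request_for_fd() {
    awk -v fd="$1" '
        $1 == "squid:" && $2 ~ /^\((fd=)?[0-9]+\)$/ {
            n = $2; gsub(/[^0-9]/, "", n)
            grab = (n == fd)
            if (grab) { peer = $3; req = "" }
            next
        }
        grab { req = $0; grab = 0 }
        END { if (peer != "") print peer, req }' "$2"
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
cat > "$work/A" <<'EOF'
squid 4242 nobody 12u IPv4 0x3000aaa0000 0t0 TCP *:* (IDLE)
EOF
cat > "$work/B" <<'EOF'
squid 4242 nobody 12u IPv4 0x3000aaa0000 0t0 TCP *:* (IDLE)
squid 4242 nobody 161u IPv4 0x3000bbb0000 0t0 TCP *:* (IDLE)
squid 4242 nobody 20u IPv4 0x3000ccc0000 0t0 TCP 192.0.2.5:3128->192.0.2.10:3128 (ESTABLISHED)
EOF
cat > "$work/DTRACE.OUT" <<'EOF'
squid: (20) 192.0.2.10:3128
GET http://example.org/ HTTP/1.1
squid: (fd=161) 192.0.2.10:3128
CONNECT example.com:443 HTTP/1.1
Host: example.com:443
EOF

for fd in $(new_idle_fds "$work/A" "$work/B"); do
    echo "fd $fd -> $(request_for_fd "$fd" "$work/DTRACE.OUT")"
done
```

With real data, pass the two lsof snapshots and the DTrace output file in place of the constructed files.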