{"id":21071905,"url":"https://github.com/mfontanini/sockwho","last_synced_at":"2025-04-12T21:24:31.791Z","repository":{"id":166649397,"uuid":"642155114","full_name":"mfontanini/sockwho","owner":"mfontanini","description":"Inspect socketaddrs using eBPF tracepoints","archived":false,"fork":false,"pushed_at":"2023-05-18T00:21:12.000Z","size":22,"stargazers_count":7,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-06T03:27:58.384Z","etag":null,"topics":["ebpf","rust","sockets"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mfontanini.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-05-18T00:18:48.000Z","updated_at":"2024-11-17T15:52:31.000Z","dependencies_parsed_at":"2023-06-01T13:31:02.925Z","dependency_job_id":null,"html_url":"https://github.com/mfontanini/sockwho","commit_stats":null,"previous_names":["mfontanini/sockwho"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mfontanini%2Fsockwho","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mfontanini%2Fsockwho/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mfontanini%2Fsockwho/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mfontanini%2Fsockwho/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mfontanini",
"download_url":"https://codeload.github.com/mfontanini/sockwho/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248633089,"owners_count":21136800,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf","rust","sockets"],"created_at":"2024-11-19T18:54:38.893Z","updated_at":"2025-04-12T21:24:31.771Z","avatar_url":"https://github.com/mfontanini.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],
"readme":"# sockwho\n\nA tool to help determine the (socket) addresses being used by socket syscalls.\n\n---\n\nThis uses [aya](https://github.com/aya-rs/aya) to attach eBPF tracepoints to some events like:\n* Syscalls that involve `sockaddr` types like `bind` and `connect`.\n* The `sock:inet_sock_set_state` event, which fires whenever a TCP socket changes state.\n\nFor every event in the above list it prints a line containing the pid, file descriptor, socket\naddress contents (address and port) and the return value of the syscall.\n\nThe output looks something like:\n\n```\nChrome_ChildIOT/135876/53 syscall::bind(0.0.0.0:22317) = 0\nChrome_ChildIOT/135876/53 syscall::connect(127.0.0.53:53) = 0\nChrome_ChildIOT/135876/57 syscall::bind(0.0.0.0:44155) = 0\nChrome_ChildIOT/135876/57 syscall::connect(127.0.0.53:53) = 0\nsystemd-resolve/912/17 syscall::connect(192.168.0.1:53) = 0\nsystemd-resolve/912/18 syscall::connect(192.168.0.1:53) = 0\nChrome_ChildIOT/135876 socket::set_state(192.168.0.2:0 \u003c-\u003e 192.30.255.113:443) Close -\u003e SynSent\nChrome_ChildIOT/135876/57 syscall::connect(192.30.255.113:443) = -115 [EINPROGRESS]\n```\n\n# Why?\n\nWhile tools like `strace` give you great insights into what syscalls a process and all of its children are invoking,\nthey don't let you get information outside that process tree. For example, if I wanted to see which processes are\nattempting to bind to a specific port, I wouldn't be able to spot that via strace.\n\nTools like `perf` allow you to use tracepoints to trace syscalls, but they don't allow expanding the contents of\n`sockaddr` pointers being passed in to syscalls (at least not yet).\n\nThis tool tries to bridge that gap by letting you trace these syscalls globally and showing the\nsocket address behind each `sockaddr` parameter.\n\n# Building\n\nIn order to build _sockwho_, install [rust](https://www.rust-lang.org/) and run\n\n```shell\nmake release\n```\n\nThe output binary will be placed in `target/release/sockwho`.\n\n# Running\n\nRun the binary with no arguments to hook into all supported syscalls and events, or pass a subset of them as arguments:\n\n```shell\n# Only trace connect syscalls\nsockwho connect\n```\n\n# Formats\n\nThe formats used for every traced event are:\n\n## Syscalls\n\n```\n\u003cprocess-name\u003e/\u003cpid\u003e/\u003cfd\u003e syscall::\u003csyscall-name\u003e(\u003csocket-address\u003e) = \u003creturn code\u003e [errno if applicable]\n```\n\n## Socket state events\n\n```\n\u003cprocess-name\u003e/\u003cpid\u003e socket::set_state(\u003clocal-address\u003e \u003c-\u003e \u003cremote-address\u003e) \u003cold-tcp-state\u003e -\u003e \u003cnew-tcp-state\u003e\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmfontanini%2Fsockwho","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmfontanini%2Fsockwho","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmfontanini%2Fsockwho/lists"}