def collect(self, hint, endpoints):
for entity in endpoints:
struct = entity["Struct/base"]
af_inet = struct.InetAF.dereference(
vm=self.session.kernel_address_space)
if af_inet.AddressFamily == AF_INET:
family = "INET"
elif af_inet.AddressFamily == AF_INET6:
family = "INET6"
else:
continue
l4_port = struct.Port
for ver, laddr, _ in struct.dual_stack_sockets(
vm=self.session.kernel_address_space):
l3_protocol = "IP%s" % ver
epoint_id = self.manager.identify({
("OSILayer3/address", "OSILayer4/port", "OSILayer4/protocol"):
(laddr, l4_port, "UDP")
})
yield [
epoint_id,
definitions.Named(kind="UDP Endpoint",
name="%s:%s (%s)" %
(laddr, l4_port, "UDP")),
definitions.OSILayer3(address=laddr, protocol=l3_protocol),
definitions.OSILayer4(port=l4_port, protocol="UDP"),
definitions.Endpoint(addressing_family=family, local=True)
]
def collect(self, hint, ifnets):
for entity in ifnets:
ifnet = entity["MemoryObject/base_object"]
yield [
entity.identity,
definitions.NetworkInterface(
name="%s%d" % (ifnet.if_name.deref(), ifnet.if_unit))]
l2_addr = None
l3_addrs = []
# Parse all the addresses on the interface. There should be exactly
# one link layer (L2) address.
for tqe in ifnet.if_addrhead.tqh_first.walk_list(
"ifa_link.tqe_next"):
family = tqe.ifa_addr.sa_family
if family == "AF_LINK":
l2_addr = utils.SmartUnicode(tqe.ifa_addr.deref())
continue
if family == "AF_INET":
l3_proto = "IPv4"
elif family == "AF_INET6":
l3_proto = "IPv6"
else:
l3_proto = utils.SmartUnicode(family).replace("AF_", "")
l3_addrs.append((l3_proto, unicode(tqe.ifa_addr.deref())))
# Yield all the endpoints as the shared L2 + each L3.
for l3_proto, l3_addr in l3_addrs:
endpoint_identity = self.manager.identify({
("Endpoint/interface", "OSILayer3/address",
"OSILayer2/address"):
(entity.identity, l3_addr, l2_addr)})
yield [
endpoint_identity,
definitions.Endpoint(
local=True,
interface=entity.identity),
definitions.OSILayer2(
address=l2_addr,
protocol="MAC"),
definitions.OSILayer3(
address=l3_addr,
protocol=unicode(l3_proto))]
def collect(self, hint, sockets):
for socket in sockets:
base_socket = socket["Struct/base"]
family = str(base_socket.addressing_family).replace("AF_", "")
if family in ("INET", "INET6"):
l3_protocol = "IPv4" if family == "INET" else "IPv6"
source_identity, source = self.prebuild(
components=[
definitions.OSILayer3(address=base_socket.src_addr,
protocol=l3_protocol),
definitions.OSILayer4(port=base_socket.src_port,
protocol=base_socket.l4_protocol,
state=base_socket.tcp_state)
],
keys=("OSILayer3/address", "OSILayer4/port",
"OSILayer4/protocol"))
destination_identity, destination = self.prebuild(
components=[
definitions.OSILayer3(address=base_socket.dst_addr,
protocol=l3_protocol),
definitions.OSILayer4(port=base_socket.dst_port,
protocol=base_socket.l4_protocol)
],
keys=("OSILayer3/address", "OSILayer4/port",
"OSILayer4/protocol"))
connection = [
socket.identity,
definitions.Named(name=base_socket.human_name,
kind="IP Connection"),
definitions.Connection(protocol_family=family,
source=source_identity,
destination=destination_identity)
]
yield source
yield destination
yield connection
elif family == "UNIX":
if base_socket.vnode:
path = base_socket.vnode.full_path
file_identity = self.session.entities.identify(
{"File/path": path})
else:
path = None
file_identity = None
yield [
socket.identity,
definitions.Named(name=base_socket.human_name,
kind="Unix Socket"),
definitions.Connection(protocol_family="UNIX"),
definitions.Socket(
type=base_socket.unix_type,
file=file_identity,
address="0x%x" % int(base_socket.so_pcb),
connected="0x%x" % int(base_socket.unp_conn))
]
# There may be a vnode here - if so, yield it.
if path:
yield [
definitions.File(path=path, type="socket"),
definitions.Named(name=path, kind="Socket"),
definitions.Struct(base=base_socket.vnode.deref(),
type="vnode")
]
else:
yield [
socket.identity,
definitions.Named(kind="Unknown Socket"),
definitions.Connection(protocol_family=family)
]