draios · mattpag · Jan 26, 2018 · Jan 26, 2018
@@ -285,6 +285,11 @@ class SINSP_PUBLIC sinsp_fdinfo
 		return (m_flags & (FLAGS_ROLE_CLIENT | FLAGS_ROLE_SERVER)) == 0;
 	}
 
+	inline bool is_socket_connected()
+	{
+		return (m_flags & FLAGS_SOCKET_CONNECTED) == FLAGS_SOCKET_CONNECTED;
+	}
+
 	scap_fd_type m_type; ///< The fd type, e.g. file, directory, IPv4 socket...
 	uint32_t m_openflags; ///< If this FD is a file, the flags that were used when opening it. See the PPM_O_* definitions in driver/ppm_events_public.h.
 
@@ -327,6 +332,7 @@ VISIBILITY_PRIVATE
 		FLAGS_IN_BASELINE_R = (1 << 10),
 		FLAGS_IN_BASELINE_RW = (1 << 11),
 		FLAGS_IN_BASELINE_OTHER = (1 << 12),
+		FLAGS_SOCKET_CONNECTED = (1 << 13),
 	};
 
 	void add_filename(const char* fullpath);
@@ -408,6 +414,11 @@ VISIBILITY_PRIVATE
 		return (m_flags & FLAGS_IN_BASELINE_OTHER) == FLAGS_IN_BASELINE_OTHER; 
 	}
 
+	inline void set_socket_connected()
+	{
+		m_flags |= FLAGS_SOCKET_CONNECTED;
+	}
+
 	T* m_usrstate;
 	uint32_t m_flags;
 	uint64_t m_ino;

@@ -166,6 +166,7 @@ const filtercheck_field_info sinsp_filter_check_fd_fields[] =
 	{PT_IPV4NET, EPF_NONE, PF_NA, "fd.snet", "server IP network."},
 	{PT_IPV4NET, EPF_NONE, PF_NA, "fd.lnet", "local IP network."},
 	{PT_IPV4NET, EPF_NONE, PF_NA, "fd.rnet", "remote IP network."},
+	{PT_BOOL, EPF_NONE, PF_NA, "fd.connected", "for TCP/UDP FDs, 'true' if the socket is connected."},
 
 };
 
@@ -1037,6 +1038,18 @@ uint8_t* sinsp_filter_check_fd::extract(sinsp_evt *evt, OUT uint32_t* len, bool
 			RETURN_EXTRACT_STRING(m_tstr);
 		}
 		break;
+	case TYPE_IS_CONNECTED:
+		{
+			if(m_fdinfo == NULL)
+			{
+				return NULL;
+			}
+
+			m_tbool = m_fdinfo->is_socket_connected();
+
+			return (uint8_t*)&m_tbool;
+		}
+		break;
 	default:
 		ASSERT(false);
 	}

@@ -280,7 +280,8 @@ class sinsp_filter_check_fd : public sinsp_filter_check
 		TYPE_CNET = 28,
 		TYPE_SNET = 29,
 		TYPE_LNET = 30,
-		TYPE_RNET = 31
+		TYPE_RNET = 31,
+		TYPE_IS_CONNECTED = 32,
 	};
 
 	enum fd_type

@@ -2378,6 +2378,11 @@ void sinsp_parser::parse_connect_exit(sinsp_evt *evt)
 	//
 	evt->m_fdinfo->set_role_client();
 
+	//
+	// Mark this fd as a connected socket
+	//
+	evt->m_fdinfo->set_socket_connected();
+
 	//
 	// Call the protocol decoder callbacks associated to this event
 	//
@@ -2506,6 +2511,11 @@ void sinsp_parser::parse_accept_exit(sinsp_evt *evt)
 	//
 	fdi.set_role_server();
 
+	//
+	// Mark this fd as a connected socket
+	//
+	fdi.set_socket_connected();
+
 	//
 	// Add the entry to the table
 	//

@@ -222,6 +222,10 @@ void sinsp_threadinfo::add_fd_from_scap(scap_fdinfo *fdi, OUT sinsp_fdinfo_t *re
 		newfdi->m_sockinfo.m_ipv4info.m_fields.m_sport = fdi->info.ipv4info.sport;
 		newfdi->m_sockinfo.m_ipv4info.m_fields.m_dport = fdi->info.ipv4info.dport;
 		newfdi->m_sockinfo.m_ipv4info.m_fields.m_l4proto = fdi->info.ipv4info.l4proto;
+		if(fdi->info.ipv4info.l4proto == SCAP_L4_TCP)
+		{
+			newfdi->m_flags |= sinsp_fdinfo_t::FLAGS_SOCKET_CONNECTED;
+		}
 		if(m_inspector->m_network_interfaces)
 		{
 			m_inspector->m_network_interfaces->update_fd(newfdi);
@@ -255,6 +259,10 @@ void sinsp_threadinfo::add_fd_from_scap(scap_fdinfo *fdi, OUT sinsp_fdinfo_t *re
 			newfdi->m_sockinfo.m_ipv4info.m_fields.m_sport = fdi->info.ipv6info.sport;
 			newfdi->m_sockinfo.m_ipv4info.m_fields.m_dport = fdi->info.ipv6info.dport;
 			newfdi->m_sockinfo.m_ipv4info.m_fields.m_l4proto = fdi->info.ipv6info.l4proto;
+			if(fdi->info.ipv6info.l4proto == SCAP_L4_TCP)
+			{
+				newfdi->m_flags |= sinsp_fdinfo_t::FLAGS_SOCKET_CONNECTED;
+			}
 			if(m_inspector->m_network_interfaces)
 			{
 				m_inspector->m_network_interfaces->update_fd(newfdi);
@@ -268,6 +276,10 @@ void sinsp_threadinfo::add_fd_from_scap(scap_fdinfo *fdi, OUT sinsp_fdinfo_t *re
 			newfdi->m_sockinfo.m_ipv6info.m_fields.m_sport = fdi->info.ipv6info.sport;
 			newfdi->m_sockinfo.m_ipv6info.m_fields.m_dport = fdi->info.ipv6info.dport;
 			newfdi->m_sockinfo.m_ipv6info.m_fields.m_l4proto = fdi->info.ipv6info.l4proto;
+			if(fdi->info.ipv6info.l4proto == SCAP_L4_TCP)
+			{
+				newfdi->m_flags |= sinsp_fdinfo_t::FLAGS_SOCKET_CONNECTED;
+			}
 			newfdi->m_name = ipv6tuple_to_string(&newfdi->m_sockinfo.m_ipv6info, m_inspector->m_hostname_and_port_resolution_enabled);
 		}
 		break;