Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improvements to process attribution #14

Closed
ckuethe opened this issue Apr 20, 2017 · 5 comments
Closed

Improvements to process attribution #14

ckuethe opened this issue Apr 20, 2017 · 5 comments

Comments

@ckuethe
Copy link
Contributor

ckuethe commented Apr 20, 2017 

[2017-04-20 13:08:55,017] (WARNING) Could not find process for udp connection 172.18.115.120:123 -> 91.189.91.157:123
[2017-04-20 13:08:55,017] (WARNING) Could not detect process for connection.
[2017-04-20 13:08:55,044] (WARNING) Could not find process for tcp connection 172.18.115.120:38052 -> 216.58.192.14:80
[2017-04-20 13:08:55,045] (WARNING) Could not detect process for connection.
[2017-04-20 13:08:55,105] (WARNING) Could not find process for udp connection 172.18.115.120:52695 -> 239.255.255.250:1900
[2017-04-20 13:08:55,105] (WARNING) Could not detect process for connection.

Seems like additional ways of linking a packet to a process should be investigated.
@evilsocket
Copy link
Owner

This is basically a subset problem of #12

@ckuethe
Copy link
Contributor Author

ckuethe commented Apr 24, 2017

I disagree. This is not about figuring out what the process is called once we have its pid, it's about the fact that we're unable to associate traffic to ntpd or avahi (or some other long-running process) in the first place.

@evilsocket
Copy link
Owner

What I meant is that if we find another way of collecting connection info such as the process name, that would ideally fix this issue as well.

@ckuethe
Copy link
Contributor Author

ckuethe commented Apr 24, 2017

Pid is the canonical identifier of a process. There are connections that cannot be attributed to a process, and I see no progress toward additional techniques for establishing this link.

#12 is more about UI/UX. Reliability of attribution aside, when process 12345 wants to connect to the network what can we tell the user about that process to help them make a decision about whether or not to allow that connection.

@evilsocket
Copy link
Owner

Oh man, I miss the good old times when people just trusted the developers and didn't need to try to teach them OS basics in order to prove their point.

Since my previous comment was apparently not clear enough, let me rephrase.

It is clear that just relying on the /proc filesystem in order to get information about a connection, a process or whatever is involved in this project, is definitely not reliable and not enough.
Considering that a more robust approach is required, for instance a custom kernel module, this solution would also be able to keep track of processless connections, just like the ones you mentioned, and will expose a connection-type-agnostic interface to the user land ( can be something in /dev that we query using ioctls, or whatever ) that eventually will replace the current routines that rely on /proc.

Giving that I like to fix things once and fix them for good, the aforementioned solution will solve both issues, that's why I closed this one, just to keep the conversation on the more technical thread.

Is this enough for you or do we want to keep talking about how operating systems work? :D

@TraxXavier TraxXavier mentioned this issue May 12, 2018
Closed
@Tandaran3 Tandaran3 mentioned this issue Mar 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@evilsocket @ckuethe