#!/usr/bin/env bpftrace
#include <linux/skbuff.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/sched.h>
#include <linux/dcache.h>
#include <linux/fs.h>
#include <linux/pid_namespace.h>
#include <linux/nsproxy.h>
#include <linux/netdevice.h>
// Startup banner, printed once when the probes are attached.
// NOTE(review): the text mentions only device registration, but this script
// also attaches kprobe:dev_set_mac_address and logs MAC address changes.
BEGIN
{
    printf("Tracing register network device. Hit Ctrl-C to end.\n");
}
// Log each call to register_netdevice(): wall-clock time, probe name, calling
// PID and comm, interface name, and 6 bytes read from dev->dev_addr.
//
// Caveats when using the output as an audit/detection signal:
//  - This is an entry probe: the return value is not captured, so a
//    registration that later fails still produces a line.
//  - comm is the task name and can be changed by the process itself;
//    correlate on pid rather than on comm alone.
//  - The length 6 is hard-coded (Ethernet-style address); dev->addr_len is
//    not consulted, so other address lengths are not shown correctly.
//  - NOTE(review): at entry dev->name may still be an unresolved template
//    (e.g. a "%d" pattern) - confirm against the kernel in use.
kprobe:register_netdevice
{
    $netdev = (struct net_device *)arg0;
    $ifname = $netdev->name;
    $hwaddr = $netdev->dev_addr;

    time("%H:%M:%S ");

    // %r prints the buf() bytes, escaping non-printable ones as \xNN, so
    // printable byte values show up as ASCII characters rather than hex.
    // To record call stacks as well, append two %s to the format and pass
    // ustack, kstack as trailing arguments.
    printf("%s %d %s %s %r \n", func, pid, comm, $ifname, buf($hwaddr, 6));
}
// Log each call to dev_set_mac_address(): wall-clock time, probe name, calling
// PID and comm, interface name, the address currently in dev->dev_addr (old)
// and the requested address taken from the sockaddr argument (new).
//
// Caveats when using the output as an audit/detection signal:
//  - This is an entry probe: it records the requested change, not the
//    outcome. The return value is not captured, so a rejected request is
//    logged exactly like a successful one.
//  - Only changes routed through dev_set_mac_address() fire this probe; any
//    other kernel path that writes dev_addr is not observed here.
//  - comm is the task name and can be changed by the process itself;
//    correlate on pid rather than on comm alone.
//  - The length 6 is hard-coded (Ethernet-style address); dev->addr_len is
//    not consulted.
//  - NOTE(review): arg1 is assumed to be a struct sockaddr * - verify against
//    the dev_set_mac_address() prototype of the running kernel.
kprobe:dev_set_mac_address
{
    $netdev = (struct net_device *)arg0;
    $request = (struct sockaddr *) arg1;
    $ifname = $netdev->name;
    $current = $netdev->dev_addr;

    time("%H:%M:%S ");

    // %r prints the buf() bytes, escaping non-printable ones as \xNN, so
    // printable byte values show up as ASCII characters rather than hex.
    // To record call stacks as well, append two %s to the format and pass
    // ustack, kstack as trailing arguments.
    printf("%s %d %s %s %r %r \n",
        func, pid, comm, $ifname,
        buf($current, 6),
        buf($request->sa_data, 6));
}