My semester project is a Network Level Anti-Malware S/W. Its main components are the Manager and the Agent. The Agent provides the Manager with:
1. CPU usage, Memory usage and B/W usage information
2. Network related Information -
   - Network Profiling
   - Function calls from Network Sockets
   - TCP packets related information
3. Disk Related Information -
   - I/O monitoring
   - File Read/Writes
   - File Attribute changes
4. General Profiling -
   - Function calls
   - Call Graph
   - Frequently used system calls
   - Call volume per process
Each of these four functionalities is implemented as a thread. Our platform is Linux. We have found a tool called systemtap...
http://sourceware.org/systemtap/SystemTap_Beginners_Guide/useful-systemtap-scripts.html
Rather than exploiting linux commands like top, ifstat, tcpdump etc., we found this a better alternative. In effect, all that is to be done is invoke either the script or executable from the Agent Java program.
All the scripts used by "systemtap" are written in the systemtap scripting language. A front-end tool (stap) converts this script into C code and then compiles it into a kernel file.
    stap --tmpdir=/home/test/ nettop.stp
By using the above command, I have managed to obtain the converted C code file. But the file is not getting compiled due to dependency issues.
    gcc nettop.c
    nettop.c:10:29: fatal error: runtime_defines.h: No such file or directory
    compilation terminated.

    gcc -B /usr/share/systemtap/runtime/ -B /usr/src/kernels/3.3.1-3.fc16.x86_64/include/ nettop.c
    nettop.c:10:29: fatal error: runtime_defines.h: No such file or directory
    compilation terminated.

    gcc --sysroot=/usr/ nettop.c
    nettop.c:10:29: fatal error: runtime_defines.h: No such file or directory
    compilation terminated.
The systemtap runtime headers all use the linux/header format, signifying that the include path for systemtap is set up to /usr/../../../../include. Copying all the headers to a specific folder is easy, but editing them to reflect the right path names is not a possibility. There are 106 runtime headers referring to over a thousand Linux headers.
a. How do I make gcc use a specific folder as the library?
b. Is there a better alternative to this Agent Architecture?
PS: Hopefully the question is not too vague. Thanks for the replies in advance.
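An added example (not code from the question or from SystemTap itself) of how a Java Agent can let stap's own build pipeline produce the kernel module (`stap -p4 -m name` stops after the compile step and writes `name.ko` into the working directory) and then stream the probe output from `staprun`, instead of calling gcc on the generated C. It assumes `nettop.stp` sits in the Agent's working directory and that the Agent's user is permitted to run staprun (root or the stapusr/stapdev groups); the class and method names are hypothetical.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.function.Consumer;

/** Hypothetical Agent helper: build a SystemTap module once, then stream its output. */
public class StapRunner {

    /** Run stap through pass 4 (compile to .ko) and return the path of the built module. */
    static Path buildModule(Path script, String moduleName, Path workDir)
            throws IOException, InterruptedException {
        // -p4 stops after building the kernel module; -m fixes its name so staprun can reuse it
        ProcessBuilder pb = new ProcessBuilder("stap", "-p4", "-m", moduleName, script.toString());
        pb.directory(workDir.toFile());
        pb.redirectErrorStream(true);            // merge compiler diagnostics into one stream
        Process p = pb.start();
        drain(p, line -> System.err.println("[stap] " + line));
        if (p.waitFor() != 0) {
            throw new IOException("stap build failed for " + script);
        }
        return workDir.resolve(moduleName + ".ko");
    }

    /** Load the prebuilt module with staprun and hand each output line to the Agent's consumer. */
    static int runModule(Path module, Consumer<String> sink)
            throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder("staprun", module.toString());
        pb.redirectErrorStream(true);
        Process p = pb.start();
        drain(p, sink);                          // blocks until the probe is stopped (p.destroy())
        return p.waitFor();
    }

    private static void drain(Process p, Consumer<String> sink) throws IOException {
        try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = r.readLine()) != null) {
                sink.accept(line);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Path work = Paths.get(System.getProperty("user.dir"));
        Path ko = buildModule(work.resolve("nettop.stp"), "nettop", work);
        runModule(ko, line -> System.out.println("[nettop] " + line));
    }
}
```

Each of the four monitoring threads can call `runModule` with its own `.ko`, so the expensive compile against the kernel headers happens once per script rather than on every Agent start.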