
I want to write a user-space C/C++ program which gets triggered whenever a TCP or UDP communication port is opened by the Linux operating system. Is it possible to get those interrupts?

BusyTraveller
  • You may wish to look into libnetfilter_queue: http://www.netfilter.org/projects/libnetfilter_queue/index.html – Sean Comeau Feb 22 '16 at 11:34
  • If you can do a kernel-space implementation, you can implement a Linux Security Module that hooks the appropriate system calls inside the kernel. See https://en.wikipedia.org/wiki/Linux_Security_Modules and – Andrew Henle Feb 22 '16 at 11:37
  • In the best case the kernel would be the most right place for such a hook. However, is the point of interest of the monitoring only your programs, or system and third-party software as well? – dmi Feb 22 '16 at 12:25
  • 1. If I do a kernel-space implementation, will it be affected by a kernel update? I mean, do I need to change the code after a kernel update? – BusyTraveller Feb 23 '16 at 04:43
  • 1. If I do a kernel-space implementation, will it be affected by a kernel update? I mean, do I need to change the code after a kernel update? 2. I need the interrupt whenever a TCP/UDP port is opened, irrespective of the process/program that opens it. – BusyTraveller Feb 23 '16 at 04:55
  • @SeanComeau, at this point in time, I think that a user-space implementation is more viable. Kindly check http://stackoverflow.com/questions/35647509. Actually, with the technique you have mentioned above, the interrupt will be there when the traffic is created and then it is queued by iptables. But I need the interrupt whenever the process opens a port. Is there a user-space technique for that? – BusyTraveller Mar 03 '16 at 06:41
  • @BusyTraveller The technique suggested by Andrew Henle is what you need. In order to monitor every process running on the system you will need to monitor syscalls like bind and connect. That way is clean. You get notification when it happens and you get access to the parameter containing the protocol/port info. Other than maybe reading the state of the TCP/IP stack directly through kmem, which is a terrible method, there's no way to accomplish what you want from userland. – Sean Comeau Mar 03 '16 at 17:36
  • @SeanComeau, I understand that Andrew Henle's suggestion is the best one. But I am stuck, because the system is freezing. Please have a look at http://stackoverflow.com/questions/35647509. I think that some kernel upgrade is creating the issue. As you have said, since a user-space implementation will not accomplish the task, the kernel is the only way to go. – BusyTraveller Mar 04 '16 at 06:37
  • @AndrewHenle, can you please have a look at http://stackoverflow.com/questions/35647509? Actually, the system is freezing. – BusyTraveller Mar 04 '16 at 06:38

0 Answers
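A user-space polling approximation of the monitoring this thread asks about, added here as an example and not part of the original question or comments: it diffs two snapshots in the `/proc/net/tcp` layout and reports local ports that newly entered the listening state. The function names and the embedded snapshots are constructed for illustration, only IPv4 rows are handled, and a socket opened and closed between two polls is never seen, so this is not the event notification that hooking `bind` and `connect` in the kernel would give.

```c
#include <stdio.h>
#include <string.h>
#define TCP_LISTEN 0x0A /* "st" of a listening TCP socket; bound UDP sockets in /proc/net/udp show 07 */
#define HDR "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
#define TAIL " 00000000:00000000 00:00000000 00000000     0        0 "
/* Constructed snapshots in /proc/net/tcp layout (not captured from a real host). */
static const char SNAP_BEFORE[] = HDR
    "   0: 0100007F:0016 00000000:0000 0A" TAIL "1001\n"
    "   1: 0100007F:0016 0100007F:C350 01" TAIL "1002\n";
static const char SNAP_AFTER[] = HDR
    "   0: 0100007F:0016 00000000:0000 0A" TAIL "1001\n"
    "   1: 00000000:1F90 00000000:0000 0A" TAIL "1003\n"
    "   2: 0100007F:C351 0100007F:0016 01" TAIL "1004\n";

/* Parse one IPv4 row: returns 1 with local port and state filled, 0 for the header or junk. */
static int parse_row(const char *row, unsigned *port, unsigned *state)
{
    return sscanf(row, " %*u: %*8x:%4x %*8x:%*4x %2x", port, state) == 2;
}

/* Set one bit per local port that has a socket in state `want`. */
static void ports_in_state(const char *p, unsigned want, unsigned char set[8192])
{
    unsigned port, state;
    memset(set, 0, 8192);
    for (; p && *p; p = strchr(p, '\n'), p = p ? p + 1 : NULL)
        if (parse_row(p, &port, &state) && state == want)
            set[port >> 3] |= (unsigned char)(1u << (port & 7));
}

/* Ports in state `want` present in `cur` but not in `old`, written to out[]; returns the count. */
static int newly_opened(const char *old, const char *cur, unsigned want, unsigned *out, int max)
{
    unsigned char b[8192], a[8192];
    int n = 0;
    ports_in_state(old, want, b);
    ports_in_state(cur, want, a);
    for (unsigned port = 0; port < 65536 && n < max; port++)
        if (((a[port >> 3] & ~b[port >> 3]) >> (port & 7)) & 1)
            out[n++] = port;
    return n;
}

int main(void)
{
    unsigned out[16];
    for (int i = 0, n = newly_opened(SNAP_BEFORE, SNAP_AFTER, TCP_LISTEN, out, 16); i < n; i++)
        printf("new listening TCP port: %u\n", out[i]);
    return 0;
}
```

On a live host the two snapshots would be successive reads of `/proc/net/tcp` (and `/proc/net/udp` with state `0x07`) taken on a timer.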