Can one retrieve a socket's port from the Linux Kernel data type `struct sock`?

Question

Motivation

I'm trying to write a bpftrace program to trace out when a socket is ready for reading by hooking into the kprobe sock_def_readable. I will get a struct sock to inspect. I'd like to map it back to the socket I created in user-land.

Question

How does one recover the port number from a struct sock?

It would be astonishing if it wasn't in there. Have you considered looking at the definition? — user207421, May 08 '20 at 07:32
I think I can use the `inet_sk(sk)->inet_sport` or `inet_sk(sk)->inet_dport` functions to do it. — Jonathan Fischoff, May 08 '20 at 07:56

score 0 · Accepted Answer · answered May 09 '20 at 06:03

0

I just expanded the definition of inet_sk ... which was merely a cast.

#!/usr/bin/env bpftrace

#include <linux/net/inet_sock.h>

BEGIN
{
    printf("network tracing");
}

kprobe:sock_def_readable
{
  $inet_sock = (struct inet_sock *)arg0;
  printf("sock_def_readable destination port %d, source port %d \n", $inet_sock->inet_sport, $inet_sock->inet_dport);
}

answered May 09 '20 at 06:03

Jonathan Fischoff

1,467
12
22

An annoying thing is the ports are in big endian – Jonathan Fischoff May 09 '20 at 07:31

Can one retrieve a socket's port from the Linux Kernel data type `struct sock`?

1 Answers1