How to View DNS Calls Made by Processes

Linux Network

We had the need at work to monitor the DNS calls made by an application on a RHEL system, in order to establish whether a connection pool config change had taken full effect or whether we had missed a configuration file. The solution was to use SystemTap for this task.

SystemTap (stap) is a scripting language and tool that simplifies the gathering of information about the running Linux system. It allows you to monitor and trace the operation of a Linux kernel.

It should be present on most RHEL server installs, but for other desktop based distros (like Arch), you might need to install it.

Overview

The image below shows the script working and recording DNS lookups from Firefox (note the difference in the number of connections between Google/Yahoo and DuckDuckGo).

Installation

Install systemtap and linux-headers:

pacman -Syu systemtap linux-headers

Initial Config and Test

Because we are trying to figure out how the application makes DNS calls, we need to find where our libc6 library lives so we can probe it for requests (most likely /usr/lib/libc.so.6 on Arch).

pacman -Ql glibc | grep '/libc.*so'
glibc /usr/lib/libc-2.26.so
glibc /usr/lib/libc.so
glibc /usr/lib/libc.so.6
glibc /usr/lib/libcidn-2.26.so
glibc /usr/lib/libcidn.so
glibc /usr/lib/libcidn.so.1
glibc /usr/lib/libcrypt-2.26.so
glibc /usr/lib/libcrypt.so
glibc /usr/lib/libcrypt.so.1

To test it, make sure the probe string process("/usr/lib/libc.so.6") points at the libc6 location on your system, then run the command below:

sudo /usr/bin/stap -e 'probe process("/usr/lib/libc.so.6").function("getaddrinfo") { log(execname()) }'

You may get the following warning when running the script:

WARNING: Kernel function symbol table missing [man warning::symbols]

This is because SystemTap may need a linux-build style System.map file to find the addresses of kernel functions and data. Try the command below to create it by hand:

sudo cp /proc/kallsyms /boot/System.map-`uname -r`

Running It


You can run the script below (or just the stap code) as root to monitor the lookups. Output is displayed on your current terminal, or you can redirect it to a file.

#!/bin/bash

system_stap="/usr/bin/stap"

# Probe every call into getaddrinfo() and print the calling process, its PID
# and the hostname it asked for (first argument, a string in user space).
_getaddrInfo () {
  "$system_stap" -e 'probe process("/usr/lib/libc.so.6").function("getaddrinfo")
{
  printf("| %-15s| %-7d| %-35s |\n", execname(), pid(), user_string(pointer_arg(1)))
}'
}

echo ""
printf "| %-15s| %-7s| %-35s |\n" "Process" "PID" "Destination Name"
echo "|----------------|--------|-------------------------------------|"

# stap keeps running until interrupted; restart it if it ever exits
while true ; do
  _getaddrInfo
done

The same idea as a standalone SystemTap script (RHEL libc path) covering the older gethostbyname family; save it as, for example, gethostbyname.stp and run it with sudo stap gethostbyname.stp:

probe
  process("/lib64/libc.so.6").function("__gethostbyname_r").call,
  process("/lib64/libc.so.6").function("gethostbyname").call,
  process("/lib64/libc.so.6").function("__gethostbyname2_r").call,
  process("/lib64/libc.so.6").function("gethostbyname2").call,
  process("/lib64/libc.so.6").function("__new_gethostbyname2_r").call
{
  # the hostname argument lives in user space, so read it with user_string()
  printf("[%s][%d]->%s\n", execname(), pid(), user_string(pointer_arg(1)))
}

Output:

$ sudo ./getAdreessInfo.sh
[sudo] password for victor:           

| Process        | PID    | Destination Name                    |
|----------------|--------|-------------------------------------|
| WorkerPool/5863| 5104   | adservice.google.ca                 |
| WorkerPool/6005| 5104   | apis.google.com                     |
| WorkerPool/1335| 5104   | clients5.google.com                 |
| WorkerPool/5823| 5104   | notifications.google.com            |
| WorkerPool/1856| 5104   | lh3.googleusercontent.com           |
| WorkerPool/5297| 5104   | ogs.google.com                      |
| WorkerPool/5823| 5104   | www.google.com                      |
| WorkerPool/1335| 5104   | www.gstatic.com                     |
| WorkerPool/5863| 5104   | uaswitcher.org                      |
| WorkerPool/6005| 5104   | fonts.gstatic.com                   |
| WorkerPool/5823| 5104   | play.google.com                     |
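
Once the probe is producing that table, the original question (did every lookup go where the new config says it should?) is answered by post-processing the rows. The script below is an added example, not part of the original post: it summarizes lookups per process and destination and prints any destination that is not on an allow list. It assumes the same row layout the post's script prints, a LIBC variable for the libc path, a DNSMON_LIVE environment flag for running the real stap probe, and constructed sample rows (not real captures) so it can be exercised offline.

```shell
#!/bin/bash
# Added example (not from the original post). Post-processes the
# "| Process | PID | Destination Name |" rows printed by the stap probe.
# The live capture is only started when DNSMON_LIVE=1; otherwise the
# constructed sample rows below are used.

LIBC="${LIBC:-/usr/lib/libc.so.6}"   # /lib64/libc.so.6 on RHEL

# Constructed sample rows in the probe's output format (not real captures).
SAMPLE_ROWS='| Process        | PID    | Destination Name                    |
|----------------|--------|-------------------------------------|
| java           | 4211   | db-primary.internal.example         |
| java           | 4211   | db-primary.internal.example         |
| java           | 4211   | db-old.internal.example             |
| curl           | 4399   | www.example.com                     |'

# Read rows on stdin, print "count process destination", most frequent first.
summarize_lookups() {
  awk -F'|' '
    /^\| *Process/ || /^\|-/ { next }          # skip header and separator
    NF >= 4 {
      gsub(/^ +| +$/, "", $2); gsub(/^ +| +$/, "", $4)
      if ($4 != "") count[$2 " " $4]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2
}

# Read rows on stdin, print "process destination" for every destination
# that is not in the space-separated allow list given as $1. Empty output
# means every observed lookup was expected.
unexpected_lookups() {
  allow="$1"
  awk -F'|' -v allow="$allow" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^\| *Process/ || /^\|-/ { next }
    NF >= 4 {
      gsub(/^ +| +$/, "", $2); gsub(/^ +| +$/, "", $4)
      if ($4 != "" && !($4 in ok)) print $2, $4
    }
  ' | sort -u
}

# Live capture: the same getaddrinfo probe as the post, reading the
# user-space hostname argument with user_string().
run_live() {
  sudo /usr/bin/stap -e "probe process(\"$LIBC\").function(\"getaddrinfo\") {
    printf(\"| %-15s| %-7d| %-35s |\\n\", execname(), pid(), user_string(pointer_arg(1)))
  }"
}

if [ "${DNSMON_LIVE:-0}" = "1" ]; then
  run_live
else
  printf '%s\n' "$SAMPLE_ROWS" | summarize_lookups
  echo "--- not in allow list:"
  printf '%s\n' "$SAMPLE_ROWS" | unexpected_lookups "db-primary.internal.example www.example.com"
fi
```

To use it on a real capture, run the post's script with its output redirected to a file and pipe that file into summarize_lookups or unexpected_lookups; the allow list is the set of hostnames the new connection pool configuration is supposed to use, so any line printed by unexpected_lookups points at a process still resolving an old name.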

Closing Notes


The uses for SystemTap are very wide and diverse. You will be able to find great tutorials and documentation online. I’m also providing a few links below to some great documentation to get you started.

Bash Special Parameters

Bash Linux

Special parameters are set by the shell to store information about aspects of its current state, such as the number of arguments and the exit code of the last command. Special parameters can only be referenced; they cannot have values assigned to them.

Special parameters are: $*, $@, $#, $$, $!, $?, $0, $-, $_

Parameter   Definition
$*          List of arguments (as a string)
$@          List of arguments (as an array)
$#          Number of positional parameters
$$          PID of the current shell
$!          PID of the last command executed in the background
$?          Exit code of the last-executed command
$0          Path to the currently running script
$-          Current shell option flags
$_          Last argument of the previous command
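
As an added example (not part of the original post), the script below exercises each parameter from the table so the values can be checked rather than just read about; in particular it makes the "$*" versus "$@" difference visible. Function names are my own; the background job is a constructed one with a chosen exit status.

```shell
#!/bin/bash
# Added example (not from the original post): exercise the special
# parameters $*, $@, $#, $?, $!, $$, $0, $- and $_.

# "$*" joins all arguments into ONE word (separated by the first character
# of IFS); "$@" keeps each argument as a separate word.
count_words_star() { set -- "$*"; echo "$#"; }
count_words_at()   { set -- "$@"; echo "$#"; }

# $# is the number of positional parameters.
count_args() { echo "$#"; }

# $? is the exit status of the last command. Read it in the same statement
# that needs it; any later command overwrites it.
exit_status_of() {
  if "$@" >/dev/null 2>&1; then echo 0; else echo "$?"; fi
}

# $! is the PID of the most recent background job. Waiting on that PID
# yields the job's exit status, so both parameters can be checked together.
background_exit_status() {
  sh -c "exit $1" &            # constructed background job with a chosen status
  bg="$!"
  [ "$bg" -gt 0 ] || { echo "no pid"; return 1; }
  if wait "$bg"; then echo 0; else echo "$?"; fi
}

# $- holds the letters of the currently active shell options.
has_flag() { case "$-" in *"$1"*) echo yes ;; *) echo no ;; esac; }

# $_ is the last argument of the previous command (bash; not in every sh).
last_arg_demo() { : first second third; echo "$_"; }

echo "script path (\$0): $0"
echo "shell PID (\$\$): $$"
echo "\"\$*\" words for (a, 'b c'): $(count_words_star a 'b c')"   # 1
echo "\"\$@\" words for (a, 'b c'): $(count_words_at a 'b c')"     # 2
echo "\$# for (x y z): $(count_args x y z)"                        # 3
echo "\$? after 'false': $(exit_status_of false)"                  # 1
echo "background job status via \$! and wait: $(background_exit_status 3)"  # 3
echo "errexit (e) active in \$-: $(has_flag e)"
echo "\$_ after ': first second third': $(last_arg_demo)"
```

The "$*" result is the one that bites in scripts that forward arguments to another command: a filename containing a space arrives as two arguments unless "$@" is used.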

Atom as Markdown Editor

Markdown

I have been looking for a good Markdown editor for quite a while, and after a lot of research, I finally found one.

Some of the key features that were very important to me on a Markdown editor were:

  • Live preview
  • File browser (sidebar)
  • GitHub flavored
  • Fast and non-laggy preview

And not surprisingly, Atom from GitHub was my solution.


You might also want to:

  • Change the preferences of the already installed package markdown-preview to GitHub flavored
  • Install the markdown-preview-auto-open package:

apm install markdown-preview-auto-open

Gnome Touchpad Settings Missing in Arch Xps 13

Linux Arch Hardware

I had an issue where the Gnome extension ‘Touchpad Indicator’ stopped working on my XPS 13 (Arch). After looking a bit further, it seems that the Gnome Touchpad settings had also stopped working. All I could see was the mouse settings, and the touchpad section was completely gone.


Solution:

With Gnome 3.20, xf86-input-synaptics is no longer supported, and you should use xf86-input-libinput instead.

You can check what is installed on your Arch system with pacman -Q | grep input. In my case, I had both packages installed:

$ pacman -Q | grep input
inputproto 2.3.2-1
libinput 1.8.2-1
xf86-input-libinput 0.26.0-1
xf86-input-synaptics 1.9.0-1
xorg-xinput 1.6.2-1

Remove xf86-input-synaptics and any configuration file (like /etc/X11/xorg.conf.d/50-synaptics.conf), install xf86-input-libinput and reboot. That should get your configuration working again.

Additional Status for Vim With Powerline

vim bash Linux

Would you like to have more information displayed while reading files in VIM? Powerline is a great utility for that.


In its default config, it displays:

  • Current mode (normal, insert, visual)
  • Git branch
  • File name
  • File encoding
  • Script type
  • File view percentage
  • Line number

To install it:

Arch:

sudo pacman -S python-powerline powerline

Add the line below to your ~/.vimrc

set laststatus=2

Note: If you get the error below:

Traceback (most recent call last):
  File "<string>", line 9, in <module>
ImportError: No module named powerline.vim
An error occurred while importing powerline module.
This could be caused by invalid sys.path setting,
or by an incompatible Python version (powerline requires
Python 2.6, 2.7 or 3.2 and later to work). Please consult
the troubleshooting section in the documentation for
possible solutions.
If powerline on your system is installed for python 3 only you
should set g:powerline_pycmd to "py3" to make it load correctly.
Unable to import powerline, is it installed?
Press ENTER or type command to continue

Modify either ~/.vimrc (or /etc/vimrc if you want the fix available for multiple users) by adding the line below:

let g:powerline_pycmd = 'py3'

Ubuntu 16.04

Use Python 3

code with