Problem with dtrace and function parameters
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 22 Feb 2024 00:53:17 UTC
Concerning PR 269770, I am trying to watch what is going in and
out of my libalias. So I am looking at this function in alias_db.c:
> struct alias_link *
> AddLink(struct libalias *la, struct in_addr src_addr, struct in_addr dst_addr,
> struct in_addr alias_addr, u_short src_port, u_short dst_port,
> int alias_port_param, int link_type)
> {
I cannot read args[1], because when I'm doing
> printf("%d", args[1].s_addr)
that is understood, but then:
> dtrace: error on enabled probe ID 1 (ID 49947:
> fbt:kernel:AddLink:entry): invalid address (0x<my ip address>)
> in action #4 at DIF offset 8
Actually my IP address is not invalid, but dtrace seems to have
difficulties understanding the difference between an IP address
and a memory address. ;)
So I started to do it in the brute way (linefeeds inserted for readability):
# dtrace -n 'AddLink:entry { printf("%s %d %d
(src_port %d) (dst_port %d) (alias_p %d) (link_type %d)
(src_addr %d.%d.%d.%d %d.%d.%d.%d)
(dst_addr %d.%d.%d.%d %d.%d.%d.%d)
(alias_addr %d.%d.%d.%d %d.%d.%d.%d)
(src_port %d.%d.%d.%d %d.%d.%d.%d)
(dst_port %d.%d.%d.%d %d.%d.%d.%d)
(alias_port_param %d.%d.%d.%d %d.%d.%d.%d)
(link_type %d.%d.%d.%d %d.%d.%d.%d)
(unused %d.%d.%d.%d %d.%d.%d.%d)
(unused %d.%d.%d.%d %d.%d.%d.%d)",
execname, walltimestamp/1000000000, args[0]->udpLinkCount,
args[4],args[5], args[6], args[7],
arg1/4294967296%256, arg1/4294967296/256%256,
arg1/4294967296/65536%256, arg1/4294967296/16777216,
arg1%256, arg1/256%256, arg1/65536%256, arg1/16777216,
arg2/4294967296%256, arg2/4294967296/256%256,
arg2/4294967296/65536%256, arg2/4294967296/16777216,
arg2%256, arg2/256%256, arg2/65536%256, arg2/16777216,
arg3/4294967296%256, arg3/4294967296/256%256,
arg3/4294967296/65536%256, arg3/4294967296/16777216,
arg3%256, arg3/256%256, arg3/65536%256, arg3/16777216,
arg4/4294967296%256, arg4/4294967296/256%256,
arg4/4294967296/65536%256, arg4/4294967296/16777216,
arg4%256, arg4/256%256, arg4/65536%256, arg4/16777216,
arg5/4294967296%256, arg5/4294967296/256%256,
arg5/4294967296/65536%256, arg5/4294967296/16777216,
arg5%256, arg5/256%256, arg5/65536%256, arg5/16777216,
arg6/4294967296%256, arg6/4294967296/256%256,
arg6/4294967296/65536%256, arg6/4294967296/16777216,
arg6%256, arg6/256%256, arg6/65536%256, arg6/16777216,
arg7/4294967296%256, arg7/4294967296/256%256,
arg7/4294967296/65536%256, arg7/4294967296/16777216,
arg7%256, arg7/256%256, arg7/65536%256, arg7/16777216,
arg8/4294967296%256, arg8/4294967296/256%256,
arg8/4294967296/65536%256, arg8/4294967296/16777216,
arg8%256, arg8/256%256, arg8/65536%256, arg8/16777216,
arg9/4294967296%256, arg9/4294967296/256%256,
arg9/4294967296/65536%256, arg9/4294967296/16777216,
arg9%256, arg9/256%256, arg9/65536%256, arg9/16777216); }
Now the output looks like this, and while the IP addresses are fine,
the remainder is obviousely bogus, and seems neither to resolve
via network byte order nor via 64-32 bit conversions to anything
useful - and no, these numbers do not make more sense when casting
all to unsigned, they only look better.
AddLink:entry openvpn 1708539730 2
(src_port 20931) (dst_port 46672) (alias_p 70) (link_type -2045910784)
(src_addr 0.0.0.0 <my ip address>)
(dst_addr 0.0.0.0 46.17.96.38)
(alias_addr 0.0.0.0 <my ip address>)
(src_port 0.0.0.0 195.81.0.0)
(dst_port -254.-1.0.0 -176.-73.-201.-130577)
(alias_port_param 0.0.0.0 70.0.0.0)
(link_type -253.-7.0.0 0.-31.-242.-523641)
(unused 0.0.0.0 <my ip address>)
(unused 0.0.0.0 46.17.96.38)
BTW, this is the packet concerned:
ipfw-oper: 2422 Count TCP 46.17.96.38:55812 <my ip address>:50001 in via tun3
The last parameter that makes sense here is the src_port, apparently in
network order. Everything afterwards seems to be just crap.
Any ideas why, anybody?