How to identify which process the received TCP traffic belongs to with DTrace on macOS

Question

As can be seen here we have PID available on send but not receive. How to limit the probes to connections owned/initiated by a particular process?

sudo dtrace -n 'tcp:::receive, tcp:::send { printf("PID = %d, arg1 == %x", pid, arg1); }'
dtrace: description 'tcp:::receive, tcp:::send ' matched 2 probes
CPU     ID                    FUNCTION:NAME
  6   1571                  tcp_output:send PID = 13507, arg1 == ffffff80664413c0
  0   1574                tcp_input:receive PID = 0, arg1 == 0
  0   1574                tcp_input:receive PID = 0, arg1 == 0
  6   1571                  tcp_output:send PID = 13507, arg1 == ffffff80664f6fd8
  6   1574                tcp_input:receive PID = 0, arg1 == 0
  6   1574                tcp_input:receive PID = 0, arg1 == 0
  2   1571                  tcp_output:send PID = 0, arg1 == ffffff80664f9678
  4   1571                  tcp_output:send PID = 13511, arg1 == ffffff80664413c0
  6   1574                tcp_input:receive PID = 0, arg1 == 0
  6   1574                tcp_input:receive PID = 0, arg1 == 0
  6   1571                  tcp_output:send PID = 13511, arg1 == ffffff8057ee7678
  6   1574                tcp_input:receive PID = 0, arg1 == 0
  6   1574                tcp_input:receive PID = 0, arg1 == 0
  4   1574                tcp_input:receive PID = 0, arg1 == 0
  4   1571                  tcp_output:send PID = 0, arg1 == ffffff806c2b9d18
  4   1574                tcp_input:receive PID = 0, arg1 == 0
  4   1571                  tcp_output:send PID = 0, arg1 == ffffff806c2b9d18
  4   1574                tcp_input:receive PID = 0, arg1 == 0
  4   1571                  tcp_output:send PID = 0, arg1 == ffffff806c2b9d18
  6   1571                  tcp_output:send PID = 851, arg1 == ffffff806c2b9d18
  6   1571                  tcp_output:send PID = 851, arg1 == ffffff806c2b9d18
  6   1571                  tcp_output:send PID = 851, arg1 == ffffff806c2b9d18
  0   1574                tcp_input:receive PID = 0, arg1 == 0
  0   1574                tcp_input:receive PID = 0, arg1 == 0

On solaris the second argument args[1] would be a pointer to a csinfo_t containing all the information I need but on Mac OS it's always null. Solaris arguments are described on the following link https://docs.oracle.com/cd/E36784_01/html/E36846/glhmv.html

I'm using macOS 10.13.6

This looks like the TCP receive dTrace probe: https://github.com/apple/darwin-xnu/blob/0a798f6738bc1db01281fc08ae024145e84df927/bsd/netinet/tcp_input.c#L1976 It looks like `arg2` might be what you're looking for, as this code appears to translate the `inpcb` structure to a `csinfo_t`: https://github.com/apple/darwin-xnu/blob/5394bb038891708cd4ba748da79b90a33b19f82e/bsd/dev/dtrace/scripts/ip.d#L50 — Andrew Henle, Jul 17 '18 at 09:37

How to identify which process the received TCP traffic belongs to with DTrace on macOS

0 Answers0