From 08207d77be79afc6f75d1611726b92bdf622717f Mon Sep 17 00:00:00 2001 From: We-unite <3205135446@qq.com> Date: Mon, 2 Sep 2024 16:45:07 +0800 Subject: Show filt result in tree&json, fix sth in listener In the listener, I change the order coroutines are started to avoid 'send on a closed channel'. Besides, the method to get syscall names and numbers are not so universial, so let's go back to check unistd.h. In the filter, the output is set to be written to ./log dir. Pid tree are shown in logs/tree.log, and detail info in pids.log, while file info in the logs/files.log. tree.log shows a tree just like `tree` command, the other two files are written in json. What's more, the flags while opening files are also checked ans showed in files.log. --- filter/global.go | 73 ++++++++++++++++++++++++++++++++++---------------------- 1 file changed, 44 insertions(+), 29 deletions(-) (limited to 'filter/global.go')
diff --git a/filter/global.go b/filter/global.go
index bade895..7ba3fc1 100644
--- a/filter/global.go
+++ b/filter/global.go
@@ -1,39 +1,40 @@
 package main
 import (
+ "encoding/json"
 "fmt"
 "time"
 )
 type Exec struct {
- Timestamp time.Time `bson:"timestamp"`
- ExecArgs []string `bson:"execArgs"`
+ Timestamp time.Time `bson:"timestamp" json:"timestamp"`
+ ExecArgs []string `bson:"execArgs" json:"execArgs"`
 }
 type Process struct {
- Star bool `bson:"star"`
- StartTimestamp time.Time `bson:"start_timestamp"`
- Ppid int `bson:"ppid"`
- ParentTgid int `bson:"parentTgid"`
- Pid int `bson:"pid"`
- Tgid int `bson:"tgid"`
- Args []string `bson:"args"`
- Comm string `bson:"comm"`
- RootFS string `bson:"rootfs"`
- Cwd string `bson:"cwd"`
- Children []int `bson:"children"`
- DockerId string `bson:"docker_id"`
- Execve []Exec `bson:"execve"`
- ExitCode int `bson:"exit_code"`
- ExitSignal int `bson:"exit_signal"`
- ExitTimestamp time.Time `bson:"exit_timestamp"`
+ Star bool `bson:"star" json:"star"`
+ StartTimestamp time.Time `bson:"start_timestamp" json:"start_timestamp"`
+ Ppid int `bson:"ppid" json:"ppid"`
+ ParentTgid int `bson:"parentTgid" json:"parentTgid"`
+ Pid int `bson:"pid" json:"pid"`
+ Tgid int `bson:"tgid" json:"tgid"`
+ Args []string `bson:"args" json:"args"`
+ Comm string `bson:"comm" json:"comm"`
+ RootFS string `bson:"rootfs" json:"rootfs"`
+ Cwd string `bson:"cwd" json:"cwd"`
+ Children []int `bson:"children" json:"children"`
+ DockerId string `bson:"docker_id" json:"docker_id"`
+ Execve []Exec `bson:"execve" json:"execve"`
+ ExitCode int `bson:"exit_code" json:"exit_code"`
+ ExitSignal int `bson:"exit_signal" json:"exit_signal"`
+ ExitTimestamp time.Time `bson:"exit_timestamp" json:"exit_timestamp"`
 }
 type tgidNode struct {
- Tgid int `bson:"tgid"`
- FindPid map[int]int `bson:"findPid"`
- Threads []Process `bson:"threads"`
- ChildTgid []int `bson:"child_tgid"`
+ Tgid int `bson:"tgid" json:"tgid"`
+ FindPid map[int]int `bson:"findPid" json:"findPid"`
+ Threads []Process `bson:"threads" json:"threads"`
+ ChildTgid []int `bson:"child_tgid" json:"child_tgid"`
 }
 func (p Process) String() string {
@@ -80,13 +81,27 @@ func (node tgidNode) String() string {
 }
 type File struct {
- OpenTimestamp time.Time `bson:"timestamp"`
- FileName string `bson:"fileName"`
- Pid int `bson:"pid"`
- Fd int `bson:"fd"`
- Flags [4]uint64 `bson:"flags"`
- Written []time.Time `bson:"written"`
- CloseTimestamp time.Time `bson:"close_timestamp"`
+ OpenTimestamp time.Time `bson:"timestamp" json:"timestamp"`
+ FileName string `bson:"fileName" json:"fileName"`
+ Pid int `bson:"pid" json:"pid"`
+ Fd int `bson:"fd" json:"fd"`
+ Flags [4]uint64 `bson:"flags" json:"flags"`
+ Written []time.Time `bson:"written" json:"written"`
+ CloseTimestamp time.Time `bson:"close_timestamp" json:"close_timestamp"`
+}
+
+func (f File) MarshalJSON() ([]byte, error) {
+ type Alias File // 使用别名避免递归调用
+
+ return json.Marshal(&struct {
+ Alias
+ Flags0 string `json:"FileNamePointer"`
+ Flags1 string `json:"FileFlags"`
+ }{
+ Alias: Alias(f),
+ Flags0: fmt.Sprintf("%#012x", f.Flags[0]), // flags[0] 转换为小写16进制
+ Flags1: parseFlags(f.Flags[1]), // flags[1] 解析为字符串
+ })
 }
 // Queue 定义一个队列结构体
-- cgit v1.2.3-70-g09d2
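Review bot: The keys `FileNamePointer` and `FileFlags` added in MarshalJSON break the naming used by every other json tag in this file (`fileName`, `close_timestamp`), and because the embedded `Alias` still carries `Flags [4]uint64` tagged `json:"flags"`, the raw array is written next to the decoded values; if that duplication is not wanted, shadow it in the anonymous struct with `Flags *struct{}` tagged `json:"flags,omitempty"` so the nil pointer drops the key. `parseFlags` is not defined anywhere in this diff, so presumably it arrives in another file of the commit; only `Flags[1]` is decoded, and the key name suggests `Flags[0]` is a raw user-space address, which is of little forensic value once the process has exited, so a comment saying why it is kept would help. The exported method has no doc comment and its three inline comments are in Chinese; add `// MarshalJSON emits File with Flags[0] rendered as a hex string and Flags[1] decoded by parseFlags.` and translate the inline ones (e.g. `// alias avoids recursing into MarshalJSON`).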