| Trees | Indices | Help |
|
|---|
|
|
Provides human-readable accessors for sockets of the more common AFs.
This class has two basic ways of getting information. Most attributes are computed using the method fill_socketinfo, which is directly adapted from the kernel function of the same name. For the few things that fill_socketinfo doesn't care about, the properties themselves get the data and provide references to the kernel source for anyone wondering why and how all this works.
| Nested Classes | |
|
__metaclass__ Give each object a unique ID. (Inherited from rekall.obj.BaseObject) |
|
| Instance Methods | |||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
Inherited from |
|||
| Class Methods | |||
|
|||
| Class Variables | |
cached_socketinfo = Nonehash(x) |
|
obj_name = <No name>
(Inherited from rekall.obj.BaseObject)
|
|
obj_parent = <No parent>
(Inherited from rekall.obj.BaseObject)
|
|
obj_producers = Nonehash(x) (Inherited from rekall.obj.BaseObject) |
|
| Properties | |
|
src_addr For IPv[46] sockets, return source IP as string. |
|
|
dst_addr For IPv[46] sockets, return destination IP as string. |
|
|
addressing_family The Addressing Family corresponds roughly to OSI layer 3. |
|
| tcp_state | |
|
vnode For Unix sockets, pointer to vnode, if any. |
|
|
unp_conn For Unix sockets, the pcb of the paired socket. |
|
| src_port | |
| dst_port | |
| l4_protocol | |
| unix_type | |
| human_name | |
| human_type | |
|
indices Returns (usually 1) representation(s) of self usable as dict keys. (Inherited from rekall.obj.Struct) |
|
| obj_end (Inherited from rekall.obj.BaseObject) | |
| obj_size (Inherited from rekall.obj.Struct) | |
|
parents Returns all the parents of this object. (Inherited from rekall.obj.BaseObject) |
|
|
Inherited from |
|
| Method Details |
Computes information about sockets of some addressing families. This function is directly adapted from the kernel function fill_socketinfo [1]. The original function is used to fill a struct with addressing and other useful information about sockets of a few key addressing families. All families are supported, but only the following will return useful information: - AF_INET (IPv4) - AF_INET6 (IPv6) - AF_UNIX (Unix socket) - AF_NDRV (Network driver raw access) - AF_SYSTEM (Darwin-specific; see documentation [3]) Differences between the kernel function and this adaptation: - The kernel uses Protocol Families (prefixed with PF_). Rekall relies on Addressing Families (AF_) which are exactly the same. - The kernel fills a struct; this function returns a dict with the same members. - The kernel returns the data raw. This function converts endianness and unions to human-readable representations, as appropriate. - Only a subset of members are filled in. - Other differences as documented in code. Returns: A dict with the same members as struct socket_info and related. Only member that's always filled is "soi_kind". That's not Spanish, but one of the values in this anonymous enum [2], which determines what other members are present. (Read the code.) [1] https://github.com/opensource-apple/xnu/blob/10.9/bsd/kern/socket_info.c#L98 [2] https://github.com/opensource-apple/xnu/blob/10.9/bsd/sys/proc_info.h#L503 [3] "KEXT Controls and Notifications" https://developer.apple.com/library/mac/documentation/Darwin/Conceptual/NKEConceptual/control/control.html |
| Property Details |
src_addrFor IPv[46] sockets, return source IP as string.
|
dst_addrFor IPv[46] sockets, return destination IP as string.
|
addressing_familyThe Addressing Family corresponds roughly to OSI layer 3.
|
tcp_state
|
vnodeFor Unix sockets, pointer to vnode, if any. This is the same way that OS gathers this information in response to syscall [1] (this is the API used by netstat, among others). 1: https://github.com/opensource-apple/xnu/blob/10.9/bsd/kern/uipc_usrreq.c#L1683
|
unp_connFor Unix sockets, the pcb of the paired socket. [1] You most likely want to do sock.conn_pcb.unp_socket to get at the other socket in the pair. However, because the sockets are paired through the protocol control block, it's actually useful to have a direct pointer at it in order to be able to spot paired sockets. 1: https://github.com/opensource-apple/xnu/blob/10.9/bsd/sys/unpcb.h#L128
|
src_port
|
dst_port
|
l4_protocol
|
unix_type
|
human_name
|
human_type
|
| Trees | Indices | Help |
|
|---|
| Generated by Epydoc 3.0.1 on Mon Oct 9 03:28:32 2017 | http://epydoc.sourceforge.net |