Merge pull request #3 from carlosotgz/improved-conn-parsing

Improved connection parsing
evilsocket · Apr 18, 2017 · 99009b9 · 99009b9
2 parents 06f28fb + e3d376b
commit 99009b9
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 68 deletions.
diff --git a/opensnitch/connection.py b/opensnitch/connection.py
@@ -16,7 +16,7 @@
 # program. If not, go to http://www.gnu.org/licenses/gpl.html
 # or write to the Free Software Foundation, Inc.,
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-from opensnitch.proc import get_process_name_by_connection 
+from opensnitch.proc import get_pid_by_connection
 from opensnitch.app import Application 
 from dpkt import ip
 from socket import inet_ntoa, getservbyport
@@ -48,11 +48,11 @@ def __init__( self, payload ):
             except:
                 self.service = None
 
-            self.pid, self.app_path = get_process_name_by_connection( self.src_addr, 
-                                                                      self.src_port,
-                                                                      self.dst_addr, 
-                                                                      self.dst_port, 
-                                                                      self.proto )
+            self.pid, self.app_path = get_pid_by_connection( self.src_addr,
+                                                             self.src_port,
+                                                             self.dst_addr,
+                                                             self.dst_port,
+                                                             self.proto )
             self.app = Application( self.pid, self.app_path )
 
     def get_app_name(self):

diff --git a/opensnitch/proc.py b/opensnitch/proc.py
@@ -16,66 +16,24 @@
 # program. If not, go to http://www.gnu.org/licenses/gpl.html
 # or write to the Free Software Foundation, Inc.,
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-import re
-import glob
 import os
 import logging
-
-def hex2address(address):
-    hex_addr, hex_port = address.split(':')
-
-    octects = [ hex_addr[i:i+2] for i in range(0, len(hex_addr), 2 ) ]
-    octects.reverse()
-
-    addr = ".".join(map(lambda x: str(int(x, 16)), octects))
-    port = int(hex_port, 16)
-
-    return (addr, port)
-
-def get_pid_of_inode(inode):
-    inode = int(inode)
-    sname = 'socket:[%d]' % inode
-    for fd_file in glob.glob('/proc/[0-9]*/fd/[0-9]*'):
-        try:
-            link = os.readlink(fd_file)
-            if sname == link:
-                return fd_file.split('/')[2]
-        except:
-            pass
-
-    logging.warning( "Could not find pid of inode %d" % inode )
-
-    return None
-
-# TODO: Implement a cleaner and faster /proc/net/(tcp|udp) parsing.
-def get_process_name_by_connection( src_addr, src_p, dst_addr, dst_p, proto = 'tcp' ):
-    filename = "/proc/net/%s" % proto
-    with open( filename, 'rt' ) as fd:
-        for line in fd:
-            line = line.strip()
-            if line.startswith('sl'):
-                continue
-
-            parts = line.split()
-            src   = parts[1]
-            dst   = parts[2]
-            uid   = parts[6]
-            inode = parts[9]
-
-            src_ip, src_port = hex2address( src )
-            dst_ip, dst_port = hex2address( dst )
-
-            if src_ip == src_addr and src_port == src_p and dst_ip == dst_addr and dst_port == dst_p:
-                pid = get_pid_of_inode(inode)
-                if pid is not None:
-                    return ( pid, os.readlink( "/proc/%s/exe" % pid ) )
-
-    logging.warning( "Could not find process for %s connection %s:%s -> %s:%s inside %s" % (
-                     proto,
-                     src_addr,
-                     src_p,
-                     dst_addr,
-                     dst_p,
-                     filename ) )
-
-    return ( None, "Unknown" )
+import psutil
+
+def get_pid_by_connection( src_addr, src_p, dst_addr, dst_p, proto = 'tcp' ):
+    connections_list = [connection for connection in psutil.net_connections(kind=proto) if connection.laddr==(src_addr, src_p) and connection.raddr==(dst_addr, dst_p)]
+
+    # We always take the first element as we assume it contains only one, because
+    # it should not be possible to keep two connections which are exactly the same.
+    if connections_list:
+        pid = connections_list[0][-1]
+        return ( pid, os.readlink( "/proc/%s/exe" % pid ) )
+    else:
+        logging.warning( "Could not find process for %s connection %s:%s -> %s:%s" % (
+                         proto,
+                         src_addr,
+                         src_p,
+                         dst_addr,
+                         dst_p) )
+
+        return ( None, "Unknown" )
diff --git a/setup.py b/setup.py
@@ -36,5 +36,5 @@
        scripts              = [ 'bin/opensnitch' ],
        license              = 'GPL',
        zip_safe             = False,
-       install_requires     = [ 'scapy', 'easygui', 'dpkt', 'NetfilterQueue' ]
+       install_requires     = [ 'scapy', 'easygui', 'dpkt', 'NetfilterQueue', 'psutil' ]
 )