Listing 5. Network Monitoring
// This defines subroutine (function) named doit
function doit {
// Log PID of process which is using network
log "Process pid is using network ";
// Here you can (dis)allow network connection,
// change capabilities ....
}
// when syscall event raised
on syscall {
if (action == 102) { // If it's
// socketcall, see man 2
// socketcall
if ( trace1 == 1 /* SYS_SOCKET */
and lpeek trace2 $x /* verify_area() */
and $x == 2 /* PF_INET */
)
{
// It's opening inet socket => call function doit
doit;
}
else // Other syscalls are not interesting =>
// switch off tracing for
them
trace_off action;
}