Version: v0.9.3 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Aug 4, 2022 License: AGPL-3.0 Imports: 30 Imported by: 0



Package process fetches process and socket information from the operating system. It can find the process owning a network connection.



View Source
const (
	// UndefinedProcessID is not used by any (virtual) process and signifies that
	// the PID is unset.
	UndefinedProcessID = -1

	// UnidentifiedProcessID is the PID used for outgoing connections that could
	// not be attributed to a PID for any reason.
	UnidentifiedProcessID = -2

	// UnsolicitedProcessID is the PID used for incoming connections that could
	// not be attributed to a PID for any reason.
	UnsolicitedProcessID = -3

	// NetworkHostProcessID is the PID used for requests served to the network.
	NetworkHostProcessID = -255
View Source
const SystemProcessID = 0

SystemProcessID is the PID of the System/Kernel itself.


View Source
var (
	CfgOptionEnableProcessDetectionKey = "core/enableProcessDetection"

Configuration Keys.


func All

func All() map[int]*Process

All returns a copy of all process objects.

func CleanProcessStorage

func CleanProcessStorage(activePIDs map[int]struct{})

CleanProcessStorage cleans the storage from old processes.

func SetDBController

func SetDBController(controller *database.Controller)

SetDBController sets the database controller and allows the package to push database updates on a save. It must be set by the package that registers the "network" database.


type Process

type Process struct {

	Name      string
	UserID    int
	UserName  string
	UserHome  string
	Pid       int
	ParentPid int
	Path      string
	ExecName  string
	Cwd       string
	CmdLine   string
	FirstArg  string

	// SpecialDetail holds special information, the meaning of which can change
	// based on any of the previous attributes.
	SpecialDetail string

	// PrimaryProfileID holds the scoped ID of the primary profile.
	PrimaryProfileID string

	FirstSeen int64
	LastSeen  int64
	Error     string // Cache errors

	ExecHashes map[string]string
	// contains filtered or unexported fields

A Process represents a process running on the operating system.

func GetNetworkHost added in v0.6.5

func GetNetworkHost(ctx context.Context, remoteIP net.IP) (process *Process, err error)

GetNetworkHost returns a *Process that represents a host on the network.

func GetOrFindProcess

func GetOrFindProcess(ctx context.Context, pid int) (*Process, error)

GetOrFindProcess returns the process for the given PID.

func GetProcessByConnection added in v0.4.4

func GetProcessByConnection(ctx context.Context, pktInfo *packet.Info) (process *Process, connInbound bool, err error)

GetProcessByConnection returns the process that owns the described connection.

func GetProcessByRequestOrigin added in v0.9.1

func GetProcessByRequestOrigin(ar *api.Request) (*Process, error)

GetProcessByRequestOrigin returns the process that initiated the API request ar.

func GetProcessFromStorage

func GetProcessFromStorage(pid int) (*Process, bool)

GetProcessFromStorage returns a process from the internal storage.

func GetSystemProcess added in v0.4.1

func GetSystemProcess(ctx context.Context) *Process

GetSystemProcess returns the special process used for the Kernel.

func GetUnidentifiedProcess added in v0.4.1

func GetUnidentifiedProcess(ctx context.Context) *Process

GetUnidentifiedProcess returns the special process assigned to non-attributed outgoing connections.

func GetUnsolicitedProcess added in v0.8.6

func GetUnsolicitedProcess(ctx context.Context) *Process

GetUnsolicitedProcess returns the special process assigned to non-attributed incoming connections.

func (*Process) Delete

func (p *Process) Delete()

Delete deletes a process from the storage and propagates the change.

func (*Process) Equal added in v0.8.13

func (p *Process) Equal(other *Process) bool

Equal returns if the two processes are both identified and have the same PID.

func (*Process) GetExecHash

func (p *Process) GetExecHash(algorithm string) (string, error)

GetExecHash returns the hash of the executable with the given algorithm.

func (*Process) GetLastSeen added in v0.6.0

func (p *Process) GetLastSeen() int64

GetLastSeen returns the unix timestamp when the process was last seen.

func (*Process) GetProfile added in v0.4.0

func (p *Process) GetProfile(ctx context.Context) (changed bool, err error)

GetProfile finds and assigns a profile set to the process.

func (*Process) IsIdentified added in v0.8.13

func (p *Process) IsIdentified() bool

IsIdentified returns whether the process has been identified or if it represents some kind of unidentified process.

func (*Process) IsSystemResolver added in v0.6.7

func (p *Process) IsSystemResolver() bool

IsSystemResolver is a shortcut to check if the process is or belongs to the system resolver and needs special handling.

func (*Process) Profile added in v0.4.0

func (p *Process) Profile() *profile.LayeredProfile

Profile returns the assigned layered profile.

func (*Process) Save

func (p *Process) Save()

Save saves the process to the internal state and pushes an update.

func (*Process) SetLastSeen added in v0.6.0

func (p *Process) SetLastSeen(lastSeen int64)

SetLastSeen sets the unix timestamp when the process was last seen.

func (*Process) String

func (p *Process) String() string

String returns a string representation of process.

func (*Process) UpdateProfileMetadata added in v0.6.3

func (p *Process) UpdateProfileMetadata()

UpdateProfileMetadata updates the metadata of the local profile as required.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL