Documentation

Overview

Package process fetches process and socket information from the operating system. It can find the process owning a network connection.

Constants

    const (
    	// UnidentifiedProcessID is the PID used for anything that could not be
    	// attributed to a PID for any reason.
    	UnidentifiedProcessID = -1

    	// NetworkHostProcessID is the PID used for requests served to the network.
    	NetworkHostProcessID = -255
    )

    const SystemProcessID = 0

SystemProcessID is the PID of the System/Kernel itself.

Variables

    var (
    	CfgOptionEnableProcessDetectionKey = "core/enableProcessDetection"
    )

Configuration Keys.

Functions

func All

    func All() map[int]*Process

All returns a copy of all process objects.

func CleanProcessStorage

    func CleanProcessStorage(activePIDs map[int]struct{})

CleanProcessStorage cleans the storage from old processes.

func SetDBController

    func SetDBController(controller *database.Controller)

SetDBController sets the database controller and allows the package to push database updates on a save. It must be set by the package that registers the "network" database.

Types

type Process

    type Process struct {
    	record.Base
    	sync.Mutex

    	Name      string
    	UserID    int
    	UserName  string
    	UserHome  string
    	Pid       int
    	ParentPid int
    	Path      string
    	ExecName  string
    	Cwd       string
    	CmdLine   string
    	FirstArg  string

    	LocalProfileKey string

    	FirstSeen int64
    	LastSeen  int64
    	Error     string // Cache errors

    	ExecHashes map[string]string
    	// contains filtered or unexported fields
    }

A Process represents a process running on the operating system.

func GetNetworkHost

    func GetNetworkHost(ctx context.Context, remoteIP net.IP) (process *Process, err error)

func GetOrFindProcess

    func GetOrFindProcess(ctx context.Context, pid int) (*Process, error)

GetOrFindProcess returns the process for the given PID.

func GetProcessByConnection

    func GetProcessByConnection(ctx context.Context, pktInfo *packet.Info) (process *Process, connInbound bool, err error)

GetProcessByConnection returns the process that owns the described connection.
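
An added example, not code from this package: one common way on Linux to resolve a connection to its owning process, the task the overview and GetProcessByConnection describe. The page does not show the package's own method. The sample table, the fd links, and the helper names procEndpoint, socketInode and ownerPID are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

const unidentifiedPID = -1 // same value as the page's UnidentifiedProcessID

// Constructed sample of /proc/net/tcp: header plus two IPv4 sockets.
const sampleTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:C350 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 45678 1 0000000000000000 20 4 30 10 -1`

// Constructed stand-in for the readlink targets of /proc/<pid>/fd/*.
var sampleFDs = map[int][]string{812: {"/dev/null", "socket:[34567]"}, 2201: {"pipe:[9911]", "socket:[45678]"}}

// procEndpoint renders ip:port as /proc/net/tcp prints it on a little-endian host (amd64).
func procEndpoint(ip net.IP, port uint16) string {
	if b := ip.To4(); b != nil {
		return fmt.Sprintf("%02X%02X%02X%02X:%04X", b[3], b[2], b[1], b[0], port)
	}
	return "" // not IPv4: those sockets are listed in /proc/net/tcp6, not handled here
}

// socketInode returns the inode of the socket bound locally to ip:port, or "".
func socketInode(table string, ip net.IP, port uint16) string {
	want := procEndpoint(ip, port)
	for _, line := range strings.Split(table, "\n")[1:] { // [1:] skips the header
		if f := strings.Fields(line); len(f) >= 10 && f[1] == want {
			return f[9] // inode column
		}
	}
	return ""
}

// ownerPID resolves a local endpoint to the PID holding that socket.
func ownerPID(table string, fds map[int][]string, ip net.IP, port uint16) int {
	inode := socketInode(table, ip, port)
	for pid, links := range fds {
		for _, l := range links {
			if inode != "" && l == "socket:["+inode+"]" {
				return pid
			}
		}
	}
	return unidentifiedPID
}

func main() { fmt.Println(ownerPID(sampleTCP, sampleFDs, net.ParseIP("10.0.2.15"), 50000)) }
```

A socket that closes between the table read and the fd scan resolves to no PID, which is why a sentinel such as the unidentified PID is needed rather than an error-only path.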

func GetProcessFromStorage

    func GetProcessFromStorage(pid int) (*Process, bool)

GetProcessFromStorage returns a process from the internal storage.

func GetSystemProcess

    func GetSystemProcess(ctx context.Context) *Process

GetSystemProcess returns the special process used for the Kernel.

func GetUnidentifiedProcess

    func GetUnidentifiedProcess(ctx context.Context) *Process

GetUnidentifiedProcess returns the special process assigned to unidentified processes.

func (*Process) Delete

    func (p *Process) Delete()

Delete deletes a process from the storage and propagates the change.

func (*Process) GetExecHash

    func (p *Process) GetExecHash(algorithm string) (string, error)

GetExecHash returns the hash of the executable with the given algorithm.

func (*Process) GetLastSeen

    func (p *Process) GetLastSeen() int64

GetLastSeen returns the unix timestamp when the process was last seen.

func (*Process) GetProfile

    func (p *Process) GetProfile(ctx context.Context) (changed bool, err error)

GetProfile finds and assigns a profile set to the process.

func (*Process) Profile

    func (p *Process) Profile() *profile.LayeredProfile

Profile returns the assigned layered profile.

func (*Process) Save

    func (p *Process) Save()

Save saves the process to the internal state and pushes an update.

func (*Process) SetLastSeen

    func (p *Process) SetLastSeen(lastSeen int64)

SetLastSeen sets the unix timestamp when the process was last seen.

func (*Process) String

    func (p *Process) String() string

String returns a string representation of the process.

func (*Process) UpdateProfileMetadata

    func (p *Process) UpdateProfileMetadata()

UpdateProfileMetadata updates the metadata of the local profile as required.

GOOS=linux, GOARCH=amd64