Skip to content

Commit

Permalink
make "linux kernel" connections configurable
Browse files Browse the repository at this point in the history 
Sometimes when a new connection is about to be established, we don't get
the PID of the process using the eBPF proc monitor method. But in some
rare situations, the kernel still holds information about the connection
(sock_diag struct basically). We assume that these connections are
initiated from kernel space.

Per some debugging, this doesn't seem to be always the root cause, so
these connections will only be shown if InterceptUnknown config field is
set to true.
  • Loading branch information
@gustavo-iniguez-goya
gustavo-iniguez-goya committed May 16, 2021
1 parent 423dbd6 commit 6ea63f7
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion daemon/procmon/parse.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,7 @@ func GetPIDFromINode(inode int, inodeKey string) int {
// If it exists in /proc, a new Process{} object is returned with the details
// to identify a process (cmdline, name, environment variables, etc).
func FindProcess(pid int, interceptUnknown bool) *Process {
if pid == -100 {
if interceptUnknown && pid == -100 {
return NewProcess(-100, "Linux kernel")
}
if interceptUnknown && pid < 0 {
Expand Down

0 comments on commit 6ea63f7

Please sign in to comment.