ceofraud/linux-analytics

linux-analytics

Trace process executions and socket activity on a Linux host with bpftrace, then reconstruct and visualize the result as a process tree.

  • monitor.sh — bpftrace script that logs execve ([EXEC]) and socket() ([SOCK]) events, one per line.
  • process_tree.py — parses the captured telemetry and prints a process tree, annotating each process with the commands it ran and the sockets it opened (decoded to names like AF_INET / SOCK_DGRAM / ICMP).

Capture (on the monitored host)

  • Enable execution: chmod +x monitor.sh
  • Start monitoring: sudo ./monitor.sh > raw_capture.log
  • Reproduce the activity you want to observe.
  • Stop monitoring: CTRL+C
  • Clean the log (drops blank lines and every event whose COMM or ARGS is sed; note this also hides any sed invoked by the activity you are observing, so consult raw_capture.log if that matters): sed -E '/COMM: sed|ARGS: sed/d; /^$/d' raw_capture.log > final_telemetry.txt
  • Copy the telemetry to your machine: scp user2@192.168.210.132:~/final_telemetry.txt .

Visualize

  • Full detail (default — exec list, decoded sockets, uid/ppid): python process_tree.py final_telemetry.txt
  • Compact tree (one line per process, comm (pid N): <cmd>): python process_tree.py -s final_telemetry.txt
  • Verbose without the socket summary: python process_tree.py --no-sockets final_telemetry.txt
  • Hide a PID and everything below it (repeat -x to exclude several): python process_tree.py -x 6086 -x 6153 final_telemetry.txt
  • Options: python process_tree.py -h

The file argument defaults to final_telemetry.txt, so python process_tree.py works on its own from the repo root.

-x/--exclude prunes by exact subtree, so pass the top PID of an activity to drop it whole (e.g. a snap/cron root); excluding a leaf only removes that leaf, not its siblings.
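To make the parsing and rendering described above concrete, here is an added, self-contained example in the spirit of process_tree.py. It is not the project's own code: the field layout it parses (PID:/PPID:/UID:/FAMILY:/TYPE:/PROTO:) is an assumption, since the README only confirms the [EXEC]/[SOCK] tags and the COMM:/ARGS: fields, and the telemetry in SAMPLE is constructed to mirror the example output. It decodes socket() arguments into AF_*/SOCK_*/IPPROTO names (including the NONBLOCK/CLOEXEC type flags), aggregates repeats, and implements the -s, --no-sockets and subtree-pruning -x behaviours.

```python
"""Added example, not the project's process_tree.py.

The line format (PID:/PPID:/UID:/FAMILY:/TYPE:/PROTO: fields) is an assumption;
only the [EXEC]/[SOCK] tags and COMM:/ARGS: fields are confirmed by the README.
"""
import re
from collections import Counter, defaultdict

EXEC_RE = re.compile(r"^\[EXEC\] PID: (\d+) PPID: (\d+) UID: (\d+) COMM: (\S+) ARGS: (.*)$")
SOCK_RE = re.compile(r"^\[SOCK\] PID: (\d+) COMM: (\S+) FAMILY: (\d+) TYPE: (\d+) PROTO: (\d+)$")

# Decoding tables: Linux address families, socket types/flags and IPPROTO numbers.
AF = {1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6", 16: "AF_NETLINK",
      17: "AF_PACKET", 33: "AF_RXRPC", 38: "AF_ALG"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW", 5: "SOCK_SEQPACKET"}
SOCK_TYPE_MASK, SOCK_NONBLOCK, SOCK_CLOEXEC = 0xf, 0o4000, 0o2000000
IPPROTO = {0: "IP", 1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed telemetry (format assumed, see module docstring).
SAMPLE = """\
[EXEC] PID: 5923 PPID: 5900 UID: 1000 COMM: bash ARGS: -bash
[EXEC] PID: 6153 PPID: 5923 UID: 1000 COMM: exp ARGS: ./exp
[SOCK] PID: 6153 COMM: exp FAMILY: 2 TYPE: 2 PROTO: 0
[SOCK] PID: 6153 COMM: exp FAMILY: 2 TYPE: 2 PROTO: 0
[SOCK] PID: 6153 COMM: exp FAMILY: 38 TYPE: 5 PROTO: 0
[EXEC] PID: 6190 PPID: 6153 UID: 1000 COMM: getent ARGS: getent passwd root
[EXEC] PID: 6191 PPID: 6153 UID: 1000 COMM: su ARGS: su -
[SOCK] PID: 6191 COMM: su FAMILY: 1 TYPE: 526337 PROTO: 0
[EXEC] PID: 6192 PPID: 6191 UID: 0 COMM: bash ARGS: -bash
[EXEC] PID: 6086 PPID: 1 UID: 0 COMM: cron ARGS: /usr/sbin/cron -f
""".splitlines()


def decode_socket(family, stype, proto):
    """Turn raw socket(2) arguments into (family, type|flags, protocol) labels."""
    fam = f"{AF.get(family, 'AF_UNKNOWN')}({family})"
    base = stype & SOCK_TYPE_MASK
    parts = [SOCK_TYPE.get(base, f"TYPE_{base}")]
    if stype & SOCK_NONBLOCK:
        parts.append("NONBLOCK")
    if stype & SOCK_CLOEXEC:
        parts.append("CLOEXEC")
    # The protocol argument is an IPPROTO_* number only for the IP families;
    # for AF_ALG, AF_RXRPC etc. it is kept as the bare integer.
    pr = f"{IPPROTO.get(proto, 'IPPROTO')}({proto})" if family in (2, 10) else str(proto)
    return fam, "|".join(parts), pr


def new_proc(ppid=None, uid=None, comm="?"):
    return {"ppid": ppid, "uid": uid, "comm": comm, "execs": [], "sockets": Counter()}


def parse(lines):
    """Build pid -> process record from [EXEC]/[SOCK] lines; other lines are skipped."""
    procs = {}
    for line in lines:
        m = EXEC_RE.match(line)
        if m:
            pid, ppid, uid, comm, args = m.groups()
            p = procs.setdefault(int(pid), new_proc(int(ppid), int(uid), comm))
            p["comm"] = comm          # an exec chain keeps the latest image name
            p["execs"].append(args)
            continue
        m = SOCK_RE.match(line)
        if m:
            pid, comm, fam, st, pr = m.groups()
            p = procs.setdefault(int(pid), new_proc(comm=comm))  # forked child that never exec'd
            p["sockets"][decode_socket(int(fam), int(st), int(pr))] += 1
    return procs


def render(procs, simple=False, sockets=True, exclude=frozenset()):
    """Return the tree as a list of lines; `exclude` prunes whole subtrees like -x."""
    children = defaultdict(list)
    for pid, p in procs.items():
        # A parent never seen exec'ing (e.g. a shell started before capture) makes this a root.
        children[p["ppid"] if p["ppid"] in procs else None].append(pid)
    out = []

    def walk(pid, prefix, last):
        p = procs[pid]
        branch, cont = ("└─ ", "   ") if last else ("├─ ", "│  ")
        if simple:
            cmd = p["execs"][-1] if p["execs"] else ""
            out.append(f"{prefix}{branch}{p['comm']} (pid {pid}): {cmd}")
        else:
            out.append(f"{prefix}{branch}{p['comm']} (pid {pid}, ppid {p['ppid']}, uid {p['uid']})")
            pad = prefix + cont + "  "
            out.extend(f"{pad}exec: {a}" for a in p["execs"])
            if sockets and p["sockets"]:
                out.append(f"{pad}sockets:")
                for (fam, typ, pr), n in sorted(p["sockets"].items()):
                    out.append(f"{pad}  {fam:<14} {typ:<28} {pr}  ×{n}")
        kids = [k for k in sorted(children[pid]) if k not in exclude]
        for i, k in enumerate(kids):
            walk(k, prefix + cont, i == len(kids) - 1)

    roots = [r for r in sorted(children[None]) if r not in exclude]
    for i, r in enumerate(roots):
        walk(r, "", i == len(roots) - 1)
    return out


if __name__ == "__main__":
    print("\n".join(render(parse(SAMPLE))))
    print("\n".join(render(parse(SAMPLE), simple=True, exclude={6086})))
```

In the constructed sample the uid column shows the transition the README points at: su (pid 6191) still runs as uid 1000 while its child bash (pid 6192) runs as uid 0. Excluding 6153 removes getent, su and the root shell with it, whereas excluding 6190 removes only that leaf.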

Example output

Verbose (default) — each process shows the commands it ran and a decoded, aggregated socket summary (×N = repeat count). The uid makes privilege transitions obvious (note uid 1000 becoming 0 through su):

│  ├─ exp (pid 6153, ppid 5923, uid 1000)
│  │    exec: ./exp
│  │    sockets:
│  │      AF_RXRPC(33)   SOCK_DGRAM                   2  ×4
│  │      AF_INET(2)     SOCK_DGRAM                   IP(0)  ×3
│  │      AF_ALG(38)     SOCK_SEQPACKET               0  ×6
│  │  ├─ getent (pid 6190, ppid 6153, uid 1000)
│  │  │    exec: getent passwd root
│  │  └─ su (pid 6191, ppid 6153, uid 1000)
│  │       exec: su -
│  │       sockets:
│  │         AF_UNIX(1)     SOCK_STREAM|NONBLOCK|CLOEXEC 0  ×8

Simple (-s) — one line per process, comm (pid N): <cmd>:

│  ├─ exp (pid 6153): ./exp
│  │  ├─ getent (pid 6190): getent passwd root
│  │  └─ su (pid 6191): su -
│  │     └─ bash (pid 6192): -bash
