Improve detection of some network programs when using systemd-resolved #1379

Closed
Zesko opened this issue Dec 3, 2023 · 8 comments
Labels
suggestion TYPE: idea for new feature or improvements

Comments


Zesko commented Dec 3, 2023

What would you like to add or change?:

  • I notice that Opensnitch can detect a network binary such as /usr/bin/ping when ping is executed, and its details are stored in Opensnitch, but Portmaster does not.

  • I notice that Portmaster does not detect a network binary such as /usr/bin/ping when using systemd-resolved instead of openresolv on any Arch-based distro.

  • I would like to see the cmdline in the details of any app, for example:
    When I ran curl --silent --fail --connect-timeout 8 www.google.com, Opensnitch shows these details:

Process:
/usr/bin/curl

Cmdline:
/usr/bin/curl --silent --fail --connect-timeout 8 www.google.com

CWD:
/home/test

UID: test (1000) PID: 24988

Node: unix:/local

[Screenshot of Opensnitch]

The cmdline detail is lacking in Portmaster; only the process name is shown.

Zesko added the label "suggestion (TYPE: idea for new feature or improvements)" Dec 3, 2023
Zesko (Author) commented Dec 3, 2023

I found an example of code for reading the cmdline of a process from the kernel's /proc/<pid>/cmdline:

https://github.com/evilsocket/opensnitch/blob/d7c7a08d6f6c58127f04aff7765596fd070ca617/daemon/procmon/details.go#L213

This is as expected.
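To make concrete what the linked OpenSnitch code does, here is an added Go example, written for this page rather than taken from OpenSnitch or Portmaster. It reads the kernel-maintained /proc/<pid>/exe link, splits the NUL-separated /proc/<pid>/cmdline into argv, reads /proc/<pid>/cwd, and prints the three fields in the layout quoted from OpenSnitch above. ParseCmdline, ProcessDetails, ReadProcessDetails and the procRoot parameter are names chosen for this example; the curl argv in the comments is the one from the issue text.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// ParseCmdline splits the raw bytes of /proc/<pid>/cmdline into argv. The kernel
// exposes the process's argument area verbatim: every argument, including the
// last one, is terminated by a NUL byte, and a kernel thread's file is empty.
// For "/usr/bin/curl\x00--silent\x00...\x00" this yields the six curl arguments.
func ParseCmdline(raw []byte) []string {
	if len(raw) == 0 {
		return nil // kernel thread, or a process that cleared its own argv
	}
	raw = bytes.TrimSuffix(raw, []byte{0}) // terminator of the last argument
	parts := bytes.Split(raw, []byte{0})
	args := make([]string, 0, len(parts))
	for _, p := range parts {
		args = append(args, string(p))
	}
	return args
}

// ProcessDetails holds the three fields OpenSnitch prints for a connection owner.
type ProcessDetails struct {
	Exe  string   // /proc/<pid>/exe: a symlink the kernel maintains
	Args []string // /proc/<pid>/cmdline: memory the process itself controls
	CWD  string   // /proc/<pid>/cwd
}

// ReadProcessDetails collects the fields for pid below procRoot ("/proc" on a
// live system; it is a parameter so the function can be pointed at a test tree).
func ReadProcessDetails(procRoot string, pid int) (ProcessDetails, error) {
	base := filepath.Join(procRoot, strconv.Itoa(pid))
	exe, err := os.Readlink(filepath.Join(base, "exe"))
	if err != nil {
		return ProcessDetails{}, fmt.Errorf("exe: %w", err)
	}
	raw, err := os.ReadFile(filepath.Join(base, "cmdline"))
	if err != nil {
		return ProcessDetails{}, fmt.Errorf("cmdline: %w", err)
	}
	cwd, err := os.Readlink(filepath.Join(base, "cwd"))
	if err != nil {
		return ProcessDetails{}, fmt.Errorf("cwd: %w", err)
	}
	return ProcessDetails{Exe: exe, Args: ParseCmdline(raw), CWD: cwd}, nil
}

// Format renders the details in the "Process: / Cmdline: / CWD:" layout shown above.
func (d ProcessDetails) Format() string {
	return fmt.Sprintf("Process:\n%s\n\nCmdline:\n%s\n\nCWD:\n%s\n",
		d.Exe, strings.Join(d.Args, " "), d.CWD)
}

func main() {
	pid := os.Getpid() // default: describe ourselves; pass a pid to inspect another process
	if len(os.Args) > 1 {
		pid, _ = strconv.Atoi(os.Args[1])
	}
	d, err := ReadProcessDetails("/proc", pid)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Print(d.Format())
}
```

One point worth keeping in mind when building profile rules on the command line: cmdline is read straight out of the process's own argument memory, which the process may rewrite after start-up, whereas exe is a link the kernel keeps pointing at the binary that was actually executed. A fingerprint on the executable path is therefore the stronger of the two, and cmdline is best treated as descriptive context.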

dhaavi (Member) commented Dec 3, 2023

It's here:

[screenshot]

Click on a connection to see the "Process Details" button at the bottom of the section.

dhaavi (Member) commented Dec 3, 2023

You can even create a new profile with a process fingerprint to match based on the command line if you want. Press the plus on the right for a quick start into that.

Zesko (Author) commented Dec 3, 2023

Thanks, I was blind.

/usr/bin/ping is not recognized by Portmaster, but Opensnitch does recognize it. Do you have an idea?

dhaavi (Member) commented Dec 3, 2023

We don't yet parse /proc/net/icmp.

See https://github.com/safing/portmaster/blob/develop/network/proc/tables.go
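Since dhaavi notes that Portmaster does not yet parse /proc/net/icmp, the following added Go example (written for this page; it is neither Portmaster's tables.go nor OpenSnitch code) shows what such a parser involves: decoding the hex address columns the kernel shares with /proc/net/udp, keeping the uid and socket inode, and walking /proc/<pid>/fd to find which process owns that inode, which is the step that turns a table row into "/usr/bin/ping". The embedded sample table is constructed for this example, and ICMPSocket, ParseProcNetICMP, FindSocketOwner and the procRoot parameter are names chosen here.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// ICMPSocket is one row of /proc/net/icmp, the table of the kernel's unprivileged
// IPPROTO_ICMP "ping sockets". The file uses the column layout of /proc/net/udp;
// for ping sockets the local "port" column carries the ICMP echo identifier.
type ICMPSocket struct {
	LocalIP  net.IP
	EchoID   uint16
	RemoteIP net.IP // 0.0.0.0 while the socket is not connected
	UID      uint32
	Inode    uint64
}

// sampleProcNetICMP is a constructed table (not captured from a real host): one
// ping socket on 127.0.0.1 with echo id 0x0F3A, owned by uid 1000, inode 45678.
const sampleProcNetICMP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:0F3A 08080808:0000 01 00000000:00000000 00:00000000 00000000  1000        0 45678 2 0000000000000000 0
`

// parseHexAddr decodes the "0100007F:0F3A" form used throughout /proc/net/*: the
// IPv4 address printed as a host-order uint32 (octets reversed on little-endian
// hosts), a colon, and the port in hex.
func parseHexAddr(s string) (net.IP, uint16, error) {
	ipHex, portHex, ok := strings.Cut(s, ":")
	if !ok || len(ipHex) != 8 {
		return nil, 0, fmt.Errorf("bad address field %q", s)
	}
	v, err := strconv.ParseUint(ipHex, 16, 32)
	if err != nil {
		return nil, 0, err
	}
	p, err := strconv.ParseUint(portHex, 16, 16)
	if err != nil {
		return nil, 0, err
	}
	return net.IPv4(byte(v), byte(v>>8), byte(v>>16), byte(v>>24)), uint16(p), nil
}

// ParseProcNetICMP reads the table from r (an open /proc/net/icmp or any reader
// with the same content) and returns one entry per data row, skipping the header.
func ParseProcNetICMP(r io.Reader) ([]ICMPSocket, error) {
	var out []ICMPSocket
	sc := bufio.NewScanner(r)
	for row := 0; sc.Scan(); row++ {
		if row == 0 {
			continue // column header
		}
		f := strings.Fields(sc.Text())
		if len(f) < 10 {
			return nil, fmt.Errorf("unexpected row: %q", sc.Text())
		}
		lip, id, err := parseHexAddr(f[1])
		if err != nil {
			return nil, err
		}
		rip, _, err := parseHexAddr(f[2])
		if err != nil {
			return nil, err
		}
		uid, err := strconv.ParseUint(f[7], 10, 32)
		if err != nil {
			return nil, err
		}
		inode, err := strconv.ParseUint(f[9], 10, 64)
		if err != nil {
			return nil, err
		}
		out = append(out, ICMPSocket{LocalIP: lip, EchoID: id, RemoteIP: rip, UID: uint32(uid), Inode: inode})
	}
	return out, sc.Err()
}

// FindSocketOwner scans <procRoot>/<pid>/fd/* for a "socket:[<inode>]" link and
// returns the owning pid; other users' fd directories are unreadable without root.
func FindSocketOwner(procRoot string, inode uint64) (int, error) {
	want := fmt.Sprintf("socket:[%d]", inode)
	dirs, _ := filepath.Glob(filepath.Join(procRoot, "[0-9]*"))
	for _, dir := range dirs {
		fds, err := os.ReadDir(filepath.Join(dir, "fd"))
		if err != nil {
			continue
		}
		for _, fd := range fds {
			if target, err := os.Readlink(filepath.Join(dir, "fd", fd.Name())); err == nil && target == want {
				return strconv.Atoi(filepath.Base(dir))
			}
		}
	}
	return 0, fmt.Errorf("no readable process holds socket inode %d", inode)
}

func main() {
	var r io.Reader = strings.NewReader(sampleProcNetICMP) // fallback off-Linux
	if f, err := os.Open("/proc/net/icmp"); err == nil {
		defer f.Close()
		r = f
	}
	socks, err := ParseProcNetICMP(r)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, s := range socks {
		pid, err := FindSocketOwner("/proc", s.Inode)
		fmt.Printf("%s id=%d -> %s uid=%d inode=%d pid=%d (%v)\n", s.LocalIP, s.EchoID, s.RemoteIP, s.UID, s.Inode, pid, err)
	}
}
```

Two caveats for anyone wiring this into a firewall. /proc/net/icmp only lists the unprivileged IPPROTO_ICMP sockets that iputils ping uses when net.ipv4.ping_group_range includes the user's group; a ping that instead opens a raw ICMP socket (a setcap or setuid binary, or root) appears in /proc/net/raw, which has the same column layout. And because the remote address column may stay 0.0.0.0 for an unconnected ping socket, the destination generally has to be taken from the packet rather than from the table.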

Zesko changed the title from 'Improve detection of some network-binaries and add "Cmdline" to detail of any process on Linux.' to 'Improve detection some network-binaries and add "Cmdline" to detail of any process on Linux.' Dec 4, 2023
Zesko (Author) commented Dec 4, 2023

/usr/bin/ping is not recognized by Portmaster, but Opensnitch does recognize it. Do you have an idea?

Today I learned that ping is not recognized by Portmaster or by Opensnitch when switching from openresolv to systemd-resolved on any Arch-based distro. Both show /usr/lib/systemd/systemd-resolved instead of /usr/bin/ping.

[screenshot]

When I switch from systemd-resolved back to openresolv, ping is recognized by both Portmaster and Opensnitch.

[screenshot]

Sorry for the confusion.

I have a question, which of the two DNS resolvers (openresolv vs. systemd-resolved) would you recommend?


Edit:

[screenshot]

It looks like the ping detail does not show a network protocol. But "Accept" for google.com is not correct after I blocked google.com under "Other Connections".

Zesko changed the title from 'Improve detection some network-binaries and add "Cmdline" to detail of any process on Linux.' to 'Improve detection some network-binaries when using systemd-resolved' Dec 4, 2023
Zesko changed the title from 'Improve detection some network-binaries when using systemd-resolved' to 'Improve detection some network programs when using systemd-resolved' Dec 4, 2023
dhaavi (Member) commented Dec 6, 2023

What you are looking at here are DNS requests, not the actual ICMP message.

You do not see DNS requests when using systemd-resolved, because the requests do not go over the "wire", but go through the D-Bus interface, so there is no network packet from the ping process for DNS resolution.
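To tell from configuration alone which path a glibc program's lookups take, here is an added Go example (written for this page, not part of Portmaster or systemd) that reads the hosts: line of /etc/nsswitch.conf and the nameserver entries of /etc/resolv.conf and classifies the result: when the nss-resolve module is consulted before the classic dns source, the query is handed to systemd-resolved over local IPC (D-Bus, as dhaavi describes; newer systemd versions use a Varlink socket) and the process emits no DNS packet, otherwise glibc sends UDP/TCP to the listed nameservers and a host firewall can attribute that packet to the process. The two embedded configurations are constructed samples, and ResolverPath, Classify and the helper names are chosen for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// ResolverPath summarizes how a glibc program's name lookups leave the process.
type ResolverPath struct {
	HostsSources    []string // sources of the "hosts:" line, in order
	NSSResolveFirst bool     // nss-resolve is consulted before the classic "dns" source
	Nameservers     []string // nameserver entries from resolv.conf
	ViaNetwork      bool     // lookups become DNS packets a host firewall can see
}

// Constructed samples: an Arch-style nss-resolve layout with resolved's stub
// listener, and a classic openresolv layout pointing at an upstream server.
const (
	sampleNSSwitchResolved = "# constructed sample\nhosts: mymachines resolve [!UNAVAIL=return] files myhostname dns\n"
	sampleResolvStub       = "nameserver 127.0.0.53\noptions edns0 trust-ad\n"
	sampleNSSwitchClassic  = "hosts: files dns\n"
	sampleResolvOpenresolv = "# Generated by resolvconf (constructed)\nnameserver 192.0.2.1\n"
)

// hostsSources returns the lookup sources of the "hosts:" line, dropping action
// specifiers such as "[!UNAVAIL=return]".
func hostsSources(nsswitch string) []string {
	sc := bufio.NewScanner(strings.NewReader(nsswitch))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, rest, ok := strings.Cut(line, ":")
		if !ok || strings.TrimSpace(key) != "hosts" {
			continue
		}
		var srcs []string
		for _, f := range strings.Fields(rest) {
			if !strings.HasPrefix(f, "[") {
				srcs = append(srcs, f)
			}
		}
		return srcs
	}
	return nil
}

// nameservers collects the "nameserver <ip>" entries of resolv.conf.
func nameservers(resolvconf string) []string {
	var ns []string
	sc := bufio.NewScanner(strings.NewReader(resolvconf))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) >= 2 && f[0] == "nameserver" {
			ns = append(ns, f[1])
		}
	}
	return ns
}

// Classify decides which path a lookup takes from the two files' contents. It
// covers the common layouts: "resolve" first (usually with [!UNAVAIL=return], so
// glibc stops there) versus "dns" reached without nss-resolve in front of it.
func Classify(nsswitch, resolvconf string) ResolverPath {
	rp := ResolverPath{HostsSources: hostsSources(nsswitch), Nameservers: nameservers(resolvconf)}
	resolveIdx, dnsIdx := -1, -1
	for i, s := range rp.HostsSources {
		if s == "resolve" && resolveIdx < 0 {
			resolveIdx = i
		}
		if s == "dns" && dnsIdx < 0 {
			dnsIdx = i
		}
	}
	rp.NSSResolveFirst = resolveIdx >= 0 && (dnsIdx < 0 || resolveIdx < dnsIdx)
	// Without nss-resolve in front, the "dns" source sends packets to the listed
	// servers (glibc falls back to 127.0.0.1 when none are listed).
	rp.ViaNetwork = dnsIdx >= 0 && !rp.NSSResolveFirst
	return rp
}

func readOr(path, fallback string) string {
	b, err := os.ReadFile(path)
	if err != nil {
		return fallback
	}
	return string(b)
}

func main() {
	rp := Classify(readOr("/etc/nsswitch.conf", sampleNSSwitchClassic), readOr("/etc/resolv.conf", sampleResolvOpenresolv))
	fmt.Printf("hosts sources: %v\nnss-resolve first: %v\nnameservers: %v\nDNS visible on the wire: %v\n",
		rp.HostsSources, rp.NSSResolveFirst, rp.Nameservers, rp.ViaNetwork)
}
```

The classification applies to programs that resolve through glibc's NSS. Tools that read resolv.conf themselves, or statically linked programs with their own resolver, ignore nsswitch.conf and will send packets to whatever nameserver is listed, which on a resolved system is the 127.0.0.53 stub listener; those connections do show up as the program's own.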

Zesko (Author) commented Dec 6, 2023

Thanks!

I disabled systemd-resolved.

Zesko closed this as completed Dec 6, 2023