Netstat in Python. Is it possible?

billie

Hi all. I don't know if Python is good for this kind of job but I'm
wondering if it's possible to emulate the "netstat" command in Python.
I'd need to know if a certain executable opened a socket and, in that case,
I'd like to know what kind of socket it uses (TCP or UDP), its src/dst PORT,
and the current STATE of the connection (listening, established, SYN
sent...).

Thanks in advance.
 
Sybren Stuvel

billie enlightened us with:
> Hi all. I don't know if Python is good for this kind of job but I'm
> wondering if it's possible to emulate the "netstat" command in Python.

On Linux, you can read /proc for that info, iirc.

Sybren
 
"Martin v. Löwis"

billie said:
> Hi all. I don't know if Python is good for this kind of job but I'm
> wondering if it's possible to emulate the "netstat" command in Python.

As a general recommendation, use strace(1) to answer this kind of
question. Run "strace -o tmp netstat", then inspect tmp to find out
how netstat obtained the information it reported.

As Sybren suggests, this can all be answered from /proc. For a
process you are interested in, list /proc/<pid>/fd (using os.listdir),
then read the contents of all links (using os.readlink). If the link
value starts with "[socket:", it's a socket. Then search
/proc/net/tcp for the ID. The line containing the ID will have
the information you want.

Regards,
Martin
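
Martin's procedure above, as an added Python example that is not part of the original thread: it lists /proc/<pid>/fd, collects the socket inodes, and matches them against /proc/net/tcp and /proc/net/udp. It assumes Linux and IPv4 only; on current kernels the link text reads `socket:[inode]`, the function names are hypothetical, and SAMPLE_TCP is a constructed sample in the /proc/net/tcp column layout.

```python
import os
import socket
import struct

# "st" column codes of /proc/net/tcp in kernel order (tuple index == code)
TCP_STATES = ("", "ESTABLISHED", "SYN_SENT", "SYN_RECV", "FIN_WAIT1", "FIN_WAIT2",
              "TIME_WAIT", "CLOSE", "CLOSE_WAIT", "LAST_ACK", "LISTEN", "CLOSING")

def socket_inodes(pid):
    """Socket inode numbers held open by pid (needs the same user or root)."""
    inodes = set()
    fd_dir = "/proc/%d/fd" % pid
    for fd in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, fd))
        except OSError:  # fd was closed between listdir and readlink
            continue
        if target.startswith("socket:["):
            inodes.add(int(target[len("socket:["):-1]))
    return inodes

def decode_addr(field):
    """'0100007F:1F90' -> ('127.0.0.1', 8080). The address is a host-endian hex word."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net(text, proto):
    """Parse the text of /proc/net/tcp or /proc/net/udp into {inode: row}."""
    table = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        code = int(f[3], 16)            # UDP rows keep the raw st code
        state = TCP_STATES[code] if proto == "tcp" and code < len(TCP_STATES) else f[3]
        table[int(f[9])] = (proto, decode_addr(f[1]), decode_addr(f[2]), state)
    return table

def netstat_for_pid(pid):
    """Rows (proto, local, remote, state) for every TCP/UDP socket pid holds."""
    inodes, rows = socket_inodes(pid), []
    for proto in ("tcp", "udp"):
        with open("/proc/net/" + proto) as fh:
            table = parse_proc_net(fh.read(), proto)
        rows += [table[i] for i in sorted(inodes) if i in table]
    return rows

# Constructed sample (not captured from a real host): one listener, one connection
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:C350 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 41240 1 0000000000000000 20 4 30 10 -1"""
```

On a Linux host, `netstat_for_pid(os.getpid())` returns the rows for the calling process; `parse_proc_net(SAMPLE_TCP, "tcp")` exercises the parser offline.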
 
Jorgen Grahn

> As a general recommendation, use strace(1) to answer this kind of
> question. Run "strace -o tmp netstat", then inspect tmp to find out
> how netstat obtained the information it reported.

Good idea.

There might still be a problem for people doing things like this: netstat
might use unstable or non-public APIs to find the things it lists. This is
fine because it's typically your OS vendor who have to handle that (ship
another netstat when the /proc or /sys file system layout changes, etc).

If it works like that, you can access the APIs fine from Python -- but you
cannot write a portable 'pynetstat' without a lot of effort and maintenance.

/Jorgen
 
"Martin v. Löwis"

Jorgen said:
> There might still be a problem for people doing things like this: netstat
> might use unstable or non-public APIs to find the things it lists. This is
> fine because it's typically your OS vendor who have to handle that (ship
> another netstat when the /proc or /sys file system layout changes, etc).

Right. However, on Unix, there aren't really that many "non-public"
APIs. If you can figure out what the system call number is, and you
have /usr/include/sys, you can typically come up with a way to call
this API.

It becomes tricky if netstat turns out to read /dev/kmem or some such.

> If it works like that, you can access the APIs fine from Python -- but you
> cannot write a portable 'pynetstat' without a lot of effort and maintenance.

Well, to make that accessible from Python, you need to have Python
wrappers for all system calls involved (or for library routines that
use the system calls the right way). In case of /proc, this is easy;
if it is an ioctl(2), it might still be doable. If it is something
else, you may have to write a Python wrapper for that other system
call first.

Regards,
Martin
 
Cameron Laird

> Right. However, on Unix, there aren't really that many "non-public"
> APIs. If you can figure out what the system call number is, and you
> have /usr/include/sys, you can typically come up with a way to call
> this API.
>
> It becomes tricky if netstat turns out to read /dev/kmem or some such.
>
> Well, to make that accessible from Python, you need to have Python
> wrappers for all system calls involved (or for library routines that
> use the system calls the right way). In case of /proc, this is easy;
> if it is an ioctl(2), it might still be doable. If it is something
> else, you may have to write a Python wrapper for that other system
> call first.
.
.
.
ALSO, as you know, but billie might not, Python certainly makes
it easy enough to wrap netstat itself as an external executable.
In many situations, *that*'s the right solution.
 
Jorgen Grahn

> Right. However, on Unix, there aren't really that many "non-public"
> APIs. If you can figure out what the system call number is, and you
> have /usr/include/sys, you can typically come up with a way to call
> this API.

I was thinking mostly about /proc, /sys and related file systems. I have a
feeling parts of them change quite frequently under Linux, and of
course under other Unices they may look completely different, or be absent.

Like Mr Laird said elsewhere, the best thing might be to popen() netstat
and parse its output.

/Jorgen
 
"Martin v. Löwis"

Jorgen said:
> I was thinking mostly about /proc, /sys and related file systems. I have a
> feeling parts of them change quite frequently under Linux, and of
> course under other Unices they may look completely different, or be absent.
>
> Like Mr Laird said elsewhere, the best thing might be to popen() netstat
> and parse its output.

Hmm. And the netstat output cannot change, and is identical across all
systems?

I agree that the format of the proc file system is different across
systems (or other systems don't use netstat at all), however, on all
systems I'm aware of, there is a certain commitment to keeping the
proc file system stable for applications (on Solaris more so than
on Linux).

Regards,
Martin
 
Jorgen Grahn

> Hmm. And the netstat output cannot change, and is identical across all
> systems?

I was going to mention that complication, but I didn't want to depress the
original poster any more ...

/Jorgen
 
