game monitor app



Hello, I'm writing an app whose primary purpose is to monitor the system
for certain user specified programs. If they are discovered to be running
then the app would attempt to discover if they are connected to any
servers (like game clients connect to game servers). So far I can detect
on a Linux system if the programs are running, but determining the server
IP of the servers they are connected to has proved more difficult than I
had originally imagined.

You see, most games, and TeamSpeak for that matter, seem to use
"unconnected UDP"... um... connections. What I mean is, running a simple
'netstat' does you no good. Which brings me to my first idea:

idea 1: use the netstat code! Yes... went through it and got some
valuable info. However, like I mentioned netstat basically just gives up
if it's UDP.

idea 2: use libpcap and sniff a packet or two. I have this working...
BUT only for ROOT. Well, I want this to be a userspace program. So, this
is no good.

idea 3: use ptrace, trace the program for "sendto" syscalls and gank the
server IP. This almost works. However, there are a few issues. Firstly,
tracing the program causes unacceptable performance hits (as you can
imagine, I'm sure), so the tracing would have to be kept to a minimum.
Well, if the program runs a "connect" then it can consequently use "write"
from then on out. Therefore, if my program is polling only on occasion to
minimize performance hits and misses any initial "sendto" or "connect"s
then how can it get the server IP?

If anyone can answer that question then idea 3 might still be on the
table. Otherwise I'd appreciate any other suggestions anyone can think
of.

The idea is to make this work so that the user could specify ANY program
and it would just work (like magic). However, if I can't think of any
other ideas I may be left to using specific client SDKs for each program
I'd want to support. This means different code for each one... I was
hoping to avoid that.

sheldon
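
Added example, not part of the original post: a Python sketch of the connected versus unconnected UDP distinction raised under ideas 1 and 3, as it appears in the /proc/net/udp table on Linux. The sample rows are constructed, the function names are hypothetical, and a little-endian host is assumed for address decoding.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/udp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 0A00000A:D431 0A0200C0:6D38 01 00000000:00000000 00:00000000 00000000  1000        0 48211 2 0000000000000000 0
  102: 00000000:2382 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 48230 2 0000000000000000 0
"""

def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port); little-endian host assumed."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def socket_inodes(pid):
    """Collect socket inode numbers from /proc/<pid>/fd (Linux only)."""
    inodes = set()
    fd_dir = f"/proc/{pid}/fd"
    for name in os.listdir(fd_dir):
        try:
            target = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # descriptor closed between listdir and readlink
        if target.startswith("socket:[") and target.endswith("]"):
            inodes.add(int(target[len("socket:["):-1]))
    return inodes

def udp_peers(table_text, inodes):
    """Return (inode, local, remote) per matching row; remote is None if unconnected."""
    rows = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10 or not cols[9].isdigit() or int(cols[9]) not in inodes:
            continue
        remote = decode_endpoint(cols[2])
        if remote == ("0.0.0.0", 0):
            remote = None  # connect() was never called: no peer recorded
        rows.append((int(cols[9]), decode_endpoint(cols[1]), remote))
    return rows

if __name__ == "__main__":
    for row in udp_peers(SAMPLE, {48211, 48230}):
        print(row)
```

On a live Linux system the same functions take the contents of /proc/net/udp and the result of `socket_inodes(pid)`; a socket that only ever used "sendto" still comes back with no remote address.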