Linux ip.Addr and ip.Link plugins
This PR adds the linux.ip.Addr and linux.ip.Link plugins.
linux.ip.Addr:
- It displays information about all network interfaces including network namespace, interface index, interface name, mac address, promiscuous status, IPv4/IPv6 address, prefix, scope type and state.
Example output:
$ python3 ./vol.py -r pretty \
-f ram-6.2.0-26 \
linux.ip.Addr
Volatility 3 Framework 2.5.2
Formatting...0.00 Stacking attempts finished
| NetNS | Index | Interface | MAC | Promiscuous | IP | Prefix | Scope Type | State
* | 4026531840 | 1 | lo | 00:00:00:00:00:00 | False | 127.0.0.1 | 8 | host | UNKNOWN
* | 4026531840 | 1 | lo | 00:00:00:00:00:00 | False | ::1 | 128 | host | UNKNOWN
* | 4026531840 | 2 | ens32 | 00:0c:29:7f:8b:ab | False | 172.16.141.130 | 24 | global | UP
* | 4026531840 | 2 | ens32 | 00:0c:29:7f:8b:ab | False | fe80::20c:29ff:fe7f:8bab | 64 | link | UP
* | 4026531840 | 3 | ens33 | 00:0c:29:7f:8b:b5 | False | 192.168.249.129 | 24 | global | UP
* | 4026531840 | 3 | ens33 | 00:0c:29:7f:8b:b5 | False | fe80::20c:29ff:fe7f:8bb5 | 64 | link | UP
linux.ip.Link (by @eve-mem)
- It displays information about all network devices configuration including network namespace, interface name, mac address, state, MTU, Qdisc, Qlen and flags.
$ python3 ./vol.py -r pretty \
-f ram-6.2.0-26 \
linux.ip.Link
Volatility 3 Framework 2.5.2
Formatting...0.00 Stacking attempts finished
| NS | Interface | MAC | State | MTU | Qdisc | Qlen | Flags
* | 4026531840 | lo | 00:00:00:00:00:00 | UNKNOWN | 65536 | noqueue | 1000 | LOOPBACK,LOWER_UP,UP
* | 4026531840 | ens32 | 00:0c:29:7f:8b:ab | UP | 1500 | fq_codel | 1000 | BROADCAST,LOWER_UP,MULTICAST,UP
* | 4026531840 | ens33 | 00:0c:29:7f:8b:b5 | UP | 1500 | fq_codel | 1000 | BROADCAST,LOWER_UP,MULTICAST,UP
Both plugins were tested with the following Linux kernel versions:
- 2.6.32-74.142
- 3.10.0-862_el7
- 3.11.0-26
- 4.4.0-210
- 4.13.0-46
- 4.15.0-45
- 4.18.0-10
- 5.3.0-76
- 5.8.0-53
- 5.19.0-50
- 6.2.0-26
See the full test case suite output: vol3_linux_ip_addr_output.txt
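The two tables above are the `-r pretty` renderer's output, which is convenient to read but awkward to script against. The following is an added example for this thread, not code from the volatility3 project or from this PR: it parses that pretty format into records, joins the per-address rows of `linux.ip.Addr` with the per-device rows of `linux.ip.Link` on (namespace, interface), and runs two small triage checks a responder would typically want over a memory image (promiscuous interfaces and globally scoped addresses with their networks). The sample outputs embedded below are the ones quoted in the PR description, used here as constructed test input; the column names are taken from those headers.

```python
"""Parse the '-r pretty' output of linux.ip.Addr and linux.ip.Link into
records, join them per interface and run simple triage checks.

Added example; not part of volatility3 or of this PR. The sample outputs
are the PR description's own example tables, embedded as test input.
"""
import ipaddress
from typing import Dict, List, Tuple

Row = Dict[str, str]

# Sample linux.ip.Addr output (copied from the PR description).
ADDR_OUTPUT = """\
Volatility 3 Framework 2.5.2
Formatting...0.00 Stacking attempts finished
| NetNS | Index | Interface | MAC | Promiscuous | IP | Prefix | Scope Type | State
* | 4026531840 | 1 | lo | 00:00:00:00:00:00 | False | 127.0.0.1 | 8 | host | UNKNOWN
* | 4026531840 | 1 | lo | 00:00:00:00:00:00 | False | ::1 | 128 | host | UNKNOWN
* | 4026531840 | 2 | ens32 | 00:0c:29:7f:8b:ab | False | 172.16.141.130 | 24 | global | UP
* | 4026531840 | 2 | ens32 | 00:0c:29:7f:8b:ab | False | fe80::20c:29ff:fe7f:8bab | 64 | link | UP
* | 4026531840 | 3 | ens33 | 00:0c:29:7f:8b:b5 | False | 192.168.249.129 | 24 | global | UP
* | 4026531840 | 3 | ens33 | 00:0c:29:7f:8b:b5 | False | fe80::20c:29ff:fe7f:8bb5 | 64 | link | UP
"""

# Sample linux.ip.Link output (copied from the PR description).
LINK_OUTPUT = """\
Volatility 3 Framework 2.5.2
Formatting...0.00 Stacking attempts finished
| NS | Interface | MAC | State | MTU | Qdisc | Qlen | Flags
* | 4026531840 | lo | 00:00:00:00:00:00 | UNKNOWN | 65536 | noqueue | 1000 | LOOPBACK,LOWER_UP,UP
* | 4026531840 | ens32 | 00:0c:29:7f:8b:ab | UP | 1500 | fq_codel | 1000 | BROADCAST,LOWER_UP,MULTICAST,UP
* | 4026531840 | ens33 | 00:0c:29:7f:8b:b5 | UP | 1500 | fq_codel | 1000 | BROADCAST,LOWER_UP,MULTICAST,UP
"""


def parse_pretty(output: str) -> List[Row]:
    """Turn vol3 pretty output into a list of dicts keyed by column name.

    The header is the line beginning with '|'; data rows begin with the '*'
    tree marker. Banner and progress lines are skipped.
    """
    header: List[str] = []
    rows: List[Row] = []
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("|"):
            header = [c.strip() for c in stripped.split("|")[1:]]
            continue
        if not stripped.startswith("*"):
            continue  # "Volatility 3 Framework ...", "Formatting..." etc.
        if not header:
            raise ValueError("data row encountered before the header line")
        values = [c.strip() for c in stripped.split("|")[1:]]  # drop the '*'
        if len(values) != len(header):
            raise ValueError(f"expected {len(header)} cells, got {len(values)}: {line!r}")
        rows.append(dict(zip(header, values)))
    return rows


def promiscuous_interfaces(addr_rows: List[Row]) -> List[str]:
    """Interfaces the Addr plugin reports as promiscuous (worth a closer look:
    packet capture tools put a device into this mode)."""
    return sorted({r["Interface"] for r in addr_rows if r["Promiscuous"] == "True"})


def global_addresses(addr_rows: List[Row]) -> List[Tuple[str, str, str]]:
    """(interface, address/prefix, network) for every globally scoped address.

    ipaddress validates the IP and prefix so a corrupted row fails loudly.
    """
    result = []
    for r in addr_rows:
        if r["Scope Type"] != "global":
            continue
        iface = ipaddress.ip_interface(f"{r['IP']}/{r['Prefix']}")
        result.append((r["Interface"], str(iface), str(iface.network)))
    return result


def join_addr_link(addr_rows: List[Row], link_rows: List[Row]) -> List[Row]:
    """Attach the Link columns (MTU, Qdisc, Qlen, Flags, link State) to each
    Addr row with the same (namespace, interface). Addr has one row per
    address, so one Link record is merged into several Addr rows."""
    links = {(link["NS"], link["Interface"]): link for link in link_rows}
    merged = []
    for a in addr_rows:
        link = links.get((a["NetNS"], a["Interface"]))
        if link is None:
            raise KeyError(f"no Link record for {a['Interface']} in netns {a['NetNS']}")
        row = dict(a)
        row.update({"MTU": link["MTU"], "Qdisc": link["Qdisc"], "Qlen": link["Qlen"],
                    "Flags": link["Flags"], "LinkState": link["State"]})
        merged.append(row)
    return merged


if __name__ == "__main__":
    addr = parse_pretty(ADDR_OUTPUT)
    link = parse_pretty(LINK_OUTPUT)
    print("promiscuous:", promiscuous_interfaces(addr))
    for name, address, network in global_addresses(addr):
        print(f"{name}: {address} (network {network})")
    for row in join_addr_link(addr, link):
        print(f"{row['Interface']} {row['IP']}/{row['Prefix']} mtu={row['MTU']} flags={row['Flags']}")
```

Because the Flags column is a comma-separated list and the IPv6 cells contain colons, splitting on `|` alone is safe; only a pipe inside a cell would break it, and the cell-count check turns that into an error instead of a silently shifted row.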
Hey @ikelos I'm aware of this excellent contribution #1029 from @eve. We've already discussed this, and we agreed to collaborate, combining our efforts into one.
I will borrow some parts of his code, for instance, to display the interface state and use the address conversion from the vol3 helpers instead of from the python socket module.
Regarding the plugin name, I like @eve-mem's idea of naming it after the new linux commands, i.e. ip address. That also allows continuing to develop other plugins like 'ip link' (@eve-mem has already done that) and other future commands.
My only concern is that probably for users coming from vol2 they would like to see this as ifconfig. Any preference?
@gcmoreira - looks really cool, I need to look over it properly. I certainly like pulling out the prefix into its own column compared with https://github.com/volatilityfoundation/volatility3/pull/1029 - that makes it easier to work with programmatically later.
+1 vote to renaming the plugins to linux.ip.addr etc to match the new linux commands. There are already a bunch of commands that were effectively renamed between vol2 and vol3 already.
Thanks @ikelos. I will have a look at this soon. I also plan to include the ip.link plugin from @eve-mem in this PR, that's why I marked it as a draft.
In the meantime, could you have a look at the black formatter checks? I'm confused, as far as I understand it's failing on files which are not from this PR
@gcmoreira - it looks nice to me. I'll run it against my collection of samples when I can. Can I help adding in ip.Link at all?
It is, or was, github updated to black 24.1.0, so I went over the whole codebase, but it doesn't seem to get that the merge target updated, so returning the task still results in the same output. :S Basically if you add a new commit, it should do a proper refresh and either pass or show you how the new black failed it. Hard to tell if there's still something that needs doing, but just a trivial commit will help and I figured since it was in draft it would get added to... :)
Yep, that did the trick, thanks
@eve-mem sure, go ahead with that ;)
@ikelos This is now ready for review. Added test cases for both plugins
Hi @ikelos, this is still awaiting a review. Maybe @atcuno can have a look? :pray: