https://github.com/osquery/osquery logo
Powered by
Title
u

钢铁侠

12/09/2018, 6:45 AM
when I read the osquery 
sokcet_events.cpp
source code, I found that 
// skip operations on NETLINK_ROUTE sockets
if (saddr[0] == '1' && saddr[1] == '0') {
    continue;
}
why is the saddr with 10 the NETLINK_ROUTE sockets?I can not find some info about it,does anybody knows it?
p

packetzero

12/10/2018, 12:12 AM
https://unix.stackexchange.com/questions/102926/how-to-interpret-the-saddr-field-of-an-audit-log#102997
u

钢铁侠

12/10/2018, 3:45 AM
yeah,I also see that,but those answers doesn't tell what is the meanging of the saddr with 10
just tell me the address family
p

packetzero

12/10/2018, 2:50 PM
0x10 == 16 #define PF_NETLINK 16 is in /usr/include/x86_64-linux-gnu/bits/socket.h (on Ubuntu 18)
so it looks like it's in hex
u

钢铁侠

12/10/2018, 3:37 PM
thanks.got it
#generalJoin Slack
Powered by