Stats: add preferences for displaying unix sockets

plugins/epan/tracee-event/packet-tracee.c

@@ -232,8 +232,12 @@ gint preferences_pid_format = PID_FORMAT_CONTAINER_ONLY;
 gint preferences_container_identifier = CONTAINER_IDENTIFIER_ID;
 #if ((WIRESHARK_VERSION_MAJOR > 4) || ((WIRESHARK_VERSION_MAJOR == 4) && (WIRESHARK_VERSION_MINOR >= 3)))
 bool preferences_show_container_image = FALSE;
+bool preferences_include_unix_sockets = TRUE;
+bool preferences_exclude_nscd_socket = FALSE;
 #else
 gboolean preferences_show_container_image = FALSE;
+gboolean preferences_include_unix_sockets = TRUE;
+gboolean preferences_exclude_nscd_socket = FALSE;
 #endif
 
 struct event_dynamic_hf {
@@ -3371,6 +3375,12 @@ void proto_register_tracee(void)
     prefs_register_bool_preference(tracee_module, "container_image", "Show container image",
         "Whether to show the container image in the container column", &preferences_show_container_image);
 
+    prefs_register_bool_preference(tracee_module, "include_unix_sockets", "Include Unix sockets in network stats",
+        "Whether to include unix sockets in network stats views (like process tree with network)", &preferences_include_unix_sockets);
+
+    prefs_register_bool_preference(tracee_module, "exclude_nscd_socket", "Exclude NSCD socket in network stats",
+        "Whether to exclude the NSCD unix socket (/var/run/nscd/socket) from network stats views (if unix sockets are included)", &preferences_exclude_nscd_socket);
+
     tracee_tap = register_tap("tracee");
 
     // initialize all of the possible string types

plugins/epan/tracee-event/stats.c

@@ -480,6 +480,7 @@ STATS_TREE_PACKET_GENERIC_FUNC(process_tree_with_network)
     struct process_stat_node *node;
     gchar *description;
     struct tracee_dissector_data *data = (struct tracee_dissector_data *)p;
+    const gchar *family, *sun_path;
     struct process_info *process = NULL;
     const struct container_info *container = NULL;
 
@@ -488,7 +489,19 @@ STATS_TREE_PACKET_GENERIC_FUNC(process_tree_with_network)
     if (data->process == NULL || data->process->host_pid == 0)
         return TAP_PACKET_DONT_REDRAW;
 
-    // we only care about connect, bind and accept events
+    // ignore unix sockets if requested
+    if ((family = wanted_field_get_str("tracee.sockaddr.sa_family")) != NULL && strcmp(family, "AF_UNIX") == 0) {
+        if (!preferences_include_unix_sockets)
+            return TAP_PACKET_DONT_REDRAW;
+
+        // ignore /var/run/nscd/socket if requested
+        if (preferences_exclude_nscd_socket
+            && (sun_path = wanted_field_get_str("tracee.sockaddr.sun_path")) != NULL
+            && strcmp(sun_path, "/var/run/nscd/socket") == 0)
+            return TAP_PACKET_DONT_REDRAW;
+    }
+
+    // we only care about connect and bind events
     if (strcmp(data->event_name, "security_socket_connect") == 0)
         description = enrichments_get_security_socket_bind_connect_description(pinfo, "Connect");
     else if (strcmp(data->event_name, "security_socket_bind") == 0)

plugins/epan/tracee-event/tracee.h

@@ -8,8 +8,12 @@ extern gint preferences_pid_format;
 extern gint preferences_container_identifier;
 #if ((WIRESHARK_VERSION_MAJOR > 4) || ((WIRESHARK_VERSION_MAJOR == 4) && (WIRESHARK_VERSION_MINOR >= 3)))
 extern bool preferences_show_container_image;
+extern bool preferences_include_unix_sockets;
+extern bool preferences_exclude_nscd_socket;
 #else
 extern gboolean preferences_show_container_image;
+extern gboolean preferences_include_unix_sockets;
+extern gboolean preferences_exclude_nscd_socket;
 #endif
 
 struct container_info {