Text Output Format - HoneProject/Linux-Sensor GitHub Wiki

Brief Hone output is available as ASCII text from /dev/honet

Example

```text
1701758.202203645 HEAD 1333692203.304905650
0.016999828 EXEC 1 0 0 0 "/sbin/init" /sbin/init
0.016999828 KTHD 2 0 0 0 [kthreadd]
5.404488129 FORK 317 1 0 0 "/sbin/udevd" /sbin/udevd --daemon
11.205130669 FORK 781 733 0 0
27.051775285 SOCK O 1716 1 1716 32 32 2cba3c00
1701758.248816643 PAKT O 64ccb900 TCPv4 192.168.3.4:22 -> 192.168.3.5:46862 1300
```

HEAD format: uptime HEAD boottime. Times are Unix times in seconds

EXEC, FORK, KTHD, EXIT format: timestamp TYPE PID PPID UID GID, where TYPE is one of EXEC, FORK, KTHD or EXIT. As the example shows, EXEC and FORK records may be followed by the quoted executable path and the command line, and KTHD records by the kernel thread name in brackets.

SOCK format: timestamp SOCK event PID PPID UID GID socket

PAKT format: timestamp PAKT dir socket proto source -> dest length

Time-of-day for events can be calculated by summing uptime, boottime and timestamp values and converting from Unix time to local time or UTC.

PID (process ID), PPID (parent process ID), UID (user ID), GID (group ID) etc. have the same meaning as in the output of the ps command.
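As an added example (not code from the Hone project), the following parser reads records in this format and attributes each PAKT record to the process that opened its socket, which is the host/network correlation a defender reads this output for. It assumes that `SOCK O` marks a socket open with the socket handle as the last field, and that event timestamps are seconds since boot (wall-clock time is then boottime + timestamp); the sample lines are constructed.

```python
import re
from collections import namedtuple

# Constructed sample lines in the /dev/honet text format (not a real capture).
SAMPLE = """\
1701758.202203645 HEAD 1333692203.304905650
0.016999828 EXEC 1 0 0 0 "/sbin/init" /sbin/init
5.404488129 FORK 317 1 0 0 "/sbin/udevd" /sbin/udevd --daemon
27.051775285 SOCK O 317 1 0 0 2cba3c00
27.060000000 PAKT O 2cba3c00 TCPv4 192.168.3.4:22 -> 192.168.3.5:46862 1300
28.000000000 PAKT I 64ccb900 UDPv4 192.168.3.5:53 -> 192.168.3.4:40000 80
"""

Event = namedtuple("Event", "ts kind fields")

def parse_line(line):
    """Split one record into (timestamp, record type, remaining fields)."""
    parts = line.split()
    return Event(float(parts[0]), parts[1], parts[2:])

def correlate(text):
    """Attribute each PAKT record to the process that owns its socket.

    Assumptions (not stated on the wiki page): SOCK 'O' marks a socket open,
    the socket handle is the last SOCK field, and event timestamps are
    seconds since boot, so wall-clock time is boottime + timestamp."""
    boottime = 0.0
    procs = {}    # PID -> executable path (EXEC/FORK) or thread name (KTHD)
    sockets = {}  # socket handle -> owning PID
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.kind == "HEAD":
            boottime = float(ev.fields[0])
        elif ev.kind in ("EXEC", "FORK"):
            quoted = re.search(r'"([^"]*)"', line)  # quoted executable path
            procs[int(ev.fields[0])] = quoted.group(1) if quoted else None
        elif ev.kind == "KTHD":
            procs[int(ev.fields[0])] = ev.fields[-1]
        elif ev.kind == "EXIT":
            procs.pop(int(ev.fields[0]), None)
        elif ev.kind == "SOCK" and ev.fields[0] == "O":
            sockets[ev.fields[-1]] = int(ev.fields[1])
        elif ev.kind == "PAKT":
            direction, sock, proto, src, _, dst, length = ev.fields
            pid = sockets.get(sock)  # None: packet with no known owning process
            packets.append({"wall": boottime + ev.ts, "dir": direction,
                            "pid": pid, "exe": procs.get(pid),
                            "proto": proto, "src": src, "dst": dst,
                            "length": int(length)})
    return packets

if __name__ == "__main__":
    for p in correlate(SAMPLE):
        print(p)
```

A PAKT whose socket handle was never seen in a SOCK record comes back with `pid` and `exe` set to None, which is the case worth flagging when reviewing this output.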