Domain Name Resolution for Connections - draios/sysdig GitHub Wiki

How it works

A new set of filterchecks, fd.*ip.name (fd.cip.name, fd.sip.name, fd.lip.name and fd.rip.name), has been added to the sysdig filter engine. They let you match a domain name against the client, server, local or remote IP address of a file descriptor, that is, the address the corresponding fd.cip, fd.sip, fd.lip or fd.rip field returns.

If a filter contains fd.*ip.name, the domain names on the right-hand side of the comparison (for example = foo.com, or in (foo.com, bar.com)) are resolved and saved the first time the condition is evaluated, and are then kept in sync by a separate thread using the following strategy:

  • Domain names have a base refresh time of 10 seconds.
  • If a refresh cycle finds that the IP addresses have not changed, the refresh timeout for that domain name is doubled, up to a maximum of 320 seconds (a little over 5 minutes).
  • Domain names that have not been used in any filter for an hour are deleted from the cache.

Notes

fd.*ip.name fields can also be used in the output expression, but they return a meaningful value only when the associated IP (fd.*ip) is one of the addresses that a domain name present in the filter resolves to. For example, sysdig "proc.name=apache" -p "Source IP=%fd.sip.name" never displays a meaningful value for fd.sip.name: the filter names no domain, so nothing was ever resolved and there is no name to map the address back to. On the other hand, sysdig "proc.name=apache and fd.sip.name=yahoo.com" -p "Source IP=%fd.sip.name" displays a meaningful value, because fd.sip.name was used to match the system call event.

Two consequences of the caching strategy are worth keeping in mind when writing rules with these fields: the comparison is made against the set of addresses that sysdig itself resolved at the last refresh, so a name whose addresses change faster than the current refresh timeout (up to 320 seconds) can miss connections until the next refresh; and because the comparison is by IP, a connection to an address shared by several names matches every one of those names that appears in a filter, whatever hostname the process actually requested.
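The cache strategy from the list above and the output-field behaviour from the notes, as an added example that is not sysdig's own code: a Python model in which a filter evaluation registers and resolves a name on first use, a refresh cycle doubles the timeout while the answer is unchanged (capped at 320 s) and evicts names unused for an hour, and an address maps back to a name only if some filter already registered that name. The domain names, addresses and resolver are constructed for the demo; resolving synchronously on first evaluation, and resetting the timeout to 10 s when the addresses change, are assumptions the page does not state.

```python
# Added example, not sysdig's own code: a model of the fd.*ip.name cache strategy.
# Assumptions: first resolution is synchronous, and an address change restarts
# the backoff at the base interval (the page does not say what happens then).
import time
from dataclasses import dataclass
from typing import Callable, Dict, Set

BASE_REFRESH_S = 10    # base refresh time per domain name
MAX_REFRESH_S = 320    # cap: 10 * 2**5, reached after five unchanged cycles
UNUSED_TTL_S = 3600    # names no filter has touched for an hour are dropped


@dataclass
class Entry:
    addrs: Set[str]      # addresses the name resolved to at the last refresh
    refresh_s: int       # current refresh timeout
    next_refresh: float  # clock value at which the next refresh is due
    last_used: float     # clock value of the last filter evaluation on the name


class NameCache:
    """IPs each filtered domain name resolves to, refreshed by a background cycle."""

    def __init__(self, resolver: Callable[[str], Set[str]],
                 clock: Callable[[], float] = time.monotonic):
        self._resolve = resolver   # DNS lookup, injected so the demo runs offline
        self._clock = clock
        self.entries: Dict[str, Entry] = {}

    def matches(self, name: str, ip: str) -> bool:
        """Evaluate `fd.*ip.name = name`; resolves and caches name on first use."""
        now = self._clock()
        entry = self.entries.get(name)
        if entry is None:
            entry = Entry(set(self._resolve(name)), BASE_REFRESH_S, now + BASE_REFRESH_S, now)
            self.entries[name] = entry
        entry.last_used = now
        return ip in entry.addrs

    def name_for(self, ip: str) -> str:
        """Render `%fd.*ip.name`: only names some filter already registered match."""
        for name, entry in self.entries.items():
            if ip in entry.addrs:
                return name
        return ""   # no filter used a name resolving to ip: no meaningful value

    def refresh_cycle(self) -> None:
        """One pass of the refresh thread: evict unused names, re-resolve due ones."""
        now = self._clock()
        for name, entry in list(self.entries.items()):
            if now - entry.last_used >= UNUSED_TTL_S:
                del self.entries[name]
                continue
            if now < entry.next_refresh:
                continue
            addrs = set(self._resolve(name))
            if addrs == entry.addrs:
                entry.refresh_s = min(entry.refresh_s * 2, MAX_REFRESH_S)
            else:
                entry.addrs = addrs
                entry.refresh_s = BASE_REFRESH_S   # assumption: restart the backoff
            entry.next_refresh = now + entry.refresh_s


class FakeClock:
    """Manually advanced clock so the backoff can be stepped deterministically."""
    t = 0.0
    def __call__(self) -> float: return self.t
    def advance(self, seconds: float) -> None: self.t += seconds


# Constructed DNS answers for the demo (documentation-range addresses, not real).
FAKE_DNS = {"yahoo.com": {"198.51.100.10", "198.51.100.11"},
            "example.net": {"203.0.113.7"}}


def demo() -> dict:
    dns = {n: set(a) for n, a in FAKE_DNS.items()}   # private copy, mutated below
    clock = FakeClock()
    cache = NameCache(lambda n: set(dns.get(n, ())), clock)
    out = {}
    # 'proc.name=apache and fd.sip.name=yahoo.com' evaluated for two server IPs
    out["match"] = cache.matches("yahoo.com", "198.51.100.10")
    out["nomatch"] = cache.matches("yahoo.com", "203.0.113.7")
    # %fd.sip.name: example.net's IP stays unknown because no filter used that name
    out["output_known"] = cache.name_for("198.51.100.11")
    out["output_unknown"] = cache.name_for("203.0.113.7")
    intervals = []   # unchanged answers double the timeout, then it caps at 320 s
    for _ in range(7):
        clock.advance(cache.entries["yahoo.com"].refresh_s)
        cache.refresh_cycle()
        intervals.append(cache.entries["yahoo.com"].refresh_s)
    out["intervals"] = intervals
    dns["yahoo.com"] = {"198.51.100.12"}             # the name moves to a new IP
    clock.advance(cache.entries["yahoo.com"].refresh_s)
    cache.refresh_cycle()
    out["after_change"] = (cache.entries["yahoo.com"].refresh_s,
                           cache.matches("yahoo.com", "198.51.100.12"))
    clock.advance(UNUSED_TTL_S)                      # an hour with no filter use
    cache.refresh_cycle()
    out["evicted"] = sorted(cache.entries)
    return out
```

Calling demo() walks through one name's lifetime: the timeout grows 20, 40, 80, 160, 320 and then stays at 320 while the answer is stable, drops back to 10 once the address changes, and the entry disappears after an hour without any filter touching it. The resolver is injected so the model runs offline; a real one would wrap a DNS lookup and return the address set.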