fuser and /proc fd walks race scp/wget/sftp — by close_write the writer has already closed the fd, so pid-chain attribution always resolved to unknown for non-interactive drops. Fall back to the ss snapshot: one established session → ss-only, multiple → ss-ambiguous (still record src_ip from the first, analysts cross-check concurrent_sessions).
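A sketch of the ss-snapshot fallback described in this commit message, as an added example that is not the project's own code. The `ss -tn` sample text, the service port 22, the function names, and the use of `unknown` for zero sessions are assumptions; the `ss-only` / `ss-ambiguous` labels and the `src_ip` / `concurrent_sessions` fields are taken from the message.

```python
# Added example (not the project's code): classify a file drop from an
# `ss -tn` snapshot after pid-chain attribution has resolved to "unknown".

# Constructed sample of `ss -tn` output; addresses are documentation ranges.
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB     0      0      203.0.113.10:22      198.51.100.7:51514
ESTAB     0      36     203.0.113.10:22      [2001:db8::5]:40022
ESTAB     0      0      203.0.113.10:443     198.51.100.9:39912
TIME-WAIT 0      0      203.0.113.10:22      198.51.100.8:50100
"""


def split_hostport(endpoint):
    """Split 'addr:port' or '[v6addr]:port' at the last colon."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def established_peers(ss_text, service_port="22"):
    """Peer IPs of ESTAB sessions whose local port is the service port."""
    peers = []
    for line in ss_text.splitlines():
        cols = line.split()
        # Skips the header, short lines and every non-established state.
        if len(cols) < 5 or cols[0] != "ESTAB":
            continue
        if split_hostport(cols[3])[1] == service_port:
            peers.append(split_hostport(cols[4])[0])
    return peers


def ss_fallback(ss_text, service_port="22"):
    """Build the attribution record from the snapshot alone."""
    peers = established_peers(ss_text, service_port)
    if not peers:
        # Assumption: with no established session the record stays unknown.
        return {"attribution": "unknown", "src_ip": None,
                "concurrent_sessions": 0}
    return {
        "attribution": "ss-only" if len(peers) == 1 else "ss-ambiguous",
        "src_ip": peers[0],  # first session, even when ambiguous
        "concurrent_sessions": len(peers),
    }


if __name__ == "__main__":
    print(ss_fallback(SAMPLE_SS))
```

The snapshot is only as good as its timing: a session that ends between the close_write event and the `ss` call is missing from it, which is why the ambiguous case keeps the session count for cross-checking.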