ebpf

package
v0.0.0-...-44638ef Latest Latest
Warning

This package is not in the latest version of its module.

Published: May 6, 2024 License: Apache-2.0 Imports: 5 Imported by: 0

README

Note

This package is a fork of the weaveworks tcptracer-bpf package which focused on tracing TCP state events (connect, accept, close) without kernel specific runtime dependencies.

This fork adds support for UDP, as well as collection of metrics like bytes sent/received. It also collects events by polling BPF maps instead of receiving pushed event updates via perf buffers.

tracer-bpf

tracer-bpf is an eBPF program using kprobes to trace TCP/UDP events (connect, accept, close, send_msg, recv_msg).

The eBPF program is compiled to an ELF object file.

tracer-bpf also includes a Go library that offers a simple API for loading the ELF object file. Internally, it uses a fork of the cilium ebpf package.

tracer-bpf does not have any run-time dependencies on kernel headers and is not tied to a specific kernel version or kernel configuration. This is quite unusual for eBPF programs using kprobes: for example, eBPF programs using kprobes with bcc are compiled on the fly and depend on kernel headers. And perf tools compiled for one kernel version cannot be used on another kernel version.

To adapt to the currently running kernel at run-time, tracer-bpf creates a series of TCP connections with known parameters (such as known IP addresses and ports) and discovers where those parameters are stored in the kernel struct sock. The offsets of the struct sock fields vary depending on the kernel version and kernel configuration. Since eBPF programs cannot loop, tracer-bpf does not directly iterate over the possible offsets. It is instead controlled from userspace by the Go library using a state machine.

Development

make nettop will run a small testing program which periodically prints statistics about TCP/UDP traffic.

Documentation

Index

Constants

// BatchSize is 4. The Batch struct on this page has four fixed Conn slots
// (C0..C3), which matches this value.
const BatchSize = 0x4
// ProcCommMaxLen evaluates to 15, one less than the 16-element Proc.Comm array.
// NOTE(review): presumably the last element is reserved for a terminating
// NUL — confirm against the eBPF C header.
const ProcCommMaxLen = 0x10 - 1

Variables

This section is empty.

Functions

This section is empty.

Types

type Batch

// Batch holds four Conn records in fixed slots (C0..C3) instead of a slice,
// together with a Len and an Id.
// NOTE(review): Len presumably says how many slots are populated. Nothing on
// this page shows that it is bounded, so consumers should reject or clamp any
// Len greater than BatchSize before selecting slots — confirm.
type Batch struct {
	C0  Conn
	C1  Conn
	C2  Conn
	C3  Conn
	Len uint16
	Id  uint64
}

func ToBatch

func ToBatch(data []byte) *Batch

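ToBatch converts a byte slice to a Batch pointer. The signature returns no error, so callers should confirm that data holds at least one full Batch before calling; whether the function checks the length itself is not shown on this page.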

type BindSyscallArgs

// BindSyscallArgs carries a single 16-bit Port.
// NOTE(review): the name suggests arguments captured at a bind syscall; the
// byte order of Port is not shown here — confirm before comparing it with
// host-order port numbers.
type BindSyscallArgs struct {
	Port uint16
}

type Conn

// Conn is one connection record: its identifying tuple plus two statistics
// structs. Four of these are embedded by value in Batch.
// NOTE(review): the underscore field names here and the Pad_cgo_0 fields on
// sibling types suggest generated definitions mirroring C structs; if so, field
// order and sizes must not be edited by hand — confirm.
type Conn struct {
	Tup        ConnTuple
	Conn_stats ConnStats
	Tcp_stats  TCPStats
}

type ConnDirection

// ConnDirection is a uint8 enumeration of connection direction.
// ConnStats.ConnectionDirection returns a value of this type. A consumer
// should handle Unknown explicitly rather than folding it into either side.
type ConnDirection uint8
const (
	Unknown  ConnDirection = 0x0
	Incoming ConnDirection = 0x1
	Outgoing ConnDirection = 0x2
)

type ConnFamily

// ConnFamily distinguishes IPv4 from IPv6. The Family methods on ConnTuple and
// ConntrackTuple return it.
// NOTE(review): IPv6 is 0x2 rather than 0x1, and ConnType uses 0x0/0x1, so the
// two presumably occupy separate bits of a tuple's Metadata word — confirm
// against the eBPF C header. These are not the AF_INET/AF_INET6 socket values.
type ConnFamily uint32
const (
	IPv4 ConnFamily = 0x0
	IPv6 ConnFamily = 0x2
)

func (ConnFamily) String

func (c ConnFamily) String() string

type ConnFlags

// ConnFlags values are distinct single bits (0x1, 0x2, 0x4), so they can be
// combined in one word.
// NOTE(review): presumably stored in ConnStats.Flags, with Assured backing
// ConnStats.IsAssured ("traffic in both directions"); the exact meaning of
// LInit and RInit is not shown on this page — confirm.
type ConnFlags uint32
const (
	LInit   ConnFlags = 0x1
	RInit   ConnFlags = 0x2
	Assured ConnFlags = 0x4
)

type ConnStats

// ConnStats holds per-connection byte and packet counters in each direction,
// a timestamp, a flags word and a direction byte. The ConnectionDirection and
// IsAssured methods read from this struct.
// NOTE(review): Flags presumably holds ConnFlags bits and Direction a
// ConnDirection value; the unit and clock of Timestamp are not shown — confirm.
// NOTE(review): Direction (uint8) is followed by a uint64 with no explicit pad
// field, so the layout relies on compiler-inserted alignment padding matching
// the C side — worth a size assertion if bytes are reinterpreted as this type.
type ConnStats struct {
	Sent_bytes   uint64
	Recv_bytes   uint64
	Timestamp    uint64
	Flags        uint32
	Direction    uint8
	Sent_packets uint64
	Recv_packets uint64
}

func (ConnStats) ConnectionDirection

func (cs ConnStats) ConnectionDirection() ConnDirection

ConnectionDirection returns the direction of the connection (incoming vs outgoing).

func (ConnStats) IsAssured

func (cs ConnStats) IsAssured() bool

IsAssured returns whether the connection has seen traffic in both directions.

type ConnTuple

// ConnTuple identifies a connection: source and destination addresses (each
// split into two uint64 halves), ports, a network namespace, a PID and a
// Metadata word. Its methods return addresses, endpoints, Family and Type.
// NOTE(review): the _h/_l pairs presumably form the high and low 64 bits of a
// 128-bit address so IPv6 fits; Metadata presumably encodes ConnFamily and
// ConnType bits; port byte order is not shown — confirm.
// NOTE(review): Pid and Netns are values recorded by the tracer; a consumer
// that attributes traffic to a process should allow for PID reuse.
type ConnTuple struct {
	Saddr_h  uint64
	Saddr_l  uint64
	Daddr_h  uint64
	Daddr_l  uint64
	Sport    uint16
	Dport    uint16
	Netns    uint32
	Pid      uint32
	Metadata uint32
}

func (ConnTuple) DestAddress

func (t ConnTuple) DestAddress() util.Address

DestAddress returns the destination address

func (ConnTuple) DestEndpoint

func (t ConnTuple) DestEndpoint() string

DestEndpoint returns the destination address and source port joined

func (ConnTuple) Family

func (t ConnTuple) Family() ConnFamily

Family returns whether a tuple is IPv4 or IPv6

func (ConnTuple) SourceAddress

func (t ConnTuple) SourceAddress() util.Address

SourceAddress returns the source address

func (ConnTuple) SourceEndpoint

func (t ConnTuple) SourceEndpoint() string

SourceEndpoint returns the source address and source port joined

func (ConnTuple) String

func (t ConnTuple) String() string

func (ConnTuple) Type

func (t ConnTuple) Type() ConnType

Type returns whether a tuple is TCP or UDP

type ConnType

// ConnType distinguishes UDP (0x0) from TCP (0x1). The Type methods on
// ConnTuple and ConntrackTuple return it.
// NOTE(review): because UDP is the zero value, a zeroed or uninitialised tuple
// reads as UDP; callers that need to detect "unset" cannot do so from this
// field alone.
type ConnType uint32
const (
	UDP ConnType = 0x0
	TCP ConnType = 0x1
)

func (ConnType) String

func (c ConnType) String() string

type ConntrackTelemetry

// ConntrackTelemetry is a pair of uint64 counters.
// NOTE(review): the names suggest a count of conntrack registrations and a
// count of dropped ones; a rising Dropped would mean conntrack data is
// incomplete and is worth monitoring — confirm the semantics.
type ConntrackTelemetry struct {
	Registers uint64
	Dropped   uint64
}

type ConntrackTuple

// ConntrackTuple has the same address, port, Netns and Metadata fields as
// ConnTuple but carries no Pid; a trailing X_pad word takes its place in size.
// It exposes the same set of accessor methods as ConnTuple on this page.
// NOTE(review): X_pad looks like explicit padding to keep the struct size
// aligned with a C definition — confirm; it should not carry meaning.
type ConntrackTuple struct {
	Saddr_h  uint64
	Saddr_l  uint64
	Daddr_h  uint64
	Daddr_l  uint64
	Sport    uint16
	Dport    uint16
	Netns    uint32
	Metadata uint32
	X_pad    uint32
}

func (ConntrackTuple) DestAddress

func (t ConntrackTuple) DestAddress() util.Address

DestAddress returns the destination address

func (ConntrackTuple) DestEndpoint

func (t ConntrackTuple) DestEndpoint() string

DestEndpoint returns the destination address and source port joined

func (ConntrackTuple) Family

func (t ConntrackTuple) Family() ConnFamily

Family returns whether a tuple is IPv4 or IPv6

func (ConntrackTuple) SourceAddress

func (t ConntrackTuple) SourceAddress() util.Address

SourceAddress returns the source address

func (ConntrackTuple) SourceEndpoint

func (t ConntrackTuple) SourceEndpoint() string

SourceEndpoint returns the source address and source port joined

func (ConntrackTuple) String

func (t ConntrackTuple) String() string

func (ConntrackTuple) Type

func (t ConntrackTuple) Type() ConnType

Type returns whether a tuple is TCP or UDP

type GuessWhat

// GuessWhat enumerates the items the tracer can be asked to locate. The README
// on this page describes discovering struct sock field offsets at run-time
// under control of a userspace state machine; these names line up with the
// Offset_* fields of TracerStatus.
// NOTE(review): presumably the current value is stored in TracerStatus.What —
// confirm.
// The values are rendered as float literals (0.000000 ...); they are integral
// constants and convert exactly to the uint64 underlying type.
type GuessWhat uint64
const (
	GuessSAddr     GuessWhat = 0.000000
	GuessDAddr     GuessWhat = 1.000000
	GuessFamily    GuessWhat = 2.000000
	GuessSPort     GuessWhat = 3.000000
	GuessDPort     GuessWhat = 4.000000
	GuessNetNS     GuessWhat = 5.000000
	GuessRTT       GuessWhat = 6.000000
	GuessDAddrIPv6 GuessWhat = 7.000000

	GuessSAddrFl4 GuessWhat = 8.000000
	GuessDAddrFl4 GuessWhat = 9.000000
	GuessSPortFl4 GuessWhat = 10.000000
	GuessDPortFl4 GuessWhat = 11.000000

	GuessSAddrFl6 GuessWhat = 12.000000
	GuessDAddrFl6 GuessWhat = 13.000000
	GuessSPortFl6 GuessWhat = 14.000000
	GuessDPortFl6 GuessWhat = 15.000000
	GuessSocketSK GuessWhat = 16.000000

	// Sentinel well outside the 0..16 range used above.
	GuessNotApplicable GuessWhat = 99999
)

type HTTPBatchState

// HTTPBatchState holds three bookkeeping values: Idx, Pos and To_notify.
// NOTE(review): presumably a batch index, a position within the current batch
// and the next batch to hand to userspace; none of that is established on this
// page — confirm against the eBPF C header.
type HTTPBatchState struct {
	Idx       uint64
	Pos       uint8
	To_notify uint64
}

type HTTPConnTuple

// HTTPConnTuple is field-for-field identical to ConnTuple on this page but is
// a distinct type with no methods listed. SSLSock embeds it as Tup.
// NOTE(review): converting between the two types is only safe while the field
// lists stay in sync.
type HTTPConnTuple struct {
	Saddr_h  uint64
	Saddr_l  uint64
	Daddr_h  uint64
	Daddr_l  uint64
	Sport    uint16
	Dport    uint16
	Netns    uint32
	Pid      uint32
	Metadata uint32
}

type PIDFD

// PIDFD pairs a process ID with a file descriptor number.
// NOTE(review): an fd number is only meaningful inside the process named by
// Pid, and both can be reused after close/exit; a consumer that uses this as a
// lookup key should tolerate stale entries — confirm how entries are expired.
type PIDFD struct {
	Pid uint32
	Fd  uint32
}

type PortBinding

// PortBinding identifies a port within a network namespace. Pad_cgo_0 is two
// bytes of explicit padding after the 16-bit Port.
// NOTE(review): if this struct is used as a map key, the padding bytes are part
// of the key and should be zero on both sides — confirm.
type PortBinding struct {
	Netns     uint32
	Port      uint16
	Pad_cgo_0 [2]byte
}

type PortState

// PortState is a uint8 with two values: PortClosed (0x0) and PortListening
// (0x1). PortClosed is the zero value, so an unset PortState reads as closed.
type PortState uint8
const (
	PortListening PortState = 0x1
	PortClosed    PortState = 0x0
)

type Proc

// Proc holds a 16-element int8 array named Comm. ProcCommMaxLen on this page
// is 15, one less than the array length.
// NOTE(review): presumably the process command name; when converting to a
// string, stop at the first zero element and do not assume one is present —
// confirm how the array is filled.
type Proc struct {
	Comm [16]int8
}

type SSLReadArgs

// SSLReadArgs holds two raw byte pointers, Ctx and Buf.
// NOTE(review): if these carry addresses captured from a traced process, as the
// name suggests, they are not valid in the tracer's own address space and must
// be treated as opaque values, never dereferenced from Go — confirm.
type SSLReadArgs struct {
	Ctx *byte
	Buf *byte
}

type SSLSock

// SSLSock associates an HTTPConnTuple with a file descriptor number; four
// bytes of explicit padding follow Fd.
// NOTE(review): the name suggests a mapping from a TLS session to its
// underlying socket; the fd is only meaningful within the owning process
// (Tup.Pid) — confirm.
type SSLSock struct {
	Tup       HTTPConnTuple
	Fd        uint32
	Pad_cgo_0 [4]byte
}

type TCPState

type TCPState uint8
const (
	Established TCPState = 0x1
	Close       TCPState = 0x7
)

type TCPStats

// TCPStats holds TCP-specific measurements for a connection: a retransmit
// count, RTT and RTT variance, and a 16-bit State_transitions value, followed
// by two bytes of explicit padding.
// NOTE(review): the units of Rtt/Rtt_var and whether State_transitions is a
// counter or a bitmask of TCPState values are not shown — confirm.
type TCPStats struct {
	Retransmits       uint32
	Rtt               uint32
	Rtt_var           uint32
	State_transitions uint16
	Pad_cgo_0         [2]byte
}

type Telemetry

// Telemetry is six uint64 counters describing the tracer's own operation.
// NOTE(review): by name, Missed_tcp_close, Missed_udp_close, Udp_sends_missed
// and Conn_stats_max_entries_hit count events the tracer failed to record.
// If so, nonzero or rising values mean the connection data is incomplete, and
// anything relying on it for visibility should alert on them — confirm.
type Telemetry struct {
	Tcp_sent_miscounts         uint64
	Missed_tcp_close           uint64
	Missed_udp_close           uint64
	Udp_sends_processed        uint64
	Udp_sends_missed           uint64
	Conn_stats_max_entries_hit uint64
}

type TracerState

// TracerState enumerates four states, Uninitialized through Ready. The README
// on this page says offset discovery is driven from userspace by a state
// machine; these are presumably its states — confirm.
// NOTE(review): TracerStatus.State is a uint64 while this type is uint8, so a
// conversion is needed and should be range-checked.
// The values are rendered as float literals; they are integral constants and
// convert exactly to uint8.
type TracerState uint8
const (
	StateUninitialized TracerState = 0.000000
	StateChecking      TracerState = 1.000000
	StateChecked       TracerState = 2.000000
	StateReady         TracerState = 3.000000
)

type TracerStatus

// TracerStatus is the record used for run-time offset discovery: state and
// control words, one Offset_* field per item being located, and a set of
// observed values (addresses, ports, netns, RTT, family).
// The README on this page describes the approach: connections with known
// parameters are created and the struct sock offsets at which those parameters
// appear are searched for, with userspace driving the search.
// NOTE(review): State presumably holds a TracerState and What a GuessWhat
// value; the observed-value fields are presumably what was read at the
// candidate offset — confirm against the eBPF C header.
// NOTE(review): a wrong offset would make the tracer report wrong addresses or
// ports without an obvious error, so Err and the final state should be checked
// before the offsets are relied on.
type TracerStatus struct {
	State                  uint64
	Tcp_info_kprobe_status uint64
	Proc                   Proc
	What                   uint64
	Offset_saddr           uint64
	Offset_daddr           uint64
	Offset_sport           uint64
	Offset_dport           uint64
	Offset_netns           uint64
	Offset_ino             uint64
	Offset_family          uint64
	Offset_rtt             uint64
	Offset_rtt_var         uint64
	Offset_daddr_ipv6      uint64
	Offset_saddr_fl4       uint64
	Offset_daddr_fl4       uint64
	Offset_sport_fl4       uint64
	Offset_dport_fl4       uint64
	Offset_saddr_fl6       uint64
	Offset_daddr_fl6       uint64
	Offset_sport_fl6       uint64
	Offset_dport_fl6       uint64
	Offset_socket_sk       uint64
	Err                    uint64
	Daddr_ipv6             [4]uint32
	Netns                  uint32
	Rtt                    uint32
	Rtt_var                uint32
	Saddr                  uint32
	Daddr                  uint32
	Sport                  uint16
	Dport                  uint16
	Sport_via_sk           uint16
	Dport_via_sk           uint16
	Family                 uint16
	Saddr_fl4              uint32
	Daddr_fl4              uint32
	Sport_fl4              uint16
	Dport_fl4              uint16
	Saddr_fl6              [4]uint32
	Daddr_fl6              [4]uint32
	Sport_fl6              uint16
	Dport_fl6              uint16
	Ipv6_enabled           uint8
	Fl4_offsets            uint8
	Fl6_offsets            uint8
	Pad_cgo_0              [5]byte
}

type UDPRecvSock

// UDPRecvSock holds two pointers typed as cgo views of the C structs sock and
// msghdr.
// NOTE(review): presumably these are kernel addresses saved by the eBPF side
// between probe entry and return; if so they are opaque in userspace and must
// never be dereferenced from Go — confirm.
type UDPRecvSock struct {
	Sk  *_Ctype_struct_sock
	Msg *_Ctype_struct_msghdr
}
