ebpf

package

v0.0.0-...-2ec37ed Latest Latest Go to latest Published: Feb 11, 2024 License: GPL-3.0 Imports: 19 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/evilsocket/opensnitch

Documentation ¶

Index ¶

Constants
func Events() <-chan interface{}
func GetPid(proto string, srcPort uint, srcIP net.IP, dstIP net.IP, dstPort uint) (*procmon.Process, bool, error)
func NewEbpfCache() *ebpfCacheType
func NewEbpfCacheItem(key []byte, pid int) *ebpfCacheItem
func PrintEverything()
func Stop()
type Error
- func Start(modPath string) *Error

Constants ¶

View Source

const (
	NoError = iota
	NotAvailable
	EventsNotAvailable
)

list of returned errors

View Source

const (
	EV_TYPE_NONE = iota
	EV_TYPE_EXEC
	EV_TYPE_EXECVEAT
	EV_TYPE_FORK
	EV_TYPE_SCHED_EXIT
)

List of supported events

View Source

const MaxArgLen = 256

MaxArgLen defines the maximum length of each argument. NOTE: this value is 131072 (PAGE_SIZE * 32) https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/binfmts.h#L16

View Source

const MaxArgs = 20

MaxArgs defines the maximum number of arguments allowed

View Source

const MaxPathLen = 4096

MaxPathLen defines the maximum length of a path, as defined by the kernel: https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/limits.h#L13

View Source

const TaskCommLen = 16

TaskCommLen is the maximum num of characters of the comm field

Variables ¶

This section is empty.

Functions ¶

func Events ¶

func Events() <-chan interface{}

func GetPid ¶

func GetPid(proto string, srcPort uint, srcIP net.IP, dstIP net.IP, dstPort uint) (*procmon.Process, bool, error)

GetPid looks up process pid in a bpf map. If it's not found, it searches already-established TCP connections. Returns the process if found. Additionally, if the process has been found by swapping fields, it'll return a flag indicating it.

func NewEbpfCache ¶

func NewEbpfCache() *ebpfCacheType

NewEbpfCache creates a new cache store.

func NewEbpfCacheItem ¶

func NewEbpfCacheItem(key []byte, pid int) *ebpfCacheItem

NewEbpfCacheItem creates a new cache item.

func PrintEverything ¶

func PrintEverything()

PrintEverything prints all the stats. used only for debugging

func Stop ¶

func Stop()

Stop stops monitoring connections using kprobes

Types ¶

type Error ¶

type Error struct {
	What int // 1 global error, 2 events error, 3 ...
	Msg  error
}

Error returns the error type and a message with the explanation

func Start ¶

func Start(modPath string) *Error

Start installs ebpf kprobes

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL