dropspy

package module v0.0.0-...-5d7a198 (Latest)

Warning: this package is not in the latest version of its module.

Published: Oct 29, 2021 License: MIT Imports: 6 Imported by: 0

README

dropspy

dropspy is a (POC-quality) reworking of the C-language dropwatch tool in Go, with some extra features.

This is currently potato code and I make no promises that it works at all.

Installation

git clone https://github.com/superfly/dropspy.git
cd dropspy
go install ./cmd/dropspy

Usage

./dropspy: Report packet drops from Linux kernel DM_MON.
./dropspy [flags] [pcap filter]
ie: ./dropspy -hex -iface lo udp port 53
  -count uint
    	maximum drops to record
  -hex
    	print hex dumps of matching packets
  -hw
    	record hardware drops (default true)
  -iface value
    	show only drops on this interface (may be repeated)
  -isym value
    	include drops from syms matching regexp (may be repeated)
  -maxlen uint
    	maximum packet length for drops
  -minlen uint
    	minimum packet length for drops
  -sw
    	record software drops (default true)
  -timeout string
    	duration to capture for (300ms, 2h15m, &c)
  -xsym value
    	exclude drops from syms matching regexp (may be repeated)

License

MIT

Documentation

Constants

const (
	CMD_UNSPEC = iota
	CMD_ALERT  // 1
	CMD_CONFIG
	CMD_START
	CMD_STOP
	CMD_PACKET_ALERT // 5
	CMD_CONFIG_GET
	CMD_CONFIG_NEW
	CMD_STATS_GET
	CMD_STATS_NEW
)
const (
	ATTR_UNSPEC     = iota
	ATTR_ALERT_MODE /* u8 */ // 1
	ATTR_PC         /* u64 */
	ATTR_SYMBOL     /* string */
	ATTR_IN_PORT    /* nested */
	ATTR_TIMESTAMP  /* u64 */ // 5
	ATTR_PROTO      /* u16 */
	ATTR_PAYLOAD    /* binary */
	ATTR_PAD
	ATTR_TRUNC_LEN          /* u32 */
	ATTR_ORIG_LEN           /* u32 */ // 10
	ATTR_QUEUE_LEN          /* u32 */
	ATTR_STATS              /* nested */
	ATTR_HW_STATS           /* nested */
	ATTR_ORIGIN             /* u16 */
	ATTR_HW_TRAP_GROUP_NAME /* string */ // 15
	ATTR_HW_TRAP_NAME       /* string */
	ATTR_HW_ENTRIES         /* nested */
	ATTR_HW_ENTRY           /* nested */
	ATTR_HW_TRAP_COUNT      /* u32 */
	ATTR_SW_DROPS           /* flag */ // 20
	ATTR_HW_DROPS           /* flag */
)
const (
	GRP_ALERT = 1

	// i don't know how to parse SUMMARY mode so we just
	// always use PACKET, which gives us payloads (but requires
	// privileges)
	ALERT_MODE_SUMMARY = 0
	ALERT_MODE_PACKET  = 1

	NATTR_PORT_NETDEV_IFINDEX = 0 /* u32 */
	NATTR_PORT_NETDEV_NAME    = 1 /* string */

	NATTR_STATS_DROPPED = 0

	ORIGIN_SW = 0
	ORIGIN_HW = 1

	CFG_ALERT_COUNT = 1
	CFG_ALERT_DELAY = 2
)

Variables

This section is empty.

Functions

func LinkList() (map[uint32]string, error)

LinkList returns a map from interface index to interface name.

Types

type PacketAlert

type PacketAlert struct {
	// contains filtered or unexported fields
}

PacketAlert wraps the Netlink attributes parsed from a CMD_ALERT message.

func PacketAlertFromRaw

func PacketAlertFromRaw(raw []byte) (PacketAlert, error)

PacketAlertFromRaw creates a PacketAlert from the raw bytes of a CMD_ALERT message.

func (*PacketAlert) Is16

func (pa *PacketAlert) Is16() bool

Is16 is true if the dropped packet is an IPv6 packet.

func (*PacketAlert) Is4

func (pa *PacketAlert) Is4() bool

Is4 is true if the dropped packet is an IPv4 packet.

func (*PacketAlert) L3Packet

func (pa *PacketAlert) L3Packet() []byte

L3Packet returns the (truncated) raw bytes of a dropped packet, skipping the link layer header (i.e. starting at the IP header of an IP packet).

func (*PacketAlert) Length

func (pa *PacketAlert) Length() uint32

Length returns the original, non-truncated length of the dropped packet.

func (*PacketAlert) Link

func (pa *PacketAlert) Link() uint32

Link returns the interface index on which the packet was dropped.

func (*PacketAlert) PC

func (pa *PacketAlert) PC() uint64

PC returns the instruction pointer ($RIP) of the CPU at the moment the drop occurred, for later resolution to a kernel symbol.

func (*PacketAlert) Packet

func (pa *PacketAlert) Packet() []byte

Packet returns the (truncated) raw bytes of a dropped packet, starting from the link layer header (presumably an Ethernet header).

func (*PacketAlert) Proto

func (pa *PacketAlert) Proto() uint16

Proto returns the layer 3 protocol of the dropped packet.

func (*PacketAlert) Symbol

func (pa *PacketAlert) Symbol() string

Symbol returns the kernel function where this drop occurred, when available.
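PacketAlertFromRaw decodes the CMD_ALERT attribute stream that the PC, Symbol, Link and Packet accessors above read from. The following is an added example, not the project's own code: a self-contained decoder for that stream which treats every kernel-supplied length field as untrusted and masks the NLA_F_NESTED flag before matching ATTR_IN_PORT. It assumes the raw bytes are the generic-netlink payload after the genlmsghdr on a little-endian host; ParseAttrs, Attrs and the accessor names are this example's own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"strings"
)

// ATTR_/NATTR_PORT_ ids from the page; nlaTypeMask strips the NLA_F_NESTED
// flag the kernel sets on the type field of nested attributes (ATTR_IN_PORT).
const (
	attrPC, attrSymbol, attrInPort = 2, 3, 4
	nattrIfindex, nlaTypeMask      = 0, 0x3fff
)

// Attrs maps an attribute type to its unpadded payload (host order; LE host assumed).
type Attrs map[uint16][]byte

// ParseAttrs walks a netlink attribute stream (u16 length incl. header, u16
// type, payload padded to 4 bytes), validating every length before using it.
func ParseAttrs(b []byte) (Attrs, error) {
	attrs := Attrs{}
	for len(b) >= 4 {
		l := int(binary.LittleEndian.Uint16(b[0:2]))
		if l < 4 || l > len(b) {
			return nil, errors.New("malformed netlink attribute length")
		}
		attrs[binary.LittleEndian.Uint16(b[2:4])&nlaTypeMask] = b[4:l]
		if l = (l + 3) &^ 3; l > len(b) {
			break // the final attribute may omit its trailing padding
		}
		b = b[l:]
	}
	return attrs, nil
}

// PC and Symbol mirror PacketAlert.PC / .Symbol; Link mirrors PacketAlert.Link
// by parsing the nested ATTR_IN_PORT. Absent or mis-sized values decode as zero.
func (a Attrs) PC() uint64 {
	if v := a[attrPC]; len(v) == 8 {
		return binary.LittleEndian.Uint64(v)
	}
	return 0
}
func (a Attrs) Symbol() string { return strings.TrimRight(string(a[attrSymbol]), "\x00") }
func (a Attrs) Link() uint32 {
	if p, err := ParseAttrs(a[attrInPort]); err == nil && len(p[nattrIfindex]) == 4 {
		return binary.LittleEndian.Uint32(p[nattrIfindex])
	}
	return 0
}
```

A stream from an unprivileged or buggy sender that claims an attribute length beyond the buffer fails with an error instead of a slice panic in the reader loop.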

type PacketAlertFunc

type PacketAlertFunc func(PacketAlert) bool

PacketAlertFunc is called once per drop; returning false tells the reader to stop reading drops now.

type Session

type Session struct {
	// contains filtered or unexported fields
}

Session wraps a genetlink.Conn and looks up the DM_NET family from the generic netlink registry.

func NewSession

func NewSession() (*Session, error)

NewSession connects to generic netlink and looks up the DM_NET family so we can issue requests.

func (*Session) Config

func (s *Session) Config() (map[int]interface{}, error)

Config returns a raw bundle of attrs (see the ATTR_ constants) holding the current DM_NET configuration, which is just the alert mode, the packet snap length and the queue length.

func (*Session) ReadUntil

func (s *Session) ReadUntil(deadline time.Time, f PacketAlertFunc) error

ReadUntil reads packet alerts until the deadline has elapsed, calling `f` on each (and stopping early when `f` returns false); it reads indefinitely if deadline is the zero time.
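ReadUntil hands every drop to the PacketAlertFunc and stops as soon as it returns false, which is the natural place to enforce the -count, -iface, -isym, -xsym, -minlen and -maxlen flags from the usage text. The following is an added example, not the project's code: a filter implementing those criteria and that stop contract. Drop, Filter and Callback are this example's own names; a real PacketAlertFunc would fill a Drop from pa.Link(), pa.Symbol() and pa.Length() and then call the callback.

```go
package main

import "regexp"

// Drop holds the PacketAlert fields the filter reads (from Link(), Symbol(), Length()).
type Drop struct {
	Link   uint32
	Symbol string
	Length uint32
}

// Filter mirrors the -iface, -isym, -xsym, -minlen, -maxlen and -count flags; zero means unconstrained.
type Filter struct {
	Ifaces           map[uint32]bool
	Include, Exclude []*regexp.Regexp
	MinLen, MaxLen   uint32
	Count            uint64
}

// Match reports whether one drop passes every criterion; -isym patterns are OR'd, -xsym always wins.
func (f *Filter) Match(d Drop) bool {
	if len(f.Ifaces) > 0 && !f.Ifaces[d.Link] {
		return false
	}
	if d.Length < f.MinLen || (f.MaxLen > 0 && d.Length > f.MaxLen) {
		return false
	}
	for _, re := range f.Exclude {
		if re.MatchString(d.Symbol) {
			return false
		}
	}
	for _, re := range f.Include {
		if re.MatchString(d.Symbol) {
			return true
		}
	}
	return len(f.Include) == 0
}

// Callback builds the per-alert function for Session.ReadUntil: it runs on for each
// match and returns false once Count matches were delivered, which stops ReadUntil early.
func (f *Filter) Callback(on func(Drop)) func(Drop) bool {
	var seen uint64
	return func(d Drop) bool {
		if f.Match(d) {
			on(d)
			seen++
		}
		return f.Count == 0 || seen < f.Count
	}
}
```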

func (*Session) Start

func (s *Session) Start(sw, hw bool) error

Start puts DM_NET into packet alerting mode (so we get per-packet alerts, and the raw contents of dropped packets), issues an acknowledged CMD_START to start monitoring, and then joins the GRP_ALERT netlink multicast group to read alerts. DM_NET alerting needs to be stopped for this to work.

`sw` and `hw` enable or disable software and hardware drop monitoring, respectively; hardware drops are those reported by offload hardware rather than by kernel software.

func (*Session) Stop

func (s *Session) Stop(sw, hw bool) error

Stop issues an ack'd CMD_STOP to turn off DM_NET alerting (`sw` is true to disable software drops, and `hw` for hardware), and also leaves the GRP_ALERT multicast group for the socket.

Notes

Bugs

  • log this or something, but if we ask this code to Stop(), I really want it to try to stop. Most of the time, we leave the multicast group simply by closing the connection.

  • voodoo; I have no idea if this matters

Directories

Path Synopsis
cmd
