README
¶
Note
This package is a fork of the weaveworks tcptracer-bpf package which focused on tracing TCP state events (connect, accept, close) without kernel specific runtime dependencies.
This fork adds support for UDP, as well as collection of metrics like bytes sent/received. It also opts for event collection via polling (using BPF maps) instead of being pushed event updates via perf buffers.
tracer-bpf
tracer-bpf is an eBPF program using kprobes to trace TCP/UDP events (connect, accept, close, send_msg, recv_msg).
The eBPF program is compiled to an ELF object file.
tracer-bpf also provides a Go library that provides a simple API for loading the ELF object file. Internally, it is using a fork of the cilium ebpf package.
tracer-bpf does not have any run-time dependencies on kernel headers and is not tied to a specific kernel version or kernel configuration. This is quite unusual for eBPF programs using kprobes: for example, eBPF programs using kprobes with bcc are compiled on the fly and depend on kernel headers. And perf tools compiled for one kernel version cannot be used on another kernel version.
To adapt to the currently running kernel at run-time, tracer-bpf creates a series of TCP connections with known parameters (such as known IP addresses and ports) and discovers where those parameters are stored in the kernel struct sock. The offsets of the struct sock fields vary depending on the kernel version and kernel configuration. Since an eBPF programs cannot loop, tracer-bpf does not directly iterate over the possible offsets. It is instead controlled from userspace by the Go library using a state machine.
Documentation
¶
Index ¶
- Constants
- type Batch
- type BindSyscallArgs
- type ClassificationProgram
- type Conn
- type ConnDirection
- type ConnFamily
- type ConnFlags
- type ConnStats
- type ConnTuple
- type ConnType
- type ConntrackTelemetry
- type ConntrackTuple
- func (t ConntrackTuple) DestAddress() util.Address
- func (t ConntrackTuple) DestEndpoint() string
- func (t ConntrackTuple) Family() ConnFamily
- func (t ConntrackTuple) SourceAddress() util.Address
- func (t ConntrackTuple) SourceEndpoint() string
- func (t ConntrackTuple) String() string
- func (t ConntrackTuple) Type() ConnType
- type PIDFD
- type PortBinding
- type ProtocolStack
- type ProtocolStackWrapper
- type TCPState
- type TCPStats
- type Telemetry
- type UDPRecvSock
Constants ¶
const BatchSize = 0x4
const SizeofBatch = 0x1f0
const SizeofConn = 0x78
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Batch ¶
type BindSyscallArgs ¶
type BindSyscallArgs struct {
Addr *_Ctype_struct_sockaddr
Sk *_Ctype_struct_sock
}
type ClassificationProgram ¶
type ClassificationProgram = uint32
const ( ClassificationQueues ClassificationProgram = 0x2 ClassificationDBs ClassificationProgram = 0x3 ClassificationGRPC ClassificationProgram = 0x5 )
type ConnDirection ¶
type ConnDirection uint8
const ( Unknown ConnDirection = 0x0 Incoming ConnDirection = 0x1 Outgoing ConnDirection = 0x2 )
type ConnFamily ¶
type ConnFamily uint32
const ( IPv4 ConnFamily = 0x0 IPv6 ConnFamily = 0x2 )
func (ConnFamily) String ¶
func (c ConnFamily) String() string
type ConnStats ¶
type ConnStats struct {
Sent_bytes uint64
Recv_bytes uint64
Sent_packets uint32
Recv_packets uint32
Timestamp uint64
Duration uint64
Cookie uint32
Protocol_stack ProtocolStack
Flags uint8
Direction uint8
Pad_cgo_0 [6]byte
}
func (ConnStats) ConnectionDirection ¶
func (cs ConnStats) ConnectionDirection() ConnDirection
ConnectionDirection returns the direction of the connection (incoming vs outgoing).
type ConnTuple ¶
type ConnTuple struct {
Saddr_h uint64
Saddr_l uint64
Daddr_h uint64
Daddr_l uint64
Sport uint16
Dport uint16
Netns uint32
Pid uint32
Metadata uint32
}
func (ConnTuple) DestAddress ¶
DestAddress returns the destination address
func (ConnTuple) DestEndpoint ¶
DestEndpoint returns the destination address and source port joined
func (ConnTuple) Family ¶
func (t ConnTuple) Family() ConnFamily
Family returns whether a tuple is IPv4 or IPv6
func (ConnTuple) SourceAddress ¶
SourceAddress returns the source address
func (ConnTuple) SourceEndpoint ¶
SourceEndpoint returns the source address and source port joined
type ConntrackTelemetry ¶
type ConntrackTelemetry struct {
Registers uint64
}
type ConntrackTuple ¶
type ConntrackTuple struct {
Saddr_h uint64
Saddr_l uint64
Daddr_h uint64
Daddr_l uint64
Sport uint16
Dport uint16
Netns uint32
Metadata uint32
X_pad uint32
}
func (ConntrackTuple) DestAddress ¶
func (t ConntrackTuple) DestAddress() util.Address
DestAddress returns the destination address
func (ConntrackTuple) DestEndpoint ¶
func (t ConntrackTuple) DestEndpoint() string
DestEndpoint returns the destination address and source port joined
func (ConntrackTuple) Family ¶
func (t ConntrackTuple) Family() ConnFamily
Family returns whether a tuple is IPv4 or IPv6
func (ConntrackTuple) SourceAddress ¶
func (t ConntrackTuple) SourceAddress() util.Address
SourceAddress returns the source address
func (ConntrackTuple) SourceEndpoint ¶
func (t ConntrackTuple) SourceEndpoint() string
SourceEndpoint returns the source address and source port joined
func (ConntrackTuple) String ¶
func (t ConntrackTuple) String() string
func (ConntrackTuple) Type ¶
func (t ConntrackTuple) Type() ConnType
Type returns whether a tuple is TCP or UDP
type PortBinding ¶
type ProtocolStack ¶
type ProtocolStackWrapper ¶
type ProtocolStackWrapper struct {
Stack ProtocolStack
Updated uint64
}
type UDPRecvSock ¶
type UDPRecvSock struct {
Sk *_Ctype_struct_sock
Msg *_Ctype_struct_msghdr
}
Source Files