Documentation
¶
Index ¶
- Constants
- func EthTypeToString(ethType uint16) string
- func GetDropReason(pa *PacketAlert) string
- func GetOrigin(pa *PacketAlert) string
- func LinkList() (map[uint32]string, error)
- type PacketAlert
- func (pa *PacketAlert) Is16() bool
- func (pa *PacketAlert) Is4() bool
- func (pa *PacketAlert) L3Packet() []byte
- func (pa *PacketAlert) Length() uint32
- func (pa *PacketAlert) Link() uint32
- func (pa *PacketAlert) Output(links map[uint32]string)
- func (pa *PacketAlert) PC() uint64
- func (pa *PacketAlert) Packet() []byte
- func (pa *PacketAlert) Proto() uint16
- func (pa *PacketAlert) Symbol() string
- type PacketAlertFunc
- type Session
- Bugs
Constants ¶
// Command identifiers used in DM_NET generic netlink messages (for example
// CMD_START issued by Session.Start). The values are assigned by iota, so the
// declaration order is significant and must not be changed.
// NOTE(review): presumably mirrors the NET_DM_CMD_* enum in the kernel's
// net_dropmon.h; confirm against the kernel header before editing.
const (
	CMD_UNSPEC = iota
	CMD_ALERT  // 1
	CMD_CONFIG
	CMD_START
	CMD_STOP
	CMD_PACKET_ALERT // 5
	CMD_CONFIG_GET
	CMD_CONFIG_NEW
	CMD_STATS_GET
	CMD_STATS_NEW
)
// Netlink attribute types carried in DM_NET messages. The /* ... */ note on
// each line names the attribute's payload type; the trailing number is the
// constant's value, given every fifth entry as a reading aid. Values are
// assigned by iota, so the declaration order is significant.
// NOTE(review): presumably mirrors the NET_DM_ATTR_* enum in the kernel's
// net_dropmon.h; confirm against the kernel header before editing.
const (
	ATTR_UNSPEC              = iota
	ATTR_ALERT_MODE          /* u8 */ // 1
	ATTR_PC                  /* u64 */
	ATTR_SYMBOL              /* string */
	ATTR_IN_PORT             /* nested */
	ATTR_TIMESTAMP           /* u64 */ // 5
	ATTR_PROTO               /* u16 */
	ATTR_PAYLOAD             /* binary */
	ATTR_PAD
	ATTR_TRUNC_LEN           /* u32 */
	ATTR_ORIG_LEN            /* u32 */ // 10
	ATTR_QUEUE_LEN           /* u32 */
	ATTR_STATS               /* nested */
	ATTR_HW_STATS            /* nested */
	ATTR_ORIGIN              /* u16 */
	ATTR_HW_TRAP_GROUP_NAME  /* string */ // 15
	ATTR_HW_TRAP_NAME        /* string */
	ATTR_HW_ENTRIES          /* nested */
	ATTR_HW_ENTRY            /* nested */
	ATTR_HW_TRAP_COUNT       /* u32 */
	ATTR_SW_DROPS            /* flag */ // 20
	ATTR_HW_DROPS            /* flag */
	ATTR_FLOW_ACTION_COOKIE  /* binary */
	ATTR_DROP_REASON         /* string */ // New: Drop reason
)
const (
	// GRP_ALERT is the netlink multicast group that Session.Start joins in
	// order to read alerts.
	GRP_ALERT = 1

	// Alert modes. SUMMARY mode is not parsed by this package, so PACKET
	// mode is always used. PACKET mode delivers the payload of every dropped
	// packet and requires privileges; alerts therefore carry raw traffic
	// contents and should be handled as sensitive data.
	// NOTE(review): the exact capability needed is not stated here and may
	// depend on the kernel version; confirm before documenting it.
	ALERT_MODE_SUMMARY = 0
	ALERT_MODE_PACKET  = 1

	// Nested attribute types.
	// NOTE(review): presumably the NATTR_PORT_* entries live inside
	// ATTR_IN_PORT and NATTR_STATS_DROPPED inside ATTR_STATS; verify
	// against the parser.
	NATTR_PORT_NETDEV_IFINDEX = 0 /* u32 */
	NATTR_PORT_NETDEV_NAME    = 1 /* string */

	NATTR_STATS_DROPPED = 0

	// Drop origins: software or hardware.
	// NOTE(review): presumably the values carried by ATTR_ORIGIN; see GetOrigin.
	ORIGIN_SW = 0
	ORIGIN_HW = 1

	// Configuration item identifiers (alert count and alert delay).
	CFG_ALERT_COUNT = 1
	CFG_ALERT_DELAY = 2
)
// Layer 3 protocol identifiers. Values above ETH_P_802_3_MIN are Ethernet II
// types; the second group holds the non-DIX pseudo types below that
// threshold. Entries marked "NOT AN OFFICIALLY REGISTERED ID" are in use but
// not officially assigned.
const (
	ETH_P_LOOP      = 0x0060 // Ethernet Loopback packet
	ETH_P_PUP       = 0x0200 // Xerox PUP packet
	ETH_P_PUPAT     = 0x0201 // Xerox PUP Addr Trans packet
	ETH_P_TSN       = 0x22F0 // TSN (IEEE 1722) packet
	ETH_P_ERSPAN2   = 0x22EB // ERSPAN version 2 (type III)
	ETH_P_IP        = 0x0800 // Internet Protocol packet
	ETH_P_X25       = 0x0805 // CCITT X.25
	ETH_P_ARP       = 0x0806 // Address Resolution packet
	ETH_P_BPQ       = 0x08FF // G8BPQ AX.25 Ethernet Packet [ NOT AN OFFICIALLY REGISTERED ID ]
	ETH_P_IEEEPUP   = 0x0a00 // Xerox IEEE802.3 PUP packet
	ETH_P_IEEEPUPAT = 0x0a01 // Xerox IEEE802.3 PUP Addr Trans packet
	ETH_P_BATMAN    = 0x4305 // B.A.T.M.A.N.-Advanced packet [ NOT AN OFFICIALLY REGISTERED ID ]
	ETH_P_DEC       = 0x6000 // DEC Assigned proto
	ETH_P_DNA_DL    = 0x6001 // DEC DNA Dump/Load
	ETH_P_DNA_RC    = 0x6002 // DEC DNA Remote Console
	ETH_P_DNA_RT    = 0x6003 // DEC DNA Routing
	ETH_P_LAT       = 0x6004 // DEC LAT
	ETH_P_DIAG      = 0x6005 // DEC Diagnostics
	ETH_P_CUST      = 0x6006 // DEC Customer use
	ETH_P_SCA       = 0x6007 // DEC Systems Comms Arch
	ETH_P_TEB       = 0x6558 // Trans Ether Bridging
	ETH_P_RARP      = 0x8035 // Reverse Addr Res packet
	ETH_P_ATALK     = 0x809B // Appletalk DDP
	ETH_P_AARP      = 0x80F3 // Appletalk AARP
	ETH_P_8021Q     = 0x8100 // 802.1Q VLAN Extended Header
	ETH_P_ERSPAN    = 0x88BE // ERSPAN type II
	ETH_P_IPX       = 0x8137 // IPX over DIX
	ETH_P_IPV6      = 0x86DD // IPv6 over bluebook
	ETH_P_PAUSE     = 0x8808 // IEEE Pause frames. See 802.3 31B
	ETH_P_SLOW      = 0x8809 // Slow Protocol. See 802.3ad 43B
	ETH_P_WCCP      = 0x883E // Web-cache coordination protocol defined in draft-wilson-wrec-wccp-v2-00.txt
	ETH_P_MPLS_UC   = 0x8847 // MPLS Unicast traffic
	ETH_P_MPLS_MC   = 0x8848 // MPLS Multicast traffic
	ETH_P_ATMMPOA   = 0x884c // MultiProtocol Over ATM
	ETH_P_PPP_DISC  = 0x8863 // PPPoE discovery messages
	ETH_P_PPP_SES   = 0x8864 // PPPoE session messages
	ETH_P_LINK_CTL  = 0x886c // HPNA, wlan link local tunnel
	ETH_P_ATMFATE   = 0x8884 // Frame-based ATM Transport over Ethernet
	ETH_P_PAE       = 0x888E // Port Access Entity (IEEE 802.1X)
	ETH_P_PROFINET  = 0x8892 // PROFINET
	ETH_P_REALTEK   = 0x8899 // Multiple proprietary protocols
	ETH_P_AOE       = 0x88A2 // ATA over Ethernet
	ETH_P_ETHERCAT  = 0x88A4 // EtherCAT
	ETH_P_8021AD    = 0x88A8 // 802.1ad Service VLAN
	ETH_P_802_EX1   = 0x88B5 // 802.1 Local Experimental 1.
	ETH_P_PREAUTH   = 0x88C7 // 802.11 Preauthentication
	ETH_P_TIPC      = 0x88CA // TIPC
	ETH_P_LLDP      = 0x88CC // Link Layer Discovery Protocol
	ETH_P_MRP       = 0x88E3 // Media Redundancy Protocol
	ETH_P_MACSEC    = 0x88E5 // 802.1ae MACsec
	ETH_P_8021AH    = 0x88E7 // 802.1ah Backbone Service Tag
	ETH_P_MVRP      = 0x88F5 // 802.1Q MVRP
	ETH_P_1588      = 0x88F7 // IEEE 1588 Timesync
	ETH_P_NCSI      = 0x88F8 // NCSI protocol
	ETH_P_PRP       = 0x88FB // IEC 62439-3 PRP/HSRv0
	ETH_P_CFM       = 0x8902 // Connectivity Fault Management
	ETH_P_FCOE      = 0x8906 // Fibre Channel over Ethernet
	ETH_P_IBOE      = 0x8915 // Infiniband over Ethernet
	ETH_P_TDLS      = 0x890D // TDLS
	ETH_P_FIP       = 0x8914 // FCoE Initialization Protocol
	ETH_P_80221     = 0x8917 // IEEE 802.21 Media Independent Handover Protocol
	ETH_P_HSR       = 0x892F // IEC 62439-3 HSRv1
	ETH_P_NSH       = 0x894F // Network Service Header
	ETH_P_LOOPBACK  = 0x9000 // Ethernet loopback packet, per IEEE 802.3
	ETH_P_QINQ1     = 0x9100 // deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	ETH_P_QINQ2     = 0x9200 // deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	ETH_P_QINQ3     = 0x9300 // deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	ETH_P_EDSA      = 0xDADA // Ethertype DSA [ NOT AN OFFICIALLY REGISTERED ID ]
	ETH_P_DSA_8021Q = 0xDADB // Fake VLAN Header for DSA [ NOT AN OFFICIALLY REGISTERED ID ]
	ETH_P_DSA_A5PSW = 0xE001 // A5PSW Tag Value [ NOT AN OFFICIALLY REGISTERED ID ]
	ETH_P_IFE       = 0xED3E // ForCES inter-FE LFB type
	ETH_P_AF_IUCV   = 0xFBFB // IBM af_iucv [ NOT AN OFFICIALLY REGISTERED ID ]
	ETH_P_802_3_MIN = 0x0600 // If the value in the ethernet type is more than this value then the frame is Ethernet II. Else it is 802.3

	// Non DIX types. Won't clash for 1500 types.
	ETH_P_802_3      = 0x0001 // Dummy type for 802.3 frames
	ETH_P_AX25       = 0x0002 // Dummy protocol id for AX.25
	ETH_P_ALL        = 0x0003 // Every packet (be careful!!!)
	ETH_P_802_2      = 0x0004 // 802.2 frames
	ETH_P_SNAP       = 0x0005 // Internal only
	ETH_P_DDCMP      = 0x0006 // DEC DDCMP: Internal only
	ETH_P_WAN_PPP    = 0x0007 // Dummy type for WAN PPP frames
	ETH_P_PPP_MP     = 0x0008 // Dummy type for PPP MP frames
	ETH_P_LOCALTALK  = 0x0009 // Localtalk pseudo type
	ETH_P_CAN        = 0x000C // CAN: Controller Area Network
	ETH_P_CANFD      = 0x000D // CANFD: CAN flexible data rate
	ETH_P_CANXL      = 0x000E // CANXL: eXtended frame Length
	ETH_P_PPPTALK    = 0x0010 // Dummy type for Atalk over PPP
	ETH_P_TR_802_2   = 0x0011 // 802.2 frames
	ETH_P_MOBITEX    = 0x0015 // Mobitex (kaz@cafe.net)
	ETH_P_CONTROL    = 0x0016 // Card specific control frames
	ETH_P_IRDA       = 0x0017 // Linux-IrDA
	ETH_P_ECONET     = 0x0018 // Acorn Econet
	ETH_P_HDLC       = 0x0019 // HDLC frames
	ETH_P_ARCNET     = 0x001A // 1A for ArcNet :-)
	ETH_P_DSA        = 0x001B // Distributed Switch Arch.
	ETH_P_TRAILER    = 0x001C // Trailer switch tagging
	ETH_P_PHONET     = 0x00F5 // Nokia Phonet frames
	ETH_P_IEEE802154 = 0x00F6 // IEEE802.15.4 frame
	ETH_P_CAIF       = 0x00F7 // ST-Ericsson CAIF protocol
	ETH_P_XDSA       = 0x00F8 // Multiplexed DSA protocol
	ETH_P_MAP        = 0x00F9 // Qualcomm multiplexing and aggregation protocol
	ETH_P_MCTP       = 0x00FA // Management component transport protocol packets
)
Layer 3 (network layer) protocol identifiers.
Variables ¶
This section is empty.
Functions ¶
func EthTypeToString ¶
func GetDropReason ¶
func GetDropReason(pa *PacketAlert) string
GetDropReason is a helper function to determine the drop reason
func GetOrigin ¶
func GetOrigin(pa *PacketAlert) string
GetOrigin is a helper function to determine the origin of the drop
Types ¶
type PacketAlert ¶
type PacketAlert struct {
// contains filtered or unexported fields
}
PacketAlert wraps the Netlink attributes parsed from a CMD_ALERT message
func PacketAlertFromRaw ¶
func PacketAlertFromRaw(raw []byte) (PacketAlert, error)
PacketAlertFromRaw creates a PacketAlert from the raw bytes of a CMD_ALERT message.
func (*PacketAlert) Is16 ¶
func (pa *PacketAlert) Is16() bool
Is16 is true if the dropped packet is an IPv6 packet.
func (*PacketAlert) Is4 ¶
func (pa *PacketAlert) Is4() bool
Is4 is true if the dropped packet is an IPv4 packet.
func (*PacketAlert) L3Packet ¶
func (pa *PacketAlert) L3Packet() []byte
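L3Packet returns the (truncated) raw bytes of the dropped packet, skipping the link layer header (i.e., starting from the IP packet's IP header). Because the bytes are truncated and come straight from network traffic, callers should bounds-check them before parsing.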
func (*PacketAlert) Length ¶
func (pa *PacketAlert) Length() uint32
Length returns the original non-truncated length of the dropped packet.
func (*PacketAlert) Link ¶
func (pa *PacketAlert) Link() uint32
Link returns the interface index of the dropped packet
func (*PacketAlert) Output ¶
func (pa *PacketAlert) Output(links map[uint32]string)
func (*PacketAlert) PC ¶
func (pa *PacketAlert) PC() uint64
PC returns the program counter ($RIP on x86-64) of the CPU when the drop occurred, for later resolution to a symbol.
func (*PacketAlert) Packet ¶
func (pa *PacketAlert) Packet() []byte
Packet returns the (truncated) raw bytes of the dropped packet, starting from the link layer header (which might be an Ethernet header?).
func (*PacketAlert) Proto ¶
func (pa *PacketAlert) Proto() uint16
Proto returns the layer 3 protocol of the dropped packet.
func (*PacketAlert) Symbol ¶
func (pa *PacketAlert) Symbol() string
Symbol returns the kernel function where the drop occurred, when available.
type PacketAlertFunc ¶
type PacketAlertFunc func(PacketAlert) bool
PacketAlertFunc returns false if we should stop reading drops
type Session ¶
type Session struct {
// contains filtered or unexported fields
}
Session wraps a genetlink.Conn and looks up the DM_NET family from the generic netlink registry
func NewSession ¶
NewSession connects to generic netlink and looks up the DM_NET family so we can issue requests
func (*Session) Config ¶
Config returns the raw attribute bundle of the current DM_NET configuration (see the ATTR_ constants). It only includes the alert mode, packet snapshot length, and queue length.
func (*Session) ReadUntil ¶
func (s *Session) ReadUntil(deadline time.Time, f PacketAlertFunc) error
ReadUntil reads packet alerts until the deadline is reached, calling `f` on each alert; if the deadline is zero, reads indefinitely.
func (*Session) Start ¶
Start puts DM_NET in packet alert mode (so we get alerts for each packet, including the raw contents of the dropped packet), issues an acknowledged CMD_START to start monitoring, and then joins the GRP_ALERT netlink multicast group to read alerts. Packet alert mode requires privileges, and its alerts carry raw packet contents, so handle them as sensitive data. DM_NET alerts must already be stopped for Start to work.
Notes ¶
Bugs ¶
Log this, but if we are asking this code to stop, I want it to try to stop. In most cases, we leave the multicast group simply by closing the connection.
voodoo; I don't know if this is important