add http head capture
chaolihf committed Mar 8, 2024
1 parent ce49b3d commit ebb71e9
Showing 2 changed files with 61 additions and 23 deletions.
41 changes: 20 additions & 21 deletions pkg/ebpf/uretprobe.c
@@ -6,12 +6,6 @@
#include <bpf/bpf_core_read.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_endian.h>
//#include <linux/if_ether.h>
//#include <linux/ip.h>
//#include <linux/in.h>
//#include <linux/socket.h>
//#include <linux/fs.h>
//#include <linux/sched.h>

char __license[] SEC("license") = "Dual MIT/GPL";

@@ -325,6 +319,11 @@ int sys_enter_accept(struct trace_event_raw_sys_enter *ctx)
return 0;
}

struct
{
__uint(type, BPF_MAP_TYPE_RINGBUF);
__uint(max_entries, 256 * 1024);
} socketEvents SEC(".maps");

#define IP_MF 0x2000
#define IP_OFFSET 0x1FFF
@@ -347,6 +346,9 @@ struct so_event {
__u8 payload[MAX_BUF_SIZE];
};

// Force emitting struct so_event into the ELF.
const struct so_event *useSocketEventForGo __attribute__((unused));

struct __tcphdr
{
__be16 source;
@@ -394,15 +396,12 @@ int socket_handler(struct __sk_buff *skb)
bpf_skb_load_bytes(skb, ETH_HLEN, &hdr_len, sizeof(hdr_len));
hdr_len &= 0x0f;
hdr_len *= 4;

/* verify hlen meets minimum size requirements */
if (hdr_len < sizeof(struct iphdr))
{
return 0;
}



bpf_skb_load_bytes(skb, nhoff + offsetof(struct iphdr, protocol), &ip_proto, 1);

if (ip_proto != IPPROTO_TCP)
@@ -440,21 +439,21 @@ int socket_handler(struct __sk_buff *skb)
bpf_printk("receive http request %d len %d buffer: %s\n", payload_offset, payload_length, line_buffer);

// /* reserve sample from BPF ringbuf */
// e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
// if (!e)
// return 0;
e = bpf_ringbuf_reserve(&socketEvents, sizeof(*e), 0);
if (!e)
return 0;

// e->ip_proto = ip_proto;
// bpf_skb_load_bytes(skb, nhoff + hdr_len, &(e->ports), 4);
// e->pkt_type = skb->pkt_type;
// e->ifindex = skb->ifindex;
e->ip_proto = ip_proto;
bpf_skb_load_bytes(skb, nhoff + hdr_len, &(e->ports), 4);
e->pkt_type = skb->pkt_type;
e->ifindex = skb->ifindex;

// e->payload_length = payload_length;
// bpf_skb_load_bytes(skb, payload_offset, e->payload, MAX_BUF_SIZE);
e->payload_length = payload_length;
bpf_skb_load_bytes(skb, payload_offset, e->payload, MAX_BUF_SIZE);

// bpf_skb_load_bytes(skb, nhoff + offsetof(struct iphdr, saddr), &(e->src_addr), 4);
// bpf_skb_load_bytes(skb, nhoff + offsetof(struct iphdr, daddr), &(e->dst_addr), 4);
// bpf_ringbuf_submit(e, 0);
bpf_skb_load_bytes(skb, nhoff + offsetof(struct iphdr, saddr), &(e->src_addr), 4);
bpf_skb_load_bytes(skb, nhoff + offsetof(struct iphdr, daddr), &(e->dst_addr), 4);
bpf_ringbuf_submit(e, 0);

return skb->len;
}
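Review bot: In the newly enabled ring-buffer block of `socket_handler`, none of the `bpf_skb_load_bytes` return values is checked, and the payload copy always asks for `MAX_BUF_SIZE` bytes regardless of `payload_length`. When fewer than `MAX_BUF_SIZE` bytes remain after `payload_offset` the helper fails, so a short request is still submitted but without its captured bytes, and user space cannot tell that apart from a genuinely empty payload. I would clamp the copy length `n` to the smaller of `payload_length` and `MAX_BUF_SIZE` and drop the record on error, e.g. `if (bpf_skb_load_bytes(skb, payload_offset, e->payload, n) < 0) { bpf_ringbuf_discard(e, 0); return 0; }`. `bpf_ringbuf_reserve` does not hand back zeroed memory, so any field of `struct so_event` left unwritten, and the tail of `payload` after a shorter copy, should be cleared before `bpf_ringbuf_submit` to avoid passing stale bytes from earlier records to the reader. The function starts above this hunk, so the declarations of `e`, `nhoff` and `payload_length` are not visible here.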
43 changes: 41 additions & 2 deletions pkg/ebpf/uretprobe.go
@@ -29,7 +29,7 @@ import (
)

//export BPF2GO_FLAGS="-O2 -g -Wall"
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -target amd64 -type event -type fileEvent bpf uretprobe.c -- -I /usr/src/linux-headers-6.5.0-17-generic/tools/bpf/resolve_btfids/libbpf/include
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -target amd64 -type event -type fileEvent -type so_event bpf uretprobe.c -- -I /usr/src/linux-headers-6.5.0-17-generic/tools/bpf/resolve_btfids/libbpf/include

const (
// The path to the ELF binary containing the function to trace.
@@ -298,8 +298,47 @@ func main() {
fmt.Printf("Filtering on eth index: %d\n", linkIndex)
fmt.Println("Packet stats:")

time.Sleep(30 * time.Second)
socketRingReader, err := ringbuf.NewReader(objs.SocketEvents)
if err != nil {
log.Fatalf("opening socket ringbuf reader: %s", err)
}
defer socketRingReader.Close()

// Close the reader when the process receives a signal, which will exit
// the read loop.
go func() {
<-stopper

if err := socketRingReader.Close(); err != nil {
log.Fatalf("closing socket ringbuf reader: %s", err)
}
}()

log.Printf("Listening for file create socket ring buffer events..")
func() {
var socketEvent bpfSoEvent
for {
record, err := socketRingReader.Read()
if err != nil {
if errors.Is(err, ringbuf.ErrClosed) {
log.Println("Received socket ring signal, exiting..")
return
}
log.Printf("reading from socket reader: %s", err)
continue
}

// Parse the socket ringbuf event entry into a socket Event structure.
if err := binary.Read(bytes.NewBuffer(record.RawSample), binary.LittleEndian, &socketEvent); err != nil {
log.Printf("parsing socket ringbuf event: %s", err)
continue
}
log.Printf("http request from %d:%d to %d:%d , content:%s\n",
socketEvent.SrcAddr, socketEvent.Ports>>2, socketEvent.DstAddr, (socketEvent.Ports&0xff00)>>2,
unix.ByteSliceToString(socketEvent.Payload[:]))
}
}()
time.Sleep(1000000 * time.Second)
}

func openRawSock(index int) (int, error) {
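Review bot: The new read loop writes the captured request head to the process log verbatim with `content:%s`, so whatever the packet carried (`Authorization` and `Cookie` headers, tokens in the URL, raw CR/LF and other control bytes) ends up in log storage and can forge or break log lines. I would log with `%q` at minimum and redact credential-bearing headers before printing, or log only the request line. The port fields also look wrong: `socketEvent.Ports>>2` and `(socketEvent.Ports&0xff00)>>2` shift by two bits, whereas the C side copies the two 16-bit ports in network byte order as four raw bytes and the record is decoded with `binary.LittleEndian`; the addresses are likewise printed as bare integers with `%d`. After `ringbuf.ErrClosed` the loop returns into `time.Sleep(1000000 * time.Second)`, so the process appears to linger after the signal instead of exiting; `main` begins above this hunk, so how `stopper` is set up is not visible.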
