diff --git a/.github/workflows/network_monitor.yml b/.github/workflows/network_monitor.yml index cfba35df3..12bf77e52 100644 --- a/.github/workflows/network_monitor.yml +++ b/.github/workflows/network_monitor.yml @@ -25,6 +25,7 @@ jobs: - name: Install dependencies and Init Env run: | + sudo apt update sudo apt install libbpf-dev clang llvm libelf-dev libpcap-dev gcc-multilib build-essential git submodule update --init --recursive diff --git a/eBPF_Supermarket/Network_Subsystem/tcp_watch/data/connects.log b/eBPF_Supermarket/Network_Subsystem/tcp_watch/data/connects.log index 7e311dfb0..e69de29bb 100644 --- a/eBPF_Supermarket/Network_Subsystem/tcp_watch/data/connects.log +++ b/eBPF_Supermarket/Network_Subsystem/tcp_watch/data/connects.log 
@@ -1,51 +0,0 @@ -connection{sock="0xffff8e004e8dc600",src="10.0.2.15:37114",dst="13.224.103.89:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="6.836K",tx="1.130K",srtt="642026",duration="59486365"} 0 -connection{sock="0xffff8e004e8d8000",src="10.0.2.15:51086",dst="111.31.58.198:80",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="965",tx="474",srtt="280834",duration="103661616"} 0 -connection{sock="0xffff8e01f41b4600",src="10.0.2.15:46314",dst="106.38.179.31:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="6.043K",tx="1.211K",srtt="158281",duration="218017"} 0 -connection{sock="0xffff8e00a158b480",src="10.0.2.15:43814",dst="112.34.111.167:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="11.252K",tx="9.340K",srtt="236575",duration="13284847"} 0 -connection{sock="0xffff8e01f568bd40",src="10.0.2.15:46282",dst="36.99.3.36:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="9.126K",tx="1.347K",srtt="148393",duration="448178"} 0 -connection{sock="0xffff8e004e8da300",src="10.0.2.15:46422",dst="36.99.3.38:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="198.496K",tx="1.138K",srtt="301078",duration="477037"} 0 -connection{sock="0xffff8e004e8d88c0",src="10.0.2.15:41580",dst="34.120.177.193:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="3.601K",tx="496",srtt="1075541",duration="732830"} 0 -connection{sock="0xffff8e0045340000",src="10.0.2.15:54450",dst="106.117.216.35:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="872.052K",tx="4.839K",srtt="155186",duration="5789601"} 0 
-connection{sock="0xffff8e01a041c600",src="10.0.2.15:41112",dst="150.138.110.38:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="467.573K",tx="2.538K",srtt="215113",duration="2813230"} 0 -connection{sock="0xffff8e01f41b2300",src="10.0.2.15:46286",dst="106.38.179.31:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="13.343K",tx="1.212K",srtt="146404",duration="259921"} 0 -connection{sock="0xffff8e004e8d9a40",src="10.0.2.15:54344",dst="106.117.216.35:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="408.240K",tx="3.260K",srtt="179475",duration="1840805"} 0 -connection{sock="0xffff8e004e8dbd40",src="10.0.2.15:51068",dst="111.31.58.198:80",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="965",tx="474",srtt="284764",duration="104408874"} 0 -connection{sock="0xffff8e01f41b6900",src="10.0.2.15:46300",dst="106.38.179.31:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="43.811K",tx="1.507K",srtt="129116",duration="298269"} 0 -connection{sock="0xffff8e01f41b1180",src="10.0.2.15:51568",dst="220.181.107.131:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="1.454K",tx="2.703K",srtt="207599",duration="12478412"} 0 -connection{sock="0xffff8e00498ea300",src="10.0.2.15:45816",dst="34.117.237.239:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="5.369K",tx="1.177K",srtt="719143",duration="118900997"} 0 -connection{sock="0xffff8e01f41b71c0",src="10.0.2.15:56624",dst="220.181.38.149:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="5.425K",tx="2.689K",srtt="209429",duration="495157"} 0 
-connection{sock="0xffff8e004e8de040",src="10.0.2.15:51094",dst="111.31.58.198:80",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="965",tx="474",srtt="325598",duration="103148307"} 0 -connection{sock="0xffff8e00498eb480",src="10.0.2.15:43486",dst="34.120.208.123:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="9.224K",tx="10.135K",srtt="52870",duration="66280821"} 0 -connection{sock="0xffff8e01a25e4600",src="10.0.2.15:54284",dst="1.193.146.35:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="8.690K",tx="1.318K",srtt="201462",duration="59259851"} 0 -connection{sock="0xffff8e0192e50000",src="10.0.2.15:41132",dst="150.138.110.38:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="24.553K",tx="2.415K",srtt="284104",duration="2440236"} 0 -connection{sock="0xffff8e004e8dd780",src="10.0.2.15:58506",dst="124.238.241.36:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="271.006K",tx="4.796K",srtt="160873",duration="5895833"} 0 -connection{sock="0xffff8e01f568c600",src="10.0.2.15:54382",dst="106.117.216.35:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="42.337K",tx="1.129K",srtt="251622",duration="1786782"} 0 -connection{sock="0xffff8e00498e88c0",src="10.0.2.15:42952",dst="222.35.73.1:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="253.802K",tx="1.699K",srtt="155610",duration="78790953"} 0 -connection{sock="0xffff8e01f41b6040",src="10.0.2.15:48326",dst="111.63.67.131:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="47.660K",tx="1.684K",srtt="237300",duration="59936736"} 0 
-connection{sock="0xffff8e0045341180",src="10.0.2.15:54394",dst="106.117.216.35:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="47.881K",tx="1.131K",srtt="483912",duration="1666192"} 0 -connection{sock="0xffff8e01f568cec0",src="10.0.2.15:51150",dst="180.101.49.111:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="5.336K",tx="2.512K",srtt="270717",duration="454676"} 0 -connection{sock="0xffff8e01f41b08c0",src="10.0.2.15:43266",dst="220.181.107.133:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="8.091K",tx="4.658K",srtt="123567",duration="12504692"} 0 -connection{sock="0xffff8e004e8de900",src="10.0.2.15:54346",dst="106.117.216.35:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="178.613K",tx="1.664K",srtt="147239",duration="1688474"} 0 -connection{sock="0xffff8e01a25e2300",src="10.0.2.15:40484",dst="124.237.208.105:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="1.962K",tx="3.946K",srtt="147486",duration="17489749"} 0 -connection{sock="0xffff8e01f41b3d40",src="10.0.2.15:56626",dst="220.181.38.149:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="5.425K",tx="3.822K",srtt="210036",duration="424316"} 0 -connection{sock="0xffff8e0045346900",src="10.0.2.15:34002",dst="106.117.216.36:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="168.626K",tx="1.730K",srtt="337056",duration="1006900"} 0 -connection{sock="0xffff8e0192e52bc0",src="10.0.2.15:55636",dst="222.35.78.38:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="1315",rx="11.827K",tx="1.263K",srtt="163789",duration="3537940"} 0 
-connection{sock="0xffff8e004e8d9180",src="10.0.2.15:51076",dst="111.31.58.198:80",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="965",tx="474",srtt="270694",duration="103410712"} 0 -connection{sock="0xffff8e00a158c600",src="10.0.2.15:51668",dst="34.117.65.55:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="5.079K",tx="822",srtt="893155",duration="60884204"} 0 -connection{sock="0xffff8e01f568e900",src="10.0.2.15:56856",dst="42.81.98.35:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="30.763K",tx="2.456K",srtt="236437",duration="798801"} 0 -connection{sock="0xffff8e004e8df1c0",src="10.0.2.15:51072",dst="111.31.58.198:80",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="965",tx="474",srtt="287125",duration="104925712"} 0 -connection{sock="0xffff8e00a1589180",src="10.0.2.15:49042",dst="111.13.181.106:80",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="986",tx="469",srtt="342931",duration="92006899"} 0 -connection{sock="0xffff8e01a041cec0",src="10.0.2.15:56966",dst="222.35.73.1:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="86.651K",tx="1.245K",srtt="135202",duration="2887178"} 0 -connection{sock="0xffff8e01a25e2bc0",src="10.0.2.15:51680",dst="34.117.65.55:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="5.266K",tx="1.534K",srtt="1229490",duration="1278945"} 0 -connection{sock="0xffff8e01a041a300",src="10.0.2.15:47650",dst="36.99.50.33:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="1311",rx="16.116K",tx="2.263K",srtt="215639",duration="2370784"} 0 
-connection{sock="0xffff8e00a15888c0",src="10.0.2.15:39180",dst="220.181.38.150:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="5.425K",tx="3.211K",srtt="333297",duration="202753"} 0 -connection{sock="0xffff8e01a0419180",src="10.0.2.15:41118",dst="150.138.110.38:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="20.543K",tx="2.415K",srtt="305189",duration="2397742"} 0 -connection{sock="0xffff8e01a25e3480",src="10.0.2.15:59674",dst="111.62.97.212:80",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="6.404K",tx="1.450K",srtt="451761",duration="102406266"} 0 -connection{sock="0xffff8e0045343d40",src="10.0.2.15:56862",dst="42.81.98.35:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="21.781K",tx="2.455K",srtt="410851",duration="1638909"} 0 -connection{sock="0xffff8e0192e54ec0",src="10.0.2.15:51142",dst="180.101.49.111:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="5.548K",tx="4.941K",srtt="126554",duration="1295740"} 0 -connection{sock="0xffff8e01f41b5780",src="10.0.2.15:44480",dst="124.238.241.35:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="45.589K",tx="1.300K",srtt="89625",duration="58938044"} 0 -connection{sock="0xffff8e01a041b480",src="10.0.2.15:54430",dst="36.99.50.36:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="1311",rx="9.661K",tx="2.343K",srtt="121394",duration="2349986"} 0 -connection{sock="0xffff8e01f56888c0",src="10.0.2.15:54374",dst="106.117.216.35:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="191.300K",tx="2.199K",srtt="222509",duration="1896712"} 0 
-connection{sock="0xffff8e00a158bd40",src="10.0.2.15:40510",dst="34.107.221.82:80",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="596",tx="693",srtt="331202",duration="119280303"} 0 -connection{sock="0xffff8e004e8db480",src="10.0.2.15:54360",dst="106.117.216.35:443",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="424.226K",tx="2.197K",srtt="132231",duration="1989461"} 0 -connection{sock="0xffff8e01a041abc0",src="10.0.2.15:40524",dst="34.107.221.82:80",backlog="0",maxbacklog="0",cwnd="10",ssthresh="2147483647",sndbuf="87040",wmem_queued="0",rx="432",tx="697",srtt="419169",duration="118784730"} 0 diff --git a/eBPF_Supermarket/Network_Subsystem/tcp_watch/tcpwatch.bpf.c b/eBPF_Supermarket/Network_Subsystem/tcp_watch/tcpwatch.bpf.c index 983692ff2..eddcc7796 100644 --- a/eBPF_Supermarket/Network_Subsystem/tcp_watch/tcpwatch.bpf.c +++ b/eBPF_Supermarket/Network_Subsystem/tcp_watch/tcpwatch.bpf.c @@ -23,15 +23,17 @@ #include #include #include - -struct ktime_info { // us time stamp info - unsigned long long qdisc_time; // tx包离开mac层时间戳 - unsigned long long mac_time; // tx、rx包到达mac层时间戳 - unsigned long long ip_time; // tx、rx包到达ip层时间戳 - unsigned long long tcp_time; // tx、rx包到达tcp层时间戳 - unsigned long long app_time; // rx包离开tcp层时间戳 - void *sk; // 此包所属 socket - char comm[MAX_COMM]; // 此包所属 command +#include + +struct ktime_info { // us time stamp info + unsigned long long qdisc_time; // tx包离开mac层时间戳 + unsigned long long mac_time; // tx、rx包到达mac层时间戳 + unsigned long long ip_time; // tx、rx包到达ip层时间戳 + unsigned long long tcp_time; // tx、rx包到达tcp层时间戳 + unsigned long long app_time; // rx包离开tcp层时间戳 + void *sk; // 此包所属 socket + char comm[MAX_COMM]; // 此包所属 command + unsigned char data[MAX_HTTP_HEADER]; // 用户层数据 }; static __always_inline void * 
@@ -155,9 +157,9 @@ static void get_pkt_tuple_v6(struct packet_tuple *pkt_tuple, */ SEC("kretprobe/inet_csk_accept") int BPF_KRETPROBE(inet_csk_accept_exit, struct sock *newsk) { - bpf_printk("inet_accept_ret\n"); + // bpf_printk("inet_accept_ret\n"); if (newsk == NULL) { - bpf_printk("inet_accept_ret err: newsk is null\n"); + // bpf_printk("inet_accept_ret err: newsk is null\n"); return 0; } @@ -197,7 +199,7 @@ int BPF_KRETPROBE(inet_csk_accept_exit, struct sock *newsk) { int err = bpf_map_update_elem(&conns_info, &newsk, &conn, BPF_ANY); if (err) { - bpf_printk("inet_accept update err.\n"); + // bpf_printk("inet_accept update err.\n"); return 0; } @@ -212,11 +214,11 @@ int BPF_KRETPROBE(inet_csk_accept_exit, struct sock *newsk) { */ SEC("kprobe/tcp_v4_connect") int BPF_KPROBE(tcp_v4_connect, const struct sock *sk) { - bpf_printk("tcp_v4_connect\n"); + // bpf_printk("tcp_v4_connect\n"); u32 pid = bpf_get_current_pid_tgid(); int err = bpf_map_update_elem(&sock_stores, &pid, &sk, BPF_ANY); if (err) { - bpf_printk("tcp_v4_connect update sock_stores err.\n"); + // bpf_printk("tcp_v4_connect update sock_stores err.\n"); return 0; } return 0; @@ -229,9 +231,9 @@ int BPF_KRETPROBE(tcp_v4_connect_exit, int ret) { if (skp == NULL) { return 0; } - bpf_printk("tcp_v4_connect_exit\n"); + // bpf_printk("tcp_v4_connect_exit\n"); if (ret != 0) { - bpf_printk("tcp_v4_connect_exit but ret %d\n", ret); + // bpf_printk("tcp_v4_connect_exit but ret %d\n", ret); bpf_map_delete_elem(&sock_stores, &pid); return 0; } 
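Review bot: The debug traces in this hunk are silenced by commenting out each `bpf_printk` line rather than deleting it or gating it, and the same pattern repeats through every remaining hunk of tcpwatch.bpf.c up to the dev_hard_start_xmit hunk, while the two new `bpf_printk` calls added in the tcp_sendmsg hunk are the only ones left active. Commented-out code tends to drift out of sync with the surrounding logic and cannot be re-enabled consistently. A single compile-time switch keeps the call sites readable: define once near the includes a `dbg_printk(...)` macro that expands to `bpf_printk(__VA_ARGS__)` only when a debug define is set and to nothing otherwise, and replace each silenced line with `dbg_printk(...)` carrying its original format string. The enclosing function `inet_csk_accept_exit` continues outside this hunk.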
@@ -257,20 +259,20 @@ int BPF_KRETPROBE(tcp_v4_connect_exit, int ret) { long err = bpf_map_update_elem(&conns_info, &sk, &conn, BPF_ANY); if (err) { - bpf_printk("tcp_v4_connect_exit update err.\n"); + // bpf_printk("tcp_v4_connect_exit update err.\n"); return 0; } - bpf_printk("tcp_v4_connect_exit update sk: %p\n", sk); + // bpf_printk("tcp_v4_connect_exit update sk: %p\n", sk); return 0; } SEC("kprobe/tcp_v6_connect") int BPF_KPROBE(tcp_v6_connect, const struct sock *sk) { - bpf_printk("tcp_v6_connect\n"); + // bpf_printk("tcp_v6_connect\n"); u32 pid = bpf_get_current_pid_tgid(); int err = bpf_map_update_elem(&sock_stores, &pid, &sk, BPF_ANY); if (err) { - bpf_printk("tcp_v6_connect update sock_stores err.\n"); + // bpf_printk("tcp_v6_connect update sock_stores err.\n"); return 0; } return 0; @@ -283,9 +285,9 @@ int BPF_KRETPROBE(tcp_v6_connect_exit, int ret) { if (skp == NULL) { return 0; } - bpf_printk("tcp_v6_connect_exit\n"); + // bpf_printk("tcp_v6_connect_exit\n"); if (ret != 0) { - bpf_printk("tcp_v6_connect_exit but return %d\n", ret); + // bpf_printk("tcp_v6_connect_exit but return %d\n", ret); bpf_map_delete_elem(&sock_stores, &pid); return 0; } @@ -316,10 +318,10 @@ int BPF_KRETPROBE(tcp_v6_connect_exit, int ret) { long err = bpf_map_update_elem(&conns_info, &sk, &conn, BPF_ANY); if (err) { - bpf_printk("tcp_v6_connect_exit update err.\n"); + // bpf_printk("tcp_v6_connect_exit update err.\n"); return 0; } - bpf_printk("tcp_v4_connect_exit update sk: %p.\n", sk); + // bpf_printk("tcp_v4_connect_exit update sk: %p.\n", sk); return 0; } 
@@ -375,7 +377,7 @@ SEC("kprobe/eth_type_trans") int BPF_KPROBE(eth_type_trans, struct sk_buff *skb) { const struct ethhdr *eth = (struct ethhdr *)BPF_CORE_READ(skb, data); u16 protocol = BPF_CORE_READ(eth, h_proto); - bpf_printk("protocol: %d\n", __bpf_ntohs(protocol)); + // bpf_printk("protocol: %d\n", __bpf_ntohs(protocol)); if (protocol == __bpf_htons(ETH_P_IP)) { // Protocol is IP struct iphdr *ip = (struct iphdr *)(BPF_CORE_READ(skb, data) + 14); struct tcphdr *tcp = (struct tcphdr *)(BPF_CORE_READ(skb, data) + @@ -391,11 +393,11 @@ int BPF_KPROBE(eth_type_trans, struct sk_buff *skb) { tinfo = (struct ktime_info *)bpf_map_lookup_or_try_init( ×tamps, &pkt_tuple, &zero); if (tinfo == NULL) { - bpf_printk("v4 rx tinfo init fail.\n"); + // bpf_printk("v4 rx tinfo init fail.\n"); return 0; } tinfo->mac_time = bpf_ktime_get_ns() / 1000; - bpf_printk("v4 rx init.\n"); + // bpf_printk("v4 rx init.\n"); } else if (protocol == __bpf_htons(ETH_P_IPV6)) { // Protocol is IPV6 struct ipv6hdr *ip6h = (struct ipv6hdr *)(BPF_CORE_READ(skb, data) + 14); @@ -412,11 +414,11 @@ int BPF_KPROBE(eth_type_trans, struct sk_buff *skb) { tinfo = (struct ktime_info *)bpf_map_lookup_or_try_init( ×tamps, &pkt_tuple, &zero); if (tinfo == NULL) { - bpf_printk("v6 rx tinfo init fail.\n"); + // bpf_printk("v6 rx tinfo init fail.\n"); return 0; } tinfo->mac_time = bpf_ktime_get_ns() / 1000; - bpf_printk("v6 rx init.\n"); + // bpf_printk("v6 rx init.\n"); } return 0; } @@ -441,7 +443,7 @@ int BPF_KPROBE(ip_rcv_core, struct sk_buff *skb) { return 0; } tinfo->ip_time = bpf_ktime_get_ns() / 1000; - bpf_printk("rx enter ipv4 layer.\n"); + // bpf_printk("rx enter ipv4 layer.\n"); return 0; } @@ -465,7 +467,7 @@ int BPF_KPROBE(ip6_rcv_core, struct sk_buff *skb) { return 0; } tinfo->ip_time = bpf_ktime_get_ns() / 1000; - bpf_printk("rx enter ipv6 layer.\n"); + // bpf_printk("rx enter ipv6 layer.\n"); return 0; } 
@@ -489,7 +491,7 @@ int BPF_KPROBE(tcp_v4_rcv, struct sk_buff *skb) { return 0; } tinfo->tcp_time = bpf_ktime_get_ns() / 1000; - bpf_printk("rx enter tcp4 layer.\n"); + // bpf_printk("rx enter tcp4 layer.\n"); return 0; } @@ -513,7 +515,7 @@ int BPF_KPROBE(tcp_v6_rcv, struct sk_buff *skb) { return 0; } tinfo->tcp_time = bpf_ktime_get_ns() / 1000; - bpf_printk("rx enter tcp6 layer.\n"); + // bpf_printk("rx enter tcp6 layer.\n"); return 0; } @@ -525,7 +527,8 @@ int BPF_KPROBE(tcp_v4_do_rcv, struct sock *sk, struct sk_buff *skb) { return 0; struct conn_t *conn = bpf_map_lookup_elem(&conns_info, &sk); if (conn == NULL) { - bpf_printk("get a v4 rx pack but conn not record, its sock is: %p", sk); + // bpf_printk("get a v4 rx pack but conn not record, its sock is: %p", + // sk); return 0; } struct iphdr *ip = skb_to_iphdr(skb); @@ -543,8 +546,8 @@ int BPF_KPROBE(tcp_v4_do_rcv, struct sock *sk, struct sk_buff *skb) { for (int i = 0; i < MAX_COMM; ++i) { tinfo->comm[i] = conn->comm[i]; } - bpf_printk("rx enter tcp4_do_rcv, sk: %p \n", sk); - // conn info update + // bpf_printk("rx enter tcp4_do_rcv, sk: %p \n", sk); + // conn info update struct tcp_sock *tp = (struct tcp_sock *)sk; conn->srtt = BPF_CORE_READ(tp, srtt_us); conn->duration = bpf_ktime_get_ns() / 1000 - conn->init_timestamp; @@ -562,10 +565,11 @@ SEC("kprobe/tcp_v6_do_rcv") int BPF_KPROBE(tcp_v6_do_rcv, struct sock *sk, struct sk_buff *skb) { if (sk == NULL || skb == NULL) return 0; - bpf_printk("rx enter tcp6_do_rcv. \n"); + // bpf_printk("rx enter tcp6_do_rcv. \n"); struct conn_t *conn = bpf_map_lookup_elem(&conns_info, &sk); if (conn == NULL) { - bpf_printk("get a v6 rx pack but conn not record, its sock is: %p", sk); + // bpf_printk("get a v6 rx pack but conn not record, its sock is: %p", + // sk); return 0; } 
@@ -584,7 +588,7 @@ int BPF_KPROBE(tcp_v6_do_rcv, struct sock *sk, struct sk_buff *skb) { for (int i = 0; i < MAX_COMM; ++i) { tinfo->comm[i] = conn->comm[i]; } - bpf_printk("rx enter tcp6_do_rcv, sk: %p \n", sk); + // bpf_printk("rx enter tcp6_do_rcv, sk: %p \n", sk); /*----- update conn info ------*/ struct tcp_sock *tp = (struct tcp_sock *)sk; conn->srtt = BPF_CORE_READ(tp, srtt_us); @@ -648,13 +652,13 @@ int BPF_KPROBE(skb_copy_datagram_iter, struct sk_buff *skb) { if (sk == NULL) { return 0; } - bpf_printk("rx enter app layer.\n"); + // bpf_printk("rx enter app layer.\n"); struct pack_t *packet; packet = bpf_ringbuf_reserve(&rb, sizeof(*packet), 0); if (!packet) { return 0; } - bpf_printk("rx packet sk: %p\n", sk); + // bpf_printk("rx packet sk: %p\n", sk); for (int i = 0; i < MAX_COMM; ++i) { packet->comm[i] = tinfo->comm[i]; } @@ -666,6 +670,10 @@ int BPF_KPROBE(skb_copy_datagram_iter, struct sk_buff *skb) { packet->ip_time = tinfo->tcp_time - tinfo->ip_time; packet->tcp_time = tinfo->app_time - tinfo->tcp_time; packet->rx = 1; + int doff = BPF_CORE_READ_BITFIELD_PROBED(tcp, doff); // 得用bitfield_probed + unsigned char *user_data = + (unsigned char *)((unsigned char *)tcp + (doff * 4)); + bpf_probe_read_str(packet->data, sizeof(packet->data), user_data); bpf_ringbuf_submit(packet, 0); return 0; } @@ -694,11 +702,11 @@ int BPF_KPROBE(tcp_validate_incoming, struct sock *sk, struct sk_buff *skb) { receive_window = 0; if (end_seq >= rcv_wup && rcv_nxt + receive_window >= start_seq) { - bpf_printk("error_identify: tcp seq validated. \n"); + // bpf_printk("error_identify: tcp seq validated. \n"); return 0; } - bpf_printk("error_identify: tcp seq err. \n"); - // invalid seq + // bpf_printk("error_identify: tcp seq err. \n"); + // invalid seq u16 family = BPF_CORE_READ(sk, __sk_common.skc_family); struct packet_tuple pkt_tuple = {}; if (family == AF_INET) { 
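Review bot: In the skb_copy_datagram_iter hunk the payload pointer `(unsigned char *)tcp + (doff * 4)` is used without validating `doff`: a header-length field below 5 (a malformed segment) or one larger than the skb's linear data makes `bpf_probe_read_str` copy bytes that are not payload, and because memory returned by `bpf_ringbuf_reserve` is not zeroed, any path that skips the copy would leave `packet->data` unterminated for the `strstr` the user-space side runs on it. The source here is kernel memory, so `bpf_probe_read_kernel_str` states the intent more precisely than the legacy generic helper. `tcp` and the start of the function are outside the hunk, so I assume it is the tcphdr pointer derived earlier in the body. Note also that these bytes are application payload (for clear-text HTTP, headers that can carry cookies or authorization values) now exported to user space and printed; the tool's documentation should state that.
```c
    packet->rx = 1;
    int doff = BPF_CORE_READ_BITFIELD_PROBED(tcp, doff);
    packet->data[0] = '\0'; /* ringbuf memory is not zeroed; keep it a valid string */
    if (doff >= 5) {
        bpf_probe_read_kernel_str(packet->data, sizeof(packet->data),
                                  (unsigned char *)tcp + doff * 4);
    }
    // … unchanged: bpf_ringbuf_submit(packet, 0); return 0; …
```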
@@ -735,10 +743,10 @@ int BPF_KRETPROBE(__skb_checksum_complete_exit, int ret) { return 0; } if (ret == 0) { - bpf_printk("error_identify: tcp checksum validated. \n"); + // bpf_printk("error_identify: tcp checksum validated. \n"); return 0; } - bpf_printk("error_identify: tcp checksum error. \n"); + // bpf_printk("error_identify: tcp checksum error. \n"); struct sock *sk = *skp; struct conn_t *conn = bpf_map_lookup_elem(&conns_info, &sk); if (conn == NULL) { @@ -843,6 +851,15 @@ int BPF_KPROBE(tcp_sendmsg, struct sock *sk, struct msghdr *msg, size_t size) { conn->sk_wmem_queued = BPF_CORE_READ(sk, sk_wmem_queued); conn->tcp_backlog = BPF_CORE_READ(sk, sk_ack_backlog); conn->max_tcp_backlog = BPF_CORE_READ(sk, sk_max_ack_backlog); + unsigned char *user_data = BPF_CORE_READ(msg, msg_iter.iov, iov_base); + tinfo = (struct ktime_info *)bpf_map_lookup_or_try_init(×tamps, + &pkt_tuple, &zero); + if (tinfo == NULL) { + return 0; + } + bpf_printk("kernel data: %s", user_data); + bpf_probe_read_str(tinfo->data, sizeof(tinfo->data), user_data); + bpf_printk("tinfo data: %s", tinfo->data); return 0; } @@ -854,9 +871,10 @@ tcp)获取ip段的数据 out only ipv4 SEC("kprobe/ip_queue_xmit") int BPF_KPROBE(ip_queue_xmit, struct sock *sk, struct sk_buff *skb) { u16 family = BPF_CORE_READ(sk, __sk_common.skc_family); + struct packet_tuple pkt_tuple = {}; + struct ktime_info *tinfo; + struct tcphdr *tcp = skb_to_tcphdr(skb); if (family == AF_INET) { - struct packet_tuple pkt_tuple = {}; - struct tcphdr *tcp = skb_to_tcphdr(skb); u16 dport; u32 seq, ack; pkt_tuple.saddr = BPF_CORE_READ(sk, __sk_common.skc_rcv_saddr); @@ -872,7 +890,6 @@ int BPF_KPROBE(ip_queue_xmit, struct sock *sk, struct sk_buff *skb) { // FILTER_DPORT // FILTER_SPORT - struct ktime_info *tinfo; if ((tinfo = bpf_map_lookup_elem(×tamps, &pkt_tuple)) == NULL) { return 0; } 
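Review bot: In the tcp_sendmsg hunk, `user_data` is the `iov_base` taken from the caller's msghdr, i.e. a user-space address, yet it is read with the generic `bpf_probe_read_str` and dereferenced by `bpf_printk("kernel data: %s", user_data)`; whether either works on a user pointer depends on kernel version and arch, so the explicit `bpf_probe_read_user_str(tinfo->data, sizeof(tinfo->data), user_data);` is the portable form. The two `bpf_printk` calls here are also the only traces this commit leaves enabled, and they write sent application bytes (possibly credentials in clear-text HTTP) to the trace buffer on every sendmsg; drop them or put them behind the same debug switch as the silenced calls. The `msg_iter.iov` read presumably assumes an iovec-backed iterator; kernels that store a single user buffer in `iov_iter` differently may not resolve this CO-RE access, which deserves a comment on that line. The start of `tcp_sendmsg` and the definitions of `pkt_tuple` and `zero` are outside the hunk.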
@@ -889,9 +906,10 @@ tcp)获取ip段的数据 out only ipv6 SEC("kprobe/inet6_csk_xmit") int BPF_KPROBE(inet6_csk_xmit, struct sock *sk, struct sk_buff *skb) { u16 family = BPF_CORE_READ(sk, __sk_common.skc_family); + struct tcphdr *tcp = skb_to_tcphdr(skb); + struct packet_tuple pkt_tuple = {}; + struct ktime_info *tinfo; if (family == AF_INET6) { - struct packet_tuple pkt_tuple = {}; - struct tcphdr *tcp = skb_to_tcphdr(skb); u16 dport; u32 seq, ack; @@ -916,13 +934,11 @@ int BPF_KPROBE(inet6_csk_xmit, struct sock *sk, struct sk_buff *skb) { // FILTER_DPORT // FILTER_SPORT - struct ktime_info *tinfo; if ((tinfo = bpf_map_lookup_elem(×tamps, &pkt_tuple)) == NULL) { return 0; } tinfo->ip_time = bpf_ktime_get_ns() / 1000; } - return 0; }; @@ -962,7 +978,6 @@ int BPF_KPROBE(__dev_queue_xmit, struct sk_buff *skb) { } tinfo->mac_time = bpf_ktime_get_ns() / 1000; } - return 0; }; @@ -1020,7 +1035,7 @@ int BPF_KPROBE(dev_hard_start_xmit, struct sk_buff *skb) { for (int i = 0; i < MAX_COMM; ++i) { packet->comm[i] = tinfo->comm[i]; } - bpf_printk("tx packet sk: %p\n", sk); + // bpf_printk("tx packet sk: %p\n", sk); packet->err = 0; packet->sock = sk; packet->ack = pkt_tuple.ack; @@ -1029,6 +1044,8 @@ int BPF_KPROBE(dev_hard_start_xmit, struct sk_buff *skb) { packet->ip_time = tinfo->mac_time - tinfo->ip_time; packet->mac_time = tinfo->qdisc_time - tinfo->mac_time; packet->rx = 0; + bpf_probe_read_str(packet->data, sizeof(packet->data), tinfo->data); + // 此时skb为非线性 不能直接用RX同样的方式读取 bpf_ringbuf_submit(packet, 0); return 0; diff --git a/eBPF_Supermarket/Network_Subsystem/tcp_watch/tcpwatch.c b/eBPF_Supermarket/Network_Subsystem/tcp_watch/tcpwatch.c index a59061935..326c17764 100644 --- a/eBPF_Supermarket/Network_Subsystem/tcp_watch/tcpwatch.c +++ b/eBPF_Supermarket/Network_Subsystem/tcp_watch/tcpwatch.c @@ -27,6 +27,7 @@ #include #include #include +#include #include static volatile bool exiting = false; 
@@ -157,6 +158,9 @@ static int print_packet(void *ctx, void *packet_info, size_t size) { pack_info->sock, pack_info->comm, pack_info->seq, pack_info->ack, pack_info->mac_time, pack_info->ip_time, pack_info->tcp_time, pack_info->rx); + if (strstr((char *)pack_info->data, "HTTP/1")) { + printf("%s\n", pack_info->data); + } } return 0; } diff --git a/eBPF_Supermarket/Network_Subsystem/tcp_watch/tcpwatch.h b/eBPF_Supermarket/Network_Subsystem/tcp_watch/tcpwatch.h index da1c15ee8..38b8259ea 100644 --- a/eBPF_Supermarket/Network_Subsystem/tcp_watch/tcpwatch.h +++ b/eBPF_Supermarket/Network_Subsystem/tcp_watch/tcpwatch.h @@ -61,6 +61,7 @@ struct conn_t { }; #define MAX_PACKET 1000 +#define MAX_HTTP_HEADER 256 struct packet_tuple { unsigned __int128 saddr_v6; @@ -81,8 +82,9 @@ struct pack_t { unsigned int seq; // the seq num of packet unsigned int ack; // the ack num of packet char comm[MAX_COMM]; // 此包tcp连接的 command - const void *sock; // 此包tcp连接的 socket 指针 - int rx; // rx packet(1) or tx packet(0) + unsigned char data[MAX_HTTP_HEADER]; // 用户层数据 + const void *sock; // 此包tcp连接的 socket 指针 + int rx; // rx packet(1) or tx packet(0) }; #endif /* __TCPWATCH_H */ \ No newline at end of file
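Review bot: In print_packet, `printf("%s\n", pack_info->data)` writes bytes received from the network peer straight to the terminal; an HTTP header can contain control characters or escape sequences, and both `strstr` and `printf` rely on the BPF helper having NUL-terminated the 256-byte buffer. Emitting only printable ASCII inside an explicit bound removes the terminal-injection path and no longer depends on that termination. The name of the `#include` added to this file is not visible in this rendering; the loop below needs `<ctype.h>`. The beginning of print_packet is outside the hunk.
```c
    if (strstr((char *)pack_info->data, "HTTP/1")) {
        /* payload came off the wire: print only printable ASCII so a peer
         * cannot push terminal control sequences into the console */
        for (size_t i = 0; i < sizeof(pack_info->data) && pack_info->data[i]; i++) {
            unsigned char c = pack_info->data[i];
            putchar((isprint(c) || c == '\n') ? c : '.');
        }
        putchar('\n');
    }
```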