
feat(sight): add tcpsniff probe for plain HTTP traffic capture #587

Merged: chengshuyi merged 5 commits into alibaba:main from Daydreamer-Li:feat/sight/mem_opt on May 22, 2026
Conversation

Collaborator

@Daydreamer-Li Daydreamer-Li commented May 21, 2026

Description

Add tcpsniff eBPF probe for capturing plain HTTP traffic, enabling observation of unencrypted HTTP requests/responses for LLM API calls that don't use TLS (e.g., local proxies, internal services).

Related Issue

closes #588

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update
  • Refactoring
  • Performance improvement
  • CI/CD or build changes

Scope

  • sight (agentsight)

Checklist

  • I have read the Contributing Guide
  • My code follows the project's code style
  • I have added tests that prove my fix is effective or that my feature works
  • I have updated the documentation accordingly
  • For sight: cargo clippy -- -D warnings and cargo fmt --check pass
  • Lock files are up to date (Cargo.lock)

Testing

Tested tcpsniff probe attachment and plain HTTP traffic capture manually on alinux3 with kernel 5.10+.

Additional Notes

This probe complements the existing SSL probe by capturing unencrypted HTTP traffic for complete LLM API observability.

@Daydreamer-Li Daydreamer-Li requested a review from chengshuyi as a code owner May 21, 2026 06:23
@Daydreamer-Li Daydreamer-Li requested a review from samchu-zsl May 21, 2026 06:23
@github-actions github-actions Bot added the component:sight src/agentsight/ label May 21, 2026
Comment thread on src/agentsight/src/bin/cli/trace.rs (outdated):
/// Useful when the agent routes through a local gateway (e.g. Higress) via HTTP.
#[structopt(long, use_delimiter = true)]
pub tcp_ports: Vec<u16>,

Collaborator


There is no need to specify a port; I suggest filtering through the existing domain_rules instead.

chengshuyi previously approved these changes May 22, 2026
Add eBPF-based TCP traffic capture (fentry/fexit on tcp_sendmsg and
tcp_recvmsg) to observe plain-text HTTP calls routed through local
gateways like Higress on configurable ports (default: 8080).

Key design decisions:
- Reuses probe_SSL_data_t event format so the entire downstream pipeline
  (parser, aggregator, analyzer, GenAI, storage) works unchanged.
- Handles writev scatter-gather: concatenates iov[0] (headers) + iov[1]
  (body) into a single event buffer for correct request parsing.
- CO-RE compatibility for iov_iter field renames (iov vs __iov) and
  ITER_UBUF (kernel 6.0+) vs ITER_IOVEC.
- Multi-kernel support (5.8+): compiles two fexit variants for
  tcp_recvmsg signature change (nonblock param removed in 5.18);
  userspace auto-detects via load-and-fallback at runtime.
- Stashes user_buf pointer at fentry to avoid reading advanced iov_iter
  at fexit (kernel advances ubuf pointer during tcp_recvmsg).

Signed-off-by: liyuqing <liyuqing@alibaba-inc.com>
…ff IP/port filtering

1. tcpsniff: replace port-only filtering with flexible IP/port/IP+port
   target configuration via BPF composite key map. Remove PID filtering
   from BPF layer — tcpsniff now captures all TCP to configured targets,
   relying on userspace for LLM call identification.

2. User-Agent fallback: when cmdline-based agent detection fails, fall
   back to matching HTTP User-Agent header against configurable glob
   rules in agentsight.json. Detected agent names are cached in
   pid_agent_name_cache and backfilled into TokenRecord.agent.

3. AuditRecord token fix: reorder audit extraction after token resolution
   so AuditRecord gets real token counts instead of hardcoded zeros.

Signed-off-by: liyuqing <liyuqing@alibaba-inc.com>
…nstead of User-Agent matching

Replace the User-Agent header matching logic with a simpler approach:
use the process comm name as the agent name fallback when cmdline
matching and pid_agent_name_cache both fail. This is more reliable
for tcpsniff scenarios where PID info may be unreliable.

Signed-off-by: liyuqing <liyuqing@alibaba-inc.com>
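The three commit messages above describe the userspace-visible design points of the probe: joining iov[0] (headers) and iov[1] (body) of a writev() into one bounded event buffer, selecting traffic by IP, port or IP+port target rules, and resolving the agent name by cmdline match, then the pid cache, then the process comm name. The program below is an added illustration written for this page, not code from the agentsight project or this PR. It models those decisions in plain Rust with no eBPF: the event cap (MAX_EVENT_DATA = 256), the sample request and the function names (coalesce_iov, parse_http_request, target_matches, resolve_agent_name) are all constructed for the example.

```rust
use std::net::Ipv4Addr;

/// Upper bound on bytes one capture event carries (constructed value; the
/// probe's real buffer size is not stated in the PR).
pub const MAX_EVENT_DATA: usize = 256;

/// Join iov[0] (headers) and iov[1] (body) of a writev() call into one
/// bounded event buffer. Returns the buffer and whether it was truncated.
pub fn coalesce_iov(iov: &[&[u8]], cap: usize) -> (Vec<u8>, bool) {
    let mut buf = Vec::with_capacity(cap);
    let mut truncated = false;
    // Only the first two segments are joined, as the commit describes.
    for seg in iov.iter().take(2) {
        let room = cap - buf.len();
        if seg.len() > room {
            buf.extend_from_slice(&seg[..room]);
            truncated = true;
            break;
        }
        buf.extend_from_slice(seg);
    }
    (buf, truncated)
}

/// Minimal HTTP/1.1 request view extracted from a captured buffer.
#[derive(Debug, PartialEq)]
pub struct HttpRequest {
    pub method: String,
    pub path: String,
    pub content_length: Option<usize>,
    pub body_len: usize,
}

/// Parse the request line, the Content-Length header and the body after the
/// blank line. Returns None when the buffer is not an HTTP request (e.g. a
/// TLS record), which is how a consumer can tell plain HTTP from noise.
pub fn parse_http_request(buf: &[u8]) -> Option<HttpRequest> {
    let text = std::str::from_utf8(buf).ok()?;
    let (head, body) = match text.find("\r\n\r\n") {
        Some(i) => (&text[..i], &text[i + 4..]),
        None => (text, ""),
    };
    let mut lines = head.split("\r\n");
    let mut req = lines.next()?.split(' ');
    let method = req.next()?.to_string();
    let path = req.next()?.to_string();
    if !req.next()?.starts_with("HTTP/") {
        return None;
    }
    let mut content_length: Option<usize> = None;
    for line in lines {
        if let Some((name, value)) = line.split_once(':') {
            if name.eq_ignore_ascii_case("content-length") {
                content_length = value.trim().parse().ok();
            }
        }
    }
    Some(HttpRequest { method, path, content_length, body_len: body.len() })
}

/// Target rules mirroring the three key shapes of the composite-key map:
/// IP only, port only, IP+port.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Target {
    Ip(Ipv4Addr),
    Port(u16),
    IpPort(Ipv4Addr, u16),
}

/// True if a connection to (ip, port) is selected by any configured target.
pub fn target_matches(targets: &[Target], ip: Ipv4Addr, port: u16) -> bool {
    targets.iter().any(|t| match *t {
        Target::IpPort(a, p) => a == ip && p == port,
        Target::Ip(a) => a == ip,
        Target::Port(p) => p == port,
    })
}

/// Agent-name resolution order from the third commit: cmdline match first,
/// then the pid cache, then the process comm name as the final fallback.
pub fn resolve_agent_name(cmdline_match: Option<&str>, cached: Option<&str>, comm: &str) -> String {
    cmdline_match.or(cached).unwrap_or(comm).to_string()
}

/// Constructed writev() segments: headers in iov[0], JSON body in iov[1].
pub const IOV0: &[u8] = b"POST /v1/chat/completions HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nContent-Length: 27\r\n\r\n";
pub const IOV1: &[u8] = b"{\"model\":\"x\",\"messages\":[]}";

fn main() {
    let (buf, truncated) = coalesce_iov(&[IOV0, IOV1], MAX_EVENT_DATA);
    let req = parse_http_request(&buf).expect("captured buffer is HTTP");
    println!("{} {} body {}/{:?} truncated={}", req.method, req.path, req.body_len, req.content_length, truncated);
    let targets = [Target::Port(8080), Target::Ip(Ipv4Addr::new(10, 0, 0, 5))];
    println!("127.0.0.1:8080 selected: {}", target_matches(&targets, Ipv4Addr::new(127, 0, 0, 1), 8080));
}
```

Parsing iov[0] on its own yields a request whose body_len is 0 while Content-Length says 27, which is why the probe joins both segments before emitting the event; with a cap smaller than the request the body arrives truncated, so a consumer should compare body_len with Content-Length before trusting the JSON it extracts.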
Signed-off-by: liyuqing <liyuqing@alibaba-inc.com>
Signed-off-by: liyuqing <liyuqing@alibaba-inc.com>
@chengshuyi chengshuyi merged commit 0edca07 into alibaba:main May 22, 2026
11 checks passed
Successfully merging this pull request may close these issues.

[sight] feat: add tcpsniff probe for plain HTTP traffic capture

2 participants