fix(capture): restore absolute time in pcap frames

Use the normal process events step in the pipeline for the network capture buffer pipeline as well. This fixes the issue that the conversion of the monotonic time to absolute time moved from the decode step to the process step, leaving the network capture events timestamp monotonic.
aquasecurity · Jan 11, 2024 · 1763cd4 · 1763cd4
1 parent c6d88a0
commit 1763cd4
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 14 deletions.
diff --git a/pkg/ebpf/capture.go b/pkg/ebpf/capture.go
@@ -15,9 +15,9 @@ import (
 	"github.com/aquasecurity/tracee/pkg/utils"
 )
 
-func (t *Tracee) processFileCaptures(ctx context.Context) {
-	logger.Debugw("Starting processFileCaptures go routine")
-	defer logger.Debugw("Stopped processFileCaptures go routine")
+func (t *Tracee) handleFileCaptures(ctx context.Context) {
+	logger.Debugw("Starting handleFileCaptures go routine")
+	defer logger.Debugw("Stopped handleFileCaptures go routine")
 
 	const (
 		// stat_S_IFMT uint32 = 0170000 // bit mask for the file type bit field

diff --git a/pkg/ebpf/net_capture.go b/pkg/ebpf/net_capture.go
@@ -29,9 +29,9 @@ const (
 	familyIpv6
 )
 
-func (t *Tracee) processNetCaptureEvents(ctx context.Context) {
-	logger.Debugw("Starting processNetCaptureEvents goroutine")
-	defer logger.Debugw("Stopped processNetCaptureEvents goroutine")
+func (t *Tracee) handleNetCaptureEvents(ctx context.Context) {
+	logger.Debugw("Starting handleNetCaptureEvents goroutine")
+	defer logger.Debugw("Stopped handleNetCaptureEvents goroutine")
 
 	var errChanList []<-chan error
 
@@ -58,15 +58,18 @@ func (t *Tracee) processNetCapEvents(ctx context.Context, in <-chan *trace.Event
 		for {
 			select {
 			case event := <-in:
+				// Go through event processors if needed
+				errs := t.processEvent(event)
+				if len(errs) > 0 {
+					for _, err := range errs {
+						t.handleError(err)
+					}
+					t.eventsPool.Put(event)
+					continue
+				}
 				t.processNetCapEvent(event)
 				_ = t.stats.NetCapCount.Increment()
 
-			case lost := <-t.lostNetCapChannel:
-				if err := t.stats.LostNtCapCount.Increment(lost); err != nil {
-					logger.Errorw("Incrementing lost network events count", "error", err)
-				}
-				logger.Warnw(fmt.Sprintf("Lost %d network capture events", lost))
-
 			case <-ctx.Done():
 				return
 			}
@@ -76,6 +79,32 @@ func (t *Tracee) processNetCapEvents(ctx context.Context, in <-chan *trace.Event
 	return errc
 }
 
+func (t *Tracee) processLostNetCapEvents() {
+	logger.Debugw("Starting processLostNetCapEvents goroutine")
+	defer logger.Debugw("Stopped processLostNetCapEvents goroutine")
+
+	// Since this is an end-stage goroutine, it should be terminated when:
+	// - lostNetCapChannel is closed, or finally when;
+	// - internal done channel is closed (not ctx).
+	for {
+		select {
+		case lost, ok := <-t.lostNetCapChannel:
+			if !ok {
+				return // lostEvChannel is closed, lost is zero value
+			}
+
+			if err := t.stats.LostNtCapCount.Increment(lost); err != nil {
+				logger.Errorw("Incrementing lost network events count", "error", err)
+			}
+			logger.Warnw(fmt.Sprintf("Lost %d network capture events", lost))
+
+		// internal done channel is closed when Tracee is stopped via Tracee.Close()
+		case <-t.done:
+			return
+		}
+	}
+}
+
 // processNetCapEvent processes network packets meant to be captured.
 //
 // TODO: usually networking parsing functions are big, still, this might need

diff --git a/pkg/ebpf/tracee.go b/pkg/ebpf/tracee.go
@@ -1440,14 +1440,15 @@ func (t *Tracee) Run(ctx gocontext.Context) error {
 
 	if t.config.BlobPerfBufferSize > 0 {
 		t.fileWrPerfMap.Poll(pollTimeout)
-		go t.processFileCaptures(ctx)
+		go t.handleFileCaptures(ctx)
 	}
 
 	// Network capture perf buffer (similar to regular pipeline)
 
 	if pcaps.PcapsEnabled(t.config.Capture.Net) {
 		t.netCapPerfMap.Poll(pollTimeout)
-		go t.processNetCaptureEvents(ctx)
+		go t.processLostNetCapEvents()
+		go t.handleNetCaptureEvents(ctx)
 	}
 
 	// Logging perf buffer