RFC: Add skboutput function #1272
I like it. It is a useful thing to have and easier than digging into a skb straight away. Being able to do
Does libpcap handle changes to
so there's skboutput bpf kernel helper that gets you skb data and store it to perf map/buffer, the pcap writer on the user space side is quite basic at the moment, but I've got few pointers where to get some examples of how to make it better and more robust
Hi Jiri, Is there any progress on this RFC? I feel this feature is useful for networking debug. And it could be used on my bpftrace version of dropwatch. Thanks
heya, also it'd be great if you paste in here some of your usage examples so I have some case when asking for the kernel change thanks,
@olsajiri, thanks for your work. I will clone the code and try it first. After that, I will paste my testing script here.
Basically, I would use this feature for bpftrace version of dropwatch. The current version only implements the dropwatch feature. But for bpftrace version of dwdump, the And an example use case looks like
Detect pcap development libraries and set LIBPCAP_FOUND if the library is detected. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
a279d76 to dd6a1d4
Adding PCAPwriter class as a wrapper to write tcpdump output files. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Adding skb_output check to features and display its state in --info output. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Adding skboutput function that allows to dump 'struct sk_buff' object to the tcpdump output file, like:

  # bpftrace -e 'kfunc:napi_gro_receive { skboutput("krava.pcap", args->skb, 1500); }'
  ...
  # tcpdump -n -r ./krava.pcap | head -3
  reading from file ./krava.pcap, link-type RAW (Raw IP)
  dropped privs to tcpdump
  19:24:36.665948 IP 10.40.195.119.57218 > 10.37.152.221.ssh: Flags [.], ack 576407458, win 502, options [nop,nop,TS val 697277009 ecr 2101346304], length 0
  19:24:36.679313 IP 10.40.195.119.57218 > 10.37.152.221.ssh: Flags [.], ack 53, win 502, options [nop,nop,TS val 697277022 ecr 2101346304], length 0
  19:24:36.692242 IP 10.40.195.119.57218 > 10.37.152.221.ssh: Flags [.], ack 105, win 502, options [nop,nop,TS val 697277035 ecr 2101346304], length 0

the function has following syntax:

  skboutput(file, skb, caplen)

it will store packet from 'skb' object to tcpdump 'file' and limit the size by 'caplen'

Signed-off-by: Jiri Olsa <jolsa@kernel.org>
@@ -1077,6 +1077,39 @@ void CodegenLLVM::visit(Call &call) | |||
b_.CreateLifetimeEnd(buf); | |||
expr_ = nullptr; | |||
} | |||
else if (call.func == "skboutput") | |||
{ | |||
std::vector<llvm::Type *> elements = { |
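Review bot: the event layout that starts at `std::vector<llvm::Type *> elements = {` in the new `skboutput` branch is built inline in `CodegenLLVM::visit(Call &call)`, and the lines shown carry no comment naming its fields or the user-space reader that has to match it. Since the data goes out through a perf buffer and is decoded by offset on the other side, please document the field order and sizes next to the vector, or define the layout once in a header both sides include, so the two cannot drift apart.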
we keep these in src/ast/async_event_types.h so they're all defined in one place
@olsajiri Hi Jiri, are you still working on this feature? It seems very helpful for digging network issues. If you use
@xh4n3 great, feel free to rebase/fix/push it ;-) I dropped that because I thought there's no interest in this,
heya,
please take as RFC, it's by no means final code ;-)
I just need to hear some feedback on whether you guys think this is useful
I tried to put together something we discussed with Arnaldo and Jiri Benc
on LPC - storing skb_buff via bpf helper from any probe with 'skb' argument
the new bpftrace function has following syntax:
skboutput(file, skb, caplen)
it will store packet from 'skb' object to tcpdump 'file' and limit the size by 'caplen', for example:
you can use skboutput function from multiple places/probes with different files
it seems useful for debugging network stuff, but what do I know..? ;-)
I haven't got too much positive feedback yet to continue on with this
thanks for any thoughts on this
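
An added example, not code from this PR or from bpftrace: what a tcpdump file with link-type RAW and a 'caplen' limit looks like on disk, with a reader that bounds-checks each record before trusting its length. It writes the classic pcap layout by hand instead of going through libpcap, and the names pcap_begin, pcap_append and pcap_count are made up for illustration.

```cpp
// Added example, not bpftrace's PCAPwriter: classic pcap layout, written little-endian.
#include <algorithm>
#include <cstdint>
#include <vector>
using Bytes = std::vector<uint8_t>;
constexpr uint32_t PCAP_MAGIC = 0xa1b2c3d4;  // classic pcap, microsecond timestamps
constexpr uint32_t LINKTYPE_RAW = 101;       // each packet starts at the IP header
static void put16(Bytes &b, uint16_t v) { b.push_back(v & 0xff); b.push_back(v >> 8); }
static void put32(Bytes &b, uint32_t v) { put16(b, v & 0xffff); put16(b, v >> 16); }
static uint32_t get32(const Bytes &b, size_t o) {
  return b[o] | b[o + 1] << 8 | b[o + 2] << 16 | uint32_t(b[o + 3]) << 24;
}

// 24-byte file header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype.
Bytes pcap_begin(uint32_t snaplen) {
  Bytes f;
  put32(f, PCAP_MAGIC); put16(f, 2); put16(f, 4);
  put32(f, 0); put32(f, 0); put32(f, snaplen); put32(f, LINKTYPE_RAW);
  return f;
}

// 16-byte record header, then at most caplen bytes; orig_len keeps the real length.
void pcap_append(Bytes &f, uint32_t sec, uint32_t usec,
                 const uint8_t *pkt, uint32_t len, uint32_t caplen) {
  uint32_t incl = std::min(len, caplen);
  put32(f, sec); put32(f, usec); put32(f, incl); put32(f, len);
  f.insert(f.end(), pkt, pkt + incl);
}

// Returns the record count, or -1 if incl_len exceeds snaplen or the bytes left.
int pcap_count(const Bytes &f) {
  if (f.size() < 24 || get32(f, 0) != PCAP_MAGIC || get32(f, 20) != LINKTYPE_RAW) return -1;
  uint32_t snaplen = get32(f, 16);
  int n = 0;
  for (size_t off = 24; off < f.size(); ++n) {
    if (f.size() - off < 16) return -1;           // truncated record header
    uint32_t incl = get32(f, off + 8);
    if (incl > snaplen || incl > f.size() - off - 16) return -1;
    off += 16 + incl;
  }
  return n;
}

int main() {
  uint8_t pkt[60] = {0x45};  // constructed sample: 60 bytes, first byte as in IPv4
  Bytes f = pcap_begin(1500);
  pcap_append(f, 1, 0, pkt, sizeof pkt, 40);  // caplen 40 keeps the first 40 bytes
  return pcap_count(f) == 1 ? 0 : 1;
}
```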