Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] Support for other capture options #36

Merged
merged 6 commits into from
Jan 25, 2023
Merged

[WIP] Support for other capture options #36

merged 6 commits into from
Jan 25, 2023

Conversation

fako1024
Copy link
Collaborator

This PR is not yet ready to merge, it's supposed to prepare features for more capture flexibility (standard libpcap, PF_RING, AF_PACKET, ...).

@fako1024 fako1024 self-assigned this Aug 14, 2022
@fako1024 fako1024 added the feature New feature or request label Aug 14, 2022
This was linked to issues Aug 14, 2022
Remove custom libpcap / gopacket dependency #34
Closed
Support PF_RING #35
Closed
@fako1024
Copy link
Collaborator Author

@els0r FYI: Still WIP (next would be the bidirectional pcap capture), but the recent commit replaces PCAP by AF_PACKET for Linux completely. I did a quick run locally for comparison, accumulated CPU usage goes down by >30% while yielding the same output:

$ top -n1 -b | grep goProbe
... 0:03.85 goProbe_afpacket
... 0:05.70 goProbe_pcap

@els0r
Copy link
Owner

els0r commented Aug 20, 2022

Wow! That sounds like we're on to something 😁.

Is the comparison between a force_pcap build and an afpacket build? The question being: do both use ZeroCopy for packets captured?

If so, do you know how it compares to the standard capture without ZeroCopy?

@els0r
Copy link
Owner

els0r commented Aug 20, 2022
edited
Loading

Concerning BPF: I had the fleeting idea that we could write the BPF code generator ourselves based on pcap_compile. After reading through the function, I discarded that idea very quickly 🙃

No idea how to get around the CGO dependency on this one to be honest.

@els0r
Copy link
Owner

els0r commented Jan 9, 2023

@fako1024 : FYI. Taking a shot at removing the custom libcap. And if Apple auto-corrects this to lieb-pcap one more time, I’ll scream so loud that Steve Jobs will hear it…

Lennart Elsen added 2 commits January 9, 2023 15:58
[WIP][capture] #34: split directions for libpcap
22dd866 
First steps towards using the standard libpcap library. At the moment,
it relies on BPF filters "inbound" and "outbound".

The current code is _not_ stable, since it fails when running on MacOS,
where apparently, the BPF filters aren't supported.
[pcap][capture] #34: split directions for libpcap
ee4fb61 
Do not rely on BPF, but rather on `handle.SetDirection`, which, ironically
also fails on MacOS.

Currently uses `ReadPacketData` instead of `ZeroCopyReadPacketData` due to
inconsistencies observed with goProbe's stable version.

Also removes the fako1024 gopacket fork dependencies everywhere except for
the afpacket case
els0r
els0r reviewed Jan 11, 2023
View reviewed changes
pkg/capture/pcap_source.go
PcapMutex.Unlock()
return fmt.Errorf("Interface '%s': failed to set bpf filter to %q: %w", iface, bpfFilter, err)
}
err = ds.handle.SetDirection(ds.direction)
Copy link
Owner

@els0r els0r Jan 11, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Craps out on MacOS for Outbound traffic:
[ ERR] Wed Jan 11 14:58:32 2023 Interface 'en0': failed to set direction to OUTBOUND: Generic error

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ooof. Didn't see that coming. Does tcpdump on MacOS support that? As in: Is that just something that the Go implementation lacks in feature or is a fundamental libpcap limitation on MacOS?

@els0r
Copy link
Owner

els0r commented Jan 11, 2023
edited
Loading

@fako1024 : here's my shot at the direction split for pcap. The traffic patterns align, see comment about ZeroCopyReadPacketData. There's something seriously wrong when calling it for pcap. Traffic doesn't align at all with the stable version.

https://github.com/els0r/goProbe/pull/36/files#diff-8927a0ba8d3906e5c78318560786b1dbcea9950b47d5b60899a73ed532d769cfR36

Finally, we should have a discussion whether it makes sense to support MacOS altogether. Having to maintain both OS'es, which may be UNIX, but behave vastly different on several levels (especially once CGO is involved) seems more pain than gain. Could be worth to shift focus to Linux again.

@els0r
Copy link
Owner

els0r commented Jan 12, 2023

Preliminary results for pfring:

# top -n1 -b | grep goProbe
  15489 root      20   0 1549332  66480  11104 S   5.6   1.7   0:03.70 goProbe_pf_ring
  15488 root      25   5 1391988  38572  12472 S   0.0   1.0   0:05.00 goProbe

This puts pfring on par with afpacket.

@els0r els0r marked this pull request as ready for review January 25, 2023 14:03
@els0r els0r merged commit 9892e33 into develop Jan 25, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@els0r els0r els0r approved these changes

Assignees

@fako1024 fako1024

Labels
feature New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support PF_RING Remove custom libpcap / gopacket dependency
2 participants
@fako1024 @els0r