Permalink
executable file 214 lines (179 sloc) 6.27 KB
#!/usr/bin/env python
#
# solisten Trace TCP listen events
# For Linux, uses BCC, eBPF. Embedded C.
#
# USAGE: solisten.py [-h] [-p PID] [--show-netns]
#
# This is provided as a basic example of TCP connection & socket tracing.
# It could be useful in scenarios where load balancers needs to be updated
# dynamically as application is fully initialized.
#
# All IPv4 listen attempts are traced, even if they ultimately fail or the
# the listening program is not willing to accept().
#
# Copyright (c) 2016 Jean-Tiare Le Bigot.
# Licensed under the Apache License, Version 2.0 (the "License")
#
# 04-Mar-2016 Jean-Tiare Le Bigot Created this.
import os
from socket import inet_ntop, AF_INET, AF_INET6, SOCK_STREAM, SOCK_DGRAM
from struct import pack
import argparse
from bcc import BPF
import ctypes as ct
# Arguments
examples = """Examples:
./solisten.py # Stream socket listen
./solisten.py -p 1234 # Stream socket listen for specified PID only
./solisten.py --netns 4242 # " for the specified network namespace ID only
./solisten.py --show-netns # Show network ns ID (useful for containers)
"""
parser = argparse.ArgumentParser(
description="Stream sockets listen",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=examples)
parser.add_argument("--show-netns", action="store_true",
help="show network namespace")
parser.add_argument("-p", "--pid", default=0, type=int,
help="trace this PID only")
parser.add_argument("-n", "--netns", default=0, type=int,
help="trace this Network Namespace only")
parser.add_argument("--ebpf", action="store_true",
help=argparse.SUPPRESS)
# BPF Program
bpf_text = """
#include <net/net_namespace.h>
#include <bcc/proto.h>
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wenum-conversion"
#include <net/inet_sock.h>
#pragma clang diagnostic pop
// Common structure for UDP/TCP IPv4/IPv6
struct listen_evt_t {
u64 ts_us;
u64 pid_tgid;
u64 backlog;
u64 netns;
u64 proto; // familiy << 16 | type
u64 lport; // use only 16 bits
u64 laddr[2]; // IPv4: store in laddr[0]
char task[TASK_COMM_LEN];
};
BPF_PERF_OUTPUT(listen_evt);
// Send an event for each IPv4 listen with PID, bound address and port
int kprobe__inet_listen(struct pt_regs *ctx, struct socket *sock, int backlog)
{
// cast types. Intermediate cast not needed, kept for readability
struct sock *sk = sock->sk;
struct inet_sock *inet = (struct inet_sock *)sk;
// Built event for userland
struct listen_evt_t evt = {
.ts_us = bpf_ktime_get_ns() / 1000,
.backlog = backlog,
};
// Get process comm. Needs LLVM >= 3.7.1
// see https://github.com/iovisor/bcc/issues/393
bpf_get_current_comm(evt.task, TASK_COMM_LEN);
// Get socket IP family
u16 family = sk->__sk_common.skc_family;
evt.proto = family << 16 | SOCK_STREAM;
// Get PID
evt.pid_tgid = bpf_get_current_pid_tgid();
##FILTER_PID##
// Get port
evt.lport = inet->inet_sport;
evt.lport = ntohs(evt.lport);
// Get network namespace id, if kernel supports it
#ifdef CONFIG_NET_NS
evt.netns = sk->__sk_common.skc_net.net->ns.inum;
#else
evt.netns = 0;
#endif
##FILTER_NETNS##
// Get IP
if (family == AF_INET) {
evt.laddr[0] = inet->inet_rcv_saddr;
} else if (family == AF_INET6) {
bpf_probe_read(evt.laddr, sizeof(evt.laddr),
sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr32);
}
// Send event to userland
listen_evt.perf_submit(ctx, &evt, sizeof(evt));
return 0;
};
"""
# event data
TASK_COMM_LEN = 16 # linux/sched.h
class ListenEvt(ct.Structure):
_fields_ = [
("ts_us", ct.c_ulonglong),
("pid_tgid", ct.c_ulonglong),
("backlog", ct.c_ulonglong),
("netns", ct.c_ulonglong),
("proto", ct.c_ulonglong),
("lport", ct.c_ulonglong),
("laddr", ct.c_ulonglong * 2),
("task", ct.c_char * TASK_COMM_LEN)
]
# TODO: properties to unpack protocol / ip / pid / tgid ...
# Format output
def event_printer(show_netns):
def print_event(cpu, data, size):
# Decode event
event = ct.cast(data, ct.POINTER(ListenEvt)).contents
pid = event.pid_tgid & 0xffffffff
proto_family = event.proto & 0xff
proto_type = event.proto >> 16 & 0xff
if proto_family == SOCK_STREAM:
protocol = "TCP"
elif proto_family == SOCK_DGRAM:
protocol = "UDP"
else:
protocol = "UNK"
address = ""
if proto_type == AF_INET:
protocol += "v4"
address = inet_ntop(AF_INET, pack("I", event.laddr[0]))
elif proto_type == AF_INET6:
address = inet_ntop(AF_INET6, event.laddr)
protocol += "v6"
# Display
if show_netns:
print("%-6d %-12.12s %-12s %-6s %-8s %-5s %-39s" % (
pid, event.task, event.netns, protocol, event.backlog,
event.lport, address,
))
else:
print("%-6d %-12.12s %-6s %-8s %-5s %-39s" % (
pid, event.task, protocol, event.backlog,
event.lport, address,
))
return print_event
if __name__ == "__main__":
# Parse arguments
args = parser.parse_args()
pid_filter = ""
netns_filter = ""
if args.pid:
pid_filter = "if (evt.pid_tgid != %d) return 0;" % args.pid
if args.netns:
netns_filter = "if (evt.netns != %d) return 0;" % args.netns
bpf_text = bpf_text.replace("##FILTER_PID##", pid_filter)
bpf_text = bpf_text.replace("##FILTER_NETNS##", netns_filter)
if args.ebpf:
print(bpf_text)
exit()
# Initialize BPF
b = BPF(text=bpf_text)
b["listen_evt"].open_perf_buffer(event_printer(args.show_netns))
# Print headers
if args.show_netns:
print("%-6s %-12s %-12s %-6s %-8s %-5s %-39s" %
("PID", "COMM", "NETNS", "PROTO", "BACKLOG", "PORT", "ADDR"))
else:
print("%-6s %-12s %-6s %-8s %-5s %-39s" %
("PID", "COMM", "PROTO", "BACKLOG", "PORT", "ADDR"))
# Read events
while 1:
b.perf_buffer_poll()