tracecon

An eBPF sample application, written in C & Rust using libbpf-rs. It outputs all TCPv4 connections established on the host as IPs and hostnames by probing tcp_v4_connect in the kernel and glibc's getaddrinfo in userland. On a successful host lookup, the first result is stored in a hashmap, which can be used as a lookup table to retrieve a hostname for IPv4 connections.

Requirements

Kernel

The project is built on technologies like CO-RE and BTF, which are only available in more recent kernels (5.0-ish). Ubuntu 20.10 has configured and packaged all the required dependencies.

Compilers

The project has been tested with LLVM v11 and Rust v1.52.1.

Generate vmlinux.h

bpftool btf dump file /sys/kernel/btf/vmlinux format c > src/bpf/vmlinux.h

You can verify whether your kernel was built with BTF enabled:

cat /boot/config-$(uname -r) | grep CONFIG_DEBUG_INFO_BTF

Build

Vagrant

eBPF is a low-level technology in the Linux kernel. Docker is not a good fit for building eBPF code on macOS or Windows. On those platforms Docker ships its own kernel (e.g. linuxkit), and BTF might not be enabled.

There is a Vagrantfile to provision an Ubuntu 20.10 VM including the necessary dependencies to build the project. To install Vagrant with a VirtualBox backend and provision the VM on a macOS host machine, run:

brew install --cask virtualbox
brew install --cask vagrant
vagrant up

Log in to the machine. The current host workdir is mounted to /vagrant:

vagrant ssh
sudo su -
cd /vagrant

Cargo

cargo build

Run

Start the program to instrument the eBPF probe and listen to events:

cargo run --release

In another shell, perform some HTTP calls:

curl -s www.jsonplaceholder.com > /dev/null
# Connect to the IP directly so that no DNS lookup takes place
curl -s -H "Host: www.jsonplaceholder.com" 172.67.201.157 > /dev/null

The first shell, the one running the program, should show the respective events:

host event: www.jsonplaceholder.com
ip event: 172.67.201.157
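
The lookup table described at the top of this README can be modelled in plain Rust as follows. This is an added example, not tracecon's own code: the `Event`, `Correlator` and `raw_daddr` names and the event layout are assumptions, and the address 192.0.2.10 is a constructed sample value.

```rust
use std::collections::HashMap;
use std::net::Ipv4Addr;

/// Constructed event shapes (assumption: the project's real event layout is not on this page).
pub enum Event {
    /// getaddrinfo succeeded: hostname and the first address in the result list.
    Host { name: String, first_addr: Ipv4Addr },
    /// tcp_v4_connect fired: destination address as the kernel stores it (network byte order).
    Connect { daddr_be: u32 },
}

/// Lookup table keyed by IPv4 address, filled from Host events.
#[derive(Default)]
pub struct Correlator {
    by_ip: HashMap<Ipv4Addr, String>,
}

impl Correlator {
    /// Returns Some((ip, hostname_if_known)) for Connect events, None for Host events.
    pub fn handle(&mut self, ev: Event) -> Option<(Ipv4Addr, Option<String>)> {
        match ev {
            Event::Host { name, first_addr } => {
                // Last lookup wins, so names sharing one address overwrite each other.
                self.by_ip.insert(first_addr, name);
                None
            }
            Event::Connect { daddr_be } => {
                // The in-memory bytes are already a.b.c.d; do not treat the u32 as host order.
                let ip = Ipv4Addr::from(daddr_be.to_ne_bytes());
                Some((ip, self.by_ip.get(&ip).cloned()))
            }
        }
    }
}

/// Builds the raw u32 a probe would read for a.b.c.d (helper for constructed input).
pub fn raw_daddr(ip: Ipv4Addr) -> u32 {
    u32::from_ne_bytes(ip.octets())
}

fn main() {
    let mut c = Correlator::default();
    let ip: Ipv4Addr = "172.67.201.157".parse().unwrap();
    c.handle(Event::Host { name: "www.jsonplaceholder.com".into(), first_addr: ip });
    // A later connect straight to the IP (no DNS lookup) still resolves via the table.
    println!("{:?}", c.handle(Event::Connect { daddr_be: raw_daddr(ip) }));
    // An address never seen in a lookup yields no hostname.
    println!("{:?}", c.handle(Event::Connect { daddr_be: raw_daddr(Ipv4Addr::new(192, 0, 2, 10)) }));
}
```

Because the table is keyed by address, a hostname attached to a connection is the most recent name that resolved to that IP, not necessarily the name the connecting process used.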