I want to capture traffic from unix socket and print skb in user-space.
When I use bpf_perf_event_output(), an error occurs:
```
root@ebpf:~# ./kprobe
libbpf: loading object 'kprobe_bpf' from buffer
...
libbpf: prog 'do_unixsocket': BPF program load failed: Permission denied
libbpf: prog 'do_unixsocket': -- BEGIN PROG LOAD LOG --
R1 type=ctx expected=fp
; struct sk_buff* skb = (struct sk_buff *)PT_REGS_PARM1(ctx);
0: (79) r2 = *(u64 *)(r1 +112)
; if (!skb) {
1: (15) if r2 == 0x0 goto pc+11
R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0) R10=fp0
; ((__u64) data_len << 32) |
2: (61) r3 = *(u32 *)(r2 +116)
R2 invalid mem access 'inv'
processed 3 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
-- END PROG LOAD LOG --
libbpf: prog 'do_unixsocket': failed to load: -13
libbpf: failed to load object 'kprobe_bpf'
libbpf: failed to load BPF skeleton 'kprobe_bpf': -13
Failed to open BPF skeleton
```
The code is as follows.

```c
#ifndef __packed
#define __packed __attribute__((packed))
#endif

#define MAX_CPUS 256

struct pkt_trace_metadata {
    __u16 pkt_len;
    __u16 cap_len;
    unsigned char packet[];
} __packed;

struct {
    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
    __uint(max_entries, MAX_CPUS);
    __type(key, int);
    __type(value, __u32);
} pb SEC(".maps");

char LICENSE[] SEC("license") = "Dual BSD/GPL";

SEC("kprobe/unix_stream_read_actor")
int BPF_KPROBE(do_unixsocket)
{
    void* data;
    int data_len;
    struct pkt_trace_metadata metadata;
    struct sk_buff* skb = (struct sk_buff *)PT_REGS_PARM1(ctx);

    data = skb->data;
    data_len = skb->data_len;
    bpf_perf_event_output(ctx, &pb,
                          ((__u64) data_len << 32) |
                          BPF_F_CURRENT_CPU,
                          &metadata, sizeof(metadata));
    return 0;
}
```
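
Added example, not part of the original issue: a small Python triage of the verifier log quoted above that locates the rejected instruction and traces where the offending register was loaded from. The log text is copied from the post; the function name `triage` and the result keys are this example's own.

```python
import re

# Verifier log lines copied from the issue above (libbpf wrapper lines left out).
LOG = """\
R1 type=ctx expected=fp
; struct sk_buff* skb = (struct sk_buff *)PT_REGS_PARM1(ctx);
0: (79) r2 = *(u64 *)(r1 +112)
; if (!skb) {
1: (15) if r2 == 0x0 goto pc+11
R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0) R10=fp0
; ((__u64) data_len << 32) |
2: (61) r3 = *(u32 *)(r2 +116)
R2 invalid mem access 'inv'
"""

INSN = re.compile(r"^(\d+): \(\w+\) (.*)$")            # "2: (61) r3 = ..."
LOAD = re.compile(r"^r(\d+) = \*\(u\d+ \*\)\(r(\d+) \+(\d+)\)")  # rD = *(uN *)(rS +off)
STATE = re.compile(r"\bR(\d+)(?:_w)?=([a-z_]+)")       # "R2_w=inv(id=0)"
ERROR = re.compile(r"^R(\d+) invalid mem access '(\w+)'")


def triage(log):
    """Locate the rejected instruction and trace where its pointer came from."""
    insns, reg_types, src = [], {}, None
    for line in map(str.strip, log.splitlines()):
        if line.startswith(";"):
            src = line[1:].strip()            # C source line for the next insns
        elif m := INSN.match(line):
            insns.append((int(m[1]), m[2], src))
        elif m := ERROR.match(line):
            idx, text, source = insns[-1]     # error line follows the bad insn
            bad, acc = int(m[1]), LOAD.match(text)
            result = {"insn": idx, "source": source, "reg": f"R{bad}",
                      "reg_type": m[2], "loaded_from": None,
                      "deref_offset": int(acc[3]) if acc else None}
            for _, earlier, _ in reversed(insns[:-1]):
                ld = LOAD.match(earlier)
                if ld and int(ld[1]) == bad:  # last load that defined the register
                    base_type = reg_types.get(int(ld[2]), "?")
                    result["loaded_from"] = f"{base_type}+{ld[3]}"
                    break
            return result
        else:
            for reg, typ in STATE.findall(line):  # remember known register types
                reg_types[int(reg)] = typ
    return None


if __name__ == "__main__":
    print(triage(LOG))
```

In this log `inv` is the verifier's label for a plain scalar, so the value loaded from the kprobe context is not a pointer the program may dereference directly. In kprobe programs such kernel pointers are normally read through `bpf_probe_read_kernel()` or `BPF_CORE_READ()`.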