ebpf

package
v0.8.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 23, 2020 License: Apache-2.0, Apache-2.0 Imports: 14 Imported by: 7

README

Note

This package is a fork of the weaveworks tcptracer-bpf package which focused on tracing TCP state events (connect, accept, close) without kernel specific runtime dependencies.

This fork adds support for UDP, as well as collection of metrics like bytes sent/received. It also opts for event collection via polling (using BPF maps) instead of being pushed event updates via perf buffers.

tracer-bpf

tracer-bpf is an eBPF program using kprobes to trace TCP/UDP events (connect, accept, close, send_msg, recv_msg).

The eBPF program is compiled to an ELF object file.

tracer-bpf also provides a Go library that provides a simple API for loading the ELF object file. Internally, it is using the gobpf elf package.

tracer-bpf does not have any run-time dependencies on kernel headers and is not tied to a specific kernel version or kernel configuration. This is quite unusual for eBPF programs using kprobes: for example, eBPF programs using kprobes with bcc are compiled on the fly and depend on kernel headers. And perf tools compiled for one kernel version cannot be used on another kernel version.

To adapt to the currently running kernel at run-time, tracer-bpf creates a series of TCP connections with known parameters (such as known IP addresses and ports) and discovers where those parameters are stored in the kernel struct sock. The offsets of the struct sock fields vary depending on the kernel version and kernel configuration. Since an eBPF programs cannot loop, tracer-bpf does not directly iterate over the possible offsets. It is instead controlled from userspace by the Go library using a state machine.

Development

make nettop will run a small testing program which periodically prints statistics about TCP/UDP traffic.

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	// ErrNotImplemented will be returned on non-linux environments like Windows and Mac OSX
	ErrNotImplemented = errors.New("BPF-based system probe not implemented on non-linux systems")

	// CIncludePattern is the regex for #include headers of C files
	CIncludePattern = `^\s*#\s*include\s+"(.*)"$`
)

Functions

func CurrentKernelVersion 

func CurrentKernelVersion() (uint32, error)

CurrentKernelVersion is not implemented on this OS for Tracer

func IsTracerSupportedByOS 

func IsTracerSupportedByOS(exclusionList []string) (bool, string)

IsTracerSupportedByOS returns whether or not the current kernel version supports tracer functionality along with some context on why it's not supported

Types

type Config 

type Config struct {
	// CollectTCPConns specifies whether the tracer should collect traffic statistics for TCP connections
	CollectTCPConns bool

	// CollectUDPConns specifies whether the tracer should collect traffic statistics for UDP connections
	CollectUDPConns bool

	// CollectIPv6Conns specifics whether the tracer should capture traffic for IPv6 TCP/UDP connections
	CollectIPv6Conns bool

	// CollectLocalDNS specifies whether the tracer should capture traffic for local DNS calls
	CollectLocalDNS bool

	// DNSInspection specifies whether the tracer should enhance connection data with domain names by inspecting DNS traffic
	// Notice this does *not* depend on CollectLocalDNS
	DNSInspection bool

	// CollectDNSStats specifies whether the tracer should enhance connection data with relevant DNS stats
	// It is relevant *only* when DNSInspection is enabled.
	CollectDNSStats bool

	// DNSTimeout determines the length of time to wait before considering a DNS Query to have timed out
	DNSTimeout time.Duration

	// UDPConnTimeout determines the length of traffic inactivity between two (IP, port)-pairs before declaring a UDP
	// connection as inactive.
	// Note: As UDP traffic is technically "connection-less", for tracking, we consider a UDP connection to be traffic
	//       between a source and destination IP and port.
	UDPConnTimeout time.Duration

	// TCPConnTimeout is like UDPConnTimeout, but for TCP connections. TCP connections are cleared when
	// the BPF module receives a tcp_close call, but TCP connections also age out to catch cases where
	// tcp_close is not intercepted for some reason.
	TCPConnTimeout time.Duration

	// TCPClosedTimeout represents the maximum amount of time a closed TCP connection can remain buffered in eBPF before
	// being marked as idle and flushed to the perf ring.
	TCPClosedTimeout time.Duration

	// MaxTrackedConnections specifies the maximum number of connections we can track. This determines the size of the eBPF Maps
	MaxTrackedConnections uint

	// MaxClosedConnectionsBuffered represents the maximum number of closed connections we'll buffer in memory. These closed connections
	// get flushed on every client request (default 30s check interval)
	MaxClosedConnectionsBuffered int

	// MaxDNSStatsBufferred represents the maximum number of DNS stats we'll buffer in memory. These stats
	// get flushed on every client request (default 30s check interval)
	MaxDNSStatsBufferred int

	// MaxConnectionsStateBuffered represents the maximum number of state objects that we'll store in memory. These state objects store
	// the stats for a connection so we can accurately determine traffic change between client requests.
	MaxConnectionsStateBuffered int

	// ClientStateExpiry specifies the max time a client (e.g. process-agent)'s state will be stored in memory before being evicted.
	ClientStateExpiry time.Duration

	// ProcRoot is the root path to the proc filesystem
	ProcRoot string

	// BPFDebug enables bpf debug logs
	BPFDebug bool

	// EnableConntrack enables probing conntrack for network address translation via netlink
	EnableConntrack bool

	// ConntrackMaxStateSize specifies the maximum number of connections with NAT we can track
	ConntrackMaxStateSize int

	// ConntrackRateLimit specifies the maximum number of netlink messages *per second* that can be processed
	// Setting it to -1 disables the limit and can result in a high CPU usage.
	ConntrackRateLimit int

	// DebugPort specifies a port to run golang's expvar and pprof debug endpoint
	DebugPort int

	// ClosedChannelSize specifies the size for closed channel for the tracer
	ClosedChannelSize int

	// ExcludedSourceConnections is a map of source connections to blacklist
	ExcludedSourceConnections map[string][]string

	// ExcludedDestinationConnections is a map of destination connections to blacklist
	ExcludedDestinationConnections map[string][]string

	// OffsetGuessThreshold is the size of the byte threshold we will iterate over when guessing offsets
	OffsetGuessThreshold uint64
}

Config stores all flags used by the eBPF tracer

func NewDefaultConfig 

func NewDefaultConfig() *Config

NewDefaultConfig enables traffic collection for all connection types

type OOMKillProbe 

type OOMKillProbe struct{}

OOMKillProbe is not implemented on non-linux systems

func NewOOMKillProbe 

func NewOOMKillProbe() (*OOMKillProbe, error)

NewOOMKillProbe is not implemented on non-linux systems

func (*OOMKillProbe) Close 

func (t *OOMKillProbe) Close()

Close is not implemented on non-linux systems

func (*OOMKillProbe) Get 

func (t *OOMKillProbe) Get() []oomkill.Stats

Get is not implemented on non-linux systems

func (*OOMKillProbe) GetAndFlush 

func (t *OOMKillProbe) GetAndFlush() []oomkill.Stats

GetAndFlush is not implemented on non-linux systems

type TCPQueueLengthTracer 

type TCPQueueLengthTracer struct{}

TCPQueueLengthTracer is not implemented on non-linux systems

func NewTCPQueueLengthTracer 

func NewTCPQueueLengthTracer() (*TCPQueueLengthTracer, error)

NewTCPQueueLengthTracer is not implemented on non-linux systems

func (*TCPQueueLengthTracer) Close 

func (t *TCPQueueLengthTracer) Close()

Close is not implemented on non-linux systems

func (*TCPQueueLengthTracer) Get 

func (t *TCPQueueLengthTracer) Get() []tcpqueuelength.Stats

Get is not implemented on non-linux systems

func (*TCPQueueLengthTracer) GetAndFlush 

func (t *TCPQueueLengthTracer) GetAndFlush() []tcpqueuelength.Stats

GetAndFlush is not implemented on non-linux systems

type Tracer 

type Tracer struct{}

Tracer is not implemented

func NewTracer 

func NewTracer(_ *Config) (*Tracer, error)

NewTracer is not implemented on this OS for Tracer

func (*Tracer) DebugNetworkMaps 

func (t *Tracer) DebugNetworkMaps() (*network.Connections, error)

DebugNetworkMaps is not implemented on this OS for Tracer

func (*Tracer) DebugNetworkState 

func (t *Tracer) DebugNetworkState(clientID string) (map[string]interface{}, error)

DebugNetworkState is not implemented on this OS for Tracer

func (*Tracer) GetActiveConnections 

func (t *Tracer) GetActiveConnections(_ string) (*network.Connections, error)

GetActiveConnections is not implemented on this OS for Tracer

func (*Tracer) GetStats 

func (t *Tracer) GetStats() (map[string]interface{}, error)

GetStats is not implemented on this OS for Tracer

func (*Tracer) Stop 

func (t *Tracer) Stop()

Stop is not implemented on this OS for Tracer

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.