Documentation
Index ¶
- Constants
- Variables
- func AllFieldNames() []string
- func DisplayHeader(fields []FieldID) string
- func MBtoB(b int) int
- func Run(c *Config) error
- func SetBPFFilter(h *afpacket.TPacket, filter string, snapLen int) error
- func StartNetTop(refreshChan <-chan map[UniqueDNS]*DisplayInfo, stopChan chan<- bool, ...)
- func StartTopLike(refreshChan <-chan *ToplikeData, stopChan chan<- bool, refTime time.Duration)
- type Config
- type Consumer
- type DNSDecoder
- func (d *DNSDecoder) BPFrule() string
- func (d *DNSDecoder) DstAddr() (net.IP, error)
- func (d *DNSDecoder) DstPort() (int, error)
- func (d *DNSDecoder) Header() []string
- func (d *DNSDecoder) Print()
- func (d *DNSDecoder) Row() ([]string, error)
- func (d *DNSDecoder) SrcAddr() (net.IP, error)
- func (d *DNSDecoder) SrcPort() (int, error)
- func (d *DNSDecoder) Unmarshal(data []byte) error
- func (d *DNSDecoder) Valid() bool
- type DisplayInfo
- type EnhancedProbeData
- type FieldID
- type FieldMeta
- type Filter
- type FilterDTO
- type FnID
- type HostData
- type NetTopData
- type NetTopRow
- type NetTopState
- type PortNr
- type Probe
- type ProbeDTO
- type ProbeEventData
- type ProcInfo
- type RawDecoder
- type SqllikeData
- type ToplikeData
- type ToplikeRow
- type ToplikeState
- type UniqueDNS
Constants ¶
const ( FieldPID = iota FieldPNAME FieldLAT FieldTYPE FieldQNAME FieldRCODE FieldRIP FieldQTIME FieldRTIME FieldTID FieldCMDLINE FieldQADDR FieldRADDR FieldSTACK )
Field constants
const UNK = "UNK"
UNK is the string displayed for unknown info.
Variables ¶
var FieldToMeta = map[FieldID]FieldMeta{ FieldPID: {"PID", "%-7v "}, FieldPNAME: {"PNAME", "%-15v "}, FieldLAT: {"LAT", "%-5v "}, FieldTYPE: {"TYPE", "%-5v "}, FieldQNAME: {"QNAME", "%-80v "}, FieldRCODE: {"RCODE", "%-8v "}, FieldRIP: {"RIP", "%-40v "}, FieldQTIME: {"QTIME", "%-16v "}, FieldRTIME: {"RTIME", "%-16v "}, FieldTID: {"TID", "%-7v "}, FieldCMDLINE: {"CMDLINE", "%-120v "}, FieldQADDR: {"QADDR", "%-40v "}, FieldRADDR: {"RADDR", "%-40v "}, FieldSTACK: {"STACK", "%-40v "}, }
FieldToMeta maps fields to metadata
var PortToProtocol = map[PortNr]string{ // contains filtered or unexported fields }
PortToProtocol maps port to protocol string
Functions ¶
func AllFieldNames ¶
func AllFieldNames() []string
AllFieldNames returns the list of all acceptable field names.
func DisplayHeader ¶
DisplayHeader displays the header for the field list.
func SetBPFFilter ¶
SetBPFFilter translates a BPF filter string into BPF RawInstructions and applies them to the packet handle h.
func StartNetTop ¶
func StartNetTop(refreshChan <-chan map[UniqueDNS]*DisplayInfo, stopChan chan<- bool, refTime time.Duration)
StartNetTop is the nettop stdout handler
func StartTopLike ¶
func StartTopLike(refreshChan <-chan *ToplikeData, stopChan chan<- bool, refTime time.Duration)
StartTopLike is the toplike stdout handler
Types ¶
type Config ¶
type Config struct { Host HostData LogLevel string Interface string Port int FilterDebug bool ProbeDebug bool RingSizeMB int CleanPeriod time.Duration Fields string ExporterListen string Exporter bool Detailed bool Toplike bool NetTop bool Sqllike bool Csv string Where string Orderby string Groupby string }
Config contains data needed for setup
type Consumer ¶
Consumer listens on both probe and filter queues
func (*Consumer) CleanDisplayMap ¶
func (c *Consumer) CleanDisplayMap()
CleanDisplayMap displays the displayMap attribute to stdout.
type DNSDecoder ¶
type DNSDecoder struct {
// contains filtered or unexported fields
}
DNSDecoder is used to decode raw DNS packets.
func (*DNSDecoder) DstAddr ¶
func (d *DNSDecoder) DstAddr() (net.IP, error)
DstAddr returns destination address of the packet
func (*DNSDecoder) DstPort ¶
func (d *DNSDecoder) DstPort() (int, error)
DstPort returns destination port of the packet
func (*DNSDecoder) Header ¶
func (d *DNSDecoder) Header() []string
Header returns DNS specific data headers
func (*DNSDecoder) Print ¶
func (d *DNSDecoder) Print()
Print displays info about the packet on stdout. It is intended for debugging purposes.
func (*DNSDecoder) Row ¶
func (d *DNSDecoder) Row() ([]string, error)
Row returns values ordered by fields in Header
func (*DNSDecoder) SrcAddr ¶
func (d *DNSDecoder) SrcAddr() (net.IP, error)
SrcAddr returns source address of the packet
func (*DNSDecoder) SrcPort ¶
func (d *DNSDecoder) SrcPort() (int, error)
SrcPort returns source port of the packet
func (*DNSDecoder) Unmarshal ¶
func (d *DNSDecoder) Unmarshal(data []byte) error
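Unmarshal populates the struct with DNS-specific data decoded from data. Because data is raw packet bytes, check the returned error (and Valid) before reading the accessors.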
func (*DNSDecoder) Valid ¶
func (d *DNSDecoder) Valid() bool
Valid is true if the DNSDecoder contains a DNS packet
type DisplayInfo ¶
type DisplayInfo struct { ProcInfo // contains filtered or unexported fields }
DisplayInfo stores data about a complete match between (DNS query, DNS response, calling process)
func (*DisplayInfo) DetailedString ¶
func (d *DisplayInfo) DetailedString() string
DetailedString returns a dig-like string.
func (*DisplayInfo) FieldValue ¶
func (d *DisplayInfo) FieldValue(field FieldID) string
FieldValue returns the string value of the given field in the DisplayInfo.
func (*DisplayInfo) String ¶
func (d *DisplayInfo) String() string
String returns the string containing only the fields specified
type EnhancedProbeData ¶
type EnhancedProbeData struct { // Tgid is the thread group id Tgid uint32 // Pid is the process id Pid uint32 // // Comm is the task comm Comm [commLength]byte // // Cmdline is the process cmdline Cmdline [cmdlineLength]byte // SockPortNr is the socket number used to send_msg SockPortNr int32 // FnID is the identifier of the function FnID uint8 // Stack is the stack trace Stack []string }
EnhancedProbeData is an extended version of the ProbeEventData struct: it is populated with data from the kernel and then enriched with comm and cmdline by the userspace code.
type FieldID ¶
type FieldID int
FieldID is the label for a field.
func FieldFromString ¶
FieldFromString returns FieldID from a string input
func ParseFields ¶
ParseFields parses a comma-separated string into a list of FieldID, e.g. "PNAME,PID,TYPE" -> [1,0,3].
type Filter ¶
type Filter struct { Rule string Interface string Debug bool RingSizeMB int // contains filtered or unexported fields }
Filter is the BPF filter + Packet MMAPer used to receive and read packets in UserSpace.
type FilterDTO ¶
type FilterDTO struct { Timestamp int64 SrcPort uint16 SrcAddr net.IP DstPort uint16 DstAddr net.IP DNS *layers.DNS }
FilterDTO is a data transfer object used to communicate between filter and consumer
type NetTopData ¶
type NetTopData struct { // addr to row Rows map[string]*NetTopRow // contains filtered or unexported fields }
NetTopData contains the entire nettop display table
type NetTopRow ¶
type NetTopRow struct { QueryAddr string ResponseAddr string DNS percentField NXDOM percentField NOERR percentField SERVF percentField A percentField AAAA percentField PTR percentField // contains filtered or unexported fields }
NetTopRow contains data about each row in nettop display
type NetTopState ¶
type NetTopState struct {
// contains filtered or unexported fields
}
NetTopState is the current state of the interactive env
type Probe ¶
Probe is the BPF handler which attaches kprobes to kernel functions. It receives kernel data each time one of these functions is called.
type ProbeDTO ¶
type ProbeDTO struct {
ProbeData EnhancedProbeData
}
ProbeDTO is a data transfer object used to communicate between probe and consumer
type ProbeEventData ¶
type ProbeEventData struct { UserStack [maxStackRawtp]uint64 // Tgid is the thread group id Tgid uint32 // Pid is the process id Pid uint32 // SockPortNr is the socket number used to send_msg SockPortNr int32 // UserStackSize int32 // FnID is the identifier of the function FnID uint8 }
ProbeEventData is a struct populated with data from the kernel. Its layout must match the corresponding struct in the BPF program.
type ProcInfo ¶
type ProcInfo struct {
// contains filtered or unexported fields
}
ProcInfo stores data about a process
type RawDecoder ¶
type RawDecoder interface { // Unmarshal populates the struct of the specific packet Unmarshal([]byte) error // DstPort returns destination port of the packet DstPort() (int, error) // DstAddr returns destination address of the packet DstAddr() (net.IP, error) // SrcPort returns source port of the packet SrcPort() (int, error) // SrcAddr returns source address of the packet SrcAddr() (net.IP, error) // Header returns the titles for a specific port Header() []string // Row returns data about the packet in the same order as Header Row() ([]string, error) // BPFrule returns the bpf filter in bpf format BPFrule() string // Valid returns true if the packet contains valid data, false otherwise Valid() bool }
RawDecoder is used to decode raw packets, starting with the Eth layer. DstPort and SrcPort are used to compute latency on a specific port. Header and Row are used to print specific data for different protocols.
func RawDecoderByType ¶
func RawDecoderByType(pktType string) (RawDecoder, error)
RawDecoderByType is a factory method that returns a specific type of RawDecoder. To add a new packet type, add a new case and a new struct that implements the RawDecoder methods.
type SqllikeData ¶
SqllikeData is used to store filtering information and the dataframe table.
func (*SqllikeData) Print ¶
func (s *SqllikeData) Print(path string)
Print is used to display the dataframe on stdout.
func (*SqllikeData) Setup ¶
func (s *SqllikeData) Setup(m []map[string]interface{})
Setup is used to create the dataframe from a list of maps.
func (*SqllikeData) SolveGroupby ¶
func (s *SqllikeData) SolveGroupby()
SolveGroupby groups columns based on the groupby list
func (*SqllikeData) SolveOrderby ¶
func (s *SqllikeData) SolveOrderby()
SolveOrderby sorts data based on the Orderby priority list. For example, QNAME;-LATENCY means: first sort by qname, then reverse sort by latency.
func (*SqllikeData) SolveWhere ¶
func (s *SqllikeData) SolveWhere()
SolveWhere filters the data based on the Where list. For example, PNAME=smcc;LATENCY>200 means: display only rows with PNAME = smcc and latency > 200 microseconds.
type ToplikeData ¶
type ToplikeData struct { // PID to row Rows map[int]*ToplikeRow // contains filtered or unexported fields }
ToplikeData contains the entire toplike display table
type ToplikeRow ¶
type ToplikeRow struct { PID int Comm string DNS percentField NXDOM percentField NOERR percentField SERVF percentField A percentField AAAA percentField PTR percentField // contains filtered or unexported fields }
ToplikeRow contains data about each row in toplike display
type ToplikeState ¶
type ToplikeState struct {
// contains filtered or unexported fields
}
ToplikeState is the current state of the interactive env