Documentation ¶
Overview ¶
Copyright © 2022 Hengqi Chen
Index ¶
- Constants
- Variables
- func GetAllModules() map[string]IModule
- func Register(p IModule)
- type GoTLSProbe
- func (g *GoTLSProbe) Close() error
- func (g *GoTLSProbe) DecodeFun(m *ebpf.Map) (event.IEventStruct, bool)
- func (g *GoTLSProbe) Dispatcher(eventStruct event.IEventStruct)
- func (g *GoTLSProbe) Events() []*ebpf.Map
- func (g *GoTLSProbe) Init(ctx context.Context, l *log.Logger, cfg config.IConfig) error
- func (g *GoTLSProbe) Name() string
- func (g *GoTLSProbe) Start() error
- type IClose
- type IModule
- type MBashProbe
- func (b *MBashProbe) Close() error
- func (b *MBashProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)
- func (b *MBashProbe) Dispatcher(eventStruct event.IEventStruct)
- func (b *MBashProbe) Events() []*ebpf.Map
- func (b *MBashProbe) Init(ctx context.Context, logger *log.Logger, conf config.IConfig) error
- func (b *MBashProbe) Start() error
- type MGnutlsProbe
- type MMysqldProbe
- type MNsprProbe
- type MOpenSSLProbe
- func (m *MOpenSSLProbe) AddConn(pid, fd uint32, addr string)
- func (m *MOpenSSLProbe) Close() error
- func (m *MOpenSSLProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)
- func (m *MOpenSSLProbe) DelConn(pid, fd uint32)
- func (m *MOpenSSLProbe) Dispatcher(eventStruct event.IEventStruct)
- func (m *MOpenSSLProbe) Events() []*ebpf.Map
- func (m *MOpenSSLProbe) GetConn(pid, fd uint32) string
- func (m *MOpenSSLProbe) Init(ctx context.Context, logger *log.Logger, conf config.IConfig) error
- func (m *MOpenSSLProbe) Start() error
- type MPostgresProbe
- type MTCProbe
- type Module
- func (m *Module) Close() error
- func (m *Module) Decode(em *ebpf.Map, b []byte) (event event.IEventStruct, err error)
- func (m *Module) DecodeFun(p *ebpf.Map) (event.IEventStruct, bool)
- func (m *Module) Dispatcher(e event.IEventStruct)
- func (m *Module) Events() []*ebpf.Map
- func (m *Module) Init(ctx context.Context, logger *log.Logger, conf config.IConfig)
- func (m *Module) Name() string
- func (m *Module) Run() error
- func (m *Module) SetChild(module IModule)
- func (m *Module) Start() error
- func (m *Module) Stop() error
- type NetCaptureData
- type NetEventMetadata
- type TcPacket
- type Tls13MasterSecret
- type TlsCaptureModelType
Constants ¶
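// Probe type labels used by this package. The declarations are laid out one
// per line so the block parses as Go; names and values are unchanged.
const (
	ProbeTypeUprobe = "uprobe"     // user-space function probe
	ProbeTypeKprobe = "kprobe"     // kernel function probe
	ProbeTypeTC     = "TC"         // traffic-control hook
	ProbeTypeTP     = "tracepoint" // kernel tracepoint
	ProbeTypeXDP    = "XDP"        // eXpress Data Path hook
)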
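// Module name strings, one per probe type declared in this package.
// NOTE(review): presumably these are the keys under which modules are
// registered and looked up (Register / GetAllModules) — confirm in register.go.
// The values are runtime identifiers; their mixed casing ("OPENSSL" vs "GoTLS")
// is kept exactly as published.
const (
	ModuleNameBash     = "EBPFProbeBash"
	ModuleNameMysqld   = "EBPFProbeMysqld"
	ModuleNamePostgres = "EBPFProbePostgres"
	ModuleNameOpenssl  = "EBPFProbeOPENSSL"
	ModuleNameGnutls   = "EBPFProbeGNUTLS"
	ModuleNameNspr     = "EBPFProbeNSPR"
	ModuleNameGotls    = "EBPFProbeGoTLS"
)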
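// Library symbol names used for master-key capture hooks. In the collapsed
// one-line form the leading line comment swallowed every declaration after
// it; the layout below restores one declaration per line with the same values.
//
// NOTE(review): these are the symbols a host-side monitor would expect to see
// probes attached to while this module runs — confirm the attach logic in
// probe_openssl.go.
const (
	// Candidate functions to hook: SSL_is_init_finished \ SSL_get_wbio \ SSL_write
	MasterKeyHookFuncOpenSSL = "SSL_write"

	/*
		In the BoringSSL library, SSL_write calls SSL_do_handshake; when
		SSL_do_handshake runs, the handshake of the current SSL connection
		may not have completed yet, and (the original comment ends here)
	*/
	// 2022-12-16: changed to SSL_in_init
	MasterKeyHookFuncBoringSSL = "SSL_in_init"
	MasterKeyHookFuncSSLBefore = "SSL_in_before"
	MasterKeyHookFuncSSLState  = "SSL_state"
)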
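// File-name fragment and user-facing hint strings related to kernel/BTF
// support. Declarations are restored to one per line; every string is
// reproduced unchanged.
const (
	// KernelLess52Prefix is the fragment "_less52.o".
	// NOTE(review): the name says "Prefix" but the value reads like a file-name
	// suffix for object files built for kernels older than 5.2 — confirm usage.
	KernelLess52Prefix = "_less52.o"

	// BtfNotSupport is the hint pointing users at the BTF-free build
	// (`make nocore`).
	BtfNotSupport = "You can compile the BTF-free version by using the command `make nocore`, please read the Makefile for more information."

	// BtfModeSwitch is the hint suggesting `-b 2` (non-CORE mode) when
	// eCapture fails to run.
	BtfModeSwitch = "If eCapture fails to run, try specifying the BTF mode. use `-b 2` to specify non-CORE mode."
)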
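// Numeric tags for bash probe event kinds. Declarations are restored to one
// per line; values are unchanged.
// NOTE(review): presumably these must match the values emitted by the bash
// eBPF program — confirm against the kernel-side source.
const (
	BASH_EVENT_TYPE_READLINE     = 0
	BASH_EVENT_TYPE_RETVAL       = 1
	BASH_EVENT_TYPE_EXIT_OR_EXEC = 2
)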
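// Address placeholder strings. Declarations are restored to one per line;
// values are unchanged.
const (
	// ConnNotFound is the marker string "[ADDR_NOT_FOUND]".
	// NOTE(review): presumably what GetConn returns when no address is
	// recorded for a (pid, fd) pair — confirm in probe_openssl.go.
	ConnNotFound = "[ADDR_NOT_FOUND]"

	// DefaultAddr is the all-zero IPv4 address string.
	DefaultAddr = "0.0.0.0"
)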
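// Default lookup names per OpenSSL branch, plus the OpenSSL version string
// length. Declarations are restored to one per line (the trailing line comment
// previously swallowed the closing parenthesis); names and values are
// unchanged. "Defaule" is the spelling of the exported identifiers and is kept
// so existing callers still compile.
const (
	LinuxDefauleFilename_1_0_2 = "linux_default_1_0_2"
	LinuxDefauleFilename_1_1_0 = "linux_default_1_1_0"
	LinuxDefauleFilename_1_1_1 = "linux_default_1_1_1"
	LinuxDefauleFilename_3_0   = "linux_default_3_0"
	// NOTE(review): same value as LinuxDefauleFilename_3_0 — confirm that the
	// 3.1 branch is meant to reuse the 3.0 entry rather than a "..._3_1" one.
	LinuxDefauleFilename_3_1   = "linux_default_3_0"
	LinuxDefauleFilename_3_2_0 = "linux_default_3_2"
	AndroidDefauleFilename     = "android_default"

	OpenSslVersionLen = 30 // openssl version string length
)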
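// Upper bounds per OpenSSL branch. Declarations are restored to one per line;
// values are unchanged.
// NOTE(review): presumably the letter constants are the highest release
// letter handled for 1.0.2 / 1.1.0 / 1.1.1 and the integers the highest patch
// number handled for 3.0 / 3.1 / 3.2 — confirm in probe_openssl_lib.go, along
// with what happens for versions above these bounds.
const (
	MaxSupportedOpenSSL102Version = 'u'
	MaxSupportedOpenSSL110Version = 'l'
	MaxSupportedOpenSSL111Version = 'u'
	MaxSupportedOpenSSL30Version  = 12
	MaxSupportedOpenSSL31Version  = 4
	MaxSupportedOpenSSL32Version  = 0
)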
// BASH_ERRNO_DEFAULT is the untyped integer constant 128. The package also
// declares BashErrnoDefault with the same value as a typed int.
// NOTE(review): presumably the default errno setting for the bash probe —
// confirm in probe_bash.go.
const (
	BASH_ERRNO_DEFAULT = 128
)
// BashErrnoDefault is the int-typed constant 128; BASH_ERRNO_DEFAULT in this
// package carries the same value untyped.
const BashErrnoDefault int = 128
// EcaptureMagic is the untyped constant 0xCC0C4CFC (fits in 32 bits).
// NOTE(review): presumably a marker value used to recognise eCapture's own
// data — confirm where it is written and checked.
const (
	EcaptureMagic = 0xCC0C4CFC
)
Variables ¶
// NotGoCompiledBin is the package-level error value whose message states that
// the inspected program was not compiled with Go. The message text is part of
// runtime output and is kept exactly as published.
var (
	NotGoCompiledBin = errors.New("It is not a program compiled in the Go language.")
)
Functions ¶
Types ¶
type GoTLSProbe ¶
type GoTLSProbe struct { MTCProbe // contains filtered or unexported fields }
GoTLSProbe represents a probe for Go SSL
func (*GoTLSProbe) Close ¶
func (g *GoTLSProbe) Close() error
func (*GoTLSProbe) DecodeFun ¶
func (g *GoTLSProbe) DecodeFun(m *ebpf.Map) (event.IEventStruct, bool)
func (*GoTLSProbe) Dispatcher ¶
func (g *GoTLSProbe) Dispatcher(eventStruct event.IEventStruct)
func (*GoTLSProbe) Events ¶
func (g *GoTLSProbe) Events() []*ebpf.Map
func (*GoTLSProbe) Name ¶
func (g *GoTLSProbe) Name() string
func (*GoTLSProbe) Start ¶
func (g *GoTLSProbe) Start() error
type IModule ¶
// IModule is the method set a capture module exposes. GetAllModules returns a
// map of IModule values and Register accepts one.
type IModule interface {
	// Init initializes the module.
	Init(context.Context, *log.Logger, config.IConfig) error

	// Name returns the name of the current module.
	Name() string

	// Run listens for and picks up events.
	Run() error

	// Start starts the module.
	Start() error

	// Stop stops the module.
	Stop() error

	// Close shuts the module down and exits.
	Close() error

	SetChild(module IModule)

	Decode(*ebpf.Map, []byte) (event.IEventStruct, error)

	Events() []*ebpf.Map

	DecodeFun(p *ebpf.Map) (event.IEventStruct, bool)

	Dispatcher(event.IEventStruct)
}
func GetModuleByName ¶
GetModuleByName 根据模块名获取modules列表
type MBashProbe ¶
type MBashProbe struct { Module // contains filtered or unexported fields }
func (*MBashProbe) Close ¶
func (b *MBashProbe) Close() error
func (*MBashProbe) DecodeFun ¶
func (b *MBashProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)
func (*MBashProbe) Dispatcher ¶
func (b *MBashProbe) Dispatcher(eventStruct event.IEventStruct)
func (*MBashProbe) Events ¶
func (b *MBashProbe) Events() []*ebpf.Map
func (*MBashProbe) Start ¶
func (b *MBashProbe) Start() error
type MGnutlsProbe ¶
type MGnutlsProbe struct { Module // contains filtered or unexported fields }
func (*MGnutlsProbe) Close ¶
func (g *MGnutlsProbe) Close() error
func (*MGnutlsProbe) DecodeFun ¶
func (g *MGnutlsProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)
func (*MGnutlsProbe) Events ¶
func (g *MGnutlsProbe) Events() []*ebpf.Map
func (*MGnutlsProbe) Start ¶
func (g *MGnutlsProbe) Start() error
type MMysqldProbe ¶
type MMysqldProbe struct { Module // contains filtered or unexported fields }
func (*MMysqldProbe) Close ¶
func (m *MMysqldProbe) Close() error
func (*MMysqldProbe) DecodeFun ¶
func (m *MMysqldProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)
func (*MMysqldProbe) Events ¶
func (m *MMysqldProbe) Events() []*ebpf.Map
func (*MMysqldProbe) Start ¶
func (m *MMysqldProbe) Start() error
type MNsprProbe ¶
type MNsprProbe struct { Module // contains filtered or unexported fields }
func (*MNsprProbe) Close ¶
func (n *MNsprProbe) Close() error
func (*MNsprProbe) DecodeFun ¶
func (n *MNsprProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)
func (*MNsprProbe) Events ¶
func (n *MNsprProbe) Events() []*ebpf.Map
func (*MNsprProbe) Start ¶
func (n *MNsprProbe) Start() error
type MOpenSSLProbe ¶
type MOpenSSLProbe struct { MTCProbe // contains filtered or unexported fields }
func (*MOpenSSLProbe) AddConn ¶
func (m *MOpenSSLProbe) AddConn(pid, fd uint32, addr string)
func (*MOpenSSLProbe) Close ¶
func (m *MOpenSSLProbe) Close() error
func (*MOpenSSLProbe) DecodeFun ¶
func (m *MOpenSSLProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)
func (*MOpenSSLProbe) DelConn ¶
func (m *MOpenSSLProbe) DelConn(pid, fd uint32)
Process exit: fd is 0, delete the whole fd map for that pid. Fd exit: pid > 0 and fd > 0, delete that fd's value. TODO: add fd * pid exit event hook.
func (*MOpenSSLProbe) Dispatcher ¶
func (m *MOpenSSLProbe) Dispatcher(eventStruct event.IEventStruct)
func (*MOpenSSLProbe) Events ¶
func (m *MOpenSSLProbe) Events() []*ebpf.Map
func (*MOpenSSLProbe) GetConn ¶
func (m *MOpenSSLProbe) GetConn(pid, fd uint32) string
func (*MOpenSSLProbe) Start ¶
func (m *MOpenSSLProbe) Start() error
type MPostgresProbe ¶
type MPostgresProbe struct { Module // contains filtered or unexported fields }
func (*MPostgresProbe) Close ¶
func (p *MPostgresProbe) Close() error
func (*MPostgresProbe) DecodeFun ¶
func (p *MPostgresProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)
func (*MPostgresProbe) Events ¶
func (p *MPostgresProbe) Events() []*ebpf.Map
func (*MPostgresProbe) Start ¶
func (p *MPostgresProbe) Start() error
type Module ¶
type Module struct {
// contains filtered or unexported fields
}
func (*Module) Dispatcher ¶
func (m *Module) Dispatcher(e event.IEventStruct)
Dispatcher 写入数据,或者上传到远程数据库,写入到其他chan 等。
type NetCaptureData ¶
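// NetCaptureData holds two 32-bit fields describing a captured packet: its
// length and an interface index. The struct is laid out one field per line so
// it parses as Go; field names, types and JSON tags are unchanged.
type NetCaptureData struct {
	PacketLength     uint32 `json:"pktLen"`  // serialized as "pktLen"
	ConfigIfaceIndex uint32 `json:"ifIndex"` // serialized as "ifIndex"
}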
func (NetCaptureData) GetSizeBytes ¶
func (NetCaptureData) GetSizeBytes() uint32
type NetEventMetadata ¶
type TcPacket ¶
type TcPacket struct {
// contains filtered or unexported fields
}
packets of TC probe
type Tls13MasterSecret ¶
type TlsCaptureModelType ¶
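// TlsCaptureModelType is a uint8 enumeration with three values.
// NOTE(review): presumably it selects the TLS capture output mode (pcap file,
// plain text, or key log) — confirm against the probe_openssl_* sources.
type TlsCaptureModelType uint8

// Enumeration values, assigned 0, 1 and 2 by iota. Declarations are restored
// to one per line; order and values are unchanged.
const (
	TlsCaptureModelTypePcap TlsCaptureModelType = iota
	TlsCaptureModelTypeText
	TlsCaptureModelTypeKeylog
)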
Source Files ¶
- const.go
- iclose.go
- imodule.go
- probe_bash.go
- probe_gnutls.go
- probe_gotls.go
- probe_gotls_keylog.go
- probe_gotls_pcap.go
- probe_gotls_text.go
- probe_mysqld.go
- probe_nspr.go
- probe_openssl.go
- probe_openssl_keylog.go
- probe_openssl_lib.go
- probe_openssl_pcap.go
- probe_openssl_text.go
- probe_pcap.go
- probe_postgres.go
- register.go