pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities.

Overview

pwru (packet, where are you?)

(logo image: the detective gopher)

pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities. It allows fine-grained introspection of kernel state to facilitate debugging network connectivity issues.

The following example shows where the packets of a curl request are dropped after installing an iptables rule:

(demo recording: a curl request traced up to the function where the iptables rule drops it)

Running

Requirements

pwru requires a Linux kernel >= 5.3. --output-skb additionally requires kernel >= 5.9.

The following kernel configuration is required.

Option                   Note
CONFIG_DEBUG_INFO_BTF=y  Available since 5.3
CONFIG_KPROBES=y
CONFIG_PERF_EVENTS=y
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y

You can use zgrep $OPTION /proc/config.gz to check whether an option is enabled. /proc/config.gz only exists when the kernel was built with CONFIG_IKCONFIG_PROC; most distributions ship the configuration as /boot/config-$(uname -r) instead, so grep $OPTION /boot/config-$(uname -r) is the fallback. Note that the option must be =y: a value of m (module) or a "# ... is not set" line does not satisfy the requirement.
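As an added example (not part of pwru), the same checks in Go: it parses a kernel config, reports which of the options in the table above are not built in, and compares the running kernel against the 5.3 and 5.9 thresholds. It reads the release string from /proc/sys/kernel/osrelease and falls back to /boot/config-<release> when /proc/config.gz is absent; the required-option list is copied from the table, everything else is this example's own choice.

```go
package main

import (
	"bufio"
	"compress/gzip"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"
)

// The kernel options the README lists as required.
var requiredOptions = []string{
	"CONFIG_DEBUG_INFO_BTF", "CONFIG_KPROBES", "CONFIG_PERF_EVENTS", "CONFIG_BPF", "CONFIG_BPF_SYSCALL",
}

// ParseKernelConfig reads "CONFIG_FOO=y" / "# CONFIG_BAR is not set" lines.
// Unset options are stored as "n" to tell "disabled" from "unknown to this kernel".
func ParseKernelConfig(r io.Reader) (map[string]string, error) {
	cfg := make(map[string]string)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case strings.HasPrefix(line, "# CONFIG_") && strings.HasSuffix(line, " is not set"):
			cfg[strings.TrimSuffix(line[2:], " is not set")] = "n"
		case strings.HasPrefix(line, "CONFIG_"):
			if k, v, ok := strings.Cut(line, "="); ok {
				cfg[k] = strings.Trim(v, `"`)
			}
		}
	}
	return cfg, sc.Err()
}

// MissingOptions returns the required options that are not built in (=y);
// "m" and "n" both count as missing.
func MissingOptions(cfg map[string]string, required []string) []string {
	var missing []string
	for _, opt := range required {
		if cfg[opt] != "y" {
			missing = append(missing, opt)
		}
	}
	return missing
}

// KernelAtLeast reports whether a uname -r string ("5.10.0-051000-generic", "6.1-rc1")
// is at least major.minor; anything after the minor number is ignored.
func KernelAtLeast(release string, major, minor int) bool {
	parts := strings.SplitN(release, ".", 3)
	if len(parts) < 2 {
		return false
	}
	minorDigits := parts[1]
	for i, c := range minorDigits { // "1-rc1" -> "1"
		if c < '0' || c > '9' {
			minorDigits = minorDigits[:i]
			break
		}
	}
	maj, err1 := strconv.Atoi(parts[0])
	mnr, err2 := strconv.Atoi(minorDigits)
	if err1 != nil || err2 != nil {
		return false
	}
	return maj > major || (maj == major && mnr >= minor)
}

// LoadHostConfig tries /proc/config.gz (only present with CONFIG_IKCONFIG_PROC) and
// falls back to /boot/config-<release>, which most distributions ship instead.
func LoadHostConfig() (map[string]string, string, error) {
	rel, err := os.ReadFile("/proc/sys/kernel/osrelease")
	if err != nil {
		return nil, "", err
	}
	release := strings.TrimSpace(string(rel))
	var src io.ReadCloser
	if f, err := os.Open("/proc/config.gz"); err == nil {
		defer f.Close()
		if src, err = gzip.NewReader(f); err != nil {
			return nil, release, err
		}
	} else if src, err = os.Open("/boot/config-" + release); err != nil {
		return nil, release, err
	}
	defer src.Close()
	cfg, err := ParseKernelConfig(src)
	return cfg, release, err
}

func main() {
	cfg, release, err := LoadHostConfig()
	if err != nil {
		fmt.Println("cannot read kernel config:", err)
		os.Exit(1)
	}
	fmt.Printf("kernel %s: >= 5.3 (pwru): %v, >= 5.9 (--output-skb): %v\n",
		release, KernelAtLeast(release, 5, 3), KernelAtLeast(release, 5, 9))
	if missing := MissingOptions(cfg, requiredOptions); len(missing) > 0 {
		fmt.Println("missing or not built in:", strings.Join(missing, ", "))
		os.Exit(1)
	}
	fmt.Println("all required kernel options are enabled")
}
```

Run it as root or as any user that can read /boot/config-*; a non-zero exit means pwru will fail to load its programs on this kernel, which is cheaper to learn here than from a verifier error.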

Downloading

You can download the statically linked x86_64 executable, which embeds the eBPF bytecode, from the release page.

Usage

Usage of ./pwru:
  -filter-dst-ip string
        filter destination IP addr
  -filter-dst-port string
        filter destination port
  -filter-mark int
        filter skb mark
  -filter-proto string
        filter L4 protocol (tcp, udp, icmp)
  -filter-src-ip string
        filter source IP addr
  -filter-src-port string
        filter source port
  -output-meta
        print skb metadata
  -output-relative-timestamp
        print relative timestamp per skb
  -output-skb
        print skb
  -output-tuple
        print L4 tuple

If multiple filters are specified, all of them have to match in order for a packet to be traced.

Developing

Dependencies

  • Go >= 1.16
  • LLVM/clang >= 12

Building

go generate .
go build .

Alternatively, you can build and run pwru in a Docker container. --privileged is required because loading BPF programs and attaching kprobes needs CAP_SYS_ADMIN (or CAP_BPF plus CAP_PERFMON on kernels >= 5.8):

docker build -t pwru .
docker run --privileged -it pwru [filter1] [filtern]

Contributing

pwru is an open source project licensed under GPLv2. Everybody is welcome to contribute. Contributors are required to follow the Contributor Covenant Code of Conduct and must adhere to the Developer Certificate of Origin by adding a Signed-off-by line to their commit messages.

Logo Credits

The detective gopher is based on the Go gopher designed by Renee French.

Issues
  • Wrap `BPF_CORE_*` helper calls with kernel version checks

    Wrap `BPF_CORE_*` helper calls with kernel version checks

    Hi,

    I am trying to use pwru to troubleshoot issue https://github.com/cilium/cilium/issues/17528. This is on a 5.4 kernel; I got this error:

    [[email protected] pwru]# ./pwru --filter-dst-ip=10.169.72.236 --filter-dst-port=8472 --filter-proto=udp --output-stack

    2021/10/20 13:24:35 Loading objects: field KprobeSkb1: program kprobe_skb_1: load program: invalid argument: ; int kprobe_skb_1(struct pt_regs *ctx) {
    0: (bf) r6 = r1
    ; struct sk_buff *skb = (struct sk_buff *) PT_REGS_PARM1(ctx);
    1: (79) r9 = *(u64 *)(r6 +112)
    2: (b7) r1 = 0
    ; struct event_t event = {};
    3: (7b) *(u64 *)(r10 -56) = r1
    last_idx 3 first_idx 0
    regs=2 stack=0 before 2: (b7) r1 = 0
    4: (7b) *(u64 *)(r10 -64) = r1
    5: (7b) *(u64 *)(r10 -72) = r1
    6: (7b) *(u64 *)(r10 -80) = r1
    7: (7b) *(u64 *)(r10 -88) = r1
    8: (7b) *(u64 *)(r10 -96) = r1
    9: (7b) *(u64 *)(r10 -104) = r1
    10: (7b) *(u64 *)(r10 -112) = r1
    11: (7b) *(u64 *)(r10 -120) = r1
    12: (7b) *(u64 *)(r10 -128) = r1
    13: (7b) *(u64 *)(r10 -136) = r1
    ; u32 index = 0;
    14: (63) *(u32 *)(r10 -140) = r1
    15: (bf) r2 = r10
    ; 
    16: (07) r2 += -140
    ; struct config *cfg = bpf_map_lookup_elem(&cfg_map, &index);
    17: (18) r1 = 0xffff9c67d9e55400
    19: (85) call bpf_map_lookup_elem#1
    20: (bf) r7 = r0
    ; if (cfg) {
    21: (15) if r7 == 0x0 goto pc+430
     R0_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R6_w=ctx(id=0,off=0,imm=0) R7_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R9_w=inv(id=0) R10=fp0 fp-56_w=00000000 fp-64_w=00000000 fp-72_w=00000000 fp-80_w=00000000 fp-88_w=00000000 fp-96_w=00000000 fp-104_w=00000000 fp-112_w=00000000 fp-120_w=00000000 fp-128_w=00000000 fp-136_w=00000000 fp-144=mmmm????
    ; if (cfg->mark) {
    22: (71) r1 = *(u8 *)(r7 +1)
     R0_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R6_w=ctx(id=0,off=0,imm=0) R7_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R9_w=inv(id=0) R10=fp0 fp-56_w=00000000 fp-64_w=00000000 fp-72_w=00000000 fp-80_w=00000000 fp-88_w=00000000 fp-96_w=00000000 fp-104_w=00000000 fp-112_w=00000000 fp-120_w=00000000 fp-128_w=00000000 fp-136_w=00000000 fp-144=mmmm????
    23: (67) r1 <<= 8
    24: (71) r2 = *(u8 *)(r7 +0)
     R0_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0,umax_value=65280,var_off=(0x0; 0xff00)) R6_w=ctx(id=0,off=0,imm=0) R7_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R9_w=inv(id=0) R10=fp0 fp-56_w=00000000 fp-64_w=00000000 fp-72_w=00000000 fp-80_w=00000000 fp-88_w=00000000 fp-96_w=00000000 fp-104_w=00000000 fp-112_w=00000000 fp-120_w=00000000 fp-128_w=00000000 fp-136_w=00000000 fp-144=mmmm????
    25: (4f) r1 |= r2
    26: (71) r2 = *(u8 *)(r7 +2)
     R0_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R2_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R6_w=ctx(id=0,off=0,imm=0) R7_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R9_w=inv(id=0) R10=fp0 fp-56_w=00000000 fp-64_w=00000000 fp-72_w=00000000 fp-80_w=00000000 fp-88_w=00000000 fp-96_w=00000000 fp-104_w=00000000 fp-112_w=00000000 fp-120_w=00000000 fp-128_w=00000000 fp-136_w=00000000 fp-144=mmmm????
    27: (71) r3 = *(u8 *)(r7 +3)
     R0_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R2_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R6_w=ctx(id=0,off=0,imm=0) R7_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R9_w=inv(id=0) R10=fp0 fp-56_w=00000000 fp-64_w=00000000 fp-72_w=00000000 fp-80_w=00000000 fp-88_w=00000000 fp-96_w=00000000 fp-104_w=00000000 fp-112_w=00000000 fp-120_w=00000000 fp-128_w=00000000 fp-136_w=00000000 fp-144=mmmm????
    28: (67) r3 <<= 8
    29: (4f) r3 |= r2
    30: (67) r3 <<= 16
    31: (4f) r3 |= r1
    ; if (cfg->mark) {
    32: (15) if r3 == 0x0 goto pc+19
     R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1=inv(id=0) R2=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R3=inv(id=0) R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=4,vs=48,imm=0) R9=inv(id=0) R10=fp0 fp-56=00000000 fp-64=00000000 fp-72=00000000 fp-80=00000000 fp-88=00000000 fp-96=00000000 fp-104=00000000 fp-112=00000000 fp-120=00000000 fp-128=00000000 fp-136=00000000 fp-144=mmmm????
    33: (b7) r1 = 164
    34: (bf) r3 = r9
    35: (0f) r3 += r1
    36: (bf) r1 = r10
    ; 
    37: (07) r1 += -24
    ; mark = BPF_CORE_READ(skb, mark);
    38: (b7) r2 = 4
    39: (85) call unknown#113
    invalid func unknown#113
    processed 39 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
    enhancement help wanted 
    opened by vincentmli 19
  • Perf event ring buffer full, dropped 16 samples

    Perf event ring buffer full, dropped 16 samples

    [email protected]:~# ./pwru --filter-proto icmp  --output-tuple
    2022/01/21 04:44:15 Attaching kprobes...
    577 / 577 [---------------------------------------------------------------------------------------------------------------------------------] 100.00% 34 p/s
    2022/01/21 04:44:32 Attached (ignored 13)
    2022/01/21 04:44:32 Listening for events..
                   SKB         PROCESS                     FUNC        TIMESTAMP
    0xffff96f353734300          [ping]           __ip_local_out   52052971636335 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]                ip_output   52052971655120 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]             nf_hook_slow   52052971658827 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping] __cgroup_bpf_run_filter_skb   52052971662013 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]     neigh_resolve_output   52052971666902 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]       __neigh_event_send   52052971669217 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]               eth_header   52052971673094 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]                 skb_push   52052971676681 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]           dev_queue_xmit   52052971678785 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]      netdev_core_pick_tx   52052971681881 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]       netif_skb_features   52052971684686 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]  passthru_features_check   52052971686700 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]     skb_network_protocol   52052971689855 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]       validate_xmit_xfrm   52052971693733 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]      dev_hard_start_xmit   52052971695646 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]   skb_clone_tx_timestamp   52052971699343 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]        __dev_forward_skb   52052971701788 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]         skb_scrub_packet   52052971704002 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]           eth_type_trans   52052971706256 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]                 netif_rx   52052971708560 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]     tcf_classify_ingress   52052971727115 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]      skb_ensure_writable   52052971788730 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]      skb_ensure_writable   52052971790414 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]      skb_ensure_writable   52052971791676 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]      skb_ensure_writable   52052971792948 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]          skb_do_redirect   52052971820830 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]                   ip_rcv   52052971825740 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]               sock_wfree   52052971829246 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]     ip_route_input_noref   52052971832592 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]       ip_route_input_rcu   52052971834256 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]      fib_validate_source   52052971839766 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]         ip_local_deliver   52052971843844 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]  ip_protocol_deliver_rcu   52052971846338 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]        raw_local_deliver   52052971848362 10.0.1.30:0->10.0.1.23:0(icmp)
    2022/01/21 04:44:35 Perf event ring buffer full, dropped 3 samples
    0xffff96f353734300          [ping]     fib_compute_spec_dst   52052971858761 10.0.1.30:0->10.0.1.23:0(icmp)
    2022/01/21 04:44:35 Perf event ring buffer full, dropped 5 samples
    0xffff96f353734b00          [ping]     neigh_resolve_output   52052971871024 10.0.1.23:0->10.0.1.30:0(icmp)
    2022/01/21 04:44:35 Perf event ring buffer full, dropped 16 samples
    0xffff96f353734300       [<empty>]   skb_release_head_state   52052971885111 10.0.1.30:0->10.0.1.23:0(icmp)
    2022/01/21 04:44:35 Perf event ring buffer full, dropped 1 samples
    0xffff96f353734b00       [<empty>]      skb_ensure_writable   52052971919565 10.0.1.23:0->10.0.1.30:0(icmp)
    0xffff96f353734b00       [<empty>]      skb_ensure_writable   52052971921188 10.0.1.23:0->10.0.1.30:0(icmp)
    2022/01/21 04:44:35 Perf event ring buffer full, dropped 2 samples
    0xffff96f353734b00       [<empty>]          skb_do_redirect   52052971938721 10.0.1.23:0->10.0.1.30:0(icmp)
    2022/01/21 04:44:35 Perf event ring buffer full, dropped 13 samples
    0xffff96f353734300       [<empty>]       sk_filter_trim_cap   52052971953108 10.0.1.23:0->10.0.1.30:0(icmp)
    2022/01/21 04:44:35 Perf event ring buffer full, dropped 9 samples
    0xffff96f353734300       [<empty>]        skb_free_datagram   52052971971122 10.0.1.23:0->10.0.1.30:0(icmp)
    ^C2022/01/21 04:44:43 Received signal, exiting program..
    [email protected]:~#
    
    
    [email protected]:~# kubectl get pods -o wide
    NAME        READY   STATUS    RESTARTS   AGE   IP           NODE   NOMINATED NODE   READINESS GATES
    cni-bpz2q   1/1     Running   0          14h   10.0.1.23    bpf2   <none>           <none>
    cni-hx8gz   1/1     Running   0          14h   10.0.0.159   bpf1   <none>           <none>
    same        1/1     Running   0          79s   10.0.1.30    bpf2   <none>           <none>
    [email protected]:~# kubectl exec -it same -- ping -c 1 10.0.1.23
    PING 10.0.1.23 (10.0.1.23): 56 data bytes
    64 bytes from 10.0.1.23: seq=0 ttl=63 time=0.269 ms
    
    --- 10.0.1.23 ping statistics ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 0.269/0.269/0.269 ms
    

    What about this issue when monitoring two pods communicating with each other on the same node?

    2022/01/21 04:44:35 Perf event ring buffer full, dropped 3 samples

    Does it mean that the ring buffer is full? ENV:

    [email protected]:~# uname -a
    Linux bpf2 5.10.0-051000-generic #202012132330 SMP Sun Dec 13 23:33:36 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
    [email protected]:~#
    
    opened by BurlyLuo 14
  • Not able to run pwru with --filter-dst-port option due to OOM

    Not able to run pwru with --filter-dst-port option due to OOM

    [[email protected] ~]$ sudo ./pwru --filter-dst-port=11211
    2022/01/07 03:50:20 Attaching kprobes...
    473 / 1333 [-----------------------------------------------   35.48% 17 p/s
    Killed
    

    I am able to run pwru with just sudo ./pwru, but not able to apply any filters.

    bug 
    opened by achilles-git 7
  • Build static binaries by default, various other improvements

    Build static binaries by default, various other improvements

    Make sure statically linked binaries are built for the release. Also drop the dependency on github.com/cilium/cilium to avoid pulling in lots of transitive dependencies.

    See individual commit messages for details.

    opened by tklauser 6
  • Can only probe kfree_skb?

    Can only probe kfree_skb?

    The kernel calls kfree_skb when the packet is finally dropped, and most of the time this is the first thing we look at, so we can print out the kernel stack and get a general idea of the problem. However, the current default is to probe all functions that contain skb, which is a bit time consuming.

    enhancement 
    opened by duanjiong 6
  • Allow pod names/labels as filters

    Allow pod names/labels as filters

    Currently, users are required to specify source/destination pod IP addresses as filters. Allow users to pass pod identifiers such as name or label along with the namespace as filters. The mapping from pod identifiers to their IPs can potentially be retrieved from Hubble.

    enhancement 
    opened by aditighag 5
  • build failure

    build failure

    [Sun Oct 17 21:42:38][#94# ] (master)$go build main.go

    command-line-arguments

    ./main.go:68:15: undefined: signal.NotifyContext
    ./main.go:85:11: undefined: KProbePWRUObjects
    ./main.go:86:13: undefined: LoadKProbePWRUObjects
    ./main.go:99:11: undefined: KProbePWRUWithoutOutputSKBObjects
    ./main.go:100:13: undefined: LoadKProbePWRUWithoutOutputSKBObjects
    note: module requires Go 1.17

    opened by zhangbo1882 5
  • Add argument per-cpu-buffer and fix Vagrant setup

    Add argument per-cpu-buffer and fix Vagrant setup

    Following up on this comment https://github.com/cilium/pwru/issues/46#issuecomment-1023213310, this adds a new command line argument to set the per-CPU buffer. It also fixes an issue in the Vagrant setup where llvm-strip is not in $PATH and make fails.

    opened by dezmodue 4
  • support output stack

    support output stack

    1. add options --output-stack
    2. Added a bpf map of type BPF_MAP_TYPE_STACK_TRACE to hold the stack, with a maximum stack depth of 50
    3. sort the symbols in /proc/kallsyms, then find the closest symbol and print it

    Signed-off-by: Duan Jiong [email protected]

    opened by duanjiong 4
  • refactor filter config map

    refactor filter config map

    1. use array map instead of hash map
    2. reorder the internal logic inside the filter_l3_and_l4 function to make it look smoother

    Signed-off-by: Duan Jiong [email protected]

    opened by duanjiong 4
  • [Question] How are each of the kprobe programs getting access to the `sk_buff`

    [Question] How are each of the kprobe programs getting access to the `sk_buff`

    I noticed in the section of the code below that there are 5 kprobe programs, and each of them reads the sk_buff for the intercepted data from a different parameter, 1-5 respectively.

    The question is, what is the significance of PT_REGS_PARMx, and also why do we need 5 kprobe programs?

    https://github.com/cilium/pwru/blob/master/bpf/kprobe_pwru.c#L359-L392

    opened by nitishm 3
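As an added example (not pwru's own code: pwru derives the real function list and argument positions from the kernel's BTF, which is one reason CONFIG_DEBUG_INFO_BTF is required), the bookkeeping that five programs reading PT_REGS_PARM1..5 imply. A kprobe sees only the raw argument registers, so for every function to be traced one has to know which parameter is the `struct sk_buff *` and attach the program that reads that register. The prototypes below are a constructed sample, `example_late_skb` is hypothetical, and splitting parameter lists on commas is this example's shortcut, not how pwru does it.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of kernel function prototypes. pwru takes the real list from
// the kernel's BTF; this example only parses prototype strings.
var samplePrototypes = []string{
	"void kfree_skb(struct sk_buff *skb);",
	"int dev_queue_xmit(struct sk_buff *skb);",
	"int ip_output(struct net *net, struct sock *sk, struct sk_buff *skb);",
	"int __ip_local_out(struct net *net, struct sock *sk, struct sk_buff *skb);",
	"int neigh_resolve_output(struct neighbour *neigh, struct sk_buff *skb);",
	"struct sk_buff *skb_clone(struct sk_buff *skb, gfp_t priority);",
	"int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev);",
	"struct net_device *dev_get_by_index(struct net *net, int ifindex);",
	// Hypothetical prototype, constructed to show an skb beyond the fifth parameter.
	"int example_late_skb(int a, int b, int c, int d, int e, struct sk_buff *skb);",
}

// One kprobe program per argument register that pwru reads (PT_REGS_PARM1..5).
const maxSkbParam = 5

// skbParamIndex returns the function name and the 1-based position of the first
// parameter of type 'struct sk_buff *' (const or not), or 0 when there is none.
// The return type is ignored on purpose: skb_clone returns an skb, but only its
// argument is visible to a kprobe at function entry. Parameter lists are split on
// commas, which is enough for plain kernel prototypes (function-pointer parameters
// are not handled).
func skbParamIndex(proto string) (name string, pos int) {
	open := strings.Index(proto, "(")
	closeIdx := strings.LastIndex(proto, ")")
	if open < 1 || closeIdx < open {
		return "", 0
	}
	head := strings.Fields(proto[:open])
	if len(head) == 0 {
		return "", 0
	}
	name = strings.TrimLeft(head[len(head)-1], "*")
	for i, p := range strings.Split(proto[open+1:closeIdx], ",") {
		p = strings.TrimPrefix(strings.TrimSpace(p), "const ")
		if strings.HasPrefix(p, "struct sk_buff *") && !strings.HasPrefix(p, "struct sk_buff **") {
			return name, i + 1
		}
	}
	return name, 0
}

// AssignPrograms maps every function to the kprobe program that reads its skb
// (kprobe_skb_1 ... kprobe_skb_5). Functions without an skb parameter, or with the
// skb beyond the fifth parameter, are ignored because none of the five programs
// could read it.
func AssignPrograms(protos []string) (byProgram map[string][]string, ignored []string) {
	byProgram = make(map[string][]string)
	for _, proto := range protos {
		name, pos := skbParamIndex(proto)
		if name == "" {
			continue
		}
		if pos == 0 || pos > maxSkbParam {
			ignored = append(ignored, name)
			continue
		}
		prog := fmt.Sprintf("kprobe_skb_%d", pos)
		byProgram[prog] = append(byProgram[prog], name)
	}
	for _, fns := range byProgram {
		sort.Strings(fns)
	}
	return byProgram, ignored
}

func main() {
	byProgram, ignored := AssignPrograms(samplePrototypes)
	for i := 1; i <= maxSkbParam; i++ {
		prog := fmt.Sprintf("kprobe_skb_%d", i)
		fmt.Printf("%s reads PT_REGS_PARM%d: %s\n", prog, i, strings.Join(byProgram[prog], ", "))
	}
	fmt.Printf("ignored (%d): %s\n", len(ignored), strings.Join(ignored, ", "))
}
```

The "ignored" count is the part worth watching in practice: a function whose skb is not among the parameters the programs read simply never shows up in the trace, which can look like a packet vanishing between two probed functions.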
  • Func name resolution is broken on 5.18

    Func name resolution is broken on 5.18

    On 5.18, both PT_REGS_IP(ctx) and bpf_get_func_ip(ctx) return addrs which are +4 compared to 5.17. This breaks IP => func name resolution via /proc/kallsyms.

    @YutaroHayakawa found this commit https://github.com/torvalds/linux/commit/7f0059b58f0257d895fafd2f2e3afe3bbdf21e64 which might explain the +4.

    To apply the same fix we might need to teach https://github.com/cilium/ebpf how to load the kernel config.

    bug 
    opened by brb 0
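As an added example (not pwru's code), the kallsyms resolution described in the "support output stack" PR above (sort the /proc/kallsyms symbols, then find the closest one) together with the +4 shift from this issue: an exact-address lookup misses once the reported IP is the function start plus 4, while a nearest-preceding-symbol lookup still resolves it, and the shift can be subtracted up front when the kernel is known to have it. The kallsyms excerpt is constructed with made-up addresses; `entryShift` stands in for whatever kernel-config check decides that the shift applies, and the reading of the +4 as a 4-byte instruction at function entry is this example's assumption, not a statement from the issue.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"sort"
	"strconv"
	"strings"
)

// Symbol is one text symbol from /proc/kallsyms.
type Symbol struct {
	Addr uint64
	Name string
}

// Constructed /proc/kallsyms excerpt: addresses are made up, and one data symbol
// is included to show that only text symbols are kept.
const sampleKallsyms = `ffffffff81a20000 T __ip_local_out
ffffffff81a200f0 T ip_output
ffffffff81a20340 t ip_finish_output2
ffffffff81a20a00 T ip_local_deliver
ffffffff81b10000 D some_data_symbol
ffffffff81a21000 T kfree_skb
`

// ParseKallsyms keeps text symbols (T/t) and returns them sorted by address,
// which is what a nearest-symbol search needs.
func ParseKallsyms(r io.Reader) ([]Symbol, error) {
	var syms []Symbol
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 3 || (fields[1] != "T" && fields[1] != "t") {
			continue
		}
		addr, err := strconv.ParseUint(fields[0], 16, 64)
		if err != nil {
			return nil, err
		}
		syms = append(syms, Symbol{Addr: addr, Name: fields[2]})
	}
	sort.Slice(syms, func(i, j int) bool { return syms[i].Addr < syms[j].Addr })
	return syms, sc.Err()
}

// Exact returns the symbol that starts exactly at ip, or "". This is the lookup
// that stops working when the reported IP is shifted by 4 bytes.
func Exact(syms []Symbol, ip uint64) string {
	i := sort.Search(len(syms), func(i int) bool { return syms[i].Addr >= ip })
	if i < len(syms) && syms[i].Addr == ip {
		return syms[i].Name
	}
	return ""
}

// Nearest returns the symbol with the greatest start address <= ip and the offset
// into it. It tolerates the +4 shift and any other in-function address, such as a
// return address in a stack trace.
func Nearest(syms []Symbol, ip uint64) (name string, off uint64) {
	i := sort.Search(len(syms), func(i int) bool { return syms[i].Addr > ip })
	if i == 0 {
		return "", 0
	}
	return syms[i-1].Name, ip - syms[i-1].Addr
}

// FuncName resolves a kprobe IP: subtract the entry shift when the kernel is known
// to add one (assumed here to be a 4-byte instruction at function entry), try an
// exact match, and otherwise fall back to the nearest preceding symbol.
func FuncName(syms []Symbol, ip uint64, entryShift uint64) string {
	ip -= entryShift
	if name := Exact(syms, ip); name != "" {
		return name
	}
	name, off := Nearest(syms, ip)
	if name == "" {
		return fmt.Sprintf("0x%x", ip)
	}
	return fmt.Sprintf("%s+0x%x", name, off)
}

func main() {
	syms, _ := ParseKallsyms(strings.NewReader(sampleKallsyms))
	ip := uint64(0xffffffff81a200f0) // what PT_REGS_IP reports for ip_output before the shift
	fmt.Println("unshifted IP, exact match:   ", FuncName(syms, ip, 0))
	fmt.Println("shifted IP, exact match hits:", Exact(syms, ip+4) != "")
	fmt.Println("shifted IP, shift subtracted:", FuncName(syms, ip+4, 4))
	fmt.Println("shifted IP, nearest symbol:  ", FuncName(syms, ip+4, 0))
}
```

Subtracting the shift is the right fix for the kprobe entry address, since it restores a clean symbol name; the nearest-symbol fallback is still worth keeping for stack-trace addresses, which point into the middle of functions anyway.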
  • Print packet drop reason collected from `kfree_skb_reason`

    Print packet drop reason collected from `kfree_skb_reason`

    Details are in the lwn article - https://lwn.net/Articles/885729/.

    This information is not actually useful to the kernel, but it has been added to the existing kfree_skb tracepoint, making it available to any program that connects to that tracepoint.

    It looks like the drop reasons are available with the existing trace point.

    enhancement 
    opened by aditighag 1
  • failed to `--output-skb`

    failed to `--output-skb`

    # ./pwru --output-skb
    2021/11/25 16:47:00 Loading objects: field KprobeSkb1: program kprobe_skb_1: load program: invalid argument: BPF_STX uses reserved fields
    processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
    

    The running OS:

    # lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 21.04
    Release:        21.04
    Codename:       hirsute
    
    # uname -a
    Linux pagani 5.11.0-31-generic #33-Ubuntu SMP Wed Aug 11 13:19:04 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
    

    bpf:

    # cat /boot/config-$(uname -r) | grep BPF
    CONFIG_CGROUP_BPF=y
    CONFIG_BPF=y
    CONFIG_BPF_LSM=y
    CONFIG_BPF_SYSCALL=y
    CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
    CONFIG_BPF_JIT_ALWAYS_ON=y
    CONFIG_BPF_JIT_DEFAULT_ON=y
    # CONFIG_BPF_PRELOAD is not set
    CONFIG_IPV6_SEG6_BPF=y
    CONFIG_NETFILTER_XT_MATCH_BPF=m
    CONFIG_BPFILTER=y
    CONFIG_BPFILTER_UMH=m
    CONFIG_NET_CLS_BPF=m
    CONFIG_NET_ACT_BPF=m
    CONFIG_BPF_JIT=y
    CONFIG_BPF_STREAM_PARSER=y
    CONFIG_LWTUNNEL_BPF=y
    CONFIG_HAVE_EBPF_JIT=y
    CONFIG_BPF_EVENTS=y
    CONFIG_BPF_KPROBE_OVERRIDE=y
    CONFIG_TEST_BPF=m
    
    # cat /boot/config-$(uname -r) | grep BTF
    CONFIG_VIDEO_SONY_BTF_MPX=m
    CONFIG_DEBUG_INFO_BTF=y
    CONFIG_PAHOLE_HAS_SPLIT_BTF=y
    CONFIG_DEBUG_INFO_BTF_MODULES=y
    

    llvm:

    # llc --version
    LLVM (http://llvm.org/):
      LLVM version 12.0.0
    
      Optimized build.
      Default target: x86_64-pc-linux-gnu
      Host CPU: skylake
    
      Registered Targets:
        bpf        - BPF (host endian)
        bpfeb      - BPF (big endian)
        bpfel      - BPF (little endian)
    

    How the error happens

    I run Ubuntu 21.04 as a VirtualBox VM. After go generate, go build and ./pwru --output-skb, the error appears.

    What I tried

    check the kprobe_pwru.c:

    static __always_inline void
    set_skb_btf(struct sk_buff *skb, typeof(print_skb_id) *event_id) {
    #ifdef OUTPUT_SKB
    	static struct btf_ptr p = {};
    	typeof(print_skb_id) id;
    	char *str;
    
    	p.type_id = bpf_core_type_id_kernel(struct sk_buff);
    	p.ptr = skb;
    	id = __sync_fetch_and_add(&print_skb_id, 1) % 256;
    
    	str = bpf_map_lookup_elem(&print_skb_map, (u32 *) &id);
    	if (!str)
    		return;
    
    	if (bpf_snprintf_btf(str, PRINT_SKB_STR_SIZE, &p, sizeof(p), 0) < 0)
    		return;
    
    	*event_id = id;
    #endif
    }
    

    check the kernel bpf verifier.c:

    		if (BPF_CLASS(insn->code) == BPF_STX &&
    		    ((BPF_MODE(insn->code) != BPF_MEM &&
    		      BPF_MODE(insn->code) != BPF_XADD) || insn->imm != 0)) {
    			verbose(env, "BPF_STX uses reserved fields\n");
    			return -EINVAL;
    		}
    

    and learn BPF and XDP Reference Guide:

    BPF_ST, BPF_STX: Both classes are for store operations. Similar to BPF_LDX the BPF_STX is the store counterpart and is used to store the data from a register into memory, which, again, can be stack memory, map value, packet data, etc. BPF_STX also holds special instructions for performing word and double-word based atomic add operations, which can be used for counters, for example. The BPF_ST class is similar to BPF_STX by providing instructions for storing data into memory only that the source operand is an immediate value.
    

    also to check its assembly code:

    # clang -I./bpf/headers -O2 -target bpf -c bpf/kprobe_pwru.c -o kprobe_pwru.elf -g -DOUTPUT_SKB
    # llvm-objdump -S ./kprobe_pwru.elf > kprobe_pwru.elf.txt
    

    But at the end, I don't know how to fix it.

    bug 
    opened by Asphaltt 4
  • introduce builtin memcmp etc., like bpf in cilium

    introduce builtin memcmp etc., like bpf in cilium

    When writing bpf programs, you may need to use some basic memory operations, such as memcmp, etc.

    https://github.com/cilium/cilium/blob/master/bpf/include/bpf/builtins.h

    enhancement help wanted 
    opened by duanjiong 6
Releases(v0.0.4)
  • v0.0.4(Jul 21, 2022)

    We are pleased to release the 0.0.4 version of pwru.

    The major changes include:

    • Kernel modules support #64 (@brb)
    • Support kernels w/o BTF #71 (@Asphaltt)

    Full changelog:

    • 2625e36 - Bump KyleMayes/install-llvm-action from 1.5.3 to 1.5.4 (dependabot)
    • 4a04b90 - Bump actions/cache from 3.0.4 to 3.0.5 (dependabot)
    • 61a3d0a - Bump github.com/cheggaaa/pb/v3 from 3.0.8 to 3.1.0 (dependabot)
    • 13ed259 - Update README.md (@brb)
    • bed215a - Add --kmods (@brb)
    • 3e2aa32 - Update cilium/ebpf (@brb)
    • c8620f9 - Run with specified kernel BTF file (@Asphaltt)
    • 4044993 - make: run release build as regular user (@tklauser)
    • 7396d9d - .gitignore: ignore release directory (@tklauser)
    • 3e7141c - Update Go to 1.18.3, alpine to 3.16 (@tklauser)
    • db7466b - Silence clang build warnings complaining address-of-packed-member (@chendotjs)
    • c18ec7b - Makefile: fix release target (@chendotjs)
    • 482c349 - Fix again min kernel vsn in README.md (@brb)
    • 4a066b0 - Bump actions/cache from 3.0.3 to 3.0.4 (dependabot)
    • c9fba89 - Bump actions/cache from 3.0.2 to 3.0.3 (dependabot)
    • ebaab02 - go.mod, vendor: update github.com/cilium/ebpf to v0.9.0 (@tklauser)
    • c8f45af - Bump KyleMayes/install-llvm-action from 1.4.1 to 1.5.3 (dependabot)
    • 91a539a - .github: un-ignore cilium/ebpf in dependabot config (@tklauser)
    • 8a2bb78 - go.mod: update to Go 1.18 (@tklauser)
    • 932cd15 - .github/workflows: build release with Go 1.18 (@tklauser)
    • f81d64e - Switch to gh/cilium/ebpf (@brb)
    • 20c3741 - Bump actions/checkout from 2 to 3 (dependabot)
    • 5ec925b - Bump actions/setup-go from 2 to 3 (dependabot)
    • 0abfd13 - .github: fix label for dependabot PRs (@tklauser)
    • e51fbd1 - Bump actions/cache from 2.1.6 to 3.0.2 (dependabot)
    • 1d42d3f - make: allow running git status during release build (@tklauser)
    • 17c6410 - Update Go to 1.18.2 (@tklauser)
    • 077fd49 - .github: add dependabot configuration (@tklauser)
    • 4c25bb1 - Better defaults for per-cpu-buffer (@dezmodue)
    • 0597bc4 - Add argument per-cpu-buffer and fix Vagrant setup (@dezmodue)
    • f9f48c0 - Bump cilium/bpf dependency (@brb)
    • fb02554 - doc: Add a known issue doc with OOM issue description (@YutaroHayakawa)
    • 45d5182 - install make to build binary inside VM (@Shikugawa)
    Source code(tar.gz)
    Source code(zip)
    pwru-linux-amd64.tar.gz(1.53 MB)
    pwru-linux-amd64.tar.gz.sha256sum(90 bytes)
    pwru-linux-arm64.tar.gz(1.41 MB)
    pwru-linux-arm64.tar.gz.sha256sum(90 bytes)
  • v0.0.3(Jan 25, 2022)

    We are pleased to release the 0.0.3 version of pwru.

    The major changes include:

    • ARM64 support (@tklauser)
    • Various improvements to output such as limiting output size (@Asphaltt)
    • Filtering network namespace (@Asphaltt)
    • Automating release process (@tklauser)

    Full changelog:

    • ad9a560 - Makefile: fix arm64 cross release build @tklauser
    • d3da8d9 - Dockerfile, README.md: consistently use make to build pwru @tklauser
    • 18e1063 - Makefile: set CGO_ENABLED=0 to build statically linked binaries @tklauser
    • a799086 - Drop dependency on github.com/cilium/cilium @tklauser
    • 722d306 - .github/workflows: check Go module vendoring @tklauser
    • d672722 - Revert "support output cpu" @brb
    • 8c3ac7f - Makefile: fix release target @tklauser
    • b59d564 - RELEASE.md: document release process @tklauser
    • cfce136 - .github/workflows: add release workflow @tklauser
    • eb02934 - README.md: use make in build instructions @tklauser
    • ce9cb04 - Add minimal Makefile @tklauser
    • 6ae255d - Add --version flag to report pwru version @tklauser
    • ea2dca0 - internal/pwru: Match entire string for --filter-func @ypl-coffee
    • ec75700 - internal/pwru: fix printing of function names on arm64 @tklauser
    • 9f9e33b - bpf/headers: add separate vmlinux.h for arm64 @tklauser
    • 303ea8d - Include bpf_tracing.h for PT_REGS_* macros @tklauser
    • d4006b5 - go.mod, vendor: update cilium to v1.11.0 @tklauser
    • 12b7ed8 - tools: add dummy package for bpf2go vendoring @tklauser
    • a992490 - bpf/headers: add script to update headers from libbpf @tklauser
    • 015a734 - support output cpu @Asphaltt
    • 35f8017 - add option --output-limit-lines @Asphaltt
    • 534118d - Update README.md @szuecs
    • e9dda50 - add option --filter-netns @Asphaltt
    Source code(tar.gz)
    Source code(zip)
    pwru-linux-amd64.tar.gz(1.91 MB)
    pwru-linux-amd64.tar.gz.sha256sum(90 bytes)
    pwru-linux-arm64.tar.gz(1.74 MB)
    pwru-linux-arm64.tar.gz.sha256sum(90 bytes)
  • v0.0.2(Oct 25, 2021)

    We are pleased to release the 0.0.2 version of pwru.

    The major changes include:

    • The new filter param --filter-func which selects to which functions pwru should attach the BPF tracing programs. It accepts regexp syntax (RE2). This can be used to drastically reduce the load time (@duanjiong).
    • IPv6 support both in filtering and outputting tuples (@duanjiong).
    • Optimize the configuration retrieval in the BPF programs (@duanjiong).

    The pwru asset includes the statically linked binary for x86_64 arch (amd64) which includes the eBPF bytecode.

    Contributors:

    • @brb
    • @duanjiong
    • @mfrw
    • @twpayne
    Source code(tar.gz)
    Source code(zip)
    pwru(6.68 MB)
  • v0.0.1(Oct 15, 2021)

    We are pleased to release the very first version of pwru.

    The first version includes the basic filtering based on the following filters:

    • --filter-mark (skb mark)
    • --filter-proto (L4 protocol; udp, tcp, icmp)
    • --filter-{src,dst}-ip (IPv4 addr)
    • --filter-{src,dst}-port (TCP/UDP port)

    The output can be enhanced by the following options:

    • --output-tuple (prints L3/L4 tuple)
    • --output-skb (prints skb with BTF)
    • --output-meta (prints some skb's metadata)
    • --output-relative-timestamp (prints relative timestamp; useful for identifying performance issues)

    The pwru asset includes the statically linked binary for x86_64 arch (amd64) which includes the eBPF bytecode.

    Contributors:

    • @aditighag
    • @brb
    • @gandro
    Source code(tar.gz)
    Source code(zip)
    pwru(6.59 MB)
Owner
Cilium
eBPF-based Networking, Security, and Observability