I am trying to write a small eBPF program to capture per-process network I/O statistics. I use kprobes and kretprobes attached to sock_recvmsg and sock_sendmsg to track every message sent or received on a socket.
Because there are different kinds of sockets, I try to filter them down to only AF_INET and AF_INET6 so that I know they are "internet" sockets.
When I try to access sk->__sk_common.skc_family, what I get back looks like random numbers rather than an address family.
#define AF_INET 2
#define AF_INET6 10

SEC("kprobe/sock_recvmsg")
int kprobe_sock_recvmsg(struct sock *sk)
{
    u16 family;

    // read the address family out of the socket structure
    bpf_probe_read_kernel(&family, sizeof(family), &sk->__sk_common.skc_family);
    bpf_printk("kprobe/sock_recvmsg family 3: %d", family);

    if (family == AF_INET || family == AF_INET6) {
        u32 tid = bpf_get_current_pid_tgid() >> 32;
        bpf_printk("kprobe/sock_recvmsg tid: %d", tid);
        u32 value = 1; // is internet socket
        bpf_map_update_elem(&inetsocket, &tid, &value, BPF_ANY);
    }
    return 0;
}
systemd-logind-1970 [000] ...21 71721.952455: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
systemd-logind-1970 [000] ...21 71721.952458: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
systemd-logind-1970 [000] ...21 71721.952462: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
dbus-broker-1978 [000] ...21 71721.952472: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
dbus-broker-1978 [000] ...21 71721.952488: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
systemd-1 [000] ...21 71721.952518: bpf_trace_printk: kprobe/sock_recvmsg family 3: 47312
systemd-1 [000] ...21 71721.952521: bpf_trace_printk: kprobe/sock_recvmsg family 3: 47312
systemd-1 [000] ...21 71721.952557: bpf_trace_printk: kprobe/sock_recvmsg family 3: 46112
dbus-broker-1978 [000] ...21 71721.952567: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
dbus-broker-1978 [000] ...21 71721.952595: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
systemd-1 [000] ...21 71721.952602: bpf_trace_printk: kprobe/sock_recvmsg family 3: 46112
systemd-1 [000] ...21 71721.952605: bpf_trace_printk: kprobe/sock_recvmsg family 3: 46112
dbus-broker-1978 [000] ...21 71721.952930: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
dbus-broker-1978 [000] ...21 71721.952959: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
systemd-logind-1970 [000] ...21 71721.952977: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
systemd-logind-1970 [000] ...21 71721.952980: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
systemd-logind-1970 [000] ...21 71721.953002: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
systemd-logind-1970 [000] ...21 71721.953004: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
systemd-logind-1970 [000] ...21 71721.953009: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
dbus-broker-1978 [000] ...21 71721.953018: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
dbus-broker-1978 [000] ...21 71721.953033: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
systemd-1 [000] ...21 71721.953052: bpf_trace_printk: kprobe/sock_recvmsg family 3: 47312
systemd-1 [000] ...21 71721.953055: bpf_trace_printk: kprobe/sock_recvmsg family 3: 47312
systemd-1 [000] ...21 71721.953086: bpf_trace_printk: kprobe/sock_recvmsg family 3: 46112
dbus-broker-1978 [000] ...21 71721.953096: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
dbus-broker-1978 [000] ...21 71721.953122: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
systemd-1 [000] ...21 71721.953129: bpf_trace_printk: kprobe/sock_recvmsg family 3: 46112
systemd-1 [000] ...21 71721.953131: bpf_trace_printk: kprobe/sock_recvmsg family 3: 46112
dbus-broker-1978 [000] ...21 71721.953361: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
dbus-broker-1978 [000] ...21 71721.953388: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
systemd-logind-1970 [000] ...21 71721.953406: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
systemd-logind-1970 [000] ...21 71721.953409: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
dbus-broker-1978 [000] ...21 71721.953667: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
dbus-broker-1978 [000] ...21 71721.953689: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
systemd-journal-1040 [000] ...21 71721.953715: bpf_trace_printk: kprobe/sock_recvmsg family 3: 44928
systemd-logind-1970 [000] ...21 71721.954150: bpf_trace_printk: kprobe/sock_recvmsg family 3: 65280
systemd-logind-1970 [000] ...21 71721.954182: bpf_trace_printk: kprobe/sock_recvmsg family 3: 65280
sshd-34026 [000] ...21 71721.966731: bpf_trace_printk: kprobe/sock_recvmsg family 3: 0
sshd-34026 [000] ...21 71722.882763: bpf_trace_printk: kprobe/sock_recvmsg family 3: 0
chronyd-2344 [000] ...21 71723.011551: bpf_trace_printk: kprobe/sock_recvmsg family 3: 3520
chronyd-2344 [000] ...21 71723.011883: bpf_trace_printk: kprobe/sock_recvmsg family 3: 3520
chronyd-2344 [000] .N.21 71739.299375: bpf_trace_printk: kprobe/sock_recvmsg family 3: 3520
chronyd-2344 [000] ...21 71739.299738: bpf_trace_printk: kprobe/sock_recvmsg family 3: 3520
None of the address families looks valid, and for things I would expect to go over AF_INET, such as sshd, I am not sure why 0 is returned.
The argument of your eBPF program is wrong: the first argument is not struct sock *sk but struct socket *sock.
int sock_recvmsg(struct socket *sock, struct msghdr *msg, int flags)
https://elixir.bootlin.com/linux/v5.13/source/net/socket.c#L902