https://github.com/weaveworks/tcptracer-bpf
eBPF program using kprobes to trace TCP events without run-time compilation dependencies
- Host: GitHub
- URL: https://github.com/weaveworks/tcptracer-bpf
- Owner: weaveworks
- License: apache-2.0
- Archived: true
- Created: 2017-01-20T10:57:20.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2023-10-24T15:12:08.000Z (over 1 year ago)
- Last Synced: 2024-09-30T08:01:20.598Z (4 months ago)
- Topics: connection-tracking, ebpf, golang, no-dependencies, tcp
- Language: Shell
- Homepage:
- Size: 283 KB
- Stars: 409
- Watchers: 64
- Forks: 61
- Open Issues: 13
Metadata Files:
- Readme: README.md
- License: LICENSE
# DEPRECATED: tcptracer-bpf
tcptracer-bpf is an eBPF program using kprobes to trace TCP events (connect,
accept, close). The eBPF program is compiled to an ELF object file.

tcptracer-bpf also provides a Go library with a simple API for loading the ELF
object file. Internally, it uses the [gobpf elf
package](https://github.com/iovisor/gobpf).

tcptracer-bpf does not have any run-time dependencies on kernel headers and is
not tied to a specific kernel version or kernel configuration. This is quite
unusual for eBPF programs using kprobes: for example, eBPF programs using
kprobes with [bcc](https://github.com/iovisor/bcc) are compiled on the fly and
depend on kernel headers, and [perf tools](https://perf.wiki.kernel.org)
compiled for one kernel version cannot be used on another kernel version.

To adapt to the currently running kernel at run-time, tcptracer-bpf creates a
series of TCP connections with known parameters (such as known IP addresses and
ports) and discovers where those parameters are stored in the [kernel struct
sock](https://github.com/torvalds/linux/blob/v4.4/include/net/sock.h#L248). The
offsets of the struct sock fields vary depending on the kernel version and
kernel configuration. Since an eBPF program cannot loop, tcptracer-bpf does
not directly iterate over the possible offsets. The iteration is instead driven
from userspace by the Go library using a state machine: userspace picks the
next candidate offset, the probe reads at that offset, and userspace checks the
result against the known connection parameters.

See `tests/tracer.go` for an example of how to use tcptracer-bpf.
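The offset-guessing state machine above, as an added userspace-only simulation. This is example code written for this page, not tcptracer-bpf's own Go library or eBPF program: the kernel read that the real tool performs inside its kprobe is replaced by a read from a constructed byte slice standing in for a `struct sock`, and the names `knownConn`, `buildSock`, `probe`, `discover`, `verify` and `Layout` are assumptions of this example, not the project's API. It also assumes IPv4 addresses and ports stored in network byte order in the fake image, which is a choice of the simulation rather than a statement about the kernel layout. The `verify` step is the caveat a practitioner wants: a match found at one offset is confirmed against a second connection with different parameters, so an accidental match (for instance a source and destination address that happen to be equal over loopback) is not accepted as the layout.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"net"
)

// Indexes of the four struct-sock values the guesser has to locate.
const (
	fieldSaddr = iota
	fieldDaddr
	fieldSport
	fieldDport
	numFields
)

// Layout holds one discovered byte offset per field.
type Layout [numFields]int

// knownConn describes a connection userspace created on purpose; the values are
// distinctive so a match cannot be confused with padding or another field.
type knownConn struct {
	saddr, daddr net.IP
	sport, dport uint16
}

// expected returns the byte pattern field f must have in the sock image.
// Assumption of this simulation only: IPv4 addresses, ports in network order.
func (k knownConn) expected(f int) []byte {
	port := func(v uint16) []byte { return binary.BigEndian.AppendUint16(nil, v) }
	return [][]byte{k.saddr.To4(), k.daddr.To4(), port(k.sport), port(k.dport)}[f]
}

// buildSock constructs a fake struct-sock image with the connection's values at
// the offsets in at and filler elsewhere: the stand-in for kernel memory here.
func buildSock(size int, at Layout, c knownConn) []byte {
	sock := bytes.Repeat([]byte{0xa5}, size)
	for f := 0; f < numFields; f++ {
		copy(sock[at[f]:], c.expected(f))
	}
	return sock
}

// probe reads n bytes at off; it fails past the end of the image, the analogue
// of a failed bounded read on the eBPF side.
func probe(sock []byte, off, n int) ([]byte, bool) {
	if off < 0 || off+n > len(sock) {
		return nil, false
	}
	return sock[off : off+n], true
}

// discover is the guessing state machine: one field at a time, userspace bumps
// the candidate offset, has the probe read there, and stops at the first offset
// whose bytes equal the known value. The probe itself never loops.
func discover(sock []byte, c knownConn) (Layout, error) {
	var l Layout
	for f := 0; f < numFields; f++ {
		want := c.expected(f)
		for off := 0; ; off++ {
			got, ok := probe(sock, off, len(want))
			if !ok {
				return l, fmt.Errorf("field %d: no offset matched", f)
			}
			if bytes.Equal(got, want) {
				l[f] = off
				break
			}
		}
	}
	return l, nil
}

// verify re-reads every field from an image built for a second, different
// connection; a layout produced by one accidental match must not pass this.
func verify(l Layout, sock []byte, c knownConn) bool {
	for f := 0; f < numFields; f++ {
		want := c.expected(f)
		got, ok := probe(sock, l[f], len(want))
		if !ok || !bytes.Equal(got, want) {
			return false
		}
	}
	return true
}

func main() {
	hidden := Layout{24, 28, 36, 38} // constructed "kernel" layout to be found
	c1 := knownConn{net.IPv4(10, 1, 2, 3), net.IPv4(10, 9, 8, 7), 41234, 8080}
	c2 := knownConn{net.IPv4(192, 0, 2, 10), net.IPv4(198, 51, 100, 5), 50001, 443}
	guessed, err := discover(buildSock(128, hidden, c1), c1)
	fmt.Println(guessed, err, verify(guessed, buildSock(128, hidden, c2), c2))
	// prints: [24 28 36 38] <nil> true
}
```

In the real tool the "probe" is the eBPF program reading kernel memory and the candidate offset lives in a map written by userspace; the control flow is the same, which is why the eBPF side needs no loop even though many offsets are tried.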
## Build the ELF object
```
make
```

The object file can be found in `ebpf/tcptracer-ebpf.o`.

## Test
```
cd tests
make
sudo ./run
```

## Vendoring
We use [gvt](https://github.com/FiloSottile/gvt).
If you have any questions about, feedback for or problems with `tcptracer-bpf`:
- Invite yourself to the Weave Users Slack.
- Ask a question on the [#general](https://weave-community.slack.com/messages/general/) slack channel.
- [File an issue](https://github.com/weaveworks/tcptracer-bpf/issues/new).

Weaveworks follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md). Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting a Weaveworks project maintainer, or Alexis Richardson ([email protected]).
Your feedback is always welcome!