https://github.com/yadutaf/tracepkt

Trace a ping packet journey across network interfaces and namespace on recent Linux. Supports IPv4 and IPv6.
https://github.com/yadutaf/tracepkt

ebpf networking tracing

Last synced: 3 months ago
JSON representation

Trace a ping packet journey across network interfaces and namespace on recent Linux. Supports IPv4 and IPv6.

• Host: GitHub
• URL: https://github.com/yadutaf/tracepkt
• Owner: yadutaf
• License: mit
• Archived: true
• Created: 2017-07-10T14:26:21.000Z (over 7 years ago)
• Default Branch: master
• Last Pushed: 2019-02-24T17:00:24.000Z (over 5 years ago)
• Last Synced: 2024-07-16T10:59:41.739Z (4 months ago)
• Topics: ebpf, networking, tracing
• Language: C
• Homepage: https://blog.yadutaf.fr/2017/07/28/tracing-a-packet-journey-using-linux-tracepoints-perf-ebpf/
• Size: 15.6 KB
• Stars: 239
• Watchers: 8
• Forks: 55
• Open Issues: 1
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-network-stuff - **134**星

README

        
# Tracepkt

Trace a ping packet on the L2 layer, as it crosses Linux network interfaces and namespaces. Supports IPv4 and IPv6.

```console

> modprobe ip_tables ip6_tables

> sudo python tracepkt.py 172.17.0.2

    NETWORK NS        INTERFACE    TYPE ADDRESSES                          IPTABLES

[           0]                  request 172.17.0.1 -> 172.17.0.2               nat.OUTPUT      :ACCEPT

[           0]                  request 172.17.0.1 -> 172.17.0.2            filter.OUTPUT      :ACCEPT

[  4026531992]          docker0 request 172.17.0.1 -> 172.17.0.2               nat.POSTROUTING :ACCEPT

[  4026531992]          docker0 request 172.17.0.1 -> 172.17.0.2          

[  4026531992]      veth61528aa request 172.17.0.1 -> 172.17.0.2          

[  4026533448]             eth0 request 172.17.0.1 -> 172.17.0.2          

[  4026533448]             eth0   reply 172.17.0.2 -> 172.17.0.1          

[  4026531992]      veth61528aa   reply 172.17.0.2 -> 172.17.0.1          

[  4026531992]          docker0   reply 172.17.0.2 -> 172.17.0.1          

[  4026531992]          docker0   reply 172.17.0.2 -> 172.17.0.1            filter.INPUT       :ACCEPT

```

The first 2 packets going from the current network namespace to a Docker container and going back, crossing a veth pair and a bridge.

## Features

* Record crossed Linux network interfaces

* Record crossed Linux network namespaces

* Record crossed iptables chains

**Note**: The iptables tracing support is ***experimental***. Tracing which specific

rule matches within a chain is not supported. This would require to hook into

``trace_packet`` netfilter function which is unfortunatly ``static`` and

therefore private.

## The full story

This project started as an illustration for a blog post on perf and eBPF https://blog.yadutaf.fr/2017/07/28/tracing-a-packet-journey-using-linux-tracepoints-perf-ebpf/.

## Usage

To use this project, you need a working / recent BCC install on your system. Read more about BCC on their Github repository: https://github.com/iovisor/bcc.

Additionally, you'll need a recent kernel (presumably >= 4.7) and full root privilege.

## License

MIT