ebpf

package
v0.0.0-...-272cd41 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 5, 2026 License: Apache-2.0 Imports: 5 Imported by: 0

README

Note

This package is a fork of the weaveworks tcptracer-bpf package which focused on tracing TCP state events (connect, accept, close) without kernel specific runtime dependencies.

This fork adds support for UDP, as well as collection of metrics like bytes sent/received. It also opts for event collection via polling (using BPF maps) instead of being pushed event updates via perf buffers.

tracer-bpf

tracer-bpf is an eBPF program using kprobes to trace TCP/UDP events (connect, accept, close, send_msg, recv_msg).

The eBPF program is compiled to an ELF object file.

tracer-bpf also provides a Go library that provides a simple API for loading the ELF object file. Internally, it is using a fork of the cilium ebpf package.

tracer-bpf does not have any run-time dependencies on kernel headers and is not tied to a specific kernel version or kernel configuration. This is quite unusual for eBPF programs using kprobes: for example, eBPF programs using kprobes with bcc are compiled on the fly and depend on kernel headers. And perf tools compiled for one kernel version cannot be used on another kernel version.

To adapt to the currently running kernel at run-time, tracer-bpf creates a series of TCP connections with known parameters (such as known IP addresses and ports) and discovers where those parameters are stored in the kernel struct sock. The offsets of the struct sock fields vary depending on the kernel version and kernel configuration. Since an eBPF programs cannot loop, tracer-bpf does not directly iterate over the possible offsets. It is instead controlled from userspace by the Go library using a state machine.

Documentation

Overview

Package ebpf implements tracing network events with eBPF

Index

Constants

View Source 
const (
	ClassificationTLSClient ClassificationTLSProgram = 0x0
	ClassificationTLSServer ClassificationTLSProgram = 0x1
	ClassificationQueues    ClassificationProgram    = 0x2
	ClassificationDBs       ClassificationProgram    = 0x3
	ClassificationGRPC      ClassificationProgram    = 0x5
)
View Source 
const BatchSize = 0x4
View Source 
const SizeofBatch = 0x1f0
View Source 
const SizeofConn = 0x78

Variables

This section is empty.

Functions

This section is empty.

Types

type Batch 

type Batch struct {
	C0        Conn
	C1        Conn
	C2        Conn
	C3        Conn
	Id        uint64
	Cpu       uint32
	Len       uint16
	Pad_cgo_0 [2]byte
}

func ToBatch 

func ToBatch(data []byte) *Batch

ToBatch converts a byte slice to a Batch pointer.

type BindSyscallArgs 

type BindSyscallArgs struct {
	Addr uint64
	Sk   uint64
}

type CertDomain 

type CertDomain struct {
	Len  uint8
	Data [64]uint8
}

type CertItem 

type CertItem struct {
	Timestamp uint64
	Serial    CertSerial
	Domain    CertDomain
	Validity  CertValidity
	Pad_cgo_0 [2]byte
}

type CertSerial 

type CertSerial struct {
	Len  uint8
	Data [20]uint8
}

type CertValidity 

type CertValidity struct {
	Before [12]uint8
	After  [12]uint8
}

type ClassificationProgram 

type ClassificationProgram = uint32

type ClassificationTLSProgram 

type ClassificationTLSProgram = uint32

type Conn 

type Conn struct {
	Tup        ConnTuple
	Tcp_stats  TCPStats
	Conn_stats ConnStats
}

type ConnDirection 

type ConnDirection uint8
const (
	Unknown  ConnDirection = 0x0
	Incoming ConnDirection = 0x1
	Outgoing ConnDirection = 0x2
)

type ConnFamily 

type ConnFamily uint32
const (
	IPv4 ConnFamily = 0x0
	IPv6 ConnFamily = 0x2
)

func (ConnFamily) String 

func (c ConnFamily) String() string

type ConnFlags 

type ConnFlags uint32
const (
	LInit   ConnFlags = 0x1
	RInit   ConnFlags = 0x2
	Assured ConnFlags = 0x4
)

type ConnStats 

type ConnStats struct {
	Sent_bytes     uint64
	Recv_bytes     uint64
	Sent_packets   uint32
	Recv_packets   uint32
	Timestamp_ms   NetTimeMs
	Duration_ms    NetTimeMs
	Cookie         uint32
	Protocol_stack ProtocolStack
	Flags          uint8
	Direction      uint8
	Tls_tags       TLSTags
	Cert_id        uint32
}

func (ConnStats) ConnectionDirection 

func (cs ConnStats) ConnectionDirection() ConnDirection

ConnectionDirection returns the direction of the connection (incoming vs outgoing).

func (ConnStats) IsAssured 

func (cs ConnStats) IsAssured() bool

IsAssured returns whether the connection has seen traffic in both directions.

type ConnTuple 

type ConnTuple struct {
	Saddr_h  uint64
	Saddr_l  uint64
	Daddr_h  uint64
	Daddr_l  uint64
	Sport    uint16
	Dport    uint16
	Netns    uint32
	Pid      uint32
	Metadata uint32
}

func (ConnTuple) DestAddress 

func (t ConnTuple) DestAddress() util.Address

DestAddress returns the destination address

func (ConnTuple) DestEndpoint 

func (t ConnTuple) DestEndpoint() string

DestEndpoint returns the destination address and source port joined

func (ConnTuple) Family 

func (t ConnTuple) Family() ConnFamily

Family returns whether a tuple is IPv4 or IPv6

func (*ConnTuple) SetFamily 

func (t *ConnTuple) SetFamily(family ConnFamily)

SetFamily sets the family (IPv4 or IPv6) for a tuple.

func (*ConnTuple) SetType 

func (t *ConnTuple) SetType(connType ConnType)

SetType sets the type (TCP or UDP) for a tuple.

func (ConnTuple) SourceAddress 

func (t ConnTuple) SourceAddress() util.Address

SourceAddress returns the source address

func (ConnTuple) SourceEndpoint 

func (t ConnTuple) SourceEndpoint() string

SourceEndpoint returns the source address and source port joined

func (ConnTuple) String 

func (t ConnTuple) String() string

func (ConnTuple) Type 

func (t ConnTuple) Type() ConnType

Type returns whether a tuple is TCP or UDP

type ConnType 

type ConnType uint32
const (
	UDP ConnType = 0x0
	TCP ConnType = 0x1
)

func (ConnType) String 

func (c ConnType) String() string

type ConntrackTelemetry 

type ConntrackTelemetry struct {
	Registers uint64
}

type ConntrackTuple 

type ConntrackTuple struct {
	Saddr_h  uint64
	Saddr_l  uint64
	Daddr_h  uint64
	Daddr_l  uint64
	Sport    uint16
	Dport    uint16
	Netns    uint32
	Metadata uint32
	X_pad    uint32
}

func (ConntrackTuple) DestAddress 

func (t ConntrackTuple) DestAddress() util.Address

DestAddress returns the destination address

func (ConntrackTuple) DestEndpoint 

func (t ConntrackTuple) DestEndpoint() string

DestEndpoint returns the destination address and source port joined

func (ConntrackTuple) Family 

func (t ConntrackTuple) Family() ConnFamily

Family returns whether a tuple is IPv4 or IPv6

func (ConntrackTuple) SourceAddress 

func (t ConntrackTuple) SourceAddress() util.Address

SourceAddress returns the source address

func (ConntrackTuple) SourceEndpoint 

func (t ConntrackTuple) SourceEndpoint() string

SourceEndpoint returns the source address and source port joined

func (ConntrackTuple) String 

func (t ConntrackTuple) String() string

func (ConntrackTuple) Type 

func (t ConntrackTuple) Type() ConnType

Type returns whether a tuple is TCP or UDP

type NetTimeMs 

type NetTimeMs struct {
	Timestamp [3]uint16
}

type PIDFD 

type PIDFD struct {
	Pid uint32
	Fd  uint32
}

type PidTs 

type PidTs struct {
	Tgid      uint64
	Timestamp uint64
}

type PortBinding 

type PortBinding struct {
	Netns     uint32
	Port      uint16
	Pad_cgo_0 [2]byte
}

type ProtocolStack 

type ProtocolStack struct {
	Api         uint8
	Application uint8
	Encryption  uint8
	Flags       uint8
}

type ProtocolStackWrapper 

type ProtocolStackWrapper struct {
	Updated   uint64
	Stack     ProtocolStack
	Pad_cgo_0 [4]byte
}

type SSLHandshakeState 

type SSLHandshakeState struct {
	Item      CertItem
	Id        uint32
	Pad_cgo_0 [4]byte
}

type SkpConn 

type SkpConn struct {
	Sk  uint64
	Tup ConnTuple
}

type TCPState 

type TCPState uint8
const (
	Established TCPState = 0x1
	Close       TCPState = 0x7
)

type TCPStats 

type TCPStats struct {
	Rtt               uint32
	Rtt_var           uint32
	Retransmits       uint32
	State_transitions uint16
	Failure_reason    uint16
}

type TLSTags 

type TLSTags struct {
	Chosen_version   uint16
	Cipher_suite     uint16
	Offered_versions uint8
	Pad_cgo_0        [1]byte
}

type TLSTagsWrapper 

type TLSTagsWrapper struct {
	Updated   uint64
	Info      TLSTags
	Pad_cgo_0 [2]byte
}

type Telemetry 

type Telemetry struct {
	Tcp_sent_miscounts              uint64
	Unbatched_tcp_close             uint64
	Unbatched_udp_close             uint64
	Udp_sends_processed             uint64
	Udp_sends_missed                uint64
	Udp_dropped_conns               uint64
	Tcp_done_missing_pid            uint64
	Tcp_connect_failed_tuple        uint64
	Tcp_done_failed_tuple           uint64
	Tcp_finish_connect_failed_tuple uint64
	Tcp_close_target_failures       uint64
	Tcp_done_connection_flush       uint64
	Tcp_close_connection_flush      uint64
	Tcp_syn_retransmit              uint64
}

type UDPRecvSock 

type UDPRecvSock struct {
	Sk  uint64
	Msg uint64
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.