
YutaroHayakawa / Ipftrace2

Licence: other
A packet oriented Linux kernel function call tracer

Programming Languages

c
50402 projects - #5 most used programming language

Projects that are alternatives of or similar to Ipftrace2

Ebpf exporter
Prometheus exporter for custom eBPF metrics
Stars: ✭ 829 (+329.53%)
Mutual labels:  linux-kernel, tracing, ebpf
ipftrace
[Deprecated] Now we have a more sophisticated (and compact) implementation in the ipftrace2 repository. Please check it as well.
Stars: ✭ 60 (-68.91%)
Mutual labels:  linux-kernel, tracing, ebpf
ebpfpub
ebpfpub is a generic function tracing library for Linux that supports tracepoints, kprobes and uprobes.
Stars: ✭ 86 (-55.44%)
Mutual labels:  tracing, ebpf
uprobe-http-tracer
uprobe-based HTTP tracer for Go binaries
Stars: ✭ 45 (-76.68%)
Mutual labels:  tracing, ebpf
Bpftrace
High-level tracing language for Linux eBPF
Stars: ✭ 4,526 (+2245.08%)
Mutual labels:  tracing, ebpf
ebpfkit-monitor
ebpfkit-monitor is a tool that detects and protects against eBPF powered rootkits
Stars: ✭ 80 (-58.55%)
Mutual labels:  linux-kernel, ebpf
portablebpf
You came here so you could have a base code to serve you as an example of how to develop a BPF application, compatible with BCC and/or LIBBPF, especially LIBBPF, having the userland part made in C or PYTHON.
Stars: ✭ 32 (-83.42%)
Mutual labels:  linux-kernel, ebpf
pwru
Packet, where are you? -- Linux kernel networking debugger
Stars: ✭ 694 (+259.59%)
Mutual labels:  tracing, ebpf
Elinux
Chinese translation project for the embedded Linux knowledge base (elinux.org); the project's initiator has published the video course "360° Analysis of Linux ELF", subscriptions welcome: https://www.cctalk.com/m/group/88089283
Stars: ✭ 193 (+0%)
Mutual labels:  network, tracing
Ntopng
Web-based Traffic and Security Network Traffic Monitoring
Stars: ✭ 4,313 (+2134.72%)
Mutual labels:  network, ebpf
Hubble
Hubble - Network, Service & Security Observability for Kubernetes using eBPF
Stars: ✭ 1,245 (+545.08%)
Mutual labels:  tracing, ebpf
ebpfkit
ebpfkit is a rootkit powered by eBPF
Stars: ✭ 472 (+144.56%)
Mutual labels:  linux-kernel, ebpf
rbbcc
BCC port for MRI - this is an unofficial bonsai project.
Stars: ✭ 45 (-76.68%)
Mutual labels:  tracing, ebpf
Weaver
Trace Go program execution with uprobes and eBPF
Stars: ✭ 174 (-9.84%)
Mutual labels:  tracing, ebpf
bpfbox
🐝 BPFBox 📦 Exploring process confinement in eBPF
Stars: ✭ 93 (-51.81%)
Mutual labels:  linux-kernel, ebpf
kernel new features
A deep dive into new Linux kernel features, represented by io_uring, cgroup, ebpf and llvm, including open source projects, code examples, articles, videos, architecture mind maps and more
Stars: ✭ 1,094 (+466.84%)
Mutual labels:  linux-kernel, ebpf
Lttng Tools
The lttng-tools project provides a session daemon (lttng-sessiond) that acts as a tracing registry, the "lttng" command line for tracing control, a lttng-ctl library for tracing control and a lttng-relayd for network streaming.
Stars: ✭ 202 (+4.66%)
Mutual labels:  linux-kernel, tracing
Polycube
eBPF/XDP-based software framework for fast network services running in the Linux kernel.
Stars: ✭ 217 (+12.44%)
Mutual labels:  linux-kernel, ebpf
Bpfd
Framework for running BPF programs with rules on Linux as a daemon. Container aware.
Stars: ✭ 396 (+105.18%)
Mutual labels:  tracing, ebpf
Ebooks
A repository for ebooks, including C, C plus plus, Linux Kernel, Compiler, OS, Algorithm, Security, Database, Network, ML and DL
Stars: ✭ 151 (-21.76%)
Mutual labels:  network, linux-kernel

ipftrace2

ipftrace2 is a tool that lets you trace the journey of packets inside the Linux kernel. It is similar to ftrace in some sense, but it tells you which flow has gone through which kernel functions, which is usually more important information for network people than the list of called functions that ftrace provides.

Concept

Supported environments

  • Architecture: (Currently) x86_64 only
  • Linux version: v4.17 or above

Install pre-compiled binary

Step1: Install ipft command

$ curl -OL https://github.com/YutaroHayakawa/ipftrace2/releases/download/v0.1.0/ipftrace2_amd64.tar.gz
$ tar xvf ipftrace2_amd64.tar.gz
$ sudo cp ipft /usr/local/bin/ipft

Step2: Prepare kernel BTF

If your kernel is compiled with CONFIG_DEBUG_INFO_BTF=y, you can skip this step. You should see /sys/kernel/btf/vmlinux file in this case.

Step2-1: Install pahole

Please install pahole >= v1.19

$ git clone https://git.kernel.org/pub/scm/devel/pahole/pahole.git
$ cd pahole
$ git checkout v1.19
$ git submodule update --init   # pahole bundles libbpf as a submodule
$ cmake -DCMAKE_INSTALL_PREFIX="/usr/local" -DEXEC_INSTALL_PREFIX="" .
$ make
$ sudo make install

Step2-2: Install llvm-objcopy

Please install llvm-objcopy, since pahole depends on it.

# CentOS 8, Fedora 31, Fedora 32
$ sudo dnf install llvm

# Ubuntu 19.10, 20.04
$ sudo apt-get install llvm

Step2-3: Install DWARF debug information (mind the disk usage; these packages are large)

# CentOS 8
$ sudo dnf --enablerepo=base-debuginfo install kernel-debuginfo-$(uname -r)

# Fedora 31, 32
$ sudo dnf --enablerepo=fedora-debuginfo install kernel-debuginfo-$(uname -r)

# Ubuntu 19.10, 20.04
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys C8CAB6595FDFF622
$ codename=$(lsb_release -c | awk  '{print $2}')
$ sudo tee /etc/apt/sources.list.d/ddebs.list << EOF
deb http://ddebs.ubuntu.com/ ${codename}      main restricted universe multiverse
deb http://ddebs.ubuntu.com/ ${codename}-updates  main restricted universe multiverse
deb http://ddebs.ubuntu.com/ ${codename}-proposed main restricted universe multiverse
EOF
$ sudo apt-get update
$ sudo apt-get install linux-image-$(uname -r)-dbgsym

Step2-4: Encode BTF into the debuginfo

$ sudo LD_LIBRARY_PATH=/usr/local/lib pahole -J

Step3: List the traceable functions

$ sudo ipft -l
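
As an added example (not part of the ipftrace2 project), here is a POSIX sh preflight script that encodes the requirements from Supported environments and Step2 before you run ipft: x86_64 only, kernel v4.17 or newer, and pahole >= v1.19 when the kernel does not expose /sys/kernel/btf/vmlinux. The version-string formats it parses (uname -r such as 5.15.0-91-generic, pahole --version printing v1.19) and the optional root-prefix argument of btf_source are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of ipftrace2: preflight checks for the README's
# supported-environment and BTF requirements. The constants (x86_64, v4.17,
# pahole v1.19) come from the README; the version-string formats are assumed.

# version_ge VER MAJOR MINOR: 0 if VER (e.g. "5.15.0-91-generic", "v1.19")
# is at least MAJOR.MINOR. Non-digit suffixes such as "-rc1" are ignored.
version_ge() {
    ver=${1#v}
    major=${ver%%.*}
    case $ver in
        *.*) minor=${ver#*.}; minor=${minor%%.*}; minor=${minor%%[!0-9]*} ;;
        *)   minor=0 ;;
    esac
    case $major in *[!0-9]* | "") return 1 ;; esac
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "${minor:-0}" -ge "$3" ]; }
}

# Linux v4.17 or above (README: Supported environments).
kernel_version_supported() { version_ge "$1" 4 17; }

# pahole >= v1.19 (README: Step2-1).
pahole_version_ok() { version_ge "$1" 1 19; }

# x86_64 only (README: Supported environments).
arch_supported() { [ "$1" = x86_64 ]; }

# btf_source [ROOT]: "vmlinux-btf" when the kernel exposes BTF itself
# (CONFIG_DEBUG_INFO_BTF=y), otherwise "needs-pahole" (Step2 is required).
# ROOT is an optional prefix so the check can be exercised on a fake tree.
btf_source() {
    if [ -r "${1:-}/sys/kernel/btf/vmlinux" ]; then
        echo vmlinux-btf
    else
        echo needs-pahole
    fi
}

# preflight: run every check against the live host; non-zero if ipft
# cannot work on this machine.
preflight() {
    status=0
    arch=$(uname -m); krel=$(uname -r)
    arch_supported "$arch" || { echo "unsupported architecture: $arch (x86_64 only)" >&2; status=1; }
    kernel_version_supported "$krel" || { echo "kernel $krel is older than v4.17" >&2; status=1; }
    if [ "$(btf_source)" = vmlinux-btf ]; then
        echo "BTF: /sys/kernel/btf/vmlinux present, Step2 can be skipped"
    else
        echo "BTF: not exposed by the kernel, Step2 (debuginfo + pahole -J) is required"
        if command -v pahole >/dev/null 2>&1; then
            pv=$(pahole --version)
            pahole_version_ok "$pv" || { echo "pahole $pv is older than v1.19" >&2; status=1; }
        else
            echo "pahole not found on PATH" >&2; status=1
        fi
    fi
    return $status
}

# Usage: sh preflight.sh run
case ${1:-} in run) preflight ;; esac
```

Run it as sh preflight.sh run before Step3; a non-zero exit means ipft -l will not have a usable BTF or the host is outside the documented support matrix.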

Build from source

$ mkdir build
$ cd build
$ cmake ../
$ make

cmake reports any missing dependencies; install them if the build fails.

Usage

Step1: Mark the packets you are interested in

ipftrace2 relies on skb->mark to identify which packets to trace. There are several ways to mark a packet; here are examples using iptables. The essential part is -j MARK --set-mark 0xdeadbeef; you can combine it with any matches you wish.

# by iptables (for RX)
$ sudo iptables -t raw -A PREROUTING -p icmp -s 1.1.1.1 -j MARK --set-mark 0xdeadbeef

# by iptables (for TX)
$ sudo iptables -t raw -A OUTPUT -p icmp -d 1.1.1.1 -j MARK --set-mark 0xdeadbeef

You can use other ways like below

Step2: Start tracing

Step2-1: Trace as many functions as possible

Here is the simplest example of tracing, useful for debugging or learning. Don't do this in a production environment: by default ipftrace2 may attach the tracing eBPF program to hundreds or thousands of kernel functions that take struct sk_buff * as an argument, and the resulting overhead is unlikely to be acceptable.

$ sudo ipft -m 0xdeadbeef

Step2-2: Trace the subset of possible functions

If you don't want to trace all possible functions, you can specify a Perl-style regex to filter the functions to trace by name. This reduces the tracing overhead and the time needed to attach the programs.

$ sudo ipft -m 0xdeadbeef -r "ip_.*"

Step2-3: Use custom script

ipftrace2 can customize the tracing with C and Lua scripts. With this feature you can trace more than just the functions the packets have gone through: the contents of the skb or any other data associated with it. Please see the Scripting manual for details; you can also find examples in the example directory.

$ sudo ipft -m 0xdeadbeef -s example/gso.lua

Step3: Generate the packet

Now you are ready to trace. Generate the packet from another shell.

$ curl https://1.1.1.1
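
As an added example (not part of the ipftrace2 project), the three usage steps above wrapped into one POSIX sh script: it validates the mark, appends the README's iptables MARK rule, runs ipft, and deletes the rule again when ipft exits or is interrupted, so marked packets do not linger in the raw table after the session. It assumes iptables and ipft on PATH and root privileges; MARK and PEER default to the README's 0xdeadbeef and 1.1.1.1, and the 32-bit limit on the mark follows from skb->mark being a 32-bit field. Note that the README's rule matches -p icmp, so ping 1.1.1.1 from the other shell produces marked packets where curl (TCP) would not.

```shell
#!/bin/sh
# Added example, not part of ipftrace2: run one tracing session with the
# README's iptables MARK rule (Step1) and remove that rule on exit.
# Assumes iptables and ipft on PATH and root privileges.

MARK=${MARK:-0xdeadbeef}
PEER=${PEER:-1.1.1.1}

# mark_valid MARK: 0 if MARK is a non-zero value that fits skb->mark (a 32-bit
# field). Unmarked skbs carry mark 0, so tracing mark 0 would be meaningless.
mark_valid() {
    case $1 in
        0x*) hex=${1#0x}
             case $hex in ""|*[!0-9a-fA-F]*) return 1 ;; esac
             [ ${#hex} -le 8 ] || return 1 ;;
        *)   case $1 in ""|*[!0-9]*) return 1 ;; esac
             [ ${#1} -le 10 ] || return 1 ;;
    esac
    m=$(( $1 ))
    [ "$m" -gt 0 ] && [ "$m" -le 4294967295 ]
}

# rule_match CHAIN: the match+target part of the README's rule for CHAIN.
# PREROUTING (RX) matches on the source address, OUTPUT (TX) on the destination.
rule_match() {
    case $1 in
        PREROUTING) echo "-p icmp -s $PEER -j MARK --set-mark $MARK" ;;
        OUTPUT)     echo "-p icmp -d $PEER -j MARK --set-mark $MARK" ;;
        *)          return 1 ;;
    esac
}

cleanup() {
    # Delete with exactly the spec that was appended; ignore errors if it is gone.
    iptables -t raw -D "$chain" $match 2>/dev/null
    trap - EXIT INT TERM
}

# trace_session CHAIN [ipft options...], e.g. trace_session PREROUTING -r "ip_.*"
trace_session() {
    chain=$1; shift
    mark_valid "$MARK" || { echo "invalid mark: $MARK (must be non-zero and fit 32 bits)" >&2; return 1; }
    match=$(rule_match "$chain") || { echo "chain must be PREROUTING or OUTPUT" >&2; return 1; }
    # shellcheck disable=SC2086  (word splitting of $match is intended)
    iptables -t raw -A "$chain" $match || return 1
    trap cleanup EXIT INT TERM
    # Generate traffic from another shell (ping 1.1.1.1 for the icmp rule)
    # while this runs; Ctrl-C stops ipft and cleanup removes the rule.
    ipft -m "$MARK" "$@"
}

# Usage: sudo sh trace_session.sh PREROUTING -r "ip_.*"
case ${1:-} in PREROUTING|OUTPUT) trace_session "$@" ;; esac
```

The same match string is used for -A and -D so the delete always hits the rule that was added; keeping the rule spec in one function is what makes that guarantee cheap.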