
cilium / pwru

Licence: GPL-2.0 License
Packet, where are you? -- Linux kernel networking debugger

Programming Languages

c
50402 projects - #5 most used programming language

Projects that are alternatives of or similar to pwru

Bpfd
Framework for running BPF programs with rules on Linux as a daemon. Container aware.
Stars: ✭ 396 (-42.94%)
Mutual labels:  kernel, tracing, ebpf, bpf
KubeArmor
Cloud-native Runtime Security Enforcement System
Stars: ✭ 434 (-37.46%)
Mutual labels:  kernel, ebpf, bpf
Cilium
eBPF-based Networking, Security, and Observability
Stars: ✭ 10,256 (+1377.81%)
Mutual labels:  kernel, ebpf, bpf
bpflock
bpflock - eBPF driven security for locking and auditing Linux machines
Stars: ✭ 54 (-92.22%)
Mutual labels:  kernel, ebpf, bpf
Bpftrace
High-level tracing language for Linux eBPF
Stars: ✭ 4,526 (+552.16%)
Mutual labels:  tracing, ebpf, bpf
Ebpf exporter
Prometheus exporter for custom eBPF metrics
Stars: ✭ 829 (+19.45%)
Mutual labels:  tracing, ebpf, bpf
oxdpus
A toy tool that leverages the super powers of XDP to bring in-kernel IP filtering
Stars: ✭ 59 (-91.5%)
Mutual labels:  kernel, ebpf, bpf
ebpfpub
ebpfpub is a generic function tracing library for Linux that supports tracepoints, kprobes and uprobes.
Stars: ✭ 86 (-87.61%)
Mutual labels:  tracing, ebpf, bpf
portablebpf
You came here so you could have a base code to serve you as an example on how to develop a BPF application, compatible to BCC and/or LIBBPF, specially LIBBPF, having the userland part made in C or PYTHON.
Stars: ✭ 32 (-95.39%)
Mutual labels:  ebpf, bpf
ebpfault
A BPF-based syscall fault injector
Stars: ✭ 65 (-90.63%)
Mutual labels:  ebpf, bpf
ebpf
eBPF package for Go
Stars: ✭ 25 (-96.4%)
Mutual labels:  ebpf, bpf
libbpf-sys
Rust bindings to libbpf from the Linux kernel
Stars: ✭ 103 (-85.16%)
Mutual labels:  ebpf, bpf
rbbcc
BCC port for MRI - this is unofficial bonsai project.
Stars: ✭ 45 (-93.52%)
Mutual labels:  tracing, ebpf
Memstrack
A memory allocation tracer combined with stack trace.
Stars: ✭ 60 (-91.35%)
Mutual labels:  kernel, tracing
Schedviz
A tool for gathering and visualizing kernel scheduling traces on Linux machines
Stars: ✭ 426 (-38.62%)
Mutual labels:  kernel, tracing
sqredirect
Redirection and filtering Source Engine game traffic in bundle with sqproxy
Stars: ✭ 21 (-96.97%)
Mutual labels:  kernel, ebpf
ipftrace
[Deprecated] Now we have a more sophisticated (and compact) implementation in the ipftrace2 repository. Please check it as well.
Stars: ✭ 60 (-91.35%)
Mutual labels:  tracing, ebpf
uprobe-http-tracer
uprobe-based HTTP tracer for Go binaries
Stars: ✭ 45 (-93.52%)
Mutual labels:  tracing, ebpf
go-tc
traffic control in pure go - it allows to read and alter queues, filters and classes
Stars: ✭ 245 (-64.7%)
Mutual labels:  ebpf, bpf
XDP-Firewall
An XDP firewall that is capable of filtering specific packets based off of filtering rules specified in a config file. IPv6 is supported!
Stars: ✭ 129 (-81.41%)
Mutual labels:  ebpf, bpf

pwru (packet, where are you?)


pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities. It allows fine-grained introspection of kernel state to facilitate debugging network connectivity issues.

The following example shows where the packets of a curl request are dropped after installing an iptables rule:

(demo recording)

Quick start with Vagrant

If you have Vagrant installed, you can run the above example with the following commands.

  1. In a terminal (terminal 1), bring up the Vagrant box:

    $ vagrant up

    This will take a few minutes to download and provision the box.

  2. Connect to the Vagrant box:

    $ vagrant ssh

  3. Build pwru:

    $ cd /pwru
    $ make

  4. Run pwru:

    $ sudo ./pwru --filter-dst-ip=1.1.1.1 --filter-dst-port=80 --filter-proto=tcp --output-tuple

  5. In a new terminal (terminal 2), connect to the Vagrant box:

    $ vagrant ssh

  6. In terminal 2, run curl to generate some traffic to 1.1.1.1:

    $ curl 1.1.1.1

    Observe the output of pwru in terminal 1.

  7. In terminal 2, add an iptables rule to block traffic to 1.1.1.1:

    $ sudo iptables -t filter -I OUTPUT 1 -m tcp --proto tcp --dst 1.1.1.1/32 -j DROP

  8. In terminal 2, run curl again to generate traffic to 1.1.1.1:

    $ curl 1.1.1.1

    Observe the output of pwru in terminal 1.

  9. To clean up, press Ctrl+C to terminate pwru in terminal 1, exit both shells, and run:

    $ vagrant destroy

Running

Requirements

pwru requires kernel >= 5.5 to run. For --output-skb, kernel >= 5.9 is required.

The following kernel configuration is required.

Option                   Note
CONFIG_DEBUG_INFO_BTF=y  Available since >= 5.3
CONFIG_KPROBES=y
CONFIG_PERF_EVENTS=y
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y

You can use zgrep $OPTION /proc/config.gz to validate whether an option is enabled.
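The kernel version and config checks above can be scripted. The following preflight script is an added example, not code from the pwru project; it assumes a POSIX sh with zcat available for /proc/config.gz (falling back to /boot/config-$(uname -r)) and takes the option list from the table above.

```shell
#!/bin/sh
# Added example, not pwru's own code: preflight check for the requirements above
# (kernel >= 5.5, >= 5.9 for --output-skb, five CONFIG_* options). POSIX sh + zcat.
PWRU_REQUIRED_OPTIONS="CONFIG_DEBUG_INFO_BTF CONFIG_KPROBES CONFIG_PERF_EVENTS CONFIG_BPF CONFIG_BPF_SYSCALL"
# minor_of VERSION: minor number of "major.minor[.patch][-extra]", 0 if absent.
minor_of() {
    case $1 in *.*) m=${1#*.}; m=${m%%.*}; echo "${m%%[!0-9]*}";; *) echo 0;; esac
}
# kver_ge HAVE WANT: succeed when HAVE's major.minor is at least WANT's.
kver_ge() {
    hm=${1%%.*}; hn=$(minor_of "$1"); wm=${2%%.*}; wn=$(minor_of "$2")
    [ "$hm" -gt "$wm" ] || { [ "$hm" -eq "$wm" ] && [ "${hn:-0}" -ge "${wn:-0}" ]; }
}
# pwru_min_kernel [pwru flags...]: minimum kernel version for this invocation.
pwru_min_kernel() {
    for a in "$@"; do [ "$a" = "--output-skb" ] && { echo 5.9; return 0; }; done
    echo 5.5
}
# missing_kconfig_options: kernel config on stdin; print each required option
# that is not =y, one per line, and fail if any is missing.
missing_kconfig_options() {
    cfg=$(cat); rc=0
    for opt in $PWRU_REQUIRED_OPTIONS; do
        printf '%s\n' "$cfg" | grep -qx "$opt=y" || { echo "$opt"; rc=1; }
    done
    return $rc
}
# kconfig_source: running kernel's config via /proc/config.gz (as the README
# suggests), falling back to /boot/config-$(uname -r).
kconfig_source() {
    if [ -r /proc/config.gz ]; then zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then cat "/boot/config-$(uname -r)"
    else return 1; fi
}
# pwru_preflight [pwru flags...]: 0 if all requirements hold, 1 if one is
# missing, 2 if the config could not be read; problems are printed.
pwru_preflight() {
    rc=0; need=$(pwru_min_kernel "$@"); have=$(uname -r)
    kver_ge "$have" "$need" || { echo "kernel $have is older than $need"; rc=1; }
    if cfg=$(kconfig_source); then
        missing=$(printf '%s\n' "$cfg" | missing_kconfig_options) || rc=1
        [ -z "$missing" ] || echo "not enabled: $(echo "$missing" | tr '\n' ' ')"
    else
        echo "cannot read kernel config; check with zgrep manually"; rc=2
    fi
    return $rc
}
pwru_preflight "$@" && echo "kernel satisfies pwru requirements"
```

Pass the intended pwru flags to the script (for example --output-skb) so the required minimum version is chosen accordingly.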

Downloading

You can download the statically linked executable for the x86_64 architecture, which includes the eBPF bytecode, from the release page.

Usage

Usage of ./pwru:
      --filter-dst-ip string        filter destination IP addr
      --filter-dst-port uint16      filter destination port
      --filter-func string          filter kernel functions to be probed by name (exact match, supports RE2 regular expression)
      --filter-mark uint32          filter skb mark
      --filter-netns uint32         filter netns inode
      --filter-proto string         filter L4 protocol (tcp, udp, icmp)
      --filter-src-ip string        filter source IP addr
      --filter-src-port uint16      filter source port
      --output-limit-lines uint     exit the program after the number of events has been received/printed
      --output-meta                 print skb metadata
      --output-relative-timestamp   print relative timestamp per skb
      --output-skb                  print skb
      --output-stack                print stack
      --output-tuple                print L4 tuple

If multiple filters are specified, all of them have to match in order for a packet to be traced.

The --filter-func switch does an exact match on function names i.e. --filter-func=foo only matches foo(); for a wildcarded match, try --filter-func=".*foo.*" instead.

Developing

Dependencies

  • Go >= 1.16
  • LLVM/clang >= 1.12

Building

make

Alternatively, you can build and run in the Docker container:

docker build -t pwru .
docker run --privileged -it pwru [filter1] [filtern]

Contributing

pwru is an open source project licensed under GPLv2. Everybody is welcome to contribute. Contributors are required to follow the Contributor Covenant Code of Conduct and must adhere to the Developer Certificate of Origin by adding a Signed-off-by line to their commit messages.

Logo Credits

The detective gopher is based on the Go gopher designed by Renee French.
