Ryan Assis

Reputation: 1

eBPF returning weird values for socket family

I'm trying to write a small eBPF program to capture per process network I/O statistics. I'm using kprobe and kretprobes attached to sock_recvmsg and sock_sendmsg to track any messages sent and received on a socket.

Because there are different types of sockets, I'm trying to filter these to only AF_INET and AF_INET6 to be sure they're "internet" sockets.

When trying to access sk->__sk_common.skc_family I get seemingly random numbers rather than an address family.

#define AF_INET    2
#define AF_INET6   10

SEC("kprobe/sock_recvmsg")
int kprobe_sock_recvmsg(struct sock *sk)
{

    u16 family;
    bpf_probe_read_kernel(&family, sizeof(family), &sk->__sk_common.skc_family);
    bpf_printk("kprobe/sock_recvmsg family 3: %d", family);

    if (family == AF_INET || family == AF_INET6) {
        u32 tid = bpf_get_current_pid_tgid() >> 32;
        bpf_printk("kprobe/sock_recvmsg tid: %d", tid);
        u32 value = 1; // is internet socket
        bpf_map_update_elem(&inetsocket, &tid, &value, BPF_ANY);
    }

    return 0;
}

  systemd-logind-1970    [000] ...21 71721.952455: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
  systemd-logind-1970    [000] ...21 71721.952458: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
  systemd-logind-1970    [000] ...21 71721.952462: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
     dbus-broker-1978    [000] ...21 71721.952472: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
     dbus-broker-1978    [000] ...21 71721.952488: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
         systemd-1       [000] ...21 71721.952518: bpf_trace_printk: kprobe/sock_recvmsg family 3: 47312
         systemd-1       [000] ...21 71721.952521: bpf_trace_printk: kprobe/sock_recvmsg family 3: 47312
         systemd-1       [000] ...21 71721.952557: bpf_trace_printk: kprobe/sock_recvmsg family 3: 46112
     dbus-broker-1978    [000] ...21 71721.952567: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
     dbus-broker-1978    [000] ...21 71721.952595: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
         systemd-1       [000] ...21 71721.952602: bpf_trace_printk: kprobe/sock_recvmsg family 3: 46112
         systemd-1       [000] ...21 71721.952605: bpf_trace_printk: kprobe/sock_recvmsg family 3: 46112
     dbus-broker-1978    [000] ...21 71721.952930: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
     dbus-broker-1978    [000] ...21 71721.952959: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
  systemd-logind-1970    [000] ...21 71721.952977: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
  systemd-logind-1970    [000] ...21 71721.952980: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
  systemd-logind-1970    [000] ...21 71721.953002: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
  systemd-logind-1970    [000] ...21 71721.953004: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
  systemd-logind-1970    [000] ...21 71721.953009: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
     dbus-broker-1978    [000] ...21 71721.953018: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
     dbus-broker-1978    [000] ...21 71721.953033: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
         systemd-1       [000] ...21 71721.953052: bpf_trace_printk: kprobe/sock_recvmsg family 3: 47312
         systemd-1       [000] ...21 71721.953055: bpf_trace_printk: kprobe/sock_recvmsg family 3: 47312
         systemd-1       [000] ...21 71721.953086: bpf_trace_printk: kprobe/sock_recvmsg family 3: 46112
     dbus-broker-1978    [000] ...21 71721.953096: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
     dbus-broker-1978    [000] ...21 71721.953122: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
         systemd-1       [000] ...21 71721.953129: bpf_trace_printk: kprobe/sock_recvmsg family 3: 46112
         systemd-1       [000] ...21 71721.953131: bpf_trace_printk: kprobe/sock_recvmsg family 3: 46112
     dbus-broker-1978    [000] ...21 71721.953361: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
     dbus-broker-1978    [000] ...21 71721.953388: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
  systemd-logind-1970    [000] ...21 71721.953406: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
  systemd-logind-1970    [000] ...21 71721.953409: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
     dbus-broker-1978    [000] ...21 71721.953667: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
     dbus-broker-1978    [000] ...21 71721.953689: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
 systemd-journal-1040    [000] ...21 71721.953715: bpf_trace_printk: kprobe/sock_recvmsg family 3: 44928
  systemd-logind-1970    [000] ...21 71721.954150: bpf_trace_printk: kprobe/sock_recvmsg family 3: 65280
  systemd-logind-1970    [000] ...21 71721.954182: bpf_trace_printk: kprobe/sock_recvmsg family 3: 65280
            sshd-34026   [000] ...21 71721.966731: bpf_trace_printk: kprobe/sock_recvmsg family 3: 0
            sshd-34026   [000] ...21 71722.882763: bpf_trace_printk: kprobe/sock_recvmsg family 3: 0
         chronyd-2344    [000] ...21 71723.011551: bpf_trace_printk: kprobe/sock_recvmsg family 3: 3520
         chronyd-2344    [000] ...21 71723.011883: bpf_trace_printk: kprobe/sock_recvmsg family 3: 3520
         chronyd-2344    [000] .N.21 71739.299375: bpf_trace_printk: kprobe/sock_recvmsg family 3: 3520
         chronyd-2344    [000] ...21 71739.299738: bpf_trace_printk: kprobe/sock_recvmsg family 3: 3520

None of the address families seem to be valid. For things I'd expect to be over AF_INET, like sshd, I'm unsure why that returns a 0.

Upvotes: 0

Views: 116

Answers (1)

mozillazg

Reputation: 770

The argument of your eBPF program is wrong: the first arg is not struct sock *sk but struct socket *sock.

int sock_recvmsg(struct socket *sock, struct msghdr *msg, int flags)

https://elixir.bootlin.com/linux/v5.13/source/net/socket.c#L902

Upvotes: 1
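The answer's point is that the probe reads through the wrong type: sock_recvmsg receives a struct socket *, and the struct sock hangs off its sk member, so a probe declared with struct sock * as its first argument reads whatever bytes sit at the skc_family offset inside struct socket. The trace output in the question shows exactly that symptom, and it can be caught mechanically. The script below is an added example, not code from the question or the answer: it parses the trace_pipe line format shown above and flags processes whose printed family cannot be an address family (or is AF_UNSPEC, which a socket in the middle of recvmsg should not report). The sample lines are copied from the question; the AF_MAX bound and the family-name table are assumptions noted in the code.

```python
"""Sanity-check the socket-family values an eBPF kprobe printed to trace_pipe.

Added example; it is not code from the question or the answer. It parses the
trace_pipe line format shown in the question and flags processes whose
reported family lies outside the Linux AF_* range, which is what a probe
reading through the wrong struct type produces.
"""
import re
from collections import Counter

# Linux address families (include/linux/socket.h); only common ones are named.
AF_UNSPEC, AF_UNIX, AF_INET, AF_INET6 = 0, 1, 2, 10
AF_NAMES = {AF_UNSPEC: "AF_UNSPEC", AF_UNIX: "AF_UNIX", AF_INET: "AF_INET",
            AF_INET6: "AF_INET6", 16: "AF_NETLINK", 17: "AF_PACKET", 40: "AF_VSOCK"}
# Assumption: upper bound on valid family numbers (AF_MAX is 46 in recent kernels).
AF_MAX = 46

# One trace_pipe line: "<comm>-<pid> [<cpu>] <flags> <secs.usecs>: bpf_trace_printk: <msg>"
LINE_RE = re.compile(
    r"^\s*(?P<comm>.+?)-(?P<pid>\d+)\s+\[(?P<cpu>\d+)\]\s+(?P<flags>\S+)\s+"
    r"(?P<ts>\d+\.\d+):\s+bpf_trace_printk:\s+(?P<msg>.*)$"
)
# The probe's own message format from the question: "... family 3: <value>"
FAMILY_RE = re.compile(r"family\s+\d+:\s+(-?\d+)\s*$")


def parse_line(line):
    """Return a dict for one trace_pipe line from the family probe, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fm = FAMILY_RE.search(m.group("msg"))
    if fm is None:
        return None
    return {"comm": m.group("comm"), "pid": int(m.group("pid")),
            "cpu": int(m.group("cpu")), "ts": float(m.group("ts")),
            "family": int(fm.group(1))}


def family_status(family):
    """Classify a printed family value."""
    if family < 0 or family >= AF_MAX:
        return "invalid"    # not an address family at all: wrong struct or offset
    if family == AF_UNSPEC:
        return "unspec"     # a legal value, but not what a live recvmsg socket shows
    if family in (AF_INET, AF_INET6):
        return "internet"
    return "other"


def audit(lines):
    """Parse every probe line and attach a status and a family name to each record."""
    records = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rec["status"] = family_status(rec["family"])
        rec["name"] = AF_NAMES.get(rec["family"], "AF_%d" % rec["family"])
        records.append(rec)
    return records


def suspicious_processes(records):
    """Map (comm, pid) -> number of invalid/unspec readings. A non-empty result
    means the probe is almost certainly not reading a real struct sock."""
    bad = Counter()
    for r in records:
        if r["status"] in ("invalid", "unspec"):
            bad[(r["comm"], r["pid"])] += 1
    return dict(bad)


# Constructed input: lines copied from the question's trace_pipe output.
SAMPLE_TRACE = """\
  systemd-logind-1970    [000] ...21 71721.952455: bpf_trace_printk: kprobe/sock_recvmsg family 3: 63824
     dbus-broker-1978    [000] ...21 71721.952472: bpf_trace_printk: kprobe/sock_recvmsg family 3: 24800
         systemd-1       [000] ...21 71721.952518: bpf_trace_printk: kprobe/sock_recvmsg family 3: 47312
 systemd-journal-1040    [000] ...21 71721.953715: bpf_trace_printk: kprobe/sock_recvmsg family 3: 44928
  systemd-logind-1970    [000] ...21 71721.954150: bpf_trace_printk: kprobe/sock_recvmsg family 3: 65280
            sshd-34026   [000] ...21 71721.966731: bpf_trace_printk: kprobe/sock_recvmsg family 3: 0
            sshd-34026   [000] ...21 71722.882763: bpf_trace_printk: kprobe/sock_recvmsg family 3: 0
         chronyd-2344    [000] ...21 71723.011551: bpf_trace_printk: kprobe/sock_recvmsg family 3: 3520
         chronyd-2344    [000] .N.21 71739.299375: bpf_trace_printk: kprobe/sock_recvmsg family 3: 3520
"""


if __name__ == "__main__":
    import sys
    # Read a live trace_pipe from stdin when piped in; otherwise use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_TRACE.splitlines()
    recs = audit(source)
    for r in recs:
        print("%-16s %6d %-10s %-8s %d" % (r["comm"], r["pid"], r["name"], r["status"], r["family"]))
    print("suspicious:", suspicious_processes(recs))
```

Run as `sudo cat /sys/kernel/debug/tracing/trace_pipe | python3 check_family.py` while the probe is loaded; once the kprobe dereferences sock->sk before reading __sk_common.skc_family, the "suspicious" map should come back empty and the sshd entries should show AF_INET or AF_INET6.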
