Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add clone and tcpconnect tracer #28

Merged
merged 13 commits into from
Aug 31, 2023
Merged

Add clone and tcpconnect tracer #28

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
b4ef95d
new tracers
WYXsb Aug 30, 2023
1ff026d
Update duetector/tracers/tcpconnect.py
WYXsb Aug 30, 2023
145befb
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Aug 30, 2023
160d430
Add timeout for poll, make event configurable
Wh1isper Aug 30, 2023
f313ab0
Improve CLI and monitor on error (#29)
Wh1isper Aug 31, 2023
a334df8
Add many_attatchs in BccTracer (#32)
Wh1isper Aug 31, 2023
2021f7f
Support tcpconnect
Wh1isper Aug 31, 2023
09e08a0
Merge branch 'main' into main
Wh1isper Aug 31, 2023
901bd88
fix traces
WYXsb Aug 31, 2023
d265d49
fix traces v0.2
WYXsb Aug 31, 2023
cf6f910
intergrate inet_nota into _convert_data
WYXsb Aug 31, 2023
b2c8901
override _convert_data function of BccTracer in /duetector/tracers/t…
WYXsb Aug 31, 2023
ff5237e
use _replace for nametuple
Wh1isper Aug 31, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions duetector/tracers/base.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,14 @@ def _convert_data(self, data) -> NamedTuple:
v = getattr(data, k)
if isinstance(v, bytes):
v = v.decode("utf-8")
elif k == "saddr" or k == "daddr":
dq = b""
for i in range(0, 4):
dq = dq + str(v & 0xFF).encode()
if i != 3:
dq = dq + b"."
v = v >> 8
v = dq
wunder957 marked this conversation as resolved.
Show resolved Hide resolved

args[k] = v

Expand Down
6 changes: 5 additions & 1 deletion duetector/tracers/clone.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,8 @@ def poll_args(self):
// define output data structure in C
struct data_t {
u32 pid;
u32 uid;
u32 gid;
u64 timestamp;
char comm[TASK_COMM_LEN];
};
Expand All @@ -43,6 +45,8 @@ def poll_args(self):
struct data_t data = {};

data.pid = bpf_get_current_pid_tgid();
data.uid = bpf_get_current_uid_gid();
data.gid = bpf_get_current_uid_gid() >> 32;
data.timestamp = bpf_ktime_get_ns();
bpf_get_current_comm(&data.comm, sizeof(data.comm));

Expand Down Expand Up @@ -79,7 +83,7 @@ def print_callback(data: NamedTuple):
if start == 0:
print(f"[{data.comm} ({data.pid})] 0 ")
else:
print(f"[{data.comm} ({data.pid})] {(data.timestamp-start)/1000000000}") # type: ignore
print(f"[{data.comm} ({data.pid}) {data.gid} {data.uid}] {(data.timestamp-start)/1000000000}") # type: ignore
start = data.timestamp

tracer.set_callback(b, print_callback)
Expand Down
20 changes: 8 additions & 12 deletions duetector/tracers/tcpconnect.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@

class TcpconnectTracer(BccTracer):
"""
A tracer for openat2 syscall
A tracer for tcpconnect syscall
"""

default_config = {
Expand All @@ -26,7 +26,7 @@ class TcpconnectTracer(BccTracer):
def poll_args(self):
return {"timeout": int(self.config.poll_timeout)}

data_t = namedtuple("TcpTracking", ["pid", "comm", "saddr", "daddr", "dport"])
data_t = namedtuple("TcpTracking", ["pid", "uid", "gid", "comm", "saddr", "daddr", "dport"])

# define BPF program
prog = """
Expand All @@ -43,6 +43,8 @@ def poll_args(self):
u32 saddr;
u32 daddr;
u32 pid;
u32 uid;
u32 gid;
char comm[TASK_COMM_LEN];
};
int do_trace(struct pt_regs *ctx, struct sock *sk)
Expand All @@ -59,6 +61,7 @@ def poll_args(self):
{
int ret = PT_REGS_RC(ctx);
u32 pid = bpf_get_current_pid_tgid();

struct event event= {};

struct sock **skpp;
Expand All @@ -83,6 +86,8 @@ def poll_args(self):
event.daddr = daddr;
event.dport = dport;
event.pid = pid;
event.uid = bpf_get_current_uid_gid();
event.gid = bpf_get_current_uid_gid() >> 32;
bpf_get_current_comm(&event.comm, sizeof(event.comm));
// output
buffer.ringbuf_output(&event, sizeof(event), 0);
Expand Down Expand Up @@ -114,17 +119,8 @@ def init_tracer(config):
tracer = TcpconnectTracer()
tracer.attach(b)

def inet_ntoa(addr):
dq = b""
for i in range(0, 4):
dq = dq + str(addr & 0xFF).encode()
if i != 3:
dq = dq + b"."
addr = addr >> 8
return dq

def print_callback(data: NamedTuple):
print(f"[{data.comm} ({data.pid})] TCP_CONNECT SADDR:{inet_ntoa(data.saddr)} DADDR: {inet_ntoa(data.daddr)} DPORT:{data.dport}") # type: ignore
print(f"[{data.comm} ({data.pid}) {data.uid} {data.gid}] TCP_CONNECT SADDR:{data.saddr} DADDR: {data.daddr} DPORT:{data.dport}") # type: ignore

tracer.set_callback(b, print_callback)
poller = tracer.get_poller(b)
Expand Down