#include <sys/types.h>
#include <unistd.h>

#include <algorithm>
#include <cerrno>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

#include <bcc/BPF.h>
using namespace std;
// Host-side view of the key of the "counts" BPF hash map. The map's raw key
// bytes are reinterpreted as this type (get_hash_table<stack_info_t, uint64_t>),
// so the field order and widths must match the identically named struct inside
// bpf_source exactly; any divergence silently corrupts the decoded entries.
struct stack_info_t {
pid_t pid;         // thread-group id (user-visible PID) of the sending task
char name[16];     // task comm as filled in by bpf_get_current_comm()
int user_stack;    // id from get_stackid(ctx, BPF_F_USER_STACK); negative on error
int kernel_stack;  // id from get_stackid(ctx, 0); negative on error
};
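// Kernel-side program, compiled and loaded by bcc at runtime. Attached as a
// kprobe on tcp_sendmsg(), it counts sends per (pid, comm, kernel stack id,
// user stack id) into the "counts" map, which the host reads after the trace
// window ends.
//
// The struct below must keep exactly the layout of the host-side stack_info_t
// (same field order and widths): the host decodes the map's raw key bytes as
// that type.
//
// Change from the original: a debugging printk ("Hello world!") that fired on
// every TCP send has been removed. That helper writes into the global
// trace_pipe buffer and is meant for debugging only; on a hot path like
// tcp_sendmsg it floods the buffer for every other tracer on the box.
std::string bpf_source = R"(
#include <linux/sched.h>
#include <uapi/linux/ptrace.h>

struct stack_info_t {
    pid_t pid;
    char name[16];
    int user_stack;
    int kernel_stack;
};

// 16384 stack-id slots shared by kernel and user stacks. Once it is full,
// get_stackid() returns a negative error and the host reports the entry as a
// lost stack.
BPF_STACK_TRACE(stack_traces, 16384);
BPF_HASH(counts, struct stack_info_t, uint64_t);

int on_tcp_send(struct pt_regs *ctx)
{
    // Zero the whole key (including unused comm bytes) so that equal
    // (pid, comm, stacks) tuples always hash to the same map entry.
    struct stack_info_t data = {};
    // Upper 32 bits of pid_tgid are the thread-group id, i.e. the PID as
    // seen from user space.
    data.pid = (pid_t)(bpf_get_current_pid_tgid() >> 32);
    bpf_get_current_comm(&data.name, sizeof(data.name));
    data.kernel_stack = stack_traces.get_stackid(ctx, 0);
    data.user_stack = stack_traces.get_stackid(ctx, BPF_F_USER_STACK);

    u64 zero = 0, *val;
    // lookup_or_try_init() returns NULL when the map cannot take a new
    // entry, in which case this send is silently not counted.
    val = counts.lookup_or_try_init(&data, &zero);
    if (val) {
        (*val)++;
    }
    return 0;
}
)";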
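// Entry point: kprobe tcp_sendmsg() for a fixed window, then print the
// per-(pid, comm, stack) send counts collected by the BPF program, least
// frequent first.
//
// Loading a BPF program and attaching a kprobe is a privileged operation
// (root, or the BPF/perf capabilities on kernels that split them out), so
// init or attach fail with a permission error otherwise.
// Returns 0 on success and 1 on any bcc failure.
int main(void) {
  // Seconds between attaching and detaching the probe.
  constexpr unsigned kTraceSeconds = 10;

  ebpf::BPF bpf;

  // Compile and load the program. The original ignored this status, so a
  // compile error only surfaced later as a confusing attach failure.
  auto init_res = bpf.init(bpf_source);
  if (init_res.code() != 0) {
    cerr << "BPF init failed: " << init_res.msg() << endl;
    return 1;
  }

  // tcp_sendmsg is a plain kernel function, not a syscall, and is kprobed by
  // name. The original also looked it up with get_syscall_fnname(), which
  // only produced a misleading arch-prefixed name that was never used.
  cout << "attaching kprobe to tcp_sendmsg for " << kTraceSeconds << "s" << endl;
  auto attach_res = bpf.attach_kprobe("tcp_sendmsg", "on_tcp_send");
  if (attach_res.code() != 0) {
    cerr << "attach_kprobe failed: " << attach_res.msg() << endl;
    return 1;
  }

  sleep(kTraceSeconds);

  // Detach before reading the map so the counts are a stable snapshot.
  // (On the early returns above, bcc's BPF destructor is expected to detach
  // whatever is still attached.)
  auto detach_res = bpf.detach_kprobe("tcp_sendmsg");
  if (detach_res.code() != 0) {
    // Report the detach error; the original printed the attach status here.
    cerr << "detach_kprobe failed: " << detach_res.msg() << endl;
    return 1;
  }

  // The map's raw key bytes are decoded as stack_info_t, so the host and
  // BPF-side struct definitions must agree.
  auto table = bpf.get_hash_table<stack_info_t, uint64_t>("counts").get_table_offline();
  // Ascending by count, as in the original: the busiest stacks come last.
  sort(table.begin(), table.end(),
       [](const pair<stack_info_t, uint64_t>& a,
          const pair<stack_info_t, uint64_t>& b) { return a.second < b.second; });

  auto stacks = bpf.get_stack_table("stack_traces");
  int lost_stacks = 0;
  for (const auto& entry : table) {
    const stack_info_t& info = entry.first;
    // Bound the comm read: the bytes come from a kernel map, so do not rely
    // on a terminating NUL being present.
    const string comm(info.name, strnlen(info.name, sizeof(info.name)));

    cout << "PID: " << info.pid << " (" << comm << ") made " << entry.second
         << " TCP sends on the following stack:\n";

    if (info.kernel_stack >= 0) {
      cout << "  Kernel Stack:\n";
      // pid -1 selects kernel symbolization.
      for (const auto& sym : stacks.get_stack_symbol(info.kernel_stack, -1)) {
        cout << "    " << sym << '\n';
      }
    } else if (info.kernel_stack != -EFAULT) {
      // A negative id other than -EFAULT means the stack could not be
      // recorded (e.g. stack_traces is full). -EFAULT is treated as "no
      // stack available" and not counted as lost, as in the original.
      lost_stacks++;
      cout << "  [Lost Kernel Stack " << info.kernel_stack << "]\n";
    }

    if (info.user_stack >= 0) {
      cout << "  User Stack:\n";
      // User symbolization resolves against info.pid's address space, so it
      // only works while that process is still alive.
      for (const auto& sym : stacks.get_stack_symbol(info.user_stack, info.pid)) {
        cout << "    " << sym << '\n';
      }
    } else if (info.user_stack != -EFAULT) {
      lost_stacks++;
      // The original printed kernel_stack here by mistake.
      cout << "  [Lost User Stack " << info.user_stack << "]\n";
    }
  }

  // Previously accumulated but never reported.
  if (lost_stacks > 0) {
    cout << lost_stacks << " stack(s) could not be collected\n";
  }
  cout.flush();
  return 0;
}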