#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_core_read.h>
#include "main.h"
/*
 * events: per-CPU perf ring used to hand one `struct event_t` per traced
 * connect() to userspace (see the kretprobe below). Key/value sizes follow
 * the usual PERF_EVENT_ARRAY convention of u32 cpu index -> u32 fd.
 */
struct {
    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
    __uint(value_size, sizeof(u32));
    __uint(key_size, sizeof(u32));
} events SEC(".maps");
/*
 * socks: in-flight tcp_v4_connect() calls, keyed by the caller's pid/tgid
 * value from bpf_get_current_pid_tgid(). The kprobe stores the socket
 * pointer on entry; the kretprobe reads and deletes it on return.
 * Bounded at 10240 entries: if the kretprobe is missed (e.g. maxactive
 * exhausted) the stale entry stays until the same pid/tgid connects
 * again and overwrites it with BPF_ANY, or the map fills up and new
 * inserts start failing silently.
 */
struct {
    __uint(type, BPF_MAP_TYPE_HASH);
    __type(value, struct sock *);
    __type(key, u64);
    __uint(max_entries, 10240);
} socks SEC(".maps");
/*
 * Entry probe for tcp_v4_connect(): remember which `struct sock *` this
 * task is connecting so the return probe can read its addresses after
 * the kernel has filled them in.
 *
 * @sk: first argument of tcp_v4_connect(), the socket being connected.
 * Returns 0 always; a failed map insert (map full) is deliberately
 * ignored, which simply means no event for this connect.
 */
SEC("kprobe/tcp_v4_connect")
int BPF_KPROBE(kprobe_tcp_v4_connect, struct sock *sk) {
    /* Key is the combined pid/tgid word, not a bare thread id. */
    u64 pid_tgid = bpf_get_current_pid_tgid();
    struct sock *stored = sk;

    /* BPF_ANY: overwrite any stale entry left by a missed kretprobe. */
    bpf_map_update_elem(&socks, &pid_tgid, &stored, BPF_ANY);
    return 0;
}
/*
 * Return probe for tcp_v4_connect(): look up the socket saved on entry,
 * copy its 4-tuple into an event_t and push it to userspace, then drop
 * the map entry.
 *
 * Notes for readers:
 *  - The return value of tcp_v4_connect() is not inspected, so an event
 *    is emitted for failed connect attempts too (may be intended for
 *    attempt-level visibility; callers should not assume success).
 *  - NOTE(review): in struct sock_common, skc_num is host byte order and
 *    skc_dport is network byte order, so src_port and dst_port end up in
 *    different byte orders unless userspace converts one of them; confirm
 *    against the consumer of struct event_t in main.h.
 *
 * Returns 0 always.
 */
SEC("kretprobe/tcp_v4_connect")
int BPF_KRETPROBE(kretprobe_tcp_v4_connect) {
    u64 pid_tgid = bpf_get_current_pid_tgid();
    struct sock **entry = bpf_map_lookup_elem(&socks, &pid_tgid);

    /* No entry: the kprobe did not fire for this task, nothing to report. */
    if (entry == NULL) {
        return 0;
    }

    struct sock *sk = *entry;
    struct event_t event = {};

    /* Source address and port. */
    BPF_CORE_READ_INTO(&event.src_addr, sk, __sk_common.skc_rcv_saddr);
    BPF_CORE_READ_INTO(&event.src_port, sk, __sk_common.skc_num);
    /* Destination address and port. */
    BPF_CORE_READ_INTO(&event.dst_addr, sk, __sk_common.skc_daddr);
    BPF_CORE_READ_INTO(&event.dst_port, sk, __sk_common.skc_dport);

    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event));

    /* Entry is consumed; remove it so the map does not accumulate. */
    bpf_map_delete_elem(&socks, &pid_tgid);
    return 0;
}
/* GPL-compatible license string; required for GPL-only BPF helpers. */
char LICENSE[] SEC("license") = "GPL";