英文:
eBPF packet filter not giving me correct data
问题
这是您提供的代码的翻译部分:
所以我一直在尝试看是否可以将eBPF数据包过滤器附加到网络接口enp32s0np1上。我试图捕获所有传入的发件人IP地址。然而,运行下面的代码给我奇怪的反应。我看到的不是发件人IP地址,而是一些随机数字填充的内容。
以下是代码:
from bcc import BPF
# 要监视的网络接口
INTERFACE = "enp32s0np1"
bpf_text = """
// 代码部分已被注释,因为这部分一直给我报错...
"""
from ctypes import *
import sys
import socket
import os
import struct
bpf = BPF(text=bpf_text)
function_skb_matching = bpf.load_func("skb_matching", BPF.SOCKET_FILTER)
BPF.attach_raw_socket(function_skb_matching, INTERFACE)
print("=========================数据包监视器=============================\n")
bpf.trace_print()
以下是结果:
handler27-3403 [010] ..s1 135652.183626: 0: sss = -1062731519 handler27-3403 [010] ..s1 135652.183642: 0: 传入数据包!!
handler27-3403 [010] ..s1 135652.183691: 0: sss = -1062731518 handler27-3403 [010] ..s1 135652.183695: 0: 传入数据包!!
<idle>-0 [010] ..s. 135653.184712: 0: sss = -1062731519 <idle>-0 [010] ..s. 135653.184728: 0: 传入数据包!!
<idle>-0 [010] ..s. 135653.184759: 0: sss = -1062731518 <idle>-0 [010] ..s. 135653.184760: 0: 传入数据包!!
<idle>-0 [010] ..s. 135654.205715: 0: sss = -1062731519 <idle>-0 [010] ..s. 135654.205734: 0: 传入数据包!!
<idle>-0 [010] ..s. 135654.205765: 0: sss = -1062731518 <idle>-0 [010] ..s. 135654.205766: 0: 传入数据包!!
<idle>-0 [010] ..s. 135655.229752: 0: sss = -1062731519 <idle>-0 [010] ..s. 135655.229771: 0: 传入数据包!!
<idle>-0 [010] ..s. 135655.229802: 0: sss = -1062731518 <idle>-0 [010] ..s. 135655.229802: 0: 传入数据包!!
<idle>-0 [010] ..s. 135656.253777: 0: sss = -1062731519 <idle>-0 [010] ..s. 135656.253796: 0: 传入数据包!!
<idle>-0 [010] ..s. 135656.253827: 0: sss = -1062731518 <idle>-0 [010] ..s. 135656.253828: 0: 传入数据包!!
<idle>-0 [010] ..s. 135657.194068: 0: sss = 16842752 <idle>-0 [010] ..s. 135657.194084: 0: 传入数据包!!
handler27-3403 [010] ..s1 135657.195105: 0: sss = 16908309 handler27-3403 [010] ..s1 135657.195111: 0: 传入数据包!!
<idle>-0 [010] ..s. 135657.213711: 0: sss = 16908288 <idle>-0 [010] ..s. 135657.213727: 0: 传入数据包!!
<idle>-0 [010] ..s. 135657.213741: 0: sss = 16842773 <idle>-0 [010] ..s. 135657.213742: 0: 传入数据包!!
<idle>-0 [010] ..s. 135657.277815: 0: sss = -1062731519 <idle>-0 [010] ..s. 135657.277832: 0: 传入数据包!!
<idle>-0 [010] ..s. 135657.277860: 0: sss = -1062731518 <idle>-0 [010] ..s. 135657.277861: 0: 传入数据包!!
请注意,您的代码中存在一些注释和被注释掉的部分,这些部分未被翻译。
英文:
So I've been trying to see if I could attach a eBPF packet filter to a network interface, enp32s0np1. I'm trying to catch all the incoming sender IP addresses. However, running the below code gives me weird reaction. Instead of seeing the sender IP address, I see some random numbers filled in.
Here's the code :
from bcc import BPF
# Network interface to be monoitored
INTERFACE = "enp32s0np1"
bpf_text = """
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <linux/ip.h>
#include <net/sock.h>
#include <bcc/proto.h>
#include <uapi/linux/ptrace.h>
int skb_matching(struct __sk_buff *skb) {
u8 *cursor = 0;
u64 saddr =0;
void *data_end = (void*)(long)skb->data_end;
void *data = (void*)(long)skb->data;
struct ethhdr *eth = data;
u32 nh_off = 0;
nh_off = sizeof(*eth);
/* // Code here has been blocked because this part keeps giving me errors as well..
if (data + nh_off > data_end ) {
bpf_trace_printk("error");
}
*/
//bpf_trace_printk("%p", data);
struct ethernet_t *ethernet = cursor_advance(cursor, sizeof(*ethernet));
struct ip_t *ip = cursor_advance(cursor,sizeof(*ip));
saddr = ip -> dst;
bpf_trace_printk("sss = %d", saddr);
bpf_trace_printk("Incoming packet!\\n");
return -1;
}
"""
from ctypes import *
import sys
import socket
import os
import struct
bpf = BPF(text=bpf_text)
function_skb_matching = bpf.load_func("skb_matching", BPF.SOCKET_FILTER)
BPF.attach_raw_socket(function_skb_matching, INTERFACE)
print("=========================packet monitor=============================\n")
bpf.trace_print()
and here is the result :
handler27-3403 [010] ..s1 135652.183626: 0: sss = -1062731519 handler27-3403 [010] ..s1 135652.183642: 0: Incoming packet!!
handler27-3403 [010] ..s1 135652.183691: 0: sss = -1062731518 handler27-3403 [010] ..s1 135652.183695: 0: Incoming packet!!
<idle>-0 [010] ..s. 135653.184712: 0: sss = -1062731519 <idle>-0 [010] ..s. 135653.184728: 0: Incoming packet!!
<idle>-0 [010] ..s. 135653.184759: 0: sss = -1062731518 <idle>-0 [010] ..s. 135653.184760: 0: Incoming packet!!
<idle>-0 [010] ..s. 135654.205715: 0: sss = -1062731519 <idle>-0 [010] ..s. 135654.205734: 0: Incoming packet!!
<idle>-0 [010] ..s. 135654.205765: 0: sss = -1062731518 <idle>-0 [010] ..s. 135654.205766: 0: Incoming packet!!
<idle>-0 [010] ..s. 135655.229752: 0: sss = -1062731519 <idle>-0 [010] ..s. 135655.229771: 0: Incoming packet!!
<idle>-0 [010] ..s. 135655.229802: 0: sss = -1062731518 <idle>-0 [010] ..s. 135655.229802: 0: Incoming packet!!
<idle>-0 [010] ..s. 135656.253777: 0: sss = -1062731519 <idle>-0 [010] ..s. 135656.253796: 0: Incoming packet!!
<idle>-0 [010] ..s. 135656.253827: 0: sss = -1062731518 <idle>-0 [010] ..s. 135656.253828: 0: Incoming packet!!
<idle>-0 [010] ..s. 135657.194068: 0: sss = 16842752 <idle>-0 [010] ..s. 135657.194084: 0: Incoming packet!!
handler27-3403 [010] ..s1 135657.195105: 0: sss = 16908309 handler27-3403 [010] ..s1 135657.195111: 0: Incoming packet!!
<idle>-0 [010] ..s. 135657.213711: 0: sss = 16908288 <idle>-0 [010] ..s. 135657.213727: 0: Incoming packet!!
<idle>-0 [010] ..s. 135657.213741: 0: sss = 16842773 <idle>-0 [010] ..s. 135657.213742: 0: Incoming packet!!
<idle>-0 [010] ..s. 135657.277815: 0: sss = -1062731519 <idle>-0 [010] ..s. 135657.277832: 0: Incoming packet!!
<idle>-0 [010] ..s. 135657.277860: 0: sss = -1062731518 <idle>-0 [010] ..s. 135657.277861: 0: Incoming packet!!
答案1
得分: 2
**这些数字是你的IP地址,以十进制格式表示。**例如,如果我在一个终端中运行你的脚本,同时在另一个终端中ping 8.8.8.8,我会得到以下结果:
term1$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=9.80 ms
[...]
term2$ python test.py
[...]
ping-6545 [004] .... 1876.984747: 0: sss = 134744072 ping-6545 [004] .... 1876.984763: 0: Incoming packet!
[...]
数字 134744072 对应于IP地址 8.8.8.8(你可以使用在线的 十进制转IP 或 十进制转十六进制 转换工具来验证)。
你可以在Python端使用例如 IPAddress(参见bcc的示例 tunnel_monitor)将这些数字转换为通常的IP表示形式,但你需要使用性能环形缓冲区或映射来从内核侧传输数据到用户空间的Python侧。
英文:
Those numbers are your IP addresses, in decimal format. For example, if I launch your script in one terminal while I ping 8.8.8.8 in the other, I get:
term1$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=9.80 ms
[...]
term2$ python test.py
[...]
ping-6545 [004] .... 1876.984747: 0: sss = 134744072 ping-6545 [004] .... 1876.984763: 0: Incoming packet!
[...]
The number 134744072 corresponds to IP 8.8.8.8 (you can use online decimal-to-IP or decimal-to-hex converters to check that).
You can convert these numbers to the usual IP representation with e.g., IPAddress on the Python side (see bcc's example tunnel_monitor), but you'll have to use a perf ring buffer or a map to transmit data from the kernel side to the userspace, Python side.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论