eBPF packet filter not giving me correct data

Question

所以我一直在尝试看是否可以将eBPF数据包过滤器附加到网络接口enp32s0np1上我试图捕获所有传入的发件人IP地址然而运行下面的代码给我奇怪的反应我看到的不是发件人IP地址而是一些随机数字填充的内容

以下是代码

    from bcc import BPF
    
    # 要监视的网络接口
    INTERFACE = "enp32s0np1"
    
    bpf_text = """
    // 代码部分已被注释,因为这部分一直给我报错...
    """
    
    from ctypes import *
    import sys
    import socket
    import os
    import struct
    
    bpf = BPF(text=bpf_text)
    
    function_skb_matching = bpf.load_func("skb_matching", BPF.SOCKET_FILTER)
    
    BPF.attach_raw_socket(function_skb_matching, INTERFACE)
    
    print("=========================数据包监视器=============================\n")
    bpf.trace_print()

以下是结果:

    handler27-3403  [010] ..s1 135652.183626: 0: sss = -1062731519       handler27-3403  [010] ..s1 135652.183642: 0: 传入数据包!!
    handler27-3403  [010] ..s1 135652.183691: 0: sss = -1062731518       handler27-3403  [010] ..s1 135652.183695: 0: 传入数据包!!
    <idle>-0     [010] ..s. 135653.184712: 0: sss = -1062731519          <idle>-0     [010] ..s. 135653.184728: 0: 传入数据包!!
    <idle>-0     [010] ..s. 135653.184759: 0: sss = -1062731518          <idle>-0     [010] ..s. 135653.184760: 0: 传入数据包!!
    <idle>-0     [010] ..s. 135654.205715: 0: sss = -1062731519          <idle>-0     [010] ..s. 135654.205734: 0: 传入数据包!!
    <idle>-0     [010] ..s. 135654.205765: 0: sss = -1062731518          <idle>-0     [010] ..s. 135654.205766: 0: 传入数据包!!
    <idle>-0     [010] ..s. 135655.229752: 0: sss = -1062731519          <idle>-0     [010] ..s. 135655.229771: 0: 传入数据包!!
    <idle>-0     [010] ..s. 135655.229802: 0: sss = -1062731518          <idle>-0     [010] ..s. 135655.229802: 0: 传入数据包!!
    <idle>-0     [010] ..s. 135656.253777: 0: sss = -1062731519          <idle>-0     [010] ..s. 135656.253796: 0: 传入数据包!!
    <idle>-0     [010] ..s. 135656.253827: 0: sss = -1062731518          <idle>-0     [010] ..s. 135656.253828: 0: 传入数据包!!
    <idle>-0     [010] ..s. 135657.194068: 0: sss = 16842752          <idle>-0     [010] ..s. 135657.194084: 0: 传入数据包!!
    handler27-3403  [010] ..s1 135657.195105: 0: sss = 16908309       handler27-3403  [010] ..s1 135657.195111: 0: 传入数据包!!
    <idle>-0     [010] ..s. 135657.213711: 0: sss = 16908288          <idle>-0     [010] ..s. 135657.213727: 0: 传入数据包!!
    <idle>-0     [010] ..s. 135657.213741: 0: sss = 16842773          <idle>-0     [010] ..s. 135657.213742: 0: 传入数据包!!
    <idle>-0     [010] ..s. 135657.277815: 0: sss = -1062731519          <idle>-0     [010] ..s. 135657.277832: 0: 传入数据包!!
    <idle>-0     [010] ..s. 135657.277860: 0: sss = -1062731518          <idle>-0     [010] ..s. 135657.277861: 0: 传入数据包!!

请注意,您的代码中存在一些注释和被注释掉的部分,这些部分未被翻译。

英文:

So I've been trying to see if I could attach an eBPF packet filter to a network interface, enp32s0np1. I'm trying to catch all the incoming sender IP addresses. However, running the code below gives me a weird reaction. Instead of seeing the sender IP address, I see some random numbers filled in.

Here's the code:

    from bcc import BPF

    # Network interface to be monitored
    INTERFACE = "enp32s0np1"

    bpf_text = """
    #include <linux/bpf.h>
    #include <linux/if_ether.h>
    #include <linux/if_packet.h>
    #include <linux/ip.h>
    #include <net/sock.h>
    #include <bcc/proto.h>
    #include <uapi/linux/ptrace.h>

    int skb_matching(struct __sk_buff *skb) {
        u8 *cursor = 0;
        u64 saddr = 0;
        void *data_end = (void*)(long)skb->data_end;
        void *data = (void*)(long)skb->data;
        struct ethhdr *eth = data;

        u32 nh_off = 0;
        nh_off = sizeof(*eth);

        /* // Code here has been blocked because this part keeps giving me errors as well..
        if (data + nh_off > data_end) {
            bpf_trace_printk("error");
        }
        */
        //bpf_trace_printk("%p", data);

        // bcc's cursor_advance() reads each header with packet-load instructions
        // and hands the fields back in host byte order.
        struct ethernet_t *ethernet = cursor_advance(cursor, sizeof(*ethernet));
        struct ip_t *ip = cursor_advance(cursor, sizeof(*ip));
        // NB: ip->dst is the destination address; the sender's address is ip->src.
        saddr = ip->dst;
        // %d prints the low 32 bits as a signed integer, so any address whose
        // first octet is 128 or more (e.g. 192.168.x.x) shows up negative.
        bpf_trace_printk("sss = %d", saddr);

        bpf_trace_printk("Incoming packet!\\n");
        return -1;   // non-zero: pass the whole packet up to the raw socket
    }
    """

    bpf = BPF(text=bpf_text)

    function_skb_matching = bpf.load_func("skb_matching", BPF.SOCKET_FILTER)

    # Attach the socket filter to a raw socket bound to INTERFACE
    BPF.attach_raw_socket(function_skb_matching, INTERFACE)

    print("=========================packet monitor=============================\n")
    # Stream /sys/kernel/debug/tracing/trace_pipe, where bpf_trace_printk() output lands
    bpf.trace_print()

And here is the result:

    handler27-3403  [010] ..s1 135652.183626: 0: sss = -1062731519
    handler27-3403  [010] ..s1 135652.183642: 0: Incoming packet!!
    handler27-3403  [010] ..s1 135652.183691: 0: sss = -1062731518
    handler27-3403  [010] ..s1 135652.183695: 0: Incoming packet!!
    <idle>-0     [010] ..s. 135653.184712: 0: sss = -1062731519
    <idle>-0     [010] ..s. 135653.184728: 0: Incoming packet!!
    <idle>-0     [010] ..s. 135653.184759: 0: sss = -1062731518
    <idle>-0     [010] ..s. 135653.184760: 0: Incoming packet!!
    <idle>-0     [010] ..s. 135654.205715: 0: sss = -1062731519
    <idle>-0     [010] ..s. 135654.205734: 0: Incoming packet!!
    <idle>-0     [010] ..s. 135654.205765: 0: sss = -1062731518
    <idle>-0     [010] ..s. 135654.205766: 0: Incoming packet!!
    <idle>-0     [010] ..s. 135655.229752: 0: sss = -1062731519
    <idle>-0     [010] ..s. 135655.229771: 0: Incoming packet!!
    <idle>-0     [010] ..s. 135655.229802: 0: sss = -1062731518
    <idle>-0     [010] ..s. 135655.229802: 0: Incoming packet!!
    <idle>-0     [010] ..s. 135656.253777: 0: sss = -1062731519
    <idle>-0     [010] ..s. 135656.253796: 0: Incoming packet!!
    <idle>-0     [010] ..s. 135656.253827: 0: sss = -1062731518
    <idle>-0     [010] ..s. 135656.253828: 0: Incoming packet!!
    <idle>-0     [010] ..s. 135657.194068: 0: sss = 16842752
    <idle>-0     [010] ..s. 135657.194084: 0: Incoming packet!!
    handler27-3403  [010] ..s1 135657.195105: 0: sss = 16908309
    handler27-3403  [010] ..s1 135657.195111: 0: Incoming packet!!
    <idle>-0     [010] ..s. 135657.213711: 0: sss = 16908288
    <idle>-0     [010] ..s. 135657.213727: 0: Incoming packet!!
    <idle>-0     [010] ..s. 135657.213741: 0: sss = 16842773
    <idle>-0     [010] ..s. 135657.213742: 0: Incoming packet!!
    <idle>-0     [010] ..s. 135657.277815: 0: sss = -1062731519
    <idle>-0     [010] ..s. 135657.277832: 0: Incoming packet!!
    <idle>-0     [010] ..s. 135657.277860: 0: sss = -1062731518
    <idle>-0     [010] ..s. 135657.277861: 0: Incoming packet!!

Answer 1

Score: 2

Those numbers are your IP addresses, in decimal format. For example, if I launch your script in one terminal while I ping 8.8.8.8 in the other, I get:

    term1$ ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=52 time=9.80 ms
    [...]

    term2$ python test.py
    [...]
    ping-6545  [004] ....  1876.984747: 0: sss = 134744072
    ping-6545  [004] ....  1876.984763: 0: Incoming packet!
    [...]

The number 134744072 corresponds to IP 8.8.8.8 (you can use online decimal-to-IP or decimal-to-hex converters to check that).

You can convert these numbers to the usual IP representation with e.g. IPAddress on the Python side (see bcc's example tunnel_monitor), but you'll have to use a perf ring buffer or a map to transmit data from the kernel side to the user-space Python side.
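As an added example (not part of the question or the answer above), the block below does both halves of what the answer describes: it decodes the raw `sss = N` numbers from the trace output back into dotted-quad addresses, and `main()` runs a perf-buffer variant of the filter that reports the sender's address (`ip->src`, where the question's code read `ip->dst`) instead of going through `bpf_trace_printk`. The sample trace lines are constructed from the output shown on this page. It assumes a bcc installation, root privileges, a kernel that lets socket-filter programs call `bpf_perf_event_output`, that bcc's `cursor_advance()` yields header fields in host byte order (as the tunnel_monitor example relies on), and the interface name `enp32s0np1` from the question.

```python
"""
Decode the 'sss = N' values printed by the question's filter and, in main(),
run a variant of that bcc socket filter which hands the *source* address to
user space through a perf buffer instead of bpf_trace_printk.
"""
import ipaddress
import re

# bpf_trace_printk's %d formats the value as a signed 32-bit integer, so any
# address whose first octet is >= 128 (192.168.x.x, for instance) prints as a
# negative number. Masking back to 32 bits undoes that before decoding.
def trace_int_to_ip(value: int) -> str:
    """Turn a host-byte-order IPv4 address printed with %d back into dotted quad."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


TRACE_VALUE_RE = re.compile(r"sss = (-?\d+)")


def decode_trace_lines(lines):
    """Extract every 'sss = N' from bcc trace_print() output and decode it."""
    return [
        trace_int_to_ip(int(m.group(1)))
        for line in lines
        for m in TRACE_VALUE_RE.finditer(line)
    ]


# Constructed sample: trace lines taken from the question and the answer.
SAMPLE_TRACE = [
    "handler27-3403  [010] ..s1 135652.183626: 0: sss = -1062731519",
    "<idle>-0     [010] ..s. 135657.194068: 0: sss = 16842752",
    "ping-6545  [004] ....  1876.984747: 0: sss = 134744072",
]

# bcc program for the perf-buffer version (assumed API: BPF_PERF_OUTPUT /
# perf_submit). Only IPv4 frames are reported; returning 0 keeps the raw
# socket's receive queue empty since nothing reads from it.
BPF_TEXT = r"""
#include <uapi/linux/bpf.h>
#include <bcc/proto.h>

struct addr_event_t {
    u32 saddr;   // sender address, host byte order (cursor_advance converts it)
    u32 daddr;
};
BPF_PERF_OUTPUT(events);

int skb_matching(struct __sk_buff *skb) {
    u8 *cursor = 0;
    struct ethernet_t *ethernet = cursor_advance(cursor, sizeof(*ethernet));
    if (ethernet->type != 0x0800) {   // ETH_P_IP: skip ARP, IPv6, ...
        return 0;
    }
    struct ip_t *ip = cursor_advance(cursor, sizeof(*ip));
    struct addr_event_t ev = {};
    ev.saddr = ip->src;   // the sender; the question's code read ip->dst
    ev.daddr = ip->dst;
    events.perf_submit(skb, &ev, sizeof(ev));
    return 0;
}
"""


def main(interface="enp32s0np1"):
    # Imported here so the decoding helpers above also work on a box without bcc.
    from bcc import BPF

    bpf = BPF(text=BPF_TEXT)
    fn = bpf.load_func("skb_matching", BPF.SOCKET_FILTER)
    BPF.attach_raw_socket(fn, interface)

    def handle_event(cpu, data, size):
        ev = bpf["events"].event(data)
        print(f"{ipaddress.IPv4Address(ev.saddr)} -> {ipaddress.IPv4Address(ev.daddr)}")

    bpf["events"].open_perf_buffer(handle_event)
    while True:
        bpf.perf_buffer_poll()


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else "enp32s0np1")
```

Run as `sudo python3 this_file.py enp32s0np1` to see `192.168.1.1 -> ...` style lines; `decode_trace_lines()` alone needs no bcc and turns the question's `-1062731519` into `192.168.1.1`. Filtering on the Ethernet type in the kernel matters: the original program parses an IPv4 header out of every frame, so ARP or IPv6 traffic yields garbage "addresses".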

Posted by huangapple on 2020-01-06 15:28:04. Please keep this link when reposting: https://go.coder-hub.com/59608202.html