From 166049f80cd80ee1ec5d96a7b52a8e7ddbb27a78 Mon Sep 17 00:00:00 2001 From: wynyibo Date: Sun, 9 Jun 2024 13:05:57 +0800 Subject: [PATCH 1/6] add sql request conut --- .../net_watcher/common.bpf.h | 9 ++++++++- .../Network_Subsystem/net_watcher/mysql.bpf.h | 19 +++++++++++++++---- .../net_watcher/netwatcher.c | 13 ++++++++----- .../net_watcher/netwatcher.h | 2 ++ 4 files changed, 33 insertions(+), 10 deletions(-) diff --git a/eBPF_Supermarket/Network_Subsystem/net_watcher/common.bpf.h b/eBPF_Supermarket/Network_Subsystem/net_watcher/common.bpf.h index b5e3f4aa1..6fa70b340 100644 --- a/eBPF_Supermarket/Network_Subsystem/net_watcher/common.bpf.h +++ b/eBPF_Supermarket/Network_Subsystem/net_watcher/common.bpf.h @@ -228,13 +228,20 @@ struct { __type(key, struct sock *); __type(value, __u64); } tcp_state SEC(".maps"); - +//sql 耗时 struct { __uint(type, BPF_MAP_TYPE_HASH); __uint(max_entries, 256*1024); __type(key, __u32); __type(value, __u64); } mysql_time SEC(".maps"); +//sql请求数 +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 1024); + __type(key,__u32); + __type(value,__u64); +} sql_count SEC(".maps"); const volatile int filter_dport = 0; const volatile int filter_sport = 0; diff --git a/eBPF_Supermarket/Network_Subsystem/net_watcher/mysql.bpf.h b/eBPF_Supermarket/Network_Subsystem/net_watcher/mysql.bpf.h index b2c065148..cff8c950f 100644 --- a/eBPF_Supermarket/Network_Subsystem/net_watcher/mysql.bpf.h +++ b/eBPF_Supermarket/Network_Subsystem/net_watcher/mysql.bpf.h @@ -24,6 +24,7 @@ static __always_inline int __handle_mysql_start(struct pt_regs *ctx) { union COM_DATA *com_data = (union COM_DATA *)PT_REGS_PARM2(ctx); pid_t pid = bpf_get_current_pid_tgid() >> 32; + pid_t tid = bpf_get_current_pid_tgid(); void *thd = (void *)PT_REGS_PARM1(ctx); char *sql; u32 size = 0; 
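Review bot: `sql_count` is a plain BPF_MAP_TYPE_HASH of 1024 entries keyed by thread id, and nothing in this series ever deletes an entry, so every mysqld thread that ever completed a query keeps its slot for the lifetime of the tool. Once the table is full, `bpf_map_update_elem` fails and the failure is not checked in mysql.bpf.h, so the Request column silently stops counting for new threads. Declare it `__uint(type, BPF_MAP_TYPE_LRU_HASH);` so stale thread ids are evicted, and say what the value means: `// per-thread count of completed SQL requests; LRU so dead threads age out`.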
@@ -32,7 +33,7 @@ static __always_inline int __handle_mysql_start(struct pt_regs *ctx) { return 0; } - u64 start_time = bpf_ktime_get_ns()/1000; + u64 start_time = bpf_ktime_get_ns() / 1000; bpf_map_update_elem(&mysql_time, &pid, &start_time, BPF_ANY); struct mysql_query *message = @@ -45,20 +46,22 @@ static __always_inline int __handle_mysql_start(struct pt_regs *ctx) { &com_data->com_query.length); bpf_probe_read_str(&sql, sizeof(sql), &com_data->com_query.query); bpf_probe_read_str(&message->msql, sizeof(message->msql), sql); - bpf_printk("%s",sql); message->pid = pid; + message->tid = tid; bpf_get_current_comm(&message->comm, sizeof(comm)); - + bpf_ringbuf_submit(message, 0); + return 0; } static __always_inline int __handle_mysql_end(struct pt_regs *ctx) { pid_t pid = bpf_get_current_pid_tgid() >> 32; + pid_t tid = bpf_get_current_pid_tgid(); u64 *start_time_ptr, duration; - u64 end_time = bpf_ktime_get_ns()/1000; + u64 end_time = bpf_ktime_get_ns() / 1000; start_time_ptr = bpf_map_lookup_elem(&mysql_time, &pid); if (!start_time_ptr) { return 0; @@ -70,10 +73,18 @@ static __always_inline int __handle_mysql_end(struct pt_regs *ctx) { if (!message) { return 0; } + u64 *count_ptr, count = 1; + count_ptr = bpf_map_lookup_elem(&sql_count, &tid); + if (count_ptr) { + count = *count_ptr + 1; + } + message->count = count; + bpf_map_update_elem(&sql_count, &tid, &count, BPF_ANY); message->duratime = duration; bpf_ringbuf_submit(message, 0); bpf_map_delete_elem(&mysql_time, &pid); + return 0; } diff --git a/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c b/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c index 7ff8a7bed..8e24d770d 100644 --- a/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c +++ b/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c 
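Review bot: `tid` is computed in both probes but the start timestamp is still stored and looked up by `pid` (`bpf_map_update_elem(&mysql_time, &pid, ...)` / `bpf_map_lookup_elem(&mysql_time, &pid)`), and mysqld is one process with many worker threads, so concurrent queries overwrite the same slot and the reported duration belongs to whichever thread started last. Key `mysql_time` by `tid` on both sides, matching the new `sql_count` key: `bpf_map_update_elem(&mysql_time, &tid, &start_time, BPF_ANY);` and `start_time_ptr = bpf_map_lookup_elem(&mysql_time, &tid);`. Separately, the context line `bpf_probe_read_str(&sql, sizeof(sql), &com_data->com_query.query);` copies a pointer with a string helper, which stops at the first zero byte and leaves the remaining bytes of `sql` unwritten — user-space addresses routinely contain zero bytes, so `bpf_probe_read_user(&sql, sizeof(sql), ...)` is the right helper. __handle_mysql_start begins before this hunk and __handle_mysql_end continues past it.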
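Review bot: `message->count = count;` narrows a `u64` into the `int count` field added to `mysql_query` in netwatcher.h, and userspace prints it with `%-20d`, so the two sides only agree on width by accident; declare the shared field `u64 count;` and print it with `%-20llu`. The return value of `bpf_map_update_elem(&sql_count, &tid, &count, BPF_ANY);` is ignored, so a full map freezes the counter with no indication. A short comment on the block would help: `// Request = number of queries this thread has completed so far`.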
@@ -605,8 +605,8 @@ static void print_header(enum MonitorMode mode) { "====================MYSQL " "INFORMATION====================================================" "============================\n"); - printf("%-20s %-20s %-20s %-40s %-20s \n", "Pid", "Comm", "Size", "Sql", - "duration/μs"); + printf("%-20s %-20s %-20s %-20s %-40s %-20s %-20s \n", "Pid","Tid", "Comm", "Size", "Sql", + "Duration/μs","Request"); break; case MODE_DEFAULT: printf("===============================================================" @@ -921,6 +921,9 @@ static int print_netfilter(void *ctx, void *packet_info, size_t size) { return 0; unsigned int saddr = pack_info->saddr; unsigned int daddr = pack_info->daddr; + if ((daddr & 0x0000FFFF) == 0x0000007F || + (saddr & 0x0000FFFF) == 0x0000007F) + return 0; printf("%-20s %-20s %-12d %-12d %-8lld %-8lld% -8lld %-8lld %-8lld %-8d", inet_ntop(AF_INET, &saddr, s_str, sizeof(s_str)), inet_ntop(AF_INET, &daddr, d_str, sizeof(d_str)), pack_info->sport, @@ -1085,9 +1088,9 @@ static int print_mysql(void *ctx, void *packet_info, size_t size) { memcpy(&last_query, pack_info, sizeof(mysql_query)); } else { // 结束事件 合并 - printf("%-20d %-20s %-20u %-40s %-20llu\n", last_query.pid, + printf("%-20d %-20d %-20s %-20u %-40s %-20llu %-20d\n", last_query.pid,last_query.tid, last_query.comm, last_query.size, last_query.msql, - pack_info->duratime); + pack_info->duratime,pack_info->count); // 重置 memset(&last_query, 0, sizeof(last_query)); } @@ -1213,7 +1216,7 @@ int main(int argc, char **argv) { } enum MonitorMode mode = get_monitor_mode(); - print_logo(); + print_logo(); print_header(mode); diff --git a/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.h b/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.h index c64d351c9..cbdb580bd 100644 --- a/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.h +++ b/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.h 
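Review bot: The loopback filter added to print_netfilter masks 16 bits and compares with `0x7F`, so it only drops 127.0.x.x, not the whole 127/8 block. `saddr`/`daddr` are handed to `inet_ntop` as network-order bytes, so on a little-endian host the first octet is the low byte: `if ((daddr & 0xFF) == 0x7F || (saddr & 0xFF) == 0x7F) return 0; // skip loopback (127/8)`. The intent is also undocumented; the comment above says why the rows are dropped. print_netfilter continues outside the hunk.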
@@ -170,10 +170,12 @@ struct stacktrace_event { typedef struct mysql_query { int pid; + int tid; char comm[20]; u32 size; char msql[256]; u64 duratime; + int count; } mysql_query; #endif /* __NETWATCHER_H */ \ No newline at end of file From ffc610543ea995cfe4c87d3241da46bf71cbc040 Mon Sep 17 00:00:00 2001 From: wynyibo Date: Sun, 9 Jun 2024 16:27:34 +0800 Subject: [PATCH 2/6] add dns request and response count --- .../net_watcher/common.bpf.h | 19 ++++++++++ .../net_watcher/netwatcher.c | 25 ++++++------ .../net_watcher/netwatcher.h | 2 + .../Network_Subsystem/net_watcher/udp.bpf.h | 38 ++++++++++++++++++- 4 files changed, 71 insertions(+), 13 deletions(-) diff --git a/eBPF_Supermarket/Network_Subsystem/net_watcher/common.bpf.h b/eBPF_Supermarket/Network_Subsystem/net_watcher/common.bpf.h index 6fa70b340..c2341f13b 100644 --- a/eBPF_Supermarket/Network_Subsystem/net_watcher/common.bpf.h +++ b/eBPF_Supermarket/Network_Subsystem/net_watcher/common.bpf.h @@ -102,6 +102,11 @@ struct dns_query { char data[64];// 可变长度数据(域名+类型+类) }; +struct dns{ + u32 saddr; + u32 daddr; +}; + // 操作BPF映射的一个辅助函数 static __always_inline void * //__always_inline强制内联 bpf_map_lookup_or_try_init(void *map, const void *key, const void *init) { @@ -242,6 +247,20 @@ struct { __type(key,__u32); __type(value,__u64); } sql_count SEC(".maps"); +//dns计数根据每个saddr、daddr +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 1024); + __type(key,struct dns); + __type(value,__u64); +} dns_request_count SEC(".maps"); + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 1024); + __type(key,struct dns); + __type(value,__u64); +} dns_response_count SEC(".maps"); const volatile int filter_dport = 0; const volatile int filter_sport = 0; diff --git a/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c b/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c index 8e24d770d..512bbdee7 100644 --- a/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c 
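Review bot: `dns_request_count` and `dns_response_count` are plain hash maps of 1024 entries keyed by `(saddr, daddr)`, and no code in this series deletes an entry. The key is derived from every UDP/53 socket seen, so on a resolver the peer address is chosen by remote senders; a burst from many (or spoofed) source addresses fills both tables, after which `bpf_map_update_elem` fails and the counters freeze for every new pair. Use `BPF_MAP_TYPE_LRU_HASH` so the oldest pairs are evicted, and note the contract: `// per (saddr,daddr) DNS counters; LRU so peer churn cannot pin the table`.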
+++ b/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c @@ -596,17 +596,17 @@ static void print_header(enum MonitorMode mode) { "====================DNS " "INFORMATION====================================================" "============================\n"); - printf("%-20s %-20s %-12s %-12s %-5s %-5s %-5s %-5s %-47s %5s \n", + printf("%-20s %-20s %-12s %-12s %-5s %-5s %-5s %-5s %-47s %-10s %-10s %-10s \n", "Saddr", "Daddr", "Id", "Flags", "Qd", "An", "Ns", "Ar", "Qr", - "RX/direction"); + "Qc","Sc", "RX/direction"); break; case MODE_MYSQL: printf("===============================================================" "====================MYSQL " "INFORMATION====================================================" "============================\n"); - printf("%-20s %-20s %-20s %-20s %-40s %-20s %-20s \n", "Pid","Tid", "Comm", "Size", "Sql", - "Duration/μs","Request"); + printf("%-20s %-20s %-20s %-20s %-40s %-20s %-20s \n", "Pid", "Tid", + "Comm", "Size", "Sql", "Duration/μs", "Request"); break; case MODE_DEFAULT: printf("===============================================================" @@ -1069,11 +1069,14 @@ static int print_dns(void *ctx, void *packet_info, size_t size) { inet_ntop(AF_INET, &daddr, d_str, sizeof(d_str)); print_domain_name((const unsigned char *)pack_info->data, domain_name); - - printf("%-20s %-20s %-#12x %-#12x %-5x %-5x %-5x %-5x %-47s %-10d\n", s_str, + if(pack_info->daddr == 0) + { + return 0; + } + printf("%-20s %-20s %-#12x %-#12x %-5x %-5x %-5x %-5x %-47s %-10d %-10d %-10d \n", s_str, d_str, pack_info->id, pack_info->flags, pack_info->qdcount, pack_info->ancount, pack_info->nscount, pack_info->arcount, - domain_name, pack_info->rx); + domain_name, pack_info->request_count,pack_info->response_count,pack_info->rx); return 0; } 
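Review bot: The new `if (pack_info->daddr == 0) return 0;` runs after `inet_ntop` and `print_domain_name` have already decoded the record, so the work is done and then thrown away; move the guard to the top of print_dns before the two conversions. Why `daddr` can be zero is not stated — presumably an unconnected UDP socket with no `skc_daddr` — so a one-line comment is warranted: `// skip records with no peer address (unconnected socket)`. print_dns begins before this hunk.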
@@ -1088,9 +1091,9 @@ static int print_mysql(void *ctx, void *packet_info, size_t size) { memcpy(&last_query, pack_info, sizeof(mysql_query)); } else { // 结束事件 合并 - printf("%-20d %-20d %-20s %-20u %-40s %-20llu %-20d\n", last_query.pid,last_query.tid, - last_query.comm, last_query.size, last_query.msql, - pack_info->duratime,pack_info->count); + printf("%-20d %-20d %-20s %-20u %-40s %-20llu %-20d\n", last_query.pid, + last_query.tid, last_query.comm, last_query.size, + last_query.msql, pack_info->duratime, pack_info->count); // 重置 memset(&last_query, 0, sizeof(last_query)); } @@ -1216,7 +1219,7 @@ int main(int argc, char **argv) { } enum MonitorMode mode = get_monitor_mode(); - print_logo(); + print_logo(); print_header(mode); diff --git a/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.h b/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.h index cbdb580bd..de8aa5e7a 100644 --- a/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.h +++ b/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.h @@ -155,6 +155,8 @@ struct dns_information { u16 arcount; char data[64]; int rx; + int response_count; + int request_count; }; #define MAX_STACK_DEPTH 128 typedef u64 stack_trace_t[MAX_STACK_DEPTH]; diff --git a/eBPF_Supermarket/Network_Subsystem/net_watcher/udp.bpf.h b/eBPF_Supermarket/Network_Subsystem/net_watcher/udp.bpf.h index af739e859..71aaf3bc0 100644 --- a/eBPF_Supermarket/Network_Subsystem/net_watcher/udp.bpf.h +++ b/eBPF_Supermarket/Network_Subsystem/net_watcher/udp.bpf.h @@ -123,7 +123,8 @@ static __always_inline int __ip_send_skb(struct sk_buff *skb) { static __always_inline int process_dns_packet(struct sk_buff *skb, int rx) { if (skb == NULL) return 0; - + u16 QR_flags; + u64 *count_ptr, response_count = 0, request_count = 0; struct sock *sk = BPF_CORE_READ(skb, sk); struct packet_tuple pkt_tuple = { .saddr = BPF_CORE_READ(sk, __sk_common.skc_rcv_saddr), 
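Review bot: `int response_count; int request_count;` receive `u64` values from udp.bpf.h (`message->request_count = request_count;`), so this shared BPF/userspace struct defines the fields narrower than the writer, and print_dns formats them with `%-10d`. Declare them `u64 request_count; u64 response_count;` (in the same order the writer assigns them) and switch the format to `%-10llu`, so the layout is the same on both sides and large counts do not wrap negative.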
@@ -131,6 +132,8 @@ static __always_inline int process_dns_packet(struct sk_buff *skb, int rx) { .sport = BPF_CORE_READ(sk, __sk_common.skc_num), .dport = __bpf_ntohs(BPF_CORE_READ(sk, __sk_common.skc_dport)), .tran_flag = UDP}; + // 使用saddr、daddr作为key + struct dns key = {.saddr = pkt_tuple.saddr, .daddr = pkt_tuple.daddr}; if ((pkt_tuple.sport != 53) && (pkt_tuple.dport != 53)) return 0; @@ -151,7 +154,36 @@ static __always_inline int process_dns_packet(struct sk_buff *skb, int rx) { bpf_probe_read_kernel(message->data, sizeof(message->data), BPF_CORE_READ(skb, head) + dns_offset + sizeof(struct dns_header)); - + QR_flags = __bpf_ntohs(query.header.flags); + // 响应 QR=1 + if (QR_flags & 0x8000) { + count_ptr = bpf_map_lookup_elem(&dns_response_count, &key); + if (count_ptr) { + response_count = *count_ptr + 1; + } else { + response_count = 1; + } + bpf_map_update_elem(&dns_response_count, &key, &response_count, + BPF_ANY); + count_ptr = bpf_map_lookup_elem(&dns_request_count, &key); + if (count_ptr) { + request_count = *count_ptr; + } + // bpf_printk("qr1=%d", response_count); + } else { // 请求 QR=0 + count_ptr = bpf_map_lookup_elem(&dns_request_count, &key); + if (count_ptr) { + request_count = *count_ptr + 1; + } else { + request_count = 1; + } + bpf_map_update_elem(&dns_request_count, &key, &request_count, BPF_ANY); + count_ptr = bpf_map_lookup_elem(&dns_response_count, &key); + if (count_ptr) { + response_count = *count_ptr; + } + // bpf_printk("qr2=%d", request_count); + } message->saddr = rx ? pkt_tuple.saddr : pkt_tuple.daddr; message->daddr = rx ? pkt_tuple.daddr : pkt_tuple.saddr; message->id = __bpf_ntohs(query.header.id); 
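Review bot: The counter update is a non-atomic read-modify-write: `response_count = *count_ptr + 1;` followed by `bpf_map_update_elem(&dns_response_count, ...)` can run on two CPUs for the same `(saddr, daddr)` key at once, since a hash map is shared across CPUs, so increments are lost under load; the request branch has the same shape. When the lookup succeeds, increment in place with `response_count = __sync_fetch_and_add(count_ptr, 1) + 1;` and only call `bpf_map_update_elem(..., BPF_NOEXIST)` for the first packet of a key. The unchecked return of `bpf_map_update_elem` also means a full map stops counting without any signal. process_dns_packet begins before this hunk and continues after it.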
@@ -160,6 +192,8 @@ static __always_inline int process_dns_packet(struct sk_buff *skb, int rx) { message->ancount = __bpf_ntohs(query.header.ancount); message->nscount = __bpf_ntohs(query.header.nscount); message->arcount = __bpf_ntohs(query.header.arcount); + message->request_count = request_count; + message->response_count = response_count; message->rx = rx; bpf_ringbuf_submit(message, 0); From 4242db476c812bbdc90d0b356e9753ffed25a504 Mon Sep 17 00:00:00 2001 From: wynyibo Date: Sun, 9 Jun 2024 16:48:04 +0800 Subject: [PATCH 3/6] add dns request and response count --- .../Network_Subsystem/net_watcher/common.bpf.h | 3 +++ .../Network_Subsystem/net_watcher/netwatcher.c | 4 ++-- .../Network_Subsystem/net_watcher/udp.bpf.h | 15 +++++++++------ 3 files changed, 14 insertions(+), 8 deletions(-) diff --git a/eBPF_Supermarket/Network_Subsystem/net_watcher/common.bpf.h b/eBPF_Supermarket/Network_Subsystem/net_watcher/common.bpf.h index c2341f13b..90ad50757 100644 --- a/eBPF_Supermarket/Network_Subsystem/net_watcher/common.bpf.h +++ b/eBPF_Supermarket/Network_Subsystem/net_watcher/common.bpf.h @@ -233,6 +233,7 @@ struct { __type(key, struct sock *); __type(value, __u64); } tcp_state SEC(".maps"); + //sql 耗时 struct { __uint(type, BPF_MAP_TYPE_HASH); @@ -240,6 +241,7 @@ struct { __type(key, __u32); __type(value, __u64); } mysql_time SEC(".maps"); + //sql请求数 struct { __uint(type, BPF_MAP_TYPE_HASH); @@ -247,6 +249,7 @@ struct { __type(key,__u32); __type(value,__u64); } sql_count SEC(".maps"); + //dns计数根据每个saddr、daddr struct { __uint(type, BPF_MAP_TYPE_HASH); diff --git a/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c b/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c index 512bbdee7..0a70a1808 100644 --- a/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c +++ b/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c 
@@ -74,11 +74,11 @@ static const struct argp_option opts[] = { {"dns", 'D', 0, 0, "set to trace dns information info include Id 事务ID、Flags 标志字段、Qd " "问题部分计数、An 应答记录计数、Ns 授权记录计数、Ar 附加记录计数、Qr " - "域名、rx 收发包 "}, + "域名、rx 收发包 、Qc请求数、Sc响应数"}, {"stack", 'A', 0, 0, "set to trace of stack "}, {"mysql", 'M', 0, 0, "set to trace mysql information info include Pid 进程id、Comm " - "进程名、Size sql语句字节大小、Sql 语句"}, + "进程名、Size sql语句字节大小、Sql 语句、Duration Sql耗时、Request Sql请求数"}, {}}; static error_t parse_arg(int key, char *arg, struct argp_state *state) { diff --git a/eBPF_Supermarket/Network_Subsystem/net_watcher/udp.bpf.h b/eBPF_Supermarket/Network_Subsystem/net_watcher/udp.bpf.h index 71aaf3bc0..d39da361d 100644 --- a/eBPF_Supermarket/Network_Subsystem/net_watcher/udp.bpf.h +++ b/eBPF_Supermarket/Network_Subsystem/net_watcher/udp.bpf.h @@ -155,8 +155,11 @@ static __always_inline int process_dns_packet(struct sk_buff *skb, int rx) { BPF_CORE_READ(skb, head) + dns_offset + sizeof(struct dns_header)); QR_flags = __bpf_ntohs(query.header.flags); - // 响应 QR=1 - if (QR_flags & 0x8000) { + /* + 1000 0000 0000 0000 + &运算提取最高位QR, QR=1 Response QR=0 Request + */ + if (QR_flags & 0x8000) { // 响应 count_ptr = bpf_map_lookup_elem(&dns_response_count, &key); if (count_ptr) { response_count = *count_ptr + 1; @@ -165,12 +168,12 @@ static __always_inline int process_dns_packet(struct sk_buff *skb, int rx) { } bpf_map_update_elem(&dns_response_count, &key, &response_count, BPF_ANY); + // 保留映射中的请求计数值 count_ptr = bpf_map_lookup_elem(&dns_request_count, &key); if (count_ptr) { request_count = *count_ptr; } - // bpf_printk("qr1=%d", response_count); - } else { // 请求 QR=0 + } else { // 请求 count_ptr = bpf_map_lookup_elem(&dns_request_count, &key); if (count_ptr) { request_count = *count_ptr + 1; 
@@ -178,11 +181,11 @@ static __always_inline int process_dns_packet(struct sk_buff *skb, int rx) { request_count = 1; } bpf_map_update_elem(&dns_request_count, &key, &request_count, BPF_ANY); + // 保留映射中的响应计数值 count_ptr = bpf_map_lookup_elem(&dns_response_count, &key); if (count_ptr) { response_count = *count_ptr; - } - // bpf_printk("qr2=%d", request_count); + } } message->saddr = rx ? pkt_tuple.saddr : pkt_tuple.daddr; message->daddr = rx ? pkt_tuple.daddr : pkt_tuple.saddr; From 9213143abdb5e499556a59a3f354462ffecda90e Mon Sep 17 00:00:00 2001 From: wynyibo Date: Sun, 9 Jun 2024 22:09:32 +0800 Subject: [PATCH 4/6] update --- .../net_watcher/netwatcher.c | 46 ++++++++++++------- 1 file changed, 29 insertions(+), 17 deletions(-) diff --git a/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c b/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c index 0a70a1808..5fe5837d9 100644 --- a/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c +++ b/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c @@ -78,7 +78,8 @@ static const struct argp_option opts[] = { {"stack", 'A', 0, 0, "set to trace of stack "}, {"mysql", 'M', 0, 0, "set to trace mysql information info include Pid 进程id、Comm " - "进程名、Size sql语句字节大小、Sql 语句、Duration Sql耗时、Request Sql请求数"}, + "进程名、Size sql语句字节大小、Sql 语句、Duration Sql耗时、Request " + "Sql请求数"}, {}}; static error_t parse_arg(int key, char *arg, struct argp_state *state) { @@ -357,6 +358,9 @@ struct LayerDelayInfo { #define GRANULARITY 3 #define ALPHA 0.2 // 衰减因子 #define MAXTIME 10000 +#define SLOW_QUERY_THRESHOLD 10000 // +#define ANSI_COLOR_RED "\x1b[31m" +#define ANSI_COLOR_RESET "\x1b[0m" // 全局变量用于存储每层的移动平均值 float ewma_values[NUM_LAYERS] = {0}; 
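Review bot: `#define SLOW_QUERY_THRESHOLD 10000 //` carries an empty trailing comment and no unit; `duratime` is `bpf_ktime_get_ns() / 1000` in mysql.bpf.h, so the threshold is 10 000 µs. Write `#define SLOW_QUERY_THRESHOLD 10000 /* us (10 ms); duratime is bpf_ktime_get_ns()/1000 */` so the next reader does not assume milliseconds. The two ANSI macros could likewise note that they are only meaningful when stdout is a terminal.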
@@ -596,9 +600,10 @@ static void print_header(enum MonitorMode mode) { "====================DNS " "INFORMATION====================================================" "============================\n"); - printf("%-20s %-20s %-12s %-12s %-5s %-5s %-5s %-5s %-47s %-10s %-10s %-10s \n", + printf("%-20s %-20s %-12s %-12s %-5s %-5s %-5s %-5s %-47s %-10s %-10s " + "%-10s \n", "Saddr", "Daddr", "Id", "Flags", "Qd", "An", "Ns", "Ar", "Qr", - "Qc","Sc", "RX/direction"); + "Qc", "Sc", "RX/direction"); break; case MODE_MYSQL: printf("===============================================================" @@ -921,9 +926,9 @@ static int print_netfilter(void *ctx, void *packet_info, size_t size) { return 0; unsigned int saddr = pack_info->saddr; unsigned int daddr = pack_info->daddr; - if ((daddr & 0x0000FFFF) == 0x0000007F || - (saddr & 0x0000FFFF) == 0x0000007F) - return 0; + // if ((daddr & 0x0000FFFF) == 0x0000007F || + // (saddr & 0x0000FFFF) == 0x0000007F) + // return 0; printf("%-20s %-20s %-12d %-12d %-8lld %-8lld% -8lld %-8lld %-8lld %-8d", inet_ntop(AF_INET, &saddr, s_str, sizeof(s_str)), inet_ntop(AF_INET, &daddr, d_str, sizeof(d_str)), pack_info->sport, @@ -1069,14 +1074,15 @@ static int print_dns(void *ctx, void *packet_info, size_t size) { inet_ntop(AF_INET, &daddr, d_str, sizeof(d_str)); print_domain_name((const unsigned char *)pack_info->data, domain_name); - if(pack_info->daddr == 0) - { + if (pack_info->daddr == 0) { return 0; } - printf("%-20s %-20s %-#12x %-#12x %-5x %-5x %-5x %-5x %-47s %-10d %-10d %-10d \n", s_str, - d_str, pack_info->id, pack_info->flags, pack_info->qdcount, + printf("%-20s %-20s %-#12x %-#12x %-5x %-5x %-5x %-5x %-47s %-10d %-10d " + "%-10d \n", + s_str, d_str, pack_info->id, pack_info->flags, pack_info->qdcount, pack_info->ancount, pack_info->nscount, pack_info->arcount, - domain_name, pack_info->request_count,pack_info->response_count,pack_info->rx); + domain_name, pack_info->request_count, pack_info->response_count, + pack_info->rx); return 0; } 
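Review bot: The loopback filter in print_netfilter is commented out rather than removed, leaving dead code whose mask was wrong (`& 0x0000FFFF` against `0x7F` only matched 127.0.x.x) for the next reader to resurrect. Delete the three lines; if the filter is wanted later, test the first octet instead, `(daddr & 0xFF) == 0x7F` on a little-endian host, and gate it on an option. print_netfilter continues outside the hunk.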
@@ -1084,17 +1090,23 @@ static int print_dns(void *ctx, void *packet_info, size_t size) { static mysql_query last_query; static int print_mysql(void *ctx, void *packet_info, size_t size) { + const mysql_query *pack_info = packet_info; - // 假设duratime总是0 + if (pack_info->duratime == 0) { // 存储开始事件数据 memcpy(&last_query, pack_info, sizeof(mysql_query)); } else { - // 结束事件 合并 - printf("%-20d %-20d %-20s %-20u %-40s %-20llu %-20d\n", last_query.pid, - last_query.tid, last_query.comm, last_query.size, - last_query.msql, pack_info->duratime, pack_info->count); - // 重置 + printf("%-20d %-20d %-20s %-20u %-40s ", last_query.pid, last_query.tid, + last_query.comm, last_query.size, last_query.msql); + if (pack_info->duratime > SLOW_QUERY_THRESHOLD) { + printf(ANSI_COLOR_RED); + } + printf("%-20llu", pack_info->duratime); + if (pack_info->duratime > SLOW_QUERY_THRESHOLD) { + printf(ANSI_COLOR_RESET); + } + printf(" %-20d\n", pack_info->count); memset(&last_query, 0, sizeof(last_query)); } return 0; From 692ac2a1bb7986a7b69997320cd7b8f526102a7a Mon Sep 17 00:00:00 2001 From: wynyibo Date: Thu, 13 Jun 2024 14:59:55 +0800 Subject: [PATCH 5/6] update --- .../net_watcher/netwatcher.c | 44 ++++++++++++------- 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c b/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c index 5fe5837d9..c00e31c1a 100644 --- a/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c +++ b/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c 
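Review bot: `printf(ANSI_COLOR_RED)` and `printf(ANSI_COLOR_RESET)` are emitted unconditionally, so when stdout is redirected to a file or piped into another tool the escape bytes land in the data; guard the highlight with `isatty(STDOUT_FILENO)` (from `<unistd.h>`) and print the plain duration otherwise. Relatedly, `last_query.msql` is SQL text copied verbatim from the client and printed with `%-40s`; now that the tool itself writes terminal control sequences, non-printable bytes in that string should be escaped before printing so query text cannot inject terminal escapes. The duplicated threshold test can collapse to one line: `const char *hl = (pack_info->duratime > SLOW_QUERY_THRESHOLD) ? ANSI_COLOR_RED : "";`. print_mysql continues past this hunk.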
@@ -43,7 +43,7 @@ static int sport = 0, dport = 0; // for filter static int all_conn = 0, err_packet = 0, extra_conn_info = 0, layer_time = 0, http_info = 0, retrans_info = 0, udp_info = 0, net_filter = 0, drop_reason = 0, addr_to_func = 0, icmp_info = 0, tcp_info = 0, - time_load = 0, dns_info = 0, stack_info = 0, mysql_info = 0; // flag + time_load = 0, dns_info = 0, stack_info = 0, mysql_info = 0,count_info = 0; // flag static const char *tcp_states[] = { [1] = "ESTABLISHED", [2] = "SYN_SENT", [3] = "SYN_RECV", @@ -54,7 +54,6 @@ static const char *tcp_states[] = { }; static const char argp_program_doc[] = "Watch tcp/ip in network subsystem \n"; - static const struct argp_option opts[] = { {"all", 'a', 0, 0, "set to trace CLOSED connection"}, {"err", 'e', 0, 0, "set to trace TCP error packets"}, @@ -80,6 +79,7 @@ static const struct argp_option opts[] = { "set to trace mysql information info include Pid 进程id、Comm " "进程名、Size sql语句字节大小、Sql 语句、Duration Sql耗时、Request " "Sql请求数"}, + {"count", 'C', "NUMBER", 0, "specify the time to count the number of requests"}, {}}; static error_t parse_arg(int key, char *arg, struct argp_state *state) { @@ -139,6 +139,9 @@ static error_t parse_arg(int key, char *arg, struct argp_state *state) { case 'M': mysql_info = 1; break; + case 'C': + count_info =strtoul(arg,&end, 10); + break; default: return ARGP_ERR_UNKNOWN; } @@ -254,7 +257,7 @@ static const char binary_path[] = "/usr/sbin/mysqld"; __ATTACH_UPROBE_CHECKED(skel, sym_name, prog_name, false) #define ATTACH_URETPROBE_CHECKED(skel, sym_name, prog_name) \ __ATTACH_UPROBE_CHECKED(skel, sym_name, prog_name, true) - +static time_t last_check_time = 0; struct SymbolEntry symbols[300000]; int num_symbols = 0; // 定义快表 
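Review bot: `count_info = strtoul(arg, &end, 10);` accepts the argument without checking `end`, `errno` or range, so `-C abc` silently yields 0 and an oversized value is truncated into the `int count_info` (and may go negative). Validate the parse: `errno = 0; unsigned long v = strtoul(arg, &end, 10);` then `if (end == arg || *end || errno == ERANGE || v > INT_MAX) argp_error(state, "invalid NUMBER for -C: %s", arg);` before `count_info = (int)v;`. `end` is not declared in this hunk, so it presumably comes from an earlier case in parse_arg, which begins before and ends after the hunk.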
@@ -1059,6 +1062,15 @@ static void print_domain_name(const unsigned char *data, char *output) { output[pos] = '\0'; // 确保字符串正确结束 } +bool check_time() +{ + if(time(NULL)-last_check_time >= count_info){ + last_check_time=time(NULL); + return true; + } + return false; +} + static int print_dns(void *ctx, void *packet_info, size_t size) { if (!packet_info) return 0; @@ -1083,31 +1095,31 @@ static int print_dns(void *ctx, void *packet_info, size_t size) { pack_info->ancount, pack_info->nscount, pack_info->arcount, domain_name, pack_info->request_count, pack_info->response_count, pack_info->rx); - return 0; } - static mysql_query last_query; static int print_mysql(void *ctx, void *packet_info, size_t size) { + if (!mysql_info) { + return 0; + } const mysql_query *pack_info = packet_info; - if (pack_info->duratime == 0) { - // 存储开始事件数据 + memcpy(&last_query, pack_info, sizeof(mysql_query)); } else { - printf("%-20d %-20d %-20s %-20u %-40s ", last_query.pid, last_query.tid, + + printf("%-20d %-20d %-20s %-20u %-40s", last_query.pid, last_query.tid, last_query.comm, last_query.size, last_query.msql); - if (pack_info->duratime > SLOW_QUERY_THRESHOLD) { - printf(ANSI_COLOR_RED); - } - printf("%-20llu", pack_info->duratime); - if (pack_info->duratime > SLOW_QUERY_THRESHOLD) { - printf(ANSI_COLOR_RESET); + // 当 duratime 大于 count_info 时,才打印 duratime + if (pack_info->duratime > count_info) { + printf("%-21llu", pack_info->duratime); + }else { + printf("%-21s", ""); } - printf(" %-20d\n", pack_info->count); - memset(&last_query, 0, sizeof(last_query)); + printf("%-20d\n", pack_info->count); + memset(&last_query, 0, sizeof(mysql_query)); } return 0; } From 713190af59b65dd1c59df8983ca56ca0c5099d89 Mon Sep 17 00:00:00 2001 From: wynyibo Date: Thu, 13 Jun 2024 21:46:22 +0800 Subject: [PATCH 6/6] update --- .../net_watcher/netwatcher.c | 30 ++++++++----------- 1 file changed, 12 insertions(+), 18 deletions(-) 
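Review bot: `check_time()` is added but never called, is not `static` (it leaks into the global namespace with no prototype), and the empty parameter list is an old-style declaration — it should be `static bool check_time(void)`. It also treats `count_info` as a window in seconds (`time(NULL) - last_check_time >= count_info`), whereas print_mysql below uses the same flag as a microsecond duration threshold, so the two uses cannot both match the `--count` help text. Either wire it into rate-limited printing with a clear unit, or drop it.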
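Review bot: `if (pack_info->duratime > count_info)` compares a `u64` with the `int count_info`, so a negative value (possible because strtoul's result is stored in an int) converts to a huge unsigned and hides every duration. More fundamentally, `-C` is documented as "the time to count the number of requests" but is used here as a µs display threshold, replacing the named `SLOW_QUERY_THRESHOLD` from the previous commit. Keep the named threshold for the slow-query highlight, or rename and re-document the option as a threshold, and make the comparison type-safe: `if (count_info >= 0 && pack_info->duratime > (u64)count_info)`.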
diff --git a/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c b/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c index c00e31c1a..c2ba5490e 100644 --- a/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c +++ b/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c @@ -43,7 +43,8 @@ static int sport = 0, dport = 0; // for filter static int all_conn = 0, err_packet = 0, extra_conn_info = 0, layer_time = 0, http_info = 0, retrans_info = 0, udp_info = 0, net_filter = 0, drop_reason = 0, addr_to_func = 0, icmp_info = 0, tcp_info = 0, - time_load = 0, dns_info = 0, stack_info = 0, mysql_info = 0,count_info = 0; // flag + time_load = 0, dns_info = 0, stack_info = 0, mysql_info = 0, + count_info = 0; // flag static const char *tcp_states[] = { [1] = "ESTABLISHED", [2] = "SYN_SENT", [3] = "SYN_RECV", @@ -79,7 +80,8 @@ static const struct argp_option opts[] = { "set to trace mysql information info include Pid 进程id、Comm " "进程名、Size sql语句字节大小、Sql 语句、Duration Sql耗时、Request " "Sql请求数"}, - {"count", 'C', "NUMBER", 0, "specify the time to count the number of requests"}, + {"count", 'C', "NUMBER", 0, + "specify the time to count the number of requests"}, {}}; static error_t parse_arg(int key, char *arg, struct argp_state *state) { @@ -140,7 +142,7 @@ static error_t parse_arg(int key, char *arg, struct argp_state *state) { mysql_info = 1; break; case 'C': - count_info =strtoul(arg,&end, 10); + count_info = strtoul(arg, &end, 10); break; default: return ARGP_ERR_UNKNOWN; @@ -257,7 +259,6 @@ static const char binary_path[] = "/usr/sbin/mysqld"; __ATTACH_UPROBE_CHECKED(skel, sym_name, prog_name, false) #define ATTACH_URETPROBE_CHECKED(skel, sym_name, prog_name) \ __ATTACH_UPROBE_CHECKED(skel, sym_name, prog_name, true) -static time_t last_check_time = 0; struct SymbolEntry symbols[300000]; int num_symbols = 0; // 定义快表 
@@ -1042,6 +1043,7 @@ static int print_icmptime(void *ctx, void *packet_info, size_t size) { printf("\n"); return 0; } + // 从DNS数据包中提取并打印域名 static void print_domain_name(const unsigned char *data, char *output) { const unsigned char *next = data; @@ -1062,15 +1064,6 @@ static void print_domain_name(const unsigned char *data, char *output) { output[pos] = '\0'; // 确保字符串正确结束 } -bool check_time() -{ - if(time(NULL)-last_check_time >= count_info){ - last_check_time=time(NULL); - return true; - } - return false; -} - static int print_dns(void *ctx, void *packet_info, size_t size) { if (!packet_info) return 0; @@ -1101,23 +1094,24 @@ static mysql_query last_query; static int print_mysql(void *ctx, void *packet_info, size_t size) { if (!mysql_info) { - return 0; + return 0; } const mysql_query *pack_info = packet_info; if (pack_info->duratime == 0) { - + memcpy(&last_query, pack_info, sizeof(mysql_query)); } else { - + printf("%-20d %-20d %-20s %-20u %-40s", last_query.pid, last_query.tid, last_query.comm, last_query.size, last_query.msql); - // 当 duratime 大于 count_info 时,才打印 duratime + // 当 duratime 大于 count_info 时,才打印 duratime if (pack_info->duratime > count_info) { printf("%-21llu", pack_info->duratime); - }else { + } else { printf("%-21s", ""); } + printf("%-20d\n", pack_info->count); memset(&last_query, 0, sizeof(mysql_query)); }