diff --git a/eBPF_Supermarket/Network_Subsystem/net_watcher/common.bpf.h b/eBPF_Supermarket/Network_Subsystem/net_watcher/common.bpf.h index 89a5b9d91..332793957 100644 --- a/eBPF_Supermarket/Network_Subsystem/net_watcher/common.bpf.h +++ b/eBPF_Supermarket/Network_Subsystem/net_watcher/common.bpf.h @@ -28,43 +28,42 @@ #include #include -struct ktime_info { // us time stamp info发送数据包 +struct ktime_info { // us time stamp info发送数据包 u64 qdisc_time; // tx包离开mac层时间戳 u64 mac_time; // tx、rx包到达mac层时间戳 u64 ip_time; // tx、rx包到达ip层时间戳 // u64 tcp_time; // tx、rx包到达tcp层时间戳 - u64 tran_time; // tx、rx包到达传输层时间戳 - u64 app_time; // rx包离开tcp层时间戳 - void *sk; // 此包所属 socket套接字 + u64 tran_time; // tx、rx包到达传输层时间戳 + u64 app_time; // rx包离开tcp层时间戳 + void *sk; // 此包所属 socket套接字 u8 data[MAX_HTTP_HEADER]; // 用户层数据 }; struct packet_tuple { unsigned __int128 saddr_v6; // ipv6 源地址 unsigned __int128 daddr_v6; // ipv6 目的地址 - u32 saddr; // 源地址 - u32 daddr; // 目的地址 - u16 sport; // 源端口号 - u16 dport; // 目的端口号 - u32 seq; // seq报文序号 - u32 ack; // ack确认号 - u32 tran_flag; // 1:tcp 2:udp + u32 saddr; // 源地址 + u32 daddr; // 目的地址 + u16 sport; // 源端口号 + u16 dport; // 目的端口号 + u32 seq; // seq报文序号 + u32 ack; // ack确认号 + u32 tran_flag; // 1:tcp 2:udp u32 len; }; struct tcpstate { - u32 saddr; - u32 daddr; + u32 saddr; + u32 daddr; u16 sport; - u16 dport; + u16 dport; u16 family; - int oldstate; - int newstate; + int oldstate; + int newstate; u64 time; }; -enum -{ +enum { e_ip_rcv = 0, e_ip_local_deliver, e_ip_local_deliver_finish, @@ -74,37 +73,42 @@ enum e_ip_finish_output, e_ip_forward, nf_max -}nf_hook; +} nf_hook; -struct filtertime { +struct filtertime { struct packet_tuple init; struct packet_tuple done; u64 time[nf_max]; }; -struct ip_packet -{ - unsigned int saddr; // 源地址 - unsigned int daddr; // 目的地址 +struct ip_packet { + unsigned int saddr; // 源地址 + unsigned int daddr; // 目的地址 }; struct dns_header { - u16 id;// 事务ID - u16 flags;// 标志字段 - u16 qdcount;// 问题部分计数 - u16 ancount;// 应答记录计数 - u16 nscount;// 授权记录计数 - u16 arcount;// 附加记录计数 + u16 id; // 事务ID + u16 flags; // 标志字段 + u16 qdcount; // 问题部分计数 + u16 ancount; // 应答记录计数 + u16 nscount; // 授权记录计数 + u16 arcount; // 附加记录计数 }; struct dns_query { - struct dns_header header;// DNS头部 - char data[64];// 可变长度数据(域名+类型+类) + struct dns_header header; // DNS头部 + char data[64]; // 可变长度数据(域名+类型+类) }; -struct dns{ - u32 saddr; - u32 daddr; +struct dns { + u32 saddr; + u32 daddr; +}; + +struct query_info { + char msql[256]; + u32 size; + u64 start_time; }; // 操作BPF映射的一个辅助函数 @@ -223,30 +227,31 @@ struct { __uint(max_entries, MAX_CONN *MAX_PACKET); __type(key, int); __type(value, struct packet_tuple); -} kfree SEC(".maps"); +} kfree SEC(".maps"); struct { __uint(type, BPF_MAP_TYPE_LRU_HASH); - __uint(max_entries, MAX_CONN * MAX_PACKET); + __uint(max_entries, MAX_CONN *MAX_PACKET); __type(key, struct ip_packet); - __type(value,unsigned long long); + __type(value, unsigned long long); } icmp_time SEC(".maps"); struct { - __uint(type, BPF_MAP_TYPE_HASH); - __uint(max_entries, 256*1024); - __type(key, struct sock *); - __type(value, __u64); + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 256 * 1024); + __type(key, struct sock *); + __type(value, __u64); } tcp_state SEC(".maps"); -//sql 耗时 +// sql 耗时 struct { - __uint(type, BPF_MAP_TYPE_HASH); - __uint(max_entries, 256*1024); - __type(key, __u32); - __type(value, __u64); + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 256 * 1024); + __type(key, __u32); + __type(value, __u64); } mysql_time SEC(".maps"); + //redis 耗时 struct { __uint(type, BPF_MAP_TYPE_HASH); @@ -255,29 +260,36 @@ struct { __type(value, struct redis_query); } redis_time SEC(".maps"); -//sql请求数 + struct { __uint(type, BPF_MAP_TYPE_HASH); __uint(max_entries, 1024); - __type(key,__u32); - __type(value,__u64); + __type(key, __u32); + __type(value, __u64); } sql_count SEC(".maps"); -//dns计数根据每个saddr、daddr +// dns计数根据每个saddr、daddr struct { __uint(type, BPF_MAP_TYPE_HASH); __uint(max_entries, 1024); - __type(key,struct dns); - __type(value,__u64); + __type(key, struct dns); + __type(value, __u64); } dns_request_count SEC(".maps"); struct { __uint(type, BPF_MAP_TYPE_HASH); __uint(max_entries, 1024); - __type(key,struct dns); - __type(value,__u64); + __type(key, struct dns); + __type(value, __u64); } dns_response_count SEC(".maps"); +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 1024); + __type(key, __u32); + __type(value, struct query_info); +} queries SEC(".maps"); + const volatile int filter_dport = 0; const volatile int filter_sport = 0; const volatile int all_conn = 0, err_packet = 0, extra_conn_info = 0, @@ -285,14 +297,15 @@ const volatile int all_conn = 0, err_packet = 0, extra_conn_info = 0, drop_reason = 0,icmp_info = 0 ,tcp_info = 0 ,dns_info = 0 ,stack_info = 0, mysql_info = 0, redis_info = 0; -/* help macro */ -#define FILTER \ - if(filter_dport&&filter_dport!= pkt_tuple.dport) \ - return 0; \ - if(filter_sport&&filter_sport!= pkt_tuple.sport) \ - return 0; \ +/* help macro */ + +#define FILTER \ + if (filter_dport && filter_dport != pkt_tuple.dport) \ + return 0; \ + if (filter_sport && filter_sport != pkt_tuple.sport) \ + return 0; // 连接的目标端口是否匹配于filter_dport的值 #define FILTER_DPORT \ @@ -327,7 +340,7 @@ const volatile int all_conn = 0, err_packet = 0, extra_conn_info = 0, conn.dport = __bpf_ntohs(dport); \ conn.init_timestamp = bpf_ktime_get_ns() / 1000; -//初始化conn_t地址相关信息 +// 初始化conn_t地址相关信息 #define CONN_ADD_ADDRESS \ if (family == AF_INET) { \ conn.saddr = BPF_CORE_READ(sk, __sk_common.skc_rcv_saddr); \ @@ -343,7 +356,7 @@ const volatile int all_conn = 0, err_packet = 0, extra_conn_info = 0, &sk->__sk_common.skc_v6_daddr.in6_u.u6_addr32); \ } -//初始化conn其余额外信息 +// 初始化conn其余额外信息 #define CONN_ADD_EXTRA_INFO \ if (extra_conn_info) { \ struct tcp_sock *tp = (struct tcp_sock *)sk; \ @@ -363,7 +376,6 @@ const volatile int all_conn = 0, err_packet = 0, extra_conn_info = 0, #define CONN_INFO_TRANSFER tinfo->sk = conn->sock; // 将conn->sock赋给tinfo->sk - #define PACKET_INIT_WITH_COMMON_INFO \ struct pack_t *packet; \ packet = bpf_ringbuf_reserve(&rb, sizeof(*packet), 0); \ @@ -379,33 +391,29 @@ const volatile int all_conn = 0, err_packet = 0, extra_conn_info = 0, /* help functions */ // 将struct sock类型的指针转化为struct tcp_sock类型的指针 -static __always_inline -struct tcp_sock *tcp_sk(const struct sock *sk) { +static __always_inline struct tcp_sock *tcp_sk(const struct sock *sk) { return (struct tcp_sock *)sk; } // 将struct sk_buff类型的指针转化为struct udphdr类型的指针 -static __always_inline -struct udphdr *skb_to_udphdr(const struct sk_buff *skb) { +static __always_inline struct udphdr *skb_to_udphdr(const struct sk_buff *skb) { return (struct udphdr *)(( BPF_CORE_READ(skb, head) + // 报文头部偏移 BPF_CORE_READ(skb, transport_header))); // 传输层部分偏移 } // 将struct sk_buff类型的指针转化为struct tcphdr类型的指针 -static __always_inline -struct tcphdr *skb_to_tcphdr(const struct sk_buff *skb) { +static __always_inline struct tcphdr *skb_to_tcphdr(const struct sk_buff *skb) { return (struct tcphdr *)(( BPF_CORE_READ(skb, head) + // 报文头部偏移 BPF_CORE_READ(skb, transport_header))); // 传输层部分偏移 } // 将struct sk_buff类型的指针转化为struct iphdr类型的指针 -static __always_inline -struct iphdr *skb_to_iphdr(const struct sk_buff *skb) { +static __always_inline struct iphdr *skb_to_iphdr(const struct sk_buff *skb) { return (struct iphdr *)(BPF_CORE_READ(skb, head) + BPF_CORE_READ(skb, network_header)); } // 将struct sk_buff类型的指针转化为struct ipv6hdr类型的指针 -static __always_inline -struct ipv6hdr *skb_to_ipv6hdr(const struct sk_buff *skb) { +static __always_inline struct ipv6hdr * +skb_to_ipv6hdr(const struct sk_buff *skb) { return (struct ipv6hdr *)(BPF_CORE_READ(skb, head) + BPF_CORE_READ(skb, network_header)); } @@ -416,9 +424,9 @@ static void get_ip_pkt_tuple(struct ip_packet *ipk, struct iphdr *ip) { } // 初始化packet_tuple结构指针pkt_tuple -static __always_inline -void get_pkt_tuple(struct packet_tuple *pkt_tuple, struct iphdr *ip, - struct tcphdr *tcp) { +static __always_inline void get_pkt_tuple(struct packet_tuple *pkt_tuple, + struct iphdr *ip, + struct tcphdr *tcp) { pkt_tuple->saddr = BPF_CORE_READ(ip, saddr); pkt_tuple->daddr = BPF_CORE_READ(ip, daddr); u16 sport = BPF_CORE_READ(tcp, source); @@ -439,9 +447,9 @@ void get_pkt_tuple(struct packet_tuple *pkt_tuple, struct iphdr *ip, pkt_tuple->len = 0; } // 初始化packet_tuple结构指针pkt_tuple -static __always_inline -void get_udp_pkt_tuple(struct packet_tuple *pkt_tuple, struct iphdr *ip, - struct udphdr *udp) { +static __always_inline void get_udp_pkt_tuple(struct packet_tuple *pkt_tuple, + struct iphdr *ip, + struct udphdr *udp) { pkt_tuple->saddr = BPF_CORE_READ(ip, saddr); pkt_tuple->daddr = BPF_CORE_READ(ip, daddr); u16 sport = BPF_CORE_READ(udp, source); @@ -454,9 +462,9 @@ void get_udp_pkt_tuple(struct packet_tuple *pkt_tuple, struct iphdr *ip, pkt_tuple->tran_flag = UDP; // udp包 } -static __always_inline -void get_pkt_tuple_v6(struct packet_tuple *pkt_tuple, - struct ipv6hdr *ip6h, struct tcphdr *tcp) { +static __always_inline void get_pkt_tuple_v6(struct packet_tuple *pkt_tuple, + struct ipv6hdr *ip6h, + struct tcphdr *tcp) { bpf_probe_read_kernel(&pkt_tuple->saddr_v6, sizeof(pkt_tuple->saddr_v6), &ip6h->saddr.in6_u.u6_addr32); bpf_probe_read_kernel(&pkt_tuple->daddr_v6, sizeof(pkt_tuple->daddr_v6), @@ -472,31 +480,29 @@ void get_pkt_tuple_v6(struct packet_tuple *pkt_tuple, pkt_tuple->tran_flag = 1; // tcp包 } -int getstack(void *ctx) -{ +int getstack(void *ctx) { int pid = bpf_get_current_pid_tgid() >> 32; - int cpu_id = bpf_get_smp_processor_id(); - struct stacktrace_event *event; - int cp; + int cpu_id = bpf_get_smp_processor_id(); + struct stacktrace_event *event; + int cp; - event = bpf_ringbuf_reserve(&trace_rb, sizeof(*event), 0); - if (!event) - return 1; + event = bpf_ringbuf_reserve(&trace_rb, sizeof(*event), 0); + if (!event) + return 1; - event->pid = pid; - event->cpu_id = cpu_id; + event->pid = pid; + event->cpu_id = cpu_id; - if (bpf_get_current_comm(event->comm, sizeof(event->comm))) - event->comm[0] = 0; + if (bpf_get_current_comm(event->comm, sizeof(event->comm))) + event->comm[0] = 0; - event->kstack_sz = bpf_get_stack(ctx, event->kstack, sizeof(event->kstack), 0); - bpf_ringbuf_submit(event, 0); + event->kstack_sz = + bpf_get_stack(ctx, event->kstack, sizeof(event->kstack), 0); + bpf_ringbuf_submit(event, 0); - return 0; + return 0; } /* help functions end */ - - #endif diff --git a/eBPF_Supermarket/Network_Subsystem/net_watcher/mysql.bpf.h b/eBPF_Supermarket/Network_Subsystem/net_watcher/mysql.bpf.h index cff8c950f..13e802887 100644 --- a/eBPF_Supermarket/Network_Subsystem/net_watcher/mysql.bpf.h +++ b/eBPF_Supermarket/Network_Subsystem/net_watcher/mysql.bpf.h @@ -19,55 +19,38 @@ #include "mysql_helper.bpf.h" static __always_inline int __handle_mysql_start(struct pt_regs *ctx) { // dispatch_command(THD *thd, const COM_DATA *com_data, enum - char comm[16]; enum enum_server_command command = PT_REGS_PARM3(ctx); union COM_DATA *com_data = (union COM_DATA *)PT_REGS_PARM2(ctx); - pid_t pid = bpf_get_current_pid_tgid() >> 32; pid_t tid = bpf_get_current_pid_tgid(); void *thd = (void *)PT_REGS_PARM1(ctx); - char *sql; + struct query_info info; u32 size = 0; + char *sql; if (command != COM_QUERY) { return 0; } - u64 start_time = bpf_ktime_get_ns() / 1000; - bpf_map_update_elem(&mysql_time, &pid, &start_time, BPF_ANY); - - struct mysql_query *message = - bpf_ringbuf_reserve(&mysql_rb, sizeof(*message), 0); - if (!message) { - return 0; - } - - bpf_probe_read(&message->size, sizeof(message->size), - &com_data->com_query.length); + bpf_probe_read(&info.size, sizeof(info.size), &com_data->com_query.length); bpf_probe_read_str(&sql, sizeof(sql), &com_data->com_query.query); - bpf_probe_read_str(&message->msql, sizeof(message->msql), sql); - - message->pid = pid; - message->tid = tid; - bpf_get_current_comm(&message->comm, sizeof(comm)); - - bpf_ringbuf_submit(message, 0); + bpf_probe_read_str(&info.msql, sizeof(info.msql), sql); + // bpf_printk("sql1==%s size1==%lu", info.msql,info.size); + info.start_time = bpf_ktime_get_ns() / 1000; + bpf_map_update_elem(&queries, &tid, &info, BPF_ANY); return 0; } static __always_inline int __handle_mysql_end(struct pt_regs *ctx) { - + char comm[16]; pid_t pid = bpf_get_current_pid_tgid() >> 32; pid_t tid = bpf_get_current_pid_tgid(); - u64 *start_time_ptr, duration; - u64 end_time = bpf_ktime_get_ns() / 1000; - start_time_ptr = bpf_map_lookup_elem(&mysql_time, &pid); - if (!start_time_ptr) { + struct query_info *info = bpf_map_lookup_elem(&queries, &tid); + if (!info) { return 0; } - duration = end_time - *start_time_ptr; struct mysql_query *message = bpf_ringbuf_reserve(&mysql_rb, sizeof(*message), 0); if (!message) { @@ -78,13 +61,18 @@ static __always_inline int __handle_mysql_end(struct pt_regs *ctx) { if (count_ptr) { count = *count_ptr + 1; } + message->count = count; bpf_map_update_elem(&sql_count, &tid, &count, BPF_ANY); - - message->duratime = duration; + message->duratime = bpf_ktime_get_ns() / 1000 - info->start_time; + message->pid = pid; + message->tid = tid; + bpf_get_current_comm(&message->comm, sizeof(comm)); + message->size = info->size; + bpf_probe_read_str(&message->msql, sizeof(message->msql), info->msql); + // bpf_printk("C==%d D==%lu S==%lu SQL==%s",count, + // message->duratime,message->size,message->msql); bpf_ringbuf_submit(message, 0); - bpf_map_delete_elem(&mysql_time, &pid); - return 0; } diff --git a/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c b/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c index 190c2689e..6c1b69992 100644 --- a/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c +++ b/eBPF_Supermarket/Network_Subsystem/net_watcher/netwatcher.c @@ -44,7 +44,7 @@ static int all_conn = 0, err_packet = 0, extra_conn_info = 0, layer_time = 0, http_info = 0, retrans_info = 0, udp_info = 0, net_filter = 0, drop_reason = 0, addr_to_func = 0, icmp_info = 0, tcp_info = 0, time_load = 0, dns_info = 0, stack_info = 0, mysql_info = 0, - redis_info = 0 ,count_info = 0;// flag + redis_info = 0, count_info = 0; // flag static const char *tcp_states[] = { [1] = "ESTABLISHED", [2] = "SYN_SENT", [3] = "SYN_RECV", @@ -193,8 +193,7 @@ enum MonitorMode get_monitor_mode() { return MODE_MYSQL; } else if (redis_info) { return MODE_REDIS; - } - else { + } else { return MODE_DEFAULT; } } @@ -234,7 +233,7 @@ void print_logo() { pclose(lolcat_pipe); } -static char binary_path[64]=""; +static char binary_path[64] = ""; #define __ATTACH_UPROBE(skel, sym_name, prog_name, is_retprobe) \ do { \ LIBBPF_OPTS(bpf_uprobe_opts, uprobe_opts, .func_name = #sym_name, \ @@ -785,7 +784,7 @@ static int print_conns(struct netwatcher_bpf *skel) { static int print_packet(void *ctx, void *packet_info, size_t size) { if (udp_info || net_filter || drop_reason || icmp_info || tcp_info || - dns_info || mysql_info||redis_info) + dns_info || mysql_info || redis_info) return 0; const struct pack_t *pack_info = packet_info; if (pack_info->mac_time > MAXTIME || pack_info->ip_time > MAXTIME || @@ -1110,7 +1109,6 @@ static int print_dns(void *ctx, void *packet_info, size_t size) { pack_info->rx); return 0; } -static mysql_query last_query; static int print_mysql(void *ctx, void *packet_info, size_t size) { if (!mysql_info) { @@ -1118,23 +1116,15 @@ static int print_mysql(void *ctx, void *packet_info, size_t size) { } const mysql_query *pack_info = packet_info; - if (pack_info->duratime == 0) { - - memcpy(&last_query, pack_info, sizeof(mysql_query)); + printf("%-20d %-20d %-20s %-20u %-41s", pack_info->pid, pack_info->tid, + pack_info->comm, pack_info->size, pack_info->msql); + // 当 duratime 大于 count_info 时,才打印 duratime + if (pack_info->duratime > count_info) { + printf("%-21llu", pack_info->duratime); } else { - - printf("%-20d %-20d %-20s %-20u %-40s", last_query.pid, last_query.tid, - last_query.comm, last_query.size, last_query.msql); - // 当 duratime 大于 count_info 时,才打印 duratime - if (pack_info->duratime > count_info) { - printf("%-21llu", pack_info->duratime); - } else { - printf("%-21s", ""); - } - - printf("%-20d\n", pack_info->count); - memset(&last_query, 0, sizeof(mysql_query)); + printf("%-21s", ""); } + printf("%-20d\n", pack_info->count); return 0; } static int print_redis(void *ctx, void *packet_info, size_t size) { @@ -1190,7 +1180,7 @@ static int print_trace(void *_ctx, void *data, size_t size) { } int attach_uprobe_mysql(struct netwatcher_bpf *skel) { - + ATTACH_UPROBE_CHECKED( skel, _Z16dispatch_commandP3THDPK8COM_DATA19enum_server_command, query__start); @@ -1199,7 +1189,10 @@ int attach_uprobe_mysql(struct netwatcher_bpf *skel) { query__end); return 0; } + int attach_uprobe_redis(struct netwatcher_bpf *skel) { + + ATTACH_UPROBE_CHECKED(skel, processCommand, query__start_redis); ATTACH_UPROBE_CHECKED( skel, call, query__start_redis); @@ -1266,16 +1259,14 @@ int main(int argc, char **argv) { /* Attach tracepoint handler */ if (mysql_info) { - strcpy(binary_path, "/usr/sbin/mysqld"); + strcpy(binary_path, "/usr/sbin/mysqld"); err = attach_uprobe_mysql(skel); if (err) { fprintf(stderr, "failed to attach uprobes\n"); goto cleanup; } - } - else if(redis_info) - { + } else if (redis_info) { strcpy(binary_path, "/usr/bin/redis-server"); err = attach_uprobe_redis(skel); if (err) { @@ -1283,8 +1274,7 @@ int main(int argc, char **argv) { goto cleanup; } - } - else { + } else { err = netwatcher_bpf__attach(skel); if (err) { fprintf(stderr, "Failed to attach BPF skeleton\n"); @@ -1293,7 +1283,7 @@ int main(int argc, char **argv) { } enum MonitorMode mode = get_monitor_mode(); - //print_logo(); + // print_logo(); print_header(mode);