diff --git a/bpftrace/tcp_connect.pxl b/bpftrace/tcp_connect.pxl new file mode 100644 index 00000000000..ffe9fd0eb1c --- /dev/null +++ b/bpftrace/tcp_connect.pxl @@ -0,0 +1,61 @@ +# Copyright 2018- The Pixie Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 + +import pxtrace +import px + +# Adapted from https://github.com/iovisor/bpftrace/blob/master/tools/tcpconnect.bt + +program = """ + +#include +#include + +kprobe:tcp_connect +{ + $sk = ((struct sock *) arg0); + $inet_family = $sk->__sk_common.skc_family; + + if ($inet_family == 2 || $inet_family == 10) { + if ($inet_family == 2) { + $daddr = ntop($sk->__sk_common.skc_daddr); + $saddr = ntop($sk->__sk_common.skc_rcv_saddr); + } else { + $daddr = ntop($sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8); + $saddr = ntop($sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8); + } + $lport = $sk->__sk_common.skc_num; + $dport = $sk->__sk_common.skc_dport; + + // Destination port is big endian, it must be flipped + $dport = ($dport >> 8) | (($dport << 8) & 0x00FF00); + + + + printf(\"_pid:%d _comm:%s _saddr:%s _lport:%d _daddr:%s _dport:%d\",pid, comm, $saddr, $lport, $daddr, $dport); + } +} +""" +def tcp_func(): + table_name = 'tcp_connect_table' + pxtrace.UpsertTracepoint('tcp_connect_tracer', + table_name, + program, + pxtrace.kprobe(), + "10m") + df = px.DataFrame(table=table_name) + + return df \ No newline at end of file