big snaplen port range (#1256)

ldegio · thom-sd · commit 6ad3bd315117 · 2018-12-21T13:59:46.000-08:00
* added the ability to specify a set of ports where data is captured with bigger snaplen (20000) * fixes based on gianluca's review * new chisel: udp_extract * Fix snprintf placeholder for size_t/{u,}int64_t (#1279) We're using the wrong placeholders in some calls to printf-like functions. This problem was identified when we started building with -Wextra. This change use %zu for size_t, PRIu64 for uint64_t and PRId64 for int64_t.
diff --git a/driver/bpf/filler_helpers.h b/driver/bpf/filler_helpers.h
@@ -357,6 +357,14 @@ static __always_inline u32 bpf_compute_snaplen(struct filler_data *data,
 		return 2000;
 	} else if (dport == PPM_PORT_STATSD) {
 		return 2000;
+	} else if (data->settings->fullcapture_port_range_end != 0 &&
+				((sport >= data->settings->fullcapture_port_range_start && sport <= data->settings->fullcapture_port_range_end) ||
+				(dport >= data->settings->fullcapture_port_range_start && dport <= data->settings->fullcapture_port_range_end)
+			)) {
+		/*
+		* mpegts detection
+		*/
+		return RW_MAX_FULLCAPTURE_PORT_SNAPLEN;
 	} else {
 		if (lookahead_size >= 5) {
 			u32 buf = *(u32 *)&get_buf(0);
diff --git a/driver/bpf/types.h b/driver/bpf/types.h
@@ -206,6 +206,8 @@ struct sysdig_bpf_settings {
 	bool dropping_mode;
 	bool is_dropping;
 	bool tracers_enabled;
+	uint16_t fullcapture_port_range_start;
+	uint16_t fullcapture_port_range_end;
 } __attribute__((packed));
 
 struct tail_context {
diff --git a/driver/main.c b/driver/main.c
@@ -428,6 +428,8 @@ static int ppm_open(struct inode *inode, struct file *filp)
 	consumer->do_dynamic_snaplen = false;
 	consumer->need_to_insert_drop_e = 0;
 	consumer->need_to_insert_drop_x = 0;
+	consumer->fullcapture_port_range_start = 0;
+	consumer->fullcapture_port_range_end = 0;
 	bitmap_fill(g_events_mask, PPM_EVENT_MAX); /* Enable all syscall to be passed to userspace */
 	reset_ring_buffer(ring);
 	ring->open = true;
@@ -883,6 +885,22 @@ static long ppm_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 		ret = 0;
 		goto cleanup_ioctl;
 	}
+	case PPM_IOCTL_SET_FULLCAPTURE_PORT_RANGE:
+	{
+		u32 encoded_port_range;
+
+		vpr_info("PPM_IOCTL_SET_FULLCAPTURE_PORT_RANGE, consumer %p\n", consumer_id);
+		encoded_port_range = (u32)arg;
+
+		consumer->fullcapture_port_range_start = encoded_port_range & 0xFFFF;
+		consumer->fullcapture_port_range_end = encoded_port_range >> 16;
+
+		pr_info("new fullcapture_port_range_start: %d\n", (int)consumer->fullcapture_port_range_start);
+		pr_info("new fullcapture_port_range_end: %d\n", (int)consumer->fullcapture_port_range_end);
+
+		ret = 0;
+		goto cleanup_ioctl;
+	}
 	case PPM_IOCTL_MASK_ZERO_EVENTS:
 	{
 		vpr_info("PPM_IOCTL_MASK_ZERO_EVENTS, consumer %p\n", consumer_id);
diff --git a/driver/ppm.h b/driver/ppm.h
@@ -72,6 +72,8 @@ struct ppm_consumer_t {
 	volatile int need_to_insert_drop_e;
 	volatile int need_to_insert_drop_x;
 	struct list_head node;
+	uint16_t fullcapture_port_range_start;
+	uint16_t fullcapture_port_range_end;
 };
 
 #define STR_STORAGE_SIZE PAGE_SIZE
diff --git a/driver/ppm_events.c b/driver/ppm_events.c
@@ -382,6 +382,15 @@ inline u32 compute_snaplen(struct event_filler_arguments *args, char *buf, u32 l
 					} else if (dport == PPM_PORT_STATSD) {
 						sockfd_put(sock);
 						return 2000;
+					} else if (args->consumer->fullcapture_port_range_end != 0 &&
+								((sport >= args->consumer->fullcapture_port_range_start && sport <= args->consumer->fullcapture_port_range_end) ||
+								(dport >= args->consumer->fullcapture_port_range_start && dport <= args->consumer->fullcapture_port_range_end)
+							)) {
+						/*
+						 * mpegts detection
+						 */
+						sockfd_put(sock);
+						return RW_MAX_FULLCAPTURE_PORT_SNAPLEN;
 					} else {
 						if (lookahead_size >= 5) {
 							if (*(u32 *)buf == g_http_get_intval ||
diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h
@@ -1453,6 +1453,7 @@ struct ppm_evt_hdr {
 #define PPM_IOCTL_ENABLE_PAGE_FAULTS _IO(PPM_IOCTL_MAGIC, 19)
 #define PPM_IOCTL_GET_N_TRACEPOINT_HIT _IO(PPM_IOCTL_MAGIC, 20)
 #define PPM_IOCTL_GET_PROBE_VERSION _IO(PPM_IOCTL_MAGIC, 21)
+#define PPM_IOCTL_SET_FULLCAPTURE_PORT_RANGE _IO(PPM_IOCTL_MAGIC, 22)
 #endif // CYGWING_AGENT
 
 extern const struct ppm_name_value socket_families[];
@@ -1590,5 +1591,6 @@ struct ppm_event_entry {
 
 #define RW_SNAPLEN 80
 #define RW_MAX_SNAPLEN PPM_MAX_ARG_SIZE
+#define RW_MAX_FULLCAPTURE_PORT_SNAPLEN 16000
 
 #endif /* EVENTS_PUBLIC_H_ */
diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c
@@ -2000,3 +2000,62 @@ bool scap_check_suppressed_tid(scap_t *handle, int64_t tid)
 
 	return (stid != NULL);
 }
+
+int32_t scap_set_fullcapture_port_range(scap_t* handle, uint16_t range_start, uint16_t range_end)
+{
+	//
+	// Not supported on files
+	//
+	if(handle->m_mode != SCAP_MODE_LIVE)
+	{
+		snprintf(handle->m_lasterr, SCAP_LASTERR_SIZE, "scap_set_fullcapture_port_range not supported on this scap mode");
+		return SCAP_FAILURE;
+	}
+
+#if !defined(HAS_CAPTURE) || defined(CYGWING_AGENT)
+	snprintf(handle->m_lasterr, SCAP_LASTERR_SIZE, "live capture not supported on %s", PLATFORM_NAME);
+	return SCAP_FAILURE;
+#else
+
+	if(handle->m_bpf)
+	{
+		return scap_bpf_set_fullcapture_port_range(handle, range_start, range_end);
+	}
+	else
+	{
+		//
+		// Encode the port range
+		//
+		uint32_t arg = (range_end << 16) + range_start;
+
+		//
+		// Beam the value down to the module
+		//
+		if(ioctl(handle->m_devs[0].m_fd, PPM_IOCTL_SET_FULLCAPTURE_PORT_RANGE, arg))
+		{
+			snprintf(handle->m_lasterr, SCAP_LASTERR_SIZE, "scap_set_fullcapture_port_range failed");
+			ASSERT(false);
+			return SCAP_FAILURE;
+		}
+
+		{
+			uint32_t j;
+
+			//
+			// Force a flush of the read buffers, so we don't capture events with the old snaplen
+			//
+			for(j = 0; j < handle->m_ndevs; j++)
+			{
+				scap_readbuf(handle,
+							j,
+							&handle->m_devs[j].m_sn_next_event,
+							&handle->m_devs[j].m_sn_len);
+
+				handle->m_devs[j].m_sn_len = 0;
+			}
+		}
+	}
+
+	return SCAP_SUCCESS;
+#endif
+}
diff --git a/userspace/libscap/scap.h b/userspace/libscap/scap.h
@@ -1007,6 +1007,7 @@ int32_t scap_get_n_tracepoint_hit(scap_t* handle, long* ret);
 typedef struct wh_t wh_t;
 wh_t* scap_get_wmi_handle(scap_t* handle);
 #endif
+int32_t scap_set_fullcapture_port_range(scap_t* handle, uint16_t range_start, uint16_t range_end);
 
 #ifdef __cplusplus
 }
diff --git a/userspace/libscap/scap_bpf.c b/userspace/libscap/scap_bpf.c
@@ -881,6 +881,28 @@ int32_t scap_bpf_set_snaplen(scap_t* handle, uint32_t snaplen)
 	return SCAP_SUCCESS;
 }
 
+int32_t scap_bpf_set_fullcapture_port_range(scap_t* handle, uint16_t range_start, uint16_t range_end)
+{
+	struct sysdig_bpf_settings settings;
+	int k = 0;
+
+	if(bpf_map_lookup_elem(handle->m_bpf_map_fds[SYSDIG_SETTINGS_MAP], &k, &settings) != 0)
+	{
+		snprintf(handle->m_lasterr, SCAP_LASTERR_SIZE, "SYSDIG_SETTINGS_MAP bpf_map_lookup_elem < 0");
+		return SCAP_FAILURE;
+	}
+
+	settings.fullcapture_port_range_start = range_start;
+	settings.fullcapture_port_range_end = range_end;
+	if(bpf_map_update_elem(handle->m_bpf_map_fds[SYSDIG_SETTINGS_MAP], &k, &settings, BPF_ANY) != 0)
+	{
+		snprintf(handle->m_lasterr, SCAP_LASTERR_SIZE, "SYSDIG_SETTINGS_MAP bpf_map_update_elem < 0");
+		return SCAP_FAILURE;
+	}
+
+	return SCAP_SUCCESS;
+}
+
 int32_t scap_bpf_disable_dynamic_snaplen(scap_t* handle)
 {
 	struct sysdig_bpf_settings settings;
@@ -1199,6 +1221,8 @@ static int32_t set_default_settings(scap_t *handle)
 	settings.page_faults = false;
 	settings.dropping_mode = false;
 	settings.is_dropping = false;
+	settings.fullcapture_port_range_start = 0;
+	settings.fullcapture_port_range_end = 0;
 
 	int k = 0;
 	if(bpf_map_update_elem(handle->m_bpf_map_fds[SYSDIG_SETTINGS_MAP], &k, &settings, BPF_ANY) != 0)
diff --git a/userspace/libscap/scap_bpf.h b/userspace/libscap/scap_bpf.h
@@ -38,6 +38,7 @@ int32_t scap_bpf_start_capture(scap_t *handle);
 int32_t scap_bpf_stop_capture(scap_t *handle);
 int32_t scap_bpf_close(scap_t *handle);
 int32_t scap_bpf_set_snaplen(scap_t* handle, uint32_t snaplen);
+int32_t scap_bpf_set_fullcapture_port_range(scap_t* handle, uint16_t range_start, uint16_t range_end);
 int32_t scap_bpf_enable_dynamic_snaplen(scap_t* handle);
 int32_t scap_bpf_disable_dynamic_snaplen(scap_t* handle);
 int32_t scap_bpf_enable_page_faults(scap_t* handle);
diff --git a/userspace/libsinsp/sinsp.cpp b/userspace/libsinsp/sinsp.cpp
@@ -1602,7 +1602,7 @@ void sinsp::set_snaplen(uint32_t snaplen)
 	// If set_snaplen is called before opening of the inspector,
 	// we register the value to be set after its initialization.
 	//
-	if (m_h == NULL)
+	if(m_h == NULL)
 	{
 		m_snaplen = snaplen;
 		return;
@@ -1614,6 +1614,28 @@ void sinsp::set_snaplen(uint32_t snaplen)
 	}
 }
 
+void sinsp::set_fullcapture_port_range(uint16_t range_start, uint16_t range_end)
+{
+	//
+	// If set_snaplen is called before opening of the inspector,
+	// we register the value to be set after its initialization.
+	//
+	if(m_h == NULL)
+	{
+		throw sinsp_exception("set_fullcapture_port_range called before capture start");
+	}
+
+	if(!is_live())
+	{
+		throw sinsp_exception("set_fullcapture_port_range called on a trace file");
+	}
+
+	if(scap_set_fullcapture_port_range(m_h, range_start, range_end) != SCAP_SUCCESS)
+	{
+		throw sinsp_exception(scap_getlasterr(m_h));
+	}
+}
+
 void sinsp::stop_capture()
 {
 	if(scap_stop_capture(m_h) != SCAP_SUCCESS)
diff --git a/userspace/libsinsp/sinsp.h b/userspace/libsinsp/sinsp.h
@@ -884,6 +884,8 @@ class SINSP_PUBLIC sinsp
 
 	void set_query_docker_image_info(bool query_image_info);
 
+	void set_fullcapture_port_range(uint16_t range_start, uint16_t range_end);
+
 VISIBILITY_PRIVATE
 
         static inline ppm_event_flags falco_skip_flags()
diff --git a/userspace/sysdig/chisels/udp_extract.lua b/userspace/sysdig/chisels/udp_extract.lua
@@ -0,0 +1,72 @@
+--[[
+Copyright (C) 2018 Draios inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 2 as
+published by the Free Software Foundation.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+--]]
+local OUTPUT_DIR_NAME = "./udp_dump_files"
+
+description = "This chisel parses a trace file, identifies file descriptors carrying UDP network traffic (DNS excluded) and dumps the content of each FD into a different file in the " .. OUTPUT_DIR_NAME .. " directory. Files are named after the UDP tuple they contain.";
+short_description = "extract data from UDP streams to files.";
+category = "I/O";
+
+args = {}
+
+files = {}
+
+function mkdir(dirname)
+	os.execute('mkdir ' .. dirname .. " 2> /dev/null")
+	os.execute('md ' .. dirname .. " 2> nul")
+end
+
+function on_init()
+	fbuf = chisel.request_field("evt.rawarg.data")
+	fres = chisel.request_field("evt.rawarg.res")
+	ffdname = chisel.request_field("fd.name")
+	ffdtype = chisel.request_field("fd.type")
+
+	mkdir(OUTPUT_DIR_NAME)
+
+	sysdig.set_snaplen(16384)
+	chisel.set_filter("evt.dir=< and evt.rawres>=0 and fd.l4proto=udp and evt.is_io=true")
+	return true
+end
+
+function on_capture_start()
+	if sysdig.is_live() then
+		print("live capture not supported")
+		return false
+	end
+	return true
+end
+
+function on_event()
+	local buf = evt.field(fbuf)
+	local etype = evt.get_type()
+	local res = evt.field(fres)
+	local fdname = evt.field(ffdname)
+	local fdtype = evt.field(fdtype)
+	local containername = evt.field(fcontainername)
+	local is_io_read = evt.field(fis_io_read)
+	local is_io_write = evt.field(fis_io_write)
+
+	if not files[fdname] then
+		file_name = OUTPUT_DIR_NAME .. "/" .. fdname
+		file_name = string.gsub(file_name, ":", "_")
+		file_name = string.gsub(file_name, ">", "-")
+		files[fdname] = io.open(file_name, "w")
+	end
+
+	files[fdname]:write(buf)
+
+	return true
+end

Original file line number	Diff line number	Diff line change
`@@ -1007,6 +1007,7 @@ int32_t scap_get_n_tracepoint_hit(scap_t* handle, long* ret);`
`1007`	`1007`	`typedef struct wh_t wh_t;`
`1008`	`1008`	`wh_t* scap_get_wmi_handle(scap_t* handle);`
`1009`	`1009`	`#endif`
	`1010`	`+int32_t scap_set_fullcapture_port_range(scap_t* handle, uint16_t range_start, uint16_t range_end);`
`1010`	`1011`
`1011`	`1012`	`#ifdef __cplusplus`
`1012`	`1013`	`}`