big snaplen port range #1256
big snaplen port range #1256
Conversation
…th bigger snaplen (20000)
driver/bpf/filler_helpers.h
Outdated
| /* | ||
| * mpegts detection | ||
| */ | ||
| return 16000; |
There was a problem hiding this comment.
Minor: eventually move this to a define since it's shared between bpf and driver (wasn't done for the other part of the function as part of the initial porting because I didn't want to cause a large diff in the driver code). Not a deal breaker considering the current status.
userspace/libscap/scap.c
Outdated
| // | ||
| if(handle->m_mode != SCAP_MODE_LIVE) | ||
| { | ||
| snprintf(handle->m_lasterr, SCAP_LASTERR_SIZE, "scap_set_fullcapture_port_range not supported on this scap mode"); |
There was a problem hiding this comment.
Minor: there seems to be a spurious tab instead of a whitespace.
userspace/libsinsp/sinsp.cpp
Outdated
| throw sinsp_exception("set_fullcapture_port_range called before capture start"); | ||
| } | ||
|
|
||
| if(is_live() && scap_set_fullcapture_port_range(m_h, range_start, range_end) != SCAP_SUCCESS) |
There was a problem hiding this comment.
If we call this function on an offline inspector we don't get an error, the call silently ignores everything, is that expected?
Perhaps is_live() could be moved to a separate check and throw an exception if false, or removed altogether and let scap return error if opened on a trace file.
| @@ -206,6 +206,8 @@ struct sysdig_bpf_settings { | |||
| bool dropping_mode; | |||
| bool is_dropping; | |||
| bool tracers_enabled; | |||
| uint16_t fullcapture_port_range_start; | |||
| uint16_t fullcapture_port_range_end; | |||
There was a problem hiding this comment.
It seems like these values are never initialized in scap. BPF maps are not automatically cleared, so we essentially get garbage by default. Please look at the set_default_settings function in scap_bpf.c.
We're using the wrong placeholders in some calls to printf-like functions. This problem was identified when we started building with -Wextra. This change use %zu for size_t, PRIu64 for uint64_t and PRId64 for int64_t.
* added the ability to specify a set of ports where data is captured with bigger snaplen (20000)
* fixes based on gianluca's review
* new chisel: udp_extract
* Fix snprintf placeholder for size_t/{u,}int64_t (#1279)
We're using the wrong placeholders in some calls to printf-like
functions. This problem was identified when we started building
with -Wextra. This change use %zu for size_t, PRIu64 for uint64_t
and PRId64 for int64_t.
added the ability to specify a set of ports where data is captured with bigger snaplen (20000)