TCP socket events for EBPF #112
Merged
Conversation
Pushed the proposed final version.
nicholasberlin approved these changes on Feb 5, 2025
This implements basic socket events for TCP; it tracks connect(2)/accept(2)/close(2) on the respective sockets as well as builds the initial snapshot of existing sockets by parsing /proc.

Sockets are expressed in quark_socket{} and correlate with processes. Since a socket might be in more than one process, two fields are provided:
- pid_origin, the pid that established the connection.
- pid_last_use, the last pid that affected it; if another process did the final close, pid_origin remains the same, but pid_last_use points to the last one.

We stash the lookup of quark_process_lookup(pid_origin) in the event process pointer, which *can* be NULL, and the socket itself is stashed in the socket member.

quark_event{} might need some adjustments in the future.

The EBPF probes are a bit subpar and they currently have two issues:
- A connection that never sent a byte doesn't produce an exit event. elastic/ebpf#217
- Exit events happen before TCP close is issued. elastic/ebpf#216

I don't think this is good enough and will consider it experimental until both issues are solved; the first one has a fix on the way, the second one likely involves rewriting the whole probe.

Quark sockets don't produce snapshot events, because snapshot will be removed and the user will have to use the iterator if desired.

In order to test this, pass -S to quark-mon(8).

Co-authored-by: Nicholas Berlin <56366649+nicholasberlin@users.noreply.github.com>
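The following is an added example, not code from quark or from this PR: a toy version of the two mechanisms the description above refers to, the /proc snapshot (parsing /proc/net/tcp lines and the `socket:[inode]` targets of /proc/<pid>/fd links) and the pid_origin / pid_last_use split across connect/accept/close. The struct and function names (sock_rec, snapshot_add, on_connect_or_accept, on_close) are assumptions for illustration and do not mirror quark_socket{} or quark's API; the address decoding assumes a little-endian host, and a closed socket is kept for inspection rather than freed. The /proc/net/tcp line in main() is constructed.

```c
/* Added example, not quark's own code. Names are illustrative assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SOCKS 64

struct sock_rec {
	uint32_t laddr, raddr;   /* raw 32-bit value exactly as the kernel prints it */
	uint16_t lport, rport;   /* host byte order */
	int state;               /* /proc/net/tcp state: 0x01 ESTABLISHED, 0x0A LISTEN */
	unsigned long inode;
	int pid_origin;          /* pid that established (or owned at snapshot time) */
	int pid_last_use;        /* last pid that touched it, e.g. the one that closed it */
};

static struct sock_rec socks[MAX_SOCKS];
static int nsocks;

/* Parse one data line of /proc/net/tcp (IPv4). 0 on success, -1 if malformed. */
int parse_proc_tcp_line(const char *line, struct sock_rec *out)
{
	unsigned sl, la, lp, ra, rp, st;
	unsigned long inode;

	if (sscanf(line, " %u: %8x:%4x %8x:%4x %2x %*x:%*x %*x:%*x %*x %*u %*u %lu",
	    &sl, &la, &lp, &ra, &rp, &st, &inode) != 7)
		return -1;
	memset(out, 0, sizeof *out);
	out->laddr = la;  out->lport = (uint16_t)lp;
	out->raddr = ra;  out->rport = (uint16_t)rp;
	out->state = (int)st;
	out->inode = inode;
	return 0;
}

/* Dotted quad from the kernel's hex form. Assumes a little-endian host, where
 * 127.0.0.1 is printed as 0100007F (lowest byte is the first octet). */
void addr_to_str(uint32_t a, char *buf, size_t len)
{
	snprintf(buf, len, "%u.%u.%u.%u",
	    a & 0xff, (a >> 8) & 0xff, (a >> 16) & 0xff, (a >> 24) & 0xff);
}

/* Inode from a /proc/<pid>/fd/N readlink(2) target such as "socket:[12345]". */
int parse_socket_link(const char *target, unsigned long *inode)
{
	return sscanf(target, "socket:[%lu]", inode) == 1 ? 0 : -1;
}

struct sock_rec *find_by_inode(unsigned long inode)
{
	for (int i = 0; i < nsocks; i++)
		if (socks[i].inode == inode)
			return &socks[i];
	return NULL;
}

/* Snapshot path: record an existing socket and attribute it to the pid whose fd
 * table holds its inode (the caller found that pid by walking /proc/<pid>/fd). */
int snapshot_add(const char *line, int owner_pid)
{
	if (nsocks == MAX_SOCKS || parse_proc_tcp_line(line, &socks[nsocks]) < 0)
		return -1;
	socks[nsocks].pid_origin = socks[nsocks].pid_last_use = owner_pid;
	return nsocks++;
}

/* Live path: connect(2)/accept(2) create the record in the calling pid's name. */
int on_connect_or_accept(unsigned long inode, int pid)
{
	if (nsocks == MAX_SOCKS || find_by_inode(inode) != NULL)
		return -1;
	memset(&socks[nsocks], 0, sizeof socks[nsocks]);
	socks[nsocks].inode = inode;
	socks[nsocks].state = 0x01;
	socks[nsocks].pid_origin = socks[nsocks].pid_last_use = pid;
	return nsocks++;
}

/* close(2) by any pid updates pid_last_use only; pid_origin stays with the
 * process that established the connection. Record is kept, not freed (simplification). */
int on_close(unsigned long inode, int pid)
{
	struct sock_rec *s = find_by_inode(inode);

	if (s == NULL)
		return -1;
	s->pid_last_use = pid;
	return 0;
}

int main(void)
{
	/* Constructed /proc/net/tcp line: LISTEN socket on 127.0.0.1:631, inode 12345. */
	const char *line = "   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 "
	    "00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0";
	char buf[16];
	int i;

	i = snapshot_add(line, 42);
	addr_to_str(socks[i].laddr, buf, sizeof buf);
	printf("snapshot: %s:%u state=%02x inode=%lu pid_origin=%d\n",
	    buf, socks[i].lport, (unsigned)socks[i].state, socks[i].inode, socks[i].pid_origin);

	/* Forking server: parent (pid 100) accepts, child (pid 101) does the final close. */
	i = on_connect_or_accept(4242, 100);
	on_close(4242, 101);
	printf("live: inode=%lu pid_origin=%d pid_last_use=%d\n",
	    socks[i].inode, socks[i].pid_origin, socks[i].pid_last_use);
	return 0;
}
```

The forking-server case in main() is the one the description calls out: the record ends with pid_origin 100 and pid_last_use 101, so a consumer correlating the socket with quark_process_lookup(pid_origin) still sees the accepting process even though a different pid closed it.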