-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: use other hooks to probe 5-tuple #695
Conversation
no problem. |
@Asphaltt run success on kernel 4.19 with noncore , but can not get 4-tuple info when works as client(Actively initiate a connection)
work as client -- can not get 4-tupleAddConn success fd=3252076376 is not right
work as server -- ok
|
`__sys_connect_file` and `do_accept` are not found on v5.4 kernel. Then, use `inet_stream_connect` and `inet_accept` instead, as they are found on v4.19 and v5.4 kernels. Signed-off-by: Leon Hwang <hffilwlqm@gmail.com>
Thank you, bro @chilli13 I fixed it just now. |
Test passed on ubuntu 20.04 (kernel 5.4): sudo bin/ecapture tls -d -b 2
2024-12-18T22:38:37+08:00 INF AppName="eCapture(旁观者)"
2024-12-18T22:38:37+08:00 INF HomePage=https://ecapture.cc
2024-12-18T22:38:37+08:00 INF Repository=https://github.com/gojue/ecapture
2024-12-18T22:38:37+08:00 INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-12-18T22:38:37+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-12-18T22:38:37+08:00 INF Version=linux_amd64:v0.9.0-20241218-2b7b128:x86_64
2024-12-18T22:38:37+08:00 INF Listen=localhost:28256
2024-12-18T22:38:37+08:00 INF eCapture running logs logger=
2024-12-18T22:38:37+08:00 INF the file handler that receives the captured event eventCollector=
2024-12-18T22:38:37+08:00 INF listen=localhost:28256
2024-12-18T22:38:37+08:00 INF https server starting...You can upgrade the configuration file via the HTTP interface.
2024-12-18T22:38:37+08:00 INF Kernel Info=5.4.255 Pid=39517
2024-12-18T22:38:37+08:00 INF BTF bytecode mode: non-CORE. btfMode=2
2024-12-18T22:38:37+08:00 INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2024-12-18T22:38:37+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-12-18T22:38:37+08:00 INF Module.Run()
2024-12-18T22:38:37+08:00 INF origin versionKey="openssl 1.1.1f" versionKeyLower="openssl 1.1.1f"
2024-12-18T22:38:37+08:00 INF OpenSSL/BoringSSL version found Android=false library version="openssl 1.1.1f"
2024-12-18T22:38:37+08:00 INF Hook masterKey function ElfType=2 Functions=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"] binrayPath=/usr/lib/x86_64-linux-gnu/libssl.so.1.1
2024-12-18T22:38:37+08:00 INF target all process.
2024-12-18T22:38:37+08:00 INF target all users.
2024-12-18T22:38:37+08:00 INF setupManagers eBPFProgramType=Text
2024-12-18T22:38:37+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_1_1_1d_kern_noncore.o
2024-12-18T22:38:37+08:00 DBG upgrade check failed: local version is ahead of latest version
2024-12-18T22:38:37+08:00 INF perfEventReader created mapSize(MB)=4
2024-12-18T22:38:37+08:00 INF perfEventReader created mapSize(MB)=4
2024-12-18T22:38:37+08:00 INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2024-12-18T22:38:46+08:00 DBG AddConn success fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG DestroyConn success fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:47+08:00 ??? UUID:39581_39581_curl_5_1_172.19.100.17:48962-76.76.21.21:443, Name:HTTP2Request, Type:2, Length:305
Frame Type => SETTINGS
Frame Type => WINDOW_UPDATE
Frame Type => HEADERS
header field ":method" = "GET"
header field ":path" = "/"
header field ":scheme" = "https"
header field ":authority" = "ecapture.cc"
header field "user-agent" = "curl/7.68.0"
header field "accept" = "*/*"
Frame Type => SETTINGS
2024/12/18 22:38:47 [http2 response] Dump HTTP2 Frame error: unexpected EOF
2024-12-18T22:38:47+08:00 ??? UUID:39581_39581_curl_5_0_172.19.100.17:48962-76.76.21.21:443, Name:HTTP2Response, Type:4, Length:4278
Frame Type => SETTINGS
Frame Type => WINDOW_UPDATE
Frame Type => SETTINGS
Frame Type => HEADERS
header field ":status" = "200"
header field "accept-ranges" = "bytes"
header field "access-control-allow-origin" = "*"
header field "age" = "238524"
header field "cache-control" = "public, max-age=0, must-revalidate"
header field "content-disposition" = "inline"
header field "content-type" = "text/html; charset=utf-8"
header field "date" = "Wed, 18 Dec 2024 14:38:46 GMT"
header field "etag" = "\"6ec0d02787369e8ea7c44409db9cbe99\""
header field "last-modified" = "Sun, 15 Dec 2024 20:23:22 GMT"
header field "server" = "Vercel"
header field "strict-transport-security" = "max-age=63072000"
header field "x-vercel-cache" = "HIT"
header field "x-vercel-id" = "hkg1::m4dgh-1734532726185-a3d01f468486"
header field "content-length" = "24569"
Frame Type => DATA
<!DOCTYPE html>
<html lang="en-US" dir="ltr">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>eCapture - Capture SSL/TLS text content without CA cert using eBPF. | eCapture</title>
<meta name="description" content="eCapture - Capture SSL/TLS text content without CA certificate using eBPF">
<meta name="generator" content="VitePress v1.5.0">
<link rel="preload stylesheet" href="/assets/style.nptfy1Tr.css" as="style">
<link rel="preload stylesheet" href="/vp-icons.css" as="style">
<script type="module" src="/assets/app.DXOqA-Jf.js"></script>
<link rel="modulepreload" href="/assets/chunks/theme.BkHHwEhx.js">
<link rel="modulepreload" href="/assets/chunks/framework.tmAlGBxD.js">
<link rel="modulepreload" href="/assets/chunks/githubReleases.BcmQgaE5.js">
<link rel="modulepreload" href="/assets/index.md.CEuvy2gq.lean.js">
<link rel="icon" href="/logo.svg">
<link rel="preload" href="/assets/inter-latin.7b37fe23.woff2" as="font" type="font/woff2" crossorigin="anonymous">
<script>(()=>{const e=(o,r,c=!1)=>{const s=localStorage.getItem(o);(s?s!=="false":c)&&document.documentElement.classList.add(r)};e("vue-docs-prefer-composition","prefer-composition"),e("vue-docs-prefer-sfc","prefer-sfc",!0),window.__VUE_BANNER_ID__="wip",e(`vue-docs-banner-${__VUE_BANNER_ID__}`,"banner-dismissed")})();</script>
<link rel="shortcut icon" href="https://ecapture.cc/assets/logo-300x300-v2.059cb3f9.svg">
<script id="check-dark-mode">(()=>{const e=localStorage.getItem("vitepress-theme-appearance")||"auto",a=window.matchMedia("(prefers-color-scheme: dark)").matches;(!e||e==="auto"?a:e==="dark")&&document.documentElement.classList.add("dark")})();</script>
<script id="check-mac-os">document.documentElement.classList.toggle("mac",/Mac|iPhone|iPod|iPad/i.test(navigator.platform));</script>
</head>
<body>
<div id="app"><div class="VPApp" data-v-ae2f6264><!--[--><span tabindex="-1" data-v-2ee4b9aa></span><a href="#VPContent" class="VPSkipLink visually-hidden" data-v-2ee4b9aa>Skip to content</a><!--]--><!----><!--[--><!--]--><header class="VPNav nav-bar stick" data-v-ae2f6264 data-v-c76f83a6><div class="VPNavBar" data-v-c76f83a6 data-v-9abe73e6><div class="container" data-v-9abe73e6><a class="VPNavBarTitle" href="/" data-v-9abe73e6 data-v-25a4f16b><!--[--><!--[--><!--[--><!--[--><!--[--><img class="logo" src="/assets/logo-300x300-v2.BBmMbtan.svg" alt="eCapture Logo" data-v-b49487b1><span class="text" data-v-b49487b1>eCapture(旁观者)</span><!--]--><!--]--><!--]--><!--]--><!--]--></a><div class="content" data-v-9abe73e6><!----><nav aria-labelledby="main-nav-aria-label" class="VPNavBarMenu menu" data-v-9abe73e6 data-v-44ff399f><span id="main-nav-aria-label" class="visually-hidden" data-v-44ff399f>Main Navigation</span><!--[--><!--[--><a class="vt-link link VPNavBarMenuLink active" href="/" data-v-44ff399f data-v-34040ca2><!--[-->English<!--]--><!----></a><!--]--><!--[--><a class="vt-link link VPNavBarMenuLink" href="/guide/introduction.html" data-v-44ff399f data-v-34040ca2><!--[-->Guide<!--]--><!----></a><!--]--><!--[--><a class="vt-link link VPNavBarMenuLink" href="/develop/compile.html" data-v-44ff399f data-v-34040ca2><!--[-->Develop<!--]--><!----></a><!--]--><!--[--><a class="vt-link link VPNavBarMenuLink" href="/download.html" data-v-44ff399f data-
^C2024-12-18T22:39:02+08:00 INF module close.
2024-12-18T22:39:02+08:00 INF Module closed,message recived from Context
2024-12-18T22:39:03+08:00 INF iModule module close
2024-12-18T22:39:03+08:00 INF bye bye. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, Thanks.
Fixes #693
__sys_connect_file
anddo_accept
are not found on v5.4 kernel.Then, use
inet_stream_connect
andinet_accept
instead, as they are found on v4.19 and v5.4 kernels.I've test it on v5.4, v5.15 and v6.8 kernels.
@cfc4n can you help to test noncore on v4.19 and v5.4 kernels?