您好，我想请问kern/tc.h中skb_data_event_t结构体中只包含了timestamp，pid，comm，len和ifindex <div class

<div class="highlight highlight-source-c notranslate position-relative overflow-auto" dir="auto" dat

关于在pcap模式中tc层skb_data payload数据传输的问题 about ecapture HOT 3 CLOSED

caffe-in commented on July 2, 2024

关于在pcap模式中tc层skb_data payload数据传输的问题

from ecapture.

Comments (3)

cfc4n commented on July 2, 2024 1

    u64 flags = BPF_F_CURRENT_CPU;
    flags |= (u64)skb->len << 32;
    size_t pkt_size = TC_PACKET_MIN_SIZE;
    bpf_perf_event_output(skb, &skb_events, flags, &event, pkt_size);

重点是flags参数，以及 bpf_perf_event_output 函数的使用。

long bpf_perf_event_output(void *ctx, struct bpf_map *map, u64
flags, void *data, u64 size)

          Description
                 Write raw data blob into a special BPF perf event
                 held by map of type BPF_MAP_TYPE_PERF_EVENT_ARRAY.
                 This perf event must have the following attributes:
                 PERF_SAMPLE_RAW as sample_type, PERF_TYPE_SOFTWARE
                 as type, and PERF_COUNT_SW_BPF_OUTPUT as config.

                 The flags are used to indicate the index in map for
                 which the value must be put, masked with
                 BPF_F_INDEX_MASK.  Alternatively, flags can be set
                 to BPF_F_CURRENT_CPU to indicate that the index of
                 the current CPU core should be used.

                 The value to write, of size, is passed through eBPF
                 stack and pointed by data.

                 The context of the program ctx needs also be passed
                 to the helper.

                 On user space, a program willing to read the values
                 needs to call perf_event_open() on the perf event
                 (either for one or for all CPUs) and to store the
                 file descriptor into the map. This must be done
                 before the eBPF program can send data into it. An
                 example is available in file
                 samples/bpf/trace_output_user.c in the Linux kernel
                 source tree (the eBPF program counterpart is in
                 samples/bpf/trace_output_kern.c).

                 bpf_perf_event_output() achieves better performance
                 than bpf_trace_printk() for sharing data with user
                 space, and is much better suitable for streaming
                 data from eBPF programs.

                 Note that this helper is not restricted to tracing
                 use cases and can be used with programs attached to
                 TC or XDP as well, where it allows for passing data
                 to user space listeners. Data can be:

                 • Only custom structs,

                 • Only the packet payload, or

                 • A combination of both.

          Return 0 on success, or a negative error in case of
                 failure.

Linux Kernel demo ： https://elixir.bootlin.com/linux/v5.4/source/samples/bpf/xdp_sample_pkts_kern.c

from ecapture.

cfc4n commented on July 2, 2024

还有其他问题吗？

from ecapture.

caffe-in commented on July 2, 2024

没有了，谢谢您慷慨的解答'◡'

from ecapture.

Recommend Projects