skbdump takes advantages of tc-bpf(8) to dump traffic on a network.
This tool is created by the following motives:
- tcpdump(8) is bypassed when a bpf program on a device redirects the skb to another device;
- tcpdump(8) works slowly and affects network performance;
- tcpdump(8)
-i anyrelies on Linux cooked-mode capture (SLL) and the link layer header isn't available; - tcpdump(8) doesn't reflect the information of direction: egress or ingress;
- tcpdump(8) can't capture the skb metadata in the
struct __sk_buff;
However, tcpdump(8) does have something I really appriciate, such as pcap-filter(7) for packet filtering, and I want to make sure my tool can still leverage the power of that.
Please download the latest binary in the releases.
libpcap is required for Linux, for Ubuntu:
apt install libpcap-devUsage of skbdump:
-i, --interface string interface to capture (default "lo")
-w, --pcap-filename string output pcap filename (default "skbdump.pcap")
--perf-output use bpf_perf_event_output to lift payload size limit
-s, --skb-filename string output skb filename (default "skbdump.skb")
Please be aware that every capture will dump two files, one is pcap file which I recommand you open it by wireshark, and the other is skb text file just simply recording skb metadata in JSON.
- skbdump -i eth0 port 80 and host 10.10.1.1
- skbdump -i eth0 udp or arp
- skbdump -i any icmp or icmp6
- skbdump -i any ip6 and dst host fd04::18ab
- skbdump -i veth 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
- Currently the tool only supports capturing packets with maximum 1500 bytes in default mode (bpf queue output mode).
- Using perf output mode can capture payload larger than 1500 bytes, but it's likely to mess up the event order and get some events lost.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent