之前我写了一篇《eBPF bpftrace 实现个UNIX socket抓包试试》，但是很受限，不能完整打印包数据信息。今天又写了一个 BCC 版本的，感觉没问题了。

不多说,直接上代码:

#!/usr/bin/python
# @lint-avoid-python-3-compatibility-imports
#
# undump        Dump UNIX socket packets.
#               For Linux, uses BCC, eBPF. Embedded C.
# USAGE: undump [-h] [-t] [-p PID]
#
# This uses dynamic tracing of kernel functions, and will need to be updated
# to match kernel changes.
#
# Copyright (c) 2021 Rong Tao.
# Licensed under the GPL License, Version 2.0
#
# 27-Aug-2021   Rong Tao   Created this.
#
from __future__ import print_function
from bcc import BPF
from bcc.containers import filter_by_containers
from bcc.utils import printb
import argparse
from socket import inet_ntop, ntohs, AF_INET, AF_INET6
from struct import pack
from time import sleep
from datetime import datetime
import sys# arguments
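examples = """examples:
    ./undump           # trace/dump all UNIX packets
    ./undump -t        # include timestamps
    ./undump -p 181    # only trace/dump PID 181
"""
parser = argparse.ArgumentParser(
    description="Dump UNIX socket packets",
    formatter_class=argparse.RawDescriptionHelpFormatter,
    epilog=examples)
parser.add_argument("-t", "--timestamp", action="store_true",
    help="include timestamp on output")
# type=int: the PID is substituted verbatim into the C source of the BPF
# program (the FILTER_PID placeholder below), so only a number may reach
# it; anything else is rejected here by argparse instead of being handed
# to the BPF compiler as C text.
parser.add_argument("-p", "--pid", type=int,
    help="trace this PID only")
args = parser.parse_args()

# define BPF program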
# The kernel side of the tool, compiled from this C source by BCC at run
# time.  Two probe functions are defined:
#
#   trace_stream_entry          attached as a kprobe (function entry) on
#                               unix_stream_recvmsg; records pid, uid,
#                               timestamp, socket state/type/flags,
#                               msg_namelen and the task comm, and submits
#                               them as one stream_data_t event.
#                               unix_sock_path is the raw kernel pointer to
#                               the dentry name, not the string itself; the
#                               user-space callback does not print it.
#   trace_unix_stream_read_actor attached as a kprobe on
#                               unix_stream_read_actor; copies skb->len
#                               bytes from skb->data into a per-CPU buffer
#                               and submits recv_len + payload.  An skb
#                               longer than MAX_PKT (512) is dropped before
#                               the submit, so its payload never appears in
#                               the dump.
#
# Both probes are entry probes, so the `ret = PT_REGS_RC(ctx)` reads are
# not return values; `ret` and `tid` are computed and unused.
# FILTER_PID is a textual placeholder replaced below.
bpf_text = """
#include <uapi/linux/ptrace.h>
#include <net/sock.h>
#include <bcc/proto.h>
#include <linux/aio.h>
#include <linux/socket.h>
#include <linux/net.h>
#include <linux/fs.h>
#include <linux/mount.h>
#include <linux/module.h>
#include <net/sock.h>
#include <net/af_unix.h>

// separate data structs for ipv4 and ipv6
struct stream_data_t {
    u64 ts_us;
    u32 pid;
    u32 uid;
    u32 sock_state;
    u32 sock_type;  //type of socket[STREAM|DRGMA]
    u64 sock_flags;
    char task[TASK_COMM_LEN];
    char *unix_sock_path;
    int msg_namelen;
};
BPF_PERF_OUTPUT(stream_recvmsg_events);

#define MAX_PKT 512
struct recv_data_t {
    u32 recv_len;
    u8  pkt[MAX_PKT];
};

// single element per-cpu array to hold the current event off the stack
BPF_PERCPU_ARRAY(unix_data, struct recv_data_t,1);
BPF_PERF_OUTPUT(unix_recv_events);

//static int unix_stream_recvmsg(struct socket *sock, struct msghdr *msg,
//                 size_t size, int flags)
int trace_stream_entry(struct pt_regs *ctx)
{
    int ret = PT_REGS_RC(ctx);
    u64 pid_tgid = bpf_get_current_pid_tgid();
    u32 pid = pid_tgid >> 32;
    u32 tid = pid_tgid;
    FILTER_PID
    struct stream_data_t data4 = {.pid = pid,};
    data4.uid = bpf_get_current_uid_gid();
    data4.ts_us = bpf_ktime_get_ns() / 1000;
    struct socket *sock = (struct socket *)PT_REGS_PARM1(ctx);
    struct msghdr *msg = (struct msghdr *)PT_REGS_PARM2(ctx);
    data4.sock_state = sock->state;
    data4.sock_type = sock->type;
    data4.sock_flags = sock->flags;
    data4.msg_namelen = msg->msg_namelen;
    bpf_get_current_comm(&data4.task, sizeof(data4.task));
    struct unix_sock *unsock = (struct unix_sock *)sock->sk;
    data4.unix_sock_path = (char *)unsock->path.dentry->d_name.name;
    stream_recvmsg_events.perf_submit(ctx, &data4, sizeof(data4));
    return 0;
};

int trace_unix_stream_read_actor(struct pt_regs *ctx)
{
    u32 zero = 0;
    int ret = PT_REGS_RC(ctx);
    u64 pid_tgid = bpf_get_current_pid_tgid();
    u32 pid = pid_tgid >> 32;
    u32 tid = pid_tgid;
    FILTER_PID
    struct sk_buff *skb = (struct sk_buff *)PT_REGS_PARM1(ctx);
    struct recv_data_t *data = unix_data.lookup(&zero);
    if (!data)
        return 0;
    unsigned int data_len = skb->len;
    if(data_len > MAX_PKT)
        return 0;
    void *iodata = (void *)skb->data;
    data->recv_len = data_len;
    bpf_probe_read(data->pkt, data_len, iodata);
    unix_recv_events.perf_submit(ctx, data, data_len+sizeof(u32));
    return 0;
}
"""
# Only the pid filter is templated.  args.pid is inserted verbatim into the
# C source; without -p, every process's UNIX stream traffic is dumped.
# NOTE(review): --pid is declared without type=int above, so argparse
# hands over a plain string and a non-numeric value ends up inside the C
# program at BPF compile time -- confirm the parser coerces it.
if args.pid:
    bpf_text = bpf_text.replace('FILTER_PID',
        'if (pid != %s) { return 0; }' % args.pid)
bpf_text = bpf_text.replace('FILTER_PID', '')

# process event
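def print_stream_event(cpu, data, size):
    """Print one unix_stream_recvmsg() event (perf-buffer callback).

    Writes an optional relative timestamp (-t), then the PID and command
    name, on one line.  The packet bytes arrive through the separate
    unix_recv_events buffer and are printed by print_recv_pkg.

    Args:
        cpu: CPU the event was recorded on (unused).
        data: raw event buffer, decoded via the BPF table's event().
        size: length of data in bytes (unused).
    """
    global start_ts
    event = b["stream_recvmsg_events"].event(data)
    if args.timestamp:
        # The first event seen fixes the time origin, so TIME(s) is
        # relative to the start of the trace rather than to boot.
        if start_ts == 0:
            start_ts = event.ts_us
        printb(b"%-9.3f" % ((float(event.ts_us) - start_ts) / 1000000), nl="")
    # %d rather than %s for the pid: under Python 3, bytes %-formatting
    # raises TypeError when %s is given an int, so "%-6s" only worked on
    # Python 2.  %d is accepted by both.
    printb(b"%-6d %-12s" % (event.pid, event.task))

# process event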
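def print_recv_pkg(cpu, data, size):
    """Hex-dump one captured UNIX socket payload (perf-buffer callback).

    Output format is unchanged: a "----------------" marker, then the
    bytes as two-digit hex (16 per row, each new row prefixed by the same
    marker), and a closing "----------------recv N bytes" line.

    Args:
        cpu: CPU the event was recorded on (unused).
        data: raw event buffer, decoded via the BPF table's event().
        size: length of data in bytes (unused).
    """
    event = b["unix_recv_events"].event(data)
    # recv_len is set by the BPF side and is at most MAX_PKT (512); only
    # that many leading bytes of pkt are meaningful.
    sys.stdout.write(_format_packet(event.pkt, event.recv_len))
    # One flush per packet instead of the original one flush per byte
    # (same text, far fewer write syscalls).
    sys.stdout.flush()


def _format_packet(pkt, length):
    """Return the hex-dump text for the first *length* bytes of *pkt*."""
    parts = ["----------------"]
    for i in range(length):
        parts.append("%02x " % pkt[i])
        # End the row after every 16th byte and open the next row with
        # the marker.
        if (i + 1) % 16 == 0:
            parts.append("\n----------------")
    parts.append("\n----------------recv %d bytes\n" % length)
    return "".join(parts)

# initialize BPF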
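b = BPF(text=bpf_text)
# Both probes are kprobes (function entry), so the C side reads the
# traced functions' arguments via PT_REGS_PARMn.  The header notes the
# tool depends on kernel internals -- NOTE(review): if a kernel renames
# or inlines either symbol the attach fails here; verify on the target
# kernel.
b.attach_kprobe(event="unix_stream_recvmsg", fn_name="trace_stream_entry")
b.attach_kprobe(event="unix_stream_read_actor",
                fn_name="trace_unix_stream_read_actor")

print("Tracing UNIX socket packets ... Hit Ctrl-C to end")

# header
if args.timestamp:
    print("%-9s" % ("TIME(s)"), end="")
print("%-6s %-12s" % ("PID", "COMM"), end="")
print()
print()

# Time origin for the -t column; set by the first event in
# print_stream_event, so it must exist before the perf buffers are opened.
start_ts = 0

# read events
b["stream_recvmsg_events"].open_perf_buffer(print_stream_event)
b["unix_recv_events"].open_perf_buffer(print_recv_pkg)
while True:
    try:
        b.perf_buffer_poll()
    except KeyboardInterrupt:
        # sys.exit() rather than the bare exit(): the latter is a
        # convenience added by the site module and is not guaranteed
        # to exist when the interpreter runs with -S or is embedded.
        sys.exit()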

help信息

[root@localhost study]# ./undump.py -h
usage: undump.py [-h] [-t] [-p PID]

Dump UNIX socket packets

optional arguments:
  -h, --help         show this help message and exit
  -t, --timestamp    include timestamp on output
  -p PID, --pid PID  trace this PID only

examples:
    ./undump           # trace/dump all UNIX packets
    ./undump -t        # include timestamps
    ./undump -p 181    # only trace/dump PID 181

效果:

abcdef前面的字段是我的消息头

/*
 * Application message header used by the author's test program: the
 * fields that precede the "abcdef" payload in the dump above.
 * packed: no padding between the three ints and data[], so the header
 * occupies exactly 3 * sizeof(int) bytes on the wire, followed directly
 * by the payload (data[] is a flexible array member, zero-length itself).
 */
struct MsgHdr {
    int src;
    int dst;
    int id;
    char data[];
}__attribute__((packed));
