When the XDP entrypoint has been loaded with the xdp.frags mode, xdpcap can't be attached.

when exec xdpcap /path/to/pinned/map dump.pcap "tcp and port 80" console print a error!
Error: creating output: open /path/to/pinned/map: is a directory.
what is the '/map'?

How to use this tools ? Is there a more detailed instructions， it's difficult for me to use it.

Hi,

I started exploring for tcpdump kind of tool for XDP programs and came across this tool and blog. I am really happy to see this tool which simplifies the debugging process with XDP code. Thanks you for making life easy.

I have developed the XDP code using bcc project. I want to explore this xdpcap with the developed sample code. But it is throwing continuous null pointers exception. The Code and error details are as follows.

Code:
`
from bcc import BPF, libbcc
import time
import sys

code = """
#include <uapi/linux/bpf.h>
#include "../hook.h"

int tail_call(void *ctx, void *map, int index);
BPF_TABLE("array", int, int, xdp_hooks, 5);
BPF_TABLE("array", uint32_t, long, packet_counter, 1);

int counter(struct xdp_md *ctx) {
uint32_t index = 0;
long *value = packet_counter.lookup(&index);
if (value)
*value += 1;
return xdpcap_exit(ctx, &xdp_hooks, XDP_PASS);
}
"""
device="eth0"
pin_path="/sys/fs/bpf/xdp_hooks"
mode = BPF.XDP
ctxtype = "xdp_md"

b = BPF(text = code, cflags=["-w", "-DCTXTYPE=%s" % ctxtype])
fn = b.load_func("counter", mode)

print("Program loaded \n")

b.attach_xdp(device, fn, 0)
counter = b.get_table("packet_counter")

xdp_hooks = b.get_table("xdp_hooks")
print("map fd: {}".format(counter.map_fd))
ret = libbcc.lib.bpf_obj_pin(xdp_hooks.map_fd, ctypes.c_char_p(pin_path))
if ret != 0:
raise Exception("Failed to pin map")
print("Pinned at: {}".format(pin_path))

print("Hit CTRL+C to stop")
while True:
try:
print(counter[0].value)
time.sleep(1)
except KeyboardInterrupt:
print("Removing filter from device")
break
b.remove_xdp(device, flags)
`
Error:

python: /usr/lib/llvm-6.0/include/llvm/Support/Casting.h:106: static bool llvm::isa_impl_cl<To, const From*>::doit(const From*) [with To = clang::VarDecl; From = clang::Decl]: Assertion `Val && "isa<> used on a null pointer"' failed.
Aborted (core dumped)

I tried this code using llvm-6.0 and llvm7-0. I am getting the same error again and again. I mounted the filesystem also.

Environment Details:
OS: Ubuntu 18.04
Kernel : 5.3

Also tested this code another environment also
OS: Debian 10
Kernel: 5.4

Can you help me to resolve this issue?

From #5 :

Patching Program doesn't work because it's already loaded, using a ProgramSpec doesn't quite work either I think:
We can't remove the map from the CollectionSpec, so it will be created, duplicating the map created by hook.go. NewCollection() will overwrite the instructions we overwrote with RewriteMap to use the map it created, because RewriteMap preserves the instruction.Reference.

@lmb 's comments:

We can't remove the map from the CollectionSpec, so it will be created, duplicating the map created by hook.go

I'm not super fussed by this, tbh. As long as the collection is closed it'll be closed afterwards. Something similar already happens for nested maps, etc.

overwrite the instructions we overwrote with RewriteMap to use the map it created

That's an interesting case. Should the collection loader in that case refrain from patching the map twice? We could look at ins.Constant = 0.

Does Packets captured by xdpcap go across Protocol stack?
Thanks !

Add a way of specifying the desired XDP actions on the command line, and only expose packets with those actions (by only attaching eBPF programs for those actions).

Filter, Packet, etc. It's impossible to import from main packages, so we should either move these, or unexport them.

Hi！
here are codes and operators.

`//xdp-pass-ebpf.c
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/udp.h>

#include <stdint.h>

#define SEC(NAME) attribute((section(NAME), used))

#define htons(x) ((__be16)___constant_swab16((x)))
#define htonl(x) ((__be32)___constant_swab32((x)))

#define PIN_GLOBAL_NS 2

struct bpf_elf_map {
__u32 type;
__u32 size_key;
__u32 size_value;
__u32 max_elem;
__u32 flags;
__u32 id;
__u32 pinning;
};

struct bpf_elf_map SEC("maps") action_map = {
.type = BPF_MAP_TYPE_PROG_ARRAY,
.size_key = sizeof(int),
.size_value = sizeof(int),
.pinning = PIN_GLOBAL_NS,
.max_elem = 100,
};

SEC("prog")
int xdp_pass_benchmark_traffic(struct xdp_md *ctx)
{

    return XDP_PASS;

}

char _license[] SEC("license") = "GPL";
`

//1--set xdp obj to nic

root@xxx:/home/tttt/bin# ip link set dev ens3 xdp obj xdp-pass-ebpf.o
Note: 8 bytes struct bpf_elf_map fixup performed due to size mismatch!
root@xxx:/home/tttt/bin#

//2--pinned map is created by above cmd
root@xxx:/sys/fs/bpf/xdp/globals# ll /sys/fs/bpf/xdp/globals/action_map
-rw------- 1 root root 0 12月 16 23:24 /sys/fs/bpf/xdp/globals/action_map
root@xxx:/sys/fs/bpf/xdp/globals#

//3--show dev
root@xxx:/home/tttt/bin# ip link show dev ens3
2: ens3: <BROADCAST,MULTICAST> mtu 1500 xdp qdisc mq state DOWN mode DEFAULT group default qlen 1000
link/ether fa:16:3e:b6:9e:8f brd ff:ff:ff:ff:ff:ff
prog/xdp id 8 tag 3b185187f1855c4c jited

//ping 168.168.208.37 --> 168.168.208.36
64 bytes from 168.168.208.36: icmp_seq=180 ttl=64 time=0.305 ms
64 bytes from 168.168.208.36: icmp_seq=181 ttl=64 time=0.328 ms
64 bytes from 168.168.208.36: icmp_seq=182 ttl=64 time=0.335 ms
64 bytes from 168.168.208.36: icmp_seq=183 ttl=64 time=0.288 ms

//capture -- why i can't any packets , action is xdp_pass
root@xxx:/home/tttt/bin# ./xdpcap /sys/fs/bpf/xdp/globals/action_map dump.pcap
ws----- os.Args[0]= ./xdpcap [1:]= [/sys/fs/bpf/xdp/globals/action_map dump.pcap]
aborted: 0/0 drop: 0/0 pass: 0/0 tx: 0/0 redirect: 0/0 xdpAction(5): 0/0 xdpAction(6): 0/0 xdpAction(7): 0/0 xdpAction(8): 0/0 xdpAction(9): 0/0 xdpAction(10): 0/0 xdpAction(11): 0/0 xdpAction(12): 0/0 xdpAction(13): 0/0 xdpAction(14): 0/0 xdpAction(15): 0/0 xdpAction(16): 0/0 xdpAction(17): 0/0 xdpAction(18): 0/0 xdpAction(19): 0/0 xdpAction(20): 0/0 xdpAction(21): 0/0 xdpAction(22): 0/0 xdpAction(23): 0/0 xdpAction(24): 0/0 xdpAction(25): 0/0 xdpAction(26): 0/0 xdpAction(27): 0/0 xdpAction(28): 0/0 xdpAction(29): 0/0 xdpAction(30): 0/0 xdpAction(31): 0/0 xdpAction(32): 0/0 xdpAction(33): 0/0 xdpAction(34): 0/0 xdpAction(35): 0/0 xdpAction(36): 0/0 xdpAction(37): 0/0 xdpAction(38): 0/0 xdpAction(39): 0/0 xdpAction(40): 0/0 x

//but tcpdump can find packets on ens3
root@xxx:/home/tttt/bin# tcpdump -i ens3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
23:36:04.136424 IP 168.168.208.37 > xxx: ICMP echo request, id 1259, seq 1, length 64
23:36:04.136472 IP xxx > 168.168.208.37: ICMP echo reply, id 1259, seq 1, length 64
23:36:05.151978 IP 168.168.208.37 > xxx: ICMP echo request, id 1259, seq 2, length 64
23:36:05.152015 IP xxx > 168.168.208.37: ICMP echo reply, id 1259, seq 2, length 64
23:36:06.175955 IP 168.168.208.37 > xxx: ICMP echo request, id 1259, seq 3, length 64
23:36:06.175998 IP xxx > 168.168.208.37: ICMP echo reply, id 1259, seq 3, length 64
6 packets captured

root@xxx:/home/tttt/bin# ifconfig ens3
ens3 Link encap:Ethernet HWaddr fa:16:3e:b6:9e:8f
inet addr:168.168.208.36 Bcast:168.168.208.255 Mask:255.255.255.0
inet6 addr: fe80::f816:3eff:feb6:9e8f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1254 errors:0 dropped:0 overruns:0 frame:0
TX packets:1345 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:120679 (120.6 KB) TX bytes:130643 (130.6 KB)

root@xxx:/home/tttt/bin#

In xdpcap , perfMapSpec's type is ebpf.PerfEventArray, is there some examples for ebpf.PerCPUHash or ebpf.PerCpuArray which has high performance ?

static inline void xdpcap_enter(struct xdp_md *ctx, void *hook_map)

if the feature sounds rational, I'd like to PR this.

i start xdpcap like this:

sudo -E env "PATH=$PATH"  xdpcap /sys/fs/bpf/hookmap -  'icmp[icmptype] = icmp-echo'   | tcpdump -n -r - 

then ping my machine(xdpcap running in this machine) from another machine , xdpcap does work:

reading from file -, link-type EN10MB (Ethernet)
18:40:48.100177 IP 192.168.254.10 > 192.168.254.29: ICMP echo request, id 8744, seq 1, length 64
18:40:49.101541 IP 192.168.254.10 > 192.168.254.29: ICMP echo request, id 8744, seq 2, length 64
18:40:50.103620 IP 192.168.254.10 > 192.168.254.29: ICMP echo request, id 8744, seq 3, length 64
18:40:51.107921 IP 192.168.254.10 > 192.168.254.29: ICMP echo request, id 8744, seq 4, length 64
18:40:52.122960 IP 192.168.254.10 > 192.168.254.29: ICMP echo request, id 8744, seq 5, length 64
18:40:53.124194 IP 192.168.254.10 > 192.168.254.29: ICMP echo request, id 8744, seq 6, length 64

but when i open another terminal on my machine:

ping  1.1.1.1

xdpcap capture nothing, is there some way to capture egress traffic?

Timestamps are currently added in userspace and likely to be inaccurate: https://github.com/cloudflare/xdpcap/blob/master/cmd/xdpcap/main.go#L120

Switch timestamps to BPF using bpf_ktime_get_ns (which is clock_gettime(CLOCK_MONOTONIC) and not the actual time, so will need some adjusting in userspace).

Maybe the previous bfd packets( data of udp ) add to the next udp packets?
Has same problem with tcpdump ?

tcpdump -r xxxx.pcap -vvv -nn -XX | more
reading from file xxxx.pcap, link-type EN10MB (Ethernet)
15:47:30.778123 IP6 (class 0xe0, hlim 255, next-header UDP (17) payload length: 32) xxxx:xxxx:xxxx:xxxx::1.49200 > xxxx:xxxx:xxxx:3::2.3785: [udp sum o
k] BFD, Echo, length: 24
0x0000: 20c0 0618 0000 0000 0000 0831 0000 c350
0x0010: 0000 c350 0004 93e0
0x0000: fa16 3e3a 53e6 00d0 d01c 3d2d 8100 0c29 ..>:S.....=-...)
0x0010: 86dd 6e00 0000 0020 11ff xxx xxx xxx ..n.......$.....
0x0020: xxx 0000 0000 0000 0001 xxx xxx xxx '..............U
0x0030: 0003 0000 0000 0000 0002 c030 0ec9 0020 ...........0....
0x0040: 7463 20c0 0618 0000 0000 0000 0831 0000 tc...........1..
0x0050: c350 0000 c350 0004 93e0 .P...P....

Thanks for your reply！

Hello!
As I see this application can capture only packets when they leave xdp-program.
I have some application when packets changing. I suggest for such programs might be useful to capture income packet before modification and also outcome packet when it was changed.

What do you think about this?

Have a nice day!

Hi,

Summary: I am trying to use xdpcap to capture the packets which have IP-in-IP additional header. I couldn't capture the packets with xdpcap.

Issue:
The packets structure is as follows
eth header + ip-ip tunnel header + ip header + tcp/udp header + data

Setup:
Source machine -> Proxy server( where xdpcap runs) -> destination

I am doing some processing in proxy server and apply XDP_TX on the data. I want to trace this data.

Can you suggest how to capture the packets?

Add the XDP_REDIRECT action in.

Currently, by default, xdpcap will attach for every known action. New actions may be added in the future however (for example see XDP_REDIRECT, which we don't currently support). While we support parsing unknown actions (by using their numerical / enum value), they won't be used by default.

Add a new "meta" action, "all", that attaches the filter to all entries in the pinned hook map.

Is xdpcap filtering packets in user mode?

Can xdpcap filtering packets in kernel mode by ebpf bytes?

I user xdp_drop actoion without any filter express, that is to say capture all pakcets from ring buffer in kernel mode, and not to sava packets in use mode.
Speed is 244 pakckets per second. Cpu is in low usage.

I found there some lost packets in console. I can't find the reason。
Thanks a lot!
What do I need to do ？ Change perfMapSpec's type ?
root@tecs-OpenStack-Nova:/home/tecs/wangshuai_vm# taskset -c 3 ./xdpcap /sys/fs/bpf/xdp/globals/action_map ll.pcap
Error: lost 1 packets
aborted: 0/0 drop: 244/244 pass: 0/0 tx: 0/0 redirect: 0/0 (received/matched packets)
Error: lost 3 packets
aborted: 0/0 drop: 488/488 pass: 0/0 tx: 0/0 redirect: 0/0 (received/matched packets)
Error: lost 3 packets
Error: lost 1 packets
Error: lost 1 packets
aborted: 0/0 drop: 732/732 pass: 0/0 tx: 0/0 redirect: 0/0 (received/matched packets)
Error: lost 5 packets
aborted: 0/0 drop: 977/977 pass: 0/0 tx: 0/0 redirect: 0/0 (received/matched packets)
aborted: 0/0 drop: 1221/1221 pass: 0/0 tx: 0/0 redirect: 0/0 (received/matched packets)
aborted: 0/0 drop: 1465/1465 pass: 0/0 tx: 0/0 redirect: 0/0 (received/matched packets)
aborted: 0/0 drop: 1709/1709 pass: 0/0 tx: 0/0 redirect: 0/0 (received/matched packets)
Error: lost 7 packets
aborted: 0/0 drop: 1953/1953 pass: 0/0 tx: 0/0 redirect: 0/0 (received/matched packets)

I run iperf on two servers. and the packet length of the flow is in the range of 1500~65536 bytes.

However, with wireshark I can observer the maximum packet length of the captured packet is 1518 bytes of the files caputred by xdpcap.

with another captured tool. I could find that packet length is not a fixed value 1518.

Does xdpcap change the packet header? otherwise, the packet length should be the initial value between 1500 ~ 65536, rather than 1518

Thanks.

Linux now supports attaching BPF programs just before (fentry) and after (fexit) an XDP program.
This allows packets to be captured before and after an XDP program runs, from unmodified XDP programs (no "hook" map).

xdpdump already supports this, but without filtering: https://github.com/xdp-project/xdp-tools/tree/master/xdp-dump/.

https://github.com/xdp-project/xdp-tools
https://www.redhat.com/en/blog/capturing-network-traffic-express-data-path-xdp-environment

Has another tool called xdpdump. It was built around ebpf as well, specifically:

xdpdump to capture the original packet at ingress and the modifications the XDP program has made to the packet after execution

Is this the same for xdpcap?

Hello, in my last question.

I want to test the caputring speed that xdpcap can achieve? wireshark achieves around 1Gbps. netmap is at around 6 Gbps. I am curious wherther xdpcap can achieve 10Gbps or even higher such as 40Gbps.

While you answered me that xdpcap is an introspection tool for XDP programs, it's not in any way meant to be faster than other options. I'll defer this to @arthurfabre, but from my POV your use case is out of scope for us.

Is there any comments form arthurfabre? thanks.

I go through the xdp-tutorial (https://github.com/xdp-project/xdp-tutorial/tree/master/basic04-pinning-maps ), and I want to test xdpcap with xdp program.

However, I do not know exactly how to do that.

I load the xdp program in the kernel by
"sudo ./xdp_loader --dev veth-basic02 --force" in xdp-tutorial (basic04-pinning-maps)
I got the following output.
Success: Loaded BPF-object(xdp_prog_kern.o) and used section(xdp_pass)

• XDP prog attached on device:veth-basic02(ifindex:10)
• Unpinning (remove) prev maps in /sys/fs/bpf/veth-basic02/
• Pinning maps in /sys/fs/bpf/veth-basic02/

I know I should run " xdpcap /sys/fs/bpf/veth-basic02/ dump.pcap "tcp and port 80" " to capture the packet and store them in the dump.pcap file. but I fail.

It complains that "Error: creating filter: invalid hook map ABI: expected map type ProgramArray, have Array"

In the example xdp program, the map type is BPF_MAP_TYPE_ARRAY or
BPF_MAP_TYPE_PERCUPU_ARRAY. It is not ProgramArray.

If I simply change the map type to ProgramArray, the xdp program will not work.

I want to have an example xdp program that works with xdpcap. Could you kindly provide with one very simple example?

Really thanks a lot.

Hello, I am new to eBPF. After I run
xdpcap /path/to/pinned/map dump.pcap "tcp and port 80"
I have the below errors.

Error setting locked memory limit: operation not permitted
Error: creating filter: loading hook map: object /path/to/pinned/map: no such file or directory

I do not understand where is the path to pinned map? could you provide me an example? Thanks a lot. Why I also has the locked memory limit?

go version go1.12.5 linux/amd64

Thanks a lot.

`attribute((always_inline))
static inline enum xdp_action xdpcap_exit(struct xdp_md *ctx, void hook_map, enum xdp_action action) {
// tail_call
// Some headers define tail_call (Cilium), others bpf_tail_call (kernel self tests). Use the helper ID directly
((int ()(struct xdp_md *, void *, int))12)(ctx, hook_map, action);
return action;
}

SEC("prog")
int xdp_pass_benchmark_traffic(struct xdp_md *ctx)
{

    //return XDP_PASS;
    return xdpcap_exit(ctx, &action_map, XDP_PASS);

}`

I exec sudo ./xdpcap /path/to/pinned/map dump.pcap "tcp and port 80", after i copy xdp_hook.c.elf to /path/to/pinned/map . Then raise a error:
"Error: creating filter: loading hook map: get object /path/to/pinned/map: permission denied"

Support capturing from multiple hooks at the same time, and add the hook the packet was received on to the pcap metadata.

With libbpf 1.0.0 the expected way that a map is defined has changed. This means that users who wish to integrate xdpcap need to use a different way to define their maps than the one suggested in hook.h. Update documentation accordingly.

The Libbpf release is on the horizon, and will break some of the functionality provided by xdpcap (detailed here).

This will break the uses of the old-style map definitions, and possibly other behaviour.

Consider this eBPF program:

It roughly translates to:

struct {
    u64 action;
    u64 packet_length;
} data = { ..., len };
bpf_perf_event_output(ctx, map, (len << 32) | BPF_F_CURRENT_CPU,
                      &data, sizeof(data));

These events are consumed here:

How did the packet data (struct xdp_md::data) end up in the BPF map? I did not run the code, but manually reviewed it in order to understand how it works. What am I missing?

The question was prompted by a proposal to add dedicated helpers for packet capture:
https://lkml.kernel.org/r/[email protected]

/go_root/pkg/mod/github.com/cloudflare/[email protected]/c.go:9:2: read /go_root/pkg/mod/github.com/pkg/[email protected]/bench_test.go: unexpected NUL in input

Rust is a language I've been interested in for awhile but I aint very good at it 2bh. But if stuff like this would be possible to use in that I might think of using it over c because i'm not that good at that either and rust can be used for much more other things that I would want to do. Thanks.

I think this is because we're not adjusting the memory lock limit.

Options:

• Set a default mem lock limit, make it overridable via flag
• Approximate something from the per CPU buffer size

xdpcap only explicitly flushes the pcapgo writer on exit. When writing to a regular file, this works fine. When writing to stdout though (eg to pipe the pcap to tcpdump), this means we only try to flush the data out after receiving SIGPIPE, at which point it's too late.

Flush the data more frequently to avoid this.

Pinned hook maps exposed by long running daemons may change from under us, for example due to a graceful reload or configuration change.

Monitor the pinned maps (inotify?), and if they are replaced with new maps reattach the capture programs.

xdpcap currently creates the following output when capturing into a file:

aborted: 0/0	drop: 0/0	pass: 255/211	tx: 0/0	(received/matched packets)
Error: lost 10 packets
Error: lost 4 packets

First, it's not entirely clear to me what the distinction between received / matched is. Maybe it would be nicer if there was a separate "all" column that just counted the number of packets without filtering and just showing the number of matched packets per action:

aborted: 0	drop: 0	pass: 211	tx: 0	total: 255 (of which 211 matched)

Second, the message for lost packets can be a bit noisy. Maybe that become a column as well:

aborted: 0	drop: 0	pass: 211	tx: 0	lost: 14	total: 255 (of which 211 matched)

Another option would be to only print the number of lost packets when exiting via Ctrl-C, similar to tcpdump.

Sometimes the verifier might complain about the program that is being loaded (hopefully very rarely). Allow the user to see the verifier logs to figure out what went wrong. The verifier log buffer size should also be configurable because the verifier logs could be substantial.