The capturing speed of xdpcap about xdpcap HOT 15 CLOSED

I found xdp_hook.c.elf, is it the right example？When I want to load it in the kernel.

sudo ip link set dev veth-basic02 xdpgeneric obj xdp_hook.c.elf sec xdp

there is errors:
Note: 16 bytes struct bpf_elf_map fixup performed due to size mismatch!
Program section 'map' not found in ELF file!
Error fetching program/map!

Could you give me some hints to get xdpcap working? Thanks so much.

from xdpcap.

Unfortunately most eBPF loaders are not entirely compatible with one another, as they use different sections. xdp_hook.c.elf was built to be used with newtools/ebpf.

I'm not familiar with ./xdploader, but it seems to pin maps and load a program from a named ELF section. If so, you should be able to adapt https://github.com/xdp-project/xdp-tutorial/blob/master/basic04-pinning-maps/xdp_prog_kern.c, something like (untested):

#include <linux/bpf.h>
#include "bpf_helpers.h"

#include "xdpcap.h"

struct bpf_map_def SEC("maps") xdpcap_hook = XDPCAP_HOOK();

SEC("xdp_pass")
int  xdp_pass_func(struct xdp_md *ctx)
{
    return xdpcap_exit(ctx, &xdpcap_hook, XDP_PASS);
}

char _license[] SEC("license") = "GPL";

This uses xdpcap.h from this repo.

It seems /sys/fs/bpf/veth-basic02/ is a directory, xdpcap needs the path an actual map (probably somewhere in that directory).

from xdpcap.

Thanks a lot. I will try and let you know the result.

I have a very general question. Is xdpcap does actually the same to the dropped or aborted packets as tcpdump does to the normal packet. Both tcpdump and xcpcap need to copy the packet from the kernel space to the user space, correct?
is the only difference is that they manipulate differnt kinds of packets？ dropped packet or normal packet。

I am interested in the capturing speed. Do you have any comments on the capturing speed of xcpcap? is it faster than tcpdump? If so, what is the possible reasons?

Thanks so much.

from xdpcap.

You are correct. what xdploader does is to pin maps and load a program from a named ELF section.

I can not find xdpcap.h in this repository, do you actually mean hook.h?

Many thanks.

from xdpcap.

Correct, xdpcap copies packets to userspace. The only visible difference between tcpdump and xdpcap is that xdpcap can capture packets that are XDP_DROP, XDP_ABORTED or XDP_TX. These packets aren't visible in tcpdump.

I really can't speculate about the capturing speed, that's not a goal we had in mind when designing this. I think it might depend on the ratio of packets seen to packets captured.

Ah yes, oops. It's hook.h.

from xdpcap.

Thanks. Then my understanding is correct. by designing xdpcap, you can actually collect the dropped pkts.

after i copy hook.h in my directory and put your suggested codes in xdp_prog_kern.c. I compile the xdp_prog_kern.c. I meet errors as shown below:
./hook.h:30:2: error: implicit declaration of function 'tail_call' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
tail_call((void *)ctx, hook, action);
^
1 error generated.

How can I get through this? thanks again.

from xdpcap.

tail_call seems to be defined as bpf_tail_call in the XDP Tutorial header (https://github.com/xdp-project/xdp-tutorial/blob/master/headers/bpf_helpers.h#L40). You can probably replace tail_call with bpf_tail_call in hook.h.

(I've been meaning to test xdpcap with libbpf but haven't gotten around to it yet. This should work better).

from xdpcap.

compiling is fine now.
But still meet problem on the unpining map when I try to load xdp_prog_kernl.o into the kernel by "sudo ./xdp_loader --dev veth-basic02 --force"

Success: Loaded BPF-object(xdp_prog_kern.o) and used section(xdp_pass)

• XDP prog attached on device:veth-basic02(ifindex:10)
• Unpinning (remove) prev maps in /sys/fs/bpf/veth-basic02/
  ERR: UNpinning maps in /sys/fs/bpf/veth-basic02
  ERR: pinning maps

is there any prolems in the xdp_prog_kernel.c file? Thanks a lot.

Could I ask one more general question?
For the drop packet, I guess xdpcap first send them to the network stack, correct?
How do you manage to send the drop packet to the linux stack? Could you depict a very simple logic for me to understand your method since I find this working is very interesting.

If so, all xdpcap does in the following could be the same as tcpdump, is this the case?

If you by channce have a little more time to explain the code in general a little bit, that will be very appreciated.

Thanks again.

from xdpcap.

I load xdp_prog_kernl.o in another physical interface enp1s0f1, it works good.

Success: Loaded BPF-object(xdp_prog_kern.o) and used section(xdp_pass)

• XDP prog attached on device:enp1s0f1(ifindex:5)
• Pinning maps in /sys/fs/bpf/enp1s0f1/

i could find the map "xdpcap_hook" in the folder of /sys/fs/bpf/enp1s0f1/

However, when I use xdpcap to caputre the packet by " sudo xdpcap /sys/fs/bpf/enp1s0f1/xdpcap_hook dump.pcap "tcp and port 80" "

It tell me the below error.
Error: creating filter: loading hook map: object /sys/fs/bpf/enp1s0f1/xdpcap_hook: no such file or directory

I am sure that xdpcap_hook is in the directory of /sys/fs/bpf/enp1s0f1/

What's the problem? Thanks.

from xdpcap.

For the drop packet, I guess xdpcap first send them to the network stack, correct?

No, we just copy the packet (to get it to userspace), and then drop it.

Error: creating filter: loading hook map: object /sys/fs/bpf/enp1s0f1/xdpcap_hook: no such file or directory

Strange. As far as I can tell we don't do anything special when loading the map, we just use the bpf syscall. I guess ENOENT comes from https://elixir.bootlin.com/linux/latest/source/kernel/bpf/inode.c#L482

Is ./xdp_loader still running when you run ./xdpcap?

from xdpcap.

How do you copy the packet to userspace? by which function？ thanks.

I ony run ./xdp_loader ... by one time, then it will return

"Success: Loaded BPF-object(xdp_prog_kern.o) and used section(xdp_pass)
XDP prog attached on device:enp1s0f1(ifindex:5)
Pinning maps in /sys/fs/bpf/enp1s0f1/"

So I think it is not running since it is already successfully load the elf file in the kernel.

What do you mean ENOENT? Thanks.

from xdpcap.

Thanks a lot for your nice work. I read through your codes though I never write codes with go language.

I could follow the main logic in the codes. Function newProgram builds an eBPF program that copies packets matching a cBPF program to userspace via perf.

If the xdpcap filter expression is empty, all the dropped and aborted packets will be copied to userspace, is my understanding correct?

I am thinking another scenario without security issue.
For example an application is runing. I want to pass all the packets to the network stack to be sure that the application running normally. So I should set xdp_action as XDP_PASS, correct？
Meanwhile, I want to pick some packets to the userspace by xdpcap, is it feasible? I know that this is not the designing goal of xdpcap. But I am curious about the capturing capability of xdpcap.

Many many thanks.

from xdpcap.

from xdpcap.

Strange enough. I tried again. I first delete the map under the folder, then I pin the map again. Now it works.

Very appreciate to your nice work and kind exchanges. I will try to get more tests on the capturing speed of xdpcap. I will let you konw the results. Thanks again.

from xdpcap.

Glad to hear it works :)

from xdpcap.