fix: use other hooks to probe 5-tuple #695
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
no problem. |
|
@Asphaltt run success on kernel 4.19 with noncore , but can not get 4-tuple info when works as client(Actively initiate a connection) work as client -- can not get 4-tupleAddConn success fd=3252076376 is not right work as server -- ok |
`__sys_connect_file` and `do_accept` are not found on v5.4 kernel. Then, use `inet_stream_connect` and `inet_accept` instead, as they are found on v4.19 and v5.4 kernels. Signed-off-by: Leon Hwang <[email protected]>
Thank you, bro @chilli13 I fixed it just now. |
|
Test passed on ubuntu 20.04 (kernel 5.4): sudo bin/ecapture tls -d -b 2
2024-12-18T22:38:37+08:00 INF AppName="eCapture(旁观者)"
2024-12-18T22:38:37+08:00 INF HomePage=https://ecapture.cc
2024-12-18T22:38:37+08:00 INF Repository=https://github.com/gojue/ecapture
2024-12-18T22:38:37+08:00 INF Author="CFC4N <[email protected]>"
2024-12-18T22:38:37+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-12-18T22:38:37+08:00 INF Version=linux_amd64:v0.9.0-20241218-2b7b128:x86_64
2024-12-18T22:38:37+08:00 INF Listen=localhost:28256
2024-12-18T22:38:37+08:00 INF eCapture running logs logger=
2024-12-18T22:38:37+08:00 INF the file handler that receives the captured event eventCollector=
2024-12-18T22:38:37+08:00 INF listen=localhost:28256
2024-12-18T22:38:37+08:00 INF https server starting...You can upgrade the configuration file via the HTTP interface.
2024-12-18T22:38:37+08:00 INF Kernel Info=5.4.255 Pid=39517
2024-12-18T22:38:37+08:00 INF BTF bytecode mode: non-CORE. btfMode=2
2024-12-18T22:38:37+08:00 INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2024-12-18T22:38:37+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-12-18T22:38:37+08:00 INF Module.Run()
2024-12-18T22:38:37+08:00 INF origin versionKey="openssl 1.1.1f" versionKeyLower="openssl 1.1.1f"
2024-12-18T22:38:37+08:00 INF OpenSSL/BoringSSL version found Android=false library version="openssl 1.1.1f"
2024-12-18T22:38:37+08:00 INF Hook masterKey function ElfType=2 Functions=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"] binrayPath=/usr/lib/x86_64-linux-gnu/libssl.so.1.1
2024-12-18T22:38:37+08:00 INF target all process.
2024-12-18T22:38:37+08:00 INF target all users.
2024-12-18T22:38:37+08:00 INF setupManagers eBPFProgramType=Text
2024-12-18T22:38:37+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_1_1_1d_kern_noncore.o
2024-12-18T22:38:37+08:00 DBG upgrade check failed: local version is ahead of latest version
2024-12-18T22:38:37+08:00 INF perfEventReader created mapSize(MB)=4
2024-12-18T22:38:37+08:00 INF perfEventReader created mapSize(MB)=4
2024-12-18T22:38:37+08:00 INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2024-12-18T22:38:46+08:00 DBG AddConn success fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG GetConn fd=5 pid=39581
2024-12-18T22:38:46+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:46+08:00 DBG DestroyConn success fd=5 pid=39581 tuple=172.19.100.17:48962-76.76.21.21:443
2024-12-18T22:38:47+08:00 ??? UUID:39581_39581_curl_5_1_172.19.100.17:48962-76.76.21.21:443, Name:HTTP2Request, Type:2, Length:305
Frame Type => SETTINGS
Frame Type => WINDOW_UPDATE
Frame Type => HEADERS
header field ":method" = "GET"
header field ":path" = "/"
header field ":scheme" = "https"
header field ":authority" = "ecapture.cc"
header field "user-agent" = "curl/7.68.0"
header field "accept" = "*/*"
Frame Type => SETTINGS
2024/12/18 22:38:47 [http2 response] Dump HTTP2 Frame error: unexpected EOF
2024-12-18T22:38:47+08:00 ??? UUID:39581_39581_curl_5_0_172.19.100.17:48962-76.76.21.21:443, Name:HTTP2Response, Type:4, Length:4278
Frame Type => SETTINGS
Frame Type => WINDOW_UPDATE
Frame Type => SETTINGS
Frame Type => HEADERS
header field ":status" = "200"
header field "accept-ranges" = "bytes"
header field "access-control-allow-origin" = "*"
header field "age" = "238524"
header field "cache-control" = "public, max-age=0, must-revalidate"
header field "content-disposition" = "inline"
header field "content-type" = "text/html; charset=utf-8"
header field "date" = "Wed, 18 Dec 2024 14:38:46 GMT"
header field "etag" = "\"6ec0d02787369e8ea7c44409db9cbe99\""
header field "last-modified" = "Sun, 15 Dec 2024 20:23:22 GMT"
header field "server" = "Vercel"
header field "strict-transport-security" = "max-age=63072000"
header field "x-vercel-cache" = "HIT"
header field "x-vercel-id" = "hkg1::m4dgh-1734532726185-a3d01f468486"
header field "content-length" = "24569"
Frame Type => DATA
<!DOCTYPE html>
<html lang="en-US" dir="ltr">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>eCapture - Capture SSL/TLS text content without CA cert using eBPF. | eCapture</title>
<meta name="description" content="eCapture - Capture SSL/TLS text content without CA certificate using eBPF">
<meta name="generator" content="VitePress v1.5.0">
<link rel="preload stylesheet" href="/assets/style.nptfy1Tr.css" as="style">
<link rel="preload stylesheet" href="/vp-icons.css" as="style">
<script type="module" src="/assets/app.DXOqA-Jf.js"></script>
<link rel="modulepreload" href="/assets/chunks/theme.BkHHwEhx.js">
<link rel="modulepreload" href="/assets/chunks/framework.tmAlGBxD.js">
<link rel="modulepreload" href="/assets/chunks/githubReleases.BcmQgaE5.js">
<link rel="modulepreload" href="/assets/index.md.CEuvy2gq.lean.js">
<link rel="icon" href="/logo.svg">
<link rel="preload" href="/assets/inter-latin.7b37fe23.woff2" as="font" type="font/woff2" crossorigin="anonymous">
<script>(()=>{const e=(o,r,c=!1)=>{const s=localStorage.getItem(o);(s?s!=="false":c)&&document.documentElement.classList.add(r)};e("vue-docs-prefer-composition","prefer-composition"),e("vue-docs-prefer-sfc","prefer-sfc",!0),window.__VUE_BANNER_ID__="wip",e(`vue-docs-banner-${__VUE_BANNER_ID__}`,"banner-dismissed")})();</script>
<link rel="shortcut icon" href="https://ecapture.cc/assets/logo-300x300-v2.059cb3f9.svg">
<script id="check-dark-mode">(()=>{const e=localStorage.getItem("vitepress-theme-appearance")||"auto",a=window.matchMedia("(prefers-color-scheme: dark)").matches;(!e||e==="auto"?a:e==="dark")&&document.documentElement.classList.add("dark")})();</script>
<script id="check-mac-os">document.documentElement.classList.toggle("mac",/Mac|iPhone|iPod|iPad/i.test(navigator.platform));</script>
</head>
<body>
<div id="app"><div class="VPApp" data-v-ae2f6264><!--[--><span tabindex="-1" data-v-2ee4b9aa></span><a href="#VPContent" class="VPSkipLink visually-hidden" data-v-2ee4b9aa>Skip to content</a><!--]--><!----><!--[--><!--]--><header class="VPNav nav-bar stick" data-v-ae2f6264 data-v-c76f83a6><div class="VPNavBar" data-v-c76f83a6 data-v-9abe73e6><div class="container" data-v-9abe73e6><a class="VPNavBarTitle" href="/" data-v-9abe73e6 data-v-25a4f16b><!--[--><!--[--><!--[--><!--[--><!--[--><img class="logo" src="/assets/logo-300x300-v2.BBmMbtan.svg" alt="eCapture Logo" data-v-b49487b1><span class="text" data-v-b49487b1>eCapture(旁观者)</span><!--]--><!--]--><!--]--><!--]--><!--]--></a><div class="content" data-v-9abe73e6><!----><nav aria-labelledby="main-nav-aria-label" class="VPNavBarMenu menu" data-v-9abe73e6 data-v-44ff399f><span id="main-nav-aria-label" class="visually-hidden" data-v-44ff399f>Main Navigation</span><!--[--><!--[--><a class="vt-link link VPNavBarMenuLink active" href="/" data-v-44ff399f data-v-34040ca2><!--[-->English<!--]--><!----></a><!--]--><!--[--><a class="vt-link link VPNavBarMenuLink" href="/guide/introduction.html" data-v-44ff399f data-v-34040ca2><!--[-->Guide<!--]--><!----></a><!--]--><!--[--><a class="vt-link link VPNavBarMenuLink" href="/develop/compile.html" data-v-44ff399f data-v-34040ca2><!--[-->Develop<!--]--><!----></a><!--]--><!--[--><a class="vt-link link VPNavBarMenuLink" href="/download.html" data-v-44ff399f data-
^C2024-12-18T22:39:02+08:00 INF module close.
2024-12-18T22:39:02+08:00 INF Module closed,message recived from Context
2024-12-18T22:39:03+08:00 INF iModule module close
2024-12-18T22:39:03+08:00 INF bye bye. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #693
__sys_connect_fileanddo_acceptare not found on v5.4 kernel.Then, use
inet_stream_connectandinet_acceptinstead, as they are found on v4.19 and v5.4 kernels.I've test it on v5.4, v5.15 and v6.8 kernels.
@cfc4n can you help to test noncore on v4.19 and v5.4 kernels?