TcpconnectTracer

class duetector.tracers.bcc.tcpconnect.TcpconnectTracer(config: Config | dict[str, Any] | None = None, *args, **kwargs)[source]

Bases: BccTracer

A tracer for TCP connect calls. It attaches a kprobe and a kretprobe to the kernel function tcp_v4_connect (not to a syscall), so only IPv4 connections are observed; IPv6 connects go through tcp_v6_connect and are not seen by this tracer.

_convert_data(data) namedtuple[source]

Convert raw data to data_t.

data_t

alias of TcpTracking

default_config = {'disabled': False, 'poll_timeout': 10}

Default config for this tracer.

many_attatchs: list[tuple[str, dict[str, str]]] = [('kprobe', {'event': 'tcp_v4_connect', 'fn_name': 'do_trace'}), ('kretprobe', {'event': 'tcp_v4_connect', 'fn_name': 'do_return'})]

List of attach function names and their arguments. The attatch_type and attatch_args settings are merged into this list.

name: str | None = 'tcp_v4_connect'

Name for this tracer. Will be used for collecting data.

property poll_args

Keyword arguments passed to the poll function named by poll_fn.

poll_fn: str = 'ring_buffer_poll'

Poll function name in bcc.BPF

prog: str = (BPF program source; shown below as C rather than as the escaped Python string literal)

    #include <uapi/linux/ptrace.h>
    #include <net/sock.h>
    #include <bcc/proto.h>
    #define TASK_COMM_LEN 16

    BPF_RINGBUF_OUTPUT(buffer, 1 << 4);
    BPF_HASH(currsock, u32, struct sock *);

    struct event {
        u32 dport;
        u32 saddr;
        u32 daddr;
        u32 pid;
        u32 uid;
        u32 gid;

        u64 timestamp;
        char comm[TASK_COMM_LEN];
    };

    int do_trace(struct pt_regs *ctx, struct sock *sk)
    {
        u32 pid = bpf_get_current_pid_tgid();

        // stash the sock ptr for lookup on return
        currsock.update(&pid, &sk);

        return 0;
    }

    int do_return(struct pt_regs *ctx)
    {
        int ret = PT_REGS_RC(ctx);
        u32 pid = bpf_get_current_pid_tgid();

        struct event event = {};

        struct sock **skpp;
        skpp = currsock.lookup(&pid);
        if (skpp == 0) {
            return 0;   // missed entry
        }

        if (ret != 0) {
            // failed to send SYN packet, may not have populated
            // socket __sk_common.{skc_rcv_saddr, ...}
            currsock.delete(&pid);
            return 0;
        }

        // pull in details
        struct sock *skp = *skpp;
        u32 saddr = skp->__sk_common.skc_rcv_saddr;
        u32 daddr = skp->__sk_common.skc_daddr;
        u16 dport = skp->__sk_common.skc_dport;
        event.saddr = saddr;
        event.daddr = daddr;
        event.dport = dport;
        event.pid = pid;
        event.uid = bpf_get_current_uid_gid();
        event.gid = bpf_get_current_uid_gid() >> 32;
        event.timestamp = bpf_ktime_get_ns();
        bpf_get_current_comm(&event.comm, sizeof(event.comm));
        // output
        buffer.ringbuf_output(&event, sizeof(event), 0);
        //bpf_trace_printk("trace_tcp4connect %x %x %d\n", saddr, daddr, ntohs(dport));

        currsock.delete(&pid);

        return 0;
    }

BPF program compiled and loaded by bcc.BPF. The kprobe handler do_trace runs on entry to tcp_v4_connect and stashes the struct sock pointer in currsock, keyed by the low 32 bits of bpf_get_current_pid_tgid() (the kernel pid, which is the thread id of the calling task, not the thread-group id). The kretprobe handler do_return looks the pointer up again on return: if tcp_v4_connect failed (ret != 0) the entry is dropped and nothing is emitted, so failed connection attempts are not reported; otherwise it reads the source address, destination address and destination port out of the socket and writes one struct event to the ring buffer. Three details matter to consumers of the event: saddr, daddr and dport are copied exactly as stored in the socket, in network byte order, and must be converted with ntohl/ntohs; uid and gid are the low and high 32 bits of bpf_get_current_uid_gid(); and timestamp is bpf_ktime_get_ns(), i.e. CLOCK_MONOTONIC nanoseconds since boot, not wall-clock time.
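The following is an added example (not part of duetector) that decodes a raw struct event record as laid out by the program above and normalises the byte-order-sensitive fields. It assumes a little-endian 64-bit host (x86_64 or aarch64), that the record arrives as the 48 raw bytes the kernel wrote into the ring buffer, and that the caller supplies the boot-time offset for timestamp conversion; the sample record is constructed inline and is not real captured data.

```python
import socket
import struct
import time
from typing import NamedTuple

# struct event on a little-endian 64-bit kernel: six u32 fields (24 bytes),
# one u64 naturally aligned at offset 24, then a 16-byte comm buffer = 48 bytes.
EVENT_FMT = "<6IQ16s"
EVENT_SIZE = struct.calcsize(EVENT_FMT)  # 48


class TcpConnectEvent(NamedTuple):
    pid: int           # low 32 bits of bpf_get_current_pid_tgid(): kernel pid == userspace TID
    uid: int
    gid: int
    saddr: str         # dotted quad, converted from network byte order
    daddr: str
    dport: int         # host byte order
    timestamp_ns: int  # bpf_ktime_get_ns(): CLOCK_MONOTONIC ns since boot
    comm: str


def be32_to_ip(value: int) -> str:
    """skc_rcv_saddr / skc_daddr are __be32 copied verbatim into a u32.

    The integer we receive is therefore the four wire bytes read as a
    little-endian int; re-serialise little-endian to get the wire bytes back.
    """
    return socket.inet_ntoa(struct.pack("<I", value & 0xFFFFFFFF))


def be16_to_port(value: int) -> int:
    """skc_dport is __be16; the BPF program widens it to u32 without ntohs()."""
    return struct.unpack("!H", struct.pack("<H", value & 0xFFFF))[0]


def decode_event(raw: bytes) -> TcpConnectEvent:
    """Parse one raw struct event record from the ring buffer."""
    if len(raw) < EVENT_SIZE:
        raise ValueError(f"short event: {len(raw)} < {EVENT_SIZE} bytes")
    dport, saddr, daddr, pid, uid, gid, ts, comm = struct.unpack_from(EVENT_FMT, raw)
    return TcpConnectEvent(
        pid=pid,
        uid=uid,
        gid=gid,
        saddr=be32_to_ip(saddr),
        daddr=be32_to_ip(daddr),
        dport=be16_to_port(dport),
        timestamp_ns=ts,
        # comm is NUL-padded to TASK_COMM_LEN (16) in the kernel
        comm=comm.split(b"\0", 1)[0].decode("ascii", "replace"),
    )


def ktime_ns_to_epoch(timestamp_ns: int, boot_epoch_s: float) -> float:
    """Convert a bpf_ktime_get_ns() value to Unix time given the boot epoch."""
    return boot_epoch_s + timestamp_ns / 1e9


def current_boot_epoch() -> float:
    """Approximate Unix time of CLOCK_MONOTONIC zero on this host (assumption:
    the machine running this code is the one that produced the events)."""
    return time.time() - time.monotonic()


def build_sample_event(saddr: str, daddr: str, dport: int, pid: int,
                       uid: int, gid: int, ts: int, comm: str) -> bytes:
    """Constructed sample record, packed exactly as the BPF program stores it:
    addresses and port in network byte order, read back as little-endian ints."""
    be_saddr = struct.unpack("<I", socket.inet_aton(saddr))[0]
    be_daddr = struct.unpack("<I", socket.inet_aton(daddr))[0]
    be_dport = struct.unpack("<H", struct.pack("!H", dport))[0]
    return struct.pack(EVENT_FMT, be_dport, be_saddr, be_daddr,
                       pid, uid, gid, ts, comm.encode("ascii"))


if __name__ == "__main__":
    # constructed sample: curl on 10.0.0.5 connecting to 93.184.216.34:443
    raw = build_sample_event("10.0.0.5", "93.184.216.34", 443,
                             pid=4242, uid=1000, gid=1000,
                             ts=123_456_789_000, comm="curl")
    ev = decode_event(raw)
    print(ev, ktime_ns_to_epoch(ev.timestamp_ns, current_boot_epoch()))
```

Feeding the raw integer fields straight into a log or detection rule would record ports and addresses byte-swapped; the two small conversion helpers are the part most often forgotten when consuming this tracer's output.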

set_callback(host, callback: Callable[[namedtuple], None])[source]

Set the callback function on host.

Should be implemented by subclass.