marloncalvo
New Member
Hey folks,
Question
I'm writing some packet-sniffing eBPF programs operating at packet-level (on sk_buff), but have been unsuccessful in reading "data" section of TCP packet from sk_buff. Are there any known examples to accomplish this?
I've basically tried a bunch of permutations using:
C:
bpf_probe_read(data, SIZE, skb->head + skb->transport_header + tcp_header.doff * 4 /*Have verified TCP header, and looks OK!*/)
I'm able to print TCP header, but all bytes after TCP header are either junk or 0.
Context
Essentially, it's a bunch of "fentry/..." programs across the Linux kernel. To correlate these packets with userspace signals, cross-eBPF program signals, etc., I have some custom TCP server/client writing/reading some UUID-like ID from TCP packet which I'm using to correlate userspace and eBPF io_uring events.
To correlate my existing events with, say, netif_receive_skb or tcp_v4_rcv, I need two things:
1. A signal to correlate sk_buff packets.
2. A signal to correlate one sk_buff packet to ID in TCP packet.
To solve (2), the solution is to read "data" section of TCP packet from sk_buff.
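
Added example, not part of the original post: a userspace C model of the offset arithmetic in the `bpf_probe_read` call above, showing one condition under which `head + transport_header + doff * 4` points past valid data, namely when the payload is held in paged fragments (counted by `skb->data_len`) rather than in the linear buffer. `struct skb_model`, `linear_payload` and `demo` are hypothetical names, the sample packet is constructed, and the real fields would be read from the kernel's `sk_buff` inside the probe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical userspace mirror of the sk_buff fields involved (not the
 * kernel struct). Offsets are relative to head. */
struct skb_model {
    const uint8_t *head;       /* start of the linear buffer */
    uint32_t data_off;         /* skb->data - skb->head */
    uint32_t len;              /* skb->len: linear + paged bytes */
    uint32_t data_len;         /* skb->data_len: paged (frags) bytes only */
    uint16_t transport_header; /* TCP header offset from head */
};

/* Copy the payload bytes that lie in the linear area; 0 means none do. */
static size_t linear_payload(const struct skb_model *skb, uint8_t doff,
                             uint8_t *out, size_t cap)
{
    uint32_t headlen = skb->len - skb->data_len; /* skb_headlen() arithmetic */
    uint32_t linear_end = skb->data_off + headlen;
    uint32_t payload_off = skb->transport_header + (uint32_t)doff * 4;
    if (doff < 5 || skb->data_len > skb->len || payload_off >= linear_end)
        return 0;
    size_t n = linear_end - payload_off;
    if (n > cap)
        n = cap;
    memcpy(out, skb->head + payload_off, n);
    return n;
}

/* Constructed sample: TCP header at offset 84, doff 5, payload "ID-1234".
 * paged_bytes says how much of the payload sits in frags, not the buffer. */
static size_t demo(uint32_t paged_bytes, uint8_t *out, size_t cap)
{
    static uint8_t buf[128];
    memset(buf, 0, sizeof(buf));
    memcpy(buf + 104, "ID-1234", 7 - paged_bytes);
    struct skb_model skb = { buf, 84, 27, paged_bytes, 84 };
    return linear_payload(&skb, 5, out, cap);
}

int main(void)
{
    uint8_t out[16];
    printf("linear skb: %zu payload bytes readable\n", demo(0, out, sizeof(out)));
    printf("paged skb:  %zu payload bytes readable\n", demo(7, out, sizeof(out)));
    return 0;
}
```

Logging `skb->len` and `skb->data_len` next to the TCP header in the probe shows which of the two cases a given packet falls into.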