Example eBPF program reading TCP "data" from sk_buff

marloncalvo

Hey folks,

Question

I'm writing some packet-sniffing eBPF programs operating at packet level (on sk_buff), but have been unsuccessful in reading the "data" section of a TCP packet from sk_buff. Are there any known examples to accomplish this?

I've basically tried a bunch of permutations using:
C:
bpf_probe_read(data, SIZE, skb->head + skb->transport_header + tcp_header.doff * 4 /*Have verified TCP header, and looks OK!*/)

I'm able to print TCP header, but all bytes after TCP header are either junk or 0.

Context

Essentially, it's a bunch of "fentry/..." programs across the Linux kernel. To correlate these packets with userspace signals, cross-eBPF program signals, etc., I have some custom TCP server/client writing/reading some UUID-like ID from TCP packet which I'm using to correlate userspace and eBPF io_uring events.

To correlate my existing events with, say, netif_receive_skb or tcp_v4_rcv, I need two things:
1. A signal to correlate sk_buff packets.
2. A signal to correlate one sk_buff packet to ID in TCP packet.

To solve (2), the solution is to read the "data" section of the TCP packet from sk_buff.
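An added example, not part of the original post: one possible cause of zeros after the TCP header (an assumption, not a diagnosis of this setup) is a non-linear skb, where `skb->data_len > 0` and the payload sits in page fragments (`skb_shinfo(skb)->frags`) rather than between `skb->head` and `skb->tail`. The userspace model below mirrors only the sk_buff fields needed for that bounds check; `skb_model`, `tcp_payload_linear`, `demo` and the packet bytes are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Userspace model for illustration, not kernel code. Field names follow
 * struct sk_buff; data_off stands in for (skb->data - skb->head). */
struct skb_model {
    const uint8_t *head;       /* start of the linear buffer */
    uint16_t transport_header; /* TCP header offset from head */
    uint32_t data_off;         /* skb->data - skb->head */
    uint32_t len;              /* bytes from data: linear + paged */
    uint32_t data_len;         /* bytes held only in page fragments */
};

/* Copy up to cap payload bytes that really sit in the linear area.
 * Returns bytes copied, or -1 if the TCP header is not fully linear.
 * *in_frags gets the byte count that head-relative reads cannot reach. */
int tcp_payload_linear(const struct skb_model *skb, uint8_t *out,
                       uint32_t cap, uint32_t *in_frags)
{
    uint32_t headlen = skb->len - skb->data_len;   /* skb_headlen() */
    uint32_t linear_end = skb->data_off + headlen; /* skb->tail as offset */
    uint32_t th = skb->transport_header;
    if (skb->data_len > skb->len || th + 20 > linear_end)
        return -1;
    uint32_t doff = skb->head[th + 12] >> 4;       /* header length, words */
    uint32_t payload_off = th + doff * 4;
    if (doff < 5 || payload_off > linear_end)
        return -1;
    uint32_t n = linear_end - payload_off;         /* linear payload bytes */
    if (n > cap)
        n = cap;
    memcpy(out, skb->head + payload_off, n);
    *in_frags = skb->data_len;
    return (int)n;
}
uint8_t demo_out[16];   /* results of the last demo() call */
uint32_t demo_frags;
/* Constructed sample: 14-byte Ethernet + 20-byte IPv4 + 20-byte TCP header,
 * then a 7-byte ID. paged = payload bytes placed in fragments (0 or 7). */
int demo(uint32_t paged)
{
    static uint8_t buf[64];
    memset(buf, 0, sizeof buf);
    buf[34 + 12] = 5 << 4;                         /* doff = 5, no options */
    if (paged == 0)
        memcpy(buf + 54, "ID-1234", 7);            /* payload is linear */
    struct skb_model skb = { buf, 34, 14, 47, paged };
    return tcp_payload_linear(&skb, demo_out, sizeof demo_out, &demo_frags);
}
```

With the payload paged, the function copies nothing and reports 7 bytes in fragments: the bytes that follow the TCP header in the head buffer are not the packet's data.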
 
