init with documents from eunomia-bpf

2026-05-09 07:12:18 +08:00 · 2022-12-02 19:18:03 +08:00
parent 1179ec171e
commit 81d749a9cc
85 changed files with 11876 additions and 0 deletions
--- a/14-tcpstates/.gitignore
+++ b/14-tcpstates/.gitignore
@@ -0,0 +1,5 @@
+.vscode
+package.json
+eunomia-exporter
+ecli
+ 
--- a/14-tcpstates/README.md
+++ b/14-tcpstates/README.md
@@ -0,0 +1,56 @@
+---
+layout: post
+title: tcpstates
+date: 2022-10-10 16:18
+category: bpftools
+author: yunwei37
+tags: [bpftools, syscall, network]
+summary: Tcpstates prints TCP state change information, including the duration in each state as milliseconds
+---
+
+
+## origin
+
+origin from:
+
+https://github.com/iovisor/bcc/blob/master/libbpf-tools/tcpconnlat.bpf.c
+
+## Compile and Run
+
+Compile:
+
+```shell
+docker run -it -v `pwd`/:/src/ yunwei37/ebpm:latest
+```
+Run:
+
+```shell
+sudo ./ecli run package.json
+```
+
+## details in bcc
+
+Demonstrations of tcpstates, the Linux BPF/bcc version.
+
+
+tcpstates prints TCP state change information, including the duration in each
+state as milliseconds. For example, a single TCP session:
+```console
+# tcpstates
+SKADDR           C-PID C-COMM     LADDR           LPORT RADDR           RPORT OLDSTATE    -> NEWSTATE    MS
+ffff9fd7e8192000 22384 curl       100.66.100.185  0     52.33.159.26    80    CLOSE       -> SYN_SENT    0.000
+ffff9fd7e8192000 0     swapper/5  100.66.100.185  63446 52.33.159.26    80    SYN_SENT    -> ESTABLISHED 1.373
+ffff9fd7e8192000 22384 curl       100.66.100.185  63446 52.33.159.26    80    ESTABLISHED -> FIN_WAIT1   176.042
+ffff9fd7e8192000 0     swapper/5  100.66.100.185  63446 52.33.159.26    80    FIN_WAIT1   -> FIN_WAIT2   0.536
+ffff9fd7e8192000 0     swapper/5  100.66.100.185  63446 52.33.159.26    80    FIN_WAIT2   -> CLOSE       0.006
+^C
+```
+This showed that the most time was spent in the ESTABLISHED state (which then
+transitioned to FIN_WAIT1), which was 176.042 milliseconds.
+
+The first column is the socked address, as the output may include lines from
+different sessions interleaved. The next two columns show the current on-CPU
+process ID and command name: these may show the process that owns the TCP
+session, depending on whether the state change executes synchronously in
+process context. If that's not the case, they may show kernel details.
+
--- a/14-tcpstates/tcpstates.bpf.c
+++ b/14-tcpstates/tcpstates.bpf.c
@@ -0,0 +1,109 @@
+// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+/* Copyright (c) 2021 Hengqi Chen */
+#include <vmlinux.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_core_read.h>
+#include "tcpstates.bpf.h"
+
+#define MAX_ENTRIES 10240
+#define AF_INET 2
+#define AF_INET6 10
+
+const volatile bool filter_by_sport = false;
+const volatile bool filter_by_dport = false;
+const volatile short target_family = 0;
+
+struct
+{
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, MAX_ENTRIES);
+	__type(key, __u16);
+	__type(value, __u16);
+} sports SEC(".maps");
+
+struct
+{
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, MAX_ENTRIES);
+	__type(key, __u16);
+	__type(value, __u16);
+} dports SEC(".maps");
+
+struct
+{
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, MAX_ENTRIES);
+	__type(key, struct sock *);
+	__type(value, __u64);
+} timestamps SEC(".maps");
+
+struct
+{
+	__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+	__uint(key_size, sizeof(__u32));
+	__uint(value_size, sizeof(__u32));
+} events SEC(".maps");
+
+SEC("tracepoint/sock/inet_sock_set_state")
+int handle_set_state(struct trace_event_raw_inet_sock_set_state *ctx)
+{
+	struct sock *sk = (struct sock *)ctx->skaddr;
+	__u16 family = ctx->family;
+	__u16 sport = ctx->sport;
+	__u16 dport = ctx->dport;
+	__u64 *tsp, delta_us, ts;
+	struct event event = {};
+
+	if (ctx->protocol != IPPROTO_TCP)
+		return 0;
+
+	if (target_family && target_family != family)
+		return 0;
+
+	if (filter_by_sport && !bpf_map_lookup_elem(&sports, &sport))
+		return 0;
+
+	if (filter_by_dport && !bpf_map_lookup_elem(&dports, &dport))
+		return 0;
+
+	tsp = bpf_map_lookup_elem(&timestamps, &sk);
+	ts = bpf_ktime_get_ns();
+	if (!tsp)
+		delta_us = 0;
+	else
+		delta_us = (ts - *tsp) / 1000;
+
+	event.skaddr = (__u64)sk;
+	event.ts_us = ts / 1000;
+	event.delta_us = delta_us;
+	event.pid = bpf_get_current_pid_tgid() >> 32;
+	event.oldstate = ctx->oldstate;
+	event.newstate = ctx->newstate;
+	event.family = family;
+	event.sport = sport;
+	event.dport = dport;
+	bpf_get_current_comm(&event.task, sizeof(event.task));
+
+	if (family == AF_INET)
+	{
+		bpf_probe_read_kernel(&event.saddr, sizeof(event.saddr), &sk->__sk_common.skc_rcv_saddr);
+		bpf_probe_read_kernel(&event.daddr, sizeof(event.daddr), &sk->__sk_common.skc_daddr);
+	}
+	else
+	{ /* family == AF_INET6 */
+		bpf_probe_read_kernel(&event.saddr, sizeof(event.saddr), &sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr32);
+		bpf_probe_read_kernel(&event.daddr, sizeof(event.daddr), &sk->__sk_common.skc_v6_daddr.in6_u.u6_addr32);
+	}
+
+	bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event));
+
+	if (ctx->newstate == TCP_CLOSE)
+		bpf_map_delete_elem(&timestamps, &sk);
+	else
+		bpf_map_update_elem(&timestamps, &sk, &ts, BPF_ANY);
+
+	return 0;
+}
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
--- a/14-tcpstates/tcpstates.bpf.h
+++ b/14-tcpstates/tcpstates.bpf.h
@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+/* Copyright (c) 2021 Hengqi Chen */
+#ifndef __TCPSTATES_H
+#define __TCPSTATES_H
+
+#define TASK_COMM_LEN 16
+
+struct event
+{
+	unsigned __int128 saddr;
+	unsigned __int128 daddr;
+	__u64 skaddr;
+	__u64 ts_us;
+	__u64 delta_us;
+	__u32 pid;
+	int oldstate;
+	int newstate;
+	__u16 family;
+	__u16 sport;
+	__u16 dport;
+	char task[TASK_COMM_LEN];
+};
+
+#endif /* __TCPSTATES_H */