* The preliminary parsing of the MongoDB protocol has been completed, but there are still issues such as incorrect end times.
* MongoDB unit test done
* feat: support mongo
* fix: install mongosh failed
* fix: install mongodb shell
---------
Signed-off-by: 烈香 <hengyoush1@163.com>
Co-authored-by: xiaoweihao <xiaoweihao@tp-link.com.hk>
Co-authored-by: 烈香 <hengyoush1@163.com>
fix: handle big syscall data (truncated) properly
When we fail to read the body, it might be due to the response being too large, causing syscall data
to be missing when transferred to user space. Here, we attempt to find a boundary. If found, that's
ideal and we return immediately. Otherwise, we try to locate a Fake Data Mark (FDM). When user space
detects missing data from the kernel (possibly due to exceeding MAX_MSG_SIZE or situations like
readv/writev where a buffer array is read/written at once), it supplements with fake data in user
space. At the beginning of this fake data, an FDM is set, which is a special string. Following the
FDM, the length of the supplemental fake data (minus the length of the FDM) is written.
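The fallback described in this commit message, as an added example that is not kyanos code: the marker bytes and the length encoding (a 4-byte little-endian count following the marker) are assumptions, since the page does not show them; `findBoundary` stands in for the protocol-specific boundary scan.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// fdm is a placeholder marker; the real FDM string is not shown on the page.
var fdm = []byte("\x00\x00FAKE_DATA_MARK\x00\x00")

// Assumed layout: marker, then a 4-byte little-endian length covering every
// fake byte after the marker (the "length minus the FDM length" in the text).
const lenField = 4

// padTruncated builds the user-space substitute for `missing` bytes the
// kernel did not deliver: marker + length + zero padding, `missing` bytes total.
func padTruncated(missing int) []byte {
	if missing < len(fdm)+lenField {
		missing = len(fdm) + lenField
	}
	out := make([]byte, missing)
	copy(out, fdm)
	binary.LittleEndian.PutUint32(out[len(fdm):], uint32(missing-len(fdm)))
	return out
}

// resyncOffset decides where parsing resumes after a body read fails: a real
// protocol boundary wins; otherwise skip exactly the fake span behind the FDM.
func resyncOffset(buf []byte, findBoundary func([]byte) int) (int, bool) {
	if off := findBoundary(buf); off >= 0 {
		return off, true
	}
	i := bytes.Index(buf, fdm)
	if i < 0 || len(buf) < i+len(fdm)+lenField {
		return 0, false // no marker, or the marker itself is cut off
	}
	fakeLen := int(binary.LittleEndian.Uint32(buf[i+len(fdm):]))
	end := i + len(fdm) + fakeLen
	if end > len(buf) {
		return 0, false // declared fake span runs past the data we hold
	}
	return end, true
}

func main() {
	buf := append([]byte("partial-body"), padTruncated(40)...)
	buf = append(buf, "NEXT"...)
	off, ok := resyncOffset(buf, func([]byte) int { return -1 })
	fmt.Println(off, ok, string(buf[off:])) // 52 true NEXT
}
```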
* feat: support for parsing ipip packet
This PR introduces a new feature for parsing IPIP packets and correctly associating them.
Additionally, this PR improves the current logic in processor.go to prevent the incorrect association of syscall and kernel events. When new events arrive, they are first enqueued and then processed only if they have been in the queue longer than a specified time limit. This is necessary because when many short connections use the same tgid-fd, syscall and kernel events may arrive asynchronously in user space. As a result, events from a new connection might reach user space before the connection event itself, causing the new connection's events to be incorrectly associated with the old connection and leading to erroneous time calculations.
And to ensure that the total time calculation is not negative, the syscall event will report the syscall start time and the syscall duration. By adding the start time and the duration, we can determine the end time. This way, when calculating the client's elapsed time, we can subtract the start time of the write syscall from the end time of the read syscall.
Additionally, to ensure that DEV_IN and TCP_IN events are present when the server receives the first request, the concept of a first packet event is introduced. Even if the kernel does not find conn_info or other information when reporting the event, as long as its seq=1, it will be considered a first packet. This allows it to be directly reported to user space. In user space, the connection is found based on its sock key, and then it is converted into a kernevent for processing. This way, even for the server's first request, we can see the total time and read from socket time.
* fix: remove bpf_printk statements
* feat: add first-packet-event-map-page-num option
* refactor: translate comments to english
* user: add command-line options to set perf event buffer size
add `syscall-mapsize` , `ssl-mapsize`, `conn-mapsize`, `kern-mapsize` command-line options to set `pageNum` of `PullSyscallDataEvents`, `PullSslDataEvents`, `PullConnDataEvents` and `PullKernEvents`.
* user: add command-line options to set pageNum of perf event buffer
add `syscall-perf-event-map-page-num`, `ssl-perf-event-map-page-num`, `conn-perf-event-map-page-num`, `kern-perf-event-map-page-num` command-line options to set pageNum of `SyscallDataEvents`, `SslDataEvents`, `ConnDataEvents` and `KernEvents`.
* mark `*-perf-event-map-page-num` options hidden
* feat: Introduce github.com/containerd/containerd/pkg/cap to check whether process has CAP_BPF privilege
Signed-off-by: spencercjh <spencercjh@gmail.com>
* fix: better logs
* fix: adapt to e2e test env
* style: go mod tidy
* fix: make tests pass
* fix: DO NOT use containerd cap package
* test: introduce tests to verify agent/common/permission.go
* fix: correct implementation refer to https://man7.org/linux/man-pages/man2/capset.2.html
* test: test test_add_cap_bpf first
* test: cap-add different capabilities for different kernels
* test: load btf file into container and run kyanos with --btf flag
* test: add missing capability CAP_SYS_RESOURCE
* test: try to use --privileged instead of cap-add
---------
Signed-off-by: spencercjh <spencercjh@gmail.com>
1. collect sendfile syscall events (nginx may send static files to clients via the sendfile syscall)
2. when conntrack is created, transfer the old connection's temp events to the new conn, because some events may arrive before the conn is created in userspace.
3. ignore recvmsg/recvfrom syscalls with flags MSG_OOB, MSG_PEEK.
* feat: introduce path-regex and path-prefix to sub cmd http
Signed-off-by: spencercjh <spencercjh@gmail.com>
* style: reformat with goimports
Signed-off-by: spencercjh <spencercjh@gmail.com>
* fix: save FilterByRequest's result as HttpFilter's field
Signed-off-by: spencercjh <spencercjh@gmail.com>
* docs: update docs about HttpFilter
Signed-off-by: spencercjh <spencercjh@gmail.com>
---------
Signed-off-by: spencercjh <spencercjh@gmail.com>
* fix(stat): elapsed time is negative
introduce a new option `conntrack-close-wait-time-mills` which controls how long before a
connection turns into the `closed` state. If too long, a new connection with the same tgidfd's data may come
into the old connection's event stream or syscall data buffer. Setting it to a relatively small value will
prevent this situation.
* fix: add missing argument