* The preliminary parsing of the MongoDB protocol has been completed, but there are still issues such as incorrect end times.
* MongoDB unit test done
* feat: support mongo
* fix: install mongosh failed
* fix: install mongodb shell
---------
Signed-off-by: 烈香 <hengyoush1@163.com>
Co-authored-by: xiaoweihao <xiaoweihao@tp-link.com.hk>
Co-authored-by: 烈香 <hengyoush1@163.com>
* feat: support for parsing ipip packet
This PR introduces a new feature for parsing IPIP packets and correctly associating them.
Additionally, this PR improves the current logic in processor.go to prevent the incorrect association of syscall and kernel events. When new events arrive, they are first enqueued and then processed only if they have been in the queue longer than a specified time limit. This is necessary because when many short connections use the same tgid-fd, syscall and kernel events may arrive asynchronously in user space. As a result, events from a new connection might reach user space before the connection event itself, causing the new connection's events to be incorrectly associated with the old connection and leading to erroneous time calculations.
And to ensure that the total time calculation is not negative, the syscall event will report the syscall start time and the syscall duration. By adding the start time and the duration, we can determine the end time. This way, when calculating the client's elapsed time, we can subtract the start time of the write syscall from the end time of the read syscall.
Additionally, to ensure that DEV_IN and TCP_IN events are present when the server receives the first request, the concept of a first packet event is introduced. Even if the kernel does not find conn_info or other information when reporting the event, as long as its seq=1, it will be considered a first packet. This allows it to be directly reported to user space. In user space, the connection is found based on its sock key, and then it is converted into a kernevent for processing. This way, even for the server's first request, we can see the total time and read from socket time.
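The hold-before-processing idea described above, as an added example that is not the project's own code: events wait in a queue until they have aged past a limit, so a connection-open event that arrives late can still be processed before the data that belongs to it. `Event`, `Release`, `Owner` and `Demo` are hypothetical names, the sample events are constructed, and ordering released events by kernel timestamp is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Event is a hypothetical, simplified event; ConnID != 0 marks a connection-open event.
type Event struct {
	TgidFd, Ts uint64        // reused tgid-fd key; kernel timestamp (ns)
	ConnID     int           // set only on connection-open events
	Arrived    time.Duration // when user space received it
}

// Release returns events held for at least hold, ordered by kernel timestamp, and the rest.
func Release(pending []Event, hold, now time.Duration) (ready, rest []Event) {
	for _, e := range pending {
		if now-e.Arrived >= hold {
			ready = append(ready, e)
		} else {
			rest = append(rest, e)
		}
	}
	sort.SliceStable(ready, func(i, j int) bool { return ready[i].Ts < ready[j].Ts })
	return ready, rest
}

// Owner returns the connection that the data event with timestamp ts gets attached to.
func Owner(events []Event, ts uint64) int {
	current := map[uint64]int{} // tgid-fd -> connection seen most recently
	for _, e := range events {
		if e.ConnID != 0 {
			current[e.TgidFd] = e.ConnID
		} else if e.Ts == ts {
			return current[e.TgidFd]
		}
	}
	return 0
}

// Demo uses a constructed arrival order: conn 2's data (Ts 310) beats its open event.
func Demo() (naive, held int) {
	ms := time.Millisecond
	in := []Event{{7, 100, 1, 0}, {7, 310, 0, 1 * ms}, {7, 300, 2, 2 * ms}}
	ready, _ := Release(in, 100*ms, 200*ms)
	return Owner(in, 310), Owner(ready, 310)
}
func main() { fmt.Println(Demo()) } // 1 2
```

Processed in arrival order, the data event is attached to the old connection 1; after the hold it is attached to connection 2.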
* fix: remove bpf_printk statements
* feat: add first-packet-event-map-page-num option
* refactor: translate comments to English
* user: add command-line options to set perf event buffer size
add `syscall-mapsize`, `ssl-mapsize`, `conn-mapsize`, `kern-mapsize` command-line options to set `pageNum` of `PullSyscallDataEvents`, `PullSslDataEvents`, `PullConnDataEvents` and `PullKernEvents`.
* user: add command-line options to set pageNum of perf event buffer
add `syscall-perf-event-map-page-num`, `ssl-perf-event-map-page-num`, `conn-perf-event-map-page-num`, `kern-perf-event-map-page-num` command-line options to set pageNum of `SyscallDataEvents`, `SslDataEvents`, `ConnDataEvents` and `KernEvents`.
* mark `*-perf-event-map-page-num` options hidden
* feat: introduce path-regex and path-prefix to sub cmd http
Signed-off-by: spencercjh <spencercjh@gmail.com>
* style: reformat with goimports
Signed-off-by: spencercjh <spencercjh@gmail.com>
* fix: save FilterByRequest's result as HttpFilter's field
Signed-off-by: spencercjh <spencercjh@gmail.com>
* docs: update docs about HttpFilter
Signed-off-by: spencercjh <spencercjh@gmail.com>
---------
Signed-off-by: spencercjh <spencercjh@gmail.com>
* fix(stat): elapsed time is negative
introduce a new option `conntrack-close-wait-time-mills` which controls how long to wait before a
connection turns into the `closed` state. If it is too long, data from a new connection with the same tgidfd may come
into the old connection's event stream or syscall data buffer. Setting it to a relatively small value will
prevent this situation.
* fix: add missing argument
1. Reduced the number of loop iterations.
2. Added support for loading external BTF files.
3. Added unroll pragma to the for loop.
4. Temporarily removed raw tracepoints.
5. Cast `ctx` to `void*` first when accessing variables from tracepoints (due to the absence of the `ctx` type in the 3.10 BTF file).
6. Replaced syscalls like `sendmsg` and `recvmsg` with a custom `user_msghdr` (due to the absence of the `user_msghdr` type in the 3.10 BTF file).
7. Modified some system calls from using kprobe to tracepoint/syscalls.
8. Fixed issues with `__skb_datagram_iter` and `__ip_queue_xmit` not being found in the 3.10 kernel.