* feat: support for parsing ipip packet
This PR introduces a new feature for parsing IPIP packets and correctly associating them.
Additionally, this PR improves the current logic in processor.go to prevent the incorrect association of syscall and kernel events. When new events arrive, they are first enqueued and then processed only if they have been in the queue longer than a specified time limit. This is necessary because when many short connections use the same tgid-fd, syscall and kernel events may arrive asynchronously in user space. As a result, events from a new connection might reach user space before the connection event itself, causing the new connection's events to be incorrectly associated with the old connection and leading to erroneous time calculations.
And to ensure that the total time calculation is not negative, the syscall event will report the syscall start time and the syscall duration. By adding the start time and the duration, we can determine the end time. This way, when calculating the client's elapsed time, we can subtract the start time of the write syscall from the end time of the read syscall.
Additionally, to ensure that DEV_IN and TCP_IN events are present when the server receives the first request, the concept of a first packet event is introduced. Even if the kernel does not find conn_info or other information when reporting the event, as long as its seq=1, it will be considered a first packet. This allows it to be directly reported to user space. In user space, the connection is found based on its sock key, and then it is converted into a kernevent for processing. This way, even for the server's first request, we can see the total time and read from socket time.
* fix: remove bpf_printk statements
* feat: add first-packet-event-map-page-num option
* refactor: translate comments to english
* user: add command-line options to set perf event buffer size
add `syscall-mapsize` , `ssl-mapsize`, `conn-mapsize`, `kern-mapsize` command-line options to set `pageNum` of `PullSyscallDataEvents`, `PullSslDataEvents`, `PullConnDataEvents` and `PullKernEvents`.
* user: add command-line options to set pageNum of perf event buffer
add `syscall-perf-event-map-page-num`, `ssl-perf-event-map-page-num`, `conn-perf-event-map-page-num`, `kern-perf-event-map-page-num` command-line options to set pageNum of `SyscallDataEvents`, `SslDataEvents`, `ConnDataEvents` and `KernEvents`.
* mark `*-perf-event-map-page-num` options hidden
* feat: Introduce github.com/containerd/containerd/pkg/cap to check whether process has CAP_BPF privilege
Signed-off-by: spencercjh <spencercjh@gmail.com>
* fix: better logs
* fix: adapt to e2e test env
* style: go mod tidy
* fix: make tests pass
* fix: DO NOT use containerd cap package
* test: introduce tests to verify agent/common/permission.go
* fix: correct implementation refer to https://man7.org/linux/man-pages/man2/capset.2.html
* test: test test_add_cap_bpf first
* test: cap-add difference capability for different kernal
* test: load btf file to container and run kyanos with --btf flag
* test: add missing capability CAP_SYS_RESOURCE
* test: try to use --privileged instead of cap-add
---------
Signed-off-by: spencercjh <spencercjh@gmail.com>
1. collect sendfile syscall event(nginx may send static file to client via sendfile syscall)
2. when conntrack created , transfer old connection's temp events to new conn, because some events may come in before conn created at userspace.
3. ignore recvmsg, recvfrom syscall with flags : MSG_OOB, MSG_PEEK.
* docs: introduce prettier and md-padding to format docs
Signed-off-by: spencercjh <spencercjh@gmail.com>
* fix: make github alerts work
Signed-off-by: spencercjh <spencercjh@gmail.com>
* fix: make all markdown extensions work
Signed-off-by: spencercjh <spencercjh@gmail.com>
* fix: reformat new codes from main
Signed-off-by: spencercjh <spencercjh@gmail.com>
---------
Signed-off-by: spencercjh <spencercjh@gmail.com>
* feat: introduce path-regex and path-prefix to sub cmd http
Signed-off-by: spencercjh <spencercjh@gmail.com>
* style: reformat with goimports
Signed-off-by: spencercjh <spencercjh@gmail.com>
* fix: save FilterByRequest's result as HttpFilter's field
Signed-off-by: spencercjh <spencercjh@gmail.com>
* docs: update docs about HttpFilter
Signed-off-by: spencercjh <spencercjh@gmail.com>
---------
Signed-off-by: spencercjh <spencercjh@gmail.com>
- Introduced new Makefile targets for debugging: `dlv`, `kyanos-debug`, and `remote-debug`.
- The `dlv` target sets executable permissions and starts the debugger in headless mode.
- The `kyanos-debug` target builds the project with specific flags for debugging.
- The `remote-debug` target depends on building BPF and the `kyanos-debug` target, streamlining the debugging process.
* fix(stat): elapsed time is negative
introduce a new option `conntrack-close-wait-time-mills` which control how long time before a
connection turn into `closed` state. If too long, new connection with same tgidfd 's data may come
into old connection event stream or syscall data buffer. Set it to a relatively small value will
prevent this situation.
* fix: add missing argument
