
Comments (6)

cfc4n avatar cfc4n commented on August 20, 2024 1

@cfc4n I am actually curious why ecapture requires SEC("uprobe/connect") https://github.com/ehids/ecapture/blob/master/kern/openssl_kern.c#L285-L291. Pardon me, I am not familiar with how bpf uprobe works; I thought SEC("uprobe/SSL_read") and SEC("uprobe/SSL_write") alone would give us the SSL payload, no? Must it require SEC("uprobe/connect")?

Hooking SEC("uprobe/connect") is to capture the IP address, because hooking SEC("uprobe/SSL_write") and SEC("uprobe/SSL_read") can only capture the plaintext buf of SSL; it does not include the IP address info.

from ecapture.
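To make the answer above concrete, here is an added example, written for this page and not ecapture's own code, of the user-space side of that design: the connect hook is the only place the peer address is known, and the SSL_read/SSL_write events, which carry only the plaintext, are joined to it afterwards. Keying the join on pid plus socket fd, the event struct layouts and the sample events are assumptions of this example, not ecapture's real eBPF maps or structs.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
)

// connectEvent is what a uprobe on connect(2) can report: the calling process,
// the socket fd and the decoded destination. (Constructed layout for this example.)
type connectEvent struct {
	pid  uint32
	tid  uint32
	fd   int32
	addr string // dotted-quad or IPv6 text as decoded from the sockaddr
	port uint16
}

// sslEvent is what uprobes on SSL_write/SSL_read can report: the plaintext
// buffer and its direction, but nothing about the peer. (Constructed layout.)
type sslEvent struct {
	pid     uint32
	tid     uint32
	fd      int32 // socket fd behind the SSL object, assumed recoverable by the probe
	dir     string
	payload []byte
}

// sockKey identifies a socket within a process; pid+fd is an assumption of this
// example, chosen because fds are only unique per process.
type sockKey struct {
	pid uint32
	fd  int32
}

type peer struct {
	addr string
	port uint16
}

// correlator keeps the destination of every connect() seen so that a later
// SSL_read/SSL_write on the same socket can be labelled with it.
type correlator struct {
	peers map[sockKey]peer
}

func newCorrelator() *correlator {
	return &correlator{peers: make(map[sockKey]peer)}
}

func (c *correlator) onConnect(e connectEvent) {
	c.peers[sockKey{e.pid, e.fd}] = peer{e.addr, e.port}
}

// annotate returns "host:port" for the socket behind an SSL event, or "" when no
// connect() was observed for it (connection opened before the probe attached,
// or a server-side socket that came from accept() rather than connect()).
func (c *correlator) annotate(e sslEvent) string {
	p, ok := c.peers[sockKey{e.pid, e.fd}]
	if !ok {
		return ""
	}
	return net.JoinHostPort(p.addr, strconv.Itoa(int(p.port)))
}

// describe renders one SSL event the way a capture tool would print it.
func (c *correlator) describe(e sslEvent) string {
	where := c.annotate(e)
	if where == "" {
		where = "unknown peer"
	}
	verb := "Recv from"
	if e.dir == "send" {
		verb = "Send to"
	}
	return fmt.Sprintf("PID:%d TID:%d %s %s %d bytes", e.pid, e.tid, verb, where, len(e.payload))
}

func main() {
	// Constructed sample events modelled on the curl session in this thread.
	c := newCorrelator()
	c.onConnect(connectEvent{pid: 963154, tid: 963154, fd: 5, addr: "10.169.72.34", port: 443})
	req := sslEvent{pid: 963154, tid: 963154, fd: 5, dir: "send", payload: []byte("GET / HTTP/1.1\r\nHost: 10.169.72.34\r\n\r\n")}
	fmt.Println(c.describe(req))
	// An fd with no connect() on record: the plaintext is still there, the peer is not.
	fmt.Println(c.describe(sslEvent{pid: 963154, tid: 963154, fd: 9, dir: "recv", payload: []byte("HTTP/1.1 200 OK\r\n")}))
}
```

The second line printed by main is the failure mode the question is really about: without the connect hook every event looks like that one, plaintext present but "unknown peer".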

vincentmli avatar vincentmli commented on August 20, 2024

@cfc4n I am actually curious why ecapture requires SEC("uprobe/connect") https://github.com/ehids/ecapture/blob/master/kern/openssl_kern.c#L285-L291. Pardon me, I am not familiar with how bpf uprobe works; I thought SEC("uprobe/SSL_read") and SEC("uprobe/SSL_write") alone would give us the SSL payload, no? Must it require SEC("uprobe/connect")?

from ecapture.

vincentmli avatar vincentmli commented on August 20, 2024

[root@cilium-dev home]# kubectl exec -it netshoot-ecap -- /bin/bash

bash-5.1# ecapture tls --pthread=/mnt/lib64/libpthread.so.0 --libssl=/mnt/lib64/libssl.so.1.1.1g --hex

2022/06/05 16:46:48 pid info :3305486
2022/06/05 16:46:48 start to run EBPFProbeOPENSSL module
2022/06/05 16:46:48 start to run EBPFProbeGNUTLS module
2022/06/05 16:46:48 lstat /etc/ld.so.conf: no such file or directory <===
2022/06/05 16:46:48 invalid argument <====

@cfc4n after adding logging in ecapture, I know what's wrong; got to read the output carefully. From the above output, the error is actually caused by "start to run EBPFProbeGNUTLS module": when ecapture runs in a container with --libssl and --pthread, it still tries to auto-probe libs for gnutls, resulting in "lstat /etc/ld.so.conf: no such file or directory". After I made the change below to test, the problem went away.

diff --git a/cli/cmd/tls.go b/cli/cmd/tls.go
index dc6135c..69a4f7d 100644
--- a/cli/cmd/tls.go
+++ b/cli/cmd/tls.go
@@ -57,7 +57,8 @@ func openSSLCommandFunc(command *cobra.Command, args []string) {
        }
        log.Printf("pid info :%d", os.Getpid())
 
-       modNames := []string{user.MODULE_NAME_OPENSSL, user.MODULE_NAME_GNUTLS, user.MODULE_NAME_NSPR}
+       modNames := []string{user.MODULE_NAME_OPENSSL}
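Review bot: replacing the module list with `[]string{user.MODULE_NAME_OPENSSL}` drops GNUTLS and NSPR tracing for every user, not only for the container case, so this is a diagnostic change rather than a fix; the underlying problem is that one module's library auto-probe failing (the `lstat /etc/ld.so.conf` error) aborts the whole command. Either make the probe treat a missing ld.so.conf as "no extra search paths" or skip the failing module and keep going, and gate any narrowing of the list behind a flag.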

from ecapture.
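The root cause found above is a library lookup that treats a missing /etc/ld.so.conf as fatal. The following is an added example, not ecapture's code, of a loader-path resolver that tolerates that case: it follows `include` lines the way ld.so.conf does, returns only the default directories when the file is absent, and leaves the caller free to fall back to an explicit --libssl path. The default directory list, the recursion limit and the helper names are assumptions of this example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// defaultLibDirs are the directories the dynamic loader searches even without
// an /etc/ld.so.conf (assumed glibc trusted directories; an example value).
var defaultLibDirs = []string{"/lib", "/usr/lib", "/lib64", "/usr/lib64"}

// ldSearchPaths returns the directories listed in confPath (following `include`
// globs) followed by the loader defaults. A missing config file is not an error:
// minimal container images often ship without it, so the caller just gets the
// defaults and can still honour an explicit library path given on the command line.
func ldSearchPaths(confPath string) ([]string, error) {
	dirs, err := parseLdConf(confPath, 0)
	if err != nil {
		return nil, err
	}
	return append(dirs, defaultLibDirs...), nil
}

// parseLdConf reads one ld.so.conf-style file. Comments start with '#', and an
// `include PATTERN` line pulls in every file matching the glob, relative to the
// directory of the including file when the pattern is not absolute.
func parseLdConf(path string, depth int) ([]string, error) {
	if depth > 8 { // guard against include loops
		return nil, fmt.Errorf("ld.so.conf include nesting too deep at %s", path)
	}
	f, err := os.Open(path)
	if errors.Is(err, os.ErrNotExist) {
		return nil, nil // tolerated: no extra search paths from this file
	}
	if err != nil {
		return nil, err
	}
	defer f.Close()

	var dirs []string
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		if strings.HasPrefix(line, "include ") {
			pattern := strings.TrimSpace(strings.TrimPrefix(line, "include "))
			if !filepath.IsAbs(pattern) {
				pattern = filepath.Join(filepath.Dir(path), pattern)
			}
			matches, err := filepath.Glob(pattern)
			if err != nil {
				return nil, err
			}
			for _, m := range matches {
				sub, err := parseLdConf(m, depth+1)
				if err != nil {
					return nil, err
				}
				dirs = append(dirs, sub...)
			}
			continue
		}
		dirs = append(dirs, line)
	}
	return dirs, sc.Err()
}

// findLib returns the first regular file named name in dirs.
func findLib(name string, dirs []string) (string, bool) {
	for _, d := range dirs {
		p := filepath.Join(d, name)
		if st, err := os.Stat(p); err == nil && !st.IsDir() {
			return p, true
		}
	}
	return "", false
}

func main() {
	dirs, err := ldSearchPaths("/etc/ld.so.conf")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("search path:", dirs)
	if p, ok := findLib("libssl.so.1.1", dirs); ok {
		fmt.Println("libssl:", p)
	} else {
		fmt.Println("libssl not found via ld.so.conf; pass an explicit --libssl path")
	}
}
```

Only a missing file is swallowed; a permission error or a malformed include glob still surfaces, so the distinction between "this image has no ld.so.conf" and "something is actually broken" is preserved for the caller.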

vincentmli avatar vincentmli commented on August 20, 2024

@cfc4n after adding logging in ecapture, I know what's wrong; got to read the output carefully. From the above output, the error is actually caused by "start to run EBPFProbeGNUTLS module": when ecapture runs in a container with --libssl and --pthread, it still tries to auto-probe libs for gnutls, resulting in "lstat /etc/ld.so.conf: no such file or directory". After I made the change below to test, the problem went away.

I think we could introduce another argument, something like single-mod, to only trace one TLS type connection (user.MODULE_NAME_OPENSSL, user.MODULE_NAME_GNUTLS, user.MODULE_NAME_NSPR). I could send a PR if you agree @cfc4n

from ecapture.
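As an added example, not ecapture's code, of the design this proposal points at: a selector that picks one TLS module by name and validates it against the known list, paired with a starter that skips a module whose auto-probe fails with a missing-file error instead of aborting the others, and only fails when nothing at all could be started. The module names and short aliases are taken from the log lines in this thread; the `fakeStart` stub and the helper names are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// module pairs a short flag value with the probe it selects. (Names taken from
// the log output in this thread; the pairing is an assumption of this example.)
type module struct{ short, name string }

var modules = []module{
	{"openssl", "EBPFProbeOPENSSL"},
	{"gnutls", "EBPFProbeGNUTLS"},
	{"nspr", "EBPFProbeNSPR"},
}

// selectModules returns the probes to run: all of them for an empty selection,
// otherwise exactly the one named, or an error that lists the valid choices.
func selectModules(only string) ([]string, error) {
	var names, shorts []string
	for _, m := range modules {
		names = append(names, m.name)
		shorts = append(shorts, m.short)
		if only != "" && strings.EqualFold(m.short, only) {
			return []string{m.name}, nil
		}
	}
	if only == "" {
		return names, nil
	}
	return nil, fmt.Errorf("unknown module %q, want one of: %s", only, strings.Join(shorts, ", "))
}

// startModules runs start for each probe. A probe whose library auto-probing
// fails with a missing file (os.ErrNotExist, the lstat /etc/ld.so.conf error in
// this thread) is skipped and reported; any other error aborts. It only fails
// outright when not a single probe could be started.
func startModules(mods []string, start func(string) error) (started []string, skipped []error, err error) {
	for _, m := range mods {
		e := start(m)
		switch {
		case e == nil:
			started = append(started, m)
		case errors.Is(e, os.ErrNotExist):
			skipped = append(skipped, fmt.Errorf("%s skipped: %w", m, e))
		default:
			return started, skipped, fmt.Errorf("%s: %w", m, e)
		}
	}
	if len(started) == 0 {
		return nil, skipped, errors.New("no TLS probe could be started")
	}
	return started, skipped, nil
}

// fakeStart stands in for real probe startup (constructed for this example): it
// reproduces the container case where only the GNUTLS auto-probe hits ENOENT.
func fakeStart(name string) error {
	if name == "EBPFProbeGNUTLS" {
		return fmt.Errorf("lstat /etc/ld.so.conf: %w", os.ErrNotExist)
	}
	return nil
}

func main() {
	mods, err := selectModules("") // "" keeps today's behaviour: trace every library
	if err != nil {
		fmt.Println(err)
		return
	}
	started, skipped, err := startModules(mods, fakeStart)
	fmt.Println("started:", started, "skipped:", skipped, "err:", err)
}
```

A real `lstat` failure comes back as an `*os.PathError` wrapping `syscall.ENOENT`, which `errors.Is(err, os.ErrNotExist)` also matches, so the same check works against the real error and the stub.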

vincentmli avatar vincentmli commented on August 20, 2024

The following diff does the work; I will send a PR.

diff --git a/cli/cmd/global.go b/cli/cmd/global.go
index 0d7c5f3..3c72e7e 100644
--- a/cli/cmd/global.go
+++ b/cli/cmd/global.go
@@ -11,9 +11,10 @@ import (
 // GlobalFlags are flags that defined globally
 // and are inherited to all sub-commands.
 type GlobalFlags struct {
-       IsHex bool
-       Debug bool
-       Pid   uint64 // PID
+       IsHex        bool
+       Debug        bool
+       Pid          uint64 // PID
+       IsSingleMode bool   // only trace one TLS type connection
 }
 
 func getGlobalConf(command *cobra.Command) (conf GlobalFlags, err error) {
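Review bot: the comment on `IsSingleMode` ("only trace one TLS type connection") does not say which TLS library ends up being traced or how it is chosen; with a bool the choice is implicit. Document it as "trace only the first module in the list (currently OpenSSL)" or, better, make the field a module name so the user picks OPENSSL, GNUTLS or NSPR explicitly.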
@@ -31,5 +32,10 @@ func getGlobalConf(command *cobra.Command) (conf GlobalFlags, err error) {
        if err != nil {
                return
        }
+
+       conf.IsSingleMode, err = command.Flags().GetBool("single-mode")
+       if err != nil {
+               return
+       }
        return
 }
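Review bot: `conf.IsSingleMode` is read back with `GetBool("single-mode")` even though root.go already binds the flag into `globalFlags.IsSingleMode` via `BoolVar`; that mirrors how the other global flags are handled, so it is consistent, but the flag name is now a string literal in two files and a typo in either one only shows up at runtime as an error from `GetBool`. A shared constant for `"single-mode"` used by both root.go and global.go would catch that at compile time.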
diff --git a/cli/cmd/root.go b/cli/cmd/root.go
index 7bc7bfc..c236438 100644
--- a/cli/cmd/root.go
+++ b/cli/cmd/root.go
@@ -73,5 +73,6 @@ func init() {
        //rootCmd.Flags().BoolP("toggle", "t", false, "Help message for toggle")
        rootCmd.PersistentFlags().BoolVarP(&globalFlags.Debug, "debug", "d", false, "enable debug logging")
        rootCmd.PersistentFlags().BoolVar(&globalFlags.IsHex, "hex", false, "print byte strings as hex encoded strings")
+       rootCmd.PersistentFlags().BoolVar(&globalFlags.IsSingleMode, "single-mode", false, "single tls mode trace")
        rootCmd.PersistentFlags().Uint64VarP(&globalFlags.Pid, "pid", "p", defaultPid, "if pid is 0 then we target all pids")
 }
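Review bot: the help text "single tls mode trace" tells the user neither what is traced nor when to use it; say something like "trace only the first TLS module (OpenSSL) and skip GNUTLS/NSPR library auto-probing, e.g. in containers without /etc/ld.so.conf". Consider a string flag naming the module instead of a bool, which matches the earlier proposal to pick one of OPENSSL/GNUTLS/NSPR.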
diff --git a/cli/cmd/tls.go b/cli/cmd/tls.go
index dc6135c..b7132aa 100644
--- a/cli/cmd/tls.go
+++ b/cli/cmd/tls.go
@@ -108,7 +108,13 @@ func openSSLCommandFunc(command *cobra.Command, args []string) {
                                return
                        }
                }(mod)
+
                runMods++
+
+               if gConf.IsSingleMode {
+                       log.Printf("single mode\n")
+                       break
+               }
        }
 
        // needs runmods > 0
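Review bot: the `break` after `runMods++` makes `--single-mode` mean "whatever module comes first in modNames", so the behaviour silently depends on slice order and there is no way to single out GNUTLS or NSPR; filtering modNames before the loop (or selecting by name) would be clearer than breaking out of it. Minor: `log.Printf("single mode\n")` does not need the trailing newline, `log` adds one.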

test

 kubectl exec -it netshoot-ecap -- /bin/bash
bash-5.1# ecapture tls --pthread=/mnt/lib64/libpthread.so.0 --libssl=/mnt/lib64/libssl.so.1.1.1g --hex --single-mode=true
2022/06/07 16:27:39 pid info :962631
2022/06/07 16:27:39 start to run EBPFProbeOPENSSL module
2022/06/07 16:27:39 single mode
2022/06/07 16:27:39 HOOK type:2, binrayPath:/mnt/lib64/libssl.so.1.1.1g
2022/06/07 16:27:39 libPthread so Path:/mnt/lib64/libpthread.so.0
2022/06/07 16:27:39 target all process. 

2022/06/07 16:28:25 PID:963154, Comm:curl, TID:963154, Version:TLS1_2_VERSION, Send 76 bytes to 10.169.72.34:443, Payload:
GET / HTTP/1.1
Host: 10.169.72.34
User-Agent: curl/7.61.1
Accept: */*


2022/06/07 16:28:25 PID:963154, Comm:curl, TID:963154, Version:TLS1_2_VERSION, Recived 538 bytes from 10.169.72.34:443, Payload:
HTTP/1.1 200 OK
Date: Tue, 07 Jun 2022 16:28:30 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=16070400; includeSubDomains
Last-Modified: Sat, 04 Jun 2022 11:42:36 GMT

from ecapture.

cfc4n avatar cfc4n commented on August 20, 2024

@vincentmli PR merged, please test it again.

from ecapture.
