* How to read tcp_payload from kprobe/inet_sendmsg
@ 2024-09-27 11:01 Rinat Gadelshin
From: Rinat Gadelshin @ 2024-09-27 11:01 UTC (permalink / raw)
To: bpf
Hello there!
I'm trying to read DNS queries from kprobe/inet_sendmsg and
kprobe/inet_recvmsg.
I just copy data by
    bpf_probe_read(&memory_in_my_map,
                   size_from_kprobe_arg,
                   msg->msg_iter.iov->iov_base);
It works fine for UDP (I'm checking by `dig @8.8.4.4 google.com`)
But for TCP (`dig @8.8.4.4 google.com +tcp`) the payload isn't a valid
DNS request.
I'm using the same method for reading DNS response from
kretprobe/inet_recvmsg (arguments are stored by kprobe/inet_recvmsg).
Receiving DNS responses works well for UDP and TCP.
I've found some related but unanswered topics:
- https://www.reddit.com/r/eBPF/comments/15fh3n4/accessing_the_content_of_tcp_packages_in_an_ebpf/
- https://stackoverflow.com/questions/76782000/linux-tcp-packet-sniffing-with-ebpf-kprobe-reading-package-content-from-iov-ite
- https://github.com/replicatedhq/exfilter/issues/8
Please tell me what I'm doing wrong.
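
Added example, not part of the original message: DNS over TCP prefixes every message with a two-byte big-endian length (RFC 1035 section 4.2.2), so a buffer captured on a TCP path must have that prefix handled before its bytes parse as a DNS header. The user-space check below shows the difference on constructed sample bytes; `dns_locate`, `dns_is_plain_query` and the samples are hypothetical names made up for illustration, and whether this framing explains the behaviour reported above is not established in the thread.

```c
#include <stddef.h>
#include <stdint.h>

/* Fixed 12-byte DNS header (RFC 1035 section 4.1.1), fields in host order. */
struct dns_hdr { uint16_t id, flags, qdcount, ancount, nscount, arcount; };

/* Constructed sample: query for google.com, type A, class IN (28 bytes). */
#define QUERY_BYTES 0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, \
    0x00,0x00, 6,'g','o','o','g','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01
static const uint8_t sample_udp[] = { QUERY_BYTES };
static const uint8_t sample_tcp[] = { 0x00, 0x1c, QUERY_BYTES }; /* 0x001c = 28 */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * Locate the DNS message inside a captured buffer.
 * is_tcp != 0: the buffer starts with the 2-byte length prefix.
 * Returns 0 and fills hdr/msg_off/msg_len, or -1 when the buffer is too
 * short (for TCP this includes "prefix seen, message bytes not all here",
 * which happens because TCP is a stream and one buffer is not one message).
 */
int dns_locate(const uint8_t *buf, size_t len, int is_tcp,
               struct dns_hdr *hdr, size_t *msg_off, size_t *msg_len)
{
    size_t off = 0, mlen = len;
    if (is_tcp) {
        if (len < 2) return -1;
        mlen = be16(buf);
        off = 2;
        if (mlen > len - off) return -1;
    }
    if (mlen < 12) return -1;
    const uint8_t *m = buf + off;
    hdr->id = be16(m);           hdr->flags = be16(m + 2);
    hdr->qdcount = be16(m + 4);  hdr->ancount = be16(m + 6);
    hdr->nscount = be16(m + 8);  hdr->arcount = be16(m + 10);
    *msg_off = off;
    *msg_len = mlen;
    return 0;
}

/* Sanity check for an ordinary query: QR bit clear, one question, no answers. */
int dns_is_plain_query(const struct dns_hdr *h)
{
    return !(h->flags & 0x8000) && h->qdcount == 1 && h->ancount == 0;
}

int main(void)
{
    struct dns_hdr h; size_t off, n;
    if (dns_locate(sample_udp, sizeof sample_udp, 0, &h, &off, &n) != 0) return 1;
    if (dns_locate(sample_tcp, sizeof sample_tcp, 1, &h, &off, &n) != 0) return 1;
    return dns_is_plain_query(&h) ? 0 : 1;
}
```

Parsing the TCP sample without skipping the prefix shifts every header field by two bytes, so the question count reads as 256 and the sanity check fails.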