What is the correct way for reading kernel tracepoint arguments?

Question

I am trying to read the arguments of the following tracepoint program:


// Declared at /sys/kernel/debug/tracing/events/net/netif_receive_skb/format
struct netif_receive_skb_context {
    unsigned short  type;
    unsigned char   flags;
    unsigned char   preempt_count;
    int             pid;
    const void *skbaddr;
    unsigned int len;
    int data_loc_name;
};


// Userspace path: /sys/kernel/debug/tracing/events/net/netif_receive_skb
SEC("tracepoint/net/netif_receive_skb")
int netif_receive_skb(struct netif_receive_skb_context *ctx) {
    // Attempt to read socket buffer from kernel structure.
    struct __sk_buff skb;
    bpf_probe_read(&skb, sizeof(skb), ctx->skbaddr);
    
    void *data_end = (void *)(long)skb.data_end;
    void *data     = (void *)(long)skb.data;
    struct ethhdr *eth = data;
    // Retrieve L2 header.
    if ((void*)eth + sizeof(*eth) > data_end) {
        return 0;
    }

    
    // Retrieve IP header.
    struct iphdr *ip = data + sizeof(*eth);
    if ((void*)ip + sizeof(*ip) > data_end) {
        return 0;
    }

    unsigned char proto;
    bpf_probe_read(&proto, sizeof(proto), &ip->protocol);
    bpf_printk("Got here in netif_rx_entry with proto: %d\n", proto);

    return 0;
}

However I am consistently seeing IP protocol equals zero which makes no sense (I am sending a packet with TCP, proto=6).. How should I approach reading the memory and fields after assigning to skb?

What kernel version is this? On my 5.5, `skbaddr` is at offset 24, not offset 8. — pchaigno, Mar 03 '22 at 15:18
I'd expect the offset to be the same on 4.5 according to the source code. Could you share the output of `cat /sys/kernel/debug/tracing/events/net/netif_rx_entry/format`? — pchaigno, Mar 03 '22 at 21:23
Also, please upgrade. Linux 4.5 is very old. It doesn't even receive security fixes anymore. — pchaigno, Mar 03 '22 at 21:23
@pchaigno Oh sorry the comment is misplaced its `netif_receive_skb`. Sorry for the confusion. — Nimrodshn, Mar 04 '22 at 19:03
@pchaigno Sorry for the confusion - the kernel version is 5.4, I confused major and minor versions. — Nimrodshn, Mar 04 '22 at 19:50
Ok. Then I have the exact same layout for the `netif_receive_skb_context` structure than you have. — pchaigno, Mar 04 '22 at 22:03

score 0 · Answer 1 · answered May 10 '23 at 22:55

Firstly, one way to check whether your context structure is correct is to look for the corresponding structure in the vmlinux.h file. Here is a link to more about vmlinux.h and how to generate one from your local machine.

Secondly, it seems like your skb fields are empty. bpf_probe_read() reads struct sk_buff and not struct __sk_buff.

Thirdly, running your code, I am unsure which packets you are trying to catch. It seems like there is no ethernet header when packets are captured from this function.

To get the ip protocol of your packets, your function would look like

SEC("tracepoint/net/netif_receive_skb")
int netif_receive_skb(struct trace_event_raw_net_dev_template *ctx) {
    // Attempt to read socket buffer from kernel structure.
    struct sk_buff skb;
    bpf_probe_read(&skb, sizeof(skb), ctx->skbaddr);
    // Retrieve IP header.
    struct iphdr iph;
    bpf_probe_read(&iph, sizeof(struct iphdr), skb.data);
    bpf_printk("Got here in netif_receive_skb with proto: %d\n", iph.protocol);
    return 0;
}

What is the correct way for reading kernel tracepoint arguments?

1 Answers1