
I am trying to measure the time it takes for a particular process to accept a connection using the 'accept' system call and close the connection. To accomplish this, I want to use eBPF to trace the 'accept' system call and calculate the wallclock time between 'accept' and 'close' of a specific process ID (PID).


#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_core_read.h>
// #include "net/sock.h"
char LICENSE[] SEC("license") = "Dual BSD/GPL";


struct {
    __uint(type, BPF_MAP_TYPE_HASH);
    __uint(max_entries, 8192);
    __type(key, int);
    __type(value, u64);   /* value holds a bpf_ktime_get_ns() timestamp, so it must be 64-bit */
} pid_map SEC(".maps");

/* Monotonic time in nanoseconds since boot */
static __always_inline u64 get_current_time(void)
{
    return bpf_ktime_get_ns();
}

SEC("kprobe/tcp_v4_do_rcv")
int bpf_prog(struct pt_regs *ctx)
{
    int pid = bpf_get_current_pid_tgid() >> 32;   /* upper 32 bits are the TGID (process id) */
    u64 start_time = get_current_time();
    bpf_printk("BPF triggered from PID %d\n", pid);
    /* Remember when this PID's connection started; BPF_ANY overwrites an existing entry */
    bpf_map_update_elem(&pid_map, &pid, &start_time, BPF_ANY);
    return 0;
}

BPF code for this is shown above,

SEC("kprobe/tcp_close")
int bpf_prog2(struct pt_regs *ctx)
{
    int pid = bpf_get_current_pid_tgid() >> 32;
    u64 *start_ptr = bpf_map_lookup_elem(&pid_map, &pid);

    /* Only PIDs that went through the first probe have a start timestamp */
    if (start_ptr != NULL) {
        u64 delta_ns = get_current_time() - *start_ptr;
        bpf_printk("Process %d closed connection after %llu ns\n", pid, delta_ns);
        /* Drop the entry so a reused PID does not inherit a stale start time */
        bpf_map_delete_elem(&pid_map, &pid);
    }
    return 0;
}

And I also wrote a simple Python script to open and close a port

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Connect as a TCP client to port 80
s.connect(('www.google.com', 80))

s.send(b"GET / HTTP/1.1\r\nHost: www.google.com\r\n\r\n")

response = s.recv(1024)
print(response)

# Close the socket
s.close()

Unfortunately I couldn't get any response.

Tried the following types for accept

// SEC("kprobe/tcp_v4_do_rcv")
// SEC("kprobe/__x64_sys_accept")
// SEC("kprobe/tcp_v4_do_rcv")
// SEC("kprobe/inet_csk_accept")

and for close()

// SEC("kprobe/tcp_v6_destroy_sock")
// SEC("kprobe/tcp_v4_destroy_sock")
Ajith
  • `kprobe/__x64_sys_accept` looks like the only potentially correct hook point here. Did you trace your small example program to verify that it's actually calling the `accept(2)` syscall? – pchaigno Mar 22 '23 at 17:42
  • Thanks for your comment. kprobe/__x64_sys_accept did work for connection through the lo interface. After some trial and error, I can now trace all TCP accept connections with kretprobe/tcp_v4_connect and close with kprobe/tcp_close. – Ajith Mar 28 '23 at 04:14
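The question's BPF programs only emit bpf_printk() lines, so the "wallclock time between accept and close" can also be computed in userspace by pairing those lines per PID. The script below is an added example, not code from the question or its comments: it parses trace_pipe records in the kernel's bpf_trace_printk format, pairs the "BPF triggered from PID N" and "Process N closed connection" messages from the question's probes, and reports the elapsed time per PID. The sample records are constructed, the message texts are assumed to be exactly those in the question, and, like the question's map, it is keyed by PID only, so two concurrent connections of one process are flagged as an anomaly rather than timed separately (the fix for that is to key on the socket pointer in the BPF program).

```python
import re
from collections import defaultdict

# One trace_pipe record as written by bpf_printk(); the "comm-tid [cpu] flags ts:" prefix
# comes from the kernel's trace formatter, the message after "bpf_trace_printk:" from the probe.
TRACE_LINE = re.compile(
    r"^\s*(?P<comm>\S+)-(?P<tid>\d+)\s+\[\d+\]\s+\S+\s+(?P<ts>\d+\.\d+):\s+"
    r"bpf_trace_printk:\s+(?P<msg>.*)$"
)
# Message formats assumed from the question's two bpf_printk() calls
ACCEPT_MSG = re.compile(r"BPF triggered from PID (?P<pid>\d+)")
CLOSE_MSG = re.compile(r"Process (?P<pid>\d+) closed connection")

# Constructed sample of /sys/kernel/debug/tracing/trace_pipe output (not real captured data)
SAMPLE_TRACE = """\
 python3-4242    [001] d...1  1000.000100: bpf_trace_printk: BPF triggered from PID 4242
 python3-4242    [001] d...1  1000.250100: bpf_trace_printk: Process 4242 closed connection
 python3-4242    [001] d...1  1001.000000: bpf_trace_printk: BPF triggered from PID 4242
 python3-4242    [001] d...1  1001.000500: bpf_trace_printk: BPF triggered from PID 4242
 python3-4242    [001] d...1  1001.100500: bpf_trace_printk: Process 4242 closed connection
   nginx-7777    [000] d...1  1002.000000: bpf_trace_printk: Process 7777 closed connection
""".splitlines()


def parse_record(line):
    """Return (timestamp_seconds, message) for a trace_pipe line, or None if it is not one."""
    m = TRACE_LINE.match(line)
    if not m:
        return None
    return float(m.group("ts")), m.group("msg")


def connection_durations(lines, target_pid=None):
    """Pair accept/close messages per PID.

    Returns (durations, anomalies): durations maps pid -> list of elapsed seconds,
    anomalies lists events that could not be paired cleanly. If target_pid is given,
    records for other PIDs are ignored.
    """
    open_since = {}               # pid -> trace timestamp of the last accept-side event
    durations = defaultdict(list)
    anomalies = []

    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue              # not a trace record (blank line, other tracer output)
        ts, msg = rec

        m = ACCEPT_MSG.search(msg)
        if m:
            pid = int(m.group("pid"))
            if target_pid is not None and pid != target_pid:
                continue
            if pid in open_since:
                # Second accept-side event with no close in between: the PID-keyed map in the
                # question would silently overwrite the start time here (BPF_ANY); we flag it.
                anomalies.append(f"accept without close for PID {pid} at {ts}; previous start discarded")
            open_since[pid] = ts
            continue

        m = CLOSE_MSG.search(msg)
        if m:
            pid = int(m.group("pid"))
            if target_pid is not None and pid != target_pid:
                continue
            start = open_since.pop(pid, None)
            if start is None:
                # Close seen for a PID whose start was never recorded (e.g. probe attached late)
                anomalies.append(f"close without accept for PID {pid} at {ts}")
            else:
                durations[pid].append(round(ts - start, 6))

    return dict(durations), anomalies


if __name__ == "__main__":
    # To use on a live system, replace SAMPLE_TRACE with
    # open("/sys/kernel/debug/tracing/trace_pipe") (needs root and the probes loaded).
    durs, odd = connection_durations(SAMPLE_TRACE)
    for pid, values in durs.items():
        print(f"PID {pid}: {len(values)} connection(s), durations (s): {values}")
    for a in odd:
        print("anomaly:", a)
```

The two anomaly paths matter for the measurement itself: a close without a prior start is exactly what the question observed (no start-side probe firing), and a repeated start without a close is what a PID-keyed map hides when one process handles several connections at once.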

0 Answers