Documentation
Index
- Constants
- func Events() <-chan interface{}
- func GetPid(proto string, srcPort uint, srcIP net.IP, dstIP net.IP, dstPort uint) (*procmon.Process, bool, error)
- func NewEbpfCache() *ebpfCacheType
- func NewEbpfCacheItem(key []byte, pid int) *ebpfCacheItem
- func PrintEverything()
- func Stop()
- type Config
- type Error
Constants
const (
	NoError = iota
	NotAvailable
	EventsNotAvailable
)
List of errors returned by this package.
const (
	EV_TYPE_NONE = iota
	EV_TYPE_EXEC
	EV_TYPE_EXECVEAT
	EV_TYPE_FORK
	EV_TYPE_SCHED_EXIT
)
List of supported event types.
const MaxArgLen = 256
MaxArgLen defines the maximum length, in bytes, of each argument kept by this module. NOTE: the kernel's own per-argument limit (MAX_ARG_STRLEN) is much larger, 131072 bytes (PAGE_SIZE * 32): https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/binfmts.h#L16
const MaxArgs = 20
MaxArgs defines the maximum number of arguments allowed
const MaxPathLen = 4096
MaxPathLen defines the maximum length of a path, as defined by the kernel: https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/limits.h#L13
const TaskCommLen = 16
TaskCommLen is the maximum number of characters of the comm field (the kernel's TASK_COMM_LEN, which includes the terminating NUL).
Variables
This section is empty.
Functions
func GetPid
func GetPid(proto string, srcPort uint, srcIP net.IP, dstIP net.IP, dstPort uint) (*procmon.Process, bool, error)
GetPid looks up the PID of the process that owns a connection in a BPF map. If it is not found there, it searches the already-established TCP connections. It returns the process if found. Additionally, if the process was only found after swapping the fields of the connection tuple, the returned flag is true to indicate it.
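The lookup order described above, written out as an added example; this is not the project's own code, and the 5-tuple key layout, the use of plain Go maps in place of the BPF map and the established-connections table, and the choice to swap source and destination (the page does not say which fields GetPid swaps) are all assumptions of the example:

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// ErrNotFound is returned when neither table knows the owner of the tuple.
var ErrNotFound = errors.New("no process found for connection")

// connKey is a 5-tuple key. Its layout is an assumption made for this
// example, not the key layout of the project's BPF maps.
type connKey struct {
	Proto   string
	SrcIP   string
	SrcPort uint
	DstIP   string
	DstPort uint
}

func newKey(proto string, srcIP net.IP, srcPort uint, dstIP net.IP, dstPort uint) connKey {
	return connKey{Proto: proto, SrcIP: srcIP.String(), SrcPort: srcPort, DstIP: dstIP.String(), DstPort: dstPort}
}

// lookupPid follows the lookup order documented for GetPid: first the map
// populated by the eBPF program, then the table of already-established TCP
// connections. Each table is tried with the tuple as given and then with
// source and destination swapped; a hit on the swapped orientation is
// reported through the second return value so the caller knows the
// direction of the match. Nil tables are skipped.
func lookupPid(bpfMap, established map[connKey]int, proto string, srcPort uint, srcIP, dstIP net.IP, dstPort uint) (pid int, swapped bool, err error) {
	direct := newKey(proto, srcIP, srcPort, dstIP, dstPort)
	reverse := newKey(proto, dstIP, dstPort, srcIP, srcPort)
	for _, table := range []map[connKey]int{bpfMap, established} {
		if table == nil {
			continue
		}
		if pid, ok := table[direct]; ok {
			return pid, false, nil
		}
		if pid, ok := table[reverse]; ok {
			return pid, true, nil
		}
	}
	return 0, false, ErrNotFound
}

func main() {
	// Constructed sample data: a local process (pid 4242) with an outbound
	// HTTPS connection in the BPF map, and a listener (pid 911) whose
	// connection was recorded with the local side as source in the
	// established-connections table.
	bpfMap := map[connKey]int{
		newKey("tcp", net.ParseIP("10.0.0.2"), 45210, net.ParseIP("93.184.216.34"), 443): 4242,
	}
	established := map[connKey]int{
		newKey("tcp", net.ParseIP("10.0.0.2"), 22, net.ParseIP("10.0.0.9"), 51000): 911,
	}

	pid, swapped, err := lookupPid(bpfMap, established, "tcp", 45210, net.ParseIP("10.0.0.2"), net.ParseIP("93.184.216.34"), 443)
	fmt.Println(pid, swapped, err) // 4242 false <nil>

	// Same connection as the second entry, but asked about from the peer's
	// point of view: found only after swapping, so the flag is set.
	pid, swapped, err = lookupPid(bpfMap, established, "tcp", 51000, net.ParseIP("10.0.0.9"), net.ParseIP("10.0.0.2"), 22)
	fmt.Println(pid, swapped, err) // 911 true <nil>

	_, _, err = lookupPid(bpfMap, established, "udp", 5353, net.ParseIP("10.0.0.2"), net.ParseIP("224.0.0.251"), 5353)
	fmt.Println(err) // no process found for connection
}
```

The swapped flag matters to a caller that uses the result for policy: a match in the reversed orientation means the tuple was keyed from the other end of the connection, so the local port and remote port in the caller's request are the other way round from how the owning process sees them.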
func NewEbpfCacheItem
func NewEbpfCacheItem(key []byte, pid int) *ebpfCacheItem
NewEbpfCacheItem creates a new cache item.
func PrintEverything
func PrintEverything()
PrintEverything prints all the stats. Used only for debugging.
Types
type Config
type Config struct {
	ModulesPath string `json:"ModulesPath"`
	// system default value is 8, but it's not enough to handle "high" loads such as
	// http downloads, torrent traffic, etc. (just regular desktop usage)
	// We set it to 64 by default (* PAGE_SIZE, which is usually 4k).
	RingBuffSize int `json:"RingBuffSize"`
	// number of workers to handle events from kernel
	EventsWorkers int `json:"EventsWorkers"`
	// max number of events in the queue received from the kernel.
	// 0 - Default behaviour. Each goroutine will wait for incoming messages, to
	// dispatch them one at a time.
	// > 0 - same as above, but if the daemon is not fast enough to dispatch the
	// events, they'll be queued. Once the daemon queue is full, kernel ebpf program
	// will have to wait/discard new events. (XXX: citation/testing needed).
	QueueEventsSize int `json:"QueueEventsSize"`
}
Config holds the configuration to customize ebpf module behaviour.
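An added example, not the project's own code, of what the three numeric settings mean on the daemon side: the ring buffer size is expressed in pages, and QueueEventsSize is the capacity of the hand-off between the goroutine draining the kernel and the EventsWorkers that process events. Assumptions of the example: PAGE_SIZE is 4096, the fallback of one worker when EventsWorkers is unset, the sample JSON config and its ModulesPath value (all constructed), and the `offer`/`newDispatcher` helpers, which model the queue with a Go channel and are not the project's API:

```go
package main

import (
	"encoding/json"
	"fmt"
	"sync"
)

// Config mirrors the struct documented on this page.
type Config struct {
	ModulesPath     string `json:"ModulesPath"`
	RingBuffSize    int    `json:"RingBuffSize"`
	EventsWorkers   int    `json:"EventsWorkers"`
	QueueEventsSize int    `json:"QueueEventsSize"`
}

// pageSize is assumed to be 4 KiB, the usual PAGE_SIZE.
const pageSize = 4096

// applyDefaults fills in the documented default of 64 pages for RingBuffSize.
// Falling back to one worker and clamping a negative queue size to 0 are
// assumptions for this example; the page does not state those defaults.
func applyDefaults(c Config) Config {
	if c.RingBuffSize <= 0 {
		c.RingBuffSize = 64
	}
	if c.EventsWorkers <= 0 {
		c.EventsWorkers = 1
	}
	if c.QueueEventsSize < 0 {
		c.QueueEventsSize = 0
	}
	return c
}

// ringBufBytes converts the page count into the buffer size in bytes.
func ringBufBytes(c Config) int { return c.RingBuffSize * pageSize }

// dispatcher models the daemon side of QueueEventsSize: a channel whose
// capacity is the queue size, drained by EventsWorkers goroutines.
type dispatcher struct {
	queue chan []byte
	wg    sync.WaitGroup
}

func newDispatcher(c Config, handle func([]byte)) *dispatcher {
	d := &dispatcher{queue: make(chan []byte, c.QueueEventsSize)}
	for i := 0; i < c.EventsWorkers; i++ {
		d.wg.Add(1)
		go func() {
			defer d.wg.Done()
			for ev := range d.queue {
				handle(ev)
			}
		}()
	}
	return d
}

// offer hands an event to the workers without blocking the goroutine that
// reads the ring buffer. With QueueEventsSize == 0 the channel is unbuffered,
// so an event is only accepted when a worker is already waiting for one;
// with a buffered queue it is accepted until the queue is full. A false
// return is the point at which the daemon is no longer keeping up and the
// kernel side would have to wait or discard.
func (d *dispatcher) offer(ev []byte) bool {
	select {
	case d.queue <- ev:
		return true
	default:
		return false
	}
}

// shutdown closes the queue and waits for the workers to drain it.
func (d *dispatcher) shutdown() {
	close(d.queue)
	d.wg.Wait()
}

func main() {
	// Constructed configuration; the path is a placeholder.
	raw := []byte(`{"ModulesPath":"/path/to/modules","RingBuffSize":0,"EventsWorkers":2,"QueueEventsSize":2}`)
	var cfg Config
	if err := json.Unmarshal(raw, &cfg); err != nil {
		panic(err)
	}
	cfg = applyDefaults(cfg)
	fmt.Printf("ring buffer: %d pages = %d bytes\n", cfg.RingBuffSize, ringBufBytes(cfg))

	// Start no workers so the queue-full path is observable deterministically.
	d := newDispatcher(Config{EventsWorkers: 0, QueueEventsSize: cfg.QueueEventsSize}, func([]byte) {})
	for i, ev := range [][]byte{[]byte("exec 1"), []byte("exec 2"), []byte("exec 3")} {
		fmt.Printf("event %d accepted: %v\n", i+1, d.offer(ev))
	}
	d.shutdown()
}
```

In the example the third event is rejected because the two-slot queue is full and no worker is draining it; with QueueEventsSize set to 0 the very first event is rejected unless a worker is already blocked waiting, which is the "wait for incoming messages, dispatch one at a time" behaviour the struct comment describes.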