module

package
v0.8.2 Latest Latest
Warning

This package is not in the latest version of its module.

Published: May 19, 2024 License: Apache-2.0 Imports: 36 Imported by: 0

Documentation

Index

Constants

// Probe type labels: plain strings naming the kinds of eBPF attachment point
// (uprobe, kprobe, TC, tracepoint, XDP) that this package distinguishes.
// NOTE(review): where each label is consumed is not visible on this page.
const (
	ProbeTypeUprobe = "uprobe"
	ProbeTypeKprobe = "kprobe"
	ProbeTypeTC     = "TC"
	ProbeTypeTP     = "tracepoint"
	ProbeTypeXDP    = "XDP"
)
// Module name strings, one per probe module constructed by the New*Probe
// functions of this package (Bash, Mysqld, Postgres, OpenSSL, GnuTLS, NSPR, GoTLS).
// NOTE(review): presumably these are the values returned by each module's
// Name method and the lookup keys for GetModuleFunc — confirm against the source.
const (
	ModuleNameBash     = "EBPFProbeBash"
	ModuleNameMysqld   = "EBPFProbeMysqld"
	ModuleNamePostgres = "EBPFProbePostgres"
	ModuleNameOpenssl  = "EBPFProbeOPENSSL"
	ModuleNameGnutls   = "EBPFProbeGNUTLS"
	ModuleNameNspr     = "EBPFProbeNSPR"
	ModuleNameGotls    = "EBPFProbeGoTLS"
)
// Names of the TLS library functions used as hook points for master-key capture.
const (
	// Candidate functions to hook: SSL_is_init_finished \ SSL_get_wbio \ SSL_write
	MasterKeyHookFuncOpenSSL = "SSL_write"

	/*
		In the BoringSSL library, SSL_write calls SSL_do_handshake;
		while SSL_do_handshake is running, the handshake of the current SSL
		connection may not have completed yet, and
		(the original comment ends here, mid-sentence)
	*/
	// 2022-12-16: changed to SSL_in_init
	MasterKeyHookFuncBoringSSL = "SSL_in_init"
	MasterKeyHookFuncSSLBefore = "SSL_in_before"
	MasterKeyHookFuncSSLState  = "SSL_state"
)
// KernelLess52Prefix is a file-name fragment; BtfNotSupport and BtfModeSwitch
// are user-facing hints about building or running without BTF/CO-RE support.
// NOTE(review): despite the "Prefix" name, "_less52.o" looks like a file-name
// suffix, presumably selecting bytecode built for kernels older than 5.2 — confirm.
const (
	KernelLess52Prefix = "_less52.o"
	BtfNotSupport      = "You can compile the BTF-free version by using the command `make nocore`, please read the Makefile for more information."
	BtfModeSwitch      = "If eCapture fails to run, try specifying the BTF mode. use `-b 2` to specify non-CORE mode."
)
// Bash event type codes (untyped integer constants 0, 1 and 2).
// NOTE(review): the names suggest a readline input event, a return-value event
// and an exit-or-exec event; the producer of these codes is not visible on this page.
const (
	BashEventTypeReadline   = 0
	BashEventTypeRetval     = 1
	BashEventTypeExitOrExec = 2
)
// Address placeholder strings.
// NOTE(review): ConnNotFound is presumably what GetConn reports when no address
// is recorded for a pid/fd pair, and DefaultAddr the fallback address — confirm
// against the source. Consumers of captured events should treat both values as
// "address unknown" rather than as a real peer.
const (
	ConnNotFound = "[ADDR_NOT_FOUND]"
	DefaultAddr  = "0.0.0.0"
)
// Default names; the numeric suffixes appear to follow OpenSSL release lines
// (1.0.2, 1.1.0, 1.1.1, 3.0, 3.1, 3.2), plus one Android default.
// NOTE(review): how these names are consumed is not visible on this page.
const (
	Linuxdefaulefilename102 = "linux_default_1_0_2"
	Linuxdefaulefilename110 = "linux_default_1_1_0"
	Linuxdefaulefilename111 = "linux_default_1_1_1"
	Linuxdefaulefilename30  = "linux_default_3_0"
	// NOTE(review): same value as Linuxdefaulefilename30. If the two constants
	// are ever used as distinct map keys they collide — confirm this is intended.
	Linuxdefaulefilename31  = "linux_default_3_0"
	Linuxdefaulefilename320 = "linux_default_3_2"
	AndroidDefauleFilename  = "android_default"

	OpenSslVersionLen = 30 // openssl version string length
)
// Upper bounds of the supported OpenSSL versions, one per release line.
// The 1.0.2 / 1.1.0 / 1.1.1 bounds are rune constants, the 3.x bounds are integers.
// NOTE(review): the runes look like the patch letter of the 1.x series
// (e.g. 1.0.2u) and the integers like the patch number of the 3.x series —
// confirm against the version-detection code, which is not visible on this page.
const (
	MaxSupportedOpenSSL102Version = 'u'
	MaxSupportedOpenSSL110Version = 'l'
	MaxSupportedOpenSSL111Version = 'w'
	MaxSupportedOpenSSL30Version  = 13
	MaxSupportedOpenSSL31Version  = 5
	MaxSupportedOpenSSL32Version  = 1
)
// BashErrnoDefault is the int constant 128.
// NOTE(review): presumably the default errno/return-value setting of the bash
// probe — confirm against the code that reads it.
const (
	BashErrnoDefault int = 128
)
// EcaptureMagic is a fixed marker value that fits in 32 bits.
// NOTE(review): where the marker is written or checked is not visible on this page.
const EcaptureMagic = 0xCC0C4CFC

Variables

// NotGoCompiledBin is the sentinel error for a target that is not a Go-compiled
// program; callers can match it with errors.Is.
// NOTE(review): Go convention names sentinel errors ErrXxx; renaming this
// exported variable would break the package API.
var NotGoCompiledBin = errors.New("it is not a program compiled in the Go language")

Functions

func GetModuleFunc added in v0.8.1

func GetModuleFunc(name string) func() IModule

GetModuleFunc gets the module function by name.

func RegisteFunc added in v0.8.1

func RegisteFunc(f func() IModule)

RegisteFunc registers a module function.

Types

type GoTLSProbe

type GoTLSProbe struct {
	MTCProbe
	// contains filtered or unexported fields
}

GoTLSProbe represents a probe for Go SSL

func (*GoTLSProbe) Close

func (g *GoTLSProbe) Close() error

func (*GoTLSProbe) DecodeFun

func (g *GoTLSProbe) DecodeFun(m *ebpf.Map) (event.IEventStruct, bool)

func (*GoTLSProbe) Dispatcher

func (g *GoTLSProbe) Dispatcher(eventStruct event.IEventStruct)

func (*GoTLSProbe) Events

func (g *GoTLSProbe) Events() []*ebpf.Map

func (*GoTLSProbe) Init

func (g *GoTLSProbe) Init(ctx context.Context, l *zerolog.Logger, cfg config.IConfig) error

func (*GoTLSProbe) Name

func (g *GoTLSProbe) Name() string

func (*GoTLSProbe) Start

func (g *GoTLSProbe) Start() error

type IClose

type IClose interface {
	Close() error
}

type IModule

// IModule is the interface declared for the probe modules of this package;
// every New*Probe constructor on this page returns an IModule.
type IModule interface {
	// Init initializes the module.
	Init(context.Context, *zerolog.Logger, config.IConfig) error

	// Name returns the name of the current module.
	Name() string

	// Run listens for events.
	Run() error

	// Start starts the module.
	Start() error

	// Stop stops the module.
	Stop() error

	// Close closes the module and exits.
	Close() error

	SetChild(module IModule)

	Decode(*ebpf.Map, []byte) (event.IEventStruct, error)

	Events() []*ebpf.Map

	DecodeFun(p *ebpf.Map) (event.IEventStruct, bool)

	Dispatcher(event.IEventStruct)
}

func NewBashProbe added in v0.8.1

func NewBashProbe() IModule

func NewGnutlsProbe added in v0.8.1

func NewGnutlsProbe() IModule

func NewGoTLSProbe added in v0.8.1

func NewGoTLSProbe() IModule

func NewMysqldProbe added in v0.8.1

func NewMysqldProbe() IModule

func NewNsprProbe added in v0.8.1

func NewNsprProbe() IModule

func NewOpenSSLProbe added in v0.8.1

func NewOpenSSLProbe() IModule

func NewPostgresProbe added in v0.8.1

func NewPostgresProbe() IModule

type MBashProbe

type MBashProbe struct {
	Module
	// contains filtered or unexported fields
}

func (*MBashProbe) Close

func (b *MBashProbe) Close() error

func (*MBashProbe) DecodeFun

func (b *MBashProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)

func (*MBashProbe) Dispatcher

func (b *MBashProbe) Dispatcher(eventStruct event.IEventStruct)

func (*MBashProbe) Events

func (b *MBashProbe) Events() []*ebpf.Map

func (*MBashProbe) Init

func (b *MBashProbe) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig) error

Initializes the object.

func (*MBashProbe) Start

func (b *MBashProbe) Start() error

type MGnutlsProbe

type MGnutlsProbe struct {
	Module
	// contains filtered or unexported fields
}

func (*MGnutlsProbe) Close

func (g *MGnutlsProbe) Close() error

func (*MGnutlsProbe) DecodeFun

func (g *MGnutlsProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)

func (*MGnutlsProbe) Events

func (g *MGnutlsProbe) Events() []*ebpf.Map

func (*MGnutlsProbe) Init

func (g *MGnutlsProbe) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig) error

Initializes the object.

func (*MGnutlsProbe) Start

func (g *MGnutlsProbe) Start() error

type MMysqldProbe

type MMysqldProbe struct {
	Module
	// contains filtered or unexported fields
}

func (*MMysqldProbe) Close

func (m *MMysqldProbe) Close() error

func (*MMysqldProbe) DecodeFun

func (m *MMysqldProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)

func (*MMysqldProbe) Events

func (m *MMysqldProbe) Events() []*ebpf.Map

func (*MMysqldProbe) Init

func (m *MMysqldProbe) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig) error

Initializes the object.

func (*MMysqldProbe) Start

func (m *MMysqldProbe) Start() error

type MNsprProbe

type MNsprProbe struct {
	Module
	// contains filtered or unexported fields
}

func (*MNsprProbe) Close

func (n *MNsprProbe) Close() error

func (*MNsprProbe) DecodeFun

func (n *MNsprProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)

func (*MNsprProbe) Events

func (n *MNsprProbe) Events() []*ebpf.Map

func (*MNsprProbe) Init

func (n *MNsprProbe) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig) error

Initializes the object.

func (*MNsprProbe) Start

func (n *MNsprProbe) Start() error

type MOpenSSLProbe

type MOpenSSLProbe struct {
	MTCProbe
	// contains filtered or unexported fields
}

func (*MOpenSSLProbe) AddConn

func (m *MOpenSSLProbe) AddConn(pid, fd uint32, addr string)

func (*MOpenSSLProbe) Close

func (m *MOpenSSLProbe) Close() error

func (*MOpenSSLProbe) DecodeFun

func (m *MOpenSSLProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)

func (*MOpenSSLProbe) DelConn

func (m *MOpenSSLProbe) DelConn(pid, fd uint32)

Process exit: fd is 0, delete the whole map for the pid. Fd exit: pid > 0 and fd > 0, delete the fd's value. TODO: add fd * pid exit event hook.

func (*MOpenSSLProbe) Dispatcher

func (m *MOpenSSLProbe) Dispatcher(eventStruct event.IEventStruct)

func (*MOpenSSLProbe) Events

func (m *MOpenSSLProbe) Events() []*ebpf.Map

func (*MOpenSSLProbe) GetConn

func (m *MOpenSSLProbe) GetConn(pid, fd uint32) string

func (*MOpenSSLProbe) Init

func (m *MOpenSSLProbe) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig) error

Initializes the object.

func (*MOpenSSLProbe) Start

func (m *MOpenSSLProbe) Start() error

type MPostgresProbe

type MPostgresProbe struct {
	Module
	// contains filtered or unexported fields
}

func (*MPostgresProbe) Close

func (p *MPostgresProbe) Close() error

func (*MPostgresProbe) DecodeFun

func (p *MPostgresProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)

func (*MPostgresProbe) Events

func (p *MPostgresProbe) Events() []*ebpf.Map

func (*MPostgresProbe) Init

func (p *MPostgresProbe) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig) error

init probe

func (*MPostgresProbe) Start

func (p *MPostgresProbe) Start() error

type MTCProbe

type MTCProbe struct {
	Module
	// contains filtered or unexported fields
}

func (*MTCProbe) ServePcap

func (t *MTCProbe) ServePcap()

ServePcap is used to serve pcapng file

type Module

type Module struct {
	// contains filtered or unexported fields
}

func (*Module) Close

func (m *Module) Close() error

func (*Module) Decode

func (m *Module) Decode(em *ebpf.Map, b []byte) (event event.IEventStruct, err error)

func (*Module) DecodeFun

func (m *Module) DecodeFun(p *ebpf.Map) (event.IEventStruct, bool)

func (*Module) Dispatcher

func (m *Module) Dispatcher(e event.IEventStruct)

Dispatcher writes the data out, or uploads it to a remote database, writes it to another chan, and so on.

func (*Module) Events

func (m *Module) Events() []*ebpf.Map

func (*Module) Init

func (m *Module) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig)

Init initializes the object.

func (*Module) Name

func (m *Module) Name() string

func (*Module) Run

func (m *Module) Run() error

func (*Module) SetChild

func (m *Module) SetChild(module IModule)

func (*Module) Start

func (m *Module) Start() error

func (*Module) Stop

func (m *Module) Stop() error

type NetCaptureData

type NetCaptureData struct {
	PacketLength     uint32 `json:"pktLen"`
	ConfigIfaceIndex uint32 `json:"ifIndex"`
}

func (NetCaptureData) GetSizeBytes

func (NetCaptureData) GetSizeBytes() uint32

type NetEventMetadata

type NetEventMetadata struct {
	TimeStamp   uint64   `json:"timeStamp"`
	HostTid     uint32   `json:"hostTid"`
	ProcessName [16]byte `json:"processName"`
}

type TcPacket

type TcPacket struct {
	// contains filtered or unexported fields
}

packets of TC probe

type Tls13MasterSecret

// Tls13MasterSecret groups five TLS 1.3 secrets as raw byte slices. The field
// names correspond to the TLS 1.3 labels of the NSS key log format
// (SERVER_HANDSHAKE_TRAFFIC_SECRET, EXPORTER_SECRET, SERVER_TRAFFIC_SECRET_0,
// CLIENT_HANDSHAKE_TRAFFIC_SECRET, CLIENT_TRAFFIC_SECRET_0).
// NOTE(review): values of this type are session key material. Whoever holds them
// can decrypt a recording of that session, so anything that logs or persists
// them needs the same access control as the plaintext traffic.
type Tls13MasterSecret struct {
	ServerHandshakeTrafficSecret []byte
	ExporterSecret               []byte
	ServerTrafficSecret0         []byte
	ClientHandshakeTrafficSecret []byte
	ClientTrafficSecret0         []byte
}

type TlsCaptureModelType

// TlsCaptureModelType is a uint8 enumeration with three values.
type TlsCaptureModelType uint8
const (
	// The values count up from 0 via iota: Pcap = 0, Text = 1, Keylog = 2.
	// NOTE(review): the names suggest the output form of a TLS capture (pcap
	// packets, plaintext, or a key log); the code that switches on them is not
	// visible on this page. Key-log output contains session secrets and should
	// be stored with restricted permissions.
	TlsCaptureModelTypePcap TlsCaptureModelType = iota
	TlsCaptureModelTypeText
	TlsCaptureModelTypeKeylog
)

func (TlsCaptureModelType) String added in v0.8.1

func (t TlsCaptureModelType) String() string
