Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

new(driver): add 2 new scap stats #1303

Merged
merged 5 commits into from
Aug 23, 2023
Merged

new(driver): add 2 new scap stats #1303

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
920785e
new(driver): add 2 new scap stats
Andreagit97 Aug 21, 2023
fb43003
new(sinsp): introduce a common print stats function
Andreagit97 Aug 21, 2023
ed8276a
new(sinsp): add some debug logs when the capture is closed
Andreagit97 Aug 21, 2023
11c0b2c
cleanup(driver): remove old event versions
Andreagit97 Aug 23, 2023
d22d8b7
docs: update scap-open README
Andreagit97 Aug 23, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion driver/API_VERSION
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1 @@
4.0.2
5.0.0
38 changes: 10 additions & 28 deletions driver/bpf/fillers.h
View file
Open in desktop
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice cleanup :D

Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,6 @@ FILLER_RAW(terminate_filler)
// enter
case PPME_SYSCALL_OPEN_E:
case PPME_SYSCALL_CREAT_E:
case PPME_SYSCALL_OPENAT_E:
case PPME_SYSCALL_OPENAT_2_E:
case PPME_SYSCALL_OPENAT2_E:
case PPME_SYSCALL_OPEN_BY_HANDLE_AT_E:
Expand All @@ -125,40 +124,28 @@ FILLER_RAW(terminate_filler)
case PPME_SYSCALL_LCHOWN_E:
case PPME_SYSCALL_FCHOWN_E:
case PPME_SYSCALL_FCHOWNAT_E:
case PPME_SYSCALL_LINK_E:
case PPME_SYSCALL_LINK_2_E:
case PPME_SYSCALL_LINKAT_E:
case PPME_SYSCALL_LINKAT_2_E:
case PPME_SYSCALL_MKDIR_E:
case PPME_SYSCALL_MKDIR_2_E:
case PPME_SYSCALL_MKDIRAT_E:
case PPME_SYSCALL_MOUNT_E:
case PPME_SYSCALL_UMOUNT_E:
case PPME_SYSCALL_UMOUNT_1_E:
case PPME_SYSCALL_UMOUNT2_E:
case PPME_SYSCALL_RENAME_E:
case PPME_SYSCALL_RENAMEAT_E:
case PPME_SYSCALL_RENAMEAT2_E:
case PPME_SYSCALL_RMDIR_E:
case PPME_SYSCALL_RMDIR_2_E:
case PPME_SYSCALL_SYMLINK_E:
case PPME_SYSCALL_SYMLINKAT_E:
case PPME_SYSCALL_UNLINK_E:
case PPME_SYSCALL_UNLINK_2_E:
case PPME_SYSCALL_UNLINKAT_E:
case PPME_SYSCALL_UNLINKAT_2_E:
if (state->n_drops_buffer_dir_file_enter != ULLONG_MAX) {
++state->n_drops_buffer_dir_file_enter;
}
break;
case PPME_SYSCALL_CLONE_11_E:
case PPME_SYSCALL_CLONE_16_E:
case PPME_SYSCALL_CLONE_17_E:
case PPME_SYSCALL_CLONE_20_E:
case PPME_SYSCALL_CLONE3_E:
case PPME_SYSCALL_FORK_E:
case PPME_SYSCALL_FORK_20_E:
case PPME_SYSCALL_VFORK_E:
case PPME_SYSCALL_VFORK_20_E:
if (state->n_drops_buffer_clone_fork_enter != ULLONG_MAX) {
++state->n_drops_buffer_clone_fork_enter;
Expand All @@ -175,7 +162,6 @@ FILLER_RAW(terminate_filler)
++state->n_drops_buffer_connect_enter;
}
break;
case PPME_SYSCALL_BPF_E:
case PPME_SYSCALL_BPF_2_E:
case PPME_SYSCALL_SETPGID_E:
case PPME_SYSCALL_PTRACE_E:
Expand All @@ -190,10 +176,14 @@ FILLER_RAW(terminate_filler)
++state->n_drops_buffer_other_interest_enter;
}
break;
case PPME_PROCEXIT_1_E:
if (state->n_drops_buffer_proc_exit != ULLONG_MAX) {
++state->n_drops_buffer_proc_exit;
}
break;
// exit
case PPME_SYSCALL_OPEN_X:
case PPME_SYSCALL_CREAT_X:
case PPME_SYSCALL_OPENAT_X:
case PPME_SYSCALL_OPENAT_2_X:
case PPME_SYSCALL_OPENAT2_X:
case PPME_SYSCALL_OPEN_BY_HANDLE_AT_X:
Expand All @@ -209,40 +199,28 @@ FILLER_RAW(terminate_filler)
case PPME_SYSCALL_LCHOWN_X:
case PPME_SYSCALL_FCHOWN_X:
case PPME_SYSCALL_FCHOWNAT_X:
case PPME_SYSCALL_LINK_X:
case PPME_SYSCALL_LINK_2_X:
case PPME_SYSCALL_LINKAT_X:
case PPME_SYSCALL_LINKAT_2_X:
case PPME_SYSCALL_MKDIR_X:
case PPME_SYSCALL_MKDIR_2_X:
case PPME_SYSCALL_MKDIRAT_X:
case PPME_SYSCALL_MOUNT_X:
case PPME_SYSCALL_UMOUNT_X:
case PPME_SYSCALL_UMOUNT_1_X:
case PPME_SYSCALL_UMOUNT2_X:
case PPME_SYSCALL_RENAME_X:
case PPME_SYSCALL_RENAMEAT_X:
case PPME_SYSCALL_RENAMEAT2_X:
case PPME_SYSCALL_RMDIR_X:
case PPME_SYSCALL_RMDIR_2_X:
case PPME_SYSCALL_SYMLINK_X:
case PPME_SYSCALL_SYMLINKAT_X:
case PPME_SYSCALL_UNLINK_X:
case PPME_SYSCALL_UNLINK_2_X:
case PPME_SYSCALL_UNLINKAT_X:
case PPME_SYSCALL_UNLINKAT_2_X:
if (state->n_drops_buffer_dir_file_exit != ULLONG_MAX) {
++state->n_drops_buffer_dir_file_exit;
}
break;
case PPME_SYSCALL_CLONE_11_X:
case PPME_SYSCALL_CLONE_16_X:
case PPME_SYSCALL_CLONE_17_X:
case PPME_SYSCALL_CLONE_20_X:
case PPME_SYSCALL_CLONE3_X:
case PPME_SYSCALL_FORK_X:
case PPME_SYSCALL_FORK_20_X:
case PPME_SYSCALL_VFORK_X:
case PPME_SYSCALL_VFORK_20_X:
if (state->n_drops_buffer_clone_fork_exit != ULLONG_MAX) {
++state->n_drops_buffer_clone_fork_exit;
Expand All @@ -259,7 +237,6 @@ FILLER_RAW(terminate_filler)
++state->n_drops_buffer_connect_exit;
}
break;
case PPME_SYSCALL_BPF_X:
case PPME_SYSCALL_BPF_2_X:
case PPME_SYSCALL_SETPGID_X:
case PPME_SYSCALL_PTRACE_X:
Expand All @@ -274,6 +251,11 @@ FILLER_RAW(terminate_filler)
++state->n_drops_buffer_other_interest_exit;
}
break;
case PPME_SYSCALL_CLOSE_X:
if (state->n_drops_buffer_close_exit != ULLONG_MAX) {
++state->n_drops_buffer_close_exit;
}
break;
default:
break;
}
Expand Down
2 changes: 2 additions & 0 deletions driver/bpf/types.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -270,6 +270,8 @@ struct scap_bpf_per_cpu_state {
unsigned long long n_drops_buffer_dir_file_exit;
unsigned long long n_drops_buffer_other_interest_enter; /* Category of other system calls of interest, not all other system calls that did not match a category from above. */
unsigned long long n_drops_buffer_other_interest_exit;
unsigned long long n_drops_buffer_close_exit;
unsigned long long n_drops_buffer_proc_exit;
unsigned long long n_drops_scratch_map; /* Number of kernel side scratch map drops. */
unsigned long long n_drops_pf; /* Number of kernel side page faults drops (invalid memory access). */
unsigned long long n_drops_bug; /* Number of kernel side bug drops (invalid condition in the kernel instrumentation). */
Expand Down
44 changes: 14 additions & 30 deletions driver/main.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -591,7 +591,7 @@ static int ppm_release(struct inode *inode, struct file *filp)
goto cleanup_release;
}

vpr_info("closing ring %d, consumer:%p evt:%llu, dr_buf:%llu, dr_buf_clone_fork_e:%llu, dr_buf_clone_fork_x:%llu, dr_buf_execve_e:%llu, dr_buf_execve_x:%llu, dr_buf_connect_e:%llu, dr_buf_connect_x:%llu, dr_buf_open_e:%llu, dr_buf_open_x:%llu, dr_buf_dir_file_e:%llu, dr_buf_dir_file_x:%llu, dr_buf_other_e:%llu, dr_buf_other_x:%llu, dr_pf:%llu, pr:%llu, cs:%llu\n",
vpr_info("closing ring %d, consumer:%p evt:%llu, dr_buf:%llu, dr_buf_clone_fork_e:%llu, dr_buf_clone_fork_x:%llu, dr_buf_execve_e:%llu, dr_buf_execve_x:%llu, dr_buf_connect_e:%llu, dr_buf_connect_x:%llu, dr_buf_open_e:%llu, dr_buf_open_x:%llu, dr_buf_dir_file_e:%llu, dr_buf_dir_file_x:%llu, dr_buf_other_e:%llu, dr_buf_other_x:%llu, dr_buf_close_exit:%llu, dr_buf_proc_exit:%llu, dr_pf:%llu, pr:%llu, cs:%llu\n",
ring_no,
consumer_id,
ring->info->n_evts,
Expand All @@ -608,6 +608,8 @@ static int ppm_release(struct inode *inode, struct file *filp)
ring->info->n_drops_buffer_dir_file_exit,
ring->info->n_drops_buffer_other_interest_enter,
ring->info->n_drops_buffer_other_interest_exit,
ring->info->n_drops_buffer_close_exit,
ring->info->n_drops_buffer_proc_exit,
ring->info->n_drops_pf,
ring->info->n_preemptions,
ring->info->n_context_switches);
Expand Down Expand Up @@ -1451,7 +1453,6 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
// enter
case PPME_SYSCALL_OPEN_E:
case PPME_SYSCALL_CREAT_E:
case PPME_SYSCALL_OPENAT_E:
case PPME_SYSCALL_OPENAT_2_E:
case PPME_SYSCALL_OPENAT2_E:
case PPME_SYSCALL_OPEN_BY_HANDLE_AT_E:
Expand All @@ -1465,38 +1466,26 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
case PPME_SYSCALL_LCHOWN_E:
case PPME_SYSCALL_FCHOWN_E:
case PPME_SYSCALL_FCHOWNAT_E:
case PPME_SYSCALL_LINK_E:
case PPME_SYSCALL_LINK_2_E:
case PPME_SYSCALL_LINKAT_E:
case PPME_SYSCALL_LINKAT_2_E:
case PPME_SYSCALL_MKDIR_E:
case PPME_SYSCALL_MKDIR_2_E:
case PPME_SYSCALL_MKDIRAT_E:
case PPME_SYSCALL_MOUNT_E:
case PPME_SYSCALL_UMOUNT_E:
case PPME_SYSCALL_UMOUNT_1_E:
case PPME_SYSCALL_UMOUNT2_E:
case PPME_SYSCALL_RENAME_E:
case PPME_SYSCALL_RENAMEAT_E:
case PPME_SYSCALL_RENAMEAT2_E:
case PPME_SYSCALL_RMDIR_E:
case PPME_SYSCALL_RMDIR_2_E:
case PPME_SYSCALL_SYMLINK_E:
case PPME_SYSCALL_SYMLINKAT_E:
case PPME_SYSCALL_UNLINK_E:
case PPME_SYSCALL_UNLINK_2_E:
case PPME_SYSCALL_UNLINKAT_E:
case PPME_SYSCALL_UNLINKAT_2_E:
ring_info->n_drops_buffer_dir_file_enter++;
break;
case PPME_SYSCALL_CLONE_11_E:
case PPME_SYSCALL_CLONE_16_E:
case PPME_SYSCALL_CLONE_17_E:
case PPME_SYSCALL_CLONE_20_E:
case PPME_SYSCALL_CLONE3_E:
case PPME_SYSCALL_FORK_E:
case PPME_SYSCALL_FORK_20_E:
case PPME_SYSCALL_VFORK_E:
case PPME_SYSCALL_VFORK_20_E:
ring_info->n_drops_buffer_clone_fork_enter++;
break;
Expand All @@ -1507,7 +1496,6 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
case PPME_SOCKET_CONNECT_E:
ring_info->n_drops_buffer_connect_enter++;
break;
case PPME_SYSCALL_BPF_E:
case PPME_SYSCALL_BPF_2_E:
case PPME_SYSCALL_SETPGID_E:
case PPME_SYSCALL_PTRACE_E:
Expand All @@ -1520,10 +1508,12 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
case PPME_SYSCALL_CAPSET_E:
ring_info->n_drops_buffer_other_interest_enter++;
break;
case PPME_PROCEXIT_1_E:
ring_info->n_drops_buffer_proc_exit++;
break;
// exit
case PPME_SYSCALL_OPEN_X:
case PPME_SYSCALL_CREAT_X:
case PPME_SYSCALL_OPENAT_X:
case PPME_SYSCALL_OPENAT_2_X:
case PPME_SYSCALL_OPENAT2_X:
case PPME_SYSCALL_OPEN_BY_HANDLE_AT_X:
Expand All @@ -1537,38 +1527,26 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
case PPME_SYSCALL_LCHOWN_X:
case PPME_SYSCALL_FCHOWN_X:
case PPME_SYSCALL_FCHOWNAT_X:
case PPME_SYSCALL_LINK_X:
case PPME_SYSCALL_LINK_2_X:
case PPME_SYSCALL_LINKAT_X:
case PPME_SYSCALL_LINKAT_2_X:
case PPME_SYSCALL_MKDIR_X:
case PPME_SYSCALL_MKDIR_2_X:
case PPME_SYSCALL_MKDIRAT_X:
case PPME_SYSCALL_MOUNT_X:
case PPME_SYSCALL_UMOUNT_X:
case PPME_SYSCALL_UMOUNT_1_X:
case PPME_SYSCALL_UMOUNT2_X:
case PPME_SYSCALL_RENAME_X:
case PPME_SYSCALL_RENAMEAT_X:
case PPME_SYSCALL_RENAMEAT2_X:
case PPME_SYSCALL_RMDIR_X:
case PPME_SYSCALL_RMDIR_2_X:
case PPME_SYSCALL_SYMLINK_X:
case PPME_SYSCALL_SYMLINKAT_X:
case PPME_SYSCALL_UNLINK_X:
case PPME_SYSCALL_UNLINK_2_X:
case PPME_SYSCALL_UNLINKAT_X:
case PPME_SYSCALL_UNLINKAT_2_X:
ring_info->n_drops_buffer_dir_file_exit++;
break;
case PPME_SYSCALL_CLONE_11_X:
case PPME_SYSCALL_CLONE_16_X:
case PPME_SYSCALL_CLONE_17_X:
case PPME_SYSCALL_CLONE_20_X:
case PPME_SYSCALL_CLONE3_X:
case PPME_SYSCALL_FORK_X:
case PPME_SYSCALL_FORK_20_X:
case PPME_SYSCALL_VFORK_X:
case PPME_SYSCALL_VFORK_20_X:
ring_info->n_drops_buffer_clone_fork_exit++;
break;
Expand All @@ -1579,7 +1557,6 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
case PPME_SOCKET_CONNECT_X:
ring_info->n_drops_buffer_connect_exit++;
break;
case PPME_SYSCALL_BPF_X:
case PPME_SYSCALL_BPF_2_X:
case PPME_SYSCALL_SETPGID_X:
case PPME_SYSCALL_PTRACE_X:
Expand All @@ -1592,6 +1569,9 @@ static inline void drops_buffer_syscall_categories_counters(ppm_event_code event
case PPME_SYSCALL_CAPSET_X:
ring_info->n_drops_buffer_other_interest_exit++;
break;
case PPME_SYSCALL_CLOSE_X:
ring_info->n_drops_buffer_close_exit++;
break;
default:
break;
}
Expand Down Expand Up @@ -2088,7 +2068,7 @@ static int record_event_consumer(struct ppm_consumer_t *consumer,
}

if (MORE_THAN_ONE_SECOND_AHEAD(ns, ring->last_print_time + 1) && !(drop_flags & UF_ATOMIC)) {
vpr_info("consumer:%p CPU:%d, use:%lu%%, ev:%llu, dr_buf:%llu, dr_buf_clone_fork_e:%llu, dr_buf_clone_fork_x:%llu, dr_buf_execve_e:%llu, dr_buf_execve_x:%llu, dr_buf_connect_e:%llu, dr_buf_connect_x:%llu, dr_buf_open_e:%llu, dr_buf_open_x:%llu, dr_buf_dir_file_e:%llu, dr_buf_dir_file_x:%llu, dr_buf_other_e:%llu, dr_buf_other_x:%llu, dr_pf:%llu, pr:%llu, cs:%llu\n",
vpr_info("consumer:%p CPU:%d, use:%lu%%, ev:%llu, dr_buf:%llu, dr_buf_clone_fork_e:%llu, dr_buf_clone_fork_x:%llu, dr_buf_execve_e:%llu, dr_buf_execve_x:%llu, dr_buf_connect_e:%llu, dr_buf_connect_x:%llu, dr_buf_open_e:%llu, dr_buf_open_x:%llu, dr_buf_dir_file_e:%llu, dr_buf_dir_file_x:%llu, dr_buf_other_e:%llu, dr_buf_other_x:%llu, dr_buf_close_exit:%llu, dr_buf_proc_exit:%llu, dr_pf:%llu, pr:%llu, cs:%llu\n",
consumer->consumer_id,
smp_processor_id(),
(usedspace * 100) / consumer->buffer_bytes_dim,
Expand All @@ -2106,6 +2086,8 @@ static int record_event_consumer(struct ppm_consumer_t *consumer,
ring_info->n_drops_buffer_dir_file_exit,
ring_info->n_drops_buffer_other_interest_enter,
ring_info->n_drops_buffer_other_interest_exit,
ring->info->n_drops_buffer_close_exit,
ring->info->n_drops_buffer_proc_exit,
ring_info->n_drops_pf,
ring_info->n_preemptions,
ring->info->n_context_switches);
Expand Down Expand Up @@ -2620,6 +2602,8 @@ static void reset_ring_buffer(struct ppm_ring_buffer_context *ring)
ring->info->n_drops_buffer_dir_file_exit = 0;
ring->info->n_drops_buffer_other_interest_enter = 0;
ring->info->n_drops_buffer_other_interest_exit = 0;
ring->info->n_drops_buffer_close_exit = 0;
ring->info->n_drops_buffer_proc_exit = 0;
ring->info->n_drops_pf = 0;
ring->info->n_preemptions = 0;
ring->info->n_context_switches = 0;
Expand Down
Loading