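Preface
This article is only a record of my first steps in learning XDP. My skill level is low, so use it at your own discretion!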
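1. Environment setup
The virtual machine I use runs CentOS 7 with kernel version Linux 5.4.215-1.el7.elrepo.x86_64. A number of dependencies have to be installed before starting.
Libbpf simplifies the development and loading of BPF programs. The libbpf library is part of the kernel tree under tools/lib/bpf, but Facebook engineers maintain a standalone build on GitHub at https://github.com/libbpf/libbpf.
The main dependencies are libbpf, llvm, clang and libelf. LLVM+clang compiles our restricted C program into BPF bytecode, which is stored in an ELF object file (libelf); libbpf then loads that file into the kernel through the bpf system call. These dependencies are described in detail in "XDP dependency installation".
The LLVM dependency cannot be the old version that the system's yum installs by default; you have to install the latest version yourself. "Compiling and installing LLVM 11.0.0 from source on CentOS 7" describes this in detail. It is a real hassle, but it cannot be skipped (I never want to try it again in this life).
2. Usage steps
I found the XDP packet capture tool I use on GitHub: https://github.com/xdp-project/xdp-tools. After running ./configure, make may run into some problems; the fix is to update libbpf or the kernel version.
Once installation is finished, the xdpdump command can be used from the system terminal to capture packets.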
Usage: xdpdump [options]
XDPDump tool to dump network traffic
Options:
--rx-capture <mode> Capture point for the rx direction (valid values: entry,exit)
-D, --list-interfaces Print the list of available interfaces
-i, --interface <ifname> Name of interface to capture on
--perf-wakeup <events> Wake up xdpdump every <events> packets
-p, --program-names <prog> Specific program to attach to
-s, --snapshot-length <snaplen> Minimum bytes of packet to capture
--use-pcap Use legacy pcap format for XDP traces
-w, --write <file> Write raw packets to pcap file
-x, --hex Print the full packet in hex
-v, --verbose Enable verbose logging (-vv: more verbose)
--version Display version information
-h, --help Show this help
We can use the following command to check whether xdpdump can capture packets on the network interface properly:
# xdpdump -i ens33 -x
[root@blackt xdp-dump]# xdpdump -i ens33 -x
WARNING: Specified interface does not have an XDP program loaded,
capturing in legacy mode!
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
1665970250.034940: packet size 90 bytes, captured 90 bytes on if_name "ens33"
0x0000: 00 50 56 e2 7c 77 00 0c 29 19 39 3f 08 00 45 00 .PV.|w..).9?..E.
0x0010: 00 4c 19 c6 40 00 40 11 52 6b c0 a8 dc 82 c1 b6 .L..@.@.Rk......
0x0020: 6f 8e 89 db 00 7b 00 38 ce b9 23 00 09 20 00 00 o....{.8..#.. ..
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0050: 00 00 81 70 fe 4f 90 56 9c 0f ...p.O.V..
1665970252.611616: packet size 90 bytes, captured 90 bytes on if_name "ens33"
0x0000: 00 50 56 e2 7c 77 00 0c 29 19 39 3f 08 00 45 00 .PV.|w..).9?..E.
0x0010: 00 4c f2 04 40 00 40 11 f6 8e c0 a8 dc 82 4e 2e .L..@.@.......N.
0x0020: 66 b4 b8 65 00 7b 00 38 52 57 23 00 07 20 00 00 f..e.{.8RW#.. ..
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0050: 00 00 0b 7d 49 7a d6 d5 19 32 ...}Iz...2
1665970252.933547: packet size 90 bytes, captured 90 bytes on if_name "ens33"
0x0000: 00 0c 29 19 39 3f 00 50 56 e2 7c 77 08 00 45 00 ..).9?.PV.|w..E.
0x0010: 00 4c 8f a4 00 00 80 11 58 ef 4e 2e 66 b4 c0 a8 .L......X.N.f...
0x0020: dc 82 00 7b b8 65 00 38 72 9e 24 03 07 e6 00 00 ...{.e.8r.$.....
0x0030: 02 36 00 00 04 6a 38 01 81 ec e6 f7 2e 0b ca 34 .6...j8........4
0x0040: 88 ae 0b 7d 49 7a d6 d5 19 32 e6 f7 2e cc b9 6a ...}Iz...2.....j
0x0050: af 3f e6 f7 2e cc b9 6b 9a f6 .?.....k..
1665970255.048272: packet size 42 bytes, captured 42 bytes on if_name "ens33"
0x0000: 00 50 56 e2 7c 77 00 0c 29 19 39 3f 08 06 00 01 .PV.|w..).9?....
0x0010: 08 00 06 04 00 01 00 0c 29 19 39 3f c0 a8 dc 82 ........).9?....
0x0020: 00 00 00 00 00 00 c0 a8 dc 02 ..........
1665970255.048662: packet size 60 bytes, captured 60 bytes on if_name "ens33"
0x0000: 00 0c 29 19 39 3f 00 50 56 e2 7c 77 08 06 00 01 ..).9?.PV.|w....
0x0010: 08 00 06 04 00 02 00 50 56 e2 7c 77 c0 a8 dc 02 .......PV.|w....
0x0020: 00 0c 29 19 39 3f c0 a8 dc 82 00 00 00 00 00 00 ..).9?..........
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00 ............
1665970259.403261: packet size 90 bytes, captured 90 bytes on if_name "ens33"
0x0000: 00 50 56 e2 7c 77 00 0c 29 19 39 3f 08 00 45 00 .PV.|w..).9?..E.
0x0010: 00 4c a6 f7 40 00 40 11 8b 63 c0 a8 dc 82 a2 9f .L..@.@..c......
0x0020: c8 7b da a5 00 7b 00 38 08 90 23 00 09 20 00 00 .{...{.8..#.. ..
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0050: 00 00 8c a9 98 e9 1f 8f 1b f4 ..........
1665970260.205514: packet size 90 bytes, captured 90 bytes on if_name "ens33"
0x0000: 00 50 56 e2 7c 77 00 0c 29 19 39 3f 08 00 45 00 .PV.|w..).9?..E.
0x0010: 00 4c f6 fa 40 00 40 11 4f 76 c0 a8 dc 82 5b ec .L..@.@.Ov....[.
0x0020: fb 18 a0 fa 00 7b 00 38 f4 79 23 00 07 20 00 00 .....{.8.y#.. ..
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0050: 00 00 e8 22 cc 90 cd db 92 db ..."......
^C
7 packets captured
0 packets dropped by kernel
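The following Python script is an added example, not code from the original post or from xdp-tools: it rebuilds each frame from `xdpdump -x` text and decodes the Ethernet, IPv4 and UDP headers. The function names `parse_xdpdump_hex` and `summarize` are hypothetical, and the sample input is two packets copied from the output above.

```python
import re
import struct

HEADER = re.compile(r'^(\d+\.\d+): packet size \d+ bytes, captured (\d+) bytes on if_name "([^"]+)"')

def parse_xdpdump_hex(text):
    """Hypothetical helper: [(timestamp, ifname, frame)] from `xdpdump -x` text."""
    packets = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            packets.append([float(m[1]), m[3], int(m[2]), b""])
        elif packets and line.strip().startswith("0x"):
            pkt = packets[-1]
            # Take only the bytes still owed; the rest of the line is the ASCII column.
            need = max(0, min(16, pkt[2] - len(pkt[3])))
            pkt[3] += bytes.fromhex("".join(line.split()[1:1 + need]))
    return [(ts, ifname, data) for ts, ifname, _, data in packets]

def summarize(frame):
    """Hypothetical helper: decode Ethernet, then IPv4/UDP, checking length first."""
    if len(frame) < 14:
        return "truncated"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800 or len(frame) < 34:
        return {0x0806: "ARP"}.get(ethertype, f"ethertype 0x{ethertype:04x}")
    l4 = 14 + (frame[14] & 0x0F) * 4          # IHL gives the IPv4 header length
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
    if frame[23] != 17 or len(frame) < l4 + 4:
        return f"IPv4 {src} > {dst} proto {frame[23]}"
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return f"UDP {src}:{sport} > {dst}:{dport}"

# Sample input: two packets copied from the xdpdump -x output above.
SAMPLE = """\
1665970250.034940: packet size 90 bytes, captured 90 bytes on if_name "ens33"
0x0000: 00 50 56 e2 7c 77 00 0c 29 19 39 3f 08 00 45 00 .PV.|w..).9?..E.
0x0010: 00 4c 19 c6 40 00 40 11 52 6b c0 a8 dc 82 c1 b6 .L..@.@.Rk......
0x0020: 6f 8e 89 db 00 7b 00 38 ce b9 23 00 09 20 00 00 o....{.8..#.. ..
0x0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0050: 00 00 81 70 fe 4f 90 56 9c 0f ...p.O.V..
1665970255.048272: packet size 42 bytes, captured 42 bytes on if_name "ens33"
0x0000: 00 50 56 e2 7c 77 00 0c 29 19 39 3f 08 06 00 01 .PV.|w..).9?....
0x0010: 08 00 06 04 00 01 00 0c 29 19 39 3f c0 a8 dc 82 ........).9?....
0x0020: 00 00 00 00 00 00 c0 a8 dc 02 ..........
"""
for ts, ifname, frame in parse_xdpdump_hex(SAMPLE):
    print(ts, ifname, summarize(frame))
```

The captured length in each header line decides how many tokens are treated as bytes, so an ASCII column that happens to contain two hex-looking characters is never mistaken for packet data.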
To view the virtual machine's network interfaces, use the ifconfig command:
[root@blackt xdp-dump]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.220.130 netmask 255.255.255.0 broadcast 192.168.220.255
inet6 fe80::799b:3fe5:9280:995 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:19:39:3f txqueuelen 1000 (Ethernet)
RX packets 436 bytes 252075 (246.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 380 bytes 36705 (35.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 56 bytes 4536 (4.4 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 56 bytes 4536 (4.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:87:ec:19 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
To write the captured packets to a pcap file, use the following command:
#xdpdump -i ens33 --use-pcap -w capture
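--use-pcap makes xdpdump use the legacy pcap format for XDP traces. By default it uses the PcapNG format so that it can store various metadata.
-w stores the data in the file named capture.
Opening the captured pcap file in Wireshark shows that the packets were indeed captured.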
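The difference between the two file formats is visible in the first four bytes of the capture. The Python script below is an added example, not code from the original post or from xdp-tools: it tells legacy pcap from PcapNG by magic number and walks the records of a legacy pcap with bounds checks. The names `capture_format` and `read_pcap` are hypothetical, and the sample file is constructed in memory from the 42-byte ARP request shown in the xdpdump output earlier.

```python
import struct

# Legacy pcap magic as it appears on disk -> struct byte-order prefix.
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond stamps
              b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond stamps
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"  # PcapNG Section Header Block type

def capture_format(data):
    """Hypothetical helper: classify a capture by its first four bytes."""
    if data[:4] == PCAPNG_SHB:
        return "pcapng"
    return "pcap" if data[:4] in PCAP_MAGIC else "unknown"

def read_pcap(data):
    """Hypothetical helper: (linktype, [(ts_sec, ts_frac, orig_len, frame)])."""
    order = PCAP_MAGIC.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a legacy pcap file")
    linktype = struct.unpack(order + "I", data[20:24])[0]
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        sec, frac, incl, orig = struct.unpack(order + "4I", data[off:off + 16])
        off += 16
        if off + incl > len(data):      # never trust incl_len from the file
            raise ValueError("record runs past end of file")
        records.append((sec, frac, orig, data[off:off + incl]))
        off += incl
    return linktype, records

# Constructed sample: a little-endian pcap holding the 42-byte ARP request
# from the xdpdump output above (linktype 1 = Ethernet, snaplen 262144).
ARP = bytes.fromhex("005056e27c77000c2919393f08060001080006040001"
                    "000c2919393fc0a8dc82000000000000c0a8dc02")
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
               + struct.pack("<4I", 1665970255, 48272, len(ARP), len(ARP)) + ARP)

linktype, records = read_pcap(SAMPLE_PCAP)
print(capture_format(SAMPLE_PCAP), linktype, len(records), len(records[0][3]))
```

On a real file, pass `open("capture", "rb").read()` to `capture_format` first; a result of "pcapng" means the capture was written without --use-pcap.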
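With that, things are more or less complete (though perhaps not quite so complete).
Summary
Because this stretched over such a long time, I cannot immediately recall many of the points where I got stuck. If you run into problems along the way, please contact me promptly. I am only a beginner myself and will do my best to discuss things with everyone, so thank you for your understanding!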