snapshots.go

package main

import (
	"encoding/binary"
	"fmt"
	"log"

	"github.com/cilium/ebpf"
	"github.com/cilium/ebpf/perf"
	"github.com/google/gopacket"
	"github.com/google/gopacket/layers"
)

const (
	bpfMapPath = "/sys/fs/bpf/tc/globals"
)

const (
	PP_PACKET_ETHER = iota
	PP_PACKET_IP4
	PP_PACKET_IP6
	PP_DATA
)

func handle(buf []byte) {
	var packet gopacket.Packet

	if binary.BigEndian.Uint16(buf[0:]) != 0xabed {
		log.Printf("[martian]")
		return
	}

	if len(buf) < 6 {
		log.Printf("[truncated]")
		return
	}

	switch buf[2] {
	case PP_PACKET_ETHER:
		packet = gopacket.NewPacket(buf[6:], layers.LayerTypeEthernet, gopacket.Default)

	case PP_PACKET_IP4:
		packet = gopacket.NewPacket(buf[6:], layers.LayerTypeIPv4, gopacket.Default)

	case PP_PACKET_IP6:
		packet = gopacket.NewPacket(buf[6:], layers.LayerTypeIPv6, gopacket.Default)

	case PP_DATA:
		if len(buf) < 68 {
			log.Printf("[truncated data]")
			return
		}

		log.Printf(`flags: %x
a0: %0.8x a4: %0.8x
a1: %0.8x a5: %0.8x
a2: %0.8x a6: %0.8x
a3: %0.8x a7: %0.8x
`, buf[3],
			binary.LittleEndian.Uint64(buf[4+(0*8):]),
			binary.LittleEndian.Uint64(buf[4+(4*8):]),
			binary.LittleEndian.Uint64(buf[4+(1*8):]),
			binary.LittleEndian.Uint64(buf[4+(5*8):]),
			binary.LittleEndian.Uint64(buf[4+(2*8):]),
			binary.LittleEndian.Uint64(buf[4+(6*8):]),
			binary.LittleEndian.Uint64(buf[4+(3*8):]),
			binary.LittleEndian.Uint64(buf[4+(7*8):]))
		return
	}

	log.Printf("\n%s", packet.Dump())
}

func main() {
	bmap, err := ebpf.LoadPinnedMap(fmt.Sprintf("%s/perf_map", bpfMapPath))
	if err != nil {
		log.Fatalf("can't load map \"%s/incoming_ip_map\": %s", bpfMapPath, err)
	}

	reader, err := perf.NewReader(bmap, 4096*10)
	if err != nil {
		log.Fatalf("can't read perf: %s", err)
	}

	for {
		rec, err := reader.Read()
		if err != nil {
			log.Printf("can't read: %s", err)
			continue
		}

		handle(rec.RawSample)
	}

}