snoop

package
v0.0.0-...-213dce7 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 4, 2026 License: Apache-2.0 Imports: 35 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	FieldPID = iota
	FieldPNAME
	FieldLAT
	FieldTYPE
	FieldQNAME
	FieldRCODE
	FieldRIP
	FieldQTIME
	FieldRTIME
	FieldTID
	FieldCMDLINE
	FieldQADDR
	FieldRADDR
	FieldSTACK
)

Field constants

View Source 
const UNK = "UNK"

UNK string to be displayed for unknown info

Variables

View Source 
var FieldToMeta = map[FieldID]FieldMeta{
	FieldPID:     {"PID", "%-7v "},
	FieldPNAME:   {"PNAME", "%-15v "},
	FieldLAT:     {"LAT", "%-5v "},
	FieldTYPE:    {"TYPE", "%-5v "},
	FieldQNAME:   {"QNAME", "%-80v "},
	FieldRCODE:   {"RCODE", "%-8v "},
	FieldRIP:     {"RIP", "%-40v "},
	FieldQTIME:   {"QTIME", "%-16v "},
	FieldRTIME:   {"RTIME", "%-16v "},
	FieldTID:     {"TID", "%-7v "},
	FieldCMDLINE: {"CMDLINE", "%-120v "},
	FieldQADDR:   {"QADDR", "%-40v "},
	FieldRADDR:   {"RADDR", "%-40v "},
	FieldSTACK:   {"STACK", "%-40v "},
}

FieldToMeta maps fields to metadata

View Source 
var PortToProtocol = map[PortNr]string{
	// contains filtered or unexported fields
}

PortToProtocol maps port to protocol string

Functions

func AllFieldNames 

func AllFieldNames() []string

AllFieldNames returns list of all acceptable field names

func DisplayHeader 

func DisplayHeader(fields []FieldID) string

DisplayHeader displays the header the field list

func MBtoB 

func MBtoB(b int) int

MBtoB converts megabytes to bytes

func Run 

func Run(c *Config) error

Run setups and starts BPF filter and BPF probe

func SetBPFFilter 

func SetBPFFilter(h *afpacket.TPacket, filter string, snapLen int) error

SetBPFFilter translates a BPF filter string into BPF RawInstruction and applies them.

func StartNetTop 

func StartNetTop(refreshChan <-chan map[UniqueDNS]*DisplayInfo, stopChan chan<- bool, refTime time.Duration)

StartNetTop is the nettop stdout handler

func StartTopLike 

func StartTopLike(refreshChan <-chan *ToplikeData, stopChan chan<- bool, refTime time.Duration)

StartTopLike is the toplike stdout handler

Types

type Config 

type Config struct {
	Host           HostData
	LogLevel       string
	Interface      string
	Port           int
	FilterDebug    bool
	ProbeDebug     bool
	RingSizeMB     int
	CleanPeriod    time.Duration
	Fields         string
	ExporterListen string
	Exporter       bool
	Detailed       bool
	Toplike        bool
	NetTop         bool
	Sqllike        bool
	Csv            string
	Where          string
	Orderby        string
	Groupby        string
}

Config contains data needed for setup

type Consumer 

type Consumer struct {
	Config *Config
	Fields []FieldID
	// contains filtered or unexported fields
}

Consumer listens on both probe and filter queues

func (*Consumer) CleanDisplayMap 

func (c *Consumer) CleanDisplayMap()

CleanDisplayMap displays to stdout the attribute displayMap

func (*Consumer) Setup 

func (c *Consumer) Setup()

Setup initializes Consumer queues and maps

func (*Consumer) Watch 

func (c *Consumer) Watch()

Watch listens on Consumer queues

type DNSDecoder 

type DNSDecoder struct {
	// contains filtered or unexported fields
}

DNSDecoder used to decode DNS raw packets

func (*DNSDecoder) BPFrule 

func (d *DNSDecoder) BPFrule() string

BPFrule for DNS

func (*DNSDecoder) DstAddr 

func (d *DNSDecoder) DstAddr() (net.IP, error)

DstAddr returns destination address of the packet

func (*DNSDecoder) DstPort 

func (d *DNSDecoder) DstPort() (int, error)

DstPort returns destination port of the packet

func (*DNSDecoder) Header 

func (d *DNSDecoder) Header() []string

Header returns DNS specific data headers

func (*DNSDecoder) Print 

func (d *DNSDecoder) Print()

Print displays on stdout info about the packet Debug purposes

func (*DNSDecoder) Row 

func (d *DNSDecoder) Row() ([]string, error)

Row returns values ordered by fields in Header

func (*DNSDecoder) SrcAddr 

func (d *DNSDecoder) SrcAddr() (net.IP, error)

SrcAddr returns source address of the packet

func (*DNSDecoder) SrcPort 

func (d *DNSDecoder) SrcPort() (int, error)

SrcPort returns source port of the packet

func (*DNSDecoder) Unmarshal 

func (d *DNSDecoder) Unmarshal(data []byte) error

Unmarshal populates the struct with specific DNS data

func (*DNSDecoder) Valid 

func (d *DNSDecoder) Valid() bool

Valid is true if the DNSDecoder contains a DNS packet

type DisplayInfo 

type DisplayInfo struct {
	ProcInfo
	// contains filtered or unexported fields
}

DisplayInfo stores data about a complete match between (DNS query, DNS response, calling process)

func (*DisplayInfo) DetailedString 

func (d *DisplayInfo) DetailedString() string

DetailedString returns a dig like string

func (*DisplayInfo) FieldValue 

func (d *DisplayInfo) FieldValue(field FieldID) string

FieldValue returns the string of a field in displayinfo

func (*DisplayInfo) String 

func (d *DisplayInfo) String() string

String returns the string containing only the fields specified

type EnhancedProbeData 

type EnhancedProbeData struct {
	// Tgid is the thread group id
	Tgid uint32
	// Pid is the process id
	Pid uint32
	// // Comm is the task comm
	Comm [commLength]byte
	// // Cmdline is the process cmdline
	Cmdline [cmdlineLength]byte
	// SockPortNr is the socket number used to send_msg
	SockPortNr int32
	// FnID is the identifier of the function
	FnID uint8
	// Stack is the stack trace
	Stack []string
}

EnhancedProbeData is an extended version of the ProbeEventData struct populated with data from kernel which is then later enhanced by comm and cmdline by the userspace code

type FieldID 

type FieldID int

FieldID label for field

func FieldFromString 

func FieldFromString(field string) (FieldID, error)

FieldFromString returns FieldID from a string input

func ParseFields 

func ParseFields(fieldString string) ([]FieldID, error)

ParseFields parses a comma separated string to a list of FieldID ex: "PNAME,PID,TYPE" -> [1,0,3]

type FieldMeta 

type FieldMeta struct {
	Title  string
	Format string
}

FieldMeta describes the data format for each field

type Filter 

type Filter struct {
	Rule       string
	Interface  string
	Debug      bool
	RingSizeMB int
	// contains filtered or unexported fields
}

Filter is the BPF filter + Packet MMAPer used to receive and read packets in UserSpace.

func (*Filter) Run 

func (f *Filter) Run(decoder RawDecoder, ch chan<- *FilterDTO) error

Run is used to start reading the packets received by BPF

func (*Filter) Setup 

func (f *Filter) Setup() error

Setup used to set the BPF Filter and map the ring buffer in memory

type FilterDTO 

type FilterDTO struct {
	Timestamp int64
	SrcPort   uint16
	SrcAddr   net.IP
	DstPort   uint16
	DstAddr   net.IP
	DNS       *layers.DNS
}

FilterDTO is a data transfer object used to communicate between filter and consumer

type FnID 

type FnID uint8

FnID identifier for function names

type HostData 

type HostData struct {
	Name   string
	Prefix string
}

HostData stores data about the host machine

type NetTopData 

type NetTopData struct {
	// addr to row
	Rows map[string]*NetTopRow
	// contains filtered or unexported fields
}

NetTopData contains the entire nettop display table

type NetTopRow 

type NetTopRow struct {
	QueryAddr    string
	ResponseAddr string

	DNS   percentField
	NXDOM percentField
	NOERR percentField
	SERVF percentField
	A     percentField
	AAAA  percentField
	PTR   percentField
	// contains filtered or unexported fields
}

NetTopRow contains data about each row in nettop display

type NetTopState 

type NetTopState struct {
	// contains filtered or unexported fields
}

NetTopState is the current state of the interactive env

type PortNr 

type PortNr uint16

PortNr is a type for port number

type Probe 

type Probe struct {
	Port  int
	Debug bool
	// contains filtered or unexported fields
}

Probe is the BPF handler which attaches kprobes to kernel functions It receives kernel data each time one of these functions is called

func (*Probe) Run 

func (p *Probe) Run(ch chan<- *ProbeDTO) error

Run is used to setup and listen for probe events To avoid kernel memory leaks, the Run method will setup the bpfModule, and defer the Close method

type ProbeDTO 

type ProbeDTO struct {
	ProbeData EnhancedProbeData
}

ProbeDTO is a data transfer object used to communicate between probe and consumer

type ProbeEventData 

type ProbeEventData struct {
	UserStack [maxStackRawtp]uint64
	// Tgid is the thread group id
	Tgid uint32
	// Pid is the process id
	Pid uint32
	// SockPortNr is the socket number used to send_msg
	SockPortNr int32
	//
	UserStackSize int32
	// FnID is the identifier of the function
	FnID uint8
}

ProbeEventData is a struct populated with data from kernel It must match the struct in the BPF program

type ProcInfo 

type ProcInfo struct {
	// contains filtered or unexported fields
}

ProcInfo stores data about a process

type RawDecoder 

type RawDecoder interface {
	// Unmarshal populates the struct of the specific packet
	Unmarshal([]byte) error

	// DstPort returns destination port of the packet
	DstPort() (int, error)

	// DstAddr returns destination address of the packet
	DstAddr() (net.IP, error)

	// SrcPort returns source port of the packet
	SrcPort() (int, error)

	// SrcAddr returns source address of the packet
	SrcAddr() (net.IP, error)

	// Header returns the titles for a specific port
	Header() []string

	// Row returns data about the packet in the same order as Header
	Row() ([]string, error)

	// BPFrule returns the bpf filter in bpf format
	BPFrule() string

	// Valid returns true if the packet contains valid data, false otherwise
	Valid() bool
}

RawDecoder used to decode raw packets, starting with Eth layer DstPort and SrcPort are used to compute latency on a specific port Header and Row are used to print specific data for different protocols

func RawDecoderByType 

func RawDecoderByType(pktType string) (RawDecoder, error)

RawDecoderByType factory method used to return a specific type of RawDecoder To add a new packet type: add a new case & add a new struct that implements RawDecoder methods

type SqllikeData 

type SqllikeData struct {
	Where   string
	Orderby string
	Groupby string
	Df      df.DataFrame
}

SqllikeData used to store filtering information and the dataframe table

func (*SqllikeData) Print 

func (s *SqllikeData) Print(path string)

Print used to display on stdout the dataframe

func (*SqllikeData) Setup 

func (s *SqllikeData) Setup(m []map[string]interface{})

Setup used to create dataframe from list of maps

func (*SqllikeData) SolveGroupby 

func (s *SqllikeData) SolveGroupby()

SolveGroupby groups columns based on the groupby list

func (*SqllikeData) SolveOrderby 

func (s *SqllikeData) SolveOrderby()

SolveOrderby sorts data based on the Orderby priority list ex: QNAME;-LATENCY means first sort by qname then reverse sort by latency

func (*SqllikeData) SolveWhere 

func (s *SqllikeData) SolveWhere()

SolveWhere filters the data based on the Where list ex: PNAME=smcc;LATENCY>200 means display only rows with PNAME = smcc and latency > 200 microseconds

type ToplikeData 

type ToplikeData struct {
	// PID to row
	Rows map[int]*ToplikeRow
	// contains filtered or unexported fields
}

ToplikeData contains the entire toplike display table

type ToplikeRow 

type ToplikeRow struct {
	PID  int
	Comm string

	DNS   percentField
	NXDOM percentField
	NOERR percentField
	SERVF percentField
	A     percentField
	AAAA  percentField
	PTR   percentField
	// contains filtered or unexported fields
}

ToplikeRow contains data about each row in toplike display

type ToplikeState 

type ToplikeState struct {
	// contains filtered or unexported fields
}

ToplikeState is the current state of the interactive env

type UniqueDNS 

type UniqueDNS struct {
	// contains filtered or unexported fields
}

UniqueDNS uniquely identifies DNS pair query-response

Source Files

View all Source files

Directories

Path Synopsis
Package blazesym provides a CGO wrapper around the Blazesym library.
 Package blazesym provides a CGO wrapper around the Blazesym library.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.