use tcp_connect kprobe to get tcp handshake packets #861
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
yanivagman
reviewed
Aug 2, 2021
021c630 to
e6cd85d
Compare
yanivagman
approved these changes
Aug 3, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
using kprobe tcp_connect, in order to capture tcp SYN and SYN-ACK packets.
this internal kernel function is a good place to identify outgoing tcp connections:
we no longer have use of the tcp states TCP_SYN_SENT and TCP_ESTABLISHED in the inet_sock_set_state tracepoint - this is because these states were only used to capture outgoing tcp connections.
TCP_LISTEN is still needed because it is used to capture incoming tcp connections.
TCP_CLOSE is now used for both outgoing and incoming tcp connections, but we have to update sock_ctx_map in tcp_connect, so we can remove this network flow from network_map on TCP_CLOSE state.