On 11 Mar 2025, at 16:01, Eelco Chaudron wrote:

> On 27 Feb 2025, at 18:23, Adrian Moreno wrote:
>
>> Use pcapng instead of pcap format and store the result, the key (if
>> available) and the input port name so they are visible in
>> wireshark/tshark.
>>
>> Signed-off-by: Adrian Moreno <amore...@redhat.com>
>
> Some minor comments below.

Did some testing and the port number does not seem to be part of the capture.

./upcall_monitor.py -d decode -k nlraw -r error -w error.pcap

$ tshark -r error.pcap -V
Packet comments
    cpu=18 comm=ksoftirqd/18 pid=128 upcall_type=1 result=-11

        [Expert Info (Comment/Comment): cpu=18 comm=ksoftirqd/18 pid=128 
upcall_type=1 result=-11
]
            [cpu=18 comm=ksoftirqd/18 pid=128 upcall_type=1 result=-11
]
            [Severity level: Comment]
            [Group: Comment]
Frame 1: 1496 bytes on wire (11968 bits), 64 bytes captured (512 bits) on 
interface unknown, id 0
    Interface id: 0 (unknown)
        Interface name: unknown
                        ^^^^^^^

>> ---
>>  utilities/usdt-scripts/upcall_monitor.py | 53 +++++++++++++++++++-----
>>  1 file changed, 42 insertions(+), 11 deletions(-)
>>
>> diff --git a/utilities/usdt-scripts/upcall_monitor.py 
>> b/utilities/usdt-scripts/upcall_monitor.py
>> index a1adeee0a..77378751f 100755
>> --- a/utilities/usdt-scripts/upcall_monitor.py
>> +++ b/utilities/usdt-scripts/upcall_monitor.py
>> @@ -118,7 +118,12 @@
>>
>>  from bcc import BPF, USDT, USDTException
>>  from os.path import exists
>> -from scapy.all import hexdump, wrpcap
>> +try:
>> +    # Try using pcapng support from scapy >= 2.4.
>> +    from scapy.all import hexdump, PcapNgWriter
>> +except ImportError:
>> +    from scapy.all import hexdump, wrpcap
>> +
>>  from scapy.layers.l2 import Ether
>>
>>  from usdt_lib import DpPortMapping
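Review bot: The fallback leaves `PcapNgWriter` undefined on old scapy and `wrpcap` undefined on new scapy, and the last hunk then wraps the whole write path in `except NameError` to choose between them. Any other unbound name inside that `try` (for example `port`, which is assigned outside the visible lines) would be caught too, and the handler would then call `wrpcap`, which was never imported on the pcapng path, so the real error ends up buried under a second NameError. Import `wrpcap` unconditionally, set `PcapNgWriter = None` in the `except ImportError` branch, and test `if PcapNgWriter is not None:` in print_event instead of catching NameError.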
>> @@ -282,40 +287,48 @@ int kretprobe__ovs_dp_upcall(struct pt_regs *ctx)
>>  #endif
>>  """
>>
>> +pcap_writer = None
>> +
>>
>>  #
>>  # print_key()
>>  #
>>  def print_key(event, decode_dump):
>
> As this is no longer printing a key, I would change it to format_key().
>
>> +    lines = []
>>      if event.key_size < options.flow_key_size:
>>          key_len = event.key_size
>>      else:
>>          key_len = options.flow_key_size
>>
>>      if not key_len:
>> -        return
>> +        return []
>>
>>      if options.flow_key_decode != 'none':
>> -        print("  Flow key size {} bytes, size captured {} bytes.".
>> -              format(event.key_size, key_len))
>> +        lines.append("  Flow key size {} bytes, size captured {} bytes.".
>> +                     format(event.key_size, key_len))
>>
>>      if options.flow_key_decode == 'hex':
>>          #
>>          # Abuse scapy's hex dump to dump flow key
>>          #
>> -        print(re.sub('^', ' ' * 4, 
>> hexdump(Ether(bytes(event.key)[:key_len]),
>> -                                           dump=True),
>> -                     flags=re.MULTILINE))
>> +        lines.extend(re.sub('^', ' ' * 4,
>> +            hexdump(
>> +                Ether(bytes(event.key)[:key_len]),
>> +                dump=True),
>> +            flags=re.MULTILINE).split("\n"))
>>
>>      if options.flow_key_decode == "nlraw":
>> -        for line in decode_dump:
>> -            print(line)
>> +        lines.extend(decode_dump)
>> +
>> +    return lines
>>
>>
>>  #
>>  # print_event()
>>  #
>>  def print_event(ctx, data, size):
>> +    global pcap_writer
>> +
>>      event = b["events"].event(data)
>>      dp = event.dpif_name.decode("utf-8")
>>
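Review bot: print_key() now returns `[]` when no key was captured, but the pcap branch in the last hunk still appends `"\n" + "\n".join(key_lines)` whenever `flow_key_decode != 'none'`, which leaves a dangling newline in the packet comment. The tshark output quoted earlier in this thread appears to show exactly that (`result=-11` followed by a line break before `]`). Guarding that append with `if key_lines:` would avoid it. The new return contract is also undocumented; a header comment such as `# Returns the flow key as a list of display lines, empty when no key was captured.` would help. print_event's body continues outside this hunk.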
>> @@ -350,7 +363,9 @@ def print_event(ctx, data, size):
>>      #
>>      # Dump flow key information
>>      #
>> -    print_key(event, key_dump)
>> +    key_lines = print_key(event, key_dump)
>> +    for line in key_lines:
>> +        print(line)
>>
>>      #
>>      # Decode packet only if there is data
>> @@ -383,7 +398,23 @@ def print_event(ctx, data, size):
>>          print(re.sub('^', ' ' * 4, packet.show(dump=True), 
>> flags=re.MULTILINE))
>>
>>      if options.pcap is not None:
>> -        wrpcap(options.pcap, packet, append=True, 
>> snaplen=options.packet_size)
>> +        try:
>> +            if pcap_writer is None:
>> +                pcap_writer = PcapNgWriter(options.pcap)
>> +
>> +            comment = "cpu={} comm={} pid={} upcall_type={} result={}". 
>> format(
>
> Adding the time stamp here might also be useful to “quickly” see the 
> inter-packet gap.
>
>> +                event.cpu, event.comm.decode("utf-8"), event.pid,
>> +                event.upcall_type, event.result)
>> +
>> +            if options.flow_key_decode != 'none':
>> +                comment = comment + "\n" + "\n".join(key_lines)
>> +
>> +            packet.comment = comment
>> +            packet.sniffed_on = "{} ({})".format(port, dp)
>> +            pcap_writer.write(packet)
>> +        except NameError:  # PcapNgWriter not found
>> +            wrpcap(options.pcap, packet, append=True,
>> +                   snaplen=options.packet_size)
>>
>>
>>  #
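Review bot: The pcapng path passes neither `append=True` nor `snaplen=options.packet_size`, both of which the removed `wrpcap` call set. `PcapNgWriter(options.pcap)` gets only the file name, so an existing capture at that path is presumably truncated on the first event rather than extended, and the result of `-w` now depends on the installed scapy version. Either document the new behaviour in the `-w` help text or refuse to overwrite an existing file. Separately, `event.comm` is chosen by the task that triggered the upcall and goes into the comment through a strict `decode("utf-8")`; `event.comm.decode("utf-8", "replace")` would keep one odd process name from raising inside the callback. print_event starts outside this hunk.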
>> -- 
>> 2.48.1
>>
>> _______________________________________________
>> dev mailing list
>> d...@openvswitch.org
>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
