Re: [ovs-dev] [PATCH v3 7/8] utilities: upcall_monitor: Add extra info to pcap.

Sat, 05 Apr 2025 10:17:14 -0700 

On Tue, Mar 11, 2025 at 04:06:41PM +0100, Eelco Chaudron wrote:
>
>
> On 11 Mar 2025, at 16:01, Eelco Chaudron wrote:
>
> > On 27 Feb 2025, at 18:23, Adrian Moreno wrote:
> >
> >> Use pcapng instead of pcap format and store the result, the key (if
> >> available) and the input port name so they are visible in
> >> wireshark/tshark.
> >>
> >> Signed-off-by: Adrian Moreno <amore...@redhat.com>
> >
> > Some comments minor below.
>
> Did some testing and the port number does not seem to be part of the capture.
>
> ./upcall_monitor.py -d decode -k nlraw -r error -w error.pcap
>
> $ tshark -r error.pcap -V
> Packet comments
>     cpu=18 comm=ksoftirqd/18 pid=128 upcall_type=1 result=-11
>
>         [Expert Info (Comment/Comment): cpu=18 comm=ksoftirqd/18 pid=128 
> upcall_type=1 result=-11
> ]
>             [cpu=18 comm=ksoftirqd/18 pid=128 upcall_type=1 result=-11
> ]
>             [Severity level: Comment]
>             [Group: Comment]
> Frame 1: 1496 bytes on wire (11968 bits), 64 bytes captured (512 bits) on 
> interface unknown, id 0
>     Interface id: 0 (unknown)
>         Interface name: unknown
>                         ^^^^^^^
>

That's weird, I cannot reproduce it. How did you generate the failed
upcall?


> >> ---
> >>  utilities/usdt-scripts/upcall_monitor.py | 53 +++++++++++++++++++-----
> >>  1 file changed, 42 insertions(+), 11 deletions(-)
> >>
> >> diff --git a/utilities/usdt-scripts/upcall_monitor.py 
> >> b/utilities/usdt-scripts/upcall_monitor.py
> >> index a1adeee0a..77378751f 100755
> >> --- a/utilities/usdt-scripts/upcall_monitor.py
> >> +++ b/utilities/usdt-scripts/upcall_monitor.py
> >> @@ -118,7 +118,12 @@
> >>
> >>  from bcc import BPF, USDT, USDTException
> >>  from os.path import exists
> >> -from scapy.all import hexdump, wrpcap
> >> +try:
> >> +    # Try using pcapng support from scapy >= 2.4.
> >> +    from scapy.all import hexdump, PcapNgWriter
> >> +except ImportError:
> >> +    from scapy.all import hexdump, wrpcap
> >> +
> >>  from scapy.layers.l2 import Ether
> >>
> >>  from usdt_lib import DpPortMapping
> >> @@ -282,40 +287,48 @@ int kretprobe__ovs_dp_upcall(struct pt_regs *ctx)
> >>  #endif
> >>  """
> >>
> >> +pcap_writer = None
> >> +
> >>
> >>  #
> >>  # print_key()
> >>  #
> >>  def print_key(event, decode_dump):
> >
> > As this is no longer printing a key, I would change it to format_key().
> >
> >> +    lines = []
> >>      if event.key_size < options.flow_key_size:
> >>          key_len = event.key_size
> >>      else:
> >>          key_len = options.flow_key_size
> >>
> >>      if not key_len:
> >> -        return
> >> +        return []
> >>
> >>      if options.flow_key_decode != 'none':
> >> -        print("  Flow key size {} bytes, size captured {} bytes.".
> >> -              format(event.key_size, key_len))
> >> +        lines.append("  Flow key size {} bytes, size captured {} bytes.".
> >> +                     format(event.key_size, key_len))
> >>
> >>      if options.flow_key_decode == 'hex':
> >>          #
> >>          # Abuse scapy's hex dump to dump flow key
> >>          #
> >> -        print(re.sub('^', ' ' * 4, 
> >> hexdump(Ether(bytes(event.key)[:key_len]),
> >> -                                           dump=True),
> >> -                     flags=re.MULTILINE))
> >> +        lines.extend(re.sub('^', ' ' * 4,
> >> +            hexdump(
> >> +                Ether(bytes(event.key)[:key_len]),
> >> +                dump=True),
> >> +            flags=re.MULTILINE).split("\n"))
> >>
> >>      if options.flow_key_decode == "nlraw":
> >> -        for line in decode_dump:
> >> -            print(line)
> >> +        lines.extend(decode_dump)
> >> +
> >> +    return lines
> >>
> >>
> >>  #
> >>  # print_event()
> >>  #
> >>  def print_event(ctx, data, size):
> >> +    global pcap_writer
> >> +
> >>      event = b["events"].event(data)
> >>      dp = event.dpif_name.decode("utf-8")
> >>
> >> @@ -350,7 +363,9 @@ def print_event(ctx, data, size):
> >>      #
> >>      # Dump flow key information
> >>      #
> >> -    print_key(event, key_dump)
> >> +    key_lines = print_key(event, key_dump)
> >> +    for line in key_lines:
> >> +        print(line)
> >>
> >>      #
> >>      # Decode packet only if there is data
> >> @@ -383,7 +398,23 @@ def print_event(ctx, data, size):
> >>          print(re.sub('^', ' ' * 4, packet.show(dump=True), 
> >> flags=re.MULTILINE))
> >>
> >>      if options.pcap is not None:
> >> -        wrpcap(options.pcap, packet, append=True, 
> >> snaplen=options.packet_size)
> >> +        try:
> >> +            if pcap_writer is None:
> >> +                pcap_writer = PcapNgWriter(options.pcap)
> >> +
> >> +            comment = "cpu={} comm={} pid={} upcall_type={} result={}". 
> >> format(
> >
> > Adding the time stamp here might also be useful to “quickly” see the 
> > inter-packet gap.
> >
> >> +                event.cpu, event.comm.decode("utf-8"), event.pid,
> >> +                event.upcall_type, event.result)
> >> +
> >> +            if options.flow_key_decode != 'none':
> >> +                comment = comment + "\n" + "\n".join(key_lines)
> >> +
> >> +            packet.comment = comment
> >> +            packet.sniffed_on = "{} ({})".format(port, dp)
> >> +            pcap_writer.write(packet)
> >> +        except NameError:  # PcapNgWriter not found
> >> +            wrpcap(options.pcap, packet, append=True,
> >> +                   snaplen=options.packet_size)
> >>
> >>
> >>  #
> >> --
> >> 2.48.1
> >>
> >> _______________________________________________
> >> dev mailing list
> >> d...@openvswitch.org
> >> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Reply via email to