Re: [ovs-dev] [PATCH v4 7/8] utilities: upcall_monitor: Add extra info to pcap.

Mon, 07 Apr 2025 02:52:09 -0700 

On Fri, Apr 04, 2025 at 12:19:44PM +0200, Eelco Chaudron wrote:
>
>
> On 31 Mar 2025, at 21:27, Adrian Moreno via dev wrote:
>
> > Use pcapng instead of pcap format and store the result, the key (if
> > available) and the input port name so they are visible in
> > wireshark/tshark.
> >
> > Signed-off-by: Adrian Moreno <amore...@redhat.com>
>
> Thanks for fixing the additional comment. I’ll wait for your feedback on 
> patch 3, and apply next week if it receives no further reviews/comments.
>

Thanks.
Adrián

> Cheers,
>
> Eelco
>
> Acked-by: Eelco Chaudron <echau...@redhat.com>
> > ---
> >  utilities/usdt-scripts/upcall_monitor.py | 70 +++++++++++++++++++-----
> >  1 file changed, 56 insertions(+), 14 deletions(-)
> >
> > diff --git a/utilities/usdt-scripts/upcall_monitor.py 
> > b/utilities/usdt-scripts/upcall_monitor.py
> > index a6ad3e5f0..596f66b33 100755
> > --- a/utilities/usdt-scripts/upcall_monitor.py
> > +++ b/utilities/usdt-scripts/upcall_monitor.py
> > @@ -118,9 +118,8 @@
> >
> >  from bcc import BPF, USDT, USDTException
> >  from os.path import exists, join
> > -from scapy.all import hexdump, wrpcap
> > +from scapy import VERSION as scapy_version
> >  from scapy.layers.l2 import Ether
> > -
> >  from usdt_lib import DpPortMapping
> >
> >  import argparse
> > @@ -129,6 +128,19 @@ import re
> >  import struct
> >  import sys
> >
> > +(scapy_mayor, scapy_minor, _) = scapy_version.split(".", 2)
> > +(scapy_mayor, scapy_minor) = (int(scapy_mayor), int(scapy_minor))
> > +
> > +scapy_supports_pcap_iface = False
> > +if scapy_mayor < 2 or (scapy_mayor == 2 and scapy_minor) <= 4:
> > +    from scapy.all import hexdump, wrpcap
> > +else:
> > +    from scapy.all import hexdump, PcapNgWriter
> > +    if scapy_mayor > 2 or (scapy_mayor == 2 and scapy_minor >= 6):
> > +        # Support for setting the iface name in the pcapng file was added 
> > in:
> > +        # 56b4fa4a pcapng enhancements (idb,epb) and some fixes (#4342)
> > +        scapy_supports_pcap_iface = True
> > +
> >  #
> >  # Actual eBPF source code
> >  #
> > @@ -282,40 +294,48 @@ int kretprobe__ovs_dp_upcall(struct pt_regs *ctx)
> >  #endif
> >  """
> >
> > +pcap_writer = None
> > +
> >
> >  #
> > -# print_key()
> > +# format_key()
> >  #
> > -def print_key(event, decode_dump):
> > +def format_key(event, decode_dump):
> > +    lines = []
> >      if event.key_size < options.flow_key_size:
> >          key_len = event.key_size
> >      else:
> >          key_len = options.flow_key_size
> >
> >      if not key_len:
> > -        return
> > +        return []
> >
> >      if options.flow_key_decode != 'none':
> > -        print("  Flow key size {} bytes, size captured {} bytes.".
> > -              format(event.key_size, key_len))
> > +        lines.append("  Flow key size {} bytes, size captured {} bytes.".
> > +                     format(event.key_size, key_len))
> >
> >      if options.flow_key_decode == 'hex':
> >          #
> >          # Abuse scapy's hex dump to dump flow key
> >          #
> > -        print(re.sub('^', ' ' * 4, 
> > hexdump(Ether(bytes(event.key)[:key_len]),
> > -                                           dump=True),
> > -                     flags=re.MULTILINE))
> > +        lines.extend(re.sub('^', ' ' * 4,
> > +            hexdump(
> > +                Ether(bytes(event.key)[:key_len]),
> > +                dump=True),
> > +            flags=re.MULTILINE).split("\n"))
> >
> >      if options.flow_key_decode == "nlraw":
> > -        for line in decode_dump:
> > -            print(line)
> > +        lines.extend(decode_dump)
> > +
> > +    return lines
> >
> >
> >  #
> >  # print_event()
> >  #
> >  def print_event(ctx, data, size):
> > +    global pcap_writer
> > +
> >      event = b["events"].event(data)
> >      dp = event.dpif_name.decode("utf-8")
> >
> > @@ -350,7 +370,9 @@ def print_event(ctx, data, size):
> >      #
> >      # Dump flow key information
> >      #
> > -    print_key(event, key_dump)
> > +    key_lines = format_key(event, key_dump)
> > +    for line in key_lines:
> > +        print(line)
> >
> >      #
> >      # Decode packet only if there is data
> > @@ -383,7 +405,27 @@ def print_event(ctx, data, size):
> >          print(re.sub('^', ' ' * 4, packet.show(dump=True), 
> > flags=re.MULTILINE))
> >
> >      if options.pcap is not None:
> > -        wrpcap(options.pcap, packet, append=True, 
> > snaplen=options.packet_size)
> > +        try:
> > +            if pcap_writer is None:
> > +                pcap_writer = PcapNgWriter(options.pcap)
> > +
> > +            comment = "cpu={} comm={} pid={} upcall_type={} result={}". 
> > format(
> > +                event.cpu, event.comm.decode("utf-8"), event.pid,
> > +                event.upcall_type, event.result)
> > +
> > +            if options.flow_key_decode != 'none':
> > +                comment = comment + "\n" + "\n".join(key_lines)
> > +
> > +            if scapy_supports_pcap_iface:
> > +                packet.sniffed_on = "{} ({})".format(port, dp)
> > +            else:
> > +                comment = "iface={}({}) ".format(port, dp) + comment
> > +
> > +            packet.comment = comment
> > +            pcap_writer.write(packet)
> > +        except NameError:  # PcapNgWriter not found
> > +            wrpcap(options.pcap, packet, append=True,
> > +                   snaplen=options.packet_size)
> >
> >
> >  #
> > --
> > 2.48.1
> >
> > _______________________________________________
> > dev mailing list
> > d...@openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Reply via email to