def bpf_hook_socket(): # initialize BPF - load source code from http-parse-simple.c host_ip, host_port = bpf_tool.convert_host_addr(CONFIG.host_ip) params = { "HOST_IP": hex(host_ip or 0), } bpf_text = bpf_tool.load_bpf_prog(CONFIG.http_filter_ebpf, params) bpf = BPF(text=bpf_text, debug=0) # print(dir(bpf)) # print(bpf.dump_func("my_filter")) #load eBPF program http_filter of type SOCKET_FILTER into the kernel eBPF vm #more info about eBPF program types #http://man7.org/linux/man-pages/man2/bpf.2.html function_http_filter = bpf.load_func(CONFIG.http_ebpf_section, BPF.SOCKET_FILTER) bpf_tool.bpf_dump_func(bpf, CONFIG.http_ebpf_section, CONFIG.http_filter_ebpf) #create raw socket, bind it to interface #attach bpf program to socket created BPF.attach_raw_socket(function_http_filter, CONFIG.net_interface) #get file descriptor of the socket previously created inside BPF.attach_raw_socket socket_fd = function_http_filter.sock #create python socket object, from the file descriptor sock = socket.fromfd(socket_fd, socket.PF_PACKET, socket.SOCK_RAW, socket.IPPROTO_IP) #set it as blocking socket sock.setblocking(True) return bpf, socket_fd
def run(self): # ENABLE THIS PART TO ENABLE SINGLE PACKET MONITOR - END (2/1) bpf_text = self.get_bpf_text_file(self.map_name) self._logger.debug(bpf_text) bpf = BPF(text=bpf_text) # bpf = BPF(src_file="flow_measure.c", cflags=["-w", "-DMAPNAME=%s" % map_name]) function_skb_matching = bpf.load_func("flow_measure", BPF.SOCKET_FILTER) BPF.attach_raw_socket(function_skb_matching, self.networking_port) flow_cnt_table = bpf.get_table(self.map_name) # retrieve packet_cnt map self._logger.info("Measurement Function {} was successfully loaded.".format(self.networking_port)) try: while True: start_time = time.time() flow_tuples = flow_cnt_table.items() if len(flow_tuples) != 0: flow_cnt_table.clear() msgs = self.create_message(flow_tuples) # self._logger.debug(msgs) try: producer = KafkaProducer(bootstrap_servers=[self.kafka_url]) _bucket = [] for msg in msgs: _bucket.append(msg) if len(_bucket) > 5000: producer.send(self.kafka_topic, json.dumps(_bucket).encode('utf-8')) self._logger.info("Measured Flows: {}".format(_bucket)) _bucket.clear() if len(_bucket) > 0: producer.send(self.kafka_topic, json.dumps(_bucket).encode('utf-8')) self._logger.info("Measured Flows: {}".format(_bucket)) _bucket.clear() producer.close() self._logger.info("Send kafka message successfully") except NoBrokersAvailable as noBrokerExt: self._logger.error("Kafka Broker in Security Post is not accessible") end_time = time.time() next_sleep_interval = float(self.setting["output_interval"]) - (end_time - start_time) if next_sleep_interval > 0: time.sleep(float(self.setting["output_interval"])) except KeyboardInterrupt: flow_cnt_table.clear() self._logger.warning("Keyboard Interrupted") exit()
def load_ebpf_program(): print("Loading program into Interface") mode = BPF.SOCKET_FILTER func_name = "colletor" #load eBPF program bpf = BPF(src_file="colletor.c", debug=8) #load function function = bpf.load_func(func_name, mode) #attach functino to network interface bpf.attach_raw_socket(function, interface) return bpf
def loadFilter(program, function): # initialize BPF - load source code from filters/program.c bpf.append(BPF(src_file = "filters/"+program,debug = 0)) #load eBPF program function of type SOCKET_FILTER into the kernel eBPF vm function_mail_filter.append(bpf[-1].load_func(function, BPF.SOCKET_FILTER)) #create raw socket, bind it to interface #attach bpf program to socket created BPF.attach_raw_socket(function_mail_filter[-1], interface) #get file descriptor of the socket previously created inside BPF.attach_raw_socket socket_fd.append(function_mail_filter[-1].sock) #create python socket object, from the file descriptor sock.append(socket.fromfd(socket_fd[-1],socket.PF_PACKET,socket.SOCK_RAW,socket.IPPROTO_IP)) #set it as blocking socket sock[-1].setblocking(True) return socket_fd[-1]
def _init_bpf(self): # initialize BPF - load source code from http-parse-simple.c self._bpf_bytecode = BPF(src_file=self._bpf_file, debug=0) # load eBPF program http_filter of type SOCKET_FILTER into the kernel eBPF vm # more info about eBPF program types http://man7.org/linux/man-pages/man2/bpf.2.html function_ip_filter = self._bpf_bytecode.load_func( self._bpf_func, BPF.SOCKET_FILTER) # create raw socket, bind it to eth0 # attach bpf program to socket created BPF.attach_raw_socket(function_ip_filter, self._target_net_if) # get file descriptor of the socket previously created inside BPF.attach_raw_socket self._socket_fd = function_ip_filter.sock # create python socket object, from the file descriptor self._socket = socket.fromfd(self._socket_fd, socket.PF_PACKET, socket.SOCK_RAW, socket.IPPROTO_IP) # set it as blocking socket self._socket.setblocking(True)
if len(argv) > 3: usage() print("binding socket to '%s'" % interface) # initialize BPF - load source code from http-parse-simple.c bpf = BPF(src_file="http-parse-simple.c", debug=0) #load eBPF program http_filter of type SOCKET_FILTER into the kernel eBPF vm #more info about eBPF program types #http://man7.org/linux/man-pages/man2/bpf.2.html function_http_filter = bpf.load_func("http_filter", BPF.SOCKET_FILTER) #create raw socket, bind it to interface #attach bpf program to socket created BPF.attach_raw_socket(function_http_filter, interface) #get file descriptor of the socket previously created inside BPF.attach_raw_socket socket_fd = function_http_filter.sock #create python socket object, from the file descriptor sock = socket.fromfd(socket_fd, socket.PF_PACKET, socket.SOCK_RAW, socket.IPPROTO_IP) #set it as blocking socket sock.setblocking(True) while 1: #retrieve raw packet from socket packet_str = os.read(socket_fd, 2048) #DEBUG - print raw packet in hex format
def print_skb_event(cpu, data, size): global tester_send class SkbEvent(ct.Structure): # _fields_ = [ ("magic", ct.c_uint32),("magic2", ct.c_uint32)] _fields_ = [("magic", ct.c_uint32)] skb_event = ct.cast(data, ct.POINTER(SkbEvent)).contents bpf = BPF(text=bpf_text) function_skb_matching = bpf.load_func("packet_monitor", BPF.SOCKET_FILTER) BPF.attach_raw_socket(function_skb_matching, INTERFACE) bpf["skb_events"].open_perf_buffer(print_skb_event) # retrieeve packet_cnt map packet_cnt = bpf.get_table('packet_cnt') # retrieeve packet_cnt map #sys.stdout = open('myoutput.txt','w') def decimal_to_human(input_value): input_value = int(input_value) hex_value = hex(input_value)[2:] pt3 = literal_eval((str('0x' + str(hex_value[-2:])))) pt2 = literal_eval((str('0x' + str(hex_value[-4:-2])))) pt1 = literal_eval((str('0x' + str(hex_value[-6:-4]))))
import sys import socket import os # initialize BPF - load source code from http-parse.c bpf = BPF(src_file = "http-parse.c",debug = 0) #load eBPF program http_filter of type SOCKET_FILTER into the kernel eBPF vm #more info about eBPF program types #http://man7.org/linux/man-pages/man2/bpf.2.html function_http_filter = bpf.load_func("http_filter", BPF.SOCKET_FILTER) #create raw socket, bind it to eth0 #attach bpf program to socket created BPF.attach_raw_socket(function_http_filter, "eth0") #get file descriptor of the socket previously created inside BPF.attach_raw_socket socket_fd = function_http_filter.sock #create python socket object, from the file descriptor sock = socket.fromfd(socket_fd,socket.PF_PACKET,socket.SOCK_RAW,socket.IPPROTO_IP) #set it as blocking socket sock.setblocking(True) while 1: #retrieve raw packet from socket packet_str = os.read(socket_fd,2048) #DEBUG - print raw packet in hex format #packet_hex = toHex(packet_str)
if len(hv) == 1: hv = '0' + hv lst.append(hv) return reduce(lambda x, y:x + y, lst) # initialize BPF - load source code from http-parse-simple.c bpf = BPF(src_file="mcd_planes_tracing.c", debug=0) # load eBPF program http_filter of type SOCKET_FILTER into the kernel eBPF vm # more info about eBPF program types http://man7.org/linux/man-pages/man2/bpf.2.html function_ip_filter = bpf.load_func("ip_filter", BPF.SOCKET_FILTER) # create raw socket, bind it to eth0 # attach bpf program to socket created BPF.attach_raw_socket(function_ip_filter, "eno2") ni.ifaddresses('eno2') ip = ni.ifaddresses('eno2')[ni.AF_INET][0]['addr'] # get file descriptor of the socket previously created inside BPF.attach_raw_socket socket_fd = function_ip_filter.sock # create python socket object, from the file descriptor sock = socket.fromfd(socket_fd, socket.PF_PACKET, socket.SOCK_RAW, socket.IPPROTO_IP) # set it as blocking socket sock.setblocking(True) print("MachineIP Hostname ipver Src IP Addr Dst IP Addr src Port Dst Port protocol TCP_Window_Size Packet_Length")
if len(argv) > 5: usage() print("binding socket to '%s'" % interface) #initialize BPF - load source code from http-parse-simple.c bpf = BPF(src_file="data-plane-tracing.c", debug=0) #load eBPF program http_filter of type SOCKET_FILTER into the kernel eBPF vm #more info about eBPF program types http://man7.org/linux/man-pages/man2/bpf.2.html function_vlan_filter = bpf.load_func("vlan_filter", BPF.SOCKET_FILTER) #create raw socket, bind it to eth0 #attach bpf program to socket created BPF.attach_raw_socket(function_vlan_filter, interface) #get file descriptor of the socket previously created inside BPF.attach_raw_socket socket_fd = function_vlan_filter.sock #create python socket object, from the file descriptor sock = socket.fromfd(socket_fd, socket.PF_PACKET, socket.SOCK_RAW, socket.IPPROTO_IP) #set it as blocking socket sock.setblocking(True) #get interface ip address. In case ip is not set then just add 127.0.0.1. ni.ifaddresses(interface) try: ip = ni.ifaddresses(interface)[ni.AF_INET][0]['addr']
def main(): """Main loop""" # Parse args parser = argparse.ArgumentParser( description='Append timestamps to all UDP packets received from SFC.', formatter_class=argparse.RawTextHelpFormatter ) parser.add_argument('--in_ifce', help="Ingress interface.", default='eth1') parser.add_argument('--eg_ifce', help="Egress interface.", default='eth2') args = parser.parse_args() in_ifce = args.in_ifce eg_ifce = args.eg_ifce # --- Ingress Interface --- # Load BPF program, written in C code bpf = BPF(src_file="./udp_filter.c", debug=0) filter_func = bpf.load_func("udp_filter", BPF.SOCKET_FILTER) # Bind a new raw socket to the ingress interface BPF.attach_raw_socket(filter_func, in_ifce) print('[INFO] Attach eBPF raw socket to interface: %s' % in_ifce) recv_sock_fd = filter_func.sock recv_sock = socket.fromfd(recv_sock_fd, socket.AF_PACKET, socket.SOCK_RAW, socket.htons(3)) recv_sock.setblocking(True) # --- Egress Interface --- send_sock = socket.socket( socket.AF_PACKET, socket.SOCK_RAW, socket.htons(3)) send_sock.bind((eg_ifce, 0)) print('[INFO] Bind send socket to interface: %s' % eg_ifce) # --- Frame Processing --- eth_frame = bytearray(BUFFER_SIZE) # Recv loop # MARK: Looks same with my raw socket implementation in the DA print('[INFO] Enter main looping...') try: while True: # MARK: Use blocking IO frame_len = recv_sock.recv_into(eth_frame, BUFFER_SIZE) # Get time stamp in microseconds. recv_time_b = struct.pack('!Q', int(time.time() * 1e6)) ts_len = len(recv_time_b) # Append time stamps hd_offset = 0 hd_offset += ETH_HDL # move to IP header # Check IP version and calc header length ver_ihl = struct.unpack('>B', eth_frame[hd_offset:hd_offset + 1])[0] ihl = 4 * int(hex(ver_ihl)[-1]) # IP total length old_ip_tlen = struct.unpack( '>H', eth_frame[hd_offset + 2:hd_offset + 4])[0] hd_offset += ihl # move to UDP header udp_pl_offset = hd_offset + UDP_HDL # UDP payload length old_udp_pl_len = struct.unpack( '>H', eth_frame[hd_offset + 4:hd_offset + 6] )[0] - UDP_HDL # Append recv time stamp at end eth_frame[udp_pl_offset + old_udp_pl_len:udp_pl_offset + old_udp_pl_len + ts_len] = recv_time_b # Set UDP and IP total length with new payload new_udp_tlen = struct.pack( '>H', (old_udp_pl_len + UDP_HDL + ts_len), ) eth_frame[hd_offset + 4:hd_offset + 6] = new_udp_tlen # MARK: Recalculate the UDP checksum # Assume that the SRC_IP and DST_IP are always not modified by # the SFC # TODO: Such information SHOULD provided by BPF # Get UDP pseudo header: src_ip, dst_ip, zero, protocol, udp_length # Set checksum to zero eth_frame[hd_offset + 6:hd_offset + 8] = struct.pack('>H', 0) # Create the pseudo UDP header pseudo_udp_header = struct.pack('!BBH', 0, socket.IPPROTO_UDP, old_udp_pl_len + ts_len + UDP_HDL) pseudo_udp_header = SRC_IP_B + DST_IP_B + pseudo_udp_header # src_port, dst_port, udp_length, 0 udp_header = eth_frame[hd_offset:hd_offset + 8] udp_cksum = calc_udp_cksum(pseudo_udp_header+udp_header+eth_frame[ udp_pl_offset:udp_pl_offset+old_udp_pl_len + ts_len]) eth_frame[hd_offset + 6:hd_offset + 8] = struct.pack('>H', udp_cksum) # Move back to IP header hd_offset -= ihl new_ip_tlen = struct.pack( '>H', (old_ip_tlen + ts_len) ) eth_frame[hd_offset + 2:hd_offset + 4] = new_ip_tlen # Set checksum field to zero eth_frame[hd_offset + 10:hd_offset + 12] = struct.pack('>H', 0) new_iph_cksum = calc_ih_cksum( eth_frame[hd_offset:hd_offset + ihl] ) eth_frame[hd_offset + 10:hd_offset + 12] = struct.pack('<H', new_iph_cksum) frame_len += ts_len eth_frame[0:MAC_LEN] = DST_MAC_B eth_frame[MAC_LEN:MAC_LEN * 2] = SRC_MAC_B send_sock.send(eth_frame[0: frame_len]) except KeyboardInterrupt: print("[INFO] KeyboardInterrupt detected, exits...") recv_sock.close() send_sock.close() sys.exit(0)
def main(): global interface_name arg1 = str(argv[1]) if 1 < len(argv) else None arg2 = str(argv[2]) if 2 < len(argv) else None no_args = (len(argv) == 1) one_arg = (len(argv) == 2) two_args = (len(argv) == 3) three_or_more_args = (len(argv) > 3) help_flag = (str(arg1) == "-h") interface_flag = (str(arg1) == "-i") if DEBUG_ARGS: print("arg1 = {}".format(arg1)) print("arg2 = {}".format(arg2)) print("no_args = {}".format(no_args)) print("one_arg = {}".format(one_arg)) print("two_args = {}".format(two_args)) print("three_or_more_args = {}".format(three_or_more_args)) print("help_flag = {}".format(help_flag)) print("interface_flag = {}".format(interface_flag)) if one_arg and help_flag: help() exit() if three_or_more_args or \ (two_args and not interface_flag) or \ (one_arg and not help_flag): usage() exit() if two_args and interface_flag: interface_name = argv[2] bpf = BPF(text=prog, debug=2) is_is_filter = bpf.load_func("isis_filter", BPF.SOCKET_FILTER) print("binding socket to '%s'" % interface_name) BPF.attach_raw_socket(is_is_filter, interface_name) # get file descriptor of the socket previously created inside BPF.attach_raw_socket socket_fd = is_is_filter.sock #create python socket object, from the file descriptor sock = socket.fromfd(socket_fd, socket.AF_PACKET, socket.SOCK_RAW, 0) sock.setblocking(True) print("Starting to listen on socket {} - use CTRL-C to terminate. \n". format(interface_name)) pcap_fp = open('data.pcapng', 'wb') shb_opts = [ pcapng.option.ShbHardware("Dell"), pcapng.option.ShbOs("Ubuntu"), pcapng.option.ShbUserAppl("IntelliJ Idea") ] shb_obj = pcapng.block.SectionHeaderBlock(shb_opts) shb_packed_bytes = shb_obj.pack() pcap_fp.write(shb_packed_bytes) # must be 1st block idb_opts = [ pcapng.option.IdbName(interface_name), pcapng.option.IdbDescription("primary interface on host"), pcapng.option.IdbSpeed(12345) ] idb_obj = pcapng.block.InterfaceDescBlock( pcapng.linktype.LINKTYPE_ETHERNET, idb_opts) # optional block pcap_fp.write(idb_obj.pack()) count = 0 while True: count += 1 dummy, remainder = divmod(count, 100) if (remainder == 0): print('.', end='') sys.stdout.flush() if False: pkt_bytes = get_next_packet(socket_fd) dbg_print(pkt_bytes) pcap_fp.write(pcapng.block.SimplePacketBlock(pkt_bytes).pack()) if True: pkt_bytes = get_next_packet(socket_fd) dbg_print(pkt_bytes) epb_opts = [ pcapng.option.EpbFlags([13, 14, 15, 16]), pcapng.option.EpbHash('just about any hash spec can go here'), pcapng.option.EpbDropCount(13) ] pcap_fp.write( pcapng.block.EnhancedPacketBlock(0, pkt_bytes, len(pkt_bytes), epb_opts).pack())
i += 1 return (c_ubyte * size).from_buffer(b) # initialize BPF - load source code from http-parse-simple.c bpf = BPF(src_file="dns_matching.c", debug=0) # print(bpf.dump_func("dns_test")) #load eBPF program http_filter of type SOCKET_FILTER into the kernel eBPF vm #more info about eBPF program types #http://man7.org/linux/man-pages/man2/bpf.2.html function_dns_matching = bpf.load_func("dns_matching", BPF.SOCKET_FILTER) #create raw socket, bind it to eth0 #attach bpf program to socket created BPF.attach_raw_socket(function_dns_matching, "eth1") # Get the table. cache = bpf.get_table("cache") # Create first entry for foo.bar key = cache.Key() key.p = encode_dns("foo.bar") leaf = cache.Leaf() leaf.p = (c_ubyte * 4).from_buffer(bytearray(4)) cache[key] = leaf bpf.trace_print()
hv = '0' + hv lst.append(hv) return reduce(lambda x, y: x + y, lst) # initialize BPF - load source code from http-parse-simple.c bpf = BPF(src_file="mcd_planes_tracing.c", debug=0) # load eBPF program http_filter of type SOCKET_FILTER into the kernel eBPF vm # more info about eBPF program types http://man7.org/linux/man-pages/man2/bpf.2.html function_vxlan_filter = bpf.load_func("vxlan_filter", BPF.SOCKET_FILTER) # create raw socket, bind it to eth0 # attach bpf program to socket created BPF.attach_raw_socket(function_vxlan_filter, "eno5") ni.ifaddresses('eno2') ip = ni.ifaddresses('eno2')[ni.AF_INET][0]['addr'] # get file descriptor of the socket previously created inside BPF.attach_raw_socket socket_fd = function_vxlan_filter.sock # create python socket object, from the file descriptor sock = socket.fromfd(socket_fd, socket.PF_PACKET, socket.SOCK_RAW, socket.IPPROTO_IP) # set it as blocking socket sock.setblocking(True) print(
if len(argv) > 5: usage() print ("binding socket to '%s'" % interface) #initialize BPF - load source code from http-parse-simple.c bpf = BPF(src_file = "data-plane-tracing.c", debug = 0) #load eBPF program http_filter of type SOCKET_FILTER into the kernel eBPF vm #more info about eBPF program types http://man7.org/linux/man-pages/man2/bpf.2.html function_vlan_filter = bpf.load_func("vlan_filter", BPF.SOCKET_FILTER) #create raw socket, bind it to eth0 #attach bpf program to socket created BPF.attach_raw_socket(function_vlan_filter, interface) #get file descriptor of the socket previously created inside BPF.attach_raw_socket socket_fd = function_vlan_filter.sock #create python socket object, from the file descriptor sock = socket.fromfd(socket_fd,socket.PF_PACKET,socket.SOCK_RAW,socket.IPPROTO_IP) #set it as blocking socket sock.setblocking(True) #get interface ip address. In case ip is not set then just add 127.0.0.1. ni.ifaddresses(interface) try: ip = ni.ifaddresses(interface)[ni.AF_INET][0]['addr'] except:
sh.setLevel(logging.INFO) _logger.addHandler(sh) fh = logging.FileHandler(filename="./flow_measure.log") fh.setFormatter(fm) fh.setLevel(logging.DEBUG) _logger.addHandler(fh) # ENABLE THIS PART TO ENABLE SINGLE PACKET MONITOR - END (2/1) bpf_text = get_bpf_text_file(map_name) _logger.debug(bpf_text) bpf = BPF(text=bpf_text) # bpf = BPF(src_file="flow_measure.c", cflags=["-w", "-DMAPNAME=%s" % map_name]) function_skb_matching = bpf.load_func("flow_measure", BPF.SOCKET_FILTER) BPF.attach_raw_socket(function_skb_matching, networking_point) flow_cnt_table = bpf.get_table(map_name) # retrieve packet_cnt map _logger.info("Measurement Function {} was successfully loaded.".format(function_name)) try: while True: start_time = time.time() flow_tuples = flow_cnt_table.items() if len(flow_tuples) != 0: flow_cnt_table.clear() msg_dict = create_message(flow_tuples) msg_dict["point"] = "{}.{}".format(where, networking_point)
usage() print("binding socket to '%s'" % interface) # initialize BPF - load source code from mqtts_dumper.c bpf = BPF(src_file="mqtts_dumper.c", cflags=["-DFILTER_PORT=" + str(filter_port)]) #load eBPF program mqtts_dumper of type SOCKET_FILTER into the kernel eBPF vm #more info about eBPF program types #http://man7.org/linux/man-pages/man2/bpf.2.html function_mqtts_dumper = bpf.load_func("mqtts_dumper", BPF.SOCKET_FILTER) #create raw socket, bind it to interface #attach bpf program to socket created BPF.attach_raw_socket(function_mqtts_dumper, interface) #get file descriptor of the socket previously created inside BPF.attach_raw_socket socket_fd = function_mqtts_dumper.sock #create python socket object, from the file descriptor sock = socket.fromfd(socket_fd, socket.PF_PACKET, socket.SOCK_RAW, socket.IPPROTO_IP) #set it as blocking socket sock.setblocking(True) while True: #retrieve raw packet from socket packet_bytes = os.read(socket_fd, 2048) print('PKTPKTs')
def setUp(self): b = BPF(arg1, arg2, debug=0) fn = b.load_func("on_packet", BPF.SOCKET_FILTER) BPF.attach_raw_socket(fn, "eth0") self.stats = b.get_table("stats", Key, Leaf)
return (c_ubyte * size).from_buffer(b) # initialize BPF - load source code from http-parse-simple.c bpf = BPF(src_file = "dns_matching.c", debug=0) # print(bpf.dump_func("dns_test")) #load eBPF program http_filter of type SOCKET_FILTER into the kernel eBPF vm #more info about eBPF program types #http://man7.org/linux/man-pages/man2/bpf.2.html function_dns_matching = bpf.load_func("dns_matching", BPF.SOCKET_FILTER) #create raw socket, bind it to eth0 #attach bpf program to socket created BPF.attach_raw_socket(function_dns_matching, "eth1") # Get the table. cache = bpf.get_table("cache") # Create first entry for foo.bar key = cache.Key() key.p = encode_dns("foo.bar") leaf = cache.Leaf() leaf.p = (c_ubyte * 4).from_buffer(bytearray(4)) cache[key] = leaf bpf.trace_print()
if len(argv) > 3: usage() print ("binding socket to '%s'" % interface) # initialize BPF - load source code from http-parse-simple.c bpf = BPF(src_file = "http-parse-simple.c",debug = 0) #load eBPF program http_filter of type SOCKET_FILTER into the kernel eBPF vm #more info about eBPF program types #http://man7.org/linux/man-pages/man2/bpf.2.html function_http_filter = bpf.load_func("http_filter", BPF.SOCKET_FILTER) #create raw socket, bind it to interface #attach bpf program to socket created BPF.attach_raw_socket(function_http_filter, interface) #get file descriptor of the socket previously created inside BPF.attach_raw_socket socket_fd = function_http_filter.sock #create python socket object, from the file descriptor sock = socket.fromfd(socket_fd,socket.PF_PACKET,socket.SOCK_RAW,socket.IPPROTO_IP) #set it as blocking socket sock.setblocking(True) while 1: #retrieve raw packet from socket packet_str = os.read(socket_fd,2048) #DEBUG - print raw packet in hex format #packet_hex = toHex(packet_str)
lst.append(hv) return reduce(lambda x, y: x + y, lst) # initialize BPF - load source code from http-parse-simple.c bpf = BPF(src_file="packet_tracing.c", debug=0) #load eBPF program http_filter of type SOCKET_FILTER into the kernel eBPF vm #more info about eBPF program types #http://man7.org/linux/man-pages/man2/bpf.2.html function_http_filter = bpf.load_func("http_filter", BPF.SOCKET_FILTER) #create raw socket, bind it to eth0 #attach bpf program to socket created BPF.attach_raw_socket(function_http_filter, "enp0s25") ni.ifaddresses('enp0s25') ip = '' #ip = ni.ifaddresses('ens2f2')[ni.AF_INET][0]['addr'] #get file descriptor of the socket previously created inside BPF.attach_raw_socket socket_fd = function_http_filter.sock #create python socket object, from the file descriptor sock = socket.fromfd(socket_fd, socket.PF_PACKET, socket.SOCK_RAW, socket.IPPROTO_IP) #set it as blocking socket sock.setblocking(True) print( "MachineIP ipver Src IP Addr src Port Dst IP Addr Dst Port Packet Length protocol Local_Src_Addr Local_des_Addr VNI VLANID "
help='List of domain names separated by space. For example: -d abc.def xyz.mno') args = parser.parse_args() # initialize BPF - load source code from http-parse-simple.c bpf = BPF(src_file = "dns_matching.c", debug=0) # print(bpf.dump_func("dns_test")) #load eBPF program http_filter of type SOCKET_FILTER into the kernel eBPF vm #more info about eBPF program types #http://man7.org/linux/man-pages/man2/bpf.2.html function_dns_matching = bpf.load_func("dns_matching", BPF.SOCKET_FILTER) #create raw socket, bind it to user provided interface #attach bpf program to socket created BPF.attach_raw_socket(function_dns_matching, args.interface) # Get the table. cache = bpf.get_table("cache") # Add cache entries for e in args.domains: print(">>>> Adding map entry: ", e) add_cache_entry(cache, e) print("\nTry to lookup some domain names using nslookup from another terminal.") print("For example: nslookup foo.bar") print("\nBPF program will filter-in DNS packets which match with map entries.") print("Packets received by user space program will be printed here") print("\nHit Ctrl+C to end...")
data.pid = bpf_get_current_pid_tgid(); data.ts = bpf_ktime_get_ns(); bpf_get_current_comm(&data.comm, sizeof(data.comm)); events.perf_submit(ctx, &data, sizeof(data)); return 0; } """ # load BPF program b = BPF(text=prog) #b.attach_kprobe(event=b.get_syscall_fnname("clone"), fn_name="hello") function_skb = b.load_func("hello", BPF.SOCKET_FILTER) BPF.attach_raw_socket(function_skb, INTERFACE) # header print("%-18s %-16s %-6s %s" % ("TIME(s)", "COMM", "PID", "MESSAGE")) # process event start = 0 def print_event(cpu, data, size): global start event = b["events"].event(data) if start == 0: start = event.ts time_s = (float(event.ts - start)) / 1000000000 printb(b"%-18.9f %-16s %-6d %s" %
# can't exceed BPF_HASH() size if len(args.target_uri) > 128: print("%s: error: too many arguments" % parser.prog) parser.print_help() sys.exit(-1) # initialize BPF - load source code from ebpf_ttl.c bpf = BPF(src_file="ebpf_ttl.c", debug=0) #load eBPF program synack_ttl of type SOCKET_FILTER into the kernel eBPF vm function_synack_ttl = bpf.load_func("synack_ttl", BPF.SOCKET_FILTER) #create raw socket, bind it to interface #attach bpf program to socket created BPF.attach_raw_socket(function_synack_ttl, interface) # Get the table. ttlmap = bpf.get_table("ttlmap") # Add cache entries for t in args.target_uri: print(">>>> Adding map entry: ", t) add_ttlmap_entry(ttlmap, t) socket.setdefaulttimeout(1) for t in args.target_uri: addr, port, af = parse_dst(t) s = socket.socket(af, socket.SOCK_STREAM) s.connect((addr, port))
if len(argv) == 3: if str(argv[1]) == '-i': interface = argv[2] else: usage() if len(argv) > 3: usage() # initialize BPF - load source code from http-parse-simple.c bpf = BPF(src_file = "dns_record.c", debug=0) # load bpf -- it's a socket filter f_dns = bpf.load_func("dns_record", BPF.SOCKET_FILTER) # create a raw socket on eth0 and attach our bpf BPF.attach_raw_socket(f_dns, interface) # bytecode_str = bpf.dump_func("dns_record") # print(":".join("{:02x}".format(ord(c)) for c in bytecode_str)) # # dump the BPF program # bpf.dump_func("dns_record") # Create first entry for foo.bar # key = cache.Key() # key.p = encode_dns("foo.bar") # leaf = cache.Leaf() # leaf.p = (c_ubyte * 4).from_buffer(bytearray(4))
help= 'List of domain names separated by space. For example: -d abc.def xyz.mno') args = parser.parse_args() # initialize BPF - load source code from http-parse-simple.c bpf = BPF(src_file="dns_matching.c", debug=0) # print(bpf.dump_func("dns_test")) #load eBPF program http_filter of type SOCKET_FILTER into the kernel eBPF vm #more info about eBPF program types #http://man7.org/linux/man-pages/man2/bpf.2.html function_dns_matching = bpf.load_func("dns_matching", BPF.SOCKET_FILTER) #create raw socket, bind it to user provided interface #attach bpf program to socket created BPF.attach_raw_socket(function_dns_matching, args.interface) # Get the table. cache = bpf.get_table("cache") # Add cache entries for e in args.domains: print(">>>> Adding map entry: ", e) add_cache_entry(cache, e) print( "\nTry to lookup some domain names using nslookup from another terminal.") print("For example: nslookup foo.bar") print("\nBPF program will filter-in DNS packets which match with map entries.") print("Packets received by user space program will be printed here") print("\nHit Ctrl+C to end...")
return #-----FUNCTIONS-END-------------------------# # initialize BPF - load source code from http-parse-complete.c bpf = BPF(src_file = "http-parse-complete.c",debug = 0) #load eBPF program http_filter of type SOCKET_FILTER into the kernel eBPF vm #more info about eBPF program types #http://man7.org/linux/man-pages/man2/bpf.2.html function_http_filter = bpf.load_func("http_filter", BPF.SOCKET_FILTER) #create raw socket, bind it to eth0 #attach bpf program to socket created BPF.attach_raw_socket(function_http_filter, "eth0") #get file descriptor of the socket previously created inside BPF.attach_raw_socket socket_fd = function_http_filter.sock #create python socket object, from the file descriptor sock = socket.fromfd(socket_fd,socket.PF_PACKET,socket.SOCK_RAW,socket.IPPROTO_IP) #set it as blocking socket sock.setblocking(True) #get pointer to bpf map of type hash bpf_sessions = bpf.get_table("sessions") #packets counter packet_count = 0
def bpf_handler(): global current_connection #arguments interface = "eth0" if len(argv) == 2: if str(argv[1]) == '-h': help() else: usage() if len(argv) == 3: if str(argv[1]) == '-i': interface = argv[2] else: usage() if len(argv) > 3: usage() success_text = open("./success", "rb").read() print("binding socket to '%s'" % interface) # initialize BPF - load source code from parse.c bpf = BPF(src_file="parse.c", debug=0) #load eBPF program filter of type SOCKET_FILTER into the kernel eBPF vm #more info about eBPF program types #http://man7.org/linux/man-pages/man2/bpf.2.html logging.info('JIT eBPF Code') function_filter = bpf.load_func("filter", BPF.SOCKET_FILTER) #create raw socket, bind it to interface #attach bpf program to socket created logging.info('Creating Raw Socket') BPF.attach_raw_socket(function_filter, interface) #get file descriptor of the socket previously created inside BPF.attach_raw_socket socket_fd = function_filter.sock #create python socket object, from the file descriptor sock = socket.fromfd(socket_fd, socket.PF_PACKET, socket.SOCK_RAW, socket.IPPROTO_IP) #set it as blocking socket sock.setblocking(True) while True: #retrieve raw packet from socket packet_str = os.read(socket_fd, 2048) packet_bytearray = bytearray(packet_str) # Parse RAW data using scapy.. super general and easy c = Ether(packet_bytearray) if c.haslayer(IP): layer_ip = c.getlayer(IP) logging.info('IP: {} said the magic word ;-)'.format(layer_ip.src)) if len(current_connection) > 0: for con, addr in current_connection: if (layer_ip.src, layer_ip.sport) == addr: con.send(success_text) logging.info('Sending success text now to: {}'.format( layer_ip.src))