From a0d1de768ba1070f8f9b777e3c169b2363389fb9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Iago=20L=C3=B3pez=20Galeiras?=
Date: Wed, 21 Sep 2016 16:36:15 +0200
Subject: [PATCH] tcpv4tracer: get the kernel TGID instead of the PID

bfp_get_current_pid_tgid() returns a u64 containing "current->tgid << 32 | current->pid". We were storing the return value in a u32, which means we got "current->pid". In kernel terms, the PID is actually what userspace calls a thread ID. What we actually want is what the userspace calls PID, and that's the kernel's TGID. Store the return value of bfp_get_current_pid_tgid() in a u64 and store it right-shifted 32 bits so we get the actual PID (TGID).
---
 examples/tracing/tcpv4tracer.py | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/examples/tracing/tcpv4tracer.py b/examples/tracing/tcpv4tracer.py
index a2d204e2d74a..28072cff9a34 100755
--- a/examples/tracing/tcpv4tracer.py
+++ b/examples/tracing/tcpv4tracer.py
@@ -47,12 +47,12 @@
 };
 BPF_PERF_OUTPUT(tcp_event);
-BPF_HASH(connectsock, u32, struct sock *);
-BPF_HASH(closesock, u32, struct sock *);
+BPF_HASH(connectsock, u64, struct sock *);
+BPF_HASH(closesock, u64, struct sock *);
 int kprobe__tcp_v4_connect(struct pt_regs *ctx, struct sock *sk) {
- u32 pid = bpf_get_current_pid_tgid();
+ u64 pid = bpf_get_current_pid_tgid();
 ##FILTER_PID##
@@ -65,7 +65,7 @@
 int kretprobe__tcp_v4_connect(struct pt_regs *ctx) {
 int ret = PT_REGS_RC(ctx);
- u32 pid = bpf_get_current_pid_tgid();
+ u64 pid = bpf_get_current_pid_tgid();
 struct sock **skpp;
 skpp = connectsock.lookup(&pid);
@@ -104,7 +104,7 @@
 // output
 struct tcp_event_t evt = {
 .type = TCP_EVENT_TYPE_CONNECT,
- .pid = pid,
+ .pid = pid >> 32,
 .saddr = saddr,
 .daddr = daddr,
 .sport = ntohs(sport),
@@ -126,7 +126,7 @@
 int kprobe__tcp_close(struct pt_regs *ctx, struct sock *sk) {
- u32 pid = bpf_get_current_pid_tgid();
+ u64 pid = bpf_get_current_pid_tgid();
 ##FILTER_PID##
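Review bot: The `##FILTER_PID##` placeholder that follows the new `u64 pid = bpf_get_current_pid_tgid();` line is expanded by the Python side, which this diff does not touch (the diffstat's 11/10 lines are all inside the BPF string); if that expansion compares `pid` against the user-supplied process id, it now compares the combined `tgid << 32 | tid` value and can never match, so the filter would silently drop every event. Keeping the combined value under the name `pid` is also why the `>> 32` has to be repeated at each event site. Consider `u64 pid_tgid = bpf_get_current_pid_tgid();` followed by `u32 pid = pid_tgid >> 32;`, using `pid_tgid` as the map key and `pid` for the filter and the event. The same applies to the hunks at -126 and -192 (and to the map keys in the kretprobes at -65 and -138); the body of kprobe__tcp_v4_connect continues past this hunk. A comment on the BPF_HASH lines would also help, e.g. `// keyed by the full pid_tgid so threads of one process do not share an entry` — presumably the intent of the u64 key, worth confirming.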
@@ -138,7 +138,7 @@
 int kretprobe__tcp_close(struct pt_regs *ctx) {
- u32 pid = bpf_get_current_pid_tgid();
+ u64 pid = bpf_get_current_pid_tgid();
 struct sock **skpp;
 skpp = closesock.lookup(&pid);
@@ -169,7 +169,7 @@
 // output
 struct tcp_event_t evt = {
 .type = TCP_EVENT_TYPE_CLOSE,
- .pid = pid,
+ .pid = pid >> 32,
 .saddr = saddr,
 .daddr = daddr,
 .sport = ntohs(sport),
@@ -192,7 +192,7 @@
 int kretprobe__inet_csk_accept(struct pt_regs *ctx) {
 struct sock *newsk = (struct sock *)PT_REGS_RC(ctx);
- u32 pid = bpf_get_current_pid_tgid();
+ u64 pid = bpf_get_current_pid_tgid();
 ##FILTER_PID##
@@ -226,7 +226,8 @@
 ##FILTER_NETNS##
 if (family == AF_INET) {
- struct tcp_event_t evt = {.type = TCP_EVENT_TYPE_ACCEPT, .pid = pid, .netns = net_ns_inum};
+ struct tcp_event_t evt = {.type = TCP_EVENT_TYPE_ACCEPT, .netns = net_ns_inum};
+ evt.pid = pid >> 32;
 bpf_probe_read(&evt.saddr, sizeof(u32), &newsk->__sk_common.skc_rcv_saddr);
 bpf_probe_read(&evt.daddr, sizeof(u32),