cilium · brb · Jan 22, 2025 · Dec 6, 2024
@@ -64,7 +64,7 @@ struct tuple {
 	u16 dport;
 	u16 l3_proto;
 	u8 l4_proto;
-	u8 pad;
+	u8 tcp_flags;
 } __attribute__((packed));
 
 enum event_type {
@@ -313,6 +313,7 @@ __set_tuple(struct tuple *tpl, void *data, u16 l3_off, bool is_ipv4) {
 		struct tcphdr *tcp = (struct tcphdr *) (data + l4_off);
 		tpl->sport= BPF_CORE_READ(tcp, source);
 		tpl->dport= BPF_CORE_READ(tcp, dest);
+		bpf_probe_read_kernel(&tpl->tcp_flags, sizeof(tpl->tcp_flags), (void *)tcp + offsetof(struct tcphdr, window) - 1);
 	} else if (tpl->l4_proto == IPPROTO_UDP) {
 		struct udphdr *udp = (struct udphdr *) (data + l4_off);
 		tpl->sport= BPF_CORE_READ(udp, source);

@@ -77,6 +77,7 @@ type jsonTuple struct {
 	Sport uint16 `json:"sport,omitempty"`
 	Dport uint16 `json:"dport,omitempty"`
 	Proto uint8  `json:"proto,omitempty"`
+	Flags string `json:"flags,omitempty"`
 }
 
 func centerAlignString(s string, width int) string {
@@ -101,7 +102,7 @@ func NewOutput(flags *Flags, printSkbMap, printShinfoMap, printStackMap *ebpf.Ma
 
 	reasons, err := getKFreeSKBReasons(btfSpec)
 	if err != nil {
-		log.Printf("Unable to load packet drop reaons: %v", err)
+		log.Printf("Unable to load packet drop reasons: %v", err)
 	}
 
 	var ifs map[uint64]map[uint32]string
@@ -204,6 +205,7 @@ func (o *output) PrintJson(event *Event) {
 		t.Sport = byteorder.NetworkToHost16(event.Tuple.Sport)
 		t.Dport = byteorder.NetworkToHost16(event.Tuple.Dport)
 		t.Proto = event.Tuple.L4Proto
+		t.Flags = event.Tuple.TCPFlag.String()
 		d.Tuple = t
 	}
 
@@ -271,11 +273,17 @@ func getAddrByArch(event *Event, o *output) (addr uint64) {
 	return addr
 }
 
-func getTupleData(event *Event) (tupleData string) {
+func getTupleData(event *Event, outputTCPFlags bool) (tupleData string) {
+	var l4Info string
+	if event.Tuple.L4Proto == syscall.IPPROTO_TCP && event.Tuple.TCPFlag != 0 && outputTCPFlags {
+		l4Info = fmt.Sprintf("%s:%s", protoToStr(event.Tuple.L4Proto), event.Tuple.TCPFlag)
+	} else {
+		l4Info = protoToStr(event.Tuple.L4Proto)
+	}
 	tupleData = fmt.Sprintf("%s:%d->%s:%d(%s)",
 		addrToStr(event.Tuple.L3Proto, event.Tuple.Saddr), byteorder.NetworkToHost16(event.Tuple.Sport),
 		addrToStr(event.Tuple.L3Proto, event.Tuple.Daddr), byteorder.NetworkToHost16(event.Tuple.Dport),
-		protoToStr(event.Tuple.L4Proto))
+		l4Info)
 	return tupleData
 }
 
@@ -432,7 +440,7 @@ func (o *output) Print(event *Event) {
 	}
 
 	if o.flags.OutputTuple {
-		fprintWithPadding(o.writer, getTupleData(event), &maxTupleLengthSeen)
+		fprintWithPadding(o.writer, getTupleData(event, o.flags.OutputTCPFlags), &maxTupleLengthSeen)
 	}
 
 	if o.flags.OutputCaller {
@@ -499,7 +507,7 @@ func addrToStr(proto uint16, addr [16]byte) string {
 	}
 }
 
-// getKFreeSKBReasons dervices SKB drop reasons from the "skb_drop_reason" enum
+// getKFreeSKBReasons derives SKB drop reasons from the "skb_drop_reason" enum
 // defined in /include/net/dropreason.h.
 func getKFreeSKBReasons(spec *btf.Spec) (map[uint64]string, error) {
 	if _, err := spec.AnyTypeByName("kfree_skb_reason"); err != nil {

@@ -51,6 +51,7 @@ type Flags struct {
 	OutputSkbCB      bool
 	OutputFile       string
 	OutputJson       bool
+	OutputTCPFlags   bool
 
 	KMods    []string
 	AllKMods bool
@@ -86,6 +87,7 @@ func (f *Flags) SetFlags() {
 	flag.BoolVar(&f.OutputCaller, "output-caller", false, "print caller function name")
 	flag.Uint64Var(&f.OutputLimitLines, "output-limit-lines", 0, "exit the program after the number of events has been received/printed")
 	flag.BoolVar(&f.OutputSkbCB, "output-skb-cb", false, "print skb->cb")
+	flag.BoolVar(&f.OutputTCPFlags, "output-tcp-flags", false, "print TCP flags")
 
 	flag.StringVar(&f.OutputFile, "output-file", "", "write traces to file")
 
@@ -117,14 +119,38 @@ func (f *Flags) Parse() {
 	}
 }
 
+type tcpFlag uint8
+
+func (f tcpFlag) String() string {
+	tcpFlags := []string{
+		"FIN",
+		"SYN",
+		"RST",
+		"PSH",
+		"ACK",
+		"URG",
+		"ECE",
+		"CWR",
+	}
+
+	var flags []string
+	for i, flag := range tcpFlags {
+		if f&(1<<uint(i)) != 0 {
+			flags = append(flags, flag)
+		}
+	}
+
+	return strings.Join(flags, "|")
+}
+
 type Tuple struct {
 	Saddr   [16]byte
 	Daddr   [16]byte
 	Sport   uint16
 	Dport   uint16
 	L3Proto uint16
 	L4Proto uint8
-	Pad     uint8
+	TCPFlag tcpFlag
 }
 
 type Meta struct {
@@ -176,7 +202,7 @@ func (f *markFlagValue) String() string {
 
 func (f *markFlagValue) Set(value string) error {
 	parts := strings.Split(value, "/")
-	
+
 	mark, err := parseUint32HexOrDecimal(parts[0])
 	if err != nil {
 		return fmt.Errorf("invalid mark value: %v", err)
@@ -191,7 +217,7 @@ func (f *markFlagValue) Set(value string) error {
 		}
 		*f.mask = mask
 	}
-	
+
 	return nil
 }
 
@@ -205,7 +231,7 @@ func parseUint32HexOrDecimal(s string) (uint32, error) {
 		s = s[2:]
 		base = 16
 	}
-	
+
 	val, err := strconv.ParseUint(s, base, 32)
 	if err != nil {
 		return 0, err