Packet, where are you? -- eBPF-based Linux kernel networking debugger
We are pleased to release the 1.0.6 version of pwru.
The major changes include:
pwru can track non-skb functions specified via --filter-non-skb-funcs (#355). For example, one can use pwru --filter-non-skb-funcs='xfrm_state_look_at,xfrm_state_lookup,xfrm_state_lookup_byaddr,xfrm_state_lookup_byspi' to enrich IPsec packet traces.
With --filter-track-skb-by-stackid, one can trace packets if they were freed, and then rebuilt (e.g., L2 bridge traffic).
pwru is now able to output in JSON (#285). For example:

    # pwru --output-tuple --output-meta --output-json 'host 1.1.1.1' | jq .
    <..>
    {
      "skb": "0xffff8fad947baf00",
      "cpu": 10,
      "process": "/usr/lib/firefox/firefox:1416291",
      "func": "kfree_skbmem",
      "iface": "0",
      "proto": 2048,
      "len": 94,
      "tuple": {
        "saddr": "1.1.1.1",
        "daddr": "192.168.1.159",
        "sport": 53,
        "dport": 34815,
        "proto": 17
      }
    }
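
The following Python is an example added here, not code from the pwru project: it consumes the --output-json stream shown above and rebuilds each packet's function path by skb address. The sample events are constructed, and two things are assumptions: that the stream is a sequence of JSON objects (one per line or pretty-printed by jq), and that a drop appears with "func" set to kfree_skb_reason.

```python
import json

# Constructed sample. Field names follow the JSON record shown above;
# the events themselves (functions, second tuple) are invented for illustration.
T1 = '"tuple":{"saddr":"1.1.1.1","daddr":"192.168.1.159","sport":53,"dport":34815,"proto":17}'
T2 = '"tuple":{"saddr":"2.2.2.2","daddr":"1.1.1.1","sport":52276,"dport":4240,"proto":6}'
SKB = '"skb":"0xffff8fad947baf00"'
SAMPLE = "\n".join([
    '{%s,"cpu":10,"func":"ip_rcv","len":94,%s}' % (SKB, T1),
    '{%s,"cpu":10,"func":"udp_rcv","len":94,%s}' % (SKB, T1),
    '{%s,"cpu":10,"func":"kfree_skbmem","len":94,%s}' % (SKB, T1),
    # Same skb address again: the kernel reused the freed buffer for a new packet.
    '{%s,"cpu":3,"func":"ip_rcv","len":60,%s}' % (SKB, T2),
    '{%s,"cpu":3,"func":"kfree_skb_reason","len":60,%s}' % (SKB, T2),
    '{%s,"cpu":3,"func":"kfree_skbmem","len":60,%s}' % (SKB, T2),
])

def iter_events(text):
    """Yield JSON objects from a stream, whether one-per-line or pretty-printed."""
    dec, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return
        obj, pos = dec.raw_decode(text, pos)
        yield obj

def packet_paths(events):
    """Group events by skb address into per-packet function paths.

    An skb address can be reused once the buffer is freed, so kfree_skbmem
    closes the current path and the next event for that address starts a new one.
    """
    open_paths, done = {}, []
    for ev in events:
        path = open_paths.setdefault(ev["skb"], {"tuple": ev.get("tuple"), "funcs": []})
        path["funcs"].append(ev["func"])
        if ev["func"] == "kfree_skbmem":
            done.append(open_paths.pop(ev["skb"]))
    return done + list(open_paths.values())  # include paths still in flight

def dropped(paths):
    """Paths that passed through kfree_skb_reason (assumed JSON func value)."""
    return [p for p in paths if any(f.startswith("kfree_skb_reason") for f in p["funcs"])]

if __name__ == "__main__":
    for p in packet_paths(iter_events(SAMPLE)):
        print(p["tuple"], " -> ".join(p["funcs"]))
```

Splitting on kfree_skbmem keeps two packets that reused one buffer address from being merged into a single path.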
We are pleased to release the 1.0.5 version of pwru.
We are pleased to release the 1.0.4 version of pwru.
The major changes include:
pwru is able to show the execution of TC BPF programs when --filter-trace-tc is set (#271). For example:
    0xffff91d7c885f0e8 5 [curl(261789)] cil_from_container netns=... mark=0x0 iface=11(lxc9376ae2995cc)
shows execution of Cilium's cil_from_container BPF program.
    0xffffa0fbe16e1500 15 [kworker/15:3-wg-crypt-cilium_wg0(82260)] ....
shows a kernel thread handling WireGuard encryption for cilium_wg0 device.
skb_clone() and skb_copy when --filter-trace-skb is set (#275). This is useful to trace packets which get modified and no longer match given filters (e.g., after SNAT, tunnel encapsulation, encryption, etc).
We are pleased to release the 1.0.3 version of pwru.
The major changes include:
pwru 'arp and arp[6:2] == 2' (https://github.com/cilium/pwru/pull/255).
--filter-ifname which allows users to select which device packets should be filtered. The option can be used with --filter-netns which was changed to accept either inode number (inode: ) or a file path to a network namespace. For example, to filter only eth0 packets in the network namespace of PID 42 you can run pwru --filter-ifname eth0 --filter-netns /proc/42/ns/net (https://github.com/cilium/pwru/pull/257).
--output-meta was extended to print a network interface name. For example, iface=3(wlan0) (https://github.com/cilium/pwru/pull/259).
We are pleased to release the 1.0.2 version of pwru.
This release fixes a bug in pwru v1.0.1 caused by invalid bytecode produced by libpcap.a when compiled with LLVM 13 (https://github.com/cilium/pwru/issues/245):
Failed to inject filter ebpf for kprobe_skb_2: register r8 used twice
We are pleased to release the 1.0.1 version of pwru.
The major changes include:
When --filter-track-skb is used, stop tracking a packet once it hits kfree_skbmem. This significantly helps to reduce pwru output volume.
We are pleased to release the 1.0.0 version of pwru. It is the first major version ever released 🎉
The major changes include:
Added support for libpcap-based filtering (#198 by @jschwinger233). Now it's possible to filter packets in the same way as with tcpdump. For example, to trace only TCP SYN packets to 1.1.1.1 run pwru 'host 1.1.1.1 and tcp[tcpflags] == tcp-syn'. Please refer to man 7 pcap-filter for the full filtering syntax.
Added --filter-track-skb to trace packets even if they were modified and no longer match given filters (#194 by @jschwinger233). Useful when tracing packets which can be (de)encapsulated, SNAT-ed, encrypted, etc.
Fixed slow pwru loading on Ubuntu caused by a bug in pahole (https://github.com/cilium/ebpf/pull/1084 by @lmb).
Fixed trace losses due to the perf ring buffer being full (#195 by @jschwinger233). Now traces are stored in BPF_MAP_TYPE_QUEUE instead of BPF_MAP_TYPE_PERF_EVENT_ARRAY.
The userspace code was re-licensed under Apache-2.0, while the BPF code is under BSD 2-Clause and GPL-2.0 (#190 by @brb).
We are pleased to release the 0.0.9 version of pwru.
The major changes include:
--filter-{src,dst}-ip and --filter-proto=icmp6 (#157 and #165).
We are pleased to release the 0.0.8 version of pwru.
The major changes include:
--filter-port to allow users to filter either source or destination L4 port (#141).
kfree_skb_reason (#148). For example:
    free_skb_reason(SKB_DROP_REASON_NETFILTER_DROP) 2.2.2.2:52276->1.1.1.1:4240(tcp)
We are pleased to release the 0.0.7 version of pwru.
The major changes include:
12fcaef - make: Use git safe.directory instead of mangling uid/gid (@brb)
120e969 - Add IPv6 test case (@brb)
6b118cf - Fix ipv6 filtering (@brb)
fe62d2c - Small vars declaration cleanup (@brb)
ee7e5e7 - Add type shim for kprobes representation in Go (@brb)
820fbb2 - Add multi-link kprobe support (@brb)
feba59a - Add HaveBPFLinkKprobeMulti (@brb)
5bd118a - bpf: Add kprobe.multi (@brb)
19ca0ed - bpf: Prepare for bpf_get_func_ip() (@brb)
93cf26f - Bump actions/setup-go from 3.4.0 to 3.5.0 (dependabot)
f37867b - Bump KyleMayes/install-llvm-action from 1.6.0 to 1.6.1 (dependabot)
f4bb669 - Bump actions/setup-go from 3.3.1 to 3.4.0 (dependabot)
32cf9dd - Bump actions/upload-artifact from 3.1.0 to 3.1.1 (dependabot)
fbdd809 - Bump cilium/little-vm-helper (dependabot)
b8de3be - Bump cilium/little-vm-helper (dependabot)
3d205fe - Add CI tests (@brb)
0a23f88 - Add hidden --ready-file (@brb)
0a62618 - Add --output-file to log traces (@brb)
2692f2e - Update after renaming to main branch (@tklauser)