void sinsp::open(uint32_t timeout_ms)
{
char error[SCAP_LASTERR_SIZE];
g_logger.log("starting live capture");
m_islive = true;
m_h = scap_open_live(error);
if(m_h == NULL)
{
throw sinsp_exception(error);
}
init();
}
int main()
{
uint32_t j;
char error[SCAP_LASTERR_SIZE];
int32_t ret;
char* buf;
uint32_t buflen;
uint32_t cur_evts[256];
int32_t ndevs;
uint32_t nloops = 0;
uint64_t totbytes = 0;
uint64_t totevents = 0;
uint64_t devicebytes[256];
uint64_t deviceevents[256];
uint64_t oldtotbytes = 0;
uint64_t oldtotevents = 0;
uint64_t olddevicebytes[256];
uint64_t olddeviceevents[256];
/*
unsigned long new_mask = 1 << (1);
sched_setaffinity(0,
sizeof(unsigned long),
&new_mask);
*/
scap_t* h = scap_open_live(error);
if(h == NULL)
{
fprintf(stderr, "%s\n", error);
return -1;
}
ndevs = scap_get_ndevs(h);
if(ndevs > sizeof(cur_evts)/sizeof(cur_evts[0]))
{
fprintf(stderr, "too many devices %u\n", ndevs);
return -1;
}
for(j = 0; j < ndevs; j++)
{
devicebytes[j] = 0;
deviceevents[j] = 0;
olddevicebytes[j] = 0;
olddeviceevents[j] = 0;
}
while(1)
{
for(j = 0; j < ndevs; j++)
{
uint32_t nevents;
ret = scap_readbuf(h, j, false, &buf, &buflen);
if(ret != SCAP_SUCCESS)
{
fprintf(stderr, "%s\n", scap_getlasterr(h));
scap_close(h);
return -1;
}
cur_evts[j] = -1;
if(g_check_integrity(&(cur_evts[j]), buf, buflen, &nevents) != SCAP_SUCCESS)
{
fprintf(stderr, "Integrity check failure at event %u.\nDumping buffer to dump.bin\n",
(cur_evts[j] == -1)?0:cur_evts[j]);
FILE* f;
f= fopen("dump.bin", "w");
fwrite(buf, buflen, 1, f);
fclose(f);
exit(-1);
}
totbytes += buflen;
totevents += nevents;
devicebytes[j] += buflen;
deviceevents[j] += nevents;
if(nloops == 1000)
{
printf(" %u)bps:%" PRIu64 " totbytes:%" PRIu64 " - evts/s:%" PRIu64 " totevs:%" PRIu64 " \n",
j,
(devicebytes[j] - olddevicebytes[j]),
devicebytes[j],
(deviceevents[j] - olddeviceevents[j]),
deviceevents[j]);
olddevicebytes[j] = devicebytes[j];
olddeviceevents[j] = deviceevents[j];
}
}
//
// XXX this should check the buffer sizes and sleep only if they are all below a certain
// threshold.
//
usleep(1000);
if(nloops == 1000)
{
printf("bps:%" PRIu64 " totbytes:%" PRIu64 " - evts/s:%" PRIu64 " totevs:%" PRIu64 "\n",
totbytes - oldtotbytes,
totbytes,
totevents - oldtotevents,
totevents);
oldtotbytes = totbytes;
oldtotevents = totevents;
nloops = 0;
}
nloops++;
}
scap_close(h);
return 0;
}
int main(int argc, char *argv[]) {
char error[256];
int capture = 1;
time_t last_refresh_t;
scap_t *h ;
//apro la cattura live degli eventi
read_argv(argc, argv);
if(global_data.export_elk)
init_connection_socket();
if(global_data.show_help_enabled){
print_help();
return(1);
}
printf("\n\t\t INIZIO INIZIALIZZAZIONE \n");
if( ( h = scap_open_live(error)) == NULL){
printf("Unable to connect to open sysdig: %s\n", error);
return(false);
}
//setto i filtri per gli eventi da catturare solo se la cattura รจ live
scap_clear_eventmask(h);
if(scap_set_eventmask(h, PPME_CLONE_16_X) != SCAP_SUCCESS)
printf("[ERROR] scap call failed: old driver ?\n");
if(scap_set_eventmask(h, PPME_PROCEXIT_E) != SCAP_SUCCESS)
printf("[ERROR] scap call failed: old driver ?\n");
if(scap_set_eventmask(h, PPM_SC_EXIT_GROUP) != SCAP_SUCCESS)
printf("[ERROR] scap call failed: old driver ?\n");
if(scap_set_eventmask(h, PPM_SC_EXIT) != SCAP_SUCCESS)
printf("[ERROR] scap call failed: old driver ?\n");
if(global_data.get_all_proc)
init_add_active_proc(h);
printf("\n\t\t FINE INIZIALIZZAZIONE \n");
//ciclo di cattura
last_refresh_t = time(NULL);
while(capture)
{
struct ppm_evt_hdr* ev;
u_int16_t cpuid;
int32_t res = scap_next(h, &ev, &cpuid);
if(res > 0 ) {
printf("[ERROR] %s\n", scap_getlasterr(h));
scap_close(h);
break;
} else if( res == SCAP_SUCCESS ) {
handle_event(ev,cpuid,h);
} else if( res != -1 ) //timeout
fprintf(stderr, "scap_next() returned %d\n", res);
/*si aggiornano i dati ogni refresh_t secondi (5 default)
(XXX numero da regolare) */
if( (time(NULL) - last_refresh_t) > global_data.refresh_t){
manage_data(h);
last_refresh_t = time(NULL);
}
}
//chiudo la cattura live degli eventi
close(global_data.socket_desc);
scap_close(h);
}
