void sinsp::open(uint32_t timeout_ms) { char error[SCAP_LASTERR_SIZE]; g_logger.log("starting live capture"); m_islive = true; m_h = scap_open_live(error); if(m_h == NULL) { throw sinsp_exception(error); } init(); }
int main() { uint32_t j; char error[SCAP_LASTERR_SIZE]; int32_t ret; char* buf; uint32_t buflen; uint32_t cur_evts[256]; int32_t ndevs; uint32_t nloops = 0; uint64_t totbytes = 0; uint64_t totevents = 0; uint64_t devicebytes[256]; uint64_t deviceevents[256]; uint64_t oldtotbytes = 0; uint64_t oldtotevents = 0; uint64_t olddevicebytes[256]; uint64_t olddeviceevents[256]; /* unsigned long new_mask = 1 << (1); sched_setaffinity(0, sizeof(unsigned long), &new_mask); */ scap_t* h = scap_open_live(error); if(h == NULL) { fprintf(stderr, "%s\n", error); return -1; } ndevs = scap_get_ndevs(h); if(ndevs > sizeof(cur_evts)/sizeof(cur_evts[0])) { fprintf(stderr, "too many devices %u\n", ndevs); return -1; } for(j = 0; j < ndevs; j++) { devicebytes[j] = 0; deviceevents[j] = 0; olddevicebytes[j] = 0; olddeviceevents[j] = 0; } while(1) { for(j = 0; j < ndevs; j++) { uint32_t nevents; ret = scap_readbuf(h, j, false, &buf, &buflen); if(ret != SCAP_SUCCESS) { fprintf(stderr, "%s\n", scap_getlasterr(h)); scap_close(h); return -1; } cur_evts[j] = -1; if(g_check_integrity(&(cur_evts[j]), buf, buflen, &nevents) != SCAP_SUCCESS) { fprintf(stderr, "Integrity check failure at event %u.\nDumping buffer to dump.bin\n", (cur_evts[j] == -1)?0:cur_evts[j]); FILE* f; f= fopen("dump.bin", "w"); fwrite(buf, buflen, 1, f); fclose(f); exit(-1); } totbytes += buflen; totevents += nevents; devicebytes[j] += buflen; deviceevents[j] += nevents; if(nloops == 1000) { printf(" %u)bps:%" PRIu64 " totbytes:%" PRIu64 " - evts/s:%" PRIu64 " totevs:%" PRIu64 " \n", j, (devicebytes[j] - olddevicebytes[j]), devicebytes[j], (deviceevents[j] - olddeviceevents[j]), deviceevents[j]); olddevicebytes[j] = devicebytes[j]; olddeviceevents[j] = deviceevents[j]; } } // // XXX this should check the buffer sizes and sleep only if they are all below a certain // threshold. // usleep(1000); if(nloops == 1000) { printf("bps:%" PRIu64 " totbytes:%" PRIu64 " - evts/s:%" PRIu64 " totevs:%" PRIu64 "\n", totbytes - oldtotbytes, totbytes, totevents - oldtotevents, totevents); oldtotbytes = totbytes; oldtotevents = totevents; nloops = 0; } nloops++; } scap_close(h); return 0; }
int main(int argc, char *argv[]) { char error[256]; int capture = 1; time_t last_refresh_t; scap_t *h ; //apro la cattura live degli eventi read_argv(argc, argv); if(global_data.export_elk) init_connection_socket(); if(global_data.show_help_enabled){ print_help(); return(1); } printf("\n\t\t INIZIO INIZIALIZZAZIONE \n"); if( ( h = scap_open_live(error)) == NULL){ printf("Unable to connect to open sysdig: %s\n", error); return(false); } //setto i filtri per gli eventi da catturare solo se la cattura è live scap_clear_eventmask(h); if(scap_set_eventmask(h, PPME_CLONE_16_X) != SCAP_SUCCESS) printf("[ERROR] scap call failed: old driver ?\n"); if(scap_set_eventmask(h, PPME_PROCEXIT_E) != SCAP_SUCCESS) printf("[ERROR] scap call failed: old driver ?\n"); if(scap_set_eventmask(h, PPM_SC_EXIT_GROUP) != SCAP_SUCCESS) printf("[ERROR] scap call failed: old driver ?\n"); if(scap_set_eventmask(h, PPM_SC_EXIT) != SCAP_SUCCESS) printf("[ERROR] scap call failed: old driver ?\n"); if(global_data.get_all_proc) init_add_active_proc(h); printf("\n\t\t FINE INIZIALIZZAZIONE \n"); //ciclo di cattura last_refresh_t = time(NULL); while(capture) { struct ppm_evt_hdr* ev; u_int16_t cpuid; int32_t res = scap_next(h, &ev, &cpuid); if(res > 0 ) { printf("[ERROR] %s\n", scap_getlasterr(h)); scap_close(h); break; } else if( res == SCAP_SUCCESS ) { handle_event(ev,cpuid,h); } else if( res != -1 ) //timeout fprintf(stderr, "scap_next() returned %d\n", res); /*si aggiornano i dati ogni refresh_t secondi (5 default) (XXX numero da regolare) */ if( (time(NULL) - last_refresh_t) > global_data.refresh_t){ manage_data(h); last_refresh_t = time(NULL); } } //chiudo la cattura live degli eventi close(global_data.socket_desc); scap_close(h); }