void sinsp_dumper::open(const string& filename)
{
if(m_inspector->m_h == NULL)
{
throw sinsp_exception("can't start event dump, inspector not opened yet");
}
m_dumper = scap_dump_open(m_inspector->m_h, filename.c_str());
if(m_dumper == NULL)
{
throw sinsp_exception(scap_getlasterr(m_inspector->m_h));
}
}
void sinsp::autodump_start(const string dump_filename)
{
if(NULL == m_h)
{
throw sinsp_exception("inspector not opened yet");
}
m_dumper = scap_dump_open(m_h, dump_filename.c_str());
if(NULL == m_dumper)
{
throw sinsp_exception(scap_getlasterr(m_h));
}
}
void sinsp_container_manager::dump_containers(scap_dumper_t* dumper)
{
for(unordered_map<string, sinsp_container_info>::const_iterator it = m_containers.begin(); it != m_containers.end(); ++it)
{
if(container_to_sinsp_event(container_to_json(it->second), &m_inspector->m_meta_evt))
{
int32_t res = scap_dump(m_inspector->m_h, dumper, m_inspector->m_meta_evt.m_pevt, m_inspector->m_meta_evt.m_cpuid, 0);
if(res != SCAP_SUCCESS)
{
throw sinsp_exception(scap_getlasterr(m_inspector->m_h));
}
}
}
}
void sinsp_dumper::dump(sinsp_evt* evt)
{
if(m_dumper == NULL)
{
throw sinsp_exception("dumper not opened yet");
}
int32_t res = scap_dump(m_inspector->m_h,
m_dumper, evt->m_pevt, evt->m_cpuid);
if(res != SCAP_SUCCESS)
{
throw sinsp_exception(scap_getlasterr(m_inspector->m_h));
}
}
void sinsp::autodump_start(const string& dump_filename, bool compress)
{
if(NULL == m_h)
{
throw sinsp_exception("inspector not opened yet");
}
if(compress)
{
m_dumper = scap_dump_open(m_h, dump_filename.c_str(), SCAP_COMPRESSION_GZIP);
}
else
{
m_dumper = scap_dump_open(m_h, dump_filename.c_str(), SCAP_COMPRESSION_NONE);
}
if(NULL == m_dumper)
{
throw sinsp_exception(scap_getlasterr(m_h));
}
}
void sinsp_dumper::open(const string& filename, bool compress)
{
if(m_inspector->m_h == NULL)
{
throw sinsp_exception("can't start event dump, inspector not opened yet");
}
if(compress)
{
m_dumper = scap_dump_open(m_inspector->m_h, filename.c_str(), SCAP_COMPRESSION_GZIP);
}
else
{
m_dumper = scap_dump_open(m_inspector->m_h, filename.c_str(), SCAP_COMPRESSION_NONE);
}
if(m_dumper == NULL)
{
throw sinsp_exception(scap_getlasterr(m_inspector->m_h));
}
}
scap_t* scap_open_offline(const char* fname, char *error)
{
scap_t* handle = NULL;
//
// Allocate the handle
//
handle = (scap_t*)malloc(sizeof(scap_t));
if(!handle)
{
snprintf(error, SCAP_LASTERR_SIZE, "error allocating the scap_t structure");
return NULL;
}
//
// Preliminary initializations
//
handle->m_devs = NULL;
handle->m_ndevs = 0;
handle->m_proclist = NULL;
handle->m_pollfds = NULL;
handle->m_evtcnt = 0;
handle->m_file = NULL;
handle->m_addrlist = NULL;
handle->m_userlist = NULL;
handle->m_machine_info.num_cpus = (uint32_t)-1;
handle->m_file_evt_buf = (char*)malloc(FILE_READ_BUF_SIZE);
if(!handle->m_file_evt_buf)
{
snprintf(error, SCAP_LASTERR_SIZE, "error allocating the read buffer");
scap_close(handle);
return NULL;
}
//
// Open the file
//
handle->m_file = gzopen(fname, "rb");
if(handle->m_file == NULL)
{
snprintf(error, SCAP_LASTERR_SIZE, "can't open file %s", fname);
scap_close(handle);
return NULL;
}
//
// Validate the file and load the non-event blocks
//
if(scap_read_init(handle, handle->m_file) != SCAP_SUCCESS)
{
snprintf(error, SCAP_LASTERR_SIZE, "%s", scap_getlasterr(handle));
scap_close(handle);
return NULL;
}
//
// Add the fake process for kernel threads
//
handle->m_fake_kernel_proc.tid = -1;
handle->m_fake_kernel_proc.pid = -1;
handle->m_fake_kernel_proc.flags = 0;
snprintf(handle->m_fake_kernel_proc.comm, SCAP_MAX_PATH_SIZE, "kernel");
snprintf(handle->m_fake_kernel_proc.exe, SCAP_MAX_PATH_SIZE, "kernel");
handle->m_fake_kernel_proc.args[0] = 0;
//scap_proc_print_table(handle);
return handle;
}
int main()
{
uint32_t j;
char error[SCAP_LASTERR_SIZE];
int32_t ret;
char* buf;
uint32_t buflen;
uint32_t cur_evts[256];
int32_t ndevs;
uint32_t nloops = 0;
uint64_t totbytes = 0;
uint64_t totevents = 0;
uint64_t devicebytes[256];
uint64_t deviceevents[256];
uint64_t oldtotbytes = 0;
uint64_t oldtotevents = 0;
uint64_t olddevicebytes[256];
uint64_t olddeviceevents[256];
/*
unsigned long new_mask = 1 << (1);
sched_setaffinity(0,
sizeof(unsigned long),
&new_mask);
*/
scap_t* h = scap_open_live(error);
if(h == NULL)
{
fprintf(stderr, "%s\n", error);
return -1;
}
ndevs = scap_get_ndevs(h);
if(ndevs > sizeof(cur_evts)/sizeof(cur_evts[0]))
{
fprintf(stderr, "too many devices %u\n", ndevs);
return -1;
}
for(j = 0; j < ndevs; j++)
{
devicebytes[j] = 0;
deviceevents[j] = 0;
olddevicebytes[j] = 0;
olddeviceevents[j] = 0;
}
while(1)
{
for(j = 0; j < ndevs; j++)
{
uint32_t nevents;
ret = scap_readbuf(h, j, false, &buf, &buflen);
if(ret != SCAP_SUCCESS)
{
fprintf(stderr, "%s\n", scap_getlasterr(h));
scap_close(h);
return -1;
}
cur_evts[j] = -1;
if(g_check_integrity(&(cur_evts[j]), buf, buflen, &nevents) != SCAP_SUCCESS)
{
fprintf(stderr, "Integrity check failure at event %u.\nDumping buffer to dump.bin\n",
(cur_evts[j] == -1)?0:cur_evts[j]);
FILE* f;
f= fopen("dump.bin", "w");
fwrite(buf, buflen, 1, f);
fclose(f);
exit(-1);
}
totbytes += buflen;
totevents += nevents;
devicebytes[j] += buflen;
deviceevents[j] += nevents;
if(nloops == 1000)
{
printf(" %u)bps:%" PRIu64 " totbytes:%" PRIu64 " - evts/s:%" PRIu64 " totevs:%" PRIu64 " \n",
j,
(devicebytes[j] - olddevicebytes[j]),
devicebytes[j],
(deviceevents[j] - olddeviceevents[j]),
deviceevents[j]);
olddevicebytes[j] = devicebytes[j];
olddeviceevents[j] = deviceevents[j];
}
}
//
// XXX this should check the buffer sizes and sleep only if they are all below a certain
// threshold.
//
usleep(1000);
if(nloops == 1000)
{
printf("bps:%" PRIu64 " totbytes:%" PRIu64 " - evts/s:%" PRIu64 " totevs:%" PRIu64 "\n",
totbytes - oldtotbytes,
totbytes,
totevents - oldtotevents,
totevents);
oldtotbytes = totbytes;
oldtotevents = totevents;
nloops = 0;
}
nloops++;
}
scap_close(h);
return 0;
}
int main(int argc, char *argv[]) {
char error[256];
int capture = 1;
time_t last_refresh_t;
scap_t *h ;
//apro la cattura live degli eventi
read_argv(argc, argv);
if(global_data.export_elk)
init_connection_socket();
if(global_data.show_help_enabled){
print_help();
return(1);
}
printf("\n\t\t INIZIO INIZIALIZZAZIONE \n");
if( ( h = scap_open_live(error)) == NULL){
printf("Unable to connect to open sysdig: %s\n", error);
return(false);
}
//setto i filtri per gli eventi da catturare solo se la cattura è live
scap_clear_eventmask(h);
if(scap_set_eventmask(h, PPME_CLONE_16_X) != SCAP_SUCCESS)
printf("[ERROR] scap call failed: old driver ?\n");
if(scap_set_eventmask(h, PPME_PROCEXIT_E) != SCAP_SUCCESS)
printf("[ERROR] scap call failed: old driver ?\n");
if(scap_set_eventmask(h, PPM_SC_EXIT_GROUP) != SCAP_SUCCESS)
printf("[ERROR] scap call failed: old driver ?\n");
if(scap_set_eventmask(h, PPM_SC_EXIT) != SCAP_SUCCESS)
printf("[ERROR] scap call failed: old driver ?\n");
if(global_data.get_all_proc)
init_add_active_proc(h);
printf("\n\t\t FINE INIZIALIZZAZIONE \n");
//ciclo di cattura
last_refresh_t = time(NULL);
while(capture)
{
struct ppm_evt_hdr* ev;
u_int16_t cpuid;
int32_t res = scap_next(h, &ev, &cpuid);
if(res > 0 ) {
printf("[ERROR] %s\n", scap_getlasterr(h));
scap_close(h);
break;
} else if( res == SCAP_SUCCESS ) {
handle_event(ev,cpuid,h);
} else if( res != -1 ) //timeout
fprintf(stderr, "scap_next() returned %d\n", res);
/*si aggiornano i dati ogni refresh_t secondi (5 default)
(XXX numero da regolare) */
if( (time(NULL) - last_refresh_t) > global_data.refresh_t){
manage_data(h);
last_refresh_t = time(NULL);
}
}
//chiudo la cattura live degli eventi
close(global_data.socket_desc);
scap_close(h);
}
