예제 #1
0
void sinsp_dumper::open(const string& filename)
{
	if(m_inspector->m_h == NULL)
	{
		throw sinsp_exception("can't start event dump, inspector not opened yet");
	}

	m_dumper = scap_dump_open(m_inspector->m_h, filename.c_str());
	if(m_dumper == NULL)
	{
		throw sinsp_exception(scap_getlasterr(m_inspector->m_h));
	}
}
예제 #2
0
파일: sinsp.cpp 프로젝트: respi-chan/sysdig
void sinsp::autodump_start(const string dump_filename)
{
	if(NULL == m_h)
	{
		throw sinsp_exception("inspector not opened yet");
	}

	m_dumper = scap_dump_open(m_h, dump_filename.c_str());
	if(NULL == m_dumper)
	{
		throw sinsp_exception(scap_getlasterr(m_h));
	}
}
예제 #3
0
void sinsp_container_manager::dump_containers(scap_dumper_t* dumper)
{
	for(unordered_map<string, sinsp_container_info>::const_iterator it = m_containers.begin(); it != m_containers.end(); ++it)
	{
		if(container_to_sinsp_event(container_to_json(it->second), &m_inspector->m_meta_evt))
		{
			int32_t res = scap_dump(m_inspector->m_h, dumper, m_inspector->m_meta_evt.m_pevt, m_inspector->m_meta_evt.m_cpuid, 0);
			if(res != SCAP_SUCCESS)
			{
				throw sinsp_exception(scap_getlasterr(m_inspector->m_h));
			}
		}
	}
}
예제 #4
0
void sinsp_dumper::dump(sinsp_evt* evt)
{
	if(m_dumper == NULL)
	{
		throw sinsp_exception("dumper not opened yet");
	}

	int32_t res = scap_dump(m_inspector->m_h, 
		m_dumper, evt->m_pevt, evt->m_cpuid);

	if(res != SCAP_SUCCESS)
	{
		throw sinsp_exception(scap_getlasterr(m_inspector->m_h));
	}
}
예제 #5
0
파일: sinsp.cpp 프로젝트: ldegio/sysdig
void sinsp::autodump_start(const string& dump_filename, bool compress)
{
	if(NULL == m_h)
	{
		throw sinsp_exception("inspector not opened yet");
	}

	if(compress)
	{
		m_dumper = scap_dump_open(m_h, dump_filename.c_str(), SCAP_COMPRESSION_GZIP);
	}
	else
	{
		m_dumper = scap_dump_open(m_h, dump_filename.c_str(), SCAP_COMPRESSION_NONE);
	}

	if(NULL == m_dumper)
	{
		throw sinsp_exception(scap_getlasterr(m_h));
	}
}
예제 #6
0
파일: dumper.cpp 프로젝트: 17twenty/sysdig
void sinsp_dumper::open(const string& filename, bool compress)
{
	if(m_inspector->m_h == NULL)
	{
		throw sinsp_exception("can't start event dump, inspector not opened yet");
	}

	if(compress)
	{
		m_dumper = scap_dump_open(m_inspector->m_h, filename.c_str(), SCAP_COMPRESSION_GZIP);
	}
	else
	{
		m_dumper = scap_dump_open(m_inspector->m_h, filename.c_str(), SCAP_COMPRESSION_NONE);
	}

	if(m_dumper == NULL)
	{
		throw sinsp_exception(scap_getlasterr(m_inspector->m_h));
	}
}
예제 #7
0
파일: scap.c 프로젝트: 17twenty/sysdig
scap_t* scap_open_offline(const char* fname, char *error)
{
	scap_t* handle = NULL;

	//
	// Allocate the handle
	//
	handle = (scap_t*)malloc(sizeof(scap_t));
	if(!handle)
	{
		snprintf(error, SCAP_LASTERR_SIZE, "error allocating the scap_t structure");
		return NULL;
	}

	//
	// Preliminary initializations
	//
	handle->m_devs = NULL;
	handle->m_ndevs = 0;
	handle->m_proclist = NULL;
	handle->m_pollfds = NULL;
	handle->m_evtcnt = 0;
	handle->m_file = NULL;
	handle->m_addrlist = NULL;
	handle->m_userlist = NULL;
	handle->m_machine_info.num_cpus = (uint32_t)-1;

	handle->m_file_evt_buf = (char*)malloc(FILE_READ_BUF_SIZE);
	if(!handle->m_file_evt_buf)
	{
		snprintf(error, SCAP_LASTERR_SIZE, "error allocating the read buffer");
		scap_close(handle);
		return NULL;
	}

	//
	// Open the file
	//
	handle->m_file = gzopen(fname, "rb");
	if(handle->m_file == NULL)
	{
		snprintf(error, SCAP_LASTERR_SIZE, "can't open file %s", fname);
		scap_close(handle);
		return NULL;
	}

	//
	// Validate the file and load the non-event blocks
	//
	if(scap_read_init(handle, handle->m_file) != SCAP_SUCCESS)
	{
		snprintf(error, SCAP_LASTERR_SIZE, "%s", scap_getlasterr(handle));
		scap_close(handle);
		return NULL;
	}

	//
	// Add the fake process for kernel threads
	//
	handle->m_fake_kernel_proc.tid = -1;
	handle->m_fake_kernel_proc.pid = -1;
	handle->m_fake_kernel_proc.flags = 0;
	snprintf(handle->m_fake_kernel_proc.comm, SCAP_MAX_PATH_SIZE, "kernel");
	snprintf(handle->m_fake_kernel_proc.exe, SCAP_MAX_PATH_SIZE, "kernel");
	handle->m_fake_kernel_proc.args[0] = 0;

//scap_proc_print_table(handle);

	return handle;
}
예제 #8
0
파일: test.c 프로젝트: kjseefried/sysdig
int main()
{
    uint32_t j;
    char error[SCAP_LASTERR_SIZE];
    int32_t ret;
    char* buf;
    uint32_t buflen;
    uint32_t cur_evts[256];
    int32_t ndevs;
    uint32_t nloops = 0;
    uint64_t totbytes = 0;
    uint64_t totevents = 0;
    uint64_t devicebytes[256];
    uint64_t deviceevents[256];
    uint64_t oldtotbytes = 0;
    uint64_t oldtotevents = 0;
    uint64_t olddevicebytes[256];
    uint64_t olddeviceevents[256];

    /*
    	unsigned long new_mask = 1 << (1);
    	sched_setaffinity(0,
    		sizeof(unsigned long),
    		&new_mask);
    */

    scap_t* h = scap_open_live(error);
    if(h == NULL)
    {
        fprintf(stderr, "%s\n", error);
        return -1;
    }

    ndevs = scap_get_ndevs(h);

    if(ndevs > sizeof(cur_evts)/sizeof(cur_evts[0]))
    {
        fprintf(stderr, "too many devices %u\n", ndevs);
        return -1;
    }

    for(j = 0; j < ndevs; j++)
    {
        devicebytes[j] = 0;
        deviceevents[j] = 0;
        olddevicebytes[j] = 0;
        olddeviceevents[j] = 0;
    }

    while(1)
    {
        for(j = 0; j < ndevs; j++)
        {
            uint32_t nevents;

            ret = scap_readbuf(h, j, false, &buf, &buflen);

            if(ret != SCAP_SUCCESS)
            {
                fprintf(stderr, "%s\n", scap_getlasterr(h));
                scap_close(h);
                return -1;
            }

            cur_evts[j] = -1;

            if(g_check_integrity(&(cur_evts[j]), buf, buflen, &nevents) != SCAP_SUCCESS)
            {
                fprintf(stderr, "Integrity check failure at event %u.\nDumping buffer to dump.bin\n",
                        (cur_evts[j] == -1)?0:cur_evts[j]);

                FILE* f;
                f= fopen("dump.bin", "w");
                fwrite(buf, buflen, 1, f);
                fclose(f);
                exit(-1);
            }

            totbytes += buflen;
            totevents += nevents;
            devicebytes[j] += buflen;
            deviceevents[j] += nevents;

            if(nloops == 1000)
            {
                printf(" %u)bps:%" PRIu64 " totbytes:%" PRIu64 " - evts/s:%" PRIu64 " totevs:%" PRIu64 " \n",
                       j,
                       (devicebytes[j] - olddevicebytes[j]),
                       devicebytes[j],
                       (deviceevents[j] - olddeviceevents[j]),
                       deviceevents[j]);

                olddevicebytes[j] = devicebytes[j];
                olddeviceevents[j] = deviceevents[j];
            }
        }

        //
        // XXX this should check the buffer sizes and sleep only if they are all below a certain
        // threshold.
        //
        usleep(1000);

        if(nloops == 1000)
        {
            printf("bps:%" PRIu64 " totbytes:%" PRIu64 " - evts/s:%" PRIu64 " totevs:%" PRIu64 "\n",
                   totbytes - oldtotbytes,
                   totbytes,
                   totevents - oldtotevents,
                   totevents);

            oldtotbytes = totbytes;
            oldtotevents = totevents;

            nloops = 0;
        }

        nloops++;
    }

    scap_close(h);
    return 0;
}
예제 #9
0
int main(int argc, char *argv[]) {

  char error[256];
  int capture = 1;
  time_t last_refresh_t;
  scap_t *h ;
  //apro la cattura live degli eventi
  
  
  read_argv(argc, argv);

  if(global_data.export_elk)
    init_connection_socket();

  if(global_data.show_help_enabled){
    print_help();
    return(1);
  }
  printf("\n\t\t INIZIO INIZIALIZZAZIONE \n");
  if( ( h = scap_open_live(error)) == NULL){
    printf("Unable to connect to open sysdig: %s\n", error);
    return(false);
    }


  //setto i filtri per gli eventi da catturare solo se la cattura è live
    scap_clear_eventmask(h);
    if(scap_set_eventmask(h, PPME_CLONE_16_X) != SCAP_SUCCESS)
      printf("[ERROR] scap call failed: old driver ?\n");
    if(scap_set_eventmask(h, PPME_PROCEXIT_E) != SCAP_SUCCESS)
      printf("[ERROR] scap call failed: old driver ?\n");
    if(scap_set_eventmask(h, PPM_SC_EXIT_GROUP) != SCAP_SUCCESS)
      printf("[ERROR] scap call failed: old driver ?\n");
    if(scap_set_eventmask(h, PPM_SC_EXIT) != SCAP_SUCCESS)
      printf("[ERROR] scap call failed: old driver ?\n");

  if(global_data.get_all_proc)
    init_add_active_proc(h);

  printf("\n\t\t FINE INIZIALIZZAZIONE \n");
  //ciclo di cattura
  last_refresh_t = time(NULL);
  while(capture)
    {	
      struct ppm_evt_hdr* ev;
      u_int16_t cpuid;
      int32_t res = scap_next(h, &ev, &cpuid);

      if(res > 0 ) {
	printf("[ERROR] %s\n", scap_getlasterr(h));
	scap_close(h);
	break;
      } else if( res == SCAP_SUCCESS ) {
	handle_event(ev,cpuid,h);
      } else if( res != -1 ) 	//timeout
	fprintf(stderr, "scap_next() returned %d\n", res);
      /*si aggiornano i dati ogni refresh_t secondi (5 default)
	(XXX numero da regolare) */
      if( (time(NULL) - last_refresh_t) > global_data.refresh_t){
        manage_data(h);
	last_refresh_t = time(NULL);
      }
    }
  //chiudo la cattura live degli eventi
  close(global_data.socket_desc);
  scap_close(h);
}