void sinsp_dumper::open(const string& filename) { if(m_inspector->m_h == NULL) { throw sinsp_exception("can't start event dump, inspector not opened yet"); } m_dumper = scap_dump_open(m_inspector->m_h, filename.c_str()); if(m_dumper == NULL) { throw sinsp_exception(scap_getlasterr(m_inspector->m_h)); } }
void sinsp::autodump_start(const string dump_filename) { if(NULL == m_h) { throw sinsp_exception("inspector not opened yet"); } m_dumper = scap_dump_open(m_h, dump_filename.c_str()); if(NULL == m_dumper) { throw sinsp_exception(scap_getlasterr(m_h)); } }
void sinsp_container_manager::dump_containers(scap_dumper_t* dumper) { for(unordered_map<string, sinsp_container_info>::const_iterator it = m_containers.begin(); it != m_containers.end(); ++it) { if(container_to_sinsp_event(container_to_json(it->second), &m_inspector->m_meta_evt)) { int32_t res = scap_dump(m_inspector->m_h, dumper, m_inspector->m_meta_evt.m_pevt, m_inspector->m_meta_evt.m_cpuid, 0); if(res != SCAP_SUCCESS) { throw sinsp_exception(scap_getlasterr(m_inspector->m_h)); } } } }
void sinsp_dumper::dump(sinsp_evt* evt) { if(m_dumper == NULL) { throw sinsp_exception("dumper not opened yet"); } int32_t res = scap_dump(m_inspector->m_h, m_dumper, evt->m_pevt, evt->m_cpuid); if(res != SCAP_SUCCESS) { throw sinsp_exception(scap_getlasterr(m_inspector->m_h)); } }
void sinsp::autodump_start(const string& dump_filename, bool compress) { if(NULL == m_h) { throw sinsp_exception("inspector not opened yet"); } if(compress) { m_dumper = scap_dump_open(m_h, dump_filename.c_str(), SCAP_COMPRESSION_GZIP); } else { m_dumper = scap_dump_open(m_h, dump_filename.c_str(), SCAP_COMPRESSION_NONE); } if(NULL == m_dumper) { throw sinsp_exception(scap_getlasterr(m_h)); } }
void sinsp_dumper::open(const string& filename, bool compress) { if(m_inspector->m_h == NULL) { throw sinsp_exception("can't start event dump, inspector not opened yet"); } if(compress) { m_dumper = scap_dump_open(m_inspector->m_h, filename.c_str(), SCAP_COMPRESSION_GZIP); } else { m_dumper = scap_dump_open(m_inspector->m_h, filename.c_str(), SCAP_COMPRESSION_NONE); } if(m_dumper == NULL) { throw sinsp_exception(scap_getlasterr(m_inspector->m_h)); } }
scap_t* scap_open_offline(const char* fname, char *error) { scap_t* handle = NULL; // // Allocate the handle // handle = (scap_t*)malloc(sizeof(scap_t)); if(!handle) { snprintf(error, SCAP_LASTERR_SIZE, "error allocating the scap_t structure"); return NULL; } // // Preliminary initializations // handle->m_devs = NULL; handle->m_ndevs = 0; handle->m_proclist = NULL; handle->m_pollfds = NULL; handle->m_evtcnt = 0; handle->m_file = NULL; handle->m_addrlist = NULL; handle->m_userlist = NULL; handle->m_machine_info.num_cpus = (uint32_t)-1; handle->m_file_evt_buf = (char*)malloc(FILE_READ_BUF_SIZE); if(!handle->m_file_evt_buf) { snprintf(error, SCAP_LASTERR_SIZE, "error allocating the read buffer"); scap_close(handle); return NULL; } // // Open the file // handle->m_file = gzopen(fname, "rb"); if(handle->m_file == NULL) { snprintf(error, SCAP_LASTERR_SIZE, "can't open file %s", fname); scap_close(handle); return NULL; } // // Validate the file and load the non-event blocks // if(scap_read_init(handle, handle->m_file) != SCAP_SUCCESS) { snprintf(error, SCAP_LASTERR_SIZE, "%s", scap_getlasterr(handle)); scap_close(handle); return NULL; } // // Add the fake process for kernel threads // handle->m_fake_kernel_proc.tid = -1; handle->m_fake_kernel_proc.pid = -1; handle->m_fake_kernel_proc.flags = 0; snprintf(handle->m_fake_kernel_proc.comm, SCAP_MAX_PATH_SIZE, "kernel"); snprintf(handle->m_fake_kernel_proc.exe, SCAP_MAX_PATH_SIZE, "kernel"); handle->m_fake_kernel_proc.args[0] = 0; //scap_proc_print_table(handle); return handle; }
int main() { uint32_t j; char error[SCAP_LASTERR_SIZE]; int32_t ret; char* buf; uint32_t buflen; uint32_t cur_evts[256]; int32_t ndevs; uint32_t nloops = 0; uint64_t totbytes = 0; uint64_t totevents = 0; uint64_t devicebytes[256]; uint64_t deviceevents[256]; uint64_t oldtotbytes = 0; uint64_t oldtotevents = 0; uint64_t olddevicebytes[256]; uint64_t olddeviceevents[256]; /* unsigned long new_mask = 1 << (1); sched_setaffinity(0, sizeof(unsigned long), &new_mask); */ scap_t* h = scap_open_live(error); if(h == NULL) { fprintf(stderr, "%s\n", error); return -1; } ndevs = scap_get_ndevs(h); if(ndevs > sizeof(cur_evts)/sizeof(cur_evts[0])) { fprintf(stderr, "too many devices %u\n", ndevs); return -1; } for(j = 0; j < ndevs; j++) { devicebytes[j] = 0; deviceevents[j] = 0; olddevicebytes[j] = 0; olddeviceevents[j] = 0; } while(1) { for(j = 0; j < ndevs; j++) { uint32_t nevents; ret = scap_readbuf(h, j, false, &buf, &buflen); if(ret != SCAP_SUCCESS) { fprintf(stderr, "%s\n", scap_getlasterr(h)); scap_close(h); return -1; } cur_evts[j] = -1; if(g_check_integrity(&(cur_evts[j]), buf, buflen, &nevents) != SCAP_SUCCESS) { fprintf(stderr, "Integrity check failure at event %u.\nDumping buffer to dump.bin\n", (cur_evts[j] == -1)?0:cur_evts[j]); FILE* f; f= fopen("dump.bin", "w"); fwrite(buf, buflen, 1, f); fclose(f); exit(-1); } totbytes += buflen; totevents += nevents; devicebytes[j] += buflen; deviceevents[j] += nevents; if(nloops == 1000) { printf(" %u)bps:%" PRIu64 " totbytes:%" PRIu64 " - evts/s:%" PRIu64 " totevs:%" PRIu64 " \n", j, (devicebytes[j] - olddevicebytes[j]), devicebytes[j], (deviceevents[j] - olddeviceevents[j]), deviceevents[j]); olddevicebytes[j] = devicebytes[j]; olddeviceevents[j] = deviceevents[j]; } } // // XXX this should check the buffer sizes and sleep only if they are all below a certain // threshold. // usleep(1000); if(nloops == 1000) { printf("bps:%" PRIu64 " totbytes:%" PRIu64 " - evts/s:%" PRIu64 " totevs:%" PRIu64 "\n", totbytes - oldtotbytes, totbytes, totevents - oldtotevents, totevents); oldtotbytes = totbytes; oldtotevents = totevents; nloops = 0; } nloops++; } scap_close(h); return 0; }
int main(int argc, char *argv[]) { char error[256]; int capture = 1; time_t last_refresh_t; scap_t *h ; //apro la cattura live degli eventi read_argv(argc, argv); if(global_data.export_elk) init_connection_socket(); if(global_data.show_help_enabled){ print_help(); return(1); } printf("\n\t\t INIZIO INIZIALIZZAZIONE \n"); if( ( h = scap_open_live(error)) == NULL){ printf("Unable to connect to open sysdig: %s\n", error); return(false); } //setto i filtri per gli eventi da catturare solo se la cattura è live scap_clear_eventmask(h); if(scap_set_eventmask(h, PPME_CLONE_16_X) != SCAP_SUCCESS) printf("[ERROR] scap call failed: old driver ?\n"); if(scap_set_eventmask(h, PPME_PROCEXIT_E) != SCAP_SUCCESS) printf("[ERROR] scap call failed: old driver ?\n"); if(scap_set_eventmask(h, PPM_SC_EXIT_GROUP) != SCAP_SUCCESS) printf("[ERROR] scap call failed: old driver ?\n"); if(scap_set_eventmask(h, PPM_SC_EXIT) != SCAP_SUCCESS) printf("[ERROR] scap call failed: old driver ?\n"); if(global_data.get_all_proc) init_add_active_proc(h); printf("\n\t\t FINE INIZIALIZZAZIONE \n"); //ciclo di cattura last_refresh_t = time(NULL); while(capture) { struct ppm_evt_hdr* ev; u_int16_t cpuid; int32_t res = scap_next(h, &ev, &cpuid); if(res > 0 ) { printf("[ERROR] %s\n", scap_getlasterr(h)); scap_close(h); break; } else if( res == SCAP_SUCCESS ) { handle_event(ev,cpuid,h); } else if( res != -1 ) //timeout fprintf(stderr, "scap_next() returned %d\n", res); /*si aggiornano i dati ogni refresh_t secondi (5 default) (XXX numero da regolare) */ if( (time(NULL) - last_refresh_t) > global_data.refresh_t){ manage_data(h); last_refresh_t = time(NULL); } } //chiudo la cattura live degli eventi close(global_data.socket_desc); scap_close(h); }