inspecting a tcp/ip packet header using ebpf

Daniel Parker

3 min read

·

22-02-2025

11

0

Share

eBPF (extended Berkeley Packet Filter) is a powerful technology allowing you to run sandboxed programs in the Linux kernel. This opens up incredible possibilities for network monitoring and analysis. One common use case is inspecting the headers of TCP/IP packets in real-time without the performance overhead of traditional methods like tcpdump. This article will guide you through inspecting a TCP/IP packet header using eBPF.

Understanding the TCP/IP Header

Before diving into eBPF, let's briefly review the structure of a TCP/IP packet header. A typical packet consists of an IP header followed by a TCP header (or UDP, etc., depending on the transport protocol). Key fields we'll target for inspection include:

• IP Header: Source IP address, Destination IP address, Protocol (TCP, UDP, ICMP, etc.), Total Length.
• TCP Header: Source Port, Destination Port, Sequence Number, Acknowledgement Number, Flags (SYN, ACK, FIN, etc.).

Understanding these fields is crucial for writing effective eBPF programs.

Writing the eBPF Program (C)

We'll use the C language to write our eBPF program. This program will attach to the kprobe for the tcp_rcv_established kernel function, which is called when a TCP packet arrives in an established connection. This allows us to inspect the packet just after it's received by the kernel.

#include <uapi/linux/bpf.h>
#include <uapi/linux/ptrace.h>
#include <net/sock.h>
#include <net/inet_sock.h>

BPF_PERF_OUTPUT(events);

struct data_t {
    u32 saddr;
    u32 daddr;
    u16 sport;
    u16 dport;
};

int kprobe__tcp_rcv_established(struct pt_regs *ctx) {
    struct sock *sk = (struct sock *)PT_REGS_PARM1(ctx);
    struct inet_sock *inet = inet_csk(sk);
    struct data_t data = {};

    if (inet == NULL) return 0;


    data.saddr = inet->inet_saddr;
    data.daddr = inet->inet_daddr;
    data.sport = ntohs(inet->inet_sport);
    data.dport = ntohs(inet->inet_dport);

    events.perf_submit(ctx, &data, sizeof(data));
    return 0;
};

This code defines a structure data_t to hold the relevant header fields. The kprobe__tcp_rcv_established function extracts the information from the struct sock and struct inet_sock structures, converts the network byte order to host byte order using ntohs, and sends the data to userspace via events.perf_submit.

Compiling and Loading the eBPF Program

You'll need the bcc (BPF Compiler Collection) tools installed to compile and load the eBPF program. After saving the code as, for example, tcp_header_inspector.c, compile it using:

clang -O2 -emit-llvm -c tcp_header_inspector.c -o tcp_header_inspector.bc
llc -filetype=obj tcp_header_inspector.bc -o tcp_header_inspector.o

Then, you can load and run it using a Python script (provided by BCC). This script handles the communication with the kernel and prints the collected data. (Note: the exact script will depend on the specifics of your BCC setup). An example, adapted to our structure, might look like this:

from bcc import BPF

b = BPF(text="""
#include <uapi/linux/bpf.h>
#include <uapi/linux/ptrace.h>
#include <net/sock.h>
#include <net/inet_sock.h>

BPF_PERF_OUTPUT(events);

struct data_t {
    u32 saddr;
    u32 daddr;
    u16 sport;
    u16 dport;
};

int kprobe__tcp_rcv_established(struct pt_regs *ctx) {
    struct sock *sk = (struct sock *)PT_REGS_PARM1(ctx);
    struct inet_sock *inet = inet_csk(sk);
    struct data_t data = {};

    if (inet == NULL) return 0;


    data.saddr = inet->inet_saddr;
    data.daddr = inet->inet_daddr;
    data.sport = ntohs(inet->inet_sport);
    data.dport = ntohs(inet->inet_dport);

    events.perf_submit(ctx, &data, sizeof(data));
    return 0;
};
""")

def print_event(cpu, data, size):
    event = b["events"].event(data)
    print(f"Source IP: {event.saddr}, Destination IP: {event.daddr}, Source Port: {event.sport}, Destination Port: {event.dport}")


b["events"].open_perf_buffer(print_event)

while 1:
    try:
        b.perf_buffer_poll()
    except KeyboardInterrupt:
        exit()

Remember to adjust paths and potentially other aspects based on your environment and the specific BCC version.

Analyzing the Output

The Python script will print the source and destination IP addresses and ports of each TCP packet received. This information provides a real-time view into network traffic. You can further enhance this program to inspect other header fields or filter packets based on specific criteria.

Security Considerations

Always be mindful of security implications when running kernel-level programs like eBPF. Ensure your program is thoroughly tested and reviewed to prevent unintended consequences or vulnerabilities.

This example provides a foundation for more advanced network analysis using eBPF. You can expand upon this by adding more sophisticated filtering, data aggregation, and visualization techniques to gain deeper insights into your network traffic. Remember to consult the BCC documentation and eBPF resources for more advanced usage and troubleshooting.