rbbcc 0.11.6 → 0.11.8

data/examples/bitehist.rb

@@ -1,46 +0,0 @@
-#!/usr/bin/env ruby
-#
-# bitehist.rb, ported from bitehist.py. See license on that file
-#
-# Written as a basic example of using histograms to show a distribution.
-#
-# A Ctrl-C will print the gathered histogram then exit.
-#
-
-require 'rbbcc'
-include RbBCC
-
-b = BCC.new(text: <<CLANG)
-#include <uapi/linux/ptrace.h>
-#include <linux/blkdev.h>
-
-BPF_HISTOGRAM(dist);
-BPF_HISTOGRAM(dist_linear);
-
-int kprobe__blk_account_io_done(struct pt_regs *ctx, struct request *req)
-{
-  dist.increment(bpf_log2l(req->__data_len / 1024));
-  dist_linear.increment(req->__data_len / 1024);
-  return 0;
-}
-CLANG
-
-puts "Tracing... Hit Ctrl-C to end."
-
-loop do
-  begin
-    sleep 0.1
-  rescue Interrupt
-    puts
-    break
-  end
-end
-
-puts "log2 histogram"
-puts "~~~~~~~~~~~~~~"
-b["dist"].print_log2_hist("kbytes")
-
-puts
-puts "linear histogram"
-puts "~~~~~~~~~~~~~~~~"
-b["dist_linear"].print_linear_hist("kbytes")

data/examples/charty/Gemfile

@@ -1,11 +0,0 @@
-# frozen_string_literal: true
-
-source "https://rubygems.org"
-
-git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
-
-gem "rbbcc", path: '../../'
-gem "charty", path: '/usr/local/ghq/github.com/udzura/charty'
-gem "unicode_plot"
-gem "numo"
-gem "matplotlib"

data/examples/charty/Gemfile.lock

@@ -1,48 +0,0 @@
-PATH
-  remote: ../..
-  specs:
-    rbbcc (0.2.0)
-
-PATH
-  remote: /usr/local/ghq/github.com/udzura/charty
-  specs:
-    charty (0.2.2)
-      red-colors
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    enumerable-statistics (2.0.1)
-    matplotlib (1.1.0)
-      pycall (>= 1.0.0)
-    numo (0.1.1)
-      numo-fftw (~> 0.1.1)
-      numo-gnuplot (~> 0.2.4)
-      numo-gsl (~> 0.1.1)
-      numo-linalg (~> 0.1.0)
-      numo-narray (~> 0.9.1)
-    numo-fftw (0.1.1)
-      numo-narray (~> 0.9.0)
-    numo-gnuplot (0.2.4)
-    numo-gsl (0.1.2)
-      numo-narray (>= 0.9.0.8)
-    numo-linalg (0.1.5)
-      numo-narray (>= 0.9.1.4)
-    numo-narray (0.9.1.6)
-    pycall (1.3.0)
-    red-colors (0.1.1)
-    unicode_plot (0.0.4)
-      enumerable-statistics (>= 2.0.1)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  charty!
-  matplotlib
-  numo
-  rbbcc!
-  unicode_plot
-
-BUNDLED WITH
-   2.0.2

data/examples/charty/bitehist-unicode.rb

@@ -1,87 +0,0 @@
-#!/usr/bin/env ruby
-#
-# bitehist.rb, ported from bitehist.py. See license on that file
-#
-# Written as a basic example of using histograms to show a distribution.
-#
-# A Ctrl-C will print the gathered histogram then exit.
-#
-
-require 'rbbcc'
-include RbBCC
-
-b = BCC.new(text: <<CLANG)
-#include <uapi/linux/ptrace.h>
-#include <linux/blkdev.h>
-
-BPF_HISTOGRAM(dist);
-BPF_HISTOGRAM(dist_linear);
-
-int kprobe__blk_account_io_completion(struct pt_regs *ctx, struct request *req)
-{
-  dist.increment(bpf_log2l(req->__data_len / 1024));
-  dist_linear.increment(req->__data_len / 1024);
-  return 0;
-}
-CLANG
-
-puts "Tracing... Hit Ctrl-C to end."
-
-loop do
-  begin
-    sleep 0.1
-  rescue Interrupt
-    puts
-    break
-  end
-end
-
-require 'unicode_plot'
-def log2hist_unicode(table)
-  strip_leading_zero = true
-  vals = Array.new($log2_index_max) { 0 }
-  data = {}
-  table.each_pair do |k, v|
-    vals[k.to_bcc_value] = v.to_bcc_value
-  end
-
-  log2_dist_max = 64
-  idx_max = -1
-  val_max = 0
-
-  vals.each_with_index do |v, i|
-    idx_max = i if v > 0
-    val_max = v if v > val_max
-  end
-
-  (1...(idx_max + 1)).each do |i|
-    low = (1 << i) >> 1
-    high = (1 << i)
-    if (low == high)
-      low -= 1
-    end
-    val = vals[i]
-
-    if strip_leading_zero
-      if val
-        data["[#{low}, #{high})"] = val
-        strip_leading_zero = false
-      end
-    else
-      data["[#{low}, #{high})"] = val
-    end
-  end
-
-  unless data.empty?
-    puts UnicodePlot.barplot(ylabel: "kbytes", data: data, title: "log2 histogram", color: :magenta).render
-  else
-    puts "No sample found."
-  end
-end
-
-log2hist_unicode b["dist"]
-
-# puts
-# puts "linear histogram"
-# puts "~~~~~~~~~~~~~~~~"
-# b["dist_linear"].print_linear_hist("kbytes")

data/examples/collectsyscall.rb

@@ -1,182 +0,0 @@
-#!/usr/bin/env ruby
-#
-# Example to use complecated structure in BPF Map key:
-# This program collects and shows raw syscall usage summary.
-#
-# Usage:
-#     bundle exec ruby examples/collectsyscall.rb
-#
-# Output example:
-#     Collecting syscalls...
-#     ^C
-#     PID=1098(maybe: gmain) --->
-#       inotify_add_watch      4    0.019 ms
-#       poll                   1    0.000 ms
-#
-#     PID=1114(maybe: dbus-daemon) --->
-#       stat                  12    0.021 ms
-#       openat                 3    0.015 ms
-#       getdents               2    0.013 ms
-#       recvmsg                2    0.006 ms
-#       sendmsg                1    0.008 ms
-#       close                  1    0.002 ms
-#       fstat                  1    0.002 ms
-#       epoll_wait             1    0.000 ms
-#
-#     PID=1175(maybe: memcached) --->
-#       epoll_wait             3 2012.455 ms
-#
-#     PID=1213(maybe: redis-server) --->
-#       read                  64    0.736 ms
-#       epoll_wait            32 3782.098 ms
-#       openat                32    1.149 ms
-#       getpid                32    0.074 ms
-#       close                 32    0.045 ms
-#     ....
-
-require 'rbbcc'
-include RbBCC
-
-$pid = nil
-$comm = nil
-
-if ARGV.size == 2 &&
-   ARGV[0] == '-p'
-  $pid = ARGV[1].to_i
-elsif ARGV.size == 2 &&
-   ARGV[0] == '-c'
-  $comm = ARGV[1]
-elsif ARGV[0] == '-h' ||
-      ARGV[0] == '--help'
-  $stderr.puts "Usage: #{$0} [-p PID]"
-  exit 1
-end
-
-SYSCALL_MAP = `ausyscall --dump`
-                .lines
-                .map{|l| l.chomp.split }
-                .each_with_object(Hash.new) {|(k, v), ha| ha[k.to_i] = v }
-
-# if no ausyscall(8) then shows number itself
-# it is included in auditd package (e.g. Ubuntu)
-def to_name(nr)
-  SYSCALL_MAP[nr] || nr.to_s
-end
-
-prog = <<BPF
-#include <uapi/linux/ptrace.h>
-
-struct key_t {
-  u32 pid;
-  u64 syscall_nr;
-};
-struct leaf_t{
-  u64 count;
-  u64 elapsed_ns;
-  u64 enter_ns;
-  char comm[16];
-};
-BPF_HASH(store, struct key_t, struct leaf_t);
-
-TRACEPOINT_PROBE(raw_syscalls, sys_enter) {
-    struct key_t key = {0};
-    struct leaf_t initial = {0}, *val_;
-    char comm[16];
-
-    // key.pid = bpf_get_current_pid_tgid();
-    key.pid = (bpf_get_current_pid_tgid() >> 32);
-    key.syscall_nr = args->id;
-
-    DO_FILTER_BY_PID
-    bpf_get_current_comm(&comm, sizeof(comm));
-    DO_FILTER_BY_COMM
-
-    val_ = store.lookup_or_try_init(&key, &initial);
-    if (val_) {
-      struct leaf_t val = *val_;
-      val.count++;
-      val.enter_ns = bpf_ktime_get_ns();
-      bpf_get_current_comm(&val.comm, sizeof(val.comm));
-      store.update(&key, &val);
-    }
-    return 0;
-}
-
-TRACEPOINT_PROBE(raw_syscalls, sys_exit) {
-    struct key_t key = {0};
-    struct leaf_t *val_;
-
-    key.pid = (bpf_get_current_pid_tgid() >> 32);
-    key.syscall_nr = args->id;
-
-    val_ = store.lookup(&key);
-    if (val_) {
-      struct leaf_t val = *val_;
-      if(val.enter_ns) {
-        u64 delta = bpf_ktime_get_ns() - val.enter_ns;
-        val.enter_ns = 0;
-        val.elapsed_ns += delta;
-      }
-      store.update(&key, &val);
-    }
-    return 0;
-}
-BPF
-
-if $pid
-  prog.sub!('DO_FILTER_BY_PID', <<~FILTER)
-    if (key.pid != #{$pid}) return 0;
-  FILTER
-else
-  prog.sub!('DO_FILTER_BY_PID', '')
-end
-
-if $comm
-  prog.sub!('DO_FILTER_BY_COMM', <<~FILTER)
-    int idx;
-    int matched = 1;
-    char *needle = "#{$comm}";
-    for(idx=0;idx<sizeof(comm);++idx) {
-      if (comm[idx] != needle[idx]) matched = 0;
-      if (!needle[idx]) break;
-      if (!comm[idx]) break;
-    }
-    if(!matched) return 0;
-  FILTER
-else
-  prog.sub!('DO_FILTER_BY_COMM', '')
-end
-
-b = BCC.new(text: prog)
-
-puts "Collecting syscalls..."
-begin
-  sleep(99999999)
-rescue Interrupt
-  puts
-end
-
-info_by_pids = {}
-comms = {}
-store = b.get_table("store")
-store.items.each do |k, v|
-  #require 'pry'; binding.pry
-  count, elapsed_ns, _dummy, comm = v[0, 40].unpack("Q Q Q Z16")
-  info_by_pids[k.pid] ||= {}
-  info_by_pids[k.pid][k.syscall_nr] = {
-    name: to_name(k.syscall_nr),
-    count: count,
-    elapsed_ms: elapsed_ns / 1000000.0
-  }
-  comms[k.pid] ||= comm
-end
-
-pids = info_by_pids.keys.sort
-pids.each do |pid|
-  puts "PID=#{pid}(maybe: #{comms[pid]}) --->"
-  i = info_by_pids[pid]
-  i.to_a.sort_by {|k, v| [-v[:count], -v[:elapsed_ms]] }.each do |nr, record|
-    puts "\t%<name>-22s %<count>7d %<elapsed_ms>10.3f ms" % record
-  end
-  puts
-end

data/examples/dddos.rb

@@ -1,112 +0,0 @@
-#!/usr/bin/env ruby
-#
-# dddos.rb	DDOS dectection system, ported from python code.
-#
-# Written as a basic tracing example of using ePBF
-# to detect a potential DDOS attack against a system.
-#
-# See Copyright and License on bcc project:
-#     examples/tracing/dddos.py
-#
-# 14-Jan-2019 Jugurtha BELKALEM Created dddos.py.
-
-require 'rbbcc'
-include RbBCC
-
-prog = """
-#include <linux/skbuff.h>
-#include <uapi/linux/ip.h>
-
-#define MAX_NB_PACKETS 1000
-#define LEGAL_DIFF_TIMESTAMP_PACKETS 1000000
-
-BPF_HASH(rcv_packets);
-
-struct detectionPackets {
-    u64 nb_ddos_packets;
-};
-
-BPF_PERF_OUTPUT(events);
-
-int detect_ddos(struct pt_regs *ctx, void *skb){
-    struct detectionPackets detectionPacket = {};
-
-    // Used to count number of received packets
-    u64 rcv_packets_nb_index = 0, rcv_packets_nb_inter=1, *rcv_packets_nb_ptr;
-
-    // Used to measure elapsed time between 2 successive received packets
-    u64 rcv_packets_ts_index = 1, rcv_packets_ts_inter=0, *rcv_packets_ts_ptr;
-
-    /* The algorithm analyses packets received by ip_rcv function
-    * and measures the difference in reception time between each packet.
-    * DDOS flooders send millions of packets such that difference of
-    * timestamp between 2 successive packets is so small
-    * (which is not like regular applications behaviour).
-    * This script looks for this difference in time and if it sees
-    * more than MAX_NB_PACKETS succesive packets with a difference
-    * of timestamp between each one of them less than
-    * LEGAL_DIFF_TIMESTAMP_PACKETS ns,
-    * ------------------ It Triggers an ALERT -----------------
-    * Those settings must be adapted depending on regular network traffic
-    * -------------------------------------------------------------------
-    * Important: this is a rudimentary intrusion detection system, one can
-    * test a real case attack using hping3. However; if regular network
-    * traffic increases above predefined detection settings, a false
-    * positive alert will be triggered (an example would be the
-      case of large file downloads).
-    */
-    rcv_packets_nb_ptr = rcv_packets.lookup(&rcv_packets_nb_index);
-    rcv_packets_ts_ptr = rcv_packets.lookup(&rcv_packets_ts_index);
-    if(rcv_packets_nb_ptr != 0 && rcv_packets_ts_ptr != 0){
-        rcv_packets_nb_inter = *rcv_packets_nb_ptr;
-        rcv_packets_ts_inter = bpf_ktime_get_ns() - *rcv_packets_ts_ptr;
-        if(rcv_packets_ts_inter < LEGAL_DIFF_TIMESTAMP_PACKETS){
-            rcv_packets_nb_inter++;
-        } else {
-            rcv_packets_nb_inter = 0;
-        }
-        if(rcv_packets_nb_inter > MAX_NB_PACKETS){
-            detectionPacket.nb_ddos_packets = rcv_packets_nb_inter;
-            events.perf_submit(ctx, &detectionPacket, sizeof(detectionPacket));
-        }
-    }
-    rcv_packets_ts_inter = bpf_ktime_get_ns();
-    rcv_packets.update(&rcv_packets_nb_index, &rcv_packets_nb_inter);
-    rcv_packets.update(&rcv_packets_ts_index, &rcv_packets_ts_inter);
-    return 0;
-}
-"""
-
-# Loads eBPF program
-b = BCC.new(text: prog)
-
-# Attach kprobe to kernel function and sets detect_ddos as kprobe handler
-b.attach_kprobe(event: "ip_rcv", fn_name: "detect_ddos")
-
-DetectionTimestamp = \
-  Fiddle::Importer.struct(["unsigned long long nb_ddos_packets"])
-
-# Show message when ePBF stats
-puts("DDOS detector started ... Hit Ctrl-C to end!")
-
-puts("%-26s %-10s" % ["TIME(s)", "MESSAGE"])
-
-trigger_alert_event = lambda { |cpu, data, size|
-  # data is raw Fiddle::Pointer instance
-  event = DetectionTimestamp.malloc
-  Fiddle::Pointer.new(event.to_ptr)[0, DetectionTimestamp.size] = data[0, DetectionTimestamp.size]
-  puts("%-26s %s %d" % [
-         Time.now,
-         "DDOS Attack => nb of packets up to now : ",
-         event.nb_ddos_packets])
-}
-
-# loop with callback to trigger_alert_event
-b["events"].open_perf_buffer(&trigger_alert_event)
-loop do
-  begin
-    b.perf_buffer_poll
-  rescue Interrupt
-    exit
-  end
-end

data/examples/disksnoop.rb

@@ -1,73 +0,0 @@
-#!/usr/bin/env ruby
-#
-# disksnoop.rb	Trace block device I/O: basic version of iosnoop.
-#		For Linux, uses BCC, eBPF. Embedded C.
-# This is ported from original disksnoop.py
-#
-# Written as a basic example of tracing latency.
-#
-# Licensed under the Apache License, Version 2.0 (the "License")
-#
-# 11-Aug-2015	Brendan Gregg	Created disksnoop.py
-
-require 'rbbcc'
-include RbBCC
-
-REQ_WRITE = 1		# from include/linux/blk_types.h
-
-# load BPF program
-b = BCC.new(text: <<CLANG)
-#include <uapi/linux/ptrace.h>
-#include <linux/blkdev.h>
-
-BPF_HASH(start, struct request *);
-
-void trace_start(struct pt_regs *ctx, struct request *req) {
-  // stash start timestamp by request ptr
-  u64 ts = bpf_ktime_get_ns();
-
-  start.update(&req, &ts);
-}
-
-void trace_completion(struct pt_regs *ctx, struct request *req) {
-  u64 *tsp, delta;
-
-  tsp = start.lookup(&req);
-  if (tsp != 0) {
-    delta = bpf_ktime_get_ns() - *tsp;
-    bpf_trace_printk("%d %x %d\\n", req->__data_len,
-        req->cmd_flags, delta / 1000);
-    start.delete(&req);
-  }
-}
-CLANG
-
-if BCC.get_kprobe_functions('blk_start_request')
-  b.attach_kprobe(event: "blk_start_request", fn_name: "trace_start")
-end
-b.attach_kprobe(event: "blk_mq_start_request", fn_name: "trace_start")
-b.attach_kprobe(event: "blk_account_io_completion", fn_name: "trace_completion")
-
-# header
-puts("%-18s %-2s %-7s %8s" % ["TIME(s)", "T", "BYTES", "LAT(ms)"])
-
-# format output
-loop do
-  begin
-    task, pid, cpu, flags, ts, msg = b.trace_fields
-    bytes_s, bflags_s, us_s = msg.split
-
-    if (bflags_s.to_i(16) & REQ_WRITE).nonzero?
-      type_s = "W"
-    elsif bytes_s == "0" # see blk_fill_rwbs() for logic
-      type_s = "M"
-    else
-      type_s = "R"
-    end
-    ms = us_s.to_i.to_f / 1000
-
-    puts("%-18.9f %-2s %-7s %8.2f" % [ts, type_s, bytes_s, ms])
-  rescue Interrupt
-    exit
-  end
-end

data/examples/dns_blocker.rb

@@ -1,134 +0,0 @@
-#!/usr/bin/env ruby
-#
-# dns_blocker.rb  Block DNS queries for a specified domain using TC/eBPF.
-#
-# Uses TC clsact qdisc and attaches a SCHED_CLS BPF program to the
-# egress path.  Because pyroute2 is unavailable in Ruby, the BPF
-# program is pinned to /sys/fs/bpf and attached via the `tc` shell
-# command.
-#
-# Usage (must be run as root):
-#   ruby dns_blocker.rb -i eth0 -d ruby-lang.org
-#
-
-require 'rbbcc'
-require 'optparse'
-
-include RbBCC
-
-def domain_to_payload_check_code(domain)
-  # Convert a domain name to DNS wire format (length-prefixed labels)
-  # For example, "example.com" becomes "\\x07example\\x03com\\x00"
-  dns_expression = domain.split('.').map { |label| "#{label.length.chr}#{label}" }.join + "\x00"
-  c_check_code = dns_expression.chars.map.with_index { |c, i| "payload[offset+#{i}] == #{c.ord}" }.join(" &&\n  ")
-  c_check_code
-end
-
-BPF_TEXT = ->(domain) {
-  <<~CLANG
-  // Some Hack :(
-  #define BPF_LOAD_ACQ -1
-  #define BPF_STORE_REL -2
-
-  #include <uapi/linux/bpf.h>
-  #include <uapi/linux/pkt_cls.h>
-  #include <linux/if_ether.h>
-  #include <linux/ip.h>
-  #include <linux/udp.h>
-
-  int block_dns(struct __sk_buff *skb) {
-      void *data     = (void *)(long)skb->data;
-      void *data_end = (void *)(long)skb->data_end;
-
-      // Ethernet header check
-      struct ethhdr *eth = data;
-      if ((void *)(eth + 1) > data_end) return TC_ACT_OK;
-      if (eth->h_proto != bpf_htons(ETH_P_IP)) return TC_ACT_OK;
-
-      // IP header check
-      struct iphdr *ip = (void *)(eth + 1);
-      if ((void *)(ip + 1) > data_end) return TC_ACT_OK;
-      if (ip->protocol != IPPROTO_UDP) return TC_ACT_OK;
-
-      // UDP header check
-      struct udphdr *udp = (void *)ip + (ip->ihl * 4);
-      if ((void *)(udp + 1) > data_end) return TC_ACT_OK;
-
-      // Only care about port 53 (DNS) egress queries
-      if (udp->dest != bpf_htons(53)) return TC_ACT_OK;
-
-      // DNS payload boundary check: DNS header (12 bytes) + "example.com" wire format (13 bytes)
-      unsigned char *payload = (unsigned char *)(udp + 1);
-      if ((void *)(payload + 12 + 13) > data_end) return TC_ACT_OK;
-
-      // "example.com" in DNS wire format: \\x07example\\x03com\\x00
-      int offset = 12;
-      if (#{domain_to_payload_check_code(domain)}) {
-          bpf_trace_printk("Blocked DNS query for #{domain}\\n");
-          return TC_ACT_SHOT;
-      }
-
-      return TC_ACT_OK;
-  }
-  CLANG
-  }
-
-PIN_PATH = "/sys/fs/bpf/dns_blocker_prog"
-
-def setup_tc(interface)
-  # Run idempotently
-  system("sudo tc qdisc add dev #{interface} clsact 2>/dev/null")
-end
-
-def attach_tc(interface)
-  system(
-    "sudo tc filter add dev #{interface} egress" +
-    " bpf pinned #{PIN_PATH} da",
-    exception: true
-  )
-end
-
-def cleanup_tc(interface)
-  # Run idempotently
-  system("sudo tc qdisc del dev #{interface} clsact 2>/dev/null")
-  File.unlink(PIN_PATH) if File.exist?(PIN_PATH)
-end
-
-options = {domain: "example.com"}
-OptionParser.new { |opts|
-  opts.banner = "Usage: #{$0} -i INTERFACE"
-  opts.on("-i", "--interface IFACE", "Network interface to monitor (e.g. eth0)") do |v|
-    options[:interface] = v
-  end
-  opts.on("-d", "--domain DOMAIN", "Domain to block (default: example.com)") do |v|
-    options[:domain] = v
-  end
-}.parse!
-
-iface = options[:interface] || abort("Error: Interface name is required")
-
-# Clean up any leftover state from a previous run
-cleanup_tc(iface)
-
-puts "[*] Compiling BPF program..."
-b = BCC.new(text: BPF_TEXT.call(options[:domain]))
-fn = b.load_func("block_dns", BPF::SCHED_CLS)
-
-# Pin the loaded BPF program so that `tc` can reference it by path
-puts "[*] Pinning BPF program to #{PIN_PATH} ..."
-BCC.pin!(fn, PIN_PATH)
-
-# Set up clsact qdisc and attach the pinned program to egress
-puts "[*] Attaching TC filter to #{iface} (egress) ..."
-setup_tc(iface)
-attach_tc(iface)
-
-puts "[*] Blocking DNS queries for #{options[:domain]} on #{iface}. Press Ctrl+C to stop."
-begin
-  b.trace_print
-rescue Interrupt
-  puts "\n[*] Shutting down..."
-ensure
-  cleanup_tc(iface)
-  puts "[*] Cleanup done."
-end