Add BPF-based sockets_events table on Linux.

This is still experimental and may require further tuning to improve the data being returned.
zeek · Jan 12, 2024 · 327e8ae · 327e8ae
1 parent cdaf328
commit 327e8ae
Show file tree

Hide file tree

Showing 6 changed files with 560 additions and 2 deletions.
diff --git a/src/platform/linux/bpf.cc b/src/platform/linux/bpf.cc
@@ -116,7 +116,7 @@ Result<Nothing> BPF::init(const std::string& name, void* ring_buffer) {
     }
     else {
         if ( auto rc = ring_buffer__add(_ring_buffers, bpf_map__fd(reinterpret_cast<struct bpf_map*>(ring_buffer)),
-                                        skel.event_callback, nullptr);
+                                        skel.event_callback, skel.event_context);
              rc != 0 ) {
             return error(skel.name, "creation of another ring buffer failed");
         }

diff --git a/src/tables/sockets/CMakeLists.txt b/src/tables/sockets/CMakeLists.txt
@@ -7,6 +7,7 @@ if ( HAVE_DARWIN )
 endif ()
 
 if ( HAVE_LINUX )
+    generate_bpf_code(zeek-agent sockets sockets.linux.bpf.c)
     target_sources(zeek-agent PRIVATE sockets.linux.cc)
 endif ()
 

diff --git a/src/tables/sockets/sockets.h b/src/tables/sockets/sockets.h
@@ -44,7 +44,7 @@ class SocketsEventsCommon : public EventTable {
             .description = R"(
                 The table reports IP sockets opening and closing on the endpoint.
                 )",
-            .platforms = { Platform::Darwin },
+            .platforms = { Platform::Darwin, Platform::Linux },
             .columns = {
                 {.name = "time", .type = value::Type::Time, .summary = "timestamp"},
                 {.name = "pid", .type = value::Type::Count, .summary = "ID of process holding socket"},
@@ -63,4 +63,5 @@ class SocketsEventsCommon : public EventTable {
         };
     }
 };
+
 } // namespace zeek::agent::table