ptcpdump: an eBPF-based packet capture tool that can capture the network traffic of a process, container or Pod


ptcpdump is a process-aware tcpdump implemented with eBPF.

Introduction

  • Process-aware
    • Associates each packet with the process that sent or received it
    • Supports filtering packets by process ID and process name
  • Container-aware and Kubernetes-aware
    • Associates each packet with its container and pod
    • Supports multiple container runtimes; packets can be filtered by container ID, container name and pod name
  • Supports filtering packets with pcap-filter(7) syntax
  • Applies the filter directly in kernel space
  • Supports saving captured packets in PcapNG format for offline analysis with third-party tools such as Wireshark

Installation

Help
$ ptcpdump --help
Usage:
  ptcpdump [flags] [expression] [-- command [args]]

Examples:
  sudo ptcpdump -i any tcp
  sudo ptcpdump -i eth0 -i lo
  sudo ptcpdump -i eth0 --pid 1234 port 80 and host 10.10.1.1
  sudo ptcpdump -i any --pname curl
  sudo ptcpdump -i any -- curl ubuntu.com
  sudo ptcpdump -i any -w ptcpdump.pcapng
  sudo ptcpdump -i any -w - port 80 | tcpdump -n -r -
  sudo ptcpdump -i any -w - port 80 | tshark -r -
  ptcpdump -r ptcpdump.pcapng

Expression: see "man 7 pcap-filter"

Flags:
  --container-id string        Filter by container id (only TCP and UDP packets are supported)
  --container-name string      Filter by container name (only TCP and UDP packets are supported)
  --containerd-address string  Address of containerd service (default "/run/containerd/containerd.sock")
  --count                      Print only on stdout the packet count when reading capture file instead of parsing/printing the packets
  --cri-runtime-address string Address of CRI container runtime service (default: uses in order the first successful one of [/run/containerd/containerd.sock, /run/crio/crio.sock, /var/run/cri-dockerd.sock, /var/run/dockershim.sock])
  -Q, --direction string       Choose send/receive direction for which packets should be captured. Possible values are 'in', 'out' and 'inout' (default "inout")
  --docker-address string      Address of Docker Engine service (default "/var/run/docker.sock")
  -f, --follow-forks           Trace child processes as they are created by currently traced processes when filter by process
  -h, --help                   help for ptcpdump
  -i, --interface strings      Interfaces to capture (default [lo])
      --list-interfaces        Print the list of the network interfaces available on the system
      --log-level string       Set the logging level ("debug", "info", "warn", "error", "fatal") (default "warn")
      --oneline                Print parsed packet output in a single line
      --pid uint               Filter by process ID (only TCP and UDP packets are supported)
      --pname string           Filter by process name (only TCP and UDP packets are supported)
      --pod-name string        Filter by pod name (format: NAME.NAMESPACE, only TCP and UDP packets are supported)
      --print                  Print parsed packet output, even if the raw packets are being saved to a file with the -w flag
  -r, --read-file string       Read packets from file (which was created with the -w option). e.g. ptcpdump.pcapng
  -c, --receive-count uint     Exit after receiving count packets
  -s, --snapshot-length uint32 Snarf snaplen bytes of data from each packet rather than the default of 262144 bytes (default 262144)
  -v, --verbose count          When parsing and printing, produce (slightly more) verbose output
      --version                Print the ptcpdump and libpcap version strings and exit
  -w, --write-file string      Write the raw packets to file rather than parsing and printing

Examples

Filter like tcpdump:

sudo ptcpdump -i eth0 tcp
sudo ptcpdump -i eth0 tcp and port 80 and host 10.10.1.1
sudo ptcpdump -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0'

Multiple interfaces:

sudo ptcpdump -i eth0 -i lo

Filter by process:

sudo ptcpdump -i any --pid 1234
sudo ptcpdump -i any --pname curl

Capture a process's traffic by running the target program under ptcpdump:

sudo ptcpdump -i any -- curl ubuntu.com

Filter by container:

sudo ptcpdump -i any --container-id 36f0310403b1
sudo ptcpdump -i any --container-name test

Filter by Pod:

sudo ptcpdump -i any --pod-name test.default

Save data in PcapNG format:

sudo ptcpdump -i any -w demo.pcapng
sudo ptcpdump -i any -w - port 80 | tcpdump -n -r -
sudo ptcpdump -i any -w - port 80 | tshark -r -
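A PcapNG file written with -w is just a sequence of length-framed blocks, so it can be checked offline without Wireshark. The following is an added example, not code from ptcpdump or from this post: a minimal PcapNG writer and reader in Python that builds a capture from constructed Ethernet/IPv4/TCP SYN frames, reads it back while validating block framing (a truncated or corrupted file raises instead of being silently misparsed), and counts packets per destination port, roughly what a "port 80" filter or --count would report on a saved capture. It assumes the block layout from the PcapNG specification (section header, interface description and enhanced packet blocks only), Ethernet link type, and the default microsecond timestamp resolution; the IP addresses, ports and timestamps are sample values.

```python
"""Minimal PcapNG writer/reader (added example; constructed sample data, not ptcpdump code)."""
import socket
import struct

# Block types and link type from the PcapNG specification
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D
LINKTYPE_ETHERNET = 1


def _block(block_type, body, endian="<"):
    """Frame a body as a PcapNG block: type, total length, body padded to 4 bytes, total length."""
    body += b"\x00" * ((-len(body)) % 4)
    total = 12 + len(body)
    return struct.pack(endian + "II", block_type, total) + body + struct.pack(endian + "I", total)


def write_pcapng(packets, snaplen=262144):
    """packets: iterable of (timestamp_us, ethernet_frame).
    No if_tsresol option is written, so timestamps are in microseconds (the spec default)."""
    out = bytearray()
    out += _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))  # version 1.0, unknown section length
    out += _block(IDB, struct.pack("<HHI", LINKTYPE_ETHERNET, 0, snaplen))
    for ts_us, frame in packets:
        hdr = struct.pack("<IIIII", 0, ts_us >> 32, ts_us & 0xFFFFFFFF, len(frame), len(frame))
        out += _block(EPB, hdr + frame)
    return bytes(out)


def read_pcapng(buf):
    """Yield (timestamp_us, frame) for every Enhanced Packet Block; raise ValueError on bad framing."""
    endian, off = "<", 0
    while off + 12 <= len(buf):
        if buf[off:off + 4] == b"\x0a\x0d\x0d\x0a":
            # Section header: the byte-order magic fixes the endianness of the whole section
            endian = "<" if buf[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        block_type, total = struct.unpack_from(endian + "II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError(f"bad block length {total} at offset {off}")
        if struct.unpack_from(endian + "I", buf, off + total - 4)[0] != total:
            raise ValueError(f"trailing length mismatch at offset {off}")
        if block_type == EPB:
            _iface, ts_hi, ts_lo, caplen, _origlen = struct.unpack_from(endian + "IIIII", buf, off + 8)
            if caplen > total - 32:  # 8-byte block header + 20-byte EPB fields + 4-byte trailer
                raise ValueError(f"captured length {caplen} exceeds block at offset {off}")
            yield (ts_hi << 32) | ts_lo, bytes(buf[off + 28:off + 28 + caplen])
        off += total


def tcp_tuple(frame):
    """Return (src_ip, sport, dst_ip, dport) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6 or len(frame) < 14 + ihl + 4:  # not TCP or too short for ports
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return src, sport, dst, dport


def count_by_dport(buf):
    """Count TCP packets per destination port, an offline stand-in for a 'port N' filter."""
    counts = {}
    for _ts, frame in read_pcapng(buf):
        t = tcp_tuple(frame)
        if t:
            counts[t[3]] = counts.get(t[3], 0) + 1
    return counts


def build_tcp_syn(src_ip, sport, dst_ip, dport):
    """Construct a synthetic Ethernet/IPv4/TCP SYN frame (checksums left zero; sample data only)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp


# Constructed sample capture: three SYNs, two toward port 80 and one toward 443
SAMPLE = write_pcapng([
    (1_700_000_000_000_000, build_tcp_syn("10.10.1.2", 40001, "10.10.1.1", 80)),
    (1_700_000_000_000_010, build_tcp_syn("10.10.1.2", 40002, "10.10.1.1", 80)),
    (1_700_000_000_000_020, build_tcp_syn("10.10.1.2", 40003, "10.10.1.1", 443)),
])

if __name__ == "__main__":
    print(count_by_dport(SAMPLE))  # {80: 2, 443: 1}
```

To use it on a real capture, replace SAMPLE with the contents of a file written by `ptcpdump -w`; the reader skips the process and container metadata ptcpdump records, since only enhanced packet blocks are interpreted, and it deliberately refuses files whose block lengths do not match rather than guessing, which is the safe default when a capture comes from an untrusted host.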

References

  1. https://github.com/mozillazg/ptcpdump