Adding tracing04-xdp-tcpdump example

In this lesson we will show how to dump the packet samples
from XDP program all the way to the pcap dump file.

Adding support for example specific libraries to be specified
with USER_LIBS variable. Using it for -lpcap in here.

Signed-off-by: Jiri Olsa <jolsa@kernel.org>

Author: olsajiri

common/common.mk

@@ -42,7 +42,7 @@ CFLAGS ?= -I$(LIBBPF_DIR)/root/usr/include/ -g
 CFLAGS += -I../headers/
 LDFLAGS ?= -L$(LIBBPF_DIR)
 
-LIBS = -l:libbpf.a -lelf
+LIBS = -l:libbpf.a -lelf $(USER_LIBS)
 
 all: llvm-check $(USER_TARGETS) $(XDP_OBJ) $(COPY_LOADER) $(COPY_STATS)
 

tracing03-xdp-debug-print/README.org

@@ -87,7 +87,7 @@ $ sudo ../testenv/testenv.sh setup --name veth-basic02
 #+end_example
 
 Load XDP program from xdp_prog_kern.o that will print
-ethertnet header on every incomming packet:
+ethertnet header on every incoming packet:
 
 #+begin_example sh
 $ sudo ../basic02-prog-by-name/xdp_loader --dev veth-basic02 --force --progsec xdp

tracing04-xdp-tcpdump/Makefile

@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
+
+XDP_TARGETS := xdp_sample_pkts_kern
+USER_TARGETS := xdp_sample_pkts_user
+USER_LIBS=-lpcap
+
+LLC ?= llc
+CLANG ?= clang
+CC := gcc
+
+LIBBPF_DIR = ../libbpf/src/
+COMMON_DIR = ../common/
+
+include $(COMMON_DIR)/common.mk
+COMMON_OBJS := $(COMMON_DIR)/common_params.o

tracing04-xdp-tcpdump/README.org

@@ -0,0 +1,119 @@
+# -*- fill-column: 76; -*-
+#+TITLE: Tutorial: Tracing04 - tcpdump
+#+OPTIONS: ^:nil
+
+In this lesson we will show how to dump the packet samples
+from XDP program all the way to the pcap dump file.
+
+
+* Table of Contents                                                     :TOC:
+- [[#dump-the-packet-sample][Dump the packet sample]]
+- [[#assignments][Assignments]]
+  - [[#assignment-1-setup][Assignment 1: Setting up your test lab]]
+  - [[#assignment-2-pcap-dump][Assignment 2: The PCAP dump file]]
+
+* Dump the packet sample
+
+In this example we will show how to send data and packet sample
+into user space via perf event.
+
+First you need to define the event map, which will allow you
+to send events to the user space via perf event ring buffer:
+
+#+begin_example sh
+struct bpf_map_def SEC("maps") my_map = {
+        .type		= BPF_MAP_TYPE_PERF_EVENT_ARRAY,
+        .key_size	= sizeof(int),
+        .value_size	= sizeof(__u32),
+        .max_entries	= MAX_CPUS,
+};
+#+end_example
+
+The value_size determines the size of the event data we will
+be posting to the user space through perf event ring buffer.
+In our case it's sizeof(u32) which is size of following structure:
+
+#+begin_example sh
+struct S {
+        __u16 cookie;
+        __u16 pkt_len;
+} __packed;
+#+end_example
+
+We set the values of the event (metadata variable) and pass them
+into the bpf_perf_event_output call:
+
+#+begin_example sh
+int xdp_sample_prog(struct xdp_md *ctx)
+{
+        void *data_end = (void *)(long)ctx->data_end;
+        void *data = (void *)(long)ctx->data;
+
+	...
+
+        __u64 flags = BPF_F_CURRENT_CPU;
+        struct S metadata;
+
+        metadata.cookie = 0xdead;
+        metadata.pkt_len = (__u16)(data_end - data);
+
+	ret = bpf_perf_event_output(ctx, &my_map, flags,
+				    &metadata, sizeof(metadata));
+	...
+#+end_example
+
+To add the actual packet dump to the event, we can
+set flags upper 32 bits with the size of the requested sample
+and the bpf_perf_event_output will attach the specified
+amount of bytes from packet to the perf event:
+
+
+#+begin_example sh
+__u64 flags = BPF_F_CURRENT_CPU;
+
+flags |= (__u64)sample_size << 32;
+
+ret = bpf_perf_event_output(ctx, &my_map, flags,
+                            &metadata, sizeof(metadata));
+#+end_example
+
+Please check the whole eBPF code in xdp_sample_pkts_kern.c file.
+
+* Assignments
+
+** Assignment 1: Setting up your test lab
+
+In this lesson we will use the setup of the previous lesson:
+Basic02 - loading a program by name [[https://github.com/xdp-project/xdp-tutorial/tree/master/basic02-prog-by-name#assignment-2-add-xdp_abort-program]]
+
+#+begin_example sh
+$ sudo ../testenv/testenv.sh setup --name veth-basic02
+#+end_example
+
+and make some packets:
+
+#+begin_example sh
+$ sudo ../testenv/testenv.sh enter --name veth-basic02
+# ping  fc00:dead:cafe:1::1
+PING fc00:dead:cafe:1::1(fc00:dead:cafe:1::1) 56 data bytes
+#+end_example
+
+** Assignment 2: The PCAP dump file
+
+Load the eBPF kernel packets dump program and store the packets to the dump file:
+
+#+begin_example sh
+$ sudo ./xdp_sample_pkts_user -d veth-basic02 -F
+pkt len: 118   bytes. hdr: 76 58 28 55 df 4e fa e2 b6 27 8e 79 86 dd 60 0d 48 1b 00 40 3a 40 fc 00 de ad ca fe 00 ...
+pkt len: 118   bytes. hdr: 76 58 28 55 df 4e fa e2 b6 27 8e 79 86 dd 60 0d 48 1b 00 40 3a 40 fc 00 de ad ca fe 00 ...
+^C
+2 packet samples stored in samples.pcap
+#+end_example
+
+Check the pcap dump with the tcpdump application:
+#+begin_example sh
+$ tcpdump -r ./samples.pcap
+reading from file ./samples.pcap, link-type EN10MB (Ethernet)
+12:12:04.553039 IP6 fc00:dead:cafe:1::2 > krava: ICMP6, echo request, seq 2177, length 64
+12:12:05.576864 IP6 fc00:dead:cafe:1::2 > krava: ICMP6, echo request, seq 2178, length 64
+#+end_example

tracing04-xdp-tcpdump/xdp_sample_pkts_kern.c

@@ -0,0 +1,72 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <linux/bpf.h>
+#include <string.h>
+#include "bpf_helpers.h"
+
+#define SAMPLE_SIZE 1024ul
+#define MAX_CPUS 128
+
+#ifndef __packed
+#define __packed __attribute__((packed))
+#endif
+
+#define min(x, y) ((x) < (y) ? (x) : (y))
+
+#define bpf_printk(fmt, ...)					\
+({								\
+	       char ____fmt[] = fmt;				\
+	       bpf_trace_printk(____fmt, sizeof(____fmt),	\
+				##__VA_ARGS__);			\
+})
+
+/* Metadata will be in the perf event before the packet data. */
+struct S {
+	__u16 cookie;
+	__u16 pkt_len;
+} __packed;
+
+struct bpf_map_def SEC("maps") my_map = {
+	.type = BPF_MAP_TYPE_PERF_EVENT_ARRAY,
+	.key_size = sizeof(int),
+	.value_size = sizeof(__u32),
+	.max_entries = MAX_CPUS,
+};
+
+SEC("xdp_sample")
+int xdp_sample_prog(struct xdp_md *ctx)
+{
+	void *data_end = (void *)(long)ctx->data_end;
+	void *data = (void *)(long)ctx->data;
+
+	if (data < data_end) {
+		/* The XDP perf_event_output handler will use the upper 32 bits
+		 * of the flags argument as a number of bytes to include of the
+		 * packet payload in the event data. If the size is too big, the
+		 * call to bpf_perf_event_output will fail and return -EFAULT.
+		 *
+		 * See bpf_xdp_event_output in net/core/filter.c.
+		 *
+		 * The BPF_F_CURRENT_CPU flag means that the event output fd
+		 * will be indexed by the CPU number in the event map.
+		 */
+		__u64 flags = BPF_F_CURRENT_CPU;
+		__u16 sample_size;
+		int ret;
+		struct S metadata;
+
+		metadata.cookie = 0xdead;
+		metadata.pkt_len = (__u16)(data_end - data);
+		sample_size = min(metadata.pkt_len, SAMPLE_SIZE);
+
+		flags |= (__u64)sample_size << 32;
+
+		ret = bpf_perf_event_output(ctx, &my_map, flags,
+					    &metadata, sizeof(metadata));
+		if (ret)
+			bpf_printk("perf_event_output failed: %d\n", ret);
+	}
+
+	return XDP_PASS;
+}
+
+char _license[] SEC("license") = "GPL";