Interesting New Set of Network/Socket Tracepoints

[jrmwooldridge]

I noticed there are a couple new tracepoints for the send and recv designed to help easily tie flows to particular processes. They might eventually be worth loading when the process tree related features are desired.

Upstream commit: torvalds/linux@6e6eda4

perf trace -e sock:sock_send_length,sock:sock_recv_length

[rafaeldtinoco]

Yep, those are great but, unfortunately, only available from 6.3 and on =(.

Either way, with the same concept/idea:

These hook functions may be in the soft interrupt context and cannot
directly obtain the pid. Some data structures are added to bind packets
and processes. For example, struct taskinfobucket, struct taskinfo ...

We have solved this issue already. For us, all the sockets (no matter if they are in the SoftIRQ phase during ingress) are tied to a process, and we can keep track of any flow in our eBPF code. So it is pretty easy for us to provide details of communications to any process in the OS.

Examples of that could be "amount of bytes transferred per socket, or per process", "average bytes/sec per socket, or per process, or per src/dst pairs".

My only problem is, we are driven by security needs. This looks like a network metric more than a specific need for security purposes. But, yes, this type of information might be useful to have tracked in the process tree, for sure.

@roikol any thoughts ? Have you even seen a need for such metrics ?

[roikol]

i think that we have some ideas internally (security oriented) involving such metrics. but as you say - i think we are able to get those from our existing solution, since these tracepoints are only for newer kernels

[rafaeldtinoco]

The only metrics we might not be able to get is "pkts/sec". That is because our network code relies in cgroup/skb programs. They get the packets already close to the program (we're not dealing with Layer 2 on purpose, so we don't have to attach a program to every existing (or created) network device), so some of the sk_bufs were already merged. Maybe I can get that info but not sure.