
Sometimes the tuple of the captured http2 packet is 0 #739

Open
huaixia777 opened this issue Feb 18, 2025 · 7 comments
Assignees
Labels
🐞 bug Something isn't working

Comments

@huaixia777

Hello!
When I use this tool to capture http2 packets, sometimes the tuple of the packets is 0, that is, 0.0.0.0:0-0.0.0.0:0.
And I did not stop the tool while it was running during the capture.

Here are the results of my run; this problem seems to arise easily.
"DestroyConn success fd=5 pid=396386 tuple=192.168.10.201:41370-192.168.10.41:4443" is printed before the tuple information is printed, maybe because the connection was destroyed when the tuple was fetched.

# ./ecapture-ctyun tls -i ens1f0 -d
2025-02-18T14:20:45+08:00 INF AppName="eCapture(旁观者)"
2025-02-18T14:20:45+08:00 INF HomePage=https://ecapture.cc
2025-02-18T14:20:45+08:00 INF Repository=https://github.com/gojue/ecapture
2025-02-18T14:20:45+08:00 INF Author="CFC4N <[email protected]>"
2025-02-18T14:20:45+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-02-18T14:20:45+08:00 INF Version=linux_amd64:v0.9.3-20250210-dcfc3cf:x86_64
2025-02-18T14:20:45+08:00 INF Listen=localhost:28256
2025-02-18T14:20:45+08:00 INF eCapture running logs logger=
2025-02-18T14:20:45+08:00 INF the file handler that receives the captured event eventCollector=
2025-02-18T14:20:45+08:00 INF listen=localhost:28256
2025-02-18T14:20:45+08:00 INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-02-18T14:20:45+08:00 WRN Kernel version is less than 5.2, Process filtering parameters do not take effect such as pid/uid. kernel=4.19.90
2025-02-18T14:20:45+08:00 INF Kernel Info=4.19.90 Pid=396298
2025-02-18T14:20:45+08:00 INF BTF bytecode mode: non-CORE. btfMode=0
2025-02-18T14:20:45+08:00 INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2025-02-18T14:20:45+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-02-18T14:20:45+08:00 INF Module.Run()
2025-02-18T14:20:45+08:00 INF origin versionKey="openssl 1.1.1f" versionKeyLower="openssl 1.1.1f"
2025-02-18T14:20:45+08:00 INF OpenSSL/BoringSSL version found Android=false library version="openssl 1.1.1f"
2025-02-18T14:20:45+08:00 INF Hook masterKey function ElfType=2 Functions=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"] binrayPath=/lib64/libssl.so.1.1
2025-02-18T14:20:45+08:00 WRN Your kernel version is less than 5.2, GlobalVar is disabled, the following parameters will be ignored:[target_pid, target_uid, target_port]
2025-02-18T14:20:45+08:00 INF setupManagers eBPFProgramType=Text
2025-02-18T14:20:45+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_1_1_1d_kern_noncore_less52.o
2025-02-18T14:20:45+08:00 DBG upgrade check failed: local version is ahead of latest version
2025-02-18T14:20:46+08:00 INF perfEventReader created mapSize(MB)=4
2025-02-18T14:20:46+08:00 INF perfEventReader created mapSize(MB)=4
2025-02-18T14:20:46+08:00 INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2025-02-18T14:20:48+08:00 DBG AddConn success fd=5 pid=396386 tuple=192.168.10.201:41370-192.168.10.41:4443
2025-02-18T14:20:48+08:00 DBG GetConn fd=5 pid=396386
2025-02-18T14:20:48+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=396386 tuple=192.168.10.201:41370-192.168.10.41:4443
2025-02-18T14:20:48+08:00 DBG GetConn fd=5 pid=396386
2025-02-18T14:20:48+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=396386 tuple=192.168.10.201:41370-192.168.10.41:4443
2025-02-18T14:20:48+08:00 DBG GetConn fd=5 pid=396386
2025-02-18T14:20:48+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=396386 tuple=192.168.10.201:41370-192.168.10.41:4443
2025-02-18T14:20:48+08:00 DBG GetConn fd=5 pid=396386
2025-02-18T14:20:48+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=396386 tuple=192.168.10.201:41370-192.168.10.41:4443
2025-02-18T14:20:48+08:00 DBG GetConn fd=5 pid=396386
2025-02-18T14:20:48+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=396386 tuple=192.168.10.201:41370-192.168.10.41:4443
2025-02-18T14:20:48+08:00 DBG GetConn fd=5 pid=396386
2025-02-18T14:20:48+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=396386 tuple=192.168.10.201:41370-192.168.10.41:4443
2025-02-18T14:20:48+08:00 DBG GetConn fd=5 pid=396386
2025-02-18T14:20:48+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=396386 tuple=192.168.10.201:41370-192.168.10.41:4443
2025-02-18T14:20:48+08:00 DBG DestroyConn success fd=5 pid=396386 tuple=192.168.10.201:41370-192.168.10.41:4443
2025-02-18T14:20:48+08:00 DBG GetConn fd=5 pid=396386
2025-02-18T14:20:48+08:00 DBG SSLDataEvent bio_type=1285 fd=5 pid=396386 tuple=[TUPLE_NOT_FOUND]
2025-02-18T14:20:49+08:00 ??? UUID:396386_396386_curl_5_1_192.168.10.201:41370-192.168.10.41:4443, Name:HTTP2Request, Type:2, Length:392

Frame Type      =>      SETTINGS
Frame StreamID  =>      0

Frame Type      =>      WINDOW_UPDATE
Frame StreamID  =>      0

Frame Type      =>      HEADERS
Frame StreamID  =>      1
header field ":method" = "GET"
header field ":path" = "/"
header field ":scheme" = "https"
header field ":authority" = "192.168.10.41:4443"
header field "user-agent" = "curl/7.71.1"
header field "accept" = "*/*"

Frame Type      =>      SETTINGS
Frame StreamID  =>      0

2025-02-18T14:20:49+08:00 ??? UUID:396386_396386_curl_5_0_192.168.10.201:41370-192.168.10.41:4443, Name:HTTP2Response, Type:4, Length:137

Frame Type      =>      SETTINGS
Frame StreamID  =>      0

Frame Type      =>      WINDOW_UPDATE
Frame StreamID  =>      0

Frame Type      =>      SETTINGS
Frame StreamID  =>      0

2025-02-18T14:20:49+08:00 ??? UUID:396386_396386_curl_5_0_0.0.0.0:0-0.0.0.0:0, Name:HTTP2Response, Type:4, Length:2089

Frame Type      =>      HEADERS
Frame StreamID  =>      1
header field ":status" = "200"
header field "server" = "nginx/1.21.5"
header field "date" = "Tue, 18 Feb 2025 06:20:48 GMT"
header field "content-type" = "text/html"

Frame Type      =>      DATA
Frame StreamID  =>      1
<html>
<head><title>Index of /</title></head>
<body>
<h1>Index of /</h1><hr><pre><a href="../">../</a>
<a href="bak/">bak/</a>                                               18-Dec-2024 09:59       -
<a href="http2_test/">http2_test/</a>                                        17-Feb-2025 15:10       -
<a href="iso/">iso/</a>                                               22-Jan-2025 15:22       -
<a href="small/">small/</a>                                             19-Dec-2024 15:35       -
<a href="temp/">temp/</a>                                              18-Dec-2024 10:25       -
<a href="1.txt">1.txt</a>                                              23-Dec-2024 10:20      12
<a href="config.txt">config.txt</a>                                         23-Dec-2024 09:19     87K
</pre><hr></body>
</html>

……

Expect your reply!


dosubot bot commented Feb 18, 2025

The issue of a connection tuple being logged as 0.0.0.0:0-0.0.0.0:0 in eCapture can occur when the connection information is not available at the time of logging. This can happen if the connection is destroyed before the tuple is fetched, as you suspected. The DestroyConn function removes the connection data from the internal maps, and if a subsequent attempt is made to retrieve the connection information, it may result in a default or placeholder value like 0.0.0.0:0-0.0.0.0:0 being logged [1].

To address this, you might want to ensure that the connection data is accessed and logged before the DestroyConn function is called. Additionally, reviewing the timing and sequence of events in your capture process could help in identifying if there are any adjustments needed to prevent premature destruction of connection data.


@dosubot dosubot bot added the 🐞 bug Something isn't working label Feb 18, 2025
@huaixia777
Author

Hello! I continued to test and found that, with the same test environment and methods, the http1.1 protocol did not have this problem, while the http2 protocol occasionally has this problem.

@cfc4n
Member

cfc4n commented Feb 19, 2025

Please provide steps to reproduce

@huaixia777
Author

My steps are as follows:

1. Run ecapture:
./ecapture-ctyun tls -i ens1f0

2. curl another machine's nginx server and its files:
curl -k https://192.168.10.41:4443/
curl -k https://192.168.10.41:4443/1.txt

3. The result of ecapture is as follows:

[root@xxx]# ./ecapture-ctyun tls -i ens1f0
2025-02-20T09:05:42+08:00 INF AppName="eCapture(旁观者)"
2025-02-20T09:05:42+08:00 INF HomePage=https://ecapture.cc
2025-02-20T09:05:42+08:00 INF Repository=https://github.com/gojue/ecapture
2025-02-20T09:05:42+08:00 INF Author="CFC4N <[email protected]>"
2025-02-20T09:05:42+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-02-20T09:05:42+08:00 INF Version=linux_amd64:v0.9.3-20250210-dcfc3cf:x86_64
2025-02-20T09:05:42+08:00 INF Listen=localhost:28256
2025-02-20T09:05:42+08:00 INF eCapture running logs logger=
2025-02-20T09:05:42+08:00 INF the file handler that receives the captured event eventCollector=
2025-02-20T09:05:42+08:00 INF listen=localhost:28256
2025-02-20T09:05:42+08:00 INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-02-20T09:05:42+08:00 WRN Kernel version is less than 5.2, Process filtering parameters do not take effect such as pid/uid. kernel=4.19.90
2025-02-20T09:05:42+08:00 INF Kernel Info=4.19.90 Pid=813217
2025-02-20T09:05:42+08:00 INF BTF bytecode mode: non-CORE. btfMode=0
2025-02-20T09:05:42+08:00 INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2025-02-20T09:05:42+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-02-20T09:05:42+08:00 INF Module.Run()
2025-02-20T09:05:42+08:00 INF origin versionKey="openssl 1.1.1f" versionKeyLower="openssl 1.1.1f"
2025-02-20T09:05:42+08:00 INF OpenSSL/BoringSSL version found Android=false library version="openssl 1.1.1f"
2025-02-20T09:05:42+08:00 INF Hook masterKey function ElfType=2 Functions=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"] binrayPath=/lib64/libssl.so.1.1
2025-02-20T09:05:42+08:00 WRN Your kernel version is less than 5.2, GlobalVar is disabled, the following parameters will be ignored:[target_pid, target_uid, target_port]
2025-02-20T09:05:42+08:00 INF setupManagers eBPFProgramType=Text
2025-02-20T09:05:42+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_1_1_1d_kern_noncore_less52.o
2025-02-20T09:05:43+08:00 INF perfEventReader created mapSize(MB)=4
2025-02-20T09:05:43+08:00 INF perfEventReader created mapSize(MB)=4
2025-02-20T09:05:43+08:00 INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2025-02-20T09:05:48+08:00 ??? UUID:813369_813369_curl_5_1_192.168.10.201:60676-192.168.10.41:4443, Name:HTTP2Request, Type:2, Length:392

Frame Type      =>      SETTINGS
Frame StreamID  =>      0

Frame Type      =>      WINDOW_UPDATE
Frame StreamID  =>      0

Frame Type      =>      HEADERS
Frame StreamID  =>      1
header field ":method" = "GET"
header field ":path" = "/"
header field ":scheme" = "https"
header field ":authority" = "192.168.10.41:4443"
header field "user-agent" = "curl/7.71.1"
header field "accept" = "*/*"

Frame Type      =>      SETTINGS
Frame StreamID  =>      0

2025-02-20T09:05:48+08:00 ??? UUID:813369_813369_curl_5_0_192.168.10.201:60676-192.168.10.41:4443, Name:HTTP2Response, Type:4, Length:2226

Frame Type      =>      HEADERS
Frame StreamID  =>      1
header field ":status" = "200"
header field "server" = "nginx/1.21.5"
header field "date" = "Thu, 20 Feb 2025 01:05:47 GMT"
header field "content-type" = "text/html"

Frame Type      =>      SETTINGS
Frame StreamID  =>      0

Frame Type      =>      WINDOW_UPDATE
Frame StreamID  =>      0

Frame Type      =>      SETTINGS
Frame StreamID  =>      0

Frame Type      =>      DATA
Frame StreamID  =>      1
<html>
<head><title>Index of /</title></head>
<body>
<h1>Index of /</h1><hr><pre><a href="../">../</a>
<a href="bak/">bak/</a>                                               18-Dec-2024 09:59       -
<a href="http2_test/">http2_test/</a>                                        17-Feb-2025 15:10       -
<a href="iso/">iso/</a>                                               22-Jan-2025 15:22       -
<a href="small/">small/</a>                                             19-Dec-2024 15:35       -
<a href="temp/">temp/</a>                                              18-Dec-2024 10:25       -
<a href="1.txt">1.txt</a>                                              23-Dec-2024 10:20      12
<a href="config.txt">config.txt</a>                                         23-Dec-2024 09:19     87K
<a href="test.txt">test.txt</a>                                           24-Jan-2025 14:31      3M
</pre><hr></body>
</html>

2025-02-20T09:05:59+08:00 ??? UUID:813540_813540_curl_5_1_0.0.0.0:0-0.0.0.0:0, Name:HTTP2Response, Type:4, Length:44

Frame Type      =>      SETTINGS
Frame StreamID  =>      0

2025-02-20T09:05:59+08:00 ??? UUID:813540_813540_curl_5_0_0.0.0.0:0-0.0.0.0:0, Name:HTTP2Response, Type:4, Length:577

Frame Type      =>      SETTINGS
Frame StreamID  =>      0

Frame Type      =>      WINDOW_UPDATE
Frame StreamID  =>      0

Frame Type      =>      SETTINGS
Frame StreamID  =>      0

Frame Type      =>      HEADERS
Frame StreamID  =>      1
header field ":status" = "200"
header field "server" = "nginx/1.21.5"
header field "date" = "Thu, 20 Feb 2025 01:05:58 GMT"
header field "content-type" = "text/plain"
header field "content-length" = "12"
header field "last-modified" = "Mon, 23 Dec 2024 02:20:35 GMT"
header field "etag" = "\"6768c8f3-c\""
header field "accept-ranges" = "bytes"

Frame Type      =>      DATA
Frame StreamID  =>      1
hello world

……

I may not be doing anything special; in my tests this problem comes up occasionally, but it also comes up fairly easily.
Perhaps if you test more, you will find this problem. What's your opinion?
Thanks!

@chilli13
Contributor

The same error occurs on ubuntu 22.04 (Linux cd-ubuntu 5.15.0-131-generic). With -d for more log, sometimes DestroyConn occurs before SSLDataEvent? @dosu For https access, especially with http2, is it possible for the kernel call SEC("kprobe/tcp_v4_destroy_sock") to occur before the userspace call SEC("uretprobe/SSL_read") or SEC("uretprobe/SSL_write")?

Sometimes the tuple lookup failed for http2:

root@cd-ubuntu:~/zhm/ecapture-gojue# ./bin/ecapture tls -d
2025-02-20T01:50:07Z INF AppName="eCapture(旁观者)"
2025-02-20T01:50:07Z INF HomePage=https://ecapture.cc
2025-02-20T01:50:07Z INF Repository=https://github.com/gojue/ecapture
2025-02-20T01:50:07Z INF Author="CFC4N <[email protected]>"
2025-02-20T01:50:07Z INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2025-02-20T01:50:07Z INF Version=linux_amd64:v0.9.3-20250214-d0245d5:5.15.0-131-generic
2025-02-20T01:50:07Z INF Listen=localhost:28256
2025-02-20T01:50:07Z INF eCapture running logs logger=
2025-02-20T01:50:07Z INF the file handler that receives the captured event eventCollector=
2025-02-20T01:50:07Z INF listen=localhost:28256
2025-02-20T01:50:07Z INF https server starting...You can upgrade the configuration file via the HTTP interface.
2025-02-20T01:50:07Z INF Kernel Info=5.15.168 Pid=30564
2025-02-20T01:50:07Z INF BTF bytecode mode: CORE. btfMode=0
2025-02-20T01:50:07Z INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2025-02-20T01:50:07Z INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2025-02-20T01:50:07Z INF Module.Run()
2025-02-20T01:50:07Z WRN OpenSSL/BoringSSL version not found. error="OpenSSL/BoringSSL version not found" soPath=/usr/lib/x86_64-linux-gnu/libssl.so.3
2025-02-20T01:50:07Z WRN Try to detect libcrypto.so.3. If you have doubts, See https://github.com/gojue/ecapture/discussions/675 for more information.
2025-02-20T01:50:07Z INF Try to detect imported libcrypto.so  imported=libcrypto.so.3 soPath=/usr/lib/x86_64-linux-gnu/libcrypto.so.3
2025-02-20T01:50:07Z INF origin versionKey="openssl 3.0.2" versionKeyLower="openssl 3.0.2"
2025-02-20T01:50:07Z INF OpenSSL/BoringSSL version found Android=false library version="openssl 3.0.2"
2025-02-20T01:50:07Z INF Hook masterKey function ElfType=2 Functions=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"] binrayPath=/usr/lib/x86_64-linux-gnu/libssl.so.3
2025-02-20T01:50:07Z INF target all process.
2025-02-20T01:50:07Z INF target all users.
2025-02-20T01:50:07Z INF setupManagers eBPFProgramType=Text
2025-02-20T01:50:07Z INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_3_0_0_kern_core.o
2025-02-20T01:50:07Z DBG upgrade check failed: local version is ahead of latest version
2025-02-20T01:50:08Z INF perfEventReader created mapSize(MB)=4
2025-02-20T01:50:08Z INF perfEventReader created mapSize(MB)=4
2025-02-20T01:50:08Z INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2025-02-20T01:50:09Z DBG AddConn success fd=5 pid=30573 tuple=192.168.10.122:43692-192.168.10.122:4443
2025-02-20T01:50:09Z DBG GetConn fd=5 pid=30573
2025-02-20T01:50:09Z DBG SSLDataEvent bio_type=1285 fd=5 pid=30573 tuple=192.168.10.122:43692-192.168.10.122:4443
2025-02-20T01:50:09Z DBG GetConn fd=5 pid=30573
2025-02-20T01:50:09Z DBG SSLDataEvent bio_type=1285 fd=5 pid=30573 tuple=192.168.10.122:43692-192.168.10.122:4443
2025-02-20T01:50:09Z DBG GetConn fd=5 pid=30573
2025-02-20T01:50:09Z DBG DestroyConn success fd=5 pid=30573 tuple=192.168.10.122:43692-192.168.10.122:4443
2025-02-20T01:50:09Z DBG SSLDataEvent bio_type=1285 fd=5 pid=30573 tuple=[TUPLE_NOT_FOUND]
2025-02-20T01:50:09Z DBG GetConn fd=5 pid=30573
2025-02-20T01:50:09Z DBG SSLDataEvent bio_type=1285 fd=5 pid=30573 tuple=[TUPLE_NOT_FOUND]
2025-02-20T01:50:09Z DBG GetConn fd=5 pid=30573
2025-02-20T01:50:09Z DBG SSLDataEvent bio_type=1285 fd=5 pid=30573 tuple=[TUPLE_NOT_FOUND]
2025-02-20T01:50:09Z DBG GetConn fd=5 pid=30573
2025-02-20T01:50:09Z DBG SSLDataEvent bio_type=1285 fd=5 pid=30573 tuple=[TUPLE_NOT_FOUND]
2025-02-20T01:50:09Z DBG GetConn fd=5 pid=30573
2025-02-20T01:50:09Z DBG SSLDataEvent bio_type=1285 fd=5 pid=30573 tuple=[TUPLE_NOT_FOUND]
2025-02-20T01:50:09Z DBG GetConn fd=5 pid=30573
2025-02-20T01:50:09Z DBG SSLDataEvent bio_type=1285 fd=5 pid=30573 tuple=[TUPLE_NOT_FOUND]
2025-02-20T01:50:11Z ??? UUID:30573_30573_curl_5_1_192.168.10.122:43692-192.168.10.122:4443, Name:HTTP2Request, Type:2, Length:44

Frame Type	=>	SETTINGS
Frame StreamID	=>	0

2025-02-20T01:50:11Z ??? UUID:30573_30573_curl_5_1_0.0.0.0:0-0.0.0.0:0, Name:HTTP2Response, Type:4, Length:353

Frame Type	=>	WINDOW_UPDATE
Frame StreamID	=>	0

Frame Type	=>	HEADERS
Frame StreamID	=>	1
header field ":method" = "GET"
header field ":path" = "/1.txt"
header field ":scheme" = "https"
header field ":authority" = "192.168.10.41:4443"
header field "user-agent" = "curl/7.81.0"
header field "accept" = "*/*"

Frame Type	=>	SETTINGS
Frame StreamID	=>	0

2025-02-20T01:50:11Z ??? UUID:30573_30573_curl_5_0_0.0.0.0:0-0.0.0.0:0, Name:HTTP2Response, Type:4, Length:577

Frame Type	=>	SETTINGS
Frame StreamID	=>	0

Frame Type	=>	WINDOW_UPDATE
Frame StreamID	=>	0

Frame Type	=>	SETTINGS
Frame StreamID	=>	0

Frame Type	=>	HEADERS
Frame StreamID	=>	1
header field ":status" = "200"
header field "server" = "nginx/1.21.5"
header field "date" = "Thu, 20 Feb 2025 01:50:09 GMT"
header field "content-type" = "text/plain"
header field "content-length" = "12"
header field "last-modified" = "Mon, 23 Dec 2024 02:20:35 GMT"
header field "etag" = "\"6768c8f3-c\""
header field "accept-ranges" = "bytes"

Frame Type	=>	DATA
Frame StreamID	=>	1
hello world


OK for http in the same test environment:


2025-02-20T01:50:16Z DBG AddConn success fd=5 pid=30575 tuple=192.168.10.122:53688-192.168.10.122:443
2025-02-20T01:50:16Z DBG GetConn fd=5 pid=30575
2025-02-20T01:50:16Z DBG SSLDataEvent bio_type=1285 fd=5 pid=30575 tuple=192.168.10.122:53688-192.168.10.122:443
2025-02-20T01:50:16Z DBG GetConn fd=5 pid=30575
2025-02-20T01:50:16Z DBG SSLDataEvent bio_type=1285 fd=5 pid=30575 tuple=192.168.10.122:53688-192.168.10.122:443
2025-02-20T01:50:16Z DBG DestroyConn success fd=5 pid=30575 tuple=192.168.10.122:53688-192.168.10.122:443
2025-02-20T01:50:17Z ??? UUID:30575_30575_curl_5_1_192.168.10.122:53688-192.168.10.122:443, Name:HTTPRequest, Type:1, Length:82
GET /1.txt HTTP/1.1
Host: 192.168.10.41
Accept: */*
User-Agent: curl/7.81.0


2025-02-20T01:50:17Z ??? UUID:30575_30575_curl_5_0_192.168.10.122:53688-192.168.10.122:443, Name:HTTPResponse, Type:3, Length:248
HTTP/1.1 200 OK
Content-Length: 12
Accept-Ranges: bytes
Connection: keep-alive
Content-Type: text/plain
Date: Thu, 20 Feb 2025 01:50:16 GMT
Etag: "6768c8f3-c"
Last-Modified: Mon, 23 Dec 2024 02:20:35 GMT
Server: nginx/1.21.5

hello world

^C2025-02-20T01:50:24Z INF module close.
2025-02-20T01:50:24Z INF Module closed,message recived from Context
2025-02-20T01:50:24Z INF iModule module close
2025-02-20T01:50:24Z INF bye bye.


dosubot bot commented Feb 20, 2025

The issue you're encountering, where HTTP/2 connections sometimes log a tuple as 0.0.0.0:0-0.0.0.0:0, while HTTP/1.1 does not, could be related to the timing of connection destruction and data capture. In eCapture, the DestroyConn function removes connection data from internal maps, and if a connection is destroyed before the data is fully captured, it may result in a default tuple being logged.

For HTTP/2, the interaction between kernel-level probes (SEC("kprobe/tcp_v4_destroy_sock")) and user-space probes (SEC("uretprobe/SSL_read") or SEC("uretprobe/SSL_write")) might lead to this issue. The kernel probe can trigger when a TCP socket is destroyed, potentially before the user-space probes have completed capturing the SSL/TLS data, especially in the case of HTTP/2 where the connection handling might differ from HTTP/1.1 [1].

To mitigate this, you could explore adjusting the sequence of events in your capture process to ensure that connection data is accessed and logged before the DestroyConn function is called. Additionally, reviewing the timing and sequence of events in your capture process could help in identifying if there are any adjustments needed to prevent premature destruction of connection data.

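An added example, written for this thread and not eCapture's own code, showing one way to close the race that both the first log above (DestroyConn printed before the last SSLDataEvent, which then reports [TUPLE_NOT_FOUND]) and the kernel-versus-userspace probe ordering discussed in this answer point to: instead of deleting the pid/fd-to-tuple entry the moment tcp_v4_destroy_sock fires, the cache tombstones it and evicts only after a grace period, so an SSL_read/SSL_write data event delivered a moment after the destroy still resolves. ConnTable, ReplayIssueSequence, the grace period and the injectable clock are assumptions of this example; the pid, fd and tuple values are copied from the first log in the issue, and the millisecond spacing between events is constructed.

```go
package main

import (
	"fmt"
	"time"
)

// The eCapture debug log in this issue keys AddConn/GetConn/DestroyConn by pid and fd.
type connKey struct {
	pid uint32
	fd  uint32
}

// connEntry is the cached 4-tuple; destroyed stays zero while the socket is live
// and is set to the time the destroy probe fired once it becomes a tombstone.
type connEntry struct {
	tuple     string
	destroyed time.Time
}

// UnknownTuple is the placeholder this thread reports when the lookup fails.
const UnknownTuple = "0.0.0.0:0-0.0.0.0:0"

// ConnTable is a hypothetical userspace tuple cache with deferred eviction
// (assumption of this example, not eCapture's implementation).
type ConnTable struct {
	conns map[connKey]*connEntry
	grace time.Duration
	now   func() time.Time // injectable clock so the replay is deterministic
}

func NewConnTable(grace time.Duration, now func() time.Time) *ConnTable {
	if now == nil {
		now = time.Now
	}
	return &ConnTable{conns: make(map[connKey]*connEntry), grace: grace, now: now}
}

// AddConn records the tuple when the connect/accept probe fires. A fresh entry
// overwrites any tombstone left behind by an earlier use of the same fd.
func (t *ConnTable) AddConn(pid, fd uint32, tuple string) {
	t.conns[connKey{pid, fd}] = &connEntry{tuple: tuple}
}

// DestroyConn marks the entry instead of deleting it; repeated calls are no-ops.
func (t *ConnTable) DestroyConn(pid, fd uint32) {
	if e, ok := t.conns[connKey{pid, fd}]; ok && e.destroyed.IsZero() {
		e.destroyed = t.now()
	}
}

// GetConn resolves the tuple. A tombstone still resolves until the grace period
// has elapsed; after that it is evicted and the placeholder is returned.
func (t *ConnTable) GetConn(pid, fd uint32) (string, bool) {
	k := connKey{pid, fd}
	e, ok := t.conns[k]
	if !ok {
		return UnknownTuple, false
	}
	if !e.destroyed.IsZero() && t.now().Sub(e.destroyed) > t.grace {
		delete(t.conns, k)
		return UnknownTuple, false
	}
	return e.tuple, true
}

// Sweep evicts expired tombstones so a long-running capture cannot leak entries
// for fds that never see another data event. It returns the number evicted.
func (t *ConnTable) Sweep() int {
	evicted := 0
	for k, e := range t.conns {
		if !e.destroyed.IsZero() && t.now().Sub(e.destroyed) > t.grace {
			delete(t.conns, k)
			evicted++
		}
	}
	return evicted
}

// ReplayIssueSequence replays the event order from the first log in this issue
// (constructed sample; pid, fd and tuple are taken from that log): two data events,
// the socket destroy, a data event 1 ms later, then a straggler 500 ms later.
// It returns the tuple each data event resolved to under the given grace period.
func ReplayIssueSequence(grace time.Duration) []string {
	clock := time.Unix(1_700_000_000, 0) // constructed fixed start time
	t := NewConnTable(grace, func() time.Time { return clock })

	const pid, fd = 396386, 5
	const tuple = "192.168.10.201:41370-192.168.10.41:4443"

	var out []string
	dataEvent := func() { tup, _ := t.GetConn(pid, fd); out = append(out, tup) }

	t.AddConn(pid, fd, tuple)
	dataEvent()
	dataEvent()
	t.DestroyConn(pid, fd) // kprobe/tcp_v4_destroy_sock fires
	clock = clock.Add(time.Millisecond)
	dataEvent() // uretprobe/SSL_read event delivered just after the destroy
	clock = clock.Add(500 * time.Millisecond)
	dataEvent() // far too late; should not resolve even with a grace period
	return out
}

func main() {
	for _, g := range []time.Duration{0, 100 * time.Millisecond} {
		fmt.Printf("grace=%v -> %v\n", g, ReplayIssueSequence(g))
	}
}
```

Replaying with grace=0 reproduces the placeholder for the event that arrives after DestroyConn, matching the [TUPLE_NOT_FOUND] lines in the logs; with a 100 ms grace the late event resolves while the 500 ms straggler still does not. The cost is a bounded delay before the entry is freed, which Sweep keeps from accumulating, and fd reuse inside the window is covered by AddConn overwriting the tombstone.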

@chilli13
Contributor

@dosu "HTTP/2 where the connection handling might differ from HTTP/1.1" --> Can you give a specific explanation of the differences and relevant literature references?

@cfc4n cfc4n self-assigned this Feb 20, 2025