I am exploring tracepoint probes using the bcc framework and I intend to investigate the tracepoint sock:inet_sock_set_state. I started with the examples in the bcc repo, but I would like to make the code more modular and readable, as I am using several other probes in a single ".c" file as the eBPF code, as written in this tutorial.
I have two questions with respect to inet_sock_set_state:
- How can I pass the argument args to another function? Specifically, what would be the datatype of args while defining the function, to achieve something like this:
static inline int fn_inet_sock_set_state(<datatype> args);
TRACEPOINT_PROBE(sock, inet_sock_set_state) {
    return fn_inet_sock_set_state(args);
}
- In the tracepoint probe, I get struct sock *sk = (struct sock *)args->skaddr;. Can I typecast struct sock *sk to a struct sk_buff *? The intention is to then use L4 headers to get the relevant information. I have tried doing things as mentioned below to extract the TCP packet sequence number but they do not work. Any leads would be helpful.
struct tcphdr *hdr;
struct sk_buff *skb = (struct sk_buff *)sk;
struct sk_buff *skb_t = sk->sk_rx_skb_cache;
struct tcphdr *tcp = (struct tcphdr *)(skb->head + skb->transport_header);
seq_tcphdr = tcp->seq;