feat(pcapng): Write Inbound/Outbound flag into the pcapng file and su…

…pport parse it from file (#171)

write the flag via epb_flags (Enhanced Packet Block Flags Word)

bpf/ptcpdump.c

@@ -25,8 +25,8 @@
 #define TC_ACT_UNSPEC (-1)
 #define AF_INET 2
 #define AF_INET6 10
-#define INGRESS_PACKET 0
-#define EGRESS_PACKET 1
+#define INGRESS_PACKET 1
+#define EGRESS_PACKET 2
 #define EXEC_FILENAME_LEN 512
 #define EXEC_ARGS_LEN 4096
 

go.mod

@@ -104,7 +104,7 @@ require (
 )
 
 replace (
-	github.com/gopacket/gopacket => github.com/mozillazg/gopacket v0.0.0-20241005073024-5750600e7922
+	github.com/gopacket/gopacket => github.com/mozillazg/gopacket v0.0.0-20241026043817-048341de5231
 	// github.com/gopacket/gopacket => ../../gopacket/gopacket
 	github.com/x-way/pktdump => github.com/mozillazg/pktdump v0.0.9-0.20241003022253-cbafa8b6312d
 	// github.com/x-way/pktdump => ../../x-way/pktdump

go.sum

@@ -186,8 +186,8 @@ github.com/mozillazg/cri-api v0.32.0-alpha.1.0.20241019013855-3dc36f8743df h1:90
 github.com/mozillazg/cri-api v0.32.0-alpha.1.0.20241019013855-3dc36f8743df/go.mod h1:ca9lKDUa9PmUGVDSSetDQqgf0dyk/NW8u+MpJo7JaYA=
 github.com/mozillazg/cri-client v0.31.0-alpha.0.0.20241019023238-87687176fd67 h1:M4+V89TNUGmRgSJZcH2nvotyqnFkmDl+MGApFoZbJY0=
 github.com/mozillazg/cri-client v0.31.0-alpha.0.0.20241019023238-87687176fd67/go.mod h1:pFm23AAi/gIlW9FGrWPTPnGe1xsyGHPFFO/zezc4w90=
-github.com/mozillazg/gopacket v0.0.0-20241005073024-5750600e7922 h1:bZVEO1gdL8XNhxbtpSd3HhCVUdvVk+g1GF7AkVkp2Ds=
-github.com/mozillazg/gopacket v0.0.0-20241005073024-5750600e7922/go.mod h1:lnXM4VDqJTe4d2NoZr8DZMtidkhss2Y82QFlamXWfXo=
+github.com/mozillazg/gopacket v0.0.0-20241026043817-048341de5231 h1:uvhf0oGPfJ24Lc5/N2ysh9sQc71Pog67zxKiLVS4/Qg=
+github.com/mozillazg/gopacket v0.0.0-20241026043817-048341de5231/go.mod h1:WnFrU1Xkf5lWKV38uKNR9+yYtppn+ZYzOyNqMeH4oNE=
 github.com/mozillazg/pktdump v0.0.9-0.20241003022253-cbafa8b6312d h1:3K1bsX3osp69xQnbvrXHokKRebpiENUUgGLA6OC5Jd8=
 github.com/mozillazg/pktdump v0.0.9-0.20241003022253-cbafa8b6312d/go.mod h1:Vh2MvrLyL23PaYh0Dp2Ihg6qTmNydO2su6ngpJEp/hM=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=

internal/event/net.go

@@ -15,8 +15,8 @@ import (
 type packetType int
 
 const (
-	packetTypeIngress packetType = 0
-	packetTypeEgress  packetType = 1
+	packetTypeIngress packetType = 1
+	packetTypeEgress  packetType = 2
 )
 
 type Packet struct {
@@ -51,9 +51,7 @@ func ParsePacketEvent(deviceCache *metadata.DeviceCache, event bpf.BpfPacketEven
 	log.Infof("new packet event, pid: %d mntns: %d, netns: %d, cgroupName: %s",
 		p.Pid, p.MntNs, p.NetNs, p.CgroupName)
 
-	if event.Meta.PacketType == 1 {
-		p.Type = packetTypeEgress
-	}
+	p.Type = packetType(event.Meta.PacketType)
 	if event.Meta.PacketSize > event.Meta.PayloadLen {
 		p.Truncated = true
 	}
@@ -77,14 +75,22 @@ func FromPacket(ci gopacket.CaptureInfo, data []byte) (*Packet, error) {
 	return &p, nil
 }
 
-func (p Packet) Ingress() bool {
+func (p *Packet) Ingress() bool {
 	return p.Type == packetTypeIngress
 }
 
-func (p Packet) Egress() bool {
+func (p *Packet) Egress() bool {
 	return p.Type == packetTypeEgress
 }
 
+func (p *Packet) MarkIngress() {
+	p.Type = packetTypeIngress
+}
+
+func (p *Packet) MarkEgress() {
+	p.Type = packetTypeEgress
+}
+
 func strComm(comm [16]int8) string {
 	b := make([]byte, len(comm))
 	for i, c := range comm {

internal/parser/pcapng.go

@@ -44,6 +44,14 @@ func (p *PcapNGParser) Parse() (*event.Packet, error) {
 			NetNs:   nil,
 		}
 	}
+	if opts.Flags != nil {
+		switch {
+		case opts.Flags.Direction == pcapgo.NgEpbFlagDirectionInbound:
+			e.MarkIngress()
+		case opts.Flags.Direction == pcapgo.NgEpbFlagDirectionOutbound:
+			e.MarkEgress()
+		}
+	}
 
 	exec, ctx := event.FromPacketOptions(opts)
 	e.Pid = exec.Pid

internal/writer/pcapng.go

@@ -64,6 +64,13 @@ func (w *PcapNGWriter) Write(e *event.Packet) error {
 				p.Pod.Name, p.Pod.Namespace, p.Pod.Uid, p.Pod.FormatLabels(), p.Pod.FormatAnnotations()),
 		)
 	}
+	opts.Flags = &pcapgo.NgEpbFlags{}
+	switch {
+	case e.Ingress():
+		opts.Flags.Direction = pcapgo.NgEpbFlagDirectionInbound
+	case e.Egress():
+		opts.Flags.Direction = pcapgo.NgEpbFlagDirectionOutbound
+	}
 
 	if err := w.writeTLSKeyLogs(); err != nil {
 		return err

testdata/test_arp.sh

@@ -30,7 +30,7 @@ function test_tcpdump_read() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} -v -r "${FNAME}" > "${RNAME}"
     diff "${EXPECT_NAME}" "${RNAME}"
 }

testdata/test_base.sh

@@ -29,7 +29,7 @@ function test_tcpdump_read() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} -v -r "${FNAME}" |tee "${RNAME}"
     diff "${EXPECT_NAME}" "${RNAME}"
 

testdata/test_containerd.sh

@@ -34,7 +34,7 @@ function test_ptcpdump() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} --oneline -v -r "${FNAME}" > "${RNAME}"
     cat "${RNAME}" | grep "> 1.1.1.1.80: Flags .*, args wget -T 10 1.1.1.1.* $cid1"
     cat "${RNAME}" | grep "> 1.1.1.1.80: Flags .*, args wget -T 5 1.1.1.1.* $cid2"

testdata/test_containerd_container_id_filter.sh

@@ -25,7 +25,7 @@ function test_ptcpdump() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} --oneline -v -r "${FNAME}" > "${RNAME}"
     cat "${RNAME}" | grep "> 1.1.1.1.80: Flags .*, args wget -T 10 1.1.1.1.* $cid1"
 }

testdata/test_containerd_container_name_filter.sh

@@ -27,7 +27,7 @@ function test_ptcpdump() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} --oneline -v -r "${FNAME}" > "${RNAME}"
     cat "${RNAME}" | grep "> 1.1.1.1.80: Flags .*, args wget -T 10 1.1.1.1.* $cid1"
 }

testdata/test_default.sh

@@ -29,7 +29,7 @@ function test_tcpdump_read() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} -v -r "${FNAME}" |tee "${RNAME}"
     diff "${EXPECT_NAME}" "${RNAME}"
 }

testdata/test_docker.sh

@@ -34,7 +34,7 @@ function test_ptcpdump() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} --oneline -v -r "${FNAME}" > "${RNAME}"
     cat "${RNAME}" | grep "> 1.1.1.1.80: Flags .*, args wget -T 10 1.1.1.1.* $cid1"
     cat "${RNAME}" | grep "> 1.1.1.1.80: Flags .*, args wget -T 5 1.1.1.1.* $cid2"

testdata/test_docker_container_id_filter.sh

@@ -25,7 +25,7 @@ function test_ptcpdump() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} --oneline -v -r "${FNAME}" > "${RNAME}"
     cat "${RNAME}" | grep "> 1.1.1.1.80: Flags .*, args wget -T 10 1.1.1.1.* $cid1"
 }

testdata/test_docker_container_name_filter.sh

@@ -26,7 +26,7 @@ function test_ptcpdump() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} --oneline -v -r "${FNAME}" > "${RNAME}"
     cat "${RNAME}" | grep "> 1.1.1.1.80: Flags .*, args wget -T 10 1.1.1.1.* $cid1"
 }

testdata/test_icmp.sh

@@ -31,7 +31,7 @@ function test_tcpdump_read() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} -v -r "${FNAME}" > "${RNAME}"
     diff "${EXPECT_NAME}" "${RNAME}"
 }

testdata/test_k8s.sh

@@ -26,7 +26,7 @@ function test_ptcpdump() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} --oneline -v -r "${FNAME}" > "${RNAME}"
     diff "${EXPECT_NAME}" "${RNAME}"
 }

testdata/test_k8s_filter_by_container_id.sh

@@ -27,7 +27,7 @@ function test_ptcpdump() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} --oneline -v -r "${FNAME}" > "${RNAME}"
     diff "${EXPECT_NAME}" "${RNAME}"
 }

testdata/test_k8s_filter_by_pod.sh

@@ -28,7 +28,7 @@ function test_ptcpdump() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} --oneline -v -r "${FNAME}" > "${RNAME}"
     diff "${EXPECT_NAME}" "${RNAME}"
 }

testdata/test_k8s_filter_by_pod_2.sh

@@ -29,7 +29,7 @@ function test_ptcpdump() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} --oneline -v -r "${FNAME}" > "${RNAME}"
     diff "${EXPECT_NAME}" "${RNAME}"
 }

testdata/test_parent_info.sh

@@ -30,7 +30,7 @@ function test_tcpdump_read() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} -v -r "${FNAME}" > "${RNAME}"
     diff "${EXPECT_NAME}" "${RNAME}"
 }

testdata/test_pid_filter.sh

@@ -32,7 +32,7 @@ function test_tcpdump_read() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} -v -r "${FNAME}" > "${RNAME}"
     diff "${EXPECT_NAME}" "${RNAME}"
 }

testdata/test_pname_filter.sh

@@ -32,7 +32,7 @@ function test_tcpdump_read() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} -v -r "${FNAME}" > "${RNAME}"
     diff "${EXPECT_NAME}" "${RNAME}"
 }

testdata/test_sub_curl_domain_program.sh

@@ -26,7 +26,7 @@ function test_tcpdump_read() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} -v -r "${FNAME}" > "${RNAME}"
     diff "${EXPECT_NAME}" "${RNAME}"
 }

testdata/test_sub_program.sh

@@ -30,7 +30,7 @@ function test_tcpdump_read() {
 
 function test_ptcpdump_read() {
     EXPECT_NAME="${LNAME}.read.expect"
-    sed 's/ \(In\|Out\) / /g' "${LNAME}" > "${EXPECT_NAME}"
+    cat "${LNAME}" > "${EXPECT_NAME}"
     timeout 30s ${CMD} -v -r "${FNAME}" > "${RNAME}"
     diff "${EXPECT_NAME}" "${RNAME}"
 }