container-aware: support containerd (#51)

* Add container (runtime: docker engine) info to the packet context

* improve test

* support write and read container context to/from pcapng file

* reuse struct process_meta_t

* container-aware: support containerd

* tidy container name

* update docs

.circleci/config.yml

@@ -18,6 +18,17 @@ jobs:
 
     steps:
       - checkout
+
+      - run:
+          name: setup containerd
+          command: |
+            wget https://github.com/containerd/nerdctl/releases/download/v1.7.6/nerdctl-1.7.6-linux-arm64.tar.gz
+            sudo tar Cxzvvf /usr/local/bin nerdctl-1.7.6-linux-arm64.tar.gz
+
+            wget https://github.com/containernetworking/plugins/releases/download/v1.5.0/cni-plugins-linux-arm64-v1.5.0.tgz
+            sudo mkdir -p /opt/cni/bin
+            sudo tar Cxzvvf /opt/cni/bin cni-plugins-linux-arm64-v1.5.0.tgz
+
       - restore_cache:
           keys:
             - go-mod-v4-{{ checksum "go.sum" }}
@@ -98,6 +109,11 @@ jobs:
           command: |
             sudo bash testdata/test_docker.sh ./ptcpdump
 
+      - run:
+          name: e2e (test containerd)
+          command: |
+            sudo bash testdata/test_containerd.sh ./ptcpdump
+
 
 workflows:
   e2e:

README.md

@@ -1,5 +1,7 @@
 # ptcpdump
 
+<div id="top"></div>
+
 ![amd64-e2e](https://img.shields.io/github/actions/workflow/status/mozillazg/ptcpdump/test.yml?label=x86_64%20(amd64)%20e2e)
 ![arm64-e2e](https://img.shields.io/circleci/build/gh/mozillazg/ptcpdump/master?label=aarch64%20(arm64)%20e2e)
 
@@ -15,21 +17,27 @@ Table of Contents
 
 * [Features](#features)
 * [Installation](#installation)
-  * [Requirements](#requirements)
+   * [Requirements](#requirements)
 * [Usage](#usage)
-  * [Example output](#example-output)
+   * [Example commands](#example-commands)
+   * [Example output](#example-output)
+   * [Flags](#flags)
 * [Compare with tcpdump](#compare-with-tcpdump)
 * [Build](#build)
 
 
 ## Features
 
-* Aware of the process information associated with the packets.
+* Process-aware
+  * Aware of the process information associated with the packets.
+  * Supports filtering packets by process ID and process name.
 * Supports using pcap-filter(7) syntax for filtering packets.
-* Supports filtering packets by process ID and process name.
 * Directly applies filters in the kernel space.
 * Supports saving captured packets in the PcapNG format for offline analysis with third-party tools such as Wireshark.
 * Supports reading packets from pcapng file.
+* Container-aware
+  * Aware of the container information associated with the packets.
+  * Supports multiple container runtimes: Docker Engine and containerd
 
 
 ## Installation
@@ -40,9 +48,47 @@ Please download the latest binary in the [releases](https://github.com/mozillazg
 
 Linux kernel version >= 5.2.
 
+<p align="right"><a href="#top">🔝</a></p>
+
 
 ## Usage
 
+### Example commands
+
+```
+sudo ptcpdump -i any tcp
+sudo ptcpdump -i eth0 -i lo
+sudo ptcpdump -i eth0 --pid 1234 port 80 and host 10.10.1.1
+sudo ptcpdump -i any --pname curl
+sudo ptcpdump -i any -- curl ubuntu.com
+sudo ptcpdump -i any -w demo.pcapng
+sudo ptcpdump -i any -w - port 80 | tcpdump -n -r -
+sudo ptcpdump -i any -w - port 80 | tshark -r -
+ptcpdump -r demo.pcapng
+```
+
+<p align="right"><a href="#top">🔝</a></p>
+
+
+### Example output
+
+```
+12:10:14.384352 wlp4s0 Out IP (tos 0x0, ttl 63, id 14146, offset 0, flags [DF], ip_proto TCP (6), length 52)
+    192.168.1.50.44318 > 139.178.84.217.80: Flags [F.], cksum 0xa28c, seq 945708706, ack 3673127374, win 501, options [nop,nop,TS val 3474241628 ecr 766303359], length 0
+    Process (pid 751465, cmd /usr/bin/wget, args wget kernel.org)
+    Container (name demo, id 087cb587a02f039609061e0e78bf74f8d146fbcb42d1d5647a6776f315d121eb, image docker.io/alpine:3.18, labels {})
+12:10:14.622421 wlp4s0 In IP (tos 0x4, ttl 47, id 43987, offset 0, flags [DF], ip_proto TCP (6), length 52)
+    139.178.84.217.80 > 192.168.1.50.44318: Flags [.], cksum 0xa787, seq 3673127374, ack 945708707, win 114, options [nop,nop,TS val 766303761 ecr 3474241628], length 0
+    Process (pid 751465, cmd /usr/bin/wget, args wget kernel.org)
+    Container (name demo, id 087cb587a02f039609061e0e78bf74f8d146fbcb42d1d5647a6776f315d121eb, image docker.io/alpine:3.18, labels {})
+```
+
+<p align="right"><a href="#top">🔝</a></p>
+
+
+### Flags
+
+
 ```
 Usage:
   ptcpdump [flags] [expression] [-- command [args]]
@@ -76,17 +122,8 @@ Flags:
   -w, --write-file string    Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is '-'. e.g. ptcpdump.pcapng
 ```
 
+<p align="right"><a href="#top">🔝</a></p>
 
-### Example output
-
-```
-18:05:35.441022 wlp4s0 In IP (tos 0x4, ttl 51, id 0, offset 0, flags [DF], ip_proto TCP (6), length 60)
-    185.125.190.29.80 > 192.168.1.50.41966: Flags [S.], cksum 0x68fd, seq 3647722906, ack 1664327469, win 65160, options [mss 1452,sackOK,TS val 1103153989 ecr 3934018003,nop,wscale 7], length 0
-    Process (pid 892817, cmd /usr/bin/curl, args curl ubuntu.com)
-18:05:35.441298 wlp4s0 Out IP (tos 0x0, ttl 64, id 19415, offset 0, flags [DF], ip_proto TCP (6), length 126)
-    192.168.1.50.41966 > 185.125.190.29.80: Flags [P.], cksum 0x39e6, seq 1664327469:1664327543, ack 3647722907, win 502, options [nop,nop,TS val 3934018248 ecr 1103153989], length 74
-    Process (pid 892817, cmd /usr/bin/curl, args curl ubuntu.com)
-```
 
 ## Compare with tcpdump
 
@@ -163,6 +200,8 @@ Flags:
 | -z *postrotate-command*                           | ✅       |                          |
 | -Z *user*, --relinquish-privileges=*user*         | ✅       |                          |
 
+<p align="right"><a href="#top">🔝</a></p>
+
 
 ## Build
 
@@ -177,3 +216,5 @@ Flags:
     ```
     make build
     ```
+
+<p align="right"><a href="#top">🔝</a></p>

go.mod

@@ -4,49 +4,72 @@ go 1.21.0
 
 require (
 	github.com/cilium/ebpf v0.15.0
+	github.com/containerd/containerd v1.7.18
+	github.com/containerd/typeurl/v2 v2.1.1
 	github.com/docker/docker v26.1.3+incompatible
 	github.com/florianl/go-tc v0.4.3
 	github.com/gopacket/gopacket v1.2.0
 	github.com/jschwinger233/elibpcap v0.0.0-20231010035657-e99300096f5e
 	github.com/shirou/gopsutil/v3 v3.24.4
 	github.com/spf13/cobra v1.8.0
-	github.com/vishvananda/netlink v1.1.0
+	github.com/vishvananda/netlink v1.2.1-beta.2
 	github.com/x-way/pktdump v0.0.5
 	golang.org/x/sys v0.20.0
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028
 )
 
 require (
-	github.com/Microsoft/go-winio v0.4.14 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
+	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/Microsoft/hcsshim v0.11.5 // indirect
 	github.com/cloudflare/cbpfc v0.0.0-20230809125630-31aa294050ff // indirect
+	github.com/containerd/cgroups v1.1.0 // indirect
+	github.com/containerd/continuity v0.4.2 // indirect
+	github.com/containerd/errdefs v0.1.0 // indirect
+	github.com/containerd/fifo v1.1.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
+	github.com/containerd/ttrpc v1.2.4 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/native v1.1.0 // indirect
+	github.com/klauspost/compress v1.16.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/mdlayher/netlink v1.6.0 // indirect
 	github.com/mdlayher/socket v0.1.1 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/locker v1.0.1 // indirect
+	github.com/moby/sys/mountinfo v0.6.2 // indirect
+	github.com/moby/sys/sequential v0.5.0 // indirect
+	github.com/moby/sys/signal v0.7.0 // indirect
+	github.com/moby/sys/user v0.1.0 // indirect
 	github.com/moby/term v0.5.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/opencontainers/runtime-spec v1.1.0 // indirect
+	github.com/opencontainers/selinux v1.11.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 // indirect
 	go.opentelemetry.io/otel v1.26.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.26.0 // indirect
@@ -55,8 +78,13 @@ require (
 	go.opentelemetry.io/otel/trace v1.26.0 // indirect
 	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect
 	golang.org/x/net v0.23.0 // indirect
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
+	golang.org/x/sync v0.6.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
+	google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda // indirect
+	google.golang.org/grpc v1.63.2 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
 	gotest.tools/v3 v3.5.1 // indirect
 )