aquasecurity / tracee

Linux Runtime Security and Forensics using eBPF
https://aquasecurity.github.io/tracee/latest
Apache License 2.0

Under *VERY* high throughput, net_packet parsing errors are expected, fix message #2638

Open rafaeldtinoco opened 1 year ago

rafaeldtinoco commented 1 year ago

Description

$ sudo rm -rf /tmp/tracee/out/pcap && sudo ./dist/tracee-ebpf --install-path /tmp/tracee --output option:parse-arguments --capabilities bypass=false --trace 1:event=net_packet_ipv4 --output none --metrics --pprof 

These errors:

{"level":"error","ts":1674854764.3162627,"msg":"tracee encountered an error","error":"failed to read argument 0 of event net_packet_ip_base: error reading byte array: can't read context from buffer: buffer too short"}
{"level":"error","ts":1674854764.3163967,"msg":"tracee encountered an error","error":"failed to derive event 2000: no payload ?"}
{"level":"error","ts":1674854796.3150368,"msg":"tracee encountered an error","error":"failed to read argument 0 of event net_packet_ip_base: error reading byte array: can't read context from buffer: buffer too short"}
{"level":"error","ts":1674854796.3152056,"msg":"tracee encountered an error","error":"failed to derive event 2000: no payload ?"}
{"level":"error","ts":1674854818.3218899,"msg":"tracee encountered an error","error":"failed to read argument 0 of event net_packet_ip_base: error reading byte array: can't read context from buffer: buffer too short"}
{"level":"error","ts":1674854818.3220773,"msg":"tracee encountered an error","error":"failed to derive event 2000: no payload ?"}
{"level":"error","ts":1674854859.3140833,"msg":"tracee encountered an error","error":"failed to read argument 0 of event net_packet_ip_base: error reading byte array: can't read context from buffer: buffer too short"}
{"level":"error","ts":1674854859.3142867,"msg":"tracee encountered an error","error":"failed to derive event 2000: no payload ?"}
{"level":"error","ts":1674854915.3177035,"msg":"tracee encountered an error","error":"failed to derive event 2000: empty payload ?"}
{"level":"error","ts":1674854932.3170898,"msg":"tracee encountered an error","error":"failed to read argument 0 of event net_packet_ip_base: error reading byte array: can't read context from buffer: buffer too short"}
{"level":"error","ts":1674854932.3173602,"msg":"tracee encountered an error","error":"failed to derive event 2000: no payload ?"}
{"level":"error","ts":1674854975.3167198,"msg":"tracee encountered an error","error":"failed to read argument 0 of event net_packet_ip_base: error reading byte array: can't read context from buffer: buffer too short"}
{"level":"error","ts":1674854975.3168201,"msg":"tracee encountered an error","error":"failed to derive event 2000: no payload ?"}

Should be informational I believe. If the perfbuffer gets full, then some packet headers, being sent from SKB progs to userland, might get corrupted indeed. This is not an error. Considering I was sustaining a 5Gbit/sec throughput, the amount of errors is very very low, but still... it's an informative error.

Output of tracee -v:

v0.10.0-102-g13364719

Output of uname -a:

5.15.0-60-generic

Additional details

NDStrahilevitz commented 1 year ago

But if this was happening in a low throughput environment then it wouldn't be an expected issue right? So just cataloguing this as not an error doesn't seem entirely correct to me, it's circumstantial if this is an error or a warning.

geyslan commented 1 year ago

Those outputs are handled by general purpose functions. To tackle this in a proper way, we would need circumstantial information coming from the bpf land.
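As an added illustration of the point raised in this thread (example code, not tracee's own): a Go decoder for a length-prefixed byte-array argument that returns a typed "buffer too short" error, plus a classifier that reports that error as informational only when the perf buffer also reported lost samples, the kind of circumstantial context the last two comments ask for. The record layout (u32 little-endian length, then payload), the function names and the lostSamples counter are assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrBufferTooShort mirrors the "buffer too short" condition in the logs above.
var ErrBufferTooShort = errors.New("buffer too short")
// readByteArray decodes one length-prefixed argument (assumed layout: u32
// little-endian length, then payload) at offset off and returns the new offset.
func readByteArray(buf []byte, off int) ([]byte, int, error) {
	if off < 0 || off+4 > len(buf) {
		return nil, off, fmt.Errorf("reading length: %w", ErrBufferTooShort)
	}
	n := int(binary.LittleEndian.Uint32(buf[off:]))
	off += 4
	if n < 0 || n > len(buf)-off {
		return nil, off, fmt.Errorf("want %d bytes, %d left: %w", n, len(buf)-off, ErrBufferTooShort)
	}
	return buf[off : off+n], off + n, nil
}

// Severity is the log level a decode failure is reported at.
type Severity string

const (
	SeverityError Severity = "error"
	SeverityInfo  Severity = "info"
)

// classifyDecodeError: a truncated argument while the perf buffer reported lost
// samples (assumed counter) is expected back-pressure, so informational; the
// same failure with zero loss points at a real decoder or event bug.
func classifyDecodeError(err error, lostSamples uint64) Severity {
	if errors.Is(err, ErrBufferTooShort) && lostSamples > 0 {
		return SeverityInfo
	}
	return SeverityError
}

func main() {
	// Constructed records: one complete, one whose length claims more bytes than delivered.
	for _, rec := range [][]byte{{5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'}, {20, 0, 0, 0, 'a', 'b'}} {
		payload, _, err := readByteArray(rec, 0)
		if err != nil {
			fmt.Printf("%s: %v\n", classifyDecodeError(err, 3), err)
			continue
		}
		fmt.Printf("payload=%q\n", payload)
	}
}
```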