rafaeldtinoco
commented
1 year ago Hello, could you clarify how you are running tracee, how is your net topology/configuration and what makes you think traffic isn't being captured ?
Open anjmao opened 1 year ago
rafaeldtinoco
commented
1 year ago Hello, could you clarify how you are running tracee, how is your net topology/configuration and what makes you think traffic isn't being captured ?
anjmao
commented
1 year ago Tracee is installed with helm. I updated default policy to trace only event=net_packet_tcp
helm install tracee aqua/tracee \
--namespace tracee-system --create-namespace \
--set hostPID=trueSearching via loki I can't find any logs matching my ip {namespace="tracee-system"} |= 'xx.xx.xx.xx'. Also checked directly by using grep on container logs.
On the other hand {namespace="tracee-system"} |= "10.72.0.13" finds packets to other internal demo app services as expected.
Topology: I have 2 e2-standard-2 nodes with 1.25.8-gke.1000 cluster and Ubuntu OS.
rafaeldtinoco
commented
1 year ago Alright. Tracee does not trace network packets in the network card level, it does in the application level.
The packets you are likely seeing are the packets already mangled by your CNI already (with external IPs converted into internals ones, either by the proxy service or load balancing), no ?
Just making sure I understand it right.
anjmao
commented
1 year ago Hi @rafaeldtinoco
Yes, you are correct. Here is some traffic capture:
10:27:09.804823 ens4 In IP xx.xx.xx.xx.54906 > 34.30.75.102.80: Flags [SEW], seq 413257011, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 4123177096 ecr 0,sackOK,eol], length 0
10:27:09.804938 gke6b61c6ada6e Out IP xx.xx.xx.xx.54906 > 10.72.1.16.8080: Flags [SEW], seq 413257011, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 4123177096 ecr 0,sackOK,eol], length 0
10:27:09.805016 gke6b61c6ada6e In IP 10.72.1.16.8080 > xx.xx.xx.xx.54906: Flags [S.E], seq 3062156739, ack 413257012, win 43648, options [mss 1420,sackOK,TS val 820676078 ecr 4123177096,nop,wscale 7], length 0
10:27:09.805034 ens4 Out IP 34.30.75.102.80 > xx.xx.xx.xx.54906: Flags [S.E], seq 3062156739, ack 413257012, win 43648, options [mss 1420,sackOK,TS val 820676078 ecr 4123177096,nop,wscale 7], length 0
10:27:09.966789 ens4 In IP xx.xx.xx.xx.54906 > 34.30.75.102.80: Flags [.], ack 1, win 2068, options [nop,nop,TS val 4123177282 ecr 820676078], length 0
10:27:09.966879 gke6b61c6ada6e Out IP xx.xx.xx.xx.54906 > 10.72.1.16.8080: Flags [.], ack 1, win 2068, options [nop,nop,TS val 4123177282 ecr 820676078], length 0
10:27:09.967559 ens4 In IP xx.xx.xx.xx.54906 > 34.30.75.102.80: Flags [P.], seq 1:572, ack 1, win 2068, options [nop,nop,TS val 4123177282 ecr 820676078], length 571: HTTP: GET /product/OLJCESPC7Z HTTP/1.1
10:27:09.967617 gke6b61c6ada6e Out IP xx.xx.xx.xx.54906 > 10.72.1.16.8080: Flags [P.], seq 1:572, ack 1, win 2068, options [nop,nop,TS val 4123177282 ecr 820676078], length 571: HTTP: GET /product/OLJCESPC7Z HTTP/1.1
10:27:09.967689 gke6b61c6ada6e In IP 10.72.1.16.8080 > xx.xx.xx.xx.54906: Flags [.], ack 572, win 337, options [nop,nop,TS val 820676241 ecr 4123177282], length 0
10:27:09.967722 ens4 Out IP 34.30.75.102.80 > xx.xx.xx.xx.54906: Flags [.], ack 572, win 337, options [nop,nop,TS val 820676241 ecr 4123177282], length 0I modified cgroup_skb_generic a bit just to capture TCP IPv4 headers and output into test perf buf. Wasn't able to make it work with original code. Is it correct to expect that I should hit this place https://github.com/aquasecurity/tracee/blob/main/pkg/ebpf/c/tracee.bpf.c#L5561 if network context is not available for this data path?
statfunc u32 cgroup_skb_generic_simple(struct __sk_buff *ctx)
{
struct sk_buff *skb = (void *) ctx;
void *skb_head = BPF_CORE_READ(skb, head);
u16 l3_off = BPF_CORE_READ(skb, network_header);
u16 l4_off = BPF_CORE_READ(skb, transport_header);
struct iphdr *l3_hdr = (struct iphdr *) (skb_head + l3_off);
u8 ip_vsn = BPF_CORE_READ_BITFIELD_PROBED(l3_hdr, version);
if (ip_vsn != 4) {
return 1;
}
struct iphdr *ip4 = (struct iphdr *) l3_hdr;
u16 l4_proto = BPF_CORE_READ(ip4, protocol);
if (l4_proto != IPPROTO_TCP) {
return 1;
}
struct tcphdr *tcp = (struct tcphdr *) (skb_head + l4_off);
tuple_t ev = {0};
ev.saddr = BPF_CORE_READ(ip4, saddr);
if (is_v4_loopback(ev.saddr)) {
return 1;
}
ev.daddr = BPF_CORE_READ(ip4, daddr);
ev.sport = bpf_ntohs(BPF_CORE_READ(tcp, source));
ev.dport = bpf_ntohs(BPF_CORE_READ(tcp, dest));
ev.family = ctx->family;
bpf_perf_event_output(ctx, &tc_events, BPF_F_CURRENT_CPU, &ev, sizeof(tuple_t));
return 1;
}I modified cgroup_skb_generic a bit just to capture TCP IPv4 headers and output into test perf buf. Wasn't able to make it work with original code. Is it correct to expect that I should hit this place https://github.com/aquasecurity/tracee/blob/main/pkg/ebpf/c/tracee.bpf.c#L5561 if network context is not available for this data path?
Ok, before answering you I need to understand what Tracee was able to capture (until now you just showed me the output of your code test).
rafaeldtinoco
commented
1 year ago I'll try to reproduce at my end today so its clear to me. Let me know the output of tracee (in comparison to your tool) when you run tracee in the compute node with:
docker run --name tracee --rm -it --pid=host --cgroupns=host --privileged -v /etc/os-release:/etc/os-release-host:ro -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host -v /boot/config-$(uname -r):/boot/config-$(uname -r):ro aquasec/tracee:$(uname -m) --filter event=net_packet_ipv4Here is some output. Just run without any filter.
14:21:39:904504 0 kubelet 2462 2529 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 2428 8291 2 0 64 TCP 4887 127.0.0.1 127.0.0.1}
14:21:39:914070 0 containerd 2343 14866 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 56 8292 2 0 64 TCP 7258 127.0.0.1 127.0.0.1}
14:21:39:914131 0 kubelet 2462 2529 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 56 8292 2 0 64 TCP 7258 127.0.0.1 127.0.0.1}
14:21:39:914271 0 kubelet 2462 2529 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 52 49261 2 0 64 TCP 31828 127.0.0.1 127.0.0.1}
14:21:39:914313 0 containerd 2343 14866 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 52 49261 2 0 64 TCP 31828 127.0.0.1 127.0.0.1}
14:21:39:915570 0 containerd 2343 14866 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 56 8293 2 0 64 TCP 7257 127.0.0.1 127.0.0.1}
14:21:39:915629 0 kubelet 2462 2529 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 56 8293 2 0 64 TCP 7257 127.0.0.1 127.0.0.1}
14:21:39:915760 0 containerd 2343 14866 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 1634 8294 2 0 64 TCP 5678 127.0.0.1 127.0.0.1}
14:21:39:915786 0 kubelet 2462 2529 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 1634 8294 2 0 64 TCP 5678 127.0.0.1 127.0.0.1}
14:21:39:916598 0 kubelet 2462 2529 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 52 49262 2 0 64 TCP 31827 127.0.0.1 127.0.0.1}
14:21:39:916647 0 containerd 2343 14866 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 52 49262 2 0 64 TCP 31827 127.0.0.1 127.0.0.1}
14:21:39:920789 0 containerd 2343 56290 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 56 8295 2 0 64 TCP 7255 127.0.0.1 127.0.0.1}
14:21:39:920833 0 kubelet 2462 2529 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 56 8295 2 0 64 TCP 7255 127.0.0.1 127.0.0.1}
14:21:39:921786 0 containerd 2343 56290 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 56 8296 2 0 64 TCP 7254 127.0.0.1 127.0.0.1}
14:21:39:921833 0 kubelet 2462 2529 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 56 8296 2 0 64 TCP 7254 127.0.0.1 127.0.0.1}
14:21:39:921956 0 kubelet 2462 2529 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 52 49263 2 0 64 TCP 31826 127.0.0.1 127.0.0.1}
14:21:39:921989 0 containerd 2343 56290 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 52 49263 2 0 64 TCP 31826 127.0.0.1 127.0.0.1}
14:21:39:922690 0 containerd 2343 56290 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 1242 8297 2 0 64 TCP 6067 127.0.0.1 127.0.0.1}
14:21:39:922740 0 kubelet 2462 2529 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 1242 8297 2 0 64 TCP 6067 127.0.0.1 127.0.0.1}
14:21:39:923777 1001 sidecar 1 13 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 55 4900 2 0 64 UDP 10640 127.0.0.1 127.0.0.1}
14:21:39:924243 0 dnsmasq 11 11 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 73 40355 2 0 64 UDP 40702 127.0.0.1 127.0.0.1}
14:21:39:924283 1001 sidecar 1 13 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 73 40355 2 0 64 UDP 40702 127.0.0.1 127.0.0.1}
14:21:39:924825 1001 sidecar 1 13 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 57 22966 2 0 64 UDP 58107 127.0.0.1 127.0.0.1}
14:21:39:924863 0 dnsmasq 11 11 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 57 22966 2 0 64 UDP 58107 127.0.0.1 127.0.0.1}
14:21:39:925005 0 dnsmasq 11 11 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 75 40356 2 0 64 UDP 40699 127.0.0.1 127.0.0.1}
14:21:39:925032 1001 sidecar 1 13 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 75 40356 2 0 64 UDP 40699 127.0.0.1 127.0.0.1}
14:21:39:925836 1001 sidecar 1 13 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 60 65069 2 0 64 UDP 16001 127.0.0.1 127.0.0.1}
14:21:39:925859 0 dnsmasq 11 11 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 60 65069 2 0 64 UDP 16001 127.0.0.1 127.0.0.1}
14:21:39:926376 0 dnsmasq 11 11 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 74 40357 2 0 64 UDP 40699 127.0.0.1 127.0.0.1}
14:21:39:926400 1001 sidecar 1 13 0 net_packet_ipv4 src: 127.0.0.1, dst: 127.0.0.1, proto_ipv4: {4 5 0 74 40357 2 0 64 UDP 40699 127.0.0.1 127.0.0.1}Grep by frontend pod ip and trigger traffic from external LB:
14:25:51:059401 1000 server 1 11 0 net_packet_ipv4 src: 10.72.1.16, dst: 10.76.8.85, proto_ipv4: {4 5 0 95 7252 2 0 64 TCP 77 10.72.1.16 10.76.8.85}
14:25:51:060091 1000 server 1 11 0 net_packet_ipv4 src: 10.76.8.85, dst: 10.72.1.16, proto_ipv4: {4 5 0 82 6497 2 0 62 TCP 1357 10.76.8.85 10.72.1.16}
14:25:51:060133 1000 server 1 11 0 net_packet_ipv4 src: 10.72.1.16, dst: 10.76.8.85, proto_ipv4: {4 5 0 52 7253 2 0 64 TCP 119 10.72.1.16 10.76.8.85}
14:25:51:060210 1000 server 1 11 0 net_packet_ipv4 src: 10.76.8.85, dst: 10.72.1.16, proto_ipv4: {4 5 0 263 6498 2 0 62 TCP 1175 10.76.8.85 10.72.1.16}
14:25:51:060223 1000 server 1 11 0 net_packet_ipv4 src: 10.72.1.16, dst: 10.76.8.85, proto_ipv4: {4 5 0 52 7254 2 0 64 TCP 118 10.72.1.16 10.76.8.85}
14:25:51:061189 1000 server 1 10 0 net_packet_ipv4 src: 10.72.1.16, dst: 10.76.15.208, proto_ipv4: {4 5 0 137 1165 2 0 64 TCP 4207 10.72.1.16 10.76.15.208}
14:25:51:061353 1000 server 1 10 0 net_packet_ipv4 src: 10.72.1.16, dst: 10.76.8.85, proto_ipv4: {4 5 0 99 7255 2 0 64 TCP 70 10.72.1.16 10.76.8.85}
14:25:51:061862 1000 server 1 10 0 net_packet_ipv4 src: 10.76.8.85, dst: 10.72.1.16, proto_ipv4: {4 5 0 69 6499 2 0 62 TCP 1368 10.76.8.85 10.72.1.16}
14:25:51:066624 1000 server 1 10 0 net_packet_ipv4 src: 10.76.15.208, dst: 10.72.1.16, proto_ipv4: {4 5 0 119 58207 2 0 62 TCP 13230 10.76.15.208 10.72.1.16}
14:25:51:066655 1000 server 1 10 0 net_packet_ipv4 src: 10.72.1.16, dst: 10.76.15.208, proto_ipv4: {4 5 0 52 1166 2 0 64 TCP 4291 10.72.1.16 10.76.15.208}
14:25:51:069154 1000 server 1 10 0 net_packet_ipv4 src: 10.72.1.16, dst: 10.76.15.208, proto_ipv4: {4 5 0 82 1167 2 0 64 TCP 4260 10.72.1.16 10.76.15.208}
14:25:51:069717 1000 server 1 10 0 net_packet_ipv4 src: 10.76.15.208, dst: 10.72.1.16,
....
14:25:54:692451 1000 server 1 10 0 net_packet_ipv4 src: 10.72.1.16, dst: 10.76.0.10, proto_ipv4: {4 5 0 81 49875 2 0 64 UDP 25115 10.72.1.16 10.76.0.10}
14:25:54:692568 0 dnsmasq 11 11 0 net_packet_ipv4 src: 10.72.1.16, dst: 10.72.1.5, proto_ipv4: {4 5 0 81 49875 2 0 63 UDP 25124 10.72.1.16 10.72.1.5}
14:25:54:692713 1000 server 1 10 0 net_packet_ipv4 src: 10.76.0.10, dst: 10.72.1.16, proto_ipv4: {4 5 0 81 40062 2 0 62 UDP 35440 10.76.0.10 10.72.1.16}
14:25:54:693140 0 dnsmasq 11 11 0 net_packet_ipv4 src: 10.72.1.5, dst: 10.72.1.16, proto_ipv4: {4 5 0 97 31119 2 0 64 UDP 43608 10.72.1.5 10.72.1.16}
14:25:54:693235 1000 server 1 10 0 net_packet_ipv4 src: 10.76.0.10, dst: 10.72.1.16, proto_ipv4: {4 5 0 97 31119 2 0 63 UDP 44111 10.76.0.10 10.72.1.16}
14:25:54:694934 1000 server 1 11 0 net_packet_ipv4 src: 10.72.1.16, dst: 10.76.4.64, proto_ipv4: {4 5 0 92 64123 2 0 64 TCP 9789 10.72.1.16 10.76.4.64}
...
14:25:57:926182 1000 server 1 1 0 net_packet_ipv4 src: 10.76.8.94, dst: 10.72.1.16, proto_ipv4: {4 5 0 93 63262 2 0 63 TCP 9851 10.76.8.94 10.72.1.16}
14:25:57:927876 1000 server 1 15 0 net_packet_ipv4 src: 10.72.1.16, dst: 10.76.8.94, proto_ipv4: {4 5 0 82 65096 2 0 64 TCP 7772 10.72.1.16 10.76.8.94}
14:25:57:928036 1000 server 1 1 0 net_packet_ipv4 src: 10.72.1.16, dst: 10.76.15.208, proto_ipv4: {4 5 0 52 1196 2 0 64 TCP 4261 10.72.1.16 10.76.15.208}
14:25:57:929020 1000 server 1 15 0 net_packet_ipv4 src: 10.76.8.94, dst: 10.72.1.16, proto_ipv4: {4 5 0 80 63263 2 0 63 TCP 9863 10.76.8.94 10.72.1.16}
14:25:57:929623 1000 server 1 1 0 net_packet_ipv4 src: 10.72.1.16, dst: 10.76.8.94, proto_ipv4: {4 5 0 103 65097 2 0 64 TCP 7750 10.72.1.16 10.76.8.94}
14:25:57:931194 1000 server 1 1 0 net_packet_ipv4 src: 10.76.8.94, dst: 10.72.1.16, proto_ipv4: {4 5 0 93 63264 2 0 63 TCP 9849 10.76.8.94 10.72.1.16}
14:25:57:931480 1000 server 1 1 0 net_packet_ipv4 src: 10.76.8.94, dst: 10.72.1.16, proto_ipv4: {4 5 0 63 63265 2 0 63 TCP 9878 10.76.8.94 10.72.1.16}
14:25:57:931635 1000 server 1 15 0 net_packet_ipv4 src: 10.72.1.16, dst: 10.76.8.94, proto_ipv4: {4 5 0 52 65098 2 0 64 TCP 7800 10.72.1.16 10.76.8.94}
14:25:57:931938 1000 server 1 15 0 net_packet_ipv4 src: 10.72.1.16, dst: 10.76.8.94, proto_ipv4: {4 5 0 133 65099 2 0 64 TCP 7718 10.72.1.16 10.76.8.94}
14:25:57:934112 1000 server 1 15 0 net_packet_ipv4 src: 10.76.8.94, dst: 10.72.1.16, proto_ipv4: {4 5 0 110 63266 2 0 63 TCP 9830 10.76.8.94 10.72.1.16}
14:25:57:935094 1000 server 1 15 0 net_packet_ipv4 src: 10.72.1.16, dst: 10.76.8.94, proto_ipv4: {4 5 0 82 65100 2 0 64 TCP 7768 10.72.1.16 10.76.8.94}
14:25:57:935595 1000 server 1 15 0 net_packet_ipv4 src: 10.76.8.94, dst: 10.72.1.16, proto_ipv4: {4 5 0 63 63267 2 0 63 TCP 9876 10.76.8.94 10.72.1.16}What did you run without any filter ? Tracee within k8s as a deamonset or manually using docker ? Where is the output from ? From your run ?
I see you grep for external IPs and you find them. Isn't this expected ? What did you expect ? Why do you say there are missing packets ?
anjmao
commented
1 year ago What did you run without any filter ? Tracee within k8s as a deamonset or manually using docker ? Where is the output from ? From your run ?
Run from k8s node the same command as suggested.
docker run --name tracee --rm -it --pid=host --cgroupns=host --privileged -v /etc/os-release:/etc/os-release-host:ro -e LIBBPFGO_OSRELEASE_FILE=/etc/os-release-host -v /boot/config-$(uname -r):/boot/config-$(uname -r):ro aquasec/tracee:$(uname -m) --filter event=net_packet_ipv4I see you grep for external IPs and you find them. Isn't this expected ? What did you expect ? Why do you say there are missing packets ?
Sorry, could you clarify. In my example output all ips are private in 10.0.0.0/8 subnet. I used grep for 10.72.1.16 pod's internal ip.
Description
Hi team. Looks that some igress/egress tcp packets are not capture for Kubernetes load balancer to pod traffic data path.
You can check it by installing onlineboutique demo app from microsoft.
It contains frontend pod which is exposed to the internet via LoadBalancer. I'm using simple GKE cluster with DataPlane V2 (cilium).
I traced __cgroup_bpf_run_filter_skb kprobe with pwru running in separate tracee container and I can see my public IP xx.xx.xx.xx
Output of
tracee version:Output of
uname -a: