mozillazg / ptcpdump

Process-aware, eBPF-based tcpdump
MIT License

Add MPTCP support #148

Closed matttbe closed 1 month ago

matttbe commented 1 month ago

Hello,

Thank you for developing this nice project!

It is very useful, but in my case, I cannot use it because it doesn't support MPTCP, which is what I'm working on for the moment:

$ sudo ./ptcpdump -i any -- mptcpize run curl https://check.mptcp.dev
(...)
12:35:04.875198 eth0 curl.1976134 Out IP6 (...) > 2001:41d0:a:ffcf::1.443: Flags [S], seq 521413668, win 64440, length 0, ParentProc [ptcpdump.1976108]
12:35:04.929839 eth0 curl.1976134 In IP6 2001:41d0:a:ffcf::1.443 > (....): Flags [S.], seq 909521152, ack 521413669, win 32844, length 0, ParentProc [ptcpdump.1976108]

When I use the -v option, we can now see unknown-30, because MPTCP is using the TCP option 30.

$ sudo ./ptcpdump -i any -v tcp -- mptcpize run curl https://check.mptcp.dev
(...)
12:42:10.148275 eth0 Out IP6 (flowlabel 0x905e4, hlim 255, next-header TCP (6), payload length: 44)
    (...) > 2001:41d0:a:ffcf::1.443: Flags [S], cksum 0xfe19, seq 886560320, win 64440, options [mss 1432,sackOK,TS val 84066822 ecr 0,nop,wscale 7,unknown-30 0x0101], length 0
    Process (pid 1984631, cmd /usr/bin/curl, args curl https://check.mptcp.dev)
    ParentProc (pid 1984620, cmd /dev/ptcpdump, args ./ptcpdump -- mptcpize run curl https://check.mptcp.dev)
12:42:10.202750 eth0 In IP6 (flowlabel 0x873cc, hlim 55, next-header TCP (6), payload length: 52)
    2001:41d0:a:ffcf::1.443 > (...): Flags [S.], cksum 0xd4c9, seq 1532299343, ack 886560321, win 32844, options [mss 1432,sackOK,TS val 3692507947 ecr 84066822,nop,wscale 7,unknown-30 0x010163ed2d6a8558847a], length 0
    Process (pid 1984631, cmd /usr/bin/curl, args curl https://check.mptcp.dev)
    ParentProc (pid 1984620, cmd /dev/ptcpdump, args ./ptcpdump -- mptcpize run curl https://check.mptcp.dev)

FYI, here is the output with tcpdump:

12:43:38.324129 IP6 (...) > 2001:41d0:a:ffcf::1.443: Flags [S], seq 151560491, win 64440, options [mss 1432,sackOK,TS val 84154998 ecr 0,nop,wscale 7,mptcp 4 capable v1], length 0
12:43:38.354375 IP6 2001:41d0:a:ffcf::1.443 > (...): Flags [S.], seq 4232734517, ack 151560492, win 32844, options [mss 1432,sackOK,TS val 3692596123 ecr 84154998,nop,wscale 7,mptcp 12 capable v1 {0xd820c69ace854fab}], length 0

It looks like this parsing is done with gopacket. The modification to display MPTCP instead of unknown-30 is easy, see https://github.com/gopacket/gopacket/pull/63. But it might be better to display more info about the options, similar to what tcpdump is doing. For that, there is https://github.com/gopacket/gopacket/pull/66, but it is still waiting for a review.

Because you are already maintaining a fork of gopacket, do you think you could include this PR https://github.com/gopacket/gopacket/pull/66 into your fork to support MPTCP? :)
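Added example, not part of the original issue and not code from ptcpdump, gopacket or either linked PR: a Go sketch that decodes the two `unknown-30` payloads from the `-v` output above using the MP_CAPABLE layout in RFC 8684, producing text in the style of the tcpdump lines. The function name `DecodeMPTCP`, the subtype labels and the output format are assumptions of this example.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// MPTCP option subtypes (RFC 8684, section 3); the labels are this example's own.
var subtypes = map[byte]string{0: "capable", 1: "join", 2: "dss", 3: "add-addr",
	4: "rem-addr", 5: "prio", 6: "fail", 7: "fast-close", 8: "tcprst"}

// DecodeMPTCP renders the hex printed after "unknown-30" (bytes after kind and length).
func DecodeMPTCP(hexPayload string) (string, error) {
	data, err := hex.DecodeString(strings.TrimPrefix(hexPayload, "0x"))
	if err != nil || len(data) == 0 {
		return "", fmt.Errorf("mptcp: bad payload %q", hexPayload)
	}
	subtype, optLen := data[0]>>4, len(data)+2 // +2: kind and length bytes
	name, ok := subtypes[subtype]
	if !ok {
		name = fmt.Sprintf("unknown-subtype-%d", subtype)
	}
	out := fmt.Sprintf("mptcp %d %s", optLen, name)
	if subtype != 0 {
		return out, nil // only MP_CAPABLE is decoded further here
	}
	// MP_CAPABLE: version nibble, flags byte, 0-2 keys, optional length+checksum.
	switch optLen {
	case 4, 12, 20, 22, 24:
	default:
		return "", fmt.Errorf("mptcp: bad MP_CAPABLE length %d", optLen)
	}
	out += fmt.Sprintf(" v%d", data[0]&0x0f)
	if data[1]&0x80 != 0 { // flag A: checksum required
		out += " csum"
	}
	for off := 2; off+8 <= len(data) && off < 18; off += 8 { // 64-bit keys
		out += fmt.Sprintf(" {0x%x}", binary.BigEndian.Uint64(data[off:]))
	}
	return out, nil
}

func main() { // both payloads are copied from the ptcpdump -v output above
	for _, s := range []string{"0x0101", "0x010163ed2d6a8558847a"} {
		fmt.Println(DecodeMPTCP(s))
	}
}
```

The option lengths it reports (4 for the SYN, 12 for the SYN/ACK) match the tcpdump lines above; the key differs because the tcpdump capture is of a different connection.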

mozillazg commented 1 month ago

@matttbe Thanks for your suggestion! I will take a look into it.