qjawls2003 / eBPF-Remote-Client-Tracing

eBPF agent to trace processes back to SSH Client IP
GNU General Public License v3.0

Need help #20

Open hatamiarash7 opened 8 months ago

hatamiarash7 commented 8 months ago

What version of kernel is this project built with? Currently, on Ubuntu 22.04.4 with kernel version 6.5.0, I cannot use the existing binary, and after opening the session, the following error appears:

22:31:24 INFO  sshtrace.c:514: Starting program...
libbpf: failed to dup FD 0 to FD > 2: -24
libbpf: failed to dup FD 0 to FD > 2: -24
libbpf: failed to dup FD 0 to FD > 2: -24
libbpf: failed to dup FD 0 to FD > 2: -24

I also can't build it myself.

sshtrace.bpf.c:124:13: warning: implicit declaration of function 'bpf_strncmp' is invalid in C99 [-Wimplicit-function-declaration]
  int res = bpf_strncmp(data.command, 8, "sshd");
            ^
sshtrace.bpf.c:169:13: warning: implicit declaration of function 'bpf_strncmp' is invalid in C99 [-Wimplicit-function-declaration]
  int res = bpf_strncmp(data.command, 8, "ssh");
            ^
2 warnings generated.
llvm-strip -g sshtrace.bpf.o
bpftool gen skeleton sshtrace.bpf.o > sshtrace.skel.h
libbpf: failed to find BTF for extern 'bpf_strncmp': -2
Error: failed to open BPF object file: No such file or directory
make: *** [Makefile:29: sshtrace.skel.h] Error 254

Is it possible to guide me?

qjawls2003 commented 7 months ago

Hi, I apologize for the late response. This program was built on 22.04.1 Ubuntu with 6.2.0-33-generic kernel and also tested on Kali 2023 (Debian 6.1.12 with 6.1.0-kali5-am64 kernel). I will need some time testing this with the higher kernel versions. Give us a few days to figure this out. Thanks! @abemelvin

kncxstudio commented 4 months ago

This problem is also reproduced in Kali GNU/Linux Rolling x86_64 6.8.11-amd64.