xdpdump(8)   a simple tcpdump like tool for capturing packets at the XDP layer   xdpdump(8)

xdpdump - a simple tcpdump like tool for capturing packets at the XDP layer

       xdpdump is a simple XDP packet capture tool that tries to behave
       similarly to tcpdump; however, it has no packet filter or decode
       capabilities.

       It can be used for debugging XDP programs that are already loaded on
       an interface. Packets can be dumped/inspected on entry to the XDP
       program, or at exit from it. Furthermore, at exit the XDP action is
       also captured. This means that even packets that are dropped at the
       XDP layer can be captured with this tool.

       xdpdump works by attaching a BPF trace program to the XDP entry and/or
       exit function, which stores the raw packet in a perf trace buffer. If
       no XDP program is loaded, this approach cannot be used and the tool
       will use a libpcap live capture to be backward compatible.

   Running xdpdump
       The syntax for running xdpdump is:

              Usage: xdpdump [options]

               XDPDump tool to dump network traffic

              Options:
                   --rx-capture <mode>    Capture point for the rx direction (valid values: entry,exit)
               -D, --list-interfaces      Print the list of available interfaces
               -i, --interface <ifname>   Name of interface to capture on
               -p, --program-names <prog>  Specific program to attach to
               -s, --snapshot-length <snaplen>  Minimum bytes of packet to capture
                   --use-pcap             Use legacy pcap format for XDP traces
               -w, --write <file>         Write raw packets to pcap file
               -x, --hex                  Print the full packet in hex
               -v, --verbose              Enable verbose logging (-vv: more verbose)
                   --version              Display version information
               -h, --help                 Show this help

The options explained

       The xdpdump tool tries to mimic the basic tcpdump options, but just in
       case, each of the available options is explained below:

   --rx-capture <mode>
       Specify where the ingress packet gets captured: at the entry of the
       XDP program and/or at its exit. Valid options are entry, exit, or both
       (entry,exit). The packet at exit can be modified by the XDP program.
       If you want to see both the original and the modified packet, use the
       entry,exit option. With this, each packet is captured twice. The
       default value is entry.

   -D, --list-interfaces
       Display a list of available interfaces and any XDP program loaded.

   -i, --interface <ifname>
       Listen on interface ifname. Note that if no XDP program is loaded on
       the interface, it will use libpcap's live capture mode to capture the
       packets.

   -p, --program-names <prog>
       The Linux API does not provide the full name of the attached eBPF
       entry function if it's longer than 15 characters. xdpdump will try to
       guess the correct function name from the available BTF debug
       information. However, if multiple functions exist with the same
       leading name, it cannot pick the correct one. It will dump the
       available functions, and you can choose the correct one and supply it
       with this option.

   -P, --promiscuous-mode
       This option puts the interface into promiscuous mode.

   -s, --snapshot-length <snaplen>
       Capture snaplen bytes of a packet rather than the default 262144 bytes.

   --use-pcap
       Use legacy pcap format for XDP traces. By default, it will use the
       PcapNG format so that it can store various metadata.

   -w, --write <file>
       Write the raw packets to a pcap file rather than printing them out in
       hexadecimal. Standard output is used if file is -.

   -x, --hex
       When dumping packets on the console, also print the full packet
       content in hex.

   -v, --verbose
       Enable debug logging. Specify twice for even more verbosity.

   --version
       Display xdpdump version information and exit.

   -h, --help
       Display a summary of the available options.

Examples

       The below will load the xdp-filter program on eth0, but it does not do
       any actual filtering:

              # xdp-filter load --mode skb eth0
              #
              # xdpdump -D
              if_index  if_name           XDP program entry function
              --------  ----------------  --------------------------------------------------
              1         lo                <No XDP program loaded!>
              2         eth0              xdpfilt_dny_all()

       Now we can try xdpdump:

              # xdpdump -i eth0 -x
              listening on eth0, ingress XDP program xdpfilt_dny_all, capture mode entry, capture size 262144 bytes
              1584373839.460733895: packet size 102 bytes, captured 102 bytes on if_index 2, rx queue 0, @entry
                0x0000:  52 54 00 db 44 b6 52 54 00 34 38 da 08 00 45 48  RT..D.RT.48...EH
                0x0010:  00 58 d7 dd 40 00 40 06 ec c3 c0 a8 7a 01 c0 a8  .X..@.@.....z...
                0x0020:  7a 64 9c de 00 16 0d d5 c6 bc 46 c9 bb 11 80 18  zd........F.....
                0x0030:  01 f5 7b b4 00 00 01 01 08 0a 77 0a 8c b8 40 12  ..{.......w...@.
                0x0040:  cc a6 00 00 00 10 54 ce 6e 20 c3 e7 da 6c 08 42  ......T.n ...l.B
                0x0050:  d6 d9 ee 42 42 f0 82 c9 4f 12 ed 7b 19 ab 22 0d  ...BB...O..{..".
                0x0060:  09 29 a9 ee df 89                                .)....

              1584373839.462340808: packet size 66 bytes, captured 66 bytes on if_index 2, rx queue 0, @entry
                0x0000:  52 54 00 db 44 b6 52 54 00 34 38 da 08 00 45 48  RT..D.RT.48...EH
                0x0010:  00 34 d7 de 40 00 40 06 ec e6 c0 a8 7a 01 c0 a8  .4..@.@.....z...
                0x0020:  7a 64 9c de 00 16 0d d5 c6 e0 46 c9 bc 85 80 10  zd........F.....
                0x0030:  01 f5 74 0c 00 00 01 01 08 0a 77 0a 8c ba 40 12  ..t.......w...@.
                0x0040:  d2 34                                            .4
              ^C
              2 packets captured
              0 packets dropped by perf ring
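
       Since xdpdump does no decoding itself, the -x output has to be
       interpreted elsewhere. The following is an added example, not part of
       xdpdump or of this man page: a Python parser for the -x line format
       shown above (only that format is assumed; the function names are
       hypothetical) that decodes Ethernet/IPv4/TCP and checks the IPv4
       header checksum, which helps when inspecting packets that an XDP
       program has rewritten.

```python
import re
import socket
import struct

# Sample input: second packet of the `xdpdump -i eth0 -x` output shown on this page.
SAMPLE = """\
1584373839.462340808: packet size 66 bytes, captured 66 bytes on if_index 2, rx queue 0, @entry
  0x0000:  52 54 00 db 44 b6 52 54 00 34 38 da 08 00 45 48  RT..D.RT.48...EH
  0x0010:  00 34 d7 de 40 00 40 06 ec e6 c0 a8 7a 01 c0 a8  .4..@.@.....z...
  0x0020:  7a 64 9c de 00 16 0d d5 c6 e0 46 c9 bc 85 80 10  zd........F.....
  0x0030:  01 f5 74 0c 00 00 01 01 08 0a 77 0a 8c ba 40 12  ..t.......w...@.
  0x0040:  d2 34                                            .4
"""

HDR = re.compile(r"^(\d+\.\d+): packet size (\d+) bytes, captured (\d+) bytes "
                 r"on if_index (\d+), rx queue (\d+), @(\S+)")
HEX = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{2} ){0,15}[0-9a-f]{2})(?:\s|$)", re.I)

def parse_dump(text):
    """Return one dict per packet: header-line metadata plus the raw bytes."""
    packets = []
    for line in text.splitlines():
        if m := HDR.match(line):
            packets.append({"ts": m[1], "size": int(m[2]), "if_index": int(m[4]),
                            "rxq": int(m[5]), "point": m[6], "raw": bytearray()})
        elif packets and (m := HEX.match(line)):
            packets[-1]["raw"] += bytes.fromhex(m[1])  # hex column only, ASCII ignored
    return packets

def ip_csum_ok(hdr):
    """One's-complement sum over the IPv4 header, checksum included, folds to 0xffff."""
    s = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s == 0xFFFF

def decode(raw):
    """Decode Ethernet/IPv4/TCP; None for other traffic or a truncated capture."""
    if len(raw) < 34 or struct.unpack("!H", raw[12:14])[0] != 0x0800:
        return None
    ihl = (raw[14] & 0x0F) * 4
    if ihl < 20 or raw[23] != 6 or len(raw) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", raw[14 + ihl:14 + ihl + 4])
    return {"src": socket.inet_ntoa(raw[26:30]), "dst": socket.inet_ntoa(raw[30:34]),
            "sport": sport, "dport": dport, "ip_csum_ok": ip_csum_ok(raw[14:14 + ihl])}

if __name__ == "__main__":
    print([decode(bytes(p["raw"])) for p in parse_dump(SAMPLE)])
```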

       Below are two more examples redirecting the capture file to tcpdump or
       tshark:

              # xdpdump -i eth0 -w - | tcpdump -r - -n
              listening on eth0, ingress XDP program xdpfilt_dny_all, capture mode entry, capture size 262144 bytes
              reading from file -, link-type EN10MB (Ethernet)
              15:55:09.075887 IP 192.168.122.1.40928 > 192.168.122.100.ssh: Flags [P.], seq 3857553815:3857553851, ack 3306438882, win 501, options [nop,nop,TS val 1997449167 ecr 1075234328], length 36
              15:55:09.077756 IP 192.168.122.1.40928 > 192.168.122.100.ssh: Flags [.], ack 37, win 501, options [nop,nop,TS val 1997449169 ecr 1075244363], length 0
              15:55:09.750230 IP 192.168.122.1.40928 > 192.168.122.100.ssh: Flags [P.], seq 36:72, ack 37, win 501, options [nop,nop,TS val 1997449842 ecr 1075244363], length 36

              # xdpdump -i eth0 -w - | tshark -r - -n
              listening on eth0, ingress XDP program xdpfilt_dny_all, capture mode entry, capture size 262144 bytes
                  1   0.000000 192.168.122.1 → 192.168.122.100 SSH 102 Client: Encrypted packet (len=36)
                  2   0.000646 192.168.122.1 → 192.168.122.100 TCP 66 40158 → 22 [ACK] Seq=37 Ack=37 Win=1467 Len=0 TSval=1997621571 TSecr=1075416765
                  3  12.218164 192.168.122.1 → 192.168.122.100 SSH 102 Client: Encrypted packet (len=36)

BUGS

       Please report any bugs on GitHub:
       https://github.com/xdp-project/xdp-tools/issues

AUTHOR

       xdpdump was written by Eelco Chaudron

V1.0.0~BETA3                     JULY 30, 2020                      xdpdump(8)