xdpdump(8)          simple tcpdump like tool for capturing packets at the XDP layer          xdpdump(8)


xdpdump is a simple XDP packet capture tool that tries to behave similarly to tcpdump; however, it has no packet filter or decode capabilities.

It can be used for debugging XDP programs that are already loaded on an interface. Packets can be dumped/inspected either on entry to the XDP program or on exit from it. Furthermore, at exit the XDP action is also captured. This means that even packets dropped at the XDP layer can be captured with this tool.

xdpdump works by attaching a BPF trace program to the XDP entry and/or exit function, which stores the raw packet in a perf trace buffer. If no XDP program is loaded this approach cannot be used, and the tool falls back to a libpcap live capture to stay backward compatible.

Running xdpdump
The syntax for running xdpdump is:

    Usage: xdpdump [options]

    XDPDump tool to dump network traffic

    Options:
        --rx-capture <mode>              Capture point for the rx direction (valid values: entry,exit)
     -D, --list-interfaces               Print the list of available interfaces
     -i, --interface <ifname>            Name of interface to capture on
     -p, --program-names <prog>          Specific program to attach to
     -s, --snapshot-length <snaplen>     Minimum bytes of packet to capture
        --use-pcap                       Use legacy pcap format for XDP traces
     -w, --write <file>                  Write raw packets to pcap file
     -x, --hex                           Print the full packet in hex
     -v, --verbose                       Enable verbose logging (-vv: more verbose)
        --version                        Display version information
     -h, --help                          Show this help

The xdpdump tool tries to mimic the basic tcpdump options, but just in case, each of the available options is explained below:

--rx-capture <mode>
    Specify where the ingress packet gets captured: at the entry of the XDP program, at its exit, or both. Valid values are entry, exit, or entry,exit. The packet at exit may have been modified by the XDP program, so if you want to see both the original and the modified packet, use entry,exit; each packet is then captured twice. The default value is entry.

-D, --list-interfaces
    Display a list of available interfaces and any XDP program loaded on them.

-i, --interface <ifname>
    Listen on interface ifname. Note that if no XDP program is loaded on the interface, libpcap's live capture mode is used to capture the packets.

-p, --program-names <prog>
    The Linux API does not provide the full name of the attached eBPF entry function if it is longer than 15 characters. xdpdump tries to guess the correct function name from the available BTF debug information. However, if multiple functions exist with the same leading name, it cannot pick the correct one; it will list the available functions so you can choose the correct one and supply it with this option.

-P, --promiscuous-mode
    Put the interface into promiscuous mode.

-s, --snapshot-length <snaplen>
    Capture snaplen bytes of each packet rather than the default 262144 bytes.

--use-pcap
    Use the legacy pcap format for XDP traces. By default the PcapNG format is used, so that various metadata can be stored.

-w, --write <file>
    Write the raw packets to a pcap file rather than printing them out in hexadecimal. Standard output is used if file is -.

-x, --hex
    When dumping packets on the console, also print the full packet content in hex.

-v, --verbose
    Enable debug logging. Specify twice for even more verbosity.

--version
    Display the xdpdump version information (v1.0.0~beta3) and exit.

-h, --help
    Display a summary of the available options.

The following loads the xdp-filter program on eth0; it does not do any actual filtering:

    # xdp-filter load --mode skb eth0
    #
    # xdpdump -D
    if_index if_name          XDP program entry function
    -------- ---------------- --------------------------------------------------
           1 lo               <No XDP program loaded!>
           2 eth0             xdpfilt_dny_all()

Now we can try xdpdump:

    # xdpdump -i eth0 -x
    listening on eth0, ingress XDP program xdpfilt_dny_all, capture mode entry, capture size 262144 bytes
    1584373839.460733895: packet size 102 bytes, captured 102 bytes on if_index 2, rx queue 0, @entry
    0x0000: 52 54 00 db 44 b6 52 54 00 34 38 da 08 00 45 48 RT..D.RT.48...EH
    0x0010: 00 58 d7 dd 40 00 40 06 ec c3 c0 a8 7a 01 c0 a8 .X..@.@.....z...
    0x0020: 7a 64 9c de 00 16 0d d5 c6 bc 46 c9 bb 11 80 18 zd........F.....
    0x0030: 01 f5 7b b4 00 00 01 01 08 0a 77 0a 8c b8 40 12 ..{.......w...@.
    0x0040: cc a6 00 00 00 10 54 ce 6e 20 c3 e7 da 6c 08 42 ......T.n ...l.B
    0x0050: d6 d9 ee 42 42 f0 82 c9 4f 12 ed 7b 19 ab 22 0d ...BB...O..{..".
    0x0060: 09 29 a9 ee df 89 .)....

    1584373839.462340808: packet size 66 bytes, captured 66 bytes on if_index 2, rx queue 0, @entry
    0x0000: 52 54 00 db 44 b6 52 54 00 34 38 da 08 00 45 48 RT..D.RT.48...EH
    0x0010: 00 34 d7 de 40 00 40 06 ec e6 c0 a8 7a 01 c0 a8 .4..@.@.....z...
    0x0020: 7a 64 9c de 00 16 0d d5 c6 e0 46 c9 bc 85 80 10 zd........F.....
    0x0030: 01 f5 74 0c 00 00 01 01 08 0a 77 0a 8c ba 40 12 ..t.......w...@.
    0x0040: d2 34 .4
    ^C
    2 packets captured
    0 packets dropped by perf ring

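The hex dump above is all xdpdump itself provides: it has no decode capabilities, so reading a console capture by eye means reassembling the bytes and decoding the headers by hand (or writing a pcap and handing it to tcpdump or tshark, as the next examples do). The following Python script is an added example and is not part of xdpdump or the xdp-tools project. It parses the console (-x) output format shown above (the per-packet header line and the hex rows), rebuilds the raw frame and decodes the Ethernet, IPv4 and TCP headers. The sample input is copied from the output above; the Packet class, function names and dictionary keys are the example's own.

```python
"""Rebuild and decode packets from xdpdump's console (-x) output.

Added example: xdpdump prints one header line per packet followed by hex-dump
rows and does no protocol decoding itself.  Packet and the dict keys are ours.
"""
import re
import socket
import struct
from dataclasses import dataclass

# Copied from the "xdpdump -i eth0 -x" output above (two captured packets).
SAMPLE_OUTPUT = """\
listening on eth0, ingress XDP program xdpfilt_dny_all, capture mode entry, capture size 262144 bytes
1584373839.460733895: packet size 102 bytes, captured 102 bytes on if_index 2, rx queue 0, @entry
0x0000: 52 54 00 db 44 b6 52 54 00 34 38 da 08 00 45 48 RT..D.RT.48...EH
0x0010: 00 58 d7 dd 40 00 40 06 ec c3 c0 a8 7a 01 c0 a8 .X..@.@.....z...
0x0020: 7a 64 9c de 00 16 0d d5 c6 bc 46 c9 bb 11 80 18 zd........F.....
0x0030: 01 f5 7b b4 00 00 01 01 08 0a 77 0a 8c b8 40 12 ..{.......w...@.
0x0040: cc a6 00 00 00 10 54 ce 6e 20 c3 e7 da 6c 08 42 ......T.n ...l.B
0x0050: d6 d9 ee 42 42 f0 82 c9 4f 12 ed 7b 19 ab 22 0d ...BB...O..{..".
0x0060: 09 29 a9 ee df 89 .)....

1584373839.462340808: packet size 66 bytes, captured 66 bytes on if_index 2, rx queue 0, @entry
0x0000: 52 54 00 db 44 b6 52 54 00 34 38 da 08 00 45 48 RT..D.RT.48...EH
0x0010: 00 34 d7 de 40 00 40 06 ec e6 c0 a8 7a 01 c0 a8 .4..@.@.....z...
0x0020: 7a 64 9c de 00 16 0d d5 c6 e0 46 c9 bc 85 80 10 zd........F.....
0x0030: 01 f5 74 0c 00 00 01 01 08 0a 77 0a 8c ba 40 12 ..t.......w...@.
0x0040: d2 34 .4
2 packets captured
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\d+\.\d+): packet size (?P<size>\d+) bytes, captured (?P<cap>\d+) bytes"
    r" on if_index (?P<ifindex>\d+), rx queue (?P<queue>\d+), @(?P<point>\w+)")
# Offset, then 1..16 hex byte pairs; the trailing ASCII column is left alone.
HEX_ROW_RE = re.compile(r"^0x([0-9a-fA-F]{4}):((?: [0-9a-fA-F]{2}){1,16})")
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


@dataclass
class Packet:
    timestamp: float
    size: int           # on-wire length reported by xdpdump
    captured: int       # bytes actually captured (bounded by snaplen)
    ifindex: int
    rx_queue: int
    capture_point: str  # "entry" or "exit"
    data: bytes = b""


def parse_xdpdump_text(text: str) -> list[Packet]:
    """Turn xdpdump -x console output into Packet objects holding raw bytes."""
    packets: list[Packet] = []
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            packets.append(Packet(float(m["ts"]), int(m["size"]), int(m["cap"]),
                                  int(m["ifindex"]), int(m["queue"]), m["point"]))
        elif (m := HEX_ROW_RE.match(line)) and packets:
            cur = packets[-1]
            if int(m.group(1), 16) != len(cur.data):
                raise ValueError(f"hex dump offset mismatch: {line!r}")
            cur.data += bytes.fromhex(m.group(2))
    for p in packets:
        if len(p.data) < p.captured:
            raise ValueError(f"truncated hex dump for packet at {p.timestamp}")
        p.data = p.data[:p.captured]  # drop anything mis-read from the ASCII column
    return packets


def decode_ethernet_ipv4_tcp(data: bytes) -> dict:
    """Decode Ethernet, IPv4 and TCP headers, stopping at the first other protocol."""
    if len(data) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", data[:14])
    info = {"eth_dst": dst.hex(":"), "eth_src": src.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800 or len(data) < 34:
        return info
    ip = data[14:]
    vihl, _tos, total_len, _id, _frag, ttl, proto, _csum, s, d = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    info.update(ip_src=socket.inet_ntoa(s), ip_dst=socket.inet_ntoa(d), ip_ttl=ttl, ip_proto=proto)
    tcp = ip[ihl:total_len]  # ignore any Ethernet padding after the IP datagram
    if proto != 6 or len(tcp) < 20:
        return info
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    info.update(tcp_sport=sport, tcp_dport=dport, tcp_seq=seq, tcp_ack=ack, tcp_flags=flags,
                tcp_window=window, tcp_payload_len=len(tcp) - data_off)
    return info


if __name__ == "__main__":
    for pkt in parse_xdpdump_text(SAMPLE_OUTPUT):
        print(f"{pkt.timestamp:.6f} @{pkt.capture_point} if_index={pkt.ifindex}",
              decode_ethernet_ipv4_tcp(pkt.data))
```

Run with the embedded sample and both frames decode as 192.168.122.1 to 192.168.122.100 on TCP 40158 to 22, the first carrying 36 bytes of payload with PSH,ACK and the second a bare ACK, matching what tshark reports for the same flow further down. The parser trusts the "captured N bytes" field over the hex rows, which protects against a short final row whose ASCII column happens to look like hex pairs.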
Below are two more examples redirecting the capture file to tcpdump or tshark:

    # xdpdump -i eth0 -w - | tcpdump -r - -n
    listening on eth0, ingress XDP program xdpfilt_dny_all, capture mode entry, capture size 262144 bytes
    reading from file -, link-type EN10MB (Ethernet)
    15:55:09.075887 IP 192.168.122.1.40928 > 192.168.122.100.ssh: Flags [P.], seq 3857553815:3857553851, ack 3306438882, win 501, options [nop,nop,TS val 1997449167 ecr 1075234328], length 36
    15:55:09.077756 IP 192.168.122.1.40928 > 192.168.122.100.ssh: Flags [.], ack 37, win 501, options [nop,nop,TS val 1997449169 ecr 1075244363], length 0
    15:55:09.750230 IP 192.168.122.1.40928 > 192.168.122.100.ssh: Flags [P.], seq 36:72, ack 37, win 501, options [nop,nop,TS val 1997449842 ecr 1075244363], length 36

    # xdpdump -i eth0 -w - | tshark -r - -n
    listening on eth0, ingress XDP program xdpfilt_dny_all, capture mode entry, capture size 262144 bytes
        1 0.000000  192.168.122.1 → 192.168.122.100 SSH 102 Client: Encrypted packet (len=36)
        2 0.000646  192.168.122.1 → 192.168.122.100 TCP 66 40158 → 22 [ACK] Seq=37 Ack=37 Win=1467 Len=0 TSval=1997621571 TSecr=1075416765
        3 12.218164 192.168.122.1 → 192.168.122.100 SSH 102 Client: Encrypted packet (len=36)

Please report any bugs on Github: https://github.com/xdp-project/xdp-tools/issues

xdpdump was written by Eelco Chaudron



V1.0.0~BETA3                              JULY 30, 2020                              xdpdump(8)