xdpdump(8)    a simple tcpdump like tool for capturing packets at the XDP layer    xdpdump(8)

xdpdump - a simple tcpdump like tool for capturing packets at the XDP layer

       xdpdump is a simple XDP packet capture tool that tries to behave
       similar to tcpdump, however, it has no packet filter or decode
       capabilities.

       This can be used for debugging XDP programs that are already loaded on
       an interface. Packets can be dumped/inspected on entry to an XDP
       program, or at exit from an XDP program. Furthermore, at exit the XDP
       action is also captured. This means that even packets that are dropped
       at the XDP layer can be captured via this tool.

       xdpdump works by attaching a bpf trace program to the XDP entry and/or
       exit function which stores the raw packet in a perf trace buffer. If no
       XDP program is loaded this approach can not be used and the tool will
       use a libpcap live-capture to be backward compatible.

   Running xdpdump
       The syntax for running xdpdump is:

              Usage: xdpdump [options]

               XDPDump tool to dump network traffic

              Options:
                   --rx-capture <mode>    Capture point for the rx direction (valid values: entry,exit)
               -D, --list-interfaces      Print the list of available interfaces
               -i, --interface <ifname>   Name of interface to capture on
                   --perf-wakeup <events>  Wake up xdpdump every <events> packets
               -p, --program-names <prog>  Specific program to attach to
               -s, --snapshot-length <snaplen>  Minimum bytes of packet to capture
                   --use-pcap             Use legacy pcap format for XDP traces
               -w, --write <file>         Write raw packets to pcap file
               -x, --hex                  Print the full packet in hex
               -v, --verbose              Enable verbose logging (-vv: more verbose)
                   --version              Display version information
               -h, --help                 Show this help

The options explained

       The xdpdump tool tries to mimic the basic tcpdump options, but just in
       case, each of the available options is explained below:

   --rx-capture <mode>
       Specify where the ingress packet gets captured: at the entry of the
       XDP program and/or at the exit of the XDP program. Valid options are
       entry, exit, or both entry,exit. The packet at exit can be modified by
       the XDP program. If you want to see both the original and the modified
       packet, use the entry,exit option. With this, each packet is captured
       twice. The default value for this is entry.

   -D, --list-interfaces
       Display a list of available interfaces and any XDP program loaded.

   --load-xdp-mode
       Specifies which loader mode to use with the --load-xdp-program option.
       The valid values are ‘native’, which is the default in-driver XDP mode,
       ‘skb’, which causes the so-called skb mode (also known as generic XDP)
       to be used, ‘hw’ which causes the program to be offloaded to the
       hardware, or ‘unspecified’ which leaves it up to the kernel to pick a
       mode (which it will do by picking native mode if the driver supports
       it, or generic mode otherwise). Note that using ‘unspecified’ can make
       it difficult to predict what mode a program will end up being loaded
       in. For this reason, the default is ‘native’.

   --load-xdp-program
       If no XDP program is loaded on the interface, by default, xdpdump will
       fall back to libpcap's live capture mode to capture the packets.
       Alternatively, with this option, you can ask xdpdump to load an XDP
       program to capture the packets directly.

   -i, --interface <ifname>
       Listen on interface ifname. Note that if no XDP program is loaded on
       the interface it will use libpcap's live capture mode to capture the
       packets.

   --perf-wakeup <events>
       Let the kernel wake up xdpdump once for every <events> events posted in
       the perf ring buffer. The higher the number, the smaller the impact on
       the actual XDP program. The default value is 0, which automatically
       calculates the value based on the available CPUs/buffers. Use -v to see
       the actual used value.

   -p, --program-names [<prog>|all]
       This option allows you to capture packets for a specific program, a set
       of programs, or all XDP programs loaded on the interface. You can
       either specify the actual program names or program IDs separated by
       commas. In the case where multiple programs are attached with the same
       name, you should use the program ID. Use the -D option to see the
       loaded programs and their IDs.

       In addition, the Linux API does not provide the full name of the
       attached eBPF entry function if it's longer than 15 characters. xdpdump
       will try to guess the correct function name from the available BTF
       debug information. However, if multiple functions exist with the same
       leading name, it can not pick the correct one. It will dump the
       available functions, and you can choose the correct one, and supply it
       with this option. If you have programs with duplicate long names, you
       also need to specify the program ID with the full name. This can be
       done by adding the id to the name with the @<id> suffix.

   -P, --promiscuous-mode
       This option puts the interface into promiscuous mode.

   -s, --snapshot-length <snaplen>
       Capture snaplen bytes of a packet rather than the default 262144 bytes.

   --use-pcap
       Use legacy pcap format for XDP traces. By default, it will use the
       PcapNG format so that it can store various metadata.

   -w, --write <file>
       Write the raw packets to a pcap file rather than printing them out in
       hexadecimal. Standard output is used if file is -.

   -x, --hex
       When dumping packets on the console also print the full packet content
       in hex.

   -v, --verbose
       Enable debug logging. Specify twice for even more verbosity.

   --version
       Display xdpdump version information and exit.

   -h, --help
       Display a summary of the available options.

Examples

       The following loads the xdp-filter program on eth0, but it does not do
       any actual filtering:

              # xdp-filter load --mode skb eth0
              #
              # xdpdump -D
              Interface        Prio  Program name      Mode     ID   Tag               Chain actions
              --------------------------------------------------------------------------------------
              lo                     <No XDP program loaded!>
              eth0                   xdp_dispatcher    skb      10651 d51e469e988d81da
               =>              10     xdpfilt_alw_all           10669 0b394f43ab24501c  XDP_PASS

       Now we can try xdpdump:

              # xdpdump -i eth0 -x
              listening on eth0, ingress XDP program ID 10651 func xdp_dispatcher, capture mode entry, capture size 262144 bytes
              1584373839.460733895: xdp_dispatcher()@entry: packet size 102 bytes, captured 102 bytes on if_index 2, rx queue 0, id 1
                0x0000:  52 54 00 db 44 b6 52 54 00 34 38 da 08 00 45 48  RT..D.RT.48...EH
                0x0010:  00 58 d7 dd 40 00 40 06 ec c3 c0 a8 7a 01 c0 a8  .X..@.@.....z...
                0x0020:  7a 64 9c de 00 16 0d d5 c6 bc 46 c9 bb 11 80 18  zd........F.....
                0x0030:  01 f5 7b b4 00 00 01 01 08 0a 77 0a 8c b8 40 12  ..{.......w...@.
                0x0040:  cc a6 00 00 00 10 54 ce 6e 20 c3 e7 da 6c 08 42  ......T.n ...l.B
                0x0050:  d6 d9 ee 42 42 f0 82 c9 4f 12 ed 7b 19 ab 22 0d  ...BB...O..{..".
                0x0060:  09 29 a9 ee df 89                                .)....

              1584373839.462340808: xdp_dispatcher()@entry: packet size 66 bytes, captured 66 bytes on if_index 2, rx queue 0, id 2
                0x0000:  52 54 00 db 44 b6 52 54 00 34 38 da 08 00 45 48  RT..D.RT.48...EH
                0x0010:  00 34 d7 de 40 00 40 06 ec e6 c0 a8 7a 01 c0 a8  .4..@.@.....z...
                0x0020:  7a 64 9c de 00 16 0d d5 c6 e0 46 c9 bc 85 80 10  zd........F.....
                0x0030:  01 f5 74 0c 00 00 01 01 08 0a 77 0a 8c ba 40 12  ..t.......w...@.
                0x0040:  d2 34                                            .4
              ^C
              2 packets captured
              0 packets dropped by perf ring

       Below are two more examples redirecting the capture file to tcpdump or
       tshark:

              # xdpdump -i eth0 -w - | tcpdump -r - -n
              listening on eth0, ingress XDP program ID 10651 func xdp_dispatcher, capture mode entry, capture size 262144 bytes
              reading from file -, link-type EN10MB (Ethernet)
              15:55:09.075887 IP 192.168.122.1.40928 > 192.168.122.100.ssh: Flags [P.], seq 3857553815:3857553851, ack 3306438882, win 501, options [nop,nop,TS val 1997449167 ecr 1075234328], length 36
              15:55:09.077756 IP 192.168.122.1.40928 > 192.168.122.100.ssh: Flags [.], ack 37, win 501, options [nop,nop,TS val 1997449169 ecr 1075244363], length 0
              15:55:09.750230 IP 192.168.122.1.40928 > 192.168.122.100.ssh: Flags [P.], seq 36:72, ack 37, win 501, options [nop,nop,TS val 1997449842 ecr 1075244363], length 36

              # xdpdump -i eth0 -w - | tshark -r - -n
              listening on eth0, ingress XDP program ID 10651 func xdp_dispatcher, capture mode entry, capture size 262144 bytes
                  1   0.000000 192.168.122.1 → 192.168.122.100 SSH 102 Client: Encrypted packet (len=36)
                  2   0.000646 192.168.122.1 → 192.168.122.100 TCP 66 40158 → 22 [ACK] Seq=37 Ack=37 Win=1467 Len=0 TSval=1997621571 TSecr=1075416765
                  3  12.218164 192.168.122.1 → 192.168.122.100 SSH 102 Client: Encrypted packet (len=36)

       One final example capturing specific XDP programs loaded on the
       interface:

              # xdpdump -D
              Interface        Prio  Program name      Mode     ID   Tag               Chain actions
              --------------------------------------------------------------------------------------
              lo                     <No XDP program loaded!>
              eth0                   xdp_dispatcher    skb      10558 d51e469e988d81da
               =>              5      xdp_test_prog_w           10576 b5a46c6e9935298c  XDP_PASS
               =>              10     xdp_pass                  10582 3b185187f1855c4c  XDP_PASS
               =>              10     xdp_pass                  10587 3b185187f1855c4c  XDP_PASS

       We would like to see the packets on the xdp_dispatcher() and the 2nd
       xdp_pass() program:

              # xdpdump -i eth0 --rx-capture=entry,exit -p xdp_dispatcher,xdp_pass@10587
                or
              # xdpdump -i eth0 --rx-capture=entry,exit -p 10558,10587
              listening on eth0, ingress XDP program ID 10558 func xdp_dispatcher, ID 10587 func xdp_pass, capture mode entry/exit, capture size 262144 bytes
              1607694215.501287259: xdp_dispatcher()@entry: packet size 102 bytes on if_index 2, rx queue 0, id 1
              1607694215.501371504: xdp_pass()@entry: packet size 102 bytes on if_index 2, rx queue 0, id 1
              1607694215.501383099: xdp_pass()@exit[PASS]: packet size 102 bytes on if_index 2, rx queue 0, id 1
              1607694215.501394709: xdp_dispatcher()@exit[PASS]: packet size 102 bytes on if_index 2, rx queue 0, id 1
              ^C
              4 packets captured
              0 packets dropped by perf ring
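
       The entry/exit console output above can be post-processed to show each
       packet's path through the programs and its final XDP action. This is an
       added example, not part of xdpdump or of this manual page; it assumes
       the line format shown in the examples, that the id field ties together
       the records of one packet, and that a dropped packet is labelled [DROP]
       the way [PASS] is (the id 2 lines are constructed).

```python
import re

# Trace-line shape from the examples on this page; [ACTION] is on exit lines only.
TRACE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+): (?P<func>\w+)\(\)@(?P<point>entry|exit)"
    r"(?:\[(?P<action>\w+)\])?: packet size (?P<size>\d+) bytes"
    r"(?:, captured \d+ bytes)? on if_index (?P<ifindex>\d+), "
    r"rx queue (?P<queue>\d+), id (?P<id>\d+)\s*$"
)

# The id 1 lines are copied from the page. The id 2 lines are constructed, and
# the [DROP] label is an assumption modelled on the [PASS] label shown there.
SAMPLE = """\
1607694215.501287259: xdp_dispatcher()@entry: packet size 102 bytes on if_index 2, rx queue 0, id 1
1607694215.501371504: xdp_pass()@entry: packet size 102 bytes on if_index 2, rx queue 0, id 1
1607694215.501383099: xdp_pass()@exit[PASS]: packet size 102 bytes on if_index 2, rx queue 0, id 1
1607694215.501394709: xdp_dispatcher()@exit[PASS]: packet size 102 bytes on if_index 2, rx queue 0, id 1
1607694216.100000000: xdp_dispatcher()@entry: packet size 66 bytes on if_index 2, rx queue 0, id 2
1607694216.100050000: xdp_dispatcher()@exit[DROP]: packet size 66 bytes on if_index 2, rx queue 0, id 2
"""

def parse_trace(text):
    """Return one dict per trace line; banner, hex and summary lines are skipped."""
    events = []
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["id"] = int(ev["id"])
            events.append(ev)
    return events

def summarize(events):
    """Map packet id -> programs entered and verdict (action of the last exit seen)."""
    packets = {}
    for ev in events:
        pkt = packets.setdefault(ev["id"], {"path": [], "verdict": None})
        if ev["point"] == "entry":
            pkt["path"].append(ev["func"])
        else:
            pkt["verdict"] = ev["action"]
    return packets

def not_passed(packets):
    """Packet ids whose final XDP action was anything other than PASS."""
    return sorted(i for i, p in packets.items() if p["verdict"] != "PASS")

if __name__ == "__main__":
    print(not_passed(summarize(parse_trace(SAMPLE))))
```

       A verdict of None means the packet was only seen at entry, which is
       what a capture taken without --rx-capture=exit produces.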

BUGS

       Please report any bugs on GitHub:
       https://github.com/xdp-project/xdp-tools/issues

AUTHOR

       xdpdump was written by Eelco Chaudron

V1.1.1                         FEBRUARY 8, 2021                    xdpdump(8)