ecapture 0.7.6依旧无法抓取docker pull的完全URL

Question

ecapture 0.7.6依旧无法抓取docker pull的完全URL

Closed this issue 2 months ago · 8 comments

189er commented 3 months ago

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

Go to '...'
Click on '....'
Scroll down to '....'
See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Linux Server/Android (please complete the following information):

Env: [run make env to get the environment variables]
OS: [e.g. Ubuntu 21.04]
Arch: [e.g. arm_aarch64]
Kernel Version: [e.g. 5.10]
Version: [e.g. 0.1.3-20220313-69c1e0]

Additional context
Add any other context about the problem here.

ecapture gotls --elfpath=/usr/bin/docker --hex;

docker pull redis ;

Answer 1 · 2024-03-05T01:53:23.000Z

@ruitianzhong can you take a look at this issue?

Answer 2 · 2024-03-05T07:50:50.000Z

On my Ubuntu 22.04:

sudo ../bin/ecapture gotls --elfpath=/usr/bin/docker --hex
tls_2024/03/05 15:34:46 ECAPTURE :: ecapture Version : linux_x86_64:0.7.5-20240303-bfb4a8c:[CORE]
tls_2024/03/05 15:34:46 ECAPTURE :: Pid Info : 97130
tls_2024/03/05 15:34:46 ECAPTURE :: Kernel Info : 6.5.8
tls_2024/03/05 15:34:46 EBPFProbeGoTLS	module initialization failed. [skip it]. error:symbol not found

some context information:

file /usr/bin/docker
/usr/bin/docker: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3529861e1bdd15d5629062d4788080311e847984, for GNU/Linux 3.2.0, stripped

eCapture hooks crypto/tls.(*Conn).Read() and looks for it when start up. But /usr/bin/docker seems to not contain this symbol, so the error is returned.

Is that the case? Can you provide more detailed information. @189er

Answer 3 · 2024-03-05T16:32:21.000Z

Docker use /usr/bin/dockerd to pull images and log in.

Try to use :
ecapture gotls --elfpath=/usr/bin/dockerd --hex

Answer 4 · 2024-03-09T07:36:59.000Z

Docker use /usr/bin/dockerd to pull images and log in.

Try to use : ecapture gotls --elfpath=/usr/bin/dockerd --hex

@189er Hello？

Answer 5 · 2024-03-28T07:38:42.000Z

Docker use /usr/bin/dockerd to pull images and log in.
Try to use : ecapture gotls --elfpath=/usr/bin/dockerd --hex

@189er Hello？

root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# ./ecapture gotls --elfpath=/usr/bin/dockerd --hex;
tls_2024/03/28 07:35:48 ECAPTURE :: ecapture Version : linux_x86_64:0.6.3-20230927-f0cfbdf:5.15.0-1046-azure
tls_2024/03/28 07:35:48 ECAPTURE :: Pid Info : 840788
tls_2024/03/28 07:35:48 ECAPTURE :: Kernel Info : 6.2.16
tls_2024/03/28 07:35:48 EBPFProbeGoTLS module initialization failed. [skip it]. error:no symbol section
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64#
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64#
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64#
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# file /usr/bin/docker
/usr/bin/docker: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3529861e1bdd15d5629062d4788080311e847984, for GNU/Linux 3.2.0, stripped
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# file /usr/bin/dockerd
/usr/bin/dockerd: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=95915fdb7e8b49dcbdadb3b01be93be5bf57fdca, for GNU/Linux 3.2.0, stripped
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# uname -a
Linux ip-172-31-6-36 6.2.0-1017-aws #17~22.04.1-Ubuntu SMP Fri Nov 17 21:07:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64#

Answer 6 · 2024-03-28T07:39:33.000Z

On my Ubuntu 22.04:

sudo ../bin/ecapture gotls --elfpath=/usr/bin/docker --hex
tls_2024/03/05 15:34:46 ECAPTURE :: ecapture Version : linux_x86_64:0.7.5-20240303-bfb4a8c:[CORE]
tls_2024/03/05 15:34:46 ECAPTURE :: Pid Info : 97130
tls_2024/03/05 15:34:46 ECAPTURE :: Kernel Info : 6.5.8
tls_2024/03/05 15:34:46 EBPFProbeGoTLS	module initialization failed. [skip it]. error:symbol not found

some context information:

file /usr/bin/docker
/usr/bin/docker: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3529861e1bdd15d5629062d4788080311e847984, for GNU/Linux 3.2.0, stripped

eCapture hooks crypto/tls.(*Conn).Read() and looks for it when start up. But /usr/bin/docker seems to not contain this symbol, so the error is returned.

Is that the case? Can you provide more detailed information. @189er

root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# ./ecapture gotls --elfpath=/usr/bin/dockerd --hex; tls_2024/03/28 07:35:48 ECAPTURE :: ecapture Version : linux_x86_64:0.6.3-20230927-f0cfbdf:5.15.0-1046-azure tls_2024/03/28 07:35:48 ECAPTURE :: Pid Info : 840788 tls_2024/03/28 07:35:48 ECAPTURE :: Kernel Info : 6.2.16 tls_2024/03/28 07:35:48 EBPFProbeGoTLS module initialization failed. [skip it]. error:no symbol section root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# file /usr/bin/docker /usr/bin/docker: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3529861e1bdd15d5629062d4788080311e847984, for GNU/Linux 3.2.0, stripped root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# file /usr/bin/dockerd /usr/bin/dockerd: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=95915fdb7e8b49dcbdadb3b01be93be5bf57fdca, for GNU/Linux 3.2.0, stripped root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# uname -a Linux ip-172-31-6-36 6.2.0-1017-aws #17~22.04.1-Ubuntu SMP Fri Nov 17 21:07:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64#

Answer 7 · 2024-03-28T14:14:53.000Z

Docker use /usr/bin/dockerd to pull images and log in.
Try to use : ecapture gotls --elfpath=/usr/bin/dockerd --hex

@189er Hello？

root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# ./ecapture gotls --elfpath=/usr/bin/dockerd --hex; tls_2024/03/28 07:35:48 ECAPTURE :: ecapture Version : linux_x86_64:0.6.3-20230927-f0cfbdf:5.15.0-1046-azure tls_2024/03/28 07:35:48 ECAPTURE :: Pid Info : 840788 tls_2024/03/28 07:35:48 ECAPTURE :: Kernel Info : 6.2.16 tls_2024/03/28 07:35:48 EBPFProbeGoTLS module initialization failed. [skip it]. error:no symbol section root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# file /usr/bin/docker /usr/bin/docker: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=3529861e1bdd15d5629062d4788080311e847984, for GNU/Linux 3.2.0, stripped root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# file /usr/bin/dockerd /usr/bin/dockerd: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=95915fdb7e8b49dcbdadb3b01be93be5bf57fdca, for GNU/Linux 3.2.0, stripped root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64# uname -a Linux ip-172-31-6-36 6.2.0-1017-aws #17~22.04.1-Ubuntu SMP Fri Nov 17 21:07:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux root@ip-172-31-6-36:/tmp/ecapture-v0.6.3-linux-x86_64#

In my test environment, version 0.6.3 does return the no symbol section error, but the latest 0.7.5 version works fine.

So, please try again with version 0.7.5

Answer 8 · 2024-03-30T14:33:14.000Z

在你提这个问题时，ecapture 0.7.6还没发布，最新的是0.7.5，刚刚发布了0.7.6，你可以再试试。