skbdump is the tcpdump(8) implemented by eBPF.
skbdump tries to solve following tcpdump(8) issues without losing flexibility of pcap-filter(7):
- tcpdump(8) will be bypassed if a bpf program on a netdev redirects the skb to another netdev;
- tcpdump(8)
-i any
relies on Linux cooked-mode capture (SLL) so the link layer header isn't available; - tcpdump(8) can't capture skb metadata in the
struct __sk_buff
/struct sk_buff
; - tcpdump(8) can't dump traffic on specific kernel functions, e.g.
ip_rcv
;
Please download the latest binary in the releases.
Linux kernel version must be larger than 5.5.
Usage of skbdump:
-i, --interface string interface to capture (default "lo")
-a, --kaddrs string kernel addresses to trace, e.g. "0xffffffffa0272110,0xffffffffa0272118"
-f, --kfuncs string kernel functions to trace, e.g. "ip_rcv,icmp_rcv"
-n, --netns string netns specifier, e.g. "pid:1234", "path:/var/run/netns/foo"
-o, --output-fields string output fields of skb, e.g. "mark,cb"
-w, --pcap-filename string output pcap filename (default "skbdump.pcap")
-s, --skb-filename string output skb filename (default "skbdump.meta")
skbdump -i eth0 port 80 and host 10.10.1.1
skbdump -i eth0 udp or arp
skbdump -i any icmp or icmp6
skbdump -i any ip6 and dst host fd04::18ab
skbdump -i veth 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
skbdump -i veth -f arp_rcv,arp_process 'arp and arp[7] = 1 and arp[24]= 169 and arp[25] = 254 and arp[26] = 0 and arp[27] = 1'
start tracing
1 ffff9b30ec48ad00 in@15(zcv-peer) cb= Ethernet(a2:c4:a3:6b:6f:f8>ff:ff:ff:ff:ff:ff) | ARP(who-has 169.254.0.1 tell 192.168.0.1)
2 ffff9b30ec48ad00 arp_rcv@15(zcv-peer) cb=[28,] Ethernet(a2:c4:a3:6b:6f:f8>ff:ff:ff:ff:ff:ff) | ARP(who-has 169.254.0.1 tell 192.168.0.1)
3 ffff9b30ec48ad00 arp_rcv+r@15(zcv-peer) rv=0 cb= Ethernet(a2:c4:a3:6b:6f:f8>ff:ff:ff:ff:ff:ff) | ARP(who-has 169.254.0.1 tell 192.168.0.1)
- Doesn't support L3 netdev such as wireguard or tun.