scap.h File Reference
#include <time.h>
#include "uthash.h"
#include "./common/sysdig_types.h"
#include "./driver/ppm_events_public.h"


Data Structures

struct  scap_stats
 Statistics about an in-progress capture. More...
 
struct  evt_param_info
 Information about the parameter of an event. More...
 
struct  scap_fdinfo
 Information about a file descriptor. More...
 
struct  scap_threadinfo
 Process information. More...
 
struct  scap_mountinfo
 Mount information. More...
 
struct  scap_open_args
 
struct  _scap_machine_info
 Machine information. More...
 
struct  scap_ifinfo_ipv4
 IPv4 interface address information. More...
 
struct  scap_ifinfo_ipv4_nolinkspeed
 For backward compatibility only. More...
 
struct  scap_ifinfo_ipv6
 IPv6 interface address information. More...
 
struct  scap_ifinfo_ipv6_nolinkspeed
 For backward compatibility only. More...
 
struct  scap_addrlist
 List of the machine network interfaces. More...
 
struct  scap_userinfo
 Information about one of the machine users. More...
 
struct  scap_groupinfo
 Information about one of the machine user groups. More...
 
struct  scap_userlist
 List of the machine users and groups. More...
 
struct  ppm_syscall_desc
 System call description struct. More...
 
struct  udig_ring_buffer_status
 

Macros

#define SCAP_SUCCESS   0
 
#define SCAP_FAILURE   1
 
#define SCAP_TIMEOUT   -1
 
#define SCAP_ILLEGAL_INPUT   3
 
#define SCAP_NOTFOUND   4
 
#define SCAP_INPUT_TOO_SMALL   5
 
#define SCAP_EOF   6
 
#define SCAP_UNEXPECTED_BLOCK   7
 
#define SCAP_VERSION_MISMATCH   8
 
#define SCAP_NOT_SUPPORTED   9
 
#define SCAP_LASTERR_SIZE   256
 
#define SCAP_MAX_PATH_SIZE   1024
 
#define SCAP_MAX_ARGS_SIZE   4096
 
#define SCAP_MAX_ENV_SIZE   4096
 
#define SCAP_MAX_CGROUPS_SIZE   4096
 
#define SCAP_MAX_SUPPRESSED_COMMS   32
 
#define SCAP_IPV6_ADDR_LEN   16
 
#define MAX_CREDENTIALS_STR_LEN   256
 
#define USERBLOCK_TYPE_USER   0
 
#define USERBLOCK_TYPE_GROUP   1
 
#define IN
 
#define OUT
 
#define UDIG_RING_SM_FNAME   "udig_buf"
 
#define UDIG_RING_DESCS_SM_FNAME   "udig_descs"
 
#define UDIG_RING_SIZE   (8 * 1024 * 1024)
 

Typedefs

typedef struct scap scap_t
 
typedef struct ppm_evt_hdr scap_evt
 
typedef struct scap_stats scap_stats
 Statistics about an in-progress capture. More...
 
typedef struct evt_param_info evt_param_info
 Information about the parameter of an event. More...
 
typedef enum scap_fd_type scap_fd_type
 File Descriptor type. More...
 
typedef enum scap_l4_proto scap_l4_proto
 Socket type / transport protocol. More...
 
typedef struct scap_fdinfo scap_fdinfo
 Information about a file descriptor. More...
 
typedef struct scap_threadinfo scap_threadinfo
 Process information. More...
 
typedef void(* proc_entry_callback) (void *context, scap_t *handle, int64_t tid, scap_threadinfo *tinfo, scap_fdinfo *fdinfo)
 
typedef struct scap_open_args scap_open_args
 
typedef struct _scap_machine_info scap_machine_info
 Machine information. More...
 
typedef enum scap_ifinfo_type scap_ifinfo_type
 Interface address type. More...
 
typedef struct scap_ifinfo_ipv4 scap_ifinfo_ipv4
 IPv4 interface address information. More...
 
typedef struct scap_ifinfo_ipv4_nolinkspeed scap_ifinfo_ipv4_nolinkspeed
 For backward compatibility only. More...
 
typedef struct scap_ifinfo_ipv6 scap_ifinfo_ipv6
 IPv6 interface address information. More...
 
typedef struct scap_ifinfo_ipv6_nolinkspeed scap_ifinfo_ipv6_nolinkspeed
 For backward compatibility only. More...
 
typedef struct scap_addrlist scap_addrlist
 List of the machine network interfaces. More...
 
typedef struct scap_userinfo scap_userinfo
 Information about one of the machine users. More...
 
typedef struct scap_groupinfo scap_groupinfo
 Information about one of the machine user groups. More...
 
typedef struct scap_userlist scap_userlist
 List of the machine users and groups. More...
 
typedef enum scap_os_platform scap_os_platform
 The OS on which the capture was made. More...
 
typedef enum event_direction event_direction
 Indicates if an event is an enter one or an exit one. More...
 
typedef enum compression_mode compression_mode
 Indicates the compression type used when writing a tracefile. More...
 
typedef enum scap_dump_flags scap_dump_flags
 Flags for scap_dump. More...
 
typedef struct scap_dumper scap_dumper_t
 
typedef struct ppm_ring_buffer_info ppm_ring_buffer_info
 

Enumerations

enum  scap_fd_type {
  SCAP_FD_UNINITIALIZED = -1, SCAP_FD_UNKNOWN = 0, SCAP_FD_FILE = 1, SCAP_FD_DIRECTORY = 2,
  SCAP_FD_IPV4_SOCK = 3, SCAP_FD_IPV6_SOCK = 4, SCAP_FD_IPV4_SERVSOCK = 5, SCAP_FD_IPV6_SERVSOCK = 6,
  SCAP_FD_FIFO = 7, SCAP_FD_UNIX_SOCK = 8, SCAP_FD_EVENT = 9, SCAP_FD_UNSUPPORTED = 10,
  SCAP_FD_SIGNALFD = 11, SCAP_FD_EVENTPOLL = 12, SCAP_FD_INOTIFY = 13, SCAP_FD_TIMERFD = 14,
  SCAP_FD_NETLINK = 15, SCAP_FD_FILE_V2 = 16
}
 File Descriptor type. More...
 
enum  scap_l4_proto {
  SCAP_L4_UNKNOWN = 0, SCAP_L4_NA = 1, SCAP_L4_TCP = 2, SCAP_L4_UDP = 3,
  SCAP_L4_ICMP = 4, SCAP_L4_RAW = 5
}
 Socket type / transport protocol. More...
 
enum  scap_mode_t { SCAP_MODE_NONE = 0, SCAP_MODE_CAPTURE, SCAP_MODE_LIVE, SCAP_MODE_NODRIVER }
 Arguments for scap_open. More...
 
enum  scap_ifinfo_type {
  SCAP_II_UNKNOWN = 0, SCAP_II_IPV4 = 1, SCAP_II_IPV6 = 2, SCAP_II_IPV4_NOLINKSPEED = 3,
  SCAP_II_IPV6_NOLINKSPEED = 4
}
 Interface address type. More...
 
enum  scap_os_platform {
  SCAP_PFORM_UNKNOWN = 0, SCAP_PFORM_LINUX_I386 = 1, SCAP_PFORM_LINUX_X64 = 2, SCAP_PFORM_WINDOWS_I386 = 3,
  SCAP_PFORM_WINDOWS_X64 = 4
}
 The OS on which the capture was made. More...
 
enum  event_direction { SCAP_ED_IN = 0, SCAP_ED_OUT = 1 }
 Indicates if an event is an enter one or an exit one. More...
 
enum  compression_mode { SCAP_COMPRESSION_NONE = 0, SCAP_COMPRESSION_GZIP = 1 }
 Indicates the compression type used when writing a tracefile. More...
 
enum  scap_dump_flags { SCAP_DF_NONE = 0, SCAP_DF_STATE_ONLY = 1, SCAP_DF_TRACER = (1 << 1) }
 Flags for scap_dump. More...
 

Functions

int32_t udig_alloc_ring (int *ring_fd, uint8_t **ring, uint32_t *ringsize, char *error)
 
int32_t udig_alloc_ring_descriptors (int *ring_descs_fd, struct ppm_ring_buffer_info **ring_info, struct udig_ring_buffer_status **ring_status, char *error)
 
void udig_free_ring (uint8_t *addr, uint32_t size)
 
void udig_free_ring_descriptors (uint8_t *addr)
 
scap_t * scap_open_live (char *error, int32_t *rc)
 Start a live event capture. More...
 
scap_t * scap_open_offline (const char *fname, char *error, int32_t *rc)
 Start an event capture from file. More...
 
scap_t * scap_open_offline_fd (int fd, char *error, int32_t *rc)
 Start an event capture from an already opened file descriptor. More...
 
scap_t * scap_open (scap_open_args args, char *error, int32_t *rc)
 Advanced function to start a capture. More...
 
void scap_close (scap_t *handle)
 Close a capture handle. More...
 
scap_os_platform scap_get_os_platform (scap_t *handle)
 Retrieve the OS platform for the given capture handle. More...
 
const char * scap_getlasterr (scap_t *handle)
 Return a string with the last error that happened on the given capture. More...
 
uint64_t scap_max_buf_used (scap_t *handle)
 Returns the maximum amount of memory used by any driver queue. More...
 
int32_t scap_next (scap_t *handle, OUT scap_evt **pevent, OUT uint16_t *pcpuid)
 Get the next event from the given capture instance. More...
 
uint32_t scap_event_getlen (scap_evt *e)
 Get the length of an event. More...
 
uint64_t scap_event_get_ts (scap_evt *e)
 Get the timestamp of an event. More...
 
uint64_t scap_event_get_num (scap_t *handle)
 Get the number of events that have been captured from the given capture instance. More...
 
void scap_event_reset_count (scap_t *handle)
 Reset the event count to 0. More...
 
const struct ppm_event_info * scap_event_getinfo (scap_evt *e)
 Return the meta-information describing the given event. More...
 
uint32_t scap_event_get_dump_flags (scap_t *handle)
 Return the dump flags for the last event received from this handle. More...
 
int64_t scap_get_readfile_offset (scap_t *handle)
 Return the current offset in the file opened by scap_open_offline(), or -1 if this is a live capture. More...
 
scap_dumper_t * scap_dump_open (scap_t *handle, const char *fname, compression_mode compress, bool skip_proc_scan)
 Open a trace file for writing. More...
 
scap_dumper_t * scap_dump_open_fd (scap_t *handle, int fd, compression_mode compress, bool skip_proc_scan)
 Open a trace file for writing, using the provided fd. More...
 
void scap_dump_close (scap_dumper_t *d)
 Close a trace file. More...
 
int64_t scap_dump_get_offset (scap_dumper_t *d)
 Return the current size of a trace file. More...
 
int64_t scap_dump_ftell (scap_dumper_t *d)
 Return the position for the next write to a trace file. This uses gztell, while scap_dump_get_offset uses gzoffset. More...
 
void scap_dump_flush (scap_dumper_t *d)
 Flush all pending output into the file. More...
 
int32_t scap_number_of_bytes_to_write (scap_evt *e, uint16_t cpuid, int32_t *bytes)
 Tell how many bytes would be written (a dry run of scap_dump). More...
 
int32_t scap_dump (scap_t *handle, scap_dumper_t *d, scap_evt *e, uint16_t cpuid, uint32_t flags)
 Write an event to a trace file. More...
 
scap_threadinfo * scap_get_proc_table (scap_t *handle)
 Get the process list for the given capture instance. More...
 
int32_t scap_get_stats (scap_t *handle, OUT scap_stats *stats)
 Return the capture statistics for the given capture handle. More...
 
int32_t scap_stop_capture (scap_t *handle)
 This function can be used to temporarily interrupt event capture. More...
 
int32_t scap_start_capture (scap_t *handle)
 Start capturing events again, if capture was stopped with scap_stop_capture. More...
 
scap_addrlist * scap_get_ifaddr_list (scap_t *handle)
 Return the list of the network interfaces of the machine from which the events are being captured. More...
 
scap_userlist * scap_get_user_list (scap_t *handle)
 Return the machine user and group lists. More...
 
const struct ppm_event_info * scap_get_event_info_table ()
 Retrieve the table with the description of every event type that the capture driver supports. More...
 
const struct ppm_syscall_desc * scap_get_syscall_info_table ()
 Retrieve the table with the description of every system call that the capture driver supports. More...
 
const scap_machine_info * scap_get_machine_info (scap_t *handle)
 Get generic machine information. More...
 
int32_t scap_set_snaplen (scap_t *handle, uint32_t snaplen)
 Set the capture snaplen, i.e. the maximum size an event parameter can reach before the driver starts truncating it. More...
 
int32_t scap_clear_eventmask (scap_t *handle)
 Clear the event mask: no events will be passed to sysdig. More...
 
int32_t scap_set_eventmask (scap_t *handle, uint32_t event_id)
 Add the event to the eventmask so that sysdig-based apps can receive the event. Useful for offloading operations such as evt.type=open. More...
 
int32_t scap_unset_eventmask (scap_t *handle, uint32_t event_id)
 Remove the event from the eventmask so that sysdig-based apps no longer receive the event. It is the opposite of scap_set_eventmask. More...
 
const char * scap_get_host_root ()
 Get the root directory of the system. This usually changes if sysdig runs in a container, so that all the information for the host can be correctly extracted. More...
 
struct ppm_proclist_info * scap_get_threadlist (scap_t *handle)
 Get the process list. More...
 
const char * scap_get_bpf_probe_from_env ()
 
bool scap_get_bpf_enabled (scap_t *handle)
 
int32_t scap_suppress_events_comm (scap_t *handle, const char *comm)
 Stop returning events for all subsequently spawned processes with the provided comm, as well as their children. This includes fork()/clone()ed processes that might later exec to a different comm. More...
 
bool scap_check_suppressed_tid (scap_t *handle, int64_t tid)
 Return whether the provided tid is currently being suppressed. More...
 
uint32_t scap_get_ndevs (scap_t *handle)
 
int32_t scap_readbuf (scap_t *handle, uint32_t cpuid, OUT char **buf, OUT uint32_t *len)
 
struct scap_threadinfo * scap_proc_get (scap_t *handle, int64_t tid, bool scan_sockets)
 
bool scap_is_thread_alive (scap_t *handle, int64_t pid, int64_t tid, const char *comm)
 
int32_t scap_getpid_global (scap_t *handle, int64_t *pid)
 
struct scap_threadinfo * scap_proc_alloc (scap_t *handle)
 
void scap_proc_free (scap_t *handle, struct scap_threadinfo *procinfo)
 
void scap_dev_delete (scap_t *handle, scap_mountinfo *dev)
 
int32_t scap_stop_dropping_mode (scap_t *handle)
 
int32_t scap_start_dropping_mode (scap_t *handle, uint32_t sampling_ratio)
 
int32_t scap_enable_dynamic_snaplen (scap_t *handle)
 
int32_t scap_disable_dynamic_snaplen (scap_t *handle)
 
void scap_proc_free_table (scap_t *handle)
 
void scap_free_device_table (scap_t *handle)
 
void scap_refresh_iflist (scap_t *handle)
 
void scap_refresh_proc_table (scap_t *handle)
 
void scap_set_refresh_proc_table_when_saving (scap_t *handle, bool refresh)
 
uint64_t scap_ftell (scap_t *handle)
 
void scap_fseek (scap_t *handle, uint64_t off)
 
int32_t scap_enable_tracers_capture (scap_t *handle)
 
int32_t scap_enable_page_faults (scap_t *handle)
 
uint64_t scap_get_unexpected_block_readsize (scap_t *handle)
 
int32_t scap_proc_add (scap_t *handle, uint64_t tid, scap_threadinfo *tinfo)
 
int32_t scap_fd_add (scap_t *handle, scap_threadinfo *tinfo, uint64_t fd, scap_fdinfo *fdinfo)
 
scap_dumper_t * scap_memory_dump_open (scap_t *handle, uint8_t *targetbuf, uint64_t targetbufsize)
 
uint8_t * scap_get_memorydumper_curpos (scap_dumper_t *d)
 
int32_t scap_write_proc_fds (scap_t *handle, struct scap_threadinfo *tinfo, scap_dumper_t *d)
 
int32_t scap_write_proclist_header (scap_t *handle, scap_dumper_t *d, uint32_t totlen)
 
int32_t scap_write_proclist_trailer (scap_t *handle, scap_dumper_t *d, uint32_t totlen)
 
int32_t scap_write_proclist_entry (scap_t *handle, scap_dumper_t *d, struct scap_threadinfo *tinfo, uint32_t len)
 
int32_t scap_write_proclist_entry_bufs (scap_t *handle, scap_dumper_t *d, struct scap_threadinfo *tinfo, uint32_t len, const char *comm, const char *exe, const char *exepath, const struct iovec *args, int argscnt, const struct iovec *envs, int envscnt, const char *cwd, const struct iovec *cgroups, int cgroupscnt, const char *root)
 
int32_t scap_enable_simpledriver_mode (scap_t *handle)
 
int32_t scap_get_n_tracepoint_hit (scap_t *handle, long *ret)
 
int32_t scap_set_fullcapture_port_range (scap_t *handle, uint16_t range_start, uint16_t range_end)
 
int32_t scap_set_statsd_port (scap_t *handle, uint16_t port)