65 #include "./common/sysdig_types.h"
66 #include "./driver/ppm_events_public.h"
71 #define SCAP_SUCCESS 0
72 #define SCAP_FAILURE 1
73 #define SCAP_TIMEOUT -1
74 #define SCAP_ILLEGAL_INPUT 3
75 #define SCAP_NOTFOUND 4
76 #define SCAP_INPUT_TOO_SMALL 5
78 #define SCAP_UNEXPECTED_BLOCK 7
79 #define SCAP_VERSION_MISMATCH 8
80 #define SCAP_NOT_SUPPORTED 9
85 #define SCAP_LASTERR_SIZE 256
113 #define SCAP_MAX_PATH_SIZE 1024
114 #define SCAP_MAX_ARGS_SIZE 4096
115 #define SCAP_MAX_ENV_SIZE 4096
116 #define SCAP_MAX_CGROUPS_SIZE 4096
117 #define SCAP_MAX_SUPPRESSED_COMMS 32
320 #pragma pack(push, 1)
339 #define SCAP_IPV6_ADDR_LEN 16
427 #define MAX_CREDENTIALS_STR_LEN 256
428 #define USERBLOCK_TYPE_USER 0
429 #define USERBLOCK_TYPE_GROUP 1
532 #define UDIG_RING_SM_FNAME "udig_buf"
533 #define UDIG_RING_DESCS_SM_FNAME "udig_descs"
534 #define UDIG_RING_SIZE (8 * 1024 * 1024)
549 int32_t
udig_alloc_ring(
int* ring_fd, uint8_t** ring, uint32_t *ringsize,
char *error);
1018 #ifdef PPM_ENABLE_SENTINEL
1020 uint32_t scap_event_get_sentinel_begin(
scap_evt* e);
1054 int32_t compr(uint8_t* dest, uint64_t* destlen,
const uint8_t* source, uint64_t sourcelen,
int level);
1068 const struct iovec *
args,
int argscnt,
1069 const struct iovec *envs,
int envscnt,
1071 const struct iovec *
cgroups,
int cgroupscnt,
1078 #ifdef CYGWING_AGENT
1079 typedef struct wh_t wh_t;
1080 wh_t* scap_get_wmi_handle(
scap_t* handle);
uint64_t n_drops_buffer
Number of dropped events caused by full buffer.
uint16_t dport
Destination port.
#define SCAP_MAX_ARGS_SIZE
int32_t scap_enable_tracers_capture(scap_t *handle)
uint64_t start_offset
Used to start reading a capture file from an arbitrary offset. This is leveraged when opening merged ...
int32_t scap_next(scap_t *handle, OUT scap_evt **pevent, OUT uint16_t *pcpuid)
Get the next event from the given capture instance.
bool scap_get_bpf_enabled(scap_t *handle)
struct udig_consumer_t m_consumer
int32_t scap_proc_add(scap_t *handle, uint64_t tid, scap_threadinfo *tinfo)
int32_t scap_get_stats(scap_t *handle, OUT scap_stats *stats)
Return the capture statistics for the given capture handle.
uint32_t dip
Destination IP.
uint16_t sport
Source Port.
uint64_t n_drops_pf
Number of dropped events caused by invalid memory access.
uint32_t scap_get_ndevs(scap_t *handle)
uint64_t n_suppressed
Number of events skipped due to the tid being in a set of suppressed tids.
For backward compatibility only.
uint64_t n_tids_suppressed
Number of threads currently being suppressed.
scap_fd_type type
This file descriptor's type.
UT_hash_handle hh
makes this structure hashable
int32_t scap_get_n_tracepoint_hit(scap_t *handle, long *ret)
scap_t * scap_open_offline(const char *fname, char *error, int32_t *rc)
Start an event capture from file.
char addr[SCAP_IPV6_ADDR_LEN]
Interface address.
uint64_t n_drops_bug
Number of dropped events caused by an invalid condition in the kernel instrumentation.
#define SCAP_IPV6_ADDR_LEN
uint64_t linkspeed
Interface link speed.
uint64_t reserved2
reserved for future use
int32_t scap_stop_dropping_mode(scap_t *handle)
uint64_t ino
For unix sockets, the inode.
char cgroups[SCAP_MAX_CGROUPS_SIZE]
uint64_t sid
The session id of the process containing this thread.
uint32_t dip
Destination IP.
event_direction
Indicates if an event is an enter one or an exit one.
struct scap_fdinfo::@0::@4 ipv6serverinfo
Information specific to IPv6 server sockets, e.g. sockets used for bind().
void scap_proc_free_table(scap_t *handle)
uint64_t ptid
The id of the thread that created this thread.
void scap_refresh_proc_table(scap_t *handle)
char comm[SCAP_MAX_PATH_SIZE+1]
Command name (e.g. "top")
char name[MAX_CREDENTIALS_STR_LEN]
Group name.
uint32_t len
The event total length.
uint32_t nusers
Number of users.
bool scap_is_thread_alive(scap_t *handle, int64_t pid, int64_t tid, const char *comm)
char env[SCAP_MAX_ENV_SIZE+1]
Environment.
char netmask[SCAP_IPV6_ADDR_LEN]
Interface netmask.
const char * scap_getlasterr(scap_t *handle)
Return a string with the last error that happened on the given capture.
Information about a file descriptor.
struct scap_stats scap_stats
Statistics about an in progress capture.
UT_hash_handle hh
makes this structure hashable
volatile int m_capturing_pid
int32_t scap_fd_add(scap_t *handle, scap_threadinfo *tinfo, uint64_t fd, scap_fdinfo *fdinfo)
uint32_t vmswap_kb
swapped memory (as kb)
@ SCAP_II_IPV6_NOLINKSPEED
char cwd[SCAP_MAX_PATH_SIZE+1]
The current working directory.
void scap_free_device_table(scap_t *handle)
char exe[SCAP_MAX_PATH_SIZE+1]
argv0
enum ppm_event_flags flags
uint8_t l4proto
Transport protocol. See scap_l4_proto.
@ SCAP_DF_TRACER
This event is a tracer.
scap_fdinfo * fdlist
The fd table for this process.
uint32_t n_v4_addrs
Number of IPv4 addresses.
uint16_t args_len
Command line arguments length.
uint8_t * scap_get_memorydumper_curpos(scap_dumper_t *d)
struct _scap_machine_info scap_machine_info
Machine information.
uint32_t ngroups
Number of groups.
#define MAX_CREDENTIALS_STR_LEN
scap_t * scap_open_offline_fd(int fd, char *error, int32_t *rc)
Start an event capture from an already opened file descriptor.
enum ppm_event_category category
const char * scap_get_bpf_probe_from_env()
int64_t fdlimit
The maximum number of files this thread is allowed to open.
int32_t scap_disable_dynamic_snaplen(scap_t *handle)
char name[MAX_CREDENTIALS_STR_LEN]
Username.
union scap_fdinfo::@0 info
uint32_t scap_event_get_dump_flags(scap_t *handle)
Return the dump flags for the last event received from this handle.
IPv6 interface address information.
scap_groupinfo * groups
Group list.
uint16_t dport
Destination Port.
uint32_t num_cpus
Number of processors.
Statistics about an in progress capture.
#define SCAP_MAX_PATH_SIZE
uint64_t n_evts
Total number of events that were received by the driver.
uint64_t pfminor
number of minor page faults since start
char ifname[SCAP_MAX_PATH_SIZE]
uint64_t pfmajor
number of major page faults since start
scap_dump_flags
Flags for scap_dump.
uint32_t vmsize_kb
total virtual memory (as kb)
int32_t scap_start_capture(scap_t *handle)
Resume capturing events if capture was stopped with scap_stop_capture.
struct scap_fdinfo::@0::@5 unix_socket_info
Information specific to unix sockets.
uint64_t scap_event_get_ts(scap_evt *e)
Get the timestamp of an event.
int32_t scap_write_proc_fds(scap_t *handle, struct scap_threadinfo *tinfo, scap_dumper_t *d)
void scap_dump_close(scap_dumper_t *d)
Close a trace file.
uint64_t scap_max_buf_used(scap_t *handle)
Returns the maximum amount of memory used by any driver queue.
bool import_users
true if the user list should be created when opening the capture.
int32_t scap_enable_page_faults(scap_t *handle)
compression_mode
Indicates the compression type used when writing a tracefile.
struct scap_ifinfo_ipv6 scap_ifinfo_ipv6
IPv6 interface address information.
void * proc_callback_context
Opaque pointer that will be included in the calls to proc_callback. Ignored if proc_callback is NULL.
void scap_dev_delete(scap_t *handle, scap_mountinfo *dev)
const struct ppm_event_info * scap_event_getinfo(scap_evt *e)
Return the meta-information describing the given event.
bool scap_check_suppressed_tid(scap_t *handle, int64_t tid)
Return whether the provided tid is currently being suppressed.
int64_t scap_get_readfile_offset(scap_t *handle)
Return the current offset in the file opened by scap_open_offline(), or -1 if this is a live capture.
uint64_t scap_ftell(scap_t *handle)
uint64_t n_drops
Number of dropped events.
int32_t udig_alloc_ring(int *ring_fd, uint8_t **ring, uint32_t *ringsize, char *error)
uint64_t destination
Destination socket endpoint.
struct ppm_proclist_info * scap_get_threadlist(scap_t *handle)
Get the process list.
const char * fname
The name of the file to open. NULL for live captures.
uint8_t l4proto
Transport protocol. See scap_l4_proto.
char ifname[SCAP_MAX_PATH_SIZE]
interface name (e.g. "eth0")
scap_addrlist * scap_get_ifaddr_list(scap_t *handle)
Return the list of the user interfaces of the machine from which the events are being captured.
int32_t scap_number_of_bytes_to_write(scap_evt *e, uint16_t cpuid, int32_t *bytes)
Tell how many bytes would be written (a dry run of scap_dump)
int32_t scap_set_eventmask(scap_t *handle, uint32_t event_id)
Set the event into the eventmask so that sysdig-based apps can receive the event. Useful for offloadi...
char args[SCAP_MAX_ARGS_SIZE+1]
Command line arguments (e.g. "-d1")
uint32_t addr
Interface address.
int32_t scap_getpid_global(scap_t *handle, int64_t *pid)
scap_userinfo * users
User list.
@ SCAP_L4_NA
protocol not available, because the fd is not a socket
int32_t scap_write_proclist_header(scap_t *handle, scap_dumper_t *d, uint32_t totlen)
int32_t scap_write_proclist_trailer(scap_t *handle, scap_dumper_t *d, uint32_t totlen)
int32_t scap_enable_dynamic_snaplen(scap_t *handle)
struct scap_threadinfo * scap_proc_alloc(scap_t *handle)
int32_t scap_set_fullcapture_port_range(scap_t *handle, uint16_t range_start, uint16_t range_end)
struct scap_ifinfo_ipv6_nolinkspeed scap_ifinfo_ipv6_nolinkspeed
For backward compatibility only.
struct scap_threadinfo scap_threadinfo
Process information.
struct evt_param_info evt_param_info
Information about the parameter of an event.
proc_entry_callback proc_callback
Callback to be invoked for each thread/fd that is extracted from /proc, or NULL if no callback is nee...
char netmask[SCAP_IPV6_ADDR_LEN]
int32_t scap_unset_eventmask(scap_t *handle, uint32_t event_id)
Remove the event from the eventmask so that sysdig-based apps can no longer receive the event....
int32_t udig_alloc_ring_descriptors(int *ring_descs_fd, struct ppm_ring_buffer_info **ring_info, struct udig_ring_buffer_status **ring_status, char *error)
const char * bpf_probe
The name of the BPF probe to open. If NULL, the kernel driver will be used.
char bcast[SCAP_IPV6_ADDR_LEN]
Interface broadcast address.
int32_t scap_readbuf(scap_t *handle, uint32_t cpuid, OUT char **buf, OUT uint32_t *len)
uint64_t scap_event_get_num(scap_t *handle)
Get the number of events that have been captured from the given capture instance.
@ SCAP_PFORM_WINDOWS_I386
int64_t scap_dump_ftell(scap_dumper_t *d)
Return the position for the next write to a trace file. This uses gztell, while scap_dump_get_offset ...
int32_t loginuid
loginuid (auid)
List of the machine network interfaces.
char exepath[SCAP_MAX_PATH_SIZE+1]
full executable path
struct ppm_ring_buffer_info ppm_ring_buffer_info
void scap_dump_flush(scap_dumper_t *d)
Flush all pending output into the file.
struct scap_dumper scap_dumper_t
char fname[SCAP_MAX_PATH_SIZE]
Name associated to this unix socket.
List of the machine users and groups.
uint64_t scap_get_unexpected_block_readsize(scap_t *handle)
scap_l4_proto
Socket type / transport protocol.
scap_mode_t
Arguments for scap_open.
uint32_t vmrss_kb
resident non-swapped memory (as kb)
uint32_t netmask
Interface netmask.
uint32_t bcast
Interface broadcast address.
uint8_t l4proto
Transport protocol. See scap_l4_proto.
struct scap_fdinfo::@0::@3 ipv4serverinfo
Information specific to IPv4 server sockets, e.g. sockets used for bind().
uint32_t scap_event_getlen(scap_evt *e)
Get the length of an event.
struct scap_ifinfo_ipv4 scap_ifinfo_ipv4
IPv4 interface address information.
struct scap_fdinfo scap_fdinfo
Information about a file descriptor.
uint32_t n_v6_addrs
Number of IPv6 addresses.
char * val
The event data.
uint32_t totsavelen
For internal use.
struct scap_open_args scap_open_args
UT_hash_handle hh
makes this structure hashable
void(* proc_entry_callback)(void *context, scap_t *handle, int64_t tid, scap_threadinfo *tinfo, scap_fdinfo *fdinfo)
uint32_t dev
device number
volatile struct timespec m_last_print_time
int32_t scap_set_snaplen(scap_t *handle, uint32_t snaplen)
Set the capture snaplen, i.e. the maximum size an event parameter can reach before the driver starts ...
uint64_t vpgid
The process group of this thread, as seen from its current pid namespace.
System call description struct.
uint16_t env_len
Environment length.
@ SCAP_II_IPV4_NOLINKSPEED
struct scap_ifinfo_ipv4_nolinkspeed scap_ifinfo_ipv4_nolinkspeed
For backward compatibility only.
void scap_set_refresh_proc_table_when_saving(scap_t *handle, bool refresh)
void udig_free_ring_descriptors(uint8_t *addr)
int64_t fd
The FD number, which uniquely identifies this file descriptor.
struct scap_threadinfo * scap_proc_get(scap_t *handle, int64_t tid, bool scan_sockets)
scap_ifinfo_ipv4 * v4list
List of IPv4 Addresses.
char homedir[SCAP_MAX_PATH_SIZE]
Home directory.
volatile int m_initialized
int32_t scap_set_statsd_port(scap_t *handle, uint16_t port)
struct scap_fdinfo::@0::@6 regularinfo
Information specific to regular files.
uint32_t flags
the process flags.
uint64_t reserved1
reserved for future use
uint64_t mount_id
mount id from /proc/self/mountinfo
uint8_t l4proto
Transport protocol. See scap_l4_proto.
int32_t scap_write_proclist_entry(scap_t *handle, scap_dumper_t *d, struct scap_threadinfo *tinfo, uint32_t len)
const char * scap_get_host_root()
Get the root directory of the system. This usually changes if sysdig runs in a container,...
void scap_refresh_iflist(scap_t *handle)
scap_os_platform
The OS on which the capture was made.
char ifname[SCAP_MAX_PATH_SIZE]
interface name (e.g. "eth0")
struct scap_fdinfo::@0::@2 ipv6info
Information specific to IPv6 sockets.
int filtered_out
nonzero if this entry should not be saved to file
@ SCAP_L4_UNKNOWN
unknown protocol, likely caused by some parsing problem
int32_t scap_write_proclist_entry_bufs(scap_t *handle, scap_dumper_t *d, struct scap_threadinfo *tinfo, uint32_t len, const char *comm, const char *exe, const char *exepath, const struct iovec *args, int argscnt, const struct iovec *envs, int envscnt, const char *cwd, const struct iovec *cgroups, int cgroupscnt, const char *root)
scap_t * scap_open(scap_open_args args, char *error, int32_t *rc)
Advanced function to start a capture.
int32_t scap_clear_eventmask(scap_t *handle)
Clear the event mask: no events will be passed to sysdig.
scap_threadinfo * scap_get_proc_table(scap_t *handle)
Get the process list for the given capture instance.
char hostname[128]
The machine hostname.
Information about the parameter of an event.
struct scap_addrlist scap_addrlist
List of the machine network interfaces.
Information about one of the machine users.
uint64_t tid
The thread/task id.
struct scap_userinfo scap_userinfo
Information about one of the machine users.
char ifname[SCAP_MAX_PATH_SIZE]
#define SCAP_MAX_CGROUPS_SIZE
uint64_t memory_size_bytes
Physical memory size.
scap_t * scap_open_live(char *error, int32_t *rc)
Start a live event capture.
uint16_t type
Interface type.
struct scap_groupinfo scap_groupinfo
Information about one of the machine user groups.
int64_t scap_dump_get_offset(scap_dumper_t *d)
Return the current size of a trace file.
scap_ifinfo_type
Interface address type.
uint64_t linkspeed
Interface link speed.
struct scap_userlist scap_userlist
List of the machine users and groups.
uint32_t dev
Major/minor number of the device containing this file.
void scap_event_reset_count(scap_t *handle)
Reset the event count to 0.
uint32_t totlen
For internal use.
uint16_t sport
Source port.
#define SCAP_MAX_ENV_SIZE
char bcast[SCAP_IPV6_ADDR_LEN]
int32_t scap_stop_capture(scap_t *handle)
This function can be used to temporarily interrupt event capture.
uint32_t type
The event type. See the ppm_event_type enum in driver/ppm_events_public.h.
scap_dumper_t * scap_dump_open(scap_t *handle, const char *fname, compression_mode compress, bool skip_proc_scan)
Open a trace file for writing.
uint64_t max_pid
Highest PID number on this machine.
scap_ifinfo_ipv6 * v6list
List of IPv6 Addresses.
scap_fd_type
File Descriptor type.
IPv4 interface address information.
char shell[SCAP_MAX_PATH_SIZE]
Shell program.
uint64_t n_preemptions
Number of preemptions.
uint64_t reserved4
reserved for future use
int32_t scap_enable_simpledriver_mode(scap_t *handle)
uint32_t mount_id
The id of the vfs mount the file is in until we find dev major:minor.
scap_userlist * scap_get_user_list(scap_t *handle)
Return the machine user and group lists.
Information about one of the machine user groups.
int32_t scap_dump(scap_t *handle, scap_dumper_t *d, scap_evt *e, uint16_t cpuid, uint32_t flags)
Write an event to a trace file.
const char * suppressed_comms[SCAP_MAX_SUPPRESSED_COMMS]
A list of processes (comm) for which no.
const struct ppm_syscall_desc * scap_get_syscall_info_table()
Retrieve the table with the description of system call that the capture driver supports.
const scap_machine_info * scap_get_machine_info(scap_t *handle)
Get generic machine information.
uint64_t reserved3
reserved for future use
bool udig
If true, UDIG will be used for event capture. Otherwise, the kernel driver will be used.
struct scap_fdinfo::@0::@1 ipv4info
Information specific to IPv4 sockets.
scap_dumper_t * scap_dump_open_fd(scap_t *handle, int fd, compression_mode compress, bool skip_proc_scan)
Open a trace file for writing, using the provided fd.
struct ppm_evt_hdr scap_evt
#define SCAP_MAX_SUPPRESSED_COMMS
char root[SCAP_MAX_PATH_SIZE+1]
For backward compatibility only.
void udig_free_ring(uint8_t *addr, uint32_t size)
const struct ppm_event_info * scap_get_event_info_table()
Retrieve the table with the description of every event type that the capture driver supports.
uint32_t open_flags
Flags associated with the file.
void scap_fseek(scap_t *handle, uint64_t off)
int32_t scap_start_dropping_mode(scap_t *handle, uint32_t sampling_ratio)
volatile uint64_t m_buffer_lock
char addr[SCAP_IPV6_ADDR_LEN]
uint64_t source
Source socket endpoint.
scap_dumper_t * scap_memory_dump_open(scap_t *handle, uint8_t *targetbuf, uint64_t targetbufsize)
uint64_t pid
The id of the process containing this thread. In single thread processes, this is equal to tid.
void scap_close(scap_t *handle)
Close a capture handle.
void scap_proc_free(scap_t *handle, struct scap_threadinfo *procinfo)
scap_os_platform scap_get_os_platform(scap_t *handle)
Retrieve the OS platform for the given capture handle.
int32_t scap_suppress_events_comm(scap_t *handle, const char *comm)
Stop returning events for all subsequently spawned processes with the provided comm,...
const char * name
The event name.