操作系统:Ubuntu 20.10
去 GitHub Releases 页面(iovisor/bpftrace 官方仓库),下载相应版本的 bpftrace,本文使用的版本是 v0.19.1。注意这个二进制文件之后会以 root 身份运行:下载后先确认它确实来自官方 release(若 release 提供了校验和,用 sha256sum 比对),再赋予执行权限。
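# -f: fail on HTTP errors instead of silently saving an error page as "bpftrace"
#     (which the chmod below would then make executable);
# -L: follow GitHub's redirect to the release asset.
# Do NOT use --location-trusted here: it additionally forwards any credentials
# to whatever host the redirect points at, which an anonymous release download
# never needs.
curl -fL -O https://github.com/iovisor/bpftrace/releases/download/v0.19.1/bpftrace
# This binary will be run as root: verify it first (e.g. compare `sha256sum bpftrace`
# against a checksum published for the release, if one is provided).
chmod a+x bpftrace
./bpftrace -h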
安装 bpftool(linux-tools 包必须与当前正在运行的内核版本一致,因此下面用 `uname -r` 取得版本号):
# The linux-tools package has to match the running kernel, hence $(uname -r).
apt install -y "linux-tools-$(uname -r)"
# Sanity check: bpftool should now be on PATH.
bpftool version
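// The probe path must name the libssl the *target* process actually maps
// (check /proc/<pid>/maps or `ldd`); a probe on a library the process never
// loads simply produces no output.  Everything this script prints is decrypted
// application data (possibly credentials or session tokens), so treat its
// output as sensitive and keep it out of shared logs.

uprobe:/usr/local/lib/libssl.so:SSL_write
{
	// arg1 is the caller's plaintext buffer; the caller owns it, so it is still
	// readable when the uretprobe below runs.
	@write_buf[tid] = arg1;
	// Flag the thread at *entry*: SSL_write normally hands the TLS record to the
	// socket (tcp_sendmsg) before it returns.  Setting this flag only in the
	// uretprobe, as the original did, is too late -- that call's tcp_sendmsg has
	// already run, so the "send:" line ended up attached to the *next*
	// tcp_sendmsg on this thread instead of this write.
	@write_sock[tid] = true;
}

uretprobe:/usr/local/lib/libssl.so:SSL_write
/@write_buf[tid]/
{
	$buf = @write_buf[tid];
	$len = (int32)retval;   // bytes written, or <= 0 on error / WANT_*
	// Always clear the per-thread state, including on the early-return path
	// (the original leaked @write_buf[tid] when $len <= 0).  @write_sock is also
	// cleared by the kprobe; clearing it here covers calls that never reached
	// the socket, so the flag cannot go stale.
	delete(@write_buf[tid]);
	delete(@write_sock[tid]);
	if ($len <= 0) {
		return;
	}
	$i = 0;
	$consumed = 0;
	printf("write[%d] starting\n", $len);
	// buf() reads at most 64 bytes per call, so walk the buffer in 64-byte
	// chunks.  The loop bound caps output at 501 * 64 bytes; anything beyond
	// that is reported as truncated below instead of being silently dropped.
	while ($i <= 500) {
		$i += 1;
		if ($len - $consumed > 64) {
			printf("%r\n", buf($buf, 64));
			$buf += (uint64)64;
			$consumed += 64;
		} else {
			$remaining = $len - $consumed;
			printf("%r\n", buf($buf, $remaining));
			$consumed = $len;
			break;
		}
	}
	if ($consumed < $len) {
		printf("write[%d] truncated after %d bytes\n", $len, $consumed);
	}
	printf("write[%d] ending\n", $len);
}

// Fires inside SSL_write (the socket write it issues), i.e. before the
// uretprobe above, so the "send:" line is printed *before* the matching
// "write[N] starting" block.  Only the first tcp_sendmsg of a call is reported
// because the flag is cleared on the first hit.
kprobe:tcp_sendmsg
/@write_sock[tid]/
{
	$sk = (struct sock *)arg0;
	$lport = $sk->__sk_common.skc_num;     // already host byte order
	$dport = $sk->__sk_common.skc_dport;   // __be16: needs a byte swap
	$dport = bswap($dport);
	// Give both variables an inet value before branching so they have a single
	// type regardless of which branch assigns them.
	$saddr = ntop(0);
	$daddr = ntop(0);
	$family = $sk->__sk_common.skc_family;
	if ($family == AF_INET) {
		$saddr = ntop(AF_INET, $sk->__sk_common.skc_rcv_saddr);
		$daddr = ntop(AF_INET, $sk->__sk_common.skc_daddr);
	} else {
		// AF_INET6 (any other family would also land here)
		$saddr = ntop(AF_INET6,
			$sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);
		$daddr = ntop(AF_INET6,
			$sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);
	}
	printf("send: %-15s %-5d %-15s %-6d\n", $saddr, $lport, $daddr, $dport);
	delete(@write_sock[tid]);
}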
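// Same caveats as for SSL_write: the path must be the libssl the target
// process maps, and the output is decrypted application data -- handle it as
// sensitive.

uprobe:/usr/local/lib/libssl.so:SSL_read
{
	// arg1 is the caller's destination buffer.  It is only filled in once
	// SSL_read returns, which is why the contents are dumped in the uretprobe.
	@read_buf[tid] = arg1;
	// Flag the thread at *entry*: the socket read (tcp_recvmsg) happens inside
	// SSL_read, before it returns.  Setting the flag in the uretprobe, as the
	// original did, attached the "recv:" line to the *next* tcp_recvmsg on the
	// thread rather than to this read.
	@read_sock[tid] = true;
}

uretprobe:/usr/local/lib/libssl.so:SSL_read
/@read_buf[tid]/
{
	$buf = @read_buf[tid];
	$len = (int32)retval;   // bytes read, or <= 0 on error / WANT_*
	// Clear per-thread state on every path (the original leaked @read_buf[tid]
	// when $len <= 0).  @read_sock is also cleared by the kprobe; clearing it
	// here covers calls that returned without reaching the socket.
	delete(@read_buf[tid]);
	delete(@read_sock[tid]);
	if ($len <= 0) {
		return;
	}
	$i = 0;
	$consumed = 0;
	printf("read[%d] starting\n", $len);
	// 64-byte chunks (buf() limit); the loop bound caps output at 501 * 64
	// bytes and larger reads are flagged as truncated below.
	while ($i <= 500) {
		$i += 1;
		if ($len - $consumed > 64) {
			printf("%r\n", buf($buf, 64));
			$buf += (uint64)64;
			$consumed += 64;
		} else {
			$remaining = $len - $consumed;
			printf("%r\n", buf($buf, $remaining));
			$consumed = $len;
			break;
		}
	}
	if ($consumed < $len) {
		printf("read[%d] truncated after %d bytes\n", $len, $consumed);
	}
	printf("read[%d] ending\n", $len);
}

// Fires inside SSL_read, before the uretprobe above, so "recv:" appears before
// the matching "read[N] starting" block.  It is emitted when the receive path
// is *entered*, so a call that ends up returning no data (e.g. a non-blocking
// socket reporting WANT_READ) may still produce a "recv:" line without a
// following payload dump.
kprobe:tcp_recvmsg
/@read_sock[tid]/
{
	$sk = (struct sock *)arg0;
	$lport = $sk->__sk_common.skc_num;     // already host byte order
	$dport = $sk->__sk_common.skc_dport;   // __be16: needs a byte swap
	$dport = bswap($dport);
	// Give both variables an inet value before branching so they have a single
	// type regardless of which branch assigns them.
	$saddr = ntop(0);
	$daddr = ntop(0);
	$family = $sk->__sk_common.skc_family;
	if ($family == AF_INET) {
		$saddr = ntop(AF_INET, $sk->__sk_common.skc_rcv_saddr);
		$daddr = ntop(AF_INET, $sk->__sk_common.skc_daddr);
	} else {
		// AF_INET6 (any other family would also land here)
		$saddr = ntop(AF_INET6,
			$sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);
		$daddr = ntop(AF_INET6,
			$sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);
	}
	printf("recv: %-15s %-5d %-15s %-6d\n", $saddr, $lport, $daddr, $dport);
	delete(@read_sock[tid]);
}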