Comments (9)
@cfc4n , I am investigating the issue. I will keep you updated.
from ecapture.
Indeed, as you said, eCapture occupies a relatively large amount of memory.
BufferSizeOfEbpfMap
= 40M : this is to prevent tls events from being lost. Many times, when network traffic is particularly high, it is easy to fill up the ebpf map.- per CPU : per CPU type maps have better concurrency safety to avoid errors caused by data write order.
- 3 modules : This is indeed an area that can be optimized.
Currently, eCapture supports three libraries: openssl\nss\nspr; however, openssl has the highest usage and supports the most mature library compared to the other two which are more niche.
I plan to default close those two modules or create a new subcommand for separate support. Do you have any better ideas?
from ecapture.
Regarding BufferSizeOfEbpfMap
this is to prevent tls events from being lost
I agree with this, but I think setting it to 40M
by default is not a good idea.
I checked the tetragon implementation, I noticed following things;
So, I think we should do similar things,
- Reduce the default size.
- Make it configurable using a flag, so that end-user can adjust it as per need.
How are your thoughts on this ?
Regarding per CPU types map performance
I am having a little doubt about the performance of per-cpu-buffers
Give a read to: https://nakryiko.com/posts/bpf-ringbuf
I plan to default close those two modules or create a new subcommand for separate support
Disabling unnecessary modules by default seems good idea
fyi @cfc4n
from ecapture.
Thank you for your suggestion.
from ecapture.
I will submit another PR for the custom mapSize
flag tomorrow . @h0x0er
good night.
from ecapture.
This calculation is inaccurate. It's best to only look at the resource usage of eCapture.
For example, top -p $ECAPTURE_PID
.
from ecapture.
Following are some details
- While creating perf buffer, notice the size of
perCpuBuffer
perCpuBuffer := os.Getpagesize() * BufferSizeOfEbpfMap
ecapture/user/module/imodule.go
Lines 192 to 194 in db7e37a
-
BufferSizeofEbpfMap is declared as
ecapture/user/module/const_linux.go
Lines 6 to 8 in db7e37a
-
Inside
perf.NewReader()
, buffer of perCPUBuffer size is allocated for each CPU by callingnewPerfEventRing()
- Per CPU Memory allocation inside
newPerfEventRing()
from line 45-49
https://github.com/cilium/ebpf/blob/f0d238d1934f15fe8c5ef8755337be11bbc114e9/perf/ring.go#L25-L49
Calculations
For my machine
- os.Getpagesize() = 4096 (bytes)
- BufferSizeOfEbpfMap = 10240 (bytes)
- perCpuBuffer = os.Getpagesize() * BufferSizeOfEbpfMap = 41943040 (bytes) = 40 MB
- Total CPUs = 8
- Memory Allocated for 1 module = 40 * 8 = 320 MB
- In case of
ecapture tls
3 modules are initialised ,
therefore Memory allocated forecapture tls
= 3 * 320 = 960 MB
Almost 1GB of RAM
fyi @cfc4n
from ecapture.
Thanks @cfc4n . Good Night 🌃
from ecapture.
fixed at #435
Terminal 1
sudo free -m
[sudo] password for cfc4n:
total used free shared buff/cache available
Mem: 3876 477 277 1 3121 3106
Swap: 3893 0 3893
#### exec ecapture at other terminal.
sudo free -m
total used free shared buff/cache available
Mem: 3876 513 240 1 3121 3069
Swap: 3893 0 3893
Terminal 2
sudo bin/ecapture tls
and , openssl module create 3 ebpf maps.
{
Name: "tls_events",
},
{
Name: "connect_events",
},
{
Name: "mastersecret_events",
},
- mapSizePerCPU = 5M
- 2 CPUS
- 3 eBPF maps
all eBPF maps used memory = 2 * 5 * 3 = 30MB.
now, eCapture used memory (include ebpf maps) = 513-477 ≈ 277-240 ≈ 36M .
As expected.
from ecapture.
Related Issues (20)
- gotls 捕获golang程序,不能写pcapfile文件,不能看到响应的内容 HOT 4
- Not working with redroid HOT 13
- windows也有ebpf,是否兼容适配? HOT 1
- 鸿蒙4.0支持分析https内容不 HOT 3
- 关于在pcap模式中tc层skb_data payload数据传输的问题 HOT 3
- eCapture run failed, error log: invalid memory address or nil pointer dereference HOT 3
- Build 2 Android Arm64 HOT 1
- ssh加解密教程 HOT 4
- gotls 访问百度,https 包无法获取、只能截取 http 包 HOT 2
- 加解密模式对性能的影响是多少 HOT 2
- tls 模式,app抓包解密失败 HOT 1
- error: couldn't start bootstrap manager error HOT 3
- TLS 模式下,对被检测程序的性能影响。 HOT 9
- The SSL structure in openssl 3.2.0 has been modified HOT 4
- PCAP mode can only decrypt partial HTTPS traffic, not all of it HOT 8
- fatal error: concurrent map read and map write HOT 1
- 这是我姿势不对么?最新版本的总提示No runnable modules, Exit(1) HOT 2
- tls子命令可否支持ip过滤 HOT 6
- archlinux不存在/boot/config-`uname -r`文件,导致启动程序时报错 HOT 6
- I am new. How to use software? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ecapture.