ecapture icon indicating copy to clipboard operation
ecapture copied to clipboard
verified publisher icon gojue

Add the common info of the original event to the event_processor for easy direct printing

Open cfc4n opened this issue 7 months ago • 15 comments

Add the common part of the original event to the event_processor for easy direct printing

cfc4n avatar Jun 09 '25 15:06 cfc4n

Are you referring to the various fields defined in IEventStruct, such as:

type BaseEvent struct {
    eventType event.EventType
    DataType  int64
    Timestamp uint64
    Pid       uint32
    Tid       uint32
    Data      [MaxDataSize]byte
    DataLen   int32
    Comm      [16]byte
    Fd        uint32
    Version   int32
}

zenyanle avatar Jun 10 '25 05:06 zenyanle

Yes, it is expected that when processing IEventStruct in the Processor, it can also print this information, rather than just processing Payload().

// imodule.go
m.processor.Write(e)

// iworker.go
ew.payload.Write(e.Payload())

cfc4n avatar Jun 10 '25 15:06 cfc4n

Got it, thanks for clarifying. Is the intention here to print this information primarily for debugging purposes? If that's the case, would you prefer this output to go through a unified logger interface, or is a direct print to standard output (e.g., fmt.Println) acceptable?

zenyanle avatar Jun 10 '25 15:06 zenyanle

The main purpose is to expect that when the received event is processed by the Processor, it can still print the basic information within BaseEvent.

cfc4n avatar Jun 11 '25 14:06 cfc4n

What about adding a LogFields method to IEventStruct interface, the fields of each struct which implements IEventStruct differs

zenyanle avatar Jun 13 '25 04:06 zenyanle

The frequency of event output may be high.I am considering adding a buffer in front of Logger(io writter)

zenyanle avatar Jun 13 '25 08:06 zenyanle

Why is the frequency of log output very high? It should be equivalent to the frequency of ew.payload.Write(e.Payload()).

cfc4n avatar Jun 13 '25 16:06 cfc4n

For ew.payload.Write,This is an in-memory operation.

zenyanle avatar Jun 13 '25 16:06 zenyanle

As we design the eBPF instrumentation for OpenSSL, we should plan for the high frequency of uprobe triggers on functions like SSL_read.

At high network speeds, the call rate can be substantial. This is expected, as it reflects how applications use buffered reads to process data streams. For context, a 100 Mbps transfer can lead to over 3,000 SSL_read calls per second (using a 4 KB buffer). We'll need to factor this call volume into our design to manage the potential performance overhead

zenyanle avatar Jun 13 '25 16:06 zenyanle

In my local environment, which has 100MB bandwidth, a atomic counter triggerd 12442 within 18 seconds

zenyanle avatar Jun 14 '25 03:06 zenyanle

A regular visit to google.com index page using http2 triggerd 26 within 300ms

zenyanle avatar Jun 14 '25 03:06 zenyanle

The readability should be taken into consideration

zenyanle avatar Jun 14 '25 03:06 zenyanle

The entire program's mechanism is based on Hook, and no matter how the Event is handled, it cannot be avoided. Right?

cfc4n avatar Jun 14 '25 07:06 cfc4n

Yes. So, what we need is an asynchronous, buffered approach to prevent ew.payload.Write from being blocked by excessive write operations to stdout.

zenyanle avatar Jun 14 '25 07:06 zenyanle

I think set a rate limit can be a solution, can we accept drop some logs when the frequency is too high? I have an idea to implement that. @cfc4n

zenyanle avatar Jun 14 '25 15:06 zenyanle

@cfc4n Check this demo

zenyanle avatar Jun 16 '25 13:06 zenyanle

Already submitted in https://github.com/gojue/ecapture/pull/814.

cfc4n avatar Aug 14 '25 14:08 cfc4n