On 27 Feb 2025, at 18:23, Adrian Moreno wrote:
> Use pcapng instead of pcap format and store the result, the key (if
> available) and the input port name so they are visible in
> wireshark/tshark.
>
> Signed-off-by: Adrian Moreno <[email protected]>
Some comments minor below.
> ---
> utilities/usdt-scripts/upcall_monitor.py | 53 +++++++++++++++++++-----
> 1 file changed, 42 insertions(+), 11 deletions(-)
>
> diff --git a/utilities/usdt-scripts/upcall_monitor.py
> b/utilities/usdt-scripts/upcall_monitor.py
> index a1adeee0a..77378751f 100755
> --- a/utilities/usdt-scripts/upcall_monitor.py
> +++ b/utilities/usdt-scripts/upcall_monitor.py
> @@ -118,7 +118,12 @@
>
> from bcc import BPF, USDT, USDTException
> from os.path import exists
> -from scapy.all import hexdump, wrpcap
> +try:
> + # Try using pcapng support from scapy >= 2.4.
> + from scapy.all import hexdump, PcapNgWriter
> +except ImportError:
> + from scapy.all import hexdump, wrpcap
> +
> from scapy.layers.l2 import Ether
>
> from usdt_lib import DpPortMapping
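Review bot: The `except ImportError` fallback leaves `PcapNgWriter` undefined, and the write path in the `@@ -383` hunk detects that by catching `NameError` around the whole pcapng block. That handler would also swallow any unrelated `NameError` raised inside the block (a mistyped variable, for instance) and quietly write plain pcap without the comment and interface name, which is easy to miss when the capture is later used as evidence. Setting `PcapNgWriter = None` in the fallback branch and testing `if PcapNgWriter is not None:` at the write site makes the capability check explicit and keeps real errors visible.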
> @@ -282,40 +287,48 @@ int kretprobe__ovs_dp_upcall(struct pt_regs *ctx)
> #endif
> """
>
> +pcap_writer = None
> +
>
> #
> # print_key()
> #
> def print_key(event, decode_dump):
As this is no longer printing a key, I would change it to format_key().
> + lines = []
> if event.key_size < options.flow_key_size:
> key_len = event.key_size
> else:
> key_len = options.flow_key_size
>
> if not key_len:
> - return
> + return []
>
> if options.flow_key_decode != 'none':
> - print(" Flow key size {} bytes, size captured {} bytes.".
> - format(event.key_size, key_len))
> + lines.append(" Flow key size {} bytes, size captured {} bytes.".
> + format(event.key_size, key_len))
>
> if options.flow_key_decode == 'hex':
> #
> # Abuse scapy's hex dump to dump flow key
> #
> - print(re.sub('^', ' ' * 4, hexdump(Ether(bytes(event.key)[:key_len]),
> - dump=True),
> - flags=re.MULTILINE))
> + lines.extend(re.sub('^', ' ' * 4,
> + hexdump(
> + Ether(bytes(event.key)[:key_len]),
> + dump=True),
> + flags=re.MULTILINE).split("\n"))
>
> if options.flow_key_decode == "nlraw":
> - for line in decode_dump:
> - print(line)
> + lines.extend(decode_dump)
> +
> + return lines
>
>
> #
> # print_event()
> #
> def print_event(ctx, data, size):
> + global pcap_writer
> +
> event = b["events"].event(data)
> dp = event.dpif_name.decode("utf-8")
>
> @@ -350,7 +363,9 @@ def print_event(ctx, data, size):
> #
> # Dump flow key information
> #
> - print_key(event, key_dump)
> + key_lines = print_key(event, key_dump)
> + for line in key_lines:
> + print(line)
>
> #
> # Decode packet only if there is data
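Review bot: The return contract of `print_key()` is undocumented now that the function builds a list instead of printing, and its result feeds both stdout and the pcapng comment. A one-line docstring would pin it down, for example `"""Return the flow-key description as a list of text lines; empty when no key bytes were captured or decoding is 'none'."""`. Both empty cases are visible in the hunk: the early `return []` when `key_len` is zero, and the `'none'` setting, under which none of the three `if` branches appends anything.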
> @@ -383,7 +398,23 @@ def print_event(ctx, data, size):
> print(re.sub('^', ' ' * 4, packet.show(dump=True),
> flags=re.MULTILINE))
>
> if options.pcap is not None:
> - wrpcap(options.pcap, packet, append=True,
> snaplen=options.packet_size)
> + try:
> + if pcap_writer is None:
> + pcap_writer = PcapNgWriter(options.pcap)
> +
> + comment = "cpu={} comm={} pid={} upcall_type={} result={}".
> format(
Adding the time stamp here might also be useful to “quickly” see the inter-packet gap.
> + event.cpu, event.comm.decode("utf-8"), event.pid,
> + event.upcall_type, event.result)
> +
> + if options.flow_key_decode != 'none':
> + comment = comment + "\n" + "\n".join(key_lines)
> +
> + packet.comment = comment
> + packet.sniffed_on = "{} ({})".format(port, dp)
> + pcap_writer.write(packet)
> + except NameError: # PcapNgWriter not found
> + wrpcap(options.pcap, packet, append=True,
> + snaplen=options.packet_size)
>
>
> #
> --
> 2.48.1
>
> _______________________________________________
> dev mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
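Review bot: The pcapng path drops two properties of the old `wrpcap(..., append=True, snaplen=options.packet_size)` call: the snap length is no longer passed, and as far as I can tell `PcapNgWriter(options.pcap)` opens the file for writing rather than appending, so an existing capture at that path would be overwritten. Both should be confirmed against scapy and mentioned in the option help if intended. The writer is also created once and never flushed or closed in this hunk, so the last packets may be lost when the script is interrupted; `pcap_writer.flush()` after each write, or an `atexit.register(pcap_writer.close)` right after creating it, would cover that. Separately, `event.comm` is a task name chosen by the originating process, so invalid bytes raise inside the callback and embedded spaces or newlines can blur the `key=value` comment; `event.comm.decode("utf-8", errors="replace")` is the safer form. The body of print_event starts outside the hunk.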
