Network probe manager
Network probe manager tracks incoming and outgoing network packets in a
system (packet information as interpret by the bpf
module in AIX®). Probe specification allows the user to specify Berkeley Packet Filter
(BPF) filters, similar to tcpdump filter expression for granular tracking.
You can use built-in variables to collect packet header and payload information for Internet protocols. For example, Ethernet, Internet Protocol Version 4/Version 6 (IPv4/v6), Transmission Control Protocol (TCP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), Internet Group Message Protocol (IGMP), and Address Resolution Protocol (ARP) protocols.
Network probe manager reports critical protocol-specific events (TCP state changes, round-trip times, retransmissions, UDP buffer overflows).
The network probe manager addresses following primary use cases:
- Provide the following packet-specific information according to the bpf module based on IP
address and ports:
- Track the incoming and outgoing bytes for a connection.
- Use following built-ins to gather protocol header and payload information.
- TCP flags (SYN, FIN), TCP sequence and acknowledgment number.
- IPv4/IPv6 (IP addresses, protocol types: tcp, udp, icmp, igmp, and so on).
- ICMP (packet type: ECHO REQUEST, ECHO RESPONSE, and so on).
- Provide access to complete RAW network packet for probe script processing.
- Report the following protocol-related events:
- Track TCP sender and receiver buffer full events.
- TCP connection state changes from SYN-SENT state to ESTABLISHED state or from ESTABLISHED state to CLOSE state.
- Monitor delta time between state changes (for example, time that is taken from SYN-SENT state to ESTABLISHED state).
- Identify the listener (connection information) that discarded connections because the listener's queue is full.
- Identify retransmissions (second and further retransmission for a packet) for TCP connections.
- Identify the UDP socket that dropped packets because of insufficient receiving buffer.
Probe specification
Probe specification for network probe manager contains
three or five tuples that are separated by : (colon). First tuple is always
@@net
.
Network probe manager supports two major categories of specifications: One category gathers packet-specific information and another category gathers protocol-specific information.
- Format to gather packet specific
information:
@@net:bpf:<interface1>|<interface 2>|…..:<protocol>:<Filter>
- Format to gather protocol specific information
@@net:tcp:<event_name>
@@net:udp:<event_name>
Probe sub type
The second tuple signifies the sub type of the probe that indicates which layer of AIX network stack contains the probe. This tuple can have one of the following values (it cannot be *):
Second Tuple (sub type) | Description |
---|---|
bpf | This probe starts at network interface layer when a packet matches the specific filter. |
tcp | This probe starts for TCP protocol-specific events. |
udp | This probe starts for UDP protocol-specific events. |
Probe network event or gather network packet information
The third tuple is specific to particular sub type (specified in second tuple). It cannot have a value of *.
bpf-based probes
The specification contains 5 tuples for bpf-based probes that are described in the following table:
Second tuple (Sub type) | Subsequent tuples | Description |
---|---|---|
bpf |
Third tuple: interface names | This tuple specifies an interface or a list of interfaces for which the packet information
can be captured. Possible values are enX (for example,
en0 ,en1 ) and lo0 . The * value is not supported
for this tuple. You can specify one or more interfaces at a time by using | as delimiter. |
Fourth tuple: protocol | This tuple specifies the network protocol to start the probe. Possible values are
ether, arp, rarp, ipv4, ipv6, tcp, udp, icmp4, icmp6 and igmp .
Protocol-specific built-ins are populated for access in Vue script. For example, a protocol value of
ipv4 populates __ip4hdr built-ins.The * value for this tuple indicates that the
probe starts for all protocol types that match the specified filter. When the protocol is *, none of
the built-in values that are supported by network probe manager are available to Vue scripts. You
can access the raw packet data of requested size by using the Vue function
copy_kdata
() and map to corresponding protocol headers.Note: Specifying * as a value can be
performance intensive as the probe is started for all incoming and outgoing packets on the specified
interfaces that match the filter. There are also copies involved when the packet information is
spanned across multiple packet buffers.
|
|
bpf |
Fifth tuple: bpf filter string | This tuple specifies the bpf filter expression (filter expressions as specified in tcpdump command). Filter expression must be provided in the double quotation marks. Filter expression and protocol that is specified in the fourth tuple must be compatible. The * value is not supported in this tuple. |
- Specification format to access the built-in variables that are related to Ethernet header
(
__etherhdr
), IP header(__ip4hdr
) or (__ip6hdr
), and TCP header (__tcphdr
) information from the Vue script when interface en0 receives or sends packet on port 23 (filter string ” port 23”):@@net:bpf:en0:tcp:“port 23”
- Specification format to access the built-in variables related to Ethernet
header(
__etherhdr
), IP header(__ip4hdr
or__ip6hdr
), and UDP header (__udphdr
) information from the Vue script when system receives or sends packet from host example.com (filter string “example.com”) on en0 and en1 interfaces:@@net:bpf:en0|en1:udp:“host example.com”
- Specification format to access the raw packet information when system receives or sends packet
from or to "host example.com":
@@net:bpf:en1:*:“host example.com”
bpf
probe specification uses a bpf
device. These
devices are shared by ProbeVue,
tcpdump, and any other application that uses the libpcap
or
bpf
services for packet capture and injection. The number of bpf probes depends on
the number of available bpf devices in the system. When a bpf
probe is started,
the __mdata variable contains the raw packet data. You can access the raw data of
requested size by using the Vue function copy_kdata ()
and map to the ether_header,
ip header, and so on. Use the following structures to find out the header and payload data
information.
Example
VUE script to access the raw packet data when the “*” is specified as the protocol.
/* Define the ether header structure */
struct ether_header {
char ether_dhost[6];
char ether_shost[6];
short ether_type;
};
/* ProbeVue script to access and interpret the data from RAW packet */
@@net:bpf:en0:*:"port 23"
{
/* define the script local variables */
__auto struct ether_header eth;
__auto char *mb;
/* __mdata contains the address of packet data */
mb =(char *) __mdata;
printf("Network probevue\n");
/*
* Use already available “copy_kdata(…)” VUE function to copy data of
* requested size (size of ether_header) from mbuf data pointer to eth
* (ether_header) variable.
*/
copy_kdata (mb, eth);
printf("Ether Type from raw data :%x\n",eth.ether_type);
}
TCP probes
The specification contains three tuples for TCP probes as described in the following table:
Second tuple (Sub type) |
Events (Third tuple) The * value is not supported in this tuple. |
Description |
---|---|---|
tcp | state_change | This probe is started whenever the TCP state changes. |
send_buf_full | This probe is started whenever the send buffer full event occurs. | |
recv_buf_full | This probe is started whenever the receive buffer full event occurs. | |
retransmit | This probe is started whenever the re-transmission of packet happens for TCP connection. | |
listen_q_full | This probe is started whenever a server (listener socket) discards the new connection requests due to listener’s queue being full. |
__proto_info built-in variable provides the TCP connection (four tuple) information (local IP, remote IP, local port, and remote port) whenever the TCP-related event occurs. Remote port and IP address contains a value of NULL for the listen_q_full event.
Example
Probe specifications for TCP protocol state changes:
@@net:tcp:state_change
udp probes
For udp
probes the specification contains three tuples as described in the
following table:
Second tuple (Sub type) | Events (third tuple) The * value is not supported in this tuple. |
Description |
---|---|---|
udp | sock_recv_buf_overflow | This probe is started whenever the datagram or the UDP socket’s receive buffer overflows. |
The __proto_info
built-in variable provides the UDP protocol
related data (source IP and destination IP addresses, source and destination port numbers) whenever
socket receive buffer overflow event
occurs.
@@net:udp:sock_recv_buf_overflow
Example
Probe specifications for UDP socket’s receive buffer overflow:
@@net:udp:sock_recv_buf_overflow
Network probe-related built-in variables for Vue scripts
Network related events can be probed using following built-in variables.
__etherhdr
built-in variable
The __etherhdr
variable is a special built-in variable to get ether header information from filtered packet. This
built-in variable is available when you probe the packet information at interface layer with any one
of these protocols: “ether”, “ipv4”, “ipv6”, “tcp”, “udp”, “icmp4”, icmp6”, “igmp”, “arp”, and
“rarp”. This variable is available in probes of sub type bpf
. Its member elements
can be accessed by using the syntax __etherhdr->member
.
The __etherhdr built-in value has the following members:
Member name | Type | Description |
---|---|---|
src_addr |
mac_addr_t |
Source MAC address. The data type mac_addr_t is used to store the MAC address. Use format specifier “M” to print the MAC address. |
dst_addr | mac_addr_t | Destination MAC address. The data type mac_addr_t is used to store the MAC address. Use format specifier “M” to print the MAC address. |
ether_type | unsigned short | This name indicates the protocol encapsulated in the payload of an Ethernet frame. Protocols
can be IPv4, IPv6, ARP, and REVARP. It can match one of the following built-in constant values for ether_type:
Refer the header files |
The __ip4hdr variable is
a special built-in variable to get the IPv4 header information from filtered packet. This variable
is available when you probe the packet information at interface layer with any one of the protocols:
“ipv4”,“tcp”, “udp”, “icmp4”, and “igmp”. And, it has valid data when IP version is IPv4. This
variable is available in probes of sub type bpf
. Its member elements can be
accessed by using the syntax __ip4hdr->member
.
This built-in variable has the following members:
Member name | Type | Description |
---|---|---|
src_addr |
ip_addr_t |
Source IP address. The data type ip_addr_t is used to store the IP address. Use format specifier “I” to print the IP address in dotted decimal format and use format specifier “H” to print the host name. Host name printing is a costly operation. |
dst_addr | ip_addr_t | Destination IP address. The data type ip_addr_t is used to store the IP address. Use format specifier “I” to print the IP address in dotted decimal format and use format specifier “H” to print host name. Host name printing is a costly operation. |
protocol | unsigned short | This member name indicates the protocol that is used in the data portion of the IP datagram.
Protocols can be TCP, UDP, ICMP, IGMP, FRAGMENTED, and so on. It can match one of the following built-in constant values for protocol.
Refer
the header file |
ttl | unsigned short | Time to live or hop limit. |
cksum | unsigned short | IP header checksum. |
id | unsigned short | Identification number. This member is used for uniquely identifying the group of fragments of a single IP datagram. |
total_len | unsigned short | Total length. This value is entire packet (fragment) size, including IP header and data in bytes. |
hdr_len | unsigned short | Size of the IP header. |
tos | unsigned short | Type of service. |
frag_offset | unsigned short | Fragment offset. This value specifies the offset of particular fragment, relative to beginning of the original un fragmented IP datagram. The first fragment has an offset of zero. It can match one of the built-in constant
Refer the header file |
__ip6hdr built-in variable
The __ip6hdr variable is a special
built-in variable to get the IPv6 header information from filtered packet. This variable is
available when user probes the packet information at interface layer. This variable with any one of
the protocols (“ipv6”, “tcp”, “udp” and “icmp6”) has valid data when IP version is IPv6. This
variable is available in probes of sub type bpf
. Its member elements can be
accessed by using the syntax __ip6hdr->member
.
This built-in variable has the following members:
Member name | Type | Description |
---|---|---|
src_addr |
ip_addr_t |
Source IP address. The data type ip_addr_t is used to store the IP address. Use format specifier “I” to print the IP address and use format specifier “H” to print the host name. Host name printing is a costly operation. |
dst_addr | ip_addr_t | Destination IP address. The data type ip_addr_t is used to store the IP address. Use format specifier “I” to print the IP address and use format specifier “H” to print host name. Host name printing is costly operation. |
protocol | unsigned short | This value indicates the protocol that is used in the data portion of the IP datagram.
Protocols can be TCP, UDP, and ICMPV6, and so on. It can match one of the following built-in constant values for protocol: IPPROTO_TCP,IPPROTO_UDP, IPPROTO_ROUTING, IPPROTO_ICMPV6,
IPPROTO_NONE, IPPROTO_DSTOPTS, IPPROTO_LOCAL Refer the header file
|
hop_limit | unsigned short | Hop limit (time to live). |
total_len | unsigned short | Total length (payload length). The size of the payload including any extension headers. |
next_hdr | unsigned short | Specifies the type of the next header. This field usually specifies the transport layer protocol that is used by a packet's payload. When extension headers are present in the packet, this field indicates which extension header follows. The values are shared with those used for the IPv4 protocol field. |
flow_label | unsigned int | Flow label. |
traffic_class | unsigned int | Traffic class. |
__tcphdr built-in variable
The __tcphdr variable is a special built-in variable to get the tcp header information from
filtered packet. This variable is available when you probe the packet information at interface layer
with tcp protocol. It is available in probes of sub type bpf. Its member elements can be accessed by
using the syntax __tcphdr->member
.
The __tcphdr built-in variable has the following members:
Member name | Type | Description |
---|---|---|
src_port | unsigned short | Source port of the packet. |
dst_port | unsigned short | Destination port of the packet. |
flags | unsigned short | These values are the control bits and are set to indicate the communication of control
information. 1 bit for each flag. It can match one of the built-in constant flag values. The flag values must be bitwise and with the built-in constant flag value to validate the presence of the particular flag.
Refer TCP documentation for detailed information about these flags and refer the header
file |
seq_num | unsigned int | Sequence number. |
ack_num | unsigned int | Acknowledgment number. |
hdr_len | unsigned int | TCP header length information |
cksum | unsigned short | Checksum. |
window | unsigned short | Window size. |
urg_ptr | unsigned short | Urgent pointer. |
__udphdr built-in variable
The __udphdr is a special built-in
variable that is used to get the udp
header information from filtered packet. This
built-in is available when user probes the packet information at interface layer with udp as
protocol. It is available in probes of sub type bpf
. Its member elements can be
accessed by using the syntax __udphdr->member
.
__udphdr built-in variable has the following members:
Member name | Type | Description |
---|---|---|
src_port | unsigned short | Source port of the packet. |
dst_port | unsigned short | Destination port of the packet. |
length | unsigned short | UDP header and data length information. |
cksum | unsigned short | Checksum. |
__icmp built-in variable
The __icmp is a special built-in variable
that is used to get the icmp header information from filtered packet. This built-in is available
when user probes the packet information at interface layer with icmp protocol. It is available in
probes of sub type bpf. Its member elements can be accessed by using the syntax
__icmp->member
.
This built-in variable has the following members:
Member name | Type | Description |
---|---|---|
type | unsigned short | Type of ICMP message. For example: 0 - echo reply, 8 - echo request, 3 - destination unreachable. Look in for all the types. For more information, refer to the standard network documentation. It can match one of the following built-in constant values for of ICMP message types:
Refer
the header file Note: All
possible message type values are not defined, and hence there can be other options present in the
value.
|
code | unsigned short | Subtype of ICMP message. For each type of message, several different codes and subtypes are defined. For example, no route to destination, communication with destination administratively prohibited, not a neighbor, address unreachable, port unreachable. For more information, refer to the standard network documentation. It can match one of the following built-in constant values for ICMP sub types: ICMP_UNREACH_NET ICMP_UNREACH_HOST ICMP_UNREACH_PROTOCOL ICMP_UNREACH_PORT ICMP_UNREACH_NEEDFRAG ICMP_UNREACH_SRCFAIL ICMP_UNREACH_NET_ADMIN_PROHIBITED ICMP_UNREACH_HOST_ADMIN_PROHIBITED Subtype values for type 4 The subtype values for type 4 are as follows:
Subtype values for type 6 The subtype values for type 6 are as follows:
Subtype values for type 7 The subtype values for type 7 are as follows: ICMP_PARAMPROB_PTR ICMP_PARAMPROB_MISSING Refer the header file /usr/include/netinet/ip_icmp.h for message subtype values. Note: Not all possible message sub types values are defined, and hence there might be other options present in the message sub type value. |
cksum | unsigned short | Checksum. |
__icmp6 built-in variable
__icmp6 is a special built-in variable
that is used to get the icmpv6 header information from filtered packet. This is available when user
probes the packet information at interface layer with icmp6
protocol. It is
available in probes of sub type bpf
. Member elements of this built-in variable can
be accessed using syntax “__icmp6->member”.
__icmp6 has the following members:
Member name | Type | Description |
---|---|---|
type | unsigned short | Type of ICMPV6 message. This specifies the type of message, which determines the format of the remaining data. It can match one of the following built-in constant values for ICMPV6 types.
Refer
the header file Note: Not all
possible message type values are defined, and hence there might be other options present in the
value.
|
code | unsigned short | Subtype of ICMPV6 message. This value depends on the message type. It provides an extra level of message granularity. It can match one of the following built-in constant values for ICMPV6 sub types.
Refer
the header file Note: Not all possible message sub type values are defined, and hence there might be
other options present in the value.
|
cksum | unsigned short | Checksum. |
__igmp built-in variable
__igmp is a special built-in variable
that is used to get the igmp
header information from filtered packet. This is
available when user probes the packet information at interface layer with igmp
protocol. This is available in probes of sub type bpf
. Its member elements can be
accessed using syntax “__igmp->member”.
__igmp built-in has the following members:
Member name | Type | Description |
---|---|---|
type | unsigned short |
Type of IGMP message. For example: It can match one of the following built-in constant values for IGMP Message types.
Refer the header file Note: Not all possible message type values are defined, and hence there could be other options present in the value. |
code | unsigned short |
Subtype of IGMP type. It can match one of the following built-in constant values for IGMP Message subtypes. Subtype values for type no 3.
Note: Not all possible message sub type values are defined, and hence there could be other options
present in the value.
|
cksum | unsigned short | IGMP Checksum value. |
group_addr | ip_addr_t |
Group address that is reported or queried. This address is the multicast address that is queried when you are sending a Group-Specific or Group-and-Source-Specific Query. The field has a value of zero when you are sending a General Query. The data type ip_addr_t is used to store the group IP address. Use format specifier “I” to print the IP address. |
__arphdr built-in variable
The __arphdr variable
is a special built-in variable that is used to get the arphdr
header information
from filtered packet. This variable is available when user probes the packet information at
interface layer with arp
or rarp
protocol. It is available in
probes of sub type bpf
.The __arphdr member elements can be accessed by using the
syntax __arphdr->member
.
The __arphdr built-in variable has following members:
Member name | Type | Description |
---|---|---|
hw_addr_type | unsigned short | Format of the hardware address type. This field identifies the specific data-link protocol
that is being used. It can match one of the following built-in constant values for data link protocol:
Refer the header file /usr/include/net/if_arp.h for protocol values. |
protocol_type | unsigned short | Format of the protocol address type. This field identifies the specific network protocol that
is being used. It can match one of the following built-in constant values for network protocol:
Refer
the header file |
hdr_len | unsigned short | Mac or hardware address length. |
proto_len | unsigned short | Protocol or IP address length. |
operation | unsigned short | Specifies the operation that the sender is performing: 1 for request, 2 for reply. It can match one of the following built-in constant values for network protocol:
Refer the header file
|
src_mac_addr | mac_addr_t | Sender or source MAC address. Sender hardware or mac address is stored in mac_addr_t data type. The format specifier “%M” is used to print sender MAC or hardware address. |
dst_mac_addr | mac_addr_t | Target or Destination MAC address. Target hardware or MAC address is stored in mac_addr_t data type. The format specifier “%M” is used to print target MAC or hardware address. |
src_ip | ip_addr_t | Source or sender IP address. Sender IP address is stored in The format specifier “%I” is used to print sender IP address. |
dst_ip | ip_addr_t | Target or Destination IP address. Target IP address is stored in The format specifier “%I” is used to print target IP address. |
Example
Vue script to probe packet header information for packets
received or sent over port 23. Provides the source and destination node information and also
tcp
header length information
@@net:bpf:en0:tcp:"port 23"
{
printf("src_addr:%I and dst_addr:%I\n",__ip4hdr->src_addr,__ip4hdr->dst_addr);
printf("src port:%d\n",__tcphdr->src_port);
printf("dst port:%d\n",__tcphdr->dst_port);
printf("tcp hdr_len:%d\n",__tcphdr->hdr_len);
}
Output:
# probevue bpf_tcp.e
src_addr:10.10.10.12 and dst_addr:10.10.18.231
src port:48401
dst port:23
tcp hdr_len:20
..................
.................
__proto_info built-in variable
The __proto_info variable is a special built-in
variable that is used to get the protocol (source and destination IP addresses and ports)
information for TCP or UDP events. The __proto_info variable is available in probes of sub type
tcp
or udp
. Its member elements can be accessed by using the
syntax __proto_info->member
.
The __proto_info built-in variable has the following members:
Member name | Type | Description |
---|---|---|
local_port | unsigned short | Local port |
remote_port | unsigned short | Remote port |
local_addr | ip_addr_t | Local address |
remote_addr | ip_addr_t | Remote address |
Additional information for TCP-specific events
The TCP state change events are described in the following table:
Name | Type | Description |
---|---|---|
__prev_state | short | Previous state information for connection. |
__cur_state | short | Present state information for connection. |
It can match one of the following built-in constant values for TCP states:
The values are defined in exported header file
|
Example:
The following Vue script provides state change information for a particular connection:
@@net:tcp:state_change
when(__proto_info->local_addr ==”10.10.10.1” and __proto_info->remote_addr == 10.10.10.2”
and __proto_info->local_port =”8000” and __proto_info->remote_port =”9000”)
{
printf(“Previous state:%d and current_state:%d\n”,__prev_state,__cur_state);
}
TCP retransmit event
Name | Type | Description |
---|---|---|
__nth_retransmit | unsigned short | Nth retransmission |
Examples
1. Following example Identifies the listener which has discarded connections due to listener's queue is full.
@@net:tcp:listen_q_full
{
printf(“Listener IP address:%I and Port number is:%d\n”,__proto_info->local_addr, __proto_info->local_port);
}
2. Following example Identifies connection which drop packets due to socket buffer overflows
@@net:udp:sock_recv_buf_overflow
{
printf("Connection information which drops packet due to socket buffer overflows:\n");
printf("Local IP address:%I and Remote IP address:%I\n",__proto_info->local_addr,__proto_info->remote_addr);
printf("local port :%d and remote port:%d\n",__proto_info->local_port, __proto_info->remote_port);
}
3. Identify retransmissions (second & further retransmission for a packet) for TCP connections for particular connection.
@@net:tcp:retransmit
when (__proto_info->local_addr == "10.10.10.1" &&
__proto_info->remote_addr == "10.10.10.2" &&
__proto_info->local_port == "4000" &&
__proto_info->remote_port == "5000")
{
printf(" %d th re-transmition for this connection\n", _nth_retransmit);
}
4. Identify the connection information whenever sender buffer full event occurs .
@@net:tcp:send_buf_full
{
printf("Connection information whenever send buffer full event occurs:\n");
printf("Local IP address:%I and Remote IP address:%I\n",__proto_info->local_addr,__proto_info->remote_addr);
printf("local port :%d and remote port:%d\n",__proto_info->local_port, __proto_info->remote_port);
}