netobserv
diff --git a/‎bpf/flows.c‎
Lines changed: 6 additions & 0 deletions b/‎bpf/flows.c‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎bpf/tls_tracker.h‎
Lines changed: 82 additions & 0 deletions b/‎bpf/tls_tracker.h‎
Lines changed: 82 additions & 0 deletions
diff --git a/‎bpf/utils.h‎
Lines changed: 0 additions & 17 deletions b/‎bpf/utils.h‎
Lines changed: 0 additions & 17 deletions
diff --git a/‎pkg/ebpf/bpf_arm64_bpfel.o‎
2.03 KB b/‎pkg/ebpf/bpf_arm64_bpfel.o‎
2.03 KB
diff --git a/‎pkg/ebpf/bpf_powerpc_bpfel.o‎
2.03 KB b/‎pkg/ebpf/bpf_powerpc_bpfel.o‎
2.03 KB
diff --git a/‎pkg/ebpf/bpf_s390_bpfeb.o‎
2.16 KB b/‎pkg/ebpf/bpf_s390_bpfeb.o‎
2.16 KB
diff --git a/‎pkg/ebpf/bpf_x86_bpfel.o‎
2.03 KB b/‎pkg/ebpf/bpf_x86_bpfel.o‎
2.03 KB
@@ -28,6 +28,11 @@
  */
 #include "dns_tracker.h"
 
+/*
+ * Defines the TLS tracker,
+ */
+#include "tls_tracker.h"
+
 /*
  * Defines an rtt tracker,
  * which runs inside flow_monitor. Is optional.
@@ -189,6 +194,7 @@ static inline int flow_monitor(struct __sk_buff *skb, u8 direction) {
     if (enable_dns_tracking) {
         dns_errno = track_dns_packet(skb, &pkt);
     }
+    track_tls_version(skb, &pkt);
     flow_metrics *aggregate_flow = (flow_metrics *)bpf_map_lookup_elem(&aggregated_flows, &id);
     if (aggregate_flow != NULL) {
         update_existing_flow(aggregate_flow, &pkt, len, flow_sampling, skb->ifindex, direction);
 
@@ -0,0 +1,82 @@
+/*
+    light weight TLS tracker.
+*/
+
+#ifndef __TLS_TRACKER_H__
+#define __TLS_TRACKER_H__
+#include "utils.h"
+
+#define CONTENT_TYPE_CHANGE_CIPHER 0x14
+#define CONTENT_TYPE_ALERT 0x15
+#define CONTENT_TYPE_HANDSHAKE 0x16
+#define CONTENT_TYPE_APP_DATA 0x17
+#define HANDSHAKE_CLIENT_HELLO 0x01
+#define HANDSHAKE_SERVER_HELLO 0x02
+
+// https://www.rfc-editor.org/rfc/rfc5246
+struct tls_record {
+    u8 content_type; // handshake, alert, change cipher, app data
+    u8 major;
+    u8 minor;
+    u16 length;
+};
+
+struct tls_handshake_header {
+    u8 content_type; // client hello, server hello ...
+    u8 len[3];
+};
+
+struct tls_handshake_version {
+    u8 major;
+    u8 minor;
+};
+
+// Extract TLS info
+static inline void track_tls_version(struct __sk_buff *skb, pkt_info *pkt) {
+    if (pkt->id->transport_protocol == IPPROTO_TCP) {
+        void *data_end = (void *)(long)skb->data_end;
+        struct tcphdr *tcp = (struct tcphdr *)pkt->l4_hdr;
+        if (!tcp || ((void *)tcp + sizeof(*tcp) > data_end)) {
+            return;
+        }
+
+        u8 len = tcp->doff * sizeof(u32);
+        if (!len) {
+            return;
+        }
+
+        struct tls_record rec;
+        u32 offset = (long)pkt->l4_hdr - (long)skb->data + len;
+
+        if ((bpf_skb_load_bytes(skb, offset, &rec, sizeof(rec))) < 0) {
+            return;
+        }
+
+        switch (rec.content_type) {
+        case CONTENT_TYPE_HANDSHAKE: {
+            pkt->ssl_version = ((u16)rec.major) << 8 | rec.minor;
+            struct tls_handshake_header handshake;
+            if (bpf_skb_load_bytes(skb, offset + sizeof(rec), &handshake, sizeof(handshake)) < 0) {
+                return;
+            }
+            if (handshake.content_type == HANDSHAKE_CLIENT_HELLO ||
+                handshake.content_type == HANDSHAKE_SERVER_HELLO) {
+                struct tls_handshake_version handshake_version;
+                if (bpf_skb_load_bytes(skb, offset + sizeof(rec) + sizeof(handshake),
+                                       &handshake_version, sizeof(handshake_version)) < 0) {
+                    return;
+                }
+                pkt->ssl_version = ((u16)handshake_version.major) << 8 | handshake_version.minor;
+            }
+            break;
+        }
+        case CONTENT_TYPE_CHANGE_CIPHER:
+        case CONTENT_TYPE_ALERT:
+        case CONTENT_TYPE_APP_DATA:
+            pkt->ssl_version = ((u16)rec.major) << 8 | rec.minor;
+            break;
+        }
+    }
+}
+
+#endif // __TLS_TRACKER_H__
@@ -50,22 +50,6 @@ static inline void set_flags(struct tcphdr *th, u16 *flags) {
     }
 }
 
-// Extract TLS info
-static inline void fill_tls_info(struct tcphdr *tcp, void *data_end, pkt_info *pkt) {
-    void *start_payload = ((void *)tcp) + (tcp->doff * 4);
-    if (start_payload + 5 <= data_end) {
-        if (((u8 *)start_payload)[0] == 0x16) {
-            // TODO handshake special case, see https://www.netmeister.org/blog/tcpdump-ssl-and-tls.html
-            pkt->ssl_version =
-                ((u16)(((u8 *)start_payload)[1])) << 8 | (u16)(((u8 *)start_payload)[2]);
-        } else if (((u8 *)start_payload)[0] == 0x14 || ((u8 *)start_payload)[0] == 0x15 ||
-                   ((u8 *)start_payload)[0] == 0x17) {
-            pkt->ssl_version =
-                ((u16)(((u8 *)start_payload)[1])) << 8 | (u16)(((u8 *)start_payload)[2]);
-        }
-    }
-}
-
 // Extract L4 info for the supported protocols
 static inline void fill_l4info(void *l4_hdr_start, void *data_end, u8 protocol, pkt_info *pkt) {
     flow_id *id = pkt->id;
@@ -78,7 +62,6 @@ static inline void fill_l4info(void *l4_hdr_start, void *data_end, u8 protocol,
             id->dst_port = bpf_ntohs(tcp->dest);
             set_flags(tcp, &pkt->flags);
             pkt->l4_hdr = (void *)tcp;
-            fill_tls_info(tcp, data_end, pkt);
         }
     } break;
     case IPPROTO_UDP: {