Releases: retis-org/retis
v1.3.0
This version includes multiple improvements, new features and fixes. 136 commits since v1.2.0!
PCAP post-processing
A new post-processing command, pcap, is introduced and can be used to generate pcap-ng files for consumption by other tools. First, a capture of events must be performed using Retis. Then, the pcap post-processing command can be used to generate pcap-ng files (filtering for a single probe for now).
$ retis -p pcap,generic collect -o
$ retis pcap --probe tp:net:netif_receive_skb | tcpdump -nnr -
$ retis pcap --probe tp:net:net_dev_start_xmit -o retis.pcap
$ wireshark retis.pcap
More information in the online documentation.
Meta filtering
Meta filtering allows matching packets based on their metadata, i.e. by directly checking fields in struct sk_buff. Metadata filters can match against any subfield of the sk_buff and of subsequent inner data structures. Meta filtering also automatically follows struct pointers, so indirect access to structures pointed to by an sk_buff field is possible.
$ retis collect -m 'sk_buff.dev.nd_net.net.ns.inum == 4026531840'
$ retis collect -m 'sk_buff.dev.name == "eth0"'
More information in the online documentation.
L3 filtering
Retis now automatically detects and generates L2/L3 filters based on the expression. This allows matching both fully formed packets and packets that do not have a valid L2 header yet. The following filter internally generates two filters. For packets without a valid L2 header, the filter matches packets with TCP source or destination port 443. For packets with a valid L2 header, both ARP and TCP packets are matched.
$ retis collect -f 'arp or tcp port 443'
L2+L3 packet filter(s) loaded
More information in the online documentation.
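The split described above, modelled as an added example (not Retis code): the `arp` term can only be decided from the Ethernet header, so the L3 variant of the filter keeps just `tcp port 443`. The function names and sample packets are constructed for illustration, and the model assumes IPv4 only.

```python
import struct

ETH_P_IP, ETH_P_ARP, IPPROTO_TCP = 0x0800, 0x0806, 6

def ipv4_tcp(sport, dport):
    """Constructed IPv4 header (20 bytes, no options) followed by a TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 1024, 0, 0)
    return ip + tcp

def ethernet(ethertype, payload):
    """Constructed Ethernet II frame: dst MAC, src MAC, ethertype, payload."""
    macs = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"
    return macs + struct.pack("!H", ethertype) + payload

def l3_match(pkt):
    """'tcp port 443' evaluated from the start of the IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != IPPROTO_TCP:
        return False  # this model only handles IPv4 carrying TCP
    ihl = (pkt[0] & 0x0F) * 4  # IPv4 header length in bytes
    if len(pkt) < ihl + 4:
        return False
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return 443 in (sport, dport)

def l2_match(frame):
    """'arp or tcp port 443' evaluated from the start of the Ethernet header."""
    if len(frame) < 14:
        return False
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    return ethertype == ETH_P_ARP or (ethertype == ETH_P_IP and l3_match(frame[14:]))

def matches(data, has_l2_header):
    """Pick the filter variant by whether the packet has a valid L2 header."""
    return l2_match(data) if has_l2_header else l3_match(data)

# Constructed sample packets: (label, bytes, has a valid L2 header)
SAMPLES = [
    ("arp frame", ethernet(ETH_P_ARP, bytes(28)), True),
    ("tcp/443 frame", ethernet(ETH_P_IP, ipv4_tcp(50000, 443)), True),
    ("tcp/80 frame", ethernet(ETH_P_IP, ipv4_tcp(50000, 80)), True),
    ("tcp/443, no L2 header", ipv4_tcp(443, 50000), False),
    ("tcp/80, no L2 header", ipv4_tcp(50000, 80), False),
]

if __name__ == "__main__":
    for label, data, has_l2 in SAMPLES:
        print(f"{label:24} -> {matches(data, has_l2)}")
```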
Other improvements
- Wildcard support for all probe types (was kprobe-only). E.g.
$ retis collect -p tp:skb:*
- Pager support in post-processing commands.
- Non-core drop reasons support.
- Improved logging.
- Multiple improvements & fixes.