Improve comm output. Improve docs.

dkorunic · dkorunic · commit 816261f2fb46 · 2025-02-13T14:45:00.000+01:00
diff --git a/README.md b/README.md
@@ -11,7 +11,9 @@
 
 pktstat-bpf is a simple replacement for ncurses/libpcap-based [pktstat](https://github.com/dleonard0/pktstat), using Linux eBPF ([extended Berkeley Packet Filter](https://prototype-kernel.readthedocs.io/en/latest/bpf/)) program, allowing packet statistics gathering even under **very high traffic volume** conditions, typically several million packets per second even on an average server. In this scenario (high volume, DoS attacks etc.) typically regular packet capture solutions start being unreliable due to increasing packet loss.
 
-By default it uses **TC** (Traffic Control) eBPF hooks with TCX attaching requiring at minimum Linux kernel **v6.6** for both ingress and egress traffic statistics. Alternatively it can switch to [XDP](https://github.com/xdp-project/xdp-tutorial) (eXpress Data Path) hook but with a consequence of **losing egress statistics** since **XDP** works only in ingress path. XDP mode due to XDP program to network interface attaching calls requires at minimum Linux kernel **v5.9**. Some distributions might have backported XDP/TC patches (notable example is Red Hat Enterprise Linux kernel) and eBPF program might work on older kernels too.
+By default it uses **TC** (Traffic Control) eBPF hooks with TCX attaching requiring at minimum Linux kernel **v6.6** for both ingress and egress traffic statistics for TCP, UDP, ICMPv4 and ICMPv6. It can also switch to even faster [XDP](https://github.com/xdp-project/xdp-tutorial) (eXpress Data Path) hook but with a consequence of **losing egress statistics** since **XDP** works only in ingress path. XDP mode due to XDP program to network interface attaching calls requires at minimum Linux kernel **v5.9**. Some distributions might have backported XDP/TC patches (notable example is Red Hat Enterprise Linux kernel) and eBPF program might work on older kernels too.
+
+Alternatively it can use **KProbes** to monitor TCP, UDP, ICMPv4 and ICMPv6 communication throughout all containers, K8s pods, translations and forwards and display process ID as well as process name, if the traffic was being sent or delivered to userspace application. KProbes traditionally work the slowest, being closest to the userspace -- but they bring sometimes useful process information.
 
 At the end of the execution program will display per-IP and per-protocol statistics sorted by per-connection bps, packets and (source-IP:port, destination-IP:port) tuples.
 
@@ -37,7 +39,7 @@ The following table maps features, requirements and expected performance for des
 | --------------------------------------------------- | ------- | ------ | -------------- | ---------------- | --------------- | ----------------- |
 | Generic [PCAP](https://github.com/dkorunic/pktstat) | Yes     | Yes    | Low            | No               | Any             | No                |
 | [AF_PACKET](https://github.com/dkorunic/pktstat)    | Yes     | Yes    | Medium         | No               | v2.2            | No                |
-| Kprobes                                             | Yes     | Yes    | Medium+        | **Yes**              | v2.6            | No                |
+| KProbes                                             | Yes     | Yes    | Medium+        | **Yes**          | v2.6            | No                |
 | TC                                                  | Yes     | Yes    | **High**       | No               | v6.6            | No                |
 | XDP Generic                                         | Yes     | **No** | **High**       | No               | v5.9            | No                |
 | XDP Native                                          | Yes     | **No** | **Very high**  | No               | v5.9            | No                |
diff --git a/flags.go b/flags.go
@@ -40,7 +40,7 @@ const (
 
 var (
 	ifname, xdpMode                               *string
-	jsonOutput, version, help, useXDP, useKprobes *bool
+	jsonOutput, version, help, useXDP, useKProbes *bool
 	timeout                                       *time.Duration
 	xdpAttachFlags                                link.XDPAttachFlags
 )
@@ -51,7 +51,7 @@ func parseFags() {
 	help = fs.Bool('?', "help", "display help")
 	jsonOutput = fs.Bool('j', "json", "if true, output in JSON format")
 	useXDP = fs.Bool('x', "xdp", "if true, use XDP instead of TC (this disables egress statistics)")
-	useKprobes = fs.Bool('k', "kprobes", "if true, use kprobes for per-proces TCP/UDP statistics")
+	useKProbes = fs.Bool('k', "kprobes", "if true, use KProbes for per-proces TCP/UDP statistics")
 
 	version = fs.BoolLong("version", "display program version")
 
diff --git a/main.go b/main.go
@@ -68,8 +68,8 @@ func main() {
 	}()
 
 	switch {
-	// Kprobes w/ PID tracking
-	case *useKprobes:
+	// KProbes w/ PID tracking
+	case *useKProbes:
 		hooks := []kprobeHook{
 			{kprobe: "tcp_sendmsg", prog: objs.TcpSendmsg},
 			{kprobe: "tcp_cleanup_rbuf", prog: objs.TcpCleanupRbuf},
@@ -81,7 +81,7 @@ func main() {
 			{kprobe: "icmpv6_rcv", prog: objs.Icmpv6Rcv},
 		}
 
-		links = startKprobes(hooks, links)
+		links = startKProbes(hooks, links)
 	// XDP
 	case *useXDP:
 		links = startXDP(objs, iface, links)
@@ -125,28 +125,28 @@ func main() {
 	}
 }
 
-// startKprobes attaches a series of eBPF programs to kernel functions using Kprobes.
+// startKProbes attaches a series of eBPF programs to kernel functions using KProbes.
 //
 // This function iterates over a slice of kprobeHook structs, each containing a kernel function
 // name (kprobe) and an associated eBPF program. It attempts to attach each eBPF program to its
-// respective kernel function using Kprobes. If a Kprobe cannot be attached, an error message
+// respective kernel function using KProbes. If a Kprobe cannot be attached, an error message
 // is logged, but the function continues with the next Kprobe.
 //
-// The function first checks if Kprobes are supported by the current kernel. If not supported,
+// The function first checks if KProbes are supported by the current kernel. If not supported,
 // it logs a fatal error and terminates the program.
 //
 // Parameters:
 //
 //	hooks []kprobeHook: A slice of kprobeHook structs, where each struct contains a kernel
 //	function name and an associated eBPF program.
 //
-//	links []link.Link: A slice of link.Link objects to which successfully attached Kprobes
+//	links []link.Link: A slice of link.Link objects to which successfully attached KProbes
 //	are appended.
 //
 // Returns:
 //
-//	[]link.Link: The updated slice of link.Link objects, including any newly attached Kprobes.
-func startKprobes(hooks []kprobeHook, links []link.Link) []link.Link {
+//	[]link.Link: The updated slice of link.Link objects, including any newly attached KProbes.
+func startKProbes(hooks []kprobeHook, links []link.Link) []link.Link {
 	var l link.Link
 
 	err := features.HaveProgramType(ebpf.Kprobe)
diff --git a/output.go b/output.go
@@ -38,7 +38,7 @@ const (
 	Mbps               = 1000 * Kbps
 	Gbps               = 1000 * Mbps
 	Tbps               = 1000 * Gbps
-	KernelComm         = "kernel"
+	KernelComm         = "[kernel]"
 )
 
 // processMap generates statEntry objects from an ebpf.Map using the provided start time.
@@ -120,7 +120,7 @@ func outputPlain(m []statEntry) {
 				formatBitrate(v.Bitrate), v.Packets, v.Bytes, v.Proto, v.SrcIP, v.SrcPort, v.DstIP, v.DstPort))
 		}
 
-		if *useKprobes {
+		if *useKProbes {
 			sb.WriteString(fmt.Sprintf(", pid: %d, comm: %v", v.Pid, v.Comm))
 		}
 
@@ -149,16 +149,17 @@ func outputJSON(m []statEntry) {
 // Otherwise, it creates a new byte slice, copies the input byte slice into it,
 // trims any null bytes from the end of the slice, and returns the result as a string.
 func comm2String(bs []int8) string {
-	if len(bs) == 0 {
-		return KernelComm
-	}
-
 	b := make([]byte, len(bs))
 	for i, v := range bs {
 		b[i] = byte(v)
 	}
 
+	// trim excess NULLs
 	b = bytes.Trim(b, "\x00")
 
+	if len(b) == 0 {
+		return KernelComm
+	}
+
 	return string(b)
 }
