
Is there any way to get the five-tuple info with -m text #682

Closed
chilli13 opened this issue Dec 5, 2024 · 4 comments
Labels
enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed

Comments

@chilli13

chilli13 commented Dec 5, 2024

I noticed that the UUID field in -m text seems to obtain the IP address and port of the https server. Is there a way to obtain the complete five-tuple information?

2024-12-05T16:31:52+08:00 ??? UUID:38935_38935_curl_5_0_39.156.66.10:443, Name:HTTPResponse, Type:3, Length:357

# ecapture tls
2024-12-05T16:27:20+08:00 INF AppName="eCapture(旁观者)"
2024-12-05T16:27:20+08:00 INF HomePage=https://ecapture.cc
2024-12-05T16:27:20+08:00 INF Repository=https://github.com/gojue/ecapture
2024-12-05T16:27:20+08:00 INF Author="CFC4N <cfc4ncs@gmail.com>"
2024-12-05T16:27:20+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-12-05T16:27:20+08:00 INF Version=linux_amd64:v0.8.9:6.5.0-1025-azure
2024-12-05T16:27:20+08:00 INF Listen=localhost:28256
2024-12-05T16:27:20+08:00 INF eCapture running logs logger=
2024-12-05T16:27:20+08:00 INF the file handler that receives the captured event eventCollector=
2024-12-05T16:27:20+08:00 WRN ========== module starting. ==========
2024-12-05T16:27:20+08:00 INF Kernel Info=5.10.0 Pid=38903
2024-12-05T16:27:20+08:00 INF listen=localhost:28256
2024-12-05T16:27:20+08:00 INF BTF bytecode mode: CORE. btfMode=0
2024-12-05T16:27:20+08:00 INF https server starting...You can update the configuration file via the HTTP interface.
2024-12-05T16:27:20+08:00 INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2024-12-05T16:27:20+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-12-05T16:27:20+08:00 INF Module.Run()
2024-12-05T16:27:20+08:00 INF OpenSSL/BoringSSL version found origin versionKey="OpenSSL 1.1.1wa" versionKeyLower="openssl 1.1.1wa"
2024-12-05T16:27:20+08:00 WRN OpenSSL/BoringSSL version not found from shared library file, used default version OpenSSL Version=linux_default_1_1_1
2024-12-05T16:27:20+08:00 INF Hook masterKey function ElfType=2 Functions=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"] binrayPath=/lib64/libssl.so.1.1
2024-12-05T16:27:20+08:00 INF target all process.
2024-12-05T16:27:20+08:00 INF target all users.
2024-12-05T16:27:20+08:00 INF setupManagers eBPFProgramType=Text
2024-12-05T16:27:20+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_1_1_1j_kern_core.o
2024-12-05T16:27:20+08:00 INF perfEventReader created mapSize(MB)=4
2024-12-05T16:27:20+08:00 INF perfEventReader created mapSize(MB)=4
2024-12-05T16:27:20+08:00 INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL


2024-12-05T16:27:26+08:00 ??? UUID:38819_38819_nginx_27_1_0.0.0.0, Name:HTTPResponse, Type:3, Length:249
HTTP/1.1 200 OK
Content-Length: 13
Accept-Ranges: bytes
Connection: keep-alive
Content-Type: text/plain
Date: Thu, 05 Dec 2024 08:27:25 GMT
Etag: "673d398c-d"
Last-Modified: Wed, 20 Nov 2024 01:21:16 GMT
Server: nginx/1.21.5

hello world

2024-12-05T16:27:26+08:00 ??? UUID:38819_38819_nginx_27_0_0.0.0.0, Name:HTTPRequest, Type:1, Length:85
GET /bak/1.txt HTTP/1.1
Host: zhm.test.com
Accept: */*
User-Agent: curl/7.71.1

2024-12-05T16:31:52+08:00 ??? UUID:38935_38935_curl_5_1_39.156.66.10:443, Name:HTTPRequest, Type:1, Length:73
GET / HTTP/1.1
Host: baidu.com
Accept: */*
User-Agent: curl/7.79.1


2024-12-05T16:31:52+08:00 ??? UUID:38935_38935_curl_5_0_39.156.66.10:443, Name:HTTPResponse, Type:3, Length:357
HTTP/1.1 302 Moved Temporarily
Content-Length: 161
Connection: keep-alive
Content-Type: text/html
Date: Thu, 05 Dec 2024 08:31:51 GMT
Location: http://www.baidu.com/
Server: bfe/1.0.8.18

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>bfe/1.0.8.18</center>
</body>
</html>

os info

# uname -a
Linux zhm-cd-vm 5.10.0-216.0.0.115.oe2203sp4.x86_64 #1 SMP Thu Jun 27 15:13:44 CST 2024 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/os-release 
NAME="openEuler"
VERSION="22.03 (LTS-SP4)"
ID="openEuler"
VERSION_ID="22.03"
PRETTY_NAME="openEuler 22.03 (LTS-SP4)"
ANSI_COLOR="0;31"

# openssl version
OpenSSL 1.1.1wa  16 Nov 2023

@chilli13
Author

chilli13 commented Dec 6, 2024

According to the following code, it seems that only the dst ip/port can be obtained. If ecapture runs on the tls server, it is more important to obtain the src ip/port who initiated the connection. Is there any recommended solution?
P.S. Will it support IPv6 (AF_INET6) in the future?

SEC("kprobe/sys_connect")
...
    bpf_probe_read_user(&address_family, sizeof(address_family),
                        &saddr->sa_family);

@Asphaltt
Member

Asphaltt commented Dec 6, 2024

It seems tracepoint/sock/inet_sock_set_state is a better choice to get 5-tuple info, as AF_INET and AF_INET6 are both supported.

@chilli13
Author

chilli13 commented Dec 6, 2024

It seems tracepoint/sock/inet_sock_set_state is a better choice to get 5-tuple info, as AF_INET and AF_INET6 are both supported.

inet_sock_set_state seems unable to directly obtain fd

@cfc4n
Member

cfc4n commented Dec 6, 2024

In text mode, to obtain the target IP, use the FD of the SSL_set_fd function to associate it with the FD of the connect function of the kprobe, and then associate the remote IP corresponding to this fd. In the BIO mode of OpenSSL, the SSL_set_fd function is no longer called, and it cannot be associated with fd, so the ability to associate remote IP is lost.

Therefore, in the current solution, obtaining the association of the remote IP faces challenges, let alone completing the TCP 5-tuple. I think it will be more difficult. Of course, I hope everyone has a better solution.
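The two comments above describe a join problem: the text-mode UUID gets its remote address by chaining SSL_set_fd (SSL* to fd) to the connect() kprobe (fd to destination), which breaks in BIO mode, while tracepoint/sock/inet_sock_set_state yields both endpoints for AF_INET and AF_INET6 but is keyed by a struct sock*, not an fd. The following Go program is an added, user-space model of that correlation and is not eCapture's own code; the event structs, field names, the Correlator type and all sample values (pids, pointers, addresses) are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ConnectEvent models what a kprobe on connect() can see: only the
// destination side of the socket, keyed by (pid, fd). (Constructed model.)
type ConnectEvent struct {
	Pid    uint32
	Fd     int
	Remote netip.AddrPort
}

// SetFdEvent models a uprobe on SSL_set_fd: it ties an SSL* to an fd.
// In OpenSSL BIO mode this event never fires. (Constructed model.)
type SetFdEvent struct {
	Pid uint32
	SSL uintptr
	Fd  int
}

// SockStateEvent models tracepoint/sock/inet_sock_set_state: both endpoints
// and the family are available, but the key is a struct sock*, not an fd.
// (Constructed model.)
type SockStateEvent struct {
	Pid      uint32
	Sock     uintptr
	Family   string // "AF_INET" or "AF_INET6"
	Src, Dst netip.AddrPort
}

// FiveTuple is the TCP 5-tuple the issue asks for.
type FiveTuple struct {
	Proto    string
	Src, Dst netip.AddrPort
}

type pidFd struct {
	pid uint32
	fd  int
}
type pidPtr struct {
	pid uint32
	ptr uintptr
}

// Correlator holds the three lookup tables a user-space collector would fill
// from the kernel-side events. (Assumed design, not the project's.)
type Correlator struct {
	remoteByFd  map[pidFd]netip.AddrPort
	fdBySSL     map[pidPtr]int
	tupleBySock map[pidPtr]FiveTuple
}

func NewCorrelator() *Correlator {
	return &Correlator{
		remoteByFd:  map[pidFd]netip.AddrPort{},
		fdBySSL:     map[pidPtr]int{},
		tupleBySock: map[pidPtr]FiveTuple{},
	}
}

func (c *Correlator) OnConnect(e ConnectEvent) { c.remoteByFd[pidFd{e.Pid, e.Fd}] = e.Remote }
func (c *Correlator) OnSetFd(e SetFdEvent)     { c.fdBySSL[pidPtr{e.Pid, e.SSL}] = e.Fd }
func (c *Correlator) OnSockState(e SockStateEvent) {
	c.tupleBySock[pidPtr{e.Pid, e.Sock}] = FiveTuple{Proto: "tcp", Src: e.Src, Dst: e.Dst}
}

// RemoteForSSL is the join text mode relies on: SSL* -> fd -> remote address.
// It returns ok=false when no SSL_set_fd event was seen (BIO mode), which is
// the failure cfc4n describes.
func (c *Correlator) RemoteForSSL(pid uint32, ssl uintptr) (netip.AddrPort, bool) {
	fd, ok := c.fdBySSL[pidPtr{pid, ssl}]
	if !ok {
		return netip.AddrPort{}, false
	}
	r, ok := c.remoteByFd[pidFd{pid, fd}]
	return r, ok
}

// TupleForSock returns the full 5-tuple recorded from inet_sock_set_state.
// It works for both address families, but it needs a struct sock* key, so a
// TLS event (which only knows SSL* or fd) cannot reach it without a further
// fd-to-sock mapping, the gap chilli13 points out.
func (c *Correlator) TupleForSock(pid uint32, sock uintptr) (FiveTuple, bool) {
	t, ok := c.tupleBySock[pidPtr{pid, sock}]
	return t, ok
}

func main() {
	c := NewCorrelator()
	// Constructed sample: the curl -> 39.156.66.10:443 flow from the issue.
	c.OnConnect(ConnectEvent{Pid: 38935, Fd: 5, Remote: netip.MustParseAddrPort("39.156.66.10:443")})
	c.OnSetFd(SetFdEvent{Pid: 38935, SSL: 0x5555, Fd: 5})
	fmt.Println(c.RemoteForSSL(38935, 0x5555)) // resolves via SSL_set_fd
	fmt.Println(c.RemoteForSSL(38935, 0x6666)) // BIO mode: no SSL_set_fd, not resolvable
	// Constructed IPv6 sample seen only by the inet_sock_set_state tracepoint.
	c.OnSockState(SockStateEvent{Pid: 38819, Sock: 0x7777, Family: "AF_INET6",
		Src: netip.MustParseAddrPort("[2001:db8::10]:443"), Dst: netip.MustParseAddrPort("[2001:db8::1]:51234")})
	fmt.Println(c.TupleForSock(38819, 0x7777))
}
```

The two lookups make the trade-off concrete: the existing path needs SSL_set_fd and only ever knows the destination, whereas the tracepoint path knows both endpoints and both families but is indexed by a kernel pointer that neither the uprobe nor the UUID field currently carries.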

@cfc4n cfc4n added enhancement New feature or request good first issue Good for newcomers help wanted Extra attention is needed labels Dec 6, 2024