feat: Support pcap-filter expression for pcap mode

.github/workflows/codeql-analysis.yml

@@ -41,12 +41,15 @@ jobs:
         with:
           go-version: '1.21.0'
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
+        with:
+          submodules: 'recursive'
+          fetch-depth: 0
 
       - name: Install Compilers
         run: |
           sudo apt-get update
-          sudo apt-get install --yes build-essential pkgconf libelf-dev llvm-12 clang-12 linux-tools-common linux-tools-generic
+          sudo apt-get install --yes build-essential pkgconf libelf-dev llvm-12 clang-12 linux-tools-common linux-tools-generic flex bison
           for tool in "clang" "llc" "llvm-strip"
           do
             sudo rm -f /usr/bin/$tool

.github/workflows/go-c-cpp.yml

@@ -24,7 +24,10 @@ jobs:
             sudo ln -s /usr/bin/$tool-9 /usr/bin/$tool
           done
         shell: bash
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+        with:
+          submodules: 'recursive'
+          fetch-depth: 0
       - name: Build
         run: |
           make clean
@@ -79,7 +82,10 @@ jobs:
             sudo ln -s /usr/bin/$tool-14 /usr/bin/$tool
           done
         shell: bash
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+        with:
+          submodules: 'recursive'
+          fetch-depth: 0
       - name: Build
         run: |
           make clean
@@ -127,8 +133,10 @@ jobs:
           - arch: aarch64
             distro: ubuntu22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
+          submodules: 'recursive'
+          fetch-depth: 0
           set-safe-directory: '/source_code'
       - name: Branch Name
         run: |
@@ -177,7 +185,7 @@ jobs:
           install: |
             uname -a
             apt-get update
-            apt-get install --yes wget git build-essential pkgconf libelf-dev llvm-12 clang-12  linux-tools-generic linux-tools-common
+            apt-get install --yes wget git build-essential pkgconf libelf-dev llvm-12 clang-12  linux-tools-generic linux-tools-common flex bison
             wget https://go.dev/dl/go1.21.0.linux-arm64.tar.gz
             rm -rf /usr/local/go
             tar -C /usr/local -xzf go1.21.0.linux-arm64.tar.gz

.github/workflows/release.yml

@@ -9,8 +9,9 @@ jobs:
   build:
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
       with:
+        submodules: 'recursive'
         fetch-depth: 0
     - name: Get the version
       id: get_tags
@@ -62,8 +63,10 @@ jobs:
           - arch: aarch64
             distro: ubuntu22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
+          submodules: 'recursive'
+          fetch-depth: 0
           set-safe-directory: '/source_code'
       - name: Get the version
         id: get_tags
@@ -126,7 +129,7 @@ jobs:
           install: |
             uname -a
             apt-get update
-            apt-get install --yes wget git build-essential pkgconf libelf-dev llvm-12 clang-12  linux-tools-generic linux-tools-common
+            apt-get install --yes wget git build-essential pkgconf libelf-dev llvm-12 clang-12  linux-tools-generic linux-tools-common flex bison
             wget https://go.dev/dl/go1.21.0.linux-arm64.tar.gz
             rm -rf /usr/local/go
             tar -C /usr/local -xzf go1.21.0.linux-arm64.tar.gz

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "lib/libpcap"]
+	path = lib/libpcap
+	url = https://github.com/the-tcpdump-group/libpcap.git

Makefile

@@ -58,12 +58,12 @@ ifeq ($(ANDROID),1)
 TARGET_TAG := androidgki
 endif
 
-EXTRA_CFLAGS ?= -O2 -mcpu=v1 \
+BPF_EXTRA_CFLAGS ?= -O2 -mcpu=v1 \
 	$(DEBUG_PRINT)	\
 	-nostdinc \
 	-Wno-pointer-sign
 
-EXTRA_CFLAGS_NOCORE ?= -emit-llvm -O2 -S\
+BPF_EXTRA_CFLAGS_NOCORE ?= -emit-llvm -O2 -S\
 	-xc -g \
 	-D__BPF_TRACING__ \
 	-D__KERNEL__ \
@@ -169,16 +169,22 @@ ifeq ($(UNAME_M),aarch64)
 				 -I ./kern/bpf/arm64
 	 AUTOGENCMD = ls -al kern/bpf/arm64/vmlinux.h
 	 IGNORE_LESS52 = -ignore '.*_less52\.o'
+	 LIBPCAP_ARCH = aarch64-unknown-linux-gnu
+	 SUDO =
 else
 	# x86_64 default
 	ARCH = x86_64
 	LINUX_ARCH = x86
 	GO_ARCH = amd64
 	BPFHEADER = -I ./kern \
 			    -I ./kern/bpf/x86
-	AUTOGENCMD = $(CMD_BPFTOOL) btf dump file /sys/kernel/btf/vmlinux format c > kern/bpf/x86/vmlinux.h
+	AUTOGENCMD = test -f kern/bpf/x86/vmlinux.h || $(CMD_BPFTOOL) btf dump file /sys/kernel/btf/vmlinux format c > kern/bpf/x86/vmlinux.h
+	LIBPCAP_ARCH = x86_64-unknown-linux-gnu
+	SUDO = sudo
 endif
 
+# Use clang as default compiler for both libpcap and cgo.
+CC = clang
 
 #
 # include vpath
@@ -191,6 +197,20 @@ KERN_SRC_PATH ?= $(if $(KERN_HEADERS),$(KERN_HEADERS),$(if $(wildcard /lib/modul
 BPF_NOCORE_TAG = $(subst .,_,$(KERN_RELEASE)).$(subst .,_,$(VERSION))
 
 
+#
+# cgo
+#
+
+CGO_ENABLED = 1
+
+
+#
+# libpcap
+#
+
+TARGET_LIBPCAP = /usr/local/lib/libpcap.a
+
+
 #
 # BPF Source file
 #
@@ -312,13 +332,13 @@ $(KERN_OBJECTS): %.o: %.c \
 	.checkver_$(CMD_GO) \
 	autogen
 	$(CMD_CLANG) -D__TARGET_ARCH_$(LINUX_ARCH) \
-		$(EXTRA_CFLAGS) \
+		$(BPF_EXTRA_CFLAGS) \
 		$(BPFHEADER) \
 		-target bpfel -c $< -o $(subst kern/,user/bytecode/,$@) \
 		-fno-ident -fdebug-compilation-dir . -g -D__BPF_TARGET_MISSING="GCC error \"The eBPF is using target specific macros, please provide -target\"" \
 		-MD -MP
 	$(CMD_CLANG) -D__TARGET_ARCH_$(LINUX_ARCH) \
-		$(EXTRA_CFLAGS) \
+		$(BPF_EXTRA_CFLAGS) \
 		$(BPFHEADER) \
 		-DKERNEL_LESS_5_2 \
 		-target bpfel -c $< -o $(subst kern/,user/bytecode/,$(subst .c,$(KERNEL_LESS_5_2_PREFIX),$<)) \
@@ -350,7 +370,7 @@ $(KERN_OBJECTS_NOCORE): %.nocore: %.c \
     		-I $(KERN_SRC_PATH)/include/uapi \
     		-I $(KERN_BUILD_PATH)/include/generated \
     		-I $(KERN_BUILD_PATH)/include/generated/uapi \
-    		$(EXTRA_CFLAGS_NOCORE) \
+    		$(BPF_EXTRA_CFLAGS_NOCORE) \
     		-c $< \
     		-o - |$(CMD_LLC) \
     		-march=bpf \
@@ -367,7 +387,7 @@ $(KERN_OBJECTS_NOCORE): %.nocore: %.c \
         		-I $(KERN_SRC_PATH)/include/uapi \
         		-I $(KERN_BUILD_PATH)/include/generated \
         		-I $(KERN_BUILD_PATH)/include/generated/uapi \
-        		$(EXTRA_CFLAGS_NOCORE) \
+        		$(BPF_EXTRA_CFLAGS_NOCORE) \
         		-DKERNEL_LESS_5_2 \
         		-c $< \
         		-o - |$(CMD_LLC) \
@@ -387,20 +407,51 @@ assets_nocore: \
 	ebpf_nocore
 	$(CMD_GO) run github.com/shuLhan/go-bindata/cmd/go-bindata $(IGNORE_LESS52) -pkg assets -o "assets/ebpf_probe.go" $(wildcard ./user/bytecode/*.o)
 
+
+$(TARGET_LIBPCAP):
+	test -f ./lib/libpcap/configure || git submodule update --init ./lib/libpcap
+	cd lib/libpcap && \
+		CC=$(CC) ./configure --disable-rdma --disable-shared --disable-usb \
+			--disable-netmap --disable-bluetooth --disable-dbus --without-libnl \
+			--without-dpdk --without-dag --without-septel --without-snf \
+			--without-turbocap --host=$(LIBPCAP_ARCH) && \
+		make && $(SUDO) make install
+
+
+BUILD_ECAPTURE = CC=$(CC) $(CMD_GO) build -tags $(TARGET_TAG) -ldflags "-w -s -X 'ecapture/cli/cmd.GitVersion=$(TARGET_TAG)_$(UNAME_M):$(VERSION):[CORE]'" -o bin/ecapture . && \
+	echo "Please ignore the above cgo libpcap warnings."
+
+
+.PHONY: build_ecapture
+build_ecapture:
+	$(BUILD_ECAPTURE)
+
+
 .PHONY: build
 build: \
 	.checkver_$(CMD_GO) \
-	assets
-	CGO_ENABLED=0 $(CMD_GO) build -tags $(TARGET_TAG) -ldflags "-w -s -X 'ecapture/cli/cmd.GitVersion=$(TARGET_TAG)_$(UNAME_M):$(VERSION):[CORE]'" -o bin/ecapture .
+	assets \
+	$(TARGET_LIBPCAP)
+	$(BUILD_ECAPTURE)
+
+
+BUILD_ECAPTURE_NOCORE = CC=$(CC) $(CMD_GO) build -tags $(TARGET_TAG) -ldflags "-w -s -X 'ecapture/cli/cmd.GitVersion=$(TARGET_TAG)_$(UNAME_M):$(VERSION):$(UNAME_R)' -X 'main.enableCORE=false'" -o bin/ecapture . && \
+	echo "Please ignore the above cgo libpcap warnings."
+
+
+.PHONY: build_ecapture_nocore
+build_ecapture_nocore:
+	$(BUILD_ECAPTURE_NOCORE)
 
 
 # FOR NON-CORE
 .PHONY: build_nocore
 build_nocore: \
 	.checkver_$(CMD_GO) \
 	assets_nocore \
-	ebpf_nocore
-	CGO_ENABLED=0 $(CMD_GO) build -tags $(TARGET_TAG) -ldflags "-w -s -X 'ecapture/cli/cmd.GitVersion=$(TARGET_TAG)_$(UNAME_M):$(VERSION):$(UNAME_R)' -X 'main.enableCORE=false'" -o bin/ecapture .
+	ebpf_nocore \
+	$(TARGET_LIBPCAP)
+	$(BUILD_ECAPTURE_NOCORE)
 
 # Format the code
 format:

README.md

@@ -74,7 +74,7 @@ The OpenSSL module supports three capture modes:
 You can specify `-m pcap` or `-m pcapng` and use it in conjunction with `--pcapfile` and `-i` parameters. The default value for `--pcapfile` is `ecapture_openssl.pcapng`.
 
 ```shell
-./ecapture tls -m pcap -i eth0 --pcapfile=ecapture.pcapng --port=443
+./ecapture tls -m pcap -i eth0 --pcapfile=ecapture.pcapng tcp port 443
 ```
 
 This command saves captured plaintext data packets as a pcapng file, which can be viewed using `Wireshark`.
@@ -145,7 +145,7 @@ ps -ef | grep foo
 # How to compile
 Linux Kernel: >= 4.18.
 
-## Tools 
+## Tools
 * golang 1.21 or newer
 * clang 9.0 or newer
 * cmake 3.18.4 or newer
@@ -167,8 +167,14 @@ In addition to the software listed in the 'Toolchain Version' section above, the
 * libelf-dev
 
 **Clone the repository code and compile it**
+
+Caution: The following `make` command will install libpcap into the system
+directory if `libpcap.a` does not exist under `/usr/local/lib`. If you have
+installed libpcap in system without `libpcap.a`, it maybe break your libpcap's
+headers.
+
 ```shell
-git clone git@github.com:gojue/ecapture.git
+git clone --recurse-submodules git@github.com:gojue/ecapture.git
 cd ecapture
 make
 bin/ecapture

README_CN.md

@@ -72,12 +72,12 @@ eCapture默认查找`/etc/ld.so.conf`文件，查找SO文件的加载目录，
 
 ## 模块介绍
 eCapture 有8个模块，分别支持openssl/gnutls/nspr/boringssl/gotls等类库的TLS/SSL加密类库的明文捕获、Bash、Mysql、PostGres软件审计。
-* bash		capture bash command 
-* gnutls	capture gnutls text content without CA cert for gnutls libraries. 
-* gotls		Capturing plaintext communication from Golang programs encrypted with TLS/HTTPS. 
-* mysqld	capture sql queries from mysqld 5.6/5.7/8.0 . 
-* nss		capture nss/nspr encrypted text content without CA cert for nss/nspr libraries. 
-* postgres	capture sql queries from postgres 10+. 
+* bash		capture bash command
+* gnutls	capture gnutls text content without CA cert for gnutls libraries.
+* gotls		Capturing plaintext communication from Golang programs encrypted with TLS/HTTPS.
+* mysqld	capture sql queries from mysqld 5.6/5.7/8.0 .
+* nss		capture nss/nspr encrypted text content without CA cert for nss/nspr libraries.
+* postgres	capture sql queries from postgres 10+.
 * tls		use to capture tls/ssl text content without CA cert. (Support openssl 1.0.x/1.1.x/3.0.x or newer).
 
 你可以通过`ecapture -h`来查看这些自命令列表。
@@ -90,8 +90,8 @@ openssl模块支持3中捕获模式
 ### Pcap 模式
 你可以通过`-m pcap`或`-m pcapng`参数来指定，需要配合`--pcapfile`、`-i`参数使用。其中`--pcapfile`参数的默认值为`ecapture_openssl.pcapng`。
 ```shell
-./ecapture tls -m pcap -i eth0 --pcapfile=ecapture.pcapng --port=443
-``` 
+./ecapture tls -m pcap -i eth0 --pcapfile=ecapture.pcapng tcp port 443
+```
 将捕获的明文数据包保存为pcapng文件，可以使用`Wireshark`打开查看。
 
 ### keylog 模式
@@ -163,7 +163,7 @@ ps -ef | grep foo
 **推荐使用`UBUNTU 20.04` 及以上版本的Linux测试。**
 
 > **Note**
-> 
+>
 > Android版本编译方法见 [eCapture旁观者：Android HTTPS明文抓包](https://mp.weixin.qq.com/s/KWm5d0uuzOzReRtr9PmuWQ)
 
 ## 工具链版本
@@ -189,8 +189,13 @@ ps -ef | grep foo
 * libelf-dev
 
 **克隆仓库代码，并进行编译**
+
+注意：如果系统里没有 `/usr/local/lib/libpcap.a`，则下面 `make` 命令会将 libpcap
+编译并安装到 `/usr/local/lib` 目录下。如果系统里已经安装了 libpcap 但没有
+`/usr/local/lib/libpcap.a`，则 `make` 命令会破坏系统里的 libpcap 头文件。
+
 ```shell
-git clone git@github.com:gojue/ecapture.git
+git clone --recurse-submodules git@github.com:gojue/ecapture.git
 cd ecapture
 make
 bin/ecapture

README_JA.md

@@ -74,7 +74,7 @@ openssl模块支持3中捕获模式
 你可以通过`-m pcap`或`-m pcapng`参数来指定，需要配合`--pcapfile`、`-i`参数使用。其中`--pcapfile`参数的默认值为`ecapture_openssl.pcapng`。
 ```shell
 ./ecapture tls -m pcap -i eth0 --pcapfile=ecapture.pcapng --port=443
-``` 
+```
 将捕获的明文数据包保存为pcapng文件，可以使用`Wireshark`打开查看。
 
 ### keylog 模式
@@ -154,7 +154,7 @@ Linux カーネル: >= 4.18.
 
 **リポジトリのコードをクローンし、コンパイルしてください**
 ```shell
-git clone git@github.com:gojue/ecapture.git
+git clone --recurse-submodules git@github.com:gojue/ecapture.git
 cd ecapture
 make
 bin/ecapture

builder/init_env.sh

@@ -54,7 +54,7 @@ uname -a
 sudo apt-get update
 
 # 环境安装
-sudo apt-get install --yes build-essential pkgconf libelf-dev llvm-${CLANG_NUM} clang-${CLANG_NUM} linux-tools-common linux-tools-generic
+sudo apt-get install --yes build-essential pkgconf libelf-dev llvm-${CLANG_NUM} clang-${CLANG_NUM} linux-tools-common linux-tools-generic flex bison
 for tool in "clang" "llc" "llvm-strip"
 do
   sudo rm -f /usr/bin/$tool