Merge 53ce68e into f929c68

Author: cfc4n

internal/output/writers/keylog_writer.go

@@ -34,5 +34,9 @@ func NewPcapKeylogWriter(pw *PcapWriter) *PcapKeylogWriter {
 }
 
 func (w *PcapKeylogWriter) Write(p []byte) (n int, err error) {
-	return len(p), w.PcapWriter.WriteKeyLog(p)
+	// Create a copy to avoid modifying the provided buffer
+	data := make([]byte, len(p)+1)
+	copy(data, p)
+	data[len(p)] = '\n'
+	return len(p), w.PcapWriter.WriteKeyLog(data)
 }

internal/probe/base/handlers/keylog_handler.go

@@ -150,7 +150,7 @@ func (h *KeylogHandler) handleTLS12(event MasterSecretEvent) error {
 	}
 
 	// Format: CLIENT_RANDOM <client_random> <master_secret>
-	line := fmt.Sprintf("%s %x %x\n",
+	line := fmt.Sprintf("%s %x %x",
 		KeyLogLabelTLS12,
 		clientRandom[:Ssl3RandomSize],
 		masterKey[:MasterSecretMaxLen])
@@ -199,7 +199,7 @@ func (h *KeylogHandler) handleGoTLS(event GoTLSMasterSecretEvent) error {
 
 	// Format: LABEL <client_random_hex> <secret_hex>
 	// This is the standard NSS Key Log Format used by Wireshark
-	line := fmt.Sprintf("%s %x %x\n", label, clientRandom, secret)
+	line := fmt.Sprintf("%s %x %x", label, clientRandom, secret)
 
 	// Use label+client_random as dedup key to avoid multiple captures
 	dedupKey := fmt.Sprintf("%s_%x", label, clientRandom)
@@ -250,7 +250,7 @@ func (h *KeylogHandler) handleTLS13(event MasterSecretEvent) error {
 			continue // Already written this secret type for this connection
 		}
 
-		line := fmt.Sprintf("%s %s %x\n", secret.label, clientRandomHex, secret.data)
+		line := fmt.Sprintf("%s %s %x", secret.label, clientRandomHex, secret.data)
 
 		// Write to output
 		if _, err := h.writer.Write([]byte(line)); err != nil {

internal/probe/bash/bash_test.go

@@ -133,9 +133,6 @@ func TestNewProbe(t *testing.T) {
 	if err != nil {
 		t.Fatalf("NewProbe() error = %v", err)
 	}
-	if probe == nil {
-		t.Fatal("NewProbe() returned nil")
-	}
 	if probe.Name() != "Bash" {
 		t.Errorf("expected name 'bash', got %s", probe.Name())
 	}

internal/probe/gotls/config_test.go

@@ -25,9 +25,6 @@ import (
 
 func TestNewConfig(t *testing.T) {
 	cfg := NewConfig()
-	if cfg == nil {
-		t.Fatal("NewConfig() returned nil")
-	}
 
 	if cfg.CaptureMode != "text" {
 		t.Errorf("expected default CaptureMode='text', got '%s'", cfg.CaptureMode)

internal/probe/mysql/mysql_test.go

@@ -224,9 +224,6 @@ func TestEvent_Methods(t *testing.T) {
 
 func TestProbe_Creation(t *testing.T) {
 	probe := NewProbe()
-	if probe == nil {
-		t.Fatal("NewProbe() returned nil")
-	}
 
 	if probe.Name() != "MySQL" {
 		t.Errorf("Probe.Name() = %v, want %v", probe.Name(), "MySQL")

internal/probe/openssl/config.go

@@ -170,10 +170,7 @@ func (c *Config) validateCaptureMode() error {
 
 // IsSupportedVersion checks if the detected version is supported.
 func (c *Config) IsSupportedVersion() bool {
-	if c.SslVersion != "" {
-		return true
-	}
-	return false
+	return c.SslVersion != ""
 }
 
 // GetBPFFileName returns the eBPF object file name for the detected version.
@@ -326,9 +323,6 @@ func (c *Config) getSslBpfFile(soPath, sslVersion string) error {
 				//c.Logger().Warn().Err(err).Str("soPath", soPath).Str("imported", libcryptoName).Msgf("OpenSSL(libcrypto.so.3) version not found.%s", fmt.Sprintf(OpensslNoticeUsedDefault, OpensslNoticeVersionGuideLinux))
 				return err
 			}
-			if goerrors.Is(err, ErrProbeOpensslVerNotFound) {
-				//c.Logger().Info().Str("soPath", soPath).Str("imported", libcryptoName).Str("version", verString).Msg("OpenSSL/BoringSSL version found from imported libcrypto.so")
-			}
 		}
 	}
 
@@ -354,9 +348,8 @@ func (c *Config) getSslBpfFile(soPath, sslVersion string) error {
 			c.SslBpfFile = bpfFile
 			//c.Logger().Info().Bool("Android", isAndroid).Str("library version", bpfFileKey).Msg("OpenSSL/BoringSSL version found")
 			return nil
-		} else {
-			//c.Logger().Warn().Str("version", bpfFileKey).Err(ErrProbeOpensslVerBytecodeNotFound).Msg("Please send an issue to https://github.com/gojue/ecapture/issues")
 		}
+		//c.Logger().Warn().Str("version", bpfFileKey).Err(ErrProbeOpensslVerBytecodeNotFound).Msg("Please send an issue to https://github.com/gojue/ecapture/issues")
 	}
 
 	bpfFile = c.autoDetectBytecode(bpfFileKey, soPath, isAndroid)
@@ -484,13 +477,12 @@ func (c *Config) autoDetectBytecode(ver, soPath string, isAndroid bool) string {
 	}
 
 	// auto downgrade openssl version
-	var isDowngrade bool
-	bpfFile, isDowngrade = c.downgradeOpensslVersion(ver, soPath)
-	if isDowngrade {
-		//c.Logger().Error().Str("OpenSSL Version", ver).Str("bpfFile", bpfFile).Msgf("OpenSSL/BoringSSL version not found, used downgrade version. %s", fmt.Sprintf(OpensslNoticeUsedDefault, OpensslNoticeVersionGuideLinux))
-	} else {
-		//c.Logger().Error().Str("OpenSSL Version", ver).Str("bpfFile", bpfFile).Msgf("OpenSSL/BoringSSL version not found, used default version. %s", fmt.Sprintf(OpensslNoticeUsedDefault, OpensslNoticeVersionGuideLinux))
-	}
+	//var isDowngrade bool
+	bpfFile, _ = c.downgradeOpensslVersion(ver, soPath)
+	//if isDowngrade {
+	//c.Logger().Error().Str("OpenSSL Version", ver).Str("bpfFile", bpfFile).Msgf("OpenSSL/BoringSSL version not found, used downgrade version. %s", fmt.Sprintf(OpensslNoticeUsedDefault, OpensslNoticeVersionGuideLinux))
+	//}
+	//c.Logger().Error().Str("OpenSSL Version", ver).Str("bpfFile", bpfFile).Msgf("OpenSSL/BoringSSL version not found, used default version. %s", fmt.Sprintf(OpensslNoticeUsedDefault, OpensslNoticeVersionGuideLinux))
 
 	return bpfFile
 }

internal/probe/openssl/event.go

@@ -20,6 +20,8 @@ import (
 	"fmt"
 	"time"
 
+	"golang.org/x/sys/unix"
+
 	"github.com/gojue/ecapture/internal/domain"
 	"github.com/gojue/ecapture/internal/errors"
 )
@@ -31,31 +33,91 @@ const (
 
 	// MaxDataSize is the maximum TLS data size from eBPF
 	// Increased to 16KB, fix: https://github.com/gojue/ecapture/issues/740
-	MaxDataSize = 1024 * 16
-
+	MaxDataSize   = 1024 * 16
 	ChunkSize     = 32
 	ChunkSizeHalf = ChunkSize / 2
 )
 
+type AttachType int64
+
+const (
+	ProbeEntry AttachType = iota
+	ProbeRet
+)
+
+const (
+	Ssl2Version   = 0x0002
+	Ssl3Version   = 0x0300
+	Tls1Version   = 0x0301
+	Tls11Version  = 0x0302
+	Tls12Version  = 0x0303
+	Tls13Version  = 0x0304
+	Dtls1Version  = 0xFEFF
+	Dtls12Version = 0xFEFD
+)
+
+type TlsVersion struct {
+	Version int32
+}
+
+func (t TlsVersion) String() string {
+	switch t.Version {
+	case Ssl2Version:
+		return "SSL2_VERSION"
+	case Ssl3Version:
+		return "SSL3_VERSION"
+	case Tls1Version:
+		return "TLS1_VERSION"
+	case Tls11Version:
+		return "TLS1_1_VERSION"
+	case Tls12Version:
+		return "TLS1_2_VERSION"
+	case Tls13Version:
+		return "TLS1_3_VERSION"
+	case Dtls1Version:
+		return "DTLS1_VERSION"
+	case Dtls12Version:
+		return "DTLS1_2_VERSION"
+	}
+	return fmt.Sprintf("TLS_VERSION_UNKNOWN_%d", t.Version)
+}
+
+/*
+struct ssl_data_event_t {
+    enum ssl_data_event_type type;
+    u64 timestamp_ns;
+    u32 pid;
+    u32 tid;
+    char data[MAX_DATA_SIZE_OPENSSL];
+    s32 data_len;
+    char comm[TASK_COMM_LEN];
+    u32 fd;
+    s32 version;
+    u32 bio_type;
+};
+*/
 // Event represents an OpenSSL TLS data event from eBPF.
 type Event struct {
-	Timestamp   uint64            `json:"timestamp"` // Nanosecond timestamp
-	Pid         uint32            `json:"pid"`       // Process ID
-	Tid         uint32            `json:"tid"`       // Thread ID
-	DataLen     int32             `json:"dataLen"`   // Length of actual data
-	PayloadType uint8             `json:"payloadType"`
-	Data        [MaxDataSize]byte `json:"data"` // TLS data payload
-	Comm        [16]byte          `json:"comm"` // Process name
-
-	DataType uint8  `json:"dataType"`
-	Fd       uint32 `json:"fd"`
-	Version  uint32 `json:"version"` // TLS version (e.g., 771 for TLS 1.2)
+	DataType  int64             `json:"dataType"`
+	Timestamp uint64            `json:"timestamp"` // Nanosecond timestamp
+	Pid       uint32            `json:"pid"`       // Process ID
+	Tid       uint32            `json:"tid"`       // Thread ID
+	Data      [MaxDataSize]byte `json:"data"`      // TLS data payload
+	DataLen   int32             `json:"dataLen"`   // Length of actual data
+	Comm      [TaskCommLen]byte `json:"comm"`      // Process name
+	Fd        uint32            `json:"fd"`
+	Version   int32             `json:"version"` // TLS version (e.g., 771 for TLS 1.2)
+	Tuple     string
+	BioType   uint32
+	Sock      uint64
 }
 
 // DecodeFromBytes deserializes the event from raw eBPF data.
 func (e *Event) DecodeFromBytes(data []byte) error {
 	buf := bytes.NewBuffer(data)
-
+	if err := binary.Read(buf, binary.LittleEndian, &e.DataType); err != nil {
+		return errors.NewEventDecodeError("openssl.DataType", err)
+	}
 	// Read fields in order matching the eBPF structure
 	if err := binary.Read(buf, binary.LittleEndian, &e.Timestamp); err != nil {
 		return errors.NewEventDecodeError("openssl.Timestamp", err)
@@ -66,26 +128,25 @@ func (e *Event) DecodeFromBytes(data []byte) error {
 	if err := binary.Read(buf, binary.LittleEndian, &e.Tid); err != nil {
 		return errors.NewEventDecodeError("openssl.Tid", err)
 	}
-	if err := binary.Read(buf, binary.LittleEndian, &e.DataLen); err != nil {
-		return errors.NewEventDecodeError("openssl.DataLen", err)
-	}
-	if err := binary.Read(buf, binary.LittleEndian, &e.PayloadType); err != nil {
-		return errors.NewEventDecodeError("openssl.PayloadType", err)
-	}
 	if err := binary.Read(buf, binary.LittleEndian, &e.Data); err != nil {
 		return errors.NewEventDecodeError("openssl.Data", err)
 	}
+	if err := binary.Read(buf, binary.LittleEndian, &e.DataLen); err != nil {
+		return errors.NewEventDecodeError("openssl.DataLen", err)
+	}
 	if err := binary.Read(buf, binary.LittleEndian, &e.Comm); err != nil {
 		return errors.NewEventDecodeError("openssl.Comm", err)
 	}
-
-	if err := binary.Read(buf, binary.LittleEndian, &e.Comm); err != nil {
+	if err := binary.Read(buf, binary.LittleEndian, &e.Fd); err != nil {
+		return errors.NewEventDecodeError("openssl.Fd", err)
+	}
+	if err := binary.Read(buf, binary.LittleEndian, &e.Version); err != nil {
 		return errors.NewEventDecodeError("openssl.Version", err)
 	}
-
-	if e.Timestamp == 0 {
-		e.Timestamp = uint64(time.Now().UnixNano())
+	if err := binary.Read(buf, binary.LittleEndian, &e.BioType); err != nil {
+		return errors.NewEventDecodeError("openssl.BioType", err)
 	}
+
 	return nil
 }
 
@@ -96,11 +157,22 @@ func (e *Event) String() string {
 		direction = "READ"
 	}
 
-	ts := time.Unix(0, int64(e.Timestamp))
+	// 2. 获取时间偏移量
+	offsetNs, err := getClockOffset()
+	if err != nil {
+		panic(err)
+	}
+	// 3. 计算绝对时间戳（纳秒）
+	absoluteTimeNs := int64(e.Timestamp) + offsetNs
+
+	// 4. 将纳秒转换为 Go 的 time.Time 对象
+	// time.Unix(sec, nsec)
+	eventTime := time.Unix(0, absoluteTimeNs)
+
 	dataStr := string(e.GetData())
 
 	return fmt.Sprintf("[%s] PID:%d TID:%d Comm:%s FD:%d %s (%d bytes):\n%s",
-		ts.Format("2006-01-02 15:04:05.000"),
+		eventTime.Format("2006-01-02 15:04:05.000"),
 		e.Pid,
 		e.Tid,
 		e.GetComm(),
@@ -118,7 +190,7 @@ func (e *Event) StringHex() string {
 		direction = "READ"
 	}
 
-	ts := time.Unix(0, int64(e.Timestamp))
+	ts := time.Unix(int64(e.Timestamp), 0)
 
 	hexData := dumpByteSlice(e.GetData(), "")
 
@@ -134,6 +206,25 @@ func (e *Event) StringHex() string {
 	)
 }
 
+func (e *Event) BaseInfo() string {
+	addr := "[TODO]"
+	if e.Tuple != "" {
+		addr = e.Tuple
+	}
+	var connInfo string
+	switch AttachType(e.DataType) {
+	case ProbeEntry:
+		connInfo = fmt.Sprintf("Received %d bytes from %s", e.DataLen, addr)
+	case ProbeRet:
+		connInfo = fmt.Sprintf("Send %d bytes to %s", e.DataLen, addr)
+	default:
+		connInfo = fmt.Sprintf("UNKNOWN_%d", e.DataType)
+	}
+	v := TlsVersion{Version: e.Version}
+	s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, Version:%s, %s", e.Pid, commStr(e.Comm[:]), e.Tid, v.String(), connInfo)
+	return s
+}
+
 // Clone creates a new instance of the event.
 func (e *Event) Clone() domain.Event {
 	clone := *e
@@ -213,17 +304,17 @@ func commToString(data []byte) string {
 	return string(data)
 }
 
-// Decode implements domain.EventDecoder interface for TLS data events.
-func (e *Event) Decode(data []byte) (domain.Event, error) {
-	event := &Event{}
-	if err := event.DecodeFromBytes(data); err != nil {
-		return nil, err
-	}
-	if err := event.Validate(); err != nil {
-		return nil, err
-	}
-	return event, nil
-}
+//// Decode implements domain.EventDecoder interface for TLS data events.
+//func (e *Event) Decode(data []byte) (domain.Event, error) {
+//	event := &Event{}
+//	if err := event.DecodeFromBytes(data); err != nil {
+//		return nil, err
+//	}
+//	if err := event.Validate(); err != nil {
+//		return nil, err
+//	}
+//	return event, nil
+//}
 
 func dumpByteSlice(b []byte, prefix string) *bytes.Buffer {
 	var a [ChunkSize]byte
@@ -267,3 +358,25 @@ func dumpByteSlice(b []byte, prefix string) *bytes.Buffer {
 	}
 	return bb
 }
+
+// getClockOffset 计算 CLOCK_REALTIME (绝对时间) 和 CLOCK_MONOTONIC (单调时间) 之间的差值。
+// 这个差值实际上就是系统的启动时间 (Boot Time)。
+func getClockOffset() (int64, error) {
+	var tsReal, tsMono unix.Timespec
+
+	// 获取当前墙上时间 (绝对时间)
+	if err := unix.ClockGettime(unix.CLOCK_REALTIME, &tsReal); err != nil {
+		return 0, fmt.Errorf("failed to get CLOCK_REALTIME: %w", err)
+	}
+
+	// 获取当前单调时间 (自启动以来的时间)
+	if err := unix.ClockGettime(unix.CLOCK_MONOTONIC, &tsMono); err != nil {
+		return 0, fmt.Errorf("failed to get CLOCK_MONOTONIC: %w", err)
+	}
+
+	// 转换为纳秒并计算差值
+	realNs := tsReal.Sec*1e9 + tsReal.Nsec
+	monoNs := tsMono.Sec*1e9 + tsMono.Nsec
+
+	return realNs - monoNs, nil
+}