[pcap-ng-format] In need for some additional epb_ options

Eelco Chaudron echaudro at redhat.com
Wed Mar 25 15:40:22 UTC 2020 

Hi All,

I'm working on an xdpdump tool, which is a Linux tool that allows you to 
capture the packet before and/or after an XDP program was run by the 
kernel. This is needed as these eBPF programs run before the kernel sees 
the packet, and hence packets can be discarded or altered.

I'm currently adding PcapNG support, and I need some ECB option 
extensions. Unfortunately, the RFC has not been released, so no way I 
can request some IANA numbers. So what is the right way to get options 
assigned? Do I send a pull request to change the spec, 
https://github.com/pcapng/pcapng ?


I require three new ECB options, the first two are rather general and 
the third one might be a bit more open (like the epb_hash one):

epb_packetid:
The epb_packetid option is a 64-bit unsigned integer that uniquely 
identifies a packet. If the same packet is seen by multiple interfaces 
and there is a way for the capture application to correlated them, the 
same

epb_packetid value should be used. An example could be where an XDP 
program on ingress captures a packet, which gets modified and exits the 
XDP program. In this example, two packets are in the capture file, which 
are not identical but with the epb_packetid can be correlated.

epb_queue:
The epb_queue option is a 32-bit unsigned integer that identifies on 
which queue of the interface the specific packet was received.

epb_verdict:
The third option is used to store a verdict on the packet. This verdict 
could be set by the hardware/kernel/XDP program/application. Taking the 
example of an XDP program, it can return what happens with the packet 
once/if it's released to the kernel, i.e. 
XDP_ABBORTED/DROP/PASS/TX/REDIRECT. The first octet specifies the 
verdict type (0 = hardware, eBPF_TC = 1, eBPF_XDP = 2, user_application 
= 3), where the following bytes depend on the verdict type. For 0 and 2, 
it depends on the hardware/application, for 1 and 2 it's a 64-bit signed 
integer.

Any thoughts?

Thanks,

Eelco

PS: Current code can be found here, 
https://github.com/chaudron/xdp-tools/tree/dev/pcapng/xdp-dump

More information about the pcap-ng-format mailing list