Releases: retis-org/retis
v1.5.0
This version includes major new features, improvements and fixes. It includes 278 non-merge commits since v1.4.0! Many thanks to all the contributors 🥳
Python post-processing
Retis now supports converting its events to Python objects which enables post-processing a collection using custom scripts. A built-in Python interpreter can be used (and can run external Python scripts) as well as an external Python library. All details can be found in the documentation.
This is a major feature enabling users to automate the post-processing inspection of events and to tailor the logic to their exact needs. This can also be used in CI or for writing external tools.
$ retis -p ifdump collect -o --cmd 'ping -c1 1.1.1.1'
...
$ retis python
Python 3.13.0 (main, Oct 8 2024, 00:00:00) [GCC 14.2.1 20240912 (Red Hat 14.2.1-3)] on linux
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> for e in reader.events():
...     if "skb" in e and getattr(e["skb"], "ip", None):
...         print(e["skb"].ip.daddr)
...
1.1.1.1
192.168.0.42
>>>
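The same event walk as a stand-alone post-processing script, as an added example that is not part of the release notes or the Retis project. It assumes only the event shape shown in the session above (an "skb" section with an optional "ip" layer carrying "daddr"); the events here are constructed stand-ins, and with retis python the real ones would come from reader.events().

```python
from collections import Counter
from types import SimpleNamespace


def summarize(events):
    """Return (packets per IP destination, count of events without an IP layer).

    Uses the same guard as the interactive session: only events that carry
    an skb section with a parsed IP header contribute a destination.
    """
    per_dst = Counter()
    no_ip = 0
    for e in events:
        if "skb" in e and getattr(e["skb"], "ip", None):
            per_dst[e["skb"].ip.daddr] += 1
        else:
            no_ip += 1
    return per_dst, no_ip


def unexpected_destinations(events, allowed):
    """CI-style check: IP destinations seen in the collection that are not in
    the allow-list (e.g. to flag traffic leaving a test environment)."""
    per_dst, _ = summarize(events)
    return sorted(d for d in per_dst if d not in allowed)


# Constructed stand-ins for Retis events (not captured data). When run with
# 'retis python script.py', replace SAMPLE_EVENTS with reader.events().
def _skb_event(saddr, daddr):
    return {"skb": SimpleNamespace(ip=SimpleNamespace(saddr=saddr, daddr=daddr))}


SAMPLE_EVENTS = [
    _skb_event("192.168.0.42", "1.1.1.1"),
    _skb_event("1.1.1.1", "192.168.0.42"),
    _skb_event("192.168.0.42", "1.1.1.1"),
    {"skb": SimpleNamespace(ip=None)},                 # skb without a parsed IP header
    {"kernel": SimpleNamespace(symbol="kfree_skb")},   # event with no skb section at all
]

if __name__ == "__main__":
    per_dst, no_ip = summarize(SAMPLE_EVENTS)
    for dst, n in per_dst.most_common():
        print(f"{dst}: {n}")
    print(f"events without an IP layer: {no_ip}")
    print("unexpected destinations:", unexpected_destinations(SAMPLE_EVENTS, {"1.1.1.1"}))
```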
Advanced features for meta-filters
Meta-filters can be used to filter packets based on struct sk_buff values, including nested ones. They gain the ability to perform advanced operations like masking and following pointers embedded in a different type. See all the details in the filtering documentation.
Aarch64 support
Retis now compiles and runs on aarch64 machines (and can even be cross-compiled).
Improved date formatting
Timestamps can now be displayed as UTC using the --utc parameter for the collect, print and sort sub-commands.
New ifdump profile
A new profile was added to dump packets after the device on ingress and before the device on egress, like AF_PACKET utilities do.
$ retis -p ifdump collect
...
Other improvements
- Support for parent information, mark and labels in the conntrack collector.
- Meta-filtering now supports the != operator on strings.
- Easier definition of probes when collecting events (the type is not required anymore if it can be inferred).
- The documentation and the project README were improved significantly.
- Bindgen is now used internally for types shared between eBPF and Rust.
- Better handling of unknown packets.
- Drop action support for the OvS collector.
- And many others!
v1.4.0
This version includes multiple improvements, features and fixes. 119 non-merge commits since v1.3.0! Thanks to everyone who contributed 😄
Auto-completion
Retis now supports auto-completion. For Bash this can be set up using source <(retis sh-complete --shell bash). See the official documentation for more details.
Bitfield support in meta-filtering
Meta filtering allows matching packets based on their metadata, i.e. direct field checking in struct sk_buff. This now also supports bitfields. See the official documentation for more details.
Retis inspect command
A new sub-command was added, inspect, to filter and display compatible probes on a running kernel. This can be used to get a list of where Retis could add probes. See retis inspect --help for more information.
Probe-stack mode
A new parameter was added to the collect sub-command, --probe-stack. When this is set, Retis evaluates where additional probes could be added based on functions reported in the stack traces, and installs probes on those functions at runtime. See retis collect --help.
Other improvements
- Better support of early Rx and Tx packets.
- --skb-sections selection simplifications (as a side effect, the pcap subcommand does not require a special collection configuration anymore).
- ICMPv6, GSO support and better csum info in the skb events. SMP id is also now reported on all events.
- Complete rework of our build system (now using make).
- And many more (logging in BPF, authors file, bug fixes, etc.)!
v1.3.2
10 non-merge commits since v1.3.1.
- Wait for probes to be installed before starting the collection of events. This fixes potential inconsistencies in the first events (some missing events and some issues with tracking).
- Updated btf-rs to 1.1. This fixes a corner case issue where some symbols could not be found, e.g. when using user-defined probes.
v1.3.1
A few fixes. 16 non-merge commits since v1.3.0.
- Improved symbols validation.
- Fixed packet size computation in BPF for some cases.
- Improved meta filtering input validation.
- Improved the fix for a BPF verifier issue on older kernels.
- Fixed a BPF verifier issue on newer kernels.
- Added CentOS Stream 8 to the runtime CI and upgraded f38 to f39.
v1.3.0
This version includes multiple improvements, new features and fixes. 136 commits since v1.2.0!
PCAP post-processing
A new post-processing command, pcap, is introduced and can be used to generate pcap-ng files for consumption by other tools. First, a capture of events must be performed using Retis. Then, the pcap post-processing command can be used to generate pcap-ng files (filtering for a single probe for now).
$ retis -p pcap,generic collect -o
$ retis pcap --probe tp:net:netif_receive_skb | tcpdump -nnr -
$ retis pcap --probe tp:net:net_dev_start_xmit -o retis.pcap
$ wireshark retis.pcap
More information in the online documentation.
Meta filtering
Meta filtering allows matching packets based on their metadata, i.e. direct field checking in struct sk_buff. Metadata filters can match against any subfield of the sk_buff and subsequent inner data structures. Meta filtering also automatically follows struct pointers, so indirect access to structures pointed to by an sk_buff field is possible.
$ retis collect -m 'sk_buff.dev.nd_net.net.ns.inum == 4026531840'
$ retis collect -m 'sk_buff.dev.name == "eth0"'
More information in the online documentation.
L3 filtering
Retis now automatically detects and generates L2/L3 filters based on the expression. This allows matching both fully formed packets and packets that do not have a valid L2 header yet. The following filter internally generates two filters. For packets without a valid L2 header, the filter matches packets with TCP source or destination port 443. For packets with a valid L2 header, both ARP and TCP packets are matched.
$ retis collect -f 'arp or tcp port 443'
L2+L3 packet filter(s) loaded
More information in the online documentation.
Other improvements
- Wildcard support for all probe types (was kprobe-only). E.g.:
$ retis collect -p tp:skb:*
- Pager support in post-processing commands.
- Non-core drop reasons support.
- Improved logging.
- Multiple improvements & fixes.