gojue · cfc4n · Feb 10, 2025 · Feb 10, 2025
diff --git a/kern/openssl.h b/kern/openssl.h
@@ -39,16 +39,17 @@ struct ssl_data_event_t {
 };
 
 struct connect_event_t {
+    unsigned __int128 saddr;
+    unsigned __int128 daddr;
+    char comm[TASK_COMM_LEN];
     u64 timestamp_ns;
+    u64 sock;
     u32 pid;
     u32 tid;
     u32 fd;
+    u16 family;
     u16 sport;
     u16 dport;
-    __be32 saddr;
-    __be32 daddr;
-    char comm[TASK_COMM_LEN];
-    u64 sock;
     u8 is_destroy;
     u8 pad[7];
 } __attribute__((packed)); // NOTE: do not leave padding hole in this struct.
@@ -503,7 +504,8 @@ static __inline int kretprobe_connect(struct pt_regs *ctx, int fd, struct sock *
     u64 current_uid_gid = bpf_get_current_uid_gid();
     u32 uid = current_uid_gid;
     u16 address_family = 0;
-    u64 addrs;
+    unsigned __int128 saddr;
+    unsigned __int128 daddr;
     u32 ports;
 
 #ifndef KERNEL_LESS_5_2
@@ -517,35 +519,43 @@ static __inline int kretprobe_connect(struct pt_regs *ctx, int fd, struct sock *
 #endif
 
     bpf_probe_read_kernel(&address_family, sizeof(address_family), &sk->__sk_common.skc_family);
-    if (address_family != AF_INET) {
+    debug_bpf_printk("@ sockaddr FM :%d\n", address_family);
+
+    if (address_family == AF_INET) {
+        u64 addrs;
+        bpf_probe_read_kernel(&addrs, sizeof(addrs), &sk->__sk_common.skc_addrpair);
+        saddr = (__be32)(addrs >> 32);
+        daddr = (__be32)addrs;
+    } else if (address_family == AF_INET6) {
+        bpf_probe_read_kernel(&saddr, sizeof(saddr), &sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr32);
+        bpf_probe_read_kernel(&daddr, sizeof(daddr), &sk->__sk_common.skc_v6_daddr.in6_u.u6_addr32);
+    } else {
         return 0;
     }
 
     // if the connection hasn't been established yet, the ports or addrs are 0.
-    bpf_probe_read_kernel(&addrs, sizeof(addrs), &sk->__sk_common.skc_addrpair);
     bpf_probe_read_kernel(&ports, sizeof(ports), &sk->__sk_common.skc_portpair);
-    if (ports == 0 || addrs == 0) {
+    if (ports == 0 || saddr == 0 || daddr == 0) {
         return 0;
     }
 
-    debug_bpf_printk("@ sockaddr FM :%d\n", address_family);
-
     struct connect_event_t conn;
     __builtin_memset(&conn, 0, sizeof(conn));
     conn.timestamp_ns = bpf_ktime_get_ns();
     conn.pid = pid;
     conn.tid = current_pid_tgid;
     conn.fd = fd;
+    conn.family = address_family;
     if (active) {
         conn.dport = bpf_ntohs((u16)ports);
         conn.sport = ports >> 16;
-        conn.daddr = (__be32)addrs;
-        conn.saddr = (__be32)(addrs >> 32);
+        conn.saddr = saddr;
+        conn.daddr = daddr;
     } else {
         conn.sport = bpf_ntohs((u16)ports);
         conn.dport = ports >> 16;
-        conn.saddr = (__be32)addrs;
-        conn.daddr = (__be32)(addrs >> 32);
+        conn.saddr = daddr;
+        conn.daddr = saddr;
     }
     bpf_get_current_comm(&conn.comm, sizeof(conn.comm));
     conn.sock = (u64)sk;

diff --git a/user/event/event_openssl.go b/user/event/event_openssl.go
@@ -18,6 +18,7 @@ import (
 	"bytes"
 	"encoding/binary"
 	"fmt"
+	"golang.org/x/sys/unix"
 	"net/netip"
 	"strings"
 	"unsafe"
@@ -197,25 +198,32 @@ func (se *SSLDataEvent) EventType() EventType {
 
 //  connect_events map
 /*
-  uint64_t timestamp_ns;
-  uint32_t pid;
-  uint32_t tid;
-  uint32_t fd;
-  char ports[4];
-  char addrs[8];
-  char Comm[TASK_COMM_LEN];
+   unsigned __int128 saddr;
+   unsigned __int128 daddr;
+   char comm[TASK_COMM_LEN];
+   u64 timestamp_ns;
+   u64 sock;
+   u32 pid;
+   u32 tid;
+   u32 fd;
+   u16 family;
+   u16 sport;
+   u16 dport;
+   u8 is_destroy;
+   u8 pad[7];
 */
 type connDataEvent struct {
+	Saddr       [16]byte `json:"saddr"`
+	Daddr       [16]byte `json:"daddr"`
+	Comm        [16]byte `json:"Comm"`
 	TimestampNs uint64   `json:"timestampNs"`
+	Sock        uint64   `json:"sock"`
 	Pid         uint32   `json:"pid"`
 	Tid         uint32   `json:"tid"`
 	Fd          uint32   `json:"fd"`
+	Family      uint16   `json:"family"`
 	Sport       uint16   `json:"sport"`
 	Dport       uint16   `json:"dport"`
-	Saddr       [4]byte  `json:"saddr"`
-	Daddr       [4]byte  `json:"daddr"`
-	Comm        [16]byte `json:"Comm"`
-	Sock        uint64   `json:"sock"`
 	IsDestroy   uint8    `json:"isDestroy"`
 	Pad         [7]byte  `json:"-"`
 
@@ -231,9 +239,15 @@ func (ce *ConnDataEvent) Decode(payload []byte) (err error) {
 	data := unsafe.Slice((*byte)(unsafe.Pointer(&ce.connDataEvent)), int(unsafe.Sizeof(ce.connDataEvent)))
 	copy(data, payload)
 
-	saddr, daddr := netip.AddrFrom4(ce.Saddr), netip.AddrFrom4(ce.Daddr)
-	ce.Tuple = fmt.Sprintf("%s:%d-%s:%d", saddr, ce.Sport, daddr, ce.Dport)
-	return nil
+        if ce.Family == unix.AF_INET {
+            saddr, daddr := netip.AddrFrom4([4]byte(ce.Saddr[:4])), netip.AddrFrom4([4]byte(ce.Saddr[:4]))
+            ce.Tuple = fmt.Sprintf("%s:%d-%s:%d", saddr, ce.Sport, daddr, ce.Dport)
+        } else {
+            saddr, daddr := netip.AddrFrom16(ce.Saddr), netip.AddrFrom16(ce.Daddr)
+            ce.Tuple = fmt.Sprintf("[%s]:%d-[%s]:%d", saddr, ce.Sport, daddr, ce.Dport)
+        }
+
+        return nil
 }
 
 func (ce *ConnDataEvent) StringHex() string {