[RFC] Stop parsing the packet payload

Containerfile

@@ -29,7 +29,8 @@ LABEL org.opencontainers.image.authors="https://github.com/retis-org"
 RUN dnf install -y \
     less \
     libpcap \
-    nftables
+    nftables \
+    tcpdump
 
 COPY --from=builder /retis/target/release/retis /usr/bin/retis
 COPY --from=builder /retis/retis/profiles /etc/retis/profiles

docs/collectors/skb.md

@@ -14,10 +14,9 @@ argument to the `kfree_skb_reason` function.
 ## Arguments
 
 The `skb` collector has a single specific argument, `--skb-sections`. This is
-used to choose which parts of the `skb` metadata and/or data to retrieve and
-export in the events. The raw start of the packet (headers), ARP, IPv4/6, TCP,
-UDP and ICMPv4/v6 information are always included. See the `retis collect
---help` for a detailed description.
+used to choose which parts of the `skb` metadata to retrieve and export in the
+events. The raw start of the packet (headers) is always included. See the `retis
+collect --help` for a detailed description.
 
 When collecting event for later `pcap-ng` file generation (see `retis pcap
 --help`), it's best to collect the `dev` and `ns` sections too.
@@ -39,69 +38,10 @@ ns {namespace id}
 if {interface index} ({interface name}) rxif {rx interface index}
 ```
 
-### Ethernet section
+### VLAN acceleration section
 
 ```none
-{src mac} > {dst mac} ethertype {etype name} ({etype hex})
-```
-
-### VLAN section
-
-```none
-vlan (id {id} prio {prio} [drop] [accel])
-```
-
-### ARP section
-
-```none
-request who-has {ip} tell {ip}
-```
-
-or,
-
-```none
-reply {ip} is at {mac}
-```
-
-### IP section
-
-For IPv4:
-
-```none
-{src ip}.{src port} > {dst ip}.{dst port} {ECN info} ttl {ttl} tos {tos} id {id}
-    off {frag offset} [{flags}] len {packet len} proto {protocol name}
-```
-
-- `ECN info` can be one of `CE`, `ECT(0)` or `ECT(1)`.
-- `flags` are constructed with a combination of `+`, `DF` and `rsvd`.
-
-For IPv6:
-
-```none
-{src ip}.{src port} > {dst ip}.{dst port} {ECN info} ttl {ttl} label {flow label}
-    len {packet len} proto {protocol name}
-```
-
-### TCP section
-
-```none
-flags [{flags}] seq {sequence} ack {acked sequence} win {window}
-```
-
-- `flags` are constructed using a combination of `F` (fin), `S` (syn), `R`
-  (reset), `P` (push), `.` (ack), `U` (urgent).
-- `sequence` can be a range (`{start}:{end}`) or a single number (`{sequence}`).
-
-### UDP section
-
-```none
-len {UDP data len}
-```
-
-### ICMP & ICMPv6 sections
-
-```none
-type {type number} code {code number}
+vlan_accel (id {id} prio {prio} [drop])
 ```
 
 ### Metadata & dataref sections
@@ -130,3 +70,8 @@ gso [type {GSO type} flags {GSO flags} frags {nr of GSO frags}
 
 - `GSO type`, see `SKBFL_*` in the Linux kernel `include/linux/skbuff.h`.
 - `GSO flags`, see `SKB_GSO_*` in the Linux kernel `include/linux/skbuff.h`.
+
+### Packet section
+
+The packet itself (payload) is printed on a dedicated line when using the
+multi-line format and the output is coming from `tcpdump`.

docs/install.md

@@ -69,6 +69,7 @@ Retis depends on the following (in addition to Git and Cargo):
 - llvm
 - make
 - pkg-config
+- tcpdump
 
 If the `python` feature is used (which is by default), the Python3 shared
 libraries and headers must be available.
@@ -77,15 +78,15 @@ On Fedora, one can run:
 
 ```none
 $ dnf -y install git cargo clang elfutils-libelf-devel python3-devel \
-        jq libpcap-devel llvm make pkgconf-pkg-config
+        jq libpcap-devel llvm make pkgconf-pkg-config tcpdump
 ```
 
 On Ubuntu:
 
 ```none
 $ apt update
 $ apt -y install git cargo clang jq libelf-dev libpcap-dev python3-dev \
-        llvm make pkg-config
+        llvm make pkg-config tcpdump
 ```
 
 Then, to download and build Retis:

retis-events/src/ct.rs

@@ -143,7 +143,7 @@ pub struct CtConnEvent {
 }
 
 impl EventFmt for CtEvent {
-    fn event_fmt(&self, f: &mut Formatter, _: &DisplayFormat) -> fmt::Result {
+    fn event_fmt(&self, f: &mut Formatter, format: &DisplayFormat) -> fmt::Result {
         use CtState::*;
         match self.state {
             Established => write!(f, "ct_state ESTABLISHED ")?,
@@ -157,7 +157,11 @@ impl EventFmt for CtEvent {
         Self::format_conn(&self.base, f)?;
 
         if let Some(parent) = &self.parent {
-            write!(f, "\n\\ parent [")?;
+            if format.multiline {
+                write!(f, "\n\\")?;
+            }
+
+            write!(f, " parent [")?;
             Self::format_conn(parent, f)?;
             write!(f, "]")?;
         }

retis-events/src/display.rs

@@ -24,6 +24,8 @@ pub struct DisplayFormat {
     pub time_format: TimeFormat,
     /// Offset of the monotonic clock to the wall-clock time.
     pub monotonic_offset: Option<TimeSpec>,
+    /// Should the link level part be displayed?
+    pub print_ll: bool,
 }
 
 impl DisplayFormat {
@@ -48,6 +50,12 @@ impl DisplayFormat {
         self.monotonic_offset = Some(offset);
         self
     }
+
+    /// Configure if LL information is printed.
+    pub fn print_ll(mut self, enabled: bool) -> Self {
+        self.print_ll = enabled;
+        self
+    }
 }
 
 /// `Formatter` implements `std::fmt::Write` and controls how events are being
@@ -318,6 +326,11 @@ impl DelimWriter {
         Ok(())
     }
 
+    /// Reset the DelimWriter to behave as if it was new.
+    pub fn reset(&mut self) {
+        self.first = true;
+    }
+
     /// Was the DelimWriter used?
     pub fn used(&self) -> bool {
         !self.first

retis-events/src/python.rs

@@ -107,7 +107,7 @@ impl PyEvent {
 
     /// Returns a string representation of the event
     fn show(&self) -> String {
-        let format = crate::DisplayFormat::new().multiline(true);
+        let format = crate::DisplayFormat::new().multiline(true).print_ll(true);
         format!("{}", self.0.display(&format, &crate::FormatterConf::new()))
     }