feat(ja4ebpf): add dst_ip/dst_port to TLS and HTTP plain events for complete L3/L4

Add dst_ip and dst_port fields to tls_hello_event BPF struct and populate them in tc_capture.c. Update Go TLS event handler with new byte offsets (payload[2048]+src_ip(4)+dst_ip(4)+src_port(2)+dst_port(2)+payload_len(2)+ timestamp_ns(8) = 2070 bytes). Read dst_ip/dst_port from HTTP plain events and use them to populate L3L4 when SYN was not captured, ensuring dst_ip and dst_port are always available in ClickHouse for both TLS and HTTP sessions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-15 14:31:46 +02:00
parent 65d833bb18
commit 0975d40609
5 changed files with 44 additions and 10 deletions
--- a/services/ja4ebpf/internal/loader/ja4ssl_x86_bpfel.go
+++ b/services/ja4ebpf/internal/loader/ja4ssl_x86_bpfel.go
@ -61,7 +61,9 @@ type Ja4SslSslReadArgs struct {
 type Ja4SslTlsHelloEvent struct {
 	Payload     [2048]uint8
 	SrcIp       uint32
+	DstIp       uint32
 	SrcPort     uint16
+	DstPort     uint16
 	PayloadLen  uint16
 	TimestampNs uint64
 }
--- a/services/ja4ebpf/internal/loader/ja4tc_x86_bpfel.go
+++ b/services/ja4ebpf/internal/loader/ja4tc_x86_bpfel.go
@ -61,7 +61,9 @@ type Ja4TcSslReadArgs struct {
 type Ja4TcTlsHelloEvent struct {
 	Payload     [2048]uint8
 	SrcIp       uint32
+	DstIp       uint32
 	SrcPort     uint16
+	DstPort     uint16
 	PayloadLen  uint16
 	TimestampNs uint64
 }