feat(ebpf): add nginx HTTP capture infrastructure via kretprobe recvfrom

Add supporting infrastructure for nginx HTTP capture using kretprobe
on __x64_sys_recvfrom to replace the blocked tracepoint sys_exit_recvfrom.

Changes:
- bpf/bpf_types.h: Add nginx_pid_map for filtering recvfrom by PID
- cmd/ja4ebpf/main.go: Add Uprobes configuration section
- Makefile: Add test targets for recvfrom validation
- internal/loader: Generate nginx HTTP event structures

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jacquin Antoine
2026-04-20 13:30:41 +02:00
parent bb2160efbc
commit 382683710a
5 changed files with 336 additions and 56 deletions

@ -257,6 +257,14 @@ struct {
__type(value, struct ssl_conn_info);
} fd_conn_map SEC(".maps");
/* Hash map : PID nginx → flag pour filtrage recvfrom (tracepoints) */
struct {
__uint(type, BPF_MAP_TYPE_HASH);
__uint(max_entries, 16);
__type(key, __u32);
__type(value, __u8);
} nginx_pid_map SEC(".maps");
/* Hash map : pid_tgid → nginx_read_args (arguments read entry pour nginx) */
struct {
__uint(type, BPF_MAP_TYPE_HASH);
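Review bot: The nginx_pid_map definition caps the filter at max_entries 16 and gives no indication of what happens when the map is full, so on a host with more nginx processes than that the extra PIDs cannot be inserted and their recvfrom calls would silently go unfiltered. Either size the map from the expected worker count or make the loader report a failed insert. The comment above the map also still says "(tracepoints)", while the commit message states the tracepoint is replaced by a kretprobe on __x64_sys_recvfrom, so it should be updated. Finally, the key is a bare __u32 while the next map is keyed by pid_tgid; a short comment stating whether this key is the tgid (upper 32 bits of bpf_get_current_pid_tgid()) or the thread id would prevent a mismatched lookup.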