fix(ja4ebpf): correct BPF struct byte offsets and regenerate SSL_write programs

Fix two critical offset bugs introduced when ip_total_length was added to
tcp_syn_event: tcp_options_raw offset 21→23 and tcp_options_len offset 61→63,
plus minimum size check 70→72. Fix ssl_data_event direction field offset from
4118 (inside timestamp_ns) to 4126. Simplify attachSSLWrite to use generated
objects directly instead of dynamic spec loading. Regenerate BPF objects with
SSL_write uprobe programs included.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jacquin Antoine
2026-04-15 14:06:28 +02:00
parent 24306ef390
commit 65d833bb18
3 changed files with 32 additions and 52 deletions


@ -309,9 +309,9 @@ func consumeSynEvents(ctx context.Context, rd *perf.Reader, mgr *correlation.Man
// src_ip(4)+dst_ip(4)+src_port(2)+dst_port(2)+ttl(1)+df_bit(1)+ip_id(2)+
// ip_total_length(2)+window_size(2)+window_scale(1)+mss(2)+tcp_options_raw[40]+
// tcp_options_len(1)+timestamp_ns(8)
// offsets: 0 4 8 10 12 13 14 16 18 19 21 61
// total = 62 + 8 = 70
if len(record.RawSample) < 70 {
// offsets: 0 4 8 10 12 13 14 16 18 20 21 23 63
// total = 64 + 8 = 72
if len(record.RawSample) < 72 {
continue
}
data := record.RawSample
@ -342,12 +342,12 @@ func consumeSynEvents(ctx context.Context, rd *perf.Reader, mgr *correlation.Man
ipTotalLength := binary.LittleEndian.Uint16(data[16:18])
windowSize := binary.LittleEndian.Uint16(data[18:20])
optLen := int(data[61])
optLen := int(data[63])
if optLen > 40 {
optLen = 40
}
tcpOpts := make([]byte, optLen)
copy(tcpOpts, data[21:21+optLen])
copy(tcpOpts, data[23:23+optLen])
// Analyser les options TCP brutes pour extraire MSS et Window Scale
mss, windowScale := parseTCPOptions(tcpOpts)
@ -499,12 +499,13 @@ func consumeSSLEvents(ctx context.Context, rd *perf.Reader, mgr *correlation.Man
srcIPRaw := binary.LittleEndian.Uint32(data[12:16])
srcPort := binary.LittleEndian.Uint16(data[16:18])
// data[4096] commence à offset 18, data_len à offset 4114, direction à offset 4118
if len(data) < 4119 {
// data[4096] commence à offset 18, data_len à offset 4114,
// timestamp_ns à offset 4118, direction à offset 4126
if len(data) < 4127 {
continue
}
dataLen := binary.LittleEndian.Uint32(data[4114:4118])
direction := data[4118] // 0 = SSL_read (client→serveur), 1 = SSL_write (serveur→client)
direction := data[4126] // 0 = SSL_read (client→serveur), 1 = SSL_write (serveur→client)
if dataLen > 4096 {
dataLen = 4096
}
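Review bot: The `direction` byte read at `data[4126]` in consumeSSLEvents is used without a range check, so if the BPF struct layout drifts again the consumer will mislabel records silently instead of rejecting them, as apparently happened while the old offset 4118 pointed inside `timestamp_ns`. Adding `if direction > 1 { continue }` right after the read, ideally with a counter or log line, would turn layout drift into a visible signal; consumeSSLEvents continues outside the hunk, so whether later code already validates the value cannot be seen here. The literals 4114, 4126 and 4127 in this hunk, and 23, 63 and 72 in the two consumeSynEvents hunks, are hand-computed and appear to assume a packed C struct; named constants defined once beside the layout comment (for example `const sslEventMinSize = 4127`) would keep the size check and the slice reads from diverging. The reads at `data[12:16]` and `data[16:18]` also sit above the length check in this hunk, so confirm that an earlier guard outside the hunk covers them, otherwise a short record would panic the consumer.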