Jacquin Antoine
7dfe640003
feat(ebpf): add Apache httpd HTTP capture via read() syscall

Add support for capturing HTTP traffic from Apache httpd using
tracepoint/kretprobe on read() syscall.

Changes:
- bpf/uprobe_apache.c: New BPF program for Apache httpd capture
  - Uses tp/syscalls/sys_enter_read to save arguments
  - Uses kretprobe/__x64_sys_read to capture data (avoids tracepoint exit issues)
- bpf/bpf_types.h: Add Apache-specific structures and maps
  - struct apache_http_event (same structure as nginx_http_event)
  - struct read_args (shared between enter/exit)
  - apache_pid_map for filtering by PID
  - apache_read_args_map for argument storage
  - pb_apache_http perf buffer
- internal/loader/loader.go: Add Apache support
  - Add Ja4ApacheObjects, apachePidMap, ApacheHTTPReader
  - Add go:generate directive for uprobe_apache.c
  - Add AttachUprobesApache(), AddApachePid(), RemoveApachePid()
  - Add findApachePIDs() to discover Apache httpd processes
- cmd/ja4ebpf/main.go: Add Apache runtime support
  - Add ApacheEnabled config option
  - Add attachApacheUprobesWithRetry() with automatic retry
  - Add consumeApacheHTTPEvents() to process Apache HTTP events
  - Add apache counter to eventCounters
  - Update debugStatsDumper to show apache events

Configuration:
- Enable with: uprobes.apache_enabled=true or JA4EBPF_APACHE_ENABLED=1
- Automatically discovers httpd/apache2 processes via /proc/[pid]/cmdline

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-20 13:38:58 +02:00