When using the -w parameter, eCapture fails to run(加上-w参数后，运行不正常)

[ryanlycch]

archlinux, kernel 6.2.1

1. 加-w参数，不带-i参数，错误
   /tmp> sudo ecapture tls --hex -w /tmp/git.pcap
   tls_2023/03/13 15:24:37 ECAPTURE :: ecapture Version : linux_x86_64:0.5.0-20230310-9f8b931:[CORE]
   tls_2023/03/13 15:24:37 ECAPTURE :: Pid Info : 3574649
   tls_2023/03/13 15:24:37 ECAPTURE :: Kernel Info : 6.2.1
   tls_2023/03/13 15:24:37 EBPFProbeOPENSSL module initialization
   tls_2023/03/13 15:24:37 EBPFProbeOPENSSL Module.Run()
   tls_2023/03/13 15:24:37 EBPFProbeOPENSSL TC MODEL
   tls_2023/03/13 15:24:37 EBPFProbeOPENSSL module run failed, [skip it]. error:route ip+net: no such network interface

2. 同时加-w和-i参数，错误如下：
   tls_2023/03/13 15:26:15 ECAPTURE :: ecapture Version : linux_x86_64:0.5.0-20230310-9f8b931:[CORE]
   tls_2023/03/13 15:26:15 ECAPTURE :: Pid Info : 3575427
   tls_2023/03/13 15:26:15 ECAPTURE :: Kernel Info : 6.2.1
   tls_2023/03/13 15:26:15 EBPFProbeOPENSSL module initialization
   tls_2023/03/13 15:26:15 EBPFProbeOPENSSL Module.Run()
   tls_2023/03/13 15:26:15 EBPFProbeOPENSSL TC MODEL
   tls_2023/03/13 15:26:15 EBPFProbeOPENSSL OpenSSL/BoringSSL version not found from shared library file, used default version:linux_default_3_0
   tls_2023/03/13 15:26:15 EBPFProbeOPENSSL HOOK type:2, binrayPath:/lib64/libssl.so.3
   tls_2023/03/13 15:26:15 EBPFProbeOPENSSL Ifname:enp2s0, Ifindex:2, Port:443, Pcapng filepath:/tmp/t.pcap
   tls_2023/03/13 15:26:15 EBPFProbeOPENSSL Hook masterKey function:SSL_write
   tls_2023/03/13 15:26:15 EBPFProbeOPENSSL target all process.
   tls_2023/03/13 15:26:15 EBPFProbeOPENSSL target all users.
   tls_2023/03/13 15:26:15 EBPFProbeOPENSSL BPF bytecode filename:user/bytecode/openssl_3_0_0_kern.o
   tls_2023/03/13 15:26:16 EBPFProbeOPENSSL module run failed, [skip it]. error:couldn't start bootstrap manager error:2 errors occurred:

• error:error:netlink receive: no such file or directory , couldn't add a ", err clsact" qdisc to interface 2, {UID:, EbpfFuncName:egress_cls_func}
• error:error:netlink receive: no such file or directory , couldn't add a ", err clsact" qdisc to interface 2, {UID:, EbpfFuncName:ingress_cls_func}

, probes activation validation failed .

3. 不加-w时带不带-i参数都是正常的

[cfc4n]

看上去确实一个BUG，不过，我这里没有archlinux的测试环境，你知道哪一个云服务上可以提供archlinux的镜像吗？

---

It does seem like a bug, but I don't have a testing environment for Arch Linux here. Do you know which cloud service can provide an Arch Linux 6.2.1 image?

[cfc4n]

@chriskaliX could you have a look ？

[chriskaliX]

@chriskaliX could you have a look ？

Yeah, I'll look into this.

[Daikq]

in Android 12 kernel 4.19.195-android-x86_64-g6389db0f737a
|OnePlus8Pro:/data/local/tmp # ./ecapture tls -i nflog:10034 --libssl="/system/lib64/libssl.so" -w xxx.pcap
tls_2023/03/29 07:29:06 ECAPTURE :: ecapture Version : androidgki_x86_64:0.5.0-20230310-9f8b931:5.15.0-1034-azure
tls_2023/03/29 07:29:06 ECAPTURE :: Pid Info : 7070
tls_2023/03/29 07:29:06 ECAPTURE :: Kernel Info : 4.19.195
tls_2023/03/29 07:29:06 EBPFProbeOPENSSL module initialization
tls_2023/03/29 07:29:06 EBPFProbeOPENSSL Module.Run()
tls_2023/03/29 07:29:06 EBPFProbeOPENSSL TC MODEL
tls_2023/03/29 07:29:06 EBPFProbeOPENSSL module run failed, [skip it]. error:route ip+net: no such network interface
tls_2023/03/29 07:29:06 ECAPTURE :: No runnable modules, Exit(1)

130|OnePlus8Pro:/data/local/tmp # ./ecapture tls --libssl="/system/lib64/libssl.so" -w xxx.pcap
tls_2023/03/29 07:29:38 ECAPTURE :: ecapture Version : androidgki_x86_64:0.5.0-20230310-9f8b931:5.15.0-1034-azure
tls_2023/03/29 07:29:38 ECAPTURE :: Pid Info : 7085
tls_2023/03/29 07:29:38 ECAPTURE :: Kernel Info : 4.19.195
tls_2023/03/29 07:29:38 EBPFProbeOPENSSL module initialization
tls_2023/03/29 07:29:38 EBPFProbeOPENSSL Module.Run()
tls_2023/03/29 07:29:38 EBPFProbeOPENSSL TC MODEL
tls_2023/03/29 07:29:38 EBPFProbeOPENSSL module run failed, [skip it]. error:route ip+net: no such network interface
tls_2023/03/29 07:29:38 ECAPTURE :: No runnable modules, Exit(1)
1|OnePlus8Pro:/data/local/tmp # ./ecapture tls -i wlan0 --libssl="/system/lib64/libssl.so" -w xxx.pcap
tls_2023/03/29 07:29:54 ECAPTURE :: ecapture Version : androidgki_x86_64:0.5.0-20230310-9f8b931:5.15.0-1034-azure
tls_2023/03/29 07:29:54 ECAPTURE :: Pid Info : 7092
tls_2023/03/29 07:29:54 ECAPTURE :: Kernel Info : 4.19.195
tls_2023/03/29 07:29:54 EBPFProbeOPENSSL module initialization
tls_2023/03/29 07:29:54 EBPFProbeOPENSSL Module.Run()
tls_2023/03/29 07:29:54 EBPFProbeOPENSSL TC MODEL
tls_2023/03/29 07:29:54 EBPFProbeOPENSSL module run failed, [skip it]. error:route ip+net: no such network interface
tls_2023/03/29 07:29:54 ECAPTURE :: No runnable modules, Exit(1)
1|OnePlus8Pro:/data/local/tmp # uname -r
4.19.195-android-x86_64-g6389db0f737a

不加 -w 可以正常使用

[cfc4n]

@Daikq 你这个例子不是报错了吗？看着像是运行失败啊……

[chriskaliX]

我尝试了上述的 -i <interface_name> -w <file_name> 的形式，没有复现这个问题 。-i 的报错 EBPFProbeOPENSSL module run failed, [skip it]. error:route ip+net: no such network interface 应该是 ifname 没有对上，默认是eth0。

是否能再提供一下执行的命令(-i -w的)，感谢

[cfc4n]

ping @ryanlycch