$ perf annotate --stdio2 -P bpf_prog_dff48fc6b3b7ff17_trace_net_packets Samples: 96 of event 'cpu-clock:ppp', 4000 Hz, Event count (approx.): 24000000, [percent: local period] bpf_prog_dff48fc6b3b7ff17_trace_net_packets() bpf_prog_dff48fc6b3b7ff17_trace_net_packets Percent int trace_net_packets(struct trace_event_raw_net_dev_template *args) { 1.04 nop 25.00 xchg %ax,%ax push %rbp mov %rsp,%rbp sub $0x1d0,%rsp push %rbx 4.17 push %r13 push %r14 push %r15 xor %r13d,%r13d __builtin_memset(&skb, 0, sizeof(skb)); mov %r13,-0xc8(%rbp) 1.04 mov %r13,-0xd0(%rbp) mov %r13,-0xd8(%rbp) mov %r13,-0xe0(%rbp) mov %r13,-0xe8(%rbp) mov %r13,-0xf0(%rbp) mov %r13,-0xf8(%rbp) 1.04 mov %r13,-0x100(%rbp) mov %r13,-0x108(%rbp) mov %r13,-0x110(%rbp) mov %r13,-0x118(%rbp) 1.04 mov %r13,-0x120(%rbp) mov %r13,-0x128(%rbp) mov %r13,-0x130(%rbp) 1.04 mov %r13,-0x138(%rbp) mov %r13,-0x140(%rbp) mov %r13,-0x148(%rbp) mov %r13,-0x150(%rbp) 1.04 mov %r13,-0x158(%rbp) mov %r13,-0x160(%rbp) mov %r13,-0x168(%rbp) 1.04 mov %r13,-0x170(%rbp) 1.04 mov %r13,-0x178(%rbp) 2.08 mov %r13,-0x180(%rbp) mov %r13,-0x188(%rbp) 1.04 mov %r13,-0x190(%rbp) mov %r13,-0x198(%rbp) 1.04 mov %r13,-0x1a0(%rbp) 1.04 mov %r13,-0x1a8(%rbp) bpf_probe_read(&skb, sizeof(struct sk_buff), args->skbaddr); mov 0x8(%rdi),%rdx mov %rbp,%rbx add $0xfffffffffffffe58,%rbx bpf_probe_read(&skb, sizeof(struct sk_buff), args->skbaddr); mov %rbx,%rdi mov $0xe8,%esi 1.04 → call *fffffffff1ae4e98 __builtin_memset(&id, 0, sizeof(id)); 1.04 mov %r13,-0x58(%rbp) id.if_index = skb->skb_iif; 1.04 mov 0x90(%rbx),%edi id.if_index = skb->skb_iif; mov %di,-0x52(%rbp) shr $0x10,%rdi mov %di,-0x50(%rbp) __builtin_memset(&id, 0, sizeof(id)); mov %r13,-0x88(%rbp) mov %r13,-0x80(%rbp) mov %r13,-0x78(%rbp) mov %r13,-0x70(%rbp) mov %r13,-0x68(%rbp) mov %r13,-0x60(%rbp) u16 family = 0,flags = 0, len = 0; mov %r13w,-0x8a(%rbp) __builtin_memset(&eth, 0, sizeof(eth)); mov %r13w,-0x3c(%rbp) mov %r13d,-0x40(%rbp) mov %r13,-0x48(%rbp) bpf_probe_read(&eth, sizeof(eth), 
(struct ethhdr *)(skb->head + skb->mac_header)); 1.04 movzwq 0xb6(%rbx),%rdi bpf_probe_read(&eth, sizeof(eth), (struct ethhdr *)(skb->head + skb->mac_header)); mov 0xc0(%rbx),%rdx bpf_probe_read(&eth, sizeof(eth), (struct ethhdr *)(skb->head + skb->mac_header)); add %rdi,%rdx mov %rbp,%rbx add $0xffffffffffffffb8,%rbx bpf_probe_read(&eth, sizeof(eth), (struct ethhdr *)(skb->head + skb->mac_header)); mov %rbx,%rdi mov $0xe,%esi → call *fffffffff1ae4e98 xor %edi,%edi mov %rbx,%rsi add %rdi,%rsi __builtin_memcpy(id->dst_mac, eth.h_dest, ETH_ALEN); movzbq 0x3(%rsi),%rdi 5.21 mov %dil,-0x7c(%rbp) movzbq 0x2(%rsi),%rdi 1.04 mov %dil,-0x7d(%rbp) 1.04 movzbq 0x1(%rsi),%rdi mov %dil,-0x7e(%rbp) movzbq 0x0(%rbx),%rdi mov %dil,-0x7f(%rbp) movzbq 0x5(%rsi),%rdi mov %dil,-0x7a(%rbp) movzbq 0x4(%rsi),%rdi mov %dil,-0x7b(%rbp) mov $0x6,%edi mov %rbx,%rsi add %rdi,%rsi __builtin_memcpy(id->src_mac, eth.h_source, ETH_ALEN); movzbq 0x3(%rsi),%rdi mov %dil,-0x82(%rbp) movzbq 0x2(%rsi),%rdi mov %dil,-0x83(%rbp) movzbq 0x1(%rsi),%rdi mov %dil,-0x84(%rbp) movzbq 0x6(%rbx),%rdi mov %dil,-0x85(%rbp) movzbq 0x5(%rsi),%rdi mov %dil,-0x80(%rbp) movzbq 0x4(%rsi),%rdi mov %dil,-0x81(%rbp) id->eth_protocol = bpf_ntohs(eth.h_proto); 1.04 movzwq 0xc(%rbx),%rdi ror $0x8,%di movzwl %di,%edi id->eth_protocol = bpf_ntohs(eth.h_proto); mov %di,-0x88(%rbp) if (id->eth_protocol == ETH_P_IP) { cmp $0x800,%rdi 1.04 ↓ je 22f cmp $0x86dd,%rdi ↓ je 324 mov $0xffffffff,%eax ↓ jmp c6d 22f: mov %rbp,%rdi bpf_probe_read(&ip, sizeof(ip), (struct iphdr *)(skb->head + skb->network_header)); 2.08 add $0xfffffffffffffe58,%rdi movzwq 0xb4(%rdi),%rsi bpf_probe_read(&ip, sizeof(ip), (struct iphdr *)(skb->head + skb->network_header)); 2.08 mov 0xc0(%rdi),%rdx bpf_probe_read(&ip, sizeof(ip), (struct iphdr *)(skb->head + skb->network_header)); add %rsi,%rdx __builtin_memset(&ip, 0, sizeof(ip)); mov %r13d,-0x38(%rbp) mov %r13,-0x40(%rbp) mov %r13,-0x48(%rbp) 1.04 mov %rbp,%rbx bpf_probe_read(&ip, sizeof(ip), (struct iphdr 
*)(skb->head + skb->network_header)); add $0xffffffffffffffb8,%rbx bpf_probe_read(&ip, sizeof(ip), (struct iphdr *)(skb->head + skb->network_header)); mov %rbx,%rdi mov $0x14,%esi → call *fffffffff1ae4e98 mov $0xff,%edi __builtin_memcpy(id->src_ip, ip4in6, sizeof(ip4in6)); mov %dil,-0x6e(%rbp) 1.04 mov %dil,-0x6f(%rbp) __builtin_memcpy(id->dst_ip, ip4in6, sizeof(ip4in6)); mov %dil,-0x5e(%rbp) 2.08 mov %dil,-0x5f(%rbp) __builtin_memcpy(id->src_ip, ip4in6, sizeof(ip4in6)); 1.04 mov %r13b,-0x72(%rbp) mov %r13b,-0x73(%rbp) mov %r13b,-0x74(%rbp) mov %r13b,-0x75(%rbp) mov %r13b,-0x76(%rbp) mov %r13b,-0x77(%rbp) mov %r13b,-0x78(%rbp) mov %r13b,-0x79(%rbp) mov %r13b,-0x70(%rbp) mov %r13b,-0x71(%rbp) __builtin_memcpy(id->dst_ip, ip4in6, sizeof(ip4in6)); mov %r13b,-0x62(%rbp) mov %r13b,-0x63(%rbp) mov %r13b,-0x64(%rbp) 2.08 mov %r13b,-0x65(%rbp) mov %r13b,-0x66(%rbp) 1.04 mov %r13b,-0x67(%rbp) mov %r13b,-0x68(%rbp) mov %r13b,-0x69(%rbp) 1.04 mov %r13b,-0x60(%rbp) mov %r13b,-0x61(%rbp) __builtin_memcpy(id->src_ip + sizeof(ip4in6), &ip.saddr, sizeof(ip.saddr)); mov 0xc(%rbx),%edi mov %rdi,%rsi shr $0x18,%rsi mov %sil,-0x6a(%rbp) mov %rdi,%rsi shr $0x10,%rsi mov %sil,-0x6b(%rbp) mov %dil,-0x6d(%rbp) shr $0x8,%rdi mov %dil,-0x6c(%rbp) __builtin_memcpy(id->dst_ip + sizeof(ip4in6), &ip.daddr, sizeof(ip.daddr)); mov 0x10(%rbx),%edi mov %rdi,%rsi shr $0x18,%rsi mov %sil,-0x5a(%rbp) mov %rdi,%rsi shr $0x10,%rsi mov %sil,-0x5b(%rbp) mov %dil,-0x5d(%rbp) shr $0x8,%rdi mov %dil,-0x5c(%rbp) *protocol = ip.protocol; movzbq 0x9(%rbx),%rdi ↓ jmp 4a5 324: xor %edi,%edi __builtin_memset(&ip, 0, sizeof(ip)); mov %rdi,-0x28(%rbp) mov %rdi,-0x30(%rbp) mov %rdi,-0x38(%rbp) mov %rdi,-0x40(%rbp) mov %rdi,-0x48(%rbp) mov %rbp,%rdi add $0xfffffffffffffe58,%rdi bpf_probe_read(&ip, sizeof(ip), (struct ipv6hdr *)(skb->head + skb->network_header)); movzwq 0xb4(%rdi),%rsi bpf_probe_read(&ip, sizeof(ip), (struct ipv6hdr *)(skb->head + skb->network_header)); mov 0xc0(%rdi),%rdx bpf_probe_read(&ip, 
sizeof(ip), (struct ipv6hdr *)(skb->head + skb->network_header)); add %rsi,%rdx mov %rbp,%rbx add $0xffffffffffffffb8,%rbx bpf_probe_read(&ip, sizeof(ip), (struct ipv6hdr *)(skb->head + skb->network_header)); mov %rbx,%rdi mov $0x28,%esi → call *fffffffff1ae4e98 mov $0x8,%esi mov %rbx,%rdi add %rsi,%rdi __builtin_memcpy(id->src_ip, ip.saddr.in6_u.u6_addr8, IP_MAX_LEN); movzbq 0x7(%rdi),%rsi mov %sil,-0x72(%rbp) movzbq 0x6(%rdi),%rsi mov %sil,-0x73(%rbp) movzbq 0x5(%rdi),%rsi mov %sil,-0x74(%rbp) movzbq 0x4(%rdi),%rsi mov %sil,-0x75(%rbp) movzbq 0x3(%rdi),%rsi mov %sil,-0x76(%rbp) movzbq 0x2(%rdi),%rsi mov %sil,-0x77(%rbp) movzbq 0x1(%rdi),%rsi mov %sil,-0x78(%rbp) movzbq 0x8(%rbx),%rsi mov %sil,-0x79(%rbp) movzbq 0xf(%rdi),%rsi mov %sil,-0x6a(%rbp) movzbq 0xe(%rdi),%rsi mov %sil,-0x6b(%rbp) movzbq 0xd(%rdi),%rsi mov %sil,-0x6c(%rbp) movzbq 0xc(%rdi),%rsi mov %sil,-0x6d(%rbp) movzbq 0xb(%rdi),%rsi mov %sil,-0x6e(%rbp) movzbq 0xa(%rdi),%rsi mov %sil,-0x6f(%rbp) movzbq 0x9(%rdi),%rsi mov %sil,-0x70(%rbp) movzbq 0x8(%rdi),%rdi mov %dil,-0x71(%rbp) mov $0x18,%esi mov %rbx,%rdi add %rsi,%rdi __builtin_memcpy(id->dst_ip, ip.daddr.in6_u.u6_addr8, IP_MAX_LEN); movzbq 0x7(%rdi),%rsi mov %sil,-0x62(%rbp) movzbq 0x6(%rdi),%rsi mov %sil,-0x63(%rbp) movzbq 0x5(%rdi),%rsi mov %sil,-0x64(%rbp) movzbq 0x4(%rdi),%rsi mov %sil,-0x65(%rbp) movzbq 0x3(%rdi),%rsi mov %sil,-0x66(%rbp) movzbq 0x2(%rdi),%rsi mov %sil,-0x67(%rbp) movzbq 0x1(%rdi),%rsi mov %sil,-0x68(%rbp) movzbq 0x18(%rbx),%rsi mov %sil,-0x69(%rbp) movzbq 0xf(%rdi),%rsi mov %sil,-0x5a(%rbp) movzbq 0xe(%rdi),%rsi mov %sil,-0x5b(%rbp) movzbq 0xd(%rdi),%rsi mov %sil,-0x5c(%rbp) movzbq 0xc(%rdi),%rsi mov %sil,-0x5d(%rbp) movzbq 0xb(%rdi),%rsi mov %sil,-0x5e(%rbp) movzbq 0xa(%rdi),%rsi mov %sil,-0x5f(%rbp) movzbq 0x9(%rdi),%rsi mov %sil,-0x60(%rbp) movzbq 0x8(%rdi),%rdi mov %dil,-0x61(%rbp) *protocol = ip.nexthdr; movzbq 0x6(%rbx),%rdi switch (protocol) { 4a5: and $0xff,%rdi 4.17 cmp $0x6,%rdi ↓ je 570 mov $0xffffffff,%eax cmp 
$0x11,%rdi ↓ jne c6d xor %edi,%edi __builtin_memset(&udp, 0, sizeof(udp)); mov %rdi,-0x48(%rbp) mov %rbp,%rdi add $0xfffffffffffffe58,%rdi bpf_probe_read(&udp, sizeof(udp), (struct udphdr *)(skb->head + skb->transport_header)); movzwq 0xb2(%rdi),%rsi bpf_probe_read(&udp, sizeof(udp), (struct udphdr *)(skb->head + skb->transport_header)); mov 0xc0(%rdi),%rdx bpf_probe_read(&udp, sizeof(udp), (struct udphdr *)(skb->head + skb->transport_header)); add %rsi,%rdx mov %rbp,%r13 add $0xffffffffffffffb8,%r13 mov $0x8,%ebx bpf_probe_read(&udp, sizeof(udp), (struct udphdr *)(skb->head + skb->transport_header)); mov %r13,%rdi mov $0x8,%esi → call *fffffffff1ae4e98 1.04 mov $0xffffffff,%eax mov $0x11,%edi id->transport_protocol = protocol; mov %dil,-0x55(%rbp) dport = bpf_ntohs(udp.dest); movzwq 0x2(%r13),%r14 mov %r14,%rdi bswap %rdi id->dst_port = dport; shr $0x38,%rdi mov %dil,-0x56(%rbp) sport = bpf_ntohs(udp.source); movzwq 0x0(%r13),%r15 mov %r15,%rdi bswap %rdi id->src_port = sport; shr $0x38,%rdi mov %dil,-0x58(%rbp) dport = bpf_ntohs(udp.dest); ror $0x8,%r14w movzwl %r14w,%r14d id->dst_port = dport; mov %r14b,-0x57(%rbp) sport = bpf_ntohs(udp.source); ror $0x8,%r15w movzwl %r15w,%r15d id->src_port = sport; mov %r15b,-0x59(%rbp) return bpf_ntohs(udp.len); movzwq 0x4(%r13),%rdi ror $0x8,%di movzwl %di,%edi if (len - sizeof(struct udphdr) > UDP_MAXMSG) { add $0xfffffffffffffff8,%rdi if (len - sizeof(struct udphdr) > UDP_MAXMSG) { cmp $0x200,%rdi ↓ ja c6d ↓ jmp 615 570: xor %edi,%edi __builtin_memset(&tcp, 0, sizeof(tcp)); 4.17 mov %edi,-0x38(%rbp) 1.04 mov %rdi,-0x40(%rbp) 1.04 mov %rdi,-0x48(%rbp) mov %rbp,%rdi add $0xfffffffffffffe58,%rdi bpf_probe_read(&tcp, sizeof(tcp), (struct tcphdr *)(skb->head + skb->transport_header)); movzwq 0xb2(%rdi),%rsi bpf_probe_read(&tcp, sizeof(tcp), (struct tcphdr *)(skb->head + skb->transport_header)); 1.04 mov 0xc0(%rdi),%rdx bpf_probe_read(&tcp, sizeof(tcp), (struct tcphdr *)(skb->head + skb->transport_header)); add %rsi,%rdx 1.04 
mov %rbp,%rbx add $0xffffffffffffffb8,%rbx bpf_probe_read(&tcp, sizeof(tcp), (struct tcphdr *)(skb->head + skb->transport_header)); mov %rbx,%rdi mov $0x14,%esi → call *fffffffff1ae4e98 sport = bpf_ntohs(tcp.source); 1.04 movzwq 0x0(%rbx),%r15 dport = bpf_ntohs(tcp.dest); movzwq 0x2(%rbx),%r14 mov %rbp,%rsi 3.12 add $0xffffffffffffff76,%rsi set_flags(&tcp, flags); mov %rbx,%rdi → call *fffffffffffd8a04 dport = bpf_ntohs(tcp.dest); mov %r14,%rdi bswap %rdi id->dst_port = dport; shr $0x38,%rdi 1.04 mov %dil,-0x56(%rbp) sport = bpf_ntohs(tcp.source); mov %r15,%rdi bswap %rdi id->src_port = sport; shr $0x38,%rdi mov %dil,-0x58(%rbp) mov $0x6,%edi id->transport_protocol = protocol; mov %dil,-0x55(%rbp) dport = bpf_ntohs(tcp.dest); 1.04 ror $0x8,%r14w movzwl %r14w,%r14d id->dst_port = dport; mov %r14b,-0x57(%rbp) sport = bpf_ntohs(tcp.source); ror $0x8,%r15w movzwl %r15w,%r15d id->src_port = sport; mov %r15b,-0x59(%rbp) return tcp.doff * sizeof(u32); movzwq 0xc(%rbx),%rbx return tcp.doff * sizeof(u32); shr $0x2,%rbx and $0x3c,%rbx 615: xor %eax,%eax if (id.dst_port == DNS_PORT || id.src_port == DNS_PORT) { 2.08 cmp $0x35,%r14 ↓ je 627 cmp $0x35,%r15 ↓ jne c6d 627: mov %rbp,%rdi bpf_probe_read(&dns, sizeof(dns), (struct dns_header *)(skb->head + skb->transport_header + len)); add $0xfffffffffffffe58,%rdi movzwq 0xb2(%rdi),%rsi bpf_probe_read(&dns, sizeof(dns), (struct dns_header *)(skb->head + skb->transport_header + len)); add %rsi,%rbx bpf_probe_read(&dns, sizeof(dns), (struct dns_header *)(skb->head + skb->transport_header + len)); mov 0xc0(%rdi),%rdx bpf_probe_read(&dns, sizeof(dns), (struct dns_header *)(skb->head + skb->transport_header + len)); add %rbx,%rdx mov %rbp,%rdi bpf_probe_read(&dns, sizeof(dns), (struct dns_header *)(skb->head + skb->transport_header + len)); add $0xffffffffffffff68,%rdi bpf_probe_read(&dns, sizeof(dns), (struct dns_header *)(skb->head + skb->transport_header + len)); mov $0xc,%esi → call *fffffffff1ae4e98 if ((bpf_ntohs(dns.flags) & 
DNS_QR_FLAG) == 0) { /* dns query */ movzwq -0x96(%rbp),%rdi if ((bpf_ntohs(dns.flags) & DNS_QR_FLAG) == 0) { /* dns query */ and $0x80,%rdi if ((bpf_ntohs(dns.flags) & DNS_QR_FLAG) == 0) { /* dns query */ test %rdi,%rdi ↓ jne 8cb __builtin_memcpy(dns_flow->src_ip, id->src_ip, IP_MAX_LEN); movzbq -0x72(%rbp),%rsi shl $0x8,%rsi movzbq -0x73(%rbp),%rdi or %rdi,%rsi mov %rsi,-0x1b0(%rbp) movzbq -0x76(%rbp),%rdx shl $0x8,%rdx movzbq -0x77(%rbp),%rdi or %rdi,%rdx movzbq -0x6a(%rbp),%rsi shl $0x8,%rsi movzbq -0x6b(%rbp),%rdi or %rdi,%rsi movzbq -0x70(%rbp),%rbx shl $0x8,%rbx movzbq -0x71(%rbp),%rdi or %rdi,%rbx movzbq -0x6e(%rbp),%rcx shl $0x8,%rcx movzbq -0x6f(%rbp),%rdi or %rdi,%rcx movzbq -0x74(%rbp),%r13 shl $0x8,%r13 movzbq -0x75(%rbp),%rdi or %rdi,%r13 movzbq -0x78(%rbp),%r14 shl $0x8,%r14 movzbq -0x79(%rbp),%rdi or %rdi,%r14 movzbq -0x6c(%rbp),%r15 shl $0x8,%r15 movzbq -0x6d(%rbp),%rdi or %rdi,%r15 __builtin_memcpy(dns_flow->dst_ip, id->dst_ip, IP_MAX_LEN); movzbq -0x62(%rbp),%r8 shl $0x8,%r8 movzbq -0x63(%rbp),%rdi or %rdi,%r8 movzbq -0x66(%rbp),%rax shl $0x8,%rax movzbq -0x67(%rbp),%rdi or %rdi,%rax __builtin_memcpy(dns_flow->src_ip, id->src_ip, IP_MAX_LEN); shl $0x10,%rcx or %rbx,%rcx shl $0x10,%rsi or %r15,%rsi mov %rsi,-0x1b8(%rbp) shl $0x10,%rdx or %r14,%rdx mov %rdx,-0x1c0(%rbp) mov -0x1b0(%rbp),%rdi shl $0x10,%rdi or %r13,%rdi mov %rdi,-0x1b0(%rbp) movzbq -0x58(%rbp),%rbx shl $0x8,%rbx movzbq -0x59(%rbp),%rdi or %rdi,%rbx movzbq -0x56(%rbp),%r13 shl $0x8,%r13 movzbq -0x57(%rbp),%rdi or %rdi,%r13 __builtin_memcpy(dns_flow->dst_ip, id->dst_ip, IP_MAX_LEN); movzbq -0x64(%rbp),%r14 shl $0x8,%r14 movzbq -0x65(%rbp),%rdi or %rdi,%r14 movzbq -0x68(%rbp),%rsi shl $0x8,%rsi movzbq -0x69(%rbp),%r15 or %r15,%rsi movzbq -0x5c(%rbp),%rdi shl $0x8,%rdi movzbq -0x5d(%rbp),%r15 or %r15,%rdi movzbq -0x5a(%rbp),%r15 shl $0x8,%r15 movzbq -0x5b(%rbp),%rdx or %rdx,%r15 shl $0x10,%r15 or %rdi,%r15 shl $0x10,%rax or %rsi,%rax shl $0x10,%r8 or %r14,%r8 dns_flow->protocol = 
id->transport_protocol; movzbq -0x55(%rbp),%rdi dns_flow->protocol = id->transport_protocol; mov %dil,-0x9a(%rbp) fill_dns_id(&id, &dns_req, bpf_ntohs(dns.id), false); movzwq -0x98(%rbp),%rdi ror $0x8,%di movzwl %di,%edi dns_flow->id = dns_id; mov %di,-0x9c(%rbp) dns_flow->dst_port = id->src_port; mov %r13w,-0xbe(%rbp) dns_flow->src_port = id->dst_port; mov %bx,-0xc0(%rbp) __builtin_memcpy(dns_flow->src_ip, id->src_ip, IP_MAX_LEN); mov -0x1b0(%rbp),%rdi mov %edi,-0xb8(%rbp) mov -0x1c0(%rbp),%rdi mov %edi,-0xbc(%rbp) mov -0x1b8(%rbp),%rdi mov %edi,-0xb0(%rbp) mov %ecx,-0xb4(%rbp) __builtin_memcpy(dns_flow->dst_ip, id->dst_ip, IP_MAX_LEN); mov %r8d,-0xa8(%rbp) mov %eax,-0xac(%rbp) mov %r15d,-0xa0(%rbp) movzbq -0x60(%rbp),%rdi shl $0x8,%rdi movzbq -0x61(%rbp),%rsi or %rsi,%rdi movzbq -0x5e(%rbp),%rsi shl $0x8,%rsi movzbq -0x5f(%rbp),%rdx or %rdx,%rsi shl $0x10,%rsi or %rdi,%rsi 1.04 mov %esi,-0xa4(%rbp) mov %rbp,%rsi __builtin_memcpy(dns_flow->src_ip, id->src_ip, IP_MAX_LEN); add $0xffffffffffffff40,%rsi if (bpf_map_lookup_elem(&dns_flows, &dns_req) == NULL) { movabs $0xffff8f4147ed1400,%rdi → call *fffffffff1b23008 test %rax,%rax ↓ je 899 add $0x58,%rax if (bpf_map_lookup_elem(&dns_flows, &dns_req) == NULL) { 899: test %rax,%rax ↓ jne c6b u64 ts = bpf_ktime_get_ns(); → call *fffffffff1b1e5c8 u64 ts = bpf_ktime_get_ns(); mov %rax,-0x48(%rbp) mov %rbp,%rsi u64 ts = bpf_ktime_get_ns(); add $0xffffffffffffff40,%rsi mov %rbp,%rdx add $0xffffffffffffffb8,%rdx bpf_map_update_elem(&dns_flows, &dns_req, &ts, BPF_ANY); movabs $0xffff8f4147ed1400,%rdi ↓ jmp c64 __builtin_memcpy(dns_flow->src_ip, id->dst_ip, IP_MAX_LEN); 8cb: movzbq -0x5c(%rbp),%rsi shl $0x8,%rsi movzbq -0x5d(%rbp),%rdi or %rdi,%rsi mov %rsi,-0x1c0(%rbp) movzbq -0x5a(%rbp),%rsi shl $0x8,%rsi movzbq -0x5b(%rbp),%rdi or %rdi,%rsi mov %rsi,-0x1b0(%rbp) movzbq -0x5e(%rbp),%rsi shl $0x8,%rsi movzbq -0x5f(%rbp),%rdi or %rdi,%rsi mov %rsi,-0x1b8(%rbp) __builtin_memcpy(dns_flow->dst_ip, id->src_ip, IP_MAX_LEN); movzbq 
-0x74(%rbp),%rsi shl $0x8,%rsi movzbq -0x75(%rbp),%rdi or %rdi,%rsi mov %rsi,-0x1d0(%rbp) movzbq -0x72(%rbp),%rbx shl $0x8,%rbx movzbq -0x73(%rbp),%rdi or %rdi,%rbx __builtin_memcpy(dns_flow->src_ip, id->dst_ip, IP_MAX_LEN); movzbq -0x64(%rbp),%rsi shl $0x8,%rsi movzbq -0x65(%rbp),%rdi or %rdi,%rsi mov %rsi,-0x1c8(%rbp) movzbq -0x62(%rbp),%rcx shl $0x8,%rcx movzbq -0x63(%rbp),%rdi or %rdi,%rcx movzbq -0x68(%rbp),%r8 shl $0x8,%r8 movzbq -0x69(%rbp),%rdi or %rdi,%r8 movzbq -0x66(%rbp),%rax shl $0x8,%rax movzbq -0x67(%rbp),%rdi or %rdi,%rax movzbq -0x60(%rbp),%rsi shl $0x8,%rsi movzbq -0x61(%rbp),%rdi or %rdi,%rsi __builtin_memcpy(dns_flow->dst_ip, id->src_ip, IP_MAX_LEN); movzbq -0x78(%rbp),%r13 shl $0x8,%r13 movzbq -0x79(%rbp),%rdi or %rdi,%r13 movzbq -0x76(%rbp),%r14 shl $0x8,%r14 movzbq -0x77(%rbp),%rdi or %rdi,%r14 movzbq -0x6c(%rbp),%rdx shl $0x8,%rdx movzbq -0x6d(%rbp),%rdi or %rdi,%rdx movzbq -0x6a(%rbp),%rdi shl $0x8,%rdi movzbq -0x6b(%rbp),%r15 or %r15,%rdi shl $0x10,%rbx mov -0x1d0(%rbp),%r15 or %r15,%rbx mov -0x1b8(%rbp),%r15 __builtin_memcpy(dns_flow->src_ip, id->dst_ip, IP_MAX_LEN); shl $0x10,%r15 or %rsi,%r15 mov %r15,-0x1b8(%rbp) mov -0x1b0(%rbp),%rsi shl $0x10,%rsi mov -0x1c0(%rbp),%r15 or %r15,%rsi mov %rsi,-0x1b0(%rbp) shl $0x10,%rax or %r8,%rax shl $0x10,%rcx mov -0x1c8(%rbp),%rsi or %rsi,%rcx movzbq -0x56(%rbp),%rsi shl $0x8,%rsi movzbq -0x57(%rbp),%r8 or %r8,%rsi movzbq -0x58(%rbp),%r8 shl $0x8,%r8 movzbq -0x59(%rbp),%r15 or %r15,%r8 __builtin_memcpy(dns_flow->dst_ip, id->src_ip, IP_MAX_LEN); shl $0x10,%rdi or %rdx,%rdi shl $0x10,%r14 or %r13,%r14 xor %edx,%edx id.direction = INGRESS; mov %dl,-0x86(%rbp) dns_flow->protocol = id->transport_protocol; movzbq -0x55(%rbp),%rdx dns_flow->protocol = id->transport_protocol; mov %dl,-0x9a(%rbp) fill_dns_id(&id, &dns_req, bpf_ntohs(dns.id), true); movzwq -0x98(%rbp),%rdx ror $0x8,%dx movzwl %dx,%edx dns_flow->id = dns_id; mov %dx,-0x9c(%rbp) dns_flow->dst_port = id->src_port; mov %r8w,-0xbe(%rbp) 
dns_flow->src_port = id->dst_port; mov %si,-0xc0(%rbp) __builtin_memcpy(dns_flow->src_ip, id->dst_ip, IP_MAX_LEN); mov %ecx,-0xb8(%rbp) mov %eax,-0xbc(%rbp) mov -0x1b0(%rbp),%rsi mov %esi,-0xb0(%rbp) mov -0x1b8(%rbp),%rsi mov %esi,-0xb4(%rbp) __builtin_memcpy(dns_flow->dst_ip, id->src_ip, IP_MAX_LEN); 1.04 mov %ebx,-0xa8(%rbp) mov %r14d,-0xac(%rbp) 1.04 mov %edi,-0xa0(%rbp) movzbq -0x70(%rbp),%rdi shl $0x8,%rdi movzbq -0x71(%rbp),%rsi or %rsi,%rdi movzbq -0x6e(%rbp),%rsi shl $0x8,%rsi movzbq -0x6f(%rbp),%rdx or %rdx,%rsi shl $0x10,%rsi or %rdi,%rsi mov %esi,-0xa4(%rbp) mov %rbp,%rsi __builtin_memcpy(dns_flow->src_ip, id->dst_ip, IP_MAX_LEN); add $0xffffffffffffff40,%rsi u64 *value = bpf_map_lookup_elem(&dns_flows, &dns_req); movabs $0xffff8f4147ed1400,%rdi → call *fffffffff1b23008 test %rax,%rax ↓ je b22 add $0x58,%rax b22: mov %rax,%r14 if (value != NULL) { test %r14,%r14 ↓ je c6b latency = bpf_ktime_get_ns() - *value; → call *fffffffff1b1e5c8 mov %rax,%r13 latency = bpf_ktime_get_ns() - *value; mov 0x0(%r14),%rdi bpf_map_delete_elem(&dns_flows, &dns_req); mov %rdi,-0x1b0(%rbp) mov %rbp,%rsi add $0xffffffffffffff40,%rsi bpf_map_delete_elem(&dns_flows, &dns_req); movabs $0xffff8f4147ed1400,%rdi → call *fffffffff1b24118 mov %rbp,%rdi add $0xfffffffffffffe58,%rdi find_or_create_dns_flow(&id, &dns, skb->len, flags, latency); mov 0x70(%rdi),%ebx find_or_create_dns_flow(&id, &dns, skb->len, flags, latency); movzwq -0x8a(%rbp),%r15 mov %rbp,%rsi add $0xffffffffffffff78,%rsi flow_metrics *aggregate_flow = bpf_map_lookup_elem(&aggregated_flows, id); movabs $0xffff8f4147838400,%rdi → call *fffffffff1b23008 test %rax,%rax ↓ je b91 add $0x70,%rax b91: mov %rax,%r14 u64 current_time = bpf_ktime_get_ns(); → call *fffffffff1b1e5c8 if (aggregate_flow == NULL) { test %r14,%r14 ↓ jne c6b latency = bpf_ktime_get_ns() - *value; mov -0x1b0(%rbp),%rdi sub %rdi,%r13 mov $0x1,%edi new_flow.packets = 1; mov %edi,-0x48(%rbp) xor %edi,%edi __builtin_memset(&new_flow, 0, sizeof(new_flow)); 
mov %edi,-0x2c(%rbp) new_flow.flags = flags; mov %r15w,-0x2c(%rbp) __builtin_memset(&new_flow, 0, sizeof(new_flow)); mov %edi,-0x18(%rbp) new_flow.dns_record.id = bpf_ntohs(dns->id); movzwq -0x98(%rbp),%rsi ror $0x8,%si movzwl %si,%esi new_flow.dns_record.id = bpf_ntohs(dns->id); mov %si,-0x16(%rbp) __builtin_memset(&new_flow, 0, sizeof(new_flow)); mov %edi,-0x14(%rbp) new_flow.dns_record.flags = bpf_ntohs(dns->flags); movzwq -0x96(%rbp),%rsi ror $0x8,%si movzwl %si,%esi new_flow.dns_record.flags = bpf_ntohs(dns->flags); mov %si,-0x14(%rbp) new_flow.end_mono_time_ts = current_time; mov %eax,-0x34(%rbp) new_flow.start_mono_time_ts = current_time; mov %eax,-0x3c(%rbp) shr $0x20,%rax new_flow.end_mono_time_ts = current_time; mov %eax,-0x30(%rbp) new_flow.start_mono_time_ts = current_time; mov %eax,-0x38(%rbp) __builtin_memset(&new_flow, 0, sizeof(new_flow)); mov %edi,-0x10(%rbp) new_flow.dns_record.latency = latency; mov %r13,%rsi shr $0x20,%rsi mov %si,-0xe(%rbp) __builtin_memset(&new_flow, 0, sizeof(new_flow)); mov %edi,-0xc(%rbp) new_flow.dns_record.latency = latency; mov %r13,%rsi shr $0x30,%rsi mov %si,-0xc(%rbp) mov %r13w,-0x12(%rbp) shr $0x10,%r13 mov %r13w,-0x10(%rbp) new_flow.bytes = len; shl $0x20,%rbx sar $0x20,%rbx new_flow.bytes = len; mov %ebx,-0x44(%rbp) shr $0x20,%rbx mov %ebx,-0x40(%rbp) __builtin_memset(&new_flow, 0, sizeof(new_flow)); mov %edi,-0x28(%rbp) mov %edi,-0x1c(%rbp) mov %edi,-0x20(%rbp) mov %edi,-0x24(%rbp) mov %edi,-0x8(%rbp) mov %di,-0x4(%rbp) mov %rbp,%rsi latency = bpf_ktime_get_ns() - *value; add $0xffffffffffffff78,%rsi mov %rbp,%rdx add $0xffffffffffffffb8,%rdx bpf_map_update_elem(&aggregated_flows, id, &new_flow, BPF_ANY); movabs $0xffff8f4147838400,%rdi c64: xor %ecx,%ecx → call *fffffffff1b1e2b8 c6b: xor %eax,%eax return trace_dns(&skb); c6d: pop %r15 4.17 pop %r14 pop %r13 pop %rbx leave 1.04 → jmp 0