BPF Network Logs
Berkeley Packet Filter (BPF) is a packet filtering technology that runs inside the operating system kernel. It captures and filters network packets so that you can analyze traffic, check for security problems, and more. BPF rules are written in a small dedicated language that defines filtering conditions; a rule can match on the source IP, destination IP, protocol type, or port number of a packet. In simple terms, BPF works like an advanced network sieve that keeps only the packets matching the rules you set.
Guance uses BPF, an advanced Linux packet processing technology, to collect and display network traffic data, with visualizations that help you understand network behavior and diagnose issues.
Module Division
- Layer 4 BPF Network Logs (bpf_net_l4_log): Layer 4, the transport layer, is responsible for end-to-end data transmission. This module records network traffic information based on transport layer protocols such as TCP and UDP.
- Layer 7 BPF Network Logs (bpf_net_l7_log): Layer 7, the application layer, covers specific application protocols such as HTTP and FTP. This module records network traffic information based on application layer protocols.
Layer 4 BPF Network Logs
Filter data with source:bpf_net_l4_log in the log explorer and enter the details page:
- Packet Content: View the detailed packet content of each network flow, intuitively displaying different time points and packet directions.
- Packet Interaction: Analyze the packet exchange between the client and server.
- Time Difference: Record the time differences in packet transmission.
Network Details
The client and server are identified from the network transmission direction:
- outgoing: The source address (src_ip) is the client, and the destination address (dst_ip) is the server.
- incoming: The source address (src_ip) is the server, and the destination address (dst_ip) is the client.
- unknown: The source address (src_ip) is marked as Local, and the destination address (dst_ip) is marked as Remote.
Layer 4 and Layer 7 Network Correlation Analysis
When a packet is associated with Layer 7 network data, its HTTP method (http_method) and path (http_path) are displayed.
If a packet has Layer 7 network log data, you can click it to open a new page with the detailed Layer 7 network logs.
The search box in the upper right corner lets you search packets by seq to locate them quickly.
Layer 7 BPF Network Logs
Displays a list of all network flows and allows viewing detailed information for each flow. Filter data with source:bpf_net_l7_log in the log explorer and enter the details page:
Network Request Topology
Displays the network request path, showing the request flow and latency between physical hosts and virtual hosts. Guance draws the flow between nodes to help you understand how the network communication is structured.
- Virtual NIC: Displays information such as pod_name, nic_name, dst_port, src_port, k8s_namespace, k8s_container_name, host.
- Physical NIC: Displays information such as host, nic_name, dst_port, src_port, l4_proto, l7_proto.
Note
Unknown external networks are displayed as N/A.
For NIC nodes, you can perform the following operations:
- Hover over the port on a NIC node to display ip:port.
- To view network data details, hover over the NIC node and click the button in the upper right corner to jump to the corresponding page.
Associated Network Logs
Guance displays related log data based on three dimensions: single connection requests, cross-NIC requests, and transport layer requests.
- Single Connection Request: A request and response conducted between a client and a server through a single network connection.
- Cross-NIC Request: A request that traverses different NICs. For example, in a virtualized environment, a request might originate from a virtual NIC on a virtual machine and then be sent through the physical NIC of the host machine to another virtual machine or an external server.
- Transport Layer Request: Refers to transport layer network logs, such as requests conducted over TCP or UDP protocols.
Click the control on the right to change which columns are displayed for network logs:
Network Troubleshooting Example
When a network issue occurs, you can follow these steps for BPF network troubleshooting:
- Confirm the symptom: Record how the network issue manifests, such as connection timeouts or packet loss.
- Check Layer 4 logs: Use bpf_net_l4_log to view basic information about the relevant network flows, confirming the transmission direction and basic packet information.
- Dive into Layer 7 logs: If the issue might involve the application layer, use bpf_net_l7_log to view detailed application layer interactions.
- Analyze the network topology: Use the network request topology to check the call relationships and latency between virtual and physical NICs, and confirm whether there is network delay or interruption.
- Correlation analysis: Use the Layer 4 and Layer 7 correlation analysis to see whether a specific application layer protocol is causing the issue.
- Log correlation: Review all logs related to the problematic network flow to find further clues.
By following these steps, you can use BPF network visualization to troubleshoot network issues and locate and resolve problems quickly.
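As an added example that is not Guance's own code, the script below applies the direction rules from the Network Details section and the Layer 4/Layer 7 correlation step of the troubleshooting procedure to constructed log records: it labels client and server for each flow, joins Layer 7 method/path by seq, and flags flows whose time difference exceeds a threshold. The src_ip, dst_ip, seq, http_method, http_path and l4_proto fields are taken from the page; the direction and time_diff_ms keys and the record layout are assumptions.

```python
# Added example (not Guance's code). The "direction" and "time_diff_ms"
# keys and the dict layout are assumptions; other field names are from the page.
OUTGOING, INCOMING, UNKNOWN = "outgoing", "incoming", "unknown"


def client_server(rec):
    """Return (client, server) endpoints using the page's direction rules."""
    src = f"{rec['src_ip']}:{rec['src_port']}"
    dst = f"{rec['dst_ip']}:{rec['dst_port']}"
    if rec["direction"] == OUTGOING:      # source is the client
        return src, dst
    if rec["direction"] == INCOMING:      # source is the server
        return dst, src
    return f"Local({src})", f"Remote({dst})"  # unknown: Local / Remote


def correlate(l4_logs, l7_logs):
    """Attach Layer 7 method/path to each Layer 4 flow that shares its seq."""
    by_seq = {rec["seq"]: rec for rec in l7_logs}
    rows = []
    for flow in l4_logs:
        client, server = client_server(flow)
        l7 = by_seq.get(flow["seq"])
        rows.append({
            "seq": flow["seq"], "client": client, "server": server,
            "l4_proto": flow["l4_proto"],
            "http": f"{l7['http_method']} {l7['http_path']}" if l7 else None,
            "time_diff_ms": flow["time_diff_ms"],
        })
    return rows


def slow_flows(rows, threshold_ms):
    """Flows whose packet time difference exceeds the threshold (timeout hint)."""
    return [r for r in rows if r["time_diff_ms"] > threshold_ms]


# Constructed sample records (not real captures); addresses use TEST-NET ranges.
L4_LOGS = [
    {"seq": 1, "direction": OUTGOING, "src_ip": "10.0.0.5", "src_port": 51234,
     "dst_ip": "10.0.0.9", "dst_port": 80, "l4_proto": "tcp", "time_diff_ms": 12},
    {"seq": 2, "direction": INCOMING, "src_ip": "10.0.0.9", "src_port": 443,
     "dst_ip": "10.0.0.7", "dst_port": 40022, "l4_proto": "tcp", "time_diff_ms": 1800},
    {"seq": 3, "direction": UNKNOWN, "src_ip": "10.0.0.5", "src_port": 53001,
     "dst_ip": "203.0.113.10", "dst_port": 53, "l4_proto": "udp", "time_diff_ms": 30},
]
L7_LOGS = [
    {"seq": 1, "http_method": "GET", "http_path": "/api/items"},
    {"seq": 2, "http_method": "POST", "http_path": "/api/orders"},
]

if __name__ == "__main__":
    for row in correlate(L4_LOGS, L7_LOGS):
        print(row)
```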