
ERR SSLDataEvent's fd is 0 address= fd=0 pid=13617 #596

Open
amwait opened this issue Aug 21, 2024 · 16 comments
Labels: bug (Something isn't working), help wanted (Extra attention is needed)

Comments

@amwait

amwait commented Aug 21, 2024

While using ecapture to capture TLS traffic, I get `ERR SSLDataEvent's fd is 0 address= fd=0 pid=3944`. What problem could be causing this?
Environment:
Pixel 6 Pro
Android 12
kernel version 5.10.81
Mode: non-core BTF mode

@cfc4n cfc4n added the help wanted Extra attention is needed label Aug 21, 2024
@cfc4n
Member

cfc4n commented Aug 21, 2024

I haven't run into this before. But it looks like it doesn't affect plaintext capture in text mode?

Also, at the very least, paste the command you used to start it together with the output after it started.

The way you ask questions has a lot of room for improvement. It's like squeezing toothpaste: you ask a bit, I answer a bit, you ask a bit more. It's exhausting.

@amwait
Author

amwait commented Aug 21, 2024

OK, thanks.

@cfc4n
Member

cfc4n commented Aug 25, 2024

hello?

@yuweizzz
Contributor

This should be an issue with SSL_set_fd. It doesn't seem to happen on the server side; it's the client side that reports this error.

@amwait
Author

amwait commented Aug 26, 2024

App: KFC (肯德基) app
ecapture version: 0.8.5
Start command: ./ecapture-0.8.5 tls -m text
The error looks like this:
[three screenshots, not reproduced here]
The main symptom: for some requests, the data (request headers, request body, URL) is not visible.

@yuweizzz
Contributor

You could try pcap mode and look at what the actual packets contain; text mode doesn't handle some special protocols.

@cfc4n
Member

cfc4n commented Sep 6, 2024

No response for more than 2 weeks, closing.

@cfc4n cfc4n closed this as completed Sep 6, 2024
@xxxxxliil
Contributor

@cfc4n please reopen this issue. I found that even a simple 1.1.1.1/cdn-cgi/trace triggers the same problem.

@cfc4n cfc4n reopened this Sep 9, 2024
@cfc4n
Member

cfc4n commented Sep 9, 2024

> @cfc4n please reopen this issue. I found that even a simple 1.1.1.1/cdn-cgi/trace triggers the same problem.

Could you add the steps to reproduce?

@yuweizzz
Contributor

It seems this only happens with OpenSSL 3.0 and later, and only for requests initiated by the client.

@xxxxxliil
Contributor

xxxxxliil commented Sep 10, 2024

> It seems this only happens with OpenSSL 3.0 and later, and only for requests initiated by the client.

No. From what I can see so far, the phone's BoringSSL shows the same problem too:

```
2024-09-10T13:19:30Z ERR SSLDataEvent's fd is 0 address= fd=0 pid=3327
2024-09-10T13:19:30Z DBG SSLDataEvent address=[ADDR_NOT_FOUND] fd=0 pid=3327
2024-09-10T13:19:30Z ERR SSLDataEvent's fd is 0 address= fd=0 pid=3327
2024-09-10T13:19:30Z DBG SSLDataEvent address=[ADDR_NOT_FOUND] fd=0 pid=3327
2024-09-10T13:19:31Z ??? UUID:3327_3594_Thread-18_0_1_0.0.0.0, Name:HTTPRequest, Type:1, Length:455
POST /APPService/S.asmx/GetPhoneByEVXP HTTP/1.1
Host: b2e.a.dogfood.com
Accept-Encoding: gzip
Charset: utf-8
Connection: Keep-Alive
Content-Length: 134
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Dalvik/2.1.0 (Linux; U; Android 13; -)

strLang=&strKey=q&strEmpNo=NA&strAuthKey=MC&
2024-09-10T13:19:31Z ??? UUID:3327_3594_Thread-18_0_0_0.0.0.0, Name:HTTPResponse, Type:3, Length:607
HTTP/1.1 200 OK
Content-Length: 152
Cache-Control: private, max-age=0,no-cache
Content-Security-Policy: frame-ancestors 'self'; script-src 'self'; object-src 'self'; style-src 'self'
Content-Type: text/xml; charset=utf-8
Date: Tue, 10 Sep 2024 13:19:31 GMT
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block

<?xml version="1.0" encoding="utf-8"?>
<string xmlns="http://tempuri.org/">{"RESULT":[{"STATUS":"C"},{"RETURN_MESSAGE":"此工号不存在"}]}</string>
```

This is the TLS HTTP/1.1 request and response sent and received by one app.

@xxxxxliil
Contributor

xxxxxliil commented Sep 10, 2024

> > @cfc4n please reopen this issue. I found that even a simple 1.1.1.1/cdn-cgi/trace triggers the same problem.
>
> Could you add the steps to reproduce?

Because ecapture currently can't filter processes by comm or args, I use the pid: run `curl https://1.1.1.1/cdn-cgi/trace`, but press Ctrl+Z right away to suspend it, then pass the pid the shell shows as ecapture's argument and try to capture.

```
curl --socks5 127.0.0.1:1080 -v https://www.google.com/gen_204

*   Trying 127.0.0.1:1080...
* Connected to 127.0.0.1 (127.0.0.1) port 1080
* Host www.google.com:443 was resolved.
* IPv6: 2001::1
* IPv4: 199.16.158.12
* SOCKS5 connect to 199.16.158.12:443 (locally resolved)
* SOCKS5 request granted.
* Connected to 127.0.0.1 (127.0.0.1) port 1080
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
^Z
[1]  + 2020977 suspended  curl --socks5 127.0.0.1:1080 -v https://www.google.com/gen_204
148|$ fg
[1]  + 2020977 continued  curl --socks5 127.0.0.1:1080 -v https://www.google.com/gen_204
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=www.google.com
*  start date: Aug 12 07:19:41 2024 GMT
*  expire date: Nov  4 07:19:40 2024 GMT
*  subjectAltName: host "www.google.com" matched cert's "www.google.com"
*  issuer: C=US; O=Google Trust Services; CN=WR2
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha384WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://www.google.com/gen_204
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: www.google.com]
* [HTTP/2] [1] [:path: /gen_204]
* [HTTP/2] [1] [user-agent: curl/8.9.1]
* [HTTP/2] [1] [accept: */*]
> GET /gen_204 HTTP/2
> Host: www.google.com
> User-Agent: curl/8.9.1
> Accept: */*
> 
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 204 
< content-type: text/html; charset=ISO-8859-1
< content-security-policy: object-src 'none';base-uri 'self';script-src 'nonce-...' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< date: Tue, 10 Sep 2024 13:34:11 GMT
< server: gws
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< set-cookie: NID=!=...; expires=...; path=/; domain=.google.com; HttpOnly
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< 
* Connection #0 to host 127.0.0.1 left intact
```

```
sudo bin/ecapture -p 2020977 --debug tls

2024-09-10T21:34:09+08:00 INF AppName="eCapture(旁观者)"
2024-09-10T21:34:09+08:00 INF HomePage=https://ecapture.cc
2024-09-10T21:34:09+08:00 INF Repository=https://github.com/gojue/ecapture
2024-09-10T21:34:09+08:00 INF Author="CFC4N <[email protected]>"
2024-09-10T21:34:09+08:00 INF Description="Capturing SSL/TLS plaintext without a CA certificate using eBPF. Supported on Linux/Android kernels for amd64/arm64."
2024-09-10T21:34:09+08:00 INF Version=linux_amd64:0.8.5-20240829-a2cb6ef:[CORE]
2024-09-10T21:34:09+08:00 INF Listen=localhost:28256
2024-09-10T21:34:09+08:00 INF eCapture running logs logger=
2024-09-10T21:34:09+08:00 INF the file handler that receives the captured event eventCollector=
2024-09-10T21:34:09+08:00 WRN ========== module starting. ==========
2024-09-10T21:34:09+08:00 INF Kernel Info=6.10.7 Pid=2021076
2024-09-10T21:34:09+08:00 INF BTF bytecode mode: CORE. btfMode=0
2024-09-10T21:34:09+08:00 INF master key keylogger has been set. eBPFProgramType=Text keylogger=
2024-09-10T21:34:09+08:00 INF module initialization. isReload=false moduleName=EBPFProbeOPENSSL
2024-09-10T21:34:09+08:00 INF Module.Run()
2024-09-10T21:34:09+08:00 INF OpenSSL/BoringSSL version found sslVersion="openssl 3.3.1"
2024-09-10T21:34:09+08:00 INF Hook masterKey function ElfType=2 Functions=["SSL_get_wbio","SSL_in_before","SSL_do_handshake"] binrayPath=/lib64/libssl.so.3
2024-09-10T21:34:09+08:00 INF listen=localhost:28256
2024-09-10T21:34:09+08:00 INF https server starting...You can update the configuration file via the HTTP interface.
2024-09-10T21:34:09+08:00 INF target process. target PID=2020977
2024-09-10T21:34:09+08:00 INF target all users.
2024-09-10T21:34:09+08:00 INF setupManagers eBPFProgramType=Text
2024-09-10T21:34:09+08:00 INF BPF bytecode file is matched. bpfFileName=user/bytecode/openssl_3_2_0_kern_core.o
2024-09-10T21:34:10+08:00 INF perfEventReader created mapSize(MB)=4
2024-09-10T21:34:10+08:00 INF perfEventReader created mapSize(MB)=4
2024-09-10T21:34:10+08:00 INF module started successfully. isReload=false moduleName=EBPFProbeOPENSSL
2024-09-10T21:34:11+08:00 ERR SSLDataEvent's fd is 0 address= fd=0 pid=2020977
2024-09-10T21:34:11+08:00 DBG SSLDataEvent address=[ADDR_NOT_FOUND] fd=0 pid=2020977
2024-09-10T21:34:11+08:00 ERR SSLDataEvent's fd is 0 address= fd=0 pid=2020977
2024-09-10T21:34:11+08:00 DBG SSLDataEvent address=[ADDR_NOT_FOUND] fd=0 pid=2020977
2024-09-10T21:34:11+08:00 ERR SSLDataEvent's fd is 0 address= fd=0 pid=2020977
2024-09-10T21:34:11+08:00 DBG SSLDataEvent address=[ADDR_NOT_FOUND] fd=0 pid=2020977
2024-09-10T21:34:11+08:00 ERR SSLDataEvent's fd is 0 address= fd=0 pid=2020977
2024-09-10T21:34:11+08:00 DBG SSLDataEvent address=[ADDR_NOT_FOUND] fd=0 pid=2020977
2024-09-10T21:34:11+08:00 ERR SSLDataEvent's fd is 0 address= fd=0 pid=2020977
2024-09-10T21:34:11+08:00 DBG SSLDataEvent address=[ADDR_NOT_FOUND] fd=0 pid=2020977
2024-09-10T21:34:11+08:00 ERR SSLDataEvent's fd is 0 address= fd=0 pid=2020977
2024-09-10T21:34:11+08:00 DBG SSLDataEvent address=[ADDR_NOT_FOUND] fd=0 pid=2020977
2024-09-10T21:34:11+08:00 ERR SSLDataEvent's fd is 0 address= fd=0 pid=2020977
2024-09-10T21:34:11+08:00 DBG SSLDataEvent address=[ADDR_NOT_FOUND] fd=0 pid=2020977
2024-09-10T21:34:11+08:00 ERR SSLDataEvent's fd is 0 address= fd=0 pid=2020977
2024-09-10T21:34:11+08:00 DBG SSLDataEvent address=[ADDR_NOT_FOUND] fd=0 pid=2020977
2024-09-10T21:34:11+08:00 ERR SSLDataEvent's fd is 0 address= fd=0 pid=2020977
2024-09-10T21:34:11+08:00 DBG SSLDataEvent address=[ADDR_NOT_FOUND] fd=0 pid=2020977
2024-09-10T21:34:13+08:00 ??? UUID:2020977_2020977_curl_0_0_0.0.0.0, Name:HTTP2Response, Type:4, Length:1126

Frame Type      =>      SETTINGS

Frame Type      =>      WINDOW_UPDATE

Frame Type      =>      SETTINGS

Frame Type      =>      HEADERS
header field ":status" = "204"
header field "content-type" = "text/html; charset=ISO-8859-1"
header field "content-security-policy" = "object-src 'none';base-uri 'self';script-src 'nonce-...' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other"
header field "p3p" = "CP=\"This is not a P3P policy! See g.co/p3phelp for more info.\""
header field "date" = "Tue, 10 Sep 2024 13:34:11 GMT"
header field "server" = "gws"
header field "content-length" = "0"
header field "x-xss-protection" = "0"
header field "x-frame-options" = "SAMEORIGIN"
header field "set-cookie" = "NID=!=...; expires=...; path=/; domain=.google.com; HttpOnly"
header field "alt-svc" = "h3=\":443\"; ma=2592000,h3-29=\":443\"; ma=2592000"

Frame Type      =>      PING

2024-09-10T21:34:13+08:00 ??? UUID:2020977_2020977_curl_0_1_0.0.0.0, Name:HTTP2Request, Type:2, Length:336

Frame Type      =>      SETTINGS

Frame Type      =>      WINDOW_UPDATE

Frame Type      =>      HEADERS
header field ":method" = "GET"
header field ":scheme" = "https"
header field ":authority" = "www.google.com"
header field ":path" = "/gen_204"
header field "user-agent" = "curl/8.9.1"
header field "accept" = "*/*"

Frame Type      =>      SETTINGS

Frame Type      =>      GOAWAY

^C2024-09-10T21:36:51+08:00 INF module close.
2024-09-10T21:36:51+08:00 INF Module closed,message recived from Context
2024-09-10T21:36:51+08:00 INF iModule module close
2024-09-10T21:36:51+08:00 INF bye bye.
```
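The Ctrl+Z / fg reproduction above, written as a script so that the client is frozen before it can start its TLS handshake and ecapture attaches to a PID that is already known. This is an added example, not code from ecapture or from anyone in this thread. It assumes a Linux host with curl on PATH, an ecapture binary at bin/ecapture started through sudo, and the -p and --debug flags exactly as used in the log above; nothing else about ecapture's behaviour is assumed.

```python
"""Added example (not from ecapture or this thread): automate the "curl, Ctrl-Z, fg"
reproduction so the client's PID is known before any TLS traffic exists.
Assumes Linux, curl on PATH and an ecapture binary at bin/ecapture."""
import os
import signal
import subprocess
import time


def start_stopped(cmd):
    """Start cmd and freeze it with SIGSTOP, returning the Popen handle.

    waitpid(WUNTRACED) blocks until the kernel has really stopped the child, so the
    caller can attach a probe to the PID without racing the TLS handshake."""
    proc = subprocess.Popen(cmd)
    os.kill(proc.pid, signal.SIGSTOP)
    _, status = os.waitpid(proc.pid, os.WUNTRACED)
    if not os.WIFSTOPPED(status):
        raise RuntimeError(f"pid {proc.pid} exited before it could be stopped")
    return proc


def resume(proc):
    """Send SIGCONT and return True once the kernel reports the child as continued
    (False if it exited before the continuation could be observed)."""
    os.kill(proc.pid, signal.SIGCONT)
    _, status = os.waitpid(proc.pid, os.WCONTINUED)
    return os.WIFCONTINUED(status)


def reproduce(url="https://1.1.1.1/cdn-cgi/trace",
              ecapture=("sudo", "bin/ecapture"), settle=2.0):
    """Run the thread's reproduction end to end: stopped curl -> attach -> resume.

    Returns curl's exit status. ecapture's --debug output (the DBG/ERR SSLDataEvent
    lines) goes to the terminal exactly as in the thread."""
    client = start_stopped(["curl", "-sS", url])
    capture = subprocess.Popen([*ecapture, "-p", str(client.pid), "--debug", "tls"])
    time.sleep(settle)                  # give ecapture time to load its eBPF programs
    resume(client)                      # DNS, TCP and the TLS handshake now run under the hooks
    client.wait()
    time.sleep(1.0)                     # let the last SSLDataEvents drain
    capture.send_signal(signal.SIGINT)  # the thread stopped ecapture with Ctrl-C; sudo relays SIGINT
    capture.wait()
    return client.returncode


if __name__ == "__main__":
    raise SystemExit(reproduce())
```

The stop is confirmed through waitpid(WUNTRACED) rather than by timing, so the attach step never races the handshake; `reproduce()` is the end-to-end run, and the two helpers work on any command, not only curl.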

@xxxxxliil
Contributor

While capturing curl in Ubuntu 20.04 inside a container, I noticed this line in the trace_pipe log: `curl-2068865 [003] ...11 104629.165726: bpf_trace_printk: SSL_set_fd hook!!, ssl_addr:-2116985504, fd:5`, and the addr obtained is a negative value every time. At the same time, ecapture output the following:

```
2024-09-10T14:11:04Z DBG GetConn fd=5 pid=2072189
2024-09-10T14:11:04Z DBG SSLDataEvent address=[ADDR_NOT_FOUND] fd=5 pid=2072189
2024-09-10T14:11:05Z ??? UUID:2072189_2072189_curl_5_1_0.0.0.0, Name:HTTP2Request, Type:2, Length:314
```

In other words, with OpenSSL 1.1.1f the fd can be obtained, but the address is not obtained correctly.
https://github.com/gojue/ecapture/blob/master/kern/openssl.h#L457
Isn't it a bit unreasonable to output a u64 value as an int? Because, for kernel compatibility, %lu isn't used.
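To tell the two failure modes in this thread apart across many PIDs, here is an added example (not code from ecapture or from anyone in the thread) that parses the --debug lines and the trace_pipe line quoted above. It only knows the exact line shapes quoted here, and the sample lines are constructed from them. The low-32-bit reconstruction assumes that a negative ssl_addr is a pointer whose low 32 bits were printed through a signed int conversion, which is what the question about %lu implies; whether a given negative value is instead a field that has not been assigned yet, as cfc4n suggests in a later reply, cannot be decided from the line alone.

```python
"""Added example (not from ecapture or this thread): parsers for the two log formats
quoted above, ecapture's --debug lines and the trace_pipe line from the SSL_set_fd hook,
to sort captured PIDs by failure mode. Sample lines are constructed from the thread."""
import re
from collections import defaultdict

# Constructed sample, modelled on the lines quoted in this thread.
SAMPLE_ECAPTURE_LOG = """\
2024-09-10T14:11:04Z DBG GetConn fd=5 pid=2072189
2024-09-10T14:11:04Z DBG SSLDataEvent address=[ADDR_NOT_FOUND] fd=5 pid=2072189
2024-09-10T21:34:11+08:00 ERR SSLDataEvent's fd is 0 address= fd=0 pid=2020977
2024-09-10T21:34:11+08:00 DBG SSLDataEvent address=[ADDR_NOT_FOUND] fd=0 pid=2020977
2024-09-10T21:34:11+08:00 DBG SSLDataEvent address=[ADDR_NOT_FOUND] fd=0 pid=2020977
2024-09-10T21:34:13+08:00 ??? UUID:2020977_2020977_curl_0_1_0.0.0.0, Name:HTTP2Request, Type:2, Length:336
"""
SAMPLE_TRACE_LINE = ("curl-2068865 [003] ...11 104629.165726: bpf_trace_printk: "
                     "SSL_set_fd hook!!, ssl_addr:-2116985504, fd:5")

# One DBG line per SSLDataEvent. The ERR line that precedes an fd=0 event repeats the
# same fd/pid, so only DBG lines are counted, which avoids double counting.
EVENT_RE = re.compile(
    r"^\S+ DBG SSLDataEvent address=(?P<addr>\S*) fd=(?P<fd>\d+) pid=(?P<pid>\d+)$"
)


def summarize(log_text):
    """Per-PID counts of SSLDataEvents, how many had fd=0 and how many had no address,
    plus a verdict:
      'no_fd'              every event lacked an fd (the SSL_set_fd case above)
      'fd_without_address' fds present but the address lookup failed (OpenSSL 1.1.1f case)
      'partial'            only some events were affected
      'ok'                 every event carried an fd and a resolved address"""
    stats = defaultdict(lambda: {"events": 0, "fd_zero": 0, "addr_not_found": 0})
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        s = stats[int(m["pid"])]
        s["events"] += 1
        if int(m["fd"]) == 0:
            s["fd_zero"] += 1
        if m["addr"] == "[ADDR_NOT_FOUND]":
            s["addr_not_found"] += 1
    for s in stats.values():
        if s["fd_zero"] == s["events"]:
            s["verdict"] = "no_fd"
        elif s["fd_zero"] == 0 and s["addr_not_found"] == s["events"]:
            s["verdict"] = "fd_without_address"
        elif s["fd_zero"] or s["addr_not_found"]:
            s["verdict"] = "partial"
        else:
            s["verdict"] = "ok"
    return dict(stats)


TRACE_RE = re.compile(r"SSL_set_fd hook!!, ssl_addr:(?P<addr>-?\d+), fd:(?P<fd>\d+)")


def parse_trace_pipe(line):
    """Return (low 32 bits of ssl_addr as unsigned, fd) from the SSL_set_fd trace line.

    Assumption: a negative ssl_addr is a 64-bit pointer whose low 32 bits went through a
    signed int conversion; masking with 0xFFFFFFFF recovers those bits unsigned."""
    m = TRACE_RE.search(line)
    if not m:
        raise ValueError("not an SSL_set_fd trace line")
    return int(m["addr"]) & 0xFFFFFFFF, int(m["fd"])


def matches_low32(full_addr, low32):
    """True if a full 64-bit user-space address shares its low 32 bits with the printed value."""
    return full_addr & 0xFFFFFFFF == low32
```

The masking step turns the thread's -2116985504 into 0x81d15d60, so a printed value can only ever be compared against the low half of a real 64-bit address; `summarize()` separates PIDs that never get an fd from PIDs that get an fd but no resolved address, which is the distinction the last two comments are making.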

@cfc4n
Member

cfc4n commented Sep 15, 2024

When it's negative, the struct field probably hasn't been assigned yet.

The fd display is used together with the tcp_connect information to match the IP and PORT; it doesn't affect actual use.

@cfc4n cfc4n added the bug Something isn't working label Sep 15, 2024
@xxxxxliil
Contributor

> When it's negative, the struct field probably hasn't been assigned yet.
>
> The fd display is used together with the tcp_connect information to match the IP and PORT; it doesn't affect actual use.

OK. Is there any plan to change the format string?

@cfc4n
Member

cfc4n commented Sep 15, 2024

Not for now. When fd is 0, it's likely that OpenSSL has used the BIO mode (Basic Input/Output), and we need to identify this root cause. I will analyze it soon.
