Initial implementation for user space uprobe for Open SSL #819

msherif1234 · 2025-10-20T16:18:56Z

Description

This PR adds support to probe/uretprobe to track openSSL write function call to read the packets before being encrypted and generate events using ringbuffer to userspace

I was able to bring up ebpf agent with SSL_enable on kind cluster

./examples/test-ssl-host.sh
=== Testing SSL with Host Process ===

This will run curl on each cluster node directly on the host
This should trigger the SSL uprobes since the host process uses
the same libssl.so that the agent attached to.

=========================================
Testing node: kind-control-plane
=========================================
Warning: No agent pod found on node kind-control-plane, skipping...
=========================================
Testing node: kind-worker
=========================================
Agent pod: netobserv-ebpf-agent-lglkp
Running curl with HTTP/1.1 (--http1.1) on host...
HTTP Request completed successfully
Checking logs for SSL events:
time="2025-10-23T17:24:10Z" level=info msg="SSL EVENT: pid=2449200806146953, timestamp=51258572899030, data_len=78, ssl_type=3" component=flow.RingBufTracer
=========================================
Testing node: kind-worker2
=========================================
Agent pod: netobserv-ebpf-agent-2wp7h
Running curl with HTTP/1.1 (--http1.1) on host...
HTTP Request completed successfully
Checking logs for SSL events:
time="2025-10-23T17:24:10Z" level=info msg="SSL EVENT: pid=2449200806146953, timestamp=51258572913197, data_len=78, ssl_type=3" component=flow.RingBufTracer
time="2025-10-23T17:24:10Z" level=info msg="SSL EVENT: pid=2449282410525596, timestamp=51258737434405, data_len=78, ssl_type=3" component=flow.RingBufTracer
=========================================
Test completed for all nodes
=========================================

Dependencies

n/a

Checklist

If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.

To run a perfscale test, comment with: /test ebpf-node-density-heavy-25nodes

openshift-ci · 2025-10-20T16:19:04Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jotak for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

….8.0-crc0 (#590) Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com>

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com>

jotak · 2025-11-03T17:17:03Z

@msherif1234 since there is no correlation with flows, I wonder if it's really something we want to send to FLP, or if just having something build-in (in the agent) to extract HTTP info and produce prometheus metrics, would be good enough?

The other use-case is to use specifically with the CLI/pcap

msherif1234 · 2025-11-14T13:26:04Z

@msherif1234 since there is no correlation with flows, I wonder if it's really something we want to send to FLP, or if just having something build-in (in the agent) to extract HTTP info and produce prometheus metrics, would be good enough?

The other use-case is to use specifically with the CLI/pcap

maybe for starter we can go with metrics maybe we can discuss this or collaborate together here I did rename the config

msherif1234 · 2025-11-17T18:17:18Z

/ok-to-test

Signed-off-by: Mohamed S. Mahmoud <[email protected]>

msherif1234 · 2025-11-17T18:23:10Z

/ok-to-test

github-actions · 2025-11-17T18:25:33Z

New images:
quay.io/netobserv/ebpf-bytecode:486fe96
quay.io/netobserv/netobserv-ebpf-agent:486fe96

These will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=486fe96 make set-agent-image

jpinsonneau · 2025-11-18T12:43:37Z

Hey @msherif1234, I took the opportunity to improve the script when testing on openshift:

Deploy the agents and collectors using:

$ AGENT_IMAGE=quay.io/netobserv/netobserv-ebpf-agent:486fe96 OPENSSL_PATH=/usr/lib64/libssl.so.3 ./scripts/deploy-agent.sh

Run your test SSL script (improved):

$ ./examples/test-ssl-host.sh 
=== Testing SSL with Host Process ===

Detected: Real Kubernetes/OpenShift cluster
Tests will run via privileged test pods with hostNetwork.
These pods mount the host's libssl.so to ensure uprobes are triggered.

This will run various SSL/TLS tests on each cluster node.
Tests use privileged pods with hostNetwork that mount the host's libssl.so,
ensuring processes use the same library that the agent's uprobe is attached to.

=========================================
Testing node: ip-10-0-1-225.ec2.internal
=========================================
Agent pod: netobserv-ebpf-agent-fcz6n

Node diagnostics:
  curl version: pod/ssl-test-ip-10-0-1-225-ec2-internal created
curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.2.2 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh/0.10.4/openssl/zlib nghttp2/1.43.0
curl available
  OpenSSL library: OpenSSL 3 (libssl.so.3)
  libssl location: lrwxrwxrwx. 1 root root     15 Jan  1  1970 /usr/lib64/libssl.so.3 -> libssl.so.3.2.2

Agent SSL tracking status:
  ✓ SSL tracking is enabled
    time="2025-11-18T11:20:47Z" level=info msg="SSL tracking enabled with library: /usr/lib64/libssl.so.3" component=ebpf.FlowFetcher
    time="2025-11-18T11:20:47Z" level=info msg="SSL RingBuf tracer started - listening for SSL events" component=flow.RingBufTracer
  Agent OPENSSL_PATH: /usr/lib64/libssl.so.3

[TEST 1] Basic HTTPS GET with HTTP/1.1
✓ Request completed successfully
[TEST 2] HTTPS POST with JSON data
✓ Request completed successfully
[TEST 3] HTTPS with TLS 1.2 explicitly
✓ Request completed successfully
[TEST 4] HTTPS with TLS 1.3 explicitly (optional)
✓ Request completed successfully with alternative endpoint
[TEST 5] HTTPS with custom headers
✓ Request completed successfully
[TEST 6] HTTPS to GitHub API
✓ Request completed successfully
[TEST 7] HTTPS to Google
✓ Request completed successfully
[TEST 8] HTTPS with large response (1KB)
✓ Request completed successfully
[TEST 9] HTTPS with HTTP/2 (optional)
✓ Request completed successfully (HTTP/2 supported)

Checking logs for SSL events after all tests:
✓ SSL events found:
  time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00d\x00\x04\x02\x00\x00\x00\x00\x02\x00\x00\x00\x00" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935408031192, data_len=13, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x04\b\x00\x00\x00\x00\x00\x01\xff\x00\x01" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935408065424, data_len=40, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x1f\x01\x05\x00\x00\x00\x01\x82\x84\x87A\x8b\xf1\xe3\xc2\xf3\x1c\xf3PU\xc8z\x7fz\x88%\xb6Pë\xba\xe2\xe1S\x03*/*" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935410611546, data_len=9, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x00\x04\x01\x00\x00\x00\x00" component=flow.RingBufTracer

  Decoded SSL data (plaintext before encryption):
    Binary data (hex): 00 00 12 04 00 00 00 00 00 00 03 00 00 00 64 00 04 02 00 00 00 00 02 00 00 00 00 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 04 5c 62 00 00 00 00 00 01 ff 00 01 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 1f 01 05 00 00 00 01 82 84 87 41 8b f1 e3 c2 f3 1c f3 50 55 c8 7a 7f 7a 88 25 b6 50 eb ba e2 e1 53 03 2a 2f 2a 0a...
    → Likely HTTP/2 frame or TLS handshake data

Detailed SSL event analysis:
  Found SSL events:
    time="2025-11-18T12:39:02Z" level=debug msg="SSL EVENT: pid=720931735637935, timestamp=12928033086161, data_len=78, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:02Z" level=debug msg="SSL data as string: GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:05Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:05Z" level=debug msg="SSL EVENT: pid=721155073937379, timestamp=12930250504317, data_len=85, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:05Z" level=debug msg="SSL data as string: GET /bytes/1024 HTTP/1.1\r\nHost: httpbin.org\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935407920281, data_len=24, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935407979485, data_len=27, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00d\x00\x04\x02\x00\x00\x00\x00\x02\x00\x00\x00\x00" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935408031192, data_len=13, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x04\b\x00\x00\x00\x00\x00\x01\xff\x00\x01" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935408065424, data_len=40, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x1f\x01\x05\x00\x00\x00\x01\x82\x84\x87A\x8b\xf1\xe3\xc2\xf3\x1c\xf3PU\xc8z\x7fz\x88%\xb6Pë\xba\xe2\xe1S\x03*/*" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935410611546, data_len=9, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x00\x04\x01\x00\x00\x00\x00" component=flow.RingBufTracer

  Decoded SSL data samples (plaintext before encryption):
    GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n
    → HTTP patterns: GET
HTTP/1.1
Host:
    GET /bytes/1024 HTTP/1.1\r\nHost: httpbin.org\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n
    → HTTP patterns: GET
HTTP/1.1
Host:
    PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n
    → HTTP patterns: HTTP/2.0
    Binary data (hex): 00 00 12 04 00 00 00 00 00 00 03 00 00 00 64 00 04 02 00 00 00 00 02 00 00 00 00 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 04 5c 62 00 00 00 00 00 01 ff 00 01 0a...
    → Likely HTTP/2 frame or TLS handshake data


Node ip-10-0-1-225.ec2.internal test summary:
  Total tests: 9
  Passed: 9
  Failed: 0

=========================================
Testing node: ip-10-0-1-29.ec2.internal
=========================================
Agent pod: netobserv-ebpf-agent-szt5g

Node diagnostics:
  curl version: pod/ssl-test-ip-10-0-1-29-ec2-internal created
curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.2.2 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh/0.10.4/openssl/zlib nghttp2/1.43.0
curl available
  OpenSSL library: OpenSSL 3 (libssl.so.3)
  libssl location: lrwxrwxrwx. 1 root root     15 Jan  1  1970 /usr/lib64/libssl.so.3 -> libssl.so.3.2.2

Agent SSL tracking status:
  ✓ SSL tracking is enabled
    time="2025-11-18T11:20:45Z" level=info msg="SSL tracking enabled with library: /usr/lib64/libssl.so.3" component=ebpf.FlowFetcher
    time="2025-11-18T11:20:45Z" level=info msg="SSL RingBuf tracer started - listening for SSL events" component=flow.RingBufTracer
  Agent OPENSSL_PATH: /usr/lib64/libssl.so.3

[TEST 10] Basic HTTPS GET with HTTP/1.1
✓ Request completed successfully
[TEST 11] HTTPS POST with JSON data
✓ Request completed successfully
[TEST 12] HTTPS with TLS 1.2 explicitly
✓ Request completed successfully
[TEST 13] HTTPS with TLS 1.3 explicitly (optional)
✓ Request completed successfully with alternative endpoint
[TEST 14] HTTPS with custom headers
✓ Request completed successfully
[TEST 15] HTTPS to GitHub API
✓ Request completed successfully
[TEST 16] HTTPS to Google
✓ Request completed successfully
[TEST 17] HTTPS with large response (1KB)
✓ Request completed successfully
[TEST 18] HTTPS with HTTP/2 (optional)
✓ Request completed successfully (HTTP/2 supported)

Checking logs for SSL events after all tests:
✓ SSL events found:
  time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00d\x00\x04\x02\x00\x00\x00\x00\x02\x00\x00\x00\x00" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915650335, data_len=13, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x04\b\x00\x00\x00\x00\x00\x01\xff\x00\x01" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915685336, data_len=40, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x1f\x01\x05\x00\x00\x00\x01\x82\x84\x87A\x8b\xf1\xe3\xc2\xf3\x1c\xf3PU\xc8z\x7fz\x88%\xb6Pë\xba\xe2\xe1S\x03*/*" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971918162827, data_len=9, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x00\x04\x01\x00\x00\x00\x00" component=flow.RingBufTracer

  Decoded SSL data (plaintext before encryption):
    Binary data (hex): 00 00 12 04 00 00 00 00 00 00 03 00 00 00 64 00 04 02 00 00 00 00 02 00 00 00 00 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 04 5c 62 00 00 00 00 00 01 ff 00 01 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 1f 01 05 00 00 00 01 82 84 87 41 8b f1 e3 c2 f3 1c f3 50 55 c8 7a 7f 7a 88 25 b6 50 eb ba e2 e1 53 03 2a 2f 2a 0a...
    → Likely HTTP/2 frame or TLS handshake data

Detailed SSL event analysis:
  Found SSL events:
    time="2025-11-18T12:39:47Z" level=debug msg="SSL EVENT: pid=579678851174199, timestamp=12964205535569, data_len=78, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:47Z" level=debug msg="SSL data as string: GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:49Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:49Z" level=debug msg="SSL EVENT: pid=579854944833376, timestamp=12966346637358, data_len=85, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:49Z" level=debug msg="SSL data as string: GET /bytes/1024 HTTP/1.1\r\nHost: httpbin.org\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915565758, data_len=24, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915627452, data_len=27, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00d\x00\x04\x02\x00\x00\x00\x00\x02\x00\x00\x00\x00" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915650335, data_len=13, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x04\b\x00\x00\x00\x00\x00\x01\xff\x00\x01" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915685336, data_len=40, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x1f\x01\x05\x00\x00\x00\x01\x82\x84\x87A\x8b\xf1\xe3\xc2\xf3\x1c\xf3PU\xc8z\x7fz\x88%\xb6Pë\xba\xe2\xe1S\x03*/*" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971918162827, data_len=9, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x00\x04\x01\x00\x00\x00\x00" component=flow.RingBufTracer

  Decoded SSL data samples (plaintext before encryption):
    GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n
    → HTTP patterns: GET
HTTP/1.1
Host:
    GET /bytes/1024 HTTP/1.1\r\nHost: httpbin.org\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n
    → HTTP patterns: GET
HTTP/1.1
Host:
    PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n
    → HTTP patterns: HTTP/2.0
    Binary data (hex): 00 00 12 04 00 00 00 00 00 00 03 00 00 00 64 00 04 02 00 00 00 00 02 00 00 00 00 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 04 5c 62 00 00 00 00 00 01 ff 00 01 0a...
    → Likely HTTP/2 frame or TLS handshake data


Node ip-10-0-1-29.ec2.internal test summary:
  Total tests: 18
  Passed: 18
  Failed: 0

=========================================
Test completed for all nodes
=========================================

Cleaning up test pods...
pod "ssl-test-ip-10-0-1-225-ec2-internal" deleted
pod "ssl-test-ip-10-0-1-29-ec2-internal" deleted

Overall Summary:
  Total tests executed: 18
  Passed: 18
  Failed: 0

  Pass rate: 100%

That seems to work fine 👌

Let me know if you see any issues in the results or if you want me to run something else. Thanks !

msherif1234 · 2025-11-18T12:47:21Z

Hey @msherif1234, I took the opportunity to improve the script when testing on openshift:

Deploy the agents and collectors using:

$ AGENT_IMAGE=quay.io/netobserv/netobserv-ebpf-agent:486fe96 OPENSSL_PATH=/usr/lib64/libssl.so.3 ./scripts/deploy-agent.sh

Run your test SSL script (improved):

$ ./examples/test-ssl-host.sh 
=== Testing SSL with Host Process ===

Detected: Real Kubernetes/OpenShift cluster
Tests will run via privileged test pods with hostNetwork.
These pods mount the host's libssl.so to ensure uprobes are triggered.

This will run various SSL/TLS tests on each cluster node.
Tests use privileged pods with hostNetwork that mount the host's libssl.so,
ensuring processes use the same library that the agent's uprobe is attached to.

=========================================
Testing node: ip-10-0-1-225.ec2.internal
=========================================
Agent pod: netobserv-ebpf-agent-fcz6n

Node diagnostics:
  curl version: pod/ssl-test-ip-10-0-1-225-ec2-internal created
curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.2.2 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh/0.10.4/openssl/zlib nghttp2/1.43.0
curl available
  OpenSSL library: OpenSSL 3 (libssl.so.3)
  libssl location: lrwxrwxrwx. 1 root root     15 Jan  1  1970 /usr/lib64/libssl.so.3 -> libssl.so.3.2.2

Agent SSL tracking status:
  ✓ SSL tracking is enabled
    time="2025-11-18T11:20:47Z" level=info msg="SSL tracking enabled with library: /usr/lib64/libssl.so.3" component=ebpf.FlowFetcher
    time="2025-11-18T11:20:47Z" level=info msg="SSL RingBuf tracer started - listening for SSL events" component=flow.RingBufTracer
  Agent OPENSSL_PATH: /usr/lib64/libssl.so.3

[TEST 1] Basic HTTPS GET with HTTP/1.1
✓ Request completed successfully
[TEST 2] HTTPS POST with JSON data
✓ Request completed successfully
[TEST 3] HTTPS with TLS 1.2 explicitly
✓ Request completed successfully
[TEST 4] HTTPS with TLS 1.3 explicitly (optional)
✓ Request completed successfully with alternative endpoint
[TEST 5] HTTPS with custom headers
✓ Request completed successfully
[TEST 6] HTTPS to GitHub API
✓ Request completed successfully
[TEST 7] HTTPS to Google
✓ Request completed successfully
[TEST 8] HTTPS with large response (1KB)
✓ Request completed successfully
[TEST 9] HTTPS with HTTP/2 (optional)
✓ Request completed successfully (HTTP/2 supported)

Checking logs for SSL events after all tests:
✓ SSL events found:
  time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00d\x00\x04\x02\x00\x00\x00\x00\x02\x00\x00\x00\x00" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935408031192, data_len=13, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x04\b\x00\x00\x00\x00\x00\x01\xff\x00\x01" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935408065424, data_len=40, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x1f\x01\x05\x00\x00\x00\x01\x82\x84\x87A\x8b\xf1\xe3\xc2\xf3\x1c\xf3PU\xc8z\x7fz\x88%\xb6Pë\xba\xe2\xe1S\x03*/*" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935410611546, data_len=9, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x00\x04\x01\x00\x00\x00\x00" component=flow.RingBufTracer

  Decoded SSL data (plaintext before encryption):
    Binary data (hex): 00 00 12 04 00 00 00 00 00 00 03 00 00 00 64 00 04 02 00 00 00 00 02 00 00 00 00 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 04 5c 62 00 00 00 00 00 01 ff 00 01 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 1f 01 05 00 00 00 01 82 84 87 41 8b f1 e3 c2 f3 1c f3 50 55 c8 7a 7f 7a 88 25 b6 50 eb ba e2 e1 53 03 2a 2f 2a 0a...
    → Likely HTTP/2 frame or TLS handshake data

Detailed SSL event analysis:
  Found SSL events:
    time="2025-11-18T12:39:02Z" level=debug msg="SSL EVENT: pid=720931735637935, timestamp=12928033086161, data_len=78, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:02Z" level=debug msg="SSL data as string: GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:05Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:05Z" level=debug msg="SSL EVENT: pid=721155073937379, timestamp=12930250504317, data_len=85, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:05Z" level=debug msg="SSL data as string: GET /bytes/1024 HTTP/1.1\r\nHost: httpbin.org\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935407920281, data_len=24, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935407979485, data_len=27, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00d\x00\x04\x02\x00\x00\x00\x00\x02\x00\x00\x00\x00" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935408031192, data_len=13, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x04\b\x00\x00\x00\x00\x00\x01\xff\x00\x01" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935408065424, data_len=40, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x1f\x01\x05\x00\x00\x00\x01\x82\x84\x87A\x8b\xf1\xe3\xc2\xf3\x1c\xf3PU\xc8z\x7fz\x88%\xb6Pë\xba\xe2\xe1S\x03*/*" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935410611546, data_len=9, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x00\x04\x01\x00\x00\x00\x00" component=flow.RingBufTracer

  Decoded SSL data samples (plaintext before encryption):
    GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n
    → HTTP patterns: GET
HTTP/1.1
Host:
    GET /bytes/1024 HTTP/1.1\r\nHost: httpbin.org\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n
    → HTTP patterns: GET
HTTP/1.1
Host:
    PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n
    → HTTP patterns: HTTP/2.0
    Binary data (hex): 00 00 12 04 00 00 00 00 00 00 03 00 00 00 64 00 04 02 00 00 00 00 02 00 00 00 00 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 04 5c 62 00 00 00 00 00 01 ff 00 01 0a...
    → Likely HTTP/2 frame or TLS handshake data


Node ip-10-0-1-225.ec2.internal test summary:
  Total tests: 9
  Passed: 9
  Failed: 0

=========================================
Testing node: ip-10-0-1-29.ec2.internal
=========================================
Agent pod: netobserv-ebpf-agent-szt5g

Node diagnostics:
  curl version: pod/ssl-test-ip-10-0-1-29-ec2-internal created
curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.2.2 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh/0.10.4/openssl/zlib nghttp2/1.43.0
curl available
  OpenSSL library: OpenSSL 3 (libssl.so.3)
  libssl location: lrwxrwxrwx. 1 root root     15 Jan  1  1970 /usr/lib64/libssl.so.3 -> libssl.so.3.2.2

Agent SSL tracking status:
  ✓ SSL tracking is enabled
    time="2025-11-18T11:20:45Z" level=info msg="SSL tracking enabled with library: /usr/lib64/libssl.so.3" component=ebpf.FlowFetcher
    time="2025-11-18T11:20:45Z" level=info msg="SSL RingBuf tracer started - listening for SSL events" component=flow.RingBufTracer
  Agent OPENSSL_PATH: /usr/lib64/libssl.so.3

[TEST 10] Basic HTTPS GET with HTTP/1.1
✓ Request completed successfully
[TEST 11] HTTPS POST with JSON data
✓ Request completed successfully
[TEST 12] HTTPS with TLS 1.2 explicitly
✓ Request completed successfully
[TEST 13] HTTPS with TLS 1.3 explicitly (optional)
✓ Request completed successfully with alternative endpoint
[TEST 14] HTTPS with custom headers
✓ Request completed successfully
[TEST 15] HTTPS to GitHub API
✓ Request completed successfully
[TEST 16] HTTPS to Google
✓ Request completed successfully
[TEST 17] HTTPS with large response (1KB)
✓ Request completed successfully
[TEST 18] HTTPS with HTTP/2 (optional)
✓ Request completed successfully (HTTP/2 supported)

Checking logs for SSL events after all tests:
✓ SSL events found:
  time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00d\x00\x04\x02\x00\x00\x00\x00\x02\x00\x00\x00\x00" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915650335, data_len=13, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x04\b\x00\x00\x00\x00\x00\x01\xff\x00\x01" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915685336, data_len=40, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x1f\x01\x05\x00\x00\x00\x01\x82\x84\x87A\x8b\xf1\xe3\xc2\xf3\x1c\xf3PU\xc8z\x7fz\x88%\xb6Pë\xba\xe2\xe1S\x03*/*" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971918162827, data_len=9, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x00\x04\x01\x00\x00\x00\x00" component=flow.RingBufTracer

  Decoded SSL data (plaintext before encryption):
    Binary data (hex): 00 00 12 04 00 00 00 00 00 00 03 00 00 00 64 00 04 02 00 00 00 00 02 00 00 00 00 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 04 5c 62 00 00 00 00 00 01 ff 00 01 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 1f 01 05 00 00 00 01 82 84 87 41 8b f1 e3 c2 f3 1c f3 50 55 c8 7a 7f 7a 88 25 b6 50 eb ba e2 e1 53 03 2a 2f 2a 0a...
    → Likely HTTP/2 frame or TLS handshake data

Detailed SSL event analysis:
  Found SSL events:
    time="2025-11-18T12:39:47Z" level=debug msg="SSL EVENT: pid=579678851174199, timestamp=12964205535569, data_len=78, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:47Z" level=debug msg="SSL data as string: GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:49Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:49Z" level=debug msg="SSL EVENT: pid=579854944833376, timestamp=12966346637358, data_len=85, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:49Z" level=debug msg="SSL data as string: GET /bytes/1024 HTTP/1.1\r\nHost: httpbin.org\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915565758, data_len=24, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915627452, data_len=27, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00d\x00\x04\x02\x00\x00\x00\x00\x02\x00\x00\x00\x00" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915650335, data_len=13, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x04\b\x00\x00\x00\x00\x00\x01\xff\x00\x01" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915685336, data_len=40, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x1f\x01\x05\x00\x00\x00\x01\x82\x84\x87A\x8b\xf1\xe3\xc2\xf3\x1c\xf3PU\xc8z\x7fz\x88%\xb6Pë\xba\xe2\xe1S\x03*/*" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971918162827, data_len=9, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x00\x04\x01\x00\x00\x00\x00" component=flow.RingBufTracer

  Decoded SSL data samples (plaintext before encryption):
    GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n
    → HTTP patterns: GET
HTTP/1.1
Host:
    GET /bytes/1024 HTTP/1.1\r\nHost: httpbin.org\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n
    → HTTP patterns: GET
HTTP/1.1
Host:
    PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n
    → HTTP patterns: HTTP/2.0
    Binary data (hex): 00 00 12 04 00 00 00 00 00 00 03 00 00 00 64 00 04 02 00 00 00 00 02 00 00 00 00 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 04 5c 62 00 00 00 00 00 01 ff 00 01 0a...
    → Likely HTTP/2 frame or TLS handshake data


Node ip-10-0-1-29.ec2.internal test summary:
  Total tests: 18
  Passed: 18
  Failed: 0

=========================================
Test completed for all nodes
=========================================

Cleaning up test pods...
pod "ssl-test-ip-10-0-1-225-ec2-internal" deleted
pod "ssl-test-ip-10-0-1-29-ec2-internal" deleted

Overall Summary:
  Total tests executed: 18
  Passed: 18
  Failed: 0

  Pass rate: 100%

That seems to work fine 👌

Let me know if you see any issues in the results or if you want me to run something else. Thanks !

Thanks @jpinsonneau were able to check the dash board metrics ? if so can pls include some pic here ?

jpinsonneau · 2025-11-18T12:49:41Z

Thanks @jpinsonneau were able to check the dash board metrics ? if so can pls include some pic here ?

Oh I don't have it here as I only deployed the agent + collector. Let me deploy netobserv and check 😉

msherif1234 · 2025-11-18T12:53:09Z

Thanks @jpinsonneau were able to check the dash board metrics ? if so can pls include some pic here ?

Oh I don't have it here as I only deployed the agent + collector. Let me deploy netobserv and check 😉

Thank you!!, also if u have a min pls run make docker-generate ci/cd doesn't like s390 files generated from my Mac.

jpinsonneau · 2025-11-18T13:54:53Z

@msherif1234 I capture some events and those are reported to the metrics. However, I only see openssl_type="0".

Is it expected ?

# HELP ebpf_agent_openssl_data_events_total Number of OpenSSL data events
# TYPE ebpf_agent_openssl_data_events_total counter
ebpf_agent_openssl_data_events_total{data_len="118",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="13",openssl_type="0"} 4
ebpf_agent_openssl_data_events_total{data_len="147",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="24",openssl_type="0"} 4
ebpf_agent_openssl_data_events_total{data_len="27",openssl_type="0"} 4
ebpf_agent_openssl_data_events_total{data_len="40",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="43",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="78",openssl_type="0"} 6
ebpf_agent_openssl_data_events_total{data_len="85",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="88",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="9",openssl_type="0"} 4

msherif1234 · 2025-11-18T14:05:59Z

@msherif1234 I capture some events and those are reported to the metrics. However, I only see openssl_type="0".

Is it expected ?

# HELP ebpf_agent_openssl_data_events_total Number of OpenSSL data events
# TYPE ebpf_agent_openssl_data_events_total counter
ebpf_agent_openssl_data_events_total{data_len="118",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="13",openssl_type="0"} 4
ebpf_agent_openssl_data_events_total{data_len="147",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="24",openssl_type="0"} 4
ebpf_agent_openssl_data_events_total{data_len="27",openssl_type="0"} 4
ebpf_agent_openssl_data_events_total{data_len="40",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="43",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="78",openssl_type="0"} 6
ebpf_agent_openssl_data_events_total{data_len="85",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="88",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="9",openssl_type="0"} 4

were u running the test script during this collection or those was just default flows ?

jpinsonneau · 2025-11-18T14:06:53Z

@msherif1234 I capture some events and those are reported to the metrics. However, I only see openssl_type="0".
Is it expected ?

# HELP ebpf_agent_openssl_data_events_total Number of OpenSSL data events
# TYPE ebpf_agent_openssl_data_events_total counter
ebpf_agent_openssl_data_events_total{data_len="118",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="13",openssl_type="0"} 4
ebpf_agent_openssl_data_events_total{data_len="147",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="24",openssl_type="0"} 4
ebpf_agent_openssl_data_events_total{data_len="27",openssl_type="0"} 4
ebpf_agent_openssl_data_events_total{data_len="40",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="43",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="78",openssl_type="0"} 6
ebpf_agent_openssl_data_events_total{data_len="85",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="88",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="9",openssl_type="0"} 4

were u running the test script during this collection or those was just default flows ?

yes that's with the test script running multiple times

msherif1234 · 2025-11-18T14:09:20Z

this is are the expected types
https://github.com/openssl/openssl/blob/master/ssl/ssl_local.h#L1225

so means its SSL connection type

openshift-ci · 2025-11-18T19:49:47Z

@msherif1234: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/netobserv-cli-tests	`945bfc1`	link	false	`/test netobserv-cli-tests`
ci/prow/qe-e2e-tests	`945bfc1`	link	false	`/test qe-e2e-tests`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

openshift-ci bot added the do-not-merge/work-in-progress label Oct 20, 2025

msherif1234 marked this pull request as draft October 20, 2025 16:19

msherif1234 requested a review from jotak October 20, 2025 18:36

msherif1234 force-pushed the dev_ssl branch 7 times, most recently from d102fc8 to 2e0828e Compare October 22, 2025 12:48

red-hat-konflux bot added 2 commits October 22, 2025 08:54

fix(deps): update module github.com/netobserv/flowlogs-pipeline to v1…

2f4fbe7

….8.0-crc0 (#590) Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com>

fix(deps): update module github.com/vmware/go-ipfix to v0.13.0 (#592)

b165fb3

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com>

msherif1234 force-pushed the dev_ssl branch 13 times, most recently from f5957da to b833299 Compare October 23, 2025 17:22

msherif1234 requested a review from jpinsonneau October 24, 2025 11:05

msherif1234 force-pushed the dev_ssl branch 3 times, most recently from 94c8a6a to 00fd511 Compare October 25, 2025 12:00

msherif1234 force-pushed the dev_ssl branch from 5d02a92 to 1d2856b Compare November 17, 2025 15:09

msherif1234 marked this pull request as ready for review November 17, 2025 15:22

msherif1234 requested a review from jotak November 17, 2025 15:23

msherif1234 changed the title ~~WIP: Initial implementation for user space uprobe for SSL~~ Initial implementation for user space uprobe for SSL Nov 17, 2025

openshift-ci bot removed the do-not-merge/work-in-progress label Nov 17, 2025

msherif1234 changed the title ~~Initial implementation for user space uprobe for SSL~~ Initial implementation for user space uprobe for Open SSL Nov 17, 2025

msherif1234 force-pushed the dev_ssl branch from 697b71f to ba53bda Compare November 17, 2025 15:28

openshift-ci bot added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Nov 17, 2025

msherif1234 added 2 commits November 17, 2025 13:22

Initial PR to implement openSSL userspace tracker

1f00f09

Signed-off-by: Mohamed S. Mahmoud <[email protected]>

Add promo metrics for openSSL tracker

0b7fc0e

Signed-off-by: Mohamed S. Mahmoud <[email protected]>

msherif1234 force-pushed the dev_ssl branch from ba53bda to 0b7fc0e Compare November 17, 2025 18:22

github-actions bot removed the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Nov 17, 2025

openshift-ci bot added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Nov 17, 2025

improved tests for openshift

ca8e6c6

github-actions bot removed the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Nov 18, 2025

update s390

945bfc1

Initial implementation for user space uprobe for Open SSL #819

Are you sure you want to change the base?

Initial implementation for user space uprobe for Open SSL #819

Uh oh!

Conversation

msherif1234 commented Oct 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Dependencies

Checklist

Uh oh!

openshift-ci bot commented Oct 20, 2025

Uh oh!

jotak commented Nov 3, 2025

Uh oh!

msherif1234 commented Nov 14, 2025

Uh oh!

msherif1234 commented Nov 17, 2025

Uh oh!

msherif1234 commented Nov 17, 2025

Uh oh!

github-actions bot commented Nov 17, 2025

Uh oh!

jpinsonneau commented Nov 18, 2025

Uh oh!

msherif1234 commented Nov 18, 2025

Uh oh!

jpinsonneau commented Nov 18, 2025

Uh oh!

msherif1234 commented Nov 18, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jpinsonneau commented Nov 18, 2025

Uh oh!

msherif1234 commented Nov 18, 2025

Uh oh!

jpinsonneau commented Nov 18, 2025

Uh oh!

msherif1234 commented Nov 18, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci bot commented Nov 18, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

msherif1234 commented Oct 20, 2025 •

edited

Loading

msherif1234 commented Nov 18, 2025 •

edited

Loading

msherif1234 commented Nov 18, 2025 •

edited

Loading