You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Part of v0.2.0 (#32). The tracepoint-only half of closing the #37 capture gaps — everything that does not need a kprobe. Sibling of #68 (which handles the one case that does: sendfile body bytes).
Problem
tinytap hooks write/read/sendto/recvfrom/sendmsg/recvmsg syscall tracepoints, but notwritev/readv or sendfile. So:
writev/readv — vectored I/O. The payload is in user space (the iovec buffers), so it's fully capturable; tinytap just doesn't hook it yet. Servers that write headers+body in one vectored call (Go net/http, some Node paths) lose those bytes today.
sendfile — the body bytes are kernel-to-kernel and unreachable without a kprobe (that's Capture sendfile/splice body bytes via a TCP-send-path kprobe #68). But the metadata — byte count and the fds — comes straight off sys_enter_sendfile64. Capturing that lets the panel say "50 KiB body sent via sendfile (zero-copy, content not captured)" instead of dropping the exchange silently.
All of this stays within the existing tracepoint design (#8) — no vmlinux.h, no CO-RE, no kprobe.
Scope
writev/readv content — hook sys_enter_writev / sys_exit_readv (and writev/readv counterparts). Walk the iovec array and sample bytes as the existing write/read paths do. Bound the iovec loop to a fixed max entry count for the verifier; log/flag when truncated.
sendfile metadata — hook sys_enter_sendfile64 (+ sys_exit for the returned count). Emit an event carrying the out_fd and byte count, flagged as a zero-copy body with no captured content.
Render — the detail/body view shows the writev/readv bytes like any other payload, and shows the sendfile marker (body: N bytes via sendfile — content not captured) so the limitation reads clearly rather than as missing data.
Event schema: document any new syscall ids / flags in docs/event-schema.md.
Part of v0.2.0 (#32). The tracepoint-only half of closing the #37 capture gaps — everything that does not need a kprobe. Sibling of #68 (which handles the one case that does: sendfile body bytes).
Problem
tinytap hooks
write/read/sendto/recvfrom/sendmsg/recvmsgsyscall tracepoints, but notwritev/readvorsendfile. So:writev/readv— vectored I/O. The payload is in user space (the iovec buffers), so it's fully capturable; tinytap just doesn't hook it yet. Servers that write headers+body in one vectored call (Gonet/http, some Node paths) lose those bytes today.sendfile— the body bytes are kernel-to-kernel and unreachable without a kprobe (that's Capture sendfile/splice body bytes via a TCP-send-path kprobe #68). But the metadata — byte count and the fds — comes straight offsys_enter_sendfile64. Capturing that lets the panel say "50 KiB body sent via sendfile (zero-copy, content not captured)" instead of dropping the exchange silently.All of this stays within the existing tracepoint design (#8) — no
vmlinux.h, no CO-RE, no kprobe.Scope
writev/readvcontent — hooksys_enter_writev/sys_exit_readv(andwritev/readvcounterparts). Walk theiovecarray and sample bytes as the existing write/read paths do. Bound the iovec loop to a fixed max entry count for the verifier; log/flag when truncated.sendfilemetadata — hooksys_enter_sendfile64(+sys_exitfor the returned count). Emit an event carrying the out_fd and byte count, flagged as a zero-copy body with no captured content.body: N bytes via sendfile — content not captured) so the limitation reads clearly rather than as missing data.Out of scope
Done when
writevshows its body in the detail panelsendfileshows the body size and an explicit "content not captured" marker, not an empty/absent exchangeRefs: #37 (gap discovery), #68 (the kprobe half), #35 (body view), #36 (payload cap).