I am trying to capture incoming packets with tracepoint events in the net category. As per this blog, netif_receive_skb seems to be a suitable tracepoint (one of the earliest points in the networking stack, L4 agnostic as well). Things work as expected with VMs having 1 NIC. However, when there are 2 NICs, some packets are not captured, meaning that the tracepoint is not triggered. Verifying with tcpdump on the secondary interface, I do see that the packets which are received by the secondary interface are not captured by the tracepoint netif_receive_skb.
My understanding was that the tracepoint was independent of the network interface, which is another reason for choosing netif_receive_skb over XDP (additionally, when loading the eBPF program with this tracepoint, network interfaces are not mentioned anyway).
Again referring to the blog, I noticed that "netif_receive_skb operates in the context of the softirq processing loop", which is in turn dependent on the interrupt raised by the network interface on receiving a packet.
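Code snippet for the tracepoint:

    /* trace_skb() and TP_NETIF_RECEIVE_SKB are defined elsewhere in the program. */
    SEC("tp/net/netif_receive_skb")
    int net_netif_receive_skb(struct trace_event_raw_consume_skb *args)
    {
        /* Read the sk_buff pointer recorded by the tracepoint. */
        struct sk_buff *skb = (struct sk_buff *)BPF_CORE_READ(args, skbaddr);

        return trace_skb(skb, TP_NETIF_RECEIVE_SKB);
    }
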
So the questions are: does each network interface have its own individual netif_receive_skb instance, or is this tracepoint shared by all the NICs? If netif_receive_skb is for individual interfaces, any idea/pointer/examples for such a program?