Releases: retis-org/retis
v1.6.3
7 non-merge commits since v1.6.2.
- Fix an issue in the nft collector leading to no stack trace being reported when using the nft-dropmon profile.
- Fix a compilation issue on Rawhide linked to older libbpf versions.
- Pull for more recent images when using retis_in_container.sh with docker as the runtime. This aligns the behavior with when using podman as the runtime.
- Other commits include documentation changes and linter/build fixes.
v1.6.2
v1.6.1
v1.6.0
This version brings major new features, improvements and fixes. It contains 217 non-merge commits since v1.5.0. Many thanks to all the contributors 🥳
Open vSwitch detrace
Retis can now query the running OvS daemon to enrich events with datapath and OpenFlow flows.
See the documentation page.
Packet parsing and display
Packets are now parsed when they are printed rather than when they are collected. This improves performance at collection time. The parsing logic was also rewritten and is now more resilient and versatile. Support for additional fields and protocols was added along the way (Geneve, VXLAN, TCP options, IPv4 options and IPv6 extensions). For protocols and fields not supported in Retis directly, retis pcap can be used and the data can be consumed in third-party tools (e.g. tcpdump).
Boolean expressions in meta-filtering
Meta filters (--filter-meta) now support boolean expressions, e.g. retis collect -m '(sk_buff.pkt_type == 0x0 || sk_buff.mark == 0x100) && sk_buff.cloned'. As part of this the meta filter internals were also improved significantly.
See the dedicated documentation for more details.
Backward compatibility
Retis is now able to read events generated from older versions (starting with v1.5.0).
See the details in the compatibility documentation.
VLAN support
Both VLAN and h/w offload VLAN information are now retrieved and exposed. For the VLAN data to be shown, make sure you're using the -e command line option (which prints link-level information) while collecting and printing packets.
Custom profiles
A custom profile directory can now be used, as well as custom profiles. This provides a nice way of sharing configurations while debugging an issue. E.g. retis -p <path to profile> collect.
Other improvements
- Per-probe options: stack traces can now be reported per-probe, e.g. retis collect -p tp:skb:kfree_skb/stack.
- Retis is now much faster to start collecting events (retis collect).
- Allow alternate image location when using the container.
- PAGER and NOPAGER support when using the container.
- Events can automatically be converted to a Scapy representation in Python.
- Improved consumption of Python events.
- Arguments support in Python scripts executed by Retis (retis python <script> -- arg0).
- Default probes set when collecting events if none specified (see retis collect --help).
- And many others!
Fedora package
Last but not least, starting with Fedora 43, Retis is now available as an official package!
v1.5.2
v1.5.1
5 non-merge commits since v1.5.0.
This fixes a major issue when using USDT probes, as Retis was segfaulting when stopping a collection. This was especially problematic when using the --allow-system-changes flag as the modifications could not be reverted on exit (e.g. the nft rules Retis adds).
A few documentation fixes are also included.
v1.5.0
This version includes major new features, improvements and fixes. It includes 278 non-merge commits since v1.4.0! Many thanks to all the contributors 🥳
Python post-processing
Retis now supports converting its events to Python objects which enables post-processing a collection using custom scripts. A built-in Python interpreter can be used (and can run external Python scripts) as well as an external Python library. All details can be found in the documentation.
This is a major feature enabling users to automate the post-processing inspection of events and to tailor the logic to their exact needs. This can also be used in CI or for writing external tools.
$ retis -p ifdump collect -o --cmd 'ping -c1 1.1.1.1'
...
$ retis python
Python 3.13.0 (main, Oct 8 2024, 00:00:00) [GCC 14.2.1 20240912 (Red Hat 14.2.1-3)] on linux
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> for e in reader.events():
...     if "skb" in e and getattr(e["skb"], "ip", None):
...         print(e["skb"].ip.daddr)
...
1.1.1.1
192.168.0.42
>>>
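As an added example (not code from the Retis project), the same loop can be turned into a reusable check that counts destination addresses and reports any outside an allow-list, which is the kind of logic a CI job could run. Only reader.events(), the "skb" key and skb.ip.daddr come from the session above; the function names, the allow-list and the sample events are assumptions constructed here so the block runs without Retis.

```python
from collections import Counter
from ipaddress import ip_address, ip_network
from types import SimpleNamespace


def daddr_of(event):
    """Return the IP destination of an event, or None if it carries no IP data.

    Uses only the access pattern shown in the session above.
    """
    if "skb" not in event:
        return None
    ip = getattr(event["skb"], "ip", None)
    return ip.daddr if ip else None


def check_destinations(events, allowed_nets):
    """Count destinations and list those outside every allowed network."""
    nets = [ip_network(n) for n in allowed_nets]
    seen = Counter()
    for e in events:
        daddr = daddr_of(e)
        if daddr is not None:
            seen[str(daddr)] += 1
    unexpected = sorted(
        d for d in seen if not any(ip_address(d) in n for n in nets)
    )
    return seen, unexpected


def _ev(daddr=None, with_skb=True):
    # Constructed stand-in for a Retis event (hypothetical helper, offline only).
    if not with_skb:
        return {}
    skb = SimpleNamespace(ip=SimpleNamespace(daddr=daddr)) if daddr else SimpleNamespace()
    return {"skb": skb}


# Constructed sample events; inside `retis python`, pass reader.events() instead.
SAMPLE_EVENTS = [
    _ev("1.1.1.1"), _ev("192.168.0.42"), _ev("1.1.1.1"),
    _ev(), _ev(with_skb=False), _ev("203.0.113.7"),
]

if __name__ == "__main__":
    counts, unexpected = check_destinations(
        SAMPLE_EVENTS, ["1.1.1.1/32", "192.168.0.0/24"]
    )
    print(dict(counts), unexpected)
```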
Advanced features for meta-filters
Meta-filters can be used to filter packets based on struct sk_buff values, including nested ones. They gain the ability to perform advanced operations like masking and following pointers embedded in a different type. See all the details in the filtering documentation.
Aarch64 support
Retis now compiles and runs on aarch64 machines (and can even be cross-compiled).
Improved date formatting
Timestamps can now be displayed as UTC using the --utc parameter for the collect, print and sort sub-commands.
New ifdump profile
A new profile was added to dump packets after the device in ingress and before the device in egress, like AF_PACKET utilities.
$ retis -p ifdump collect
...
Other improvements
- Support for parent information, mark and labels in the conntrack collector.
- Meta-filtering now supports the != operator on strings.
- Easier definition of probes when collecting events (the type is not required anymore if it can be inferred).
- The documentation and the project README were improved significantly.
- Bindgen is now used internally for types shared between eBPF and Rust.
- Better handling of unknown packets.
- Drop action support for the OvS collector.
- And many others!
v1.4.0
This version includes multiple improvements, features and fixes. 119 non-merge commits since v1.3.0! Thanks to everyone who contributed 😄
Auto-completion
Retis now supports auto-completion. For Bash this can be set up using source <(retis sh-complete --shell bash). See the official documentation for more details.
Bitfield support in meta-filtering
Meta filtering allows matching packets based on their metadata, i.e. direct field checking in struct sk_buff. This now also supports bitfields. See the official documentation for more details.
Retis inspect command
A new sub-command was added, inspect, to filter and display compatible probes on a running kernel. This can be used to get a list of where Retis could add probes. See retis inspect --help for more information.
Probe-stack mode
A new parameter was added to the collect sub-command, --probe-stack. When this is set, Retis evaluates where additional probes could be added based on functions reported in the stack traces, and installs probes on those functions at runtime. See retis collect --help.
Other improvements
- Better support of early Rx and Tx packets.
- --skb-sections selection simplifications (as a side effect the pcap subcommand does not require a special collection configuration anymore).
- ICMPv6, GSO support and better csum info in the skb events. SMP id is also now reported on all events.
- Complete rework of our build system (now using make).
- And many more (logging in BPF, authors file, bug fixes, etc)!
v1.3.2
10 non-merge commits since v1.3.1.
- Wait for probes to be installed before starting the collection of events. This fixes potential inconsistencies in the first events (some missing events and some issues with tracking).
- Updated btf-rs to 1.1. This fixes a corner case issue where some symbols could not be found, e.g. when using user-defined probes.
v1.3.1
A few fixes. 16 non-merge commits since v1.3.0.
- Improved symbols validation.
- Fixed packet size computation in BPF for some cases.
- Improved meta filtering input validation.
- Improved the fix for a BPF verifier issue on older kernels.
- Fixed a BPF verifier issue on newer kernels.
- Added CentOS Stream 8 to the runtime CI and upgraded f38 to f39.