Improve tls info for openssl with kprobes (#1177)

Instead of going through the socket fd, addresses are obtained in kprobe/tcp_sendmsg on ssl write and kprobe/tcp_recvmsg on ssl read. The tcp kprobes and the openssl uprobes communicate through the id->sslInfo bpf map.
2025-06-24 23:34:45 +00:00 · 2022-07-07 19:11:54 +03:00 · 2022-07-07 19:11:54 +03:00 · a2463b739a
commit a2463b739a
parent c010d336bb
20 changed files with 329 additions and 97 deletions
--- a/tap/tlstapper/bpf/common.c
+++ b/tap/tlstapper/bpf/common.c
@ -12,7 +12,7 @@ Copyright (C) UP9 Inc.
 #include "include/common.h"
-static __always_inline int add_address_to_chunk(struct pt_regs *ctx, struct tls_chunk* chunk, __u64 id, __u32 fd) {
+static __always_inline int add_address_to_chunk(struct pt_regs *ctx, struct tls_chunk* chunk, __u64 id, __u32 fd, struct ssl_info* info) {
    __u32 pid = id >> 32;
    __u64 key = (__u64) pid << 32 | fd;
@ -22,14 +22,29 @@ static __always_inline int add_address_to_chunk(struct pt_regs *ctx, struct tls_
        return 0;
    }
-    int err = bpf_probe_read(chunk->address, sizeof(chunk->address), fdinfo->ipv4_addr);
+    int err;
    chunk->flags |= (fdinfo->flags & FLAGS_IS_CLIENT_BIT);
-    if (err != 0) {
+    switch (info->address_info.mode) {
-        log_error(ctx, LOG_ERROR_READING_FD_ADDRESS, id, err, 0l);
+        case ADDRESS_INFO_MODE_UNDEFINED:
-        return 0;
+            chunk->address_info.mode = ADDRESS_INFO_MODE_SINGLE;
            err = bpf_probe_read(&chunk->address_info.sport, sizeof(chunk->address_info.sport), &fdinfo->ipv4_addr[2]);
            if (err != 0) {
                log_error(ctx, LOG_ERROR_READING_FD_ADDRESS, id, err, 0l);
                return 0;
            }
            err = bpf_probe_read(&chunk->address_info.saddr, sizeof(chunk->address_info.saddr), &fdinfo->ipv4_addr[4]);
            if (err != 0) {
                log_error(ctx, LOG_ERROR_READING_FD_ADDRESS, id, err, 0l);
                return 0;
            }
            break;
        default:
            bpf_probe_read(&chunk->address_info, sizeof(chunk->address_info), &info->address_info);
    }
    chunk->flags |= (fdinfo->flags & FLAGS_IS_CLIENT_BIT);
    return 1;
 }
@ -104,7 +119,7 @@ static __always_inline void output_ssl_chunk(struct pt_regs *ctx, struct ssl_inf
    chunk->len = count_bytes;
    chunk->fd = info->fd;
-    if (!add_address_to_chunk(ctx, chunk, id, chunk->fd)) {
+    if (!add_address_to_chunk(ctx, chunk, id, chunk->fd, info)) {
        // Without an address, we drop the chunk because there is not much to do with it in Go
        //
        return;
--- a/tap/tlstapper/bpf/include/common.h
+++ b/tap/tlstapper/bpf/include/common.h
@ -7,9 +7,11 @@ Copyright (C) UP9 Inc.
 #ifndef __COMMON__
 #define __COMMON__
 #define AF_INET	2	/* Internet IP Protocol */
 const __s32 invalid_fd = -1;
-static int add_address_to_chunk(struct pt_regs *ctx, struct tls_chunk* chunk, __u64 id, __u32 fd);
+static int add_address_to_chunk(struct pt_regs *ctx, struct tls_chunk* chunk, __u64 id, __u32 fd, struct ssl_info* info);
 static void send_chunk_part(struct pt_regs *ctx, __u8* buffer, __u64 id, struct tls_chunk* chunk, int start, int end);
 static void send_chunk(struct pt_regs *ctx, __u8* buffer, __u64 id, struct tls_chunk* chunk);
 static void output_ssl_chunk(struct pt_regs *ctx, struct ssl_info* info, int count_bytes, __u64 id, __u32 flags);
--- a/tap/tlstapper/bpf/include/headers.h
+++ b/tap/tlstapper/bpf/include/headers.h
@ -15,6 +15,7 @@ Copyright (C) UP9 Inc.
 #include "legacy_kernel.h"
 #include <bpf/bpf_endian.h>
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_tracing.h>
 #include <bpf/bpf_core_read.h>
--- a/tap/tlstapper/bpf/include/logger_messages.h
+++ b/tap/tlstapper/bpf/include/logger_messages.h
@ -26,6 +26,11 @@ Copyright (C) UP9 Inc.
 #define LOG_ERROR_PUTTING_CONNECT_INFO (14)
 #define LOG_ERROR_GETTING_CONNECT_INFO (15)
 #define LOG_ERROR_READING_CONNECT_INFO (16)
 #define LOG_ERROR_READING_SOCKET_FAMILY (17)
 #define LOG_ERROR_READING_SOCKET_DADDR (18)
 #define LOG_ERROR_READING_SOCKET_SADDR (19)
 #define LOG_ERROR_READING_SOCKET_DPORT (20)
 #define LOG_ERROR_READING_SOCKET_SPORT (21)
 // Sometimes we have the same error, happening from different locations.
 // 	in order to be able to distinct between them in the log, we add an 
--- a/tap/tlstapper/bpf/include/maps.h
+++ b/tap/tlstapper/bpf/include/maps.h
@ -24,6 +24,21 @@ Copyright (C) UP9 Inc.
 //  
 //  Be careful when editing, alignment and padding should be exactly the same in go/c.
 //
 typedef enum {
    ADDRESS_INFO_MODE_UNDEFINED,
    ADDRESS_INFO_MODE_SINGLE,
    ADDRESS_INFO_MODE_PAIR,
 } address_info_mode;
 struct address_info {
    address_info_mode mode;
    __be32 saddr;
    __be32 daddr;
    __be16 sport;
    __be16 dport;
 };
 struct tls_chunk {
    __u32 pid;
    __u32 tgid;
@ -32,7 +47,7 @@ struct tls_chunk {
    __u32 recorded;
    __u32 fd;
    __u32 flags;
-    __u8 address[16];
+    struct address_info address_info;
    __u8 data[CHUNK_SIZE]; // Must be N^2
 };
@ -41,6 +56,7 @@ struct ssl_info {
    __u32 buffer_len;
    __u32 fd;
    __u64 created_at_nano;
    struct address_info address_info;
    // for ssl_write and ssl_read must be zero
    // for ssl_write_ex and ssl_read_ex save the *written/*readbytes pointer. 
--- a/tap/tlstapper/bpf/openssl_uprobes.c
+++ b/tap/tlstapper/bpf/openssl_uprobes.c
@ -42,6 +42,8 @@ static __always_inline int get_count_bytes(struct pt_regs *ctx, struct ssl_info*
 }
 static __always_inline void ssl_uprobe(struct pt_regs *ctx, void* ssl, void* buffer, int num, struct bpf_map_def* map_fd, size_t *count_ptr) {
 	long err;
 	__u64 id = bpf_get_current_pid_tgid();
 	if (!should_tap(id >> 32)) {
@ -53,7 +55,7 @@ static __always_inline void ssl_uprobe(struct pt_regs *ctx, void* ssl, void* buf
 	info.count_ptr = count_ptr;
 	info.buffer = buffer;
-	long err = bpf_map_update_elem(map_fd, &id, &info, BPF_ANY);
+	err = bpf_map_update_elem(map_fd, &id, &info, BPF_ANY);
 	if (err != 0) {
 		log_error(ctx, LOG_ERROR_PUTTING_SSL_CONTEXT, id, err, 0l);
@ -66,7 +68,7 @@ static __always_inline void ssl_uretprobe(struct pt_regs *ctx, struct bpf_map_de
 	if (!should_tap(id >> 32)) {
 		return;
 	}
-	
+
 	struct ssl_info *infoPtr = bpf_map_lookup_elem(map_fd, &id);
 	if (infoPtr == NULL) {
@ -99,10 +101,10 @@ static __always_inline void ssl_uretprobe(struct pt_regs *ctx, struct bpf_map_de
 		return;
 	}
-    int count_bytes = get_count_bytes(ctx, &info, id);
+	int count_bytes = get_count_bytes(ctx, &info, id);
-    if (count_bytes <= 0) {
+	if (count_bytes <= 0) {
-        return;
+		return;
-    }
+	}
 	output_ssl_chunk(ctx, &info, count_bytes, id, flags);
 }
--- a/tap/tlstapper/bpf/tcp_kprobes.c
+++ b/tap/tlstapper/bpf/tcp_kprobes.c
@ -0,0 +1,79 @@
 #include "include/headers.h"
 #include "include/maps.h"
 #include "include/log.h"
 #include "include/logger_messages.h"
 #include "include/pids.h"
 #include "include/common.h"
 static __always_inline void tcp_kprobe(struct pt_regs *ctx, struct bpf_map_def *map_fd, _Bool is_send) {
 	long err;
 	__u64 id = bpf_get_current_pid_tgid();
 	__u32 pid = id >> 32;
 	if (!should_tap(id >> 32)) {
 		return;
 	}
 	struct ssl_info *info_ptr = bpf_map_lookup_elem(map_fd, &id);
 	// Happens when the connection is not tls
 	if (info_ptr == NULL) {
 		return;
 	}
 	struct sock *sk = (struct sock *) PT_REGS_PARM1(ctx);
 	short unsigned int family;
 	err = bpf_probe_read(&family, sizeof(family), (void *)&sk->__sk_common.skc_family);
 	if (err != 0) {
 		log_error(ctx, LOG_ERROR_READING_SOCKET_FAMILY, id, err, 0l);
 		return;
 	}
 	if (family != AF_INET) {
 		return;
 	}
 	// daddr, saddr and dport are in network byte order (big endian)
 	// sport is in host byte order
 	__be32 saddr;
 	__be32 daddr;
 	__be16 dport;
 	__u16 sport;
 	err = bpf_probe_read(&saddr, sizeof(saddr), (void *)&sk->__sk_common.skc_rcv_saddr);
 	if (err != 0) {
 		log_error(ctx, LOG_ERROR_READING_SOCKET_SADDR, id, err, 0l);
 		return;
 	}
 	err = bpf_probe_read(&daddr, sizeof(daddr), (void *)&sk->__sk_common.skc_daddr);
 	if (err != 0) {
 		log_error(ctx, LOG_ERROR_READING_SOCKET_DADDR, id, err, 0l);
 		return;
 	}
 	err = bpf_probe_read(&dport, sizeof(dport), (void *)&sk->__sk_common.skc_dport);
 	if (err != 0) {
 		log_error(ctx, LOG_ERROR_READING_SOCKET_DPORT, id, err, 0l);
 		return;
 	}
 	err = bpf_probe_read(&sport, sizeof(sport), (void *)&sk->__sk_common.skc_num);
 	if (err != 0) {
 		log_error(ctx, LOG_ERROR_READING_SOCKET_SPORT, id, err, 0l);
 		return;
 	}
 	info_ptr->address_info.mode = ADDRESS_INFO_MODE_PAIR;
 	info_ptr->address_info.daddr = daddr;
 	info_ptr->address_info.saddr = saddr;
 	info_ptr->address_info.dport = dport;
 	info_ptr->address_info.sport = bpf_htons(sport);
 }
 SEC("kprobe/tcp_sendmsg")
 void BPF_KPROBE(tcp_sendmsg) {
 	tcp_kprobe(ctx, &openssl_write_context, true);
 }
 SEC("kprobe/tcp_recvmsg")
 void BPF_KPROBE(tcp_recvmsg) {
 	tcp_kprobe(ctx, &openssl_read_context, false);
 }
--- a/tap/tlstapper/bpf/tls_tapper.c
+++ b/tap/tlstapper/bpf/tls_tapper.c
@ -15,6 +15,7 @@ Copyright (C) UP9 Inc.
 //
 #include "common.c"
 #include "openssl_uprobes.c"
 #include "tcp_kprobes.c"
 #include "go_uprobes.c"
 #include "fd_tracepoints.c"
 #include "fd_to_address_tracepoints.c"
--- a/tap/tlstapper/bpf_logger_messages.go
+++ b/tap/tlstapper/bpf_logger_messages.go
@ -20,4 +20,9 @@ var bpfLogMessages = []string{
 	/*0014*/ "[%d] Unable to put connect info [err: %d]",
 	/*0015*/ "[%d] Unable to get connect info",
 	/*0016*/ "[%d] Unable to read connect info [err: %d]",
 	/*0017*/ "[%d] Unable to read socket family [err: %d]",
 	/*0018*/ "[%d] Unable to read socket daddr [err: %d]",
 	/*0019*/ "[%d] Unable to read socket saddr [err: %d]",
 	/*0019*/ "[%d] Unable to read socket dport [err: %d]",
 	/*0021*/ "[%d] Unable to read socket sport [err: %d]",
 }
--- a/tap/tlstapper/chunk.go
+++ b/tap/tlstapper/chunk.go
@ -1,38 +1,33 @@
 package tlstapper
 import (
 	"bytes"
 	"encoding/binary"
 	"net"
 	"unsafe"
 	"github.com/go-errors/errors"
 	"github.com/up9inc/mizu/tap/api"
 )
 const FlagsIsClientBit uint32 = 1 << 0
 const FlagsIsReadBit uint32 = 1 << 1
 const (
 	addressInfoModeUndefined = iota
 	addressInfoModeSingle
 	addressInfoModePair
 )
-func (c *tlsTapperTlsChunk) getAddress() (net.IP, uint16, error) {
+func (c *tlsTapperTlsChunk) getSrcAddress() (net.IP, uint16) {
-	address := bytes.NewReader(c.Address[:])
+	ip := intToIP(c.AddressInfo.Saddr)
-	var family uint16
+	port := ntohs(c.AddressInfo.Sport)
 	var port uint16
 	var ip32 uint32
-	if err := binary.Read(address, binary.BigEndian, &family); err != nil {
+	return ip, port
-		return nil, 0, errors.Wrap(err, 0)
+}
 	}
-	if err := binary.Read(address, binary.BigEndian, &port); err != nil {
+func (c *tlsTapperTlsChunk) getDstAddress() (net.IP, uint16) {
-		return nil, 0, errors.Wrap(err, 0)
+	ip := intToIP(c.AddressInfo.Daddr)
-	}
+	port := ntohs(c.AddressInfo.Dport)
-	if err := binary.Read(address, binary.BigEndian, &ip32); err != nil {
+	return ip, port
 		return nil, 0, errors.Wrap(err, 0)
 	}
 	ip := net.IP{uint8(ip32 >> 24), uint8(ip32 >> 16), uint8(ip32 >> 8), uint8(ip32)}
 	return ip, port, nil
 }
 func (c *tlsTapperTlsChunk) isClient() bool {
@ -59,26 +54,54 @@ func (c *tlsTapperTlsChunk) isRequest() bool {
 	return (c.isClient() && c.isWrite()) || (c.isServer() && c.isRead())
 }
-func (c *tlsTapperTlsChunk) getAddressPair() (addressPair, error) {
+func (c *tlsTapperTlsChunk) getAddressPair() (addressPair, bool) {
-	ip, port, err := c.getAddress()
+	var (
 		srcIp, dstIp     net.IP
 		srcPort, dstPort uint16
 		full             bool
 	)
-	if err != nil {
+	switch c.AddressInfo.Mode {
-		return addressPair{}, err
+	case addressInfoModeSingle:
 		if c.isRequest() {
 			srcIp, srcPort = api.UnknownIp, api.UnknownPort
 			dstIp, dstPort = c.getSrcAddress()
 		} else {
 			srcIp, srcPort = c.getSrcAddress()
 			dstIp, dstPort = api.UnknownIp, api.UnknownPort
 		}
 		full = false
 	case addressInfoModePair:
 		if c.isRequest() {
 			srcIp, srcPort = c.getSrcAddress()
 			dstIp, dstPort = c.getDstAddress()
 		} else {
 			srcIp, srcPort = c.getDstAddress()
 			dstIp, dstPort = c.getSrcAddress()
 		}
 		full = true
 	case addressInfoModeUndefined:
 		srcIp, srcPort = api.UnknownIp, api.UnknownPort
 		dstIp, dstPort = api.UnknownIp, api.UnknownPort
 		full = false
 	}
-	if c.isRequest() {
+	return addressPair{
-		return addressPair{
+		srcIp:   srcIp,
-			srcIp:   api.UnknownIp,
+		srcPort: srcPort,
-			srcPort: api.UnknownPort,
+		dstIp:   dstIp,
-			dstIp:   ip,
+		dstPort: dstPort,
-			dstPort: port,
+	}, full
-		}, nil
+}
-	} else {
+
-		return addressPair{
+// intToIP converts IPv4 number to net.IP
-			srcIp:   ip,
+func intToIP(ip32be uint32) net.IP {
-			srcPort: port,
+	return net.IPv4(uint8(ip32be), uint8(ip32be>>8), uint8(ip32be>>16), uint8(ip32be>>24))
-			dstIp:   api.UnknownIp,
+}
-			dstPort: api.UnknownPort,
+
-		}, nil
+// ntohs converts big endian (network byte order) to little endian (assuming that's the host byte order)
-	}
+func ntohs(i16be uint16) uint16 {
 	b := make([]byte, 2)
 	binary.BigEndian.PutUint16(b, i16be)
 	return *(*uint16)(unsafe.Pointer(&b[0]))
 }
--- a/tap/tlstapper/ssllib_hooks.go
+++ b/tap/tlstapper/ssllib_hooks.go
@ -14,6 +14,8 @@ type sslHooks struct {
 	sslWriteExRetProbe link.Link
 	sslReadExProbe     link.Link
 	sslReadExRetProbe  link.Link
 	tcpSendmsg         link.Link
 	tcpRecvmsg         link.Link
 }
 func (s *sslHooks) installUprobes(bpfObjects *tlsTapperObjects, sslLibraryPath string) error {
@ -103,6 +105,16 @@ func (s *sslHooks) installSslHooks(bpfObjects *tlsTapperObjects, sslLibrary *lin
 		}
 	}
 	s.tcpSendmsg, err = link.Kprobe("tcp_sendmsg", bpfObjects.TcpSendmsg, nil)
 	if err != nil {
 		return errors.Wrap(err, 0)
 	}
 	s.tcpRecvmsg, err = link.Kprobe("tcp_recvmsg", bpfObjects.TcpRecvmsg, nil)
 	if err != nil {
 		return errors.Wrap(err, 0)
 	}
 	return nil
 }
@ -149,5 +161,17 @@ func (s *sslHooks) close() []error {
 		}
 	}
 	if s.tcpSendmsg != nil {
 		if err := s.tcpSendmsg.Close(); err != nil {
 			returnValue = append(returnValue, err)
 		}
 	}
 	if s.tcpRecvmsg != nil {
 		if err := s.tcpRecvmsg.Close(); err != nil {
 			returnValue = append(returnValue, err)
 		}
 	}
 	return returnValue
 }
--- a/tap/tlstapper/tls_poller.go
+++ b/tap/tlstapper/tls_poller.go
@ -134,14 +134,9 @@ func (p *tlsPoller) pollChunksPerfBuffer(chunks chan<- *tlsTapperTlsChunk) {
 func (p *tlsPoller) handleTlsChunk(chunk *tlsTapperTlsChunk, extension *api.Extension, emitter api.Emitter,
 	options *api.TrafficFilteringOptions, streamsMap api.TcpStreamMap) error {
-	address, err := p.getSockfdAddressPair(chunk)
+	address, err := p.getAddressPair(chunk)
 	if err != nil {
-		address, err = chunk.getAddressPair()
+		return err
 		if err != nil {
 			return err
 		}
 	}
 	key := buildTlsKey(address)
@ -161,6 +156,22 @@ func (p *tlsPoller) handleTlsChunk(chunk *tlsTapperTlsChunk, extension *api.Exte
 	return nil
 }
 func (p *tlsPoller) getAddressPair(chunk *tlsTapperTlsChunk) (addressPair, error) {
 	addrPairFromChunk, full := chunk.getAddressPair()
 	if full {
 		return addrPairFromChunk, nil
 	}
 	addrPairFromSockfd, err := p.getSockfdAddressPair(chunk)
 	if err == nil {
 		return addrPairFromSockfd, nil
 	} else {
 		logger.Log.Error("failed to get address from sock fd:", err)
 	}
 	return addrPairFromChunk, err
 }
 func (p *tlsPoller) startNewTlsReader(chunk *tlsTapperTlsChunk, address *addressPair, key string,
 	emitter api.Emitter, extension *api.Extension, options *api.TrafficFilteringOptions,
 	streamsMap api.TcpStreamMap) *tlsReader {
--- a/tap/tlstapper/tlstapper46_bpfel_arm64.go
+++ b/tap/tlstapper/tlstapper46_bpfel_arm64.go
@ -19,15 +19,21 @@ type tlsTapper46GoidOffsets struct {
 }
 type tlsTapper46TlsChunk struct {
-	Pid      uint32
+	Pid         uint32
-	Tgid     uint32
+	Tgid        uint32
-	Len      uint32
+	Len         uint32
-	Start    uint32
+	Start       uint32
-	Recorded uint32
+	Recorded    uint32
-	Fd       uint32
+	Fd          uint32
-	Flags    uint32
+	Flags       uint32
-	Address  [16]uint8
+	AddressInfo struct {
-	Data     [4096]uint8
+		Mode  int32
 		Saddr uint32
 		Daddr uint32
 		Sport uint16
 		Dport uint16
 	}
 	Data [4096]uint8
 }
 // loadTlsTapper46 returns the embedded CollectionSpec for tlsTapper46.
@ -93,6 +99,8 @@ type tlsTapper46ProgramSpecs struct {
 	SysEnterWrite                 *ebpf.ProgramSpec `ebpf:"sys_enter_write"`
 	SysExitAccept4                *ebpf.ProgramSpec `ebpf:"sys_exit_accept4"`
 	SysExitConnect                *ebpf.ProgramSpec `ebpf:"sys_exit_connect"`
 	TcpRecvmsg                    *ebpf.ProgramSpec `ebpf:"tcp_recvmsg"`
 	TcpSendmsg                    *ebpf.ProgramSpec `ebpf:"tcp_sendmsg"`
 }
 // tlsTapper46MapSpecs contains maps before they are loaded into the kernel.
@ -189,6 +197,8 @@ type tlsTapper46Programs struct {
 	SysEnterWrite                 *ebpf.Program `ebpf:"sys_enter_write"`
 	SysExitAccept4                *ebpf.Program `ebpf:"sys_exit_accept4"`
 	SysExitConnect                *ebpf.Program `ebpf:"sys_exit_connect"`
 	TcpRecvmsg                    *ebpf.Program `ebpf:"tcp_recvmsg"`
 	TcpSendmsg                    *ebpf.Program `ebpf:"tcp_sendmsg"`
 }
 func (p *tlsTapper46Programs) Close() error {
@ -215,6 +225,8 @@ func (p *tlsTapper46Programs) Close() error {
 		p.SysEnterWrite,
 		p.SysExitAccept4,
 		p.SysExitConnect,
 		p.TcpRecvmsg,
 		p.TcpSendmsg,
 	)
 }
--- a/tap/tlstapper/tlstapper46_bpfel_arm64.o
+++ b/tap/tlstapper/tlstapper46_bpfel_arm64.o
--- a/tap/tlstapper/tlstapper46_bpfel_x86.go
+++ b/tap/tlstapper/tlstapper46_bpfel_x86.go
@ -19,15 +19,21 @@ type tlsTapper46GoidOffsets struct {
 }
 type tlsTapper46TlsChunk struct {
-	Pid      uint32
+	Pid         uint32
-	Tgid     uint32
+	Tgid        uint32
-	Len      uint32
+	Len         uint32
-	Start    uint32
+	Start       uint32
-	Recorded uint32
+	Recorded    uint32
-	Fd       uint32
+	Fd          uint32
-	Flags    uint32
+	Flags       uint32
-	Address  [16]uint8
+	AddressInfo struct {
-	Data     [4096]uint8
+		Mode  int32
 		Saddr uint32
 		Daddr uint32
 		Sport uint16
 		Dport uint16
 	}
 	Data [4096]uint8
 }
 // loadTlsTapper46 returns the embedded CollectionSpec for tlsTapper46.
@ -93,6 +99,8 @@ type tlsTapper46ProgramSpecs struct {
 	SysEnterWrite                 *ebpf.ProgramSpec `ebpf:"sys_enter_write"`
 	SysExitAccept4                *ebpf.ProgramSpec `ebpf:"sys_exit_accept4"`
 	SysExitConnect                *ebpf.ProgramSpec `ebpf:"sys_exit_connect"`
 	TcpRecvmsg                    *ebpf.ProgramSpec `ebpf:"tcp_recvmsg"`
 	TcpSendmsg                    *ebpf.ProgramSpec `ebpf:"tcp_sendmsg"`
 }
 // tlsTapper46MapSpecs contains maps before they are loaded into the kernel.
@ -189,6 +197,8 @@ type tlsTapper46Programs struct {
 	SysEnterWrite                 *ebpf.Program `ebpf:"sys_enter_write"`
 	SysExitAccept4                *ebpf.Program `ebpf:"sys_exit_accept4"`
 	SysExitConnect                *ebpf.Program `ebpf:"sys_exit_connect"`
 	TcpRecvmsg                    *ebpf.Program `ebpf:"tcp_recvmsg"`
 	TcpSendmsg                    *ebpf.Program `ebpf:"tcp_sendmsg"`
 }
 func (p *tlsTapper46Programs) Close() error {
@ -215,6 +225,8 @@ func (p *tlsTapper46Programs) Close() error {
 		p.SysEnterWrite,
 		p.SysExitAccept4,
 		p.SysExitConnect,
 		p.TcpRecvmsg,
 		p.TcpSendmsg,
 	)
 }
--- a/tap/tlstapper/tlstapper46_bpfel_x86.o
+++ b/tap/tlstapper/tlstapper46_bpfel_x86.o
--- a/tap/tlstapper/tlstapper_bpfel_arm64.go
+++ b/tap/tlstapper/tlstapper_bpfel_arm64.go
@ -19,15 +19,21 @@ type tlsTapperGoidOffsets struct {
 }
 type tlsTapperTlsChunk struct {
-	Pid      uint32
+	Pid         uint32
-	Tgid     uint32
+	Tgid        uint32
-	Len      uint32
+	Len         uint32
-	Start    uint32
+	Start       uint32
-	Recorded uint32
+	Recorded    uint32
-	Fd       uint32
+	Fd          uint32
-	Flags    uint32
+	Flags       uint32
-	Address  [16]uint8
+	AddressInfo struct {
-	Data     [4096]uint8
+		Mode  int32
 		Saddr uint32
 		Daddr uint32
 		Sport uint16
 		Dport uint16
 	}
 	Data [4096]uint8
 }
 // loadTlsTapper returns the embedded CollectionSpec for tlsTapper.
@ -93,6 +99,8 @@ type tlsTapperProgramSpecs struct {
 	SysEnterWrite                 *ebpf.ProgramSpec `ebpf:"sys_enter_write"`
 	SysExitAccept4                *ebpf.ProgramSpec `ebpf:"sys_exit_accept4"`
 	SysExitConnect                *ebpf.ProgramSpec `ebpf:"sys_exit_connect"`
 	TcpRecvmsg                    *ebpf.ProgramSpec `ebpf:"tcp_recvmsg"`
 	TcpSendmsg                    *ebpf.ProgramSpec `ebpf:"tcp_sendmsg"`
 }
 // tlsTapperMapSpecs contains maps before they are loaded into the kernel.
@ -189,6 +197,8 @@ type tlsTapperPrograms struct {
 	SysEnterWrite                 *ebpf.Program `ebpf:"sys_enter_write"`
 	SysExitAccept4                *ebpf.Program `ebpf:"sys_exit_accept4"`
 	SysExitConnect                *ebpf.Program `ebpf:"sys_exit_connect"`
 	TcpRecvmsg                    *ebpf.Program `ebpf:"tcp_recvmsg"`
 	TcpSendmsg                    *ebpf.Program `ebpf:"tcp_sendmsg"`
 }
 func (p *tlsTapperPrograms) Close() error {
@ -215,6 +225,8 @@ func (p *tlsTapperPrograms) Close() error {
 		p.SysEnterWrite,
 		p.SysExitAccept4,
 		p.SysExitConnect,
 		p.TcpRecvmsg,
 		p.TcpSendmsg,
 	)
 }
--- a/tap/tlstapper/tlstapper_bpfel_arm64.o
+++ b/tap/tlstapper/tlstapper_bpfel_arm64.o
--- a/tap/tlstapper/tlstapper_bpfel_x86.go
+++ b/tap/tlstapper/tlstapper_bpfel_x86.go
@ -19,15 +19,21 @@ type tlsTapperGoidOffsets struct {
 }
 type tlsTapperTlsChunk struct {
-	Pid      uint32
+	Pid         uint32
-	Tgid     uint32
+	Tgid        uint32
-	Len      uint32
+	Len         uint32
-	Start    uint32
+	Start       uint32
-	Recorded uint32
+	Recorded    uint32
-	Fd       uint32
+	Fd          uint32
-	Flags    uint32
+	Flags       uint32
-	Address  [16]uint8
+	AddressInfo struct {
-	Data     [4096]uint8
+		Mode  int32
 		Saddr uint32
 		Daddr uint32
 		Sport uint16
 		Dport uint16
 	}
 	Data [4096]uint8
 }
 // loadTlsTapper returns the embedded CollectionSpec for tlsTapper.
@ -93,6 +99,8 @@ type tlsTapperProgramSpecs struct {
 	SysEnterWrite                 *ebpf.ProgramSpec `ebpf:"sys_enter_write"`
 	SysExitAccept4                *ebpf.ProgramSpec `ebpf:"sys_exit_accept4"`
 	SysExitConnect                *ebpf.ProgramSpec `ebpf:"sys_exit_connect"`
 	TcpRecvmsg                    *ebpf.ProgramSpec `ebpf:"tcp_recvmsg"`
 	TcpSendmsg                    *ebpf.ProgramSpec `ebpf:"tcp_sendmsg"`
 }
 // tlsTapperMapSpecs contains maps before they are loaded into the kernel.
@ -189,6 +197,8 @@ type tlsTapperPrograms struct {
 	SysEnterWrite                 *ebpf.Program `ebpf:"sys_enter_write"`
 	SysExitAccept4                *ebpf.Program `ebpf:"sys_exit_accept4"`
 	SysExitConnect                *ebpf.Program `ebpf:"sys_exit_connect"`
 	TcpRecvmsg                    *ebpf.Program `ebpf:"tcp_recvmsg"`
 	TcpSendmsg                    *ebpf.Program `ebpf:"tcp_sendmsg"`
 }
 func (p *tlsTapperPrograms) Close() error {
@ -215,6 +225,8 @@ func (p *tlsTapperPrograms) Close() error {
 		p.SysEnterWrite,
 		p.SysExitAccept4,
 		p.SysExitConnect,
 		p.TcpRecvmsg,
 		p.TcpSendmsg,
 	)
 }
--- a/tap/tlstapper/tlstapper_bpfel_x86.o
+++ b/tap/tlstapper/tlstapper_bpfel_x86.o