How to get the entire skb data content instead of the address in eBPF/libbpf?


I'm writing code in libbpf to get the entire data packet content (not address) by function bpf_probe_read_kernel.

For example, bpf_probe_read_kernel(my_struct, 512, skb->data);

But there's an error: invalid mem access 'inv' which probably tells me that I don't have access directly to skb->data.

But if I add an & before, let's say bpf_probe_read_kernel(my_struct, 512, &skb->data);, there's no error but I can only get the address which is not what I want.

So any ideas on this issue?


There are 1 best solutions below


First, not all program types have access to the entire skb data content. For example, the BPF_PROG_TYPE_CGROUP_SKB can only access the data header (see here).

Secondly, if you are using a supported hook, e.g. BPF_PROG_TYPE_SK_SKB, it is still possible that the socket data is non-linear, due to the scatter-gather structure of skbuffs. In this case, you need to first 'pull' the socket data together using the bpf_skb_pull_data() helper. Check the man page here.
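
The non-linear case described in the answer above, as an added user-space example (not code from the original post and not kernel or libbpf code): a read through the data pointer only covers the linear part of the packet until the fragment bytes are pulled in. The struct and every model_* name are hypothetical; the packet is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of an sk_buff (hypothetical struct, not the kernel's). */
struct model_skb {
    unsigned char linear[64];   /* bytes reachable through ->data */
    const unsigned char *frag;  /* paged fragment, not reachable via ->data */
    size_t len, data_len;       /* total bytes / bytes still in fragments */
};
/* Linear byte count, as the kernel's skb_headlen(): len - data_len. */
static size_t model_headlen(const struct model_skb *skb)
{ return skb->len - skb->data_len; }

/* Copy up to n bytes from ->data, never past the linear area. */
static size_t model_read_linear(const struct model_skb *skb, void *dst, size_t n)
{
    size_t avail = model_headlen(skb);
    if (n > avail) n = avail;
    memcpy(dst, skb->linear, n);
    return n;
}
/* Model of bpf_skb_pull_data(): make the first `want` bytes linear. */
static int model_pull_data(struct model_skb *skb, size_t want)
{
    size_t head = model_headlen(skb);
    if (want > skb->len || want > sizeof skb->linear) return -1;
    if (want <= head) return 0;              /* already linear */
    memcpy(skb->linear + head, skb->frag, want - head);
    skb->frag += want - head;
    skb->data_len -= want - head;
    return 0;
}

/* Constructed packet: 14 linear header bytes + 26 payload bytes in a fragment. */
static struct model_skb model_sample(void)
{
    static const unsigned char payload[26] = "abcdefghijklmnopqrstuvwxy";
    struct model_skb skb = { .frag = payload, .len = 40, .data_len = 26 };
    memset(skb.linear, 0xEE, 14);
    return skb;
}

int main(void)
{
    struct model_skb skb = model_sample();
    unsigned char buf[64];
    printf("before pull: %zu\n", model_read_linear(&skb, buf, sizeof buf));
    model_pull_data(&skb, skb.len);
    printf("after pull:  %zu\n", model_read_linear(&skb, buf, sizeof buf));
}
```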