feat: add runtime selection for ring buffer or perf event based on kernel version

[cfc4n]

This pull request introduces support for using a ring buffer instead of a perf event array for packet capture in eBPF programs, providing improved performance and reduced packet loss on Linux kernels 5.8 and newer. The changes include runtime detection of kernel version, conditional selection of the appropriate buffer mechanism, and updates to both the kernel and user space components to support this flexibility.

Kernel-side changes:

• Ring buffer support in eBPF maps and runtime selection:
  • Added a new skb_events_rb ring buffer map for packet events in kern/tc.h, used when running on Linux 5.8+ for better performance. A new runtime constant use_ringbuf determines which buffer type to use. ([[1]](https://github.com/gojue/ecapture/pull/901/files#diff-46ef0ddb31904076cb1998f9ecdb1d5b7ab921c039ee8ec1dac0cefc23feaeffR57-R71), [[2]](https://github.com/gojue/ecapture/pull/901/files#diff-47c30c174728010ab21cfd4eaa04f1231e4c9ba27272b275dc3bc5ae1f124d0dR70-R73))
  • Updated the packet capture logic to choose between bpf_perf_event_output and bpf_ringbuf_output based on the kernel version and runtime flag. ([[1]](https://github.com/gojue/ecapture/pull/901/files#diff-46ef0ddb31904076cb1998f9ecdb1d5b7ab921c039ee8ec1dac0cefc23feaeffR276-R290), [[2]](https://github.com/gojue/ecapture/pull/901/files#diff-46ef0ddb31904076cb1998f9ecdb1d5b7ab921c039ee8ec1dac0cefc23feaeffL260-L262))

User space changes:

• Kernel version detection and configuration:

  • Added detection for kernel versions less than 5.8 and set the use_ringbuf constant accordingly in the module initialization. ([[1]](https://github.com/gojue/ecapture/pull/901/files#diff-8645b59266fcb6deeb919beef91f71d67260fabf3f0ad72be2e418d9c84be6d4R151-R157), [[2]](https://github.com/gojue/ecapture/pull/901/files#diff-8645b59266fcb6deeb919beef91f71d67260fabf3f0ad72be2e418d9c84be6d4R118), [[3]](https://github.com/gojue/ecapture/pull/901/files#diff-8645b59266fcb6deeb919beef91f71d67260fabf3f0ad72be2e418d9c84be6d4R106))
  • Exposed a new method IsKernelLess58() to check for ring buffer support. ([user/module/imodule.goR245-R250](https://github.com/gojue/ecapture/pull/901/files#diff-8645b59266fcb6deeb919beef91f71d67260fabf3f0ad72be2e418d9c84be6d4R245-R250))

• Dynamic buffer selection in probe modules:

  • Updated the constantEditor methods in probe modules (probe_gnutls.go, probe_gotls.go, probe_openssl.go) to set the use_ringbuf constant based on kernel version. ([[1]](https://github.com/gojue/ecapture/pull/901/files#diff-0df804a0e43e934558db7777c13fb0bf02be2b202fc95840648a8a9d3f77e42aR195-R211), [[2]](https://github.com/gojue/ecapture/pull/901/files#diff-8cec55766de35e4760d8eb7d9497d779d3ea106dc5f4115d1909b834f2f97ca2R194-R200), [[3]](https://github.com/gojue/ecapture/pull/901/files#diff-779504b2ae7d5c72fdd91b76febcf4f3a108e7bd02638501401a518f773cb195R362-R368), [[4]](https://github.com/gojue/ecapture/pull/901/files#diff-8cec55766de35e4760d8eb7d9497d779d3ea106dc5f4115d1909b834f2f97ca2R211-R214), [[5]](https://github.com/gojue/ecapture/pull/901/files#diff-779504b2ae7d5c72fdd91b76febcf4f3a108e7bd02638501401a518f773cb195R379-R382))
  • Modified packet capture setup in probe modules to select the correct eBPF map (skb_events or skb_events_rb) at runtime and log which buffer is being used. ([[1]](https://github.com/gojue/ecapture/pull/901/files#diff-4fec8f06255579ed0d3c0f516162bb51bc0a34075500b6fec03eb56388894736L138-R165), [[2]](https://github.com/gojue/ecapture/pull/901/files#diff-d3101e43978db3f982e6370019b347b0f4863d1871d4b8c86bf9b3eed84ec6c3L143-R170), [[3]](https://github.com/gojue/ecapture/pull/901/files#diff-b553bad9a74ab279dd00b3a5b64930c3b9f142ebd13f36b1333eaa7770eb2f2cL161-R188))

These changes ensure optimal packet capture performance across different Linux kernel versions by automatically selecting the most suitable buffering mechanism.

fix: #829

[github-actions]

✅ E2E Test Results: PASSED

Test Run: #20172660505

Tests Executed:

• TLS/OpenSSL Module (curl → github.com)
• GnuTLS Module (wget/curl → github.com)
• GoTLS Module (Go client → github.com)

✅ All e2e tests passed successfully! The TLS capture functionality is working correctly.

---

Automated e2e test results for commit ebf9ae2

[Copilot]

Pull request overview

This pull request introduces runtime detection and selection between ring buffer (Linux 5.8+) and perf event array (older kernels) for packet capture in eBPF programs, aiming to improve performance and reduce packet loss on newer kernels.

Key Changes:

• Added kernel version detection in user space to identify kernels < 5.8
• Introduced a runtime constant use_ringbuf that controls buffer type selection in eBPF code
• Created conditional map selection logic in probe modules to use the appropriate buffer based on kernel version

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
kern/tc.h	Added ring buffer map definition and conditional logic to select between ring buffer and perf event output based on runtime flag
kern/common.h	Added use_ringbuf runtime constant for controlling buffer selection
user/module/imodule.go	Added kernel version 5.8 detection and IsKernelLess58() method to expose this information
user/module/probe_openssl.go	Updated constant editor to set use_ringbuf based on kernel version
user/module/probe_openssl_pcap.go	Modified to dynamically select between skb_events and skb_events_rb maps with logging
user/module/probe_gotls.go	Updated constant editor to set use_ringbuf based on kernel version
user/module/probe_gotls_pcap.go	Modified to dynamically select between skb_events and skb_events_rb maps with logging
user/module/probe_gnutls.go	Updated constant editor to set use_ringbuf based on kernel version
user/module/probe_gnutls_pcap.go	Modified to dynamically select between skb_events and skb_events_rb maps with logging

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

🔧 Debug Build Complete (PR #901)

📦 Download Links:

• View Build Artifacts

⏰ Files will be retained for 7 days, please download and test promptly.

---

This build includes debug binaries for: android/linux (arm64/amd64)

[github-actions]

✅ E2E Test Results: PASSED

Test Run: #20174461445

Tests Executed:

• TLS/OpenSSL Module (curl → github.com)
• GnuTLS Module (wget/curl → github.com)
• GoTLS Module (Go client → github.com)

✅ All e2e tests passed successfully! The TLS capture functionality is working correctly.

---

Automated e2e test results for commit 87457c0

[github-actions]

🔧 Debug Build Complete (PR #901)

📦 Download Links:

• View Build Artifacts

⏰ Files will be retained for 7 days, please download and test promptly.

---

This build includes debug binaries for: android/linux (arm64/amd64)

[github-actions]

✅ E2E Test Results: PASSED

Test Run: #20189015563

Tests Executed:

• TLS/OpenSSL Module (curl → github.com)
• GnuTLS Module (wget/curl → github.com)
• GoTLS Module (Go client → github.com)

✅ All e2e tests passed successfully! The TLS capture functionality is working correctly.

---

Automated e2e test results for commit 44693c0

[github-actions]

🔧 Debug Build Complete (PR #901)

📦 Download Links:

• View Build Artifacts

⏰ Files will be retained for 7 days, please download and test promptly.

---

This build includes debug binaries for: android/linux (arm64/amd64)