authorPaul Buetow <paul@buetow.org>2025-03-06 21:08:47 +0200
committerPaul Buetow <paul@buetow.org>2025-03-06 21:08:47 +0200
commitfe7f16e4fcf7ee13f55321691072bf02071df58c (patch)
treee521e5205dd181c966f486cef2089aa15aae77bb /internal
parent90d59424ad047dd9fd58ee11c5b04383be4995f8 (diff)
refactor
Diffstat (limited to 'internal')
-rw-r--r--internal/event.go17
-rw-r--r--internal/eventloop.go73
-rw-r--r--internal/file.go6
-rw-r--r--internal/flags/flags.go2
-rw-r--r--internal/ioriotng.go2
5 files changed, 55 insertions, 45 deletions
diff --git a/internal/event.go b/internal/event.go
index bce60fa..f0d81b6 100644
--- a/internal/event.go
+++ b/internal/event.go
@@ -51,31 +51,34 @@ func (e *eventPair) is(id TraceId) bool {
return e.enterEv.GetTraceId() == id
}
+const eventStreamHeader = "durationToPrevNs,durationNs,comm,pid.tid,name,ret,notice,file"
+
func (e *eventPair) String() string {
var sb strings.Builder
- sb.WriteString(fmt.Sprintf("%08dns %08dns", e.durationToPrev, e.duration))
+ sb.WriteString(fmt.Sprintf("%08d,%08d", e.durationToPrev, e.duration))
- sb.WriteString(" comm:")
+ sb.WriteString(",")
sb.WriteString(e.comm)
- sb.WriteString(" pidtid:")
+ sb.WriteString(",")
sb.WriteString(strconv.FormatInt(int64(e.enterEv.GetPid()), 10))
sb.WriteString(".")
sb.WriteString(strconv.FormatInt(int64(e.enterEv.GetTid()), 10))
- sb.WriteString(" name:")
+ sb.WriteString(",")
sb.WriteString(e.enterEv.GetTraceId().Name())
+
+ sb.WriteString(",")
if retEv, ok := e.exitEv.(*RetEvent); ok {
- sb.WriteString(":")
sb.WriteString(strconv.FormatInt(int64(retEv.Ret), 10))
}
- sb.WriteString(" ")
+ sb.WriteString(",")
sb.WriteString(e.file.String())
if e.tracepointMismatch {
- sb.WriteString(" MISMATCH")
+ sb.WriteString(",MISMATCH")
}
return sb.String()
}
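Review bot: Rows produced by String() do not line up with `eventStreamHeader`: the header lists notice before file, but `,MISMATCH` is appended after the file and only when the flag is set, so rows have seven or eight fields and the last two are swapped relative to the header. Emitting the notice field unconditionally and ahead of the file, as below, keeps every row at eight columns. Separately, comm and the file name originate from the traced processes and are written unquoted, so a path containing a comma or a newline shifts or splits a row for whoever parses this output; writing rows through encoding/csv, or quoting those two fields, would prevent that.

```go
	// … unchanged: durations, comm, pid.tid, name, ret …

	// notice column: always emitted, empty unless the tracepoints mismatched
	sb.WriteString(",")
	if e.tracepointMismatch {
		sb.WriteString("MISMATCH")
	}
	sb.WriteString(",")
	sb.WriteString(e.file.String())
	return sb.String()
}
```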
diff --git a/internal/eventloop.go b/internal/eventloop.go
index 29e002c..0dca083 100644
--- a/internal/eventloop.go
+++ b/internal/eventloop.go
@@ -6,16 +6,32 @@ import (
"fmt"
. "ioriotng/internal/generated/types"
-
- bpf "github.com/aquasecurity/libbpfgo"
)
-func eventLoop(bpfModule *bpf.Module, rawCh <-chan []byte) {
- for ev := range events(rawCh) {
+type eventLoop struct {
+ evCh chan *eventPair // Channel of events (enter+exit tracepoint results of a syscall).
+ enterEvs map[uint32]*eventPair // Temp. store of sys_enter tracepoints per Tid.
+ files map[int32]file // Track all open files by file descriptor.
+ comms map[uint32]string // Program or thread name of the current Tid.
+ prevPairs map[uint32]*eventPair // Previous event (to calculate time differences between two events)
+}
+
+func newEventLoop() *eventLoop {
+ return &eventLoop{
+ evCh: make(chan *eventPair),
+ enterEvs: make(map[uint32]*eventPair),
+ files: make(map[int32]file),
+ comms: make(map[uint32]string),
+ prevPairs: make(map[uint32]*eventPair),
+ }
+}
+
+func (e *eventLoop) run(rawCh <-chan []byte) {
+ fmt.Println(eventStreamHeader)
+ for ev := range e.events(rawCh) {
fmt.Println(ev.String())
if ev.prevPair != nil {
- // Only recycle the previous event, as the current event is the previous
- // event of the next event!
+ // Only recycle the previous event, as the current event is the previous event of the next event!
ev.prevPair.recycle()
continue
}
@@ -23,31 +39,20 @@ func eventLoop(bpfModule *bpf.Module, rawCh <-chan []byte) {
fmt.Println("Good bye")
}
-func events(rawCh <-chan []byte) <-chan *eventPair {
- // Channel of events (enter+exit tracepoint results of a syscall).
- evCh := make(chan *eventPair)
- // Temp. store of sys_enter tracepoints per Tid.
- enterEvs := make(map[uint32]*eventPair)
- // Track all open files by file descriptor.
- files := make(map[int32]file)
- // Program or thread name of the current Tid.
- comms := make(map[uint32]string)
- // Previous event (to calculate time differences between two events)
- prevPairs := make(map[uint32]*eventPair)
-
+func (e *eventLoop) events(rawCh <-chan []byte) <-chan *eventPair {
// Syscall entered
enter := func(enterEv event) {
- enterEvs[enterEv.GetTid()] = newEventPair(enterEv)
+ e.enterEvs[enterEv.GetTid()] = newEventPair(enterEv)
}
// Syscall exited
exit := func(exitEv event) {
- ev, ok := enterEvs[exitEv.GetTid()]
+ ev, ok := e.enterEvs[exitEv.GetTid()]
if !ok {
exitEv.Recycle()
return
}
- delete(enterEvs, exitEv.GetTid())
+ delete(e.enterEvs, exitEv.GetTid())
ev.exitEv = exitEv
// Expect ID one lower, otherwise, enter and exit tracepoints
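Review bot: events() is now effectively single-use per eventLoop, because the channel and maps live on the struct instead of being created per call. A second call would start another goroutine mutating the same maps without synchronisation and would run `defer close(e.evCh)` (in a later hunk of this file) on an already closed channel, which panics. Either allocate the channel inside events() again, `evCh := make(chan *eventPair)`, or state on the method that it must be called once: `// events must be called at most once per eventLoop; it closes e.evCh when rawCh is drained.` The body of events() extends beyond this hunk.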
@@ -64,12 +69,12 @@ func events(rawCh <-chan []byte) <-chan *eventPair {
fd := int32(ev.exitEv.(*RetEvent).Ret)
file := fdFile{fd, string(openEv.Filename[:])}
if fd >= 0 {
- files[fd] = file
+ e.files[fd] = file
}
ev.file = file
comm := string(openEv.Comm[:])
- comms[openEv.Tid] = comm
+ e.comms[openEv.Tid] = comm
case *NameEvent:
nameEvent := ev.enterEv.(*NameEvent)
@@ -77,41 +82,41 @@ func events(rawCh <-chan []byte) <-chan *eventPair {
oldname: string(nameEvent.Oldname[:]),
newname: string(nameEvent.Newname[:]),
}
- ev.comm, _ = comms[ev.enterEv.GetTid()]
+ ev.comm, _ = e.comms[ev.enterEv.GetTid()]
case *PathEvent:
nameEvent := ev.enterEv.(*PathEvent)
ev.file = pathnameFile{string(nameEvent.Pathname[:])}
- ev.comm, _ = comms[ev.enterEv.GetTid()]
+ ev.comm, _ = e.comms[ev.enterEv.GetTid()]
case *FdEvent:
fd := ev.enterEv.(*FdEvent).Fd
- if file_, ok := files[fd]; ok {
+ if file_, ok := e.files[fd]; ok {
ev.file = file_
if ev.is(SYS_ENTER_CLOSE) {
- delete(files, fd)
+ delete(e.files, fd)
}
} else {
ev.file = fdFile{fd, "?"}
}
- ev.comm, _ = comms[ev.enterEv.GetTid()]
+ ev.comm, _ = e.comms[ev.enterEv.GetTid()]
case *NullEvent:
- ev.comm, _ = comms[ev.enterEv.GetTid()]
+ ev.comm, _ = e.comms[ev.enterEv.GetTid()]
default:
panic(fmt.Sprintf("unknown type: %v", v))
}
- ev.prevPair, _ = prevPairs[ev.enterEv.GetTid()]
+ ev.prevPair, _ = e.prevPairs[ev.enterEv.GetTid()]
ev.calculateDurations()
- prevPairs[ev.enterEv.GetTid()] = ev
- evCh <- ev
+ e.prevPairs[ev.enterEv.GetTid()] = ev
+ e.evCh <- ev
}
// Deserialise raw byte stream from BPF ringbuffer.
go func() {
- defer close(evCh)
+ defer close(e.evCh)
for raw := range rawCh {
switch EventType(raw[0]) {
case ENTER_OPEN_EVENT:
@@ -136,5 +141,5 @@ func events(rawCh <-chan []byte) <-chan *eventPair {
}
}()
- return evCh
+ return e.evCh
}
diff --git a/internal/file.go b/internal/file.go
index 72fe57e..9230afd 100644
--- a/internal/file.go
+++ b/internal/file.go
@@ -18,12 +18,12 @@ func (f fdFile) String() string {
var sb strings.Builder
if len(f.name) == 0 {
- sb.WriteString("file:?")
+ sb.WriteString("?")
} else {
- sb.WriteString("file:(")
+ sb.WriteString(f.name)
+ sb.WriteString(" (")
sb.WriteString(strconv.FormatInt(int64(f.fd), 10))
sb.WriteString(")")
- sb.WriteString(f.name)
}
return sb.String()
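Review bot: The empty-name branch now prints a bare `?` and drops the descriptor, while eventloop.go builds `fdFile{fd, "?"}` for unknown descriptors, which renders as `? (fd)`; two spellings of "unknown file" make the column harder to filter. Writing the ` (fd)` suffix in both branches would unify them. Because the name is followed by ` (`, a path that itself ends in ` (N)` cannot be told apart from the suffix, so a separate fd column in the CSV header would be more robust. The function's closing brace is outside the hunk.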
diff --git a/internal/flags/flags.go b/internal/flags/flags.go
index 5596ea5..2c655fa 100644
--- a/internal/flags/flags.go
+++ b/internal/flags/flags.go
@@ -11,12 +11,14 @@ type Flags struct {
PidFilter int
TidFilter int
EventMapSize int
+ CommFilter string
}
func New() (flags Flags) {
flag.IntVar(&flags.PidFilter, "pid", -1, "Filter for processes ID")
flag.IntVar(&flags.TidFilter, "tid", -1, "Filter for thread ID")
flag.IntVar(&flags.EventMapSize, "mapSize", 4096*16, "BPF FD event ring buffer map size")
+ flag.StringVar(&flags.CommFilter, "comm", "", "Command to filter for")
flag.Parse()
return flags
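Review bot: The new `-comm` value is accepted without validation, and none of the hunks shown here reads `CommFilter`, so the consumer is presumably outside this diff. Linux truncates a task's comm to 15 bytes, so a longer value can never match and is better rejected after `flag.Parse()`, e.g. `if len(flags.CommFilter) > 15 { /* report and exit */ }`. The help text could also say that comm is set by the process itself and can change at runtime, so it is a convenience filter rather than an identity check: `"Command name (comm, max 15 bytes) to filter for"`.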
diff --git a/internal/ioriotng.go b/internal/ioriotng.go
index 46cc0e5..b335630 100644
--- a/internal/ioriotng.go
+++ b/internal/ioriotng.go
@@ -60,7 +60,7 @@ func Run(flags flags.Flags) {
panic(err)
}
rb.Poll(300)
- eventLoop(bpfModule, ch)
+ newEventLoop().run(ch)
fmt.Println("Good bye")
}
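Review bot: `fmt.Println("Good bye")` after `newEventLoop().run(ch)` writes a second farewell line to stdout, since run() in eventloop.go already ends with the same Println. With stdout now carrying the CSV stream, both lines become malformed trailing records for any parser. Drop this one and send the remaining message to stderr, `fmt.Fprintln(os.Stderr, "Good bye")`, adding the os import if the file lacks it. Run's body starts outside the hunk.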