microsoft · nddq · Feb 11, 2026
@@ -0,0 +1,127 @@
+// go:build ignore
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+// TCP retransmission tracer eBPF program
+// Hooks into tcp_retransmit_skb tracepoint/kprobe to capture TCP retransmission
+// events
+//
+// Based on tcpretrans from BCC (Apache 2.0 License)
+// https://github.com/iovisor/bcc
+// Copyright (c) 2016 Netflix, Inc.
+// Author: Brendan Gregg
+
+#include "vmlinux.h"
+#include "bpf_helpers.h"
+#include "bpf_core_read.h"
+#include "bpf_tracing.h"
+#include "bpf_endian.h"
+
+char __license[] SEC("license") = "Dual MIT/GPL";
+
+// TCP retransmission event structure - sent to userspace
+struct tcpretrans_event {
+	__u64 timestamp; // Boot time in nanoseconds
+	__u32 src_ip;	 // Source IPv4 address (network byte order)
+	__u32 dst_ip;	 // Destination IPv4 address (network byte order)
+	__u16 src_port;	 // Source port (host byte order)
+	__u16 dst_port;	 // Destination port (host byte order)
+	__u32 state;	 // TCP state
+	__u8 tcpflags;	 // TCP flags from the retransmitted packet
+	__u8 af;		 // Address family (4 or 6)
+	__u8 _pad[2];
+	__u8 src_ip6[16]; // Source IPv6 address
+	__u8 dst_ip6[16]; // Destination IPv6 address
+};
+
+// Define const for bpf2go type generation
+const struct tcpretrans_event *unused_tcpretrans_event __attribute__((unused));
+
+// Perf event array for streaming events to userspace
+struct {
+	__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+	__uint(key_size, sizeof(__u32));
+	__uint(value_size, sizeof(__u32));
+} retina_tcpretrans_events SEC(".maps");
+
+// TCP flag bit positions
+#define TCP_FLAG_FIN 0x01
+#define TCP_FLAG_SYN 0x02
+#define TCP_FLAG_RST 0x04
+#define TCP_FLAG_PSH 0x08
+#define TCP_FLAG_ACK 0x10
+#define TCP_FLAG_URG 0x20
+#define TCP_FLAG_ECE 0x40
+#define TCP_FLAG_CWR 0x80
+
+static __always_inline void extract_tcp_info(struct sock *sk,
+											 struct tcpretrans_event *event) {
+	// Read address family
+	__u16 family = 0;
+	BPF_CORE_READ_INTO(&family, sk, __sk_common.skc_family);
+
+	if (family == 2) { // AF_INET
+		event->af = 4;
+		BPF_CORE_READ_INTO(&event->src_ip, sk, __sk_common.skc_rcv_saddr);
+		BPF_CORE_READ_INTO(&event->dst_ip, sk, __sk_common.skc_daddr);
+	} else if (family == 10) { // AF_INET6
+		event->af = 6;
+		BPF_CORE_READ_INTO(&event->src_ip6, sk,
+						   __sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);
+		BPF_CORE_READ_INTO(&event->dst_ip6, sk,
+						   __sk_common.skc_v6_daddr.in6_u.u6_addr8);
+	} else {
+		return;
+	}
+
+	// Read ports
+	__u16 dport = 0;
+	BPF_CORE_READ_INTO(&dport, sk, __sk_common.skc_dport);
+	event->dst_port = bpf_ntohs(dport);
+
+	__u16 sport = 0;
+	BPF_CORE_READ_INTO(&sport, sk, __sk_common.skc_num);
+	event->src_port = sport; // already in host byte order
+
+	// Read TCP state
+	BPF_CORE_READ_INTO(&event->state, sk, __sk_common.skc_state);
+}
+
+SEC("kprobe/tcp_retransmit_skb")
+int BPF_KPROBE(retina_tcp_retransmit_skb, struct sock *sk,
+			   struct sk_buff *skb) {
+	if (!sk || !skb)
+		return 0;
+
+	struct tcpretrans_event event = {};
+	event.timestamp = bpf_ktime_get_boot_ns();
+
+	extract_tcp_info(sk, &event);
+
+	// Skip if we couldn't determine the address family
+	if (event.af == 0)
+		return 0;
+
+	// Read TCP flags from the skb's transport header
+	// TCP flags byte is at offset 13 in the TCP header
+	// (byte 12 = data offset + reserved, byte 13 = flags)
+	// Cannot use BPF_CORE_READ_INTO on bit-fields, so read the raw byte
+	char *head = NULL;
+	__u16 trans_header = 0;
+	BPF_CORE_READ_INTO(&head, skb, head);
+	BPF_CORE_READ_INTO(&trans_header, skb, transport_header);
+
+	if (head && trans_header) {
+		// Read the flags byte (offset 13 in TCP header)
+		__u8 flags_byte = 0;
+		bpf_probe_read_kernel(&flags_byte, sizeof(flags_byte),
+							  head + trans_header + 13);
+		event.tcpflags = flags_byte;
+	}
+
+	bpf_perf_event_output(ctx, &retina_tcpretrans_events, BPF_F_CURRENT_CPU,
+						  &event, sizeof(event));
+
+	return 0;
+}