perf(userspace/libscap): rewrite /proc/pid/net/{tcp6,udp6,raw6} parsing logic #2816

Merged
poiana merged 2 commits into falcosecurity:master from ekoops:ekoops/proc-pid-net-ipv6
Feb 3, 2026
@ekoops ekoops commented Jan 29, 2026

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind test

/kind feature

/kind sync

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-gvisor

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

The previous logic used 1 single `fopen()` to open the `/proc/<pid>/net/{tcp6,udp6,raw6}`/`/proc/net/{tcp6,udp6,raw6}` files, and `fread()` to read the content of the file in a single heap-allocated buffer of 1MB.

The new parsing logic introduces the following optimizations:

  • use parse_procfs_proc_pid_socket_table_file() to efficiently read the socket table file content (this uses lighter open() and read() system calls, a stack-allocated buffer for cache locality and a sliding window logic for handling truncated lines).
  • the single line parsing logic (implemented in parse_ipv6_socket_table_line()) uses light helpers like str_scan_u64(), scan_ipv6_socket_table_address() and memchr(); moreover, it avoids polluting the cache by repeatedly writing on the line buffer while parsing the addresses and ports

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

/milestone 0.24.0

Does this PR introduce a user-facing change?:

NONE

github-actions bot commented Jan 29, 2026

Perf diff from master - unit tests

    12.05%     -1.49%  [.] sinsp_threadinfo::get_main_thread()
    12.52%     +1.05%  [.] std::__shared_count<(__gnu_cxx::_Lock_policy)2>::_M_get_use_count() const
     9.13%     +0.68%  [.] sinsp_threadinfo::update_main_fdtable()
     9.91%     -0.36%  [.] std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release()
     9.87%     +0.35%  [.] std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_add_ref_lock_nothrow()
     6.50%     +0.32%  [.] std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count(std::__weak_count<(__gnu_cxx::_Lock_policy)2> const&, std::nothrow_t)
    15.34%     -0.28%  [.] std::__shared_ptr<sinsp_threadinfo, (__gnu_cxx::_Lock_policy)2>::__shared_ptr(std::__weak_ptr<sinsp_threadinfo, (__gnu_cxx::_Lock_policy)2> const&, std::nothrow_t)
     0.23%     +0.22%  [.] scap_event_encode_params_v
     7.89%     -0.19%  [.] sinsp_threadinfo::get_fd_table()
     3.56%     +0.16%  [.] sinsp_thread_manager::create_thread_dependencies(std::shared_ptr<sinsp_threadinfo> const&)

Heap diff from master - unit tests

peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Heap diff from master - scap file

peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Benchmarks diff from master

Comparing gbench_data.json to /root/actions-runner/_work/libs/libs/build/gbench_data.json
Benchmark                                                         Time             CPU      Time Old      Time New       CPU Old       CPU New
----------------------------------------------------------------------------------------------------------------------------------------------
BM_sinsp_split_mean                                            -0.0253         -0.0255           239           233           239           233
BM_sinsp_split_median                                          -0.0252         -0.0252           238           232           238           232
BM_sinsp_split_stddev                                          -0.4089         -0.4194             2             1             2             1
BM_sinsp_split_cv                                              -0.3935         -0.4043             0             0             0             0
BM_sinsp_concatenate_paths_relative_path_mean                  -0.0588         -0.0588            72            68            72            68
BM_sinsp_concatenate_paths_relative_path_median                -0.0615         -0.0616            72            68            72            68
BM_sinsp_concatenate_paths_relative_path_stddev                -0.0247         -0.0260             1             1             1             1
BM_sinsp_concatenate_paths_relative_path_cv                    +0.0362         +0.0348             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_mean                     +0.0505         +0.0508            40            42            40            42
BM_sinsp_concatenate_paths_empty_path_median                   +0.0564         +0.0564            39            42            39            42
BM_sinsp_concatenate_paths_empty_path_stddev                   -0.8253         -0.8210             1             0             1             0
BM_sinsp_concatenate_paths_empty_path_cv                       -0.8337         -0.8297             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_mean                  -0.0042         -0.0041            68            68            68            68
BM_sinsp_concatenate_paths_absolute_path_median                -0.0040         -0.0040            68            68            68            68
BM_sinsp_concatenate_paths_absolute_path_stddev                -0.5202         -0.5222             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_cv                    -0.5182         -0.5202             0             0             0             0

codecov bot commented Jan 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.53%. Comparing base (127ac82) to head (98afca3).
⚠️ Report is 4 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2816   +/-   ##
=======================================
  Coverage   74.53%   74.53%           
=======================================
  Files         292      292           
  Lines       29987    29987           
  Branches     4660     4660           
=======================================
  Hits        22350    22350           
  Misses       7637     7637           
Flag Coverage Δ
libsinsp 74.53% <ø> (ø)


@ekoops ekoops force-pushed the ekoops/proc-pid-net-ipv6 branch from 7f5ecfb to d2c470b Compare January 29, 2026 15:38
…sing logic

The previous logic used 1 single `fopen()` to open the
`/proc/<pid>/net/{tcp6,udp6,raw6}`/`/proc/net/{tcp6,udp6,raw6}` files,
and `fread()` to read the content of the file in a single
heap-allocated buffer of 1MB.
The new parsing logic introduces the following optimizations:
- use `open()` and `read()` to avoid `fopen()` and `fread()`
  allocation, buffering and lock acquisition overheads
- try to read the entire file content with a single `read()`. In the
  case in which the file content is bigger than the stack-allocated
  buffer of 32kB, the unprocessed content (the last truncated line) is
  shifted to the beginning of the buffer, and a new read is attempted.
  Notice that 32 kB is a good choice for the majority of the use
  cases. Each file line is approximately 150 bytes. The following
  table estimates how many `read()` system calls are issued in the
  optimistic case (e.g.: no signals):
  - 100 sockets -> ~15 kB -> 1 read()
  - 1000 sockets -> ~150 kB -> ~5 read()
  - 10000 sockets -> ~1.5 MB -> ~50 read()
  Even in the worst scenario, the cost of issuing 50 system calls
  should be overcome by the cache-friendly accesses using the
  stack-allocated buffer.

Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
Signed-off-by: Leonardo Di Giovanna <leonardodigiovanna1@gmail.com>
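
The read loop described in the commit message above, as an added example that is not code from this PR or from libscap: `open()`/`read()`-style input through a fixed stack buffer, with the truncated last line slid to the front before the next `read()`. The names `scan_socket_table`, `local_port` and `scan_sample`, the 256-byte window (the commit message uses 32 kB) and the choice to extract only the local port are assumptions made for the example; the sample rows are constructed.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>
#define WINDOW 256 /* demo size (assumption); the commit message uses a 32 kB stack buffer */

static const char SAMPLE[] = /* constructed rows in /proc/net/tcp6 layout, not from a real host */
    "  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000000000000000000000000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0\n"
    "   1: 00000000000000000000000001000000:0016 00000000000000000000000001000000:C350 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1\n"
    "   2: 00000000000000000000000000000000:01BB 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 100 0 0 10 0\n";

static long local_port(const char *line, size_t len) { /* -1 for the header or a malformed row */
    const char *end = line + len, *p = memchr(line, ':', len); /* end of "sl:" */
    if (p) p = memchr(p + 1, ':', (size_t)(end - p - 1));      /* "addr:port" separator */
    long port = (p && end - p >= 5) ? 0 : -1;
    for (int i = 1; port >= 0 && i <= 4; i++) { /* four uppercase hex digits, bounds checked above */
        int c = p[i], d = c >= '0' && c <= '9' ? c - '0' : c >= 'A' && c <= 'F' ? c - 'A' + 10 : -1;
        port = d < 0 ? -1 : port * 16 + d;
    }
    return port;
}

/* Scans fd through a fixed stack window; fills ports[] and returns how many were stored, -1 on error. */
int scan_socket_table(int fd, long *ports, int max) {
    char buf[WINDOW];
    size_t used = 0; int rows = 0;
    for (;;) {
        ssize_t n = read(fd, buf + used, sizeof(buf) - used);
        if (n < 0 && errno == EINTR) continue;  /* interrupted by a signal: retry */
        if (n <= 0) return n < 0 ? -1 : rows;   /* error, or EOF (an unterminated tail is dropped) */
        used += (size_t)n;
        char *start = buf, *nl;
        while ((nl = memchr(start, '\n', used - (size_t)(start - buf))) != NULL) {
            long port = local_port(start, (size_t)(nl - start));
            if (port >= 0 && rows < max) ports[rows++] = port;
            start = nl + 1;
        }
        used -= (size_t)(start - buf);
        if (used == sizeof(buf)) return -1;     /* one line longer than the window: refuse, do not spin */
        memmove(buf, start, used);              /* slide the truncated line to the front */
    }
}

int scan_sample(long *ports, int max) { /* feeds SAMPLE through a pipe, so no /proc is needed */
    int fds[2];
    if (pipe(fds) != 0) return -1;
    ssize_t w = write(fds[1], SAMPLE, sizeof(SAMPLE) - 1);
    close(fds[1]); /* writer closed so the reader sees EOF */
    int rows = w == (ssize_t)(sizeof(SAMPLE) - 1) ? scan_socket_table(fds[0], ports, max) : -1;
    close(fds[0]);
    return rows;
}
```

The full-window check matters for a parser that ingests procfs content on a monitored host: without it, a line longer than the buffer would make the next `read()` request zero bytes and be mistaken for end of file.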
@ekoops ekoops force-pushed the ekoops/proc-pid-net-ipv6 branch from d2c470b to 98afca3 Compare February 2, 2026 10:40
@ekoops ekoops requested a review from terror96 February 2, 2026 10:41
ekoops commented Feb 2, 2026

Fixed and pushed! @terror96

@terror96 terror96 left a comment

My eyes can't spot more problems: /lgtm

@github-project-automation github-project-automation bot moved this from Todo to In progress in Falco Roadmap Feb 3, 2026
poiana commented Feb 3, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ekoops, leogr, terror96

@poiana poiana merged commit ac64ebd into falcosecurity:master Feb 3, 2026
48 checks passed
@github-project-automation github-project-automation bot moved this from In progress to Done in Falco Roadmap Feb 3, 2026
@ekoops ekoops deleted the ekoops/proc-pid-net-ipv6 branch February 4, 2026 11:43