
I am using bcc to trace several syscalls. Why is it that I can trace syscalls like write, close, fchown using a simple attach_kprobe but can't trace syscalls like stat, fstat?

I assume that there are other syscalls that I can't trace, but I haven't found which ones. How can I trace stat, fstat, and how are these different from the usual write, close?

Sample code:

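```python
from bcc import BPF

b = BPF(text=prog)
b.attach_kprobe(event=b.get_syscall_fnname("fstat"), fn_name="syscall_fstat")
```

In my prog I do a simple print:

```c
// kprobe handler: writes one line to the trace pipe on every hit
int syscall_fstat(void *ctx){
    bpf_trace_printk("fstat\n");
    return 0;
}
```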
Nuno Lopes
  • Can you post the code you're using in both cases? What makes you think you can't trace them? Do you have an error message? – pchaigno Feb 14 '20 at 07:01
  • No error message. To trigger fstat I believe a "ls" should be enough but I never see output that confirms this. On the other hand when using write I am able to see the output – Nuno Lopes Feb 14 '20 at 11:50

1 Answer

Instead of using stat I should be using newstat.

Nuno Lopes
  • Indeed, if you look at [the source code](https://github.com/iovisor/bcc/blob/v0.12.0/tools/statsnoop.py#L112) of one of the bcc examples tracing `stat`, you can see that it attempts several names: `stat`, `statfs` and `newstat`. Congrats on finding the one you need for your system :) – Qeole Feb 14 '20 at 13:13
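
The "try several names" approach from the comment above, as an added example that is not part of the original thread or of bcc: it checks which candidate entry points exist in the kernel symbol table and attaches to every one of them. The helper names, the prefix list and the sample symbol table are assumptions constructed for illustration.

```python
# Added example: helper names and the sample symbol table are constructed.
PREFIXES = ("__x64_sys_", "__arm64_sys_", "sys_")  # assumed subset of arch prefixes

# Constructed sample in /proc/kallsyms format: address, type, symbol name.
SAMPLE_KALLSYMS = """\
0000000000000000 T __x64_sys_write
0000000000000000 T __x64_sys_fstat
0000000000000000 T __x64_sys_newstat
0000000000000000 T __x64_sys_newfstat
0000000000000000 D sys_call_table
"""


def kernel_text_symbols(kallsyms_text):
    """Return the names of code symbols (type T or t) found in kallsyms text."""
    symbols = set()
    for line in kallsyms_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1] in ("T", "t"):
            symbols.add(fields[2])
    return symbols


def syscall_entry_points(names, symbols, prefixes=PREFIXES):
    """Map each candidate syscall name to the entry symbols that really exist."""
    found = {}
    for name in names:
        hits = [p + name for p in prefixes if p + name in symbols]
        if hits:
            found[name] = hits
    return found


def attach_all(bpf, names, fn_name, kallsyms_path="/proc/kallsyms"):
    """Attach fn_name as a kprobe to every existing entry point; return them."""
    with open(kallsyms_path) as f:
        symbols = kernel_text_symbols(f.read())
    attached = []
    for hits in syscall_entry_points(names, symbols).values():
        for symbol in hits:
            bpf.attach_kprobe(event=symbol, fn_name=fn_name)
            attached.append(symbol)
    return attached


if __name__ == "__main__":
    table = kernel_text_symbols(SAMPLE_KALLSYMS)
    print(syscall_entry_points(["stat", "newstat", "fstat", "newfstat"], table))
```

With a real bcc object, `attach_all(b, ["fstat", "newfstat"], "syscall_fstat")` needs root, like any kprobe attach.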