Is it possible to trace through what is being read through a text file using eBPF? There are ways to see the amount of memory being used and count reads and writes but I would like to even output the user data using bpf_trace_print if possible.
1 Answer
I think this would require tracing the open() (or openat()) system call and correlating it (fd in particular) with traced read calls.
/sys/kernel/debug/tracing/events/syscalls/sys_enter_read/format defines what syscall arguments can be accessed. What may interest you is the char *buf buffer pointer, where read() places the bytes it has read.
However, it is possible that the trace call occurs before any bytes have been read (need to check the kernel source). So, maybe a more reliable way is to use a raw tracepoint (BPF_PROG_TYPE_RAW_TRACEPOINT) hooked at read() return.

Mark
It might be going over my head a little bit but is this just a matter of doing b.attach_raw_tracepoint(,.. ,...) or doing b.attach_kprobe(.. ,sym="read", ..)? I'm not sure on how I can see the values inside char *buf – Zarif Rahman Jun 10 '21 at 16:55
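The enter/exit pairing discussed in the answer, as an added BCC sketch that is not code from the answer or the comment: it remembers buf at sys_enter_read and copies it at sys_exit_read, once the kernel has filled it. It assumes BCC, root, and the regular syscalls tracepoints rather than a raw tracepoint, and instead of tracing open()/openat() it resolves the fd through /proc/<pid>/fd/<fd> in user space; CAP, inflight, fd_path and build_program are names chosen here.

```python
import os
import sys

BPF_TEXT = r"""
#define CAP 128
struct arg_t { u64 fd; u64 buf; };            // two u64s: no uninitialised padding on the stack
struct ev_t  { u32 pid; u32 fd; u32 len; unsigned char data[CAP]; };
BPF_HASH(inflight, u64, struct arg_t);        // thread id -> args of the read() in progress
BPF_PERF_OUTPUT(events);

TRACEPOINT_PROBE(syscalls, sys_enter_read) {  // buf is not filled yet: only remember it
    u64 id = bpf_get_current_pid_tgid();
    if (id >> 32 != TARGET_PID) return 0;
    struct arg_t a = { .fd = args->fd, .buf = (u64)args->buf };
    inflight.update(&id, &a);
    return 0;
}
TRACEPOINT_PROBE(syscalls, sys_exit_read) {   // kernel has filled buf; ret is the byte count
    u64 id = bpf_get_current_pid_tgid();
    struct arg_t *a = inflight.lookup(&id);
    if (!a) return 0;
    struct ev_t e = { .pid = id >> 32, .fd = a->fd };
    u64 buf = a->buf;
    inflight.delete(&id);
    if (args->ret <= 0) return 0;             // error or EOF: nothing to copy
    u32 n = args->ret < CAP ? args->ret : CAP;  // clamp the copy to CAP bytes
    e.len = n;
    bpf_probe_read_user(e.data, n, (void *)buf);
    events.perf_submit(args, &e, sizeof(e));
    return 0;
}
"""

def build_program(pid):
    """BPF source restricted to one process (TARGET_PID is a placeholder in BPF_TEXT)."""
    return BPF_TEXT.replace("TARGET_PID", str(int(pid)))

def fd_path(pid, fd):
    """Path behind an fd of a process, or None if the fd is closed or not visible."""
    try:
        return os.readlink(f"/proc/{pid}/fd/{fd}")
    except OSError:
        return None

def main(pid, target):
    from bcc import BPF  # imported here because it needs bcc installed and root
    b = BPF(text=build_program(pid))
    want = os.path.realpath(target)
    def on_event(cpu, data, size):
        e = b["events"].event(data)
        if fd_path(e.pid, e.fd) == want:      # keep only reads of the file of interest
            print(bytes(e.data[:e.len]))
    b["events"].open_perf_buffer(on_event)
    while True:
        b.perf_buffer_poll()

if __name__ == "__main__":
    main(int(sys.argv[1]), sys.argv[2])
```

Run it as root with a PID and a file path as arguments. The /proc lookup can miss a read when the process closes the fd before the event is handled.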