
I'm currently trying to learn how to use BPF tools with the book "BPF Performance Tools". It's really complete and really interesting.

At the end of some chapters there are some optional exercises, but there is no solution. I also checked the GitHub repo.

So I need your help to get the exercises done. I'm already struggling with the second question, to run execsnoop, as some arguments seem to be deleted.

I tried to run a bpftrace one-liner with the code from execsnoop.bt:

sudo bpftrace -o output.txt -e 'BEGIN {printf("%-10s %-5s %s\n", "TIME(ms)", "PID", "ARGS"); } t:syscalls:sys_enter_exec* { printf("%-10u %-5d ", elapsed / 1e6, pid); join(args->argv); } interval:s:60 { exit(); }'

As you can see, I found out how to set up a duration with the exit() function.

But now I'm stuck on filtering by process name; I don't know how to make a filter with this one-liner.

I thought it was as simple as /comm == "man"/ right after the syscall tracepoint, but that's not how it works.

Edit: As a bonus question, if anyone knows whether there are any solutions for the optional exercises from the book, it would be very helpful.

NicoW
  • Good show on a first question with code and comments. I can't help with the specifics, but recommend that you look at the GitHub again to see where you can post your query. Is `ebpf/bpftrace` big enough that it has its own support/community forum attached to the project development? Maybe a Berkeley sup/comm forum can help? Interesting problem, but sorry, I have no idea. Good luck! – shellter May 26 '23 at 13:44
  • And ... did you google the authors? (Consider changing your title to "How can I filter process name in bpftrace".) Good luck! – shellter May 26 '23 at 13:52
  • Hey, thanks for your answer. I didn't find any forums for beginners, I got no answers on Reddit, and Slack seems to be for help developing some tools, way too far out of my league at the moment :D Guess I'll create an issue on the GitHub repo. – NicoW May 27 '23 at 13:06
  • You should move your solution above into an answer below. Doing so will gain you valuable reputation points. Glad you solved your problem. Good luck in the future! – shellter May 29 '23 at 15:38

1 Answer


Here is the solution. I don't know what I missed last time, but it works as expected:

sudo bpftrace -o output.txt -e 'BEGIN {printf("%-10s %-5s %s\n", "TIME(ms)", "PID", "ARGS"); } t:syscalls:sys_enter_exec* /comm == "man"/ { printf("%-10u %-5d ", elapsed / 1e6, pid); join(args->argv); } interval:s:60 { exit(); }'
NicoW
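The same trace as a script file, added here as an example (it is not from the book, its repository, or the poster), to make one detail of the accepted one-liner explicit: at sys_enter_execve the builtin comm is still the name of the task that issues the syscall, i.e. the forked child that has not yet been replaced by the new image. /comm == "man"/ therefore matches the programs that man itself launches (pager, formatter and so on), not the exec of the man binary. To match on the program being executed, the filter has to look at args->filename instead; the path /usr/bin/man and the 60-second window below are assumptions.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * Added example, not the book's execsnoop.bt.
 * Run:  sudo bpftrace execsnoop-filtered.bt
 * Prints exec() events for 60 seconds, each line tagged with the
 * filter that matched it.
 */

BEGIN
{
	printf("%-10s %-6s %-16s %-8s %s\n",
	       "TIME(ms)", "PID", "CALLER(comm)", "MATCH", "ARGS");
}

/*
 * Filter A: comm of the calling task. This is the parent's name
 * inherited by the forked child, so it selects execs *launched by* man.
 */
tracepoint:syscalls:sys_enter_exec*
/comm == "man"/
{
	printf("%-10u %-6d %-16s %-8s ", elapsed / 1e6, pid, comm, "by-man");
	join(args->argv);
}

/*
 * Filter B: the file being executed. This selects the exec *of* man
 * itself; at that moment comm is still the shell's name (e.g. bash).
 * The full path is what the shell passes to execve(); /usr/bin/man is
 * an assumed location, adjust it for the system being traced.
 */
tracepoint:syscalls:sys_enter_exec*
/str(args->filename) == "/usr/bin/man"/
{
	printf("%-10u %-6d %-16s %-8s ", elapsed / 1e6, pid, comm, "is-man");
	join(args->argv);
}

/* Stop after 60 seconds, as in the original one-liner. */
interval:s:60
{
	exit();
}
```

The two probes are independent: running `man bash` in a shell produces one "is-man" line (comm will be the shell) followed by several "by-man" lines for the helper programs man execs. Both probes use the same wildcard as the question so that execveat() is covered as well as execve(), and both tracepoints expose args->filename and args->argv.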