Questions tagged [bcc-bpf]

Questions related to the development of BPF tools through the use of the bcc (BPF Compiler Collection) framework.

121 questions
1 vote, 0 answers

failure on updating socket map

I'm doing BPF programming and I want to add a socket to a socket map. The code is as follows. When it detects a listen/connect, the socket is added to a socket map: __section("sockops") int bpf_sockmap(struct bpf_sock_ops *skops) { switch…
1t3a
1 vote, 1 answer

How to get the cgroup path of a task in an eBPF program?

I have been trying to play with the tcptop BCC tool by Brendan Gregg to learn more about how eBPF programs work. I am trying to get it to print the cgroup path of the tasks. With my rusty knowledge of Linux systems programming, I thought I could use…
Soumyadip DM
1 vote, 0 answers

What does the offset mean in BCC?

I've been using BCC to profile my code. As part of it, I'm looking at the offset we get when using the sym() function, which gets a function name from an address and a pid, and optionally displays the offset. I got the following results when…
Bemi42
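
The offset that sym() reports is the distance between the address you handed it and the start of the symbol that contains that address: offset 0 is the function entry, anything else is an instruction somewhere inside the function (a sampled program counter, or a return address sitting just after a call site in a stack trace). The following stand-alone model is an added example, not bcc's own code: it resolves addresses against a constructed, hypothetical symbol table (bcc reads the real one from the target's ELF symtab and /proc/PID/maps) and formats the result in the same "name+0xoffset" style that sym() uses when show_offset is set. The aggregate() helper shows why profilers usually drop the offset when counting samples: every distinct program counter inside one function would otherwise become its own bucket.

```python
import bisect
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed symbol table: (start address, size in bytes, name), sorted by
# start. These are made-up addresses standing in for what bcc would read from
# the target process's ELF symbol table; they are not from any real binary.
SYMBOLS: List[Tuple[int, int, str]] = [
    (0x401000, 0x40, "main"),
    (0x401040, 0x80, "parse_input"),
    (0x4010C0, 0x20, "helper"),
]
_STARTS = [start for start, _, _ in SYMBOLS]


def resolve(addr: int, show_offset: bool = True) -> str:
    """Model of bcc's sym(): map an address to the symbol whose
    [start, start + size) range contains it.

    Returns "name+0xoff" (offset = addr - symbol start) when show_offset is
    True, just "name" otherwise, and "[unknown]" when no symbol covers addr
    (e.g. JIT code, stripped binaries, or a gap between functions).
    """
    # Largest symbol start that is <= addr; bisect keeps this O(log n) so it
    # can be called once per sampled stack frame.
    i = bisect.bisect_right(_STARTS, addr) - 1
    if i < 0:
        return "[unknown]"
    start, size, name = SYMBOLS[i]
    if addr >= start + size:
        # addr lies past the end of the nearest symbol: not inside any function.
        return "[unknown]"
    offset = addr - start
    return f"{name}+0x{offset:x}" if show_offset else name


def aggregate(samples: Iterable[int], keep_offset: bool = False) -> Counter:
    """Count sampled addresses per symbol, as a profiler would.

    With keep_offset=False all program counters inside one function collapse
    into a single bucket; with keep_offset=True each distinct PC is its own
    key, which is what you see when a tool prints sym() with the offset on.
    """
    return Counter(resolve(a, show_offset=keep_offset) for a in samples)


if __name__ == "__main__":
    # Constructed sample of program counters, as a profiler might collect.
    pcs = [0x401000, 0x401040, 0x40105A, 0x40105A, 0x4010E0]
    for pc in pcs:
        print(f"{pc:#x} -> {resolve(pc)}")
    print("per function:", dict(aggregate(pcs)))
    print("per PC:      ", dict(aggregate(pcs, keep_offset=True)))
```

An offset at the very start of a function (+0x0) is what you get from a kprobe/uprobe on the entry, while a stack trace from a perf-event sample shows callers at the return address, so "parse_input+0x1a" means the sample landed 26 bytes into parse_input, not that the function was entered.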
1 vote, 1 answer

Functionality of the BPF hash of maps structure

I'm writing a BPF tool that maintains a per-process trace, which means I'll need a 2D data structure of some sort. To bypass the 512-byte limitation, I've decided that going with the supported structs (maps) is my best bet. After glancing at the…
byrnesj1
1 vote, 1 answer

bpftrace and the sys_read syscall

I'm attempting to write a single bpftrace script which grabs the strings passing between a postfix process and saslauthd for the authentication part. The goal is to detect compromised accounts in my company. The strace command gives me some good…
almorel
1 vote, 2 answers

attaching BPF to sys_enter (tracepoint available through /proc/kallsyms)

I'm trying to build a tool wherein I attach a BPF program to the entry points for all syscalls. From the CLI, I was able to attach to all syscall entries via: sudo bpftrace -e 'tracepoint:syscalls:sys_enter_* /comm != "bpftrace"/ {printf("Process…
byrnesj1
1 vote, 1 answer

How to print the file path from an open syscall using eBPF Python?

I use BPF from the Python bcc module, and I want my probe function to print the file path of the current file (a kind of custom, simplified opensnoop). How can I do that? This is what I have so far: b = BPF(text=""" #include
Liroshka
1 vote, 1 answer

Failure to compare strings with eBPF

When I run the following code, I get an error. #include #include struct uts_namespace { struct kref kref; struct new_utsname name; }; static __always_inline char * get_task_uts_name(struct…
Nuno Lopes
1 vote, 1 answer

What exactly is the usage of cursor_advance in BPF?

I was looking through a slide deck by the IOvisor project, https://events.static.linuxfound.org/sites/events/files/slides/iovisor-lc-bof-2016.pdf: #include struct IPKey { u32 dip; u32 sip; }; BPF_TABLE("hash", struct IPKey, int, mytable,…
Rosè
1 vote, 1 answer

eBPF packet monitor losing some packets when 'ping -f'ed

I wrote this program to capture all the packets that come into my network interface. It seems to work fine with things like ping [IP]. It also works fine with ping -f [IP] -c 10. However, when the number of packets that are pinged goes up to like…
Rosè
1 vote, 1 answer

eBPF packet filter not giving me correct data

So I've been trying to see if I could attach an eBPF packet filter to a network interface, enp32s0np1. I'm trying to catch all the incoming sender IP addresses. However, running the code below gives me a weird reaction. Instead of seeing the sender IP…
Rosè
1 vote, 0 answers

Making a comparison using an eBPF map in kernel space

I'm experimenting with eBPF maps and I have trouble using values retrieved from eBPF maps in an 'if' clause. I'm also using BCC to experiment with this code! So, when I run the code, I try to do this: BPF_ARRAY(test, u64, 12); u64 key0 = 0; u64 test…
Rosè
1 vote, 1 answer

eBPF: reading the result of getaddrinfo

Similar to the gethostlatency.py tool in the BPF Compiler Collection (bcc), I want to trace function calls to getaddrinfo. Additionally, I want to collect the returned values (IP addresses, address families). However, I seem not to be able to get past…
peter
1 vote, 0 answers

Why am I forced to use a raw socket to write eBPF programs with BCC?

GOAL: write an eBPF packet filter program that doesn't require high privileges. PROBLEM: from what I understood, I have to use the attach_raw_socket function to attach my filter to an interface. This function invokes the bpf_open_raw_sock libbpf function…
Maicake
1 vote, 1 answer

eBPF: How can the sockaddr struct be read when hooking into security_socket_connect?

As proposed in the presentation Security Monitoring with eBPF, I'm trying to hook into security_socket_connect. While my gobpf/bcc based code partly works, I seem not to be able to read the IP address in the sockaddr struct. The relevant part looks like…
peter