Questions related to the development of BPF tools through the use of the bcc (BPF Compiler Collection) framework.
Questions related to the development of BPF tools through the use of the bcc (BPF Compiler Collection) framework.
Questions tagged [bcc-bpf]
121 questions
1
vote
0 answers
How can I use BCC to compile my BPF program to an ELF file?
I want to use bcc just to compile my BPF program. All the examples I have seen use BCC to compile code on the fly, but I want to use it instead to compile my BPF program to an ELF file ahead of time which I can then load via gobpf separately.
Does…
dippynark
- 2,743
- 20
- 58
1
vote
1 answer
How can I determine which namespaces a PID is in from kernel space?
I am trying to write an eBPF program to log every call of a particular syscall from containers running on the system. I am using bcc and can retrieve the PID using bpf_get_current_pid_tgid().
From userspace I could examine the proc filesystem to…
dippynark
- 2,743
- 20
- 58
0
votes
0 answers
use ringbuf and perfbuf depending on kernel version dynamically
We are trying to support older kernel version with perf_buff vs. also newer kernel version with ring_buff. With some kernel guarding, we could try to compile time. We wanted to have BPF_CORE feature to avoid different kernel version maintenance…
nullptr
- 5
- 3
0
votes
0 answers
Use bpf_program__attach_uprobe() API multiple times with the same program instance, but different target functions
We are trying to port an existing bcc solution to libbpf + c. The problem is we need to support older kernels too
i.e. at least 5.5.
Functionality: uprobe for user executable with function pattern etc i.e. need bpf_program__attach_uprobe_multi …
nullptr
- 5
- 3
0
votes
1 answer
libbpf: Error in bpf_create_map_xattr(flow_table):Invalid argument(-22). Retrying without BTF
I am trying to use BPF_MAP_TYPE_ARRAY for tracking new connections and want to maintain a map with tuples and new connection details. I am using libbpf framework However, the map creation does not work when either of the key or value is a…
hundredmiles
- 61
- 6
0
votes
1 answer
Extracting Ethernet Header using XDP
I built this program to get information, namely the ethernet header out of packets with XDP, and while I was using the bpf_trace_printk function everything worked fine.
When i tried to swap to perf buffers and print the MAC addresses they are always…
Afonso Pinto
- 65
- 7
0
votes
0 answers
Passing argument "args" from a TRACEPOINT_PROBE to another function in bcc eBPF
I am exploring tracepoint probes using the bcc framework and I intend to investigate the tracepointsock:inet_sock_set_state. I started with the examples in the bcc repo but I would like to make the code more modular and readable as I am using…
hundredmiles
- 61
- 6
0
votes
0 answers
Trace TCP packets instead of TCP connections
As the title says, is it possible to trace TCP packets, instead of TCP connections using bcc/ebpf?
If so, how would i do it?
I've checked all BCC tools, and if possible I'd like to stray from using XDP.
Afonso Pinto
- 65
- 7
0
votes
0 answers
How to monitor the creation and exit events of all child processes recursively of a specific process in Linux (centos)
Suppose I specify a process (known process id), how do I monitor the creation and exit events of all recursive child processes of this process, including:
When the child process was created
The exit time of the child process
The exit code of the…
sleepfin
- 1
- 2
0
votes
0 answers
Python/bcc program only exits after i hold Ctrl+C (instead of just pressing)
As the title suggests I have this python/bcc program that doesn't stop when pressing KeyboardInterrupt, i have to hold it. The code is as follows:
def callback(ctx, data, size):
event = bpf["syscalls"].event(data)
if…
Afonso Pinto
- 65
- 7
0
votes
1 answer
Accessing system call arguments
I'm currently writing a system call tracer that stores some information about a system call every time a system call is called. How can I add to this code so that it also stores the system call arguments?
This is the event structure:
struct…
Afonso Pinto
- 65
- 7
0
votes
1 answer
Use an array field inside a struct to store list of system calls in BCC
I'm trying to create a program using BCC, in which I store an array with all System calls performed by each process. My code is as follows:
struct data_t{
u32 syscalls[MAX_SYSCALLS];
u64 count;
}
TRACEPOINT_PROBE(raw_syscalls, sys_exit{
u32 key…
Afonso Pinto
- 65
- 7
0
votes
0 answers
When tracing shared library functions with funclatency, no function names were displayed
When using the bcc tool funclatency, there are unknown function names.
It would be helpful if I could track the entry and return values of a number of functions contained in the library ibverbs (Infiniband).
I use funclatency to print a histogram of…
Bahamas
- 345
- 1
- 2
- 13
0
votes
1 answer
BPF Verification fails due to register offset
I am trying to write some bpf probes that keep some sort of state required for runtime verification. I am using iovisor/BCC for this purpose. I have created a pinned map so this value can be used across several bpf programs. Whenever I read the…
nela
- 429
- 5
- 13
0
votes
0 answers
how to get http whole request content from bpftrace
I Want to use bpftrace to get all the http request content of my program.
cat /etc/redhat-release
CentOS Linux release 8.0.1905 (Core)
uname -a
Linux infra-test4.18.0-305.12.1.el8_4.x86_64 #1 SMP Wed Aug 11
01:59:55 UTC 2021 x86_64 x86_64 x86_64…
weizhao
- 183
- 3
- 16