Questions tagged [bpftrace]

bpftrace is a high-level tracing language for Linux enhanced Berkeley Packet Filter (eBPF) available in recent Linux kernels (4.x). bpftrace uses LLVM as a backend to compile scripts to BPF-bytecode and makes use of BCC for interacting with the Linux BPF system, as well as existing Linux tracing capabilities: kernel dynamic tracing (kprobes), user-level dynamic tracing (uprobes), and tracepoints. The bpftrace language is inspired by awk and C, and predecessor tracers such as DTrace and SystemTap.

14 questions

3 votes, 1 answer

How can I filter process name in bpftrace?

I'm currently trying to learn how to use BPF tools with the book "BPF Performance Tools". It's really complete and really interesting. At the end of some chapters there are some optional exercises, but there is no solution. I also checked the github…
NicoW
1 vote, 0 answers

How to detect that bpftrace has attached its probes and is ready to trace?

I am working with bpftrace scripts attaching to hundreds of probes and sometimes it takes a couple of seconds or minutes for bpftrace to start tracing. This is not an issue if I'm providing the command via -c because the command starts when the tracer…
Mateusz Piotrowski
1 vote, 1 answer

Why are the kernel function names not resolving in the output of kstack()?

I am trying to see the kernel stack with the following bpftrace command: root@ubuntu:~$ bpftrace -e 'k:vfs_read{@[kstack] = count()}' Attaching 1 probe... ^C @[ 0xffffffffa78d2dc1 0xffffffffa78d306a 0xffffffffa7604fd7 …
Mateusz Piotrowski
0 votes, 1 answer

Why can my bpftrace program not run on Linux kernel version 4.18?

/* FILENAME: vfs_open.bt */ #include #include kprobe:vfs_open { printf("open path: %s\n", str(((struct path *)arg0)->dentry->d_name.name)); } Since struct path and struct dentry are defined in the path.h and…
jiufei19
0 votes, 1 answer

Implementing bpftrace histogram in libbpf

I am implementing bpftrace's histogram in libbpf. struct { __uint(type, BPF_MAP_TYPE_HASH); __uint(max_entries, 1024); __type(key, u64); __type(value, u64); } latency_map SEC(".maps"); u64 bin = log2(latency); void *read =…
mq7
0 votes, 0 answers

Libbpf eBPF fails to attach, bpftrace succeeds

I am currently experimenting with BPF, both by libbpf and bpftrace. So far I've found some differences that I need help understanding. For this specific case I am trying to instrument the authelia authentication and authorization server written in Go.…
nela
0 votes, 1 answer

Why cannot `f2fs_delete_entry` be traced by bpftrace

I use the following command to trace function f2fs_delete_dentry: bpftrace -e 'kprobe:f2fs_delete_entry {printf("comm:%s inode:%ld\n", comm, ((struct inode*)arg3)->i_ino); }' But it does not print anything. So I use bpftrace -lv…
Jun
0 votes, 1 answer

Why does bpftrace treat char pointer as integer?

I run the bpftrace command as below: bpftrace -e 'kprobe:f2fs_file_write_iter { printf("process:%s file:%s inode:%ld offset:%ld count:%ld\n", comm, (((struct kiocb *)arg0)->ki_filp->f_path.dentry->d_name.name), ((struct kiocb…
Jun
0 votes, 0 answers

bpftrace uretprobe go reader pattern print buffer

I am looking for a bpftrace example for the reader pattern in go - a function that takes a buffer as input, fills that buffer and returns the written bytes and a potential error. Something like: # bpftrace -p -e…
0 votes, 0 answers

Listing all syscalls a thread makes using bpftrace

I'm trying to collect the function names of all of the syscalls a thread makes. I'm filtering by thread name: syscalls.bt: #!/usr/bin/env bpftrace kprobe:sys_enter_* / comm == str($1) / { @syscalls[func]=count(); } Problem is, this never gets…
jkang
0 votes, 0 answers

bpftrace hangs after "Attaching probe" message

Hi, I am trying to run bpftrace on AlmaLinux with uprobe. For any kind of traced application bpftrace shows "attaching .. probe(s)" and then just hangs. It works neither with bash, as appears below, nor with a simple test application compiled…
Boris
0 votes, 1 answer

Install bpftrace on ubuntu

I am new to eBPF and I am following the bpftrace installation guide at https://github.com/iovisor/bpftrace. After cloning it and mkdir bpftrace/build; cd bpftrace/build; I have executed build-libs.sh ~/bpftrace/build$ ../build-libs.sh So the script is…
0 votes, 0 answers

Is there a way to get the call stack of the process to be killed by kill -9 automatically on Redhat/Centos? bpftrace?

I just want to get the call stack or a core dump of the process automatically before a kill -9 is sent to it. After checking the bpftrace docs, I wrote a simple bpftrace program: [root]# cat killstack.bt #!/usr/bin/env…
0 votes, 1 answer

Comparing ip addresses in bpftrace?

I am writing some bpftrace code in which I would like to compare an IP address (stored as a 32 bit integer) against the string representation of an address. That is, I want to do something like this: kprobe:netif_receive_skb { $skb = (struct…
larsks