A dynamic instrumentation system that allows one to gather additional information about kernel operation without recompiling or rebooting a kernel.
Questions tagged [kprobe]
87 questions
0
votes
1 answer
Permission denied when using bpf_probe_read() in the ebpf program
I am unable to read the addr argument and assign it to my struct field.
struct accept_args_t {
struct sockaddr_in *addr;
};
SEC("kprobe/sys_accept")
int syscall__probe_entry_accept(struct pt_regs *ctx, int sockfd, struct sockaddr *addr,…

Gourav Kumar
0
votes
1 answer
Comparing ip addresses in bpftrace?
I am writing some bpftrace code in which I would like to compare an IP address (stored as a 32 bit integer) against the string representation of an address. That is, I want to do something like this:
kprobe:netif_receive_skb {
$skb = (struct…

larsks
0
votes
0 answers
Do `BPF` or `kprobe` need kernel with debug symbols installed to trace a kernel/kernel module function?
I am trying to debug/trace using bpf and kprobe utilities. I have a question, do BPF or kprobe need kernel with debug symbols installed to trace a kernel/kernel module function?

Franc
0
votes
1 answer
Can ebpf only use kprobe to monitor kernel functions?
I want to monitor a Linux kernel function using ebpf. Now, I write code using bcc like this:
#!/usr/bin/python3
# coding=utf-8
from bcc import BPF
from time import sleep
# define BPF program
bpf_program = """
int test_func(void *ctx) {
…

ray
0
votes
1 answer
What are the main differences between eBPF and LTTng?
What are the main differences between eBPF and LTTng?
I read LTTng uses instrumentation: “Linux Trace Toolkit Next Generation (LTTng) is a tracer able to extract information from the Linux kernel, user space libraries and from programs. It is…

Bahamas
0
votes
1 answer
Implementing bcc's killsnoop in C
I'm trying to implement the killsnoop.py program in bcc in C. When executing the program, I'm getting a failed to load: -13 error. Can someone help me to debug this?
Note: For compilation, I've taken the libbpf-bootstrap example from Andrii…

Yogaraj
0
votes
0 answers
Parse error with kprobe event registration
I'm testing kprobe events on CentOS 7, kernel version 3.10.0-1160.59.1.el7.x86_64.
[root@linux2 ~]# echo 'p:qwe do_sys_openat2 filename=+0($arg2):string' > /sys/kernel/debug/tracing/kprobe_events
-bash: echo: write error: Invalid…

daisy
0
votes
1 answer
`do_sys_open` vs `__x86_sys_open` when attaching kprobe
I have tried running opensnoop.py but using
fnname_open='do_sys_open'
(which I have seen in other scripts) instead of
fnname_open = b.get_syscall_prefix().decode() + 'open'
# = '__x86_sys_open' on Ubuntu 18.04
but the script then stops printing…

phoxd
0
votes
0 answers
Track malloc function calls using kernel module with kprobes on mmap and brk
I am trying to see how many times is the malloc function called in userspace using a kernel module and kprobes on mmap and brk. I found the system calls inside the kernel as sys_mmap and sys_brk, but when I try to insert the module inside the kernel…

ginger
0
votes
1 answer
How Kprobe and Uprobe insert debugging printk in executable -- Do they extend the address space of running Module or Program
I just could not wrap my head around the idea of debuggers and probing tools.
How is it technically possible to insert debugging printk statements inside running kernel module or user space applications -- using Kprobe and Uprobe. what terminology…

user786
0
votes
0 answers
need to debug MMAP so where is the object file for MMAP or module containing MMAP() -- how to find in linux?
I am trying to debug MMAP with kprobe but I don't know how to set break points inside MMAP. In my lib/modules there I searched but could not find that resembles mmap containing module. how can I debug mmap with kprobe so I need object file of the…

user786
0
votes
1 answer
How can I use the enum tcp mib definitions in a kprobe program?
Here, I tried to write a program (kprobe) to include the enum tcp mib like @tcp_states in the book BPF Performance Tools bpftrace. The enum tcp mib is in '/include/uapi/linux/snmp.h':
#!/usr/local/bin/bpftrace
#include
#include…
0
votes
1 answer
kprobe of tcp_retransmit_skb. instead of tcp_retransmit_skb @tcp_states, I want to kprobe __napi_schedule
In the book BPF Performance Tools there is an implementation of kprobe of tcp_retransmit_skb. I want to do the same thing but instead of tcp_retransmit_skb @tcp_states, I want to kprobe _napi_schedule and incorporate the enum NAPI_STATE* of…
0
votes
0 answers
I am trying to kprobe the function of tcp_synack_timer in a custom BPF program, like the book BPF Performance Tools
I want to use the aforementioned function because I want to use the struct request_sock_queue and struct listen_sock . Is there a way to use them (perhaps a different function)?
First I tried to make a BPF program which uses…
0
votes
2 answers
Exception: Failed to attach BPF to kprobe when executing sudo opensnoop-bpfcc
When I try to execute sudo opensnoop-bpfcc I get this message:
In file included from /virtual/main.c:4:
In file included from include/linux/sched.h:14:
In file included from include/linux/pid.h:5:
In file included from…

Maicake