
kprobe-link

An example of dealing with kernel-space entry and exit (return) probes, kprobe and kretprobe in libbpf lingo.

Run the eBPF program in one line

sudo ecli run kprobe-link

kprobe is an example of dealing with kernel-space entry and exit (return) probes, kprobe and kretprobe in libbpf lingo. It attaches kprobe and kretprobe BPF programs to the do_unlinkat() function: the kprobe logs the PID and filename on entry, and the kretprobe logs the return result on exit, both using the bpf_printk() macro.

$ sudo ./kprobe
libbpf: loading object 'kprobe_bpf' from buffer
...
Successfully started!
...........

The kprobe demo output in /sys/kernel/debug/tracing/trace_pipe should look something like this:

$ sudo cat /sys/kernel/debug/tracing/trace_pipe
              rm-9346    [005] d..3  4710.951696: bpf_trace_printk: KPROBE ENTRY pid = 9346, filename = test1
              rm-9346    [005] d..4  4710.951819: bpf_trace_printk: KPROBE EXIT: ret = 0
              rm-9346    [005] d..3  4710.951852: bpf_trace_printk: KPROBE ENTRY pid = 9346, filename = test2
              rm-9346    [005] d..4  4710.951895: bpf_trace_printk: KPROBE EXIT: ret = 0
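
The EXIT lines carry only the return value, so a file-deletion audit record has to be built by pairing each EXIT with the preceding ENTRY from the same task. The following is an added example, not part of the kprobe-link project: a Python sketch that does this pairing over trace_pipe text, where the function name `correlate`, the record fields and the last three sample lines are assumptions made for illustration.

```python
import re

# Constructed sample: the first four lines are the trace_pipe output shown above;
# the last three are made up to cover a failed unlink and an unmatched EXIT.
SAMPLE = """\
              rm-9346    [005] d..3  4710.951696: bpf_trace_printk: KPROBE ENTRY pid = 9346, filename = test1
              rm-9346    [005] d..4  4710.951819: bpf_trace_printk: KPROBE EXIT: ret = 0
              rm-9346    [005] d..3  4710.951852: bpf_trace_printk: KPROBE ENTRY pid = 9346, filename = test2
              rm-9346    [005] d..4  4710.951895: bpf_trace_printk: KPROBE EXIT: ret = 0
              rm-9350    [002] d..3  4711.100000: bpf_trace_printk: KPROBE ENTRY pid = 9350, filename = missing
              rm-9350    [002] d..4  4711.100040: bpf_trace_printk: KPROBE EXIT: ret = -2
              rm-9400    [001] d..4  4712.000000: bpf_trace_printk: KPROBE EXIT: ret = 0
"""

# Prefix: "<comm>-<task id> [cpu] <flags> <timestamp>: bpf_trace_printk: <message>"
LINE = re.compile(r"^\s*(?P<comm>.+)-(?P<task>\d+)\s+\[\d+\]\s+\S+\s+"
                  r"(?P<ts>\d+\.\d+):\s+bpf_trace_printk:\s+(?P<msg>.*)$")
ENTRY = re.compile(r"KPROBE ENTRY pid = (\d+), filename = (.*)$")
EXIT = re.compile(r"KPROBE EXIT: ret = (-?\d+)$")

def correlate(lines):
    """Pair ENTRY/EXIT lines per task; return (records, orphan_exit_lines)."""
    pending = {}            # task id from the line prefix -> open ENTRY
    records, orphans = [], []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue        # not a bpf_trace_printk line
        task, ts, msg = int(m["task"]), float(m["ts"]), m["msg"].strip()
        if (e := ENTRY.match(msg)):
            pending[task] = (m["comm"].strip(), int(e[1]), e[2], ts)
        elif (x := EXIT.match(msg)):
            start = pending.pop(task, None)
            if start is None:
                # EXIT without ENTRY: tracing started mid-call or a line was lost
                orphans.append(raw.strip())
                continue
            comm, pid, filename, t0 = start
            records.append({"comm": comm, "pid": pid, "filename": filename,
                            "ret": int(x[1]),   # 0 = unlinked, negative = -errno
                            "latency_us": round((ts - t0) * 1e6)})
    return records, orphans

if __name__ == "__main__":
    recs, lost = correlate(SAMPLE.splitlines())
    for r in recs:
        print(r)
    print("unmatched exits:", lost)
```
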

Run

Compile:

docker run -it -v `pwd`/:/src/ yunwei37/ebpm:latest

Run:

sudo ecli/build/bin/Release/ecli run examples/bpftools/kprobe-link/package.json
This article is licensed by the author under CC BY 4.0.