kernel/bpf-developer-tutorial
1
0
Fork 0
mirror of https://github.com/eunomia-bpf/bpf-developer-tutorial.git synced 2026-02-08 04:44:44 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add some desc for userspace eBPF

Browse Source
This commit is contained in:
yunwei37
2024-01-13 20:27:34 +00:00
parent 01e85ee09c
commit 3468fab36b
13 changed files with 329 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/5-uprobe-bashreadline/README.md
View File

@@ -10,7 +10,9 @@ uprobe是一种用户空间探针uprobe探针允许在用户空间程序中
uprobe基于文件当一个二进制文件中的一个函数被跟踪时所有使用到这个文件的进程都会被插桩包括那些尚未启动的进程这样就可以在全系统范围内跟踪系统调用。
uprobe适用于在用户态去解析一些内核态探针无法解析的流量例如http2流量报文header被编码内核无法解码https流量加密流量内核无法解密
uprobe适用于在用户态去解析一些内核态探针无法解析的流量例如http2流量报文header被编码内核无法解码https流量加密流量内核无法解密具体可以参考 [eBPF 实践教程:使用 uprobe 捕获多种库的 SSL/TLS 明文数据](../30-sslsniff) 中的例子。
Uprobe 在内核态 eBPF 运行时,也可能产生比较大的性能开销,这时候也可以考虑使用用户态 eBPF 运行时,例如 [bpftime](https://github.com/eunomia-bpf/bpftime)。bpftime 是一个基于 LLVM JIT/AOT 的用户态 eBPF 运行时,它可以在用户态运行 eBPF 程序,和内核态的 eBPF 兼容,避免了内核态和用户态之间的上下文切换,从而提高了 eBPF 程序的执行效率。对于 uprobe 而言bpftime 的性能开销比 kernel 小一个数量级。
## 使用 uprobe 捕获 bash 的 readline 函数调用

4
src/5-uprobe-bashreadline/README_en.md
View File

@@ -10,7 +10,9 @@ uprobe is a user-space probe that allows dynamic instrumentation in user-space p
uprobe is file-based. When a function in a binary file is traced, all processes that use the file are instrumented, including those that have not yet been started, allowing system calls to be tracked system-wide.
uprobe is suitable for parsing some traffic in user mode that cannot be resolved by kernel mode probes, such as HTTP/2 traffic (where the header is encoded and cannot be decoded by the kernel) and HTTPS traffic (which is encrypted and cannot be decrypted by the kernel).
uprobe is suitable for parsing some traffic in user mode that cannot be resolved by kernel mode probes, such as HTTP/2 traffic (where the header is encoded and cannot be decoded by the kernel) and HTTPS traffic (which is encrypted and cannot be decrypted by the kernel). For more information, see the example in [eBPF Tutorial by Example: Capturing SSL/TLS Plaintext Data from Multiple Libraries with Uprobe](../30-sslsniff).
Uprobe in kernel mode eBPF runtime may also cause relatively large performance overhead. In this case, you can also consider using user mode eBPF runtime, such as [bpftime](https://github.com/eunomia-bpf/bpftime). bpftime is a user mode eBPF runtime based on LLVM JIT/AOT. It can run eBPF programs in user mode and is compatible with kernel mode eBPF, avoiding context switching between kernel mode and user mode, thereby improving the execution efficiency of eBPF programs.
## Capturing readline Function Calls in bash using uprobe