bpf-developer-tutorial

kernel/bpf-developer-tutorial

Fork 0

mirror of https://github.com/eunomia-bpf/bpf-developer-tutorial.git synced 2026-02-03 18:24:27 +08:00

Files

History

yunwei37 81d749a9cc init with documents from eunomia-bpf

2022-12-02 19:18:03 +08:00

.gitignore

init with documents from eunomia-bpf

2022-12-02 19:18:03 +08:00

kprobe-link.bpf.c

init with documents from eunomia-bpf

2022-12-02 19:18:03 +08:00

README.md

init with documents from eunomia-bpf

2022-12-02 19:18:03 +08:00

README.md

layout, title, date, category, author, tags, summary

layout

title

date

tags

summary

post

kprobe-link

2022-10-10 16:18

bpftools

yunwei37

bpftools

examples

kprobe

no-output

an example of dealing with kernel-space entry and exit (return) probes, `kprobe` and `kretprobe` in libbpf lingo

kprobe is an example of dealing with kernel-space entry and exit (return) probes, kprobe and kretprobe in libbpf lingo. It attaches kprobe and kretprobe BPF programs to the do_unlinkat() function and logs the PID, filename, and return result, respectively, using bpf_printk() macro.

$ sudo ecli  examples/bpftools/kprobe-link/package.json
Runing eBPF program...

The kprobe demo output in /sys/kernel/debug/tracing/trace_pipe should look something like this:

$ sudo cat /sys/kernel/debug/tracing/trace_pipe
              rm-9346    [005] d..3  4710.951696: bpf_trace_printk: KPROBE ENTRY pid = 9346, filename = test1
              rm-9346    [005] d..4  4710.951819: bpf_trace_printk: KPROBE EXIT: ret = 0
              rm-9346    [005] d..3  4710.951852: bpf_trace_printk: KPROBE ENTRY pid = 9346, filename = test2
              rm-9346    [005] d..4  4710.951895: bpf_trace_printk: KPROBE EXIT: ret = 0

Run

Compile with docker:

docker run -it -v `pwd`/:/src/ yunwei37/ebpm:latest

or compile with ecc:

$ ecc kprobe-link.bpf.c
Compiling bpf object...
Packing ebpf object and config into package.json...

Run:

sudo ecli examples/bpftools/kprobe-link/package.json