【BPF EBPF】

Linux 4.14 内核

tcp.bt



#include <linux/socket.h>
#include <net/sock.h>

BEGIN
{
	printf("Tracing tcp state.\n");

	// Lookup table: numeric sk->__sk_common.skc_state -> printable name.
	// Keys follow the kernel's TCP state numbering; used by kprobe:tcp_fin.
	@tcp_states[1]  = "ESTABLISHED";
	@tcp_states[2]  = "SYN_SENT";
	@tcp_states[3]  = "SYN_RECV";
	@tcp_states[4]  = "FIN_WAIT1";
	@tcp_states[5]  = "FIN_WAIT2";
	@tcp_states[6]  = "TIME_WAIT";
	@tcp_states[7]  = "CLOSE";
	@tcp_states[8]  = "CLOSE_WAIT";
	@tcp_states[9]  = "LAST_ACK";
	@tcp_states[10] = "LISTEN";
	@tcp_states[11] = "CLOSING";
	@tcp_states[12] = "NEW_SYN_RECV";	// request-socket state, 4.x kernels
}

// 
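kretprobe:inet_csk_accept
/retval != 0/
{
	// Passive open: a connection was dequeued by accept().
	// inet_csk_accept() returns NULL when it cannot hand back a socket, so
	// the /retval != 0/ filter keeps the error path from reading a null sock
	// (which would otherwise print an all-zero bogus line).
	$sk = (struct sock*)retval;
	$inet_family = $sk->__sk_common.skc_family;

	// Default to 0.0.0.0; only AF_INET is decoded here (AF_INET6 prints zeros).
	$daddr = ntop(0);
	$saddr = ntop(0);

	if ($inet_family == AF_INET) {
		$daddr = ntop($sk->__sk_common.skc_daddr);
		$saddr = ntop($sk->__sk_common.skc_rcv_saddr);
	}

	// skc_num is host byte order; skc_dport is network (big-endian) order
	// and must be byte-swapped before it is printed as a number.
	$sport = $sk->__sk_common.skc_num;
	$dport = $sk->__sk_common.skc_dport;
	$dport = ($dport >> 8) | (($dport << 8) & 0x00FF00);

	// Output: remote peer --> local listener
	printf(" tcp_accept: %-16s:%d --> %-16s:%d\n", $daddr, $dport, $saddr, $sport);
}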


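kprobe:tcp_connect
{
	// Active open: tcp_connect(struct sock *sk) sends the SYN for a new
	// outbound connection; arg0 is the socket being connected.
	$sk = ((struct sock*)arg0);
	$inet_family = $sk->__sk_common.skc_family;

	// Default to 0.0.0.0; only AF_INET is decoded here (AF_INET6 prints zeros).
	$daddr = ntop(0);
	$saddr = ntop(0);

	if ($inet_family == AF_INET) {
		$daddr = ntop($sk->__sk_common.skc_daddr);
		$saddr = ntop($sk->__sk_common.skc_rcv_saddr);
	}

	// skc_num is host byte order; skc_dport is network (big-endian) order
	// and must be byte-swapped before it is printed as a number.
	$sport = $sk->__sk_common.skc_num;
	$dport = $sk->__sk_common.skc_dport;
	$dport = ($dport >> 8) | (($dport << 8) & 0x00FF00);

	// Output keeps the same column layout as tcp_accept (peer first).
	printf(" tcp_connect: %-16s:%d --> %-16s:%d\n", $daddr, $dport, $saddr, $sport);
}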

tracepoint:syscalls:sys_enter_connect
{
	// Record the entry timestamp per thread; sys_exit_connect reads it back
	// to compute the time spent inside connect().
	$t0 = nsecs;
	@start[tid] = $t0;
	printf("sys_enter_connect: %s --> %ld\n", comm, $t0);
}

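tracepoint:syscalls:sys_exit_connect
/@start[tid]/
{
	// Only threads whose entry was seen by sys_enter_connect are timed;
	// without the filter a connect() already in flight when tracing began
	// would read a missing key as 0 and add a huge bogus delta.
	// NOTE: despite the map name, @ms accumulates nanoseconds (nsecs delta).
	@ms[comm] = sum(nsecs - @start[tid]);
	delete(@start[tid]);
	printf("sys_exit_connect: %s ", comm);
	print(@ms);
}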

kprobe:tcp_fin
{
	// tcp_fin(struct sock *sk): the peer's FIN was received; report which
	// TCP state the socket was in, using the name table filled in BEGIN.
	$sock = ((struct sock*)arg0);
	$name = @tcp_states[$sock->__sk_common.skc_state];

	printf(" tcp_fin ");
	time("%H:%M:%S ");
	printf("%-8d %-16s %-16s\n", pid, comm, $name);
}

END
{
	// Drop all maps so bpftrace does not auto-print them on exit.
	clear(@start);
	clear(@ms);
	clear(@tcp_states);
}


bpftrace 命令

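# Block I/O request counts per probe, printed once a second
bpftrace -e 'tracepoint:block:block_rq_i* { @[probe] = count(); } interval:s:1 { print(@); clear(@); }'
# Total bytes returned by read()
bpftrace -e 'tracepoint:syscalls:sys_exit_read /args->ret > 0/ { @bytes = sum(args->ret); }'
# read() return-value distribution (power-of-2 / linear histogram)
bpftrace -e 'tracepoint:syscalls:sys_exit_read { @ret = hist(args->ret); }'
bpftrace -e 'tracepoint:syscalls:sys_exit_read { @ret = lhist(args->ret, 0, 1000, 100); }'
# read() error counts keyed by errno (negated return value)
bpftrace -e 'tracepoint:syscalls:sys_exit_read /args->ret < 0/ { @[- args->ret] = count(); }'
# Top 5 vfs_* functions by call count
bpftrace -e 'kprobe:vfs_* { @[probe] = count(); } END { print(@, 5); clear(@); }'
# vfs_read latency per process; /@start[tid]/ skips calls entered before tracing began
bpftrace -e 'kprobe:vfs_read { @start[tid] =nsecs; } kretprobe:vfs_read /@start[tid]/ { @ms[comm] = sum(nsecs - @start[tid]); delete(@start[tid]); } END { print(@ms, 0, 1000000); clear(@ms); clear(@start); }'
# vfs_read calls per PID
bpftrace -e 'k:vfs_read { @[pid] = count(); }'
# New process execution: parent comm -> program path (useful for process auditing)
bpftrace -e 'tracepoint:syscalls:sys_enter_execve { printf("%s -> %s\n", comm, str(args->filename)); }'
bpftrace -e 'tracepoint:syscalls:sys_enter_execve { join(args->argv); }'
# Files opened via openat()
bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("%s %s\n", comm, str(args->filename)); }'
# Syscall counts by process, by syscall, by (pid, comm)
bpftrace -e 'tracepoint:raw_syscalls:sys_enter {@[comm] = count(); }'
bpftrace -e 'tracepoint:syscalls:sys_enter_* {@[probe] = count(); }'
bpftrace -e 'tracepoint:raw_syscalls:sys_enter {@[pid, comm] = count(); }'
# read() bytes / distribution per process
bpftrace -e 'tracepoint:syscalls:sys_exit_read /args->ret/ { @[comm] = sum(args->ret); }'
bpftrace -e 'tracepoint:syscalls:sys_exit_read { @[comm] = hist(args->ret); }'
# Block I/O issue events with size
bpftrace -e 'tracepoint:block:block_rq_issue { printf("%d %s %d\n", pid, comm, args->bytes); }'
# Page faults per process (major only / all)
bpftrace -e 'software:major-faults:1 { @[comm] = count(); }'
bpftrace -e 'software:faults:1 { @[comm] = count(); }'
# clone() entry/return
bpftrace -e 'tracepoint:syscalls:sys_enter_clone { printf("-> clone() by %s PID %d\n", comm, pid); } tracepoint:syscalls:sys_exit_clone { printf("<- clone() return %d, %s PID %d\n", args->ret, comm, pid); }'
# setuid() calls and results (privilege changes worth auditing)
bpftrace -e 'tracepoint:syscalls:sys_enter_setuid { printf("setuid by PID %d (%s), UID %d\n", pid, comm, uid); }'
bpftrace -e 'tracepoint:syscalls:sys_exit_setuid { printf("setuid by %s returned %d\n", comm, args->ret); }'
# Kernel stack at block I/O insert
bpftrace -e 'tracepoint:block:block_rq_insert { printf("Block I/O by %s\n", kstack); }'
# connect() by a given PID; $1 is the first positional argument (e.g. `... 123`),
# so the filter compares against $1 as well instead of a hard-coded PID
bpftrace -e 'tracepoint:syscalls:sys_enter_connect /pid == $1/ { printf("PID %d called connect()\n", $1); }'
# hrtimer start counts by timer callback
bpftrace -e 'tracepoint:timer:hrtimer_start { @[ksym(args->function)] = count(); }'
# Count read() calls for 5 seconds, then exit
bpftrace -e 't:syscalls:sys_enter_read { @reads = count(); } interval:s:5 { exit(); }'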
