{"id":15753313,"url":"https://github.com/h0x0er/ebpf-learn","last_synced_at":"2025-06-19T20:41:28.189Z","repository":{"id":204740668,"uuid":"711236550","full_name":"h0x0er/ebpf-learn","owner":"h0x0er","description":"Learning eBPF","archived":false,"fork":false,"pushed_at":"2024-01-01T09:37:44.000Z","size":2991,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-14T10:14:14.225Z","etag":null,"topics":["bpf","cilium-ebpf","ebpf","ebpf-programs"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/h0x0er.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-10-28T16:11:53.000Z","updated_at":"2024-11-13T12:59:33.000Z","dependencies_parsed_at":null,"dependency_job_id":"8947988f-a516-4c14-ad7d-4297ed4213f6","html_url":"https://github.com/h0x0er/ebpf-learn","commit_stats":null,"previous_names":["h0x0er/ebpf-learn"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/h0x0er/ebpf-learn","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h0x0er%2Febpf-learn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h0x0er%2Febpf-learn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h0x0er%2Febpf-learn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h0x0er%2Febpf-learn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/h0x0er","download_url":"https://codeload.github.com/h0x0er/ebpf-learn/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/h0x0er%2Febpf-learn/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260827631,"owners_count":23069001,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bpf","cilium-ebpf","ebpf","ebpf-programs"],"created_at":"2024-10-04T07:40:23.635Z","updated_at":"2025-06-19T20:41:23.179Z","avatar_url":"https://github.com/h0x0er.png","language":"C","readme":"# Learning eBPF\n\n\n## important: bpf-core\n* https://facebookmicrosites.github.io/bpf/blog/2020/02/19/bpf-portability-and-co-re.html\n\n## \"vmlinux.h\" header file\n\nTo use kernel structs, run the command below to generate a header file containing all kernel struct definitions, taken from the running kernel's BTF.\n\n```bash\nbpftool btf dump file /sys/kernel/btf/vmlinux format c \u003e vmlinux.h\n```\n\nThen include it at the top of all your BTF-based programs.\n```c\n#include \"vmlinux.h\"\n```\n\n**Refer:**\n* [includes folder](includes/)\n* https://blog.aquasec.com/vmlinux.h-ebpf-programs\n\n## \"common.h\" header file\n\nI have included all the required headers in this single file. Simply include this file and start developing.\n\nheader file: [common.h](includes/common.h)\n\n## go generate:\n\n**specify custom headers**\n```go\n//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -target amd64 bpf dorenameat_btf.c -- -I../includes\n```\n**generate go structs**\n\n```go\n//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -type \u003cname of c_struct here\u003e -target amd64 bpf dorenameat_btf.c -- -I../includes\n```\nCheck out: [vfsread_btf.c](vfsread/vfsread_btf.c)\n\n## reading a kernel struct from function arguments\n\n```c\n...\n    char src[20];\n    struct filename src_file;\n\n    int err;\n\n    // copy the struct filename pointed to by the second argument out of kernel memory\n    err = bpf_probe_read_kernel(\u0026src_file, sizeof(struct filename), (void *)PT_REGS_PARM2(ctx));\n    if (err) {\n        return 0;\n    }\n\n    // fields of the copy can be read just like a normal struct; uptr points into user space,\n    // so the string behind it is read with the _user_str helper (stops at the NUL terminator)\n    bpf_probe_read_user_str(src, sizeof(src), src_file.uptr);\n...\n\n```\n\nCheck out: [dorenameat_btf.c](dorenameat/dorenameat_btf.c)\n\nRefer: https://github.com/iovisor/bcc/issues/2534\n\n## using ringbuffer\n\n**Step 1:** declare the ringbuf \u0026 the event struct to put into it.\n```c\n...\n\n// ringbuf declaration (size must be a power of two and a multiple of the page size)\nstruct {\n\t__uint(type, BPF_MAP_TYPE_RINGBUF);\n\t__uint(max_entries, 1 \u003c\u003c 24);\n} events SEC(\".maps\");\n\n// event to put into the ringbuf\nstruct event_t {\n    u8 exe[100];\n    u8 filename_[100];\n};\n...\n\n```\n**Step 2:** reserve memory in the ringbuf, populate it \u0026 submit.\n\n```c\n...\n\nstruct event_t *event;\n\n// reserve space for one event; NULL means the buffer is full\nevent = bpf_ringbuf_reserve(\u0026events, sizeof(struct event_t), 0);\nif (!event) {\n    return 0;\n}\n\n// populate the event to send\nbpf_get_current_comm(event-\u003eexe, sizeof(event-\u003eexe));\n\n// hand the event to user space (every reserved event must be submitted or discarded)\nbpf_ringbuf_submit(event, 0);\n\n...\n\n```\n\nRefer for btf code: [getname_btf.c](getname/getname_btf.c)\n\n## to read trace events\n\nWhen `bpf_printk` is used, its output can be read with the command below.\n\n```sh\nsudo cat /sys/kernel/debug/tracing/trace_pipe\n```\n\nRefer: [log.sh](log.sh)\n\n## to get the list of kernel symbols available for kprobes\n```sh\ncat /proc/kallsyms\n```\n\n## References\n\nhttps://sysdig.com/blog/the-art-of-writing-ebpf-programs-a-primer/\n\nhttps://www.oreilly.com/library/view/linux-observability-with/9781492050193/ch04.html\n\nhttps://docs.kernel.org/bpf/\n\nhttps://man7.org/linux/man-pages/man7/bpf-helpers.7.html\n\nhttps://github.com/cilium/ebpf/blob/main/docs/ebpf/guides/getting-started.md\n\nhttps://android.googlesource.com/platform/external/bcc/+/refs/heads/android10-c2f2-s1-release/docs/reference_guide.md\n\nhttps://www.tigera.io/learn/guides/ebpf/ebpf-xdp/\n\nhttps://thegraynode.io/posts/bpf_dev_env/\n\nhttps://elixir.bootlin.com/linux/latest/source/tools/testing/selftests/bpf/progs\n\nhttps://stackoverflow.com/questions/70905815/how-to-read-all-parameters-from-a-function-ebpf\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fh0x0er%2Febpf-learn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fh0x0er%2Febpf-learn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fh0x0er%2Febpf-learn/lists"}