https://github.com/graniet/ebpf-utils

Example for create, monitor eBPF probe
https://github.com/graniet/ebpf-utils

bpf bpftrace ebpf ebpf-rust rust tracing

Last synced: 12 months ago
JSON representation

Example for create, monitor eBPF probe

Host: GitHub
URL: https://github.com/graniet/ebpf-utils
Owner: graniet
Created: 2022-07-09T05:43:04.000Z (almost 4 years ago)
Default Branch: main
Last Pushed: 2022-07-10T04:53:30.000Z (almost 4 years ago)
Last Synced: 2025-06-05T06:29:13.136Z (about 1 year ago)
Topics: bpf, bpftrace, ebpf, ebpf-rust, rust, tracing
Language: Rust
Homepage:
Size: 21.5 KB
Stars: 4
Watchers: 2
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# eBPF utils

### Generate a probe :

```shell
./ebpf-utils generate "__x64_sys_tgkill" --kprobe --args "sys_tgid:%d" "sys_pid:%d" "sys_signal:%d" -o /tmp/tgkill.c --prober-name "prober-tgkill.yaml"
```

```
generate kprobe probe : ["__x64_sys_tgkill"]
probers : Prober {
probe_type: "kprobe",
probe_path: "/tmp/tgkill.c",
probe_init: "do_probing",
arguments: [
"sys_tgid:%d",
"sys_pid:%d",
"sys_signal:%d",
],
map_object: "ebpf_map_events",
map_object_type: "hashmap",
probe_hook: "__x64_sys_tgkill",
}
```

### Monitor with prober :

```shell
$ ./ebpf-utils monitor --probes prober-tgkill.yaml
```

```
loading BPF program /tmp/tgkill.c into BPF VM...
monitor > all
source : /tmp/tgkill.c___x64_sys_tgkill
{
"sys_tgid": "11435",
"sys_pid": "11437",
"sys_signal": "23",
"comm": "test",
"pid": "11443",
}
{
"comm": "test",
"sys_signal": "2",
"sys_pid": "11435",
"pid": "11435",
"sys_tgid": "11435",
}
```

### Monitor with multiple probers :

#### generate a second probe

```shell
$ ./ebpf-utils generate "__x64_sys_openat" --kprobe --args "sys_f:%d" "sys_path:%s@user" -o /tmp/openat.c --prober-name "prober-openat.yaml"
```

```
generate kprobe probe : ["__x64_sys_openat"]
probers : Prober {
probe_type: "kprobe",
probe_path: "/tmp/openat.c",
probe_init: "do_probing",
arguments: [
"sys_f:%d",
"sys_path:%s",
],
map_object: "ebpf_map_events",
map_object_type: "hashmap",
probe_hook: "__x64_sys_openat",
}
```

```shell
$ ./ebpf-utils monitor --probes prober-tgkill.yaml prober-openat.yaml
```

```
monitor > all
source : /tmp/tgkill.c___x64_sys_tgkill
{
"sys_tgid": "11727",
"comm": "test",
"pid": "11728",
"sys_pid": "11727",
"sys_signal": "23",
}
{
"comm": "test",
"sys_signal": "2",
"sys_tgid": "11727",
"pid": "11727",
"sys_pid": "11727",
}
source : /tmp/openat.c___x64_sys_openat
{
"sys_path": "/proc/meminfo",
"sys_f": "-100",
"pid": "1569",
"comm": "MemoryPoller",
}

```

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Awesome

https://github.com/graniet/ebpf-utils

Awesome Lists containing this project

README