This post is jumbled notes on debugging with eBPF that I wanted for future reference. It’s a work-in-progress, so please don’t judge me too harshly.

Let’s see if we can use bpftrace to monitor incoming traffic. The writeup on how SKBs work shows skb_put as a potentially useful function to monitor.

Look up the skb_put source in the Linux kernel to see its arguments: skb_put(struct sk_buff *skb, unsigned int len). The second argument (arg1 in bpftrace) is the length of the fragment being added, which is useful to see.

# look for kernel symbols with skb in the name (addresses show as 0 unless run as root)
$ grep skb /proc/kallsyms

# try some bpftraces...
# arg0 is the skb pointer, arg1 is the length; both are integers, so use %lx / %u rather than %s
$ sudo bpftrace -e 'kprobe:skb_put { @bytes = hist(arg1); }'
$ sudo bpftrace -e 'kprobe:skb_put { printf("skb=%lx\tlen=%u\n", arg0, arg1); }'

# filter by command name, "wget" in this case
# note: comm is the task current on the CPU, so this matches skb_put calls made in
# wget's own context (the transmit path); receive-path calls run in softirq context
# and carry whatever comm happened to be interrupted
$ sudo bpftrace -e 'kprobe:skb_put /comm == "wget"/ { printf("skb=%lx\tlen=%u\n", arg0, arg1); }'

Useful Links

uprobe

Questions/Notes

Example Using structs

C structures can be used to interpret pointers (source):


#include <linux/socket.h>
#include <net/sock.h>

// ...

kprobe:tcp_retransmit_skb
{
	// cast the raw first argument to the kernel's struct sock
	$sk = (struct sock *)arg0;
	$inet_family = $sk->__sk_common.skc_family;

	// ...
}
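As an added example (not code from the post, and not one of bpftrace's own tools), here is a complete script built on that pattern: it casts arg0 to struct sock, reads the address family, addresses and ports out of the embedded struct sock_common, and prints one line per TCP retransmit. It assumes kernel headers are installed so that net/sock.h resolves; the field names used are those of struct sock_common in the kernel source.

```bpftrace
#!/usr/bin/env bpftrace
#include <linux/socket.h>
#include <net/sock.h>

// Added example: print the connection 4-tuple on every TCP retransmit.
// Assumes kernel headers are available so struct sock resolves.

BEGIN
{
	printf("Tracing tcp_retransmit_skb() ... hit Ctrl-C to end.\n");
}

kprobe:tcp_retransmit_skb
{
	// arg0 is a raw 64-bit value; the cast tells bpftrace how to read fields from it
	$sk = (struct sock *)arg0;
	$inet_family = $sk->__sk_common.skc_family;

	// the same struct holds v4 and v6 addresses in different fields,
	// so pick by family before formatting with ntop()
	if ($inet_family == AF_INET) {
		$daddr = ntop($sk->__sk_common.skc_daddr);
		$saddr = ntop($sk->__sk_common.skc_rcv_saddr);
	} else {
		$daddr = ntop($sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);
		$saddr = ntop($sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);
	}

	// skc_num (local port) is host byte order; skc_dport is network byte order
	$lport = $sk->__sk_common.skc_num;
	$dport = $sk->__sk_common.skc_dport;
	$dport = ($dport >> 8) | (($dport << 8) & 0xff00);

	time("%H:%M:%S ");
	printf("%-6d %-12s %s:%d -> %s:%d\n", pid, comm, $saddr, $lport, $daddr, $dport);
}
```

Run it with sudo while a connection is losing packets (or while throttled with tc) to see the retransmit lines; pid and comm are only meaningful when the retransmit happens in process context rather than from a timer.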

Clearing at END

Is clearing the maps at the end of the program necessary? The code below is from tcplife.bt:

END
{
	clear(@birth); clear(@skpid); clear(@skcomm);
}
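The skb_put tracing above and the END-clearing question both come together in the following script, added here as an example (it is not from the post or from tcplife.bt). It keeps a bookkeeping map keyed by thread id so the return probe can see the length passed on entry, aggregates the results per process name, and then clears only the bookkeeping map in END: bpftrace prints every map that still exists at exit, so clearing is how you keep internal state out of the output while the result maps print automatically. It assumes a bpftrace with kprobe/kretprobe support and root privileges.

```bpftrace
#!/usr/bin/env bpftrace
// Added example (not from the post or tcplife.bt).
// skb_put(struct sk_buff *skb, unsigned int len): arg0 = skb, arg1 = len.

BEGIN
{
	printf("Tracing skb_put() ... hit Ctrl-C to end.\n");
}

kprobe:skb_put
{
	// Bookkeeping: the return probe cannot see the arguments, so stash the
	// requested length for this thread until skb_put returns.
	@len[tid] = arg1;

	// comm is whatever task is current on this CPU: the sender on the
	// transmit path, but on the receive path (softirq) just the task that
	// happened to be interrupted, so it is not "the receiving process".
	@bytes[comm] = hist(arg1);
}

kretprobe:skb_put
/@len[tid]/
{
	// retval is the pointer to the newly added tail data; here we only
	// use the stashed length to keep a running total per comm
	@total[comm] = sum(@len[tid]);
	delete(@len[tid]);
}

END
{
	// bpftrace dumps every remaining map on exit. @len is internal
	// bookkeeping, so clear it; @bytes and @total are the results and are
	// left alone so they print automatically.
	clear(@len);
}
```

The tcplife.bt pattern is the same: @birth, @skpid and @skcomm are per-socket bookkeeping and are cleared in END so only the summary output appears. If you omit the clear, the program still works but the bookkeeping map is dumped alongside the results.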