bpftrace | High-level tracing language for Linux eBPF

 by   iovisor C++ Version: v0.18.0 License: Apache-2.0

kandi X-RAY | bpftrace Summary

kandi X-RAY | bpftrace Summary

bpftrace is a C++ library. bpftrace has no bugs, it has no vulnerabilities, it has a Permissive License and it has medium support. You can download it from GitHub.

bpftrace is a high-level tracing language for Linux enhanced Berkeley Packet Filter (eBPF) available in recent Linux kernels (4.x). bpftrace uses LLVM as a backend to compile scripts to BPF-bytecode and makes use of BCC for interacting with the Linux BPF system, as well as existing Linux tracing capabilities: kernel dynamic tracing (kprobes), user-level dynamic tracing (uprobes), and tracepoints. The bpftrace language is inspired by awk and C, and predecessor tracers such as DTrace and SystemTap. bpftrace was created by Alastair Robertson. To learn more about bpftrace, see the Manual the Reference Guide and One-Liner Tutorial.
Support
    Quality
      Security
        License
          Reuse

            kandi-support Support

              bpftrace has a medium active ecosystem.
              It has 6820 star(s) with 1072 fork(s). There are 166 watchers for this library.
              OutlinedDot
              It had no major release in the last 12 months.
              There are 234 open issues and 714 have been closed. On average issues are closed in 464 days. There are 26 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of bpftrace is v0.18.0

            kandi-Quality Quality

              bpftrace has 0 bugs and 0 code smells.

            kandi-Security Security

              bpftrace has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
              bpftrace code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

            kandi-License License

              bpftrace is licensed under the Apache-2.0 License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            kandi-Reuse Reuse

              bpftrace releases are available to install and integrate.
              Installation instructions, examples and code snippets are available.
              It has 471 lines of code, 15 functions and 5 files.
              It has high code complexity. Code complexity directly impacts maintainability of the code.

            Top functions reviewed by kandi - BETA

            kandi's functional review helps you automatically verify the functionalities of the libraries and avoid rework.
            Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of bpftrace
            Get all kandi verified functions for this library.

            bpftrace Key Features

            No Key Features are available at this moment for bpftrace.

            bpftrace Examples and Code Snippets

            No Code Snippets are available at this moment for bpftrace.

            Community Discussions

            QUESTION

            Weird behavior for executing a bpftrace shell command in Golang?
            Asked 2021-Apr-01 at 07:56

            What do I want?

            To parse the output of the command which basically runs inside a POD

            Shell Command:

            ...

            ANSWER

            Answered 2021-Apr-01 at 07:56

            After string "/n" gets added, so I removed the newline using the following to make it work as expected:

            Source https://stackoverflow.com/questions/66778874

            QUESTION

            Can one retrieve a socket's port from the Linux Kernel data type `struct sock`?
            Asked 2020-May-09 at 06:03

            Motivation

            I'm trying to write a bpftrace program to trace out when a socket is ready for reading by hooking into the kprobe sock_def_readable. I will get a struct sock to inspect. I'd like to map it back to the socket I created in user-land.

            Question

            How does one recover the port number from a struct sock?

            ...

            ANSWER

            Answered 2020-May-09 at 06:03

            I just expanded the definition of inet_sk ... which was merely a cast.

            Source https://stackoverflow.com/questions/61673778

            QUESTION

            bpftrace and sys_read syscall
            Asked 2020-Apr-05 at 09:38

            I'm attempting to write a single bpftrace script which grab the strings passing from a postfix process and a saslauthd for the authentication part. The goal is detect compromise account of my company. The strace command give me some good results:

            ...

            ANSWER

            Answered 2020-Apr-05 at 09:37

            TL;DR. That's actually the expected behavior of str(buf, len). It retrieves the string pointed to by buf, with a limit to len characters including the NULL character. Thus, since in your case some strings start with a NULL character, str() will copy an empty string.

            Sources. bpftrace translates str() into a call to the BPF_FUNC_probe_read_str BPF helper. In the kernel, that helper itself calls strncpy_from_unsafe.

            I don't think bpftrace already has a function implementing what you're looking for. If you want your described semantics, you could ask for a copy() function in bpftrace. Though, looking at the commit that introduced str(), it shouldn't be too hard to write a patch for that. Don't hesitate to send a pull request!

            Source https://stackoverflow.com/questions/61039065

            QUESTION

            attaching bpf to sys_enter (tracepoint available through /proc/kallsyms)
            Asked 2020-Apr-03 at 05:55

            I'm trying to build a tool wherein I attach a BPF program to the entry points for all syscalls. From the CLI, I was able to attach to all syscall entries via

            ...

            ANSWER

            Answered 2020-Apr-03 at 05:55

            I don't think there's a way to trace all syscalls with a single kprobe attach point via BPF. Instead what you can do is derive the list of all matching krprobe hooks from the given pattern (i.e., sys_enter_*).

            In bcc, there's function called BPF.get_kprobe_functions() that allows you to do just that. You can see an example usage in bcc's funccount.py. I'm guessing that bpftrace does something very similar when giving it a pattern.

            Source https://stackoverflow.com/questions/60983944

            QUESTION

            Monitoring Process Syscalls in Live Environment
            Asked 2020-Mar-13 at 04:17

            I've been working on a project for a little while, and the first step is building a library of syscall traces for processes. Essentially, what I'm trying to do is have system wherein every time a process requests an OS service via a syscall, relevant information (calling process, time, syscall name) of the event get logged to a file.

            Theoretically, this sounds like a simple enough thing to do, however, implementing such is becoming more of a pain as time goes on. I suppose the main that's causing issues for me is a general lack of knowing where to start implementation.

            Initially, I thought that this could all be handled be adding a few lines of code to the kernel entry point, but after digging through entry_64.S for a little while, I came to the conclusion that there must be an easier way. The next idea I had was to overwrite all the services pointed to by sys_call_table with my own service that did logging then called the original service. But, turns out, there are some difficulties to this method with linux kernel 5.4.18 due to sys_call_table no longer being exported. And, even when recompiling the kernel so that sys_call_table is exported, the table is in a memory protected location. Lastly, I've been experimenting with auditd. Specifically, I followed this link but it doesn't seem to be working (when I executed kill command there was is only a corresponding result in ausearch about 50% of time based on timestamps).

            I'm getting a little burned out by all these dead-ends, and am really hoping to finally have this first stage in my project up and running. Does anyone have any pointers as to what I should try?

            Solution: BPFTrace was exactly what I was looking for.

            ...

            ANSWER

            Answered 2020-Mar-13 at 04:17

            I used BPFTrace to log every time the kernel began execution of a syscall (excluding those initiated by BPFTrace itself)

            Source https://stackoverflow.com/questions/60367940

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install bpftrace

            For build and install instructions, see INSTALL.md.

            Support

            For additional help / discussion, please use our discussions page.
            Find more information at:

            Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items

            Find more libraries
            CLONE
          • HTTPS

            https://github.com/iovisor/bpftrace.git

          • CLI

            gh repo clone iovisor/bpftrace

          • sshUrl

            git@github.com:iovisor/bpftrace.git

          • Stay Updated

            Subscribe to our newsletter for trending solutions and developer bootcamps

            Agree to Sign up and Terms & Conditions

            Share this Page

            share link