eBPF Tracing
Get started with eBPF Tracing
TODO: learn how to use bcc/trace and bpftrace
bcc
install bcc on RHEL
dnf install -y bcc-tools
The tools are installed under /usr/share/bcc/tools/. Go through the tutorial to become familiar with each tool.
- Some tools that may be of interest: bpflist, tcp*, memleak
- The funccount command traces functions, tracepoints, or USDT probes that match a specified pattern, e.g. funccount 'tcp_*'
- The trace command probes the functions you specify and displays trace messages, e.g. trace 'do_sys_open "%s", arg2' or trace -I 'net/sock.h' 'udpv6_sendmsg(struct sock *sk) (sk->sk_dport == 13568)'
To develop a new tool, see the developer tutorial.
bpftrace
install bpftrace on RHEL
dnf install -y bpftrace
The tools are installed under /usr/share/bpftrace/tools/.
- Some tools that may be of interest: gethostlatency.bt, tcp*
How to deal with the errors
Q: bcc: “Unable to find kernel headers. Try rebuilding kernel with CONFIG_IKHEADERS=m (module)”
A: You need to install the kernel-devel package if you use RHEL8.
Q: bpftrace got errors like “'net/sock.h' file not found”.
A: You need to install the kernel-devel package if you use RHEL8.
Q: bcc: # ./trace 'sys_execve "%s", arg1' cannot attach kprobe, probe entry may not exist Failed to attach BPF program b'probe_sys_execve_1' to kprobe b'sys_execve'
A: Check '/proc/kallsyms' and see if it contains the probe you want to attach. In this case it should be '__x64_sys_execve' on an x86_64 system.
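The /proc/kallsyms check from the last answer, as an added example (not code from bcc or from the original notes). The function name resolve_kprobe, the list of architecture wrapper prefixes and the sample symbol lines are assumptions made for illustration; the addresses are constructed.

```sh
#!/bin/sh
# resolve_kprobe NAME [KALLSYMS_FILE]   (hypothetical helper name)
# Prints every text symbol that equals NAME, or equals NAME once an
# architecture syscall-wrapper prefix such as "__x64_" is removed.
# Returns 1 when nothing matches, i.e. the kprobe attach would fail.
# KALLSYMS_FILE defaults to /proc/kallsyms; "-" reads standard input.
resolve_kprobe() {
    name=$1
    file=${2:-/proc/kallsyms}
    awk -v want="$name" '
        # Line format: <address> <type> <symbol> [module]
        # Only text (code) symbols, type T or t, can carry a kprobe.
        $2 ~ /^[Tt]$/ {
            sym = $3
            if (sym == want) { print sym; found = 1; next }
            bare = sym
            # Assumed prefix list; extend it for other architectures.
            if (sub(/^__(x64|ia32|arm64|s390x|riscv)_/, "", bare) &&
                bare == want) {
                print sym; found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    ' "$file"
}

# Constructed sample in kallsyms format, so the check runs without root
# and on machines where the real file hides addresses.
sample_kallsyms() {
    cat <<'EOF'
ffffffff812e4a10 T __x64_sys_execve
ffffffff812e4a60 T __ia32_sys_execve
ffffffff812e4ab0 T __ia32_compat_sys_execve
ffffffff812e3f00 t do_execveat_common.isra.0
ffffffff812d1c20 T do_sys_open
ffffffff81c00000 D sys_call_table
ffffffffc0a01000 t nf_hook_entry [nf_tables]
EOF
}

# Demo on the sample; on a live system run: resolve_kprobe sys_execve
sample_kallsyms | resolve_kprobe sys_execve -
```

Pass one of the printed names to trace in place of sys_execve, e.g. trace '__x64_sys_execve'.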
Author Hangbin Liu
LastMod 2020-06-09 (93a7471)