1*387f9dfdSAndroid Build Coastguard Worker# bcc Reference Guide 2*387f9dfdSAndroid Build Coastguard Worker 3*387f9dfdSAndroid Build Coastguard WorkerIntended for search (Ctrl-F) and reference. For tutorials, start with [tutorial.md](tutorial.md). 4*387f9dfdSAndroid Build Coastguard Worker 5*387f9dfdSAndroid Build Coastguard WorkerThis guide is incomplete. If something feels missing, check the bcc and kernel source. And if you confirm we're missing something, please send a pull request to fix it, and help out everyone. 6*387f9dfdSAndroid Build Coastguard Worker 7*387f9dfdSAndroid Build Coastguard Worker## Contents 8*387f9dfdSAndroid Build Coastguard Worker 9*387f9dfdSAndroid Build Coastguard Worker- [BPF C](#bpf-c) 10*387f9dfdSAndroid Build Coastguard Worker - [Events & Arguments](#events--arguments) 11*387f9dfdSAndroid Build Coastguard Worker - [1. kprobes](#1-kprobes) 12*387f9dfdSAndroid Build Coastguard Worker - [2. kretprobes](#2-kretprobes) 13*387f9dfdSAndroid Build Coastguard Worker - [3. Tracepoints](#3-tracepoints) 14*387f9dfdSAndroid Build Coastguard Worker - [4. uprobes](#4-uprobes) 15*387f9dfdSAndroid Build Coastguard Worker - [5. uretprobes](#5-uretprobes) 16*387f9dfdSAndroid Build Coastguard Worker - [6. USDT probes](#6-usdt-probes) 17*387f9dfdSAndroid Build Coastguard Worker - [7. Raw Tracepoints](#7-raw-tracepoints) 18*387f9dfdSAndroid Build Coastguard Worker - [8. system call tracepoints](#8-system-call-tracepoints) 19*387f9dfdSAndroid Build Coastguard Worker - [9. kfuncs](#9-kfuncs) 20*387f9dfdSAndroid Build Coastguard Worker - [10. kretfuncs](#10-kretfuncs) 21*387f9dfdSAndroid Build Coastguard Worker - [11. lsm probes](#11-lsm-probes) 22*387f9dfdSAndroid Build Coastguard Worker - [12. bpf iterators](#12-bpf-iterators) 23*387f9dfdSAndroid Build Coastguard Worker - [Data](#data) 24*387f9dfdSAndroid Build Coastguard Worker - [1. bpf_probe_read_kernel()](#1-bpf_probe_read_kernel) 25*387f9dfdSAndroid Build Coastguard Worker - [2. bpf_probe_read_kernel_str()](#2-bpf_probe_read_kernel_str) 26*387f9dfdSAndroid Build Coastguard Worker - [3. bpf_ktime_get_ns()](#3-bpf_ktime_get_ns) 27*387f9dfdSAndroid Build Coastguard Worker - [4. bpf_get_current_pid_tgid()](#4-bpf_get_current_pid_tgid) 28*387f9dfdSAndroid Build Coastguard Worker - [5. bpf_get_current_uid_gid()](#5-bpf_get_current_uid_gid) 29*387f9dfdSAndroid Build Coastguard Worker - [6. bpf_get_current_comm()](#6-bpf_get_current_comm) 30*387f9dfdSAndroid Build Coastguard Worker - [7. bpf_get_current_task()](#7-bpf_get_current_task) 31*387f9dfdSAndroid Build Coastguard Worker - [8. bpf_log2l()](#8-bpf_log2l) 32*387f9dfdSAndroid Build Coastguard Worker - [9. bpf_get_prandom_u32()](#9-bpf_get_prandom_u32) 33*387f9dfdSAndroid Build Coastguard Worker - [10. bpf_probe_read_user()](#10-bpf_probe_read_user) 34*387f9dfdSAndroid Build Coastguard Worker - [11. bpf_probe_read_user_str()](#11-bpf_probe_read_user_str) 35*387f9dfdSAndroid Build Coastguard Worker - [12. bpf_get_ns_current_pid_tgid()](#12-bpf_get_ns_current_pid_tgid) 36*387f9dfdSAndroid Build Coastguard Worker - [Debugging](#debugging) 37*387f9dfdSAndroid Build Coastguard Worker - [1. bpf_override_return()](#1-bpf_override_return) 38*387f9dfdSAndroid Build Coastguard Worker - [Output](#output) 39*387f9dfdSAndroid Build Coastguard Worker - [1. bpf_trace_printk()](#1-bpf_trace_printk) 40*387f9dfdSAndroid Build Coastguard Worker - [2. BPF_PERF_OUTPUT](#2-bpf_perf_output) 41*387f9dfdSAndroid Build Coastguard Worker - [3. perf_submit()](#3-perf_submit) 42*387f9dfdSAndroid Build Coastguard Worker - [4. perf_submit_skb()](#4-perf_submit_skb) 43*387f9dfdSAndroid Build Coastguard Worker - [5. BPF_RINGBUF_OUTPUT](#5-bpf_ringbuf_output) 44*387f9dfdSAndroid Build Coastguard Worker - [6. ringbuf_output()](#6-ringbuf_output) 45*387f9dfdSAndroid Build Coastguard Worker - [7. ringbuf_reserve()](#7-ringbuf_reserve) 46*387f9dfdSAndroid Build Coastguard Worker - [8. ringbuf_submit()](#8-ringbuf_submit) 47*387f9dfdSAndroid Build Coastguard Worker - [9. ringbuf_discard()](#9-ringbuf_discard) 48*387f9dfdSAndroid Build Coastguard Worker - [Maps](#maps) 49*387f9dfdSAndroid Build Coastguard Worker - [1. BPF_TABLE](#1-bpf_table) 50*387f9dfdSAndroid Build Coastguard Worker - [2. BPF_HASH](#2-bpf_hash) 51*387f9dfdSAndroid Build Coastguard Worker - [3. BPF_ARRAY](#3-bpf_array) 52*387f9dfdSAndroid Build Coastguard Worker - [4. BPF_HISTOGRAM](#4-bpf_histogram) 53*387f9dfdSAndroid Build Coastguard Worker - [5. BPF_STACK_TRACE](#5-bpf_stack_trace) 54*387f9dfdSAndroid Build Coastguard Worker - [6. BPF_PERF_ARRAY](#6-bpf_perf_array) 55*387f9dfdSAndroid Build Coastguard Worker - [7. BPF_PERCPU_HASH](#7-bpf_percpu_hash) 56*387f9dfdSAndroid Build Coastguard Worker - [8. BPF_PERCPU_ARRAY](#8-bpf_percpu_array) 57*387f9dfdSAndroid Build Coastguard Worker - [9. BPF_LPM_TRIE](#9-bpf_lpm_trie) 58*387f9dfdSAndroid Build Coastguard Worker - [10. BPF_PROG_ARRAY](#10-bpf_prog_array) 59*387f9dfdSAndroid Build Coastguard Worker - [11. BPF_DEVMAP](#11-bpf_devmap) 60*387f9dfdSAndroid Build Coastguard Worker - [12. BPF_CPUMAP](#12-bpf_cpumap) 61*387f9dfdSAndroid Build Coastguard Worker - [13. BPF_XSKMAP](#13-bpf_xskmap) 62*387f9dfdSAndroid Build Coastguard Worker - [14. BPF_ARRAY_OF_MAPS](#14-bpf_array_of_maps) 63*387f9dfdSAndroid Build Coastguard Worker - [15. BPF_HASH_OF_MAPS](#15-bpf_hash_of_maps) 64*387f9dfdSAndroid Build Coastguard Worker - [16. BPF_STACK](#16-bpf_stack) 65*387f9dfdSAndroid Build Coastguard Worker - [17. BPF_QUEUE](#17-bpf_queue) 66*387f9dfdSAndroid Build Coastguard Worker - [18. BPF_SOCKHASH](#18-bpf_sockhash) 67*387f9dfdSAndroid Build Coastguard Worker - [19. map.lookup()](#19-maplookup) 68*387f9dfdSAndroid Build Coastguard Worker - [20. map.lookup_or_try_init()](#20-maplookup_or_try_init) 69*387f9dfdSAndroid Build Coastguard Worker - [21. map.delete()](#21-mapdelete) 70*387f9dfdSAndroid Build Coastguard Worker - [22. map.update()](#22-mapupdate) 71*387f9dfdSAndroid Build Coastguard Worker - [23. map.insert()](#23-mapinsert) 72*387f9dfdSAndroid Build Coastguard Worker - [24. map.increment()](#24-mapincrement) 73*387f9dfdSAndroid Build Coastguard Worker - [25. map.get_stackid()](#25-mapget_stackid) 74*387f9dfdSAndroid Build Coastguard Worker - [26. map.perf_read()](#26-mapperf_read) 75*387f9dfdSAndroid Build Coastguard Worker - [27. map.call()](#27-mapcall) 76*387f9dfdSAndroid Build Coastguard Worker - [28. map.redirect_map()](#28-mapredirect_map) 77*387f9dfdSAndroid Build Coastguard Worker - [29. map.push()](#29-mappush) 78*387f9dfdSAndroid Build Coastguard Worker - [30. map.pop()](#30-mappop) 79*387f9dfdSAndroid Build Coastguard Worker - [31. map.peek()](#31-mappeek) 80*387f9dfdSAndroid Build Coastguard Worker - [32. map.sock_hash_update()](#32-mapsock_hash_update) 81*387f9dfdSAndroid Build Coastguard Worker - [33. map.msg_redirect_hash()](#33-mapmsg_redirect_hash) 82*387f9dfdSAndroid Build Coastguard Worker - [34. map.sk_redirect_hash()](#34-mapsk_redirect_hash) 83*387f9dfdSAndroid Build Coastguard Worker - [Licensing](#licensing) 84*387f9dfdSAndroid Build Coastguard Worker - [Rewriter](#rewriter) 85*387f9dfdSAndroid Build Coastguard Worker 86*387f9dfdSAndroid Build Coastguard Worker- [bcc Python](#bcc-python) 87*387f9dfdSAndroid Build Coastguard Worker - [Initialization](#initialization) 88*387f9dfdSAndroid Build Coastguard Worker - [1. BPF](#1-bpf) 89*387f9dfdSAndroid Build Coastguard Worker - [2. USDT](#2-usdt) 90*387f9dfdSAndroid Build Coastguard Worker - [Events](#events) 91*387f9dfdSAndroid Build Coastguard Worker - [1. attach_kprobe()](#1-attach_kprobe) 92*387f9dfdSAndroid Build Coastguard Worker - [2. attach_kretprobe()](#2-attach_kretprobe) 93*387f9dfdSAndroid Build Coastguard Worker - [3. attach_tracepoint()](#3-attach_tracepoint) 94*387f9dfdSAndroid Build Coastguard Worker - [4. attach_uprobe()](#4-attach_uprobe) 95*387f9dfdSAndroid Build Coastguard Worker - [5. attach_uretprobe()](#5-attach_uretprobe) 96*387f9dfdSAndroid Build Coastguard Worker - [6. USDT.enable_probe()](#6-usdtenable_probe) 97*387f9dfdSAndroid Build Coastguard Worker - [7. attach_raw_tracepoint()](#7-attach_raw_tracepoint) 98*387f9dfdSAndroid Build Coastguard Worker - [8. attach_raw_socket()](#8-attach_raw_socket) 99*387f9dfdSAndroid Build Coastguard Worker - [9. attach_xdp()](#9-attach_xdp) 100*387f9dfdSAndroid Build Coastguard Worker - [10. attach_func()](#10-attach_func) 101*387f9dfdSAndroid Build Coastguard Worker - [11. detach_func()](#11-detach_func) 102*387f9dfdSAndroid Build Coastguard Worker - [12. detach_kprobe()](#12-detach_kprobe) 103*387f9dfdSAndroid Build Coastguard Worker - [13. detach_kretprobe()](#13-detach_kretprobe) 104*387f9dfdSAndroid Build Coastguard Worker - [Debug Output](#debug-output) 105*387f9dfdSAndroid Build Coastguard Worker - [1. trace_print()](#1-trace_print) 106*387f9dfdSAndroid Build Coastguard Worker - [2. trace_fields()](#2-trace_fields) 107*387f9dfdSAndroid Build Coastguard Worker - [Output APIs](#output-apis) 108*387f9dfdSAndroid Build Coastguard Worker - [1. perf_buffer_poll()](#1-perf_buffer_poll) 109*387f9dfdSAndroid Build Coastguard Worker - [2. ring_buffer_poll()](#2-ring_buffer_poll) 110*387f9dfdSAndroid Build Coastguard Worker - [3. ring_buffer_consume()](#3-ring_buffer_consume) 111*387f9dfdSAndroid Build Coastguard Worker - [Map APIs](#map-apis) 112*387f9dfdSAndroid Build Coastguard Worker - [1. get_table()](#1-get_table) 113*387f9dfdSAndroid Build Coastguard Worker - [2. open_perf_buffer()](#2-open_perf_buffer) 114*387f9dfdSAndroid Build Coastguard Worker - [3. items()](#3-items) 115*387f9dfdSAndroid Build Coastguard Worker - [4. values()](#4-values) 116*387f9dfdSAndroid Build Coastguard Worker - [5. clear()](#5-clear) 117*387f9dfdSAndroid Build Coastguard Worker - [6. items_lookup_and_delete_batch()](#6-items_lookup_and_delete_batch) 118*387f9dfdSAndroid Build Coastguard Worker - [7. items_lookup_batch()](#7-items_lookup_batch) 119*387f9dfdSAndroid Build Coastguard Worker - [8. items_delete_batch()](#8-items_delete_batch) 120*387f9dfdSAndroid Build Coastguard Worker - [9. items_update_batch()](#9-items_update_batch) 121*387f9dfdSAndroid Build Coastguard Worker - [10. print_log2_hist()](#10-print_log2_hist) 122*387f9dfdSAndroid Build Coastguard Worker - [11. print_linear_hist()](#11-print_linear_hist) 123*387f9dfdSAndroid Build Coastguard Worker - [12. open_ring_buffer()](#12-open_ring_buffer) 124*387f9dfdSAndroid Build Coastguard Worker - [13. push()](#13-push) 125*387f9dfdSAndroid Build Coastguard Worker - [14. pop()](#14-pop) 126*387f9dfdSAndroid Build Coastguard Worker - [15. peek()](#15-peek) 127*387f9dfdSAndroid Build Coastguard Worker - [Helpers](#helpers) 128*387f9dfdSAndroid Build Coastguard Worker - [1. ksym()](#1-ksym) 129*387f9dfdSAndroid Build Coastguard Worker - [2. ksymname()](#2-ksymname) 130*387f9dfdSAndroid Build Coastguard Worker - [3. sym()](#3-sym) 131*387f9dfdSAndroid Build Coastguard Worker - [4. num_open_kprobes()](#4-num_open_kprobes) 132*387f9dfdSAndroid Build Coastguard Worker - [5. get_syscall_fnname()](#5-get_syscall_fnname) 133*387f9dfdSAndroid Build Coastguard Worker 134*387f9dfdSAndroid Build Coastguard Worker- [BPF Errors](#bpf-errors) 135*387f9dfdSAndroid Build Coastguard Worker - [1. Invalid mem access](#1-invalid-mem-access) 136*387f9dfdSAndroid Build Coastguard Worker - [2. Cannot call GPL only function from proprietary program](#2-cannot-call-gpl-only-function-from-proprietary-program) 137*387f9dfdSAndroid Build Coastguard Worker 138*387f9dfdSAndroid Build Coastguard Worker- [Environment Variables](#Environment-Variables) 139*387f9dfdSAndroid Build Coastguard Worker - [1. kernel source directory](#1-kernel-source-directory) 140*387f9dfdSAndroid Build Coastguard Worker - [2. kernel version overriding](#2-kernel-version-overriding) 141*387f9dfdSAndroid Build Coastguard Worker 142*387f9dfdSAndroid Build Coastguard Worker# BPF C 143*387f9dfdSAndroid Build Coastguard Worker 144*387f9dfdSAndroid Build Coastguard WorkerThis section describes the C part of a bcc program. 145*387f9dfdSAndroid Build Coastguard Worker 146*387f9dfdSAndroid Build Coastguard Worker## Events & Arguments 147*387f9dfdSAndroid Build Coastguard Worker 148*387f9dfdSAndroid Build Coastguard Worker### 1. kprobes 149*387f9dfdSAndroid Build Coastguard Worker 150*387f9dfdSAndroid Build Coastguard WorkerSyntax: kprobe__*kernel_function_name* 151*387f9dfdSAndroid Build Coastguard Worker 152*387f9dfdSAndroid Build Coastguard Worker```kprobe__``` is a special prefix that creates a kprobe (dynamic tracing of a kernel function call) for the kernel function name provided as the remainder. You can also use kprobes by declaring a normal C function, then using the Python ```BPF.attach_kprobe()``` (covered later) to associate it with a kernel function. 153*387f9dfdSAndroid Build Coastguard Worker 154*387f9dfdSAndroid Build Coastguard WorkerArguments are specified on the function declaration: kprobe__*kernel_function_name*(struct pt_regs *ctx [, *argument1* ...]) 155*387f9dfdSAndroid Build Coastguard Worker 156*387f9dfdSAndroid Build Coastguard WorkerFor example: 157*387f9dfdSAndroid Build Coastguard Worker 158*387f9dfdSAndroid Build Coastguard Worker```C 159*387f9dfdSAndroid Build Coastguard Workerint kprobe__tcp_v4_connect(struct pt_regs *ctx, struct sock *sk) { 160*387f9dfdSAndroid Build Coastguard Worker [...] 161*387f9dfdSAndroid Build Coastguard Worker} 162*387f9dfdSAndroid Build Coastguard Worker``` 163*387f9dfdSAndroid Build Coastguard Worker 164*387f9dfdSAndroid Build Coastguard WorkerThis instruments the tcp_v4_connect() kernel function using a kprobe, with the following arguments: 165*387f9dfdSAndroid Build Coastguard Worker 166*387f9dfdSAndroid Build Coastguard Worker- ```struct pt_regs *ctx```: Registers and BPF context. 167*387f9dfdSAndroid Build Coastguard Worker- ```struct sock *sk```: First argument to tcp_v4_connect(). 168*387f9dfdSAndroid Build Coastguard Worker 169*387f9dfdSAndroid Build Coastguard WorkerThe first argument is always ```struct pt_regs *```, the remainder are the arguments to the function (they don't need to be specified, if you don't intend to use them). 170*387f9dfdSAndroid Build Coastguard Worker 171*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 172*387f9dfdSAndroid Build Coastguard Worker[code](https://github.com/iovisor/bcc/blob/4afa96a71c5dbfc4c507c3355e20baa6c184a3a8/examples/tracing/tcpv4connect.py#L28) ([output](https://github.com/iovisor/bcc/blob/5bd0eb21fd148927b078deb8ac29fff2fb044b66/examples/tracing/tcpv4connect_example.txt#L8)), 173*387f9dfdSAndroid Build Coastguard Worker[code](https://github.com/iovisor/bcc/commit/310ab53710cfd46095c1f6b3e44f1dbc8d1a41d8#diff-8cd1822359ffee26e7469f991ce0ef00R26) ([output](https://github.com/iovisor/bcc/blob/3b9679a3bd9b922c736f6061dc65cb56de7e0250/examples/tracing/bitehist_example.txt#L6)) 174*387f9dfdSAndroid Build Coastguard Worker<!--- I can't add search links here, since github currently cannot handle partial-word searches needed for "kprobe__" ---> 175*387f9dfdSAndroid Build Coastguard Worker 176*387f9dfdSAndroid Build Coastguard Worker### 2. kretprobes 177*387f9dfdSAndroid Build Coastguard Worker 178*387f9dfdSAndroid Build Coastguard WorkerSyntax: kretprobe__*kernel_function_name* 179*387f9dfdSAndroid Build Coastguard Worker 180*387f9dfdSAndroid Build Coastguard Worker```kretprobe__``` is a special prefix that creates a kretprobe (dynamic tracing of a kernel function return) for the kernel function name provided as the remainder. You can also use kretprobes by declaring a normal C function, then using the Python ```BPF.attach_kretprobe()``` (covered later) to associate it with a kernel function. 181*387f9dfdSAndroid Build Coastguard Worker 182*387f9dfdSAndroid Build Coastguard WorkerReturn value is available as ```PT_REGS_RC(ctx)```, given a function declaration of: kretprobe__*kernel_function_name*(struct pt_regs *ctx) 183*387f9dfdSAndroid Build Coastguard Worker 184*387f9dfdSAndroid Build Coastguard WorkerFor example: 185*387f9dfdSAndroid Build Coastguard Worker 186*387f9dfdSAndroid Build Coastguard Worker```C 187*387f9dfdSAndroid Build Coastguard Workerint kretprobe__tcp_v4_connect(struct pt_regs *ctx) 188*387f9dfdSAndroid Build Coastguard Worker{ 189*387f9dfdSAndroid Build Coastguard Worker int ret = PT_REGS_RC(ctx); 190*387f9dfdSAndroid Build Coastguard Worker [...] 191*387f9dfdSAndroid Build Coastguard Worker} 192*387f9dfdSAndroid Build Coastguard Worker``` 193*387f9dfdSAndroid Build Coastguard Worker 194*387f9dfdSAndroid Build Coastguard WorkerThis instruments the return of the tcp_v4_connect() kernel function using a kretprobe, and stores the return value in ```ret```. 195*387f9dfdSAndroid Build Coastguard Worker 196*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 197*387f9dfdSAndroid Build Coastguard Worker[code](https://github.com/iovisor/bcc/blob/4afa96a71c5dbfc4c507c3355e20baa6c184a3a8/examples/tracing/tcpv4connect.py#L38) ([output](https://github.com/iovisor/bcc/blob/5bd0eb21fd148927b078deb8ac29fff2fb044b66/examples/tracing/tcpv4connect_example.txt#L8)) 198*387f9dfdSAndroid Build Coastguard Worker 199*387f9dfdSAndroid Build Coastguard Worker### 3. Tracepoints 200*387f9dfdSAndroid Build Coastguard Worker 201*387f9dfdSAndroid Build Coastguard WorkerSyntax: TRACEPOINT_PROBE(*category*, *event*) 202*387f9dfdSAndroid Build Coastguard Worker 203*387f9dfdSAndroid Build Coastguard WorkerThis is a macro that instruments the tracepoint defined by *category*:*event*. 204*387f9dfdSAndroid Build Coastguard Worker 205*387f9dfdSAndroid Build Coastguard WorkerThe tracepoint name is `<category>:<event>`. 206*387f9dfdSAndroid Build Coastguard WorkerThe probe function name is `tracepoint__<category>__<event>`. 207*387f9dfdSAndroid Build Coastguard Worker 208*387f9dfdSAndroid Build Coastguard WorkerArguments are available in an ```args``` struct, which are the tracepoint arguments. One way to list these is to cat the relevant format file under /sys/kernel/debug/tracing/events/*category*/*event*/format. 209*387f9dfdSAndroid Build Coastguard Worker 210*387f9dfdSAndroid Build Coastguard WorkerThe ```args``` struct can be used in place of ``ctx`` in each functions requiring a context as an argument. This includes notably [perf_submit()](#3-perf_submit). 211*387f9dfdSAndroid Build Coastguard Worker 212*387f9dfdSAndroid Build Coastguard WorkerFor example: 213*387f9dfdSAndroid Build Coastguard Worker 214*387f9dfdSAndroid Build Coastguard Worker```C 215*387f9dfdSAndroid Build Coastguard WorkerTRACEPOINT_PROBE(random, urandom_read) { 216*387f9dfdSAndroid Build Coastguard Worker // args is from /sys/kernel/debug/tracing/events/random/urandom_read/format 217*387f9dfdSAndroid Build Coastguard Worker bpf_trace_printk("%d\\n", args->got_bits); 218*387f9dfdSAndroid Build Coastguard Worker return 0; 219*387f9dfdSAndroid Build Coastguard Worker} 220*387f9dfdSAndroid Build Coastguard Worker``` 221*387f9dfdSAndroid Build Coastguard Worker 222*387f9dfdSAndroid Build Coastguard WorkerThis instruments the tracepoint `random:urandom_read tracepoint`, and prints the tracepoint argument ```got_bits```. 223*387f9dfdSAndroid Build Coastguard WorkerWhen using Python API, this probe is automatically attached to the right tracepoint target. 224*387f9dfdSAndroid Build Coastguard WorkerFor C++, this tracepoint probe can be attached by specifying the tracepoint target and function name explicitly: 225*387f9dfdSAndroid Build Coastguard Worker`BPF::attach_tracepoint("random:urandom_read", "tracepoint__random__urandom_read")` 226*387f9dfdSAndroid Build Coastguard WorkerNote the name of the probe function defined above is `tracepoint__random__urandom_read`. 227*387f9dfdSAndroid Build Coastguard Worker 228*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 229*387f9dfdSAndroid Build Coastguard Worker[code](https://github.com/iovisor/bcc/blob/a4159da8c4ea8a05a3c6e402451f530d6e5a8b41/examples/tracing/urandomread.py#L19) ([output](https://github.com/iovisor/bcc/commit/e422f5e50ecefb96579b6391a2ada7f6367b83c4#diff-41e5ecfae4a3b38de5f4e0887ed160e5R10)), 230*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=TRACEPOINT_PROBE+path%3Aexamples&type=Code), 231*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=TRACEPOINT_PROBE+path%3Atools&type=Code) 232*387f9dfdSAndroid Build Coastguard Worker 233*387f9dfdSAndroid Build Coastguard Worker### 4. uprobes 234*387f9dfdSAndroid Build Coastguard Worker 235*387f9dfdSAndroid Build Coastguard WorkerThese are instrumented by declaring a normal function in C, then associating it as a uprobe probe in Python via ```BPF.attach_uprobe()``` (covered later). 236*387f9dfdSAndroid Build Coastguard Worker 237*387f9dfdSAndroid Build Coastguard WorkerArguments can be examined using ```PT_REGS_PARM``` macros. 238*387f9dfdSAndroid Build Coastguard Worker 239*387f9dfdSAndroid Build Coastguard WorkerFor example: 240*387f9dfdSAndroid Build Coastguard Worker 241*387f9dfdSAndroid Build Coastguard Worker```C 242*387f9dfdSAndroid Build Coastguard Workerint count(struct pt_regs *ctx) { 243*387f9dfdSAndroid Build Coastguard Worker char buf[64]; 244*387f9dfdSAndroid Build Coastguard Worker bpf_probe_read_user(&buf, sizeof(buf), (void *)PT_REGS_PARM1(ctx)); 245*387f9dfdSAndroid Build Coastguard Worker bpf_trace_printk("%s %d", buf, PT_REGS_PARM2(ctx)); 246*387f9dfdSAndroid Build Coastguard Worker return(0); 247*387f9dfdSAndroid Build Coastguard Worker} 248*387f9dfdSAndroid Build Coastguard Worker``` 249*387f9dfdSAndroid Build Coastguard Worker 250*387f9dfdSAndroid Build Coastguard WorkerThis reads the first argument as a string, and then prints it with the second argument as an integer. 251*387f9dfdSAndroid Build Coastguard Worker 252*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 253*387f9dfdSAndroid Build Coastguard Worker[code](https://github.com/iovisor/bcc/blob/4afa96a71c5dbfc4c507c3355e20baa6c184a3a8/examples/tracing/strlen_count.py#L26) 254*387f9dfdSAndroid Build Coastguard Worker 255*387f9dfdSAndroid Build Coastguard Worker### 5. uretprobes 256*387f9dfdSAndroid Build Coastguard Worker 257*387f9dfdSAndroid Build Coastguard WorkerThese are instrumented by declaring a normal function in C, then associating it as a uretprobe probe in Python via ```BPF.attach_uretprobe()``` (covered later). 258*387f9dfdSAndroid Build Coastguard Worker 259*387f9dfdSAndroid Build Coastguard WorkerReturn value is available as ```PT_REGS_RC(ctx)```, given a function declaration of: *function_name*(struct pt_regs *ctx) 260*387f9dfdSAndroid Build Coastguard Worker 261*387f9dfdSAndroid Build Coastguard WorkerFor example: 262*387f9dfdSAndroid Build Coastguard Worker 263*387f9dfdSAndroid Build Coastguard Worker```C 264*387f9dfdSAndroid Build Coastguard WorkerBPF_HISTOGRAM(dist); 265*387f9dfdSAndroid Build Coastguard Workerint count(struct pt_regs *ctx) { 266*387f9dfdSAndroid Build Coastguard Worker dist.increment(PT_REGS_RC(ctx)); 267*387f9dfdSAndroid Build Coastguard Worker return 0; 268*387f9dfdSAndroid Build Coastguard Worker} 269*387f9dfdSAndroid Build Coastguard Worker``` 270*387f9dfdSAndroid Build Coastguard Worker 271*387f9dfdSAndroid Build Coastguard WorkerThis increments the bucket in the ```dist``` histogram that is indexed by the return value. 272*387f9dfdSAndroid Build Coastguard Worker 273*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 274*387f9dfdSAndroid Build Coastguard Worker[code](https://github.com/iovisor/bcc/blob/4afa96a71c5dbfc4c507c3355e20baa6c184a3a8/examples/tracing/strlen_hist.py#L39) ([output](https://github.com/iovisor/bcc/blob/4afa96a71c5dbfc4c507c3355e20baa6c184a3a8/examples/tracing/strlen_hist.py#L15)), 275*387f9dfdSAndroid Build Coastguard Worker[code](https://github.com/iovisor/bcc/blob/4afa96a71c5dbfc4c507c3355e20baa6c184a3a8/tools/bashreadline.py) ([output](https://github.com/iovisor/bcc/commit/aa87997d21e5c1a6a20e2c96dd25eb92adc8e85d#diff-2fd162f9e594206f789246ce97d62cf0R7)) 276*387f9dfdSAndroid Build Coastguard Worker 277*387f9dfdSAndroid Build Coastguard Worker### 6. USDT probes 278*387f9dfdSAndroid Build Coastguard Worker 279*387f9dfdSAndroid Build Coastguard WorkerThese are User Statically-Defined Tracing (USDT) probes, which may be placed in some applications or libraries to provide a user-level equivalent of tracepoints. The primary BPF method provided for USDT support method is ```enable_probe()```. USDT probes are instrumented by declaring a normal function in C, then associating it as a USDT probe in Python via ```USDT.enable_probe()```. 280*387f9dfdSAndroid Build Coastguard Worker 281*387f9dfdSAndroid Build Coastguard WorkerArguments can be read via: bpf_usdt_readarg(*index*, ctx, &addr) 282*387f9dfdSAndroid Build Coastguard Worker 283*387f9dfdSAndroid Build Coastguard WorkerFor example: 284*387f9dfdSAndroid Build Coastguard Worker 285*387f9dfdSAndroid Build Coastguard Worker```C 286*387f9dfdSAndroid Build Coastguard Workerint do_trace(struct pt_regs *ctx) { 287*387f9dfdSAndroid Build Coastguard Worker uint64_t addr; 288*387f9dfdSAndroid Build Coastguard Worker char path[128]; 289*387f9dfdSAndroid Build Coastguard Worker bpf_usdt_readarg(6, ctx, &addr); 290*387f9dfdSAndroid Build Coastguard Worker bpf_probe_read_user(&path, sizeof(path), (void *)addr); 291*387f9dfdSAndroid Build Coastguard Worker bpf_trace_printk("path:%s\\n", path); 292*387f9dfdSAndroid Build Coastguard Worker return 0; 293*387f9dfdSAndroid Build Coastguard Worker}; 294*387f9dfdSAndroid Build Coastguard Worker``` 295*387f9dfdSAndroid Build Coastguard Worker 296*387f9dfdSAndroid Build Coastguard WorkerThis reads the sixth USDT argument, and then pulls it in as a string to ```path```. 297*387f9dfdSAndroid Build Coastguard Worker 298*387f9dfdSAndroid Build Coastguard WorkerWhen initializing USDTs via the third argument of ```BPF::init``` in the C API, if any USDT fails to ```init```, entire ```BPF::init``` will fail. If you're OK with some USDTs failing to ```init```, use ```BPF::init_usdt``` before calling ```BPF::init```. 299*387f9dfdSAndroid Build Coastguard Worker 300*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 301*387f9dfdSAndroid Build Coastguard Worker[code](https://github.com/iovisor/bcc/commit/4f88a9401357d7b75e917abd994aa6ea97dda4d3#diff-04a7cad583be5646080970344c48c1f4R24), 302*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=bpf_usdt_readarg+path%3Aexamples&type=Code), 303*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=bpf_usdt_readarg+path%3Atools&type=Code) 304*387f9dfdSAndroid Build Coastguard Worker 305*387f9dfdSAndroid Build Coastguard Worker### 7. Raw Tracepoints 306*387f9dfdSAndroid Build Coastguard Worker 307*387f9dfdSAndroid Build Coastguard WorkerSyntax: RAW_TRACEPOINT_PROBE(*event*) 308*387f9dfdSAndroid Build Coastguard Worker 309*387f9dfdSAndroid Build Coastguard WorkerThis is a macro that instruments the raw tracepoint defined by *event*. 310*387f9dfdSAndroid Build Coastguard Worker 311*387f9dfdSAndroid Build Coastguard WorkerThe argument is a pointer to struct ```bpf_raw_tracepoint_args```, which is defined in [bpf.h](https://github.com/iovisor/bcc/blob/master/src/cc/compat/linux/virtual_bpf.h). The struct field ```args``` contains all parameters of the raw tracepoint where you can found at linux tree [include/trace/events](https://github.com/torvalds/linux/tree/master/include/trace/events) 312*387f9dfdSAndroid Build Coastguard Workerdirectory. 313*387f9dfdSAndroid Build Coastguard Worker 314*387f9dfdSAndroid Build Coastguard WorkerFor example: 315*387f9dfdSAndroid Build Coastguard Worker```C 316*387f9dfdSAndroid Build Coastguard WorkerRAW_TRACEPOINT_PROBE(sched_switch) 317*387f9dfdSAndroid Build Coastguard Worker{ 318*387f9dfdSAndroid Build Coastguard Worker // TP_PROTO(bool preempt, struct task_struct *prev, struct task_struct *next) 319*387f9dfdSAndroid Build Coastguard Worker struct task_struct *prev = (struct task_struct *)ctx->args[1]; 320*387f9dfdSAndroid Build Coastguard Worker struct task_struct *next= (struct task_struct *)ctx->args[2]; 321*387f9dfdSAndroid Build Coastguard Worker s32 prev_tgid, next_tgid; 322*387f9dfdSAndroid Build Coastguard Worker 323*387f9dfdSAndroid Build Coastguard Worker bpf_probe_read_kernel(&prev_tgid, sizeof(prev->tgid), &prev->tgid); 324*387f9dfdSAndroid Build Coastguard Worker bpf_probe_read_kernel(&next_tgid, sizeof(next->tgid), &next->tgid); 325*387f9dfdSAndroid Build Coastguard Worker bpf_trace_printk("%d -> %d\\n", prev_tgid, next_tgid); 326*387f9dfdSAndroid Build Coastguard Worker} 327*387f9dfdSAndroid Build Coastguard Worker``` 328*387f9dfdSAndroid Build Coastguard Worker 329*387f9dfdSAndroid Build Coastguard WorkerThis instruments the sched:sched_switch tracepoint, and prints the prev and next tgid. 330*387f9dfdSAndroid Build Coastguard Worker 331*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 332*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=RAW_TRACEPOINT_PROBE+path%3Atools&type=Code) 333*387f9dfdSAndroid Build Coastguard Worker 334*387f9dfdSAndroid Build Coastguard Worker### 8. system call tracepoints 335*387f9dfdSAndroid Build Coastguard Worker 336*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```syscall__SYSCALLNAME``` 337*387f9dfdSAndroid Build Coastguard Worker 338*387f9dfdSAndroid Build Coastguard Worker```syscall__``` is a special prefix that creates a kprobe for the system call name provided as the remainder. You can use it by declaring a normal C function, then using the Python ```BPF.get_syscall_fnname(SYSCALLNAME)``` and ```BPF.attach_kprobe()``` to associate it. 339*387f9dfdSAndroid Build Coastguard Worker 340*387f9dfdSAndroid Build Coastguard WorkerArguments are specified on the function declaration: ```syscall__SYSCALLNAME(struct pt_regs *ctx, [, argument1 ...])```. 341*387f9dfdSAndroid Build Coastguard Worker 342*387f9dfdSAndroid Build Coastguard WorkerFor example: 343*387f9dfdSAndroid Build Coastguard Worker```C 344*387f9dfdSAndroid Build Coastguard Workerint syscall__execve(struct pt_regs *ctx, 345*387f9dfdSAndroid Build Coastguard Worker const char __user *filename, 346*387f9dfdSAndroid Build Coastguard Worker const char __user *const __user *__argv, 347*387f9dfdSAndroid Build Coastguard Worker const char __user *const __user *__envp) 348*387f9dfdSAndroid Build Coastguard Worker{ 349*387f9dfdSAndroid Build Coastguard Worker [...] 350*387f9dfdSAndroid Build Coastguard Worker} 351*387f9dfdSAndroid Build Coastguard Worker``` 352*387f9dfdSAndroid Build Coastguard Worker 353*387f9dfdSAndroid Build Coastguard WorkerThis instruments the execve system call. 354*387f9dfdSAndroid Build Coastguard Worker 355*387f9dfdSAndroid Build Coastguard WorkerThe first argument is always ```struct pt_regs *```, the remainder are the arguments to the function (they don't need to be specified, if you don't intend to use them). 356*387f9dfdSAndroid Build Coastguard Worker 357*387f9dfdSAndroid Build Coastguard WorkerCorresponding Python code: 358*387f9dfdSAndroid Build Coastguard Worker```Python 359*387f9dfdSAndroid Build Coastguard Workerb = BPF(text=bpf_text) 360*387f9dfdSAndroid Build Coastguard Workerexecve_fnname = b.get_syscall_fnname("execve") 361*387f9dfdSAndroid Build Coastguard Workerb.attach_kprobe(event=execve_fnname, fn_name="syscall__execve") 362*387f9dfdSAndroid Build Coastguard Worker``` 363*387f9dfdSAndroid Build Coastguard Worker 364*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 365*387f9dfdSAndroid Build Coastguard Worker[code](https://github.com/iovisor/bcc/blob/552658edda09298afdccc8a4b5e17311a2d8a771/tools/execsnoop.py#L101) ([output](https://github.com/iovisor/bcc/blob/552658edda09298afdccc8a4b5e17311a2d8a771/tools/execsnoop_example.txt#L8)) 366*387f9dfdSAndroid Build Coastguard Worker 367*387f9dfdSAndroid Build Coastguard Worker### 9. kfuncs 368*387f9dfdSAndroid Build Coastguard Worker 369*387f9dfdSAndroid Build Coastguard WorkerSyntax: KFUNC_PROBE(*function*, typeof(arg1) arg1, typeof(arg2) arge ...) 370*387f9dfdSAndroid Build Coastguard Worker MODULE_KFUNC_PROBE(*module*, *function*, typeof(arg1) arg1, typeof(arg2) arge ...) 371*387f9dfdSAndroid Build Coastguard Worker 372*387f9dfdSAndroid Build Coastguard WorkerThis is a macro that instruments the kernel function via trampoline 373*387f9dfdSAndroid Build Coastguard Worker*before* the function is executed. It's defined by *function* name and 374*387f9dfdSAndroid Build Coastguard Workerthe function arguments defined as *argX*. 375*387f9dfdSAndroid Build Coastguard Worker 376*387f9dfdSAndroid Build Coastguard WorkerFor example: 377*387f9dfdSAndroid Build Coastguard Worker```C 378*387f9dfdSAndroid Build Coastguard WorkerKFUNC_PROBE(do_sys_open, int dfd, const char *filename, int flags, int mode) 379*387f9dfdSAndroid Build Coastguard Worker{ 380*387f9dfdSAndroid Build Coastguard Worker ... 381*387f9dfdSAndroid Build Coastguard Worker``` 382*387f9dfdSAndroid Build Coastguard Worker 383*387f9dfdSAndroid Build Coastguard WorkerThis instruments the do_sys_open kernel function and make its arguments 384*387f9dfdSAndroid Build Coastguard Workeraccessible as standard argument values. 385*387f9dfdSAndroid Build Coastguard Worker 386*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 387*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=KFUNC_PROBE+path%3Atools&type=Code) 388*387f9dfdSAndroid Build Coastguard Worker 389*387f9dfdSAndroid Build Coastguard Worker### 10. kretfuncs 390*387f9dfdSAndroid Build Coastguard Worker 391*387f9dfdSAndroid Build Coastguard WorkerSyntax: KRETFUNC_PROBE(*event*, typeof(arg1) arg1, typeof(arg2) arge ..., int ret) 392*387f9dfdSAndroid Build Coastguard Worker MODULE_KRETFUNC_PROBE(*module*, *function*, typeof(arg1) arg1, typeof(arg2) arge ...) 393*387f9dfdSAndroid Build Coastguard Worker 394*387f9dfdSAndroid Build Coastguard WorkerThis is a macro that instruments the kernel function via trampoline 395*387f9dfdSAndroid Build Coastguard Worker*after* the function is executed. It's defined by *function* name and 396*387f9dfdSAndroid Build Coastguard Workerthe function arguments defined as *argX*. 397*387f9dfdSAndroid Build Coastguard Worker 398*387f9dfdSAndroid Build Coastguard WorkerThe last argument of the probe is the return value of the instrumented function. 399*387f9dfdSAndroid Build Coastguard Worker 400*387f9dfdSAndroid Build Coastguard WorkerFor example: 401*387f9dfdSAndroid Build Coastguard Worker```C 402*387f9dfdSAndroid Build Coastguard WorkerKRETFUNC_PROBE(do_sys_open, int dfd, const char *filename, int flags, int mode, int ret) 403*387f9dfdSAndroid Build Coastguard Worker{ 404*387f9dfdSAndroid Build Coastguard Worker ... 405*387f9dfdSAndroid Build Coastguard Worker``` 406*387f9dfdSAndroid Build Coastguard Worker 407*387f9dfdSAndroid Build Coastguard WorkerThis instruments the do_sys_open kernel function and make its arguments 408*387f9dfdSAndroid Build Coastguard Workeraccessible as standard argument values together with its return value. 409*387f9dfdSAndroid Build Coastguard Worker 410*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 411*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=KRETFUNC_PROBE+path%3Atools&type=Code) 412*387f9dfdSAndroid Build Coastguard Worker 413*387f9dfdSAndroid Build Coastguard Worker 414*387f9dfdSAndroid Build Coastguard Worker### 11. LSM Probes 415*387f9dfdSAndroid Build Coastguard Worker 416*387f9dfdSAndroid Build Coastguard WorkerSyntax: LSM_PROBE(*hook*, typeof(arg1) arg1, typeof(arg2) arg2 ...) 417*387f9dfdSAndroid Build Coastguard Worker 418*387f9dfdSAndroid Build Coastguard WorkerThis is a macro that instruments an LSM hook as a BPF program. It can be 419*387f9dfdSAndroid Build Coastguard Workerused to audit security events and implement MAC security policies in BPF. 420*387f9dfdSAndroid Build Coastguard WorkerIt is defined by specifying the hook name followed by its arguments. 421*387f9dfdSAndroid Build Coastguard Worker 422*387f9dfdSAndroid Build Coastguard WorkerHook names can be found in 423*387f9dfdSAndroid Build Coastguard Worker[include/linux/security.h](https://github.com/torvalds/linux/blob/v5.15/include/linux/security.h#L260) 424*387f9dfdSAndroid Build Coastguard Workerby taking functions like `security_hookname` and taking just the `hookname` part. 425*387f9dfdSAndroid Build Coastguard WorkerFor example, `security_bpf` would simply become `bpf`. 426*387f9dfdSAndroid Build Coastguard Worker 427*387f9dfdSAndroid Build Coastguard WorkerUnlike other BPF program types, the return value specified in an LSM probe 428*387f9dfdSAndroid Build Coastguard Workermatters. A return value of 0 allows the hook to succeed, whereas 429*387f9dfdSAndroid Build Coastguard Workerany non-zero return value will cause the hook to fail and deny the 430*387f9dfdSAndroid Build Coastguard Workersecurity operation. 431*387f9dfdSAndroid Build Coastguard Worker 432*387f9dfdSAndroid Build Coastguard WorkerThe following example instruments a hook that denies all future BPF operations: 433*387f9dfdSAndroid Build Coastguard Worker```C 434*387f9dfdSAndroid Build Coastguard WorkerLSM_PROBE(bpf, int cmd, union bpf_attr *attr, unsigned int size) 435*387f9dfdSAndroid Build Coastguard Worker{ 436*387f9dfdSAndroid Build Coastguard Worker return -EPERM; 437*387f9dfdSAndroid Build Coastguard Worker} 438*387f9dfdSAndroid Build Coastguard Worker``` 439*387f9dfdSAndroid Build Coastguard Worker 440*387f9dfdSAndroid Build Coastguard WorkerThis instruments the `security_bpf` hook and causes it to return `-EPERM`. 441*387f9dfdSAndroid Build Coastguard WorkerChanging `return -EPERM` to `return 0` would cause the BPF program 442*387f9dfdSAndroid Build Coastguard Workerto allow the operation instead. 443*387f9dfdSAndroid Build Coastguard Worker 444*387f9dfdSAndroid Build Coastguard WorkerLSM probes require at least a 5.7+ kernel with the following configuation options set: 445*387f9dfdSAndroid Build Coastguard Worker- `CONFIG_BPF_LSM=y` 446*387f9dfdSAndroid Build Coastguard Worker- `CONFIG_LSM` comma separated string must contain "bpf" (for example, 447*387f9dfdSAndroid Build Coastguard Worker `CONFIG_LSM="lockdown,yama,bpf"`) 448*387f9dfdSAndroid Build Coastguard Worker 449*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 450*387f9dfdSAndroid Build Coastguard Worker[search /tests](https://github.com/iovisor/bcc/search?q=LSM_PROBE+path%3Atests&type=Code) 451*387f9dfdSAndroid Build Coastguard Worker 452*387f9dfdSAndroid Build Coastguard Worker### 12. BPF ITERATORS 453*387f9dfdSAndroid Build Coastguard Worker 454*387f9dfdSAndroid Build Coastguard WorkerSyntax: BPF_ITER(target) 455*387f9dfdSAndroid Build Coastguard Worker 456*387f9dfdSAndroid Build Coastguard WorkerThis is a macro to define a program signature for a bpf iterator program. The argument *target* specifies what to iterate for the program. 457*387f9dfdSAndroid Build Coastguard Worker 458*387f9dfdSAndroid Build Coastguard WorkerCurrently, kernel does not have interface to discover what targets are supported. A good place to find what is supported is in [tools/testing/selftests/bpf/prog_test/bpf_iter.c](https://github.com/torvalds/linux/blob/master/tools/testing/selftests/bpf/prog_tests/bpf_iter.c) and some sample bpf iter programs are in [tools/testing/selftests/bpf/progs](https://github.com/torvalds/linux/tree/master/tools/testing/selftests/bpf/progs) with file name prefix *bpf_iter*. 459*387f9dfdSAndroid Build Coastguard Worker 460*387f9dfdSAndroid Build Coastguard WorkerThe following example defines a program for target *task*, which traverses all tasks in the kernel. 461*387f9dfdSAndroid Build Coastguard Worker```C 462*387f9dfdSAndroid Build Coastguard WorkerBPF_ITER(task) 463*387f9dfdSAndroid Build Coastguard Worker{ 464*387f9dfdSAndroid Build Coastguard Worker struct seq_file *seq = ctx->meta->seq; 465*387f9dfdSAndroid Build Coastguard Worker struct task_struct *task = ctx->task; 466*387f9dfdSAndroid Build Coastguard Worker 467*387f9dfdSAndroid Build Coastguard Worker if (task == (void *)0) 468*387f9dfdSAndroid Build Coastguard Worker return 0; 469*387f9dfdSAndroid Build Coastguard Worker 470*387f9dfdSAndroid Build Coastguard Worker ... task->pid, task->tgid, task->comm, ... 471*387f9dfdSAndroid Build Coastguard Worker return 0; 472*387f9dfdSAndroid Build Coastguard Worker} 473*387f9dfdSAndroid Build Coastguard Worker``` 474*387f9dfdSAndroid Build Coastguard Worker 475*387f9dfdSAndroid Build Coastguard WorkerBPF iterators are introduced in 5.8 kernel for task, task_file, bpf_map, netlink_sock and ipv6_route . In 5.9, support is added to tcp/udp sockets and bpf map element (hashmap, arraymap and sk_local_storage_map) traversal. 476*387f9dfdSAndroid Build Coastguard Worker 477*387f9dfdSAndroid Build Coastguard Worker## Data 478*387f9dfdSAndroid Build Coastguard Worker 479*387f9dfdSAndroid Build Coastguard Worker### 1. bpf_probe_read_kernel() 480*387f9dfdSAndroid Build Coastguard Worker 481*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```int bpf_probe_read_kernel(void *dst, int size, const void *src)``` 482*387f9dfdSAndroid Build Coastguard Worker 483*387f9dfdSAndroid Build Coastguard WorkerReturn: 0 on success 484*387f9dfdSAndroid Build Coastguard Worker 485*387f9dfdSAndroid Build Coastguard WorkerThis copies size bytes from kernel address space to the BPF stack, so that BPF can later operate on it. For safety, all kernel memory reads must pass through bpf_probe_read_kernel(). This happens automatically in some cases, such as dereferencing kernel variables, as bcc will rewrite the BPF program to include the necessary bpf_probe_read_kernel(). 486*387f9dfdSAndroid Build Coastguard Worker 487*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 488*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=bpf_probe_read_kernel+path%3Aexamples&type=Code), 489*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=bpf_probe_read_kernel+path%3Atools&type=Code) 490*387f9dfdSAndroid Build Coastguard Worker 491*387f9dfdSAndroid Build Coastguard Worker### 2. bpf_probe_read_kernel_str() 492*387f9dfdSAndroid Build Coastguard Worker 493*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```int bpf_probe_read_kernel_str(void *dst, int size, const void *src)``` 494*387f9dfdSAndroid Build Coastguard Worker 495*387f9dfdSAndroid Build Coastguard WorkerReturn: 496*387f9dfdSAndroid Build Coastguard Worker - \> 0 length of the string including the trailing NULL on success 497*387f9dfdSAndroid Build Coastguard Worker - \< 0 error 498*387f9dfdSAndroid Build Coastguard Worker 499*387f9dfdSAndroid Build Coastguard WorkerThis copies a `NULL` terminated string from kernel address space to the BPF stack, so that BPF can later operate on it. In case the string length is smaller than size, the target is not padded with further `NULL` bytes. In case the string length is larger than size, just `size - 1` bytes are copied and the last byte is set to `NULL`. 500*387f9dfdSAndroid Build Coastguard Worker 501*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 502*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=bpf_probe_read_kernel_str+path%3Aexamples&type=Code), 503*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=bpf_probe_read_kernel_str+path%3Atools&type=Code) 504*387f9dfdSAndroid Build Coastguard Worker 505*387f9dfdSAndroid Build Coastguard Worker### 3. bpf_ktime_get_ns() 506*387f9dfdSAndroid Build Coastguard Worker 507*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```u64 bpf_ktime_get_ns(void)``` 508*387f9dfdSAndroid Build Coastguard Worker 509*387f9dfdSAndroid Build Coastguard WorkerReturn: u64 number of nanoseconds. Starts at system boot time but stops during suspend. 510*387f9dfdSAndroid Build Coastguard Worker 511*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 512*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=bpf_ktime_get_ns+path%3Aexamples&type=Code), 513*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=bpf_ktime_get_ns+path%3Atools&type=Code) 514*387f9dfdSAndroid Build Coastguard Worker 515*387f9dfdSAndroid Build Coastguard Worker### 4. bpf_get_current_pid_tgid() 516*387f9dfdSAndroid Build Coastguard Worker 517*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```u64 bpf_get_current_pid_tgid(void)``` 518*387f9dfdSAndroid Build Coastguard Worker 519*387f9dfdSAndroid Build Coastguard WorkerReturn: ```current->tgid << 32 | current->pid``` 520*387f9dfdSAndroid Build Coastguard Worker 521*387f9dfdSAndroid Build Coastguard WorkerReturns the process ID in the lower 32 bits (kernel's view of the PID, which in user space is usually presented as the thread ID), and the thread group ID in the upper 32 bits (what user space often thinks of as the PID). By directly setting this to a u32, we discard the upper 32 bits. 522*387f9dfdSAndroid Build Coastguard Worker 523*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 524*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=bpf_get_current_pid_tgid+path%3Aexamples&type=Code), 525*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=bpf_get_current_pid_tgid+path%3Atools&type=Code) 526*387f9dfdSAndroid Build Coastguard Worker 527*387f9dfdSAndroid Build Coastguard Worker### 5. bpf_get_current_uid_gid() 528*387f9dfdSAndroid Build Coastguard Worker 529*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```u64 bpf_get_current_uid_gid(void)``` 530*387f9dfdSAndroid Build Coastguard Worker 531*387f9dfdSAndroid Build Coastguard WorkerReturn: ```current_gid << 32 | current_uid``` 532*387f9dfdSAndroid Build Coastguard Worker 533*387f9dfdSAndroid Build Coastguard WorkerReturns the user ID and group IDs. 534*387f9dfdSAndroid Build Coastguard Worker 535*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 536*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=bpf_get_current_uid_gid+path%3Aexamples&type=Code), 537*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=bpf_get_current_uid_gid+path%3Atools&type=Code) 538*387f9dfdSAndroid Build Coastguard Worker 539*387f9dfdSAndroid Build Coastguard Worker### 6. bpf_get_current_comm() 540*387f9dfdSAndroid Build Coastguard Worker 541*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```bpf_get_current_comm(char *buf, int size_of_buf)``` 542*387f9dfdSAndroid Build Coastguard Worker 543*387f9dfdSAndroid Build Coastguard WorkerReturn: 0 on success 544*387f9dfdSAndroid Build Coastguard Worker 545*387f9dfdSAndroid Build Coastguard WorkerPopulates the first argument address with the current process name. It should be a pointer to a char array of at least size TASK_COMM_LEN, which is defined in linux/sched.h. For example: 546*387f9dfdSAndroid Build Coastguard Worker 547*387f9dfdSAndroid Build Coastguard Worker```C 548*387f9dfdSAndroid Build Coastguard Worker#include <linux/sched.h> 549*387f9dfdSAndroid Build Coastguard Worker 550*387f9dfdSAndroid Build Coastguard Workerint do_trace(struct pt_regs *ctx) { 551*387f9dfdSAndroid Build Coastguard Worker char comm[TASK_COMM_LEN]; 552*387f9dfdSAndroid Build Coastguard Worker bpf_get_current_comm(&comm, sizeof(comm)); 553*387f9dfdSAndroid Build Coastguard Worker[...] 554*387f9dfdSAndroid Build Coastguard Worker``` 555*387f9dfdSAndroid Build Coastguard Worker 556*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 557*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=bpf_get_current_comm+path%3Aexamples&type=Code), 558*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=bpf_get_current_comm+path%3Atools&type=Code) 559*387f9dfdSAndroid Build Coastguard Worker 560*387f9dfdSAndroid Build Coastguard Worker### 7. bpf_get_current_task() 561*387f9dfdSAndroid Build Coastguard Worker 562*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```bpf_get_current_task()``` 563*387f9dfdSAndroid Build Coastguard Worker 564*387f9dfdSAndroid Build Coastguard WorkerReturn: current task as a pointer to struct task_struct. 565*387f9dfdSAndroid Build Coastguard Worker 566*387f9dfdSAndroid Build Coastguard WorkerReturns a pointer to the current task's task_struct object. This helper can be used to compute the on-CPU time for a process, identify kernel threads, get the current CPU's run queue, or retrieve many other pieces of information. 567*387f9dfdSAndroid Build Coastguard Worker 568*387f9dfdSAndroid Build Coastguard WorkerWith Linux 4.13, due to issues with field randomization, you may need two #define directives before the includes: 569*387f9dfdSAndroid Build Coastguard Worker```C 570*387f9dfdSAndroid Build Coastguard Worker#define randomized_struct_fields_start struct { 571*387f9dfdSAndroid Build Coastguard Worker#define randomized_struct_fields_end }; 572*387f9dfdSAndroid Build Coastguard Worker#include <linux/sched.h> 573*387f9dfdSAndroid Build Coastguard Worker 574*387f9dfdSAndroid Build Coastguard Workerint do_trace(void *ctx) { 575*387f9dfdSAndroid Build Coastguard Worker struct task_struct *t = (struct task_struct *)bpf_get_current_task(); 576*387f9dfdSAndroid Build Coastguard Worker[...] 577*387f9dfdSAndroid Build Coastguard Worker``` 578*387f9dfdSAndroid Build Coastguard Worker 579*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 580*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=bpf_get_current_task+path%3Aexamples&type=Code), 581*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=bpf_get_current_task+path%3Atools&type=Code) 582*387f9dfdSAndroid Build Coastguard Worker 583*387f9dfdSAndroid Build Coastguard Worker### 8. bpf_log2l() 584*387f9dfdSAndroid Build Coastguard Worker 585*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```unsigned int bpf_log2l(unsigned long v)``` 586*387f9dfdSAndroid Build Coastguard Worker 587*387f9dfdSAndroid Build Coastguard WorkerReturns the log-2 of the provided value. This is often used to create indexes for histograms, to construct power-of-2 histograms. 588*387f9dfdSAndroid Build Coastguard Worker 589*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 590*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=bpf_log2l+path%3Aexamples&type=Code), 591*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=bpf_log2l+path%3Atools&type=Code) 592*387f9dfdSAndroid Build Coastguard Worker 593*387f9dfdSAndroid Build Coastguard Worker### 9. bpf_get_prandom_u32() 594*387f9dfdSAndroid Build Coastguard Worker 595*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```u32 bpf_get_prandom_u32()``` 596*387f9dfdSAndroid Build Coastguard Worker 597*387f9dfdSAndroid Build Coastguard WorkerReturns a pseudo-random u32. 598*387f9dfdSAndroid Build Coastguard Worker 599*387f9dfdSAndroid Build Coastguard WorkerExample in situ: 600*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=bpf_get_prandom_u32+path%3Aexamples&type=Code), 601*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=bpf_get_prandom_u32+path%3Atools&type=Code) 602*387f9dfdSAndroid Build Coastguard Worker 603*387f9dfdSAndroid Build Coastguard Worker### 10. bpf_probe_read_user() 604*387f9dfdSAndroid Build Coastguard Worker 605*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```int bpf_probe_read_user(void *dst, int size, const void *src)``` 606*387f9dfdSAndroid Build Coastguard Worker 607*387f9dfdSAndroid Build Coastguard WorkerReturn: 0 on success 608*387f9dfdSAndroid Build Coastguard Worker 609*387f9dfdSAndroid Build Coastguard WorkerThis attempts to safely read size bytes from user address space to the BPF stack, so that BPF can later operate on it. For safety, all user address space memory reads must pass through bpf_probe_read_user(). 610*387f9dfdSAndroid Build Coastguard Worker 611*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 612*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=bpf_probe_read_user+path%3Aexamples&type=Code), 613*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=bpf_probe_read_user+path%3Atools&type=Code) 614*387f9dfdSAndroid Build Coastguard Worker 615*387f9dfdSAndroid Build Coastguard Worker### 11. bpf_probe_read_user_str() 616*387f9dfdSAndroid Build Coastguard Worker 617*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```int bpf_probe_read_user_str(void *dst, int size, const void *src)``` 618*387f9dfdSAndroid Build Coastguard Worker 619*387f9dfdSAndroid Build Coastguard WorkerReturn: 620*387f9dfdSAndroid Build Coastguard Worker - \> 0 length of the string including the trailing NULL on success 621*387f9dfdSAndroid Build Coastguard Worker - \< 0 error 622*387f9dfdSAndroid Build Coastguard Worker 623*387f9dfdSAndroid Build Coastguard WorkerThis copies a `NULL` terminated string from user address space to the BPF stack, so that BPF can later operate on it. In case the string length is smaller than size, the target is not padded with further `NULL` bytes. In case the string length is larger than size, just `size - 1` bytes are copied and the last byte is set to `NULL`. 624*387f9dfdSAndroid Build Coastguard Worker 625*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 626*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=bpf_probe_read_user_str+path%3Aexamples&type=Code), 627*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=bpf_probe_read_user_str+path%3Atools&type=Code) 628*387f9dfdSAndroid Build Coastguard Worker 629*387f9dfdSAndroid Build Coastguard Worker 630*387f9dfdSAndroid Build Coastguard Worker### 12. bpf_get_ns_current_pid_tgid() 631*387f9dfdSAndroid Build Coastguard Worker 632*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```u32 bpf_get_ns_current_pid_tgid(u64 dev, u64 ino, struct bpf_pidns_info* nsdata, u32 size)``` 633*387f9dfdSAndroid Build Coastguard Worker 634*387f9dfdSAndroid Build Coastguard WorkerValues for *pid* and *tgid* as seen from the current *namespace* will be returned in *nsdata*. 635*387f9dfdSAndroid Build Coastguard Worker 636*387f9dfdSAndroid Build Coastguard WorkerReturn 0 on success, or one of the following in case of failure: 637*387f9dfdSAndroid Build Coastguard Worker 638*387f9dfdSAndroid Build Coastguard Worker- **-EINVAL** if dev and inum supplied don't match dev_t and inode number with nsfs of current task, or if dev conversion to dev_t lost high bits. 639*387f9dfdSAndroid Build Coastguard Worker 640*387f9dfdSAndroid Build Coastguard Worker- **-ENOENT** if pidns does not exists for the current task. 641*387f9dfdSAndroid Build Coastguard Worker 642*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 643*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=bpf_get_ns_current_pid_tgid+path%3Aexamples&type=Code), 644*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=bpf_get_ns_current_pid_tgid+path%3Atools&type=Code) 645*387f9dfdSAndroid Build Coastguard Worker 646*387f9dfdSAndroid Build Coastguard Worker 647*387f9dfdSAndroid Build Coastguard Worker## Debugging 648*387f9dfdSAndroid Build Coastguard Worker 649*387f9dfdSAndroid Build Coastguard Worker### 1. bpf_override_return() 650*387f9dfdSAndroid Build Coastguard Worker 651*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```int bpf_override_return(struct pt_regs *, unsigned long rc)``` 652*387f9dfdSAndroid Build Coastguard Worker 653*387f9dfdSAndroid Build Coastguard WorkerReturn: 0 on success 654*387f9dfdSAndroid Build Coastguard Worker 655*387f9dfdSAndroid Build Coastguard WorkerWhen used in a program attached to a function entry kprobe, causes the 656*387f9dfdSAndroid Build Coastguard Workerexecution of the function to be skipped, immediately returning `rc` instead. 657*387f9dfdSAndroid Build Coastguard WorkerThis is used for targeted error injection. 658*387f9dfdSAndroid Build Coastguard Worker 659*387f9dfdSAndroid Build Coastguard Workerbpf_override_return will only work when the kprobed function is whitelisted to 660*387f9dfdSAndroid Build Coastguard Workerallow error injections. Whitelisting entails tagging a function with 661*387f9dfdSAndroid Build Coastguard Worker`ALLOW_ERROR_INJECTION()` in the kernel source tree; see `io_ctl_init` for 662*387f9dfdSAndroid Build Coastguard Workeran example. If the kprobed function is not whitelisted, the bpf program will 663*387f9dfdSAndroid Build Coastguard Workerfail to attach with ` ioctl(PERF_EVENT_IOC_SET_BPF): Invalid argument` 664*387f9dfdSAndroid Build Coastguard Worker 665*387f9dfdSAndroid Build Coastguard Worker 666*387f9dfdSAndroid Build Coastguard Worker```C 667*387f9dfdSAndroid Build Coastguard Workerint kprobe__io_ctl_init(void *ctx) { 668*387f9dfdSAndroid Build Coastguard Worker bpf_override_return(ctx, -ENOMEM); 669*387f9dfdSAndroid Build Coastguard Worker return 0; 670*387f9dfdSAndroid Build Coastguard Worker} 671*387f9dfdSAndroid Build Coastguard Worker``` 672*387f9dfdSAndroid Build Coastguard Worker 673*387f9dfdSAndroid Build Coastguard Worker## Output 674*387f9dfdSAndroid Build Coastguard Worker 675*387f9dfdSAndroid Build Coastguard Worker### 1. bpf_trace_printk() 676*387f9dfdSAndroid Build Coastguard Worker 677*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```int bpf_trace_printk(const char *fmt, ...)``` 678*387f9dfdSAndroid Build Coastguard Worker 679*387f9dfdSAndroid Build Coastguard WorkerReturn: 0 on success 680*387f9dfdSAndroid Build Coastguard Worker 681*387f9dfdSAndroid Build Coastguard WorkerA simple kernel facility for printf() to the common trace_pipe (/sys/kernel/debug/tracing/trace_pipe). This is ok for some quick examples, but has limitations: 3 args max, 1 %s only, and trace_pipe is globally shared, so concurrent programs will have clashing output. A better interface is via BPF_PERF_OUTPUT(). Note that calling this helper is made simpler than the original kernel version, which has ```fmt_size``` as the second parameter. 682*387f9dfdSAndroid Build Coastguard Worker 683*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 684*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=bpf_trace_printk+path%3Aexamples&type=Code), 685*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=bpf_trace_printk+path%3Atools&type=Code) 686*387f9dfdSAndroid Build Coastguard Worker 687*387f9dfdSAndroid Build Coastguard Worker### 2. BPF_PERF_OUTPUT 688*387f9dfdSAndroid Build Coastguard Worker 689*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_PERF_OUTPUT(name)``` 690*387f9dfdSAndroid Build Coastguard Worker 691*387f9dfdSAndroid Build Coastguard WorkerCreates a BPF table for pushing out custom event data to user space via a perf ring buffer. This is the preferred method for pushing per-event data to user space. 692*387f9dfdSAndroid Build Coastguard Worker 693*387f9dfdSAndroid Build Coastguard WorkerFor example: 694*387f9dfdSAndroid Build Coastguard Worker 695*387f9dfdSAndroid Build Coastguard Worker```C 696*387f9dfdSAndroid Build Coastguard Workerstruct data_t { 697*387f9dfdSAndroid Build Coastguard Worker u32 pid; 698*387f9dfdSAndroid Build Coastguard Worker u64 ts; 699*387f9dfdSAndroid Build Coastguard Worker char comm[TASK_COMM_LEN]; 700*387f9dfdSAndroid Build Coastguard Worker}; 701*387f9dfdSAndroid Build Coastguard WorkerBPF_PERF_OUTPUT(events); 702*387f9dfdSAndroid Build Coastguard Worker 703*387f9dfdSAndroid Build Coastguard Workerint hello(struct pt_regs *ctx) { 704*387f9dfdSAndroid Build Coastguard Worker struct data_t data = {}; 705*387f9dfdSAndroid Build Coastguard Worker 706*387f9dfdSAndroid Build Coastguard Worker data.pid = bpf_get_current_pid_tgid(); 707*387f9dfdSAndroid Build Coastguard Worker data.ts = bpf_ktime_get_ns(); 708*387f9dfdSAndroid Build Coastguard Worker bpf_get_current_comm(&data.comm, sizeof(data.comm)); 709*387f9dfdSAndroid Build Coastguard Worker 710*387f9dfdSAndroid Build Coastguard Worker events.perf_submit(ctx, &data, sizeof(data)); 711*387f9dfdSAndroid Build Coastguard Worker 712*387f9dfdSAndroid Build Coastguard Worker return 0; 713*387f9dfdSAndroid Build Coastguard Worker} 714*387f9dfdSAndroid Build Coastguard Worker``` 715*387f9dfdSAndroid Build Coastguard Worker 716*387f9dfdSAndroid Build Coastguard WorkerThe output table is named ```events```, and data is pushed to it via ```events.perf_submit()```. 717*387f9dfdSAndroid Build Coastguard Worker 718*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 719*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=BPF_PERF_OUTPUT+path%3Aexamples&type=Code), 720*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=BPF_PERF_OUTPUT+path%3Atools&type=Code) 721*387f9dfdSAndroid Build Coastguard Worker 722*387f9dfdSAndroid Build Coastguard Worker### 3. perf_submit() 723*387f9dfdSAndroid Build Coastguard Worker 724*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```int perf_submit((void *)ctx, (void *)data, u32 data_size)``` 725*387f9dfdSAndroid Build Coastguard Worker 726*387f9dfdSAndroid Build Coastguard WorkerReturn: 0 on success 727*387f9dfdSAndroid Build Coastguard Worker 728*387f9dfdSAndroid Build Coastguard WorkerA method of a BPF_PERF_OUTPUT table, for submitting custom event data to user space. See the BPF_PERF_OUTPUT entry. (This ultimately calls bpf_perf_event_output().) 729*387f9dfdSAndroid Build Coastguard Worker 730*387f9dfdSAndroid Build Coastguard WorkerThe ```ctx``` parameter is provided in [kprobes](#1-kprobes) or [kretprobes](#2-kretprobes). For ```SCHED_CLS``` or ```SOCKET_FILTER``` programs, the ```struct __sk_buff *skb``` must be used instead. 731*387f9dfdSAndroid Build Coastguard Worker 732*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 733*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=perf_submit+path%3Aexamples&type=Code), 734*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=perf_submit+path%3Atools&type=Code) 735*387f9dfdSAndroid Build Coastguard Worker 736*387f9dfdSAndroid Build Coastguard Worker### 4. perf_submit_skb() 737*387f9dfdSAndroid Build Coastguard Worker 738*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```int perf_submit_skb((void *)ctx, u32 packet_size, (void *)data, u32 data_size)``` 739*387f9dfdSAndroid Build Coastguard Worker 740*387f9dfdSAndroid Build Coastguard WorkerReturn: 0 on success 741*387f9dfdSAndroid Build Coastguard Worker 742*387f9dfdSAndroid Build Coastguard WorkerA method of a BPF_PERF_OUTPUT table available in networking program types, for submitting custom event data to user space, along with the first ```packet_size``` bytes of the packet buffer. See the BPF_PERF_OUTPUT entry. (This ultimately calls bpf_perf_event_output().) 743*387f9dfdSAndroid Build Coastguard Worker 744*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 745*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=perf_submit_skb+path%3Aexamples&type=Code), 746*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=perf_submit_skb+path%3Atools&type=Code) 747*387f9dfdSAndroid Build Coastguard Worker 748*387f9dfdSAndroid Build Coastguard Worker### 5. BPF_RINGBUF_OUTPUT 749*387f9dfdSAndroid Build Coastguard Worker 750*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_RINGBUF_OUTPUT(name, page_cnt)``` 751*387f9dfdSAndroid Build Coastguard Worker 752*387f9dfdSAndroid Build Coastguard WorkerCreates a BPF table for pushing out custom event data to user space via a ringbuf ring buffer. 753*387f9dfdSAndroid Build Coastguard Worker```BPF_RINGBUF_OUTPUT``` has several advantages over ```BPF_PERF_OUTPUT```, summarized as follows: 754*387f9dfdSAndroid Build Coastguard Worker 755*387f9dfdSAndroid Build Coastguard Worker- Buffer is shared across all CPUs, meaning no per-CPU allocation 756*387f9dfdSAndroid Build Coastguard Worker- Supports two APIs for BPF programs 757*387f9dfdSAndroid Build Coastguard Worker - ```map.ringbuf_output()``` works like ```map.perf_submit()``` (covered in [ringbuf_output](#6-ringbuf_output)) 758*387f9dfdSAndroid Build Coastguard Worker - ```map.ringbuf_reserve()```/```map.ringbuf_submit()```/```map.ringbuf_discard()``` 759*387f9dfdSAndroid Build Coastguard Worker split the process of reserving buffer space and submitting events into two steps 760*387f9dfdSAndroid Build Coastguard Worker (covered in [ringbuf_reserve](#7-ringbuf_reserve), [ringbuf_submit](#8-ringbuf_submit), [ringbuf_discard](#9-ringbuf_discard)) 761*387f9dfdSAndroid Build Coastguard Worker- BPF APIs do not require access to a CPU ctx argument 762*387f9dfdSAndroid Build Coastguard Worker- Superior performance and latency in userspace thanks to a shared ring buffer manager 763*387f9dfdSAndroid Build Coastguard Worker- Supports two ways of consuming data in userspace 764*387f9dfdSAndroid Build Coastguard Worker 765*387f9dfdSAndroid Build Coastguard WorkerStarting in Linux 5.8, this should be the preferred method for pushing per-event data to user space. 766*387f9dfdSAndroid Build Coastguard Worker 767*387f9dfdSAndroid Build Coastguard WorkerExample of both APIs: 768*387f9dfdSAndroid Build Coastguard Worker 769*387f9dfdSAndroid Build Coastguard Worker```C 770*387f9dfdSAndroid Build Coastguard Workerstruct data_t { 771*387f9dfdSAndroid Build Coastguard Worker u32 pid; 772*387f9dfdSAndroid Build Coastguard Worker u64 ts; 773*387f9dfdSAndroid Build Coastguard Worker char comm[TASK_COMM_LEN]; 774*387f9dfdSAndroid Build Coastguard Worker}; 775*387f9dfdSAndroid Build Coastguard Worker 776*387f9dfdSAndroid Build Coastguard Worker// Creates a ringbuf called events with 8 pages of space, shared across all CPUs 777*387f9dfdSAndroid Build Coastguard WorkerBPF_RINGBUF_OUTPUT(events, 8); 778*387f9dfdSAndroid Build Coastguard Worker 779*387f9dfdSAndroid Build Coastguard Workerint first_api_example(struct pt_regs *ctx) { 780*387f9dfdSAndroid Build Coastguard Worker struct data_t data = {}; 781*387f9dfdSAndroid Build Coastguard Worker 782*387f9dfdSAndroid Build Coastguard Worker data.pid = bpf_get_current_pid_tgid(); 783*387f9dfdSAndroid Build Coastguard Worker data.ts = bpf_ktime_get_ns(); 784*387f9dfdSAndroid Build Coastguard Worker bpf_get_current_comm(&data.comm, sizeof(data.comm)); 785*387f9dfdSAndroid Build Coastguard Worker 786*387f9dfdSAndroid Build Coastguard Worker events.ringbuf_output(&data, sizeof(data), 0 /* flags */); 787*387f9dfdSAndroid Build Coastguard Worker 788*387f9dfdSAndroid Build Coastguard Worker return 0; 789*387f9dfdSAndroid Build Coastguard Worker} 790*387f9dfdSAndroid Build Coastguard Worker 791*387f9dfdSAndroid Build Coastguard Workerint second_api_example(struct pt_regs *ctx) { 792*387f9dfdSAndroid Build Coastguard Worker struct data_t *data = events.ringbuf_reserve(sizeof(struct data_t)); 793*387f9dfdSAndroid Build Coastguard Worker if (!data) { // Failed to reserve space 794*387f9dfdSAndroid Build Coastguard Worker return 1; 795*387f9dfdSAndroid Build Coastguard Worker } 796*387f9dfdSAndroid Build Coastguard Worker 797*387f9dfdSAndroid Build Coastguard Worker data->pid = bpf_get_current_pid_tgid(); 798*387f9dfdSAndroid Build Coastguard Worker data->ts = bpf_ktime_get_ns(); 799*387f9dfdSAndroid Build Coastguard Worker bpf_get_current_comm(&data->comm, sizeof(data->comm)); 800*387f9dfdSAndroid Build Coastguard Worker 801*387f9dfdSAndroid Build Coastguard Worker events.ringbuf_submit(data, 0 /* flags */); 802*387f9dfdSAndroid Build Coastguard Worker 803*387f9dfdSAndroid Build Coastguard Worker return 0; 804*387f9dfdSAndroid Build Coastguard Worker} 805*387f9dfdSAndroid Build Coastguard Worker``` 806*387f9dfdSAndroid Build Coastguard Worker 807*387f9dfdSAndroid Build Coastguard WorkerThe output table is named ```events```. Data is allocated via ```events.ringbuf_reserve()``` and pushed to it via ```events.ringbuf_submit()```. 808*387f9dfdSAndroid Build Coastguard Worker 809*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: <!-- TODO --> 810*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=BPF_RINGBUF_OUTPUT+path%3Aexamples&type=Code), 811*387f9dfdSAndroid Build Coastguard Worker 812*387f9dfdSAndroid Build Coastguard Worker### 6. ringbuf_output() 813*387f9dfdSAndroid Build Coastguard Worker 814*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```int ringbuf_output((void *)data, u64 data_size, u64 flags)``` 815*387f9dfdSAndroid Build Coastguard Worker 816*387f9dfdSAndroid Build Coastguard WorkerReturn: 0 on success 817*387f9dfdSAndroid Build Coastguard Worker 818*387f9dfdSAndroid Build Coastguard WorkerFlags: 819*387f9dfdSAndroid Build Coastguard Worker - ```BPF_RB_NO_WAKEUP```: Do not sent notification of new data availability 820*387f9dfdSAndroid Build Coastguard Worker - ```BPF_RB_FORCE_WAKEUP```: Send notification of new data availability unconditionally 821*387f9dfdSAndroid Build Coastguard Worker 822*387f9dfdSAndroid Build Coastguard WorkerA method of the BPF_RINGBUF_OUTPUT table, for submitting custom event data to user space. This method works like ```perf_submit()```, 823*387f9dfdSAndroid Build Coastguard Workeralthough it does not require a ctx argument. 824*387f9dfdSAndroid Build Coastguard Worker 825*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: <!-- TODO --> 826*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=ringbuf_output+path%3Aexamples&type=Code), 827*387f9dfdSAndroid Build Coastguard Worker 828*387f9dfdSAndroid Build Coastguard Worker### 7. ringbuf_reserve() 829*387f9dfdSAndroid Build Coastguard Worker 830*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```void* ringbuf_reserve(u64 data_size)``` 831*387f9dfdSAndroid Build Coastguard Worker 832*387f9dfdSAndroid Build Coastguard WorkerReturn: Pointer to data struct on success, NULL on failure 833*387f9dfdSAndroid Build Coastguard Worker 834*387f9dfdSAndroid Build Coastguard WorkerA method of the BPF_RINGBUF_OUTPUT table, for reserving space in the ring buffer and simultaenously 835*387f9dfdSAndroid Build Coastguard Workerallocating a data struct for output. Must be used with one of ```ringbuf_submit``` or ```ringbuf_discard```. 836*387f9dfdSAndroid Build Coastguard Worker 837*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: <!-- TODO --> 838*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=ringbuf_reserve+path%3Aexamples&type=Code), 839*387f9dfdSAndroid Build Coastguard Worker 840*387f9dfdSAndroid Build Coastguard Worker### 8. ringbuf_submit() 841*387f9dfdSAndroid Build Coastguard Worker 842*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```void ringbuf_submit((void *)data, u64 flags)``` 843*387f9dfdSAndroid Build Coastguard Worker 844*387f9dfdSAndroid Build Coastguard WorkerReturn: Nothing, always succeeds 845*387f9dfdSAndroid Build Coastguard Worker 846*387f9dfdSAndroid Build Coastguard WorkerFlags: 847*387f9dfdSAndroid Build Coastguard Worker - ```BPF_RB_NO_WAKEUP```: Do not sent notification of new data availability 848*387f9dfdSAndroid Build Coastguard Worker - ```BPF_RB_FORCE_WAKEUP```: Send notification of new data availability unconditionally 849*387f9dfdSAndroid Build Coastguard Worker 850*387f9dfdSAndroid Build Coastguard WorkerA method of the BPF_RINGBUF_OUTPUT table, for submitting custom event data to user space. Must be preceded by a call to 851*387f9dfdSAndroid Build Coastguard Worker```ringbuf_reserve()``` to reserve space for the data. 852*387f9dfdSAndroid Build Coastguard Worker 853*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: <!-- TODO --> 854*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=ringbuf_submit+path%3Aexamples&type=Code), 855*387f9dfdSAndroid Build Coastguard Worker 856*387f9dfdSAndroid Build Coastguard Worker### 9. ringbuf_discard() 857*387f9dfdSAndroid Build Coastguard Worker 858*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```void ringbuf_discard((void *)data, u64 flags)``` 859*387f9dfdSAndroid Build Coastguard Worker 860*387f9dfdSAndroid Build Coastguard WorkerReturn: Nothing, always succeeds 861*387f9dfdSAndroid Build Coastguard Worker 862*387f9dfdSAndroid Build Coastguard WorkerFlags: 863*387f9dfdSAndroid Build Coastguard Worker - ```BPF_RB_NO_WAKEUP```: Do not sent notification of new data availability 864*387f9dfdSAndroid Build Coastguard Worker - ```BPF_RB_FORCE_WAKEUP```: Send notification of new data availability unconditionally 865*387f9dfdSAndroid Build Coastguard Worker 866*387f9dfdSAndroid Build Coastguard WorkerA method of the BPF_RINGBUF_OUTPUT table, for discarding custom event data; userspace 867*387f9dfdSAndroid Build Coastguard Workerignores the data associated with the discarded event. Must be preceded by a call to 868*387f9dfdSAndroid Build Coastguard Worker```ringbuf_reserve()``` to reserve space for the data. 869*387f9dfdSAndroid Build Coastguard Worker 870*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: <!-- TODO --> 871*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=ringbuf_submit+path%3Aexamples&type=Code), 872*387f9dfdSAndroid Build Coastguard Worker 873*387f9dfdSAndroid Build Coastguard Worker### 10. ringbuf_query() 874*387f9dfdSAndroid Build Coastguard Worker 875*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```u64 ringbuf_query(u64 flags)``` 876*387f9dfdSAndroid Build Coastguard Worker 877*387f9dfdSAndroid Build Coastguard WorkerReturn: Requested value, or 0, if flags are not recognized 878*387f9dfdSAndroid Build Coastguard Worker 879*387f9dfdSAndroid Build Coastguard WorkerFlags: 880*387f9dfdSAndroid Build Coastguard Worker - ```BPF_RB_AVAIL_DATA```: Amount of data not yet consumed 881*387f9dfdSAndroid Build Coastguard Worker - ```BPF_RB_RING_SIZE```: The size of ring buffer 882*387f9dfdSAndroid Build Coastguard Worker - ```BPF_RB_CONS_POS```: Consumer position 883*387f9dfdSAndroid Build Coastguard Worker - ```BPF_RB_PROD_POS```: Producer(s) position 884*387f9dfdSAndroid Build Coastguard Worker 885*387f9dfdSAndroid Build Coastguard WorkerA method of the BPF_RINGBUF_OUTPUT table, for getting various properties of ring buffer. Returned values are momentarily snapshots of ring buffer state and could be off by the time helper returns, so this should be used only for debugging/reporting reasons or for implementing various heuristics, that take into account highly-changeable nature of some of those characteristics. 886*387f9dfdSAndroid Build Coastguard Worker 887*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: <!-- TODO --> 888*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=ringbuf_query+path%3Aexamples&type=Code), 889*387f9dfdSAndroid Build Coastguard Worker 890*387f9dfdSAndroid Build Coastguard Worker## Maps 891*387f9dfdSAndroid Build Coastguard Worker 892*387f9dfdSAndroid Build Coastguard WorkerMaps are BPF data stores, and are the basis for higher level object types including tables, hashes, and histograms. 893*387f9dfdSAndroid Build Coastguard Worker 894*387f9dfdSAndroid Build Coastguard Worker### 1. BPF_TABLE 895*387f9dfdSAndroid Build Coastguard Worker 896*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_TABLE(_table_type, _key_type, _leaf_type, _name, _max_entries)``` 897*387f9dfdSAndroid Build Coastguard Worker 898*387f9dfdSAndroid Build Coastguard WorkerCreates a map named ```_name```. Most of the time this will be used via higher-level macros, like BPF_HASH, BPF_ARRAY, BPF_HISTOGRAM, etc. 899*387f9dfdSAndroid Build Coastguard Worker 900*387f9dfdSAndroid Build Coastguard Worker`BPF_F_TABLE` is a variant that takes a flag in the last parameter. `BPF_TABLE(...)` is actually a wrapper to `BPF_F_TABLE(..., 0 /* flag */)`. 901*387f9dfdSAndroid Build Coastguard Worker 902*387f9dfdSAndroid Build Coastguard WorkerMethods (covered later): map.lookup(), map.lookup_or_try_init(), map.delete(), map.update(), map.insert(), map.increment(). 903*387f9dfdSAndroid Build Coastguard Worker 904*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 905*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=BPF_TABLE+path%3Aexamples&type=Code), 906*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=BPF_TABLE+path%3Atools&type=Code) 907*387f9dfdSAndroid Build Coastguard Worker 908*387f9dfdSAndroid Build Coastguard Worker#### Pinned Maps 909*387f9dfdSAndroid Build Coastguard Worker 910*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_TABLE_PINNED(_table_type, _key_type, _leaf_type, _name, _max_entries, "/sys/fs/bpf/xyz")``` 911*387f9dfdSAndroid Build Coastguard Worker 912*387f9dfdSAndroid Build Coastguard WorkerCreate a new map if it doesn't exist and pin it to the bpffs as a FILE, otherwise use the map that was pinned to the bpffs. The type information is not enforced and the actual map type depends on the map that got pinned to the location. 913*387f9dfdSAndroid Build Coastguard Worker 914*387f9dfdSAndroid Build Coastguard WorkerFor example: 915*387f9dfdSAndroid Build Coastguard Worker 916*387f9dfdSAndroid Build Coastguard Worker```C 917*387f9dfdSAndroid Build Coastguard WorkerBPF_TABLE_PINNED("hash", u64, u64, ids, 1024, "/sys/fs/bpf/ids"); 918*387f9dfdSAndroid Build Coastguard Worker``` 919*387f9dfdSAndroid Build Coastguard Worker 920*387f9dfdSAndroid Build Coastguard Worker### 2. BPF_HASH 921*387f9dfdSAndroid Build Coastguard Worker 922*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_HASH(name [, key_type [, leaf_type [, size]]])``` 923*387f9dfdSAndroid Build Coastguard Worker 924*387f9dfdSAndroid Build Coastguard WorkerCreates a hash map (associative array) named ```name```, with optional parameters. 925*387f9dfdSAndroid Build Coastguard Worker 926*387f9dfdSAndroid Build Coastguard WorkerDefaults: ```BPF_HASH(name, key_type=u64, leaf_type=u64, size=10240)``` 927*387f9dfdSAndroid Build Coastguard Worker 928*387f9dfdSAndroid Build Coastguard WorkerFor example: 929*387f9dfdSAndroid Build Coastguard Worker 930*387f9dfdSAndroid Build Coastguard Worker```C 931*387f9dfdSAndroid Build Coastguard WorkerBPF_HASH(start, struct request *); 932*387f9dfdSAndroid Build Coastguard Worker``` 933*387f9dfdSAndroid Build Coastguard Worker 934*387f9dfdSAndroid Build Coastguard WorkerThis creates a hash named ```start``` where the key is a ```struct request *```, and the value defaults to u64. This hash is used by the disksnoop.py example for saving timestamps for each I/O request, where the key is the pointer to struct request, and the value is the timestamp. 935*387f9dfdSAndroid Build Coastguard Worker 936*387f9dfdSAndroid Build Coastguard WorkerThis is a wrapper macro for `BPF_TABLE("hash", ...)`. 937*387f9dfdSAndroid Build Coastguard Worker 938*387f9dfdSAndroid Build Coastguard WorkerMethods (covered later): map.lookup(), map.lookup_or_try_init(), map.delete(), map.update(), map.insert(), map.increment(). 939*387f9dfdSAndroid Build Coastguard Worker 940*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 941*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=BPF_HASH+path%3Aexamples&type=Code), 942*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=BPF_HASH+path%3Atools&type=Code) 943*387f9dfdSAndroid Build Coastguard Worker 944*387f9dfdSAndroid Build Coastguard Worker### 3. BPF_ARRAY 945*387f9dfdSAndroid Build Coastguard Worker 946*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_ARRAY(name [, leaf_type [, size]])``` 947*387f9dfdSAndroid Build Coastguard Worker 948*387f9dfdSAndroid Build Coastguard WorkerCreates an int-indexed array which is optimized for fastest lookup and update, named ```name```, with optional parameters. 949*387f9dfdSAndroid Build Coastguard Worker 950*387f9dfdSAndroid Build Coastguard WorkerDefaults: ```BPF_ARRAY(name, leaf_type=u64, size=10240)``` 951*387f9dfdSAndroid Build Coastguard Worker 952*387f9dfdSAndroid Build Coastguard WorkerFor example: 953*387f9dfdSAndroid Build Coastguard Worker 954*387f9dfdSAndroid Build Coastguard Worker```C 955*387f9dfdSAndroid Build Coastguard WorkerBPF_ARRAY(counts, u64, 32); 956*387f9dfdSAndroid Build Coastguard Worker``` 957*387f9dfdSAndroid Build Coastguard Worker 958*387f9dfdSAndroid Build Coastguard WorkerThis creates an array named ```counts``` where with 32 buckets and 64-bit integer values. This array is used by the funccount.py example for saving call count of each function. 959*387f9dfdSAndroid Build Coastguard Worker 960*387f9dfdSAndroid Build Coastguard WorkerThis is a wrapper macro for `BPF_TABLE("array", ...)`. 961*387f9dfdSAndroid Build Coastguard Worker 962*387f9dfdSAndroid Build Coastguard WorkerMethods (covered later): map.lookup(), map.update(), map.increment(). Note that all array elements are pre-allocated with zero values and can not be deleted. 963*387f9dfdSAndroid Build Coastguard Worker 964*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 965*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=BPF_ARRAY+path%3Aexamples&type=Code), 966*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=BPF_ARRAY+path%3Atools&type=Code) 967*387f9dfdSAndroid Build Coastguard Worker 968*387f9dfdSAndroid Build Coastguard Worker### 4. BPF_HISTOGRAM 969*387f9dfdSAndroid Build Coastguard Worker 970*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_HISTOGRAM(name [, key_type [, size ]])``` 971*387f9dfdSAndroid Build Coastguard Worker 972*387f9dfdSAndroid Build Coastguard WorkerCreates a histogram map named ```name```, with optional parameters. 973*387f9dfdSAndroid Build Coastguard Worker 974*387f9dfdSAndroid Build Coastguard WorkerDefaults: ```BPF_HISTOGRAM(name, key_type=int, size=64)``` 975*387f9dfdSAndroid Build Coastguard Worker 976*387f9dfdSAndroid Build Coastguard WorkerFor example: 977*387f9dfdSAndroid Build Coastguard Worker 978*387f9dfdSAndroid Build Coastguard Worker```C 979*387f9dfdSAndroid Build Coastguard WorkerBPF_HISTOGRAM(dist); 980*387f9dfdSAndroid Build Coastguard Worker``` 981*387f9dfdSAndroid Build Coastguard Worker 982*387f9dfdSAndroid Build Coastguard WorkerThis creates a histogram named ```dist```, which defaults to 64 buckets indexed by keys of type int. 983*387f9dfdSAndroid Build Coastguard Worker 984*387f9dfdSAndroid Build Coastguard WorkerThis is a wrapper macro for `BPF_TABLE("histgram", ...)`. 985*387f9dfdSAndroid Build Coastguard Worker 986*387f9dfdSAndroid Build Coastguard WorkerMethods (covered later): map.increment(). 987*387f9dfdSAndroid Build Coastguard Worker 988*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 989*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=BPF_HISTOGRAM+path%3Aexamples&type=Code), 990*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=BPF_HISTOGRAM+path%3Atools&type=Code) 991*387f9dfdSAndroid Build Coastguard Worker 992*387f9dfdSAndroid Build Coastguard Worker### 5. BPF_STACK_TRACE 993*387f9dfdSAndroid Build Coastguard Worker 994*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_STACK_TRACE(name, max_entries)``` 995*387f9dfdSAndroid Build Coastguard Worker 996*387f9dfdSAndroid Build Coastguard WorkerCreates stack trace map named ```name```, with a maximum entry count provided. These maps are used to store stack traces. 997*387f9dfdSAndroid Build Coastguard Worker 998*387f9dfdSAndroid Build Coastguard WorkerFor example: 999*387f9dfdSAndroid Build Coastguard Worker 1000*387f9dfdSAndroid Build Coastguard Worker```C 1001*387f9dfdSAndroid Build Coastguard WorkerBPF_STACK_TRACE(stack_traces, 1024); 1002*387f9dfdSAndroid Build Coastguard Worker``` 1003*387f9dfdSAndroid Build Coastguard Worker 1004*387f9dfdSAndroid Build Coastguard WorkerThis creates stack trace map named ```stack_traces```, with a maximum number of stack trace entries of 1024. 1005*387f9dfdSAndroid Build Coastguard Worker 1006*387f9dfdSAndroid Build Coastguard WorkerThis is a wrapper macro for `BPF_TABLE("stacktrace", ...)`. 1007*387f9dfdSAndroid Build Coastguard Worker 1008*387f9dfdSAndroid Build Coastguard WorkerMethods (covered later): map.get_stackid(). 1009*387f9dfdSAndroid Build Coastguard Worker 1010*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1011*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=BPF_STACK_TRACE+path%3Aexamples&type=Code), 1012*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=BPF_STACK_TRACE+path%3Atools&type=Code) 1013*387f9dfdSAndroid Build Coastguard Worker 1014*387f9dfdSAndroid Build Coastguard Worker### 6. BPF_PERF_ARRAY 1015*387f9dfdSAndroid Build Coastguard Worker 1016*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_PERF_ARRAY(name, max_entries)``` 1017*387f9dfdSAndroid Build Coastguard Worker 1018*387f9dfdSAndroid Build Coastguard WorkerCreates perf array named ```name```, with a maximum entry count provided, which must be equal to the number of system cpus. These maps are used to fetch hardware performance counters. 1019*387f9dfdSAndroid Build Coastguard Worker 1020*387f9dfdSAndroid Build Coastguard WorkerFor example: 1021*387f9dfdSAndroid Build Coastguard Worker 1022*387f9dfdSAndroid Build Coastguard Worker```C 1023*387f9dfdSAndroid Build Coastguard Workertext=""" 1024*387f9dfdSAndroid Build Coastguard WorkerBPF_PERF_ARRAY(cpu_cycles, NUM_CPUS); 1025*387f9dfdSAndroid Build Coastguard Worker""" 1026*387f9dfdSAndroid Build Coastguard Workerb = bcc.BPF(text=text, cflags=["-DNUM_CPUS=%d" % multiprocessing.cpu_count()]) 1027*387f9dfdSAndroid Build Coastguard Workerb["cpu_cycles"].open_perf_event(b["cpu_cycles"].HW_CPU_CYCLES) 1028*387f9dfdSAndroid Build Coastguard Worker``` 1029*387f9dfdSAndroid Build Coastguard Worker 1030*387f9dfdSAndroid Build Coastguard WorkerThis creates a perf array named ```cpu_cycles```, with number of entries equal to the number of cpus/cores. The array is configured so that later calling map.perf_read() will return a hardware-calculated counter of the number of cycles elapsed from some point in the past. Only one type of hardware counter may be configured per table at a time. 1031*387f9dfdSAndroid Build Coastguard Worker 1032*387f9dfdSAndroid Build Coastguard WorkerMethods (covered later): map.perf_read(). 1033*387f9dfdSAndroid Build Coastguard Worker 1034*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1035*387f9dfdSAndroid Build Coastguard Worker[search /tests](https://github.com/iovisor/bcc/search?q=BPF_PERF_ARRAY+path%3Atests&type=Code) 1036*387f9dfdSAndroid Build Coastguard Worker 1037*387f9dfdSAndroid Build Coastguard Worker### 7. BPF_PERCPU_HASH 1038*387f9dfdSAndroid Build Coastguard Worker 1039*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_PERCPU_HASH(name [, key_type [, leaf_type [, size]]])``` 1040*387f9dfdSAndroid Build Coastguard Worker 1041*387f9dfdSAndroid Build Coastguard WorkerCreates NUM_CPU int-indexed hash maps (associative arrays) named ```name```, with optional parameters. Each CPU will have a separate copy of this array. The copies are not kept synchronized in any way. 1042*387f9dfdSAndroid Build Coastguard Worker 1043*387f9dfdSAndroid Build Coastguard WorkerNote that due to limits defined in the kernel (in linux/mm/percpu.c), the ```leaf_type``` cannot have a size of more than 32KB. 1044*387f9dfdSAndroid Build Coastguard WorkerIn other words, ```BPF_PERCPU_HASH``` elements cannot be larger than 32KB in size. 1045*387f9dfdSAndroid Build Coastguard Worker 1046*387f9dfdSAndroid Build Coastguard Worker 1047*387f9dfdSAndroid Build Coastguard WorkerDefaults: ```BPF_PERCPU_HASH(name, key_type=u64, leaf_type=u64, size=10240)``` 1048*387f9dfdSAndroid Build Coastguard Worker 1049*387f9dfdSAndroid Build Coastguard WorkerFor example: 1050*387f9dfdSAndroid Build Coastguard Worker 1051*387f9dfdSAndroid Build Coastguard Worker```C 1052*387f9dfdSAndroid Build Coastguard WorkerBPF_PERCPU_HASH(start, struct request *); 1053*387f9dfdSAndroid Build Coastguard Worker``` 1054*387f9dfdSAndroid Build Coastguard Worker 1055*387f9dfdSAndroid Build Coastguard WorkerThis creates NUM_CPU hashes named ```start``` where the key is a ```struct request *```, and the value defaults to u64. 1056*387f9dfdSAndroid Build Coastguard Worker 1057*387f9dfdSAndroid Build Coastguard WorkerThis is a wrapper macro for `BPF_TABLE("percpu_hash", ...)`. 1058*387f9dfdSAndroid Build Coastguard Worker 1059*387f9dfdSAndroid Build Coastguard WorkerMethods (covered later): map.lookup(), map.lookup_or_try_init(), map.delete(), map.update(), map.insert(), map.increment(). 1060*387f9dfdSAndroid Build Coastguard Worker 1061*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1062*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=BPF_PERCPU_HASH+path%3Aexamples&type=Code), 1063*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=BPF_PERCPU_HASH+path%3Atools&type=Code) 1064*387f9dfdSAndroid Build Coastguard Worker 1065*387f9dfdSAndroid Build Coastguard Worker 1066*387f9dfdSAndroid Build Coastguard Worker### 8. BPF_PERCPU_ARRAY 1067*387f9dfdSAndroid Build Coastguard Worker 1068*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_PERCPU_ARRAY(name [, leaf_type [, size]])``` 1069*387f9dfdSAndroid Build Coastguard Worker 1070*387f9dfdSAndroid Build Coastguard WorkerCreates NUM_CPU int-indexed arrays which are optimized for fastest lookup and update, named ```name```, with optional parameters. Each CPU will have a separate copy of this array. The copies are not kept synchronized in any way. 1071*387f9dfdSAndroid Build Coastguard Worker 1072*387f9dfdSAndroid Build Coastguard WorkerNote that due to limits defined in the kernel (in linux/mm/percpu.c), the ```leaf_type``` cannot have a size of more than 32KB. 1073*387f9dfdSAndroid Build Coastguard WorkerIn other words, ```BPF_PERCPU_ARRAY``` elements cannot be larger than 32KB in size. 1074*387f9dfdSAndroid Build Coastguard Worker 1075*387f9dfdSAndroid Build Coastguard Worker 1076*387f9dfdSAndroid Build Coastguard WorkerDefaults: ```BPF_PERCPU_ARRAY(name, leaf_type=u64, size=10240)``` 1077*387f9dfdSAndroid Build Coastguard Worker 1078*387f9dfdSAndroid Build Coastguard WorkerFor example: 1079*387f9dfdSAndroid Build Coastguard Worker 1080*387f9dfdSAndroid Build Coastguard Worker```C 1081*387f9dfdSAndroid Build Coastguard WorkerBPF_PERCPU_ARRAY(counts, u64, 32); 1082*387f9dfdSAndroid Build Coastguard Worker``` 1083*387f9dfdSAndroid Build Coastguard Worker 1084*387f9dfdSAndroid Build Coastguard WorkerThis creates NUM_CPU arrays named ```counts``` where with 32 buckets and 64-bit integer values. 1085*387f9dfdSAndroid Build Coastguard Worker 1086*387f9dfdSAndroid Build Coastguard WorkerThis is a wrapper macro for `BPF_TABLE("percpu_array", ...)`. 1087*387f9dfdSAndroid Build Coastguard Worker 1088*387f9dfdSAndroid Build Coastguard WorkerMethods (covered later): map.lookup(), map.update(), map.increment(). Note that all array elements are pre-allocated with zero values and can not be deleted. 1089*387f9dfdSAndroid Build Coastguard Worker 1090*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1091*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=BPF_PERCPU_ARRAY+path%3Aexamples&type=Code), 1092*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=BPF_PERCPU_ARRAY+path%3Atools&type=Code) 1093*387f9dfdSAndroid Build Coastguard Worker 1094*387f9dfdSAndroid Build Coastguard Worker### 9. BPF_LPM_TRIE 1095*387f9dfdSAndroid Build Coastguard Worker 1096*387f9dfdSAndroid Build Coastguard WorkerSyntax: `BPF_LPM_TRIE(name [, key_type [, leaf_type [, size]]])` 1097*387f9dfdSAndroid Build Coastguard Worker 1098*387f9dfdSAndroid Build Coastguard WorkerCreates a longest prefix match trie map named `name`, with optional parameters. 1099*387f9dfdSAndroid Build Coastguard Worker 1100*387f9dfdSAndroid Build Coastguard WorkerDefaults: `BPF_LPM_TRIE(name, key_type=u64, leaf_type=u64, size=10240)` 1101*387f9dfdSAndroid Build Coastguard Worker 1102*387f9dfdSAndroid Build Coastguard WorkerFor example: 1103*387f9dfdSAndroid Build Coastguard Worker 1104*387f9dfdSAndroid Build Coastguard Worker```c 1105*387f9dfdSAndroid Build Coastguard WorkerBPF_LPM_TRIE(trie, struct key_v6); 1106*387f9dfdSAndroid Build Coastguard Worker``` 1107*387f9dfdSAndroid Build Coastguard Worker 1108*387f9dfdSAndroid Build Coastguard WorkerThis creates an LPM trie map named `trie` where the key is a `struct key_v6`, and the value defaults to u64. 1109*387f9dfdSAndroid Build Coastguard Worker 1110*387f9dfdSAndroid Build Coastguard WorkerThis is a wrapper macro to `BPF_F_TABLE("lpm_trie", ..., BPF_F_NO_PREALLOC)`. 1111*387f9dfdSAndroid Build Coastguard Worker 1112*387f9dfdSAndroid Build Coastguard WorkerMethods (covered later): map.lookup(), map.lookup_or_try_init(), map.delete(), map.update(), map.insert(), map.increment(). 1113*387f9dfdSAndroid Build Coastguard Worker 1114*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1115*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=BPF_LPM_TRIE+path%3Aexamples&type=Code), 1116*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=BPF_LPM_TRIE+path%3Atools&type=Code) 1117*387f9dfdSAndroid Build Coastguard Worker 1118*387f9dfdSAndroid Build Coastguard Worker### 10. BPF_PROG_ARRAY 1119*387f9dfdSAndroid Build Coastguard Worker 1120*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_PROG_ARRAY(name, size)``` 1121*387f9dfdSAndroid Build Coastguard Worker 1122*387f9dfdSAndroid Build Coastguard WorkerThis creates a program array named ```name``` with ```size``` entries. Each entry of the array is either a file descriptor to a bpf program or ```NULL```. The array acts as a jump table so that bpf programs can "tail-call" other bpf programs. 1123*387f9dfdSAndroid Build Coastguard Worker 1124*387f9dfdSAndroid Build Coastguard WorkerThis is a wrapper macro for `BPF_TABLE("prog", ...)`. 1125*387f9dfdSAndroid Build Coastguard Worker 1126*387f9dfdSAndroid Build Coastguard WorkerMethods (covered later): map.call(). 1127*387f9dfdSAndroid Build Coastguard Worker 1128*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1129*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=BPF_PROG_ARRAY+path%3Aexamples&type=Code), 1130*387f9dfdSAndroid Build Coastguard Worker[search /tests](https://github.com/iovisor/bcc/search?q=BPF_PROG_ARRAY+path%3Atests&type=Code), 1131*387f9dfdSAndroid Build Coastguard Worker[assign fd](https://github.com/iovisor/bcc/blob/master/examples/networking/tunnel_monitor/monitor.py#L24-L26) 1132*387f9dfdSAndroid Build Coastguard Worker 1133*387f9dfdSAndroid Build Coastguard Worker### 11. BPF_DEVMAP 1134*387f9dfdSAndroid Build Coastguard Worker 1135*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_DEVMAP(name, size)``` 1136*387f9dfdSAndroid Build Coastguard Worker 1137*387f9dfdSAndroid Build Coastguard WorkerThis creates a device map named ```name``` with ```size``` entries. Each entry of the map is an `ifindex` to a network interface. This map is only used in XDP. 1138*387f9dfdSAndroid Build Coastguard Worker 1139*387f9dfdSAndroid Build Coastguard WorkerFor example: 1140*387f9dfdSAndroid Build Coastguard Worker```C 1141*387f9dfdSAndroid Build Coastguard WorkerBPF_DEVMAP(devmap, 10); 1142*387f9dfdSAndroid Build Coastguard Worker``` 1143*387f9dfdSAndroid Build Coastguard Worker 1144*387f9dfdSAndroid Build Coastguard WorkerMethods (covered later): map.redirect_map(). 1145*387f9dfdSAndroid Build Coastguard Worker 1146*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1147*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=BPF_DEVMAP+path%3Aexamples&type=Code), 1148*387f9dfdSAndroid Build Coastguard Worker 1149*387f9dfdSAndroid Build Coastguard Worker### 12. BPF_CPUMAP 1150*387f9dfdSAndroid Build Coastguard Worker 1151*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_CPUMAP(name, size)``` 1152*387f9dfdSAndroid Build Coastguard Worker 1153*387f9dfdSAndroid Build Coastguard WorkerThis creates a cpu map named ```name``` with ```size``` entries. The index of the map represents the CPU id and each entry is the size of the ring buffer allocated for the CPU. This map is only used in XDP. 1154*387f9dfdSAndroid Build Coastguard Worker 1155*387f9dfdSAndroid Build Coastguard WorkerFor example: 1156*387f9dfdSAndroid Build Coastguard Worker```C 1157*387f9dfdSAndroid Build Coastguard WorkerBPF_CPUMAP(cpumap, 16); 1158*387f9dfdSAndroid Build Coastguard Worker``` 1159*387f9dfdSAndroid Build Coastguard Worker 1160*387f9dfdSAndroid Build Coastguard WorkerMethods (covered later): map.redirect_map(). 1161*387f9dfdSAndroid Build Coastguard Worker 1162*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1163*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=BPF_CPUMAP+path%3Aexamples&type=Code), 1164*387f9dfdSAndroid Build Coastguard Worker 1165*387f9dfdSAndroid Build Coastguard Worker### 13. BPF_XSKMAP 1166*387f9dfdSAndroid Build Coastguard Worker 1167*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_XSKMAP(name, size [, "/sys/fs/bpf/xyz"])``` 1168*387f9dfdSAndroid Build Coastguard Worker 1169*387f9dfdSAndroid Build Coastguard WorkerThis creates a xsk map named ```name``` with ```size``` entries and pin it to the bpffs as a FILE. Each entry represents one NIC's queue id. This map is only used in XDP to redirect packet to an AF_XDP socket. If the AF_XDP socket is binded to a queue which is different than the current packet's queue id, the packet will be dropped. For kernel v5.3 and latter, `lookup` method is available and can be used to check whether and AF_XDP socket is available for the current packet's queue id. More details at [AF_XDP](https://www.kernel.org/doc/html/latest/networking/af_xdp.html). 1170*387f9dfdSAndroid Build Coastguard Worker 1171*387f9dfdSAndroid Build Coastguard WorkerFor example: 1172*387f9dfdSAndroid Build Coastguard Worker```C 1173*387f9dfdSAndroid Build Coastguard WorkerBPF_XSKMAP(xsks_map, 8); 1174*387f9dfdSAndroid Build Coastguard Worker``` 1175*387f9dfdSAndroid Build Coastguard Worker 1176*387f9dfdSAndroid Build Coastguard WorkerMethods (covered later): map.redirect_map(). map.lookup() 1177*387f9dfdSAndroid Build Coastguard Worker 1178*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1179*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=BPF_XSKMAP+path%3Aexamples&type=Code), 1180*387f9dfdSAndroid Build Coastguard Worker 1181*387f9dfdSAndroid Build Coastguard Worker### 14. BPF_ARRAY_OF_MAPS 1182*387f9dfdSAndroid Build Coastguard Worker 1183*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_ARRAY_OF_MAPS(name, inner_map_name, size)``` 1184*387f9dfdSAndroid Build Coastguard Worker 1185*387f9dfdSAndroid Build Coastguard WorkerThis creates an array map with a map-in-map type (BPF_MAP_TYPE_HASH_OF_MAPS) map named ```name``` with ```size``` entries. The inner map meta data is provided by map ```inner_map_name``` and can be most of array or hash maps except ```BPF_MAP_TYPE_PROG_ARRAY```, ```BPF_MAP_TYPE_CGROUP_STORAGE``` and ```BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE```. 1186*387f9dfdSAndroid Build Coastguard Worker 1187*387f9dfdSAndroid Build Coastguard WorkerFor example: 1188*387f9dfdSAndroid Build Coastguard Worker```C 1189*387f9dfdSAndroid Build Coastguard WorkerBPF_TABLE("hash", int, int, ex1, 1024); 1190*387f9dfdSAndroid Build Coastguard WorkerBPF_TABLE("hash", int, int, ex2, 1024); 1191*387f9dfdSAndroid Build Coastguard WorkerBPF_ARRAY_OF_MAPS(maps_array, "ex1", 10); 1192*387f9dfdSAndroid Build Coastguard Worker``` 1193*387f9dfdSAndroid Build Coastguard Worker 1194*387f9dfdSAndroid Build Coastguard Worker### 15. BPF_HASH_OF_MAPS 1195*387f9dfdSAndroid Build Coastguard Worker 1196*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_HASH_OF_MAPS(name, key_type, inner_map_name, size)``` 1197*387f9dfdSAndroid Build Coastguard Worker 1198*387f9dfdSAndroid Build Coastguard WorkerThis creates a hash map with a map-in-map type (BPF_MAP_TYPE_HASH_OF_MAPS) map named ```name``` with ```size``` entries. The inner map meta data is provided by map ```inner_map_name``` and can be most of array or hash maps except ```BPF_MAP_TYPE_PROG_ARRAY```, ```BPF_MAP_TYPE_CGROUP_STORAGE``` and ```BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE```. 1199*387f9dfdSAndroid Build Coastguard Worker 1200*387f9dfdSAndroid Build Coastguard WorkerFor example: 1201*387f9dfdSAndroid Build Coastguard Worker```C 1202*387f9dfdSAndroid Build Coastguard WorkerBPF_ARRAY(ex1, int, 1024); 1203*387f9dfdSAndroid Build Coastguard WorkerBPF_ARRAY(ex2, int, 1024); 1204*387f9dfdSAndroid Build Coastguard WorkerBPF_HASH_OF_MAPS(maps_hash, struct custom_key, "ex1", 10); 1205*387f9dfdSAndroid Build Coastguard Worker``` 1206*387f9dfdSAndroid Build Coastguard Worker 1207*387f9dfdSAndroid Build Coastguard Worker### 16. BPF_STACK 1208*387f9dfdSAndroid Build Coastguard Worker 1209*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_STACK(name, leaf_type, max_entries[, flags])``` 1210*387f9dfdSAndroid Build Coastguard Worker 1211*387f9dfdSAndroid Build Coastguard WorkerCreates a stack named ```name``` with value type ```leaf_type``` and max entries ```max_entries```. 1212*387f9dfdSAndroid Build Coastguard WorkerStack and Queue maps are only available from Linux 4.20+. 1213*387f9dfdSAndroid Build Coastguard Worker 1214*387f9dfdSAndroid Build Coastguard WorkerFor example: 1215*387f9dfdSAndroid Build Coastguard Worker 1216*387f9dfdSAndroid Build Coastguard Worker```C 1217*387f9dfdSAndroid Build Coastguard WorkerBPF_STACK(stack, struct event, 10240); 1218*387f9dfdSAndroid Build Coastguard Worker``` 1219*387f9dfdSAndroid Build Coastguard Worker 1220*387f9dfdSAndroid Build Coastguard WorkerThis creates a stack named ```stack``` where the value type is ```struct event```, that holds up to 10240 entries. 1221*387f9dfdSAndroid Build Coastguard Worker 1222*387f9dfdSAndroid Build Coastguard WorkerMethods (covered later): map.push(), map.pop(), map.peek(). 1223*387f9dfdSAndroid Build Coastguard Worker 1224*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1225*387f9dfdSAndroid Build Coastguard Worker[search /tests](https://github.com/iovisor/bcc/search?q=BPF_STACK+path%3Atests&type=Code), 1226*387f9dfdSAndroid Build Coastguard Worker 1227*387f9dfdSAndroid Build Coastguard Worker### 17. BPF_QUEUE 1228*387f9dfdSAndroid Build Coastguard Worker 1229*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_QUEUE(name, leaf_type, max_entries[, flags])``` 1230*387f9dfdSAndroid Build Coastguard Worker 1231*387f9dfdSAndroid Build Coastguard WorkerCreates a queue named ```name``` with value type ```leaf_type``` and max entries ```max_entries```. 1232*387f9dfdSAndroid Build Coastguard WorkerStack and Queue maps are only available from Linux 4.20+. 1233*387f9dfdSAndroid Build Coastguard Worker 1234*387f9dfdSAndroid Build Coastguard WorkerFor example: 1235*387f9dfdSAndroid Build Coastguard Worker 1236*387f9dfdSAndroid Build Coastguard Worker```C 1237*387f9dfdSAndroid Build Coastguard WorkerBPF_QUEUE(queue, struct event, 10240); 1238*387f9dfdSAndroid Build Coastguard Worker``` 1239*387f9dfdSAndroid Build Coastguard Worker 1240*387f9dfdSAndroid Build Coastguard WorkerThis creates a queue named ```queue``` where the value type is ```struct event```, that holds up to 10240 entries. 1241*387f9dfdSAndroid Build Coastguard Worker 1242*387f9dfdSAndroid Build Coastguard WorkerMethods (covered later): map.push(), map.pop(), map.peek(). 1243*387f9dfdSAndroid Build Coastguard Worker 1244*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1245*387f9dfdSAndroid Build Coastguard Worker[search /tests](https://github.com/iovisor/bcc/search?q=BPF_QUEUE+path%3Atests&type=Code), 1246*387f9dfdSAndroid Build Coastguard Worker 1247*387f9dfdSAndroid Build Coastguard Worker### 18. BPF_SOCKHASH 1248*387f9dfdSAndroid Build Coastguard Worker 1249*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF_SOCKHASH(name[, key_type [, max_entries)``` 1250*387f9dfdSAndroid Build Coastguard Worker 1251*387f9dfdSAndroid Build Coastguard WorkerCreates a hash named ```name```, with optional parameters. sockhash is only available from Linux 4.18+. 1252*387f9dfdSAndroid Build Coastguard Worker 1253*387f9dfdSAndroid Build Coastguard WorkerDefault: ```BPF_SOCKHASH(name, key_type=u32, max_entries=10240)``` 1254*387f9dfdSAndroid Build Coastguard Worker 1255*387f9dfdSAndroid Build Coastguard WorkerFor example: 1256*387f9dfdSAndroid Build Coastguard Worker 1257*387f9dfdSAndroid Build Coastguard Worker```C 1258*387f9dfdSAndroid Build Coastguard Workerstruct sock_key { 1259*387f9dfdSAndroid Build Coastguard Worker u32 remote_ip4; 1260*387f9dfdSAndroid Build Coastguard Worker u32 local_ip4; 1261*387f9dfdSAndroid Build Coastguard Worker u32 remote_port; 1262*387f9dfdSAndroid Build Coastguard Worker u32 local_port; 1263*387f9dfdSAndroid Build Coastguard Worker}; 1264*387f9dfdSAndroid Build Coastguard WorkerBPF_HASH(skh, struct sock_key, 65535); 1265*387f9dfdSAndroid Build Coastguard Worker``` 1266*387f9dfdSAndroid Build Coastguard Worker 1267*387f9dfdSAndroid Build Coastguard WorkerThis creates a hash named ```skh``` where the key is a ```struct sock_key```. 1268*387f9dfdSAndroid Build Coastguard Worker 1269*387f9dfdSAndroid Build Coastguard WorkerA sockhash is a BPF map type that holds references to sock structs. Then with a new sk/msg redirect bpf helper BPF programs can use the map to redirect skbs/msgs between sockets (```map.sk_redirect_hash()/map.msg_redirect_hash()```). 1270*387f9dfdSAndroid Build Coastguard Worker 1271*387f9dfdSAndroid Build Coastguard WorkerThe difference between ```BPF_SOCKHASH``` and ```BPF_SOCKMAP``` is that ```BPF_SOCKMAP``` is implemented based on an array, and enforces keys to be four bytes. While ```BPF_SOCKHASH``` is implemented based on hash table, and the type of key can be specified freely. 1272*387f9dfdSAndroid Build Coastguard Worker 1273*387f9dfdSAndroid Build Coastguard WorkerMethods (covered later): map.sock_hash_update(), map.msg_redirect_hash(), map.sk_redirect_hash(). 1274*387f9dfdSAndroid Build Coastguard Worker 1275*387f9dfdSAndroid Build Coastguard Worker[search /tests](https://github.com/iovisor/bcc/search?q=BPF_SOCKHASH+path%3Atests&type=Code) 1276*387f9dfdSAndroid Build Coastguard Worker 1277*387f9dfdSAndroid Build Coastguard Worker### 19. map.lookup() 1278*387f9dfdSAndroid Build Coastguard Worker 1279*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```*val map.lookup(&key)``` 1280*387f9dfdSAndroid Build Coastguard Worker 1281*387f9dfdSAndroid Build Coastguard WorkerLookup the key in the map, and return a pointer to its value if it exists, else NULL. We pass the key in as an address to a pointer. 1282*387f9dfdSAndroid Build Coastguard Worker 1283*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1284*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=lookup+path%3Aexamples&type=Code), 1285*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=lookup+path%3Atools&type=Code) 1286*387f9dfdSAndroid Build Coastguard Worker 1287*387f9dfdSAndroid Build Coastguard Worker### 20. map.lookup_or_try_init() 1288*387f9dfdSAndroid Build Coastguard Worker 1289*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```*val map.lookup_or_try_init(&key, &zero)``` 1290*387f9dfdSAndroid Build Coastguard Worker 1291*387f9dfdSAndroid Build Coastguard WorkerLookup the key in the map, and return a pointer to its value if it exists, else initialize the key's value to the second argument. This is often used to initialize values to zero. If the key cannot be inserted (e.g. the map is full) then NULL is returned. 1292*387f9dfdSAndroid Build Coastguard Worker 1293*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1294*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=lookup_or_try_init+path%3Aexamples&type=Code), 1295*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=lookup_or_try_init+path%3Atools&type=Code) 1296*387f9dfdSAndroid Build Coastguard Worker 1297*387f9dfdSAndroid Build Coastguard WorkerNote: The old map.lookup_or_init() may cause return from the function, so lookup_or_try_init() is recommended as it 1298*387f9dfdSAndroid Build Coastguard Workerdoes not have this side effect. 1299*387f9dfdSAndroid Build Coastguard Worker 1300*387f9dfdSAndroid Build Coastguard Worker### 21. map.delete() 1301*387f9dfdSAndroid Build Coastguard Worker 1302*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```map.delete(&key)``` 1303*387f9dfdSAndroid Build Coastguard Worker 1304*387f9dfdSAndroid Build Coastguard WorkerDelete the key from the hash. 1305*387f9dfdSAndroid Build Coastguard Worker 1306*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1307*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=delete+path%3Aexamples&type=Code), 1308*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=delete+path%3Atools&type=Code) 1309*387f9dfdSAndroid Build Coastguard Worker 1310*387f9dfdSAndroid Build Coastguard Worker### 22. map.update() 1311*387f9dfdSAndroid Build Coastguard Worker 1312*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```map.update(&key, &val)``` 1313*387f9dfdSAndroid Build Coastguard Worker 1314*387f9dfdSAndroid Build Coastguard WorkerAssociate the value in the second argument to the key, overwriting any previous value. 1315*387f9dfdSAndroid Build Coastguard Worker 1316*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1317*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=update+path%3Aexamples&type=Code), 1318*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=update+path%3Atools&type=Code) 1319*387f9dfdSAndroid Build Coastguard Worker 1320*387f9dfdSAndroid Build Coastguard Worker### 23. map.insert() 1321*387f9dfdSAndroid Build Coastguard Worker 1322*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```map.insert(&key, &val)``` 1323*387f9dfdSAndroid Build Coastguard Worker 1324*387f9dfdSAndroid Build Coastguard WorkerAssociate the value in the second argument to the key, only if there was no previous value. 1325*387f9dfdSAndroid Build Coastguard Worker 1326*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1327*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=insert+path%3Aexamples&type=Code), 1328*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=insert+path%3Atools&type=Code) 1329*387f9dfdSAndroid Build Coastguard Worker 1330*387f9dfdSAndroid Build Coastguard Worker### 24. map.increment() 1331*387f9dfdSAndroid Build Coastguard Worker 1332*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```map.increment(key[, increment_amount])``` 1333*387f9dfdSAndroid Build Coastguard Worker 1334*387f9dfdSAndroid Build Coastguard WorkerIncrements the key's value by `increment_amount`, which defaults to 1. Used for histograms. 1335*387f9dfdSAndroid Build Coastguard Worker 1336*387f9dfdSAndroid Build Coastguard Worker```map.increment()``` are not atomic. In the concurrency case. If you want more accurate results, use ```map.atomic_increment()``` instead of ```map.increment()```. The overhead of ```map.increment()``` and ```map.atomic_increment()``` is similar. 1337*387f9dfdSAndroid Build Coastguard Worker 1338*387f9dfdSAndroid Build Coastguard WorkerNote. When using ```map.atomic_increment()``` to operate on a BPF map of type ```BPF_MAP_TYPE_HASH```, ```map.atomic_increment()``` does not guarantee the atomicity of the operation when the specified key does not exist. 1339*387f9dfdSAndroid Build Coastguard Worker 1340*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1341*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=increment+path%3Aexamples&type=Code), 1342*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=increment+path%3Atools&type=Code) 1343*387f9dfdSAndroid Build Coastguard Worker 1344*387f9dfdSAndroid Build Coastguard Worker### 25. map.get_stackid() 1345*387f9dfdSAndroid Build Coastguard Worker 1346*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```int map.get_stackid(void *ctx, u64 flags)``` 1347*387f9dfdSAndroid Build Coastguard Worker 1348*387f9dfdSAndroid Build Coastguard WorkerThis walks the stack found via the struct pt_regs in ```ctx```, saves it in the stack trace map, and returns a unique ID for the stack trace. 1349*387f9dfdSAndroid Build Coastguard Worker 1350*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1351*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=get_stackid+path%3Aexamples&type=Code), 1352*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=get_stackid+path%3Atools&type=Code) 1353*387f9dfdSAndroid Build Coastguard Worker 1354*387f9dfdSAndroid Build Coastguard Worker### 26. map.perf_read() 1355*387f9dfdSAndroid Build Coastguard Worker 1356*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```u64 map.perf_read(u32 cpu)``` 1357*387f9dfdSAndroid Build Coastguard Worker 1358*387f9dfdSAndroid Build Coastguard WorkerThis returns the hardware performance counter as configured in [5. BPF_PERF_ARRAY](#5-bpf_perf_array) 1359*387f9dfdSAndroid Build Coastguard Worker 1360*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1361*387f9dfdSAndroid Build Coastguard Worker[search /tests](https://github.com/iovisor/bcc/search?q=perf_read+path%3Atests&type=Code) 1362*387f9dfdSAndroid Build Coastguard Worker 1363*387f9dfdSAndroid Build Coastguard Worker### 27. map.call() 1364*387f9dfdSAndroid Build Coastguard Worker 1365*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```void map.call(void *ctx, int index)``` 1366*387f9dfdSAndroid Build Coastguard Worker 1367*387f9dfdSAndroid Build Coastguard WorkerThis invokes ```bpf_tail_call()``` to tail-call the bpf program which the ```index``` entry in [BPF_PROG_ARRAY](#10-bpf_prog_array) points to. A tail-call is different from the normal call. It reuses the current stack frame after jumping to another bpf program and never goes back. If the ```index``` entry is empty, it won't jump anywhere and the program execution continues as normal. 1368*387f9dfdSAndroid Build Coastguard Worker 1369*387f9dfdSAndroid Build Coastguard WorkerFor example: 1370*387f9dfdSAndroid Build Coastguard Worker 1371*387f9dfdSAndroid Build Coastguard Worker```C 1372*387f9dfdSAndroid Build Coastguard WorkerBPF_PROG_ARRAY(prog_array, 10); 1373*387f9dfdSAndroid Build Coastguard Worker 1374*387f9dfdSAndroid Build Coastguard Workerint tail_call(void *ctx) { 1375*387f9dfdSAndroid Build Coastguard Worker bpf_trace_printk("Tail-call\n"); 1376*387f9dfdSAndroid Build Coastguard Worker return 0; 1377*387f9dfdSAndroid Build Coastguard Worker} 1378*387f9dfdSAndroid Build Coastguard Worker 1379*387f9dfdSAndroid Build Coastguard Workerint do_tail_call(void *ctx) { 1380*387f9dfdSAndroid Build Coastguard Worker bpf_trace_printk("Original program\n"); 1381*387f9dfdSAndroid Build Coastguard Worker prog_array.call(ctx, 2); 1382*387f9dfdSAndroid Build Coastguard Worker return 0; 1383*387f9dfdSAndroid Build Coastguard Worker} 1384*387f9dfdSAndroid Build Coastguard Worker``` 1385*387f9dfdSAndroid Build Coastguard Worker 1386*387f9dfdSAndroid Build Coastguard Worker```Python 1387*387f9dfdSAndroid Build Coastguard Workerb = BPF(src_file="example.c") 1388*387f9dfdSAndroid Build Coastguard Workertail_fn = b.load_func("tail_call", BPF.KPROBE) 1389*387f9dfdSAndroid Build Coastguard Workerprog_array = b.get_table("prog_array") 1390*387f9dfdSAndroid Build Coastguard Workerprog_array[c_int(2)] = c_int(tail_fn.fd) 1391*387f9dfdSAndroid Build Coastguard Workerb.attach_kprobe(event="some_kprobe_event", fn_name="do_tail_call") 1392*387f9dfdSAndroid Build Coastguard Worker``` 1393*387f9dfdSAndroid Build Coastguard Worker 1394*387f9dfdSAndroid Build Coastguard WorkerThis assigns ```tail_call()``` to ```prog_array[2]```. In the end of ```do_tail_call()```, ```prog_array.call(ctx, 2)``` tail-calls ```tail_call()``` and executes it. 1395*387f9dfdSAndroid Build Coastguard Worker 1396*387f9dfdSAndroid Build Coastguard Worker**NOTE:** To prevent infinite loop, the maximum number of tail-calls is 32 ([```MAX_TAIL_CALL_CNT```](https://github.com/torvalds/linux/search?l=C&q=MAX_TAIL_CALL_CNT+path%3Ainclude%2Flinux&type=Code)). 1397*387f9dfdSAndroid Build Coastguard Worker 1398*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1399*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?l=C&q=call+path%3Aexamples&type=Code), 1400*387f9dfdSAndroid Build Coastguard Worker[search /tests](https://github.com/iovisor/bcc/search?l=C&q=call+path%3Atests&type=Code) 1401*387f9dfdSAndroid Build Coastguard Worker 1402*387f9dfdSAndroid Build Coastguard Worker### 28. map.redirect_map() 1403*387f9dfdSAndroid Build Coastguard Worker 1404*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```int map.redirect_map(int index, int flags)``` 1405*387f9dfdSAndroid Build Coastguard Worker 1406*387f9dfdSAndroid Build Coastguard WorkerThis redirects the incoming packets based on the ```index``` entry. If the map is [BPF_DEVMAP](#11-bpf_devmap), the packet will be sent to the transmit queue of the network interface that the entry points to. If the map is [BPF_CPUMAP](#12-bpf_cpumap), the packet will be sent to the ring buffer of the ```index``` CPU and be processed by the CPU later. If the map is [BPF_XSKMAP](#13-bpf_xskmap), the packet will be sent to the AF_XDP socket attached to the queue. 1407*387f9dfdSAndroid Build Coastguard Worker 1408*387f9dfdSAndroid Build Coastguard WorkerIf the packet is redirected successfully, the function will return XDP_REDIRECT. Otherwise, it will return XDP_ABORTED to discard the packet. 1409*387f9dfdSAndroid Build Coastguard Worker 1410*387f9dfdSAndroid Build Coastguard WorkerFor example: 1411*387f9dfdSAndroid Build Coastguard Worker```C 1412*387f9dfdSAndroid Build Coastguard WorkerBPF_DEVMAP(devmap, 1); 1413*387f9dfdSAndroid Build Coastguard Worker 1414*387f9dfdSAndroid Build Coastguard Workerint redirect_example(struct xdp_md *ctx) { 1415*387f9dfdSAndroid Build Coastguard Worker return devmap.redirect_map(0, 0); 1416*387f9dfdSAndroid Build Coastguard Worker} 1417*387f9dfdSAndroid Build Coastguard Workerint xdp_dummy(struct xdp_md *ctx) { 1418*387f9dfdSAndroid Build Coastguard Worker return XDP_PASS; 1419*387f9dfdSAndroid Build Coastguard Worker} 1420*387f9dfdSAndroid Build Coastguard Worker``` 1421*387f9dfdSAndroid Build Coastguard Worker 1422*387f9dfdSAndroid Build Coastguard Worker```Python 1423*387f9dfdSAndroid Build Coastguard Workerip = pyroute2.IPRoute() 1424*387f9dfdSAndroid Build Coastguard Workeridx = ip.link_lookup(ifname="eth1")[0] 1425*387f9dfdSAndroid Build Coastguard Worker 1426*387f9dfdSAndroid Build Coastguard Workerb = bcc.BPF(src_file="example.c") 1427*387f9dfdSAndroid Build Coastguard Worker 1428*387f9dfdSAndroid Build Coastguard Workerdevmap = b.get_table("devmap") 1429*387f9dfdSAndroid Build Coastguard Workerdevmap[c_uint32(0)] = c_int(idx) 1430*387f9dfdSAndroid Build Coastguard Worker 1431*387f9dfdSAndroid Build Coastguard Workerin_fn = b.load_func("redirect_example", BPF.XDP) 1432*387f9dfdSAndroid Build Coastguard Workerout_fn = b.load_func("xdp_dummy", BPF.XDP) 1433*387f9dfdSAndroid Build Coastguard Workerb.attach_xdp("eth0", in_fn, 0) 1434*387f9dfdSAndroid Build Coastguard Workerb.attach_xdp("eth1", out_fn, 0) 1435*387f9dfdSAndroid Build Coastguard Worker``` 1436*387f9dfdSAndroid Build Coastguard Worker 1437*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1438*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?l=C&q=redirect_map+path%3Aexamples&type=Code), 1439*387f9dfdSAndroid Build Coastguard Worker 1440*387f9dfdSAndroid Build Coastguard Worker### 29. map.push() 1441*387f9dfdSAndroid Build Coastguard Worker 1442*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```int map.push(&val, int flags)``` 1443*387f9dfdSAndroid Build Coastguard Worker 1444*387f9dfdSAndroid Build Coastguard WorkerPush an element onto a Stack or Queue table. 1445*387f9dfdSAndroid Build Coastguard WorkerPassing BPF_EXIST as a flag causes the Queue or Stack to discard the oldest element if it is full. 1446*387f9dfdSAndroid Build Coastguard WorkerReturns 0 on success, negative error on failure. 1447*387f9dfdSAndroid Build Coastguard Worker 1448*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1449*387f9dfdSAndroid Build Coastguard Worker[search /tests](https://github.com/iovisor/bcc/search?q=push+path%3Atests&type=Code), 1450*387f9dfdSAndroid Build Coastguard Worker 1451*387f9dfdSAndroid Build Coastguard Worker### 30. map.pop() 1452*387f9dfdSAndroid Build Coastguard Worker 1453*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```int map.pop(&val)``` 1454*387f9dfdSAndroid Build Coastguard Worker 1455*387f9dfdSAndroid Build Coastguard WorkerPop an element from a Stack or Queue table. ```*val``` is populated with the result. 1456*387f9dfdSAndroid Build Coastguard WorkerUnlike peeking, popping removes the element. 1457*387f9dfdSAndroid Build Coastguard WorkerReturns 0 on success, negative error on failure. 1458*387f9dfdSAndroid Build Coastguard Worker 1459*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1460*387f9dfdSAndroid Build Coastguard Worker[search /tests](https://github.com/iovisor/bcc/search?q=pop+path%3Atests&type=Code), 1461*387f9dfdSAndroid Build Coastguard Worker 1462*387f9dfdSAndroid Build Coastguard Worker### 31. map.peek() 1463*387f9dfdSAndroid Build Coastguard Worker 1464*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```int map.peek(&val)``` 1465*387f9dfdSAndroid Build Coastguard Worker 1466*387f9dfdSAndroid Build Coastguard WorkerPeek an element at the head of a Stack or Queue table. ```*val``` is populated with the result. 1467*387f9dfdSAndroid Build Coastguard WorkerUnlike popping, peeking does not remove the element. 1468*387f9dfdSAndroid Build Coastguard WorkerReturns 0 on success, negative error on failure. 1469*387f9dfdSAndroid Build Coastguard Worker 1470*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1471*387f9dfdSAndroid Build Coastguard Worker[search /tests](https://github.com/iovisor/bcc/search?q=peek+path%3Atests&type=Code), 1472*387f9dfdSAndroid Build Coastguard Worker 1473*387f9dfdSAndroid Build Coastguard Worker### 32. map.sock_hash_update() 1474*387f9dfdSAndroid Build Coastguard Worker 1475*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```int map.sock_hash_update(struct bpf_sock_ops *skops, &key, int flags)``` 1476*387f9dfdSAndroid Build Coastguard Worker 1477*387f9dfdSAndroid Build Coastguard WorkerAdd an entry to, or update a sockhash map referencing sockets. The skops is used as a new value for the entry associated to key. flags is one of: 1478*387f9dfdSAndroid Build Coastguard Worker 1479*387f9dfdSAndroid Build Coastguard Worker``` 1480*387f9dfdSAndroid Build Coastguard WorkerBPF_NOEXIST: The entry for key must not exist in the map. 1481*387f9dfdSAndroid Build Coastguard WorkerBPF_EXIST: The entry for key must already exist in the map. 1482*387f9dfdSAndroid Build Coastguard WorkerBPF_ANY: No condition on the existence of the entry for key. 1483*387f9dfdSAndroid Build Coastguard Worker``` 1484*387f9dfdSAndroid Build Coastguard Worker 1485*387f9dfdSAndroid Build Coastguard WorkerIf the map has eBPF programs (parser and verdict), those will be inherited by the socket being added. If the socket is already attached to eBPF programs, this results in an error. 1486*387f9dfdSAndroid Build Coastguard Worker 1487*387f9dfdSAndroid Build Coastguard WorkerReturn 0 on success, or a negative error in case of failure. 1488*387f9dfdSAndroid Build Coastguard Worker 1489*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1490*387f9dfdSAndroid Build Coastguard Worker[search /tests](https://github.com/iovisor/bcc/search?q=sock_hash_update+path%3Atests&type=Code), 1491*387f9dfdSAndroid Build Coastguard Worker 1492*387f9dfdSAndroid Build Coastguard Worker### 33. map.msg_redirect_hash() 1493*387f9dfdSAndroid Build Coastguard Worker 1494*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```int map.msg_redirect_hash(struct sk_msg_buff *msg, void *key, u64 flags)``` 1495*387f9dfdSAndroid Build Coastguard Worker 1496*387f9dfdSAndroid Build Coastguard WorkerThis helper is used in programs implementing policies at the socket level. If the message msg is allowed to pass (i.e. if the verdict eBPF program returns SK_PASS), redirect it to the socket referenced by map (of type BPF_MAP_TYPE_SOCKHASH) using hash key. Both ingress and egress interfaces can be used for redirection. The BPF_F_INGRESS value in flags is used to make the distinction (ingress path is selected if the flag is present, egress path otherwise). This is the only flag supported for now. 1497*387f9dfdSAndroid Build Coastguard Worker 1498*387f9dfdSAndroid Build Coastguard WorkerReturn SK_PASS on success, or SK_DROP on error. 1499*387f9dfdSAndroid Build Coastguard Worker 1500*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1501*387f9dfdSAndroid Build Coastguard Worker[search /tests](https://github.com/iovisor/bcc/search?q=msg_redirect_hash+path%3Atests&type=Code), 1502*387f9dfdSAndroid Build Coastguard Worker 1503*387f9dfdSAndroid Build Coastguard Worker### 34. map.sk_redirect_hash() 1504*387f9dfdSAndroid Build Coastguard Worker 1505*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```int map.sk_redirect_hash(struct sk_buff *skb, void *key, u64 flags)``` 1506*387f9dfdSAndroid Build Coastguard Worker 1507*387f9dfdSAndroid Build Coastguard WorkerThis helper is used in programs implementing policies at the skb socket level. If the sk_buff skb is allowed to pass (i.e. if the verdict eBPF program returns SK_PASS), redirect it to the socket referenced by map (of type BPF_MAP_TYPE_SOCKHASH) using hash key. Both ingress and egress interfaces can be used for redirection. The BPF_F_INGRESS value in flags is used to make the distinction (ingress path is selected if the flag is present, egress otherwise). This is the only flag supported for now. 1508*387f9dfdSAndroid Build Coastguard Worker 1509*387f9dfdSAndroid Build Coastguard WorkerReturn SK_PASS on success, or SK_DROP on error. 1510*387f9dfdSAndroid Build Coastguard Worker 1511*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1512*387f9dfdSAndroid Build Coastguard Worker[search /tests](https://github.com/iovisor/bcc/search?q=sk_redirect_hash+path%3Atests&type=Code), 1513*387f9dfdSAndroid Build Coastguard Worker 1514*387f9dfdSAndroid Build Coastguard Worker## Licensing 1515*387f9dfdSAndroid Build Coastguard Worker 1516*387f9dfdSAndroid Build Coastguard WorkerDepending on which [BPF helpers](kernel-versions.md#helpers) are used, a GPL-compatible license is required. 1517*387f9dfdSAndroid Build Coastguard Worker 1518*387f9dfdSAndroid Build Coastguard WorkerThe special BCC macro `BPF_LICENSE` specifies the license of the BPF program. You can set the license as a comment in your source code, but the kernel has a special interface to specify it programmatically. If you need to use GPL-only helpers, it is recommended to specify the macro in your C code so that the kernel can understand it: 1519*387f9dfdSAndroid Build Coastguard Worker 1520*387f9dfdSAndroid Build Coastguard Worker```C 1521*387f9dfdSAndroid Build Coastguard Worker// SPDX-License-Identifier: GPL-2.0+ 1522*387f9dfdSAndroid Build Coastguard Worker#define BPF_LICENSE GPL 1523*387f9dfdSAndroid Build Coastguard Worker``` 1524*387f9dfdSAndroid Build Coastguard Worker 1525*387f9dfdSAndroid Build Coastguard WorkerOtherwise, the kernel may reject loading your program (see the [error description](#2-cannot-call-gpl-only-function-from-proprietary-program) below). Note that it supports multiple words and quotes are not necessary: 1526*387f9dfdSAndroid Build Coastguard Worker 1527*387f9dfdSAndroid Build Coastguard Worker```C 1528*387f9dfdSAndroid Build Coastguard Worker// SPDX-License-Identifier: GPL-2.0+ OR BSD-2-Clause 1529*387f9dfdSAndroid Build Coastguard Worker#define BPF_LICENSE Dual BSD/GPL 1530*387f9dfdSAndroid Build Coastguard Worker``` 1531*387f9dfdSAndroid Build Coastguard Worker 1532*387f9dfdSAndroid Build Coastguard WorkerCheck the [BPF helpers reference](kernel-versions.md#helpers) to see which helpers are GPL-only and what the kernel understands as GPL-compatible. 1533*387f9dfdSAndroid Build Coastguard Worker 1534*387f9dfdSAndroid Build Coastguard Worker**If the macro is not specified, BCC will automatically define the license of the program as GPL.** 1535*387f9dfdSAndroid Build Coastguard Worker 1536*387f9dfdSAndroid Build Coastguard Worker## Rewriter 1537*387f9dfdSAndroid Build Coastguard Worker 1538*387f9dfdSAndroid Build Coastguard WorkerOne of jobs for rewriter is to turn implicit memory accesses to explicit ones using kernel helpers. Recent kernel introduced a config option ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE which will be set for architectures who user address space and kernel address are disjoint. x86 and arm has this config option set while s390 does not. If ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE is not set, the bpf old helper `bpf_probe_read()` will not be available. Some existing users may have implicit memory accesses to access user memory, so using `bpf_probe_read_kernel()` will cause their application to fail. Therefore, for non-s390, the rewriter will use `bpf_probe_read()` for these implicit memory accesses. For s390, `bpf_probe_read_kernel()` is used as default and users should use `bpf_probe_read_user()` explicitly when accessing user memories. 1539*387f9dfdSAndroid Build Coastguard Worker 1540*387f9dfdSAndroid Build Coastguard Worker# bcc Python 1541*387f9dfdSAndroid Build Coastguard Worker 1542*387f9dfdSAndroid Build Coastguard Worker## Initialization 1543*387f9dfdSAndroid Build Coastguard Worker 1544*387f9dfdSAndroid Build Coastguard WorkerConstructors. 1545*387f9dfdSAndroid Build Coastguard Worker 1546*387f9dfdSAndroid Build Coastguard Worker### 1. BPF 1547*387f9dfdSAndroid Build Coastguard Worker 1548*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF({text=BPF_program | src_file=filename} [, usdt_contexts=[USDT_object, ...]] [, cflags=[arg1, ...]] [, debug=int])``` 1549*387f9dfdSAndroid Build Coastguard Worker 1550*387f9dfdSAndroid Build Coastguard WorkerCreates a BPF object. This is the main object for defining a BPF program, and interacting with its output. 1551*387f9dfdSAndroid Build Coastguard Worker 1552*387f9dfdSAndroid Build Coastguard WorkerExactly one of `text` or `src_file` must be supplied (not both). 1553*387f9dfdSAndroid Build Coastguard Worker 1554*387f9dfdSAndroid Build Coastguard WorkerThe `cflags` specifies additional arguments to be passed to the compiler, for example `-DMACRO_NAME=value` or `-I/include/path`. The arguments are passed as an array, with each element being an additional argument. Note that strings are not split on whitespace, so each argument must be a different element of the array, e.g. `["-include", "header.h"]`. 1555*387f9dfdSAndroid Build Coastguard Worker 1556*387f9dfdSAndroid Build Coastguard WorkerThe `debug` flags control debug output, and can be or'ed together: 1557*387f9dfdSAndroid Build Coastguard Worker- `DEBUG_LLVM_IR = 0x1` compiled LLVM IR 1558*387f9dfdSAndroid Build Coastguard Worker- `DEBUG_BPF = 0x2` loaded BPF bytecode and register state on branches 1559*387f9dfdSAndroid Build Coastguard Worker- `DEBUG_PREPROCESSOR = 0x4` pre-processor result 1560*387f9dfdSAndroid Build Coastguard Worker- `DEBUG_SOURCE = 0x8` ASM instructions embedded with source 1561*387f9dfdSAndroid Build Coastguard Worker- `DEBUG_BPF_REGISTER_STATE = 0x10` register state on all instructions in addition to DEBUG_BPF 1562*387f9dfdSAndroid Build Coastguard Worker- `DEBUG_BTF = 0x20` print the messages from the `libbpf` library. 1563*387f9dfdSAndroid Build Coastguard Worker 1564*387f9dfdSAndroid Build Coastguard WorkerExamples: 1565*387f9dfdSAndroid Build Coastguard Worker 1566*387f9dfdSAndroid Build Coastguard Worker```Python 1567*387f9dfdSAndroid Build Coastguard Worker# define entire BPF program in one line: 1568*387f9dfdSAndroid Build Coastguard WorkerBPF(text='int do_trace(void *ctx) { bpf_trace_printk("hit!\\n"); return 0; }'); 1569*387f9dfdSAndroid Build Coastguard Worker 1570*387f9dfdSAndroid Build Coastguard Worker# define program as a variable: 1571*387f9dfdSAndroid Build Coastguard Workerprog = """ 1572*387f9dfdSAndroid Build Coastguard Workerint hello(void *ctx) { 1573*387f9dfdSAndroid Build Coastguard Worker bpf_trace_printk("Hello, World!\\n"); 1574*387f9dfdSAndroid Build Coastguard Worker return 0; 1575*387f9dfdSAndroid Build Coastguard Worker} 1576*387f9dfdSAndroid Build Coastguard Worker""" 1577*387f9dfdSAndroid Build Coastguard Workerb = BPF(text=prog) 1578*387f9dfdSAndroid Build Coastguard Worker 1579*387f9dfdSAndroid Build Coastguard Worker# source a file: 1580*387f9dfdSAndroid Build Coastguard Workerb = BPF(src_file = "vfsreadlat.c") 1581*387f9dfdSAndroid Build Coastguard Worker 1582*387f9dfdSAndroid Build Coastguard Worker# include a USDT object: 1583*387f9dfdSAndroid Build Coastguard Workeru = USDT(pid=int(pid)) 1584*387f9dfdSAndroid Build Coastguard Worker[...] 1585*387f9dfdSAndroid Build Coastguard Workerb = BPF(text=bpf_text, usdt_contexts=[u]) 1586*387f9dfdSAndroid Build Coastguard Worker 1587*387f9dfdSAndroid Build Coastguard Worker# add include paths: 1588*387f9dfdSAndroid Build Coastguard Workeru = BPF(text=prog, cflags=["-I/path/to/include"]) 1589*387f9dfdSAndroid Build Coastguard Worker``` 1590*387f9dfdSAndroid Build Coastguard Worker 1591*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1592*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=BPF+path%3Aexamples+language%3Apython&type=Code), 1593*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=BPF+path%3Atools+language%3Apython&type=Code) 1594*387f9dfdSAndroid Build Coastguard Worker 1595*387f9dfdSAndroid Build Coastguard Worker### 2. USDT 1596*387f9dfdSAndroid Build Coastguard Worker 1597*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```USDT({pid=pid | path=path})``` 1598*387f9dfdSAndroid Build Coastguard Worker 1599*387f9dfdSAndroid Build Coastguard WorkerCreates an object to instrument User Statically-Defined Tracing (USDT) probes. Its primary method is ```enable_probe()```. 1600*387f9dfdSAndroid Build Coastguard Worker 1601*387f9dfdSAndroid Build Coastguard WorkerArguments: 1602*387f9dfdSAndroid Build Coastguard Worker 1603*387f9dfdSAndroid Build Coastguard Worker- pid: attach to this process ID. 1604*387f9dfdSAndroid Build Coastguard Worker- path: instrument USDT probes from this binary path. 1605*387f9dfdSAndroid Build Coastguard Worker 1606*387f9dfdSAndroid Build Coastguard WorkerExamples: 1607*387f9dfdSAndroid Build Coastguard Worker 1608*387f9dfdSAndroid Build Coastguard Worker```Python 1609*387f9dfdSAndroid Build Coastguard Worker# include a USDT object: 1610*387f9dfdSAndroid Build Coastguard Workeru = USDT(pid=int(pid)) 1611*387f9dfdSAndroid Build Coastguard Worker[...] 1612*387f9dfdSAndroid Build Coastguard Workerb = BPF(text=bpf_text, usdt_contexts=[u]) 1613*387f9dfdSAndroid Build Coastguard Worker``` 1614*387f9dfdSAndroid Build Coastguard Worker 1615*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1616*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=USDT+path%3Aexamples+language%3Apython&type=Code), 1617*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=USDT+path%3Atools+language%3Apython&type=Code) 1618*387f9dfdSAndroid Build Coastguard Worker 1619*387f9dfdSAndroid Build Coastguard Worker## Events 1620*387f9dfdSAndroid Build Coastguard Worker 1621*387f9dfdSAndroid Build Coastguard Worker### 1. attach_kprobe() 1622*387f9dfdSAndroid Build Coastguard Worker 1623*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.attach_kprobe(event="event", fn_name="name")``` 1624*387f9dfdSAndroid Build Coastguard Worker 1625*387f9dfdSAndroid Build Coastguard WorkerInstruments the kernel function ```event()``` using kernel dynamic tracing of the function entry, and attaches our C defined function ```name()``` to be called when the kernel function is called. 1626*387f9dfdSAndroid Build Coastguard Worker 1627*387f9dfdSAndroid Build Coastguard WorkerFor example: 1628*387f9dfdSAndroid Build Coastguard Worker 1629*387f9dfdSAndroid Build Coastguard Worker```Python 1630*387f9dfdSAndroid Build Coastguard Workerb.attach_kprobe(event="sys_clone", fn_name="do_trace") 1631*387f9dfdSAndroid Build Coastguard Worker``` 1632*387f9dfdSAndroid Build Coastguard Worker 1633*387f9dfdSAndroid Build Coastguard WorkerThis will instrument the kernel ```sys_clone()``` function, which will then run our BPF defined ```do_trace()``` function each time it is called. 1634*387f9dfdSAndroid Build Coastguard Worker 1635*387f9dfdSAndroid Build Coastguard WorkerYou can call attach_kprobe() more than once, and attach your BPF function to multiple kernel functions. 1636*387f9dfdSAndroid Build Coastguard WorkerYou can also call attach_kprobe() more than once to attach multiple BPF functions to the same kernel function. 1637*387f9dfdSAndroid Build Coastguard Worker 1638*387f9dfdSAndroid Build Coastguard WorkerSee the previous kprobes section for how to instrument arguments from BPF. 1639*387f9dfdSAndroid Build Coastguard Worker 1640*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1641*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=attach_kprobe+path%3Aexamples+language%3Apython&type=Code), 1642*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=attach_kprobe+path%3Atools+language%3Apython&type=Code) 1643*387f9dfdSAndroid Build Coastguard Worker 1644*387f9dfdSAndroid Build Coastguard Worker### 2. attach_kretprobe() 1645*387f9dfdSAndroid Build Coastguard Worker 1646*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.attach_kretprobe(event="event", fn_name="name" [, maxactive=int])``` 1647*387f9dfdSAndroid Build Coastguard Worker 1648*387f9dfdSAndroid Build Coastguard WorkerInstruments the return of the kernel function ```event()``` using kernel dynamic tracing of the function return, and attaches our C defined function ```name()``` to be called when the kernel function returns. 1649*387f9dfdSAndroid Build Coastguard Worker 1650*387f9dfdSAndroid Build Coastguard WorkerFor example: 1651*387f9dfdSAndroid Build Coastguard Worker 1652*387f9dfdSAndroid Build Coastguard Worker```Python 1653*387f9dfdSAndroid Build Coastguard Workerb.attach_kretprobe(event="vfs_read", fn_name="do_return") 1654*387f9dfdSAndroid Build Coastguard Worker``` 1655*387f9dfdSAndroid Build Coastguard Worker 1656*387f9dfdSAndroid Build Coastguard WorkerThis will instrument the kernel ```vfs_read()``` function, which will then run our BPF defined ```do_return()``` function each time it is called. 1657*387f9dfdSAndroid Build Coastguard Worker 1658*387f9dfdSAndroid Build Coastguard WorkerYou can call attach_kretprobe() more than once, and attach your BPF function to multiple kernel function returns. 1659*387f9dfdSAndroid Build Coastguard WorkerYou can also call attach_kretprobe() more than once to attach multiple BPF functions to the same kernel function return. 1660*387f9dfdSAndroid Build Coastguard Worker 1661*387f9dfdSAndroid Build Coastguard WorkerWhen a kretprobe is installed on a kernel function, there is a limit on how many parallel calls it can catch. You can change that limit with ```maxactive```. See the kprobes documentation for its default value. 1662*387f9dfdSAndroid Build Coastguard Worker 1663*387f9dfdSAndroid Build Coastguard WorkerSee the previous kretprobes section for how to instrument the return value from BPF. 1664*387f9dfdSAndroid Build Coastguard Worker 1665*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1666*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=attach_kretprobe+path%3Aexamples+language%3Apython&type=Code), 1667*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=attach_kretprobe+path%3Atools+language%3Apython&type=Code) 1668*387f9dfdSAndroid Build Coastguard Worker 1669*387f9dfdSAndroid Build Coastguard Worker### 3. attach_tracepoint() 1670*387f9dfdSAndroid Build Coastguard Worker 1671*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.attach_tracepoint(tp="tracepoint", fn_name="name")``` 1672*387f9dfdSAndroid Build Coastguard Worker 1673*387f9dfdSAndroid Build Coastguard WorkerInstruments the kernel tracepoint described by ```tracepoint```, and when hit, runs the BPF function ```name()```. 1674*387f9dfdSAndroid Build Coastguard Worker 1675*387f9dfdSAndroid Build Coastguard WorkerThis is an explicit way to instrument tracepoints. The ```TRACEPOINT_PROBE``` syntax, covered in the earlier tracepoints section, is an alternate method with the advantage of auto-declaring an ```args``` struct containing the tracepoint arguments. With ```attach_tracepoint()```, the tracepoint arguments need to be declared in the BPF program. 1676*387f9dfdSAndroid Build Coastguard Worker 1677*387f9dfdSAndroid Build Coastguard WorkerFor example: 1678*387f9dfdSAndroid Build Coastguard Worker 1679*387f9dfdSAndroid Build Coastguard Worker```Python 1680*387f9dfdSAndroid Build Coastguard Worker# define BPF program 1681*387f9dfdSAndroid Build Coastguard Workerbpf_text = """ 1682*387f9dfdSAndroid Build Coastguard Worker#include <uapi/linux/ptrace.h> 1683*387f9dfdSAndroid Build Coastguard Worker 1684*387f9dfdSAndroid Build Coastguard Workerstruct urandom_read_args { 1685*387f9dfdSAndroid Build Coastguard Worker // from /sys/kernel/debug/tracing/events/random/urandom_read/format 1686*387f9dfdSAndroid Build Coastguard Worker u64 __unused__; 1687*387f9dfdSAndroid Build Coastguard Worker u32 got_bits; 1688*387f9dfdSAndroid Build Coastguard Worker u32 pool_left; 1689*387f9dfdSAndroid Build Coastguard Worker u32 input_left; 1690*387f9dfdSAndroid Build Coastguard Worker}; 1691*387f9dfdSAndroid Build Coastguard Worker 1692*387f9dfdSAndroid Build Coastguard Workerint printarg(struct urandom_read_args *args) { 1693*387f9dfdSAndroid Build Coastguard Worker bpf_trace_printk("%d\\n", args->got_bits); 1694*387f9dfdSAndroid Build Coastguard Worker return 0; 1695*387f9dfdSAndroid Build Coastguard Worker}; 1696*387f9dfdSAndroid Build Coastguard Worker""" 1697*387f9dfdSAndroid Build Coastguard Worker 1698*387f9dfdSAndroid Build Coastguard Worker# load BPF program 1699*387f9dfdSAndroid Build Coastguard Workerb = BPF(text=bpf_text) 1700*387f9dfdSAndroid Build Coastguard Workerb.attach_tracepoint("random:urandom_read", "printarg") 1701*387f9dfdSAndroid Build Coastguard Worker``` 1702*387f9dfdSAndroid Build Coastguard Worker 1703*387f9dfdSAndroid Build Coastguard WorkerNotice how the first argument to ```printarg()``` is now our defined struct. 1704*387f9dfdSAndroid Build Coastguard Worker 1705*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1706*387f9dfdSAndroid Build Coastguard Worker[code](https://github.com/iovisor/bcc/blob/a4159da8c4ea8a05a3c6e402451f530d6e5a8b41/examples/tracing/urandomread-explicit.py#L41), 1707*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=attach_tracepoint+path%3Aexamples+language%3Apython&type=Code), 1708*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=attach_tracepoint+path%3Atools+language%3Apython&type=Code) 1709*387f9dfdSAndroid Build Coastguard Worker 1710*387f9dfdSAndroid Build Coastguard Worker### 4. attach_uprobe() 1711*387f9dfdSAndroid Build Coastguard Worker 1712*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.attach_uprobe(name="location", sym="symbol", fn_name="name" [, sym_off=int])```, ```BPF.attach_uprobe(name="location", sym_re="regex", fn_name="name")```, ```BPF.attach_uprobe(name="location", addr=int, fn_name="name")``` 1713*387f9dfdSAndroid Build Coastguard Worker 1714*387f9dfdSAndroid Build Coastguard Worker 1715*387f9dfdSAndroid Build Coastguard WorkerInstruments the user-level function ```symbol()``` from either the library or binary named by ```location``` using user-level dynamic tracing of the function entry, and attach our C defined function ```name()``` to be called whenever the user-level function is called. If ```sym_off``` is given, the function is attached to the offset within the symbol. 1716*387f9dfdSAndroid Build Coastguard Worker 1717*387f9dfdSAndroid Build Coastguard WorkerThe real address ```addr``` may be supplied in place of ```sym```, in which case ```sym``` must be set to its default value. If the file is a non-PIE executable, ```addr``` must be a virtual address, otherwise it must be an offset relative to the file load address. 1718*387f9dfdSAndroid Build Coastguard Worker 1719*387f9dfdSAndroid Build Coastguard WorkerInstead of a symbol name, a regular expression can be provided in ```sym_re```. The uprobe will then attach to symbols that match the provided regular expression. 1720*387f9dfdSAndroid Build Coastguard Worker 1721*387f9dfdSAndroid Build Coastguard WorkerLibraries can be given in the name argument without the lib prefix, or with the full path (/usr/lib/...). Binaries can be given only with the full path (/bin/sh). 1722*387f9dfdSAndroid Build Coastguard Worker 1723*387f9dfdSAndroid Build Coastguard WorkerFor example: 1724*387f9dfdSAndroid Build Coastguard Worker 1725*387f9dfdSAndroid Build Coastguard Worker```Python 1726*387f9dfdSAndroid Build Coastguard Workerb.attach_uprobe(name="c", sym="strlen", fn_name="count") 1727*387f9dfdSAndroid Build Coastguard Worker``` 1728*387f9dfdSAndroid Build Coastguard Worker 1729*387f9dfdSAndroid Build Coastguard WorkerThis will instrument ```strlen()``` function from libc, and call our BPF function ```count()``` when it is called. Note how the "lib" in "libc" is not necessary to specify. 1730*387f9dfdSAndroid Build Coastguard Worker 1731*387f9dfdSAndroid Build Coastguard WorkerOther examples: 1732*387f9dfdSAndroid Build Coastguard Worker 1733*387f9dfdSAndroid Build Coastguard Worker```Python 1734*387f9dfdSAndroid Build Coastguard Workerb.attach_uprobe(name="c", sym="getaddrinfo", fn_name="do_entry") 1735*387f9dfdSAndroid Build Coastguard Workerb.attach_uprobe(name="/usr/bin/python", sym="main", fn_name="do_main") 1736*387f9dfdSAndroid Build Coastguard Worker``` 1737*387f9dfdSAndroid Build Coastguard Worker 1738*387f9dfdSAndroid Build Coastguard WorkerYou can call attach_uprobe() more than once, and attach your BPF function to multiple user-level functions. 1739*387f9dfdSAndroid Build Coastguard Worker 1740*387f9dfdSAndroid Build Coastguard WorkerSee the previous uprobes section for how to instrument arguments from BPF. 1741*387f9dfdSAndroid Build Coastguard Worker 1742*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1743*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=attach_uprobe+path%3Aexamples+language%3Apython&type=Code), 1744*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=attach_uprobe+path%3Atools+language%3Apython&type=Code) 1745*387f9dfdSAndroid Build Coastguard Worker 1746*387f9dfdSAndroid Build Coastguard Worker### 5. attach_uretprobe() 1747*387f9dfdSAndroid Build Coastguard Worker 1748*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.attach_uretprobe(name="location", sym="symbol", fn_name="name")``` 1749*387f9dfdSAndroid Build Coastguard Worker 1750*387f9dfdSAndroid Build Coastguard WorkerInstruments the return of the user-level function ```symbol()``` from either the library or binary named by ```location``` using user-level dynamic tracing of the function return, and attach our C defined function ```name()``` to be called whenever the user-level function returns. 1751*387f9dfdSAndroid Build Coastguard Worker 1752*387f9dfdSAndroid Build Coastguard WorkerFor example: 1753*387f9dfdSAndroid Build Coastguard Worker 1754*387f9dfdSAndroid Build Coastguard Worker```Python 1755*387f9dfdSAndroid Build Coastguard Workerb.attach_uretprobe(name="c", sym="strlen", fn_name="count") 1756*387f9dfdSAndroid Build Coastguard Worker``` 1757*387f9dfdSAndroid Build Coastguard Worker 1758*387f9dfdSAndroid Build Coastguard WorkerThis will instrument ```strlen()``` function from libc, and call our BPF function ```count()``` when it returns. 1759*387f9dfdSAndroid Build Coastguard Worker 1760*387f9dfdSAndroid Build Coastguard WorkerOther examples: 1761*387f9dfdSAndroid Build Coastguard Worker 1762*387f9dfdSAndroid Build Coastguard Worker```Python 1763*387f9dfdSAndroid Build Coastguard Workerb.attach_uretprobe(name="c", sym="getaddrinfo", fn_name="do_return") 1764*387f9dfdSAndroid Build Coastguard Workerb.attach_uretprobe(name="/usr/bin/python", sym="main", fn_name="do_main") 1765*387f9dfdSAndroid Build Coastguard Worker``` 1766*387f9dfdSAndroid Build Coastguard Worker 1767*387f9dfdSAndroid Build Coastguard WorkerYou can call attach_uretprobe() more than once, and attach your BPF function to multiple user-level functions. 1768*387f9dfdSAndroid Build Coastguard Worker 1769*387f9dfdSAndroid Build Coastguard WorkerSee the previous uretprobes section for how to instrument the return value from BPF. 1770*387f9dfdSAndroid Build Coastguard Worker 1771*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1772*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=attach_uretprobe+path%3Aexamples+language%3Apython&type=Code), 1773*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=attach_uretprobe+path%3Atools+language%3Apython&type=Code) 1774*387f9dfdSAndroid Build Coastguard Worker 1775*387f9dfdSAndroid Build Coastguard Worker### 6. USDT.enable_probe() 1776*387f9dfdSAndroid Build Coastguard Worker 1777*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```USDT.enable_probe(probe=probe, fn_name=name)``` 1778*387f9dfdSAndroid Build Coastguard Worker 1779*387f9dfdSAndroid Build Coastguard WorkerAttaches a BPF C function ```name``` to the USDT probe ```probe```. 1780*387f9dfdSAndroid Build Coastguard Worker 1781*387f9dfdSAndroid Build Coastguard WorkerExample: 1782*387f9dfdSAndroid Build Coastguard Worker 1783*387f9dfdSAndroid Build Coastguard Worker```Python 1784*387f9dfdSAndroid Build Coastguard Worker# enable USDT probe from given PID 1785*387f9dfdSAndroid Build Coastguard Workeru = USDT(pid=int(pid)) 1786*387f9dfdSAndroid Build Coastguard Workeru.enable_probe(probe="http__server__request", fn_name="do_trace") 1787*387f9dfdSAndroid Build Coastguard Worker``` 1788*387f9dfdSAndroid Build Coastguard Worker 1789*387f9dfdSAndroid Build Coastguard WorkerTo check if your binary has USDT probes, and what they are, you can run ```readelf -n binary``` and check the stap debug section. 1790*387f9dfdSAndroid Build Coastguard Worker 1791*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1792*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=enable_probe+path%3Aexamples+language%3Apython&type=Code), 1793*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=enable_probe+path%3Atools+language%3Apython&type=Code) 1794*387f9dfdSAndroid Build Coastguard Worker 1795*387f9dfdSAndroid Build Coastguard Worker### 7. attach_raw_tracepoint() 1796*387f9dfdSAndroid Build Coastguard Worker 1797*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.attach_raw_tracepoint(tp="tracepoint", fn_name="name")``` 1798*387f9dfdSAndroid Build Coastguard Worker 1799*387f9dfdSAndroid Build Coastguard WorkerInstruments the kernel raw tracepoint described by ```tracepoint``` (```event``` only, no ```category```), and when hit, runs the BPF function ```name()```. 1800*387f9dfdSAndroid Build Coastguard Worker 1801*387f9dfdSAndroid Build Coastguard WorkerThis is an explicit way to instrument tracepoints. The ```RAW_TRACEPOINT_PROBE``` syntax, covered in the earlier raw tracepoints section, is an alternate method. 1802*387f9dfdSAndroid Build Coastguard Worker 1803*387f9dfdSAndroid Build Coastguard WorkerFor example: 1804*387f9dfdSAndroid Build Coastguard Worker 1805*387f9dfdSAndroid Build Coastguard Worker```Python 1806*387f9dfdSAndroid Build Coastguard Workerb.attach_raw_tracepoint("sched_switch", "do_trace") 1807*387f9dfdSAndroid Build Coastguard Worker``` 1808*387f9dfdSAndroid Build Coastguard Worker 1809*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1810*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=attach_raw_tracepoint+path%3Atools+language%3Apython&type=Code) 1811*387f9dfdSAndroid Build Coastguard Worker 1812*387f9dfdSAndroid Build Coastguard Worker### 8. attach_raw_socket() 1813*387f9dfdSAndroid Build Coastguard Worker 1814*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.attach_raw_socket(fn, dev)``` 1815*387f9dfdSAndroid Build Coastguard Worker 1816*387f9dfdSAndroid Build Coastguard WorkerAttaches a BPF function to the specified network interface. 1817*387f9dfdSAndroid Build Coastguard Worker 1818*387f9dfdSAndroid Build Coastguard WorkerThe ```fn``` must be the type of ```BPF.function``` and the bpf_prog type needs to be ```BPF_PROG_TYPE_SOCKET_FILTER``` (```fn=BPF.load_func(func_name, BPF.SOCKET_FILTER)```) 1819*387f9dfdSAndroid Build Coastguard Worker 1820*387f9dfdSAndroid Build Coastguard Worker```fn.sock``` is a non-blocking raw socket that was created and bound to ```dev```. 1821*387f9dfdSAndroid Build Coastguard Worker 1822*387f9dfdSAndroid Build Coastguard WorkerAll network packets processed by ```dev``` are copied to the ```recv-q``` of ```fn.sock``` after being processed by bpf_prog. Try to recv packet form ```fn.sock``` with rev/recvfrom/recvmsg. Note that if the ```recv-q``` is not read in time after the ```recv-q``` is full, the copied packets will be discarded. 1823*387f9dfdSAndroid Build Coastguard Worker 1824*387f9dfdSAndroid Build Coastguard WorkerWe can use this feature to capture network packets just like ```tcpdump```. 1825*387f9dfdSAndroid Build Coastguard Worker 1826*387f9dfdSAndroid Build Coastguard WorkerWe can use ```ss --bpf --packet -p``` to observe ```fn.sock```. 1827*387f9dfdSAndroid Build Coastguard Worker 1828*387f9dfdSAndroid Build Coastguard WorkerExample: 1829*387f9dfdSAndroid Build Coastguard Worker 1830*387f9dfdSAndroid Build Coastguard Worker```Python 1831*387f9dfdSAndroid Build Coastguard WorkerBPF.attach_raw_socket(bpf_func, ifname) 1832*387f9dfdSAndroid Build Coastguard Worker``` 1833*387f9dfdSAndroid Build Coastguard Worker 1834*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1835*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=attach_raw_socket+path%3Aexamples+language%3Apython&type=Code) 1836*387f9dfdSAndroid Build Coastguard Worker### 9. attach_xdp() 1837*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.attach_xdp(dev="device", fn=b.load_func("fn_name",BPF.XDP), flags)``` 1838*387f9dfdSAndroid Build Coastguard Worker 1839*387f9dfdSAndroid Build Coastguard WorkerInstruments the network driver described by ```dev``` , and then receives the packet, run the BPF function ```fn_name()``` with flags. 1840*387f9dfdSAndroid Build Coastguard Worker 1841*387f9dfdSAndroid Build Coastguard WorkerHere is a list of optional flags. 1842*387f9dfdSAndroid Build Coastguard Worker 1843*387f9dfdSAndroid Build Coastguard Worker```Python 1844*387f9dfdSAndroid Build Coastguard Worker# from xdp_flags uapi/linux/if_link.h 1845*387f9dfdSAndroid Build Coastguard WorkerXDP_FLAGS_UPDATE_IF_NOEXIST = (1 << 0) 1846*387f9dfdSAndroid Build Coastguard WorkerXDP_FLAGS_SKB_MODE = (1 << 1) 1847*387f9dfdSAndroid Build Coastguard WorkerXDP_FLAGS_DRV_MODE = (1 << 2) 1848*387f9dfdSAndroid Build Coastguard WorkerXDP_FLAGS_HW_MODE = (1 << 3) 1849*387f9dfdSAndroid Build Coastguard WorkerXDP_FLAGS_REPLACE = (1 << 4) 1850*387f9dfdSAndroid Build Coastguard Worker``` 1851*387f9dfdSAndroid Build Coastguard Worker 1852*387f9dfdSAndroid Build Coastguard WorkerYou can use flags like this ```BPF.attach_xdp(dev="device", fn=b.load_func("fn_name",BPF.XDP), flags=BPF.XDP_FLAGS_UPDATE_IF_NOEXIST)``` 1853*387f9dfdSAndroid Build Coastguard Worker 1854*387f9dfdSAndroid Build Coastguard WorkerThe default value of flags is 0. This means if there is no xdp program with `device`, the fn will run with that device. If there is an xdp program running with device, the old program will be replaced with new fn program. 1855*387f9dfdSAndroid Build Coastguard Worker 1856*387f9dfdSAndroid Build Coastguard WorkerCurrently, bcc does not support XDP_FLAGS_REPLACE flag. The following are the descriptions of other flags. 1857*387f9dfdSAndroid Build Coastguard Worker 1858*387f9dfdSAndroid Build Coastguard Worker#### 1. XDP_FLAGS_UPDATE_IF_NOEXIST 1859*387f9dfdSAndroid Build Coastguard WorkerIf an XDP program is already attached to the specified driver, attaching the XDP program again will fail. 1860*387f9dfdSAndroid Build Coastguard Worker 1861*387f9dfdSAndroid Build Coastguard Worker#### 2. XDP_FLAGS_SKB_MODE 1862*387f9dfdSAndroid Build Coastguard WorkerDriver doesn’t have support for XDP, but the kernel fakes it. 1863*387f9dfdSAndroid Build Coastguard WorkerXDP program works, but there’s no real performance benefit because packets are handed to kernel stack anyways which then emulates XDP – this is usually supported with generic network drivers used in home computers, laptops, and virtualized HW. 1864*387f9dfdSAndroid Build Coastguard Worker 1865*387f9dfdSAndroid Build Coastguard Worker#### 3. XDP_FLAGS_DRV_MODE 1866*387f9dfdSAndroid Build Coastguard WorkerA driver has XDP support and can hand then to XDP without kernel stack interaction – Few drivers can support it and those are usually for enterprise HW. 1867*387f9dfdSAndroid Build Coastguard Worker 1868*387f9dfdSAndroid Build Coastguard Worker#### 4. XDP_FLAGS_HW_MODE 1869*387f9dfdSAndroid Build Coastguard WorkerXDP can be loaded and executed directly on the NIC – just a handful of NICs can do that. 1870*387f9dfdSAndroid Build Coastguard Worker 1871*387f9dfdSAndroid Build Coastguard Worker 1872*387f9dfdSAndroid Build Coastguard WorkerFor example: 1873*387f9dfdSAndroid Build Coastguard Worker 1874*387f9dfdSAndroid Build Coastguard Worker```Python 1875*387f9dfdSAndroid Build Coastguard Workerb.attach_xdp(dev="ens1", fn=b.load_func("do_xdp", BPF.XDP)) 1876*387f9dfdSAndroid Build Coastguard Worker``` 1877*387f9dfdSAndroid Build Coastguard Worker 1878*387f9dfdSAndroid Build Coastguard WorkerThis will instrument the network device ```ens1``` , which will then run our BPF defined ```do_xdp()``` function each time it receives packets. 1879*387f9dfdSAndroid Build Coastguard Worker 1880*387f9dfdSAndroid Build Coastguard WorkerDon't forget to call ```b.remove_xdp("ens1")``` at the end! 1881*387f9dfdSAndroid Build Coastguard Worker 1882*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1883*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=attach_xdp+path%3Aexamples+language%3Apython&type=Code), 1884*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=attach_xdp+path%3Atools+language%3Apython&type=Code) 1885*387f9dfdSAndroid Build Coastguard Worker 1886*387f9dfdSAndroid Build Coastguard Worker### 10. attach_func() 1887*387f9dfdSAndroid Build Coastguard Worker 1888*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.attach_func(fn, attachable_fd, attach_type [, flags])``` 1889*387f9dfdSAndroid Build Coastguard Worker 1890*387f9dfdSAndroid Build Coastguard WorkerAttaches a BPF function of the specified type to a particular ```attachable_fd```. if the ```attach_type``` is ```BPF_FLOW_DISSECTOR```, the function is expected to attach to current net namespace and ```attachable_fd``` must be 0. 1891*387f9dfdSAndroid Build Coastguard Worker 1892*387f9dfdSAndroid Build Coastguard WorkerFor example: 1893*387f9dfdSAndroid Build Coastguard Worker 1894*387f9dfdSAndroid Build Coastguard Worker```Python 1895*387f9dfdSAndroid Build Coastguard Workerb.attach_func(fn, cgroup_fd, BPFAttachType.CGROUP_SOCK_OPS) 1896*387f9dfdSAndroid Build Coastguard Workerb.attach_func(fn, map_fd, BPFAttachType.SK_MSG_VERDICT) 1897*387f9dfdSAndroid Build Coastguard Worker``` 1898*387f9dfdSAndroid Build Coastguard Worker 1899*387f9dfdSAndroid Build Coastguard WorkerNote. When attached to "global" hooks (xdp, tc, lwt, cgroup). If the "BPF function" is no longer needed after the program terminates, be sure to call `detach_func` when the program exits. 1900*387f9dfdSAndroid Build Coastguard Worker 1901*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1902*387f9dfdSAndroid Build Coastguard Worker 1903*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=attach_func+path%3Aexamples+language%3Apython&type=Code), 1904*387f9dfdSAndroid Build Coastguard Worker 1905*387f9dfdSAndroid Build Coastguard Worker### 11. detach_func() 1906*387f9dfdSAndroid Build Coastguard Worker 1907*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.detach_func(fn, attachable_fd, attach_type)``` 1908*387f9dfdSAndroid Build Coastguard Worker 1909*387f9dfdSAndroid Build Coastguard WorkerDetaches a BPF function of the specified type. 1910*387f9dfdSAndroid Build Coastguard Worker 1911*387f9dfdSAndroid Build Coastguard WorkerFor example: 1912*387f9dfdSAndroid Build Coastguard Worker 1913*387f9dfdSAndroid Build Coastguard Worker```Python 1914*387f9dfdSAndroid Build Coastguard Workerb.detach_func(fn, cgroup_fd, BPFAttachType.CGROUP_SOCK_OPS) 1915*387f9dfdSAndroid Build Coastguard Workerb.detach_func(fn, map_fd, BPFAttachType.SK_MSG_VERDICT) 1916*387f9dfdSAndroid Build Coastguard Worker``` 1917*387f9dfdSAndroid Build Coastguard Worker 1918*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1919*387f9dfdSAndroid Build Coastguard Worker 1920*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=detach_func+path%3Aexamples+language%3Apython&type=Code), 1921*387f9dfdSAndroid Build Coastguard Worker 1922*387f9dfdSAndroid Build Coastguard Worker### 12. detach_kprobe() 1923*387f9dfdSAndroid Build Coastguard Worker 1924*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.detach_kprobe(event="event", fn_name="name")``` 1925*387f9dfdSAndroid Build Coastguard Worker 1926*387f9dfdSAndroid Build Coastguard WorkerDetach a kprobe handler function of the specified event. 1927*387f9dfdSAndroid Build Coastguard Worker 1928*387f9dfdSAndroid Build Coastguard WorkerFor example: 1929*387f9dfdSAndroid Build Coastguard Worker 1930*387f9dfdSAndroid Build Coastguard Worker```Python 1931*387f9dfdSAndroid Build Coastguard Workerb.detach_kprobe(event="__page_cache_alloc", fn_name="trace_func_entry") 1932*387f9dfdSAndroid Build Coastguard Worker``` 1933*387f9dfdSAndroid Build Coastguard Worker 1934*387f9dfdSAndroid Build Coastguard Worker### 13. detach_kretprobe() 1935*387f9dfdSAndroid Build Coastguard Worker 1936*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.detach_kretprobe(event="event", fn_name="name")``` 1937*387f9dfdSAndroid Build Coastguard Worker 1938*387f9dfdSAndroid Build Coastguard WorkerDetach a kretprobe handler function of the specified event. 1939*387f9dfdSAndroid Build Coastguard Worker 1940*387f9dfdSAndroid Build Coastguard WorkerFor example: 1941*387f9dfdSAndroid Build Coastguard Worker 1942*387f9dfdSAndroid Build Coastguard Worker```Python 1943*387f9dfdSAndroid Build Coastguard Workerb.detach_kretprobe(event="__page_cache_alloc", fn_name="trace_func_return") 1944*387f9dfdSAndroid Build Coastguard Worker``` 1945*387f9dfdSAndroid Build Coastguard Worker 1946*387f9dfdSAndroid Build Coastguard Worker## Debug Output 1947*387f9dfdSAndroid Build Coastguard Worker 1948*387f9dfdSAndroid Build Coastguard Worker### 1. trace_print() 1949*387f9dfdSAndroid Build Coastguard Worker 1950*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.trace_print(fmt="fields")``` 1951*387f9dfdSAndroid Build Coastguard Worker 1952*387f9dfdSAndroid Build Coastguard WorkerThis method continually reads the globally shared /sys/kernel/debug/tracing/trace_pipe file and prints its contents. This file can be written to via BPF and the bpf_trace_printk() function, however, that method has limitations, including a lack of concurrent tracing support. The BPF_PERF_OUTPUT mechanism, covered earlier, is preferred. 1953*387f9dfdSAndroid Build Coastguard Worker 1954*387f9dfdSAndroid Build Coastguard WorkerArguments: 1955*387f9dfdSAndroid Build Coastguard Worker 1956*387f9dfdSAndroid Build Coastguard Worker- ```fmt```: optional, and can contain a field formatting string. It defaults to ```None```. 1957*387f9dfdSAndroid Build Coastguard Worker 1958*387f9dfdSAndroid Build Coastguard WorkerExamples: 1959*387f9dfdSAndroid Build Coastguard Worker 1960*387f9dfdSAndroid Build Coastguard Worker```Python 1961*387f9dfdSAndroid Build Coastguard Worker# print trace_pipe output as-is: 1962*387f9dfdSAndroid Build Coastguard Workerb.trace_print() 1963*387f9dfdSAndroid Build Coastguard Worker 1964*387f9dfdSAndroid Build Coastguard Worker# print PID and message: 1965*387f9dfdSAndroid Build Coastguard Workerb.trace_print(fmt="{1} {5}") 1966*387f9dfdSAndroid Build Coastguard Worker``` 1967*387f9dfdSAndroid Build Coastguard Worker 1968*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1969*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=trace_print+path%3Aexamples+language%3Apython&type=Code), 1970*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=trace_print+path%3Atools+language%3Apython&type=Code) 1971*387f9dfdSAndroid Build Coastguard Worker 1972*387f9dfdSAndroid Build Coastguard Worker### 2. trace_fields() 1973*387f9dfdSAndroid Build Coastguard Worker 1974*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.trace_fields(nonblocking=False)``` 1975*387f9dfdSAndroid Build Coastguard Worker 1976*387f9dfdSAndroid Build Coastguard WorkerThis method reads one line from the globally shared /sys/kernel/debug/tracing/trace_pipe file and returns it as fields. This file can be written to via BPF and the bpf_trace_printk() function, however, that method has limitations, including a lack of concurrent tracing support. The BPF_PERF_OUTPUT mechanism, covered earlier, is preferred. 1977*387f9dfdSAndroid Build Coastguard Worker 1978*387f9dfdSAndroid Build Coastguard WorkerArguments: 1979*387f9dfdSAndroid Build Coastguard Worker 1980*387f9dfdSAndroid Build Coastguard Worker- ```nonblocking```: optional, defaults to ```False```. When set to ```True```, the program will not block waiting for input. 1981*387f9dfdSAndroid Build Coastguard Worker 1982*387f9dfdSAndroid Build Coastguard WorkerExamples: 1983*387f9dfdSAndroid Build Coastguard Worker 1984*387f9dfdSAndroid Build Coastguard Worker```Python 1985*387f9dfdSAndroid Build Coastguard Workerwhile 1: 1986*387f9dfdSAndroid Build Coastguard Worker try: 1987*387f9dfdSAndroid Build Coastguard Worker (task, pid, cpu, flags, ts, msg) = b.trace_fields() 1988*387f9dfdSAndroid Build Coastguard Worker except ValueError: 1989*387f9dfdSAndroid Build Coastguard Worker continue 1990*387f9dfdSAndroid Build Coastguard Worker [...] 1991*387f9dfdSAndroid Build Coastguard Worker``` 1992*387f9dfdSAndroid Build Coastguard Worker 1993*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 1994*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=trace_fields+path%3Aexamples+language%3Apython&type=Code), 1995*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=trace_fields+path%3Atools+language%3Apython&type=Code) 1996*387f9dfdSAndroid Build Coastguard Worker 1997*387f9dfdSAndroid Build Coastguard Worker## Output APIs 1998*387f9dfdSAndroid Build Coastguard Worker 1999*387f9dfdSAndroid Build Coastguard WorkerNormal output from a BPF program is either: 2000*387f9dfdSAndroid Build Coastguard Worker 2001*387f9dfdSAndroid Build Coastguard Worker- per-event: using PERF_EVENT_OUTPUT, open_perf_buffer(), and perf_buffer_poll(). 2002*387f9dfdSAndroid Build Coastguard Worker- map summary: using items(), or print_log2_hist(), covered in the Maps section. 2003*387f9dfdSAndroid Build Coastguard Worker 2004*387f9dfdSAndroid Build Coastguard Worker### 1. perf_buffer_poll() 2005*387f9dfdSAndroid Build Coastguard Worker 2006*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.perf_buffer_poll(timeout=T)``` 2007*387f9dfdSAndroid Build Coastguard Worker 2008*387f9dfdSAndroid Build Coastguard WorkerThis polls from all open perf ring buffers, calling the callback function that was provided when calling open_perf_buffer for each entry. 2009*387f9dfdSAndroid Build Coastguard Worker 2010*387f9dfdSAndroid Build Coastguard WorkerThe timeout parameter is optional and measured in milliseconds. In its absence, polling continues indefinitely. 2011*387f9dfdSAndroid Build Coastguard Worker 2012*387f9dfdSAndroid Build Coastguard WorkerExample: 2013*387f9dfdSAndroid Build Coastguard Worker 2014*387f9dfdSAndroid Build Coastguard Worker```Python 2015*387f9dfdSAndroid Build Coastguard Worker# loop with callback to print_event 2016*387f9dfdSAndroid Build Coastguard Workerb["events"].open_perf_buffer(print_event) 2017*387f9dfdSAndroid Build Coastguard Workerwhile 1: 2018*387f9dfdSAndroid Build Coastguard Worker try: 2019*387f9dfdSAndroid Build Coastguard Worker b.perf_buffer_poll() 2020*387f9dfdSAndroid Build Coastguard Worker except KeyboardInterrupt: 2021*387f9dfdSAndroid Build Coastguard Worker exit(); 2022*387f9dfdSAndroid Build Coastguard Worker``` 2023*387f9dfdSAndroid Build Coastguard Worker 2024*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 2025*387f9dfdSAndroid Build Coastguard Worker[code](https://github.com/iovisor/bcc/blob/v0.9.0/examples/tracing/hello_perf_output.py#L55), 2026*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=perf_buffer_poll+path%3Aexamples+language%3Apython&type=Code), 2027*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=perf_buffer_poll+path%3Atools+language%3Apython&type=Code) 2028*387f9dfdSAndroid Build Coastguard Worker 2029*387f9dfdSAndroid Build Coastguard Worker### 2. ring_buffer_poll() 2030*387f9dfdSAndroid Build Coastguard Worker 2031*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.ring_buffer_poll(timeout=T)``` 2032*387f9dfdSAndroid Build Coastguard Worker 2033*387f9dfdSAndroid Build Coastguard WorkerThis polls from all open ringbuf ring buffers, calling the callback function that was provided when calling open_ring_buffer for each entry. 2034*387f9dfdSAndroid Build Coastguard Worker 2035*387f9dfdSAndroid Build Coastguard WorkerThe timeout parameter is optional and measured in milliseconds. In its absence, polling continues until 2036*387f9dfdSAndroid Build Coastguard Workerthere is no more data or the callback returns a negative value. 2037*387f9dfdSAndroid Build Coastguard Worker 2038*387f9dfdSAndroid Build Coastguard WorkerExample: 2039*387f9dfdSAndroid Build Coastguard Worker 2040*387f9dfdSAndroid Build Coastguard Worker```Python 2041*387f9dfdSAndroid Build Coastguard Worker# loop with callback to print_event 2042*387f9dfdSAndroid Build Coastguard Workerb["events"].open_ring_buffer(print_event) 2043*387f9dfdSAndroid Build Coastguard Workerwhile 1: 2044*387f9dfdSAndroid Build Coastguard Worker try: 2045*387f9dfdSAndroid Build Coastguard Worker b.ring_buffer_poll(30) 2046*387f9dfdSAndroid Build Coastguard Worker except KeyboardInterrupt: 2047*387f9dfdSAndroid Build Coastguard Worker exit(); 2048*387f9dfdSAndroid Build Coastguard Worker``` 2049*387f9dfdSAndroid Build Coastguard Worker 2050*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 2051*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=ring_buffer_poll+path%3Aexamples+language%3Apython&type=Code), 2052*387f9dfdSAndroid Build Coastguard Worker 2053*387f9dfdSAndroid Build Coastguard Worker### 3. ring_buffer_consume() 2054*387f9dfdSAndroid Build Coastguard Worker 2055*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.ring_buffer_consume()``` 2056*387f9dfdSAndroid Build Coastguard Worker 2057*387f9dfdSAndroid Build Coastguard WorkerThis consumes from all open ringbuf ring buffers, calling the callback function that was provided when calling open_ring_buffer for each entry. 2058*387f9dfdSAndroid Build Coastguard Worker 2059*387f9dfdSAndroid Build Coastguard WorkerUnlike ```ring_buffer_poll```, this method **does not poll for data** before attempting to consume. 2060*387f9dfdSAndroid Build Coastguard WorkerThis reduces latency at the expense of higher CPU consumption. If you are unsure which to use, 2061*387f9dfdSAndroid Build Coastguard Workeruse ```ring_buffer_poll```. 2062*387f9dfdSAndroid Build Coastguard Worker 2063*387f9dfdSAndroid Build Coastguard WorkerExample: 2064*387f9dfdSAndroid Build Coastguard Worker 2065*387f9dfdSAndroid Build Coastguard Worker```Python 2066*387f9dfdSAndroid Build Coastguard Worker# loop with callback to print_event 2067*387f9dfdSAndroid Build Coastguard Workerb["events"].open_ring_buffer(print_event) 2068*387f9dfdSAndroid Build Coastguard Workerwhile 1: 2069*387f9dfdSAndroid Build Coastguard Worker try: 2070*387f9dfdSAndroid Build Coastguard Worker b.ring_buffer_consume() 2071*387f9dfdSAndroid Build Coastguard Worker except KeyboardInterrupt: 2072*387f9dfdSAndroid Build Coastguard Worker exit(); 2073*387f9dfdSAndroid Build Coastguard Worker``` 2074*387f9dfdSAndroid Build Coastguard Worker 2075*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 2076*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=ring_buffer_consume+path%3Aexamples+language%3Apython&type=Code), 2077*387f9dfdSAndroid Build Coastguard Worker 2078*387f9dfdSAndroid Build Coastguard Worker## Map APIs 2079*387f9dfdSAndroid Build Coastguard Worker 2080*387f9dfdSAndroid Build Coastguard WorkerMaps are BPF data stores, and are used in bcc to implement a table, and then higher level objects on top of tables, including hashes and histograms. 2081*387f9dfdSAndroid Build Coastguard Worker 2082*387f9dfdSAndroid Build Coastguard Worker### 1. get_table() 2083*387f9dfdSAndroid Build Coastguard Worker 2084*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.get_table(name)``` 2085*387f9dfdSAndroid Build Coastguard Worker 2086*387f9dfdSAndroid Build Coastguard WorkerReturns a table object. This is no longer used, as tables can now be read as items from BPF. Eg: ```BPF[name]```. 2087*387f9dfdSAndroid Build Coastguard Worker 2088*387f9dfdSAndroid Build Coastguard WorkerExamples: 2089*387f9dfdSAndroid Build Coastguard Worker 2090*387f9dfdSAndroid Build Coastguard Worker```Python 2091*387f9dfdSAndroid Build Coastguard Workercounts = b.get_table("counts") 2092*387f9dfdSAndroid Build Coastguard Worker 2093*387f9dfdSAndroid Build Coastguard Workercounts = b["counts"] 2094*387f9dfdSAndroid Build Coastguard Worker``` 2095*387f9dfdSAndroid Build Coastguard Worker 2096*387f9dfdSAndroid Build Coastguard WorkerThese are equivalent. 2097*387f9dfdSAndroid Build Coastguard Worker 2098*387f9dfdSAndroid Build Coastguard Worker### 2. open_perf_buffer() 2099*387f9dfdSAndroid Build Coastguard Worker 2100*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```table.open_perf_buffers(callback, page_cnt=N, lost_cb=None)``` 2101*387f9dfdSAndroid Build Coastguard Worker 2102*387f9dfdSAndroid Build Coastguard WorkerThis operates on a table as defined in BPF as BPF_PERF_OUTPUT(), and associates the callback Python function ```callback``` to be called when data is available in the perf ring buffer. This is part of the recommended mechanism for transferring per-event data from kernel to user space. The size of the perf ring buffer can be specified via the ```page_cnt``` parameter, which must be a power of two number of pages and defaults to 8. If the callback is not processing data fast enough, some submitted data may be lost. ```lost_cb``` will be called to log / monitor the lost count. If ```lost_cb``` is the default ```None``` value, it will just print a line of message to ```stderr```. 2103*387f9dfdSAndroid Build Coastguard Worker 2104*387f9dfdSAndroid Build Coastguard WorkerExample: 2105*387f9dfdSAndroid Build Coastguard Worker 2106*387f9dfdSAndroid Build Coastguard Worker```Python 2107*387f9dfdSAndroid Build Coastguard Worker# process event 2108*387f9dfdSAndroid Build Coastguard Workerdef print_event(cpu, data, size): 2109*387f9dfdSAndroid Build Coastguard Worker event = ct.cast(data, ct.POINTER(Data)).contents 2110*387f9dfdSAndroid Build Coastguard Worker [...] 2111*387f9dfdSAndroid Build Coastguard Worker 2112*387f9dfdSAndroid Build Coastguard Worker# loop with callback to print_event 2113*387f9dfdSAndroid Build Coastguard Workerb["events"].open_perf_buffer(print_event) 2114*387f9dfdSAndroid Build Coastguard Workerwhile 1: 2115*387f9dfdSAndroid Build Coastguard Worker try: 2116*387f9dfdSAndroid Build Coastguard Worker b.perf_buffer_poll() 2117*387f9dfdSAndroid Build Coastguard Worker except KeyboardInterrupt: 2118*387f9dfdSAndroid Build Coastguard Worker exit() 2119*387f9dfdSAndroid Build Coastguard Worker``` 2120*387f9dfdSAndroid Build Coastguard Worker 2121*387f9dfdSAndroid Build Coastguard WorkerNote that the data structure transferred will need to be declared in C in the BPF program. For example: 2122*387f9dfdSAndroid Build Coastguard Worker 2123*387f9dfdSAndroid Build Coastguard Worker```C 2124*387f9dfdSAndroid Build Coastguard Worker// define output data structure in C 2125*387f9dfdSAndroid Build Coastguard Workerstruct data_t { 2126*387f9dfdSAndroid Build Coastguard Worker u32 pid; 2127*387f9dfdSAndroid Build Coastguard Worker u64 ts; 2128*387f9dfdSAndroid Build Coastguard Worker char comm[TASK_COMM_LEN]; 2129*387f9dfdSAndroid Build Coastguard Worker}; 2130*387f9dfdSAndroid Build Coastguard WorkerBPF_PERF_OUTPUT(events); 2131*387f9dfdSAndroid Build Coastguard Worker[...] 2132*387f9dfdSAndroid Build Coastguard Worker``` 2133*387f9dfdSAndroid Build Coastguard Worker 2134*387f9dfdSAndroid Build Coastguard WorkerIn Python, you can either let bcc generate the data structure from C declaration automatically (recommended): 2135*387f9dfdSAndroid Build Coastguard Worker 2136*387f9dfdSAndroid Build Coastguard Worker```Python 2137*387f9dfdSAndroid Build Coastguard Workerdef print_event(cpu, data, size): 2138*387f9dfdSAndroid Build Coastguard Worker event = b["events"].event(data) 2139*387f9dfdSAndroid Build Coastguard Worker[...] 2140*387f9dfdSAndroid Build Coastguard Worker``` 2141*387f9dfdSAndroid Build Coastguard Worker 2142*387f9dfdSAndroid Build Coastguard Workeror define it manually: 2143*387f9dfdSAndroid Build Coastguard Worker 2144*387f9dfdSAndroid Build Coastguard Worker```Python 2145*387f9dfdSAndroid Build Coastguard Worker# define output data structure in Python 2146*387f9dfdSAndroid Build Coastguard WorkerTASK_COMM_LEN = 16 # linux/sched.h 2147*387f9dfdSAndroid Build Coastguard Workerclass Data(ct.Structure): 2148*387f9dfdSAndroid Build Coastguard Worker _fields_ = [("pid", ct.c_ulonglong), 2149*387f9dfdSAndroid Build Coastguard Worker ("ts", ct.c_ulonglong), 2150*387f9dfdSAndroid Build Coastguard Worker ("comm", ct.c_char * TASK_COMM_LEN)] 2151*387f9dfdSAndroid Build Coastguard Worker 2152*387f9dfdSAndroid Build Coastguard Workerdef print_event(cpu, data, size): 2153*387f9dfdSAndroid Build Coastguard Worker event = ct.cast(data, ct.POINTER(Data)).contents 2154*387f9dfdSAndroid Build Coastguard Worker[...] 2155*387f9dfdSAndroid Build Coastguard Worker``` 2156*387f9dfdSAndroid Build Coastguard Worker 2157*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 2158*387f9dfdSAndroid Build Coastguard Worker[code](https://github.com/iovisor/bcc/blob/v0.9.0/examples/tracing/hello_perf_output.py#L52), 2159*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=open_perf_buffer+path%3Aexamples+language%3Apython&type=Code), 2160*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=open_perf_buffer+path%3Atools+language%3Apython&type=Code) 2161*387f9dfdSAndroid Build Coastguard Worker 2162*387f9dfdSAndroid Build Coastguard Worker### 3. items() 2163*387f9dfdSAndroid Build Coastguard Worker 2164*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```table.items()``` 2165*387f9dfdSAndroid Build Coastguard Worker 2166*387f9dfdSAndroid Build Coastguard WorkerReturns an array of the keys in a table. This can be used with BPF_HASH maps to fetch, and iterate, over the keys. 2167*387f9dfdSAndroid Build Coastguard Worker 2168*387f9dfdSAndroid Build Coastguard WorkerExample: 2169*387f9dfdSAndroid Build Coastguard Worker 2170*387f9dfdSAndroid Build Coastguard Worker```Python 2171*387f9dfdSAndroid Build Coastguard Worker# print output 2172*387f9dfdSAndroid Build Coastguard Workerprint("%10s %s" % ("COUNT", "STRING")) 2173*387f9dfdSAndroid Build Coastguard Workercounts = b.get_table("counts") 2174*387f9dfdSAndroid Build Coastguard Workerfor k, v in sorted(counts.items(), key=lambda counts: counts[1].value): 2175*387f9dfdSAndroid Build Coastguard Worker print("%10d \"%s\"" % (v.value, k.c.encode('string-escape'))) 2176*387f9dfdSAndroid Build Coastguard Worker``` 2177*387f9dfdSAndroid Build Coastguard Worker 2178*387f9dfdSAndroid Build Coastguard WorkerThis example also uses the ```sorted()``` method to sort by value. 2179*387f9dfdSAndroid Build Coastguard Worker 2180*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 2181*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=items+path%3Aexamples+language%3Apython&type=Code), 2182*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=items+path%3Atools+language%3Apython&type=Code) 2183*387f9dfdSAndroid Build Coastguard Worker 2184*387f9dfdSAndroid Build Coastguard Worker### 4. values() 2185*387f9dfdSAndroid Build Coastguard Worker 2186*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```table.values()``` 2187*387f9dfdSAndroid Build Coastguard Worker 2188*387f9dfdSAndroid Build Coastguard WorkerReturns an array of the values in a table. 2189*387f9dfdSAndroid Build Coastguard Worker 2190*387f9dfdSAndroid Build Coastguard Worker### 5. clear() 2191*387f9dfdSAndroid Build Coastguard Worker 2192*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```table.clear()``` 2193*387f9dfdSAndroid Build Coastguard Worker 2194*387f9dfdSAndroid Build Coastguard WorkerClears the table: deletes all entries. 2195*387f9dfdSAndroid Build Coastguard Worker 2196*387f9dfdSAndroid Build Coastguard WorkerExample: 2197*387f9dfdSAndroid Build Coastguard Worker 2198*387f9dfdSAndroid Build Coastguard Worker```Python 2199*387f9dfdSAndroid Build Coastguard Worker# print map summary every second: 2200*387f9dfdSAndroid Build Coastguard Workerwhile True: 2201*387f9dfdSAndroid Build Coastguard Worker time.sleep(1) 2202*387f9dfdSAndroid Build Coastguard Worker print("%-8s\n" % time.strftime("%H:%M:%S"), end="") 2203*387f9dfdSAndroid Build Coastguard Worker dist.print_log2_hist(sym + " return:") 2204*387f9dfdSAndroid Build Coastguard Worker dist.clear() 2205*387f9dfdSAndroid Build Coastguard Worker``` 2206*387f9dfdSAndroid Build Coastguard Worker 2207*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 2208*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=clear+path%3Aexamples+language%3Apython&type=Code), 2209*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=clear+path%3Atools+language%3Apython&type=Code) 2210*387f9dfdSAndroid Build Coastguard Worker 2211*387f9dfdSAndroid Build Coastguard Worker### 6. items_lookup_and_delete_batch() 2212*387f9dfdSAndroid Build Coastguard Worker 2213*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```table.items_lookup_and_delete_batch()``` 2214*387f9dfdSAndroid Build Coastguard Worker 2215*387f9dfdSAndroid Build Coastguard WorkerReturns an array of the keys in a table with a single call to BPF syscall. This can be used with BPF_HASH maps to fetch, and iterate, over the keys. It also clears the table: deletes all entries. 2216*387f9dfdSAndroid Build Coastguard WorkerYou should rather use table.items_lookup_and_delete_batch() than table.items() followed by table.clear(). It requires kernel v5.6. 2217*387f9dfdSAndroid Build Coastguard Worker 2218*387f9dfdSAndroid Build Coastguard WorkerExample: 2219*387f9dfdSAndroid Build Coastguard Worker 2220*387f9dfdSAndroid Build Coastguard Worker```Python 2221*387f9dfdSAndroid Build Coastguard Worker# print call rate per second: 2222*387f9dfdSAndroid Build Coastguard Workerprint("%9s-%9s-%8s-%9s" % ("PID", "COMM", "fname", "counter")) 2223*387f9dfdSAndroid Build Coastguard Workerwhile True: 2224*387f9dfdSAndroid Build Coastguard Worker for k, v in sorted(b['map'].items_lookup_and_delete_batch(), key=lambda kv: (kv[0]).pid): 2225*387f9dfdSAndroid Build Coastguard Worker print("%9s-%9s-%8s-%9d" % (k.pid, k.comm, k.fname, v.counter)) 2226*387f9dfdSAndroid Build Coastguard Worker sleep(1) 2227*387f9dfdSAndroid Build Coastguard Worker``` 2228*387f9dfdSAndroid Build Coastguard Worker 2229*387f9dfdSAndroid Build Coastguard Worker### 7. items_lookup_batch() 2230*387f9dfdSAndroid Build Coastguard Worker 2231*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```table.items_lookup_batch()``` 2232*387f9dfdSAndroid Build Coastguard Worker 2233*387f9dfdSAndroid Build Coastguard WorkerReturns an array of the keys in a table with a single call to BPF syscall. This can be used with BPF_HASH maps to fetch, and iterate, over the keys. 2234*387f9dfdSAndroid Build Coastguard WorkerYou should rather use table.items_lookup_batch() than table.items(). It requires kernel v5.6. 2235*387f9dfdSAndroid Build Coastguard Worker 2236*387f9dfdSAndroid Build Coastguard WorkerExample: 2237*387f9dfdSAndroid Build Coastguard Worker 2238*387f9dfdSAndroid Build Coastguard Worker```Python 2239*387f9dfdSAndroid Build Coastguard Worker# print current value of map: 2240*387f9dfdSAndroid Build Coastguard Workerprint("%9s-%9s-%8s-%9s" % ("PID", "COMM", "fname", "counter")) 2241*387f9dfdSAndroid Build Coastguard Workerwhile True: 2242*387f9dfdSAndroid Build Coastguard Worker for k, v in sorted(b['map'].items_lookup_batch(), key=lambda kv: (kv[0]).pid): 2243*387f9dfdSAndroid Build Coastguard Worker print("%9s-%9s-%8s-%9d" % (k.pid, k.comm, k.fname, v.counter)) 2244*387f9dfdSAndroid Build Coastguard Worker``` 2245*387f9dfdSAndroid Build Coastguard Worker 2246*387f9dfdSAndroid Build Coastguard Worker### 8. items_delete_batch() 2247*387f9dfdSAndroid Build Coastguard Worker 2248*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```table.items_delete_batch(keys)``` 2249*387f9dfdSAndroid Build Coastguard Worker 2250*387f9dfdSAndroid Build Coastguard WorkerIt clears all entries of a BPF_HASH map when keys is None. It is more efficient than table.clear() since it generates only one system call. You can delete a subset of a map by giving an array of keys as parameter. Those keys and their associated values will be deleted. It requires kernel v5.6. 2251*387f9dfdSAndroid Build Coastguard Worker 2252*387f9dfdSAndroid Build Coastguard WorkerArguments: 2253*387f9dfdSAndroid Build Coastguard Worker 2254*387f9dfdSAndroid Build Coastguard Worker- keys is optional and by default is None. 2255*387f9dfdSAndroid Build Coastguard Worker 2256*387f9dfdSAndroid Build Coastguard Worker 2257*387f9dfdSAndroid Build Coastguard Worker 2258*387f9dfdSAndroid Build Coastguard Worker### 9. items_update_batch() 2259*387f9dfdSAndroid Build Coastguard Worker 2260*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```table.items_update_batch(keys, values)``` 2261*387f9dfdSAndroid Build Coastguard Worker 2262*387f9dfdSAndroid Build Coastguard WorkerUpdate all the provided keys with new values. The two arguments must be the same length and within the map limits (between 1 and the maximum entries). It requires kernel v5.6. 2263*387f9dfdSAndroid Build Coastguard Worker 2264*387f9dfdSAndroid Build Coastguard WorkerArguments: 2265*387f9dfdSAndroid Build Coastguard Worker 2266*387f9dfdSAndroid Build Coastguard Worker- keys is the list of keys to be updated 2267*387f9dfdSAndroid Build Coastguard Worker- values is the list containing the new values. 2268*387f9dfdSAndroid Build Coastguard Worker 2269*387f9dfdSAndroid Build Coastguard Worker 2270*387f9dfdSAndroid Build Coastguard Worker### 10. print_log2_hist() 2271*387f9dfdSAndroid Build Coastguard Worker 2272*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```table.print_log2_hist(val_type="value", section_header="Bucket ptr", section_print_fn=None)``` 2273*387f9dfdSAndroid Build Coastguard Worker 2274*387f9dfdSAndroid Build Coastguard WorkerPrints a table as a log2 histogram in ASCII. The table must be stored as log2, which can be done using the BPF function ```bpf_log2l()```. 2275*387f9dfdSAndroid Build Coastguard Worker 2276*387f9dfdSAndroid Build Coastguard WorkerArguments: 2277*387f9dfdSAndroid Build Coastguard Worker 2278*387f9dfdSAndroid Build Coastguard Worker- val_type: optional, column header. 2279*387f9dfdSAndroid Build Coastguard Worker- section_header: if the histogram has a secondary key, multiple tables will print and section_header can be used as a header description for each. 2280*387f9dfdSAndroid Build Coastguard Worker- section_print_fn: if section_print_fn is not None, it will be passed the bucket value. 2281*387f9dfdSAndroid Build Coastguard Worker 2282*387f9dfdSAndroid Build Coastguard WorkerExample: 2283*387f9dfdSAndroid Build Coastguard Worker 2284*387f9dfdSAndroid Build Coastguard Worker```Python 2285*387f9dfdSAndroid Build Coastguard Workerb = BPF(text=""" 2286*387f9dfdSAndroid Build Coastguard WorkerBPF_HISTOGRAM(dist); 2287*387f9dfdSAndroid Build Coastguard Worker 2288*387f9dfdSAndroid Build Coastguard Workerint kprobe__blk_account_io_done(struct pt_regs *ctx, struct request *req) 2289*387f9dfdSAndroid Build Coastguard Worker{ 2290*387f9dfdSAndroid Build Coastguard Worker dist.increment(bpf_log2l(req->__data_len / 1024)); 2291*387f9dfdSAndroid Build Coastguard Worker return 0; 2292*387f9dfdSAndroid Build Coastguard Worker} 2293*387f9dfdSAndroid Build Coastguard Worker""") 2294*387f9dfdSAndroid Build Coastguard Worker[...] 2295*387f9dfdSAndroid Build Coastguard Worker 2296*387f9dfdSAndroid Build Coastguard Workerb["dist"].print_log2_hist("kbytes") 2297*387f9dfdSAndroid Build Coastguard Worker``` 2298*387f9dfdSAndroid Build Coastguard Worker 2299*387f9dfdSAndroid Build Coastguard WorkerOutput: 2300*387f9dfdSAndroid Build Coastguard Worker 2301*387f9dfdSAndroid Build Coastguard Worker``` 2302*387f9dfdSAndroid Build Coastguard Worker kbytes : count distribution 2303*387f9dfdSAndroid Build Coastguard Worker 0 -> 1 : 3 | | 2304*387f9dfdSAndroid Build Coastguard Worker 2 -> 3 : 0 | | 2305*387f9dfdSAndroid Build Coastguard Worker 4 -> 7 : 211 |********** | 2306*387f9dfdSAndroid Build Coastguard Worker 8 -> 15 : 0 | | 2307*387f9dfdSAndroid Build Coastguard Worker 16 -> 31 : 0 | | 2308*387f9dfdSAndroid Build Coastguard Worker 32 -> 63 : 0 | | 2309*387f9dfdSAndroid Build Coastguard Worker 64 -> 127 : 1 | | 2310*387f9dfdSAndroid Build Coastguard Worker 128 -> 255 : 800 |**************************************| 2311*387f9dfdSAndroid Build Coastguard Worker``` 2312*387f9dfdSAndroid Build Coastguard Worker 2313*387f9dfdSAndroid Build Coastguard WorkerThis output shows a multi-modal distribution, with the largest mode of 128->255 kbytes and a count of 800. 2314*387f9dfdSAndroid Build Coastguard Worker 2315*387f9dfdSAndroid Build Coastguard WorkerThis is an efficient way to summarize data, as the summarization is performed in-kernel, and only the count column is passed to user space. 2316*387f9dfdSAndroid Build Coastguard Worker 2317*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 2318*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=print_log2_hist+path%3Aexamples+language%3Apython&type=Code), 2319*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=print_log2_hist+path%3Atools+language%3Apython&type=Code) 2320*387f9dfdSAndroid Build Coastguard Worker 2321*387f9dfdSAndroid Build Coastguard Worker### 11. print_linear_hist() 2322*387f9dfdSAndroid Build Coastguard Worker 2323*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```table.print_linear_hist(val_type="value", section_header="Bucket ptr", section_print_fn=None)``` 2324*387f9dfdSAndroid Build Coastguard Worker 2325*387f9dfdSAndroid Build Coastguard WorkerPrints a table as a linear histogram in ASCII. This is intended to visualize small integer ranges, eg, 0 to 100. 2326*387f9dfdSAndroid Build Coastguard Worker 2327*387f9dfdSAndroid Build Coastguard WorkerArguments: 2328*387f9dfdSAndroid Build Coastguard Worker 2329*387f9dfdSAndroid Build Coastguard Worker- val_type: optional, column header. 2330*387f9dfdSAndroid Build Coastguard Worker- section_header: if the histogram has a secondary key, multiple tables will print and section_header can be used as a header description for each. 2331*387f9dfdSAndroid Build Coastguard Worker- section_print_fn: if section_print_fn is not None, it will be passed the bucket value. 2332*387f9dfdSAndroid Build Coastguard Worker 2333*387f9dfdSAndroid Build Coastguard WorkerExample: 2334*387f9dfdSAndroid Build Coastguard Worker 2335*387f9dfdSAndroid Build Coastguard Worker```Python 2336*387f9dfdSAndroid Build Coastguard Workerb = BPF(text=""" 2337*387f9dfdSAndroid Build Coastguard WorkerBPF_HISTOGRAM(dist); 2338*387f9dfdSAndroid Build Coastguard Worker 2339*387f9dfdSAndroid Build Coastguard Workerint kprobe__blk_account_io_done(struct pt_regs *ctx, struct request *req) 2340*387f9dfdSAndroid Build Coastguard Worker{ 2341*387f9dfdSAndroid Build Coastguard Worker dist.increment(req->__data_len / 1024); 2342*387f9dfdSAndroid Build Coastguard Worker return 0; 2343*387f9dfdSAndroid Build Coastguard Worker} 2344*387f9dfdSAndroid Build Coastguard Worker""") 2345*387f9dfdSAndroid Build Coastguard Worker[...] 2346*387f9dfdSAndroid Build Coastguard Worker 2347*387f9dfdSAndroid Build Coastguard Workerb["dist"].print_linear_hist("kbytes") 2348*387f9dfdSAndroid Build Coastguard Worker``` 2349*387f9dfdSAndroid Build Coastguard Worker 2350*387f9dfdSAndroid Build Coastguard WorkerOutput: 2351*387f9dfdSAndroid Build Coastguard Worker 2352*387f9dfdSAndroid Build Coastguard Worker``` 2353*387f9dfdSAndroid Build Coastguard Worker kbytes : count distribution 2354*387f9dfdSAndroid Build Coastguard Worker 0 : 3 |****** | 2355*387f9dfdSAndroid Build Coastguard Worker 1 : 0 | | 2356*387f9dfdSAndroid Build Coastguard Worker 2 : 0 | | 2357*387f9dfdSAndroid Build Coastguard Worker 3 : 0 | | 2358*387f9dfdSAndroid Build Coastguard Worker 4 : 19 |****************************************| 2359*387f9dfdSAndroid Build Coastguard Worker 5 : 0 | | 2360*387f9dfdSAndroid Build Coastguard Worker 6 : 0 | | 2361*387f9dfdSAndroid Build Coastguard Worker 7 : 0 | | 2362*387f9dfdSAndroid Build Coastguard Worker 8 : 4 |******** | 2363*387f9dfdSAndroid Build Coastguard Worker 9 : 0 | | 2364*387f9dfdSAndroid Build Coastguard Worker 10 : 0 | | 2365*387f9dfdSAndroid Build Coastguard Worker 11 : 0 | | 2366*387f9dfdSAndroid Build Coastguard Worker 12 : 0 | | 2367*387f9dfdSAndroid Build Coastguard Worker 13 : 0 | | 2368*387f9dfdSAndroid Build Coastguard Worker 14 : 0 | | 2369*387f9dfdSAndroid Build Coastguard Worker 15 : 0 | | 2370*387f9dfdSAndroid Build Coastguard Worker 16 : 2 |**** | 2371*387f9dfdSAndroid Build Coastguard Worker[...] 2372*387f9dfdSAndroid Build Coastguard Worker``` 2373*387f9dfdSAndroid Build Coastguard Worker 2374*387f9dfdSAndroid Build Coastguard WorkerThis is an efficient way to summarize data, as the summarization is performed in-kernel, and only the values in the count column are passed to user space. 2375*387f9dfdSAndroid Build Coastguard Worker 2376*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 2377*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=print_linear_hist+path%3Aexamples+language%3Apython&type=Code), 2378*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=print_linear_hist+path%3Atools+language%3Apython&type=Code) 2379*387f9dfdSAndroid Build Coastguard Worker 2380*387f9dfdSAndroid Build Coastguard Worker### 12. open_ring_buffer() 2381*387f9dfdSAndroid Build Coastguard Worker 2382*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```table.open_ring_buffer(callback, ctx=None)``` 2383*387f9dfdSAndroid Build Coastguard Worker 2384*387f9dfdSAndroid Build Coastguard WorkerThis operates on a table as defined in BPF as BPF_RINGBUF_OUTPUT(), and associates the callback Python function ```callback``` to be called when data is available in the ringbuf ring buffer. This is part of the new (Linux 5.8+) recommended mechanism for transferring per-event data from kernel to user space. Unlike perf buffers, ringbuf sizes are specified within the BPF program, as part of the ```BPF_RINGBUF_OUTPUT``` macro. If the callback is not processing data fast enough, some submitted data may be lost. In this case, the events should be polled more frequently and/or the size of the ring buffer should be increased. 2385*387f9dfdSAndroid Build Coastguard Worker 2386*387f9dfdSAndroid Build Coastguard WorkerExample: 2387*387f9dfdSAndroid Build Coastguard Worker 2388*387f9dfdSAndroid Build Coastguard Worker```Python 2389*387f9dfdSAndroid Build Coastguard Worker# process event 2390*387f9dfdSAndroid Build Coastguard Workerdef print_event(ctx, data, size): 2391*387f9dfdSAndroid Build Coastguard Worker event = ct.cast(data, ct.POINTER(Data)).contents 2392*387f9dfdSAndroid Build Coastguard Worker [...] 2393*387f9dfdSAndroid Build Coastguard Worker 2394*387f9dfdSAndroid Build Coastguard Worker# loop with callback to print_event 2395*387f9dfdSAndroid Build Coastguard Workerb["events"].open_ring_buffer(print_event) 2396*387f9dfdSAndroid Build Coastguard Workerwhile 1: 2397*387f9dfdSAndroid Build Coastguard Worker try: 2398*387f9dfdSAndroid Build Coastguard Worker b.ring_buffer_poll() 2399*387f9dfdSAndroid Build Coastguard Worker except KeyboardInterrupt: 2400*387f9dfdSAndroid Build Coastguard Worker exit() 2401*387f9dfdSAndroid Build Coastguard Worker``` 2402*387f9dfdSAndroid Build Coastguard Worker 2403*387f9dfdSAndroid Build Coastguard WorkerNote that the data structure transferred will need to be declared in C in the BPF program. For example: 2404*387f9dfdSAndroid Build Coastguard Worker 2405*387f9dfdSAndroid Build Coastguard Worker```C 2406*387f9dfdSAndroid Build Coastguard Worker// define output data structure in C 2407*387f9dfdSAndroid Build Coastguard Workerstruct data_t { 2408*387f9dfdSAndroid Build Coastguard Worker u32 pid; 2409*387f9dfdSAndroid Build Coastguard Worker u64 ts; 2410*387f9dfdSAndroid Build Coastguard Worker char comm[TASK_COMM_LEN]; 2411*387f9dfdSAndroid Build Coastguard Worker}; 2412*387f9dfdSAndroid Build Coastguard WorkerBPF_RINGBUF_OUTPUT(events, 8); 2413*387f9dfdSAndroid Build Coastguard Worker[...] 2414*387f9dfdSAndroid Build Coastguard Worker``` 2415*387f9dfdSAndroid Build Coastguard Worker 2416*387f9dfdSAndroid Build Coastguard WorkerIn Python, you can either let bcc generate the data structure from C declaration automatically (recommended): 2417*387f9dfdSAndroid Build Coastguard Worker 2418*387f9dfdSAndroid Build Coastguard Worker```Python 2419*387f9dfdSAndroid Build Coastguard Workerdef print_event(ctx, data, size): 2420*387f9dfdSAndroid Build Coastguard Worker event = b["events"].event(data) 2421*387f9dfdSAndroid Build Coastguard Worker[...] 2422*387f9dfdSAndroid Build Coastguard Worker``` 2423*387f9dfdSAndroid Build Coastguard Worker 2424*387f9dfdSAndroid Build Coastguard Workeror define it manually: 2425*387f9dfdSAndroid Build Coastguard Worker 2426*387f9dfdSAndroid Build Coastguard Worker```Python 2427*387f9dfdSAndroid Build Coastguard Worker# define output data structure in Python 2428*387f9dfdSAndroid Build Coastguard WorkerTASK_COMM_LEN = 16 # linux/sched.h 2429*387f9dfdSAndroid Build Coastguard Workerclass Data(ct.Structure): 2430*387f9dfdSAndroid Build Coastguard Worker _fields_ = [("pid", ct.c_ulonglong), 2431*387f9dfdSAndroid Build Coastguard Worker ("ts", ct.c_ulonglong), 2432*387f9dfdSAndroid Build Coastguard Worker ("comm", ct.c_char * TASK_COMM_LEN)] 2433*387f9dfdSAndroid Build Coastguard Worker 2434*387f9dfdSAndroid Build Coastguard Workerdef print_event(ctx, data, size): 2435*387f9dfdSAndroid Build Coastguard Worker event = ct.cast(data, ct.POINTER(Data)).contents 2436*387f9dfdSAndroid Build Coastguard Worker[...] 2437*387f9dfdSAndroid Build Coastguard Worker``` 2438*387f9dfdSAndroid Build Coastguard Worker 2439*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 2440*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=open_ring_buffer+path%3Aexamples+language%3Apython&type=Code), 2441*387f9dfdSAndroid Build Coastguard Worker 2442*387f9dfdSAndroid Build Coastguard Worker### 13. push() 2443*387f9dfdSAndroid Build Coastguard Worker 2444*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```table.push(leaf, flags=0)``` 2445*387f9dfdSAndroid Build Coastguard Worker 2446*387f9dfdSAndroid Build Coastguard WorkerPush an element onto a Stack or Queue table. Raises an exception if the operation does not succeed. 2447*387f9dfdSAndroid Build Coastguard WorkerPassing QueueStack.BPF_EXIST as a flag causes the Queue or Stack to discard the oldest element if it is full. 2448*387f9dfdSAndroid Build Coastguard Worker 2449*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 2450*387f9dfdSAndroid Build Coastguard Worker[search /tests](https://github.com/iovisor/bcc/search?q=push+path%3Atests+language%3Apython&type=Code), 2451*387f9dfdSAndroid Build Coastguard Worker 2452*387f9dfdSAndroid Build Coastguard Worker### 14. pop() 2453*387f9dfdSAndroid Build Coastguard Worker 2454*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```leaf = table.pop()``` 2455*387f9dfdSAndroid Build Coastguard Worker 2456*387f9dfdSAndroid Build Coastguard WorkerPop an element from a Stack or Queue table. Unlike ```peek()```, ```pop()``` 2457*387f9dfdSAndroid Build Coastguard Workerremoves the element from the table before returning it. 2458*387f9dfdSAndroid Build Coastguard WorkerRaises a KeyError exception if the operation does not succeed. 2459*387f9dfdSAndroid Build Coastguard Worker 2460*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 2461*387f9dfdSAndroid Build Coastguard Worker[search /tests](https://github.com/iovisor/bcc/search?q=pop+path%3Atests+language%3Apython&type=Code), 2462*387f9dfdSAndroid Build Coastguard Worker 2463*387f9dfdSAndroid Build Coastguard Worker### 15. peek() 2464*387f9dfdSAndroid Build Coastguard Worker 2465*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```leaf = table.peek()``` 2466*387f9dfdSAndroid Build Coastguard Worker 2467*387f9dfdSAndroid Build Coastguard WorkerPeek the element at the head of a Stack or Queue table. Unlike ```pop()```, ```peek()``` 2468*387f9dfdSAndroid Build Coastguard Workerdoes not remove the element from the table. Raises an exception if the operation does not succeed. 2469*387f9dfdSAndroid Build Coastguard Worker 2470*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 2471*387f9dfdSAndroid Build Coastguard Worker[search /tests](https://github.com/iovisor/bcc/search?q=peek+path%3Atests+language%3Apython&type=Code), 2472*387f9dfdSAndroid Build Coastguard Worker 2473*387f9dfdSAndroid Build Coastguard Worker## Helpers 2474*387f9dfdSAndroid Build Coastguard Worker 2475*387f9dfdSAndroid Build Coastguard WorkerSome helper methods provided by bcc. Note that since we're in Python, we can import any Python library and their methods, including, for example, the libraries: argparse, collections, ctypes, datetime, re, socket, struct, subprocess, sys, and time. 2476*387f9dfdSAndroid Build Coastguard Worker 2477*387f9dfdSAndroid Build Coastguard Worker### 1. ksym() 2478*387f9dfdSAndroid Build Coastguard Worker 2479*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.ksym(addr)``` 2480*387f9dfdSAndroid Build Coastguard Worker 2481*387f9dfdSAndroid Build Coastguard WorkerTranslate a kernel memory address into a kernel function name, which is returned. 2482*387f9dfdSAndroid Build Coastguard Worker 2483*387f9dfdSAndroid Build Coastguard WorkerExample: 2484*387f9dfdSAndroid Build Coastguard Worker 2485*387f9dfdSAndroid Build Coastguard Worker```Python 2486*387f9dfdSAndroid Build Coastguard Workerprint("kernel function: " + b.ksym(addr)) 2487*387f9dfdSAndroid Build Coastguard Worker``` 2488*387f9dfdSAndroid Build Coastguard Worker 2489*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 2490*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=ksym+path%3Aexamples+language%3Apython&type=Code), 2491*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=ksym+path%3Atools+language%3Apython&type=Code) 2492*387f9dfdSAndroid Build Coastguard Worker 2493*387f9dfdSAndroid Build Coastguard Worker### 2. ksymname() 2494*387f9dfdSAndroid Build Coastguard Worker 2495*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.ksymname(name)``` 2496*387f9dfdSAndroid Build Coastguard Worker 2497*387f9dfdSAndroid Build Coastguard WorkerTranslate a kernel name into an address. This is the reverse of ksym. Returns -1 when the function name is unknown. 2498*387f9dfdSAndroid Build Coastguard Worker 2499*387f9dfdSAndroid Build Coastguard WorkerExample: 2500*387f9dfdSAndroid Build Coastguard Worker 2501*387f9dfdSAndroid Build Coastguard Worker```Python 2502*387f9dfdSAndroid Build Coastguard Workerprint("kernel address: %x" % b.ksymname("vfs_read")) 2503*387f9dfdSAndroid Build Coastguard Worker``` 2504*387f9dfdSAndroid Build Coastguard Worker 2505*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 2506*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=ksymname+path%3Aexamples+language%3Apython&type=Code), 2507*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=ksymname+path%3Atools+language%3Apython&type=Code) 2508*387f9dfdSAndroid Build Coastguard Worker 2509*387f9dfdSAndroid Build Coastguard Worker### 3. sym() 2510*387f9dfdSAndroid Build Coastguard Worker 2511*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.sym(addr, pid, show_module=False, show_offset=False)``` 2512*387f9dfdSAndroid Build Coastguard Worker 2513*387f9dfdSAndroid Build Coastguard WorkerTranslate a memory address into a function name for a pid, which is returned. A pid of less than zero will access the kernel symbol cache. The `show_module` and `show_offset` parameters control whether the module in which the symbol lies should be displayed, and whether the instruction offset from the beginning of the symbol should be displayed. These extra parameters default to `False`. 2514*387f9dfdSAndroid Build Coastguard Worker 2515*387f9dfdSAndroid Build Coastguard WorkerExample: 2516*387f9dfdSAndroid Build Coastguard Worker 2517*387f9dfdSAndroid Build Coastguard Worker```Python 2518*387f9dfdSAndroid Build Coastguard Workerprint("function: " + b.sym(addr, pid)) 2519*387f9dfdSAndroid Build Coastguard Worker``` 2520*387f9dfdSAndroid Build Coastguard Worker 2521*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 2522*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=sym+path%3Aexamples+language%3Apython&type=Code), 2523*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=sym+path%3Atools+language%3Apython&type=Code) 2524*387f9dfdSAndroid Build Coastguard Worker 2525*387f9dfdSAndroid Build Coastguard Worker### 4. num_open_kprobes() 2526*387f9dfdSAndroid Build Coastguard Worker 2527*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.num_open_kprobes()``` 2528*387f9dfdSAndroid Build Coastguard Worker 2529*387f9dfdSAndroid Build Coastguard WorkerReturns the number of open k[ret]probes. Can be useful for scenarios where event_re is used while attaching and detaching probes. Excludes perf_events readers. 2530*387f9dfdSAndroid Build Coastguard Worker 2531*387f9dfdSAndroid Build Coastguard WorkerExample: 2532*387f9dfdSAndroid Build Coastguard Worker 2533*387f9dfdSAndroid Build Coastguard Worker```Python 2534*387f9dfdSAndroid Build Coastguard Workerb.attach_kprobe(event_re=pattern, fn_name="trace_count") 2535*387f9dfdSAndroid Build Coastguard Workermatched = b.num_open_kprobes() 2536*387f9dfdSAndroid Build Coastguard Workerif matched == 0: 2537*387f9dfdSAndroid Build Coastguard Worker print("0 functions matched by \"%s\". Exiting." % args.pattern) 2538*387f9dfdSAndroid Build Coastguard Worker exit() 2539*387f9dfdSAndroid Build Coastguard Worker``` 2540*387f9dfdSAndroid Build Coastguard Worker 2541*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 2542*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=num_open_kprobes+path%3Aexamples+language%3Apython&type=Code), 2543*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=num_open_kprobes+path%3Atools+language%3Apython&type=Code) 2544*387f9dfdSAndroid Build Coastguard Worker 2545*387f9dfdSAndroid Build Coastguard Worker### 5. get_syscall_fnname() 2546*387f9dfdSAndroid Build Coastguard Worker 2547*387f9dfdSAndroid Build Coastguard WorkerSyntax: ```BPF.get_syscall_fnname(name : str)``` 2548*387f9dfdSAndroid Build Coastguard Worker 2549*387f9dfdSAndroid Build Coastguard WorkerReturn the corresponding kernel function name of the syscall. This helper function will try different prefixes and use the right one to concatenate with the syscall name. Note that the return value may vary in different versions of linux kernel and sometimes it will causing trouble. (see [#2590](https://github.com/iovisor/bcc/issues/2590)) 2550*387f9dfdSAndroid Build Coastguard Worker 2551*387f9dfdSAndroid Build Coastguard WorkerExample: 2552*387f9dfdSAndroid Build Coastguard Worker 2553*387f9dfdSAndroid Build Coastguard Worker```Python 2554*387f9dfdSAndroid Build Coastguard Workerprint("The function name of %s in kernel is %s" % ("clone", b.get_syscall_fnname("clone"))) 2555*387f9dfdSAndroid Build Coastguard Worker# sys_clone or __x64_sys_clone or ... 2556*387f9dfdSAndroid Build Coastguard Worker``` 2557*387f9dfdSAndroid Build Coastguard Worker 2558*387f9dfdSAndroid Build Coastguard WorkerExamples in situ: 2559*387f9dfdSAndroid Build Coastguard Worker[search /examples](https://github.com/iovisor/bcc/search?q=get_syscall_fnname+path%3Aexamples+language%3Apython&type=Code), 2560*387f9dfdSAndroid Build Coastguard Worker[search /tools](https://github.com/iovisor/bcc/search?q=get_syscall_fnname+path%3Atools+language%3Apython&type=Code) 2561*387f9dfdSAndroid Build Coastguard Worker 2562*387f9dfdSAndroid Build Coastguard Worker# BPF Errors 2563*387f9dfdSAndroid Build Coastguard Worker 2564*387f9dfdSAndroid Build Coastguard WorkerSee the "Understanding eBPF verifier messages" section in the kernel source under Documentation/networking/filter.txt. 2565*387f9dfdSAndroid Build Coastguard Worker 2566*387f9dfdSAndroid Build Coastguard Worker## 1. Invalid mem access 2567*387f9dfdSAndroid Build Coastguard Worker 2568*387f9dfdSAndroid Build Coastguard WorkerThis can be due to trying to read memory directly, instead of operating on memory on the BPF stack. All kernel memory reads must be passed via bpf_probe_read_kernel() to copy kernel memory into the BPF stack, which can be automatic by the bcc rewriter in some cases of simple dereferencing. bpf_probe_read_kernel() does all the required checks. 2569*387f9dfdSAndroid Build Coastguard Worker 2570*387f9dfdSAndroid Build Coastguard WorkerExample: 2571*387f9dfdSAndroid Build Coastguard Worker 2572*387f9dfdSAndroid Build Coastguard Worker``` 2573*387f9dfdSAndroid Build Coastguard Workerbpf: Permission denied 2574*387f9dfdSAndroid Build Coastguard Worker0: (bf) r6 = r1 2575*387f9dfdSAndroid Build Coastguard Worker1: (79) r7 = *(u64 *)(r6 +80) 2576*387f9dfdSAndroid Build Coastguard Worker2: (85) call 14 2577*387f9dfdSAndroid Build Coastguard Worker3: (bf) r8 = r0 2578*387f9dfdSAndroid Build Coastguard Worker[...] 2579*387f9dfdSAndroid Build Coastguard Worker23: (69) r1 = *(u16 *)(r7 +16) 2580*387f9dfdSAndroid Build Coastguard WorkerR7 invalid mem access 'inv' 2581*387f9dfdSAndroid Build Coastguard Worker 2582*387f9dfdSAndroid Build Coastguard WorkerTraceback (most recent call last): 2583*387f9dfdSAndroid Build Coastguard Worker File "./tcpaccept", line 179, in <module> 2584*387f9dfdSAndroid Build Coastguard Worker b = BPF(text=bpf_text) 2585*387f9dfdSAndroid Build Coastguard Worker File "/usr/lib/python2.7/dist-packages/bcc/__init__.py", line 172, in __init__ 2586*387f9dfdSAndroid Build Coastguard Worker self._trace_autoload() 2587*387f9dfdSAndroid Build Coastguard Worker File "/usr/lib/python2.7/dist-packages/bcc/__init__.py", line 612, in _trace_autoload 2588*387f9dfdSAndroid Build Coastguard Worker fn = self.load_func(func_name, BPF.KPROBE) 2589*387f9dfdSAndroid Build Coastguard Worker File "/usr/lib/python2.7/dist-packages/bcc/__init__.py", line 212, in load_func 2590*387f9dfdSAndroid Build Coastguard Worker raise Exception("Failed to load BPF program %s" % func_name) 2591*387f9dfdSAndroid Build Coastguard WorkerException: Failed to load BPF program kretprobe__inet_csk_accept 2592*387f9dfdSAndroid Build Coastguard Worker``` 2593*387f9dfdSAndroid Build Coastguard Worker 2594*387f9dfdSAndroid Build Coastguard Worker## 2. Cannot call GPL only function from proprietary program 2595*387f9dfdSAndroid Build Coastguard Worker 2596*387f9dfdSAndroid Build Coastguard WorkerThis error happens when a GPL-only helper is called from a non-GPL BPF program. To fix this error, do not use GPL-only helpers from a proprietary BPF program, or relicense the BPF program under a GPL-compatible license. Check which [BPF helpers](https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md#helpers) are GPL-only, and what licenses are considered GPL-compatible. 2597*387f9dfdSAndroid Build Coastguard Worker 2598*387f9dfdSAndroid Build Coastguard WorkerExample calling `bpf_get_stackid()`, a GPL-only BPF helper, from a proprietary program (`#define BPF_LICENSE Proprietary`): 2599*387f9dfdSAndroid Build Coastguard Worker 2600*387f9dfdSAndroid Build Coastguard Worker``` 2601*387f9dfdSAndroid Build Coastguard Workerbpf: Failed to load program: Invalid argument 2602*387f9dfdSAndroid Build Coastguard Worker[...] 2603*387f9dfdSAndroid Build Coastguard Worker8: (85) call bpf_get_stackid#27 2604*387f9dfdSAndroid Build Coastguard Workercannot call GPL only function from proprietary program 2605*387f9dfdSAndroid Build Coastguard Worker``` 2606*387f9dfdSAndroid Build Coastguard Worker 2607*387f9dfdSAndroid Build Coastguard Worker# Environment Variables 2608*387f9dfdSAndroid Build Coastguard Worker 2609*387f9dfdSAndroid Build Coastguard Worker## 1. Kernel source directory 2610*387f9dfdSAndroid Build Coastguard Worker 2611*387f9dfdSAndroid Build Coastguard WorkereBPF program compilation needs kernel sources or kernel headers with headers 2612*387f9dfdSAndroid Build Coastguard Workercompiled. In case your kernel sources are at a non-standard location where BCC 2613*387f9dfdSAndroid Build Coastguard Workercannot find then, its possible to provide BCC the absolute path of the location 2614*387f9dfdSAndroid Build Coastguard Workerby setting `BCC_KERNEL_SOURCE` to it. 2615*387f9dfdSAndroid Build Coastguard Worker 2616*387f9dfdSAndroid Build Coastguard Worker## 2. Kernel version overriding 2617*387f9dfdSAndroid Build Coastguard Worker 2618*387f9dfdSAndroid Build Coastguard WorkerBy default, BCC stores the `LINUX_VERSION_CODE` in the generated eBPF object 2619*387f9dfdSAndroid Build Coastguard Workerwhich is then passed along to the kernel when the eBPF program is loaded. 2620*387f9dfdSAndroid Build Coastguard WorkerSometimes this is quite inconvenient especially when the kernel is slightly 2621*387f9dfdSAndroid Build Coastguard Workerupdated such as an LTS kernel release. Its extremely unlikely the slight 2622*387f9dfdSAndroid Build Coastguard Workermismatch would cause any issues with the loaded eBPF program. By setting 2623*387f9dfdSAndroid Build Coastguard Worker`BCC_LINUX_VERSION_CODE` to the version of the kernel that's running, the check 2624*387f9dfdSAndroid Build Coastguard Workerfor verifying the kernel version can be bypassed. This is needed for programs 2625*387f9dfdSAndroid Build Coastguard Workerthat use kprobes. This needs to be encoded in the format: `(VERSION * 65536) + 2626*387f9dfdSAndroid Build Coastguard Worker(PATCHLEVEL * 256) + SUBLEVEL`. For example, if the running kernel is `4.9.10`, 2627*387f9dfdSAndroid Build Coastguard Workerthen can set `export BCC_LINUX_VERSION_CODE=264458` to override the kernel 2628*387f9dfdSAndroid Build Coastguard Workerversion check successfully. 2629