eBPF monitoring tool BCC series, part nine: BCC Python
Next we look at the Python side of BCC: the API a user-space script uses to load a BPF program, attach it to events, and read the results back.
1. Initialization
1.1 BPF
Syntax:
BPF({text=BPF_program | src_file=filename} [, usdt_contexts=[USDT_object, ...]])
Creates a BPF object from a program given inline as text or loaded from src_file. This is the main object the script interacts with to attach probes and produce output; USDT contexts are passed in through the optional usdt_contexts list.
1.2 USDT
Syntax: USDT({pid=pid | path=path})
Creates a USDT object for attaching to user-level statically defined tracepoints. The target is identified either by a process ID or by the path of the binary.
2. Events
2.1 attach_kprobe
Syntax:
BPF.attach_kprobe(event="event", fn_name="name")
Dynamic kernel tracing at function entry: the C function fn_name defined in the BPF program is attached to the kernel function event() and runs every time that function is entered.
2.2 attach_kretprobe
Syntax:
BPF.attach_kretprobe(event="event", fn_name="name")
Like attach_kprobe, but the C function fn_name runs when the kernel function event() returns.
2.3 attach_tracepoint
Syntax:
BPF.attach_tracepoint(tp="tracepoint", fn_name="name")
Attaches the C function fn_name defined in the BPF program to the kernel tracepoint tp. Alternatively, the TRACEPOINT_PROBE macro can be used in the C program; it automatically declares an args struct that holds the tracepoint's parameters. When attach_tracepoint is used instead, the parameters have to be declared by hand in the BPF program.
2.4 attach_uprobe
Syntax:
BPF.attach_uprobe(name="location", sym="symbol", fn_name="name")
Attaches the C function fn_name to the entry of the user-space function symbol in the library or binary at location; fn_name is called each time symbol is invoked.
For example:
b.attach_uprobe(name="c", sym="strlen", fn_name="count")
2.5 attach_uretprobe
Syntax:
BPF.attach_uretprobe(name="location", sym="symbol", fn_name="name")
Like attach_uprobe, except that fn_name is called when the user-space function returns.
2.6 USDT.enable_probe
Syntax:
USDT.enable_probe(probe=probe, fn_name=name)
Attaches the C function fn_name in the BPF program to the USDT probe.
For example:
u = USDT(pid=int(pid))
u.enable_probe(probe="http__server__request", fn_name="do_trace")
To check whether a binary has USDT probes, inspect its ELF notes for the stapsdt section:
# readelf -n binary
3. Debug output
3.1 trace_print
Syntax:
BPF.trace_print(fmt="fields")
Continuously reads the globally shared /sys/kernel/debug/tracing/trace_pipe file and prints its contents. BPF programs write to this file with bpf_trace_printk(); because the pipe is shared by every tracer on the system, it is meant for debugging only.
For example:
# print trace_pipe output as-is:
b.trace_print()
# print PID and message:
b.trace_print(fmt="{1} {5}")
3.2 trace_fields
Syntax: BPF.trace_fields(nonblocking=False)
Reads one line from the globally shared /sys/kernel/debug/tracing/trace_pipe file and returns its fields. The nonblocking parameter controls whether the call blocks while waiting for a line to be written.
4. Output
4.1 perf_buffer_poll
Syntax:
BPF.perf_buffer_poll()
Waits for data from the perf ring buffers; when data arrives, the callback function registered with open_perf_buffer is invoked.
For example:
# loop with callback to print_event
b["events"].open_perf_buffer(print_event)
while 1:
    b.perf_buffer_poll()
5. Maps
5.1 get_table
Returns a Table object. This function is deprecated, because a table can be accessed directly as an item of the BPF object, such as b[name].
5.2 open_perf_buffer
Syntax:
table.open_perf_buffer(callback, page_cnt=N, lost_cb=None)
Registers a callback that is called when data is available in the perf ring buffer; table is the BPF_PERF_OUTPUT table defined in the BPF program. This is the recommended way to pass per-event data from the kernel to user space.
The size of the perf ring buffer is set by the page_cnt parameter, which should be a power-of-two number of pages and defaults to 8. If the callback does not process the data fast enough, some data will be lost. lost_cb is called when data is lost; if lost_cb is None, a line of information is printed to stderr instead.
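The pattern described in 4.1 and 5.2 (and the TRACEPOINT_PROBE macro from 2.3) end to end, as an added example that is not part of the original page: a constructed BPF program records every execve() into a perf ring buffer, and the Python side registers a typed callback plus a lost_cb. It assumes a Linux host with the bcc Python bindings and root privileges; the bcc import is deferred into main() so that decode_event() can be exercised without a kernel.

```python
import ctypes as ct
import sys

# Constructed BPF program: the tracepoint gives a typed args struct (args->filename).
bpf_text = r"""
struct data_t { u32 pid; u32 uid; char comm[16]; char fname[64]; };
BPF_PERF_OUTPUT(events);

TRACEPOINT_PROBE(syscalls, sys_enter_execve) {
    struct data_t data = {};
    data.pid = bpf_get_current_pid_tgid() >> 32;
    data.uid = bpf_get_current_uid_gid() & 0xffffffff;
    bpf_get_current_comm(&data.comm, sizeof(data.comm));
    // user memory must be copied in with a probe_read helper, never dereferenced
    bpf_probe_read_str(&data.fname, sizeof(data.fname), args->filename);
    events.perf_submit(args, &data, sizeof(data));
    return 0;
}
"""

class Data(ct.Structure):  # must match struct data_t above (4 + 4 + 16 + 64 bytes)
    _fields_ = [("pid", ct.c_uint32), ("uid", ct.c_uint32),
                ("comm", ct.c_char * 16), ("fname", ct.c_char * 64)]

def decode_event(raw):
    # Decode one perf event payload (bytes); pure Python, runs without a kernel.
    ev = Data.from_buffer_copy(raw)
    return {"pid": ev.pid, "uid": ev.uid, "comm": ev.comm.decode(errors="replace"),
            "fname": ev.fname.decode(errors="replace")}

def print_event(cpu, data, size):  # callback handed to open_perf_buffer
    ev = decode_event(ct.string_at(data, ct.sizeof(Data)))
    print("%-6d %-6d %-16s %s" % (ev["pid"], ev["uid"], ev["comm"], ev["fname"]))

def lost_cb(count):  # called with the number of dropped samples
    print("lost %d events: callback too slow, raise page_cnt" % count, file=sys.stderr)

def main():
    from bcc import BPF  # deferred: needs root and the bcc bindings
    b = BPF(text=bpf_text)  # TRACEPOINT_PROBE attaches on load, no attach_* call needed
    b["events"].open_perf_buffer(print_event, page_cnt=64, lost_cb=lost_cb)
    while True:
        try:
            b.perf_buffer_poll()
        except KeyboardInterrupt:
            return

if __name__ == "__main__":
    main()
```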
5.3 items
Returns an array of the keys in the table. For a BPF_HASH map this is how the map is iterated.
5.4 values
Returns an array of the values in the table.
5.5 clear
Clears all entries in the table.
5.6 print_log2_hist
Syntax:
table.print_log2_hist(val_type="value", section_header="Bucket ptr", section_print_fn=None)
Prints the table as a log2 histogram in ASCII. The table must be stored in log2 mode, which is done in the BPF program with bpf_log2() (or bpf_log2l() for 64-bit values).
val_type: optional, the header of the value column.
section_header: if the histogram has a secondary key, multiple tables are printed and section_header is used as the header description.
section_print_fn: if not None, it is passed the bucket value.
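The kprobe/kretprobe pair from 2.1 and 2.2 feeding a log2 histogram for 5.6, as an added example that is not part of the original page: a constructed BPF program timestamps entry to a kernel function per thread, buckets the latency on return with bpf_log2l(), and the Python side prints it with print_log2_hist(). It assumes a Linux host with the bcc Python bindings and root privileges; the function name vfs_read is an assumed target, and log2_bucket()/histogram() are a pure-Python mirror of the kernel-side bucketing so the bucket layout can be checked offline.

```python
import time
# Constructed BPF program: record entry time per thread, bucket the latency on return.
bpf_text = r"""
#include <uapi/linux/ptrace.h>
BPF_HASH(start, u32, u64);
BPF_HISTOGRAM(dist);

int trace_entry(struct pt_regs *ctx) {
    u32 tid = bpf_get_current_pid_tgid();
    u64 ts = bpf_ktime_get_ns();
    start.update(&tid, &ts);
    return 0;
}

int trace_return(struct pt_regs *ctx) {
    u32 tid = bpf_get_current_pid_tgid();
    u64 *tsp = start.lookup(&tid);
    if (tsp == 0)
        return 0;  // missed the entry (probe attached mid-call)
    u64 delta_us = (bpf_ktime_get_ns() - *tsp) / 1000;
    dist.increment(bpf_log2l(delta_us));  // log2 mode, as print_log2_hist expects
    start.delete(&tid);
    return 0;
}
"""

def log2_bucket(value):
    # Pure-Python mirror of bpf_log2l(): bucket i holds [2**(i-1), 2**i - 1];
    # 0 and 1 both land in bucket 1, the "0 -> 1" row of print_log2_hist.
    return max(1, int(value).bit_length())

def histogram(samples):
    # Aggregate samples the way dist.increment() does in the kernel: {bucket: count}.
    counts = {}
    for v in samples:
        counts[log2_bucket(v)] = counts.get(log2_bucket(v), 0) + 1
    return counts

def main(func="vfs_read", seconds=5):
    from bcc import BPF  # deferred: needs root and the bcc bindings
    b = BPF(text=bpf_text)
    b.attach_kprobe(event=func, fn_name="trace_entry")
    b.attach_kretprobe(event=func, fn_name="trace_return")
    time.sleep(seconds)
    print("%s latency, %d probes open" % (func, b.num_open_kprobes()))
    b["dist"].print_log2_hist("usecs")

if __name__ == "__main__":
    main()
```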
5.7 print_linear_hist
Syntax:
table.print_linear_hist(val_type="value", section_header="Bucket ptr", section_print_fn=None)
Prints the table as a linear histogram in ASCII.
val_type: optional, the header of the value column.
section_header: if the histogram has a secondary key, multiple graphs are printed and section_header is used as the header description.
section_print_fn: if not None, it is passed the bucket value.
6. Helpers
6.1 ksym
Syntax:
BPF.ksym(addr)
Translates a kernel memory address into a kernel function name.
6.2 ksymname
Syntax:
BPF.ksymname(name)
Translates a kernel function name into an address; the inverse of ksym.
6.3 sym
Syntax:
BPF.sym(addr, pid, show_module=False, show_offset=False)
Translates a memory address into a function name for the given process. The show_module and show_offset parameters control whether the module the symbol belongs to and the offset from the start of the symbol are included in the output.
6.4 num_open_kprobes
Returns the number of open k[ret]probes. Useful when attaching with event_re, where one regular expression may open many probes at once.
7. About BPF errors
All memory reads in a BPF program must be copied onto the BPF stack through bpf_probe_read() (or one of its variants). Dereferencing kernel or user memory directly is rejected by the verifier with an "invalid mem access" error.
Reference files:
Documentation/networking/filter.txt in the kernel