eBPF is a technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring changes to kernel source code or loading kernel modules. For details, see https://ebpf.io.
Questions tagged [ebpf]
31 questions
9 votes, 2 answers
Understanding of BPF
When I need to capture some packets using tcpdump, I use command like:
tcpdump -i eth0 "dst host 192.168.1.0"
I always think the dst host 192.168.1.0 part is something called BPF, Berkeley Packet Filter. To me, it's a simple language to filter…
Fajela Tajkiya
5 votes, 1 answer
How do packets flow through the kernel
When it comes to packet filtering/management I never actually know what is going on inside the kernel. There are so many different tools that act on the packets, either from userspace (modifying kernel-space subsystems) or directly on…
AFP_555
3 votes, 1 answer
'cannot attach kprobe, probe entry may not exist' when executing trace-bpfcc
I am following the bcc tutorial and trying to execute the trace-bpfcc command: sudo trace-bpfcc 'sys_execve "%s", arg1'
The command fails with an error:
cannot attach kprobe, probe entry may not exist Failed to attach BPF program b'probe_sys_execve_1'…
ibse
2 votes, 0 answers
How to get the current cgroup ID from C/C++?
The eBPF helper functions define bpf_get_current_cgroup_id for eBPF programs, which does the obvious thing:
u64 bpf_get_current_cgroup_id(void)
Return: A 64-bit integer containing the current cgroup id based on the cgroup…
user547386
2 votes, 2 answers
What are the limitations of eBPF feature-wise?
I understood it is mainly used for observability (i.e. read-only).
I saw you can route packets, but can you do more than that?
Can you also manipulate the file system, send signals and write from an eBPF program?
funerr
1 vote, 1 answer
Log all commands executed regardless of shell?
Suppose a user runs the following command:
zcat file.gz | grep something | gzip > grepped.gz
I'm looking for a kernel feature (a BPF filter perhaps?) that would note all of the execves, chain together their stdins/stdouts and reconstruct that in a…
d33tah
1 vote, 1 answer
DPROBES (DTRACE_PROBE) for measuring high latency stuff under 1µsec
Currently, I'm analyzing the performance of a high latency application but I'm not confident in my measurements at all. So far, I have used DPROBES for instrumentation and BCC/funclatency for measuring.
Would someone be able to verify those numbers?…
Bahamas
1 vote, 1 answer
Mellanox NIC doesn't support DRV_MODE in XDP hook?
I'm trying to load my first eBPF program to the XDP hook, but can't use DRV_MODE.
To be more specific, I'm using Ubuntu 20.04 LTS (GNU/Linux 5.4.0-100-generic x86_64), with a NIC ca:00.0 Ethernet controller: Mellanox Technologies MT2892 Family…
Zezhou Wang
1 vote, 0 answers
CPU Usage based on eBPF profiling
I am relatively new to the concept of eBPF and have, so far, been working with the BCC library. I've found the profile.py tool, alongside FlameGraphs, to be really helpful when monitoring a single process. However, this tool doesn't provide CPU…
user529737
1 vote, 0 answers
How do I trace guest OS system calls from the host OS?
Is there a way to trace guest OS system calls from the host OS with BPF?
Huzi
1 vote, 0 answers
Kprobe vs Fentry/Fexit probes -- TOCTTOU
I am reading up on attaching eBPF programs in the kernel in a security context. While I have read that kprobes are susceptible to time-of-check-to-time-of-use attacks, I would like to know if the same holds for fentry/fexit probes, also known…
BillGatesPriv
1 vote, 0 answers
Count number of bytes read() from files on a file system
I have multiple XFS filesystems mounted on my Linux 5 machine.
I'd like to know for one of them how many bytes were read() in a time period.
Is there an easy way of doing that? I've been looking through /sys/fs and /proc/fs but there's only stats…
Marcus Müller
1 vote, 1 answer
Intercepting syscalls and making changes to their arguments
I'm interested in writing a kernel program that can have all possible controls on syscalls, such as interception, filtering, and making changes to their arguments.
I'm looking at two goals:
read system calls and their arguments and decide to block or…
Mostafa Sarmad
1 vote, 0 answers
bpf_helpers.h file is missing
I'm trying to run some example XDP code that depends on bpf_helpers.h and the file is missing.
The distribution is CentOS 8.0 with kernel 4.18.0-80.el8.x86_64 with CONFIG_XDP_SOCKETS=y. I've installed the kernel and kernel-devel packages and the…
Jim
1 vote, 0 answers
Mapping from uname -m to /usr/src/linux-headers/arch/*
I'm building an eBPF program. For it to build I need to add as include paths (-I) some headers located in /usr/src/linux-headers-*/arch/x86/include.
Since this path is x86-specific, to be able to compile it for non-x86 architectures I will need to…
Albert Vaca Cintora