-
-
Notifications
You must be signed in to change notification settings - Fork 23
/
output.json
158 lines (158 loc) · 56.4 KB
/
output.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
[
{
"request": "Write a BPF code that traces block I/O operations and displays the latency for each operation, along with the disk, process, and PID associated with it.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * biosnoop.bt Block I/O tracing tool, showing per I/O latency.\n * For Linux, uses bpftrace, eBPF.\n *\n * TODO: switch to block tracepoints. Add offset and size columns.\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * 15-Nov-2017\tBrendan Gregg\tCreated this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/blkdev.h>\n#include <linux/blk-mq.h>\n#endif\n\nBEGIN\n{\n\tprintf(\"%-12s %-7s %-16s %-6s %7s\\n\", \"TIME(ms)\", \"DISK\", \"COMM\", \"PID\", \"LAT(ms)\");\n}\n\nkprobe:blk_account_io_start,\nkprobe:__blk_account_io_start\n{\n\t@start[arg0] = nsecs;\n\t@iopid[arg0] = pid;\n\t@iocomm[arg0] = comm;\n\t@disk[arg0] = ((struct request *)arg0)->q->disk->disk_name;\n}\n\nkprobe:blk_account_io_done,\nkprobe:__blk_account_io_done\n/@start[arg0] != 0 && @iopid[arg0] != 0 && @iocomm[arg0] != \"\"/\n\n{\n\t$now = nsecs;\n\tprintf(\"%-12u %-7s %-16s %-6d %7d\\n\",\n\t elapsed / 1e6, @disk[arg0], @iocomm[arg0], @iopid[arg0],\n\t ($now - @start[arg0]) / 1e6);\n\n\tdelete(@start[arg0]);\n\tdelete(@iopid[arg0]);\n\tdelete(@iocomm[arg0]);\n\tdelete(@disk[arg0]);\n}\n\nEND\n{\n\tclear(@start);\n\tclear(@iopid);\n\tclear(@iocomm);\n\tclear(@disk);\n}\n"
},
{
"request": "Write a BPF code that traces directory entry cache (dcache) lookups in the Linux kernel. The code uses kernel dynamic tracing of functions lookup_fast() and d_lookup() to capture lookup information and prints the time, process ID, command, and file name for each lookup event.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * dcsnoop\tTrace directory entry cache (dcache) lookups.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * This uses kernel dynamic tracing of kernel functions, lookup_fast() and\n * d_lookup(), which will need to be modified to match kernel changes. See\n * code comments.\n *\n * USAGE: dcsnoop.bt\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 08-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/fs.h>\n#include <linux/sched.h>\n\n// from fs/namei.c:\nstruct nameidata {\n struct path path;\n struct qstr last;\n // [...]\n};\n#endif\n\nBEGIN\n{\n\tprintf(\"Tracing dcache lookups... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-8s %-6s %-16s %1s %s\\n\", \"TIME\", \"PID\", \"COMM\", \"T\", \"FILE\");\n}\n\n// comment out this block to avoid showing hits:\nkprobe:lookup_fast,\nkprobe:lookup_fast.constprop.*\n{\n\t$nd = (struct nameidata *)arg0;\n\tprintf(\"%-8d %-6d %-16s R %s\\n\", elapsed / 1e6, pid, comm,\n\t str($nd->last.name));\n}\n\nkprobe:d_lookup\n{\n\t$name = (struct qstr *)arg1;\n\t@fname[tid] = $name->name;\n}\n\nkretprobe:d_lookup\n/@fname[tid]/\n{\n\tprintf(\"%-8d %-6d %-16s M %s\\n\", elapsed / 1e6, pid, comm,\n\t str(@fname[tid]));\n\tdelete(@fname[tid]);\n}\n"
},
{
"request": "Write a BPF code that lists new thread creations, printing the time in milliseconds, PID, process name, and function name where the thread was created.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * threadsnoop - List new thread creation.\n *\n * See BPF Performance Tools, Chapter 13, for an explanation of this tool.\n *\n * Copyright (c) 2019 Brendan Gregg.\n * Licensed under the Apache License, Version 2.0 (the \"License\").\n * This was originally created for the BPF Performance Tools book\n * published by Addison Wesley. ISBN-13: 9780136554820\n * When copying or porting, include this comment.\n *\n * 15-Feb-2019 Brendan Gregg Created this.\n */\n\nBEGIN\n{\n\tprintf(\"%-10s %-6s %-16s %s\\n\", \"TIME(ms)\", \"PID\", \"COMM\", \"FUNC\");\n}\n\nuprobe:libpthread:pthread_create,\nuprobe:libc:pthread_create\n{\n\tprintf(\"%-10u %-6d %-16s %s\\n\", elapsed / 1e6, pid, comm,\n\t usym(arg2));\n}\n"
},
{
"request": "Write a BPF code that traces block device I/O and creates histograms of I/O size in bytes for each process.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * bitesize\tShow disk I/O size as a histogram.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * USAGE: bitesize.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 07-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing block device I/O... Hit Ctrl-C to end.\\n\");\n}\n\ntracepoint:block:block_rq_issue\n{\n\t@[args.comm] = hist(args.bytes);\n}\n\nEND\n{\n\tprintf(\"\\nI/O size (bytes) histograms by process name:\");\n}\n"
},
{
"request": "Write a BPF code that traces file system writeback events, including the time of occurrence, device information, reason, and duration. This code can help identify performance issues related to writeback events.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * writeback\tTrace file system writeback events with details.\n * \t\tFor Linux, uses bpftrace and eBPF.\n *\n * This traces when file system dirtied pages are flushed to disk by kernel\n * writeback, and prints details including when the event occurred, and the\n * duration of the event. This can be useful for correlating these times with\n * other performance problems, and if there is a match, it would be a clue\n * that the problem may be caused by writeback. How quickly the kernel does\n * writeback can be tuned: see the kernel docs, eg,\n * vm.dirty_writeback_centisecs.\n *\n * USAGE: writeback.bt\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 14-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing writeback... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-9s %-8s %-8s %-16s %s\\n\", \"TIME\", \"DEVICE\", \"PAGES\",\n\t \"REASON\", \"ms\");\n\n\t// see /sys/kernel/debug/tracing/events/writeback/writeback_start/format\n\t@reason[0] = \"background\";\n\t@reason[1] = \"vmscan\";\n\t@reason[2] = \"sync\";\n\t@reason[3] = \"periodic\";\n\t@reason[4] = \"laptop_timer\";\n\t@reason[5] = \"free_more_memory\";\n\t@reason[6] = \"fs_free_space\";\n\t@reason[7] = \"forker_thread\";\n}\n\ntracepoint:writeback:writeback_start\n{\n\t@start[args.sb_dev] = nsecs;\n}\n\ntracepoint:writeback:writeback_written\n{\n\t$sb_dev = args.sb_dev;\n\t$s = @start[$sb_dev];\n\tdelete(@start[$sb_dev]);\n\t$lat = $s ? (nsecs - $s) / 1000 : 0;\n\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-8s %-8d %-16s %d.%03d\\n\", args.name,\n\t args.nr_pages & 0xffff,\t// TODO: explain these bitmasks\n\t @reason[args.reason & 0xffffffff],\n\t $lat / 1000, $lat % 1000);\n}\n\nEND\n{\n\tclear(@reason);\n\tclear(@start);\n}\n"
},
{
"request": "Write a BPF code that traces block device I/O by measuring the latency of block I/O operations and grouping them into a histogram.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * biolatency.bt\tBlock I/O latency as a histogram.\n *\t\t\tFor Linux, uses bpftrace, eBPF.\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 13-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing block device I/O... Hit Ctrl-C to end.\\n\");\n}\n\ntracepoint:block:block_bio_queue\n{\n\t@start[args.sector] = nsecs;\n}\n\ntracepoint:block:block_rq_complete,\ntracepoint:block:block_bio_complete\n/@start[args.sector]/\n{\n\t@usecs = hist((nsecs - @start[args.sector]) / 1000);\n\tdelete(@start[args.sector]);\n}\n\nEND\n{\n\tclear(@start);\n}\n"
},
{
"request": "Write a BPF code that traces SSL/TLS handshake for OpenSSL, showing the latency, return value, and function information. This code is useful for analyzing SSL/TLS performance.",
"bpf": "#!/usr/bin/bpftrace\n/*\n * sslsnoop\tTrace SSL/TLS handshake for OpenSSL.\n * \t\tFor Linux, uses bpftrace and eBPF.\n *\n * sslsnoop shows handshake latency and retval. This is useful for SSL/TLS\n * performance analysis.\n *\n * Copyright (c) 2021 Tao Xu.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 15-Dec-2021\tTao Xu\tcreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing SSL/TLS handshake... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-10s %-8s %-8s %7s %5s %s\\n\", \"TIME(us)\", \"TID\",\n\t \"COMM\", \"LAT(us)\", \"RET\", \"FUNC\");\n}\n\nuprobe:libssl:SSL_read,\nuprobe:libssl:SSL_write,\nuprobe:libssl:SSL_do_handshake\n{\n\t@start_ssl[tid] = nsecs;\n\t@func_ssl[tid] = func; // store for uretprobe\n}\n\nuretprobe:libssl:SSL_read,\nuretprobe:libssl:SSL_write,\nuretprobe:libssl:SSL_do_handshake\n/@start_ssl[tid] != 0/\n{\n\tprintf(\"%-10u %-8d %-8s %7u %5d %s\\n\", elapsed/1000, tid, comm,\n\t (nsecs - @start_ssl[tid])/1000, retval, @func_ssl[tid]);\n\tdelete(@start_ssl[tid]); delete(@func_ssl[tid]);\n}\n\n// need debug symbol for ossl local functions\nuprobe:libcrypto:rsa_ossl_public_encrypt,\nuprobe:libcrypto:rsa_ossl_public_decrypt,\nuprobe:libcrypto:rsa_ossl_private_encrypt,\nuprobe:libcrypto:rsa_ossl_private_decrypt,\nuprobe:libcrypto:RSA_sign,\nuprobe:libcrypto:RSA_verify,\nuprobe:libcrypto:ossl_ecdsa_sign,\nuprobe:libcrypto:ossl_ecdsa_verify,\nuprobe:libcrypto:ossl_ecdh_compute_key\n{\n\t@start_crypto[tid] = nsecs;\n\t@func_crypto[tid] = func; // store for uretprobe\n}\n\nuretprobe:libcrypto:rsa_ossl_public_encrypt,\nuretprobe:libcrypto:rsa_ossl_public_decrypt,\nuretprobe:libcrypto:rsa_ossl_private_encrypt,\nuretprobe:libcrypto:rsa_ossl_private_decrypt,\nuretprobe:libcrypto:RSA_sign,\nuretprobe:libcrypto:RSA_verify,\nuretprobe:libcrypto:ossl_ecdsa_sign,\nuretprobe:libcrypto:ossl_ecdsa_verify,\nuretprobe:libcrypto:ossl_ecdh_compute_key\n/@start_crypto[tid] != 0/\n{\n\tprintf(\"%-10u %-8d %-8s %7u %5d %s\\n\", elapsed/1000, tid, comm,\n\t (nsecs - @start_crypto[tid])/1000, retval, @func_crypto[tid]);\n\tdelete(@start_crypto[tid]); delete(@func_crypto[tid]);\n}\n"
},
{
"request": "Write a BPF code that traces TCP accept()s by dynamically tracing the kernel inet_csk_accept() socket function and prints information such as the time, process ID, communication, remote and local addresses and ports, and backlog length.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * tcpaccept.bt Trace TCP accept()s\n * For Linux, uses bpftrace and eBPF.\n *\n * USAGE: tcpaccept.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * This uses dynamic tracing of the kernel inet_csk_accept() socket function\n * (from tcp_prot.accept), and will need to be modified to match kernel changes.\n\n * Copyright (c) 2018 Dale Hamel.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n\n * 23-Nov-2018\tDale Hamel\tcreated this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/socket.h>\n#include <net/sock.h>\n#else\n#include <sys/socket.h>\n#endif\n\nBEGIN\n{\n\tprintf(\"Tracing TCP accepts. Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-8s %-6s %-14s \", \"TIME\", \"PID\", \"COMM\");\n\tprintf(\"%-39s %-5s %-39s %-5s %s\\n\", \"RADDR\", \"RPORT\", \"LADDR\",\n\t \"LPORT\", \"BL\");\n}\n\nkretprobe:inet_csk_accept\n{\n\t$sk = (struct sock *)retval;\n\t$inet_family = $sk->__sk_common.skc_family;\n\n\tif ($inet_family == AF_INET || $inet_family == AF_INET6) {\n\t\t// initialize variable type:\n\t\t$daddr = ntop(0);\n\t\t$saddr = ntop(0);\n\t\tif ($inet_family == AF_INET) {\n\t\t\t$daddr = ntop($sk->__sk_common.skc_daddr);\n\t\t\t$saddr = ntop($sk->__sk_common.skc_rcv_saddr);\n\t\t} else {\n\t\t\t$daddr = ntop(\n\t\t\t $sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);\n\t\t\t$saddr = ntop(\n\t\t\t $sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);\n\t\t}\n\t\t$lport = $sk->__sk_common.skc_num;\n\t\t$dport = $sk->__sk_common.skc_dport;\n\t\t$qlen = $sk->sk_ack_backlog;\n\t\t$qmax = $sk->sk_max_ack_backlog;\n\n\t\t// Destination port is big endian, it must be flipped\n\t\t$dport = bswap($dport);\n\n\t\ttime(\"%H:%M:%S \");\n\t\tprintf(\"%-6d %-14s \", pid, comm);\n\t\tprintf(\"%-39s %-5d %-39s %-5d \", $daddr, $dport, $saddr,\n\t\t $lport);\n\t\tprintf(\"%d/%d\\n\", $qlen, $qmax);\n\t}\n}\n"
},
{
"request": "Please write a BPF code that traces signals issued by the kill() syscall and prints information such as the timestamp, process ID, command, signal, target process ID, and the result of the kill() syscall.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * killsnoop\tTrace signals issued by the kill() syscall.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * USAGE: killsnoop.bt\n *\n * Also a basic example of bpftrace.\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 07-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing kill() signals... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-9s %-6s %-16s %-4s %-6s %s\\n\", \"TIME\", \"PID\", \"COMM\", \"SIG\",\n\t \"TPID\", \"RESULT\");\n}\n\ntracepoint:syscalls:sys_enter_kill\n{\n\t@tpid[tid] = args.pid;\n\t@tsig[tid] = args.sig;\n}\n\ntracepoint:syscalls:sys_exit_kill\n/@tpid[tid]/\n{\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %-16s %-4d %-6d %d\\n\", pid, comm, @tsig[tid], @tpid[tid],\n\t args.ret);\n\tdelete(@tpid[tid]);\n\tdelete(@tsig[tid]);\n}\n"
},
{
"request": "Write a BPF code that traces dropped TCP packets in the Linux kernel, providing details such as packet information, socket state, and kernel stack trace for each dropped packet.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * tcpdrop.bt Trace TCP kernel-dropped packets/segments.\n * For Linux, uses bpftrace and eBPF.\n *\n * USAGE: tcpdrop.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n * It is limited to ipv4 addresses, and cannot show tcp flags.\n *\n * This provides information such as packet details, socket state, and kernel\n * stack trace for packets/segments that were dropped via kfree_skb.\n *\n * For Linux 5.17+ (see tools/old for script for lower versions).\n *\n * Copyright (c) 2018 Dale Hamel.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 23-Nov-2018\tDale Hamel\tcreated this.\n * 01-Oct-2022\tRong Tao\tuse tracepoint:skb:kfree_skb\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/socket.h>\n#include <net/sock.h>\n#else\n#include <sys/socket.h>\n#endif\n\nBEGIN\n{\n printf(\"Tracing tcp drops. Hit Ctrl-C to end.\\n\");\n printf(\"%-8s %-8s %-16s %-21s %-21s %-8s\\n\", \"TIME\", \"PID\", \"COMM\", \"SADDR:SPORT\", \"DADDR:DPORT\", \"STATE\");\n\n // See https://github.com/torvalds/linux/blob/master/include/net/tcp_states.h\n @tcp_states[1] = \"ESTABLISHED\";\n @tcp_states[2] = \"SYN_SENT\";\n @tcp_states[3] = \"SYN_RECV\";\n @tcp_states[4] = \"FIN_WAIT1\";\n @tcp_states[5] = \"FIN_WAIT2\";\n @tcp_states[6] = \"TIME_WAIT\";\n @tcp_states[7] = \"CLOSE\";\n @tcp_states[8] = \"CLOSE_WAIT\";\n @tcp_states[9] = \"LAST_ACK\";\n @tcp_states[10] = \"LISTEN\";\n @tcp_states[11] = \"CLOSING\";\n @tcp_states[12] = \"NEW_SYN_RECV\";\n}\n\ntracepoint:skb:kfree_skb\n{\n $reason = args.reason;\n $skb = (struct sk_buff *)args.skbaddr;\n $sk = ((struct sock *) $skb->sk);\n $inet_family = $sk->__sk_common.skc_family;\n\n if ($reason > SKB_DROP_REASON_NOT_SPECIFIED &&\n ($inet_family == AF_INET || $inet_family == AF_INET6)) {\n if ($inet_family == AF_INET) {\n $daddr = ntop($sk->__sk_common.skc_daddr);\n $saddr = ntop($sk->__sk_common.skc_rcv_saddr);\n } else {\n $daddr = ntop($sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);\n $saddr = ntop($sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);\n }\n $lport = $sk->__sk_common.skc_num;\n $dport = $sk->__sk_common.skc_dport;\n\n // Destination port is big endian, it must be flipped\n $dport = bswap($dport);\n\n $state = $sk->__sk_common.skc_state;\n $statestr = @tcp_states[$state];\n\n time(\"%H:%M:%S \");\n printf(\"%-8d %-16s \", pid, comm);\n printf(\"%39s:%-6d %39s:%-6d %-10s\\n\", $saddr, $lport, $daddr, $dport, $statestr);\n printf(\"%s\\n\", kstack);\n }\n}\n\nEND\n{\n clear(@tcp_states);\n}\n"
},
{
"request": "Write a BPF code that counts the number of system calls and the number of processes. It also prints the top 10 system call IDs and the top 10 processes at the end.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * syscount.bt\tCount system calls.\n *\t\tFor Linux, uses bpftrace, eBPF.\n *\n * This is a bpftrace version of the bcc tool of the same name.\n * The bcc versions translates syscall IDs to their names, and this version\n * currently does not. Syscall IDs can be listed by \"ausyscall --dump\".\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 13-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Counting syscalls... Hit Ctrl-C to end.\\n\");\n\t// ausyscall --dump | awk 'NR > 1 { printf(\"\\t@sysname[%d] = \\\"%s\\\";\\n\", $1, $2); }'\n}\n\ntracepoint:raw_syscalls:sys_enter\n{\n\t@syscall[args.id] = count();\n\t@process[comm] = count();\n}\n\nEND\n{\n\tprintf(\"\\nTop 10 syscalls IDs:\\n\");\n\tprint(@syscall, 10);\n\tclear(@syscall);\n\n\tprintf(\"\\nTop 10 processes:\\n\");\n\tprint(@process, 10);\n\tclear(@process);\n}\n"
},
{
"request": "Write a BPF code that traces the kernel OOM killer and prints basic details, including the system load averages, providing context on the system state at the time of the OOM.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * oomkill\tTrace OOM killer.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * This traces the kernel out-of-memory killer, and prints basic details,\n * including the system load averages. This can provide more context on the\n * system state at the time of OOM: was it getting busier or steady, based\n * on the load averages? This tool may also be useful to customize for\n * investigations; for example, by adding other task_struct details at the\n * time of the OOM, or other commands in the system() call.\n *\n * This currently works by using kernel dynamic tracing of oom_kill_process().\n *\n * USAGE: oomkill.bt\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 07-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/oom.h>\n#endif\n\nBEGIN\n{\n\tprintf(\"Tracing oom_kill_process()... Hit Ctrl-C to end.\\n\");\n}\n\nkprobe:oom_kill_process\n{\n\t$oc = (struct oom_control *)arg0;\n\ttime(\"%H:%M:%S \");\n\tprintf(\"Triggered by PID %d (\\\"%s\\\"), \", pid, comm);\n\tprintf(\"OOM kill of PID %d (\\\"%s\\\"), %d pages, loadavg: \",\n\t $oc->chosen->pid, $oc->chosen->comm, $oc->totalpages);\n\tcat(\"/proc/loadavg\");\n}\n"
},
{
"request": "Write a BPF code that traces the TCP SYN backlog size and creates a histogram of the backlog sizes, also indicating if any SYN packets are being dropped.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * tcpsynbl - Show TCP SYN backlog as a histogram.\n *\n * See BPF Performance Tools, Chapter 10, for an explanation of this tool.\n *\n * Copyright (c) 2019 Brendan Gregg.\n * Licensed under the Apache License, Version 2.0 (the \"License\").\n * This was originally created for the BPF Performance Tools book\n * published by Addison Wesley. ISBN-13: 9780136554820\n * When copying or porting, include this comment.\n *\n * 19-Apr-2019 Brendan Gregg Created this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <net/sock.h>\n#endif\n\nBEGIN\n{\n\tprintf(\"Tracing SYN backlog size. Ctrl-C to end.\\n\");\n}\n\nkprobe:tcp_v4_syn_recv_sock,\nkprobe:tcp_v6_syn_recv_sock\n{\n\t$sock = (struct sock *)arg0;\n\t@backlog[$sock->sk_max_ack_backlog & 0xffffffff] =\n\t hist($sock->sk_ack_backlog);\n\tif ($sock->sk_ack_backlog > $sock->sk_max_ack_backlog) {\n\t\ttime(\"%H:%M:%S dropping a SYN.\\n\");\n\t}\n}\n\nEND\n{\n\tprintf(\"\\n@backlog[backlog limit]: histogram of backlog size\\n\");\n}\n"
},
{
"request": "Write a BPF code that traces TCP session lifespans and prints details of the connections, including the process ID, command, local and remote addresses and ports, and data transmission statistics.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * tcplife - Trace TCP session lifespans with connection details.\n *\n * See BPF Performance Tools, Chapter 10, for an explanation of this tool.\n *\n * Copyright (c) 2019 Brendan Gregg.\n * Licensed under the Apache License, Version 2.0 (the \"License\").\n * This was originally created for the BPF Performance Tools book\n * published by Addison Wesley. ISBN-13: 9780136554820\n * When copying or porting, include this comment.\n *\n * 17-Apr-2019 Brendan Gregg Created this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <net/tcp_states.h>\n#include <net/sock.h>\n#include <linux/socket.h>\n#include <linux/tcp.h>\n#else\n#include <sys/socket.h>\n#endif\n\nBEGIN\n{\n\tprintf(\"%-5s %-10s %-15s %-5s %-15s %-5s \", \"PID\", \"COMM\",\n\t \"LADDR\", \"LPORT\", \"RADDR\", \"RPORT\");\n\tprintf(\"%5s %5s %s\\n\", \"TX_KB\", \"RX_KB\", \"MS\");\n}\n\nkprobe:tcp_set_state\n{\n\t$sk = (struct sock *)arg0;\n\t$newstate = arg1;\n\n\t/*\n\t * This tool includes PID and comm context. From TCP this is best\n\t * effort, and may be wrong in some situations. It does this:\n\t * - record timestamp on any state < TCP_FIN_WAIT1\n\t *\tnote some state transitions may not be present via this kprobe\n\t * - cache task context on:\n\t *\tTCP_SYN_SENT: tracing from client\n\t *\tTCP_LAST_ACK: client-closed from server\n\t * - do output on TCP_CLOSE:\n\t *\tfetch task context if cached, or use current task\n\t */\n\n\t// record first timestamp seen for this socket\n\tif ($newstate < TCP_FIN_WAIT1 && @birth[$sk] == 0) {\n\t\t@birth[$sk] = nsecs;\n\t}\n\n\t// record PID & comm on SYN_SENT\n\tif ($newstate == TCP_SYN_SENT || $newstate == TCP_LAST_ACK) {\n\t\t@skpid[$sk] = pid;\n\t\t@skcomm[$sk] = comm;\n\t}\n\n\t// session ended: calculate lifespan and print\n\tif ($newstate == TCP_CLOSE && @birth[$sk]) {\n\t\t$delta_ms = (nsecs - @birth[$sk]) / 1e6;\n\t\t$lport = $sk->__sk_common.skc_num;\n\t\t$dport = $sk->__sk_common.skc_dport;\n\t\t$dport = bswap($dport);\n\t\t$tp = (struct tcp_sock *)$sk;\n\t\t$pid = @skpid[$sk];\n\t\t$comm = @skcomm[$sk];\n\t\tif ($comm == \"\") {\n\t\t\t// not cached, use current task\n\t\t\t$pid = pid;\n\t\t\t$comm = comm;\n\t\t}\n\n\t\t$family = $sk->__sk_common.skc_family;\n\t\t$saddr = ntop(0);\n\t\t$daddr = ntop(0);\n\t\tif ($family == AF_INET) {\n\t\t\t$saddr = ntop(AF_INET, $sk->__sk_common.skc_rcv_saddr);\n\t\t\t$daddr = ntop(AF_INET, $sk->__sk_common.skc_daddr);\n\t\t} else {\n\t\t\t// AF_INET6\n\t\t\t$saddr = ntop(AF_INET6,\n\t\t\t $sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);\n\t\t\t$daddr = ntop(AF_INET6,\n\t\t\t $sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);\n\t\t}\n\t\tprintf(\"%-5d %-10.10s %-15s %-5d %-15s %-6d \", $pid,\n\t\t $comm, $saddr, $lport, $daddr, $dport);\n\t\tprintf(\"%5d %5d %d\\n\", $tp->bytes_acked / 1024,\n\t\t $tp->bytes_received / 1024, $delta_ms);\n\n\t\tdelete(@birth[$sk]);\n\t\tdelete(@skpid[$sk]);\n\t\tdelete(@skcomm[$sk]);\n\t}\n}\n\nEND\n{\n\tclear(@birth); clear(@skpid); clear(@skcomm);\n}\n"
},
{
"request": "Write a BPF code that traces the readline function in the /bin/bash program and prints the timestamp, process ID, and command entered by the user.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * bashreadline Print entered bash commands from all running shells.\n * For Linux, uses bpftrace and eBPF.\n *\n * This works by tracing the readline() function using a uretprobe (uprobes).\n *\n * USAGE: bashreadline.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 06-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing bash commands... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-9s %-6s %s\\n\", \"TIME\", \"PID\", \"COMMAND\");\n}\n\nuretprobe:/bin/bash:readline\n{\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %s\\n\", pid, str(retval));\n}\n"
},
{
"request": "Write a BPF code that calculates and samples the length of the CPU scheduler run queue as a histogram, subtracting the currently running task from the total queue length.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * runqlen.bt\tCPU scheduler run queue length as a histogram.\n *\t\tFor Linux, uses bpftrace, eBPF.\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 07-Oct-2018\tBrendan Gregg\tCreated this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/sched.h>\n\n// Until BTF is available, we'll need to declare some of this struct manually,\n// since it isn't available to be #included. This will need maintenance to match\n// your kernel version. It is from kernel/sched/sched.h:\nstruct cfs_rq {\n\tstruct load_weight load;\n\tunsigned long runnable_weight;\n\tunsigned int nr_running;\n\tunsigned int h_nr_running;\n};\n#endif\n\nBEGIN\n{\n\tprintf(\"Sampling run queue length at 99 Hertz... Hit Ctrl-C to end.\\n\");\n}\n\nprofile:hz:99\n{\n\t$task = (struct task_struct *)curtask;\n\t$my_q = (struct cfs_rq *)$task->se.cfs_rq;\n\t$len = $my_q->nr_running;\n\t$len = $len > 0 ? $len - 1 : 0;\t// subtract currently running task\n\t@runqlen = lhist($len, 0, 100, 1);\n}\n"
},
{
"request": "Write a BPF code that traces and counts TCP retransmits on a Linux system using dynamic tracing of kernel functions. The code prints information about the time, process ID, local and remote address, port, and state of each TCP retransmit.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * tcpretrans.bt Trace or count TCP retransmits\n * For Linux, uses bpftrace and eBPF.\n *\n * USAGE: tcpretrans.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n * It is limited to ipv4 addresses, and doesn't support tracking TLPs.\n *\n * This uses dynamic tracing of kernel functions, and will need to be updated\n * to match kernel changes.\n *\n * Copyright (c) 2018 Dale Hamel.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 23-Nov-2018 Dale Hamel created this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/socket.h>\n#include <net/sock.h>\n#else\n#include <sys/socket.h>\n#endif\n\nBEGIN\n{\n\tprintf(\"Tracing tcp retransmits. Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-8s %-8s %20s %21s %6s\\n\", \"TIME\", \"PID\", \"LADDR:LPORT\",\n\t \"RADDR:RPORT\", \"STATE\");\n\n\t// See include/net/tcp_states.h:\n\t@tcp_states[1] = \"ESTABLISHED\";\n\t@tcp_states[2] = \"SYN_SENT\";\n\t@tcp_states[3] = \"SYN_RECV\";\n\t@tcp_states[4] = \"FIN_WAIT1\";\n\t@tcp_states[5] = \"FIN_WAIT2\";\n\t@tcp_states[6] = \"TIME_WAIT\";\n\t@tcp_states[7] = \"CLOSE\";\n\t@tcp_states[8] = \"CLOSE_WAIT\";\n\t@tcp_states[9] = \"LAST_ACK\";\n\t@tcp_states[10] = \"LISTEN\";\n\t@tcp_states[11] = \"CLOSING\";\n\t@tcp_states[12] = \"NEW_SYN_RECV\";\n}\n\nkprobe:tcp_retransmit_skb\n{\n\t$sk = (struct sock *)arg0;\n\t$inet_family = $sk->__sk_common.skc_family;\n\n\tif ($inet_family == AF_INET || $inet_family == AF_INET6) {\n\t\t// initialize variable type:\n\t\t$daddr = ntop(0);\n\t\t$saddr = ntop(0);\n\t\tif ($inet_family == AF_INET) {\n\t\t\t$daddr = ntop($sk->__sk_common.skc_daddr);\n\t\t\t$saddr = ntop($sk->__sk_common.skc_rcv_saddr);\n\t\t} else {\n\t\t\t$daddr = ntop(\n\t\t\t $sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);\n\t\t\t$saddr = ntop(\n\t\t\t $sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);\n\t\t}\n\t\t$lport = $sk->__sk_common.skc_num;\n\t\t$dport = $sk->__sk_common.skc_dport;\n\n\t\t// Destination port is big endian, it must be flipped\n\t\t$dport = bswap($dport);\n\n\t\t$state = $sk->__sk_common.skc_state;\n\t\t$statestr = @tcp_states[$state];\n\n\t\ttime(\"%H:%M:%S \");\n\t\tprintf(\"%-8d %14s:%-6d %14s:%-6d %6s\\n\", pid, $saddr, $lport,\n\t\t $daddr, $dport, $statestr);\n\t}\n}\n\nEND\n{\n\tclear(@tcp_states);\n}\n"
},
{
"request": "Write a BPF code that traces VFS calls and counts the number of times each function is called in the kernel.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * vfscount\tCount VFS calls (\"vfs_*\").\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * Written as a basic example of counting kernel functions.\n *\n * USAGE: vfscount.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 06-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing VFS calls... Hit Ctrl-C to end.\\n\");\n\n}\n\nkprobe:vfs_*\n{\n\t@[func] = count();\n}\n"
},
{
"request": "Write a BPF code that traces the syscalls statfs(), statx(), newstat(), and newlstat(), providing information about the PID, process name, error code, and path being accessed.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * statsnoop\tTrace stat() syscalls.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * This traces the tracepoints for statfs(), statx(), newstat(), and\n * newlstat(). These aren't the only the stat syscalls: if you are missing\n * activity, you may need to add more variants.\n *\n * Also a basic example of bpftrace.\n *\n * USAGE: statsnoop.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 08-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing stat syscalls... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-6s %-16s %3s %s\\n\", \"PID\", \"COMM\", \"ERR\", \"PATH\");\n}\n\ntracepoint:syscalls:sys_enter_statfs\n{\n\t@filename[tid] = args.pathname;\n}\n\ntracepoint:syscalls:sys_enter_statx,\ntracepoint:syscalls:sys_enter_newstat,\ntracepoint:syscalls:sys_enter_newlstat\n{\n\t@filename[tid] = args.filename;\n}\n\ntracepoint:syscalls:sys_exit_statfs,\ntracepoint:syscalls:sys_exit_statx,\ntracepoint:syscalls:sys_exit_newstat,\ntracepoint:syscalls:sys_exit_newlstat\n/@filename[tid]/\n{\n\t$ret = args.ret;\n\t$errno = $ret >= 0 ? 0 : - $ret;\n\n\tprintf(\"%-6d %-16s %3d %s\\n\", pid, comm, $errno,\n\t str(@filename[tid]));\n\tdelete(@filename[tid]);\n}\n\nEND\n{\n\tclear(@filename);\n}\n"
},
{
"request": "Write a BPF code that traces md flush events and displays the time, process ID, command, and device information of each event.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * mdflush\tTrace md flush events.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * USAGE: mdflush.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * For Linux 5.12+ (see tools/old for script for lower versions).\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 08-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/genhd.h>\n#include <linux/bio.h>\n#endif\n\nBEGIN\n{\n\tprintf(\"Tracing md flush events... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-8s %-6s %-16s %s\\n\", \"TIME\", \"PID\", \"COMM\", \"DEVICE\");\n}\n\nkprobe:md_flush_request\n{\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %-16s %s\\n\", pid, comm,\n\t ((struct bio *)arg1)->bi_bdev->bd_disk->disk_name);\n}\n"
},
{
"request": "Write a BPF code that traces key VFS calls, counts the number of times each call is invoked, and prints a per-second summary.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * vfsstat\tCount some VFS calls, with per-second summaries.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * Written as a basic example of counting multiple events and printing a\n * per-second summary.\n *\n * USAGE: vfsstat.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 06-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing key VFS calls... Hit Ctrl-C to end.\\n\");\n\n}\n\nkprobe:vfs_read*,\nkprobe:vfs_write*,\nkprobe:vfs_fsync,\nkprobe:vfs_open,\nkprobe:vfs_create\n{\n\t@[func] = count();\n}\n\ninterval:s:1\n{\n\ttime();\n\tprint(@);\n\tclear(@);\n}\n\nEND\n{\n\tclear(@);\n}\n"
},
{
"request": "Write a BPF code that traces new processes and counts the number of new process creations per second using the eBPF technology.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * pidpersec\tCount new processes (via fork).\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * Written as a basic example of counting on an event.\n *\n * USAGE: pidpersec.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 06-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing new processes... Hit Ctrl-C to end.\\n\");\n\n}\n\ntracepoint:sched:sched_process_fork\n{\n\t@ = count();\n}\n\ninterval:s:1\n{\n\ttime(\"%H:%M:%S PIDs/sec: \");\n\tprint(@);\n\tclear(@);\n}\n\nEND\n{\n\tclear(@);\n}\n"
},
{
"request": "Write a BPF code that monitors the swapins by process.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * swapin - Show swapins by process.\n *\n * See BPF Performance Tools, Chapter 7, for an explanation of this tool.\n *\n * Copyright (c) 2019 Brendan Gregg.\n * Licensed under the Apache License, Version 2.0 (the \"License\").\n * This was originally created for the BPF Performance Tools book\n * published by Addison Wesley. ISBN-13: 9780136554820\n * When copying or porting, include this comment.\n *\n * 26-Jan-2019 Brendan Gregg Created this.\n */\n\nkprobe:swap_readpage\n{\n @[comm, pid] = count();\n}\n\ninterval:s:1\n{\n time();\n print(@);\n clear(@);\n}\n"
},
{
"request": "Write a BPF code that traces TCP connections by dynamically tracing kernel functions and prints out the time, PID, and addresses and ports of the source and destination of each connection.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * tcpconnect.bt Trace TCP connect()s.\n * For Linux, uses bpftrace and eBPF.\n *\n * USAGE: tcpconnect.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n * It is limited to ipv4 addresses.\n *\n * All connection attempts are traced, even if they ultimately fail.\n *\n * This uses dynamic tracing of kernel functions, and will need to be updated\n * to match kernel changes.\n *\n * Copyright (c) 2018 Dale Hamel.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 23-Nov-2018\tDale Hamel\tcreated this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/socket.h>\n#include <net/sock.h>\n#else\n#include <sys/socket.h>\n#endif\n\nBEGIN\n{\n printf(\"Tracing tcp connections. Hit Ctrl-C to end.\\n\");\n printf(\"%-8s %-8s %-16s \", \"TIME\", \"PID\", \"COMM\");\n printf(\"%-39s %-6s %-39s %-6s\\n\", \"SADDR\", \"SPORT\", \"DADDR\", \"DPORT\");\n}\n\nkprobe:tcp_connect\n{\n $sk = ((struct sock *) arg0);\n $inet_family = $sk->__sk_common.skc_family;\n\n if ($inet_family == AF_INET || $inet_family == AF_INET6) {\n if ($inet_family == AF_INET) {\n $daddr = ntop($sk->__sk_common.skc_daddr);\n $saddr = ntop($sk->__sk_common.skc_rcv_saddr);\n } else {\n $daddr = ntop($sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);\n $saddr = ntop($sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);\n }\n $lport = $sk->__sk_common.skc_num;\n $dport = $sk->__sk_common.skc_dport;\n\n // Destination port is big endian, it must be flipped\n $dport = bswap($dport);\n\n time(\"%H:%M:%S \");\n printf(\"%-8d %-16s \", pid, comm);\n printf(\"%-39s %-6d %-39s %-6d\\n\", $saddr, $lport, $daddr, $dport);\n }\n}\n"
},
{
"request": "Write a BPF code that traces gethostbyname[2] calls and provides information about their latency, including the timestamp, process ID, command name, latency in milliseconds, and host name.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * gethostlatency\tTrace getaddrinfo/gethostbyname[2] calls.\n *\t\t\tFor Linux, uses bpftrace and eBPF.\n *\n * This can be useful for identifying DNS latency, by identifying which\n * remote host name lookups were slow, and by how much.\n *\n * This uses dynamic tracing of user-level functions and registers, and may\n # need modifications to match your software and processor architecture.\n *\n * USAGE: gethostlatency.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 08-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing getaddr/gethost calls... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-9s %-6s %-16s %6s %s\\n\", \"TIME\", \"PID\", \"COMM\", \"LATms\",\n\t \"HOST\");\n}\n\nuprobe:libc:getaddrinfo,\nuprobe:libc:gethostbyname,\nuprobe:libc:gethostbyname2\n{\n\t@start[tid] = nsecs;\n\t@name[tid] = arg0;\n}\n\nuretprobe:libc:getaddrinfo,\nuretprobe:libc:gethostbyname,\nuretprobe:libc:gethostbyname2\n/@start[tid]/\n{\n\t$latms = (nsecs - @start[tid]) / 1e6;\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %-16s %6d %s\\n\", pid, comm, $latms, str(@name[tid]));\n\tdelete(@start[tid]);\n\tdelete(@name[tid]);\n}\n"
},
{
"request": "Write a BPF code that traces SSL/TLS handshake for OpenSSL, showing handshake latency statistics and distribution. The code captures function calls and their corresponding latencies, and provides a summary of the latency distribution in microseconds.",
"bpf": "#!/usr/bin/bpftrace\n/*\n * ssllatency\tTrace SSL/TLS handshake for OpenSSL.\n * \t\tFor Linux, uses bpftrace and eBPF.\n *\n * ssllatency shows handshake latency stats and distribution.\n *\n * Copyright (c) 2021 Tao Xu.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 17-Dec-2021\tTao Xu\tcreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing SSL/TLS handshake... Hit Ctrl-C to end.\\n\");\n}\n\nuprobe:libssl:SSL_read,\nuprobe:libssl:SSL_write,\nuprobe:libssl:SSL_do_handshake\n{\n\t@start_ssl[tid] = nsecs;\n\t@func_ssl[tid] = func; // store for uretprobe\n}\n\nuretprobe:libssl:SSL_read,\nuretprobe:libssl:SSL_write,\nuretprobe:libssl:SSL_do_handshake\n/@start_ssl[tid] != 0/\n{\n\t$lat_us = (nsecs - @start_ssl[tid]) / 1000;\n\tif ((int8)retval >= 1) {\n\t\t@hist[@func_ssl[tid]] = lhist($lat_us, 0, 1000, 200);\n\t\t@stat[@func_ssl[tid]] = stats($lat_us);\n\t} else {\n\t\t@histF[@func_ssl[tid]] = lhist($lat_us, 0, 1000, 200);\n\t\t@statF[@func_ssl[tid]] = stats($lat_us);\n\t}\n\tdelete(@start_ssl[tid]); delete(@func_ssl[tid]);\n}\n\n// need debug symbol for ossl local functions\nuprobe:libcrypto:rsa_ossl_public_encrypt,\nuprobe:libcrypto:rsa_ossl_public_decrypt,\nuprobe:libcrypto:rsa_ossl_private_encrypt,\nuprobe:libcrypto:rsa_ossl_private_decrypt,\nuprobe:libcrypto:RSA_sign,\nuprobe:libcrypto:RSA_verify,\nuprobe:libcrypto:ossl_ecdsa_sign,\nuprobe:libcrypto:ossl_ecdsa_verify,\nuprobe:libcrypto:ecdh_simple_compute_key\n{\n\t@start_crypto[tid] = nsecs;\n\t@func_crypto[tid] = func; // store for uretprobe\n}\n\nuretprobe:libcrypto:rsa_ossl_public_encrypt,\nuretprobe:libcrypto:rsa_ossl_public_decrypt,\nuretprobe:libcrypto:rsa_ossl_private_encrypt,\nuretprobe:libcrypto:rsa_ossl_private_decrypt,\nuretprobe:libcrypto:RSA_sign,\nuretprobe:libcrypto:RSA_verify,\nuretprobe:libcrypto:ossl_ecdsa_sign,\nuretprobe:libcrypto:ossl_ecdsa_verify,\nuretprobe:libcrypto:ecdh_simple_compute_key\n/@start_crypto[tid] != 0/\n{\n\t$lat_us = (nsecs - @start_crypto[tid]) / 1000;\n\t@hist[@func_crypto[tid]] = lhist($lat_us, 0, 1000, 200);\n\t@stat[@func_crypto[tid]] = stats($lat_us);\n\tdelete(@start_crypto[tid]); delete(@func_crypto[tid]);\n}\n\nEND\n{\n\tprintf(\"\\nLatency distribution in microsecond:\");\n}\n"
},
{
"request": "Write a BPF code that traces the security capability checks (cap_capable()) and prints the UID, PID, command name, capability, capability name, and audit value for each syscall in a clear and organized manner.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * capable\tTrace security capability checks (cap_capable()).\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * USAGE: capable.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 08-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing cap_capable syscalls... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-9s %-6s %-6s %-16s %-4s %-20s AUDIT\\n\", \"TIME\", \"UID\", \"PID\",\n\t \"COMM\", \"CAP\", \"NAME\");\n\t@cap[0] = \"CAP_CHOWN\";\n\t@cap[1] = \"CAP_DAC_OVERRIDE\";\n\t@cap[2] = \"CAP_DAC_READ_SEARCH\";\n\t@cap[3] = \"CAP_FOWNER\";\n\t@cap[4] = \"CAP_FSETID\";\n\t@cap[5] = \"CAP_KILL\";\n\t@cap[6] = \"CAP_SETGID\";\n\t@cap[7] = \"CAP_SETUID\";\n\t@cap[8] = \"CAP_SETPCAP\";\n\t@cap[9] = \"CAP_LINUX_IMMUTABLE\";\n\t@cap[10] = \"CAP_NET_BIND_SERVICE\";\n\t@cap[11] = \"CAP_NET_BROADCAST\";\n\t@cap[12] = \"CAP_NET_ADMIN\";\n\t@cap[13] = \"CAP_NET_RAW\";\n\t@cap[14] = \"CAP_IPC_LOCK\";\n\t@cap[15] = \"CAP_IPC_OWNER\";\n\t@cap[16] = \"CAP_SYS_MODULE\";\n\t@cap[17] = \"CAP_SYS_RAWIO\";\n\t@cap[18] = \"CAP_SYS_CHROOT\";\n\t@cap[19] = \"CAP_SYS_PTRACE\";\n\t@cap[20] = \"CAP_SYS_PACCT\";\n\t@cap[21] = \"CAP_SYS_ADMIN\";\n\t@cap[22] = \"CAP_SYS_BOOT\";\n\t@cap[23] = \"CAP_SYS_NICE\";\n\t@cap[24] = \"CAP_SYS_RESOURCE\";\n\t@cap[25] = \"CAP_SYS_TIME\";\n\t@cap[26] = \"CAP_SYS_TTY_CONFIG\";\n\t@cap[27] = \"CAP_MKNOD\";\n\t@cap[28] = \"CAP_LEASE\";\n\t@cap[29] = \"CAP_AUDIT_WRITE\";\n\t@cap[30] = \"CAP_AUDIT_CONTROL\";\n\t@cap[31] = \"CAP_SETFCAP\";\n\t@cap[32] = \"CAP_MAC_OVERRIDE\";\n\t@cap[33] = \"CAP_MAC_ADMIN\";\n\t@cap[34] = \"CAP_SYSLOG\";\n\t@cap[35] = \"CAP_WAKE_ALARM\";\n\t@cap[36] = \"CAP_BLOCK_SUSPEND\";\n\t@cap[37] = \"CAP_AUDIT_READ\";\n\t@cap[38] = \"CAP_PERFMON\";\n\t@cap[39] = \"CAP_BPF\";\n\t@cap[40] = \"CAP_CHECKPOINT_RESTORE\";\n}\n\nkprobe:cap_capable\n{\n\t$cap = arg2;\n\t$audit = arg3;\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %-6d %-16s %-4d %-20s %d\\n\", uid, pid, comm, $cap,\n\t @cap[$cap], $audit);\n}\n\nEND\n{\n\tclear(@cap);\n}\n"
},
{
"request": "Write a BPF code that traces new processes created via the exec() system call, providing the timestamp, process ID, and arguments of the executed command.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * execsnoop.bt Trace new processes via exec() syscalls.\n * For Linux, uses bpftrace and eBPF.\n *\n * This traces when processes call exec(). It is handy for identifying new\n * processes created via the usual fork()->exec() sequence. Note that the\n * return value is not currently traced, so the exec() may have failed.\n *\n * TODO: switch to tracepoints args. Support more args. Include retval.\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * 15-Nov-2017\tBrendan Gregg\tCreated this.\n * 11-Sep-2018\t \" \"\tSwitched to use join().\n */\n\nBEGIN\n{\n\tprintf(\"%-10s %-5s %s\\n\", \"TIME(ms)\", \"PID\", \"ARGS\");\n}\n\ntracepoint:syscalls:sys_enter_exec*\n{\n\tprintf(\"%-10u %-5d \", elapsed / 1e6, pid);\n\tjoin(args.argv);\n}\n"
},
{
"request": "Write a BPF code that traces block device I/O latency by calculating the time difference between the start and completion of I/O operations and storing them in a histogram.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * biolatency.bt\tBlock I/O latency as a histogram.\n *\t\t\tFor Linux, uses bpftrace, eBPF.\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 13-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing block device I/O... Hit Ctrl-C to end.\\n\");\n}\n\nkprobe:blk_account_io_start,\nkprobe:__blk_account_io_start\n{\n\t@start[arg0] = nsecs;\n}\n\nkprobe:blk_account_io_done,\nkprobe:__blk_account_io_done\n/@start[arg0]/\n{\n\t@usecs = hist((nsecs - @start[arg0]) / 1000);\n\tdelete(@start[arg0]);\n}\n\nEND\n{\n\tclear(@start);\n}\n"
},
{
"request": "Write a BPF code that traces the CPU scheduler and records the latency of tasks in the run queue, using the sched_wakeup, sched_wakeup_new, and sched_switch tracepoints, and displays the latency as a histogram.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * runqlat.bt\tCPU scheduler run queue latency as a histogram.\n *\t\tFor Linux, uses bpftrace, eBPF.\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 17-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\n#include <linux/sched.h>\n\nBEGIN\n{\n\tprintf(\"Tracing CPU scheduler... Hit Ctrl-C to end.\\n\");\n}\n\ntracepoint:sched:sched_wakeup,\ntracepoint:sched:sched_wakeup_new\n{\n\t@qtime[args.pid] = nsecs;\n}\n\ntracepoint:sched:sched_switch\n{\n\tif (args.prev_state == TASK_RUNNING) {\n\t\t@qtime[args.prev_pid] = nsecs;\n\t}\n\n\t$ns = @qtime[args.next_pid];\n\tif ($ns) {\n\t\t@usecs = hist((nsecs - $ns) / 1000);\n\t}\n\tdelete(@qtime[args.next_pid]);\n}\n\nEND\n{\n\tclear(@qtime);\n}\n"
},
{
"request": "Write a BPF code that traces voluntary sleep calls, printing the time, parent process ID (PPID), parent process command (PCOMM), process ID (PID), process command (COMM), and duration in seconds.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * naptime - Show voluntary sleep calls.\n *\n * See BPF Performance Tools, Chapter 13, for an explanation of this tool.\n *\n * Copyright (c) 2019 Brendan Gregg.\n * Licensed under the Apache License, Version 2.0 (the \"License\").\n * This was originally created for the BPF Performance Tools book\n * published by Addison Wesley. ISBN-13: 9780136554820\n * When copying or porting, include this comment.\n *\n * 16-Feb-2019 Brendan Gregg Created this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/time.h>\n#include <linux/sched.h>\n#endif\n\nBEGIN\n{\n\tprintf(\"Tracing sleeps. Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-8s %-6s %-16s %-6s %-16s %s\\n\", \"TIME\", \"PPID\", \"PCOMM\",\n\t \"PID\", \"COMM\", \"SECONDS\");\n}\n\ntracepoint:syscalls:sys_enter_nanosleep\n/args.rqtp->tv_sec + args.rqtp->tv_nsec/\n{\n\t$task = (struct task_struct *)curtask;\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %-16s %-6d %-16s %d.%03d\\n\", $task->real_parent->pid,\n\t $task->real_parent->comm, pid, comm,\n\t args.rqtp->tv_sec, (uint64)args.rqtp->tv_nsec / 1e6);\n}\n"
},
{
"request": "Write a BPF code that traces block I/O and measures the latency by initializing stacks, using kprobes and histogram.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * biostacks - Show disk I/O latency with initialization stacks.\n *\n * See BPF Performance Tools, Chapter 9, for an explanation of this tool.\n *\n * Copyright (c) 2019 Brendan Gregg.\n * Licensed under the Apache License, Version 2.0 (the \"License\").\n * This was originally created for the BPF Performance Tools book\n * published by Addison Wesley. ISBN-13: 9780136554820\n * When copying or porting, include this comment.\n *\n * 19-Mar-2019 Brendan Gregg Created this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing block I/O with init stacks. Hit Ctrl-C to end.\\n\");\n}\n\nkprobe:blk_account_io_start,\nkprobe:__blk_account_io_start\n{\n\t@reqstack[arg0] = kstack;\n\t@reqts[arg0] = nsecs;\n}\n\nkprobe:blk_start_request,\nkprobe:blk_mq_start_request\n/@reqts[arg0]/\n{\n\t@usecs[@reqstack[arg0]] = hist(nsecs - @reqts[arg0]);\n\tdelete(@reqstack[arg0]);\n\tdelete(@reqts[arg0]);\n}\n\nEND\n{\n\tclear(@reqstack); clear(@reqts);\n}\n"
},
{
"request": "Write a BPF code that traces open() and openat() syscalls, displaying the process ID, command name, file descriptor, error code, and file path.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * opensnoop\tTrace open() syscalls.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * Also a basic example of bpftrace.\n *\n * USAGE: opensnoop.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 08-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing open syscalls... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-6s %-16s %4s %3s %s\\n\", \"PID\", \"COMM\", \"FD\", \"ERR\", \"PATH\");\n}\n\ntracepoint:syscalls:sys_enter_open,\ntracepoint:syscalls:sys_enter_openat\n{\n\t@filename[tid] = args.filename;\n}\n\ntracepoint:syscalls:sys_exit_open,\ntracepoint:syscalls:sys_exit_openat\n/@filename[tid]/\n{\n\t$ret = args.ret;\n\t$fd = $ret >= 0 ? $ret : -1;\n\t$errno = $ret >= 0 ? 0 : - $ret;\n\n\tprintf(\"%-6d %-16s %4d %3d %s\\n\", pid, comm, $fd, $errno,\n\t str(@filename[tid]));\n\tdelete(@filename[tid]);\n}\n\nEND\n{\n\tclear(@filename);\n}\n"
},
{
"request": "Write a BPF code that traces the setuid syscall and its related syscalls, and prints out information about the process ID, command name, UID, syscall type, and arguments for each syscall.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * setuids - Trace the setuid syscalls: privilege escalation.\n *\n * See BPF Performance Tools, Chapter 11, for an explanation of this tool.\n *\n * Copyright (c) 2019 Brendan Gregg.\n * Licensed under the Apache License, Version 2.0 (the \"License\").\n * This was originally created for the BPF Performance Tools book\n * published by Addison Wesley. ISBN-13: 9780136554820\n * When copying or porting, include this comment.\n *\n * 26-Feb-2019 Brendan Gregg Created this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing setuid(2) family syscalls. Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-8s %-6s %-16s %-6s %-9s %s\\n\", \"TIME\",\n\t \"PID\", \"COMM\", \"UID\", \"SYSCALL\", \"ARGS (RET)\");\n}\n\ntracepoint:syscalls:sys_enter_setuid,\ntracepoint:syscalls:sys_enter_setfsuid\n{\n\t@uid[tid] = uid;\n\t@setuid[tid] = args.uid;\n\t@seen[tid] = 1;\n}\n\ntracepoint:syscalls:sys_enter_setresuid\n{\n\t@uid[tid] = uid;\n\t@ruid[tid] = args.ruid;\n\t@euid[tid] = args.euid;\n\t@suid[tid] = args.suid;\n\t@seen[tid] = 1;\n}\n\ntracepoint:syscalls:sys_exit_setuid\n/@seen[tid]/\n{\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %-16s %-6d setuid uid=%d (%d)\\n\", pid, comm,\n\t @uid[tid], @setuid[tid], args.ret);\n\tdelete(@seen[tid]); delete(@uid[tid]); delete(@setuid[tid]);\n}\n\ntracepoint:syscalls:sys_exit_setfsuid\n/@seen[tid]/\n{\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %-16s %-6d setfsuid uid=%d (prevuid=%d)\\n\", pid, comm,\n\t @uid[tid], @setuid[tid], args.ret);\n\tdelete(@seen[tid]); delete(@uid[tid]); delete(@setuid[tid]);\n}\n\ntracepoint:syscalls:sys_exit_setresuid\n/@seen[tid]/\n{\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %-16s %-6d setresuid \", pid, comm, @uid[tid]);\n\tprintf(\"ruid=%d euid=%d suid=%d (%d)\\n\", @ruid[tid], @euid[tid],\n\t @suid[tid], args.ret);\n\tdelete(@seen[tid]); delete(@uid[tid]); delete(@ruid[tid]);\n\tdelete(@euid[tid]); delete(@suid[tid]);\n}\n"
},
{
"request": "Write a BPF code that samples the CPU usage of processes at a rate of 99Hz and outputs the histogram of CPU usage for each process identified by its PID.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * cpuwalk\tSample which CPUs are executing processes.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * USAGE: cpuwalk.bt\n *\n * This is a bpftrace version of the DTraceToolkit tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 08-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Sampling CPU at 99hz... Hit Ctrl-C to end.\\n\");\n}\n\nprofile:hz:99\n/pid/\n{\n\t@cpu = lhist(cpu, 0, 1000, 1);\n}\n"
},
{
"request": "Write a BPF code that traces sync-related system calls, such as sync(), syncfs(), fsync(), and fdatasync(), and prints the time, process ID, command, and event for each traced system call.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * syncsnoop\tTrace sync() variety of syscalls.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * Also a basic example of bpftrace.\n *\n * USAGE: syncsnoop.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 06-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing sync syscalls... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-9s %-6s %-16s %s\\n\", \"TIME\", \"PID\", \"COMM\", \"EVENT\");\n}\n\ntracepoint:syscalls:sys_enter_sync,\ntracepoint:syscalls:sys_enter_syncfs,\ntracepoint:syscalls:sys_enter_fsync,\ntracepoint:syscalls:sys_enter_fdatasync,\ntracepoint:syscalls:sys_enter_sync_file_range*,\ntracepoint:syscalls:sys_enter_msync\n{\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %-16s %s\\n\", pid, comm, probe);\n}\n"
},
{
"request": "Write a BPF code that traces the receiving of UNIX domain socket packages, displaying the time, process information, size, and data of each package.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * undump\tTrace unix domain socket package receive.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * Also a basic example of bpftrace.\n *\n * This is a bpftrace version of the bcc examples/tracing of the same name.\n *\n * USAGE: undump.bt\n *\n * Copyright 2022 CESTC, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 22-May-2022\tRong Tao\tCreated this.\n */\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/skbuff.h>\n#endif\n\nBEGIN\n{\n\tprintf(\"Dump UNIX socket packages RX. Ctrl-C to end\\n\");\n\tprintf(\"%-8s %-16s %-8s %-8s %-s\\n\", \"TIME\", \"COMM\", \"PID\", \"SIZE\", \"DATA\");\n}\n\nkprobe:unix_stream_read_actor\n{\n\t$skb = (struct sk_buff *)arg0;\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-16s %-8d %-8d %r\\n\", comm, pid, $skb->len, buf($skb->data, $skb->len));\n}\n\nEND\n{\n}\n"
},
{
"request": "Write a BPF code that fetches and prints the load averages from the kernel, similar to the output of the 'uptime' command but with three decimal places instead of two.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * loads\tPrints load averages.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * These are the same load averages printed by \"uptime\", but to three decimal\n * places instead of two (not that it really matters). This is really a\n * demonstration of fetching and processing a kernel structure from bpftrace.\n *\n * USAGE: loads.bt\n *\n * This is a bpftrace version of a DTraceToolkit tool.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 10-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Reading load averages... Hit Ctrl-C to end.\\n\");\n}\n\ninterval:s:1\n{\n\t/*\n\t * See fs/proc/loadavg.c and include/linux/sched/loadavg.h for the\n\t * following calculations.\n\t */\n\t$avenrun = kaddr(\"avenrun\");\n\t$load1 = *$avenrun;\n\t$load5 = *($avenrun + 8);\n\t$load15 = *($avenrun + 16);\n\ttime(\"%H:%M:%S \");\n\tprintf(\"load averages: %d.%03d %d.%03d %d.%03d\\n\",\n\t ($load1 >> 11), (($load1 & ((1 << 11) - 1)) * 1000) >> 11,\n\t ($load5 >> 11), (($load5 & ((1 << 11) - 1)) * 1000) >> 11,\n\t ($load15 >> 11), (($load15 & ((1 << 11) - 1)) * 1000) >> 11\n\t);\n}\n"
},
{
"request": "Write a BPF code that traces the latency of four common XFS file system operations (read, write, open, and fsync) and prints a summary of the operation latency, using the bpftrace and eBPF tools.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * xfsdist\tSummarize XFS operation latency.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * This traces four common file system calls: read, write, open, and fsync.\n * It can be customized to trace more if desired.\n *\n * USAGE: xfsdist.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 08-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing XFS operation latency... Hit Ctrl-C to end.\\n\");\n}\n\nkprobe:xfs_file_read_iter,\nkprobe:xfs_file_write_iter,\nkprobe:xfs_file_open,\nkprobe:xfs_file_fsync\n{\n\t@start[tid] = nsecs;\n\t@name[tid] = func;\n}\n\nkretprobe:xfs_file_read_iter,\nkretprobe:xfs_file_write_iter,\nkretprobe:xfs_file_open,\nkretprobe:xfs_file_fsync\n/@start[tid]/\n{\n\t@us[@name[tid]] = hist((nsecs - @start[tid]) / 1000);\n\tdelete(@start[tid]);\n\tdelete(@name[tid]);\n}\n\nEND\n{\n\tclear(@start);\n\tclear(@name);\n}\n"
}
]