-
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathoutput.json
158 lines (158 loc) · 56.5 KB
/
output.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
[
{
"request": "Write a BPF code that traces TCP retransmits, displaying the time, process ID, local and remote addresses and ports, and state of the TCP connection.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * tcpretrans.bt Trace or count TCP retransmits\n * For Linux, uses bpftrace and eBPF.\n *\n * USAGE: tcpretrans.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n * It is limited to ipv4 addresses, and doesn't support tracking TLPs.\n *\n * This uses dynamic tracing of kernel functions, and will need to be updated\n * to match kernel changes.\n *\n * Copyright (c) 2018 Dale Hamel.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 23-Nov-2018 Dale Hamel created this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/socket.h>\n#include <net/sock.h>\n#else\n#include <sys/socket.h>\n#endif\n\nBEGIN\n{\n\tprintf(\"Tracing tcp retransmits. Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-8s %-8s %20s %21s %6s\\n\", \"TIME\", \"PID\", \"LADDR:LPORT\",\n\t \"RADDR:RPORT\", \"STATE\");\n\n\t// See include/net/tcp_states.h:\n\t@tcp_states[1] = \"ESTABLISHED\";\n\t@tcp_states[2] = \"SYN_SENT\";\n\t@tcp_states[3] = \"SYN_RECV\";\n\t@tcp_states[4] = \"FIN_WAIT1\";\n\t@tcp_states[5] = \"FIN_WAIT2\";\n\t@tcp_states[6] = \"TIME_WAIT\";\n\t@tcp_states[7] = \"CLOSE\";\n\t@tcp_states[8] = \"CLOSE_WAIT\";\n\t@tcp_states[9] = \"LAST_ACK\";\n\t@tcp_states[10] = \"LISTEN\";\n\t@tcp_states[11] = \"CLOSING\";\n\t@tcp_states[12] = \"NEW_SYN_RECV\";\n}\n\nkprobe:tcp_retransmit_skb\n{\n\t$sk = (struct sock *)arg0;\n\t$inet_family = $sk->__sk_common.skc_family;\n\n\tif ($inet_family == AF_INET || $inet_family == AF_INET6) {\n\t\t// initialize variable type:\n\t\t$daddr = ntop(0);\n\t\t$saddr = ntop(0);\n\t\tif ($inet_family == AF_INET) {\n\t\t\t$daddr = ntop($sk->__sk_common.skc_daddr);\n\t\t\t$saddr = ntop($sk->__sk_common.skc_rcv_saddr);\n\t\t} else {\n\t\t\t$daddr = ntop(\n\t\t\t $sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);\n\t\t\t$saddr = ntop(\n\t\t\t $sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);\n\t\t}\n\t\t$lport = $sk->__sk_common.skc_num;\n\t\t$dport = $sk->__sk_common.skc_dport;\n\n\t\t// Destination port is big endian, it must be flipped\n\t\t$dport = bswap($dport);\n\n\t\t$state = $sk->__sk_common.skc_state;\n\t\t$statestr = @tcp_states[$state];\n\n\t\ttime(\"%H:%M:%S \");\n\t\tprintf(\"%-8d %14s:%-6d %14s:%-6d %6s\\n\", pid, $saddr, $lport,\n\t\t $daddr, $dport, $statestr);\n\t}\n}\n\nEND\n{\n\tclear(@tcp_states);\n}\n"
},
{
"request": "Write a BPF code that traces getaddrinfo, gethostbyname, and gethostbyname2 calls and measures the latency of these DNS lookups, displaying the timestamp, process ID, process name, latency in milliseconds, and the host name being resolved.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * gethostlatency\tTrace getaddrinfo/gethostbyname[2] calls.\n *\t\t\tFor Linux, uses bpftrace and eBPF.\n *\n * This can be useful for identifying DNS latency, by identifying which\n * remote host name lookups were slow, and by how much.\n *\n * This uses dynamic tracing of user-level functions and registers, and may\n # need modifications to match your software and processor architecture.\n *\n * USAGE: gethostlatency.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 08-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing getaddr/gethost calls... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-9s %-6s %-16s %6s %s\\n\", \"TIME\", \"PID\", \"COMM\", \"LATms\",\n\t \"HOST\");\n}\n\nuprobe:libc:getaddrinfo,\nuprobe:libc:gethostbyname,\nuprobe:libc:gethostbyname2\n{\n\t@start[tid] = nsecs;\n\t@name[tid] = arg0;\n}\n\nuretprobe:libc:getaddrinfo,\nuretprobe:libc:gethostbyname,\nuretprobe:libc:gethostbyname2\n/@start[tid]/\n{\n\t$latms = (nsecs - @start[tid]) / 1e6;\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %-16s %6d %s\\n\", pid, comm, $latms, str(@name[tid]));\n\tdelete(@start[tid]);\n\tdelete(@name[tid]);\n}\n"
},
{
"request": "Write a BPF code that traces the readline() function in the /bin/bash executable, printing the timestamp, process ID, and the entered command when a readline() call returns.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * bashreadline Print entered bash commands from all running shells.\n * For Linux, uses bpftrace and eBPF.\n *\n * This works by tracing the readline() function using a uretprobe (uprobes).\n *\n * USAGE: bashreadline.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 06-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing bash commands... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-9s %-6s %s\\n\", \"TIME\", \"PID\", \"COMMAND\");\n}\n\nuretprobe:/bin/bash:readline\n{\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %s\\n\", pid, str(retval));\n}\n"
},
{
"request": "Write a BPF code that traces the stat() syscalls, including variants such as statfs(), statx(), newstat(), and newlstat(). The code prints the process ID, command name, error code, and file path of each traced syscall.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * statsnoop\tTrace stat() syscalls.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * This traces the tracepoints for statfs(), statx(), newstat(), and\n * newlstat(). These aren't the only the stat syscalls: if you are missing\n * activity, you may need to add more variants.\n *\n * Also a basic example of bpftrace.\n *\n * USAGE: statsnoop.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 08-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing stat syscalls... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-6s %-16s %3s %s\\n\", \"PID\", \"COMM\", \"ERR\", \"PATH\");\n}\n\ntracepoint:syscalls:sys_enter_statfs\n{\n\t@filename[tid] = args.pathname;\n}\n\ntracepoint:syscalls:sys_enter_statx,\ntracepoint:syscalls:sys_enter_newstat,\ntracepoint:syscalls:sys_enter_newlstat\n{\n\t@filename[tid] = args.filename;\n}\n\ntracepoint:syscalls:sys_exit_statfs,\ntracepoint:syscalls:sys_exit_statx,\ntracepoint:syscalls:sys_exit_newstat,\ntracepoint:syscalls:sys_exit_newlstat\n/@filename[tid]/\n{\n\t$ret = args.ret;\n\t$errno = $ret >= 0 ? 0 : - $ret;\n\n\tprintf(\"%-6d %-16s %3d %s\\n\", pid, comm, $errno,\n\t str(@filename[tid]));\n\tdelete(@filename[tid]);\n}\n\nEND\n{\n\tclear(@filename);\n}\n"
},
{
"request": "Write a BPF code that traces key VFS calls, such as read, write, fsync, open, and create, and provides per-second summaries of the number of calls made for each function.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * vfsstat\tCount some VFS calls, with per-second summaries.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * Written as a basic example of counting multiple events and printing a\n * per-second summary.\n *\n * USAGE: vfsstat.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 06-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing key VFS calls... Hit Ctrl-C to end.\\n\");\n\n}\n\nkprobe:vfs_read*,\nkprobe:vfs_write*,\nkprobe:vfs_fsync,\nkprobe:vfs_open,\nkprobe:vfs_create\n{\n\t@[func] = count();\n}\n\ninterval:s:1\n{\n\ttime();\n\tprint(@);\n\tclear(@);\n}\n\nEND\n{\n\tclear(@);\n}\n"
},
{
"request": "Write a BPF code that traces TCP accepts by dynamically tracing the kernel's inet_csk_accept() socket function and prints relevant information such as the timestamp, process ID, communication type, remote and local addresses, and queue length.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * tcpaccept.bt Trace TCP accept()s\n * For Linux, uses bpftrace and eBPF.\n *\n * USAGE: tcpaccept.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * This uses dynamic tracing of the kernel inet_csk_accept() socket function\n * (from tcp_prot.accept), and will need to be modified to match kernel changes.\n\n * Copyright (c) 2018 Dale Hamel.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n\n * 23-Nov-2018\tDale Hamel\tcreated this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/socket.h>\n#include <net/sock.h>\n#else\n#include <sys/socket.h>\n#endif\n\nBEGIN\n{\n\tprintf(\"Tracing TCP accepts. Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-8s %-6s %-14s \", \"TIME\", \"PID\", \"COMM\");\n\tprintf(\"%-39s %-5s %-39s %-5s %s\\n\", \"RADDR\", \"RPORT\", \"LADDR\",\n\t \"LPORT\", \"BL\");\n}\n\nkretprobe:inet_csk_accept\n{\n\t$sk = (struct sock *)retval;\n\t$inet_family = $sk->__sk_common.skc_family;\n\n\tif ($inet_family == AF_INET || $inet_family == AF_INET6) {\n\t\t// initialize variable type:\n\t\t$daddr = ntop(0);\n\t\t$saddr = ntop(0);\n\t\tif ($inet_family == AF_INET) {\n\t\t\t$daddr = ntop($sk->__sk_common.skc_daddr);\n\t\t\t$saddr = ntop($sk->__sk_common.skc_rcv_saddr);\n\t\t} else {\n\t\t\t$daddr = ntop(\n\t\t\t $sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);\n\t\t\t$saddr = ntop(\n\t\t\t $sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);\n\t\t}\n\t\t$lport = $sk->__sk_common.skc_num;\n\t\t$dport = $sk->__sk_common.skc_dport;\n\t\t$qlen = $sk->sk_ack_backlog;\n\t\t$qmax = $sk->sk_max_ack_backlog;\n\n\t\t// Destination port is big endian, it must be flipped\n\t\t$dport = bswap($dport);\n\n\t\ttime(\"%H:%M:%S \");\n\t\tprintf(\"%-6d %-14s \", pid, comm);\n\t\tprintf(\"%-39s %-5d %-39s %-5d \", $daddr, $dport, $saddr,\n\t\t $lport);\n\t\tprintf(\"%d/%d\\n\", $qlen, $qmax);\n\t}\n}\n"
},
{
"request": "Write a BPF code that traces SSL/TLS handshake for OpenSSL, showing latency stats and distribution.",
"bpf": "#!/usr/bin/bpftrace\n/*\n * ssllatency\tTrace SSL/TLS handshake for OpenSSL.\n * \t\tFor Linux, uses bpftrace and eBPF.\n *\n * ssllatency shows handshake latency stats and distribution.\n *\n * Copyright (c) 2021 Tao Xu.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 17-Dec-2021\tTao Xu\tcreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing SSL/TLS handshake... Hit Ctrl-C to end.\\n\");\n}\n\nuprobe:libssl:SSL_read,\nuprobe:libssl:SSL_write,\nuprobe:libssl:SSL_do_handshake\n{\n\t@start_ssl[tid] = nsecs;\n\t@func_ssl[tid] = func; // store for uretprobe\n}\n\nuretprobe:libssl:SSL_read,\nuretprobe:libssl:SSL_write,\nuretprobe:libssl:SSL_do_handshake\n/@start_ssl[tid] != 0/\n{\n\t$lat_us = (nsecs - @start_ssl[tid]) / 1000;\n\tif ((int8)retval >= 1) {\n\t\t@hist[@func_ssl[tid]] = lhist($lat_us, 0, 1000, 200);\n\t\t@stat[@func_ssl[tid]] = stats($lat_us);\n\t} else {\n\t\t@histF[@func_ssl[tid]] = lhist($lat_us, 0, 1000, 200);\n\t\t@statF[@func_ssl[tid]] = stats($lat_us);\n\t}\n\tdelete(@start_ssl[tid]); delete(@func_ssl[tid]);\n}\n\n// need debug symbol for ossl local functions\nuprobe:libcrypto:rsa_ossl_public_encrypt,\nuprobe:libcrypto:rsa_ossl_public_decrypt,\nuprobe:libcrypto:rsa_ossl_private_encrypt,\nuprobe:libcrypto:rsa_ossl_private_decrypt,\nuprobe:libcrypto:RSA_sign,\nuprobe:libcrypto:RSA_verify,\nuprobe:libcrypto:ossl_ecdsa_sign,\nuprobe:libcrypto:ossl_ecdsa_verify,\nuprobe:libcrypto:ecdh_simple_compute_key\n{\n\t@start_crypto[tid] = nsecs;\n\t@func_crypto[tid] = func; // store for uretprobe\n}\n\nuretprobe:libcrypto:rsa_ossl_public_encrypt,\nuretprobe:libcrypto:rsa_ossl_public_decrypt,\nuretprobe:libcrypto:rsa_ossl_private_encrypt,\nuretprobe:libcrypto:rsa_ossl_private_decrypt,\nuretprobe:libcrypto:RSA_sign,\nuretprobe:libcrypto:RSA_verify,\nuretprobe:libcrypto:ossl_ecdsa_sign,\nuretprobe:libcrypto:ossl_ecdsa_verify,\nuretprobe:libcrypto:ecdh_simple_compute_key\n/@start_crypto[tid] != 0/\n{\n\t$lat_us = (nsecs - @start_crypto[tid]) / 1000;\n\t@hist[@func_crypto[tid]] = lhist($lat_us, 0, 1000, 200);\n\t@stat[@func_crypto[tid]] = stats($lat_us);\n\tdelete(@start_crypto[tid]); delete(@func_crypto[tid]);\n}\n\nEND\n{\n\tprintf(\"\\nLatency distribution in microsecond:\");\n}\n"
},
{
"request": "Write a BPF code that traces block device I/O and measures the latency as a histogram.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * biolatency.bt\tBlock I/O latency as a histogram.\n *\t\t\tFor Linux, uses bpftrace, eBPF.\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 13-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing block device I/O... Hit Ctrl-C to end.\\n\");\n}\n\nkprobe:blk_account_io_start,\nkprobe:__blk_account_io_start\n{\n\t@start[arg0] = nsecs;\n}\n\nkprobe:blk_account_io_done,\nkprobe:__blk_account_io_done\n/@start[arg0]/\n{\n\t@usecs = hist((nsecs - @start[arg0]) / 1000);\n\tdelete(@start[arg0]);\n}\n\nEND\n{\n\tclear(@start);\n}\n"
},
{
"request": "Write a BPF code that tracks the number of swapin events per process and displays the results at a 1-second interval.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * swapin - Show swapins by process.\n *\n * See BPF Performance Tools, Chapter 7, for an explanation of this tool.\n *\n * Copyright (c) 2019 Brendan Gregg.\n * Licensed under the Apache License, Version 2.0 (the \"License\").\n * This was originally created for the BPF Performance Tools book\n * published by Addison Wesley. ISBN-13: 9780136554820\n * When copying or porting, include this comment.\n *\n * 26-Jan-2019 Brendan Gregg Created this.\n */\n\nkprobe:swap_readpage\n{\n @[comm, pid] = count();\n}\n\ninterval:s:1\n{\n time();\n print(@);\n clear(@);\n}\n"
},
{
"request": "Write a BPF code that traces signals issued by the kill() syscall, and prints the time, process ID, command, signal, thread ID, and result of each kill() call.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * killsnoop\tTrace signals issued by the kill() syscall.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * USAGE: killsnoop.bt\n *\n * Also a basic example of bpftrace.\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 07-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing kill() signals... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-9s %-6s %-16s %-4s %-6s %s\\n\", \"TIME\", \"PID\", \"COMM\", \"SIG\",\n\t \"TPID\", \"RESULT\");\n}\n\ntracepoint:syscalls:sys_enter_kill\n{\n\t@tpid[tid] = args.pid;\n\t@tsig[tid] = args.sig;\n}\n\ntracepoint:syscalls:sys_exit_kill\n/@tpid[tid]/\n{\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %-16s %-4d %-6d %d\\n\", pid, comm, @tsig[tid], @tpid[tid],\n\t args.ret);\n\tdelete(@tpid[tid]);\n\tdelete(@tsig[tid]);\n}\n"
},
{
"request": "Write a BPF code that traces the kernel out-of-memory (OOM) killer, and prints basic details such as the time, process ID, command name, and number of pages involved in the OOM kill, as well as the system load averages at that time.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * oomkill\tTrace OOM killer.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * This traces the kernel out-of-memory killer, and prints basic details,\n * including the system load averages. This can provide more context on the\n * system state at the time of OOM: was it getting busier or steady, based\n * on the load averages? This tool may also be useful to customize for\n * investigations; for example, by adding other task_struct details at the\n * time of the OOM, or other commands in the system() call.\n *\n * This currently works by using kernel dynamic tracing of oom_kill_process().\n *\n * USAGE: oomkill.bt\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 07-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/oom.h>\n#endif\n\nBEGIN\n{\n\tprintf(\"Tracing oom_kill_process()... Hit Ctrl-C to end.\\n\");\n}\n\nkprobe:oom_kill_process\n{\n\t$oc = (struct oom_control *)arg0;\n\ttime(\"%H:%M:%S \");\n\tprintf(\"Triggered by PID %d (\\\"%s\\\"), \", pid, comm);\n\tprintf(\"OOM kill of PID %d (\\\"%s\\\"), %d pages, loadavg: \",\n\t $oc->chosen->pid, $oc->chosen->comm, $oc->totalpages);\n\tcat(\"/proc/loadavg\");\n}\n"
},
{
"request": "Write a BPF code that traces TCP kernel-dropped packets/segments in Linux, providing information such as packet details, socket state, and kernel stack trace for the dropped packets.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * tcpdrop.bt Trace TCP kernel-dropped packets/segments.\n * For Linux, uses bpftrace and eBPF.\n *\n * USAGE: tcpdrop.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n * It is limited to ipv4 addresses, and cannot show tcp flags.\n *\n * This provides information such as packet details, socket state, and kernel\n * stack trace for packets/segments that were dropped via kfree_skb.\n *\n * For Linux 5.17+ (see tools/old for script for lower versions).\n *\n * Copyright (c) 2018 Dale Hamel.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 23-Nov-2018\tDale Hamel\tcreated this.\n * 01-Oct-2022\tRong Tao\tuse tracepoint:skb:kfree_skb\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/socket.h>\n#include <net/sock.h>\n#else\n#include <sys/socket.h>\n#endif\n\nBEGIN\n{\n printf(\"Tracing tcp drops. Hit Ctrl-C to end.\\n\");\n printf(\"%-8s %-8s %-16s %-21s %-21s %-8s\\n\", \"TIME\", \"PID\", \"COMM\", \"SADDR:SPORT\", \"DADDR:DPORT\", \"STATE\");\n\n // See https://github.com/torvalds/linux/blob/master/include/net/tcp_states.h\n @tcp_states[1] = \"ESTABLISHED\";\n @tcp_states[2] = \"SYN_SENT\";\n @tcp_states[3] = \"SYN_RECV\";\n @tcp_states[4] = \"FIN_WAIT1\";\n @tcp_states[5] = \"FIN_WAIT2\";\n @tcp_states[6] = \"TIME_WAIT\";\n @tcp_states[7] = \"CLOSE\";\n @tcp_states[8] = \"CLOSE_WAIT\";\n @tcp_states[9] = \"LAST_ACK\";\n @tcp_states[10] = \"LISTEN\";\n @tcp_states[11] = \"CLOSING\";\n @tcp_states[12] = \"NEW_SYN_RECV\";\n}\n\ntracepoint:skb:kfree_skb\n{\n $reason = args.reason;\n $skb = (struct sk_buff *)args.skbaddr;\n $sk = ((struct sock *) $skb->sk);\n $inet_family = $sk->__sk_common.skc_family;\n\n if ($reason > SKB_DROP_REASON_NOT_SPECIFIED &&\n ($inet_family == AF_INET || $inet_family == AF_INET6)) {\n if ($inet_family == AF_INET) {\n $daddr = ntop($sk->__sk_common.skc_daddr);\n $saddr = ntop($sk->__sk_common.skc_rcv_saddr);\n } else {\n $daddr = ntop($sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);\n $saddr = ntop($sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);\n }\n $lport = $sk->__sk_common.skc_num;\n $dport = $sk->__sk_common.skc_dport;\n\n // Destination port is big endian, it must be flipped\n $dport = bswap($dport);\n\n $state = $sk->__sk_common.skc_state;\n $statestr = @tcp_states[$state];\n\n time(\"%H:%M:%S \");\n printf(\"%-8d %-16s \", pid, comm);\n printf(\"%39s:%-6d %39s:%-6d %-10s\\n\", $saddr, $lport, $daddr, $dport, $statestr);\n printf(\"%s\\n\", kstack);\n }\n}\n\nEND\n{\n clear(@tcp_states);\n}\n"
},
{
"request": "Write a BPF code that traces block I/O latency with initialization stacks, recording the stack trace and timestamps for each I/O request and calculating the latency by subtracting the timestamp of the start of each request from the current timestamp.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * biostacks - Show disk I/O latency with initialization stacks.\n *\n * See BPF Performance Tools, Chapter 9, for an explanation of this tool.\n *\n * Copyright (c) 2019 Brendan Gregg.\n * Licensed under the Apache License, Version 2.0 (the \"License\").\n * This was originally created for the BPF Performance Tools book\n * published by Addison Wesley. ISBN-13: 9780136554820\n * When copying or porting, include this comment.\n *\n * 19-Mar-2019 Brendan Gregg Created this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing block I/O with init stacks. Hit Ctrl-C to end.\\n\");\n}\n\nkprobe:blk_account_io_start,\nkprobe:__blk_account_io_start\n{\n\t@reqstack[arg0] = kstack;\n\t@reqts[arg0] = nsecs;\n}\n\nkprobe:blk_start_request,\nkprobe:blk_mq_start_request\n/@reqts[arg0]/\n{\n\t@usecs[@reqstack[arg0]] = hist(nsecs - @reqts[arg0]);\n\tdelete(@reqstack[arg0]);\n\tdelete(@reqts[arg0]);\n}\n\nEND\n{\n\tclear(@reqstack); clear(@reqts);\n}\n"
},
{
"request": "Write a BPF code that traces the latency of four common XFS file system operations (read, write, open, and fsync) and outputs a histogram of their latencies in microseconds.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * xfsdist\tSummarize XFS operation latency.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * This traces four common file system calls: read, write, open, and fsync.\n * It can be customized to trace more if desired.\n *\n * USAGE: xfsdist.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 08-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing XFS operation latency... Hit Ctrl-C to end.\\n\");\n}\n\nkprobe:xfs_file_read_iter,\nkprobe:xfs_file_write_iter,\nkprobe:xfs_file_open,\nkprobe:xfs_file_fsync\n{\n\t@start[tid] = nsecs;\n\t@name[tid] = func;\n}\n\nkretprobe:xfs_file_read_iter,\nkretprobe:xfs_file_write_iter,\nkretprobe:xfs_file_open,\nkretprobe:xfs_file_fsync\n/@start[tid]/\n{\n\t@us[@name[tid]] = hist((nsecs - @start[tid]) / 1000);\n\tdelete(@start[tid]);\n\tdelete(@name[tid]);\n}\n\nEND\n{\n\tclear(@start);\n\tclear(@name);\n}\n"
},
{
"request": "Write a BPF code that traces voluntary sleep calls and prints the time, parent process ID, parent process name, process ID, process name, and the duration of the sleep in seconds.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * naptime - Show voluntary sleep calls.\n *\n * See BPF Performance Tools, Chapter 13, for an explanation of this tool.\n *\n * Copyright (c) 2019 Brendan Gregg.\n * Licensed under the Apache License, Version 2.0 (the \"License\").\n * This was originally created for the BPF Performance Tools book\n * published by Addison Wesley. ISBN-13: 9780136554820\n * When copying or porting, include this comment.\n *\n * 16-Feb-2019 Brendan Gregg Created this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/time.h>\n#include <linux/sched.h>\n#endif\n\nBEGIN\n{\n\tprintf(\"Tracing sleeps. Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-8s %-6s %-16s %-6s %-16s %s\\n\", \"TIME\", \"PPID\", \"PCOMM\",\n\t \"PID\", \"COMM\", \"SECONDS\");\n}\n\ntracepoint:syscalls:sys_enter_nanosleep\n/args.rqtp->tv_sec + args.rqtp->tv_nsec/\n{\n\t$task = (struct task_struct *)curtask;\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %-16s %-6d %-16s %d.%03d\\n\", $task->real_parent->pid,\n\t $task->real_parent->comm, pid, comm,\n\t args.rqtp->tv_sec, (uint64)args.rqtp->tv_nsec / 1e6);\n}\n"
},
{
"request": "Write a BPF code that traces and dumps the received data packages of a Unix domain socket, including information such as time, process ID, package size, and the actual data.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * undump\tTrace unix domain socket package receive.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * Also a basic example of bpftrace.\n *\n * This is a bpftrace version of the bcc examples/tracing of the same name.\n *\n * USAGE: undump.bt\n *\n * Copyright 2022 CESTC, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 22-May-2022\tRong Tao\tCreated this.\n */\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/skbuff.h>\n#endif\n\nBEGIN\n{\n\tprintf(\"Dump UNIX socket packages RX. Ctrl-C to end\\n\");\n\tprintf(\"%-8s %-16s %-8s %-8s %-s\\n\", \"TIME\", \"COMM\", \"PID\", \"SIZE\", \"DATA\");\n}\n\nkprobe:unix_stream_read_actor\n{\n\t$skb = (struct sk_buff *)arg0;\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-16s %-8d %-8d %r\\n\", comm, pid, $skb->len, buf($skb->data, $skb->len));\n}\n\nEND\n{\n}\n"
},
{
"request": "Write a BPF code that traces TCP connections, printing the time, process ID, process name, source and destination IP addresses, and source and destination ports for each connection attempt.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * tcpconnect.bt Trace TCP connect()s.\n * For Linux, uses bpftrace and eBPF.\n *\n * USAGE: tcpconnect.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n * It is limited to ipv4 addresses.\n *\n * All connection attempts are traced, even if they ultimately fail.\n *\n * This uses dynamic tracing of kernel functions, and will need to be updated\n * to match kernel changes.\n *\n * Copyright (c) 2018 Dale Hamel.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 23-Nov-2018\tDale Hamel\tcreated this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/socket.h>\n#include <net/sock.h>\n#else\n#include <sys/socket.h>\n#endif\n\nBEGIN\n{\n printf(\"Tracing tcp connections. Hit Ctrl-C to end.\\n\");\n printf(\"%-8s %-8s %-16s \", \"TIME\", \"PID\", \"COMM\");\n printf(\"%-39s %-6s %-39s %-6s\\n\", \"SADDR\", \"SPORT\", \"DADDR\", \"DPORT\");\n}\n\nkprobe:tcp_connect\n{\n $sk = ((struct sock *) arg0);\n $inet_family = $sk->__sk_common.skc_family;\n\n if ($inet_family == AF_INET || $inet_family == AF_INET6) {\n if ($inet_family == AF_INET) {\n $daddr = ntop($sk->__sk_common.skc_daddr);\n $saddr = ntop($sk->__sk_common.skc_rcv_saddr);\n } else {\n $daddr = ntop($sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);\n $saddr = ntop($sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);\n }\n $lport = $sk->__sk_common.skc_num;\n $dport = $sk->__sk_common.skc_dport;\n\n // Destination port is big endian, it must be flipped\n $dport = bswap($dport);\n\n time(\"%H:%M:%S \");\n printf(\"%-8d %-16s \", pid, comm);\n printf(\"%-39s %-6d %-39s %-6d\\n\", $saddr, $lport, $daddr, $dport);\n }\n}\n"
},
{
"request": "Write a BPF code that traces block I/O operations and displays the latency, disk name, process name, and process ID of each operation.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * biosnoop.bt Block I/O tracing tool, showing per I/O latency.\n * For Linux, uses bpftrace, eBPF.\n *\n * TODO: switch to block tracepoints. Add offset and size columns.\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * 15-Nov-2017\tBrendan Gregg\tCreated this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/blkdev.h>\n#include <linux/blk-mq.h>\n#endif\n\nBEGIN\n{\n\tprintf(\"%-12s %-7s %-16s %-6s %7s\\n\", \"TIME(ms)\", \"DISK\", \"COMM\", \"PID\", \"LAT(ms)\");\n}\n\nkprobe:blk_account_io_start,\nkprobe:__blk_account_io_start\n{\n\t@start[arg0] = nsecs;\n\t@iopid[arg0] = pid;\n\t@iocomm[arg0] = comm;\n\t@disk[arg0] = ((struct request *)arg0)->q->disk->disk_name;\n}\n\nkprobe:blk_account_io_done,\nkprobe:__blk_account_io_done\n/@start[arg0] != 0 && @iopid[arg0] != 0 && @iocomm[arg0] != \"\"/\n\n{\n\t$now = nsecs;\n\tprintf(\"%-12u %-7s %-16s %-6d %7d\\n\",\n\t elapsed / 1e6, @disk[arg0], @iocomm[arg0], @iopid[arg0],\n\t ($now - @start[arg0]) / 1e6);\n\n\tdelete(@start[arg0]);\n\tdelete(@iopid[arg0]);\n\tdelete(@iocomm[arg0]);\n\tdelete(@disk[arg0]);\n}\n\nEND\n{\n\tclear(@start);\n\tclear(@iopid);\n\tclear(@iocomm);\n\tclear(@disk);\n}\n"
},
{
"request": "Write a BPF code that traces the CPU scheduler for Linux and calculates the latency of the run queue, displaying it as a histogram.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * runqlat.bt\tCPU scheduler run queue latency as a histogram.\n *\t\tFor Linux, uses bpftrace, eBPF.\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 17-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\n#include <linux/sched.h>\n\nBEGIN\n{\n\tprintf(\"Tracing CPU scheduler... Hit Ctrl-C to end.\\n\");\n}\n\ntracepoint:sched:sched_wakeup,\ntracepoint:sched:sched_wakeup_new\n{\n\t@qtime[args.pid] = nsecs;\n}\n\ntracepoint:sched:sched_switch\n{\n\tif (args.prev_state == TASK_RUNNING) {\n\t\t@qtime[args.prev_pid] = nsecs;\n\t}\n\n\t$ns = @qtime[args.next_pid];\n\tif ($ns) {\n\t\t@usecs = hist((nsecs - $ns) / 1000);\n\t}\n\tdelete(@qtime[args.next_pid]);\n}\n\nEND\n{\n\tclear(@qtime);\n}\n"
},
{
"request": "Write a BPF code that counts the number of new processes (via fork) and prints the count every second, until the tracing is stopped.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * pidpersec\tCount new processes (via fork).\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * Written as a basic example of counting on an event.\n *\n * USAGE: pidpersec.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 06-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing new processes... Hit Ctrl-C to end.\\n\");\n\n}\n\ntracepoint:sched:sched_process_fork\n{\n\t@ = count();\n}\n\ninterval:s:1\n{\n\ttime(\"%H:%M:%S PIDs/sec: \");\n\tprint(@);\n\tclear(@);\n}\n\nEND\n{\n\tclear(@);\n}\n"
},
{
"request": "Write a BPF code that counts system calls and processes using the bpftrace tool. It prints the top 10 system call IDs and processes at the end of execution.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * syscount.bt\tCount system calls.\n *\t\tFor Linux, uses bpftrace, eBPF.\n *\n * This is a bpftrace version of the bcc tool of the same name.\n * The bcc versions translates syscall IDs to their names, and this version\n * currently does not. Syscall IDs can be listed by \"ausyscall --dump\".\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 13-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Counting syscalls... Hit Ctrl-C to end.\\n\");\n\t// ausyscall --dump | awk 'NR > 1 { printf(\"\\t@sysname[%d] = \\\"%s\\\";\\n\", $1, $2); }'\n}\n\ntracepoint:raw_syscalls:sys_enter\n{\n\t@syscall[args.id] = count();\n\t@process[comm] = count();\n}\n\nEND\n{\n\tprintf(\"\\nTop 10 syscalls IDs:\\n\");\n\tprint(@syscall, 10);\n\tclear(@syscall);\n\n\tprintf(\"\\nTop 10 processes:\\n\");\n\tprint(@process, 10);\n\tclear(@process);\n}\n"
},
{
"request": "Write a BPF code that traces the \"open\" and \"openat\" system calls, printing the process ID, command name, file descriptor, error code, and file path for each call.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * opensnoop\tTrace open() syscalls.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * Also a basic example of bpftrace.\n *\n * USAGE: opensnoop.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 08-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing open syscalls... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-6s %-16s %4s %3s %s\\n\", \"PID\", \"COMM\", \"FD\", \"ERR\", \"PATH\");\n}\n\ntracepoint:syscalls:sys_enter_open,\ntracepoint:syscalls:sys_enter_openat\n{\n\t@filename[tid] = args.filename;\n}\n\ntracepoint:syscalls:sys_exit_open,\ntracepoint:syscalls:sys_exit_openat\n/@filename[tid]/\n{\n\t$ret = args.ret;\n\t$fd = $ret >= 0 ? $ret : -1;\n\t$errno = $ret >= 0 ? 0 : - $ret;\n\n\tprintf(\"%-6d %-16s %4d %3d %s\\n\", pid, comm, $fd, $errno,\n\t str(@filename[tid]));\n\tdelete(@filename[tid]);\n}\n\nEND\n{\n\tclear(@filename);\n}\n"
},
{
"request": "Write a BPF code that monitors new thread creations in a program and displays the timestamp, process ID, command name, and function being executed when the thread is created.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * threadsnoop - List new thread creation.\n *\n * See BPF Performance Tools, Chapter 13, for an explanation of this tool.\n *\n * Copyright (c) 2019 Brendan Gregg.\n * Licensed under the Apache License, Version 2.0 (the \"License\").\n * This was originally created for the BPF Performance Tools book\n * published by Addison Wesley. ISBN-13: 9780136554820\n * When copying or porting, include this comment.\n *\n * 15-Feb-2019 Brendan Gregg Created this.\n */\n\nBEGIN\n{\n\tprintf(\"%-10s %-6s %-16s %s\\n\", \"TIME(ms)\", \"PID\", \"COMM\", \"FUNC\");\n}\n\nuprobe:libpthread:pthread_create,\nuprobe:libc:pthread_create\n{\n\tprintf(\"%-10u %-6d %-16s %s\\n\", elapsed / 1e6, pid, comm,\n\t usym(arg2));\n}\n"
},
{
"request": "Write a BPF code that samples the run queue length of the CPU scheduler as a histogram, subtracting the currently running task, and outputs the results.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * runqlen.bt\tCPU scheduler run queue length as a histogram.\n *\t\tFor Linux, uses bpftrace, eBPF.\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 07-Oct-2018\tBrendan Gregg\tCreated this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/sched.h>\n\n// Until BTF is available, we'll need to declare some of this struct manually,\n// since it isn't available to be #included. This will need maintenance to match\n// your kernel version. It is from kernel/sched/sched.h:\nstruct cfs_rq {\n\tstruct load_weight load;\n\tunsigned long runnable_weight;\n\tunsigned int nr_running;\n\tunsigned int h_nr_running;\n};\n#endif\n\nBEGIN\n{\n\tprintf(\"Sampling run queue length at 99 Hertz... Hit Ctrl-C to end.\\n\");\n}\n\nprofile:hz:99\n{\n\t$task = (struct task_struct *)curtask;\n\t$my_q = (struct cfs_rq *)$task->se.cfs_rq;\n\t$len = $my_q->nr_running;\n\t$len = $len > 0 ? $len - 1 : 0;\t// subtract currently running task\n\t@runqlen = lhist($len, 0, 100, 1);\n}\n"
},
{
"request": "Write a BPF code that fetches and processes the kernel structure to print load averages with three decimal places, similar to the output of the \"uptime\" command.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * loads\tPrints load averages.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * These are the same load averages printed by \"uptime\", but to three decimal\n * places instead of two (not that it really matters). This is really a\n * demonstration of fetching and processing a kernel structure from bpftrace.\n *\n * USAGE: loads.bt\n *\n * This is a bpftrace version of a DTraceToolkit tool.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 10-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Reading load averages... Hit Ctrl-C to end.\\n\");\n}\n\ninterval:s:1\n{\n\t/*\n\t * See fs/proc/loadavg.c and include/linux/sched/loadavg.h for the\n\t * following calculations.\n\t */\n\t$avenrun = kaddr(\"avenrun\");\n\t$load1 = *$avenrun;\n\t$load5 = *($avenrun + 8);\n\t$load15 = *($avenrun + 16);\n\ttime(\"%H:%M:%S \");\n\tprintf(\"load averages: %d.%03d %d.%03d %d.%03d\\n\",\n\t ($load1 >> 11), (($load1 & ((1 << 11) - 1)) * 1000) >> 11,\n\t ($load5 >> 11), (($load5 & ((1 << 11) - 1)) * 1000) >> 11,\n\t ($load15 >> 11), (($load15 & ((1 << 11) - 1)) * 1000) >> 11\n\t);\n}\n"
},
{
"request": "Write a BPF code that traces TCP session lifespans and prints details such as process ID, communication, local and remote addresses, ports, data transmitted and received, and duration in milliseconds.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * tcplife - Trace TCP session lifespans with connection details.\n *\n * See BPF Performance Tools, Chapter 10, for an explanation of this tool.\n *\n * Copyright (c) 2019 Brendan Gregg.\n * Licensed under the Apache License, Version 2.0 (the \"License\").\n * This was originally created for the BPF Performance Tools book\n * published by Addison Wesley. ISBN-13: 9780136554820\n * When copying or porting, include this comment.\n *\n * 17-Apr-2019 Brendan Gregg Created this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <net/tcp_states.h>\n#include <net/sock.h>\n#include <linux/socket.h>\n#include <linux/tcp.h>\n#else\n#include <sys/socket.h>\n#endif\n\nBEGIN\n{\n\tprintf(\"%-5s %-10s %-15s %-5s %-15s %-5s \", \"PID\", \"COMM\",\n\t \"LADDR\", \"LPORT\", \"RADDR\", \"RPORT\");\n\tprintf(\"%5s %5s %s\\n\", \"TX_KB\", \"RX_KB\", \"MS\");\n}\n\nkprobe:tcp_set_state\n{\n\t$sk = (struct sock *)arg0;\n\t$newstate = arg1;\n\n\t/*\n\t * This tool includes PID and comm context. From TCP this is best\n\t * effort, and may be wrong in some situations. It does this:\n\t * - record timestamp on any state < TCP_FIN_WAIT1\n\t *\tnote some state transitions may not be present via this kprobe\n\t * - cache task context on:\n\t *\tTCP_SYN_SENT: tracing from client\n\t *\tTCP_LAST_ACK: client-closed from server\n\t * - do output on TCP_CLOSE:\n\t *\tfetch task context if cached, or use current task\n\t */\n\n\t// record first timestamp seen for this socket\n\tif ($newstate < TCP_FIN_WAIT1 && @birth[$sk] == 0) {\n\t\t@birth[$sk] = nsecs;\n\t}\n\n\t// record PID & comm on SYN_SENT\n\tif ($newstate == TCP_SYN_SENT || $newstate == TCP_LAST_ACK) {\n\t\t@skpid[$sk] = pid;\n\t\t@skcomm[$sk] = comm;\n\t}\n\n\t// session ended: calculate lifespan and print\n\tif ($newstate == TCP_CLOSE && @birth[$sk]) {\n\t\t$delta_ms = (nsecs - @birth[$sk]) / 1e6;\n\t\t$lport = $sk->__sk_common.skc_num;\n\t\t$dport = $sk->__sk_common.skc_dport;\n\t\t$dport = bswap($dport);\n\t\t$tp = (struct tcp_sock *)$sk;\n\t\t$pid = @skpid[$sk];\n\t\t$comm = @skcomm[$sk];\n\t\tif ($comm == \"\") {\n\t\t\t// not cached, use current task\n\t\t\t$pid = pid;\n\t\t\t$comm = comm;\n\t\t}\n\n\t\t$family = $sk->__sk_common.skc_family;\n\t\t$saddr = ntop(0);\n\t\t$daddr = ntop(0);\n\t\tif ($family == AF_INET) {\n\t\t\t$saddr = ntop(AF_INET, $sk->__sk_common.skc_rcv_saddr);\n\t\t\t$daddr = ntop(AF_INET, $sk->__sk_common.skc_daddr);\n\t\t} else {\n\t\t\t// AF_INET6\n\t\t\t$saddr = ntop(AF_INET6,\n\t\t\t $sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);\n\t\t\t$daddr = ntop(AF_INET6,\n\t\t\t $sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);\n\t\t}\n\t\tprintf(\"%-5d %-10.10s %-15s %-5d %-15s %-6d \", $pid,\n\t\t $comm, $saddr, $lport, $daddr, $dport);\n\t\tprintf(\"%5d %5d %d\\n\", $tp->bytes_acked / 1024,\n\t\t $tp->bytes_received / 1024, $delta_ms);\n\n\t\tdelete(@birth[$sk]);\n\t\tdelete(@skpid[$sk]);\n\t\tdelete(@skcomm[$sk]);\n\t}\n}\n\nEND\n{\n\tclear(@birth); clear(@skpid); clear(@skcomm);\n}\n"
},
{
"request": "Write a BPF code that traces the execution of new processes via the exec() system call, displaying the time in milliseconds, process ID, and arguments passed to the exec() function.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * execsnoop.bt Trace new processes via exec() syscalls.\n * For Linux, uses bpftrace and eBPF.\n *\n * This traces when processes call exec(). It is handy for identifying new\n * processes created via the usual fork()->exec() sequence. Note that the\n * return value is not currently traced, so the exec() may have failed.\n *\n * TODO: switch to tracepoints args. Support more args. Include retval.\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * 15-Nov-2017\tBrendan Gregg\tCreated this.\n * 11-Sep-2018\t \" \"\tSwitched to use join().\n */\n\nBEGIN\n{\n\tprintf(\"%-10s %-5s %s\\n\", \"TIME(ms)\", \"PID\", \"ARGS\");\n}\n\ntracepoint:syscalls:sys_enter_exec*\n{\n\tprintf(\"%-10u %-5d \", elapsed / 1e6, pid);\n\tjoin(args.argv);\n}\n"
},
{
"request": "Write a BPF code that traces file system writeback events and provides details such as the time of occurrence, device, number of pages flushed, reason, and duration of the event in milliseconds. The code uses tracepoints and prints the information in a clear and organized format.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * writeback\tTrace file system writeback events with details.\n * \t\tFor Linux, uses bpftrace and eBPF.\n *\n * This traces when file system dirtied pages are flushed to disk by kernel\n * writeback, and prints details including when the event occurred, and the\n * duration of the event. This can be useful for correlating these times with\n * other performance problems, and if there is a match, it would be a clue\n * that the problem may be caused by writeback. How quickly the kernel does\n * writeback can be tuned: see the kernel docs, eg,\n * vm.dirty_writeback_centisecs.\n *\n * USAGE: writeback.bt\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 14-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing writeback... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-9s %-8s %-8s %-16s %s\\n\", \"TIME\", \"DEVICE\", \"PAGES\",\n\t \"REASON\", \"ms\");\n\n\t// see /sys/kernel/debug/tracing/events/writeback/writeback_start/format\n\t@reason[0] = \"background\";\n\t@reason[1] = \"vmscan\";\n\t@reason[2] = \"sync\";\n\t@reason[3] = \"periodic\";\n\t@reason[4] = \"laptop_timer\";\n\t@reason[5] = \"free_more_memory\";\n\t@reason[6] = \"fs_free_space\";\n\t@reason[7] = \"forker_thread\";\n}\n\ntracepoint:writeback:writeback_start\n{\n\t@start[args.sb_dev] = nsecs;\n}\n\ntracepoint:writeback:writeback_written\n{\n\t$sb_dev = args.sb_dev;\n\t$s = @start[$sb_dev];\n\tdelete(@start[$sb_dev]);\n\t$lat = $s ? (nsecs - $s) / 1000 : 0;\n\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-8s %-8d %-16s %d.%03d\\n\", args.name,\n\t args.nr_pages & 0xffff,\t// TODO: explain these bitmasks\n\t @reason[args.reason & 0xffffffff],\n\t $lat / 1000, $lat % 1000);\n}\n\nEND\n{\n\tclear(@reason);\n\tclear(@start);\n}\n"
},
{
"request": "Write a BPF code that traces setuid syscalls, including setuid, setfsuid, and setresuid, and prints the process ID, command, user ID, syscall, and arguments with their return values.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * setuids - Trace the setuid syscalls: privilege escalation.\n *\n * See BPF Performance Tools, Chapter 11, for an explanation of this tool.\n *\n * Copyright (c) 2019 Brendan Gregg.\n * Licensed under the Apache License, Version 2.0 (the \"License\").\n * This was originally created for the BPF Performance Tools book\n * published by Addison Wesley. ISBN-13: 9780136554820\n * When copying or porting, include this comment.\n *\n * 26-Feb-2019 Brendan Gregg Created this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing setuid(2) family syscalls. Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-8s %-6s %-16s %-6s %-9s %s\\n\", \"TIME\",\n\t \"PID\", \"COMM\", \"UID\", \"SYSCALL\", \"ARGS (RET)\");\n}\n\ntracepoint:syscalls:sys_enter_setuid,\ntracepoint:syscalls:sys_enter_setfsuid\n{\n\t@uid[tid] = uid;\n\t@setuid[tid] = args.uid;\n\t@seen[tid] = 1;\n}\n\ntracepoint:syscalls:sys_enter_setresuid\n{\n\t@uid[tid] = uid;\n\t@ruid[tid] = args.ruid;\n\t@euid[tid] = args.euid;\n\t@suid[tid] = args.suid;\n\t@seen[tid] = 1;\n}\n\ntracepoint:syscalls:sys_exit_setuid\n/@seen[tid]/\n{\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %-16s %-6d setuid uid=%d (%d)\\n\", pid, comm,\n\t @uid[tid], @setuid[tid], args.ret);\n\tdelete(@seen[tid]); delete(@uid[tid]); delete(@setuid[tid]);\n}\n\ntracepoint:syscalls:sys_exit_setfsuid\n/@seen[tid]/\n{\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %-16s %-6d setfsuid uid=%d (prevuid=%d)\\n\", pid, comm,\n\t @uid[tid], @setuid[tid], args.ret);\n\tdelete(@seen[tid]); delete(@uid[tid]); delete(@setuid[tid]);\n}\n\ntracepoint:syscalls:sys_exit_setresuid\n/@seen[tid]/\n{\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %-16s %-6d setresuid \", pid, comm, @uid[tid]);\n\tprintf(\"ruid=%d euid=%d suid=%d (%d)\\n\", @ruid[tid], @euid[tid],\n\t @suid[tid], args.ret);\n\tdelete(@seen[tid]); delete(@uid[tid]); delete(@ruid[tid]);\n\tdelete(@euid[tid]); delete(@suid[tid]);\n}\n"
},
{
"request": "Write a BPF code that traces md flush events and displays the time, process ID, command name, and device name of the event.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * mdflush\tTrace md flush events.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * USAGE: mdflush.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * For Linux 5.12+ (see tools/old for script for lower versions).\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 08-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/genhd.h>\n#include <linux/bio.h>\n#endif\n\nBEGIN\n{\n\tprintf(\"Tracing md flush events... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-8s %-6s %-16s %s\\n\", \"TIME\", \"PID\", \"COMM\", \"DEVICE\");\n}\n\nkprobe:md_flush_request\n{\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %-16s %s\\n\", pid, comm,\n\t ((struct bio *)arg1)->bi_bdev->bd_disk->disk_name);\n}\n"
},
{
"request": "Write a BPF code that traces sync-related system calls, such as sync(), syncfs(), fsync(), fdatasync(), sync_file_range(), and msync(), and prints the timestamp, process ID, command name, and event for each tracepoint.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * syncsnoop\tTrace sync() variety of syscalls.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * Also a basic example of bpftrace.\n *\n * USAGE: syncsnoop.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 06-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing sync syscalls... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-9s %-6s %-16s %s\\n\", \"TIME\", \"PID\", \"COMM\", \"EVENT\");\n}\n\ntracepoint:syscalls:sys_enter_sync,\ntracepoint:syscalls:sys_enter_syncfs,\ntracepoint:syscalls:sys_enter_fsync,\ntracepoint:syscalls:sys_enter_fdatasync,\ntracepoint:syscalls:sys_enter_sync_file_range*,\ntracepoint:syscalls:sys_enter_msync\n{\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %-16s %s\\n\", pid, comm, probe);\n}\n"
},
{
"request": "Write a BPF code that traces directory entry cache (dcache) lookups in the Linux kernel, displaying the time, process ID, process name, lookup type (R for read, M for miss), and file name for each lookup.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * dcsnoop\tTrace directory entry cache (dcache) lookups.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * This uses kernel dynamic tracing of kernel functions, lookup_fast() and\n * d_lookup(), which will need to be modified to match kernel changes. See\n * code comments.\n *\n * USAGE: dcsnoop.bt\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 08-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <linux/fs.h>\n#include <linux/sched.h>\n\n// from fs/namei.c:\nstruct nameidata {\n struct path path;\n struct qstr last;\n // [...]\n};\n#endif\n\nBEGIN\n{\n\tprintf(\"Tracing dcache lookups... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-8s %-6s %-16s %1s %s\\n\", \"TIME\", \"PID\", \"COMM\", \"T\", \"FILE\");\n}\n\n// comment out this block to avoid showing hits:\nkprobe:lookup_fast,\nkprobe:lookup_fast.constprop.*\n{\n\t$nd = (struct nameidata *)arg0;\n\tprintf(\"%-8d %-6d %-16s R %s\\n\", elapsed / 1e6, pid, comm,\n\t str($nd->last.name));\n}\n\nkprobe:d_lookup\n{\n\t$name = (struct qstr *)arg1;\n\t@fname[tid] = $name->name;\n}\n\nkretprobe:d_lookup\n/@fname[tid]/\n{\n\tprintf(\"%-8d %-6d %-16s M %s\\n\", elapsed / 1e6, pid, comm,\n\t str(@fname[tid]));\n\tdelete(@fname[tid]);\n}\n"
},
{
"request": "Write a BPF code that traces the latency of block device I/O operations by recording the start and end times of the operations and calculating the elapsed time in microseconds.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * biolatency.bt\tBlock I/O latency as a histogram.\n *\t\t\tFor Linux, uses bpftrace, eBPF.\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 13-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing block device I/O... Hit Ctrl-C to end.\\n\");\n}\n\ntracepoint:block:block_bio_queue\n{\n\t@start[args.sector] = nsecs;\n}\n\ntracepoint:block:block_rq_complete,\ntracepoint:block:block_bio_complete\n/@start[args.sector]/\n{\n\t@usecs = hist((nsecs - @start[args.sector]) / 1000);\n\tdelete(@start[args.sector]);\n}\n\nEND\n{\n\tclear(@start);\n}\n"
},
{
"request": "Write a BPF code that traces SSL/TLS handshake latency and return values, as well as the latency and return values of various OpenSSL functions. This code can be useful for analyzing SSL/TLS performance.",
"bpf": "#!/usr/bin/bpftrace\n/*\n * sslsnoop\tTrace SSL/TLS handshake for OpenSSL.\n * \t\tFor Linux, uses bpftrace and eBPF.\n *\n * sslsnoop shows handshake latency and retval. This is useful for SSL/TLS\n * performance analysis.\n *\n * Copyright (c) 2021 Tao Xu.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 15-Dec-2021\tTao Xu\tcreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing SSL/TLS handshake... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-10s %-8s %-8s %7s %5s %s\\n\", \"TIME(us)\", \"TID\",\n\t \"COMM\", \"LAT(us)\", \"RET\", \"FUNC\");\n}\n\nuprobe:libssl:SSL_read,\nuprobe:libssl:SSL_write,\nuprobe:libssl:SSL_do_handshake\n{\n\t@start_ssl[tid] = nsecs;\n\t@func_ssl[tid] = func; // store for uretprobe\n}\n\nuretprobe:libssl:SSL_read,\nuretprobe:libssl:SSL_write,\nuretprobe:libssl:SSL_do_handshake\n/@start_ssl[tid] != 0/\n{\n\tprintf(\"%-10u %-8d %-8s %7u %5d %s\\n\", elapsed/1000, tid, comm,\n\t (nsecs - @start_ssl[tid])/1000, retval, @func_ssl[tid]);\n\tdelete(@start_ssl[tid]); delete(@func_ssl[tid]);\n}\n\n// need debug symbol for ossl local functions\nuprobe:libcrypto:rsa_ossl_public_encrypt,\nuprobe:libcrypto:rsa_ossl_public_decrypt,\nuprobe:libcrypto:rsa_ossl_private_encrypt,\nuprobe:libcrypto:rsa_ossl_private_decrypt,\nuprobe:libcrypto:RSA_sign,\nuprobe:libcrypto:RSA_verify,\nuprobe:libcrypto:ossl_ecdsa_sign,\nuprobe:libcrypto:ossl_ecdsa_verify,\nuprobe:libcrypto:ossl_ecdh_compute_key\n{\n\t@start_crypto[tid] = nsecs;\n\t@func_crypto[tid] = func; // store for uretprobe\n}\n\nuretprobe:libcrypto:rsa_ossl_public_encrypt,\nuretprobe:libcrypto:rsa_ossl_public_decrypt,\nuretprobe:libcrypto:rsa_ossl_private_encrypt,\nuretprobe:libcrypto:rsa_ossl_private_decrypt,\nuretprobe:libcrypto:RSA_sign,\nuretprobe:libcrypto:RSA_verify,\nuretprobe:libcrypto:ossl_ecdsa_sign,\nuretprobe:libcrypto:ossl_ecdsa_verify,\nuretprobe:libcrypto:ossl_ecdh_compute_key\n/@start_crypto[tid] != 0/\n{\n\tprintf(\"%-10u %-8d %-8s %7u %5d %s\\n\", elapsed/1000, tid, comm,\n\t (nsecs - @start_crypto[tid])/1000, retval, @func_crypto[tid]);\n\tdelete(@start_crypto[tid]); delete(@func_crypto[tid]);\n}\n"
},
{
"request": "Write a BPF code that traces and counts VFS (Virtual File System) calls in the Linux kernel.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * vfscount\tCount VFS calls (\"vfs_*\").\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * Written as a basic example of counting kernel functions.\n *\n * USAGE: vfscount.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 06-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing VFS calls... Hit Ctrl-C to end.\\n\");\n\n}\n\nkprobe:vfs_*\n{\n\t@[func] = count();\n}\n"
},
{
"request": "Write a BPF code that samples the CPU usage of processes at a frequency of 99 times per second and generates a histogram of CPU usage for each process.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * cpuwalk\tSample which CPUs are executing processes.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * USAGE: cpuwalk.bt\n *\n * This is a bpftrace version of the DTraceToolkit tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 08-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Sampling CPU at 99hz... Hit Ctrl-C to end.\\n\");\n}\n\nprofile:hz:99\n/pid/\n{\n\t@cpu = lhist(cpu, 0, 1000, 1);\n}\n"
},
{
"request": "Write a BPF code that traces security capability checks (cap_capable()) in Linux using bpftrace and eBPF. The code prints the time, UID, PID, process name, capability, and audit flag for each cap_capable syscall.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * capable\tTrace security capability checks (cap_capable()).\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * USAGE: capable.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 08-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing cap_capable syscalls... Hit Ctrl-C to end.\\n\");\n\tprintf(\"%-9s %-6s %-6s %-16s %-4s %-20s AUDIT\\n\", \"TIME\", \"UID\", \"PID\",\n\t \"COMM\", \"CAP\", \"NAME\");\n\t@cap[0] = \"CAP_CHOWN\";\n\t@cap[1] = \"CAP_DAC_OVERRIDE\";\n\t@cap[2] = \"CAP_DAC_READ_SEARCH\";\n\t@cap[3] = \"CAP_FOWNER\";\n\t@cap[4] = \"CAP_FSETID\";\n\t@cap[5] = \"CAP_KILL\";\n\t@cap[6] = \"CAP_SETGID\";\n\t@cap[7] = \"CAP_SETUID\";\n\t@cap[8] = \"CAP_SETPCAP\";\n\t@cap[9] = \"CAP_LINUX_IMMUTABLE\";\n\t@cap[10] = \"CAP_NET_BIND_SERVICE\";\n\t@cap[11] = \"CAP_NET_BROADCAST\";\n\t@cap[12] = \"CAP_NET_ADMIN\";\n\t@cap[13] = \"CAP_NET_RAW\";\n\t@cap[14] = \"CAP_IPC_LOCK\";\n\t@cap[15] = \"CAP_IPC_OWNER\";\n\t@cap[16] = \"CAP_SYS_MODULE\";\n\t@cap[17] = \"CAP_SYS_RAWIO\";\n\t@cap[18] = \"CAP_SYS_CHROOT\";\n\t@cap[19] = \"CAP_SYS_PTRACE\";\n\t@cap[20] = \"CAP_SYS_PACCT\";\n\t@cap[21] = \"CAP_SYS_ADMIN\";\n\t@cap[22] = \"CAP_SYS_BOOT\";\n\t@cap[23] = \"CAP_SYS_NICE\";\n\t@cap[24] = \"CAP_SYS_RESOURCE\";\n\t@cap[25] = \"CAP_SYS_TIME\";\n\t@cap[26] = \"CAP_SYS_TTY_CONFIG\";\n\t@cap[27] = \"CAP_MKNOD\";\n\t@cap[28] = \"CAP_LEASE\";\n\t@cap[29] = \"CAP_AUDIT_WRITE\";\n\t@cap[30] = \"CAP_AUDIT_CONTROL\";\n\t@cap[31] = \"CAP_SETFCAP\";\n\t@cap[32] = \"CAP_MAC_OVERRIDE\";\n\t@cap[33] = \"CAP_MAC_ADMIN\";\n\t@cap[34] = \"CAP_SYSLOG\";\n\t@cap[35] = \"CAP_WAKE_ALARM\";\n\t@cap[36] = \"CAP_BLOCK_SUSPEND\";\n\t@cap[37] = \"CAP_AUDIT_READ\";\n\t@cap[38] = \"CAP_PERFMON\";\n\t@cap[39] = \"CAP_BPF\";\n\t@cap[40] = \"CAP_CHECKPOINT_RESTORE\";\n}\n\nkprobe:cap_capable\n{\n\t$cap = arg2;\n\t$audit = arg3;\n\ttime(\"%H:%M:%S \");\n\tprintf(\"%-6d %-6d %-16s %-4d %-20s %d\\n\", uid, pid, comm, $cap,\n\t @cap[$cap], $audit);\n}\n\nEND\n{\n\tclear(@cap);\n}\n"
},
{
"request": "Write a BPF code that traces the size of TCP SYN backlogs and records them as a histogram, also providing a timestamp when a SYN is dropped due to the backlog surpassing the limit.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * tcpsynbl - Show TCP SYN backlog as a histogram.\n *\n * See BPF Performance Tools, Chapter 10, for an explanation of this tool.\n *\n * Copyright (c) 2019 Brendan Gregg.\n * Licensed under the Apache License, Version 2.0 (the \"License\").\n * This was originally created for the BPF Performance Tools book\n * published by Addison Wesley. ISBN-13: 9780136554820\n * When copying or porting, include this comment.\n *\n * 19-Apr-2019 Brendan Gregg Created this.\n */\n\n#ifndef BPFTRACE_HAVE_BTF\n#include <net/sock.h>\n#endif\n\nBEGIN\n{\n\tprintf(\"Tracing SYN backlog size. Ctrl-C to end.\\n\");\n}\n\nkprobe:tcp_v4_syn_recv_sock,\nkprobe:tcp_v6_syn_recv_sock\n{\n\t$sock = (struct sock *)arg0;\n\t@backlog[$sock->sk_max_ack_backlog & 0xffffffff] =\n\t hist($sock->sk_ack_backlog);\n\tif ($sock->sk_ack_backlog > $sock->sk_max_ack_backlog) {\n\t\ttime(\"%H:%M:%S dropping a SYN.\\n\");\n\t}\n}\n\nEND\n{\n\tprintf(\"\\n@backlog[backlog limit]: histogram of backlog size\\n\");\n}\n"
},
{
"request": "Write a BPF code that traces block device I/O and creates histograms of the I/O size in bytes for each process name.",
"bpf": "#!/usr/bin/env bpftrace\n/*\n * bitesize\tShow disk I/O size as a histogram.\n *\t\tFor Linux, uses bpftrace and eBPF.\n *\n * USAGE: bitesize.bt\n *\n * This is a bpftrace version of the bcc tool of the same name.\n *\n * Copyright 2018 Netflix, Inc.\n * Licensed under the Apache License, Version 2.0 (the \"License\")\n *\n * 07-Sep-2018\tBrendan Gregg\tCreated this.\n */\n\nBEGIN\n{\n\tprintf(\"Tracing block device I/O... Hit Ctrl-C to end.\\n\");\n}\n\ntracepoint:block:block_rq_issue\n{\n\t@[args.comm] = hist(args.bytes);\n}\n\nEND\n{\n\tprintf(\"\\nI/O size (bytes) histograms by process name:\");\n}\n"
}
]