- 02 Aug, 2018 1 commit
-
-
Alex Maestretti authored
cmake3 was throwing an error that the package did not exist. cmake exists and the build was successful using it.
-
- 01 Aug, 2018 1 commit
-
-
Javier Honduvilla Coto authored
* Replace boilerplate for increment with a call to `increment` from new tooling. Found cases to replace using `ripgrep`[1]: ``` $ rg '\(\*\w+\)\s*\+\+' -l | grep tools | grep -v old ``` [1]: https://github.com/BurntSushi/ripgrep * Replace boilerplate for bigger than 1 increments with the new `increment` call from new tooling. Found cases to replace using `ripgrep`[1]: ``` $ rg '\(\*\w+\)\s*\+=' -l | grep tools | grep -v old ``` [1]: https://github.com/BurntSushi/ripgrep * Update examples indicating the alternative increment call for hash tables
-
- 30 Jul, 2018 1 commit
-
-
Oliver Mannion authored
Add instructions for installing on Amazon Linux from source
-
- 27 Jul, 2018 2 commits
-
-
Nikita V. Shirokov authored
* [trace.py]: allow to use STRCMP helper with binary values Summary: sometimes in probe you want to compare char* w/ some predefined value which is not a string. e.g. setsockopt syscall has signature like this: sys_setsockopt(int fd, int level, int optname, char* optval, int optlen) and if you want to catch where/who is setting up specific value you are forced to compare optval against some predefined array. it's not possible today w/ trace.py and in this diff i'm adding such ability Test Plan: as example: we want to catch setsockopt when someone is setting up IP_TOS equal to 108 trace.py 'sys_setsockopt(int fd, int level, int optname, char* optval, int optlen)(level==0 && optname == 1 && STRCMP("{0x6C,0x00, 0x00, 0x00}", optval))' -U -M 1 --bin_cmp -v without this new modifier: static inline bool streq_0(char const *ignored, uintptr_t str) { char needle[] = "{0x6C,0x00, 0x00, 0x00}"; char haystack[sizeof(needle)]; bpf_probe_read(&haystack, sizeof(haystack), (void *)str); for (int i = 0; i < sizeof(needle) - 1; ++i) { if (needle[i] != haystack[i]) { return false; } } return true; } // see needle is qouted above with: tatic inline bool streq_0(char const *ignored, uintptr_t str) { char needle[] = {0x6C,0x00, 0x00, 0x00}; char haystack[sizeof(needle)]; bpf_probe_read(&haystack, sizeof(haystack), (void *)str); for (int i = 0; i < sizeof(needle) - 1; ++i) { if (needle[i] != haystack[i]) { return false; } } return true; } ... PID TID COMM FUNC - 1855611 1863183 worker sys_setsockopt found * adding example of --bin_cmp flag usage
-
Javier Honduvilla Coto authored
* Allow arbitrary hashtable increments. Fixes #1742 Right now incrementing some datastructure's values like maps or histograms can be done with some boilerplate[1] or with `increment` which increments a value by 1. This patch allows a second optional parameter to use as the increment. - [1]: ``` u64 zero = 0, *val; val = map.lookup_or_init(&key, &zero); (*val) += inc; ``` Notes: - Some lines in the documentation where changed because of trailing spaces deletion - The test is quite simple right now - Will update the tools to use `increment` in another PR * CR changes
-
- 24 Jul, 2018 1 commit
-
-
Joel authored
BCC currently requires exactly matching headers. Sometimes this is quite inconvenient especially if the kernel version is only very slightly different such as updates in a stable kernel. This patch gives the user the flexibility to override the the LINUX_VERSION_CODE provided in the linux kernel headers, so that the eBPF program may load. We also print a message when this is done, so that the user is warned about the override happening and that results may be unpredictable. Also updated the docs. Signed-off-by: Joel Fernandes <joel@joelfernandes.org>
-
- 23 Jul, 2018 4 commits
-
-
Eyal Birger authored
BPF_MAP_TYPE_LPM_TRIE supports element deletion since kernel commit e454cf595853 ("bpf: Implement map_delete_elem for BPF_MAP_TYPE_LPM_TRIE") which is available in 4.15 kernels onwards. Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
-
Brenden Blanco authored
-
Brenden Blanco authored
* tools: use printb for more python3 compat Switch to printb in killsnoop and wakeuptime * tests: use subproceess sleep to trigger test In some python implementations, time.sleep uses select instead of nanosleep and hence won't trigger the bpf kprobe. * tools: remove explicit python3 shebang Use an ambiguous python invocation in the shebang line. Instead, rely on packaging stage to mangle the line to specify a python version. * cmake: add ENABLE_LLVM_SHARED option This adds an option to specify that only the dynamic libraries should be used to link bcc. This is most likely to be used in systems that don't build/provide the llvm-static and clang-static package options (fedora-based). * rpm: enable llvm_shared and python3 build options Enable rpm packaging with two new features: - shared-only packaging (no static linking) - python3 To enable these build features (off by default), run: RPM_WITH_OPTS="--with llvm_shared --with python3" ./scripts/build-rpm.sh * rpm: protect python3-bcc package declaration Don't define python3-bcc if --with python3 isn't explicitly specified. * specs: only build python3 if requested * man: compress man pages * specs: enable python3 by default in fc28+/rh8+ - Enable llvm_shared and python3 --with options by default in new fedora - Fix string quoting - Update spec changelog
-
Brendan Gregg authored
add usdt calls to libbcc static library
-
- 19 Jul, 2018 3 commits
-
-
ChaosData authored
This fix adds additional accounting logic to the http_filter examples ("simple" and "complete") that make sure to shift the pointer for the IP body/payload to the correct offset before accessing TCP header fields. This is done by taking into account the IP header length field. Previously, the IP header length field was used, but it was done later in processing, after TCP header values were extracted using the size of the BCC `proto.h` `struct ip_t` a static offset. Prior to this, it was possible to evade HTTP detection by injecting IP options data into the IP header that would spoof parts of the TCP header and shift the real one down, as done in the scapy snippet below: ```Python IP( dst=target[0], options=struct.pack(">BBHHHB",130,11,8080,0,0,0), )/TCP( ... ) ```
-
jeromemarchand authored
Prevents the following error when tracing a java program that contains non-ascii method name: Traceback (most recent call last): File "/usr/share/bcc/tools/lib/ucalls", line 305, in <module> data = get_data() # [(function, (num calls, latency in ns))] File "/usr/share/bcc/tools/lib/ucalls", line 266, in get_data bpf["counts"].items())) File "/usr/share/bcc/tools/lib/ucalls", line 264, in <lambda> kv[0].method.decode(), UnicodeDecodeError: 'ascii' codec can't decode byte 0xc4 in position 11: ordinal not in range(128) Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
-
Nikita V. Shirokov authored
* [profile.py]: adding support to collect profile only from specified CPU Summary: sometime it is usefull to collect stack only from single cpu for example you have single core saturated while others dont and you want to know whats going on there. in this diff i'm adding this ability (network related code could be example of when single core is saturated as usually you have 1 to 1 mappng between rx queue and cpu) example of generated code w/ CPU specified: ./tools/profile.py -C 14 2 --ebpf Sampling at 49 Hertz of all threads by user + kernel stack for 2 secs. struct key_t { u32 pid; u64 kernel_ip; u64 kernel_ret_ip; int user_stack_id; int kernel_stack_id; char name[TASK_COMM_LEN]; }; BPF_HASH(counts, struct key_t); BPF_STACK_TRACE(stack_traces, 16384); // This code gets a bit complex. Probably not suitable for casual hacking. int do_perf_event(struct bpf_perf_event_data *ctx) { if (bpf_get_smp_processor_id() != 14) return 0; u32 pid = bpf_get_current_pid_tgid() >> 32; ... and w/o ./tools/profile.py 2 --ebpf Sampling at 49 Hertz of all threads by user + kernel stack for 2 secs. struct key_t { u32 pid; u64 kernel_ip; u64 kernel_ret_ip; int user_stack_id; int kernel_stack_id; char name[TASK_COMM_LEN]; }; BPF_HASH(counts, struct key_t); BPF_STACK_TRACE(stack_traces, 16384); // This code gets a bit complex. Probably not suitable for casual hacking. int do_perf_event(struct bpf_perf_event_data *ctx) { u32 pid = bpf_get_current_pid_tgid() >> 32; if (!(1)) return 0; ... * addressing comments * adding change in man
-
- 16 Jul, 2018 2 commits
-
-
Brendan Gregg authored
[tools/execsnoop] Try to get parent PID from current task's real parent.
-
Brendan Gregg authored
tcptop: fix display of received bytes, reduce syscalls (fixes #1871)
-
- 14 Jul, 2018 1 commit
-
-
David Calavera authored
bpf_get_current_task is only available in 4.8 and above. Signed-off-by: David Calavera <david.calavera@gmail.com>
-
- 13 Jul, 2018 2 commits
-
-
Andreas Gerstmayr authored
the keys variable was a reference to ipv4_recv_bytes, and after merging the keys of ipv4_send_bytes the original ipv4_recv_bytes BPF table also contained all keys, therefore the `if k in ipv4_recv_bytes` check a few lines below always evaluates to true with this commit all BPF tables are copied to userspace as dicts once (to reduce the number of syscalls) and the keys are merged in a new dict
-
David Calavera authored
Signed-off-by: David Calavera <david.calavera@gmail.com>
-
- 12 Jul, 2018 3 commits
-
-
Teng Qin authored
fix get_table_offline for percpu hash table
-
David Calavera authored
Signed-off-by: David Calavera <david.calavera@gmail.com>
-
David Calavera authored
Fallback to read the PPid from /proc if the real parent's TGID is 0. Signed-off-by: David Calavera <david.calavera@gmail.com>
-
- 11 Jul, 2018 1 commit
-
-
Mauricio Vasquez B authored
Use get_value() instead of lookup() as the value as in the case of percpu tables the ValueType is an std::vector that has to be resized before performing the lookup function. Add also some testing for it. Solves https://github.com/iovisor/bcc/issues/1860Signed-off-by: Mauricio Vasquez B <mauricio.vasquez@polito.it>
-
- 10 Jul, 2018 6 commits
-
-
4ast authored
debian: add llvm6.0 as possible dependency
-
4ast authored
Mention perf as universal counting tool in llcstat
-
4ast authored
Improve Python autoload syscall name handling
-
4ast authored
Added new footer.h header where BPF_LICENSE is set if not defined
-
4ast authored
Rewrite array accesses
-
4ast authored
Fix license recognition on GitHub.com
-
- 09 Jul, 2018 1 commit
-
-
Brenden Blanco authored
In recent Ubuntu, llvm 6 is available. Use that as control file dependency option.
-
- 08 Jul, 2018 1 commit
-
-
Ivan Babrou authored
Closes #1757.
-
- 06 Jul, 2018 1 commit
-
-
Teng Qin authored
-
- 02 Jul, 2018 1 commit
-
-
Brendan Gregg authored
tools: remove unnecessary calls to bpf_probe_read
-
- 01 Jul, 2018 2 commits
-
-
Paul Chaignon authored
The second file with the license information, COPYRIGHT.txt, contains the same information as LICENSE.txt, expect for the license's text. However, it prevents Licensee, the tool used by GitHub to detect licenses, from working properly as it doesn't know which file to take into account.
-
Paul Chaignon authored
Most of these calls have been rendered useless by a9f96c02 ("Recognize context member dereferences despite array accesses (#1828)").
-
- 28 Jun, 2018 3 commits
-
-
Paul Chaignon authored
-
Paul Chaignon authored
-
Paul Chaignon authored
Stops at any array accesses on external pointers and tries to rewrite both the array access and the member dereference if any, in one shot. With this commit, the following C code is rewritten properly into a single bpf_probe_read call. int test(struct pt_regs *ctx, const struct qstr *name) { return name->name[1]; } Based on Yonghong Song's code.
-
- 27 Jun, 2018 3 commits
-
-
Joe Yin authored
switch some fields from u64 to their natural size u32/u16
-
Oriol Arcas authored
Signed-off-by: Oriol Arcas <oriol@starflownetworks.com>
-
Joe Yin authored
based on kernel version, different kernel functions are kprobed.
-