├── README.md
├── exercises
└── Ch10_Networking
│ └── udplife.bt
├── images
└── bpf_performance_tools_2019.png
├── originals
├── Ch06_CPUs
│ ├── cpufreq.bt
│ ├── execsnoop.bt
│ ├── offcputime.bt
│ ├── runqlat.bt
│ ├── runqlen.bt
│ └── smpcalls.bt
├── Ch07_Memory
│ ├── brkstack.bt
│ ├── faults.bt
│ ├── ffaults.bt
│ ├── hfaults.bt
│ ├── mmapsnoop.py
│ ├── oomkill.bt
│ ├── swapin.bt
│ └── vmscan.bt
├── Ch08_FileSystems
│ ├── bufgrow.bt
│ ├── dcsnoop.bt
│ ├── dcstat.bt
│ ├── ext4dist.bt
│ ├── filelife.bt
│ ├── fileslower.bt
│ ├── filetype.bt
│ ├── filetype2.bt
│ ├── fmapfault.bt
│ ├── fsrwstat.bt
│ ├── icstat.bt
│ ├── mmapfiles.bt
│ ├── opensnoop.bt
│ ├── readahead.bt
│ ├── scread.bt
│ ├── statsnoop.bt
│ ├── syncsnoop.bt
│ ├── vfscount.bt
│ ├── vfssize.bt
│ ├── vfsstat.bt
│ ├── writeback.bt
│ ├── writesync.bt
│ └── xfsdist.bt
├── Ch09_Disks
│ ├── bioerr.bt
│ ├── biolatency-tp.bt
│ ├── biolatency.bt
│ ├── biopattern.bt
│ ├── biosnoop.bt
│ ├── biostacks.bt
│ ├── bitesize.bt
│ ├── iosched.bt
│ ├── mdflush.bt
│ ├── nvmelatency.bt
│ ├── scsilatency.bt
│ ├── scsiresult.bt
│ └── seeksize.bt
├── Ch10_Networking
│ ├── gethostlatency.bt
│ ├── ieee80211scan.bt
│ ├── ipecn.bt
│ ├── netsize.bt
│ ├── nettxlat-dev.bt
│ ├── nettxlat.bt
│ ├── qdisc-cbq.bt
│ ├── qdisc-cbs.bt
│ ├── qdisc-codel.bt
│ ├── qdisc-fq.bt
│ ├── qdisc-fq_codel.bt
│ ├── qdisc-red.bt
│ ├── qdisc-tbf.bt
│ ├── skbdrop.bt
│ ├── skblife.bt
│ ├── so1stbyte.bt
│ ├── soaccept.bt
│ ├── socketio.bt
│ ├── socksize.bt
│ ├── sockstat.bt
│ ├── soconnect.bt
│ ├── soconnlat.bt
│ ├── sofamily.bt
│ ├── soprotocol.bt
│ ├── sormem.bt
│ ├── superping.bt
│ ├── tcpaccept-tp.bt
│ ├── tcpaccept.bt
│ ├── tcpconnect-tp.bt
│ ├── tcplife.bt
│ ├── tcpnagle.bt
│ ├── tcpretrans.bt
│ ├── tcpsynbl.bt
│ ├── tcpwin.bt
│ └── udpconnect.bt
├── Ch11_Security
│ ├── bashreadline.bt
│ ├── capable.bt
│ ├── elfsnoop.bt
│ ├── eperm.bt
│ ├── modsnoop.bt
│ ├── setuids.bt
│ ├── shellsnoop.bt
│ ├── shellsnoop.py
│ ├── tcpreset.bt
│ └── ttysnoop.bt
├── Ch12_Languages
│ ├── bashfunc.bt
│ ├── bashfunc2.bt
│ ├── bashfunc3.bt
│ ├── bashfunclat.bt
│ ├── javacalls.bt
│ ├── javathreads.bt
│ └── jnistacks.bt
├── Ch13_Applications
│ ├── ioprofile.bt
│ ├── killsnoop.bt
│ ├── mysqld_clat.bt
│ ├── mysqld_qslower-uprobes.bt
│ ├── mysqld_qslower.bt
│ ├── naptime.bt
│ ├── offcpuhist.bt
│ ├── pmheld.bt
│ ├── pmlock.bt
│ ├── signals.bt
│ ├── threaded.bt
│ └── threadsnoop.bt
├── Ch14_Kernel
│ ├── kmem.bt
│ ├── kpages.bt
│ ├── loads.bt
│ ├── mheld.bt
│ ├── mlock.bt
│ ├── numamove.bt
│ ├── slabratetop.bt
│ └── workq.bt
├── Ch15_Containers
│ ├── blkthrot.bt
│ ├── overlayfs.bt
│ └── pidnss.bt
├── Ch16_Hypervisors
│ ├── cpustolen.bt
│ ├── kvmexits.bt
│ └── xenhyper.bt
└── README.md
└── updated
├── Ch06_CPUs
└── README.md
├── Ch07_Memory
└── README.md
├── Ch08_FileSystems
└── README.md
├── Ch09_Disks
├── README.md
└── biostacks.bt
├── Ch10_Networking
├── tcplife.bt
└── udpconnect.bt
├── Ch11_Security
└── README.md
├── Ch12_Languages
└── README.md
├── Ch13_Applications
└── README.md
├── Ch14_Kernel
└── README.md
├── Ch15_Containers
└── README.md
├── Ch16_Hypervisors
└── README.md
└── README.md
/README.md:
--------------------------------------------------------------------------------
1 | # BPF Performance Tools
2 |
3 | This is the official repository of BPF (eBPF) tools from the book [BPF Performance Tools: Linux and Application Observability](http://www.brendangregg.com/bpf-performance-tools-book.html). The directories are:
4 |
5 | - [originals](originals): The original published version of the tools.
6 | - [updated](updated): Updated versions of the tools.
7 | - [exercises](exercises): Exercise solutions.
8 |
9 | These tools are documented in the book.
10 |
11 | #### Tools:
12 | 
13 |
14 | In red are many of the new tools developed for the book, which are all in this repository. In black are the prior tools from BCC and bpftrace, many of which are also covered in the book.
15 |
16 | ## Updated tools
17 |
18 | You may contribute updated versions of the tools to the updated/ directory as you find they need fixes for newer kernels or other distributions (which can change CONFIG options or library paths, changing the probes). Please avoid ifdef's where possible, and create separate tools as they can be tested and maintained independently. Filename examples:
19 |
20 | - opensnoop_5.4.bt: opensnoop.bt for Linux 5.4 onwards
21 | - opensnoop_redfrog.bt: opensnoop for the RedFrog Linux distribution (I made that up).
22 | - opensnoop_redfrog11.bt: opensnoop for RedFrog release 11 onwards.
23 | - opensnoop_redfrog11_5.4.bt: opensnoop for RedFrog release 11 onwards, with Linux 5.4 onwards.
24 |
25 | By contributing updates to this repository, you agree that the publisher has the necessary permissions to include your updates in possible later editions of the book. Attribution will be given: make it clear in the PR what your name is. Note that the tools are deliberately short to serve as textbook examples and to simplify maintenance, and updates should not add functionality. For that, see the next section.
26 |
27 | ## Enhanced tools
28 |
29 | A small selection of tools from this book has been added to the bpftrace and BCC repositories. It is expected that the BCC versions will be enhanced with various command line options. We are not planning to add any more of these tools to those repositories: they are limited to ensure that they can be well supported by the repository community.
30 |
--------------------------------------------------------------------------------
/exercises/Ch10_Networking/udplife.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * udplife - Trace UDP session lifespans with connection details.
4 | *
5 | * Based on tcplife(8) from BPF Performance Tools (ISBN-13: 9780136554820),
6 | * and is a solution to Chapter 10 exercise 6.
7 | *
8 | * Copyright (c) 2020 Netflix
9 | * Licensed under the Apache License, Version 2.0 (the "License").
10 | *
11 | * 28-Jan-2020 Brendan Gregg Created this for Keerti.
12 | */
13 |
14 | #include
15 | #include
16 |
17 | BEGIN
18 | {
19 | printf("%-5s %-10s %-15s %-5s %-15s %-5s ", "PID", "COMM",
20 | "LADDR", "LPORT", "RADDR", "RPORT");
21 | printf("%6s %6s %s\n", "TX_B", "RX_B", "MS");
22 | }
23 |
24 | kprobe:ip4_datagram_connect,
25 | kprobe:ip6_datagram_connect
26 | {
27 | $sk = (struct sock *)arg0;
28 | @birth[$sk] = nsecs;
29 | @skpid[$sk] = pid;
30 | @skcomm[$sk] = comm;
31 | }
32 |
33 | /*
34 | * struct udp_sock does not have byte metrics, so we must trace send/recv.
35 | * This costs overhead.
36 | */
37 | kprobe:udp_sendmsg
38 | {
39 | @tx[(struct sock *)arg0] += arg2;
40 | }
41 | kprobe:udp_recvmsg
42 | {
43 | @udp_recv_sk[tid] = (struct sock *)arg0;
44 | }
45 | kretprobe:udp_recvmsg
46 | /@udp_recv_sk[tid]/
47 | {
48 | if (retval > 0) {
49 | @rx[@udp_recv_sk[tid]] += retval;
50 | }
51 | delete(@udp_recv_sk[tid]);
52 | }
53 |
54 | kprobe:udp_destruct_sock
55 | /@birth[(struct sock *)arg0]/
56 | {
57 | $sk = (struct sock *)arg0;
58 |
59 | $delta_ms = (nsecs - @birth[$sk]) / 1000000;
60 | $lport = $sk->__sk_common.skc_num;
61 | $dport = $sk->__sk_common.skc_dport;
62 | $dport = ($dport >> 8) | (($dport << 8) & 0xff00);
63 | $pid = @skpid[$sk];
64 | $comm = @skcomm[$sk];
65 | $family = $sk->__sk_common.skc_family;
66 | $saddr = ntop(0);
67 | $daddr = ntop(0);
68 | if ($family == AF_INET) {
69 | $saddr = ntop(AF_INET, $sk->__sk_common.skc_rcv_saddr);
70 | $daddr = ntop(AF_INET, $sk->__sk_common.skc_daddr);
71 | } else {
72 | // AF_INET6
73 | $saddr = ntop(AF_INET6,
74 | $sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);
75 | $daddr = ntop(AF_INET6,
76 | $sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);
77 | }
78 |
79 | printf("%-5d %-10.10s %-15s %-5d %-15s %-5d ", $pid,
80 | $comm, $saddr, $lport, $daddr, $dport);
81 | printf("%6d %6d %d\n", @tx[$sk], @rx[$sk], $delta_ms);
82 |
83 | delete(@birth[$sk]);
84 | delete(@skpid[$sk]);
85 | delete(@skcomm[$sk]);
86 | delete(@tx[$sk]);
87 | delete(@rx[$sk]);
88 | }
89 |
90 | END
91 | {
92 | clear(@birth); clear(@skpid); clear(@skcomm);
93 | clear(@tx); clear(@rx); clear(@udp_recv_sk);
94 | }
95 |
--------------------------------------------------------------------------------
/images/bpf_performance_tools_2019.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/brendangregg/bpf-perf-tools-book/09f8a3a101fdc23b0e51c33158ea3a1782aea427/images/bpf_performance_tools_2019.png
--------------------------------------------------------------------------------
/originals/Ch06_CPUs/cpufreq.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * cpufreq - Sample CPU frequency by process.
4 | *
5 | * See BPF Performance Tools, Chapter 6, for an explanation of this tool.
6 | *
7 | * This was inspired by the time_in_state BPF tool from Android by Connor
8 | * O'Brien, with some initial work by Joel Fernandes.
9 | *
10 | * Copyright (c) 2019 Brendan Gregg.
11 | * Licensed under the Apache License, Version 2.0 (the "License").
12 | * This was originally created for the BPF Performance Tools book
13 | * published by Addison Wesley. ISBN-13: 9780136554820
14 | * When copying or porting, include this comment.
15 | *
16 | * 24-Apr-2019 Brendan Gregg Created this.
17 | */
18 |
19 | BEGIN
20 | {
21 | printf("Sampling CPU freq system-wide & by process. Ctrl-C to end.\n");
22 | }
23 |
24 | tracepoint:power:cpu_frequency
25 | {
26 | @curfreq[cpu] = args->state;
27 | }
28 |
29 | profile:hz:100
30 | /@curfreq[cpu]/
31 | {
32 | @system_mhz = lhist(@curfreq[cpu] / 1000, 0, 5000, 200);
33 | if (pid) {
34 | @process_mhz[comm] = lhist(@curfreq[cpu] / 1000, 0, 5000, 200);
35 | }
36 | }
37 |
38 | END
39 | {
40 | clear(@curfreq);
41 | }
42 |
--------------------------------------------------------------------------------
/originals/Ch06_CPUs/execsnoop.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * execsnoop.bt Trace new processes via exec() syscalls.
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * This traces when processes call exec(). It is handy for identifying new
10 | * processes created via the usual fork()->exec() sequence. Note that the
11 | * return value is not currently traced, so the exec() may have failed.
12 | *
13 | * TODO: switch to tracepoints args. Support more args. Include retval.
14 | *
15 | * This is a bpftrace version of the bcc tool of the same name.
16 | *
17 | * 15-Nov-2017 Brendan Gregg Created this.
18 | * 11-Sep-2018 " " Switched to use join().
19 | */
20 |
21 | BEGIN
22 | {
23 | printf("%-10s %-5s %s\n", "TIME(ms)", "PID", "ARGS");
24 | }
25 |
26 | tracepoint:syscalls:sys_enter_execve
27 | {
28 | printf("%-10u %-5d ", elapsed / 1000000, pid);
29 | join(args->argv);
30 | }
31 |
--------------------------------------------------------------------------------
/originals/Ch06_CPUs/offcputime.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * offcputime - Summarize off-CPU time by stack trace (bpftrace version).
4 | *
5 | * See BPF Performance Tools, Chapter 6, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 16-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | BEGIN
19 | {
20 | printf("Tracing nanosecond time in off-CPU stacks. Ctrl-C to end.\n");
21 | }
22 |
23 | kprobe:finish_task_switch
24 | {
25 | // record previous thread sleep time
26 | $prev = (struct task_struct *)arg0;
27 | if ($1 == 0 || $prev->tgid == $1) {
28 | @start[$prev->pid] = nsecs;
29 | }
30 |
31 | // get the current thread start time
32 | $last = @start[tid];
33 | if ($last != 0) {
34 | @[kstack, ustack, comm] = sum(nsecs - $last);
35 | delete(@start[tid]);
36 | }
37 | }
38 |
39 | END
40 | {
41 | clear(@start);
42 | }
43 |
--------------------------------------------------------------------------------
/originals/Ch06_CPUs/runqlat.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * runqlat.bt CPU scheduler run queue latency as a histogram.
4 | * For Linux, uses bpftrace, eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * This is a bpftrace version of the bcc tool of the same name.
10 | *
11 | * Copyright 2018 Netflix, Inc.
12 | * Licensed under the Apache License, Version 2.0 (the "License")
13 | *
14 | * 17-Sep-2018 Brendan Gregg Created this.
15 | */
16 |
17 | #include
18 |
19 | BEGIN
20 | {
21 | printf("Tracing CPU scheduler... Hit Ctrl-C to end.\n");
22 | }
23 |
24 | tracepoint:sched:sched_wakeup,
25 | tracepoint:sched:sched_wakeup_new
26 | {
27 | @qtime[args->pid] = nsecs;
28 | }
29 |
30 | tracepoint:sched:sched_switch
31 | {
32 | if (args->prev_state == TASK_RUNNING) {
33 | @qtime[args->prev_pid] = nsecs;
34 | }
35 |
36 | $ns = @qtime[args->next_pid];
37 | if ($ns) {
38 | @usecs = hist((nsecs - $ns) / 1000);
39 | }
40 | delete(@qtime[args->next_pid]);
41 | }
42 |
43 | END
44 | {
45 | clear(@qtime);
46 | }
47 |
--------------------------------------------------------------------------------
/originals/Ch06_CPUs/runqlen.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * runqlen.bt CPU scheduler run queue length as a histogram.
4 | * For Linux, uses bpftrace, eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * This is a bpftrace version of the bcc tool of the same name.
10 | *
11 | * Copyright 2018 Netflix, Inc.
12 | * Licensed under the Apache License, Version 2.0 (the "License")
13 | *
14 | * 07-Oct-2018 Brendan Gregg Created this.
15 | */
16 |
17 | #include
18 |
19 | // Until BTF is available, we'll need to declare some of this struct manually,
20 | // since it isn't avaible to be #included. This will need maintenance to match
21 | // your kernel version. It is from kernel/sched/sched.h:
22 | struct cfs_rq_partial {
23 | struct load_weight load;
24 | unsigned long runnable_weight;
25 | unsigned int nr_running;
26 | };
27 |
28 | BEGIN
29 | {
30 | printf("Sampling run queue length at 99 Hertz... Hit Ctrl-C to end.\n");
31 | }
32 |
33 | profile:hz:99
34 | {
35 | $task = (struct task_struct *)curtask;
36 | $my_q = (struct cfs_rq_partial *)$task->se.cfs_rq;
37 | $len = $my_q->nr_running;
38 | $len = $len > 0 ? $len - 1 : 0; // subtract currently running task
39 | @runqlen = lhist($len, 0, 100, 1);
40 | }
41 |
--------------------------------------------------------------------------------
/originals/Ch06_CPUs/smpcalls.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * smpcalls - Time SMP calls.
4 | *
5 | * See BPF Performance Tools, Chapter 6, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 23-Jan-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing SMP calls. Hit Ctrl-C to stop.\n");
19 | }
20 |
21 | kprobe:smp_call_function_single,
22 | kprobe:smp_call_function_many
23 | {
24 | @ts[tid] = nsecs;
25 | @func[tid] = arg1;
26 | }
27 |
28 | kretprobe:smp_call_function_single,
29 | kretprobe:smp_call_function_many
30 | /@ts[tid]/
31 | {
32 | @time_ns[ksym(@func[tid])] = hist(nsecs - @ts[tid]);
33 | delete(@ts[tid]);
34 | delete(@func[tid]);
35 | }
36 |
37 | kprobe:native_smp_send_reschedule
38 | {
39 | @ts[tid] = nsecs;
40 | @func[tid] = reg("ip");
41 | }
42 |
43 | kretprobe:native_smp_send_reschedule
44 | /@ts[tid]/
45 | {
46 | @time_ns[ksym(@func[tid])] = hist(nsecs - @ts[tid]);
47 | delete(@ts[tid]);
48 | delete(@func[tid]);
49 | }
50 |
51 | END
52 | {
53 | clear(@ts);
54 | clear(@func);
55 | }
56 |
--------------------------------------------------------------------------------
/originals/Ch07_Memory/brkstack.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * brkstack - Count brk(2) syscalls with user stacks.
4 | *
5 | * See BPF Performance Tools, Chapter 7, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 26-Jan-2019 Brendan Gregg Created this.
14 | */
15 |
16 | tracepoint:syscalls:sys_enter_brk
17 | {
18 | @[ustack, comm] = count();
19 | }
20 |
--------------------------------------------------------------------------------
/originals/Ch07_Memory/faults.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * faults - Count page faults with user stacks.
4 | *
5 | * See BPF Performance Tools, Chapter 7, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 27-Jan-2019 Brendan Gregg Created this.
14 | */
15 |
16 | software:page-faults:1
17 | {
18 | @[ustack, comm] = count();
19 | }
20 |
--------------------------------------------------------------------------------
/originals/Ch07_Memory/ffaults.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * ffaults - Count page faults by filename.
4 | *
5 | * See BPF Performance Tools, Chapter 7, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 26-Jan-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | kprobe:handle_mm_fault
19 | {
20 | $vma = (struct vm_area_struct *)arg0;
21 | $file = $vma->vm_file->f_path.dentry->d_name.name;
22 | @[str($file)] = count();
23 | }
24 |
--------------------------------------------------------------------------------
/originals/Ch07_Memory/hfaults.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * hfaults - Count huge page faults by process.
4 | *
5 | * See BPF Performance Tools, Chapter 7, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Amer Ather.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | */
13 |
14 | BEGIN
15 | {
16 | printf("Tracing Huge Page faults per process... Hit Ctrl-C to end.\n");
17 | }
18 |
19 | kprobe:hugetlb_fault
20 | {
21 | @[pid, comm] = count();
22 | }
23 |
--------------------------------------------------------------------------------
/originals/Ch07_Memory/mmapsnoop.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | #
3 | # mmapsnoop - Trace mmap(2) calls.
4 | #
5 | # See BPF Performance Tools, Chapter 15, for an explanation of this tool.
6 | #
7 | # Copyright (c) 2019 Brendan Gregg.
8 | # Licensed under the Apache License, Version 2.0 (the "License").
9 | # This was originally created for the BPF Performance Tools book
10 | # published by Addison Wesley. ISBN-13: 9780136554820
11 | # When copying or porting, include this comment.
12 | #
13 | # 03-Feb-2019 Brendan Gregg Created this.
14 |
15 | from __future__ import print_function
16 | from bcc import BPF
17 | import argparse
18 | from struct import pack
19 | import ctypes as ct
20 | from time import strftime, time
21 |
22 | # arguments
23 | examples = """examples:
24 | ./mmap # trace all mmap calls
25 | ./mmap -T # include time column (HH:MM:SS)
26 | """
27 | parser = argparse.ArgumentParser(
28 | description="Trace mmap() calls system-wide",
29 | formatter_class=argparse.RawDescriptionHelpFormatter,
30 | epilog=examples)
31 | parser.add_argument("-T", "--time", action="store_true",
32 | help="include time column on output (HH:MM:SS)")
33 | parser.add_argument("--ebpf", action="store_true",
34 | help=argparse.SUPPRESS)
35 | args = parser.parse_args()
36 | debug = 0
37 |
38 | # define BPF program
39 | bpf_text = """
40 | #include
41 | #include
42 | #include
43 | #include
44 |
45 | struct mmap_data_t {
46 | u64 len;
47 | u64 prot;
48 | u64 flags;
49 | u64 off;
50 | u64 pid;
51 | char comm[TASK_COMM_LEN];
52 | char path[DNAME_INLINE_LEN];
53 | };
54 | BPF_PERF_OUTPUT(mmap_events);
55 |
56 | struct fdkey_t {
57 | int pid;
58 | int fd;
59 | };
60 |
61 | BPF_HASH(fd2file, struct fdkey_t, struct file *);
62 |
63 | // cache pid+FD -> file for later lookup
64 | // TODO: use a task->files->fdt->fd[] lookup in the mmap tracepoint instead.
65 | int kprobe__fd_install(struct pt_regs *ctx, int fd, struct file *file)
66 | {
67 | u32 pid = bpf_get_current_pid_tgid() >> 32;
68 | struct fdkey_t key = {.fd = fd, .pid = pid};
69 | fd2file.update(&key, &file);
70 | return 0;
71 | }
72 |
73 | // assume this and other events are in PID context
74 | int kprobe____close_fd(struct pt_regs *ctx, struct files_struct *files, int fd)
75 | {
76 | u32 pid = bpf_get_current_pid_tgid() >> 32;
77 | struct fdkey_t key = {.fd = fd, .pid = pid};
78 | fd2file.delete(&key);
79 | return 0;
80 | }
81 |
82 | TRACEPOINT_PROBE(syscalls, sys_enter_mmap) {
83 | struct task_struct *task;
84 | struct file **fpp, *file;
85 | u32 pid = bpf_get_current_pid_tgid() >> 32;
86 | struct fdkey_t key = {.fd = args->fd, .pid = pid};
87 |
88 | fpp = fd2file.lookup(&key);
89 | if (fpp == 0)
90 | return 0;
91 | file = *fpp;
92 |
93 | struct mmap_data_t data = {
94 | .len = args->len,
95 | .prot = args->prot,
96 | .flags = args->flags,
97 | .off = args->off,
98 | .pid = pid
99 | };
100 | bpf_get_current_comm(&data.comm, sizeof(data.comm));
101 |
102 | struct dentry *de = file->f_path.dentry;
103 | struct qstr d_name = {};
104 | bpf_probe_read(&d_name, sizeof(d_name), (void *)&de->d_name);
105 | bpf_probe_read(&data.path, sizeof(data.path), d_name.name);
106 | mmap_events.perf_submit(args, &data, sizeof(data));
107 |
108 | return 0;
109 | }
110 | """
111 |
112 | if debug or args.ebpf:
113 | print(bpf_text)
114 | if args.ebpf:
115 | exit()
116 |
117 | # event data
118 | TASK_COMM_LEN = 16 # linux/sched.h
119 | DNAME_INLINE_LEN = 32 # linux/dcache.h
120 |
121 | class Data(ct.Structure):
122 | _fields_ = [
123 | ("len", ct.c_ulonglong),
124 | ("prot", ct.c_ulonglong),
125 | ("flags", ct.c_ulonglong),
126 | ("off", ct.c_ulonglong),
127 | ("pid", ct.c_ulonglong),
128 | ("comm", ct.c_char * TASK_COMM_LEN),
129 | ("path", ct.c_char * DNAME_INLINE_LEN)
130 | ]
131 |
132 | # from uapi/asm-generic/mman-common.h:
133 | PROT_READ = 0x1
134 | PROT_WRITE = 0x2
135 | PROT_EXEC = 0x4
136 | MAP_SHARED = 0x1
137 | MAP_PRIVATE = 0x2
138 | MAP_FIXED = 0x10
139 | MAP_ANON = 0x20
140 |
141 | # process event
142 | def print_event(cpu, data, size):
143 | event = ct.cast(data, ct.POINTER(Data)).contents
144 |
145 | # protection flags
146 | r = "R" if event.prot & PROT_READ else "-"
147 | w = "W" if event.prot & PROT_WRITE else "-"
148 | x = "E" if event.prot & PROT_EXEC else "-"
149 | prot = r + w + x
150 |
151 | # map flags
152 | s = "S" if event.flags & MAP_SHARED else "-"
153 | p = "P" if event.flags & MAP_PRIVATE else "-"
154 | f = "F" if event.flags & MAP_FIXED else "-"
155 | a = "A" if event.flags & MAP_ANON else "-"
156 | flags = s + p + f + a
157 |
158 | if args.time:
159 | print("%-8s " % strftime("%H:%M:%S"), end="")
160 | print("%-6d %-14.14s %-4s %-5s %-8d %-8d %s" % (event.pid,
161 | event.comm, prot, flags, event.off / 1024, event.len / 1024,
162 | event.path))
163 |
164 | # initialize BPF
165 | b = BPF(text=bpf_text)
166 |
167 | # header
168 | if args.time:
169 | print("%-8s " % ("TIME"), end="")
170 | print("%-6s %-14.14s %-4s %-5s %-8s %-8s %s" % ("PID", "COMM", "PROT", "MAP",
171 | "OFFS(KB)", "SIZE(KB)", "FILE"));
172 |
173 | # read events
174 | b["mmap_events"].open_perf_buffer(print_event, page_cnt=64)
175 | while 1:
176 | try:
177 | b.perf_buffer_poll()
178 | except KeyboardInterrupt:
179 | exit()
180 |
--------------------------------------------------------------------------------
/originals/Ch07_Memory/oomkill.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * oomkill Trace OOM killer.
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * This traces the kernel out-of-memory killer, and prints basic details,
10 | * including the system load averages. This can provide more context on the
11 | * system state at the time of OOM: was it getting busier or steady, based
12 | * on the load averages? This tool may also be useful to customize for
13 | * investigations; for example, by adding other task_struct details at the
14 | * time of the OOM, or other commands in the system() call.
15 | *
16 | * This currently works by using kernel dynamic tracing of oom_kill_process().
17 | *
18 | * USAGE: oomkill.bt
19 | *
20 | * Copyright 2018 Netflix, Inc.
21 | * Licensed under the Apache License, Version 2.0 (the "License")
22 | *
23 | * 07-Sep-2018 Brendan Gregg Created this.
24 | */
25 |
26 | #include
27 |
28 | BEGIN
29 | {
30 | printf("Tracing oom_kill_process()... Hit Ctrl-C to end.\n");
31 | }
32 |
33 | kprobe:oom_kill_process
34 | {
35 | $oc = (struct oom_control *)arg1;
36 | time("%H:%M:%S ");
37 | printf("Triggered by PID %d (\"%s\"), ", pid, comm);
38 | printf("OOM kill of PID %d (\"%s\"), %d pages, loadavg: ",
39 | $oc->chosen->pid, $oc->chosen->comm, $oc->totalpages);
40 | cat("/proc/loadavg");
41 | }
42 |
--------------------------------------------------------------------------------
/originals/Ch07_Memory/swapin.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * swapin - Show swapins by process.
4 | *
5 | * See BPF Performance Tools, Chapter 7, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 26-Jan-2019 Brendan Gregg Created this.
14 | */
15 |
16 | kprobe:swap_readpage
17 | {
18 | @[comm, pid] = count();
19 | }
20 |
21 | interval:s:1
22 | {
23 | time();
24 | print(@);
25 | clear(@);
26 | }
27 |
--------------------------------------------------------------------------------
/originals/Ch07_Memory/vmscan.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * vmscan - Measure VM scanner shrink and reclaim times.
4 | *
5 | * See BPF Performance Tools, Chapter 7, for an explanation of this tool.
6 | *
7 | * Also see see Mel Gorman's trace-vmscan-postprocess.pl.
8 | *
9 | * Copyright (c) 2019 Brendan Gregg.
10 | * Licensed under the Apache License, Version 2.0 (the "License").
11 | * This was originally created for the BPF Performance Tools book
12 | * published by Addison Wesley. ISBN-13: 9780136554820
13 | * When copying or porting, include this comment.
14 | *
15 | * 26-Jan-2019 Brendan Gregg Created this.
16 | */
17 |
18 | tracepoint:vmscan:mm_shrink_slab_start { @start_ss[tid] = nsecs; }
19 | tracepoint:vmscan:mm_shrink_slab_end /@start_ss[tid]/
20 | {
21 | $dur_ss = nsecs - @start_ss[tid];
22 | @sum_ss = @sum_ss + $dur_ss;
23 | @shrink_slab_ns = hist($dur_ss);
24 | delete(@start_ss[tid]);
25 | }
26 |
27 | tracepoint:vmscan:mm_vmscan_direct_reclaim_begin { @start_dr[tid] = nsecs; }
28 | tracepoint:vmscan:mm_vmscan_direct_reclaim_end /@start_dr[tid]/
29 | {
30 | $dur_dr = nsecs - @start_dr[tid];
31 | @sum_dr = @sum_dr + $dur_dr;
32 | @direct_reclaim_ns = hist($dur_dr);
33 | delete(@start_dr[tid]);
34 | }
35 |
36 |
37 | tracepoint:vmscan:mm_vmscan_memcg_reclaim_begin { @start_mr[tid] = nsecs; }
38 | tracepoint:vmscan:mm_vmscan_memcg_reclaim_end /@start_mr[tid]/
39 | {
40 | $dur_mr = nsecs - @start_mr[tid];
41 | @sum_mr = @sum_mr + $dur_mr;
42 | @memcg_reclaim_ns = hist($dur_mr);
43 | delete(@start_mr[tid]);
44 | }
45 |
46 | tracepoint:vmscan:mm_vmscan_wakeup_kswapd { @count_wk++; }
47 |
48 | tracepoint:vmscan:mm_vmscan_writepage { @count_wp++; }
49 |
50 | BEGIN
51 | {
52 | printf("%-10s %10s %12s %12s %6s %9s\n", "TIME",
53 | "S-SLABms", "D-RECLAIMms", "M-RECLAIMms", "KSWAPD", "WRITEPAGE");
54 |
55 | }
56 |
57 | interval:s:1
58 | {
59 | time("%H:%M:%S");
60 | printf(" %10d %12d %12d %6d %9d\n",
61 | @sum_ss / 1000000, @sum_dr / 1000000, @sum_mr / 1000000,
62 | @count_wk, @count_wp);
63 | clear(@sum_ss);
64 | clear(@sum_dr);
65 | clear(@sum_mr);
66 | clear(@count_wk);
67 | clear(@count_wp);
68 | }
69 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/bufgrow.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * bufgrow - Buffer cache growth by process and bytes.
4 | *
5 | * See BPF Performance Tools, Chapter 8, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 03-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | kprobe:add_to_page_cache_lru
19 | {
20 | $as = (struct address_space *)arg1;
21 | $mode = $as->host->i_mode;
22 | // match block mode, uapi/linux/stat.h:
23 | if ($mode & 0x6000) {
24 | @kb[comm] = sum(4); // page size
25 | }
26 | }
27 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/dcsnoop.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * dcsnoop Trace directory entry cache (dcache) lookups.
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * This uses kernel dynamic tracing of kernel functions, lookup_fast() and
10 | * d_lookup(), which will need to be modified to match kernel changes. See
11 | * code comments.
12 | *
13 | * USAGE: dcsnoop.bt
14 | *
15 | * Copyright 2018 Netflix, Inc.
16 | * Licensed under the Apache License, Version 2.0 (the "License")
17 | *
18 | * 08-Sep-2018 Brendan Gregg Created this.
19 | */
20 |
21 | #include
22 | #include
23 |
24 | // from fs/namei.c:
25 | struct nameidata {
26 | struct path path;
27 | struct qstr last;
28 | // [...]
29 | };
30 |
31 | BEGIN
32 | {
33 | printf("Tracing dcache lookups... Hit Ctrl-C to end.\n");
34 | printf("%-8s %-6s %-16s %1s %s\n", "TIME", "PID", "COMM", "T", "FILE");
35 | }
36 |
37 | // comment out this block to avoid showing hits:
38 | kprobe:lookup_fast
39 | {
40 | $nd = (struct nameidata *)arg0;
41 | printf("%-8d %-6d %-16s R %s\n", elapsed / 1000000, pid, comm,
42 | str($nd->last.name));
43 | }
44 |
45 | kprobe:d_lookup
46 | {
47 | $name = (struct qstr *)arg1;
48 | @fname[tid] = $name->name;
49 | }
50 |
51 | kretprobe:d_lookup
52 | /@fname[tid]/
53 | {
54 | if (retval == 0) {
55 | printf("%-8d %-6d %-16s M %s\n", elapsed / 1000000, pid, comm,
56 | str(@fname[tid]));
57 | }
58 | delete(@fname[tid]);
59 | }
60 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/dcstat.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * dcstat - Directory cache hit statistics.
4 | *
5 | * See BPF Performance Tools, Chapter 8, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 26-Mar-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing dcache lookups... Hit Ctrl-C to end.\n");
19 | printf("%10s %10s %5s%\n", "REFS", "MISSES", "HIT%");
20 | }
21 |
22 | kprobe:lookup_fast { @hits++; }
23 |
24 | kretprobe:d_lookup /retval == 0/ { @misses++; }
25 |
26 | interval:s:1
27 | {
28 | $refs = @hits + @misses;
29 | $percent = $refs > 0 ? 100 * @hits / $refs : 0;
30 | printf("%10d %10d %4d%%\n", $refs, @misses, $percent);
31 | clear(@hits);
32 | clear(@misses);
33 | }
34 |
35 | END
36 | {
37 | clear(@hits);
38 | clear(@misses);
39 | }
40 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/ext4dist.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * ext4dist - Common ext4 operation latency histograms.
4 | *
5 | * See BPF Performance Tools, Chapter 8, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 02-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing ext4 operation latency... Hit Ctrl-C to end.\n");
19 | }
20 |
21 | kprobe:ext4_file_read_iter,
22 | kprobe:ext4_file_write_iter,
23 | kprobe:ext4_file_open,
24 | kprobe:ext4_sync_file
25 | {
26 | @start[tid] = nsecs;
27 | @name[tid] = func;
28 | }
29 |
30 | kretprobe:ext4_file_read_iter,
31 | kretprobe:ext4_file_write_iter,
32 | kretprobe:ext4_file_open,
33 | kretprobe:ext4_sync_file
34 | /@start[tid]/
35 | {
36 | @us[@name[tid]] = hist((nsecs - @start[tid]) / 1000);
37 | delete(@start[tid]);
38 | delete(@name[tid]);
39 | }
40 |
41 | END
42 | {
43 | clear(@start);
44 | clear(@name);
45 | }
46 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/filelife.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * filelife - Trace short-lived files with their duration.
4 | *
5 | * See BPF Performance Tools, Chapter 8, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 31-Jan-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | BEGIN
19 | {
20 | printf("%-6s %-16s %8s %s\n", "PID", "COMM", "AGE(ms)", "FILE");
21 | }
22 |
23 | kprobe:vfs_create,
24 | kprobe:security_inode_create
25 | {
26 | @birth[arg1] = nsecs;
27 | }
28 |
29 | kprobe:vfs_unlink
30 | /@birth[arg1]/
31 | {
32 | $dur = nsecs - @birth[arg1];
33 | delete(@birth[arg1]);
34 | $dentry = (struct dentry *)arg1;
35 | printf("%-6d %-16s %8d %s\n", pid, comm, $dur / 1000000,
36 | str($dentry->d_name.name));
37 | }
38 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/fileslower.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * fileslower - Show slow file reads/writes.
4 | *
5 | * See BPF Performance Tools, Chapter 8, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 31-Jan-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | BEGIN
19 | {
20 | printf("%-8s %-16s %-6s T %-7s %7s %s\n", "TIMEms", "COMM", "PID",
21 | "BYTES", "LATms", "FILE");
22 | }
23 |
24 | kprobe:new_sync_read,
25 | kprobe:new_sync_write
26 | {
27 | $file = (struct file *)arg0;
28 | if ($file->f_path.dentry->d_name.len != 0) {
29 | @name[tid] = $file->f_path.dentry->d_name.name;
30 | @size[tid] = arg2;
31 | @start[tid] = nsecs;
32 | }
33 | }
34 |
35 | kretprobe:new_sync_read
36 | /@start[tid]/
37 | {
38 | $read_ms = (nsecs - @start[tid]) / 1000000;
39 | if ($read_ms >= 1) {
40 | printf("%-8d %-16s %-6d R %-7d %7d %s\n", nsecs / 1000000,
41 | comm, pid, @size[tid], $read_ms, str(@name[tid]));
42 | }
43 | delete(@start[tid]); delete(@size[tid]); delete(@name[tid]);
44 | }
45 |
46 | kretprobe:new_sync_write
47 | /@start[tid]/
48 | {
49 | $write_ms = (nsecs - @start[tid]) / 1000000;
50 | if ($write_ms >= 1) {
51 | printf("%-8d %-16s %-6d W %-7d %7d %s\n", nsecs / 1000000,
52 | comm, pid, @size[tid], $write_ms, str(@name[tid]));
53 | }
54 | delete(@start[tid]); delete(@size[tid]); delete(@name[tid]);
55 | }
56 |
57 | END
58 | {
59 | clear(@start); clear(@size); clear(@name);
60 | }
61 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/filetype.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * filetype - Show VFS reads/writes by file type and process.
4 | *
5 | * See BPF Performance Tools, Chapter 8, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 02-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | BEGIN
19 | {
20 | // from uapi/linux/stat.h:
21 | @type[0xc000] = "socket";
22 | @type[0xa000] = "link";
23 | @type[0x8000] = "regular";
24 | @type[0x6000] = "block";
25 | @type[0x4000] = "directory";
26 | @type[0x2000] = "character";
27 | @type[0x1000] = "fifo";
28 | @type[0] = "other";
29 | }
30 |
31 | kprobe:vfs_read,
32 | kprobe:vfs_readv,
33 | kprobe:vfs_write,
34 | kprobe:vfs_writev
35 | {
36 | $file = (struct file *)arg0;
37 | $mode = $file->f_inode->i_mode;
38 | @[@type[$mode & 0xf000], func, comm] = count();
39 | }
40 |
41 | END
42 | {
43 | clear(@type);
44 | }
45 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/filetype2.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * filetype2 - Show VFS reads/writes by file type and process.
4 | *
5 | * See BPF Performance Tools, Chapter 8, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 02-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | BEGIN
19 | {
20 | printf("Tracing VFS reads and writes... Hit Ctrl-C to end.\n");
21 | // from include/linux/fs.h:
22 | @type2str[0] = "UNKNOWN";
23 | @type2str[1] = "FIFO";
24 | @type2str[2] = "CHR";
25 | @type2str[4] = "DIR";
26 | @type2str[6] = "BLK";
27 | @type2str[8] = "REG";
28 | @type2str[10] = "LNK";
29 | @type2str[12] = "SOCK";
30 | @type2str[14] = "WHT";
31 | }
32 |
33 | kprobe:vfs_read,
34 | kprobe:vfs_readv,
35 | kprobe:vfs_write,
36 | kprobe:vfs_writev
37 | {
38 | $file = (struct file *)arg0;
39 | $type = ($file->f_inode->i_mode >> 12) & 15;
40 | @[@type2str[$type], func, comm] = count();
41 | }
42 |
43 | END
44 | {
45 | clear(@type2str);
46 | }
47 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/fmapfault.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * fmapfault - Count file map faults.
4 | *
5 | * See BPF Performance Tools, Chapter 8, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 26-Jan-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | kprobe:filemap_fault
19 | {
20 | $vf = (struct vm_fault *)arg0;
21 | $file = $vf->vma->vm_file->f_path.dentry->d_name.name;
22 | @[comm, str($file)] = count();
23 | }
24 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/fsrwstat.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * fsrwstat - Show VFS reads/writes by file system type.
4 | *
5 | * See BPF Performance Tools, Chapter 8, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 01-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | BEGIN
19 | {
20 | printf("Tracing VFS reads and writes... Hit Ctrl-C to end.\n");
21 | }
22 |
23 | kprobe:vfs_read,
24 | kprobe:vfs_readv,
25 | kprobe:vfs_write,
26 | kprobe:vfs_writev
27 | {
28 | @[str(((struct file *)arg0)->f_inode->i_sb->s_type->name), func] =
29 | count();
30 | }
31 |
32 | interval:s:1
33 | {
34 | time(); print(@); clear(@);
35 | }
36 |
37 | END
38 | {
39 | clear(@);
40 | }
41 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/icstat.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * icstat - Inode cache hit statistics.
4 | *
5 | * See BPF Performance Tools, Chapter 8, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 02-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing icache lookups... Hit Ctrl-C to end.\n");
19 | printf("%10s %10s %5s\n", "REFS", "MISSES", "HIT%");
20 | }
21 |
22 | kretprobe:find_inode_fast
23 | {
24 | @refs++;
25 | if (retval == 0) {
26 | @misses++;
27 | }
28 | }
29 |
30 | interval:s:1
31 | {
32 | $hits = @refs - @misses;
33 | $percent = @refs > 0 ? 100 * $hits / @refs : 0;
34 | printf("%10d %10d %4d%%\n", @refs, @misses, $percent);
35 | clear(@refs);
36 | clear(@misses);
37 | }
38 |
39 | END
40 | {
41 | clear(@refs);
42 | clear(@misses);
43 | }
44 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/mmapfiles.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * mmapfiles - Count mmap(2) files.
4 | *
5 | * See BPF Performance Tools, Chapter 8, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 26-Jan-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | kprobe:do_mmap
19 | {
20 | $file = (struct file *)arg0;
21 | $name = $file->f_path.dentry;
22 | $dir1 = $name->d_parent;
23 | $dir2 = $dir1->d_parent;
24 | @[str($dir2->d_name.name), str($dir1->d_name.name),
25 | str($name->d_name.name)] = count();
26 | }
27 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/opensnoop.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * opensnoop Trace open() syscalls.
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * Also a basic example of bpftrace.
10 | *
11 | * USAGE: opensnoop.bt
12 | *
13 | * This is a bpftrace version of the bcc tool of the same name.
14 | *
15 | * Copyright 2018 Netflix, Inc.
16 | * Licensed under the Apache License, Version 2.0 (the "License")
17 | *
18 | * 08-Sep-2018 Brendan Gregg Created this.
19 | */
20 |
21 | BEGIN
22 | {
23 | printf("Tracing open syscalls... Hit Ctrl-C to end.\n");
24 | printf("%-6s %-16s %4s %3s %s\n", "PID", "COMM", "FD", "ERR", "PATH");
25 | }
26 |
27 | tracepoint:syscalls:sys_enter_open,
28 | tracepoint:syscalls:sys_enter_openat
29 | {
30 | @filename[tid] = args->filename;
31 | }
32 |
33 | tracepoint:syscalls:sys_exit_open,
34 | tracepoint:syscalls:sys_exit_openat
35 | /@filename[tid]/
36 | {
37 | $ret = args->ret;
38 | $fd = $ret > 0 ? $ret : -1;
39 | $errno = $ret > 0 ? 0 : - $ret;
40 |
41 | printf("%-6d %-16s %4d %3d %s\n", pid, comm, $fd, $errno,
42 | str(@filename[tid]));
43 | delete(@filename[tid]);
44 | }
45 |
46 | END
47 | {
48 | clear(@filename);
49 | }
50 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/readahead.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * readahead - Show read ahead hits and efficiency.
4 | *
5 | * See BPF Performance Tools, Chapter 8, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 03-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | kprobe:__do_page_cache_readahead { @in_readahead[tid] = 1; }
17 | kretprobe:__do_page_cache_readahead { @in_readahead[tid] = 0; }
18 |
19 | kretprobe:__page_cache_alloc
20 | /@in_readahead[tid]/
21 | {
22 | @birth[retval] = nsecs;
23 | @rapages++;
24 | }
25 |
26 | kprobe:mark_page_accessed
27 | /@birth[arg0]/
28 | {
29 | @age_ms = hist((nsecs - @birth[arg0]) / 1000000);
30 | delete(@birth[arg0]);
31 | @rapages--;
32 | }
33 |
34 | END
35 | {
36 | printf("\nReadahead unused pages: %d\n", @rapages);
37 | printf("\nReadahead used page age (ms):\n");
38 | print(@age_ms); clear(@age_ms);
39 | clear(@birth); clear(@in_readahead); clear(@rapages);
40 | }
41 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/scread.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * scread - Count read(2) files.
4 | *
5 | * See BPF Performance Tools, Chapter 8, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 26-Jan-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 | #include
19 |
20 | tracepoint:syscalls:sys_enter_read
21 | {
22 | $task = (struct task_struct *)curtask;
23 | $file = (struct file *)*($task->files->fdt->fd + args->fd);
24 | @filename[str($file->f_path.dentry->d_name.name)] = count();
25 | }
26 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/statsnoop.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * statsnoop Trace stat() syscalls.
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * This traces the traecepoints for statfs(), statx(), newstat(), and
10 | * newlstat(). These aren't the only the stat syscalls: if you are missing
11 | * activity, you may need to add more variants.
12 | *
13 | * Also a basic example of bpftrace.
14 | *
15 | * USAGE: statsnoop.bt
16 | *
17 | * This is a bpftrace version of the bcc tool of the same name.
18 | *
19 | * Copyright 2018 Netflix, Inc.
20 | * Licensed under the Apache License, Version 2.0 (the "License")
21 | *
22 | * 08-Sep-2018 Brendan Gregg Created this.
23 | */
24 |
25 | BEGIN
26 | {
27 | printf("Tracing stat syscalls... Hit Ctrl-C to end.\n");
28 | printf("%-6s %-16s %3s %s\n", "PID", "COMM", "ERR", "PATH");
29 | }
30 |
31 | tracepoint:syscalls:sys_enter_statfs
32 | {
33 | @filename[tid] = args->pathname;
34 | }
35 |
36 | tracepoint:syscalls:sys_enter_statx,
37 | tracepoint:syscalls:sys_enter_newstat,
38 | tracepoint:syscalls:sys_enter_newlstat
39 | {
40 | @filename[tid] = args->filename;
41 | }
42 |
43 | tracepoint:syscalls:sys_exit_statfs,
44 | tracepoint:syscalls:sys_exit_statx,
45 | tracepoint:syscalls:sys_exit_newstat,
46 | tracepoint:syscalls:sys_exit_newlstat
47 | /@filename[tid]/
48 | {
49 | $ret = args->ret;
50 | $errno = $ret >= 0 ? 0 : - $ret;
51 |
52 | printf("%-6d %-16s %3d %s\n", pid, comm, $errno,
53 | str(@filename[tid]));
54 | delete(@filename[tid]);
55 | }
56 |
57 | END
58 | {
59 | clear(@filename);
60 | }
61 |
62 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/syncsnoop.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * syncsnoop Trace sync() variety of syscalls.
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * Also a basic example of bpftrace.
10 | *
11 | * USAGE: syncsnoop.bt
12 | *
13 | * This is a bpftrace version of the bcc tool of the same name.
14 | *
15 | * Copyright 2018 Netflix, Inc.
16 | * Licensed under the Apache License, Version 2.0 (the "License")
17 | *
18 | * 06-Sep-2018 Brendan Gregg Created this.
19 | */
20 |
21 | BEGIN
22 | {
23 | printf("Tracing sync syscalls... Hit Ctrl-C to end.\n");
24 | printf("%-9s %-6s %-16s %s\n", "TIME", "PID", "COMM", "EVENT");
25 | }
26 |
27 | tracepoint:syscalls:sys_enter_sync,
28 | tracepoint:syscalls:sys_enter_syncfs,
29 | tracepoint:syscalls:sys_enter_fsync,
30 | tracepoint:syscalls:sys_enter_fdatasync,
31 | tracepoint:syscalls:sys_enter_sync_file_range,
32 | tracepoint:syscalls:sys_enter_msync
33 | {
34 | time("%H:%M:%S ");
35 | printf("%-6d %-16s %s\n", pid, comm, probe);
36 | }
37 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/vfscount.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * vfscount Count VFS calls ("vfs_*").
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * Written as a basic example of counting kernel functions.
10 | *
11 | * USAGE: vfscount.bt
12 | *
13 | * This is a bpftrace version of the bcc tool of the same name.
14 | *
15 | * Copyright 2018 Netflix, Inc.
16 | * Licensed under the Apache License, Version 2.0 (the "License")
17 | *
18 | * 06-Sep-2018 Brendan Gregg Created this.
19 | */
20 |
21 | BEGIN
22 | {
23 | printf("Tracing VFS calls... Hit Ctrl-C to end.\n");
24 |
25 | }
26 |
27 | kprobe:vfs_*
28 | {
29 | @[func] = count();
30 | }
31 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/vfssize.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * vfssize - Show VFS read/write sizes.
4 | *
5 | * See BPF Performance Tools, Chapter 8, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 17-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | kprobe:vfs_read,
19 | kprobe:vfs_readv,
20 | kprobe:vfs_write,
21 | kprobe:vfs_writev
22 | {
23 | @file[tid] = arg0;
24 | }
25 |
26 | kretprobe:vfs_read,
27 | kretprobe:vfs_readv,
28 | kretprobe:vfs_write,
29 | kretprobe:vfs_writev
30 | /@file[tid]/
31 | {
32 | if (retval >= 0) {
33 | $file = (struct file *)@file[tid];
34 | $name = $file->f_path.dentry->d_name.name;
35 | if ((($file->f_inode->i_mode >> 12) & 15) == DT_FIFO) {
36 | @[comm, "FIFO"] = hist(retval);
37 | } else {
38 | @[comm, str($name)] = hist(retval);
39 | }
40 | }
41 | delete(@file[tid]);
42 | }
43 |
44 | END
45 | {
46 | clear(@file);
47 | }
48 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/vfsstat.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * vfsstat Count some VFS calls, with per-second summaries.
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * Written as a basic example of counting multiple events and printing a
10 | * per-second summary.
11 | *
12 | * USAGE: vfsstat.bt
13 | *
14 | * This is a bpftrace version of the bcc tool of the same name.
15 | *
16 | * Copyright 2018 Netflix, Inc.
17 | * Licensed under the Apache License, Version 2.0 (the "License")
18 | *
19 | * 06-Sep-2018 Brendan Gregg Created this.
20 | */
21 |
22 | BEGIN
23 | {
24 | printf("Tracing key VFS calls... Hit Ctrl-C to end.\n");
25 |
26 | }
27 |
28 | kprobe:vfs_read*,
29 | kprobe:vfs_write*,
30 | kprobe:vfs_fsync,
31 | kprobe:vfs_open,
32 | kprobe:vfs_create
33 | {
34 | @[func] = count();
35 | }
36 |
37 | interval:s:1
38 | {
39 | time();
40 | print(@);
41 | clear(@);
42 | }
43 |
44 | END
45 | {
46 | clear(@);
47 | }
48 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/writeback.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * writeback Trace file system writeback events with details.
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * This traces when file system dirtied pages are flushed to disk by kernel
10 | * writeback, and prints details including when the event occurred, and the
11 | * duration of the event. This can be useful for correlating these times with
12 | * other performace problems, and if there is a match, it would be a clue
13 | * that the problem may be caused by writeback. How quickly the kernel does
14 | * writeback can be tuned: see the kernel docs, eg,
15 | * vm.dirty_writeback_centisecs.
16 | *
17 | * USAGE: writeback.bt
18 | *
19 | * Copyright 2018 Netflix, Inc.
20 | * Licensed under the Apache License, Version 2.0 (the "License")
21 | *
22 | * 14-Sep-2018 Brendan Gregg Created this.
23 | */
24 |
25 | BEGIN
26 | {
27 | printf("Tracing writeback... Hit Ctrl-C to end.\n");
28 | printf("%-9s %-8s %-8s %-16s %s\n", "TIME", "DEVICE", "PAGES",
29 | "REASON", "ms");
30 |
31 | // see /sys/kernel/debug/tracing/events/writeback/writeback_start/format
32 | @reason[0] = "background";
33 | @reason[1] = "vmscan";
34 | @reason[2] = "sync";
35 | @reason[3] = "periodic";
36 | @reason[4] = "laptop_timer";
37 | @reason[5] = "free_more_memory";
38 | @reason[6] = "fs_free_space";
39 | @reason[7] = "forker_thread";
40 | }
41 |
42 | tracepoint:writeback:writeback_start
43 | {
44 | @start[args->sb_dev] = nsecs;
45 | @pages[args->sb_dev] = args->nr_pages;
46 | }
47 |
48 | tracepoint:writeback:writeback_written
49 | /@start[args->sb_dev]/
50 | {
51 | $sb_dev = args->sb_dev;
52 | $s = @start[$sb_dev];
53 | $lat = $s ? (nsecs - $s) / 1000 : 0;
54 | $pages = @pages[args->sb_dev] - args->nr_pages;
55 |
56 | time("%H:%M:%S ");
57 | printf("%-8s %-8d %-16s %d.%03d\n", args->name, $pages,
58 | @reason[args->reason], $lat / 1000, $lat % 1000);
59 |
60 | delete(@start[$sb_dev]);
61 | delete(@pages[$sb_dev]);
62 | }
63 |
64 | END
65 | {
66 | clear(@reason);
67 | clear(@start);
68 | }
69 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/writesync.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * writesync - Show regular file writes by sync flag.
4 | *
5 | * See BPF Performance Tools, Chapter 8, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 19-May-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 |
19 | BEGIN
20 | {
21 | printf("Tracing VFS write sync flags... Hit Ctrl-C to end.\n");
22 | }
23 |
24 | kprobe:vfs_write,
25 | kprobe:vfs_writev
26 | {
27 | $file = (struct file *)arg0;
28 | $name = $file->f_path.dentry->d_name.name;
29 | if ((($file->f_inode->i_mode >> 12) & 15) == DT_REG) {
30 | if ($file->f_flags & O_DSYNC) {
31 | @sync[comm, str($name)] = count();
32 | } else {
33 | @regular[comm, str($name)] = count();
34 | }
35 | }
36 | }
37 |
--------------------------------------------------------------------------------
/originals/Ch08_FileSystems/xfsdist.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * xfsdist Summarize XFS operation latency.
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * This traces four common file system calls: read, write, open, and fsync.
10 | * It can be customized to trace more if desired.
11 | *
12 | * USAGE: xfsdist.bt
13 | *
14 | * This is a bpftrace version of the bcc tool of the same name.
15 | *
16 | * Copyright 2018 Netflix, Inc.
17 | * Licensed under the Apache License, Version 2.0 (the "License")
18 | *
19 | * 08-Sep-2018 Brendan Gregg Created this.
20 | */
21 |
22 | BEGIN
23 | {
24 | printf("Tracing XFS operation latency... Hit Ctrl-C to end.\n");
25 | }
26 |
27 | kprobe:xfs_file_read_iter,
28 | kprobe:xfs_file_write_iter,
29 | kprobe:xfs_file_open,
30 | kprobe:xfs_file_fsync
31 | {
32 | @start[tid] = nsecs;
33 | @name[tid] = func;
34 | }
35 |
36 | kretprobe:xfs_file_read_iter,
37 | kretprobe:xfs_file_write_iter,
38 | kretprobe:xfs_file_open,
39 | kretprobe:xfs_file_fsync
40 | /@start[tid]/
41 | {
42 | @us[@name[tid]] = hist((nsecs - @start[tid]) / 1000);
43 | delete(@start[tid]);
44 | delete(@name[tid]);
45 | }
46 |
47 | END
48 | {
49 | clear(@start);
50 | clear(@name);
51 | }
52 |
--------------------------------------------------------------------------------
/originals/Ch09_Disks/bioerr.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * bioerr - Trace disk errors.
4 | *
5 | * See BPF Performance Tools, Chapter 9, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 19-Mar-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing block I/O errors. Hit Ctrl-C to end.\n");
19 | }
20 |
21 | tracepoint:block:block_rq_complete
22 | /args->error != 0/
23 | {
24 | time("%H:%M:%S ");
25 | printf("device: %d,%d, sector: %d, bytes: %d, flags: %s, error: %d\n",
26 | args->dev >> 20, args->dev & ((1 << 20) - 1), args->sector,
27 | args->nr_sector * 512, args->rwbs, args->error);
28 | }
29 |
--------------------------------------------------------------------------------
/originals/Ch09_Disks/biolatency-tp.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * biolatency-tp.bt - Block I/O latency as a histogram, using tracepoints.
4 | *
5 | * See BPF Performance Tools, Chapter 9, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 19-Mar-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing block device I/O... Hit Ctrl-C to end.\n");
19 | }
20 |
21 | tracepoint:block:block_rq_issue
22 | {
23 | @start[args->dev, args->sector] = nsecs;
24 | }
25 |
26 | tracepoint:block:block_rq_complete
27 | /@start[args->dev, args->sector]/
28 | {
29 | @usecs = hist((nsecs - @start[args->dev, args->sector]) / 1000);
30 | delete(@start[args->dev, args->sector]);
31 | }
32 |
33 | END
34 | {
35 | clear(@start);
36 | }
37 |
--------------------------------------------------------------------------------
/originals/Ch09_Disks/biolatency.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * biolatency.bt Block I/O latency as a histogram.
4 | * For Linux, uses bpftrace, eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * This is a bpftrace version of the bcc tool of the same name.
10 | *
11 | * Copyright 2018 Netflix, Inc.
12 | * Licensed under the Apache License, Version 2.0 (the "License")
13 | *
14 | * 13-Sep-2018 Brendan Gregg Created this.
15 | */
16 |
17 | BEGIN
18 | {
19 | printf("Tracing block device I/O... Hit Ctrl-C to end.\n");
20 | }
21 |
22 | kprobe:blk_account_io_start
23 | {
24 | @start[arg0] = nsecs;
25 | }
26 |
27 | kprobe:blk_account_io_done
28 | /@start[arg0]/
29 | {
30 | @usecs = hist((nsecs - @start[arg0]) / 1000);
31 | delete(@start[arg0]);
32 | }
33 |
34 | END
35 | {
36 | clear(@start);
37 | }
38 |
--------------------------------------------------------------------------------
/originals/Ch09_Disks/biopattern.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * biopattern - Identify random/sequential disk access patterns.
4 | *
5 | * See BPF Performance Tools, Chapter 9, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 19-Mar-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("%-8s %5s %5s %8s %10s\n", "TIME", "%RND", "%SEQ", "COUNT",
19 | "KBYTES");
20 | }
21 |
22 | tracepoint:block:block_rq_complete
23 | {
24 | if (@lastsector[args->dev] == args->sector) {
25 | @sequential++;
26 | } else {
27 | @random++;
28 | }
29 | @bytes = @bytes + args->nr_sector * 512;
30 | @lastsector[args->dev] = args->sector + args->nr_sector;
31 | }
32 |
33 | interval:s:1
34 | {
35 | $count = @random + @sequential;
36 | $div = $count;
37 | if ($div == 0) {
38 | $div = 1;
39 | }
40 | time("%H:%M:%S ");
41 | printf("%5d %5d %8d %10d\n", @random * 100 / $div,
42 | @sequential * 100 / $div, $count, @bytes / 1024);
43 | clear(@random); clear(@sequential); clear(@bytes);
44 | }
45 |
46 | END
47 | {
48 | clear(@lastsector);
49 | clear(@random); clear(@sequential); clear(@bytes);
50 | }
51 |
--------------------------------------------------------------------------------
/originals/Ch09_Disks/biosnoop.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * biosnoop.bt Block I/O tracing tool, showing per I/O latency.
4 | * For Linux, uses bpftrace, eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * TODO: switch to block tracepoints. Add device, offset, and size columns.
10 | *
11 | * This is a bpftrace version of the bcc tool of the same name.
12 | *
13 | * 15-Nov-2017 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("%-12s %-16s %-6s %7s\n", "TIME(ms)", "COMM", "PID", "LAT(ms)");
19 | }
20 |
21 | kprobe:blk_account_io_start
22 | {
23 | @start[arg0] = nsecs;
24 | @iopid[arg0] = pid;
25 | @iocomm[arg0] = comm;
26 | }
27 |
28 | kprobe:blk_account_io_done
29 | /@start[arg0] != 0 && @iopid[arg0] != 0 && @iocomm[arg0] != ""/
30 | {
31 | $now = nsecs;
32 | printf("%-12u %-16s %-6d %7d\n",
33 | elapsed / 1000000, @iocomm[arg0], @iopid[arg0],
34 | ($now - @start[arg0]) / 1000000);
35 |
36 | delete(@start[arg0]);
37 | delete(@iopid[arg0]);
38 | delete(@iocomm[arg0]);
39 | }
40 |
41 | END
42 | {
43 | clear(@start);
44 | clear(@iopid);
45 | clear(@iocomm);
46 | }
47 |
--------------------------------------------------------------------------------
/originals/Ch09_Disks/biostacks.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * biostacks - Show disk I/O latency with initialization stacks.
4 | *
5 | * See BPF Performance Tools, Chapter 9, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 19-Mar-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing block I/O with init stacks. Hit Ctrl-C to end.\n");
19 | }
20 |
21 | kprobe:blk_account_io_start
22 | {
23 | @reqstack[arg0] = kstack;
24 | @reqts[arg0] = nsecs;
25 | }
26 |
27 | kprobe:blk_start_request,
28 | kprobe:blk_mq_start_request
29 | /@reqts[arg0]/
30 | {
31 | @usecs[@reqstack[arg0]] = hist(nsecs - @reqts[arg0]);
32 | delete(@reqstack[arg0]);
33 | delete(@reqts[arg0]);
34 | }
35 |
36 | END
37 | {
38 | clear(@reqstack); clear(@reqts);
39 | }
40 |
--------------------------------------------------------------------------------
/originals/Ch09_Disks/bitesize.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * bitesize Show disk I/O size as a histogram.
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * USAGE: bitesize.bt
10 | *
11 | * This is a bpftrace version of the bcc tool of the same name.
12 | *
13 | * Copyright 2018 Netflix, Inc.
14 | * Licensed under the Apache License, Version 2.0 (the "License")
15 | *
16 | * 07-Sep-2018 Brendan Gregg Created this.
17 | */
18 |
19 | BEGIN
20 | {
21 | printf("Tracing block device I/O... Hit Ctrl-C to end.\n");
22 | }
23 |
24 | tracepoint:block:block_rq_issue
25 | {
26 | @[args->comm] = hist(args->bytes);
27 | }
28 |
29 | END
30 | {
31 | printf("\nI/O size (bytes) histograms by process name:");
32 | }
33 |
--------------------------------------------------------------------------------
/originals/Ch09_Disks/iosched.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * iosched - Summarize I/O scheduler latency.
4 | *
5 | * See BPF Performance Tools, Chapter 9, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 20-Mar-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | BEGIN
19 | {
20 | printf("Tracing block I/O schedulers. Hit Ctrl-C to end.\n");
21 | }
22 |
23 | kprobe:__elv_add_request
24 | {
25 | @start[arg1] = nsecs;
26 | }
27 |
28 | kprobe:blk_start_request,
29 | kprobe:blk_mq_start_request
30 | /@start[arg0]/
31 | {
32 | $r = (struct request *)arg0;
33 | @usecs[$r->q->elevator->type->elevator_name] =
34 | hist((nsecs - @start[arg0]) / 1000);
35 | delete(@start[arg0]);
36 | }
37 |
38 | END
39 | {
40 | clear(@start);
41 | }
42 |
--------------------------------------------------------------------------------
/originals/Ch09_Disks/mdflush.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * mdflush Trace md flush events.
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * USAGE: mdflush.bt
10 | *
11 | * This is a bpftrace version of the bcc tool of the same name.
12 | *
13 | * Copyright 2018 Netflix, Inc.
14 | * Licensed under the Apache License, Version 2.0 (the "License")
15 | *
16 | * 08-Sep-2018 Brendan Gregg Created this.
17 | */
18 |
19 | #include
20 | #include
21 |
22 | BEGIN
23 | {
24 | printf("Tracing md flush events... Hit Ctrl-C to end.\n");
25 | printf("%-8s %-6s %-16s %s", "TIME", "PID", "COMM", "DEVICE");
26 | }
27 |
28 | kprobe:md_flush_request
29 | {
30 | time("%H:%M:%S ");
31 | printf("%-6d %-16s %s\n", pid, comm,
32 | ((struct bio *)arg1)->bi_disk->disk_name);
33 | }
34 |
--------------------------------------------------------------------------------
/originals/Ch09_Disks/nvmelatency.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * nvmelatency - Summarise NVME driver command latency.
4 | *
5 | * See BPF Performance Tools, Chapter 9, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 21-Mar-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 |
19 | BEGIN
20 | {
21 | printf("Tracing nvme command latency. Hit Ctrl-C to end.\n");
22 | // from linux/nvme.h:
23 | @ioopcode[0x00] = "nvme_cmd_flush";
24 | @ioopcode[0x01] = "nvme_cmd_write";
25 | @ioopcode[0x02] = "nvme_cmd_read";
26 | @ioopcode[0x04] = "nvme_cmd_write_uncor";
27 | @ioopcode[0x05] = "nvme_cmd_compare";
28 | @ioopcode[0x08] = "nvme_cmd_write_zeroes";
29 | @ioopcode[0x09] = "nvme_cmd_dsm";
30 | @ioopcode[0x0d] = "nvme_cmd_resv_register";
31 | @ioopcode[0x0e] = "nvme_cmd_resv_report";
32 | @ioopcode[0x11] = "nvme_cmd_resv_acquire";
33 | @ioopcode[0x15] = "nvme_cmd_resv_release";
34 | }
35 |
36 | kprobe:nvme_setup_cmd
37 | {
38 | $req = (struct request *)arg1;
39 | if ($req->rq_disk) {
40 | @start[arg1] = nsecs;
41 | @cmd[arg1] = arg2;
42 | } else {
43 | @admin_commands = count();
44 | }
45 | }
46 |
47 | kprobe:nvme_complete_rq
48 | /@start[arg0]/
49 | {
50 | $req = (struct request *)arg0;
51 | $cmd = (struct nvme_command *)@cmd[arg0];
52 | $disk = $req->rq_disk;
53 | $opcode = $cmd->common.opcode & 0xff;
54 | @usecs[$disk->disk_name, @ioopcode[$opcode]] =
55 | hist((nsecs - @start[arg0]) / 1000);
56 | delete(@start[tid]); delete(@cmd[tid]);
57 | }
58 |
59 | END
60 | {
61 | clear(@ioopcode); clear(@start); clear(@cmd);
62 | }
63 |
--------------------------------------------------------------------------------
/originals/Ch09_Disks/scsilatency.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * scsilatency - Show SCSI command latency distributions.
4 | *
5 | * See BPF Performance Tools, Chapter 9, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 21-Mar-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | BEGIN
19 | {
20 | printf("Tracing scsi latency. Hit Ctrl-C to end.\n");
21 | // SCSI opcodes from scsi/scsi_proto.h; add more mappings if desired:
22 | @opcode[0x00] = "TEST_UNIT_READY";
23 | @opcode[0x03] = "REQUEST_SENSE";
24 | @opcode[0x08] = "READ_6";
25 | @opcode[0x0a] = "WRITE_6";
26 | @opcode[0x0b] = "SEEK_6";
27 | @opcode[0x12] = "INQUIRY";
28 | @opcode[0x18] = "ERASE";
29 | @opcode[0x28] = "READ_10";
30 | @opcode[0x2a] = "WRITE_10";
31 | @opcode[0x2b] = "SEEK_10";
32 | @opcode[0x35] = "SYNCHRONIZE_CACHE";
33 | }
34 |
35 | kprobe:scsi_init_io
36 | {
37 | @start[arg0] = nsecs;
38 | }
39 |
40 | kprobe:scsi_done,
41 | kprobe:scsi_mq_done
42 | /@start[arg0]/
43 | {
44 | $cmnd = (struct scsi_cmnd *)arg0;
45 | $opcode = *$cmnd->req.cmd & 0xff;
46 | @usecs[$opcode, @opcode[$opcode]] = hist((nsecs - @start[arg0]) / 1000);
47 | }
48 |
49 | END
50 | {
51 | clear(@start); clear(@opcode);
52 | }
53 |
--------------------------------------------------------------------------------
/originals/Ch09_Disks/scsiresult.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * scsiresult - Show SCSI command result codes.
4 | *
5 | * See BPF Performance Tools, Chapter 9, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 21-Mar-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing scsi command results. Hit Ctrl-C to end.\n");
19 |
20 | // host byte codes, from include/scsi/scsi.h:
21 | @host[0x00] = "DID_OK";
22 | @host[0x01] = "DID_NO_CONNECT";
23 | @host[0x02] = "DID_BUS_BUSY";
24 | @host[0x03] = "DID_TIME_OUT";
25 | @host[0x04] = "DID_BAD_TARGET";
26 | @host[0x05] = "DID_ABORT";
27 | @host[0x06] = "DID_PARITY";
28 | @host[0x07] = "DID_ERROR";
29 | @host[0x08] = "DID_RESET";
30 | @host[0x09] = "DID_BAD_INTR";
31 | @host[0x0a] = "DID_PASSTHROUGH";
32 | @host[0x0b] = "DID_SOFT_ERROR";
33 | @host[0x0c] = "DID_IMM_RETRY";
34 | @host[0x0d] = "DID_REQUEUE";
35 | @host[0x0e] = "DID_TRANSPORT_DISRUPTED";
36 | @host[0x0f] = "DID_TRANSPORT_FAILFAST";
37 | @host[0x10] = "DID_TARGET_FAILURE";
38 | @host[0x11] = "DID_NEXUS_FAILURE";
39 | @host[0x12] = "DID_ALLOC_FAILURE";
40 | @host[0x13] = "DID_MEDIUM_ERROR";
41 |
42 | // status byte codes, from include/scsi/scsi_proto.h:
43 | @status[0x00] = "SAM_STAT_GOOD";
44 | @status[0x02] = "SAM_STAT_CHECK_CONDITION";
45 | @status[0x04] = "SAM_STAT_CONDITION_MET";
46 | @status[0x08] = "SAM_STAT_BUSY";
47 | @status[0x10] = "SAM_STAT_INTERMEDIATE";
48 | @status[0x14] = "SAM_STAT_INTERMEDIATE_CONDITION_MET";
49 | @status[0x18] = "SAM_STAT_RESERVATION_CONFLICT";
50 | @status[0x22] = "SAM_STAT_COMMAND_TERMINATED";
51 | @status[0x28] = "SAM_STAT_TASK_SET_FULL";
52 | @status[0x30] = "SAM_STAT_ACA_ACTIVE";
53 | @status[0x40] = "SAM_STAT_TASK_ABORTED";
54 | }
55 |
56 | tracepoint:scsi:scsi_dispatch_cmd_done
57 | {
58 | @[@host[(args->result >> 16) & 0xff], @status[args->result & 0xff]] =
59 | count();
60 | }
61 |
62 | END
63 | {
64 | clear(@status);
65 | clear(@host);
66 | }
67 |
--------------------------------------------------------------------------------
/originals/Ch09_Disks/seeksize.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * seeksize - Show requested I/O seek distances.
4 | *
5 | * See BPF Performance Tools, Chapter 9, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 18-Oct-2018 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing block I/O requested seeks... Hit Ctrl-C to end.\n");
19 | }
20 |
21 | tracepoint:block:block_rq_issue
22 | {
23 | if (@last[args->dev]) {
24 | // calculate requested seek distance
25 | $last = @last[args->dev];
26 | $dist = (args->sector - $last) > 0 ?
27 | args->sector - $last : $last - args->sector;
28 |
29 | // store details
30 | @sectors[args->comm] = hist($dist);
31 | }
32 | // save last requested position of disk head
33 | @last[args->dev] = args->sector + args->nr_sector;
34 | }
35 |
36 | END
37 | {
38 | clear(@last);
39 | }
40 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/gethostlatency.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * gethostlatency Trace getaddrinfo/gethostbyname[2] calls.
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * This can be useful for identifying DNS latency, by identifying which
10 | * remote host name lookups were slow, and by how much.
11 | *
12 | * This uses dynamic tracing of user-level functions and registers, and may
13 | # need modifications to match your software and processor architecture.
14 | *
15 | * USAGE: gethostlatency.bt
16 | *
17 | * This is a bpftrace version of the bcc tool of the same name.
18 | *
19 | * Copyright 2018 Netflix, Inc.
20 | * Licensed under the Apache License, Version 2.0 (the "License")
21 | *
22 | * 08-Sep-2018 Brendan Gregg Created this.
23 | */
24 |
25 | BEGIN
26 | {
27 | printf("Tracing getaddr/gethost calls... Hit Ctrl-C to end.\n");
28 | printf("%-9s %-6s %-16s %6s %s\n", "TIME", "PID", "COMM", "LATms",
29 | "HOST");
30 | }
31 |
32 | uprobe:/lib/x86_64-linux-gnu/libc.so.6:getaddrinfo,
33 | uprobe:/lib/x86_64-linux-gnu/libc.so.6:gethostbyname,
34 | uprobe:/lib/x86_64-linux-gnu/libc.so.6:gethostbyname2
35 | {
36 | @start[tid] = nsecs;
37 | @name[tid] = arg0;
38 | }
39 |
40 | uretprobe:/lib/x86_64-linux-gnu/libc.so.6:getaddrinfo,
41 | uretprobe:/lib/x86_64-linux-gnu/libc.so.6:gethostbyname,
42 | uretprobe:/lib/x86_64-linux-gnu/libc.so.6:gethostbyname2
43 | /@start[tid]/
44 | {
45 | $latms = (nsecs - @start[tid]) / 1000000;
46 | time("%H:%M:%S ");
47 | printf("%-6d %-16s %6d %s\n", pid, comm, $latms, str(@name[tid]));
48 | delete(@start[tid]);
49 | delete(@name[tid]);
50 | }
51 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/ieee80211scan.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * ieee80211scan - Trace IEEE 802.11 WiFi scanning.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 23-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | BEGIN
19 | {
20 | printf("Tracing ieee80211 SSID scans. Hit Ctrl-C to end.\n");
21 | // from include/uapi/linux/nl80211.h:
22 | @band[0] = "2GHZ";
23 | @band[1] = "5GHZ";
24 | @band[2] = "60GHZ";
25 | }
26 |
27 | kprobe:ieee80211_request_scan
28 | {
29 | time("%H:%M:%S ");
30 | printf("scan started (on-CPU PID %d, %s)\n", pid, comm);
31 | @start = nsecs;
32 | }
33 |
34 | kretprobe:ieee80211_get_channel
35 | /retval/
36 | {
37 | $ch = (struct ieee80211_channel *)retval;
38 | $band = 0xff & *retval; // $ch->band; workaround for #776
39 | time("%H:%M:%S ");
40 | printf("scanning channel %s freq %d: beacon_found %d\n",
41 | @band[$band], $ch->center_freq, $ch->beacon_found);
42 | }
43 |
44 | kprobe:ieee80211_scan_completed
45 | /@start/
46 | {
47 | time("%H:%M:%S ");
48 | printf("scan compeleted: %d ms\n", (nsecs - @start) / 1000000);
49 | delete(@start);
50 | }
51 |
52 | END
53 | {
54 | clear(@start); clear(@band);
55 | }
56 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/ipecn.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * ipecn - Trace IP inbound explicit congestion notification.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 28-May-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 |
19 | BEGIN
20 | {
21 | printf("Tracing inbound IPv4 ECN Congestion Encountered. ");
22 | printf("Hit Ctrl-C to end.\n");
23 | }
24 |
25 | kprobe:ip_rcv
26 | {
27 | $skb = (struct sk_buff *)arg0;
28 | // get IPv4 header; see skb_network_header():
29 | $iph = (struct iphdr *)($skb->head + $skb->network_header);
30 | // see INET_ECN_MASK:
31 | if (($iph->tos & 3) == 3) {
32 | time("%H:%M:%S ");
33 | printf("ECN CE from: %s\n", ntop($iph->saddr));
34 | }
35 | }
36 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/netsize.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * netsize - Show net device I/O sizes.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 21-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing net device send/receive. Hit Ctrl-C to end.\n");
19 | }
20 |
21 | tracepoint:net:netif_receive_skb
22 | {
23 | @recv_bytes = hist(args->len);
24 | }
25 |
26 | tracepoint:net:net_dev_queue
27 | {
28 | @send_bytes = hist(args->len);
29 | }
30 |
31 | tracepoint:net:napi_gro_receive_entry
32 | {
33 | @nic_recv_bytes = hist(args->len);
34 | }
35 |
36 | tracepoint:net:net_dev_xmit
37 | {
38 | @nic_send_bytes = hist(args->len);
39 | }
40 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/nettxlat-dev.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * nettxlat-dev - Show net device transmission latency by device name.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 21-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 |
19 | BEGIN
20 | {
21 | printf("Tracing net device xmit queue latency. Hit Ctrl-C to end.\n");
22 | }
23 |
24 | tracepoint:net:net_dev_start_xmit
25 | {
26 | @start[args->skbaddr] = nsecs;
27 | }
28 |
29 | tracepoint:skb:consume_skb
30 | /@start[args->skbaddr]/
31 | {
32 | $skb = (struct sk_buff *)args->skbaddr;
33 | @us[$skb->dev->name] = hist((nsecs - @start[args->skbaddr]) / 1000);
34 | delete(@start[args->skbaddr]);
35 | }
36 |
37 | tracepoint:net:net_dev_queue
38 | {
39 | // avoid timestamp reuse:
40 | delete(@start[args->skbaddr]);
41 | }
42 |
43 | END
44 | {
45 | clear(@start);
46 | }
47 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/nettxlat.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * nettxlat - Show net device transmission latency.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 21-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing net device xmit queue latency. Hit Ctrl-C to end.\n");
19 | }
20 |
21 | tracepoint:net:net_dev_start_xmit
22 | {
23 | @start[args->skbaddr] = nsecs;
24 | }
25 |
26 | tracepoint:skb:consume_skb
27 | /@start[args->skbaddr]/
28 | {
29 | @us = hist((nsecs - @start[args->skbaddr]) / 1000);
30 | delete(@start[args->skbaddr]);
31 | }
32 |
33 | tracepoint:net:net_dev_queue
34 | {
35 | // avoid timestamp reuse:
36 | delete(@start[args->skbaddr]);
37 | }
38 |
39 | END
40 | {
41 | clear(@start);
42 | }
43 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/qdisc-cbq.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * qdisc-cbq - Show qdisc CBQ queue latency.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 21-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing qdisc cbq latency. Hit Ctrl-C to end.\n");
19 | }
20 |
21 | kprobe:cbq_enqueue
22 | {
23 | @start[arg0] = nsecs;
24 | }
25 |
26 | kretprobe:cbq_dequeue
27 | /@start[retval]/
28 | {
29 | @us = hist((nsecs - @start[retval]) / 1000);
30 | delete(@start[retval]);
31 | }
32 |
33 | END
34 | {
35 | clear(@start);
36 | }
37 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/qdisc-cbs.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * qdisc-cbs - Show qdisc CBS queue latency.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 21-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing qdisc cbs latency. Hit Ctrl-C to end.\n");
19 | }
20 |
21 | kprobe:cbs_enqueue
22 | {
23 | @start[arg0] = nsecs;
24 | }
25 |
26 | kretprobe:cbs_dequeue
27 | /@start[retval]/
28 | {
29 | @us = hist((nsecs - @start[retval]) / 1000);
30 | delete(@start[retval]);
31 | }
32 |
33 | END
34 | {
35 | clear(@start);
36 | }
37 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/qdisc-codel.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * qdisc-codel - Show qdisc CoDel queue latency.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 21-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing qdisc codel latency. Hit Ctrl-C to end.\n");
19 | }
20 |
21 | kprobe:codel_qdisc_enqueue
22 | {
23 | @start[arg0] = nsecs;
24 | }
25 |
26 | kretprobe:codel_qdisc_dequeue
27 | /@start[retval]/
28 | {
29 | @us = hist((nsecs - @start[retval]) / 1000);
30 | delete(@start[retval]);
31 | }
32 |
33 | END
34 | {
35 | clear(@start);
36 | }
37 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/qdisc-fq.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * qdisc-fq - Show qdisc FQ queue latency.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 21-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing qdisc fq latency. Hit Ctrl-C to end.\n");
19 | }
20 |
21 | kprobe:fq_enqueue
22 | {
23 | @start[arg0] = nsecs;
24 | }
25 |
26 | kretprobe:fq_dequeue
27 | /@start[retval]/
28 | {
29 | @us = hist((nsecs - @start[retval]) / 1000);
30 | delete(@start[retval]);
31 | }
32 |
33 | END
34 | {
35 | clear(@start);
36 | }
37 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/qdisc-fq_codel.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * qdisc-fq_codel - Show qdisc FQ CoDel queue latency.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 21-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing qdisc fq_codel latency. Hit Ctrl-C to end.\n");
19 | }
20 |
21 | kprobe:fq_codel_enqueue
22 | {
23 | @start[arg0] = nsecs;
24 | }
25 |
26 | kretprobe:fq_codel_dequeue
27 | /@start[retval]/
28 | {
29 | @us = hist((nsecs - @start[retval]) / 1000);
30 | delete(@start[retval]);
31 | }
32 |
33 | END
34 | {
35 | clear(@start);
36 | }
37 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/qdisc-red.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * qdisc-red - Show qdisc RED queue latency.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 21-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing qdisc red latency. Hit Ctrl-C to end.\n");
19 | }
20 |
21 | kprobe:red_enqueue
22 | {
23 | @start[arg0] = nsecs;
24 | }
25 |
26 | kretprobe:red_dequeue
27 | /@start[retval]/
28 | {
29 | @us = hist((nsecs - @start[retval]) / 1000);
30 | delete(@start[retval]);
31 | }
32 |
33 | END
34 | {
35 | clear(@start);
36 | }
37 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/qdisc-tbf.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * qdisc-tbl - Show qdisc TBF queue latency.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 21-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing qdisc tbf latency. Hit Ctrl-C to end.\n");
19 | }
20 |
21 | kprobe:tbf_enqueue
22 | {
23 | @start[arg0] = nsecs;
24 | }
25 |
26 | kretprobe:tbf_dequeue
27 | /@start[retval]/
28 | {
29 | @us = hist((nsecs - @start[retval]) / 1000);
30 | delete(@start[retval]);
31 | }
32 |
33 | END
34 | {
35 | clear(@start);
36 | }
37 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/skbdrop.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * skbdrop - Trace sk_buff drops with kernel stack traces.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 21-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing unusual skb drop stacks. Hit Ctrl-C to end.\n");
19 | system("nstat > /dev/null");
20 | }
21 |
22 | tracepoint:skb:kfree_skb
23 | {
24 | @[kstack(8)] = count();
25 | }
26 |
27 | END
28 | {
29 | system("nstat; nstat -rs > /dev/null");
30 | }
31 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/skblife.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * skblife - Lifespan of sk_buff as inter-stack latency.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 04-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | kprobe:kmem_cache_alloc,
17 | kprobe:kmem_cache_alloc_node
18 | {
19 | $cache = arg0;
20 | if ($cache == *kaddr("skbuff_fclone_cache") ||
21 | $cache == *kaddr("skbuff_head_cache")) {
22 | @is_skb_alloc[tid] = 1;
23 | }
24 | }
25 |
26 | kretprobe:kmem_cache_alloc,
27 | kretprobe:kmem_cache_alloc_node
28 | /@is_skb_alloc[tid]/
29 | {
30 | delete(@is_skb_alloc[tid]);
31 | @skb_birth[retval] = nsecs;
32 | }
33 |
34 | kprobe:kmem_cache_free
35 | /@skb_birth[arg1]/
36 | {
37 | @skb_residency_nsecs = hist(nsecs - @skb_birth[arg1]);
38 | delete(@skb_birth[arg1]);
39 | }
40 |
41 | END
42 | {
43 | clear(@is_skb_alloc);
44 | clear(@skb_birth);
45 | }
46 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/so1stbyte.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * so1stbyte - Summarize IP socket first byte latency.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 16-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 |
19 | BEGIN
20 | {
21 | printf("Tracing IP socket first-read-byte latency. Ctrl-C to end.\n");
22 | }
23 |
24 | tracepoint:syscalls:sys_enter_connect
25 | /args->uservaddr->sa_family == AF_INET ||
26 | args->uservaddr->sa_family == AF_INET6/
27 | {
28 | @connfd[tid] = args->fd;
29 | @connstart[pid, args->fd] = nsecs;
30 | }
31 |
32 | tracepoint:syscalls:sys_exit_connect
33 | {
34 | if (args->ret != 0 && args->ret != - EINPROGRESS) {
35 | // connect() failure, delete flag if present
36 | delete(@connstart[pid, @connfd[tid]]);
37 | }
38 | delete(@connfd[tid]);
39 | }
40 |
41 | tracepoint:syscalls:sys_enter_close
42 | /@connstart[pid, args->fd]/
43 | {
44 | // never called read
45 | delete(@connstart[pid, @connfd[tid]]);
46 | }
47 |
48 | tracepoint:syscalls:sys_enter_read,
49 | tracepoint:syscalls:sys_enter_readv,
50 | tracepoint:syscalls:sys_enter_pread*,
51 | tracepoint:syscalls:sys_enter_recvfrom,
52 | tracepoint:syscalls:sys_enter_recvmsg,
53 | tracepoint:syscalls:sys_enter_recvmmsg
54 | /@connstart[pid, args->fd]/
55 | {
56 | @readfd[tid] = args->fd;
57 | }
58 |
59 | tracepoint:syscalls:sys_exit_read,
60 | tracepoint:syscalls:sys_exit_readv,
61 | tracepoint:syscalls:sys_exit_pread*,
62 | tracepoint:syscalls:sys_exit_recvfrom,
63 | tracepoint:syscalls:sys_exit_recvmsg,
64 | tracepoint:syscalls:sys_exit_recvmmsg
65 | /@readfd[tid]/
66 | {
67 | $fd = @readfd[tid];
68 | @us[comm, pid] = hist((nsecs - @connstart[pid, $fd]) / 1000);
69 | delete(@connstart[pid, $fd]);
70 | delete(@readfd[tid]);
71 | }
72 |
73 | END
74 | {
75 | clear(@connstart); clear(@connfd); clear(@readfd);
76 | }
77 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/soaccept.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * soaccept - Trace socket IP-protocol accepts with details.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 13-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 |
19 | BEGIN
20 | {
21 | printf("%-6s %-16s FAM %-16s %-5s %s\n", "PID", "PROCESS",
22 | "ADDRESS", "PORT", "RESULT");
23 | // accept(2) has more details:
24 | @err2str[0] = "Success";
25 | @err2str[EPERM] = "Permission denied";
26 | @err2str[EINTR] = "Interrupted";
27 | @err2str[EBADF] = "Invalid sockfd";
28 | @err2str[EAGAIN] = "None to accept";
29 | @err2str[ENOMEM] = "Out of memory";
30 | @err2str[EFAULT] = "Sock struct addr invalid";
31 | @err2str[EINVAL] = "Args invalid";
32 | @err2str[ENFILE] = "System FD limit";
33 | @err2str[EMFILE] = "Process FD limit";
34 | @err2str[EPROTO] = "Protocol error";
35 | @err2str[ENOTSOCK] = "FD not a socket";
36 | @err2str[EOPNOTSUPP] = "Not SOCK_STREAM";
37 | @err2str[ECONNABORTED] = "Aborted";
38 | @err2str[ENOBUFS] = "Memory (ENOBUFS)";
39 | }
40 |
41 | tracepoint:syscalls:sys_enter_accept,
42 | tracepoint:syscalls:sys_enter_accept4
43 | {
44 | @sockaddr[tid] = args->upeer_sockaddr;
45 | }
46 |
47 | tracepoint:syscalls:sys_exit_accept,
48 | tracepoint:syscalls:sys_exit_accept4
49 | /@sockaddr[tid]/
50 | {
51 | $sa = (struct sockaddr *)@sockaddr[tid];
52 | if ($sa->sa_family == AF_INET || $sa->sa_family == AF_INET6) {
53 | printf("%-6d %-16s %-3d ", pid, comm, $sa->sa_family);
54 | $error = args->ret > 0 ? 0 : - args->ret;
55 |
56 | if ($sa->sa_family == AF_INET) {
57 | $s = (struct sockaddr_in *)@sockaddr[tid];
58 | $port = ($s->sin_port >> 8) |
59 | (($s->sin_port << 8) & 0xff00);
60 | printf("%-16s %-5d %s\n",
61 | ntop(AF_INET, $s->sin_addr.s_addr),
62 | $port, @err2str[$error]);
63 | } else {
64 | $s6 = (struct sockaddr_in6 *)@sockaddr[tid];
65 | $port = ($s6->sin6_port >> 8) |
66 | (($s6->sin6_port << 8) & 0xff00);
67 | printf("%-16s %-5d %s\n",
68 | ntop(AF_INET6, $s6->sin6_addr.in6_u.u6_addr8),
69 | $port, @err2str[$error]);
70 | }
71 | }
72 |
73 | delete(@sockaddr[tid]);
74 | }
75 |
76 | END
77 | {
78 | clear(@err2str); clear(@sockaddr);
79 | }
80 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/socketio.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * socketio - Summarize socket I/O bytes and counts.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 11-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | kprobe:sock_recvmsg
19 | {
20 | $sock = (struct socket *)arg0;
21 | $dport = $sock->sk->__sk_common.skc_dport;
22 | $dport = ($dport >> 8) | (($dport << 8) & 0xff00);
23 | @io[comm, pid, "read", $sock->sk->__sk_common.skc_prot->name, $dport] =
24 | count();
25 | }
26 |
27 | kprobe:sock_sendmsg
28 | {
29 | $sock = (struct socket *)arg0;
30 | $dport = $sock->sk->__sk_common.skc_dport;
31 | $dport = ($dport >> 8) | (($dport << 8) & 0xff00);
32 | @io[comm, pid, "write", $sock->sk->__sk_common.skc_prot->name, $dport] =
33 | count();
34 | }
35 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/socksize.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * socksize - Show socket I/O sizes as per-process histograms.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 12-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 |
19 | kprobe:sock_recvmsg,
20 | kprobe:sock_sendmsg
21 | {
22 | @socket[tid] = arg0;
23 | }
24 |
25 | kretprobe:sock_recvmsg
26 | {
27 | if (retval < 0x7fffffff) {
28 | @read_bytes[comm] = hist(retval);
29 | }
30 | delete(@socket[tid]);
31 | }
32 |
33 | kretprobe:sock_sendmsg
34 | {
35 | if (retval < 0x7fffffff) {
36 | @write_bytes[comm] = hist(retval);
37 | }
38 | delete(@socket[tid]);
39 | }
40 |
41 | END
42 | {
43 | clear(@socket);
44 | }
45 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/sockstat.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * sockstat - High-level socket statistics.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 14-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing sock statistics. Output every 1 second.\n");
19 | }
20 |
21 | tracepoint:syscalls:sys_enter_accept*,
22 | tracepoint:syscalls:sys_enter_connect,
23 | tracepoint:syscalls:sys_enter_bind,
24 | tracepoint:syscalls:sys_enter_socket*,
25 | kprobe:sock_recvmsg,
26 | kprobe:sock_sendmsg
27 | {
28 | @[probe] = count();
29 | }
30 |
31 | interval:s:1
32 | {
33 | time();
34 | print(@);
35 | clear(@);
36 | }
37 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/soconnect.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * soconnect - Trace socket IP-protocol connections with details.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 09-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 |
19 | BEGIN
20 | {
21 | printf("%-6s %-16s FAM %-16s %-5s %8s %s\n", "PID", "PROCESS",
22 | "ADDRESS", "PORT", "LAT(us)", "RESULT");
23 | // connect(2) has more details:
24 | @err2str[0] = "Success";
25 | @err2str[EPERM] = "Permission denied";
26 | @err2str[EINTR] = "Interrupted";
27 | @err2str[EBADF] = "Invalid sockfd";
28 | @err2str[EAGAIN] = "Routing cache insuff.";
29 | @err2str[EACCES] = "Perm. denied (EACCES)";
30 | @err2str[EFAULT] = "Sock struct addr invalid";
31 | @err2str[ENOTSOCK] = "FD not a socket";
32 | @err2str[EPROTOTYPE] = "Socket protocol error";
33 | @err2str[EAFNOSUPPORT] = "Address family invalid";
34 | @err2str[EADDRINUSE] = "Local addr in use";
35 | @err2str[EADDRNOTAVAIL] = "No port available";
36 | @err2str[ENETUNREACH] = "Network unreachable";
37 | @err2str[EISCONN] = "Already connected";
38 | @err2str[ETIMEDOUT] = "Timeout";
39 | @err2str[ECONNREFUSED] = "Connect refused";
40 | @err2str[EALREADY] = "Not yet completed";
41 | @err2str[EINPROGRESS] = "In progress";
42 | }
43 |
44 | tracepoint:syscalls:sys_enter_connect
45 | /args->uservaddr->sa_family == AF_INET ||
46 | args->uservaddr->sa_family == AF_INET6/
47 | {
48 | @sockaddr[tid] = args->uservaddr;
49 | @start[tid] = nsecs;
50 | }
51 |
52 | tracepoint:syscalls:sys_exit_connect
53 | /@start[tid]/
54 | {
55 | $dur_us = (nsecs - @start[tid]) / 1000;
56 | printf("%-6d %-16s %-3d ", pid, comm, @sockaddr[tid]->sa_family);
57 |
58 | if (@sockaddr[tid]->sa_family == AF_INET) {
59 | $s = (struct sockaddr_in *)@sockaddr[tid];
60 | $port = ($s->sin_port >> 8) | (($s->sin_port << 8) & 0xff00);
61 | printf("%-16s %-5d %8d %s\n",
62 | ntop(AF_INET, $s->sin_addr.s_addr),
63 | $port, $dur_us, @err2str[- args->ret]);
64 | } else {
65 | $s6 = (struct sockaddr_in6 *)@sockaddr[tid];
66 | $port = ($s6->sin6_port >> 8) | (($s6->sin6_port << 8) & 0xff00);
67 | printf("%-16s %-5d %8d %s\n",
68 | ntop(AF_INET6, $s6->sin6_addr.in6_u.u6_addr8),
69 | $port, $dur_us, @err2str[- args->ret]);
70 | }
71 |
72 | delete(@sockaddr[tid]);
73 | delete(@start[tid]);
74 | }
75 |
76 | END
77 | {
78 | clear(@start); clear(@err2str); clear(@sockaddr);
79 | }
80 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/soconnlat.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * soconnlat - Summarize IP socket connection latency with stacks.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 12-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 |
19 | BEGIN
20 | {
21 | printf("Tracing IP connect() latency with ustacks. Ctrl-C to end.\n");
22 | }
23 |
24 | tracepoint:syscalls:sys_enter_connect
25 | /args->uservaddr->sa_family == AF_INET ||
26 | args->uservaddr->sa_family == AF_INET6/
27 | {
28 | @conn_start[tid] = nsecs;
29 | @conn_stack[tid] = ustack();
30 | }
31 |
32 | tracepoint:syscalls:sys_exit_connect
33 | /@conn_start[tid] && args->ret != - EINPROGRESS/
34 | {
35 | $dur_us = (nsecs - @conn_start[tid]) / 1000;
36 | @us[@conn_stack[tid], comm] = hist($dur_us);
37 | delete(@conn_start[tid]);
38 | delete(@conn_stack[tid]);
39 | }
40 |
41 | tracepoint:syscalls:sys_exit_poll*,
42 | tracepoint:syscalls:sys_exit_epoll*,
43 | tracepoint:syscalls:sys_exit_select*,
44 | tracepoint:syscalls:sys_exit_pselect*
45 | /@conn_start[tid] && args->ret > 0/
46 | {
47 | $dur_us = (nsecs - @conn_start[tid]) / 1000;
48 | @us[@conn_stack[tid], comm] = hist($dur_us);
49 | delete(@conn_start[tid]);
50 | delete(@conn_stack[tid]);
51 | }
52 |
53 | END
54 | {
55 | clear(@conn_start); clear(@conn_stack);
56 | }
57 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/sofamily.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * sofamily - Count address families for new sockets by process.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 10-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | BEGIN
19 | {
20 | printf("Tracing socket connect/accepts. Ctrl-C to end.\n");
21 | // from linux/socket.h:
22 | @fam2str[AF_UNSPEC] = "AF_UNSPEC";
23 | @fam2str[AF_UNIX] = "AF_UNIX";
24 | @fam2str[AF_INET] = "AF_INET";
25 | @fam2str[AF_INET6] = "AF_INET6";
26 | }
27 |
28 | tracepoint:syscalls:sys_enter_connect
29 | {
30 | @connect[comm, args->uservaddr->sa_family,
31 | @fam2str[args->uservaddr->sa_family]] = count();
32 | }
33 |
34 | tracepoint:syscalls:sys_enter_accept,
35 | tracepoint:syscalls:sys_enter_accept4
36 | {
37 | @sockaddr[tid] = args->upeer_sockaddr;
38 | }
39 |
40 | tracepoint:syscalls:sys_exit_accept,
41 | tracepoint:syscalls:sys_exit_accept4
42 | /@sockaddr[tid]/
43 | {
44 | if (args->ret > 0) {
45 | $sa = (struct sockaddr *)@sockaddr[tid];
46 | @accept[comm, $sa->sa_family, @fam2str[$sa->sa_family]] =
47 | count();
48 | }
49 | delete(@sockaddr[tid]);
50 | }
51 |
52 | END
53 | {
54 | clear(@sockaddr); clear(@fam2str);
55 | }
56 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/soprotocol.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * soprotocol - Counts transport protocols for new sockets by process.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 13-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | BEGIN
19 | {
20 | printf("Tracing socket connect/accepts. Ctrl-C to end.\n");
21 | // from include/uapi/linux/in.h:
22 | @prot2str[IPPROTO_IP] = "IPPROTO_IP";
23 | @prot2str[IPPROTO_ICMP] = "IPPROTO_ICMP";
24 | @prot2str[IPPROTO_TCP] = "IPPROTO_TCP";
25 | @prot2str[IPPROTO_UDP] = "IPPROTO_UDP";
26 | }
27 |
28 | kprobe:security_socket_accept,
29 | kprobe:security_socket_connect
30 | {
31 | $sock = (struct socket *)arg0;
32 | $protocol = $sock->sk->sk_protocol & 0xff;
33 | @connect[comm, $protocol, @prot2str[$protocol],
34 | $sock->sk->__sk_common.skc_prot->name] = count();
35 | }
36 |
37 | END
38 | {
39 | clear(@prot2str);
40 | }
41 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/sormem.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * sormem - Show socket receive buffer usage and overflows.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 14-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | BEGIN
19 | {
20 | printf("Tracing socket receive buffer size. Hit Ctrl-C to end.\n");
21 | }
22 |
23 | kprobe:sock_recvmsg
24 | {
25 | $sock = ((struct socket *)arg0)->sk;
26 | @rmem_alloc = hist($sock->sk_backlog.rmem_alloc.counter);
27 | @rmem_limit = hist($sock->sk_rcvbuf & 0xffffffff);
28 | }
29 |
30 | tracepoint:sock:sock_rcvqueue_full
31 | {
32 | printf("%s rmem_alloc %d > rcvbuf %d, skb size %d\n", probe,
33 | args->rmem_alloc, args->sk_rcvbuf, args->truesize);
34 | }
35 |
36 | tracepoint:sock:sock_exceed_buf_limit
37 | {
38 | printf("%s rmem_alloc %d, allocated %d\n", probe,
39 | args->rmem_alloc, args->allocated);
40 | }
41 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/superping.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * superping - Measure ICMP echo times from the network stack.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 20-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 | #include
19 | #include
20 | #include
21 |
22 | BEGIN
23 | {
24 | printf("Tracing ICMP ping latency. Hit Ctrl-C to end.\n");
25 | }
26 |
27 | /*
28 | * IPv4
29 | */
30 | kprobe:ip_send_skb
31 | {
32 | $skb = (struct sk_buff *)arg1;
33 | // get IPv4 header; see skb_network_header():
34 | $iph = (struct iphdr *)($skb->head + $skb->network_header);
35 | if ($iph->protocol == IPPROTO_ICMP) {
36 | // get ICMP header; see skb_transport_header():
37 | $icmph = (struct icmphdr *)($skb->head +
38 | $skb->transport_header);
39 | if ($icmph->type == ICMP_ECHO) {
40 | $id = $icmph->un.echo.id;
41 | $seq = $icmph->un.echo.sequence;
42 | @start[$id, $seq] = nsecs;
43 | }
44 | }
45 | }
46 |
47 | kprobe:icmp_rcv
48 | {
49 | $skb = (struct sk_buff *)arg0;
50 | // get ICMP header; see skb_transport_header():
51 | $icmph = (struct icmphdr *)($skb->head + $skb->transport_header);
52 | if ($icmph->type == ICMP_ECHOREPLY) {
53 | $id = $icmph->un.echo.id;
54 | $seq = $icmph->un.echo.sequence;
55 | $start = @start[$id, $seq];
56 | if ($start > 0) {
57 | $idhost = ($id >> 8) | (($id << 8) & 0xff00);
58 | $seqhost = ($seq >> 8) | (($seq << 8) & 0xff00);
59 | printf("IPv4 ping, ID %d seq %d: %d us\n",
60 | $idhost, $seqhost, (nsecs - $start) / 1000);
61 | delete(@start[$id, $seq]);
62 | }
63 | }
64 | }
65 |
66 | /*
67 | * IPv6
68 | */
69 | kprobe:ip6_send_skb
70 | {
71 | $skb = (struct sk_buff *)arg0;
72 | // get IPv6 header; see skb_network_header():
73 | $ip6h = (struct ipv6hdr *)($skb->head + $skb->network_header);
74 | if ($ip6h->nexthdr == IPPROTO_ICMPV6) {
75 | // get ICMP header; see skb_transport_header():
76 | $icmp6h = (struct icmp6hdr *)($skb->head +
77 | $skb->transport_header);
78 | if ($icmp6h->icmp6_type == ICMPV6_ECHO_REQUEST) {
79 | $id = $icmp6h->icmp6_dataun.u_echo.identifier;
80 | $seq = $icmp6h->icmp6_dataun.u_echo.sequence;
81 | @start[$id, $seq] = nsecs;
82 | }
83 | }
84 | }
85 |
86 | kprobe:icmpv6_rcv
87 | {
88 | $skb = (struct sk_buff *)arg0;
89 | // get ICMPv6 header; see skb_transport_header():
90 | $icmp6h = (struct icmp6hdr *)($skb->head + $skb->transport_header);
91 | if ($icmp6h->icmp6_type == ICMPV6_ECHO_REPLY) {
92 | $id = $icmp6h->icmp6_dataun.u_echo.identifier;
93 | $seq = $icmp6h->icmp6_dataun.u_echo.sequence;
94 | $start = @start[$id, $seq];
95 | if ($start > 0) {
96 | $idhost = ($id >> 8) | (($id << 8) & 0xff00);
97 | $seqhost = ($seq >> 8) | (($seq << 8) & 0xff00);
98 | printf("IPv6 ping, ID %d seq %d: %d us\n",
99 | $idhost, $seqhost, (nsecs - $start) / 1000);
100 | delete(@start[$id, $seq]);
101 | }
102 | }
103 | }
104 |
105 | END { clear(@start); }
106 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/tcpaccept-tp.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * tcpaccept-tp - Trace TCP passive connections (accept()) using tracepoints.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 07-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 |
19 | BEGIN
20 | {
21 | printf("%-8s %-3s %-14s %-5s %-14s %-5s\n", "TIME", "IP",
22 | "RADDR", "RPORT", "LADDR", "LPORT");
23 | }
24 |
25 | tracepoint:sock:inet_sock_set_state
26 | /args->oldstate == TCP_SYN_RECV && args->newstate == TCP_ESTABLISHED/
27 | {
28 | time("%H:%M:%S ");
29 | printf("%-3d %-14s %-5d %-14s %-5d\n", args->family == AF_INET ? 4 : 6,
30 | ntop(args->family, args->daddr), args->dport,
31 | ntop(args->family, args->saddr), args->sport);
32 | }
33 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/tcpaccept.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * tcpaccept.bt Trace TCP accept()s
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * USAGE: tcpaccept.bt
10 | *
11 | * This is a bpftrace version of the bcc tool of the same name.
12 | *
13 | * This uses dynamic tracing of the kernel inet_csk_accept() socket function
14 | * (from tcp_prot.accept), and will need to be modified to match kernel changes.
15 |
16 | * Copyright (c) 2018 Dale Hamel.
17 | * Licensed under the Apache License, Version 2.0 (the "License")
18 |
19 | * 23-Nov-2018 Dale Hamel created this.
20 | */
21 |
22 | #include
23 | #include
24 |
25 | BEGIN
26 | {
27 | printf("Tracing TCP accepts. Hit Ctrl-C to end.\n");
28 | printf("%-8s %-6s %-14s ", "TIME", "PID", "COMM");
29 | printf("%-39s %-5s %-39s %-5s %s\n", "RADDR", "RPORT", "LADDR",
30 | "LPORT", "BL");
31 | }
32 |
33 | kretprobe:inet_csk_accept
34 | {
35 | $sk = (struct sock *)retval;
36 | $inet_family = $sk->__sk_common.skc_family;
37 |
38 | if ($inet_family == AF_INET || $inet_family == AF_INET6) {
39 | $daddr = ntop(0);
40 | $saddr = ntop(0);
41 | if ($inet_family == AF_INET) {
42 | $daddr = ntop($sk->__sk_common.skc_daddr);
43 | $saddr = ntop($sk->__sk_common.skc_rcv_saddr);
44 | } else {
45 | $daddr = ntop(
46 | $sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);
47 | $saddr = ntop(
48 | $sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);
49 | }
50 | $lport = $sk->__sk_common.skc_num;
51 | $dport = $sk->__sk_common.skc_dport;
52 | $qlen = $sk->sk_ack_backlog;
53 | $qmax = $sk->sk_max_ack_backlog;
54 |
55 | // Destination port is big endian, it must be flipped
56 | $dport = ($dport >> 8) | (($dport << 8) & 0x00FF00);
57 |
58 | time("%H:%M:%S ");
59 | printf("%-6d %-14s ", pid, comm);
60 | printf("%-39s %-5d %-39s %-5d ", $daddr, $dport, $saddr,
61 | $lport);
62 | printf("%d/%d\n", $qlen, $qmax);
63 | }
64 | }
65 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/tcpconnect-tp.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * tcpconnect-tp - Trace TCP active connections (connect()) using tracepoints.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 07-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 |
19 | BEGIN
20 | {
21 | printf("%-8s %-6s %-16s %-3s ", "TIME", "PID", "COMM", "IP");
22 | printf("%-15s %-15s %-5s\n", "SADDR", "DADDR", "DPORT");
23 | }
24 |
25 | tracepoint:sock:inet_sock_set_state
26 | /args->oldstate == TCP_CLOSE && args->newstate == TCP_SYN_SENT/
27 | {
28 | time("%H:%M:%S ");
29 | printf("%-6d %-16s %-3d ", pid, comm, args->family == AF_INET ? 4 : 6);
30 | printf("%-15s %-15s %-5d\n", ntop(args->family, args->saddr),
31 | ntop(args->family, args->daddr), args->dport)
32 | }
33 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/tcplife.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * tcplife - Trace TCP session lifespans with connection details.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 17-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 | #include
19 | #include
20 |
21 | BEGIN
22 | {
23 | printf("%-5s %-10s %-15s %-5s %-15s %-5s ", "PID", "COMM",
24 | "LADDR", "LPORT", "RADDR", "RPORT");
25 | printf("%5s %5s %s\n", "TX_KB", "RX_KB", "MS");
26 | }
27 |
28 | kprobe:tcp_set_state
29 | {
30 | $sk = (struct sock *)arg0;
31 | $newstate = arg1;
32 |
33 | /*
34 | * This tool includes PID and comm context. From TCP this is best
35 | * effort, and may be wrong in some situations. It does this:
36 | * - record timestamp on any state < TCP_FIN_WAIT1
37 | * note some state transitions may not be present via this kprobe
38 | * - cache task context on:
39 | * TCP_SYN_SENT: tracing from client
40 | * TCP_LAST_ACK: client-closed from server
41 | * - do output on TCP_CLOSE:
42 | * fetch task context if cached, or use current task
43 | */
44 |
45 | // record first timestamp seen for this socket
46 | if ($newstate < TCP_FIN_WAIT1 && @birth[$sk] == 0) {
47 | @birth[$sk] = nsecs;
48 | }
49 |
50 | // record PID & comm on SYN_SENT
51 | if ($newstate == TCP_SYN_SENT || $newstate == TCP_LAST_ACK) {
52 | @skpid[$sk] = pid;
53 | @skcomm[$sk] = comm;
54 | }
55 |
56 | // session ended: calculate lifespan and print
57 | if ($newstate == TCP_CLOSE && @birth[$sk]) {
58 | $delta_ms = (nsecs - @birth[$sk]) / 1000000;
59 | $lport = $sk->__sk_common.skc_num;
60 | $dport = $sk->__sk_common.skc_dport;
61 | $dport = ($dport >> 8) | (($dport << 8) & 0xff00);
62 | $tp = (struct tcp_sock *)$sk;
63 | $pid = @skpid[$sk];
64 | $comm = @skcomm[$sk];
65 | if ($comm == "") {
66 | // not cached, use current task
67 | $pid = pid;
68 | $comm = comm;
69 | }
70 |
71 | $family = $sk->__sk_common.skc_family;
72 | $saddr = ntop(0);
73 | $daddr = ntop(0);
74 | if ($family == AF_INET) {
75 | $saddr = ntop(AF_INET, $sk->__sk_common.skc_rcv_saddr);
76 | $daddr = ntop(AF_INET, $sk->__sk_common.skc_daddr);
77 | } else {
78 | // AF_INET6
79 | $saddr = ntop(AF_INET6,
80 | $sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);
81 | $daddr = ntop(AF_INET6,
82 | $sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);
83 | }
84 | printf("%-5d %-10.10s %-15s %-5d %-15s %-6d ", $pid,
85 | $comm, $saddr, $lport, $daddr, $dport);
86 | printf("%5d %5d %d\n", $tp->bytes_acked / 1024,
87 | $tp->bytes_received / 1024, $delta_ms);
88 |
89 | delete(@birth[$sk]);
90 | delete(@skpid[$sk]);
91 | delete(@skcomm[$sk]);
92 | }
93 | }
94 |
95 | END
96 | {
97 | clear(@birth); clear(@skpid); clear(@skcomm);
98 | }
99 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/tcpnagle.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * tcpnagle - Trace TCP nagle usage and transmit delays.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 23-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing TCP nagle and xmit delays. Hit Ctrl-C to end.\n");
19 | // from include/net/tcp.h; add more combinations if needed:
20 | @flags[0x0] = "ON";
21 | @flags[0x1] = "OFF";
22 | @flags[0x2] = "CORK";
23 | @flags[0x3] = "OFF|CORK";
24 | @flags[0x4] = "PUSH";
25 | @flags[0x5] = "OFF|PUSH";
26 | }
27 |
28 | kprobe:tcp_write_xmit
29 | {
30 | @nagle[@flags[arg2]] = count();
31 | @sk[tid] = arg0;
32 | }
33 |
34 | kretprobe:tcp_write_xmit
35 | /@sk[tid]/
36 | {
37 | $inflight = retval & 0xff;
38 | $sk = @sk[tid];
39 | if ($inflight && !@start[$sk]) {
40 | @start[$sk] = nsecs;
41 | }
42 | if (!$inflight && @start[$sk]) {
43 | @blocked_us = hist((nsecs - @start[$sk]) / 1000);
44 | delete(@start[$sk]);
45 | }
46 | delete(@sk[tid]);
47 | }
48 |
49 | END
50 | {
51 | clear(@flags); clear(@start); clear(@sk);
52 | }
53 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/tcpretrans.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * tcpretrans.bt Trace or count TCP retransmits
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * USAGE: tcpretrans.bt
10 | *
11 | * This is a bpftrace version of the bcc tool of the same name.
12 | * It is limited to ipv4 addresses, and doesn't support tracking TLPs.
13 | *
14 | * This uses dynamic tracing of kernel functions, and will need to be updated
15 | * to match kernel changes.
16 | *
17 | * Copyright (c) 2018 Dale Hamel.
18 | * Licensed under the Apache License, Version 2.0 (the "License")
19 | *
20 | * 23-Nov-2018 Dale Hamel created this.
21 | */
22 |
23 | #include
24 | #include
25 |
26 | BEGIN
27 | {
28 | printf("Tracing tcp retransmits. Hit Ctrl-C to end.\n");
29 | printf("%-8s %-8s %20s %21s %6s\n", "TIME", "PID", "LADDR:LPORT",
30 | "RADDR:RPORT", "STATE");
31 |
32 | // See include/net/tcp_states.h:
33 | @tcp_states[1] = "ESTABLISHED";
34 | @tcp_states[2] = "SYN_SENT";
35 | @tcp_states[3] = "SYN_RECV";
36 | @tcp_states[4] = "FIN_WAIT1";
37 | @tcp_states[5] = "FIN_WAIT2";
38 | @tcp_states[6] = "TIME_WAIT";
39 | @tcp_states[7] = "CLOSE";
40 | @tcp_states[8] = "CLOSE_WAIT";
41 | @tcp_states[9] = "LAST_ACK";
42 | @tcp_states[10] = "LISTEN";
43 | @tcp_states[11] = "CLOSING";
44 | @tcp_states[12] = "NEW_SYN_RECV";
45 | }
46 |
47 | kprobe:tcp_retransmit_skb
48 | {
49 | $sk = (struct sock *)arg0;
50 | $inet_family = $sk->__sk_common.skc_family;
51 |
52 | if ($inet_family == AF_INET || $inet_family == AF_INET6) {
53 | $daddr = ntop(0);
54 | $saddr = ntop(0);
55 | if ($inet_family == AF_INET) {
56 | $daddr = ntop($sk->__sk_common.skc_daddr);
57 | $saddr = ntop($sk->__sk_common.skc_rcv_saddr);
58 | } else {
59 | $daddr = ntop(
60 | $sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);
61 | $saddr = ntop(
62 | $sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);
63 | }
64 | $lport = $sk->__sk_common.skc_num;
65 | $dport = $sk->__sk_common.skc_dport;
66 |
67 | // Destination port is big endian, it must be flipped
68 | $dport = ($dport >> 8) | (($dport << 8) & 0x00FF00);
69 |
70 | $state = $sk->__sk_common.skc_state;
71 | $statestr = @tcp_states[$state];
72 |
73 | time("%H:%M:%S ");
74 | printf("%-8d %14s:%-6d %14s:%-6d %6s\n", pid, $saddr, $lport,
75 | $daddr, $dport, $statestr);
76 | }
77 | }
78 |
79 | END
80 | {
81 | clear(@tcp_states);
82 | }
83 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/tcpsynbl.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * tcpsynbl - Show TCP SYN backlog as a histogram.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 19-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | BEGIN
19 | {
20 | printf("Tracing SYN backlog size. Ctrl-C to end.\n");
21 | }
22 |
23 | kprobe:tcp_v4_syn_recv_sock,
24 | kprobe:tcp_v6_syn_recv_sock
25 | {
26 | $sock = (struct sock *)arg0;
27 | @backlog[$sock->sk_max_ack_backlog & 0xffffffff] =
28 | hist($sock->sk_ack_backlog);
29 | if ($sock->sk_ack_backlog > $sock->sk_max_ack_backlog) {
30 | time("%H:%M:%S dropping a SYN.\n");
31 | }
32 | }
33 |
34 | END
35 | {
36 | printf("\n@backlog[backlog limit]: histogram of backlog size\n");
37 | }
38 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/tcpwin.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * tcpwin - Trace TCP send congestion window parameters.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 20-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 |
19 | BEGIN
20 | {
21 | printf("event,sock,time_us,snd_cwnd,snd_ssthresh,sk_sndbuf,");
22 | printf("sk_wmem_queued\n");
23 | }
24 |
25 | kprobe:tcp_rcv_established
26 | {
27 | $sock = (struct sock *)arg0;
28 | $tcps = (struct tcp_sock *)arg0; // see tcp_sk()
29 | printf("rcv,0x%llx,%lld,%d,%d,%d,%d\n", arg0, elapsed / 1000,
30 | $tcps->snd_cwnd, $tcps->snd_ssthresh, $sock->sk_sndbuf,
31 | $sock->sk_wmem_queued);
32 | }
33 |
--------------------------------------------------------------------------------
/originals/Ch10_Networking/udpconnect.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * udpconnect - Trace new UDP connections from localhost.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 20-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | BEGIN
19 | {
20 | printf("%-8s %-6s %-16s %-2s %-16s %-5s\n", "TIME", "PID", "COMM",
21 | "IP", "RADDR", "RPORT");
22 | }
23 |
24 | kprobe:ip4_datagram_connect,
25 | kprobe:ip6_datagram_connect
26 | {
27 | $sa = (struct sockaddr *)arg1;
28 | if ($sa->sa_family == AF_INET || $sa->sa_family == AF_INET6) {
29 | time("%H:%M:%S ");
30 | if ($sa->sa_family == AF_INET) {
31 | $s = (struct sockaddr_in *)arg1;
32 | $port = ($s->sin_port >> 8) |
33 | (($s->sin_port << 8) & 0xff00);
34 | printf("%-6d %-16s 4 %-16s %-5d\n", pid, comm,
35 | ntop(AF_INET, $s->sin_addr.s_addr), $port);
36 | } else {
37 | $s6 = (struct sockaddr_in6 *)arg1;
38 | $port = ($s6->sin6_port >> 8) |
39 | (($s6->sin6_port << 8) & 0xff00);
40 | printf("%-6d %-16s 6 %-16s %-5d\n", pid, comm,
41 | ntop(AF_INET6, $s6->sin6_addr.in6_u.u6_addr8),
42 | $port);
43 | }
44 | }
45 | }
46 |
--------------------------------------------------------------------------------
/originals/Ch11_Security/bashreadline.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * bashreadline Print entered bash commands from all running shells.
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * This works by tracing the readline() function using a uretprobe (uprobes).
10 | *
11 | * USAGE: bashreadline.bt
12 | *
13 | * This is a bpftrace version of the bcc tool of the same name.
14 | *
15 | * Copyright 2018 Netflix, Inc.
16 | * Licensed under the Apache License, Version 2.0 (the "License")
17 | *
18 | * 06-Sep-2018 Brendan Gregg Created this.
19 | */
20 |
21 | BEGIN
22 | {
23 | printf("Tracing bash commands... Hit Ctrl-C to end.\n");
24 | printf("%-9s %-6s %s\n", "TIME", "PID", "COMMAND");
25 | }
26 |
27 | uretprobe:/bin/bash:readline
28 | {
29 | time("%H:%M:%S ");
30 | printf("%-6d %s\n", pid, str(retval));
31 | }
32 |
--------------------------------------------------------------------------------
/originals/Ch11_Security/capable.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * capable Trace security capabilitiy checks (cap_capable()).
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * USAGE: capable.bt
10 | *
11 | * This is a bpftrace version of the bcc tool of the same name.
12 | *
13 | * Copyright 2018 Netflix, Inc.
14 | * Licensed under the Apache License, Version 2.0 (the "License")
15 | *
16 | * 08-Sep-2018 Brendan Gregg Created this.
17 | */
18 |
19 | BEGIN
20 | {
21 | printf("Tracing cap_capable syscalls... Hit Ctrl-C to end.\n");
22 | printf("%-9s %-6s %-6s %-16s %-4s %-20s AUDIT\n", "TIME", "UID", "PID",
23 | "COMM", "CAP", "NAME");
24 | @cap[0] = "CAP_CHOWN";
25 | @cap[1] = "CAP_DAC_OVERRIDE";
26 | @cap[2] = "CAP_DAC_READ_SEARCH";
27 | @cap[3] = "CAP_FOWNER";
28 | @cap[4] = "CAP_FSETID";
29 | @cap[5] = "CAP_KILL";
30 | @cap[6] = "CAP_SETGID";
31 | @cap[7] = "CAP_SETUID";
32 | @cap[8] = "CAP_SETPCAP";
33 | @cap[9] = "CAP_LINUX_IMMUTABLE";
34 | @cap[10] = "CAP_NET_BIND_SERVICE";
35 | @cap[11] = "CAP_NET_BROADCAST";
36 | @cap[12] = "CAP_NET_ADMIN";
37 | @cap[13] = "CAP_NET_RAW";
38 | @cap[14] = "CAP_IPC_LOCK";
39 | @cap[15] = "CAP_IPC_OWNER";
40 | @cap[16] = "CAP_SYS_MODULE";
41 | @cap[17] = "CAP_SYS_RAWIO";
42 | @cap[18] = "CAP_SYS_CHROOT";
43 | @cap[19] = "CAP_SYS_PTRACE";
44 | @cap[20] = "CAP_SYS_PACCT";
45 | @cap[21] = "CAP_SYS_ADMIN";
46 | @cap[22] = "CAP_SYS_BOOT";
47 | @cap[23] = "CAP_SYS_NICE";
48 | @cap[24] = "CAP_SYS_RESOURCE";
49 | @cap[25] = "CAP_SYS_TIME";
50 | @cap[26] = "CAP_SYS_TTY_CONFIG";
51 | @cap[27] = "CAP_MKNOD";
52 | @cap[28] = "CAP_LEASE";
53 | @cap[29] = "CAP_AUDIT_WRITE";
54 | @cap[30] = "CAP_AUDIT_CONTROL";
55 | @cap[31] = "CAP_SETFCAP";
56 | @cap[32] = "CAP_MAC_OVERRIDE";
57 | @cap[33] = "CAP_MAC_ADMIN";
58 | @cap[34] = "CAP_SYSLOG";
59 | @cap[35] = "CAP_WAKE_ALARM";
60 | @cap[36] = "CAP_BLOCK_SUSPEND";
61 | @cap[37] = "CAP_AUDIT_READ";
62 | }
63 |
64 | kprobe:cap_capable
65 | {
66 | $cap = arg2;
67 | $audit = arg3;
68 | time("%H:%M:%S ");
69 | printf("%-6d %-6d %-16s %-4d %-20s %d\n", uid, pid, comm, $cap,
70 | @cap[$cap], $audit);
71 | }
72 |
73 | END
74 | {
75 | clear(@cap);
76 | }
77 |
--------------------------------------------------------------------------------
/originals/Ch11_Security/elfsnoop.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * elfsnoop - Show ELF file loads.
4 | *
5 | * See BPF Performance Tools, Chapter 11, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 25-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 | #include
19 |
20 | BEGIN
21 | {
22 | printf("Tracing ELF loads. Ctrl-C to end\n");
23 | printf("%-8s %-6s %-18s %-18s %-10s %-10s RET\n",
24 | "TIME", "PID", "INTERPRETER", "FILE", "MOUNT", "INODE");
25 | }
26 |
27 | kprobe:load_elf_binary
28 | {
29 | @arg0[tid] = arg0;
30 | }
31 |
32 | kretprobe:load_elf_binary
33 | /@arg0[tid]/
34 | {
35 | $bin = (struct linux_binprm *)@arg0[tid];
36 | time("%H:%M:%S ");
37 | printf("%-6d %-18s %-18s %-10s %-10d %3d\n", pid,
38 | str($bin->interp), str($bin->filename),
39 | str($bin->file->f_path.mnt->mnt_root->d_name.name),
40 | $bin->file->f_inode->i_ino, retval);
41 | delete(@arg0[tid]);
42 | }
43 |
--------------------------------------------------------------------------------
/originals/Ch11_Security/eperm.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * eperm - Count failed EPERM and EACCES syscalls.
4 | *
5 | * See BPF Performance Tools, Chapter 11, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 25-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing EACCESS and EPERM syscall errors. Ctrl-C to end.\n");
19 | }
20 |
21 | tracepoint:raw_syscalls:sys_exit
22 | /args->ret == -1/
23 | {
24 | @EACCESS[comm, ksym(*(kaddr("sys_call_table") + args->id * 8))] =
25 | count();
26 | }
27 |
28 | tracepoint:raw_syscalls:sys_exit
29 | /args->ret == -13/
30 | {
31 | @EPERM[comm, ksym(*(kaddr("sys_call_table") + args->id * 8))] =
32 | count();
33 | }
34 |
--------------------------------------------------------------------------------
/originals/Ch11_Security/modsnoop.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * modsnoop - Show kernel module loads.
4 | *
5 | * See BPF Performance Tools, Chapter 11, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 14-Mar-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | BEGIN
19 | {
20 | printf("Tracing kernel module loads. Hit Ctrl-C to end.\n");
21 | }
22 |
23 |
24 | kprobe:do_init_module
25 | {
26 | $mod = (struct module *)arg0;
27 | time("%H:%M:%S ");
28 | printf("module init: %s, by %s (PID %d, user %s, UID %d)\n",
29 | $mod->name, comm, pid, username, uid);
30 | }
31 |
--------------------------------------------------------------------------------
/originals/Ch11_Security/setuids.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * setuids - Trace the setuid syscalls: privilege escalation.
4 | *
5 | * See BPF Performance Tools, Chapter 11, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 26-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing setuid(2) family syscalls. Hit Ctrl-C to end.\n");
19 | printf("%-8s %-6s %-16s %-6s %-9s %s\n", "TIME",
20 | "PID", "COMM", "UID", "SYSCALL", "ARGS (RET)");
21 | }
22 |
23 | tracepoint:syscalls:sys_enter_setuid,
24 | tracepoint:syscalls:sys_enter_setfsuid
25 | {
26 | @uid[tid] = uid;
27 | @setuid[tid] = args->uid;
28 | @seen[tid] = 1;
29 | }
30 |
31 | tracepoint:syscalls:sys_enter_setresuid
32 | {
33 | @uid[tid] = uid;
34 | @ruid[tid] = args->ruid;
35 | @euid[tid] = args->euid;
36 | @suid[tid] = args->suid;
37 | @seen[tid] = 1;
38 | }
39 |
40 | tracepoint:syscalls:sys_exit_setuid
41 | /@seen[tid]/
42 | {
43 | time("%H:%M:%S ");
44 | printf("%-6d %-16s %-6d setuid uid=%d (%d)\n", pid, comm,
45 | @uid[tid], @setuid[tid], args->ret);
46 | delete(@seen[tid]); delete(@uid[tid]); delete(@setuid[tid]);
47 | }
48 |
49 | tracepoint:syscalls:sys_exit_setfsuid
50 | /@seen[tid]/
51 | {
52 | time("%H:%M:%S ");
53 | printf("%-6d %-16s %-6d setfsuid uid=%d (prevuid=%d)\n", pid, comm,
54 | @uid[tid], @setuid[tid], args->ret);
55 | delete(@seen[tid]); delete(@uid[tid]); delete(@setuid[tid]);
56 | }
57 |
58 | tracepoint:syscalls:sys_exit_setresuid
59 | /@seen[tid]/
60 | {
61 | time("%H:%M:%S ");
62 | printf("%-6d %-16s %-6d setresuid ", pid, comm, @uid[tid]);
63 | printf("ruid=%d euid=%d suid=%d (%d)\n", @ruid[tid], @euid[tid],
64 | @suid[tid], args->ret);
65 | delete(@seen[tid]); delete(@uid[tid]); delete(@ruid[tid]);
66 | delete(@euid[tid]); delete(@suid[tid]);
67 | }
68 |
--------------------------------------------------------------------------------
/originals/Ch11_Security/shellsnoop.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * shellsnoop - Mirror shell output.
4 | *
5 | * See BPF Performance Tools, Chapter 11, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 31-May-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | /$1 == 0/
18 | {
19 | printf("USAGE: shellsnoop.bt PID\n");
20 | exit();
21 | }
22 |
23 | tracepoint:sched:sched_process_fork
24 | /args->parent_pid == $1 || @descendent[args->parent_pid]/
25 | {
26 | @descendent[args->child_pid] = 1;
27 | }
28 |
29 | tracepoint:syscalls:sys_enter_write
30 | /(pid == $1 || @descendent[pid]) && (args->fd == 1 || args->fd == 2)/
31 | {
32 | printf("%s", str(args->buf, args->count));
33 | }
34 |
--------------------------------------------------------------------------------
/originals/Ch11_Security/shellsnoop.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # @lint-avoid-python-3-compatibility-imports
3 | #
4 | # shellsnoop Watch another shell session.
5 | # For Linux, uses BCC, eBPF. Embedded C.
6 | #
7 | # This traces writes to STDOUT and STDERR for the specified PID and its
8 | # children, and prints them out. This lets you watch another shell live. Due
9 | # to a limited buffer size, some commands (eg, a vim session) are likely to
10 | # be printed a little messed up.
11 | #
12 | # Copyright (c) 2016 Brendan Gregg.
13 | # Licensed under the Apache License, Version 2.0 (the "License")
14 | #
15 | # Idea: from ttywatcher.
16 | #
17 | # 15-Oct-2016 Brendan Gregg Created this.
18 |
19 | from __future__ import print_function
20 | from bcc import BPF
21 | import ctypes as ct
22 | from subprocess import call
23 | import argparse
24 | from sys import argv
25 | import sys
26 |
27 | def usage():
28 | print("USAGE: %s PID" % argv[0])
29 | exit()
30 |
31 | # arguments
32 | examples = """examples:
33 | ./shellsnoop 181 # snoop on shell with PID 181
34 | """
35 | parser = argparse.ArgumentParser(
36 | description="Snoop output from another shell",
37 | formatter_class=argparse.RawDescriptionHelpFormatter,
38 | epilog=examples)
39 | parser.add_argument("-C", "--noclear", action="store_true",
40 | help="don't clear the screen")
41 | parser.add_argument("-s", "--shellonly", action="store_true",
42 | help="shell output only (no sub-commands)")
43 | parser.add_argument("-r", "--replay", action="store_true",
44 | help="emit a replay shell script")
45 | parser.add_argument("pid", nargs="?", default=0,
46 | help="PID to trace")
47 | args = parser.parse_args()
48 | debug = 0
49 |
50 | if args.pid == 0:
51 | print("USAGE: %s [-hs] PID" % argv[0])
52 | exit()
53 | if args.replay:
54 | args.noclear = True
55 |
56 | # define BPF program
57 | bpf_text = """
58 | #include
59 |
60 | #define BUFSIZE 256
61 | struct data_t {
62 | u64 ts;
63 | int count;
64 | char buf[BUFSIZE];
65 | };
66 |
67 | BPF_PERF_OUTPUT(events);
68 | BPF_HASH(children, u32, int);
69 |
70 | TRACEPOINT_PROBE(sched, sched_process_fork)
71 | {
72 | if (NOCHILDREN)
73 | return 0;
74 | u32 pid = args->parent_pid;
75 | u32 newpid = args->child_pid;
76 | u32 *cp = children.lookup(&pid);
77 | if (cp == NULL && pid != PID)
78 | return 0;
79 | int one = 1;
80 |
81 | children.update(&newpid, &one);
82 | return 0;
83 | }
84 |
85 | static void emit(void *ctx, const char *buf, u32 *offset, u64 ts, size_t count)
86 | {
87 | struct data_t data = {.ts = ts};
88 | bpf_probe_read(&data.buf, BUFSIZE, (void *)buf + *offset);
89 | data.count = count - *offset > BUFSIZE ? BUFSIZE : count - *offset;
90 | *offset += BUFSIZE;
91 | events.perf_submit(ctx, &data, sizeof(data));
92 | }
93 |
94 | // switch to a tracepoint when #748 is fixed
95 | TRACEPOINT_PROBE(syscalls, sys_enter_write)
96 | {
97 | if (args->fd != 1 && args->fd != 2)
98 | return 0;
99 |
100 | u32 pid = bpf_get_current_pid_tgid();
101 | u32 *cp = children.lookup(&pid);
102 | if (cp == NULL && pid != PID)
103 | return 0;
104 |
105 | // bpf_probe_read() can only use a fixed size, so truncate to count
106 | // in user space:
107 | u32 offset = 0;
108 |
109 | // unrolled loop to workaround stack size limit.
110 | // TODO: switch to use BPF map storage and a single perf_submit().
111 | u64 ts = bpf_ktime_get_ns();
112 | if (offset < args->count) { emit(args, args->buf, &offset, ts, args->count); }
113 | if (offset < args->count) { emit(args, args->buf, &offset, ts, args->count); }
114 | if (offset < args->count) { emit(args, args->buf, &offset, ts, args->count); }
115 | if (offset < args->count) { emit(args, args->buf, &offset, ts, args->count); }
116 | if (offset < args->count) { emit(args, args->buf, &offset, ts, args->count); }
117 | if (offset < args->count) { emit(args, args->buf, &offset, ts, args->count); }
118 | if (offset < args->count) { emit(args, args->buf, &offset, ts, args->count); }
119 | if (offset < args->count) { emit(args, args->buf, &offset, ts, args->count); }
120 | if (offset < args->count) { emit(args, args->buf, &offset, ts, args->count); }
121 | if (offset < args->count) { emit(args, args->buf, &offset, ts, args->count); }
122 |
123 | return 0;
124 | };
125 | """
126 |
127 | bpf_text = bpf_text.replace('PID', str(args.pid))
128 | bpf_text = bpf_text.replace('NOCHILDREN', str(int(args.shellonly)))
129 | if debug:
130 | print(bpf_text)
131 |
132 | # initialize BPF
133 | b = BPF(text=bpf_text)
134 |
135 | BUFSIZE = 256
136 | last_ts = 0
137 |
138 | if not args.noclear:
139 | call("clear")
140 |
141 | # process event
142 | def print_event(cpu, data, size):
143 | event = b["events"].event(data)
144 | global last_ts
145 | if last_ts == 0:
146 | last_ts = event.ts
147 | if args.replay:
148 | delay_ms = (event.ts - last_ts) / 1000000
149 | if delay_ms:
150 | print("sleep %.2f" % (float(delay_ms) / 1000))
151 | printable = event.buf[0:event.count]
152 | printable = printable.replace('\\', '\\\\')
153 | printable = printable.replace('\'', '\\047')
154 | print("echo -e '%s\\c'" % printable)
155 | last_ts = event.ts
156 | else:
157 | print("%s" % event.buf[0:event.count], end="")
158 | sys.stdout.flush()
159 |
160 | # loop with callback to print_event
161 | b["events"].open_perf_buffer(print_event, page_cnt=64)
162 | while 1:
163 | b.kprobe_poll()
164 |
--------------------------------------------------------------------------------
/originals/Ch11_Security/tcpreset.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * tcpreset - Show TCP send resets: port scan detection.
4 | *
5 | * See BPF Performance Tools, Chapter 11, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 26-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 | #include
19 |
20 | BEGIN
21 | {
22 | printf("Tracing TCP resets. Hit Ctrl-C to end.\n");
23 | printf("%-8s %-14s %-6s %-14s %-6s\n", "TIME",
24 | "LADDR", "LPORT", "RADDR", "RPORT");
25 | }
26 |
27 | kprobe:tcp_v4_send_reset
28 | {
29 | $skb = (struct sk_buff *)arg1;
30 | $tcp = (struct tcphdr *)($skb->head + $skb->transport_header);
31 | $ip = (struct iphdr *)($skb->head + $skb->network_header);
32 | $dport = ($tcp->dest >> 8) | (($tcp->dest << 8) & 0xff00);
33 | $sport = ($tcp->source >> 8) | (($tcp->source << 8) & 0xff00);
34 |
35 | time("%H:%M:%S ");
36 | printf("%-14s %-6d %-14s %-6d\n", ntop(AF_INET, $ip->daddr), $dport,
37 | ntop(AF_INET, $ip->saddr), $sport);
38 | }
39 |
--------------------------------------------------------------------------------
/originals/Ch11_Security/ttysnoop.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * ttysnoop - Mirror tty output.
4 | *
5 | * See BPF Performance Tools, Chapter 11, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 26-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | BEGIN
19 | {
20 | if ($1 == 0) {
21 | printf("USAGE: ttysnoop.bt pts_device # eg, pts14\n");
22 | exit();
23 | }
24 | printf("Tracing tty writes. Ctrl-C to end.\n");
25 | }
26 |
27 | kprobe:tty_write
28 | {
29 | $file = (struct file *)arg0;
30 | // +3 skips "pts":
31 | if (str($file->f_path.dentry->d_name.name) == str($1 + 3)) {
32 | printf("%s", str(arg1, arg2));
33 | }
34 | }
35 |
--------------------------------------------------------------------------------
/originals/Ch12_Languages/bashfunc.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * bashfunc - Trace recompiled bash function calls.
4 | *
5 | * See BPF Performance Tools, Chapter 12, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 09-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include "/home/bgregg/Build/bash-4.4.18/variables.h"
17 |
18 | uprobe:/home/bgregg/Build/bash-4.4.18/bash:execute_function
19 | {
20 | $var = (struct variable *)arg0;
21 | printf("function: %s\n", str($var->name));
22 | }
23 |
--------------------------------------------------------------------------------
/originals/Ch12_Languages/bashfunc2.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * bashfunc2 - Trace recompiled bash function calls.
4 | *
5 | * See BPF Performance Tools, Chapter 12, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 09-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | struct variable_partial {
17 | char *name;
18 | };
19 |
20 | uprobe:/home/bgregg/Build/bash-4.4.18/bash:execute_function
21 | {
22 | $var = (struct variable_partial *)arg0;
23 | printf("function: %s\n", str($var->name));
24 | }
25 |
--------------------------------------------------------------------------------
/originals/Ch12_Languages/bashfunc3.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * bashfunc3 - Trace /bin/bash function calls.
4 | *
5 | * See BPF Performance Tools, Chapter 12, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 09-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | uprobe:/bin/bash:find_function_def
17 | {
18 | @currfunc[tid] = arg0;
19 | }
20 |
21 | uprobe:/bin/bash:restore_funcarray_state
22 | {
23 | printf("function: %s\n", str(@currfunc[tid]));
24 | delete(@currfunc[tid]);
25 | }
26 |
--------------------------------------------------------------------------------
/originals/Ch12_Languages/bashfunclat.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * bashfunclat - Show bash function latency as a histogram.
4 | *
5 | * See BPF Performance Tools, Chapter 12, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 09-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | struct variable_partial {
17 | char *name;
18 | };
19 |
20 | BEGIN
21 | {
22 | printf("Tracing bash function latency, Ctrl-C to end.\n");
23 | }
24 |
25 | uprobe:/home/bgregg/Build/bash-4.4.18/bash:execute_function
26 | {
27 | $var = (struct variable_partial *)arg0;
28 | @name[tid] = $var->name;
29 | @start[tid] = nsecs;
30 | }
31 |
32 | uretprobe:/home/bgregg/Build/bash-4.4.18/bash:execute_function
33 | /@start[tid]/
34 | {
35 | @ms[str(@name[tid])] = hist((nsecs - @start[tid]) / 1000000);
36 | delete(@name[tid]);
37 | delete(@start[tid]);
38 | }
39 |
--------------------------------------------------------------------------------
/originals/Ch12_Languages/javacalls.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * javacalls - Count Java method calls.
4 | *
5 | * See BPF Performance Tools, Chapter 12, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 11-Mar-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing Java method calls. Ctrl-C to end.\n");
19 | }
20 |
21 | usdt:/.../libjvm.so:hotspot:method__entry
22 | {
23 | @[str(arg1, arg2), str(arg3, arg4)] = count();
24 | }
25 |
--------------------------------------------------------------------------------
/originals/Ch12_Languages/javathreads.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * javathreads - Trace thread start and stop events.
4 | *
5 | * See BPF Performance Tools, Chapter 12, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 19-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("%-20s %6s/%-5s -- %s\n", "TIME", "PID", "TID", "THREAD");
19 | }
20 |
21 | usdt:/.../libjvm.so:hotspot:thread__start
22 | {
23 | time("%H:%M:%S ");
24 | printf("%6d/%-5d => %s\n", pid, tid, str(arg0, arg1));
25 | }
26 |
27 | usdt:/.../libjvm.so:hotspot:thread__stop
28 | {
29 | time("%H:%M:%S ");
30 | printf("%6d/%-5d <= %s\n", pid, tid, str(arg0, arg1));
31 | }
32 |
--------------------------------------------------------------------------------
/originals/Ch12_Languages/jnistacks.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * jnistacks - Show JNI consumers by object stack trace.
4 | *
5 | * See BPF Performance Tools, Chapter 12, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 08-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing jni_NewObject* calls... Ctrl-C to end.\n");
19 | }
20 |
21 | uprobe:/usr/lib/jvm/java-11-openjdk-amd64/lib/server/libjvm.so:jni_NewObject*
22 | {
23 | @[ustack] = count();
24 | }
25 |
26 | END
27 | {
28 | $jmaps = "/usr/local/bin/jmaps";
29 | printf("\nRunning %s to create Java symbol files in /tmp...\n", $jmaps);
30 | system("%s", $jmaps);
31 | }
32 |
--------------------------------------------------------------------------------
/originals/Ch13_Applications/ioprofile.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * ioprofile - Count stacks on I/O.
4 | *
5 | * See BPF Performance Tools, Chapter 13, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 15-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing I/O syscall user stacks. Ctrl-C to end.\n");
19 | }
20 |
21 | tracepoint:syscalls:sys_enter_*read*,
22 | tracepoint:syscalls:sys_enter_*write*,
23 | tracepoint:syscalls:sys_enter_*send*,
24 | tracepoint:syscalls:sys_enter_*recv*
25 | /$1 == 0 || pid == $1/
26 | {
27 | @[probe, ustack, comm] = count();
28 | }
29 |
--------------------------------------------------------------------------------
/originals/Ch13_Applications/killsnoop.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * killsnoop Trace signals issued by the kill() syscall.
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * USAGE: killsnoop.bt
10 | *
11 | * Also a basic example of bpftrace.
12 | *
13 | * This is a bpftrace version of the bcc tool of the same name.
14 | *
15 | * Copyright 2018 Netflix, Inc.
16 | * Licensed under the Apache License, Version 2.0 (the "License")
17 | *
18 | * 07-Sep-2018 Brendan Gregg Created this.
19 | */
20 |
21 | BEGIN
22 | {
23 | printf("Tracing kill() signals... Hit Ctrl-C to end.\n");
24 | printf("%-9s %-6s %-16s %-4s %-6s %s\n", "TIME", "PID", "COMM", "SIG",
25 | "TPID", "RESULT");
26 | }
27 |
28 | tracepoint:syscalls:sys_enter_kill
29 | {
30 | @tpid[tid] = args->pid;
31 | @tsig[tid] = args->sig;
32 | }
33 |
34 | tracepoint:syscalls:sys_exit_kill
35 | /@tpid[tid]/
36 | {
37 | time("%H:%M:%S ");
38 | printf("%-6d %-16s %-4d %-6d %d\n", pid, comm, @tsig[tid], @tpid[tid],
39 | args->ret);
40 | delete(@tpid[tid]);
41 | delete(@tsig[tid]);
42 | }
43 |
--------------------------------------------------------------------------------
/originals/Ch13_Applications/mysqld_clat.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * mysqld_clat - Show MySQL command latency as a histogram.
4 | *
5 | * See BPF Performance Tools, Chapter 13, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 15-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing mysqld command latencies. Ctrl-C to end.\n");
19 |
20 | // from include/my_command.h:
21 | @com[0] = "COM_SLEEP";
22 | @com[1] = "COM_QUIT";
23 | @com[2] = "COM_INIT_DB";
24 | @com[3] = "COM_QUERY";
25 | @com[4] = "COM_FIELD_LIST";
26 | @com[5] = "COM_CREATE_DB";
27 | @com[6] = "COM_DROP_DB";
28 | @com[7] = "COM_REFRESH";
29 | @com[8] = "COM_SHUTDOWN";
30 | @com[9] = "COM_STATISTICS";
31 | @com[10] = "COM_PROCESS_INFO";
32 | @com[11] = "COM_CONNECT";
33 | @com[12] = "COM_PROCESS_KILL";
34 | @com[13] = "COM_DEBUG";
35 | @com[14] = "COM_PING";
36 | @com[15] = "COM_TIME";
37 | @com[16] = "COM_DELAYED_INSERT";
38 | @com[17] = "COM_CHANGE_USER";
39 | @com[18] = "COM_BINLOG_DUMP";
40 | @com[19] = "COM_TABLE_DUMP";
41 | @com[20] = "COM_CONNECT_OUT";
42 | @com[21] = "COM_REGISTER_SLAVE";
43 | @com[22] = "COM_STMT_PREPARE";
44 | @com[23] = "COM_STMT_EXECUTE";
45 | @com[24] = "COM_STMT_SEND_LONG_DATA";
46 | @com[25] = "COM_STMT_CLOSE";
47 | @com[26] = "COM_STMT_RESET";
48 | @com[27] = "COM_SET_OPTION";
49 | @com[28] = "COM_STMT_FETCH";
50 | @com[29] = "COM_DAEMON";
51 | @com[30] = "COM_BINLOG_DUMP_GTID";
52 | @com[31] = "COM_RESET_CONNECTION";
53 | }
54 |
55 | usdt:/usr/sbin/mysqld:mysql:command__start
56 | {
57 | @command[tid] = arg1;
58 | @start[tid] = nsecs;
59 | }
60 |
61 | usdt:/usr/sbin/mysqld:mysql:command__done
62 | /@start[tid]/
63 | {
64 | $dur = (nsecs - @start[tid]) / 1000;
65 | @us[@com[@command[tid]]] = hist($dur);
66 | delete(@command[tid]);
67 | delete(@start[tid]);
68 | }
69 |
70 | END
71 | {
72 | clear(@com);
73 | }
74 |
--------------------------------------------------------------------------------
/originals/Ch13_Applications/mysqld_qslower-uprobes.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * mysqld_qslower-uprobes - Show MySQL queries slower than a threshold.
4 | *
5 | * See BPF Performance Tools, Chapter 13, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 15-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing mysqld queries slower than %d ms. Ctrl-C to end.\n",
19 | $1);
20 | printf("%-10s %-6s %6s %s\n", "TIME(ms)", "PID", "MS", "QUERY");
21 | }
22 |
23 | uprobe:/usr/sbin/mysqld:*dispatch_command*
24 | {
25 | $COM_QUERY = 3; // see include/my_command.h
26 | if (arg2 == $COM_QUERY) {
27 | @query[tid] = str(*arg1);
28 | @start[tid] = nsecs;
29 | }
30 | }
31 |
32 | uretprobe:/usr/sbin/mysqld:*dispatch_command*
33 | /@start[tid]/
34 | {
35 | $dur = (nsecs - @start[tid]) / 1000000;
36 | if ($dur > $1) {
37 | printf("%-10u %-6d %6d %s\n", elapsed / 1000000,
38 | pid, $dur, @query[tid]);
39 | }
40 | delete(@query[tid]);
41 | delete(@start[tid]);
42 | }
43 |
--------------------------------------------------------------------------------
/originals/Ch13_Applications/mysqld_qslower.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * mysqld_qslower - Show MySQL queries slower than a threshold.
4 | *
5 | * See BPF Performance Tools, Chapter 13, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 15-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing mysqld queries slower than %d ms. Ctrl-C to end.\n",
19 | $1);
20 | printf("%-10s %-6s %6s %s\n", "TIME(ms)", "PID", "MS", "QUERY");
21 | }
22 |
23 | usdt:/usr/sbin/mysqld:mysql:query__start
24 | {
25 | @query[tid] = str(arg0);
26 | @start[tid] = nsecs;
27 | }
28 |
29 | usdt:/usr/sbin/mysqld:mysql:query__done
30 | /@start[tid]/
31 | {
32 | $dur = (nsecs - @start[tid]) / 1000000;
33 | if ($dur > $1) {
34 | printf("%-10u %-6d %6d %s\n", elapsed / 1000000,
35 | pid, $dur, @query[tid]);
36 | }
37 | delete(@query[tid]);
38 | delete(@start[tid]);
39 | }
40 |
--------------------------------------------------------------------------------
/originals/Ch13_Applications/naptime.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * naptime - Show voluntary sleep calls.
4 | *
5 | * See BPF Performance Tools, Chapter 13, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 16-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 |
19 | BEGIN
20 | {
21 | printf("Tracing sleeps. Hit Ctrl-C to end.\n");
22 | printf("%-8s %-6s %-16s %-6s %-16s %s\n", "TIME", "PPID", "PCOMM",
23 | "PID", "COMM", "SECONDS");
24 | }
25 |
26 | tracepoint:syscalls:sys_enter_nanosleep
27 | /args->rqtp->tv_sec + args->rqtp->tv_nsec/
28 | {
29 | $task = (struct task_struct *)curtask;
30 | time("%H:%M:%S ");
31 | printf("%-6d %-16s %-6d %-16s %d.%03d\n", $task->real_parent->pid,
32 | $task->real_parent->comm, pid, comm,
33 | args->rqtp->tv_sec, args->rqtp->tv_nsec / 1000000);
34 | }
35 |
--------------------------------------------------------------------------------
/originals/Ch13_Applications/offcpuhist.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * offcpuhist - Show off-CPU stacks with time histograms.
4 | *
5 | * See BPF Performance Tools, Chapter 13, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 16-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | BEGIN
19 | {
20 | printf("Tracing nanosecond time in off-CPU stacks. Ctrl-C to end.\n");
21 | }
22 |
23 | kprobe:finish_task_switch
24 | {
25 | // record previous thread sleep time
26 | $prev = (struct task_struct *)arg0;
27 | if ($1 == 0 || $prev->tgid == $1) {
28 | @start[$prev->pid] = nsecs;
29 | }
30 |
31 | // get the current thread start time
32 | $last = @start[tid];
33 | if ($last != 0) {
34 | @[kstack, ustack, comm, tid] = hist(nsecs - $last);
35 | delete(@start[tid]);
36 | }
37 | }
38 |
39 | END
40 | {
41 | clear(@start);
42 | }
43 |
--------------------------------------------------------------------------------
/originals/Ch13_Applications/pmheld.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * pmheld - Show pthread mutex held times and user stacks.
4 | *
5 | * See BPF Performance Tools, Chapter 13, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 17-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing libpthread mutex held times, Ctrl-C to end.\n");
19 | }
20 |
21 | uprobe:/lib/x86_64-linux-gnu/libpthread.so.0:pthread_mutex_lock,
22 | uprobe:/lib/x86_64-linux-gnu/libpthread.so.0:pthread_mutex_trylock
23 | /$1 == 0 || pid == $1/
24 | {
25 | @lock_addr[tid] = arg0;
26 | }
27 |
28 | uretprobe:/lib/x86_64-linux-gnu/libpthread.so.0:pthread_mutex_lock
29 | /($1 == 0 || pid == $1) && @lock_addr[tid]/
30 | {
31 | @held_start[pid, @lock_addr[tid]] = nsecs;
32 | delete(@lock_addr[tid]);
33 | }
34 |
35 | uretprobe:/lib/x86_64-linux-gnu/libpthread.so.0:pthread_mutex_trylock
36 | /retval == 0 && ($1 == 0 || pid == $1) && @lock_addr[tid]/
37 | {
38 | @held_start[pid, @lock_addr[tid]] = nsecs;
39 | delete(@lock_addr[tid]);
40 | }
41 |
42 | uprobe:/lib/x86_64-linux-gnu/libpthread.so.0:pthread_mutex_unlock
43 | /($1 == 0 || pid == $1) && @held_start[pid, arg0]/
44 | {
45 | @held_time_ns[usym(arg0), ustack(5), comm] =
46 | hist(nsecs - @held_start[pid, arg0]);
47 | delete(@held_start[pid, arg0]);
48 | }
49 |
50 | END
51 | {
52 | clear(@lock_addr);
53 | clear(@held_start);
54 | }
55 |
--------------------------------------------------------------------------------
/originals/Ch13_Applications/pmlock.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * pmlock - Show pthread mutex lock times and user stacks.
4 | *
5 | * See BPF Performance Tools, Chapter 13, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 17-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing libpthread mutex lock latency, Ctrl-C to end.\n");
19 | }
20 |
21 | uprobe:/lib/x86_64-linux-gnu/libpthread.so.0:pthread_mutex_lock
22 | /$1 == 0 || pid == $1/
23 | {
24 | @lock_start[tid] = nsecs;
25 | @lock_addr[tid] = arg0;
26 | }
27 |
28 | uretprobe:/lib/x86_64-linux-gnu/libpthread.so.0:pthread_mutex_lock
29 | /($1 == 0 || pid == $1) && @lock_start[tid]/
30 | {
31 | @lock_latency_ns[usym(@lock_addr[tid]), ustack(5), comm] =
32 | hist(nsecs - @lock_start[tid]);
33 | delete(@lock_start[tid]);
34 | delete(@lock_addr[tid]);
35 | }
36 |
37 | END
38 | {
39 | clear(@lock_start);
40 | clear(@lock_addr);
41 | }
42 |
--------------------------------------------------------------------------------
/originals/Ch13_Applications/signals.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * signals - Summarize sent signals by target process.
4 | *
5 | * See BPF Performance Tools, Chapter 13, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 16-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Counting signals. Hit Ctrl-C to end.\n");
19 |
20 | // from /usr/include/asm-generic/signal.h:
21 | @sig[0] = "0";
22 | @sig[1] = "SIGHUP";
23 | @sig[2] = "SIGINT";
24 | @sig[3] = "SIGQUIT";
25 | @sig[4] = "SIGILL";
26 | @sig[5] = "SIGTRAP";
27 | @sig[6] = "SIGABRT";
28 | @sig[7] = "SIGBUS";
29 | @sig[8] = "SIGFPE";
30 | @sig[9] = "SIGKILL";
31 | @sig[10] = "SIGUSR1";
32 | @sig[11] = "SIGSEGV";
33 | @sig[12] = "SIGUSR2";
34 | @sig[13] = "SIGPIPE";
35 | @sig[14] = "SIGALRM";
36 | @sig[15] = "SIGTERM";
37 | @sig[16] = "SIGSTKFLT";
38 | @sig[17] = "SIGCHLD";
39 | @sig[18] = "SIGCONT";
40 | @sig[19] = "SIGSTOP";
41 | @sig[20] = "SIGTSTP";
42 | @sig[21] = "SIGTTIN";
43 | @sig[22] = "SIGTTOU";
44 | @sig[23] = "SIGURG";
45 | @sig[24] = "SIGXCPU";
46 | @sig[25] = "SIGXFSZ";
47 | @sig[26] = "SIGVTALRM";
48 | @sig[27] = "SIGPROF";
49 | @sig[28] = "SIGWINCH";
50 | @sig[29] = "SIGIO";
51 | @sig[30] = "SIGPWR";
52 | @sig[31] = "SIGSYS";
53 | }
54 |
55 | tracepoint:signal:signal_generate
56 | {
57 | @[@sig[args->sig], args->pid, args->comm] = count();
58 | }
59 |
60 | END
61 | {
62 | printf("\n@[SIGNAL, PID, COMM] = COUNT");
63 | clear(@sig);
64 | }
65 |
--------------------------------------------------------------------------------
/originals/Ch13_Applications/threaded.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * threaded - Sample on-CPU threads.
4 | *
5 | * See BPF Performance Tools, Chapter 13, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 16-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | if ($1 == 0) {
19 | printf("USAGE: threaded.bt PID\n");
20 | exit();
21 | }
22 | printf("Sampling PID %d threads at 99 Hertz. Ctrl-C to end.\n", $1);
23 | }
24 |
25 | profile:hz:99
26 | /pid == $1/
27 | {
28 | @[comm, tid] = count();
29 | }
30 |
31 | interval:s:1
32 | {
33 | time();
34 | print(@);
35 | clear(@);
36 | }
37 |
--------------------------------------------------------------------------------
/originals/Ch13_Applications/threadsnoop.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * threadsnoop - List new thread creation.
4 | *
5 | * See BPF Performance Tools, Chapter 13, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 15-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("%-10s %-6s %-16s %s\n", "TIME(ms)", "PID", "COMM", "FUNC");
19 | }
20 |
21 | uprobe:/lib/x86_64-linux-gnu/libpthread.so.0:pthread_create
22 | {
23 | printf("%-10u %-6d %-16s %s\n", elapsed / 1000000, pid, comm,
24 | usym(arg2));
25 | }
26 |
--------------------------------------------------------------------------------
/originals/Ch14_Kernel/kmem.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * kmem - Summarize kernel memory allocations.
4 | *
5 | * See BPF Performance Tools, Chapter 14, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 15-Mar-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing kmem allocation stacks (kmalloc, kmem_cache_alloc). ");
19 | printf("Hit Ctrl-C to end.\n");
20 | }
21 |
22 | tracepoint:kmem:kmalloc,
23 | tracepoint:kmem:kmem_cache_alloc
24 | {
25 | @bytes[kstack(5), comm] = stats(args->bytes_alloc);
26 | }
27 |
--------------------------------------------------------------------------------
/originals/Ch14_Kernel/kpages.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * kpages - Summarize kernel page allocations.
4 | *
5 | * See BPF Performance Tools, Chapter 14, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 15-Mar-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing page allocation stacks. Hit Ctrl-C to end.\n");
19 | }
20 |
21 | tracepoint:kmem:mm_page_alloc
22 | {
23 | @pages[kstack(5), comm] = count();
24 | }
25 |
--------------------------------------------------------------------------------
/originals/Ch14_Kernel/loads.bt:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bpftrace
2 | /*
3 | * loads Prints load averages.
4 | * For Linux, uses bpftrace and eBPF.
5 | *
6 | * This is a snapshot from https://github.com/iovisor/bpftrace.
7 | * Refer to that repository for updated versions.
8 | *
9 | * These are the same load averages printed by "uptime", but to three decimal
10 | * places instead of two (not that it really matters). This is really a
11 | * demonstration of fetching and processing a kernel structure from bpftrace.
12 | *
13 | * USAGE: loads.bt
14 | *
15 | * This is a bpftrace version of a DTraceToolkit tool.
16 | *
17 | * Copyright 2018 Netflix, Inc.
18 | * Licensed under the Apache License, Version 2.0 (the "License")
19 | *
20 | * 10-Sep-2018 Brendan Gregg Created this.
21 | */
22 |
23 | BEGIN
24 | {
25 | printf("Reading load averages... Hit Ctrl-C to end.\n");
26 | }
27 |
28 | interval:s:1
29 | {
30 | /*
31 | * See fs/proc/loadavg.c and include/linux/sched/loadavg.h for the
32 | * following calculations.
33 | */
34 | $avenrun = kaddr("avenrun");
35 | $load1 = *$avenrun;
36 | $load5 = *($avenrun + 8);
37 | $load15 = *($avenrun + 16);
38 | time("%H:%M:%S ");
39 | printf("load averages: %d.%03d %d.%03d %d.%03d\n",
40 | ($load1 >> 11), (($load1 & ((1 << 11) - 1)) * 1000) >> 11,
41 | ($load5 >> 11), (($load5 & ((1 << 11) - 1)) * 1000) >> 11,
42 | ($load15 >> 11), (($load15 & ((1 << 11) - 1)) * 1000) >> 11
43 | );
44 | }
45 |
--------------------------------------------------------------------------------
/originals/Ch14_Kernel/mheld.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * mheld - Show mutex held times and kernel stacks.
4 | *
5 | * See BPF Performance Tools, Chapter 14, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 14-Mar-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing mutex_lock() held times, Ctrl-C to end.\n");
19 | }
20 |
21 | kprobe:mutex_lock,
22 | kprobe:mutex_trylock,
23 | kprobe:mutex_lock_interruptible
24 | /$1 == 0 || pid == $1/
25 | {
26 | @lock_addr[tid] = arg0;
27 | }
28 |
29 | kretprobe:mutex_lock
30 | /($1 == 0 || pid == $1) && @lock_addr[tid]/
31 | {
32 | @held_start[@lock_addr[tid]] = nsecs;
33 | delete(@lock_addr[tid]);
34 | }
35 |
36 | kretprobe:mutex_trylock,
37 | kretprobe:mutex_lock_interruptible
38 | /retval == 0 && ($1 == 0 || pid == $1) && @lock_addr[tid]/
39 | {
40 | @held_start[@lock_addr[tid]] = nsecs;
41 | delete(@lock_addr[tid]);
42 | }
43 |
44 | kprobe:mutex_unlock
45 | /($1 == 0 || pid == $1) && @held_start[arg0]/
46 | {
47 | @held_time_ns[ksym(arg0), kstack(5), comm] =
48 | hist(nsecs - @held_start[arg0]);
49 | delete(@held_start[arg0]);
50 | }
51 |
52 | END
53 | {
54 | clear(@lock_addr);
55 | clear(@held_start);
56 | }
57 |
--------------------------------------------------------------------------------
/originals/Ch14_Kernel/mlock.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * mlock - Show mutex lock times and kernel stacks.
4 | *
5 | * See BPF Performance Tools, Chapter 14, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 14-Mar-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing mutex_lock() latency, Ctrl-C to end.\n");
19 | }
20 |
21 | kprobe:mutex_lock,
22 | kprobe:mutex_lock_interruptible
23 | /$1 == 0 || pid == $1/
24 | {
25 | @lock_start[tid] = nsecs;
26 | @lock_addr[tid] = arg0;
27 | }
28 |
29 | kretprobe:mutex_lock
30 | /($1 == 0 || pid == $1) && @lock_start[tid]/
31 | {
32 | @lock_latency_ns[ksym(@lock_addr[tid]), kstack(5), comm] =
33 | hist(nsecs - @lock_start[tid]);
34 | delete(@lock_start[tid]);
35 | delete(@lock_addr[tid]);
36 | }
37 |
38 | kretprobe:mutex_lock_interruptible
39 | /retval == 0 && ($1 == 0 || pid == $1) && @lock_start[tid]/
40 | {
41 | @lock_latency_ns[ksym(@lock_addr[tid]), kstack(5), comm] =
42 | hist(nsecs - @lock_start[tid]);
43 | delete(@lock_start[tid]);
44 | delete(@lock_addr[tid]);
45 | }
46 |
47 | END
48 | {
49 | clear(@lock_start);
50 | clear(@lock_addr);
51 | }
52 |
--------------------------------------------------------------------------------
/originals/Ch14_Kernel/numamove.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * numamove - Show numa page migration statistics.
4 | *
5 | * See BPF Performance Tools, Chapter 14, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 26-Jan-2019 Brendan Gregg Created this.
14 | */
15 |
16 | kprobe:migrate_misplaced_page { @start[tid] = nsecs; }
17 |
18 | kretprobe:migrate_misplaced_page /@start[tid]/
19 | {
20 | $dur = nsecs - @start[tid];
21 | @ns += $dur;
22 | @num++;
23 | delete(@start[tid]);
24 | }
25 |
26 | BEGIN
27 | {
28 | printf("%-10s %18s %18s\n", "TIME",
29 | "NUMA_migrations", "NUMA_migrations_ms");
30 | }
31 |
32 | interval:s:1
33 | {
34 | time("%H:%M:%S");
35 | printf(" %18d %18d\n", @num, @ns / 1000000);
36 | delete(@num);
37 | delete(@ns);
38 | }
39 |
--------------------------------------------------------------------------------
/originals/Ch14_Kernel/slabratetop.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * slabratetop - Show kernel slab allocation rates by cache.
4 | *
5 | * See BPF Performance Tools, Chapter 14, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 26-Jan-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 | #ifdef CONFIG_SLUB
19 | #include
20 | #else
21 | #include
22 | #endif
23 |
24 | kprobe:kmem_cache_alloc
25 | {
26 | $cachep = (struct kmem_cache *)arg0;
27 | @[str($cachep->name)] = count();
28 | }
29 |
30 | interval:s:1
31 | {
32 | time();
33 | print(@);
34 | clear(@);
35 | }
36 |
--------------------------------------------------------------------------------
/originals/Ch14_Kernel/workq.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * workq - Show work queue function execution times.
4 | *
5 | * See BPF Performance Tools, Chapter 14, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 14-Mar-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing workqueue request latencies. Ctrl-C to end.\n");
19 | }
20 |
21 | tracepoint:workqueue:workqueue_execute_start
22 | {
23 | @start[tid] = nsecs;
24 | @wqfunc[tid] = args->function;
25 | }
26 |
27 | tracepoint:workqueue:workqueue_execute_end
28 | /@start[tid]/
29 | {
30 | $dur = (nsecs - @start[tid]) / 1000;
31 | @us[ksym(@wqfunc[tid])] = hist($dur);
32 | delete(@start[tid]);
33 | delete(@wqfunc[tid]);
34 | }
35 |
36 | END
37 | {
38 | clear(@start);
39 | clear(@wqfunc);
40 | }
41 |
--------------------------------------------------------------------------------
/originals/Ch15_Containers/blkthrot.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * blkthrot - Count block I/O throttles by blk cgroup.
4 | *
5 | * See BPF Performance Tools, Chapter 15, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 06-May-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 |
19 | BEGIN
20 | {
21 | printf("Tracing block I/O throttles by cgroup. Ctrl-C to end\n");
22 | }
23 |
24 | kprobe:blk_throtl_bio
25 | {
26 | @blkg[tid] = arg1;
27 | }
28 |
29 | kretprobe:blk_throtl_bio
30 | /@blkg[tid]/
31 | {
32 | $blkg = (struct blkcg_gq *)@blkg[tid];
33 | if (retval) {
34 | @throttled[$blkg->blkcg->css.id] = count();
35 | } else {
36 | @notthrottled[$blkg->blkcg->css.id] = count();
37 | }
38 | delete(@blkg[tid]);
39 | }
40 |
--------------------------------------------------------------------------------
/originals/Ch15_Containers/overlayfs.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * overlayfs - Show overlay FS read and write latency.
4 | *
5 | * See BPF Performance Tools, Chapter 15, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Jason Koch.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | */
13 |
14 | #include
15 | #include
16 |
17 | kprobe:ovl_read_iter
18 | /((struct task_struct *)curtask)->nsproxy->pid_ns_for_children->ns.inum == $1/
19 | {
20 | @read_start[tid] = nsecs;
21 | }
22 |
23 | kretprobe:ovl_read_iter
24 | /((struct task_struct *)curtask)->nsproxy->pid_ns_for_children->ns.inum == $1/
25 | {
26 | $duration_us = (nsecs - @read_start[tid]) / 1000;
27 | @read_latency_us = hist($duration_us);
28 | delete(@read_start[tid]);
29 | }
30 |
31 | kprobe:ovl_write_iter
32 | /((struct task_struct *)curtask)->nsproxy->pid_ns_for_children->ns.inum == $1/
33 | {
34 | @write_start[tid] = nsecs;
35 | }
36 |
37 | kretprobe:ovl_write_iter
38 | /((struct task_struct *)curtask)->nsproxy->pid_ns_for_children->ns.inum == $1/
39 | {
40 | $duration_us = (nsecs - @write_start[tid]) / 1000;
41 | @write_latency_us = hist($duration_us);
42 | delete(@write_start[tid]);
43 | }
44 |
45 | interval:ms:1000
46 | {
47 | time("\n%H:%M:%S --------------------\n");
48 | print(@write_latency_us);
49 | print(@read_latency_us);
50 | clear(@write_latency_us);
51 | clear(@read_latency_us);
52 | }
53 |
54 | END
55 | {
56 | clear(@write_start);
57 | clear(@read_start);
58 | }
59 |
--------------------------------------------------------------------------------
/originals/Ch15_Containers/pidnss.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * pidnss - Count PID namespace switches: containers sharing a CPU.
4 | *
5 | * See BPF Performance Tools, Chapter 15, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 06-May-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 | #include
19 | #include
20 |
21 | BEGIN
22 | {
23 | printf("Tracing PID namespace switches. Ctrl-C to end\n");
24 | }
25 |
26 | kprobe:finish_task_switch
27 | {
28 | $prev = (struct task_struct *)arg0;
29 | $curr = (struct task_struct *)curtask;
30 | $prev_pidns = $prev->nsproxy->pid_ns_for_children->ns.inum;
31 | $curr_pidns = $curr->nsproxy->pid_ns_for_children->ns.inum;
32 | if ($prev_pidns != $curr_pidns) {
33 | @[$prev_pidns, $prev->nsproxy->uts_ns->name.nodename] = count();
34 | }
35 | }
36 |
37 | END
38 | {
39 | printf("\nVictim PID namespace switch counts [PIDNS, nodename]:\n");
40 | }
41 |
--------------------------------------------------------------------------------
/originals/Ch16_Hypervisors/cpustolen.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * cpustolen - Show CPU stolen time distribution.
4 | *
5 | * See BPF Performance Tools, Chapter 15, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 22-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing stolen CPU time. Ctrl-C to end.\n");
19 | }
20 |
21 | kretprobe:xen_steal_clock,
22 | kretprobe:kvm_steal_clock
23 | {
24 | if (@last[cpu] > 0) {
25 | @stolen_us = hist((retval - @last[cpu]) / 1000);
26 | }
27 | @last[cpu] = retval;
28 | }
29 |
30 | END
31 | {
32 | clear(@last);
33 | }
34 |
--------------------------------------------------------------------------------
/originals/Ch16_Hypervisors/kvmexits.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * kvmexits - Show KVM guest exit time by reason, from the host.
4 | *
5 | * See BPF Performance Tools, Chapter 15, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 25-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing KVM exits. Ctrl-C to end\n");
19 |
20 | // from arch/x86/include/uapi/asm/vmx.h:
21 | @exitreason[0] = "EXCEPTION_NMI";
22 | @exitreason[1] = "EXTERNAL_INTERRUPT";
23 | @exitreason[2] = "TRIPLE_FAULT";
24 | @exitreason[7] = "PENDING_INTERRUPT";
25 | @exitreason[8] = "NMI_WINDOW";
26 | @exitreason[9] = "TASK_SWITCH";
27 | @exitreason[10] = "CPUID";
28 | @exitreason[12] = "HLT";
29 | @exitreason[13] = "INVD";
30 | @exitreason[14] = "INVLPG";
31 | @exitreason[15] = "RDPMC";
32 | @exitreason[16] = "RDTSC";
33 | @exitreason[18] = "VMCALL";
34 | @exitreason[19] = "VMCLEAR";
35 | @exitreason[20] = "VMLAUNCH";
36 | @exitreason[21] = "VMPTRLD";
37 | @exitreason[22] = "VMPTRST";
38 | @exitreason[23] = "VMREAD";
39 | @exitreason[24] = "VMRESUME";
40 | @exitreason[25] = "VMWRITE";
41 | @exitreason[26] = "VMOFF";
42 | @exitreason[27] = "VMON";
43 | @exitreason[28] = "CR_ACCESS";
44 | @exitreason[29] = "DR_ACCESS";
45 | @exitreason[30] = "IO_INSTRUCTION";
46 | @exitreason[31] = "MSR_READ";
47 | @exitreason[32] = "MSR_WRITE";
48 | @exitreason[33] = "INVALID_STATE";
49 | @exitreason[34] = "MSR_LOAD_FAIL";
50 | @exitreason[36] = "MWAIT_INSTRUCTION";
51 | @exitreason[37] = "MONITOR_TRAP_FLAG";
52 | @exitreason[39] = "MONITOR_INSTRUCTION";
53 | @exitreason[40] = "PAUSE_INSTRUCTION";
54 | @exitreason[41] = "MCE_DURING_VMENTRY";
55 | @exitreason[43] = "TPR_BELOW_THRESHOLD";
56 | @exitreason[44] = "APIC_ACCESS";
57 | @exitreason[45] = "EOI_INDUCED";
58 | @exitreason[46] = "GDTR_IDTR";
59 | @exitreason[47] = "LDTR_TR";
60 | @exitreason[48] = "EPT_VIOLATION";
61 | @exitreason[49] = "EPT_MISCONFIG";
62 | @exitreason[50] = "INVEPT";
63 | @exitreason[51] = "RDTSCP";
64 | @exitreason[52] = "PREEMPTION_TIMER";
65 | @exitreason[53] = "INVVPID";
66 | @exitreason[54] = "WBINVD";
67 | @exitreason[55] = "XSETBV";
68 | @exitreason[56] = "APIC_WRITE";
69 | @exitreason[57] = "RDRAND";
70 | @exitreason[58] = "INVPCID";
71 | }
72 |
73 | tracepoint:kvm:kvm_exit
74 | {
75 | @start[tid] = nsecs;
76 | @reason[tid] = args->exit_reason;
77 | }
78 |
79 | tracepoint:kvm:kvm_entry
80 | /@start[tid]/
81 | {
82 | $num = @reason[tid];
83 | @exit_ns[$num, @exitreason[$num]] = hist(nsecs - @start[tid]);
84 | delete(@start[tid]);
85 | delete(@reason[tid]);
86 | }
87 |
88 | END
89 | {
90 | clear(@exitreason);
91 | clear(@start);
92 | clear(@reason);
93 | }
94 |
--------------------------------------------------------------------------------
/originals/Ch16_Hypervisors/xenhyper.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * xenhyper - Count Xen PV hypercalls from the guest.
4 | *
5 | * See BPF Performance Tools, Chapter 15, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 22-Feb-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Counting Xen hypercalls (xen_mc_entry). Ctrl-C to end.\n");
19 |
20 | // needs updating to match your kernel version: xen-hypercalls.h
21 | @name[0] = "set_trap_table";
22 | @name[1] = "mmu_update";
23 | @name[2] = "set_gdt";
24 | @name[3] = "stack_switch";
25 | @name[4] = "set_callbacks";
26 | @name[5] = "fpu_taskswitch";
27 | @name[6] = "sched_op_compat";
28 | @name[7] = "dom0_op";
29 | @name[8] = "set_debugreg";
30 | @name[9] = "get_debugreg";
31 | @name[10] = "update_descriptor";
32 | @name[11] = "memory_op";
33 | @name[12] = "multicall";
34 | @name[13] = "update_va_mapping";
35 | @name[14] = "set_timer_op";
36 | @name[15] = "event_channel_op_compat";
37 | @name[16] = "xen_version";
38 | @name[17] = "console_io";
39 | @name[18] = "physdev_op_compat";
40 | @name[19] = "grant_table_op";
41 | @name[20] = "vm_assist";
42 | @name[21] = "update_va_mapping_otherdomain";
43 | @name[22] = "iret";
44 | @name[23] = "vcpu_op";
45 | @name[24] = "set_segment_base";
46 | @name[25] = "mmuext_op";
47 | @name[26] = "acm_op";
48 | @name[27] = "nmi_op";
49 | @name[28] = "sched_op";
50 | @name[29] = "callback_op";
51 | @name[30] = "xenoprof_op";
52 | @name[31] = "event_channel_op";
53 | @name[32] = "physdev_op";
54 | @name[33] = "hvm_op";
55 | }
56 |
57 | tracepoint:xen:xen_mc_entry
58 | {
59 | @[@name[args->op]] = count();
60 | }
61 |
62 | END
63 | {
64 | clear(@name);
65 | }
66 |
--------------------------------------------------------------------------------
/originals/README.md:
--------------------------------------------------------------------------------
1 | # BPF Performance Tools: Original Tools
2 |
3 | These directories contain the original as-published source code for the BPF (eBPF) tools in [BPF Performance Tools: Linux and Application Observability](http://www.brendangregg.com/bpfperftools.html). The directories are:
4 |
5 | - [Chapter 6: CPUs](Ch06_CPUs)
6 | - [Chapter 7: Memory](Ch07_Memory)
7 | - [Chapter 8: File Systems](Ch08_FileSystems)
8 | - [Chapter 9: Disks](Ch09_Disks)
9 | - [Chapter 10: Networking](Ch10_Networking)
10 | - [Chapter 11: Security](Ch11_Security)
11 | - [Chapter 12: Languages](Ch12_Languages)
12 | - [Chapter 13: Applications](Ch13_Applications)
13 | - [Chapter 14: Kernel](Ch14_Kernel)
14 | - [Chapter 15: Containers](Ch15_Containers)
15 | - [Chapter 16: Hypervisors](Ch16_Hypervisors)
16 | - [Appendix C: BCC](ApxC_BCC)
17 |
18 | The tools are documented in the book.
19 |
20 | If you would like to update a tool, see the [/updated](/updated) directory.
21 |
--------------------------------------------------------------------------------
/updated/Ch06_CPUs/README.md:
--------------------------------------------------------------------------------
1 | nothing here yet
2 |
--------------------------------------------------------------------------------
/updated/Ch07_Memory/README.md:
--------------------------------------------------------------------------------
1 | nothing here yet
2 |
--------------------------------------------------------------------------------
/updated/Ch08_FileSystems/README.md:
--------------------------------------------------------------------------------
1 | nothing here yet
2 |
--------------------------------------------------------------------------------
/updated/Ch09_Disks/README.md:
--------------------------------------------------------------------------------
1 | nothing here yet
2 |
--------------------------------------------------------------------------------
/updated/Ch09_Disks/biostacks.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * biostacks - Show disk I/O latency with initialization stacks.
4 | *
5 | * See BPF Performance Tools, Chapter 9, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 19-Mar-2019 Brendan Gregg Created this.
14 | */
15 |
16 | BEGIN
17 | {
18 | printf("Tracing block I/O with init stacks. Hit Ctrl-C to end.\n");
19 | }
20 |
21 | kprobe:blk_account_io_start
22 | {
23 | @reqstack[arg0] = kstack;
24 | @reqts[arg0] = nsecs;
25 | }
26 |
27 | kprobe:blk_account_io_done
28 | /@reqts[arg0]/
29 | {
30 | @usecs[@reqstack[arg0]] = hist(nsecs - @reqts[arg0]);
31 | delete(@reqstack[arg0]);
32 | delete(@reqts[arg0]);
33 | }
34 |
35 | END
36 | {
37 | clear(@reqstack); clear(@reqts);
38 | }
39 |
--------------------------------------------------------------------------------
/updated/Ch10_Networking/tcplife.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * tcplife - Trace TCP session lifespans with connection details.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 17-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 | #include
18 | #include
19 | #include
20 |
21 | BEGIN
22 | {
23 | printf("%-5s %-10s %-15s %-5s %-15s %-5s ", "PID", "COMM",
24 | "LADDR", "LPORT", "RADDR", "RPORT");
25 | printf("%5s %5s %s\n", "TX_KB", "RX_KB", "MS");
26 | }
27 |
28 | kprobe:tcp_set_state
29 | {
30 | $sk = (struct sock *)arg0;
31 | $newstate = arg1;
32 |
33 | /*
34 | * This tool includes PID and comm context. From TCP this is best
35 | * effort, and may be wrong in some situations. It does this:
36 | * - record timestamp on any state < TCP_FIN_WAIT1
37 | * note some state transitions may not be present via this kprobe
38 | * - cache task context on:
39 | * TCP_SYN_SENT: tracing from client
40 | * TCP_LAST_ACK: client-closed from server
41 | * - do output on TCP_CLOSE:
42 | * fetch task context if cached, or use current task
43 | */
44 |
45 | // record first timestamp seen for this socket
46 | if ($newstate < TCP_FIN_WAIT1 && !@birth[$sk]) {
47 | @birth[$sk] = nsecs;
48 | }
49 |
50 | // record PID & comm on SYN_SENT
51 | if ($newstate == TCP_SYN_SENT || $newstate == TCP_LAST_ACK) {
52 | @skpid[$sk] = pid;
53 | @skcomm[$sk] = comm;
54 | }
55 |
56 | // session ended: calculate lifespan and print
57 | if ($newstate == TCP_CLOSE && @birth[$sk]) {
58 | $delta_ms = (nsecs - @birth[$sk]) / 1000000;
59 | $lport = $sk->__sk_common.skc_num;
60 | $dport = $sk->__sk_common.skc_dport;
61 | $dport = ($dport >> 8) | (($dport << 8) & 0xff00);
62 | $tp = (struct tcp_sock *)$sk;
63 | $pid = @skpid[$sk];
64 | $comm = @skcomm[$sk];
65 | if ($comm == "") {
66 | // not cached, use current task
67 | $pid = pid;
68 | $comm = comm;
69 | }
70 |
71 | $family = $sk->__sk_common.skc_family;
72 | $saddr = ntop(0);
73 | $daddr = ntop(0);
74 | if ($family == AF_INET) {
75 | $saddr = ntop(AF_INET, $sk->__sk_common.skc_rcv_saddr);
76 | $daddr = ntop(AF_INET, $sk->__sk_common.skc_daddr);
77 | } else {
78 | // AF_INET6
79 | $saddr = ntop(AF_INET6,
80 | $sk->__sk_common.skc_v6_rcv_saddr.in6_u.u6_addr8);
81 | $daddr = ntop(AF_INET6,
82 | $sk->__sk_common.skc_v6_daddr.in6_u.u6_addr8);
83 | }
84 | printf("%-5d %-10.10s %-15s %-5d %-15s %-5d ", $pid,
85 | $comm, $saddr, $lport, $daddr, $dport);
86 | printf("%5d %5d %d\n", $tp->bytes_acked / 1024,
87 | $tp->bytes_received / 1024, $delta_ms);
88 |
89 | delete(@birth[$sk]);
90 | delete(@skpid[$sk]);
91 | delete(@skcomm[$sk]);
92 | }
93 | }
94 |
95 | END
96 | {
97 | clear(@birth); clear(@skpid); clear(@skcomm);
98 | }
99 |
--------------------------------------------------------------------------------
/updated/Ch10_Networking/udpconnect.bt:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/bpftrace
2 | /*
3 | * udpconnect - Trace new UDP connections from localhost.
4 | *
5 | * See BPF Performance Tools, Chapter 10, for an explanation of this tool.
6 | *
7 | * Copyright (c) 2019 Brendan Gregg.
8 | * Licensed under the Apache License, Version 2.0 (the "License").
9 | * This was originally created for the BPF Performance Tools book
10 | * published by Addison Wesley. ISBN-13: 9780136554820
11 | * When copying or porting, include this comment.
12 | *
13 | * 20-Apr-2019 Brendan Gregg Created this.
14 | */
15 |
16 | #include
17 |
18 | BEGIN
19 | {
20 | printf("%-8s %-6s %-16s %-2s %-16s %-5s\n", "TIME", "PID", "COMM",
21 | "IP", "RADDR", "RPORT");
22 | }
23 |
24 | kprobe:ip4_datagram_connect,
25 | kprobe:ip6_datagram_connect
26 | {
27 | $sk = (struct sock *)arg0;
28 | $sa = (struct sockaddr *)arg1;
29 | if (($sa->sa_family == AF_INET || $sa->sa_family == AF_INET6) &&
30 | $sk->sk_protocol == IPPROTO_UDP) {
31 | time("%H:%M:%S ");
32 | if ($sa->sa_family == AF_INET) {
33 | $s = (struct sockaddr_in *)arg1;
34 | $port = ($s->sin_port >> 8) |
35 | (($s->sin_port << 8) & 0xff00);
36 | printf("%-6d %-16s 4 %-16s %-5d\n", pid, comm,
37 | ntop(AF_INET, $s->sin_addr.s_addr), $port);
38 | } else {
39 | $s6 = (struct sockaddr_in6 *)arg1;
40 | $port = ($s6->sin6_port >> 8) |
41 | (($s6->sin6_port << 8) & 0xff00);
42 | printf("%-6d %-16s 6 %-16s %-5d\n", pid, comm,
43 | ntop(AF_INET6, $s6->sin6_addr.in6_u.u6_addr8),
44 | $port);
45 | }
46 | }
47 | }
48 |
--------------------------------------------------------------------------------
/updated/Ch11_Security/README.md:
--------------------------------------------------------------------------------
1 | nothing here yet
2 |
--------------------------------------------------------------------------------
/updated/Ch12_Languages/README.md:
--------------------------------------------------------------------------------
1 | nothing here yet
2 |
--------------------------------------------------------------------------------
/updated/Ch13_Applications/README.md:
--------------------------------------------------------------------------------
1 | nothing here yet
2 |
--------------------------------------------------------------------------------
/updated/Ch14_Kernel/README.md:
--------------------------------------------------------------------------------
1 | nothing here yet
2 |
--------------------------------------------------------------------------------
/updated/Ch15_Containers/README.md:
--------------------------------------------------------------------------------
1 | nothing here yet
2 |
--------------------------------------------------------------------------------
/updated/Ch16_Hypervisors/README.md:
--------------------------------------------------------------------------------
1 | nothing here yet
2 |
--------------------------------------------------------------------------------
/updated/README.md:
--------------------------------------------------------------------------------
1 | # BPF Performance Tools: Updated Tools
2 |
3 | These directories contain the original and updated BPF (eBPF) tools for the book [BPF Performance Tools: Linux and Application Observability](http://www.brendangregg.com/bpfperftools.html). The directories are:
4 |
5 | - [Chapter 6: CPUs](Ch06_CPUs)
6 | - [Chapter 7: Memory](Ch07_Memory)
7 | - [Chapter 8: File Systems](Ch08_FileSystems)
8 | - [Chapter 9: Disks](Ch09_Disks)
9 | - [Chapter 10: Networking](Ch10_Networking)
10 | - [Chapter 11: Security](Ch11_Security)
11 | - [Chapter 12: Languages](Ch12_Languages)
12 | - [Chapter 13: Applications](Ch13_Applications)
13 | - [Chapter 14: Kernel](Ch14_Kernel)
14 | - [Chapter 15: Containers](Ch15_Containers)
15 | - [Chapter 16: Hypervisors](Ch16_Hypervisors)
16 | - [Appendix C: BCC](ApxC_BCC)
17 |
18 | The tools are documented in the book.
19 |
20 | All the original as-published source is in the [/originals](/originals) directory. See the main [../README.md](README) for instructions on contributing updates.
21 |
--------------------------------------------------------------------------------