No perf buffer is just fine to pass data from the BPF program in the kernel to the user-space part for post-processing. It's hard to give you any definitive answer, it all depends. But think about

Unfortunately my project is currently targeting Ubuntu 20.04 which ships with linux kernel version 5.4. It is a shame because the new ring buffer interface looks excellent! That said, would you still

I don't think golang can interrupt thread while it's being executed in the kernel. So from the golang perspective I wouldn't worry, the kernel will execute both kprobe and corresponding kretprobe

If you have the luxury of using Linux kernel 5.8 or newer, you can try a new BPF ring buffer map, that provides MPSC queue (so you can queue from multiple CPUs simultaneously, while BPF perf buffer

The project I am working on generically loads BPF object files, pins their respective maps, and then proceeds to use perf_buffer__poll from libbpf to poll the maps. I currently am polling the multiple

On Fri, Aug 7, 2020 at 11:31 AM, Andrii Nakryiko wrote: You can't do it reliably with kretprobe. kretprobe is executed right before the function is exiting, by that time all the registers

You can't do it reliably with kretprobe. kretprobe is executed right before the function is exiting, by that time all the registers that contained input parameters could have been used for something

When using kprobe in bcc, I can get param directly like `int kprobe__tcp_set_state(struct pt_regs *ctx, struct sock *sk, int state)` But it seems not to work in kretprobe, I've found that I can get

The BPF UAPI header file <linux/bpf.h> includes <linux/types.h>, which gives BPF-programs access to types e.g. __u32, __u64, __u8, etc. On Ubuntu/Debian when compiling with clang option[1] "-target

Hi, I am trying to attach the same TC eBPF program instance to both host and container interfaces. So some of the maps need to be qualified with the netns id. I was wondering if there is a way to

Hello Tristan! That is the same path I found when debugging with strace! I think I also saw a missing comm string during my tests (with printk from BCC), but I would have to reproduce it again to be

Alessandro, I figured out that it's non-deterministic. So sometimes certain commands (git, awk, rm, uname, etc.) will have an openat with no filename, but other times they will. I ran these commands

I ran the same test with strace. One of the file data points that doesn't show up is this: bpftrace: sys_enter_openat mode:0 filename: (93911401193582) strace: openat(AT_FDCWD,

Hello Tristan, thanks for spending the time to check this out! One thing I forgot to mention is that I can verify with strace that the filename parameter is always present. I initially suspected

I don't have an answer, but I verified this with the following bpftrace script and using the action of switching to zsh/oh-my-zsh from

Hello everyone, I'll start with some backstory first: I wrote my own BPF library to trace functions/syscalls and yesterday I noticed that I am sometimes receiving broken openat() tracepoint data.

Hello, I am trying a port mirroring use case that basically mirrors traffic from host1 to host2. On host 1 I have two interfaces eth0 and eth1 and have configured vxlan interface on eth1. I have used

Hi, Lately, I've been working on in-kernel traffic analysis with eBPF and the newest features released in the latest kernel versions (queue/stack, batch operations,...). For some reason, I couldn't

Thanks, fetch_and_add would be more appropriate to my use-case

You cannot use the return value. A recent llvm should return an error if you try to use it. There is some preliminary work to have more atomic operations in the BPF ISA.