Hello everyone! I am experiencing some issues with the execveat tracepoints, and was wondering if others could reproduce it or help me understand what I am doing wrong. On Arch Linux (kernel 5.9.1,

This is a good question. For packaging purpose, no, it does not matter much. The people who builds package can choose whatever it is available to them to package. bcc is supposed to work for all

Does the LLVM version used by bcc matter, for packaging purposes? I assume bcc includes some static libraries from LLVM, so I'm curious if the older versions are acceptable. For instance, on ubuntu

Thank you very much, Yonghong! Those are very helpful.

e.g., in kernel/events/core.c, for perf event overflow handler, we have rcu_read_lock(); ret = BPF_PROG_RUN(event->prog, &ctx); rcu_read_unlock(); out:

Thanks a lot, Yonghong. From your response: 1. How can I make a kernel function use the return value of a eBPF program/function? 2. An KProbes related question: from an

<jtu3=hawk.iit.edu@...> wrote: Currently, no. Kernel has support to replace a bpf program, but not kernel function. Replacing kernel functions may easily causing kernel mishehave. There

Hello BPF community, I am looking for a way to move a user space program's disk I/O scheduling related logic down to kernel space, and then have the new kernel logic communicate with the user space

XDP only tracks raw packet. There is no skb or other meta data is available at that point. You either need to track by yourself or you add another skb or sk level hook.

Thanks Forrest!

Nice, thanks Song. I am actually looking to track it till it is closed, so might have to remove that tag when the socket goes to closed state. And once I have the concurrent connections info, say in a

Hi, Observing established connection counter discrepancy as 20% (30-40 connections mismatch out of 200) in one day that builds to 30% by day-2 and so on. This observation is with this code if

Hello, Correcting typo in code snippet <code> TRACEPOINT_PROBE(sock, inet_sock_set_state) { if (args->newstate == TCP_ESTABLISHED) __sync_fetch_and_add(val, 1); if

Hi Ragalahari, In your code you seem to not check for "old state" when you're heading to decrement. It looks like you are adding 1 and then immediately subtracting 1 in the same condition. That might

Hi everyone, I am using inet_set_socket_state trace point to get current establish connection count Here, incrementing counter value in BPF map when new state is TCP_ESTABLISHED and decrementing

Sure I can accept a PR.

I have to create a test-environment (based on vagrant) the last couple of days and i've done this with ubuntu 20.04 as base image. Is the repository https://github.com/iovisor/vagrant still active? If

you can attach kprobe in 'tcp_conn_request" for inbound connection -- forrest0579@...

Maybe you can use sk_local_storage? You can attach a piece of information to the socket during TCP_SYN_RECV and later on during TCP_ESTABLISHED to check that data, and you can delete that data

Hi, I am looking for tracking inbound connections on a system using tracepoints/kprobes. I was checking "trace_inet_sock_set_state", with which we can track the state changes during connection