【BPF EBPF】

简介: 【BPF EBPF】

Linux 4.14 内核

tcp.bt

#include <linux/socket.h>
#include <net/sock.h>
// One-time setup: seed the numeric-state -> name table that
// kprobe:tcp_fin uses to print a readable TCP state. Keys are the
// kernel's numeric TCP_* state values.
BEGIN
{
  @tcp_states[1]  = "ESTABLISHED";
  @tcp_states[2]  = "SYN_SENT";
  @tcp_states[3]  = "SYN_RECV";
  @tcp_states[4]  = "FIN_WAIT1";
  @tcp_states[5]  = "FIN_WAIT2";
  @tcp_states[6]  = "TIME_WAIT";
  @tcp_states[7]  = "CLOSE";
  @tcp_states[8]  = "CLOSE_WAIT";
  @tcp_states[9]  = "LAST_ACK";
  @tcp_states[10] = "LISTEN";
  @tcp_states[11] = "CLOSING";
  @tcp_states[12] = "NEW_SYN_RECV";
  printf("Tracing tcp state.\n");
}
// 
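// Inbound TCP connections: inet_csk_accept() returns the newly accepted
// child socket, or NULL on failure. The filter skips the NULL case so
// a failed accept does not produce an all-zero "0.0.0.0:0" line.
kretprobe:inet_csk_accept
/retval != 0/
{
  $sk = (struct sock *)retval;
  $inet_family = $sk->__sk_common.skc_family;
  // Only AF_INET is decoded here; other families keep the 0.0.0.0 placeholder.
  $daddr = ntop(0);
  $saddr = ntop(0);
  if ($inet_family == AF_INET) {
    $daddr = ntop($sk->__sk_common.skc_daddr);
    $saddr = ntop($sk->__sk_common.skc_rcv_saddr);
  }
  // skc_num is kept in host byte order, but skc_dport is stored in
  // network (big-endian) order: swap its bytes before printing,
  // otherwise e.g. port 80 would be shown as 20480.
  $sport = $sk->__sk_common.skc_num;
  $dport = $sk->__sk_common.skc_dport;
  $dport = ($dport >> 8) | (($dport << 8) & 0xff00);
  // Printed as peer --> local, which matches the direction of an accept.
  printf(" tcp_accept: %-16s:%d --> %-16s:%d\n", $daddr, $dport, $saddr, $sport);
}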
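// Outbound TCP connections: tcp_connect() is entered with the socket
// being connected as its first argument.
kprobe:tcp_connect
{
  $sk = (struct sock *)arg0;
  $inet_family = $sk->__sk_common.skc_family;
  // Only AF_INET is decoded here; other families keep the 0.0.0.0 placeholder.
  $daddr = ntop(0);
  $saddr = ntop(0);
  if ($inet_family == AF_INET) {
    $daddr = ntop($sk->__sk_common.skc_daddr);
    $saddr = ntop($sk->__sk_common.skc_rcv_saddr);
  }
  $sport = $sk->__sk_common.skc_num;
  // skc_dport is stored in network (big-endian) byte order, unlike
  // skc_num; swap its bytes so the port prints as the expected number.
  $dport = $sk->__sk_common.skc_dport;
  $dport = ($dport >> 8) | (($dport << 8) & 0xff00);
  // Same peer --> local layout as the tcp_accept line so both outputs
  // line up, even though this event is an outbound connect.
  printf(" tcp_connect: %-16s:%d --> %-16s:%d\n", $daddr, $dport, $saddr, $sport);
}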
// connect() entry: record the start timestamp per thread and echo it.
tracepoint:syscalls:sys_enter_connect
{
  $t0 = nsecs;
  @start[tid] = $t0;
  printf("sys_enter_connect: %s --> %ld\n", comm, $t0);
}
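// connect() return: charge the elapsed time to the calling process.
// The filter drops returns whose entry was never recorded (e.g. a
// connect() already in flight when tracing started); without it the
// subtraction would use a missing (zero) entry and yield a huge bogus
// latency. Same guard as the vfs_read one-liner further down.
tracepoint:syscalls:sys_exit_connect
/@start[tid]/
{
  // Despite the name, @ms accumulates nanoseconds (deltas of nsecs).
  @ms[comm] = sum(nsecs - @start[tid]);
  delete(@start[tid]);
  printf("sys_exit_connect: %s ", comm);
  print(@ms);
}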
// FIN handling: report the socket's TCP state (named via @tcp_states)
// together with a wall-clock timestamp and the current task.
kprobe:tcp_fin
{
  $sock = (struct sock *)arg0;
  $name = @tcp_states[$sock->__sk_common.skc_state];
  printf(" tcp_fin ");
  time("%H:%M:%S ");
  printf("%-8d %-16s %-16s\n", pid, comm, $name);
}
// Drop the helper maps so their contents are not dumped when bpftrace exits.
END
{
  clear(@start);
  clear(@ms);
  clear(@tcp_states);
}

bpftrace 命令

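# Per-second counts of block I/O request tracepoints (block_rq_i* matches e.g. block_rq_issue / block_rq_insert).
bpftrace -e 'tracepoint:block:block_rq_i* { @[probe] = count(); } interval:s:1 { print(@); clear(@); }'
# Total bytes returned by successful read() syscalls.
bpftrace -e 'tracepoint:syscalls:sys_exit_read /args->ret > 0/ { @bytes = sum(args->ret); }'
# Power-of-two histogram of read() return values.
bpftrace -e 'tracepoint:syscalls:sys_exit_read { @ret = hist(args->ret); }'
# Linear histogram of read() return values: buckets of 100 from 0 to 1000.
bpftrace -e 'tracepoint:syscalls:sys_exit_read { @ret = lhist(args->ret, 0, 1000, 100); }'
# Count read() failures keyed by the (negated) error code.
bpftrace -e 'tracepoint:syscalls:sys_exit_read /args->ret < 0/ { @[- args->ret] = count(); }'
# Count calls to every vfs_* kernel function; print the top 5 on exit.
bpftrace -e 'kprobe:vfs_* { @[probe] = count(); } END { print(@, 5); clear(@); }'
# Sum vfs_read() latency per process. The /@start[tid]/ filter skips returns whose
# entry was not seen. Values are nanoseconds; print() divides by 1000000 to show ms.
bpftrace -e 'kprobe:vfs_read { @start[tid] =nsecs; } kretprobe:vfs_read /@start[tid]/ { @ms[comm] = sum(nsecs - @start[tid]); delete(@start[tid]); } END { print(@ms, 0, 1000000); clear(@ms); clear(@start); }'
# Count vfs_read() calls per PID (k: is short for kprobe:).
bpftrace -e 'k:vfs_read { @[pid] = count(); }'
# New process execution: calling comm -> executed path.
bpftrace -e 'tracepoint:syscalls:sys_enter_execve { printf("%s -> %s\n", comm, str(args->filename)); }'
# Same, printing the full argv of each execve().
bpftrace -e 'tracepoint:syscalls:sys_enter_execve { join(args->argv); }'
# File opens: comm and path.
bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("%s %s\n", comm, str(args->filename)); }'
# Syscall counts per process name, per syscall probe, and per (pid, comm).
bpftrace -e 'tracepoint:raw_syscalls:sys_enter {@[comm] = count(); }'
bpftrace -e 'tracepoint:syscalls:sys_enter_* {@[probe] = count(); }'
bpftrace -e 'tracepoint:raw_syscalls:sys_enter {@[pid, comm] = count(); }'
# read() return values per process: summed, then as a histogram.
bpftrace -e 'tracepoint:syscalls:sys_exit_read /args->ret/ { @[comm] = sum(args->ret); }'
bpftrace -e 'tracepoint:syscalls:sys_exit_read { @[comm] = hist(args->ret); }'
# Block I/O requests as they are issued: pid, comm, request size in bytes.
bpftrace -e 'tracepoint:block:block_rq_issue { printf("%d %s %d\n", pid, comm, args->bytes); }'
# Page faults per process: major faults only, then all faults.
bpftrace -e 'software:major-faults:1 { @[comm] = count(); }'
bpftrace -e 'software:faults:1 { @[comm] = count(); }'
# clone() entry and return, with the caller's comm and PID.
bpftrace -e 'tracepoint:syscalls:sys_enter_clone { printf("-> clone() by %s PID %d\n", comm, pid); } tracepoint:syscalls:sys_exit_clone { printf("<- clone() return %d, %s PID %d\n", args->ret, comm, pid); }'
# Privilege changes: which process calls setuid() (and its current UID), and the result.
bpftrace -e 'tracepoint:syscalls:sys_enter_setuid { printf("setuid by PID %d (%s), UID %d\n", pid, comm, uid); }'
bpftrace -e 'tracepoint:syscalls:sys_exit_setuid { printf("setuid by %s returned %d\n", comm, args->ret); }'
# Kernel stack for every block I/O request insertion.
bpftrace -e 'tracepoint:block:block_rq_insert { printf("Block I/O by %s\n", kstack); }'
# connect() calls from a single PID. The filter is on pid == 123, so print pid as well;
# the earlier version printed $1 (a positional parameter that is not passed here),
# so the PID in the output did not match the one being filtered.
bpftrace -e 'tracepoint:syscalls:sys_enter_connect /pid == 123/ { printf("PID %d called connect()\n", pid); }'
# Count hrtimer starts by the timer callback function.
bpftrace -e 'tracepoint:timer:hrtimer_start { @[ksym(args->function)] = count(); }'
# Count read() calls for 5 seconds, then exit (t: is short for tracepoint:).
bpftrace -e 't:syscalls:sys_enter_read { @reads = count(); } interval:s:5 { exit(); }'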

