more strlen examples

iovisor · Jan 29, 2016 · 0030d34 · 0030d34
1 parent 03c2bc5
commit 0030d34
Show file tree

Hide file tree

Showing 2 changed files with 113 additions and 0 deletions.
diff --git a/examples/tracing/strlen_count.py b/examples/tracing/strlen_count.py
@@ -0,0 +1,54 @@
+#!/usr/bin/python
+#
+# strlen_count  Trace strlen() and print a frequency count of strings.
+#               For Linux, uses BCC, eBPF. Embedded C.
+#
+# Written as a basic example of BCC and uprobes.
+#
+# Also see strlensnoop.
+#
+# Copyright 2016 Netflix, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License")
+
+from __future__ import print_function
+from bcc import BPF
+from time import sleep
+
+# load BPF program
+b = BPF(text="""
+#include <uapi/linux/ptrace.h>
+
+struct key_t {
+    char c[80];
+};
+BPF_HASH(counts, struct key_t);
+
+int count(struct pt_regs *ctx) {
+    if (!ctx->si)
+        return 0;
+
+    struct key_t key = {};
+    u64 zero = 0, *val;
+
+    bpf_probe_read(&key.c, sizeof(key.c), (void *)ctx->si);
+    val = counts.lookup_or_init(&key, &zero);
+    (*val)++;
+    return 0;
+};
+""")
+b.attach_uprobe(name="c", sym="strlen", fn_name="count")
+
+# header
+print("Tracing strlen()... Hit Ctrl-C to end.")
+
+# sleep until Ctrl-C
+try:
+    sleep(99999999)
+except KeyboardInterrupt:
+    pass
+
+# print output
+print("%10s %s" % ("COUNT", "STRING"))
+counts = b.get_table("counts")
+for k, v in sorted(counts.items(), key=lambda counts: counts[1].value):
+    print("%10d \"%s\"" % (v.value, k.c.encode('string-escape')))
diff --git a/examples/tracing/strlen_snoop.py b/examples/tracing/strlen_snoop.py
@@ -0,0 +1,59 @@
+#!/usr/bin/python
+#
+# strlen_snoop  Trace strlen() library function for a given PID.
+#               For Linux, uses BCC, eBPF. Embedded C.
+#
+# USAGE: strlensnoop PID
+#
+# Try running this on a separate bash shell.
+#
+# Written as a basic example of BCC and uprobes.
+#
+# Copyright 2016 Netflix, Inc.
+# Licensed under the Apache License, Version 2.0 (the "License")
+
+from __future__ import print_function
+from bcc import BPF
+from os import getpid
+import sys
+
+if len(sys.argv) < 2:
+    print("USAGE: strlensnoop PID")
+    exit()
+pid = sys.argv[1]
+
+# load BPF program
+bpf_text = """
+#include <uapi/linux/ptrace.h>
+int printarg(struct pt_regs *ctx) {
+    if (!ctx->si)
+        return 0;
+
+    u32 pid = bpf_get_current_pid_tgid();
+    if (pid != PID)
+        return 0;
+
+    char str[80] = {};
+    bpf_probe_read(&str, sizeof(str), (void *)ctx->si);
+    bpf_trace_printk("%s\\n", &str);
+
+    return 0;
+};
+"""
+bpf_text = bpf_text.replace('PID', pid)
+b = BPF(text=bpf_text)
+b.attach_uprobe(name="c", sym="strlen", fn_name="printarg")
+
+# header
+print("%-18s %-16s %-6s %s" % ("TIME(s)", "COMM", "PID", "STRLEN"))
+
+# format output
+me = getpid()
+while 1:
+    try:
+        (task, pid, cpu, flags, ts, msg) = b.trace_fields()
+    except ValueError:
+        continue
+    if pid == me or msg == "":
+        continue
+    print("%-18.9f %-16s %-6d %s" % (ts, task, pid, msg))