Is it possible to trace through what is being read through a text file using eBPF? There are ways to see the amount of memory being used and count reads and writes but I would like to even output the user data using bpf_trace_print if possible.
Possible to see tracing when using cat or vi opening a text file
367 views Asked by Zarif Rahman At
There are 1 answers
I think this would require tracing the open() (or openat()) system call and correlating it (fd in particular) with traced read calls. /sys/kernel/debug/tracing/events/syscalls/sys_enter_read/format defines what syscall arguments can be accessed. What may interest you is the char *buf buffer pointer, where read() places the bytes it has read.

However, it is possible that the trace call occurs before any bytes have been read (need to check the kernel source). So maybe a more reliable way is to use a raw tracepoint (BPF_PROG_TYPE_RAW_TRACEPOINT) hooked at read() return.
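
The correlation described in the answer above, as an added bpftrace sketch that is not part of the original answer: it remembers the fd returned by openat(), saves the buf pointer at read() entry, and only dereferences it at read() exit, when the kernel has filled it. It assumes the process of interest is named "cat" and uses the ordinary syscalls:sys_exit_read tracepoint instead of a raw tracepoint.

```bpftrace
#!/usr/bin/env bpftrace
// Added example: print the data that processes named "cat" (assumed target)
// read from files they opened with openat().

// 1. Mark threads of the target process that are inside openat().
tracepoint:syscalls:sys_enter_openat
/comm == "cat"/
{
    @opening[tid] = 1;
}

// 2. On return, remember the new fd for this process (negative ret = error).
tracepoint:syscalls:sys_exit_openat
/@opening[tid]/
{
    if (args->ret >= 0) {
        @watched[pid, (uint64)args->ret] = 1;
    }
    delete(@opening[tid]);
}

// 3. At read() entry the buffer is still empty: only save the user pointer.
tracepoint:syscalls:sys_enter_read
/@watched[pid, (uint64)args->fd]/
{
    @buf[tid] = args->buf;
}

// 4. At read() exit the buffer is filled; ret is the number of bytes read.
//    str() stops at the first NUL byte and at bpftrace's string length limit,
//    so long or binary reads are shown truncated.
tracepoint:syscalls:sys_exit_read
/@buf[tid]/
{
    if (args->ret > 0) {
        printf("%s[%d] read %d bytes: %s\n", comm, pid, args->ret,
               str(@buf[tid], args->ret));
    }
    delete(@buf[tid]);
}

// 5. Stop watching an fd once it is closed, since fd numbers are reused.
tracepoint:syscalls:sys_enter_close
/@watched[pid, (uint64)args->fd]/
{
    delete(@watched[pid, (uint64)args->fd]);
}
```

Run it as root with bpftrace in one terminal, then cat a text file in another.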