Is it possible to trace through what is being read through a text file using eBPF? There are ways to see the amount of memory being used and count reads and writes but I would like to even output the user data using bpf_trace_print if possible.
Possible to see tracing when using cat or vi opening a text file
366 Views Asked by Zarif Rahman At
There are 1 best solutions below
I think this would require tracing the `open()` (or `openat()`) system call and correlating it (the fd in particular) with traced `read` calls. `/sys/kernel/debug/tracing/events/syscalls/sys_enter_read/format` defines what syscall arguments can be accessed. What may interest you is the `char *buf` buffer pointer, where `read()` places the bytes it has read.

However, it is possible that the trace call occurs before any bytes have been read (need to check the kernel source). So maybe a more reliable way is to use a raw tracepoint (`BPF_PROG_TYPE_RAW_TRACEPOINT`) hooked at `read()` return.
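
The approach described in this answer, as an added example that is not part of the original answer: a bpftrace script that correlates the fd returned by `openat()` with later `read()` calls and prints the buffer once `read()` has returned. It uses the ordinary `sys_exit_read` syscall tracepoint instead of a raw tracepoint, and the watched path `/tmp/demo.txt` and the map names are assumptions chosen for illustration.

```bpftrace
#!/usr/bin/env bpftrace
// Added example: print what any process reads from one file.
// Assumption: the file is opened with exactly the path "/tmp/demo.txt".

// 1. Remember the user-space filename pointer on entry to openat().
tracepoint:syscalls:sys_enter_openat
{
    @name[tid] = args->filename;
}

// 2. On return the string is safely readable; if the open succeeded and
//    the path matches, mark (pid, fd) as watched.
tracepoint:syscalls:sys_exit_openat
/@name[tid]/
{
    if (args->ret >= 0 && str(@name[tid]) == "/tmp/demo.txt") {
        @watched[pid, (uint64)args->ret] = 1;
    }
    delete(@name[tid]);
}

// 3. On entry to read() the buffer is still empty, so only save its address.
tracepoint:syscalls:sys_enter_read
/@watched[pid, (uint64)args->fd]/
{
    @buf[tid] = args->buf;
}

// 4. On return the kernel has filled the buffer; args->ret is the byte count.
//    str() stops at the first NUL and is capped by bpftrace's string limit.
tracepoint:syscalls:sys_exit_read
/@buf[tid]/
{
    if (args->ret > 0) {
        printf("pid %d read %d bytes: %s\n", pid, args->ret,
               str(@buf[tid], args->ret));
    }
    delete(@buf[tid]);
}

// 5. Stop watching when the fd is closed, so a reused fd number is not misattributed.
tracepoint:syscalls:sys_enter_close
/@watched[pid, (uint64)args->fd]/
{
    delete(@watched[pid, (uint64)args->fd]);
}

END { clear(@name); clear(@watched); clear(@buf); }
```

The match is on the path string exactly as the process passed it, so a relative path will not match. Only `read()` is covered; `pread64()`, `readv()` or `mmap()` would each need their own probes.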