[WIP] ebpf study (by quqi99)

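Author: 張華 Published: 2020-01-13
Copyright notice: this article may be freely reproduced, provided the reproduction links to the original source and includes the author information and this copyright notice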

bcc-tools test

#install hwe kernel
sudo add-apt-repository ppa:canonical-kernel-team/ppa
sudo apt-get update
sudo apt install linux-image-generic-hwe-18.04
sudo reboot

#install bcc-tools
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4052245BD4284CDD
echo "deb https://repo.iovisor.org/apt/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/iovisor.list
sudo apt update
sudo apt install bcc-tools libbcc-examples linux-headers-$(uname -r) linux-tools-$(uname -r) python3-bcc
ls /usr/share/bcc/tools

#install hwe kernel source linux-source-5.3.0 and build bpftool (bpftool is for viewing and manipulating BPF objects)
sudo apt install build-essential binutils-dev libelf-dev
#uncomment the deb-src line in /etc/apt/sources.list.d/canonical-kernel-team-ubuntu-ppa-bionic.list
sudo apt-cache policy linux-source-5.3.0
sudo apt install linux-source-5.3.0
mkdir -p ~/build/hwe && cd ~/build/hwe
cp /usr/src/linux-source-5.3.0/linux-source-5.3.0.tar.bz2 .
tar vxf linux-source-5.3.0.tar.bz2
make -C ./linux-source-5.3.0/tools/bpf/bpftool
sudo cp ./linux-source-5.3.0/tools/bpf/bpftool/bpftool /usr/local/bin/
bpftool --version

#DEMO
#The perf subcommand shows BPF programs attached via perf_event_open()
sudo bpftool perf
#The prog show subcommand lists all programs (not just those that are perf_event_open() based)
sudo bpftool prog show
#Each BPF program can be printed/dumped via its ID
#the xlated mode prints the BPF instructions translated to assembly; the linum modifier can be used to include source file and line number info.
#opcodes modifier can be used to include the BPF instruction opcodes
#visual modifier can be used to emit control flow graph info in DOT/GraphViz format (dot -Tpng -Elen=2.5 xx.dot -o xx.png)
sudo bpftool prog dump xlated id <ID> linum
#jited subcommand shows the machine code for the processor that is executed
sudo bpftool prog dump jited id <ID>
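#while tcpdump can emit BPF instructions with -d, bpftrace can do the same thing with -v
#tcpdump -d prints the compiled classic BPF filter and exits; that output is not a bpftrace script, so bpftrace -v is given a program of its own
sudo tcpdump -nni eth0 'tcp port 80' -d
sudo bpftrace -v -e 'BEGIN { exit(); }'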
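
The difference between the perf and prog show listings in the DEMO above can be turned into a small inventory of loaded BPF programs. This is an added example, not code from the original post: it joins the JSON output of `bpftool -j prog show` and `bpftool -j perf`. The sample records are constructed, and the JSON field names (id, type, name, uid, jited, prog_id, pid) are assumed to match bpftool's JSON mode.

```python
import json
import subprocess
import sys

# Constructed sample records (not captured from a real host), shaped like the
# output of `bpftool -j prog show` and `bpftool -j perf`. Field names are assumed.
SAMPLE_PROGS = '''[
 {"id": 12, "type": "kprobe", "name": "trace_open", "uid": 0, "jited": true},
 {"id": 13, "type": "cgroup_skb", "name": "", "uid": 0, "jited": true},
 {"id": 14, "type": "xdp", "name": "xdp_filter", "uid": 1000, "jited": false}
]'''
SAMPLE_PERF = '''[
 {"pid": 2201, "fd": 5, "prog_id": 12, "fd_type": "kprobe", "func": "do_sys_open", "offset": 0}
]'''

def inventory(progs_json, perf_json):
    """One row per loaded program, with the PIDs holding a perf attachment, if any."""
    perf_by_prog = {}
    for ev in json.loads(perf_json):
        perf_by_prog.setdefault(ev["prog_id"], []).append(ev)
    rows = []
    for p in json.loads(progs_json):
        rows.append({
            "id": p["id"],
            "type": p.get("type", "?"),
            "name": p.get("name") or "(unnamed)",
            "uid": p.get("uid"),
            "jited": bool(p.get("jited")),
            "perf_pids": sorted(ev["pid"] for ev in perf_by_prog.get(p["id"], [])),
        })
    return rows

def not_perf_attached(rows):
    """IDs that `bpftool perf` does not show: attached another way, or only loaded."""
    return [r["id"] for r in rows if not r["perf_pids"]]

def bpftool_json(*args):
    """Run bpftool in JSON mode on a live host (needs root)."""
    return subprocess.run(["bpftool", "-j", *args], check=True,
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    live = "--live" in sys.argv  # hypothetical flag of this example script
    progs = bpftool_json("prog", "show") if live else SAMPLE_PROGS
    perf = bpftool_json("perf") if live else SAMPLE_PERF
    rows = inventory(progs, perf)
    for r in rows:
        print(r)
    print("not visible in 'bpftool perf':", not_perf_attached(rows))
```

Run without arguments it uses the constructed sample; with --live under sudo it queries the running kernel.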