• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1#!/usr/bin/env python
2#
3# strlen_snoop  Trace strlen() library function for a given PID.
4#               For Linux, uses BCC, eBPF. Embedded C.
5#
6# USAGE: strlensnoop PID
7#
8# Try running this on a separate bash shell.
9#
10# Written as a basic example of BCC and uprobes.
11#
12# Copyright 2016 Netflix, Inc.
13# Licensed under the Apache License, Version 2.0 (the "License")
14
15from __future__ import print_function
16from bcc import BPF
17from os import getpid
18import sys
19
20if len(sys.argv) < 2:
21    print("USAGE: strlensnoop PID")
22    exit()
23pid = sys.argv[1]
24
25# load BPF program
26bpf_text = """
27#include <uapi/linux/ptrace.h>
28int printarg(struct pt_regs *ctx) {
29    if (!PT_REGS_PARM1(ctx))
30        return 0;
31
32    u32 pid = bpf_get_current_pid_tgid();
33    if (pid != PID)
34        return 0;
35
36    char str[80] = {};
37    bpf_probe_read(&str, sizeof(str), (void *)PT_REGS_PARM1(ctx));
38    bpf_trace_printk("%s\\n", &str);
39
40    return 0;
41};
42"""
43bpf_text = bpf_text.replace('PID', pid)
44b = BPF(text=bpf_text)
45b.attach_uprobe(name="c", sym="strlen", fn_name="printarg")
46
47# header
48print("%-18s %-16s %-6s %s" % ("TIME(s)", "COMM", "PID", "STRLEN"))
49
50# format output
51me = getpid()
52while 1:
53    try:
54        (task, pid, cpu, flags, ts, msg) = b.trace_fields()
55    except ValueError:
56        continue
57    if pid == me or msg == "":
58        continue
59    print("%-18.9f %-16s %-6d %s" % (ts, task, pid, msg))
60