Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / bcc / 0d08989d4c14fbecfde8e4abf175adb24a5252e5 / . / examples / tracing / strlen_snoop.py
blob: c3c7199ebe9e86d765917b15b45ed2db7935e4fc [file] [log] [blame]
Brendan Gregg0030d342016-01-28 22:39:23 -0800[diff] [blame]1#!/usr/bin/python
2#
3# strlen_snoop Trace strlen() library function for a given PID.
4# For Linux, uses BCC, eBPF. Embedded C.
5#
6# USAGE: strlensnoop PID
7#
8# Try running this on a separate bash shell.
9#
10# Written as a basic example of BCC and uprobes.
11#
12# Copyright 2016 Netflix, Inc.
13# Licensed under the Apache License, Version 2.0 (the "License")
14
15from __future__ import print_function
16from bcc import BPF
17from os import getpid
18import sys
19
20if len(sys.argv) < 2:
21 print("USAGE: strlensnoop PID")
22 exit()
23pid = sys.argv[1]
24
25# load BPF program
26bpf_text = """
27#include <uapi/linux/ptrace.h>
28int printarg(struct pt_regs *ctx) {
Brendan Greggeb1b70d2016-07-25 16:13:35 -0700[diff] [blame]29 if (!PT_REGS_PARM1(ctx))
Brendan Gregg0030d342016-01-28 22:39:23 -0800[diff] [blame]30 return 0;
31
32 u32 pid = bpf_get_current_pid_tgid();
33 if (pid != PID)
34 return 0;
35
36 char str[80] = {};
Brendan Greggeb1b70d2016-07-25 16:13:35 -0700[diff] [blame]37 bpf_probe_read(&str, sizeof(str), (void *)PT_REGS_PARM1(ctx));
Brendan Gregg0030d342016-01-28 22:39:23 -0800[diff] [blame]38 bpf_trace_printk("%s\\n", &str);
39
40 return 0;
41};
42"""
43bpf_text = bpf_text.replace('PID', pid)
44b = BPF(text=bpf_text)
45b.attach_uprobe(name="c", sym="strlen", fn_name="printarg")
46
47# header
48print("%-18s %-16s %-6s %s" % ("TIME(s)", "COMM", "PID", "STRLEN"))
49
50# format output
51me = getpid()
52while 1:
53 try:
54 (task, pid, cpu, flags, ts, msg) = b.trace_fields()
55 except ValueError:
56 continue
57 if pid == me or msg == "":
58 continue
59 print("%-18.9f %-16s %-6d %s" % (ts, task, pid, msg))