| Sasha Goldshtein | 2593378 | 2017-03-09 14:37:50 +0000 | [diff] [blame] | 1 | Demonstrations of bpflist. |
| 2 | |
| 3 | |
| 4 | bpflist displays information on running BPF programs and optionally also |
| 5 | prints open kprobes and uprobes. It is used to understand which BPF programs |
| 6 | are currently running on the system. For example: |
| 7 | |
| 8 | # bpflist |
| 9 | PID COMM TYPE COUNT |
| 10 | 4058 fileslower prog 4 |
| 11 | 4058 fileslower map 2 |
| 12 | 4106 bashreadline map 1 |
| 13 | 4106 bashreadline prog 1 |
| 14 | |
| 15 | From the output above, the fileslower and bashreadline tools are running. |
| 16 | fileslower has installed 4 BPF programs (functions) and has opened 2 BPF maps |
| 17 | (such as hashes, histograms, stack trace tables, and so on). |
| 18 | |
| 19 | In verbose mode, bpflist also counts the number of kprobes and uprobes opened |
| 20 | by the process. This information is obtained heuristically: bcc-based tools |
| 21 | include the process id in the name of the probe. For example: |
| 22 | |
| 23 | # bpflist -v |
| 24 | PID COMM TYPE COUNT |
| 25 | 4058 fileslower prog 4 |
| 26 | 4058 fileslower kprobe 4 |
| 27 | 4058 fileslower map 2 |
| 28 | 4106 bashreadline uprobe 1 |
| 29 | 4106 bashreadline prog 1 |
| 30 | 4106 bashreadline map 1 |
| 31 | |
| 32 | In double-verbose mode, the probe definitions are also displayed: |
| 33 | |
| 34 | # bpflist -vv |
| 35 | open kprobes: |
| 36 | p:kprobes/p___vfs_read_bcc_4058 __vfs_read |
| 37 | r:kprobes/r___vfs_read_bcc_4058 __vfs_read |
| 38 | p:kprobes/p___vfs_write_bcc_4058 __vfs_write |
| 39 | r:kprobes/r___vfs_write_bcc_4058 __vfs_write |
| 40 | |
| 41 | open uprobes: |
| 42 | r:uprobes/r__bin_bash_0xa4dd0_bcc_4106 /bin/bash:0x00000000000a4dd0 |
| 43 | |
| 44 | PID COMM TYPE COUNT |
| 45 | 4058 fileslower prog 4 |
| 46 | 4058 fileslower kprobe 4 |
| 47 | 4058 fileslower map 2 |
| 48 | 4106 bashreadline uprobe 1 |
| 49 | 4106 bashreadline prog 1 |
| 50 | 4106 bashreadline map 1 |
| 51 | |
| 52 | |
| 53 | USAGE: |
| 54 | # bpflist -h |
| 55 | usage: bpflist.py [-h] [-v] |
| 56 | |
| 57 | Display processes currently using BPF programs and maps |
| 58 | |
| 59 | optional arguments: |
| 60 | -h, --help show this help message and exit |
| 61 | -v, --verbosity count and display kprobes/uprobes as well |
| 62 | |
| 63 | examples: |
| 64 | bpflist # display all processes currently using BPF |
| 65 | bpflist -v # also count kprobes/uprobes |
| 66 | bpflist -vv # display kprobes/uprobes and count them |