1 #!/usr/bin/python 2 # 3 # urandomread-explicit Example of instrumenting a kernel tracepoint. 4 # For Linux, uses BCC, BPF. Embedded C. 5 # 6 # This is an older example of instrumenting a tracepoint, which defines 7 # the argument struct and makes an explicit call to attach_tracepoint(). 8 # See urandomread for a newer version that uses TRACEPOINT_PROBE(). 9 # 10 # REQUIRES: Linux 4.7+ (BPF_PROG_TYPE_TRACEPOINT support). 11 # 12 # Test by running this, then in another shell, run: 13 # dd if=/dev/urandom of=/dev/null bs=1k count=5 14 # 15 # Copyright 2016 Netflix, Inc. 16 # Licensed under the Apache License, Version 2.0 (the "License") 17 18 from __future__ import print_function 19 from bcc import BPF 20 21 # define BPF program 22 bpf_text = """ 23 #include <uapi/linux/ptrace.h> 24 25 struct urandom_read_args { 26 // from /sys/kernel/debug/tracing/events/random/urandom_read/format 27 u64 __unused__; 28 u32 got_bits; 29 u32 pool_left; 30 u32 input_left; 31 }; 32 33 int printarg(struct urandom_read_args *args) { 34 bpf_trace_printk("%d\\n", args->got_bits); 35 return 0; 36 } 37 """ 38 39 # load BPF program 40 b = BPF(text=bpf_text) 41 b.attach_tracepoint(tp="random:urandom_read", fn_name="printarg") 42 43 # header 44 print("%-18s %-16s %-6s %s" % ("TIME(s)", "COMM", "PID", "GOTBITS")) 45 46 # format output 47 while 1: 48 try: 49 (task, pid, cpu, flags, ts, msg) = b.trace_fields() 50 except ValueError: 51 continue 52 print("%-18.9f %-16s %-6d %s" % (ts, task, pid, msg)) 53
