1 Demonstrations of bpflist. 2 3 4 bpflist displays information on running BPF programs and optionally also 5 prints open kprobes and uprobes. It is used to understand which BPF programs 6 are currently running on the system. For example: 7 8 # bpflist 9 PID COMM TYPE COUNT 10 4058 fileslower prog 4 11 4058 fileslower map 2 12 4106 bashreadline map 1 13 4106 bashreadline prog 1 14 15 From the output above, the fileslower and bashreadline tools are running. 16 fileslower has installed 4 BPF programs (functions) and has opened 2 BPF maps 17 (such as hashes, histograms, stack trace tables, and so on). 18 19 In verbose mode, bpflist also counts the number of kprobes and uprobes opened 20 by the process. This information is obtained heuristically: bcc-based tools 21 include the process id in the name of the probe. For example: 22 23 # bpflist -v 24 PID COMM TYPE COUNT 25 4058 fileslower prog 4 26 4058 fileslower kprobe 4 27 4058 fileslower map 2 28 4106 bashreadline uprobe 1 29 4106 bashreadline prog 1 30 4106 bashreadline map 1 31 32 In double-verbose mode, the probe definitions are also displayed: 33 34 # bpflist -vv 35 open kprobes: 36 p:kprobes/p___vfs_read_bcc_4058 __vfs_read 37 r:kprobes/r___vfs_read_bcc_4058 __vfs_read 38 p:kprobes/p___vfs_write_bcc_4058 __vfs_write 39 r:kprobes/r___vfs_write_bcc_4058 __vfs_write 40 41 open uprobes: 42 r:uprobes/r__bin_bash_0xa4dd0_bcc_4106 /bin/bash:0x00000000000a4dd0 43 44 PID COMM TYPE COUNT 45 4058 fileslower prog 4 46 4058 fileslower kprobe 4 47 4058 fileslower map 2 48 4106 bashreadline uprobe 1 49 4106 bashreadline prog 1 50 4106 bashreadline map 1 51 52 53 USAGE: 54 # bpflist -h 55 usage: bpflist.py [-h] [-v] 56 57 Display processes currently using BPF programs and maps 58 59 optional arguments: 60 -h, --help show this help message and exit 61 -v, --verbosity count and display kprobes/uprobes as well 62 63 examples: 64 bpflist # display all processes currently using BPF 65 bpflist -v # also count kprobes/uprobes 66 bpflist -vv # display kprobes/uprobes and count them 67