Process name (comm) as key for BPF map
I have been trying to design a tool where I can do per-process tracing, but that means I need a key per process so that I can store key-value map pairs for each process. I instinctively dislike using a struct or a string as a key, and for a while I was thinking about how to access inode values to use them as keys. But there are many examples that use structures or strings as hashmap keys, and Alexei suggested that process names will be commonly used as a key. That said, I cannot get a basic implementation of such a hashmap to work. In the BPF program, the tracepoint cannot find the value associated with the process_name key. Maybe I am comparing memory locations rather than the intended string literal? Is something happening behind c_types that causes a mismatch between keys?
from bcc import BPF
from bcc.utils import printb
from bcc.syscall import syscall_name, syscalls
from ctypes import *

b = BPF(text = """
struct procName {
    char name[16];
};

BPF_HASH(attempt, struct procName, u32);

TRACEPOINT_PROBE(raw_syscalls, sys_exit)
{
    u32 *val;
    struct procName hKey;

    /* fill the key with the current task's comm (16 bytes, NUL padded) */
    bpf_get_current_comm(hKey.name, 16);
    val = attempt.lookup(&hKey);
    if (val)
    {
        /* "\\n" so the C source receives an escape, not a raw newline */
        bpf_trace_printk("Hello world, I have value %d!\\n", *val);
    }
    return 0;
}
""")

# user-space mirror of the BPF struct procName
class procName(Structure):
    _fields_ = [("name", (c_char_p*16))]

trialUpload = b["attempt"]          # handle to the BPF_HASH "attempt"
myFirst = procName(('p','y','t','h','o','n','\0'))
trialUpload[myFirst] = c_int(10)

while 1:
    try:
        (task, pid, cpu, flags, ts, msg) = b.trace_fields()
    except KeyboardInterrupt:
        print("Detaching")
        exit()
    print("%-18.9f %-16s %-6d %s" % (ts, task, pid, msg))
The bug in the original code had nothing to do with BCC & BPF; it was my ctypes implementation. For starters --
class procName(Structure):
    _fields_ = [("name", (c_char_p*16))]
creates a struct with the field "name". In the definition above, name will be of type *char[16] when I want a char[16]. Secondly, although this
myFirst = procName(('p','y','t','h','o','n','\0'))
may work, it is not best-practice initialization. This is the correct way --
class procName(Structure):
    _fields_ = [("name", (c_char*16))]

s = b"python"            # c_char arrays take bytes (required under Python 3)
mySecond = procName()
mySecond.name = s
So the full program, with a process_name-based key and its implementation to pass data from python, is ...
from bcc import BPF
from bcc.utils import printb
from bcc.syscall import syscall_name, syscalls
import ctypes
from ctypes import *

b = BPF(text = """
#include <linux/string.h>

struct procName {
    char name[16];
};

BPF_HASH(attempt, struct procName, u32);

TRACEPOINT_PROBE(raw_syscalls, sys_exit)
{
    u32 *myVal;
    struct procName key;

    /* comm is at most 15 characters plus NUL; the rest of the 16 bytes is zero padded */
    bpf_get_current_comm(&(key.name), 16);
    myVal = attempt.lookup(&key);
    if (myVal)
    {
        /* "\\n" so the C source receives an escape, not a raw newline */
        bpf_trace_printk("values: %d\\n", *myVal);
    }
    return 0;
}
""")

# user-space mirror of struct procName: 16 chars, same size as the map key
class procName(Structure):
    _fields_ = [("name", (c_char*16))]

trialUpload = b["attempt"]
s = b"python"            # c_char arrays take bytes (required under Python 3)
mySecond = procName()
mySecond.name = s        # zero-filled struct, so the key is "python" + 10 NUL bytes
trialUpload[mySecond] = c_int(5)

while 1:
    try:
        (task, pid, cpu, flags, ts, msg) = b.trace_fields()
    except KeyboardInterrupt:
        print("Detaching")
        exit()
    print("%-18.9f %-16s %-6d %s" % (ts, task, pid, msg))
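Why the c_char_p version can never match, shown as an added example that is not part of the question or the answer and runs without BCC: it compares the bytes a ctypes key struct produces with a model of what bpf_get_current_comm() writes into a 16-byte buffer (assumed here to truncate to 15 characters and zero-pad, as strncpy/strscpy_pad do); the class and function names are mine.

```python
from ctypes import Structure, c_char, c_char_p, sizeof

TASK_COMM_LEN = 16  # size of task->comm, NUL terminator included


class WrongKey(Structure):
    # The question's definition: 16 *pointers* to char, not 16 chars,
    # so its size is 16 * sizeof(void *) instead of 16 bytes.
    _fields_ = [("name", c_char_p * 16)]


class ProcName(Structure):
    # Mirrors `struct procName { char name[16]; }` on the BPF side.
    _fields_ = [("name", c_char * TASK_COMM_LEN)]


def key_sizes():
    """(size of the wrong key, size of the correct key) in bytes."""
    return sizeof(WrongKey), sizeof(ProcName)


def kernel_comm(name):
    """Model of what bpf_get_current_comm() leaves in a 16-byte buffer:
    at most 15 characters, NUL-terminated and zero-padded
    (assumption: the helper pads like strncpy/strscpy_pad)."""
    comm = name[:TASK_COMM_LEN - 1]
    return comm + b"\0" * (TASK_COMM_LEN - len(comm))


def user_key(name):
    """The 16 key bytes BCC hands to bpf_update_elem() for a ProcName."""
    key = ProcName()                      # ctypes zero-fills the struct
    key.name = name[:TASK_COMM_LEN - 1]   # c_char arrays take bytes
    return bytes(key)


def keys_match(name):
    """True when the user-space insert and the in-kernel lookup agree
    byte for byte, which is exactly what BPF_HASH compares.
    Note: comm is chosen by the process itself (prctl PR_SET_NAME),
    so a comm-keyed map names a process; it does not authenticate one."""
    return user_key(name) == kernel_comm(name)


if __name__ == "__main__":
    print("key sizes (wrong, correct):", key_sizes())
    for comm in (b"python", b"python3", b"a_very_long_process_name"):
        print(comm, keys_match(comm), user_key(comm))
```

The wrong struct is 16 pointers wide, so the first 16 bytes the kernel reads as the key are pointer values, never the comm string.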