Skip to content

A demonstration to show how to trace syscalls by eBPF

Notifications You must be signed in to change notification settings

RinHizakura/ebpf-strace

Repository files navigation

ebpf-strace

Overview

The ebpf-strace is an experimental tool to trace system calls like strace, but achieving by eBPF instead of ptrace.

The tool can be run on x86_64 or aarch64, but most of the validation only done on x86_64 currently. Besides, only a few syscalls's arguments can be traced. Please feel free to report for any unusual output or implement arguments tracing for more system calls.

Usage

Build

These dependencies are required to build ebpf-strace.

$ sudo apt install clang llvm libelf1 libelf-dev zlib1g-dev

You will also need bpftool for the generating of vmlinux.h.

$ git clone https://github.com/libbpf/bpftool.git
$ cd bpftool
$ git submodule update --init
$ cd src
$ make
$ sudo make install

After the installations, you can build ebpf-strace now.

$ make

Execute

To know the detail for how to use ebpf-strace, you can try -h for the direction.

$ sudo ./ebpf -h
Usage: ebpf-strace [OPTIONS] [CMD]...

Arguments:
  [CMD]...  command to run for trace

Options:
  -T, --syscall-times  whether to show on the time cost of syscall
  -h, --help           Print help

For example, we can trace which system calls are run during the execution of echo hello with the following command:

$ sudo ./ebpf-strace echo hello

About

A demonstration to show how to trace syscalls by eBPF

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published