SUMAN KUMARI

Reputation: 1

eBPF: How to get syscall id using raw_tracepoint/sys_exit

I’d like to use raw_tracepoint with libbpf to record syscalls. Is there any way to get the syscall_id using a BPF raw tracepoint program, SEC("raw_tracepoint/sys_exit")? I tried to search the documents about raw tracepoints and tracepoints, but I didn’t find any answer.

Upvotes: 0

Views: 544

Answers (1)

user3256049

Reputation: 1

You can use a BTF raw tracepoint, with the syscall number saved in the 'orig_ax' register. You can use BPF_CORE_READ(regs, orig_ax) to read it.

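#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>    /* BPF_PROG */
#include <bpf/bpf_core_read.h>  /* BPF_CORE_READ */

SEC("tp_btf/sys_exit")
__s32 BPF_PROG(xm_btf_rtp__sys_exit, struct pt_regs *regs, __s64 ret) {
    /* __xm_get_pid() and __xm_get_tid() are helpers from the answerer's own code; their definitions are not shown. */
    pid_t pid = __xm_get_pid();
    __u32 tid = __xm_get_tid();
    __u64 delay_ns = 0;

    /* orig_ax is the x86-64 pt_regs field that holds the syscall number. */
    __s64 syscall_nr = BPF_CORE_READ(regs, orig_ax);
    return 0; /* added so the truncated snippet is a complete function */
}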

Upvotes: 0
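
For the SEC("raw_tracepoint/sys_exit") section the question asks about (rather than tp_btf), the same orig_ax read looks like the following. This is an added example, not code from the question or the answer: it assumes x86-64 and a vmlinux.h generated with bpftool, the names exit_syscall_id and rtp_sys_exit are hypothetical, and the #else branch holds constructed stand-ins so the extraction logic also compiles with a host compiler.

```c
/* Added example. x86-64 only: orig_ax is an x86 pt_regs field. */
#ifdef __bpf__                  /* real build: clang -O2 -g -target bpf */
#include "vmlinux.h"            /* assumed: bpftool btf dump file /sys/kernel/btf/vmlinux format c */
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_core_read.h>
#else                           /* host build: constructed stand-ins, for testing only */
#include <stdio.h>
struct pt_regs { unsigned long orig_ax; };
struct bpf_raw_tracepoint_args { unsigned long long args[2]; };
#define BPF_CORE_READ(ptr, field) ((ptr)->field)
#define SEC(name)
#define bpf_printk(...) printf(__VA_ARGS__)
#endif

/*
 * raw_syscalls:sys_exit has the prototype (struct pt_regs *regs, long ret), so
 * a raw tracepoint program sees args[0] = regs and args[1] = ret. The syscall
 * number is not passed as an argument and has to be read back from regs.
 */
static inline __attribute__((always_inline))
long exit_syscall_id(struct bpf_raw_tracepoint_args *ctx)
{
    struct pt_regs *regs = (struct pt_regs *)(unsigned long)ctx->args[0];

    /* regs points into kernel memory; BPF_CORE_READ does the probe read. */
    return (long)BPF_CORE_READ(regs, orig_ax);
}

SEC("raw_tracepoint/sys_exit")
int rtp_sys_exit(struct bpf_raw_tracepoint_args *ctx)
{
    long id = exit_syscall_id(ctx);
    long ret = (long)ctx->args[1];

    if (id < 0)     /* negative values are not syscall numbers; skip them */
        return 0;

    bpf_printk("syscall %ld ret %ld", id, ret);
    return 0;
}

#ifdef __bpf__
char LICENSE[] SEC("license") = "GPL";  /* bpf_printk needs a GPL-compatible license */
#endif
```
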
