
Functional analysis of ebpf tracepoint

2022-06-24 21:29:00 already_ skb

1. View all tracepoints supported by the system
find /sys/kernel/debug/tracing/events -type d 

This lists every tracepoint supported by the current system. Before building something on tracepoints, first check which hook points the relevant subsystem exposes, and evaluate whether they can meet your needs. For example, if you want to look inside the TCP protocol stack, first check which events the tcp trace subsystem supports:

# ls /sys/kernel/debug/tracing/events/tcp
enable  tcp_destroy_sock  tcp_rcv_space_adjust  tcp_retransmit_skb     tcp_send_reset
filter  tcp_probe         tcp_receive_reset     tcp_retransmit_synack

You can then use these hook points to implement your own functionality.
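The listing step above as a small script, added here as an example and not taken from the original post: it prints tracepoints as subsystem:event names and shows the fields one event records. The function names are hypothetical; the per-event `format` file it reads is a standard tracefs file that sits next to `enable` and `filter` in each event directory.

```shell
#!/bin/sh
# Added example: enumerate tracepoints and show the fields one of them records.
# Function names are hypothetical; the events path is the one used on the page.

# list_tracepoints ROOT [SUBSYSTEM] -> prints "subsystem:event" lines.
# An event directory is recognised by its "format" file; subsystem
# directories carry only "enable" and "filter", so they are skipped.
list_tracepoints() {
    root=$1
    subsys=${2:-*}
    for fmt in "$root"/$subsys/*/format; do
        [ -f "$fmt" ] || continue          # unmatched glob or not an event
        event_dir=${fmt%/format}
        sub_dir=${event_dir%/*}
        printf '%s:%s\n' "${sub_dir##*/}" "${event_dir##*/}"
    done
}

# tracepoint_fields ROOT SUBSYSTEM EVENT -> prints "type name" per field,
# taken from the "field:...;" entries of the event's format file.
tracepoint_fields() {
    fmt="$1/$2/$3/format"
    if [ ! -r "$fmt" ]; then
        echo "cannot read tracepoint $2:$3 under $1" >&2
        return 1
    fi
    sed -n 's/^[[:space:]]*field:\([^;]*\);.*/\1/p' "$fmt"
}

# Live run: only when the tcp_receive_reset format file is readable
# (usually needs root and a mounted debugfs/tracefs).
EVENTS_ROOT=${EVENTS_ROOT:-/sys/kernel/debug/tracing/events}
if [ -r "$EVENTS_ROOT/tcp/tcp_receive_reset/format" ]; then
    list_tracepoints "$EVENTS_ROOT" tcp
    tracepoint_fields "$EVENTS_ROOT" tcp tcp_receive_reset
fi
```

Unlike `find ... -type d`, this skips the subsystem directories themselves and returns only real events.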

To find where the tcp_receive_reset tracepoint fires, search the kernel source for trace_tcp_receive_reset, which is the instrumentation call that corresponds to this tracepoint.

# grep -rn "tcp_receive_reset" net
net/ipv4/tcp_input.c:4051:    trace_tcp_receive_reset(sk);

Note in particular that trace_tcp_receive_reset is an instrumentation call, but such a call is not necessarily made only from a function named tcp_receive_reset; the CPU-related instrumentation calls are an example.

A later project will be built on the tracepoint/tcp capability.
