Showing posts from October, 2018

bpf_trace_printk as a last-resort method to debug eBPF programs

It's hard to debug problems in eBPF programs. When everything else fails, there is a last resort: bpf_trace_printk.

bpf_trace_printk can be used as such:

bpf_trace_printk("fname %s\\n", valp->fname);

The double-escaped \\n is needed when the C source code is embedded in a Python multi-line string, which is the case for most bcc examples.

You can use formatting directives like %s and %d, but you can only use one per line.

To see the output, first run the bcc program as usual, then do this in a separate terminal:

$ sudo cat /sys/kernel/debug/tracing/trace_pipe
foo-29323 [002] d... 12090253.569332: : fname /etc/
foo-29323 [002] d... 12090253.569350: : fname /lib/x86_64-linux-gnu/
foo-29323 [002] d... 12090253.569384: : fname /lib/x86_64-linux-gnu/
foo-29323 [002] d... 12090253.570230: : fname /proc/sys/net/core/somaxconn
foo-29323 [002] d... 12090253.571336: : fname /dev/null
Tail won't work. cat will already take care of streaming the outp…
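
trace_pipe is a single buffer shared by every program that calls bpf_trace_printk, so it helps to split each line into fields and keep only the process you are debugging. The parser below is an added example, not code from the original post; the function names and the last two sample lines are made up for illustration.

```python
import re

# One trace_pipe line, as in the post's output:
#   TASK-PID [CPU] FLAGS TIMESTAMP: FUNCTION: MESSAGE
# The task group is greedy, so the split lands on the last "-<digits> ["
# and process names containing '-' still parse. FUNCTION is empty in the
# post's output; a non-empty value is accepted too.
TRACE_LINE = re.compile(
    r"^\s*(?P<task>.+)-(?P<pid>\d+)\s+\[(?P<cpu>\d+)\]\s+(?P<flags>\S+)\s+"
    r"(?P<ts>\d+\.\d+):\s+(?P<func>[^:]*):\s?(?P<msg>.*)$"
)

def parse_trace_line(line):
    """Return the fields of one event as a dict, or None if it is not an event."""
    m = TRACE_LINE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["cpu"] = int(rec["cpu"])
    rec["ts"] = float(rec["ts"])
    return rec

def messages_for_pid(lines, pid):
    """Yield the printk messages logged while process `pid` was running."""
    for line in lines:
        rec = parse_trace_line(line)
        if rec is not None and rec["pid"] == pid:
            yield rec["msg"]

# The first two lines are from the post; the last two are constructed.
SAMPLE = [
    "foo-29323 [002] d... 12090253.569332: : fname /etc/",
    "foo-29323 [002] d... 12090253.571336: : fname /dev/null",
    "my-daemon-412 [000] d... 12090253.572001: : fname /var/run/my-daemon.pid",
    "CPU:2 [LOST 14 EVENTS]",
]

if __name__ == "__main__":
    for msg in messages_for_pid(SAMPLE, 29323):
        print(msg)
```

On a live system, pass an open file object for /sys/kernel/debug/tracing/trace_pipe (as root) instead of SAMPLE; the generator yields messages as they arrive.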