Skip to content

bolinfest/opensnoop-native

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

68 Commits

docs

docs

 
 

rust

rust

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

build.sh

build.sh

 
 

debug.py

debug.py

 
 

generated_bytecode.h

generated_bytecode.h

 
 

opensnoop.c

opensnoop.c

 
 

opensnoop.h

opensnoop.h

 
 

opensnoop.py

opensnoop.py

 
 

Repository files navigation

opensnoop-native

This is a pure C implementation of opensnoop that uses eBPF. I put together a detailed backstory of how this came to be.

The "official" version of opensnoop that uses eBPF is written in Python, as it leverages the Python bindings from the BCC toolkit to dynamically generate the eBPF program at runtime by populating a template of C code and compiling it on the fly into eBPF instructions.

This version of opensnoop differs slightly, as it uses the BCC toolkit to generate a template for the eBPF program (as an array of eBPF instructions) at build time that can be populated directly in C. Advantages:

  • This implementation uses only libbpf at runtime whereas the original uses libbcc, which is a much larger dependency.
  • Compared to the Python version, it eliminates some code that has to be duplicated between the Python code and C code template.
  • It eliminates an extra division done in the eBPF program due to the limits of numeric precision in Python.
  • Perhaps the most important difference (and the most subjective) is that this standalone version is simpler, which makes it easier to see what is going on. For example, because it is pure C, you can step through the entire program using gdb. Similarly, an strace of the pure C version is much cleaner compared to the original verison. When I first tried to understand how opensnoop worked, I had to navigate through several layers of code: the Python bindings for BCC, libbcc, and libbpf. In this implementation, you only need to worry about what libbpf is doing. Once you understand that, go back and see how those other layers make it easier to create tools that use eBPF.

Build instructions

To build the program from scratch, you must have the BCC toolkit installed:

$ ./build.sh
$ sudo ./opensnoop

If you want to leverage the existing code that was generated from BCC (the generated code is checked into the repo to make it easier for others to study and to build), then you can just do:

$ clang opensnoop.c -lelf -O3 -o opensnoop /usr/lib/x86_64-linux-gnu/libbpf.so
$ sudo ./opensnoop

In both cases, the version of libbpf/libbcc that you use should be built from https://github.com/iovisor/bcc/commit/0ec2d4fd02bfd894b3fdb44ecb175344197a33dc or later.

Quirks

Because the source code embeds the value of LINUX_VERSION_CODE from <linux/version.h> into the final binary, a version that you build on your machine will not work on a colleague's machine if they are not running the exact same version of the kernel.

About

opensnoop in pure C using eBPF

Resources

Readme

License

Apache-2.0 license
Activity

Stars

97 stars

Watchers

5 watching

Forks

9 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages