
I would like to write an eBPF program in order to track the functions being called in a separate running eBPF program. Also, I would like to count the number of times the respective functions have been called.

Is this possible? And if so, could someone please hint me towards what could be used in order to achieve this?

(Note: I am looking for the idea/concept behind achieving this functionality (i.e. the specific kprobe to be used) rather than a fully developed solution.)

Preferably, I am looking for a solution which can be implemented using python bcc or bpftrace.

Update: I would like to count the number of times "user-defined" functions are being called inside an eBPF program.

For example, if I create an eBPF program in the kernel code:

```c
SEC("kprobe/tcp_v4_connect")
int bpf_sample_prog(struct pt_regs *ctx) {
    int x, y, ...; /* local variables to which I assign data from context */

    foo(x);        /* user-defined function */
    bar(y);        /* user-defined function */
    return 0;
}
```

and I attach it to the kprobe from the userspace code, I would like to be able to count, using a completely separate eBPF program, the number of times the `foo` and `bar` functions have been called inside the `bpf_sample_prog` program.

Thank you in advance.

b0gd4n
  • Yes, it's possible. Look at the [bcc tools](https://github.com/iovisor/bcc/) for examples. – pchaigno Apr 19 '21 at 18:29
  • @pchaigno Thank you for your answer. I have seen examples of how to list all running eBPF programs using `bps.c` and how to instrument certain functions using `funccount` or `funcinterval`, but I couldn't find how to instrument a function being called inside an eBPF program. Is it possible to isolate searching for function calls only inside an attached eBPF program? Thank you in advance – b0gd4n Apr 20 '21 at 05:34
  • What do you mean by a "function being called inside an eBPF program"? Do you mean helper calls? – pchaigno Apr 20 '21 at 07:59
  • @pchaigno I have updated the question to provide further clarification. I would like to count the number of times "user-defined" functions are being called inside an attached eBPF program. – b0gd4n Apr 20 '21 at 08:36
  • Most of the time such functions are inlined during compilation, so they don't “exist” as individual functions anymore in the bytecode for the eBPF program. eBPF does support regular function calls, but I don't believe there is any mechanism to track them at the moment. You can hook at the entry/exit of the whole program (fentry/fexit hooks), but not in the middle of it as far as I know. You could likely modify your function to increment a counter in a map each time it runs, though. Then it would be trivial to dump the value from user space. – Qeole Apr 20 '21 at 08:38
  • @Qeole Thank you for your answer. The proposed map approach is definitely more suitable and is easier to implement – b0gd4n Apr 20 '21 at 09:05
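
The map-counter approach from the comments, sketched with python bcc as an added example (not code from the question or from any commenter): each user-defined function bumps its own slot in an array map, and user space reads the slots back. The map name `calls`, the helpers `count_call` and `read_counts`, and the values given to `x` and `y` are assumptions made for illustration.

```python
#!/usr/bin/env python3
# Added example: per-function call counters kept in a BPF map.
# Loading the program needs root and the bcc Python bindings.
import time

FUNC_NAMES = ["foo", "bar"]  # slot i of the "calls" array counts FUNC_NAMES[i]

BPF_TEXT = r"""
#include <uapi/linux/ptrace.h>

BPF_ARRAY(calls, u64, 2);              /* one counter slot per function */

static inline void count_call(int slot) {
    calls.increment(slot);             /* bump the counter for this slot */
}

/* Bodies are placeholders; the counter works even though they are inlined. */
static inline void foo(int x) { count_call(0); }
static inline void bar(int y) { count_call(1); }

int bpf_sample_prog(struct pt_regs *ctx) {
    int x = 1, y = 2;                  /* constructed values for the sketch */
    foo(x);
    bar(y);
    return 0;
}
"""

def read_counts(table):
    """Return {function name: call count} from the array map (or a stand-in)."""
    return {name: table[slot].value for slot, name in enumerate(FUNC_NAMES)}

def main(interval=5):
    from bcc import BPF                # imported here so helpers load without bcc
    b = BPF(text=BPF_TEXT)
    b.attach_kprobe(event="tcp_v4_connect", fn_name="bpf_sample_prog")
    try:
        while True:
            time.sleep(interval)
            print(read_counts(b["calls"]))
    except KeyboardInterrupt:
        pass

if __name__ == "__main__":
    main()
```

Because the counters live in the instrumented program itself, this works whether or not the compiler inlines `foo` and `bar`.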
