Create a gist now

Instantly share code, notes, and snippets.

@slankdev /trace.py Secret
Created Apr 30, 2017

What would you like to do?
#!/usr/bin/env python
from bcc import BPF
prog="""
#include <uapi/linux/ptrace.h>
BPF_HASH(counter, u64, u64, 1024);
int kprobe__packet_sendmsg(struct pt_regs* ctx)
{
/* Update Counter */
u64 zero = 0;
u64* val = counter.lookup_or_init(&zero, &zero);
(*val) ++;
/* Function Arguments */
struct socket *sock = (struct socket*)PT_REGS_PARM1(ctx);
struct msghdr *msg = (struct msghdr*)PT_REGS_PARM2(ctx);
size_t len = (u64)PT_REGS_PARM3(ctx);
/* Printk */
bpf_trace_printk("[%lu]: \n", *val);
bpf_trace_printk("+ sock=%p \n", sock);
bpf_trace_printk("+ msg=%p \n", msg);
bpf_trace_printk("+ len=%lu \n", len);
return 0;
}
"""
b = BPF(text=prog)
while True:
print(b.trace_fields()[5])
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment