def printEvent(event): printb(b"%-9s" % strftime("%H:%M:%S").encode('ascii'), nl="") ppid = event.ppid if event.ppid > 0 else -1 ppid = b"%d" % ppid if ppid > 0 else b"?" argv_text = b' '.join(argv[event.pid]).replace(b'\n', b'\\n') printb(b"%-16s %-6d %-6s %3d %s" % (event.comm, event.pid, ppid, event.retval, argv_text))
def print_event(cpu, data, size): event = b["events"].event(data) global initial_ts # split return value into FD and errno columns if event.ret >= 0: fd_s = event.ret err = 0 else: fd_s = -1 err = - event.ret if not initial_ts: initial_ts = event.ts printb(b"%-6d %-16s %4d %3d " % (event.id & event.id >> 32, event.comm, fd_s, err), nl="") printb(b'%s' % event.fname)
def print_event(cpu, data, size): event = b["events"].event(data) global start_ts if start_ts == 0: start_ts = event.ts if event.rwflag == 1: rwflg = "W" else: rwflg = "R" delta = float(event.ts) - start_ts # print(event.pid) if event.pid != 0: if args.time: printb(b"%-9s" % strftime("%H:%M:%S").encode('ascii'), nl="") print("%-11.6f %-14.14s %-6s %-7s %-1s %-10s %-7s" % ( delta / 1000000, event.name.decode('utf-8', 'replace'), event.pid, event.disk_name.decode('utf-8', 'replace'), rwflg, event.sector, event.len), end="") if args.queue: print("%7.2f " % (float(event.qdelta) / 1000000), end="") if args.netns: print("%-8d" % event.netns, end="") print("%7.2f" % (float(event.delta) / 1000000))
def process_netevent(cpu, data, size): global lists global args event = b["events"].event(data) ip_address = socket.inet_ntoa(struct.pack("I", event.address)) if args.verbose: printb(b"\t%s (%d) %s:%d" % (event.comm, event.pid, ip_address, socket.htons(event.port))) for feed in lists: if feed.check_membership(ip_address): if args.action == "print": print("{} ({}) touched a bad IP ({})".format( event.comm, event.pid, ip_address)) elif args.action == "dump": os.kill(event.pid, 19) os.system( "gcore -o /tmp/meatball-{}.core {} 2>/dev/null".format( event.ts, event.pid)) os.kill(event.pid, 9) print("{} ({}) Meatball took a dump in /tmp/ ({})".format( event.comm, event.pid, ip_address)) elif args.action == "suspend": os.kill(event.pid, 19) print("{} ({}) was suspended ({}) ".format( event.comm, event.pid, ip_address)) elif args.action == "kill": os.kill(event.pid, 9) print("{} ({}) was killed by Meatball ({}) ".format( event.comm, event.pid, ip_address))
def print_event(cpu, data, size): # Decode event event = b["listen_evt"].event(data) pid = event.pid_tgid & 0xffffffff proto_family = event.proto & 0xff proto_type = event.proto >> 16 & 0xff if proto_family == SOCK_STREAM: protocol = "TCP" elif proto_family == SOCK_DGRAM: protocol = "UDP" else: protocol = "UNK" address = "" if proto_type == AF_INET: protocol += "v4" address = inet_ntop(AF_INET, pack("I", event.laddr[0])) elif proto_type == AF_INET6: address = inet_ntop(AF_INET6, event.laddr) protocol += "v6" # Display if show_netns: printb(b"%-6d %-12.12s %-12s %-6s %-8s %-5s %-39s" % ( pid, event.task, event.netns, protocol, event.backlog, event.lport, address, )) else: printb(b"%-6d %-12.12s %-6s %-8s %-5s %-39s" % ( pid, event.task, protocol, event.backlog, event.lport, address, ))
def print_event(cpu, data, size): event = ct.cast(data, ct.POINTER(Data)).contents skip = False if event.type == EventType.EVENT_ARG: argv[event.pid].append(event.argv) elif event.type == EventType.EVENT_RET: if event.retval != 0 and not args.fails: skip = True if args.name and not re.search(bytes(args.name), event.comm): skip = True if args.line and not re.search(bytes(args.line), b' '.join(argv[event.pid])): skip = True if args.quote: argv[event.pid] = [ "\"" + arg.replace("\"", "\\\"") + "\"" for arg in argv[event.pid] ] if not skip: if args.timestamp: print("%-8.3f" % (time.time() - start_ts), end="") ppid = get_ppid(event.pid) ppid = b"%d" % ppid if ppid > 0 else b"?" printb(b"%-16s %-6d %-6s %3d %s" % (event.comm, event.pid, ppid, event.retval, b' '.join(argv[event.pid]))) try: del(argv[event.pid]) except Exception: pass
def print_event(cpu, data, size): event = ct.cast(data, ct.POINTER(Data)).contents global initial_ts # split return value into FD and errno columns if event.ret >= 0: fd_s = event.ret err = 0 else: fd_s = -1 err = -event.ret if not initial_ts: initial_ts = event.ts if args.failed and (event.ret >= 0): return if args.name and bytes(args.name) not in event.comm: return if args.timestamp: delta = event.ts - initial_ts print("%-14.9f" % (float(delta) / 1000000), end="") print("%-6d %-16s %4d %3d " % (event.id & 0xffffffff if args.tid else event.id >> 32, event.comm.decode('utf-8', 'replace'), fd_s, err), end="") if args.extended_fields: print("%08o " % event.flags, end="") printb(b'%s' % event.fname.decode('utf-8', 'replace'))
def print_event(cpu, data, size): event = b["events"].event(data) skip = False if event.type == EventType.EVENT_ARG: argv[event.pid].append(event.argv) elif event.type == EventType.EVENT_RET: if event.retval != 0 and not args.fails: skip = True if args.name and not re.search(bytes(args.name), event.comm): skip = True if args.line and not re.search(bytes(args.line), b' '.join(argv[event.pid])): skip = True if args.quote: argv[event.pid] = [ b"\"" + arg.replace(b"\"", b"\\\"") + b"\"" for arg in argv[event.pid] ] if not skip: if args.timestamp: printb(b"%-8.3f" % (time.time() - start_ts), nl="") ppid = event.ppid if event.ppid > 0 else get_ppid(event.pid) ppid = b"%d" % ppid if ppid > 0 else b"?" argv_text = b' '.join(argv[event.pid]).replace(b'\n', b'\\n') printb(b"%-16s %-6d %-6s %3d %s" % (event.comm, event.pid, ppid, event.retval, argv_text)) try: del(argv[event.pid]) except Exception: pass
def print_ipv6_event(cpu, data, size): event = b["tcp_ipv6_event"].event(data) global start_ts if args.time: printb(b"%-9s" % strftime("%H:%M:%S").encode('ascii'), nl="") if args.timestamp: if start_ts == 0: start_ts = event.ts_ns if args.verbose: print("%-14d" % (event.ts_ns - start_ts), end="") else: print("%-9.3f" % ((event.ts_ns - start_ts) / 1000000000.0), end="") if event.type == 1: type_str = "C" elif event.type == 2: type_str = "A" elif event.type == 3: type_str = "X" else: type_str = "U" if args.verbose: print("%-12s " % (verbose_types[type_str]), end="") else: print("%-2s " % (type_str), end="") print("%-6d %-16s %-2d %-16s %-16s %-6d %-6d" % (event.pid, event.comm.decode('utf-8', 'replace'), event.ip, "[" + inet_ntop(AF_INET6, event.saddr) + "]", "[" + inet_ntop(AF_INET6, event.daddr) + "]", event.sport, event.dport), end="") if args.verbose and not args.netns: print(" %-8d" % event.netns) else: print()
def print_ipv4_event(cpu, data, size): event = b["ipv4_events"].event(data) state = tcpstate2str(event.state).encode() dest_ip = inet_ntop(AF_INET, pack("I", event.daddr)).encode() printb(b"%-6d %-6d %-12.12s %-2d %-16s %-6d %-16s %-6d %-12.12s" % (event.pid, event.tgid, event.task, event.ip, inet_ntop(AF_INET, pack("I", event.saddr)).encode(), event.lport, dest_ip, event.dport, state))
def print_stream_event(cpu, data, size): event = b["stream_recvmsg_events"].event(data) global start_ts if args.timestamp: if start_ts == 0: start_ts = event.ts_us printb(b"%-9.3f" % ((float(event.ts_us) - start_ts) / 1000000), nl="") printb(b"%-6s %-12s" % (event.pid, event.task))
def print_event(cpu, data, size): event = ct.cast(data, ct.POINTER(Data)).contents if cpu == int(args.cpu) and event.type == 0: printb( b"%-9s %d %d %d %d %d %d" % (strftime("%H:%M:%S").encode('ascii'), event.pid, event.vruntime, event.load_sum, event.util_sum, event.load_avg, event.util_avg))
def print_event(cpu, data, size): global start event = b["events"].event(data) if start == 0: start = event.ts time_s = (float(event.ts - start)) / 1000000000 printb(b"%-18.9f %-16s %-6d %s" % (time_s, event.comm, event.pid, b"Hello, perf_output!"))
def print_event(cpu, data, size): event = ct.cast(data, ct.POINTER(Data)).contents if (args.failed and (event.ret >= 0)): return printb(b"%-9s %-6d %-16s %-4d %-6d %d" % (strftime("%H:%M:%S"), event.pid, event.comm, event.sig, event.tpid, event.ret))
def print_event(cpu, data, size): event = b["events"].event(data) if (args.failed and (event.ret >= 0)): return printb(b"%-9s %-6d %-16s %-4d %-6d %d" % (strftime("%H:%M:%S").encode('ascii'), event.pid, event.comm, event.sig, event.tpid, event.ret))
def print_event(cpu, data, size): event = bpf["events"].event(data) printb( b"%-16s %-8s %-8s %-8s %-12s" % (dec2ip(event.ip_src_addr), parse_ip_protocol(event.trans_proto), str(event.src_port) if event.src_port != 0 else '-', str(event.dst_port) if event.dst_port != 0 else '-', parse_xdp_action(event.action)))
def print_event(cpu, data, size): event = bpf["events"].event(data) printb(b"%-8d %-8d %-8s %-8s" % ( event.pid, event.argc, event.argv_1 if event.argv_1 != '' else '-', event.argv_2 if event.argv_2 != '' else '-', ))
def print_reaper_stats(): print("Reaper stats:") count_by_ns = bpf["count_by_ns"] for k, v in sorted(count_by_ns.items(), key=lambda kv: -kv[1].value): if k.value == 0xffffffff: continue printb(b"%-6d %-15s %8d" % (k.value, comm_for_pid(k.value), v.value)) print("") count_by_ns.clear()
def print_data(cpu, data, size): global start event = b["result"].event(data) if start == 0: start = event.ts ts = event.ts - start printb( b"At time %.2f s: multiple syncs detected, last %s ms ago, count %d" % (ts, event.delta, event.count))
def format_printer(queue, num, interval): #global tx_queue, rx_queue, print_interval # duration = (end_time - start_time) duration = interval + 0.0 if duration == 0.0: exit() # --- format --- COL_WIDTH = 10 LEN1 = 64 LEN2 = 512 LEN3 = 2048 LEN4 = 16384 #---------------- table for tx --------------- # table header headers = [ "QueueID", "BPS", "PPS", "avg_size", "[0, 64)", "[64, 512)", "[512, 2K)", "[2K, 16K)", "[16K, 64K)" ] for hd in headers: print(hd.center(COL_WIDTH)), print # contents tlen = 0 tpkg = 0 t_groups = [0] * LENs for i in range(num): len_cnt = queue['len_cnt'][i] pkg = queue['pkg_cnt'][i] group = queue['size_group'][i] t_groups = [(t_groups[k] + group[k]) for k in range(LENs)] tlen += len_cnt tpkg += pkg if pkg != 0: avg_size = len_cnt / pkg else: avg_size = 0 printb(b"%5d %11.2f %10.2f %10d %10d %10d %10d %10d %10d" % (i, len_cnt / duration, pkg / duration, avg_size, group[0], group[1], group[2], group[3], group[4])) if tpkg > 0: t_avg = tlen / tpkg else: t_avg = 0 printb(b" Total %10.2f %10.2f %10d %10d %10d %10d %10d %10d" % (tlen / duration, tpkg / duration, t_avg, t_groups[0], t_groups[1], t_groups[2], t_groups[3], t_groups[4])) print
def print_tcpreset_event(cpu, data, size): event = b["tcpreset_ipv4_events"].event(data) printb(b"%-6d %-6d %-16s %-6d %-16s %-6d" % ( event.uid, event.pid, inet_ntop(AF_INET, pack("I", event.daddr)).encode(), event.dport, inet_ntop(AF_INET, pack("I", event.saddr)).encode(), event.sport, ))
def print_count_stats(): data = bpf["data"] print("[%s]" % strftime("%H:%M:%S")) print("%-22s %8s" % (agg_colname, "COUNT")) for k, v in sorted(data.items(), key=lambda kv: -kv[1].value)[:args.top]: if k.value == 0xFFFFFFFF: continue # happens occasionally, we don't need it printb(b"%-22s %8d" % (agg_colval(k), v.value)) print("") data.clear()
def print_count_stats(): data = bpf["data"] print("[%s]" % strftime("%H:%M:%S")) print("%-22s %8s" % ("SYSCALL", "COUNT")) for k, v in sorted(data.items(), key=lambda kv: -kv[1].value)[:args.top]: if k.value == 0xFFFFFFFF: continue # happens occasionally, we don't need it printb(b"%-22s %8d" % (syscall_name(k.value % 10000), v.value)) print("") data.clear()
def print_latency_stats(): data = b["data"] print("[%s]" % strftime("%H:%M:%S")) print("%-22s %8s" % (agg_colname, "COUNT")) for k, v in sorted(data.items(), key=lambda kv: -kv[1].total_ns): if k.value == 0xFFFFFFFF: continue printb(b"%-22s %8d %16.3f" % (agg_colval(k), v.count, v.total_ns / 1e3)) print("") data.clear()
def print_ipv6_event(cpu, data, size): event = b["ipv6_events"].event(data) global start_ts if args.timestamp: if start_ts == 0: start_ts = event.ts_us print("%-9.3f" % ((float(event.ts_us) - start_ts) / 1000000), end="") printb(b"%-6d %-12.12s %-2d %-16s %-16s %-4d" % (event.pid, event.task, event.ip, inet_ntop( AF_INET6, event.daddr).encode(), inet_ntop( AF_INET6, event.saddr).encode(), event.lport))
def print_ipv6_event(cpu, data, size): event = ct.cast(data, ct.POINTER(Data_ipv6)).contents global start_ts if args.timestamp: if start_ts == 0: start_ts = event.ts_us print("%-9.3f" % ((float(event.ts_us) - start_ts) / 1000000), end="") printb(b"%-6d %-12.12s %-2d %-16s %-16s %-4d" % (event.pid, event.task.decode('utf-8', 'replace'), event.ip, inet_ntop(AF_INET6, event.daddr), inet_ntop( AF_INET6, event.saddr), event.lport))
def print_event(cpu, data, size): wrapper_obj = ct.cast(data, ct.POINTER(wrapper_class)).contents data += ct.sizeof(ct.c_ulong) + ct.sizeof(ct.c_int) event = b["events"].event(data) event.__raw_bpf_ts = wrapper_obj.__raw_bpf_ts printb(b"%-18d %-18d %-16s %-6d %s" % (event.__raw_bpf_ts, event.ts, event.comm, event.pid, b"Hello, perf_output!"))
def print_event(cpu, data, size): global initial_ts event = b["events"].event(data) if not initial_ts: initial_ts = event.ts delta = event.ts - initial_ts print("%-18.2f" % (float(delta) / 1000000), end="") print("%-30lx" % event.dev, end="") printb(b'%s' % event.name)
def print_ipv6_event(cpu, data, size): event = b["ipv6_events"].event(data) global start_ts if args.timestamp: if start_ts == 0: start_ts = event.ts_us print("%-9.3f" % ((float(event.ts_us) - start_ts) / 1000000), end="") printb(b"%-6d %-12.12s %-2d %-16s %-16s %-4d" % (event.pid, event.task, event.ip, inet_ntop(AF_INET6, event.daddr).encode(), inet_ntop(AF_INET6, event.saddr).encode(), event.lport))
def print_ipv6_event(cpu, data, size): event = ct.cast(data, ct.POINTER(Data_ipv6)).contents global start_ts if args.timestamp: if start_ts == 0: start_ts = event.ts_us print("%-9.3f" % ((float(event.ts_us) - start_ts) / 1000000), end="") printb(b"%-6d %-12.12s %-2d %-16s %-16s %-6d %-8d %-11d" % (event.pid, event.task, event.ip, inet_ntop( AF_INET6, event.daddr).encode(), inet_ntop( AF_INET6, event.saddr).encode(), event.lport, event.backlog, event.max_backlog))
def print_ipv4_event(cpu, data, size): event = ct.cast(data, ct.POINTER(Data_ipv4)).contents global start_ts if args.timestamp: if start_ts == 0: start_ts = event.ts_us print("%-9.3f" % ((float(event.ts_us) - start_ts) / 1000000), end="") if args.print_uid: print("%-6d" % event.uid, end="") printb(b"%-6d %-12.12s %-2d %-16s %-16s %-4d" % (event.pid, event.task, event.ip, inet_ntop(AF_INET, pack("I", event.saddr)).encode(), inet_ntop(AF_INET, pack("I", event.daddr)).encode(), event.dport))
def print_latency_stats(): data = bpf["data"] print("[%s]" % strftime("%H:%M:%S")) print("%-22s %8s %16s" % (agg_colname, "COUNT", time_colname)) for k, v in sorted(data.items(), key=lambda kv: -kv[1].total_ns)[:args.top]: if k.value == 0xFFFFFFFF: continue # happens occasionally, we don't need it printb((b"%-22s %8d " + (b"%16.6f" if args.milliseconds else b"%16.3f")) % (agg_colval(k), v.count, v.total_ns / (1e6 if args.milliseconds else 1e3))) print("") data.clear()
def print_ipv4_event(cpu, data, size): event = b["ipv4_events"].event(data) global start_ts if args.time: print("%-9s" % strftime("%H:%M:%S"), end="") if args.timestamp: if start_ts == 0: start_ts = event.ts_us print("%-9.3f" % ((float(event.ts_us) - start_ts) / 1000000), end="") printb(b"%-7d %-12.12s %-2d %-16s %-5d %-16s %-5d" % (event.pid, event.task, event.ip, inet_ntop(AF_INET, pack("I", event.daddr)).encode(), event.dport, inet_ntop(AF_INET, pack("I", event.saddr)).encode(), event.lport))
def print_event(cpu, data, size): event = b["events"].event(data) global initial_ts # split return value into FD and errno columns if event.ret >= 0: fd_s = event.ret err = 0 else: fd_s = -1 err = - event.ret if not initial_ts: initial_ts = event.ts if args.failed and (event.ret >= 0): return if args.name and bytes(args.name) not in event.comm: return if args.timestamp: delta = event.ts - initial_ts print("%-14.9f" % (float(delta) / 1000000), end="") if args.print_uid: print("%-6d" % event.uid, end="") print("%-6d %-16s %4d %3d " % (event.id & 0xffffffff if args.tid else event.id >> 32, event.comm.decode('utf-8', 'replace'), fd_s, err), end="") if args.extended_fields: print("%08o " % event.flags, end="") printb(b'%s' % event.fname)
def print_ipv4_event(cpu, data, size): event = b["ipv4_events"].event(data) global start_ts if args.timestamp: if start_ts == 0: start_ts = event.ts_us printb(b"%-9.3f" % ((float(event.ts_us) - start_ts) / 1000000), nl="") if args.print_uid: printb(b"%-6d" % event.uid, nl="") printb(b"%-6d %-12.12s %-2d %-16s %-16s %-4d" % (event.pid, event.task, event.ip, inet_ntop(AF_INET, pack("I", event.saddr)).encode(), inet_ntop(AF_INET, pack("I", event.daddr)).encode(), event.dport))
req->cmd_flags, delta / 1000); start.delete(&req); } } """) b.attach_kprobe(event="blk_start_request", fn_name="trace_start") b.attach_kprobe(event="blk_mq_start_request", fn_name="trace_start") b.attach_kprobe(event="blk_account_io_completion", fn_name="trace_completion") # header print("%-18s %-2s %-7s %8s" % ("TIME(s)", "T", "BYTES", "LAT(ms)")) # format output while 1: try: (task, pid, cpu, flags, ts, msg) = b.trace_fields() (bytes_s, bflags_s, us_s) = msg.split() if int(bflags_s, 16) & REQ_WRITE: type_s = b"W" elif bytes_s == "0": # see blk_fill_rwbs() for logic type_s = b"M" else: type_s = b"R" ms = float(int(us_s, 10)) / 1000 printb(b"%-18.9f %-2s %-7s %8.2f" % (ts, type_s, bytes_s, ms)) except KeyboardInterrupt: exit()
# check for an ENOMEM error if k.w_k_stack_id == -errno.ENOMEM: missing_stacks += 1 continue waker_kernel_stack = [] if k.w_k_stack_id < 1 else \ reversed(list(stack_traces.walk(k.w_k_stack_id))[1:]) if folded: # print folded stack output line = \ [k.waker] + \ [b.ksym(addr) for addr in reversed(list(waker_kernel_stack))] + \ [k.target] printb(b"%s %d" % (b";".join(line), v.value)) else: # print default multi-line stack output printb(b" %-16s %s" % (b"target:", k.target)) for addr in waker_kernel_stack: printb(b" %-16x %s" % (addr, b.ksym(addr))) printb(b" %-16s %s" % (b"waker:", k.waker)) print(" %d\n" % v.value) counts.clear() if missing_stacks > 0: enomem_str = " Consider increasing --stack-storage-size." print("WARNING: %d stack traces could not be displayed.%s" % (missing_stacks, enomem_str), file=stderr)
# # This is a Hello World example that formats output as fields. from bcc import BPF from bcc.utils import printb # define BPF program prog = """ int hello(void *ctx) { bpf_trace_printk("Hello, World!\\n"); return 0; } """ # load BPF program b = BPF(text=prog) b.attach_kprobe(event=b.get_syscall_fnname("clone"), fn_name="hello") # header print("%-18s %-16s %-6s %s" % ("TIME(s)", "COMM", "PID", "MESSAGE")) # format output while 1: try: (task, pid, cpu, flags, ts, msg) = b.trace_fields() except ValueError: continue except KeyboardInterrupt: exit() printb(b"%-18.9f %-16s %-6d %s" % (ts, task, pid, msg))
if (tsp != 0) { delta = bpf_ktime_get_ns() - *tsp; if (delta < 1000000000) { // output if time is less than 1 second bpf_trace_printk("%d\\n", delta / 1000000); } last.delete(&key); } // update stored timestamp ts = bpf_ktime_get_ns(); last.update(&key, &ts); return 0; } """) b.attach_kprobe(event=b.get_syscall_fnname("sync"), fn_name="do_trace") print("Tracing for quick sync's... Ctrl-C to end") # format output start = 0 while 1: try: (task, pid, cpu, flags, ts, ms) = b.trace_fields() if start == 0: start = ts ts = ts - start printb(b"At time %.2f s: multiple syncs detected, last %s ms ago" % (ts, ms)) except KeyboardInterrupt: exit()
try: sleep(interval) except KeyboardInterrupt: exiting = 1 # header if clear: call("clear") else: print() with open(loadavg) as stats: print("%-8s loadavg: %s" % (strftime("%H:%M:%S"), stats.read())) print("%-32s %6s %10s" % ("CACHE", "ALLOCS", "BYTES")) # by-TID output counts = b.get_table("counts") line = 0 for k, v in reversed(sorted(counts.items(), key=lambda counts: counts[1].size)): printb(b"%-32s %6d %10d" % (k.name, v.count, v.size)) line += 1 if line >= maxrows: break counts.clear() countdown -= 1 if exiting or countdown == 0: print("Detaching...") exit()
def inet_ntoa(addr): dq = b'' for i in range(0, 4): dq = dq + str(addr & 0xff).encode() if (i != 3): dq = dq + b'.' addr = addr >> 8 return dq # filter and format output while 1: # Read messages from kernel pipe try: (task, pid, cpu, flags, ts, msg) = b.trace_fields() (_tag, saddr_hs, daddr_hs, dport_s) = msg.split(b" ") except ValueError: # Ignore messages from other tracers continue except KeyboardInterrupt: exit() # Ignore messages from other tracers if _tag != "trace_tcp4connect": continue printb(b"%-6d %-12.12s %-16s %-16s %-4s" % (pid, task, inet_ntoa(int(saddr_hs, 16)), inet_ntoa(int(daddr_hs, 16)), dport_s))