Home Explore Help
Register Sign In
root
/
php-ebpf
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

init example

Carl 10 months ago
parent
538ba5e592
commit
1f24885d72
4 changed files with 173 additions and 0 deletions
Split View Show Diff Stats
  1. 72 0
      example/tracing/tcpv4connect.php
  2. 32 0
      example/tracing/tp.php
  3. 42 0
      example/tracing/trace_perf_output.php
  4. 27 0
      example/tracing/uprobe.php

+ 72 - 0
example/tracing/tcpv4connect.php
View File 

@@ -0,0 +1,72 @@
 
+<?php
 
+$bpf_text = <<<EOT
 
+#include <uapi/linux/ptrace.h>
 
+#include <net/sock.h>
 
+#include <bcc/proto.h>
 
+
 
+BPF_HASH(currsock, u32, struct sock *);
 
+
 
+int kprobe__tcp_v4_connect(struct pt_regs *ctx, struct sock *sk)
 
+{
 
+        u32 pid = bpf_get_current_pid_tgid();
 
+
 
+        // stash the sock ptr for lookup on return
 
+        currsock.update(&pid, &sk);
 
+
 
+        return 0;
 
+};
 
+
 
+int kretprobe__tcp_v4_connect(struct pt_regs *ctx)
 
+{
 
+        int ret = PT_REGS_RC(ctx);
 
+        u32 pid = bpf_get_current_pid_tgid();
 
+
 
+        struct sock **skpp;
 
+        skpp = currsock.lookup(&pid);
 
+        if (skpp == 0) {
 
+                return 0;       // missed entry
 
+        }
 
+
 
+        if (ret != 0) {
 
+                // failed to send SYNC packet, may not have populated
 
+                // socket __sk_common.{skc_rcv_saddr, ...}
 
+                currsock.delete(&pid);
 
+                return 0;
 
+        }
 
+
 
+        // pull in details
 
+        struct sock *skp = *skpp;
 
+        u32 saddr = skp->__sk_common.skc_rcv_saddr;
 
+        u32 daddr = skp->__sk_common.skc_daddr;
 
+        u16 dport = skp->__sk_common.skc_dport;
 
+
 
+        // output
 
+        bpf_trace_printk("trace_tcp4connect %x %x %d\\n", saddr, daddr, ntohs(dport));
 
+
 
+        currsock.delete(&pid);
 
+
 
+        return 0;
 
+}
 
+EOT;
 
+
 
+$ebpf = new Ebpf($bpf_text);
 
+# header
 
+printf("%-6s %-12s %-16s %-16s %-4s\n", "PID", "COMM", "SADDR", "DADDR","DPORT");
 
+# format output
 
+while (true) {
 
+    try {
 
+        list($task, $pid, $cpu, $flags, $ts, $msg) =$ebpf->trace_fields();
 
+        list($tag, $saddr_hs, $daddr_hs, $dport_s) = explode(" ", $msg, 4);
 
+
 
+        printf("%-6d %-12.12s %-16s %-16s %-4s\n",
 
+            $pid,
 
+            $task,
 
+            long2ip(unpack('V', pack('H*', $saddr_hs))[1]),
 
+            long2ip(unpack('V', pack('H*', $daddr_hs))[1]),
 
+            $dport_s
 
+        );
 
+        flush();
 
+    } catch (Exception $e) {
 
+        continue;
 
+    }
 
+}

+ 32 - 0
example/tracing/tp.php
View File 

@@ -0,0 +1,32 @@
 
+<?php
 
+$bpf_text = <<<EOT
 
+#include <uapi/linux/ptrace.h>
 
+struct trace_event_raw_sys_enter_rw__stub {
 
+    __u64 unused;
 
+    long int id;
 
+    __u64 fd;
 
+    char* buf;
 
+    __u64 size;
 
+};
 
+
 
+int test(struct trace_event_raw_sys_enter_rw__stub* ctx)
 
+{
 
+        bpf_trace_printk("%s\\n",ctx->size);
 
+        return 1;
 
+}
 
+EOT;
 
+
 
+$ebpf = new Ebpf($bpf_text);
 
+$ebpf->attach_tracepoint("syscalls:sys_enter_write","test");
 
+# header
 
+printf("%-18s %-16s %-6s %s\n", "TIME(s)", "COMM", "PID", "MESSAGE");
 
+# format output
 
+while (true) {
 
+    try {
 
+        list($task, $pid, $cpu, $flags, $ts, $msg) =$ebpf->trace_fields();
 
+        printf("%-18.9f %-16s %-6d %s\n", $ts, $task, $pid, $msg);
 
+        flush();
 
+    } catch (Exception $e) {
 
+        continue;
 
+    }
 
+}

+ 42 - 0
example/tracing/trace_perf_output.php
View File 

@@ -0,0 +1,42 @@
 
+<?php
 
+function cb($cpu,$data,$size) {
 
+    $event = unpack("Qcpu/Qts/Qmagic/A16msg", $data);
 
+    if ($event === false) {
 
+        echo "error.\n";
 
+        return;
 
+    }
 
+    printf("[%d] %.6f: %x %s\n", $event['cpu'], $event['ts'] / 1000000, $event['magic'],$event['msg']);
 
+}
 
+$prog = <<<EOT
 
+BPF_PERF_OUTPUT(events);
 
+BPF_ARRAY(counters, u64, 10);
 
+int do_sys_clone(void *ctx) {
 
+  struct {
 
+    u64 cpu;
 
+    u64 ts;
 
+    u64 magic;
 
+    char msg[16];
 
+  } data = {bpf_get_smp_processor_id(),bpf_ktime_get_ns(), 0x12345678,"Hello, world!"};
 
+  int rc;
 
+  if ((rc = events.perf_submit(ctx, &data, sizeof(data))) < 0)
 
+    bpf_trace_printk("perf_output failed: %d\\n", rc);
 
+  int zero = 0;
 
+  u64 *val = counters.lookup(&zero);
 
+  if (val) lock_xadd(val, 1);
 
+  return 0;
 
+}
 
+EOT;
 
+
 
+$ebpf = new Ebpf($prog);
 
+$event_name = $ebpf->get_syscall_fnname("clone");
 
+$ebpf->attach_kprobe($event_name,"do_sys_clone");
 
+$ebpf->perf_event("events")->open_perf_buffer("cb");
 
+echo("Tracing... Hit Ctrl-C to end.\n");
 
+while (true) {
 
+    try {
 
+        $ebpf->perf_buffer_poll();
 
+        flush();
 
+    } catch (Exception $e) {
 
+        exit;
 
+    }
 
+}

+ 27 - 0
example/tracing/uprobe.php
View File 

@@ -0,0 +1,27 @@
 
+<?php
 
+$bpf_text = <<<EOT
 
+#include <uapi/linux/ptrace.h>
 
+
 
+int test(struct pt_regs *ctx)
 
+{
 
+        bpf_trace_printk("%d---%d\\n",ctx->di,ctx->si);
 
+        return 1;
 
+}
 
+EOT;
 
+
 
+$ebpf = new Ebpf($bpf_text);
 
+// $arr = array("pid"=>-1);
 
+$ebpf->attach_uprobe("/opt/github/phpcpp_helloworld/a.out","add","test",[]);
 
+// $ebpf->trace_print();
 
+# header
 
+printf("%-18s %-16s %-6s %s\n", "TIME(s)", "COMM", "PID", "MESSAGE");
 
+# format output
 
+while (true) {
 
+    try {
 
+        list($task, $pid, $cpu, $flags, $ts, $msg) = $ebpf->trace_fields();
 
+        printf("%-18.9f %-16s %-6d %s\n", $ts, $task, $pid, $msg);
 
+        flush();
 
+    } catch (Exception $e) {
 
+        continue;
 
+    }
 
+}