A thin wrapper around bpftrace that lets you trace socket buffer contents.
Like any other bpftrace script, skbtrace is defined by probes to which it attaches actions. The two most common probes in skbtrace are 'recv' and 'xmit', which fire when a socket buffer is received or transmitted respectively. Probes are specified with the -P option, though some commands select them implicitly. The list of available probes can be printed with the 'probes' command.

skbtrace does not detect which protocols are encapsulated in a packet; it requires hints instead, so only one packet type can be traced at a time. Hints include the overlay encapsulation type (-e), the IP version (-6) and the transport protocol (such as -p tcp).

Probe firings can be limited with filters of the form -F 'field == value', where field is either an alias, a field without an object such as the global variable 'comm', or a full $obj->field expression. The list of available fields is printed by the 'fields' command. There are also filter shortcuts such as -i, which specifies a network interface directly.

skbtrace tracks the number of probe firings and the number of firings that passed filtering, either implicitly (in the @hits array of dump-like commands) or explicitly via the 'evcount' subcommand of 'timeit'.

Dump-like commands such as 'dump' and 'outliers' require the rows to dump to be specified with the -o option. The list of available dump rows and the meaning of each field can be printed with the 'fields' command.

Time commands, which map one event to another, require a list of keys used for that mapping. Keys use the same field syntax as filters. For example, -k src,dst,sport,dport maps packets that share the same five-tuple, provided -p tcp or -p udp is supplied to determine the protocol.
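To make the probe, filter, cast and @hits concepts above concrete, here is the shape of bpftrace script that a wrapper like skbtrace ends up generating. This is an added illustration written for this page, not skbtrace's own generated output: the tracepoints (net:netif_receive_skb for the 'recv' side, net:net_dev_xmit for the 'xmit' side), the 'curl' process filter and the printed fields are my choices, and the script assumes a kernel with BTF so that bpftrace can resolve struct sk_buff without header includes.

```bpftrace
// 'recv' probe: fires for every socket buffer handed to the network stack.
// The predicate is the hand-written equivalent of -F 'comm == "curl"'.
// The (struct sk_buff *) cast is the one the --struct-keyword option controls.
tracepoint:net:netif_receive_skb
/comm == "curl"/
{
    $skb = (struct sk_buff *)args->skbaddr;
    @hits["recv", comm] = count();          // firings that passed the filter
    printf("recv dev=%s len=%u\n", $skb->dev->name, $skb->len);
}

// 'xmit' probe: fires once a frame has been passed to the device driver.
tracepoint:net:net_dev_xmit
/comm == "curl"/
{
    $skb = (struct sk_buff *)args->skbaddr;
    @hits["xmit", comm] = count();
    printf("xmit dev=%s len=%u\n", $skb->dev->name, $skb->len);
}

// bpftrace prints remaining maps on exit; doing it explicitly keeps the
// output deterministic when the script is stopped by a timeout (-T).
END
{
    print(@hits);
}
```

Run with `bpftrace script.bt` as root; the -D option of skbtrace dumps the command it would run, which is the easiest way to compare its generated probes and predicates against a hand-written script like this one.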
- --bpftrace string: Path to the bpftrace binary (default "bpftrace")
- -D, --dump: Dump the bpftrace command instead of running it
- -e, --encap string: Type of encapsulation: 'gre' or 'udp' (default "gre")
- -h, --help: Help for skbtrace
- -p, --hint strings: Protocol hints for weak field aliases, such as 'tcp' for 'sport'
- -6, --inet6: If specified, skbtrace assumes that the inner header is IPv6
- --struct-keyword string: Whether to use the struct keyword in casts: "" - do not use, "struct" - use, "auto" - deduce from the bpftrace version (default "auto")
- -T, --timeout duration: Execution timeout for the resulting bpftrace script (default 1m0s)
- --unit string: Time unit used for measurements: 'sec', 'ms', 'us' or 'ns' (default "us")
- skbtrace aggregate - Aggregates probe firings by a specified set of keys
- skbtrace dump - Prints the requested rows each time a probe fires
- skbtrace duplicate - Dumps objects that are hit twice with the same set of keys
- skbtrace fields - Shows the list of known fields
- skbtrace probes - Shows the list of known probes
- skbtrace timeit - Measures the time delta between two distinct events, 'from' and 'to'