1KSNOOP(8)                                                            KSNOOP(8)
2
3
4

NAME

6       KSNOOP  -  tool  for tracing kernel function entry/return showing argu‐
7       ments/return values
8

SYNOPSIS

10          ksnoop [OPTIONS] { COMMAND  FUNC | help }
11
12          OPTIONS := { { -V | --version } | { -h | --help } | { [-P | --pages]
13          nr_pages} | { [-p | --pid] pid} | [{ -s | --stack }] | [{ -d | --de‐
14          bug }] }
15
16          COMMAND := { trace | info }
17
18          FUNC := { name | name(arg[,**arg]) }
19

DESCRIPTION

21          ksnoop allows for inspection of arguments and return values  associ‐
22          ated with function entry/return.
23
24          ksnoop info FUNC
25                 Show function description, arguments and return value types.
26
27          ksnoop trace FUNC [FUNC]
28                 Trace function entry and return, showing arguments and return
29                 values.  A function name can simply be specified, or a  func‐
30                 tion  name along with named arguments, return values.  return
31                 is used to specify the return value.
32
33          ksnoop requires the kernel to provide BTF for itself, and if tracing
34          of  module data is required, module BTF must be present also.  Check
35          /sys/kernel/btf to see if BTF is present.
36
37          ksnoop requires CAP_BPF and CAP_TRACING capabilities.
38

OPTIONS

40          -h, --help
41                 Show help information
42
43          -V, --version
44                 Show version.
45
46          -d, --debug
47                 Show debug output.
48
49          -p, --pid
50                 Filter events by pid.
51
52          -P, --pages
53                 Specify number of pages used per-CPU for perf  event  collec‐
54                 tion.  Default is 8.
55
56          -s, --stack
57                 Specified set of functions are traced if and only if they are
58                 encountered in the order specified.
59

EXAMPLES

61       # ksnoop info ip_send_skb
62
63          int  ip_send_skb(struct net  * net, struct sk_buff  * skb);
64
65       Show function description.
66
67       # ksnoop trace ip_send_skb
68
69                    TIME  CPU      PID FUNCTION/ARGS
70          78101668506811    1     2813 ip_send_skb(
71                                           net = *(0xffffffffb5959840)
72                                            (struct net){
73                                             .passive = (refcount_t){
74                                              .refs = (atomic_t){
75                                               .counter = (int)0x2,
76                                              },
77                                             },
78                                             .dev_base_seq = (unsigned int)0x18,
79                                             .ifindex = (int)0xf,
80                                             .list = (struct list_head){
81                                              .next = (struct list_head *)0xffff9895440dc120,
82                                              .prev = (struct list_head *)0xffffffffb595a8d0,
83                                             },
84                                           ...
85
86          79561322965250    1     2813 ip_send_skb(
87                                           return =
88                                            (int)0x0
89                                       );
90
91       Show entry/return for ip_send_skb() with arguments, return values.
92
93       # ksnoop trace "ip_send_skb(skb)"
94
95                   TIME  CPU      PID FUNCTION/ARGS
96          78142420834537    1     2813 ip_send_skb(
97                                           skb = *(0xffff989750797c00)
98                                            (struct sk_buff){
99                                             (union){
100                                              .sk = (struct sock *)0xffff98966ce19200,
101                                              .ip_defrag_offset = (int)0x6ce19200,
102                                             },
103                                             (union){
104                                              (struct){
105                                               ._skb_refdst = (long unsigned int)0xffff98981dde2d80,
106                                               .destructor = (void (*)(struct sk_buff *))0xffffffffb3e1beb0,
107                                              },
108                                          ...
109
110       Show entry argument skb.
111
112       # ksnoop trace "ip_send_skb(return)"
113
114                   TIME  CPU      PID FUNCTION/ARGS
115          78178228354796    1     2813 ip_send_skb(
116                                           return =
117                                            (int)0x0
118                                       );
119
120       Show return value from ip_send_skb().
121
122       # ksnoop trace "ip_send_skb(skb->sk)"
123
124                    TIME  CPU      PID FUNCTION/ARGS
125          78207649138829    2     2813 ip_send_skb(
126                                           skb->sk = *(0xffff98966ce19200)
127                                            (struct sock){
128                                             .__sk_common = (struct sock_common){
129                                              (union){
130                                               .skc_addrpair = (__addrpair)0x1701a8c017d38f8d,
131                                               (struct){
132                                                .skc_daddr = (__be32)0x17d38f8d,
133                                                .skc_rcv_saddr = (__be32)0x1701a8c0,
134                                               },
135                                              },
136                                            ...
137
138       Trace member information associated with argument.  Only one  level  of
139       membership is supported.
140
141       # ksnoop -p 2813 "ip_rcv(dev)"
142
143                    TIME  CPU      PID FUNCTION/ARGS
144          78254803164920    1     2813 ip_rcv(
145                                           dev = *(0xffff9895414cb000)
146                                            (struct net_device){
147                                             .name = (char[16])[
148                                              'l',
149                                              'o',
150                                             ],
151                                             .name_node = (struct netdev_name_node *)0xffff989541515ec0,
152                                             .state = (long unsigned int)0x3,
153                                           ...
154
155       Trace dev argument of ip_rcv().  Specify process id 2813 for events for
156       that process only.
157
158       # ksnoop -s tcp_sendmsg __tcp_transmit_skb  ip_output
159
160                   TIME  CPU      PID FUNCTION/ARGS
161          71827770952903    1     4777 __tcp_transmit_skb(
162                                           sk = *(0xffff9852460a2300)
163                                            (struct sock){
164                                             .__sk_common = (struct sock_common){
165                                              (union){
166                                               .skc_addrpair = (__addrpair)0x61b2af0a35cbfe0a,
167
168       Trace entry/return of  tcp_sendmsg,  __tcp_transmit_skb  and  ip_output
169       when tcp_sendmsg leads to a call to __tcp_transmit_skb and that in turn
170       leads to a call to ip_output; i.e. with a call graph matching the order
171       specified.  The order does not have to be direct calls, i.e. function A
172       can call another function that calls function B.
173
174       # ksnoop "ip_send_skb(skb->len > 100, skb)"
175
176                    TIME  CPU      PID FUNCTION/ARGS
177          39267395709745    1     2955 ip_send_skb(
178                                           skb->len =
179                                            (unsigned int)0x89,
180                                           skb = *(0xffff89c8be81e500)
181                                            (struct sk_buff){
182                                             (union){
183                                              .sk = (struct sock *)0xffff89c6c59e5580,
184                                              .ip_defrag_offset = (int)0xc59e5580,
185                                             },
186
187       Trace ip_send_skb() skbs which have len > 100.
188

SEE ALSO

190          bpf(2),
191
192
193
194
195                                                                     KSNOOP(8)
Impressum