1KSNOOP(8) KSNOOP(8)
2
6 KSNOOP - tool for tracing kernel function entry/return showing argu‐
7 ments/return values
8
10 ksnoop [OPTIONS] { COMMAND FUNC | help }
11 OPTIONS := { { -V | --version } | { -h | --help } | { [-P | --pages]
13 nr_pages} | { [-p | --pid] pid} | [{ -s | --stack }] | [{ -d | --de‐
14 bug }] }
15 COMMAND := { trace | info }
17 FUNC := { name | name(arg[,**arg]) }
19
21 ksnoop allows for inspection of arguments and return values associ‐
22 ated with function entry/return.
23 ksnoop info FUNC
25 Show function description, arguments and return value types.
26 ksnoop trace FUNC [FUNC]
28 Trace function entry and return, showing arguments and return
29 values. A function name can simply be specified, or a func‐
30 tion name along with named arguments, return values. return
31 is used to specify the return value.
32 ksnoop requires the kernel to provide BTF for itself, and if tracing
34 of module data is required, module BTF must be present also. Check
35 /sys/kernel/btf to see if BTF is present.
36 ksnoop requires CAP_BPF and CAP_TRACING capabilities.
38
40 -h, --help
41 Show help information
42 -V, --version
44 Show version.
45 -d, --debug
47 Show debug output.
48 -p, --pid
50 Filter events by pid.
51 -P, --pages
53 Specify number of pages used per-CPU for perf event collec‐
54 tion. Default is 8.
55 -s, --stack
57 Specified set of functions are traced if and only if they are
58 encountered in the order specified.
59
61 # ksnoop info ip_send_skb
62 int ip_send_skb(struct net * net, struct sk_buff * skb);
64 Show function description.
66 # ksnoop trace ip_send_skb
68 TIME CPU PID FUNCTION/ARGS
70 78101668506811 1 2813 ip_send_skb(
71 net = *(0xffffffffb5959840)
72 (struct net){
73 .passive = (refcount_t){
74 .refs = (atomic_t){
75 .counter = (int)0x2,
76 },
77 },
78 .dev_base_seq = (unsigned int)0x18,
79 .ifindex = (int)0xf,
80 .list = (struct list_head){
81 .next = (struct list_head *)0xffff9895440dc120,
82 .prev = (struct list_head *)0xffffffffb595a8d0,
83 },
84 ...
85 79561322965250 1 2813 ip_send_skb(
87 return =
88 (int)0x0
89 );
90 Show entry/return for ip_send_skb() with arguments, return values.
92 # ksnoop trace "ip_send_skb(skb)"
94 TIME CPU PID FUNCTION/ARGS
96 78142420834537 1 2813 ip_send_skb(
97 skb = *(0xffff989750797c00)
98 (struct sk_buff){
99 (union){
100 .sk = (struct sock *)0xffff98966ce19200,
101 .ip_defrag_offset = (int)0x6ce19200,
102 },
103 (union){
104 (struct){
105 ._skb_refdst = (long unsigned int)0xffff98981dde2d80,
106 .destructor = (void (*)(struct sk_buff *))0xffffffffb3e1beb0,
107 },
108 ...
109 Show entry argument skb.
111 # ksnoop trace "ip_send_skb(return)"
113 TIME CPU PID FUNCTION/ARGS
115 78178228354796 1 2813 ip_send_skb(
116 return =
117 (int)0x0
118 );
119 Show return value from ip_send_skb().
121 # ksnoop trace "ip_send_skb(skb->sk)"
123 TIME CPU PID FUNCTION/ARGS
125 78207649138829 2 2813 ip_send_skb(
126 skb->sk = *(0xffff98966ce19200)
127 (struct sock){
128 .__sk_common = (struct sock_common){
129 (union){
130 .skc_addrpair = (__addrpair)0x1701a8c017d38f8d,
131 (struct){
132 .skc_daddr = (__be32)0x17d38f8d,
133 .skc_rcv_saddr = (__be32)0x1701a8c0,
134 },
135 },
136 ...
137 Trace member information associated with argument. Only one level of
139 membership is supported.
140 # ksnoop -p 2813 "ip_rcv(dev)"
142 TIME CPU PID FUNCTION/ARGS
144 78254803164920 1 2813 ip_rcv(
145 dev = *(0xffff9895414cb000)
146 (struct net_device){
147 .name = (char[16])[
148 'l',
149 'o',
150 ],
151 .name_node = (struct netdev_name_node *)0xffff989541515ec0,
152 .state = (long unsigned int)0x3,
153 ...
154 Trace dev argument of ip_rcv(). Specify process id 2813 for events for
156 that process only.
157 # ksnoop -s tcp_sendmsg __tcp_transmit_skb ip_output
159 TIME CPU PID FUNCTION/ARGS
161 71827770952903 1 4777 __tcp_transmit_skb(
162 sk = *(0xffff9852460a2300)
163 (struct sock){
164 .__sk_common = (struct sock_common){
165 (union){
166 .skc_addrpair = (__addrpair)0x61b2af0a35cbfe0a,
167 Trace entry/return of tcp_sendmsg, __tcp_transmit_skb and ip_output
169 when tcp_sendmsg leads to a call to __tcp_transmit_skb and that in turn
170 leads to a call to ip_output; i.e. with a call graph matching the order
171 specified. The order does not have to be direct calls, i.e. function A
172 can call another function that calls function B.
173 # ksnoop "ip_send_skb(skb->len > 100, skb)"
175 TIME CPU PID FUNCTION/ARGS
177 39267395709745 1 2955 ip_send_skb(
178 skb->len =
179 (unsigned int)0x89,
180 skb = *(0xffff89c8be81e500)
181 (struct sk_buff){
182 (union){
183 .sk = (struct sock *)0xffff89c6c59e5580,
184 .ip_defrag_offset = (int)0xc59e5580,
185 },
186 Trace ip_send_skb() skbs which have len > 100.
188
190 bpf(2),
191 KSNOOP(8)