
(Don't have access to a Linux box I can test this on at the moment, so sorry for the stupid question.)

In DTrace, you can specify a probe like

  syscall::*open*:entry / / { }

to grab open(2), openat(2), etc. Does eBPF allow wildcards in probe specifications?



You can do

    bpftrace -e 'tracepoint:syscalls:sys_enter_open* { printf("%d\n", pid); }'

but then you can't access the arguments of the different probes uniformly, i.e.

    bpftrace -e 'tracepoint:syscalls:sys_enter_open* { printf("%d %s\n", pid, str(args->filename)); }'

does not work.

You can do it like this:

    bpftrace -e 'tracepoint:syscalls:sys_enter_open { printf("%d %s\n", pid, str(args->filename)); } tracepoint:syscalls:sys_enter_openat { printf("%d %s\n", pid, str(args->filename)); }'

This is a bit awkward, but it seems that this will be fixed: https://github.com/iovisor/bpftrace/issues/132
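
An added example, not part of the thread or of bpftrace itself: the per-probe workaround above can be generated instead of typed by hand, by reading a `bpftrace -lv` listing and emitting one clause for each tracepoint that actually has a `filename` argument. The helper name `gen_program` is hypothetical, and the listing is a constructed sample that assumes the `open*` wildcard also matches a tracepoint without that argument.

```shell
# Constructed sample of `bpftrace -lv 'tracepoint:syscalls:sys_enter_open*'`
# output: probe name at column 0, its argument fields indented beneath it.
sample_listing() {
cat <<'EOF'
tracepoint:syscalls:sys_enter_open
    int __syscall_nr
    const char * filename
    int flags
    umode_t mode
tracepoint:syscalls:sys_enter_open_by_handle_at
    int __syscall_nr
    int mountdirfd
    struct file_handle * handle
    int flags
tracepoint:syscalls:sys_enter_openat
    int __syscall_nr
    int dfd
    const char * filename
    int flags
    umode_t mode
EOF
}

# Hypothetical helper: read a -lv listing on stdin and print a bpftrace
# program with one clause per probe that has an argument named "$1".
gen_program() {
    awk -v field="$1" '
        /^tracepoint:/ { probe = $0; next }   # start of a new probe entry
        probe != "" && $NF == field {         # argument name is the last word
            printf "%s { printf(\"%%d %%s\\n\", pid, str(args->%s)); }\n", probe, field
            probe = ""                        # emit each probe only once
        }
    '
}

# On a Linux box, feed it the real listing instead of the sample:
#   bpftrace -lv 'tracepoint:syscalls:sys_enter_open*' | gen_program filename > open.bt
#   bpftrace open.bt
sample_listing | gen_program filename
```

Probes whose argument list lacks the requested field are skipped, so every generated clause only dereferences an argument its own tracepoint defines.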



