
argdist: print process name COMM #4633

Merged
merged 3 commits into from
Jun 21, 2023

Conversation

tariromukute
Contributor

Hi,

Thank you for this project.

I want to use argdist, but instead of getting the PID I need the process name. The reason is that I have short-lived processes, and I want to inspect whether the sockets created by the processes are non-blocking. To make it easier to identify the process I want the tool to print the process name, supporting something like argdist -c -C 't:syscalls:sys_enter_accept4():int,char*,int:args->fd,$COMM,args->flags&00004000'. I managed to make some code changes in this PR, but I am facing an issue with the output, see below:

t:syscalls:sys_enter_accept4():int,char*,int:args->fd,$COMM,args->flags&00004000
	COUNT      EVENT
	2          args->fd = 9, $COMM = b'nrf', args->flags&00004000 = 2048
	4          args->fd = 9, $COMM = b'nrf', args->flags&00004000 = 2048
	4          args->fd = 9, $COMM = b'nrf', args->flags&00004000 = 2048
	4          args->fd = 9, $COMM = b'nrf', args->flags&00004000 = 2048

Although the COMM is successfully extracted, it results in what should be the same count being split into separate entries. I am assuming this is due to the pointer to the COMM being saved in the BPF_HASH map. I would appreciate pointers to resolving this.

Thanks,

@yonghong-song
Collaborator

The tool itself is argdist (argument distribution) and 'comm' is not part of the argument, so we probably should not add 'comm' in it. You can have a customized private version for that purpose.
You can use option '--ebpf' to dump the generated code to debug your issue.

@tariromukute
Contributor Author

Thanks @yonghong-song for the pointer. I found what was causing the misbehavior leveraging the --ebpf flag.

When the key was being created bpf_probe_read_kernel(&__key.v0.s, sizeof(__key.v0.s), (void *)&val.name); the size of the v0 variable is equivalent to sizeof(struct __string_t). I had set the size of the process name (val.name) to TASK_COMM_LEN = 16. This mismatch was causing the difference in the key even when the process name was the same. Changing the size of val.name to sizeof(struct __string_t) resolved the issue.

I am using this customised version for my work; however, I updated the tool's documentation for the PR to be merged. I think other users might find the flexibility useful.

Thanks.
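The size mismatch described in the comment above, modelled in user-space C as an added example (not code from this PR or from bcc): the key-filling step copies sizeof(__key.v0.s) bytes starting at val.name, so with a 16-byte name buffer it also captures whatever sits behind it, and two events for the same comm end up with different hash keys. STRING_SIZE, the struct layouts and the function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

#define TASK_COMM_LEN 16
#define STRING_SIZE 72   /* assumed width of argdist's struct __string_t (hypothetical value) */

struct __string_t { char s[STRING_SIZE]; };
struct key_t { struct __string_t v0; int fd; };      /* $COMM, args->fd */

/* Layout as described in the PR: a TASK_COMM_LEN name buffer with the other
 * per-event fields laid out right behind it (slack keeps the copy in bounds). */
struct val_bad  { char name[TASK_COMM_LEN]; unsigned flags; int fd; char slack[STRING_SIZE]; };
/* Fixed layout: the name buffer is as wide as the key field it is copied into. */
struct val_good { char name[STRING_SIZE];   unsigned flags; int fd; };

/* Stand-in for bpf_probe_read_kernel(&__key.v0.s, sizeof(__key.v0.s), &val.name):
 * it always copies sizeof(key->v0.s) bytes starting at the name field. */
static void fill_key(struct key_t *key, const void *val, size_t name_off, int fd) {
    memset(key, 0, sizeof *key);
    memcpy(key->v0.s, (const unsigned char *)val + name_off, sizeof key->v0.s);
    key->fd = fd;
}

static void key_bad(struct key_t *key, const char *comm, unsigned flags, int fd) {
    struct val_bad v;
    memset(&v, 0, sizeof v);
    strncpy(v.name, comm, TASK_COMM_LEN - 1);
    v.flags = flags; v.fd = fd;
    fill_key(key, &v, offsetof(struct val_bad, name), fd);   /* overruns into v.flags / v.fd */
}

static void key_good(struct key_t *key, const char *comm, unsigned flags, int fd) {
    struct val_good v;
    memset(&v, 0, sizeof v);
    strncpy(v.name, comm, TASK_COMM_LEN - 1);
    v.flags = flags; v.fd = fd;
    fill_key(key, &v, offsetof(struct val_good, name), fd);  /* stays inside zeroed v.name */
}

/* A BPF_HASH compares keys byte for byte, so memcmp over the whole key decides
 * whether two events share a bucket. Returns 1 if they would, 0 otherwise. */
int same_bucket(int fixed, const char *comm, unsigned flags_a, unsigned flags_b, int fd) {
    struct key_t a, b;
    if (fixed) { key_good(&a, comm, flags_a, fd); key_good(&b, comm, flags_b, fd); }
    else       { key_bad(&a, comm, flags_a, fd);  key_bad(&b, comm, flags_b, fd);  }
    return memcmp(&a, &b, sizeof a) == 0;
}
```

With the buggy layout, same_bucket(0, "nrf", 2048, 0, 9) returns 0 because the bytes of flags leak into the key; with the fixed layout the same call returns 1.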

@yonghong-song yonghong-song merged commit 963e4a6 into iovisor:master Jun 21, 2023
@tariromukute tariromukute deleted the argdist_comm branch June 21, 2023 09:34
captain5050 pushed a commit to captain5050/bcc that referenced this pull request Oct 12, 2023
* Print expression to print process name
* Update documentation to add usage of COMM argument