299 lines
8.5 KiB
Groff
299 lines
8.5 KiB
Groff
.\" Man page generated from reStructuredText.
|
|
.
|
|
.TH KSNOOP 8 "" "" ""
|
|
.SH NAME
|
|
KSNOOP \- tool for tracing kernel function entry/return showing arguments/return values
|
|
.
|
|
.nr rst2man-indent-level 0
|
|
.
|
|
.de1 rstReportMargin
|
|
\\$1 \\n[an-margin]
|
|
level \\n[rst2man-indent-level]
|
|
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
-
|
|
\\n[rst2man-indent0]
|
|
\\n[rst2man-indent1]
|
|
\\n[rst2man-indent2]
|
|
..
|
|
.de1 INDENT
|
|
.\" .rstReportMargin pre:
|
|
. RS \\$1
|
|
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
|
. nr rst2man-indent-level +1
|
|
.\" .rstReportMargin post:
|
|
..
|
|
.de UNINDENT
|
|
. RE
|
|
.\" indent \\n[an-margin]
|
|
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
.nr rst2man-indent-level -1
|
|
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
|
..
|
|
.SH SYNOPSIS
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
\fBksnoop\fP [\fIOPTIONS\fP] { \fICOMMAND\fP \fIFUNC\fP | \fBhelp\fP }
|
|
.sp
|
|
\fIOPTIONS\fP := { { \fB\-V\fP | \fB\-\-version\fP } | { \fB\-h\fP | \fB\-\-help\fP }
|
|
| { [\fB\-P\fP | \fB\-\-pages\fP] nr_pages} | { [\fB\-p\fP | \fB\-\-pid\fP] pid} |
|
|
[{ \fB\-s\fP | \fB\-\-stack\fP }] | [{ \fB\-d\fP | \fB\-\-debug\fP }] }
|
|
.sp
|
|
\fICOMMAND\fP := { \fBtrace\fP | \fBinfo\fP }
|
|
.sp
|
|
\fIFUNC\fP := { \fBname\fP | \fBname\fP(\fBarg\fP[,**arg]) }
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.SH DESCRIPTION
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
\fIksnoop\fP allows for inspection of arguments and return values
|
|
associated with function entry/return.
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \fBksnoop info\fP \fIFUNC\fP
|
|
Show function description, arguments and return value types.
|
|
.TP
|
|
.B \fBksnoop trace\fP \fIFUNC\fP [\fIFUNC\fP]
|
|
Trace function entry and return, showing arguments and
|
|
return values. A function name can simply be specified,
|
|
or a function name along with named arguments, return values.
|
|
\fBreturn\fP is used to specify the return value.
|
|
.UNINDENT
|
|
.sp
|
|
\fIksnoop\fP requires the kernel to provide BTF for itself, and if
|
|
tracing of module data is required, module BTF must be present also.
|
|
Check /sys/kernel/btf to see if BTF is present.
|
|
.sp
|
|
\fBksnoop\fP requires \fICAP_BPF\fP and \fICAP_TRACING\fP capabilities.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.SH OPTIONS
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
.INDENT 0.0
|
|
.TP
|
|
.B \-h\fP,\fB \-\-help
|
|
Show help information
|
|
.TP
|
|
.B \-V\fP,\fB \-\-version
|
|
Show version.
|
|
.TP
|
|
.B \-d\fP,\fB \-\-debug
|
|
Show debug output.
|
|
.TP
|
|
.B \-p\fP,\fB \-\-pid
|
|
Filter events by pid.
|
|
.TP
|
|
.B \-P\fP,\fB \-\-pages
|
|
Specify number of pages used per\-CPU for perf event
|
|
collection. Default is 8.
|
|
.TP
|
|
.B \-s\fP,\fB \-\-stack
|
|
Specified set of functions are traced if and only
|
|
if they are encountered in the order specified.
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.SH EXAMPLES
|
|
.sp
|
|
\fB# ksnoop info ip_send_skb\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
.sp
|
|
.nf
|
|
.ft C
|
|
int ip_send_skb(struct net * net, struct sk_buff * skb);
|
|
.ft P
|
|
.fi
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
Show function description.
|
|
.sp
|
|
\fB# ksnoop trace ip_send_skb\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
.sp
|
|
.nf
|
|
.ft C
|
|
TIME CPU PID FUNCTION/ARGS
|
|
78101668506811 1 2813 ip_send_skb(
|
|
net = *(0xffffffffb5959840)
|
|
(struct net){
|
|
.passive = (refcount_t){
|
|
.refs = (atomic_t){
|
|
.counter = (int)0x2,
|
|
},
|
|
},
|
|
.dev_base_seq = (unsigned int)0x18,
|
|
.ifindex = (int)0xf,
|
|
.list = (struct list_head){
|
|
.next = (struct list_head *)0xffff9895440dc120,
|
|
.prev = (struct list_head *)0xffffffffb595a8d0,
|
|
},
|
|
...
|
|
|
|
79561322965250 1 2813 ip_send_skb(
|
|
return =
|
|
(int)0x0
|
|
);
|
|
.ft P
|
|
.fi
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
Show entry/return for ip_send_skb() with arguments, return values.
|
|
.sp
|
|
\fB# ksnoop trace "ip_send_skb(skb)"\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
.sp
|
|
.nf
|
|
.ft C
|
|
TIME CPU PID FUNCTION/ARGS
|
|
78142420834537 1 2813 ip_send_skb(
|
|
skb = *(0xffff989750797c00)
|
|
(struct sk_buff){
|
|
(union){
|
|
.sk = (struct sock *)0xffff98966ce19200,
|
|
.ip_defrag_offset = (int)0x6ce19200,
|
|
},
|
|
(union){
|
|
(struct){
|
|
._skb_refdst = (long unsigned int)0xffff98981dde2d80,
|
|
.destructor = (void (*)(struct sk_buff *))0xffffffffb3e1beb0,
|
|
},
|
|
...
|
|
.ft P
|
|
.fi
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
Show entry argument \fBskb\fP\&.
|
|
.sp
|
|
\fB# ksnoop trace "ip_send_skb(return)"\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
.sp
|
|
.nf
|
|
.ft C
|
|
TIME CPU PID FUNCTION/ARGS
|
|
78178228354796 1 2813 ip_send_skb(
|
|
return =
|
|
(int)0x0
|
|
);
|
|
.ft P
|
|
.fi
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
Show return value from ip_send_skb().
|
|
.sp
|
|
\fB# ksnoop trace "ip_send_skb(skb\->sk)"\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
.sp
|
|
.nf
|
|
.ft C
|
|
TIME CPU PID FUNCTION/ARGS
|
|
78207649138829 2 2813 ip_send_skb(
|
|
skb\->sk = *(0xffff98966ce19200)
|
|
(struct sock){
|
|
.__sk_common = (struct sock_common){
|
|
(union){
|
|
.skc_addrpair = (__addrpair)0x1701a8c017d38f8d,
|
|
(struct){
|
|
.skc_daddr = (__be32)0x17d38f8d,
|
|
.skc_rcv_saddr = (__be32)0x1701a8c0,
|
|
},
|
|
},
|
|
...
|
|
.ft P
|
|
.fi
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
Trace member information associated with argument. Only one level of
|
|
membership is supported.
|
|
.sp
|
|
\fB# ksnoop \-p 2813 "ip_rcv(dev)"\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
.sp
|
|
.nf
|
|
.ft C
|
|
TIME CPU PID FUNCTION/ARGS
|
|
78254803164920 1 2813 ip_rcv(
|
|
dev = *(0xffff9895414cb000)
|
|
(struct net_device){
|
|
.name = (char[16])[
|
|
\(aql\(aq,
|
|
\(aqo\(aq,
|
|
],
|
|
.name_node = (struct netdev_name_node *)0xffff989541515ec0,
|
|
.state = (long unsigned int)0x3,
|
|
...
|
|
.ft P
|
|
.fi
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
Trace \fBdev\fP argument of \fBip_rcv()\fP\&. Specify process id 2813 for events
|
|
for that process only.
|
|
.sp
|
|
\fB# ksnoop \-s tcp_sendmsg __tcp_transmit_skb ip_output\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
.sp
|
|
.nf
|
|
.ft C
|
|
TIME CPU PID FUNCTION/ARGS
|
|
71827770952903 1 4777 __tcp_transmit_skb(
|
|
sk = *(0xffff9852460a2300)
|
|
(struct sock){
|
|
.__sk_common = (struct sock_common){
|
|
(union){
|
|
.skc_addrpair = (__addrpair)0x61b2af0a35cbfe0a,
|
|
.ft P
|
|
.fi
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
Trace entry/return of tcp_sendmsg, __tcp_transmit_skb and ip_output when
|
|
tcp_sendmsg leads to a call to __tcp_transmit_skb and that in turn
|
|
leads to a call to ip_output; i.e. with a call graph matching the order
|
|
specified. The order does not have to be direct calls, i.e. function A
|
|
can call another function that calls function B.
|
|
.sp
|
|
\fB# ksnoop "ip_send_skb(skb\->len > 100, skb)"\fP
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
.sp
|
|
.nf
|
|
.ft C
|
|
TIME CPU PID FUNCTION/ARGS
|
|
39267395709745 1 2955 ip_send_skb(
|
|
skb\->len =
|
|
(unsigned int)0x89,
|
|
skb = *(0xffff89c8be81e500)
|
|
(struct sk_buff){
|
|
(union){
|
|
.sk = (struct sock *)0xffff89c6c59e5580,
|
|
.ip_defrag_offset = (int)0xc59e5580,
|
|
},
|
|
.ft P
|
|
.fi
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.sp
|
|
Trace ip_send_skb() skbs which have len > 100.
|
|
.SH SEE ALSO
|
|
.INDENT 0.0
|
|
.INDENT 3.5
|
|
\fBbpf\fP(2),
|
|
.UNINDENT
|
|
.UNINDENT
|
|
.\" Generated by docutils manpage writer.
|
|
.
|