| KSNOOP(8) | KSNOOP(8) |
KSNOOP - tool for tracing kernel function entry/return showing arguments/return values
OPTIONS := { { -V | --version } | { -h | --help } | { [-P | --pages] nr_pages} | { [-p | --pid] pid} | [{ -s | --stack }] | [{ -d | --debug }] }
COMMAND := { trace | info }
FUNC := { name | name(arg[,**arg]) }
ksnoop requires the kernel to provide BTF for itself, and if tracing of module data is required, module BTF must be present also. Check /sys/kernel/btf to see if BTF is present.
ksnoop requires CAP_BPF and CAP_TRACING capabilities.
# ksnoop info ip_send_skb
int ip_send_skb(struct net * net, struct sk_buff * skb);
Show function description.
# ksnoop trace ip_send_skb
TIME CPU PID FUNCTION/ARGS 78101668506811 1 2813 ip_send_skb(
net = *(0xffffffffb5959840)
(struct net){
.passive = (refcount_t){
.refs = (atomic_t){
.counter = (int)0x2,
},
},
.dev_base_seq = (unsigned int)0x18,
.ifindex = (int)0xf,
.list = (struct list_head){
.next = (struct list_head *)0xffff9895440dc120,
.prev = (struct list_head *)0xffffffffb595a8d0,
},
... 79561322965250 1 2813 ip_send_skb(
return =
(int)0x0
);
Show entry/return for ip_send_skb() with arguments, return values.
# ksnoop trace "ip_send_skb(skb)"
TIME CPU PID FUNCTION/ARGS 78142420834537 1 2813 ip_send_skb(
skb = *(0xffff989750797c00)
(struct sk_buff){
(union){
.sk = (struct sock *)0xffff98966ce19200,
.ip_defrag_offset = (int)0x6ce19200,
},
(union){
(struct){
._skb_refdst = (long unsigned int)0xffff98981dde2d80,
.destructor = (void (*)(struct sk_buff *))0xffffffffb3e1beb0,
},
...
Show entry argument skb.
# ksnoop trace "ip_send_skb(return)"
TIME CPU PID FUNCTION/ARGS 78178228354796 1 2813 ip_send_skb(
return =
(int)0x0
);
Show return value from ip_send_skb().
# ksnoop trace "ip_send_skb(skb->sk)"
TIME CPU PID FUNCTION/ARGS 78207649138829 2 2813 ip_send_skb(
skb->sk = *(0xffff98966ce19200)
(struct sock){
.__sk_common = (struct sock_common){
(union){
.skc_addrpair = (__addrpair)0x1701a8c017d38f8d,
(struct){
.skc_daddr = (__be32)0x17d38f8d,
.skc_rcv_saddr = (__be32)0x1701a8c0,
},
},
...
Trace member information associated with argument. Only one level of membership is supported.
# ksnoop -p 2813 "ip_rcv(dev)"
TIME CPU PID FUNCTION/ARGS 78254803164920 1 2813 ip_rcv(
dev = *(0xffff9895414cb000)
(struct net_device){
.name = (char[16])[
'l',
'o',
],
.name_node = (struct netdev_name_node *)0xffff989541515ec0,
.state = (long unsigned int)0x3,
...
Trace dev argument of ip_rcv(). Specify process id 2813 for events for that process only.
# ksnoop -s tcp_sendmsg __tcp_transmit_skb ip_output
TIME CPU PID FUNCTION/ARGS 71827770952903 1 4777 __tcp_transmit_skb(
sk = *(0xffff9852460a2300)
(struct sock){
.__sk_common = (struct sock_common){
(union){
.skc_addrpair = (__addrpair)0x61b2af0a35cbfe0a,
Trace entry/return of tcp_sendmsg, __tcp_transmit_skb and ip_output when tcp_sendmsg leads to a call to __tcp_transmit_skb and that in turn leads to a call to ip_output; i.e. with a call graph matching the order specified. The order does not have to be direct calls, i.e. function A can call another function that calls function B.
# ksnoop "ip_send_skb(skb->len > 100, skb)"
TIME CPU PID FUNCTION/ARGS 39267395709745 1 2955 ip_send_skb(
skb->len =
(unsigned int)0x89,
skb = *(0xffff89c8be81e500)
(struct sk_buff){
(union){
.sk = (struct sock *)0xffff89c6c59e5580,
.ip_defrag_offset = (int)0xc59e5580,
},
Trace ip_send_skb() skbs which have len > 100.