You can get the latest bpf following bpftrace/INSTALL.md at master · iovisor/bpftrace · GitHub
<https://github.com/iovisor/bpftrace/blob/master/INSTALL.md>

Specifically the docker portion is easier to follow. After I did that I get:

sean@ubuntu:/tmp$ ~/output/bpftrace -V
bpftrace v0.13.0

Copying bpftrace binary from docker

As docker builds produce a bpftrace binary on every push to master, they also allow for a convenient way to distribute bpftrace binaries. The only software requirement to run bpftrace is a version of glibc that is the same or newer as what it was built at. For this reason, an older glibc - 2.23 is provided for all builds, it can be pulled with:

docker pull quay.io/iovisor/bpftrace:master-vanilla_llvm_clang_glibc2.23

To copy the binary out of bpftrace in the current directory:

$ docker run -v $(pwd):/output quay.io/iovisor/bpftrace:master-vanilla_llvm_clang_glibc2.23 \
    /bin/bash -c "cp /usr/bin/bpftrace /output"
$ ./bpftrace -V
v0.9.4

bpftrace currently links to glibc 2.27 from Ubuntu Bionic by default, though this should be portable to any glibc-based OS, such as Fedora, Chromium OS, etc.

On Sun, Oct 9, 2022 at 2:21 AM ^..^ <[email protected]> wrote:

> If it only worked.
>
> *27.9-425: syntax error, unexpected struct*
>
> I can't tell you what version of bpftrace it was, since there's no option
> to print out the version (simply tried using the package manager under
> "Debian GNU/Linux 10 (buster)".)
>
> I hope this won't turn out to be another Dtrace mess with it unable to
> keep up with OS revisions (both OS & Dtrace almost inevitably undocumented
> unless you want to read kernel source trees.)
>
> There's no documentation on UDP, ICMP, or anything but some minor TCP
> examples -
>
> https://github.com/iovisor/bpftrace/blob/master/docs/reference_guide.md
>
> If there is a better place to look I'd love to see it. Also none of the *.bt
> programs directly reference UDP/ICMP/whatever.
>
> But that said - 2000% better than it was - I've tried installing bpftrace
> prior to your note, it was a nightmare. Using "apt" (whatever pkg manager)
> is a wonderful step up.
>
> Having a working dtrace/bpftrace/WTFtrace that has such capabilities on
> general (linux or other) systems would be truly great.
>
> Having something I can write a tool with and have it work the following
> year isn't a dream, but a necessity to use it for anything useful.
>
> dan
>
> On Oct 3, 2022, at 7:10 PM, Sean Liu <[email protected]> wrote:
>
> Actually Brendan already had one written:
>
> https://raw.githubusercontent.com/brendangregg/bpf-perf-tools-book/master/exercises/Ch10_Networking/udplife.bt
> With nslookup google.com, I get:
> Attaching 8 probes...
> PID   COMM       LADDR         LPORT RADDR   RPORT TX_B RX_B MS
> 3823  systemd-re 192.168.10.26 0     8.8.8.8 32927 39   110  27
>
> I am not certain why RPORT is not 53 though.
>
> Sean
>
>
> On Mon, Oct 3, 2022 at 5:06 PM Sean Liu <[email protected]> wrote:
>
>> Well what's hot nowadays in Linux is bpftrace which is built on top of
>> eBPF.
>> You probably can just 'apt install bpftrace' on your ubuntu18.04 which
>> *may* be a bit outdated.
>> Afterwards you can check out existing scripts, for example on my ubt
>> 20.04:
>> sean@ubuntu:/usr/sbin$ ls *bt
>> bashreadline.bt  capable.bt         killsnoop.bt  opensnoop.bt  statsnoop.bt  tcpconnect.bt  threadsnoop.bt
>> biolatency.bt    cpuwalk.bt         loads.bt      pidpersec.bt  swapin.bt     tcpdrop.bt     vfscount.bt
>> biosnoop.bt      dcsnoop.bt         mdflush.bt    runqlat.bt    syncsnoop.bt  tcplife.bt     vfsstat.bt
>> biostacks.bt     execsnoop.bt       naptime.bt    runqlen.bt    syscount.bt   tcpretrans.bt  writeback.bt
>> bitesize.bt      gethostlatency.bt  oomkill.bt    setuids.bt    tcpaccept.bt  tcpsynbl.bt    xfsdist.bt
>>
>> There is some resemblance between bpftrace and dtrace scripts so you
>> might be able to adapt what you need to bpftrace.
>>
>> Good luck,
>>
>> Sean
>>
>> On Mon, Oct 3, 2022 at 4:02 PM ch-and-dtrace.topicbox.com via
>> dtrace-discuss <[email protected]> wrote:
>>
>>> Ok, I found perf (https://www.brendangregg.com/perf.html), and if I
>>> knew what I was doing, I think I'd be able to write a one-liner that did
>>> what I want. That's a big caveat, though.

------------------------------------------
DTrace: dtrace-discuss
Permalink: https://dtrace.topicbox.com/groups/dtrace-discuss/T345746b17158d294-Mc89bc120abbd23f6e6996185
Delivery options: https://dtrace.topicbox.com/groups/dtrace-discuss/subscription
