2023-01-23 07:57 UTC+0000 ~ Christophe Leroy <christophe.leroy@xxxxxxxxxx>
>
>
> Le 17/01/2023 à 16:42, Quentin Monnet a écrit :
>>
>> In the meantime, you could disable the use of skeletons in bpftool, by
>> removing "clang-bpf-co-re" from FEATURE_TESTS from the Makefile. You
>> should get a functional binary, which would only miss a few features
>> (namely, printing the pids of programs holding references to BPF
>> programs, and the "bpftool prog profile" command).
>
> Ok, with "clang-bpf-co-re" removed, bpftool doesn't complain.
>
> However, does it work at all ?
Yes it does.
>
> I started a 'tcpdump', I confirmed with ' bpf_jit_enable == 2' that a
> BPF jitted program is created by tcpdump.
>
> 'bptool prog show' and 'bpftool prog list' returns no result.
Bpftool works with eBPF, not with the older "classic" BPF (cBPF) used by
tcpdump. You should see programs listed if you load anything eBPF, for
example by using BCC tools, bpftrace, or load an eBPF program any other
way from user space:
$ echo "int main(void) {return 0;}" | \
clang -O2 -target bpf -c -o foo.o -x c -
# bpftool prog load foo.o /sys/fs/bpf/foo type xdp
# bpftool prog list
# bpftool prog dump jited name main
# rm /sys/fs/bpf/foo
I know tcpdump itself can show the cBPF bytecode for its programs, but I
don't know of another way to dump the JIT-ed image for cBPF programs.
Drgn could probably do it, with kernel debug symbols.
Quentin
