I wanted to share an idiom we've used when first developing our eBPF filter:

When we first developed our eBPF filter, we heavily leaned on `bpf_trace_printk` and `/sys/kernel/debug/tracing/trace_pipe` for debugging. With any load on the filter, however, the messages become difficult to parse, as they are interleaved with other executions & the pid in the message may not be enough to discern a single run of the filter.

I found the following macros useful:

    /* Random per-run tag used to correlate the messages of one filter execution. */
    #define REQUEST_ID() bpf_get_prandom_u32()
    /* Prefix every debug message with the run's tag. */
    #define DEBUG(id, x, ...) bpf_debug_printk("[%u]" x, id, ##__VA_ARGS__)

    unsigned long long request_id = REQUEST_ID();
    DEBUG(request_id, "starting filter.\n");

After that you can easily pipe the output of trace_pipe through grep.

Cheers,
Farid Zakaria
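Going one step beyond grep, the sketch below (an added example, not code from the original post) splits a saved trace_pipe capture into one group per request ID and flags IDs whose start message appears twice, which is what a collision of the 32-bit random tag looks like. The sample lines, the `verdict=` messages and all function names are constructed for illustration; the line layout assumed is the usual `task-pid [cpu] flags timestamp: bpf_trace_printk: message`.

```python
import re
import sys
from collections import OrderedDict

# "[<id>]" as emitted by DEBUG(), directly after the timestamp field and the
# optional "bpf_trace_printk: " (or similar) field. The CPU column "[002]"
# is not preceded by "<timestamp>: ", so it never matches.
TAG = re.compile(r"(?P<ts>\d+\.\d+): (?:\S+: )?\[(?P<id>\d+)\](?P<msg>.*)$")

# Constructed sample: two filter runs in softirq context, both attributed to
# <idle>-0 on different CPUs, so the pid cannot tell them apart.
SAMPLE = """\
  <idle>-0  [002] ..s1  1712.000101: bpf_trace_printk: [305419896]starting filter.
  <idle>-0  [003] ..s1  1712.000102: bpf_trace_printk: [2596069104]starting filter.
  <idle>-0  [003] ..s1  1712.000107: bpf_trace_printk: [2596069104]verdict=drop
  <idle>-0  [002] ..s1  1712.000110: bpf_trace_printk: [305419896]verdict=pass
""".splitlines()


def group_by_request(lines):
    """Return {request_id: [(timestamp, message), ...]} in first-seen order."""
    runs = OrderedDict()
    for line in lines:
        m = TAG.search(line.rstrip("\n"))
        if m is None:
            continue  # line was not produced through DEBUG()
        entry = (float(m.group("ts")), m.group("msg").strip())
        runs.setdefault(int(m.group("id")), []).append(entry)
    return runs


def suspected_collisions(runs, start_marker="starting filter."):
    """IDs whose start message occurs more than once: two runs drew the same tag."""
    return [rid for rid, msgs in runs.items()
            if sum(1 for _, text in msgs if text == start_marker) > 1]


if __name__ == "__main__":
    # Usage: python3 demux.py < saved_trace.txt   (falls back to SAMPLE on a tty)
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    grouped = group_by_request(source)
    for rid, msgs in grouped.items():
        print(f"request {rid}")
        for ts, text in msgs:
            print(f"  {ts:.6f}  {text}")
    for rid in suspected_collisions(grouped):
        print(f"warning: request id {rid} appears to be reused", file=sys.stderr)
```
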