mirror of
https://github.com/varun-r-mallya/Python-BPF.git
synced 2025-12-31 21:06:25 +00:00
50 lines
1.1 KiB
Python
50 lines
1.1 KiB
Python
from pythonbpf import *
|
|
from pylibbpf import *
|
|
import sys
|
|
from ctypes import c_void_p, c_int64, c_uint64
|
|
|
|
@bpf
|
|
@map
|
|
def last() -> HashMap:
|
|
return HashMap(key=c_uint64, value=c_uint64, max_entries=3)
|
|
|
|
@bpf
|
|
@section("tracepoint/syscalls/sys_enter_clone")
|
|
def do_trace(ctx: c_void_p) -> c_int64:
|
|
key = 0
|
|
tsp = last().lookup(key)
|
|
if tsp:
|
|
kt = ktime()
|
|
delta = (kt - tsp)
|
|
if delta < 1000000000:
|
|
time_ms = (delta // 1000000)
|
|
print(f"Clone syscall entered within last second, last {time_ms} ms ago")
|
|
last().delete(key)
|
|
else:
|
|
kt = ktime()
|
|
last().update(key, kt)
|
|
return c_int64(0)
|
|
|
|
@bpf
|
|
@bpfglobal
|
|
def LICENSE() -> str:
|
|
return "GPL"
|
|
|
|
b = BPF()
|
|
# autoattaches tracepoints
|
|
b.load_and_attach()
|
|
|
|
def main():
|
|
try:
|
|
with open("/sys/kernel/debug/tracing/trace_pipe", "r") as f:
|
|
for line in f:
|
|
sys.stdout.write(line)
|
|
sys.stdout.flush()
|
|
except KeyboardInterrupt:
|
|
pass
|
|
except PermissionError:
|
|
sys.stderr.write("Need root privileges to read trace_pipe\n")
|
|
|
|
if __name__ == "__main__":
|
|
main()
|