Using eBPF to record your programs' dying breaths| Discover the Performance Engineer in you. | Polar Signals
An XDP exercise program: acting as the TCP server side, it uses XDP to make every TCP port accept a TCP connection. (It only gets the connection established; it cannot carry any TCP data afterwards, so it has no practical use and is purely for fun.)| www.kawabangga.com
Interactive list of eBPF research papers from top conferences according to CSRankings. The list can be filtered by type of publication (e.g., improving, using) and by area (e.g., networking, verifier, offload, security).| pchaigno
I feel the need, the need for speed.| Más Bandwidth
In the conclusions to my last post, “Modifying System Call Arguments With ptrace”, I mentioned that one of the main drawbacks of the explained approach for modifying system call arguments was that there is a process switch for each system call performed by the tracee. I also suggested a possible approach to overcome that issue … (from “Filter and Modify System Calls with seccomp and ptrace”)| Alfonso Sánchez-Beato's blog
Is it even possible? Turns out it's a lot closer than you may think.| Más Bandwidth
Learn how you can use XDP/eBPF to get maximum bandwidth for your applications.| Más Bandwidth
One of my first contributions to the eBPF ecosystem was to list the available resources about eBPF, to help people get started with the topic (and, let’s be honest, so I could remember where to find these resources myself when I needed them). Since then, eBPF has gained in notoriety, and we now have many more available resources, from books to tutorials, a variety of blog posts, better kernel documentation, and a lot more. The website https://ebpf.io is an excellent starting point to learn ...| Whirl Offload
At last, bpftool has a logo! But finding the right one was a long process. I have thought about a logo for bpftool for a while. Something that would accurately represent the tool, and its relationship with BPF objects. I’m decently creative, and I don’t lack ideas; I’ve just been struggling to find the idea, the one that passes the bar that I mentally set. And I know how to fiddle with Inkscape, but I’ve got ...| Whirl Offload
This post was left aside as a draft for a long time. Most of it was written in August 2022, but it should still be accurate as of its publication. Networking eBPF programs take a pointer ctx to a struct __sk_buff (or a struct xdp_md) as their only argument. This struct is a lighter version of the socket buffer, SKB (or an XDP equivalent), that contains some metadata about the packet to process. In particular, it contains 32-bit unsigned integers (__u32), ctx->data and ctx->data_end, poin...| Whirl Offload
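The kawabangga exercise (every port answering a SYN with a SYN-ACK) and the ctx->data / ctx->data_end description above come down to the same pattern: parse headers without ever touching a byte the verifier cannot prove lies inside [data, data_end). The program below is an added example written for this page, not code from either post. It is plain portable C over a constructed 54-byte frame, so it compiles and runs without a kernel, libbpf or <linux/*.h>; the ACT_PASS / ACT_TX stand-ins, the header offsets, the fixed server ISN and the sample packet are assumptions made for the demo.

```c
/* Added example, not code from either linked post: XDP-style bounds checking
 * applied to the "answer any SYN on any port with a SYN-ACK" trick, in plain C
 * over a constructed frame. Offsets, action codes, the constant ISN and the
 * sample packet are assumptions for the demo, not kernel definitions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { ACT_PASS = 0, ACT_TX = 1 };               /* stand-ins for XDP_PASS / XDP_TX */
enum { ETH_HLEN = 14, IP_HLEN = 20, TCP_HLEN = 20, ETH_P_IP = 0x0800, PROTO_TCP = 6 };
enum { TCP_SYN = 0x02, TCP_RST = 0x04, TCP_ACK = 0x10 };
#define SERVER_ISN 0x1badb002u                  /* assumed constant ISN: demo only */

static uint16_t load_be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t load_be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void store_be16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void store_be32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* Internet checksum (RFC 1071) helpers; a real XDP program would use bpf_csum_diff(). */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t n) {
    for (; n > 1; n -= 2, p += 2) sum += load_be16(p);
    if (n) sum += (uint32_t)p[0] << 8;
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Both return 0 when run over a header whose checksum field is already correct. */
static uint16_t ip_checksum(const uint8_t *ip) { return csum_fold(csum_add(0, ip, IP_HLEN)); }
static uint16_t tcp_checksum(const uint8_t *ip, const uint8_t *tcp, uint16_t tcp_len) {
    uint8_t pseudo[12];                          /* saddr, daddr, zero, proto, TCP length */
    memcpy(pseudo, ip + 12, 8);
    pseudo[8] = 0; pseudo[9] = PROTO_TCP;
    store_be16(pseudo + 10, tcp_len);
    return csum_fold(csum_add(csum_add(0, pseudo, 12), tcp, tcp_len));
}

/* The XDP-style body: [data, data_end) is the packet; each header is compared
 * against data_end before any of its bytes are read or written. */
int xdp_synack_reflect(uint8_t *data, uint8_t *data_end)
{
    uint8_t *eth = data;
    if (eth + ETH_HLEN > data_end) return ACT_PASS;
    if (load_be16(eth + 12) != ETH_P_IP) return ACT_PASS;

    uint8_t *ip = eth + ETH_HLEN;
    if (ip + IP_HLEN > data_end) return ACT_PASS;
    if (ip[0] != 0x45 || ip[9] != PROTO_TCP) return ACT_PASS;   /* IPv4 without options, TCP */
    uint16_t tot_len = load_be16(ip + 2);
    if (tot_len < IP_HLEN + TCP_HLEN || ip + tot_len > data_end) return ACT_PASS;

    uint8_t *tcp = ip + IP_HLEN;                 /* tcp + TCP_HLEN <= data_end by the check above */
    if ((tcp[13] & (TCP_SYN | TCP_ACK | TCP_RST)) != TCP_SYN) return ACT_PASS;  /* bare SYN only */

    uint8_t mac[6];                              /* reflect L2: frame goes back out the same port */
    memcpy(mac, eth, 6); memcpy(eth, eth + 6, 6); memcpy(eth + 6, mac, 6);
    uint32_t saddr = load_be32(ip + 12), daddr = load_be32(ip + 16);   /* reflect L3 */
    store_be32(ip + 12, daddr); store_be32(ip + 16, saddr);
    /* Swapping two 32-bit words leaves the ones'-complement sum unchanged, so the IP
     * checksum stays valid; a program that also reset the TTL would have to fix it up. */
    uint16_t sport = load_be16(tcp), dport = load_be16(tcp + 2);       /* reflect L4 */
    store_be16(tcp, dport); store_be16(tcp + 2, sport);
    store_be32(tcp + 8, load_be32(tcp + 4) + 1); /* ack = client ISN + 1 */
    store_be32(tcp + 4, SERVER_ISN);
    tcp[13] = TCP_SYN | TCP_ACK;
    uint16_t tcp_len = tot_len - IP_HLEN;        /* any options the client sent are echoed as-is */
    store_be16(tcp + 16, 0);
    store_be16(tcp + 16, tcp_checksum(ip, tcp, tcp_len));
    return ACT_TX;
}

/* Constructed sample: a 54-byte SYN from 10.0.0.1:40000 to 10.0.0.2:443, no options. */
static size_t build_syn(uint8_t *f)
{
    static const uint8_t client_mac[6] = {2,0,0,0,0,1}, server_mac[6] = {2,0,0,0,0,2};
    memset(f, 0, 54);
    memcpy(f, server_mac, 6); memcpy(f + 6, client_mac, 6); store_be16(f + 12, ETH_P_IP);
    uint8_t *ip = f + ETH_HLEN, *tcp = ip + IP_HLEN;
    ip[0] = 0x45; store_be16(ip + 2, 40); store_be16(ip + 4, 0x1234); store_be16(ip + 6, 0x4000);
    ip[8] = 64; ip[9] = PROTO_TCP;
    store_be32(ip + 12, 0x0a000001); store_be32(ip + 16, 0x0a000002);
    store_be16(ip + 10, ip_checksum(ip));
    store_be16(tcp, 40000); store_be16(tcp + 2, 443); store_be32(tcp + 4, 1000);
    tcp[12] = 5 << 4; tcp[13] = TCP_SYN; store_be16(tcp + 14, 65535);
    store_be16(tcp + 16, tcp_checksum(ip, tcp, TCP_HLEN));
    return 54;
}

/* Runs the reflector on the sample SYN; returns 0 if the result is a well-formed
 * SYN-ACK back to the client, otherwise the number of the first check that failed. */
int demo_synack(void)
{
    uint8_t f[54]; size_t n = build_syn(f);
    uint8_t *ip = f + ETH_HLEN, *tcp = ip + IP_HLEN;
    if (xdp_synack_reflect(f, f + n) != ACT_TX) return 1;
    if (f[5] != 1 || f[11] != 2) return 2;       /* destination is now the client MAC */
    if (load_be32(ip + 12) != 0x0a000002 || load_be32(ip + 16) != 0x0a000001) return 3;
    if (ip_checksum(ip) != 0) return 4;
    if (load_be16(tcp) != 443 || load_be16(tcp + 2) != 40000) return 5;
    if (tcp[13] != (TCP_SYN | TCP_ACK) || load_be32(tcp + 8) != 1001) return 6;
    if (tcp_checksum(ip, tcp, TCP_HLEN) != 0) return 7;
    return 0;
}
/* Anything that is not a bare SYN, or is shorter than its headers claim, goes to the stack. */
int demo_non_syn(void) { uint8_t f[54]; build_syn(f); f[ETH_HLEN + IP_HLEN + 13] = TCP_ACK; return xdp_synack_reflect(f, f + 54); }
int demo_truncated(void) { uint8_t f[54]; build_syn(f); return xdp_synack_reflect(f, f + 40); }
```

In a real XDP program the same comparisons are written against ctx->data and ctx->data_end after casting the two __u32 values to pointers, the checksum is updated with bpf_csum_diff(), and the return values are XDP_PASS and XDP_TX; XDP_TX sends the frame back out the interface it arrived on, which is why the MAC addresses are swapped too. Nothing here keeps connection state, so, exactly as the kawabangga post says, the handshake completes and nothing else works.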
This article was initially published in June 2021 on LWN.net. Extended BPF (eBPF), the general-purpose execution engine inside of the Linux kernel, has proved helpful for tracing and monitoring the system, for processing network packets, or generally for extending the behavior of the kernel. So helpful, in fact, that developers working on other operating systems have been watchi...| Whirl Offload
This explanation of the eBPF program size limit was initially published in February 2021 by the Cilium community as part of the eBPF Updates #4 on ebpf.io. Do you know what the maximum size of an eBPF program is? You may have heard of programs limited to 4k instructions, but that changed some time ago. One particularity of eBPF programs, enforced at load time by the kernel verifier, is that they must run and eventually terminate within a relatively short time. Allowing for long runs would sl...| Whirl Offload
This brief description of the eBPF virtual filesystem was initially published in January 2021 by the Cilium community as part of the eBPF Updates #3 on ebpf.io. eBPF objects, such as a program or a map, reside in kernel memory until they are no longer needed. Internally, the kernel uses reference counters to keep track of the number of “handles” pointing to such objects. When the number of references comes down to zero, the program or the map is destroyed. The references to a program woul...| Whirl Offload
This brief description of CO-RE was initially published in December 2020 by the Cilium community as part of the eBPF Updates #2 on ebpf.io. CO-RE (Compile Once, Run Everywhere) is a mechanism used with eBPF to ensure portability of the programs, mainly those intended for tracing. It addresses the issue that arises when a given structure is modified between two kernel versions. Tracing programs may attempt to access a field from a given structure by reading at a specific offset in that structu...| Whirl Offload
“Hi, I have the pleasure to announce the availability of a mirror for bpftool on GitHub, at the following URL: https://github.com/libbpf/bpftool This mirror is similar in spirit to the one for libbpf, and its creation was led by the following motivations. The first goal is to provide a simpler way to build bpftool. So far, building a binary would require downloading the entire kernel repository. By contrast, the code in the GitHub mirror is mostly self-sufficient (it still requires libelf ...| Whirl Offload
Working with eBPF? Discover how bpftool can help you load, inspect, update your eBPF programs, maps, and more.| qmonnet.github.io
By default, Zeek is configured to capture all the network traffic, both IP and Non-IP...| #Threat Hunting Tails
Most software writes to disk at some point but in some cases nothing cleans up the stale data that won’t ever be read again. Engineers working with large scale infrastructure might be familiar with the situation where an engineer, by pure chance, finds out they had several petabytes of old logs that were not deleted.| Javier Honduvilla Coto
Modern systems are complicated beasts with lots of interdependent activities between threads, programs and kernels. Figuring out some problems is nearly impossible without building some time machin…| domas mituzas
The problem.| Josef Bacik’s Blog