add killsnoop tool

cebe0724 · Brendan Gregg · 4bd1a36f · cebe0724 · cebe0724 · cebe0724
Commit cebe0724 authored Sep 15, 2018 by Brendan Gregg
Showing with 128 additions and 0 deletions

README.md README.md +1 -0

man/man8/killsnoop.8 man/man8/killsnoop.8 +65 -0

tools/killsnoop.bt tools/killsnoop.bt +41 -0

tools/killsnoop_example.txt tools/killsnoop_example.txt +21 -0

No files found.
--- a/README.md
+++ b/README.md
@@ -153,6 +153,7 @@ bpftrace contains various tools, which also serve as examples of programming in
 - tools/[cpuwalk.bt](tools/cpuwalk.bt): Sample which CPUs are executing processes. [Examples](tools/cpuwalk_example.txt).
 - tools/[execsnoop.bt](tools/execsnoop.bt): Trace new processes via exec() syscalls. [Examples](tools/execsnoop_example.txt).
 - tools/[gethostlatency.bt](tools/gethostlatency.bt): Show latency for getaddrinfo/gethostbyname[2] calls. [Examples](tools/gethostlatency_example.txt).
+- tools/[killsnoop.bt](tools/killsnoop.bt): Trace signals issued by the kill() syscall. [Examples](tools/killsnoop_example.txt).
 - tools/[loads.bt](tools/loads.bt): Print load averages. [Examples](tools/loads_example.txt).
 - tools/[pidpersec.bt](tools/pidpersec.bt): Count new procesess (via fork). [Examples](tools/pidpersec_example.txt).
 - tools/[vfscount.bt](tools/vfscount.bt): Count VFS calls. [Examples](tools/vfscount_example.txt).

--- a/man/man8/killsnoop.8
+++ b/man/man8/killsnoop.8
+.TH killsnoop 8  "2018-09-07" "USER COMMANDS"
+.SH NAME
+killsnoop.bt \- Trace signals issued by the kill() syscall. Uses bpftrace/eBPF.
+.SH SYNOPSIS
+.B killsnoop.bt
+.SH DESCRIPTION
+killsnoop traces the kill() syscall, to show signals sent via this method. This
+may be useful to troubleshoot failing applications, where an unknown mechanism
+is sending signals.
+
+This works by tracing the kill() syscall tracepoints.
+
+Since this uses BPF, only the root user can use this tool.
+.SH REQUIREMENTS
+CONFIG_BPF and bpftrace.
+.SH EXAMPLES
+.TP
+Trace all kill() syscalls:
+#
+.B killsnoop.bt
+.SH FIELDS
+.TP
+TIME
+Time of the kill call.
+.TP
+PID
+Source process ID
+.TP
+COMM
+Source process name
+.TP
+SIG
+Signal number. See signal(7).
+.TP
+TPID
+Target process ID
+.TP
+RES
+Result. 0 == success, a negative value (of the error code) for failure.
+.SH OVERHEAD
+This traces the kernel kill function and prints output for each event. As the
+rate of this is generally expected to be low (< 100/s), the overhead is also
+expected to be negligible. If you have an application that is calling a very
+high rate of kill()s for some reason, then test and understand overhead before
+use.
+.SH SOURCE
+This is from bpftrace.
+.IP
+https://github.com/iovisor/bpftrace
+.PP
+Also look in the bpftrace distribution for a companion _examples.txt file containing
+example usage, output, and commentary for this tool.
+
+This is a bpftrace version of the bcc tool of the same name. The bcc tool
+may provide more options and customizations.
+.IP
+https://github.com/iovisor/bcc
+.SH OS
+Linux
+.SH STABILITY
+Unstable - in development.
+.SH AUTHOR
+Brendan Gregg
+.SH SEE ALSO
+opensnoop(8)
--- a/tools/killsnoop.bt
+++ b/tools/killsnoop.bt
+/*
+ * killsnoop	Trace signals issued by the kill() syscall.
+ *		For Linux, uses bpftrace and eBPF.
+ *
+ * USAGE: killsnoop.bt
+ *
+ * Also a basic example of bpftrace.
+ *
+ * This is a bpftrace version of the bcc tool of the same name.
+ *
+ * Copyright 2018 Netflix, Inc.
+ * Licensed under the Apache License, Version 2.0 (the "License")
+ *
+ * 07-Sep-2018	Brendan Gregg	Created this.
+ */
+
+BEGIN
+{
+	printf("Tracing kill() signals... Hit Ctrl-C to end.\n");
+	printf("%-9s %-6s %-16s %-4s %-6s %s\n", "TIME", "PID", "COMM", "SIG",
+	    "TPID", "RESULT");
+}
+
+tracepoint:syscalls:sys_enter_kill
+{
+	$pid = *(ctx + 16);
+	$sig = *(ctx + 24);
+	@tpid[tid] = $pid;
+	@tsig[tid] = $sig;
+}
+
+tracepoint:syscalls:sys_exit_kill
+/@tpid[tid]/
+{
+	$ret = *(ctx + 16);
+	time("%H:%M:%S  ");
+	printf("%-6d %-16s %-4d %-6d %d\n", pid, comm, @tsig[tid], @tpid[tid],
+	    $ret);
+	delete(@tpid[tid]);
+	delete(@tsig[tid]);
+}
--- a/tools/killsnoop_example.txt
+++ b/tools/killsnoop_example.txt
+Demonstrations of killsnoop, the Linux bpftrace/eBPF version.
+
+
+This traces signals sent via the kill() syscall. For example:
+
+# bpftrace killsnoop.bt
+Attaching 3 probes...
+Tracing kill() signals... Hit Ctrl-C to end.
+TIME      PID    COMM             SIG  TPID   RESULT
+00:09:37  22485  bash             2    23856  0
+00:09:40  22485  bash             2    23856  -3
+00:09:31  22485  bash             15   23814  -3
+
+The first line showed a SIGINT (2) sent from PID 22485 (a bash shell) to
+PID 23856. The result, 0, means success. The next line shows the same signal
+sent, which resulted in -3, a failure (likely because the target process
+no longer existed).
+
+
+There is another version of this tool in bcc: https://github.com/iovisor/bcc
+The bcc version provides command line options to customize the output.