1#!/usr/bin/python 2# 3# strlen_count Trace strlen() and print a frequency count of strings. 4# For Linux, uses BCC, eBPF. Embedded C. 5# 6# Written as a basic example of BCC and uprobes. 7# 8# Also see strlensnoop. 9# 10# Copyright 2016 Netflix, Inc. 11# Licensed under the Apache License, Version 2.0 (the "License") 12 13from __future__ import print_function 14from bcc import BPF 15from time import sleep 16 17# load BPF program 18b = BPF(text=""" 19#include <uapi/linux/ptrace.h> 20 21struct key_t { 22 char c[80]; 23}; 24BPF_HASH(counts, struct key_t); 25 26int count(struct pt_regs *ctx) { 27 if (!PT_REGS_PARM1(ctx)) 28 return 0; 29 30 struct key_t key = {}; 31 u64 zero = 0, *val; 32 33 bpf_probe_read(&key.c, sizeof(key.c), (void *)PT_REGS_PARM1(ctx)); 34 // could also use `counts.increment(key)` 35 val = counts.lookup_or_init(&key, &zero); 36 (*val)++; 37 return 0; 38}; 39""") 40b.attach_uprobe(name="c", sym="strlen", fn_name="count") 41 42# header 43print("Tracing strlen()... Hit Ctrl-C to end.") 44 45# sleep until Ctrl-C 46try: 47 sleep(99999999) 48except KeyboardInterrupt: 49 pass 50 51# print output 52print("%10s %s" % ("COUNT", "STRING")) 53counts = b.get_table("counts") 54for k, v in sorted(counts.items(), key=lambda counts: counts[1].value): 55 print("%10d \"%s\"" % (v.value, k.c.encode('string-escape'))) 56