1Demonstrations of bpflist.
2
3
4bpflist displays information on running BPF programs and optionally also
5prints open kprobes and uprobes. It is used to understand which BPF programs
6are currently running on the system. For example:
7
8# bpflist
9PID    COMM             TYPE     COUNT
104058   fileslower       prog     4
114058   fileslower       map      2
124106   bashreadline     map      1
134106   bashreadline     prog     1
14
15From the output above, the fileslower and bashreadline tools are running.
16fileslower has installed 4 BPF programs (functions) and has opened 2 BPF maps
17(such as hashes, histograms, stack trace tables, and so on).
18
19In verbose mode, bpflist also counts the number of kprobes and uprobes opened
20by the process. This information is obtained heuristically: bcc-based tools
21include the process id in the name of the probe. For example:
22
23# bpflist -v
24PID    COMM             TYPE     COUNT
254058   fileslower       prog     4
264058   fileslower       kprobe   4
274058   fileslower       map      2
284106   bashreadline     uprobe   1
294106   bashreadline     prog     1
304106   bashreadline     map      1
31
32In double-verbose mode, the probe definitions are also displayed:
33
34# bpflist -vv
35open kprobes:
36p:kprobes/p___vfs_read_bcc_4058 __vfs_read
37r:kprobes/r___vfs_read_bcc_4058 __vfs_read
38p:kprobes/p___vfs_write_bcc_4058 __vfs_write
39r:kprobes/r___vfs_write_bcc_4058 __vfs_write
40
41open uprobes:
42r:uprobes/r__bin_bash_0xa4dd0_bcc_4106 /bin/bash:0x00000000000a4dd0
43
44PID    COMM             TYPE     COUNT
454058   fileslower       prog     4
464058   fileslower       kprobe   4
474058   fileslower       map      2
484106   bashreadline     uprobe   1
494106   bashreadline     prog     1
504106   bashreadline     map      1
51
52
53USAGE:
54# bpflist -h
55usage: bpflist.py [-h] [-v]
56
57Display processes currently using BPF programs and maps
58
59optional arguments:
60  -h, --help       show this help message and exit
61  -v, --verbosity  count and display kprobes/uprobes as well
62
63examples:
64    bpflist     # display all processes currently using BPF
65    bpflist -v  # also count kprobes/uprobes
66    bpflist -vv # display kprobes/uprobes and count them
67