jim3ma · December 19, 2022 05:57 · Dec 19, 2022 · Dec 19, 2022
diff --git a/ioctlsnoop.bt b/ioctlsnoop.bt
@@ -5,8 +5,6 @@
  *
  * USAGE: ioctlsnoop.bt
  *
- * This is a bpftrace version of the bcc tool of the same name.
- *
  * Copyright 2022 Jim Ma.
  * Licensed under the Apache License, Version 2.0 (the "License")
  *

diff --git a/ioctlsnoop.bt b/ioctlsnoop.bt
@@ -0,0 +1,66 @@
+#!/usr/bin/env bpftrace
+/*
+ * ioctlsnoop	Trace ioctl() syscalls.
+ *		For Linux, uses bpftrace and eBPF.
+ *
+ * USAGE: ioctlsnoop.bt
+ *
+ * This is a bpftrace version of the bcc tool of the same name.
+ *
+ * Copyright 2022 Jim Ma.
+ * Licensed under the Apache License, Version 2.0 (the "License")
+ *
+ * 18-Dec-2022	Jim Ma	Created this.
+ */
+
+BEGIN
+{
+	printf("Tracing ioctl syscalls... Hit Ctrl-C to end.\n");
+	printf("%-6s %-16s %4s %3s %s %s\n", "PID", "COMM", "FD", "ERR", "CMD", "PATH");
+}
+
+tracepoint:syscalls:sys_enter_open,
+tracepoint:syscalls:sys_enter_openat
+{
+	@filename[tid] = args->filename;
+}
+
+tracepoint:syscalls:sys_exit_open,
+tracepoint:syscalls:sys_exit_openat
+//@filename[tid]
+//@fd2filename[fd]
+{
+	$ret = args->ret;
+	$fd = $ret > 0 ? $ret : -1;
+	@fd2filename[$fd] = @filename[tid];
+	delete(@filename[tid]);
+}
+
+tracepoint:syscalls:sys_enter_ioctl
+{
+        // save args
+	@fds[tid] = args->fd;
+	@cmd[tid] = args->cmd;
+}
+
+tracepoint:syscalls:sys_exit_ioctl
+//@fds[tid]
+//@cmd[tid]
+{
+	$ret = args->ret;
+	$fd = @fds[tid];
+	$errno = $ret > 0 ? 0 : - $ret;
+
+	printf("%-6d %-16s %4d 0x%x %3d %s\n", pid, comm, $fd,
+	    @cmd[tid], $errno, str(@fd2filename[$fd]));
+	delete(@fds[tid]);
+	delete(@cmd[tid]);
+}
+
+END
+{
+	clear(@filename);
+	clear(@fd2filename);
+	clear(@fds);
+	clear(@cmd);
+}
No results found