Hi, I'm trying to access the packet content in tcp_transmit_skb using eBPF/BCC. I definedĀ kprobe____tcp_transmit_skb/kretprobe____tcp_transmit_skb functions. Since in kretprobe we cannot access the function arguments (I'm not sure), I stored skb(struct sk_buff *) in kprobe____tcp_transmit_skb by using the pid as the key.
u64 pid = bpf_get_current_pid_tgid(); curr_skb.update(&pid, &skb); However, the issue is that tcp_transmit_skb function can be called multiple times before kretprobe____tcp_transmit_skb is executed with the same pid. So I cannot correctly match between kprobe____tcp_transmit_skb and kretprobe____tcp_transmit_skb functions for the same skb. Is there any good way to match between kprobe and kretprobe for the same function call? Or is there any method that I can access the function arguments in kretprobe? Thanks, Youngbin -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#1592): https://lists.iovisor.org/g/iovisor-dev/message/1592 Mute This Topic: https://lists.iovisor.org/mt/30168470/21656 Group Owner: [email protected] Unsubscribe: https://lists.iovisor.org/g/iovisor-dev/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
