fche changed the topic of #systemtap to: http://sourceware.org/systemtap; email systemtap@sourceware.org if answers here not timely, conversations may be logged
irker418 has joined #systemtap
<irker418> systemtap: scox systemtap.git:refs/heads/scox/https * release-3.2-103-g11cfa17 / systemtap.spec: Add undefine __brp_mangle_shebangs http://tinyurl.com/ycjyk55p
<irker418> systemtap: scox systemtap.git:refs/heads/scox/https * release-3.2-106-g913080c / : Merge branch 'master' of ssh://sourceware.org/git/systemtap http://tinyurl.com/y8o53at8
<irker418> systemtap: scox systemtap.git:refs/heads/scox/https * release-3.2-160-gc9bce69 / : Merge branch 'master' of ssh://sourceware.org/git/systemtap http://tinyurl.com/yaqokeur
introom has joined #systemtap
<introom> hi. how to show all the kernel fucnitons invoked by a syscall ?
<irker418> systemtap: scox systemtap.git:refs/heads/scox/https * release-3.2-161-g3796558 / : Add preliminary https support http://tinyurl.com/y7zm6sfn
irker418 has quit [Quit: transmission timeout]
eklitzke has quit [Quit: bye]
eklitzke has joined #systemtap
eklitzke has quit [Client Quit]
eklitzke has joined #systemtap
scox has quit [Ping timeout: 240 seconds]
sanoj has joined #systemtap
orivej has joined #systemtap
orivej has quit [Ping timeout: 276 seconds]
sanoj has quit [Ping timeout: 256 seconds]
sanoj has joined #systemtap
sanoj has quit [Ping timeout: 268 seconds]
orivej has joined #systemtap
hpt has joined #systemtap
hpt has quit [Ping timeout: 256 seconds]
mjw has joined #systemtap
mjw has quit [Quit: Leaving]
orivej has quit [Ping timeout: 264 seconds]
hpt has joined #systemtap
sanoj has joined #systemtap
sanoj has quit [Ping timeout: 276 seconds]
orivej has joined #systemtap
orivej has quit [Ping timeout: 240 seconds]
hpt has quit [Ping timeout: 256 seconds]
sanoj has joined #systemtap
orivej has joined #systemtap
sanoj has quit [Ping timeout: 260 seconds]
ciupicri has joined #systemtap
<ciupicri> can systemtap be used to trace what iptables is doing and how long it takes?
<fche> hi ciupicri
<fche> a couple of possibilities
<fche> first, stap can itself hook into the netfilter processing chain, and be as though it were an iptables-like module, and can observe traffic before or after the other modules
<fche> second, stap could probe iptable module internals, monitor their function calls, that sort of thing
pviktori has quit [Quit: No Ping reply in 180 seconds.]
pviktori has joined #systemtap
<ciupicri> how would I know what function to trace? I mean what function are in iptables?
<fche> you'd need to figure that out to some extent, probably by looking at the kernel sources
<fche> I assume if you want to know module internals, you have looked at them in source form :)
<fche> so those functions, whatever you saw, can probably be traced reasonably easily
<ciupicri> that's the thing, I haven't looked at the source code :-) I'm talking a black box route from the outside instead of going from the inside
<fche> need to peel at least one layer of the onion, at a time, to do that efficiently
<ciupicri> :-)
<fche> so something like stap -L 'module("ipt*").function("*").call' or nf_* or nft*
<ciupicri> it shows me some functions alright
<fche> right, so those same wildcards can be fed to parametrized scripts like para-callgraph.stp
<ciupicri> what's strange is that I see iptable_nat, iptable_mangle, iptable_raw etc, but not filter
orivej has quit [Ping timeout: 256 seconds]
<ciupicri> fche: is the sample program from https://sourceware.org/systemtap/SystemTap_Beginners_Guide/paracallgraph.html still valid? I'm getting "WARNING: function files_maxfiles_init is in blacklisted section: keyword at /opt/exp/para-callgraph.stp:22:1 source: probe $1.call { trace(1, $$parms) } "
hpt has joined #systemtap
<fche> that's okay
<fche> the kernel prohibits us from probing parts of itself
<ciupicri> so what should I do?
<fche> ignore that warning, that's why it's only a warning :)
<fche> did you get any useful info so far?
<ciupicri> no
<ciupicri> it gets stuck at a warning
<ciupicri> never mind
<fche> I bet it's not stuck, it's running, just hasn't had to print anything
<ciupicri> I had to be more patient
<ciupicri> stap -L 'module("*").function("*").call' should give me a list of all the function right? Because I don't see ip_packet_match ( https://github.com/torvalds/linux/blob/master/net/ipv4/netfilter/ip_tables.c#L47 )
<ciupicri> my kernel is 4.15.13-300.fc27.x86_64
<fche> functions -within modules-. Anything compiled into the core kernel would show up as kernel.function("*").call (not-inlined)
<ciupicri> CONFIG_NETFILTER=y, CONFIG_NETFILTER_ADVANCED=y so it looks like they're in the core indeed
<ciupicri> I've found this: kernel.function("ip_packet_match@net/ipv4/netfilter/ip_tables.c:47") , but running para-callgraph.stp 'kernel.function("ip_packet_match@net/ipv4/netfilter/ip_tables.c")' fails with "semantic error: while resolving probe point: identifier 'kernel' at"
<fche> the rest of the message probably helps explain
<fche> here it says ... "WARNING: cannot probe .return of 1 inlined functions ip_packet_match"
<ciupicri> I see it too
<ciupicri> so I have to find another function that isn't inlined
<fche> yeah. or not use para-callgraph
<fche> if you just probe kernel.function("ip_packet_match") { println($$parms) } you should get something for inlined fns too
<ciupicri> you mean it's possible to analyze even inlined functions?
<fche> yes, and statements within them
<ciupicri> ip=0xffff951ea88c404e ip=0xffff951ea88c404e ip=0xffff951ea88c404e isfrag=0x0 ... I'm seeing ip multiple times because stap is smart enough to figure out the length of the ip array and print all of it?
<fche> nope, I suspect it's an inlining artifact :)
<fche> if you want it pretty-printed, try println($ip$)
<ciupicri> thanks. It doesn't look bad.