
I'm working on some eBPF and Redis-related tasks. However, I've run into some difficulties. When I attach a uprobe to the processCommand function in Redis, I want to retrieve some values from the parameters of the processCommand function. This parameter is a pointer to a structure (client* c) that contains many fields. I'm only interested in certain fields from this structure.

Is there a way in an eBPF program to retrieve just a specific field's value from the structure without copying the entire client structure definition from Redis? The client structure also includes other structures, and copying its definition seems very complicated.

  • Yes, you would have to know the offset of the field, or better yet copy the struct declaration into eBPF. You can manipulate the pointer before you read from user memory. bpf_probe_read_user(&val, sizeof(val), &c->some.field) Commented Sep 3, 2024 at 7:48
  • @DylanReimerink I'd upvote if you made this comment into a proper answer :) Commented Sep 3, 2024 at 9:52
  • I will do it properly :) Commented Sep 3, 2024 at 12:49

1 Answer


> Is there a way in an eBPF program to retrieve just a specific field's value from the structure without copying the entire client structure definition from Redis?

Yes, you would have to know the offset of the field, or better yet copy the struct declaration into eBPF. You can manipulate the pointer before you read from user memory.

    bpf_probe_read_user(&val, sizeof(val), &c->some.field);

> The client structure also includes other structures, and copying its definition seems very complicated.

While complex, it is likely the best way to go. Like I mentioned, if you know the offset of the data into the structure you can also make it work.

    bpf_probe_read_user(&val, sizeof(val), ((void *) c) + 123);

But now you are doing the work that a compiler would normally do for you; figuring out that offset requires you to know how the compiler would lay out the struct in memory.


1 Comment

Thanks for your answer, it solved my problem
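
The trade-off in the answer (a raw offset versus a struct declaration), as an added example that is not part of the original post and not Redis code. It is plain userspace C: `struct demo_client` is a constructed stand-in for a large target struct, `probe_read` stands in for `bpf_probe_read_user`, and all other names are hypothetical. It shows why summing member sizes gives the wrong offset, and how a padded partial mirror reads one field without the full definition.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a large target struct; NOT Redis's real client. */
struct conn_info { uint32_t fd; uint16_t port; };
struct demo_client {
    uint64_t id;
    char     flag;            /* 1 byte; the compiler pads after it */
    struct conn_info conn;    /* nested struct, 4-byte aligned */
    uint64_t name_ptr;
    int32_t  db_id;           /* the one field the probe wants */
};

/* Offset as the compiler lays it out (what debug info would report). */
#define DB_ID_OFFSET offsetof(struct demo_client, db_id)
/* Wrong guess: the sum of the preceding member sizes ignores padding. */
#define NAIVE_OFFSET (8 + 1 + 4 + 2 + 8)

/* Partial mirror for the probe side: padding up to the field, nothing else. */
struct client_view {
    char    _pad[DB_ID_OFFSET];
    int32_t db_id;
};
_Static_assert(offsetof(struct client_view, db_id) == DB_ID_OFFSET, "layout drift");

/* Stand-in for bpf_probe_read_user(dst, size, src). */
static int probe_read(void *dst, size_t size, const void *src) {
    memcpy(dst, src, size);
    return 0;
}
/* Read db_id by raw offset, as in ((void *) c) + offset. */
static int32_t read_db_id_by_offset(const void *c) {
    int32_t val = 0;
    probe_read(&val, sizeof(val), (const char *)c + DB_ID_OFFSET);
    return val;
}
/* Read db_id through the mirror, letting the compiler do the arithmetic. */
static int32_t read_db_id_by_view(const void *c) {
    int32_t val = 0;
    probe_read(&val, sizeof(val), &((const struct client_view *)c)->db_id);
    return val;
}
/* Constructed sample instance. */
static const struct demo_client SAMPLE = { 1, 'x', { 3, 6379 }, 0, 7 };
int main(void) {
    return (read_db_id_by_offset(&SAMPLE) == 7 && read_db_id_by_view(&SAMPLE) == 7) ? 0 : 1;
}
```

For a real binary the offset has to come from that build's debug info, for example `pahole -C client` or gdb's `ptype /o struct client`, and it can change between versions and compiler options.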
