search

eBPF

hashtag
Hooks

eXpress Data Path (XDP) - network packet processing

kprobe - syscool processing

tracepoints - A TC program is similar to XDP. The main difference is that it runs a bit later in the networking stack. It also can run on packet ingress and egress. The benefit to running later in the networking stack is that it offers more context around the packet. This allows more data to be gathered about the packet and where it’s headed.

hashtag
vmlinux.h

You can create the vmlinux.h file using the bpftool, which is a necessary utility for eBPF tasks.

bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h

hashtag
tracepoint vs kprobe

To hook into syscall, we need to identify the eBPF hook point. This can be done using a tracepoint (i.e. a predefined event directly in the kernel), or a kprobe (a specific kernel function).

hashtag
Links

LogoIntroduction to eBPFCentre d'expertises en cybersécuritéchevron-right
LogoeBPF program creation in practice – PID concealment (Part 1)Centre d'expertises en cybersécuritéchevron-right
LogoeBPF in practice – PID concealment (Part 2)Centre d'expertises en cybersécuritéchevron-right
PreviousLinuxNextGitlab

Last updated