Examples & Use Cases

Table of Contents

• Examples \& Use Cases
• Table of Contents
• minimal examples
• Tracing the system
  • Tracing userspace functions with uprobe
  • tracing all syscalls with tracepoints
  • bpftrace
  • Use bpftime to trace SPDK
• BPF Features Demos
• GPU/CUDA/ROCm Tracing
• Hotpatching Applications
• Error injections
• XDP in Userspace
• Advanced Examples
  • Attach Implementation
  • Using bpftime as a Library
• Nginx eBPF module
• Use DPDK with userspace eBPF to run XDP seamlessly
• Use the vm only(No runtime, No uprobe) as a library

minimal examples

See example/minimal for basic examples demonstrating core bpftime features:

• uprobe: Basic uprobe example
• syscall: Syscall tracing example
• uprobe-override: Demonstrates using bpf_override_return to change function return values
• usdt_minimal: User Statically Defined Tracing (USDT) example

The bpftime supports the following types of eBPF programs:

• uprobe/uretprobe: trace userspace functions at start or end.
• syscall tracepoints: trace the specific syscall types.
• USDT: trace the userspace functions with USDT.

You may use bpf_override_return to change the control flow of the program.

See documents/available-features.md for more details.

Tracing the system

Tracing userspace functions with uprobe

Attach uprobe, uretprobe or all syscall tracepoints(currently x86 only) eBPF programs to a process or a group of processes

• malloc: count the malloc calls in libc by pid. demonstrate how to use the userspace uprobe with basic hashmap.
• bashreadline: Print entered bash commands from running shells.
• sslsniff: Trace and print all SSL/TLS connections and raw traffic data.
• funclatency: Measure function latency distribution.
• goroutine: Trace Go runtime goroutine operations.

tracing all syscalls with tracepoints

• opensnoop: trace file open or close syscalls in a process. demonstrate how to use the userspace syscall tracepoint with ring buffer output.
• opensnoop_ring_buf: Alternative implementation using ring buffer for output.
• statsnoop: Trace stat() syscalls system-wide.
• syscount: Count system calls by type and process.
• mountsnoop: Trace mount and umount system calls.
• sigsnoop: Trace signals sent to processes.

More bcc/libbpf-tools style examples can be found in example/tracing.

bpftrace

You can also run bpftime with bpftrace, we've test it on this commit.

It should be able to work with the bpftrace from the package manager of your distribution, for example:

sudo apt install bpftrace

Or you can build the latest bpftrace from source.

More details about how to run bpftrace in userspace, can be found in example/tracing/bpftrace.

Use bpftime to trace SPDK

See https://github.com/eunomia-bpf/bpftime/wiki/Benchmark-of-SPDK for how to use bpftime to trace SPDK.

BPF Features Demos

The example/bpf_features directory contains demonstrations of various BPF map types and features:

• bloom_filter_demo: Demonstrates the use of BPF bloom filter maps for efficient set membership testing.
• get_stack_id_example: Shows how to capture and use stack traces with bpf_get_stackid.
• lpm_trie_demo: Demonstrates Longest Prefix Match (LPM) trie maps for IP address matching.
• queue_demo: Examples of using BPF queue and stack maps for FIFO/LIFO data structures.
• tailcall_minimal: Minimal example of BPF tail calls for program chaining.

GPU/CUDA/ROCm Tracing

The example/gpu directory contains examples for tracing GPU kernels:

• cuda-counter: Basic CUDA kernel tracing example
• kernelretsnoop: Per-thread exit timestamp tracer for CUDA kernels
• threadhist: Thread execution count histogram
• launchlate: Kernel launch latency profiler
• mem_trace: Memory access pattern tracing
• directly_run_on_gpu: Run eBPF programs directly on GPU
• rocm-counter: AMD ROCm GPU kernel tracing

Hotpatching Applications

The example/hotpatch directory shows how to dynamically modify application behavior:

• redis: Hotpatch Redis server behavior without modifying source code
• vim: Example of hotpatching Vim editor

Error injections

• error-injection: Inject errors into userspace functions or syscalls to test its error handling capabilities.

XDP in Userspace

• xdp-counter: Example of running XDP programs in userspace for packet processing

Advanced Examples

Attach Implementation

The example/attach_implementation directory contains a complete example of implementing a high-performance nginx request filter using bpftime, including benchmarks comparing different filtering approaches (eBPF, WASM, LuaJIT, RLBox, etc.).

Using bpftime as a Library

• libbpftime_example: Example of using bpftime's shared memory and runtime features as a library

Nginx eBPF module

A nginx eBPF module is implemented with bpftime, which can be used to extend nginx with eBPF programs.

See https://github.com/eunomia-bpf/Nginx-eBPF-module

Use DPDK with userspace eBPF to run XDP seamlessly

See https://github.com/eunomia-bpf/XDP-eBPF-in-DPDK

We can run the same eBPF XDP program in both kernel and userspace, and the userspace eBPF program can be used to run XDP programs seamlessly. Unlike ubpf in DPDK, we don't need to modify the eBPF program, and can support eBPF maps

Use the vm only(No runtime, No uprobe) as a library

The LLVM JIT or AOT can be used as a library, without the runtime and uprobe.

See the examples:

1. Cli: https://github.com/eunomia-bpf/bpftime/tree/master/vm/cli
2. Simple example: https://github.com/eunomia-bpf/bpftime/tree/master/vm/example

Share on Share on