tools: killsnoop: support target PID filter

Support '-T'/'--tpid' to filter the target PID to avoid message flood, ignore other processes we don't care. Signed-off-by: zhenwei pi <[email protected]>
weibang6liu · Oct 8, 2022 · d5b6d24 · d5b6d24
1 parent cc44177
commit d5b6d24
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 7 deletions.
diff --git a/man/man8/killsnoop.8 b/man/man8/killsnoop.8
@@ -2,7 +2,7 @@
 .SH NAME
 killsnoop \- Trace signals issued by the kill() syscall. Uses Linux eBPF/bcc.
 .SH SYNOPSIS
-.B killsnoop [\-h] [\-x] [-p PID]
+.B killsnoop [\-h] [\-x] [-p PID] [-T PID]
 .SH DESCRIPTION
 killsnoop traces the kill() syscall, to show signals sent via this method. This
 may be useful to troubleshoot failing applications, where an unknown mechanism
@@ -27,7 +27,10 @@ Print usage message.
 Only print failed kill() syscalls.
 .TP
 \-p PID
-Trace this process ID only (filtered in-kernel).
+Trace this process ID only which is the sender of signal (filtered in-kernel).
+.TP
+\-T PID
+Trace this target process ID only which is the receiver of signal (filtered in-kernel).
 .TP
 \-s SIGNAL
 Trace this signal only (filtered in-kernel).
@@ -45,6 +48,10 @@ Trace PID 181 only:
 #
 .B killsnoop \-p 181
 .TP
+Trace target PID 189 only:
+#
+.B killsnoop \-T 189
+.TP
 Trace signal 9 only:
 #
 .B killsnoop \-s 9

diff --git a/tools/killsnoop.py b/tools/killsnoop.py
@@ -4,7 +4,7 @@
 # killsnoop Trace signals issued by the kill() syscall.
 # For Linux, uses BCC, eBPF. Embedded C.
 #
-# USAGE: killsnoop [-h] [-x] [-p PID]
+# USAGE: killsnoop [-h] [-x] [-p PID] [-T PID]
 #
 # Copyright (c) 2015 Brendan Gregg.
 # Licensed under the Apache License, Version 2.0 (the "License")
@@ -23,6 +23,7 @@
  ./killsnoop # trace all kill() signals
  ./killsnoop -x # only show failed kills
  ./killsnoop -p 181 # only trace PID 181
+ ./killsnoop -T 189 # only trace target PID 189
  ./killsnoop -s 9 # only trace signal 9
 """
 parser = argparse.ArgumentParser(
@@ -32,7 +33,9 @@
 parser.add_argument("-x", "--failed", action="store_true",
  help="only show failed kill syscalls")
 parser.add_argument("-p", "--pid",
- help="trace this PID only")
+ help="trace this PID only which is the sender of signal")
+parser.add_argument("-T", "--tpid",
+ help="trace this target PID only which is the receiver of signal")
 parser.add_argument("-s", "--signal",
  help="trace this signal only")
 parser.add_argument("--ebpf", action="store_true",
@@ -69,6 +72,7 @@
  u32 pid = pid_tgid >> 32;
  u32 tid = (u32)pid_tgid;
 
+ TPID_FILTER
  PID_FILTER
  SIGNAL_FILTER
 
@@ -108,16 +112,25 @@
  return 0;
 }
 """
+
+if args.tpid:
+ bpf_text = bpf_text.replace('TPID_FILTER',
+ 'if (tpid != %s) { return 0; }' % args.tpid)
+else:
+ bpf_text = bpf_text.replace('TPID_FILTER', '')
+
 if args.pid:
  bpf_text = bpf_text.replace('PID_FILTER',
  'if (pid != %s) { return 0; }' % args.pid)
 else:
  bpf_text = bpf_text.replace('PID_FILTER', '')
+
 if args.signal:
  bpf_text = bpf_text.replace('SIGNAL_FILTER',
  'if (sig != %s) { return 0; }' % args.signal)
 else:
  bpf_text = bpf_text.replace('SIGNAL_FILTER', '')
+
 if debug or args.ebpf:
  print(bpf_text)
  if args.ebpf:

diff --git a/tools/killsnoop_example.txt b/tools/killsnoop_example.txt
@@ -24,14 +24,17 @@ usage: killsnoop [-h] [-x] [-p PID]
 Trace signals issued by the kill() syscall
 
 optional arguments:
- -h, --help show this help message and exit
- -x, --failed only show failed kill syscalls
- -p PID, --pid PID trace this PID only
+ -h, --help show this help message and exit
+ -x, --failed only show failed kill syscalls
+ -p PID, --pid PID trace this PID only which is the sender of signal
+ -T TPID, --tpid TPID trace this target PID only which is the receiver of
+ signal
  -s SIGNAL, --signal SIGNAL
  trace this signal only
 
 examples:
  ./killsnoop # trace all kill() signals
  ./killsnoop -x # only show failed kills
  ./killsnoop -p 181 # only trace PID 181
+ ./killsnoop -T 189 # only trace target PID 189
  ./killsnoop -s 9 # only trace signal 9