Need help for how to use `edb`
Hi,
I am trying to give a shot for `edb` and this is my test eBPF program, which is a kprobe-type program to trace tcp connections.
I've loaded the eBPF program and set the breakpoint via `edb`, but I don't know how to make it run and hit the breakpoint. You can find the details below:
Could u pls offer more guide to show how to use `edb`?
Sorry for the disappointing result. I really should mention more clearly in the readme that `edb` is still very much a work in progress. At some point I will write a comprehensive guide and a good navigable doc for the commands, at this point the tool is still changing so much that I want to hold off on that.
There are a few reasons why we are not able to debug this program at this point. First, `edb` doesn't actually load your eBPF program into the kernel, it attempts to run it using userspace emulation. Normally when you load a program the kernel invokes it with a number of parameters, `struct sock *sk` and `struct sockaddr *uaddr` in your case. But because we execute the eBPF programs outside of the kernel we have to provide these ourselves. The error you are seeing is because the program attempts to read from the R1 register which in your case doesn't contain a pointer to a context but just the value 0.
Loading a context can be done with the `ctx load {context JSON file}` command. So to run your program you would have to craft a context matching the data structures you are passing in. I have only done this for XDP programs myself up to this point since the `xdp_md` struct is fairly simple https://github.com/dylandreimerink/edb/blob/c3aec6022385d0d4d7f895479ace4148ad11ca38/testdata/ctx.json.
At some point I want to be able to generate these context files by capturing the structures passed to actual loaded programs, but that is still going to be a while.
Secondly, your program puts map definitions in `.maps.print` and `.maps.counter`. The loader only recognizes maps defined in the `.maps` or `maps` ELF sections. Normally the debugger would tell you that your maps would be loaded.
Thirdly, the `BPF_MAP_TYPE_RINGBUF` and `BPF_MAP_TYPE_HASH` map types are not yet supported by the emulator. I am currently working on adding `BPF_MAP_TYPE_HASH` support, but the current master version only supports `BPF_MAP_TYPE_ARRAY` maps. Over time the emulator will be made more capable, but until then, not all eBPF features can be used.
Fourth, you are using a number of helper functions which have not yet been added to the emulator, same as with point three. We first have to expand the capabilities of the emulator before we can debug programs using these features.
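
The section-name point in the reply above can be checked on a compiled object before opening it in `edb`. The following is an added example, not part of the reply or of `edb` itself: it reads the ELF64 section header table and separates map sections named `.maps` or `maps` from `.maps.*` ones. The function names, the `.maps.*` prefix rule and the sample object are constructed for illustration.

```python
import struct

RECOGNIZED = {".maps", "maps"}  # map sections the loader accepts, per the reply above

def section_names(elf):
    """Return all section names of a little-endian ELF64 image, in header order."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 object")
    (shoff,) = struct.unpack_from("<Q", elf, 0x28)            # e_shoff
    entsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)

    def header(i):  # -> (sh_name, sh_offset, sh_size)
        base = shoff + i * entsize
        (name,) = struct.unpack_from("<I", elf, base)
        off, size = struct.unpack_from("<QQ", elf, base + 0x18)
        return name, off, size

    _, str_off, str_size = header(shstrndx)
    strtab = elf[str_off:str_off + str_size]
    return [strtab[n:strtab.index(b"\0", n)].decode()
            for n in (header(i)[0] for i in range(shnum))]

def audit_map_sections(elf):
    """Return (recognized, skipped) map sections. Treating every '.maps.*'
    section as a map section is an assumption made for this example."""
    names = section_names(elf)
    return ([n for n in names if n in RECOGNIZED],
            [n for n in names if n.startswith(".maps.")])

def build_sample(names):
    """Constructed input: a minimal ELF64 object with empty sections `names`."""
    names = [""] + list(names) + [".shstrtab"]
    strtab, offs = b"", []
    for n in names:
        offs.append(len(strtab))
        strtab += n.encode() + b"\0"
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 1, 247, 1, 0, 0, 64 + len(strtab), 0,
        64, 0, 0, 64, len(names), len(names) - 1)
    shdrs = b""
    for i, o in enumerate(offs):
        last = i == len(offs) - 1
        sh_type = 3 if last else (1 if i else 0)   # STRTAB / PROGBITS / NULL
        shdrs += struct.pack("<IIQQQQIIQQ", o, sh_type, 0, 0, 64,
                             len(strtab) if last else 0, 0, 0, 1, 0)
    return ehdr + strtab + shdrs

if __name__ == "__main__":
    sample = build_sample([".text", ".maps.print", ".maps.counter", "license"])
    print(audit_map_sections(sample))
```

To check a real object, pass the bytes of the compiled `.o` file to `audit_map_sections` instead of the constructed sample.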
Your comments are so great and worth looking at in detail.👍👍👍 @dylandreimerink