
Comment by deemkeen

3 months ago

it uses the os independent fsnotify lib, it surely has its limits. eBPF is great, but linux only, yeah

On MacOS:

  # newline added so each probe firing is printed on its own line
  sudo dtrace -n 'vfs::*:entry { printf("%-16s %-6d %s\n", execname, pid, probefunc); }'

  # probe written in the same provider:module:function:name form as above
  sudo dtrace -n 'vfs::lookup:entry { printf("%-16s %-6d %s\n", execname, pid, copyinstr(arg1)); }'

TIL Dtrace is included in recent builds of Windows 11 and Server 2025: https://learn.microsoft.com/en-us/windows-hardware/drivers/d...

  # Must be run as Administrator
  # cmd.exe quoting: inner quotes are escaped with \" ; \n ends each record
  dtrace -n "syscall::NtCreateFile:entry, syscall::NtReadFile:entry, syscall::NtWriteFile:entry { printf(\"%s (%d) - %s\n\", execname, pid, probefunc); }"

It's possible to trace file system calls in Windows with procmon.exe by saving a .pmc config file and then loading it from the CLI:

  procmon.exe
  # uncheck everything except "Show File System Activity"
  # Filter > Drop Filtered Events
  # File > Export Configuration...

  # Must be run as Administrator
  procmon.exe /AcceptEula /Quiet /Minimized /LoadConfig C:\Tools\fs-only.pmc /BackingFile C:\Logs\FileSystemTrace.pml

It's also possible to trace lower level file system calls in Windows with logman.exe but it's necessary to parse the traces that it generates.

Then with just bpftrace on Linux:

  sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("%-6d %-16s %s\n", pid, comm, str(args.filename)); }'

  # bpftrace has no probefunc builtin (that is DTrace); func gives the traced kernel function name
  sudo bpftrace -e 'kprobe:vfs_read, kprobe:vfs_write, kprobe:vfs_open { printf("%-16s %-6d %s\n", comm, pid, func); }'

... According to 2.5pro on the cli strs

strace, dtrace, and bpftrace could have a --diff-fs-syscall-files option.

  • great insights, i'll read up on it and see if it can be useful, thx

    • np. there's a diagram, "Linux bcc/BPF tracing tools" [-1] in the bcc readme [0] that's also in [1] which explains ebpf and bcc and bpftrace.

      filetop, dirtop, and vfsstat use bpf to trace the VFS layer. [4]

      [-1] "Linux bcc/BPF tracing tools" https://www.brendangregg.com/BPF/bcc_tracing_tools_early2019...

      [0] iovisor/bcc: https://github.com/iovisor/bcc

      [1] "Linux Extended BPF (eBPF) Tracing Tools", Dtrace book: https://www.brendangregg.com/ebpf.html

      If running an AI agent in a container --- with devcontainers and e.g. vscode,

      Good container policy prevents granting a container the CAP_SYS_ADMIN capability; the least-privilege thing to do is to grant limited capabilities to the container like CAP_BPF and (CAP_PERFMON, CAP_NET_RAW, CAP_SYS_PTRACE) [3].

      [3] https://medium.com/@techdevguides/using-bpftrace-with-limite...

      [4] bpfcc-tools manpages: https://manpages.debian.org/unstable/bpfcc-tools/index.html

      though ripgrep wins, vscode fails at monitoring large workspaces due to inotify limits too; so some way to parse fs events from bcc and libdtrace with python would be great

      prompt 1: Create a python project named idk dbpftrace with a pyproject.toml and a README and sphinx /docs, with bcc and python-dtrace as dependencies to, then in dbpftrace/,

      parse pid and descendents' fs syscall events from bcc (ebpf) or python-dtrace (dtrace), depending on which os we're running

      Edit:

      Prompt 1B: Create a Go package named dbpftrace with a README and docs,

      parse pid and descendents' fs syscall events from bpftrace or dtrace stdout, depending on which os we're running

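A sketch of what prompt 1B asks for, added here as an example and not code from the thread or from any project: a Go filter that consumes bpftrace stdout and keeps only the file-open events of one pid and its descendants. It assumes a bpftrace script (BpftraceScript, constructed here) that also emits fork events from the sched_process_fork tracepoint, because the openat one-liner alone carries no parent/child relation; sampleOutput is constructed, not a real capture.

```go
package main

import (
	"bufio"
	"strconv"
	"strings"
)

// BpftraceScript is the assumed producer (constructed here): FORK from sched_process_fork, OPEN from openat.
const BpftraceScript = `
tracepoint:sched:sched_process_fork { printf("FORK %d %d\n", args.parent_pid, args.child_pid); }
tracepoint:syscalls:sys_enter_openat { printf("OPEN %d %s %s\n", pid, comm, str(args.filename)); }
`

// sampleOutput is constructed stdout in that format, not a real capture.
const sampleOutput = `FORK 1000 1001
OPEN 1000 bash /etc/passwd
FORK 1001 1002
OPEN 1002 rg /home/u/proj/main.go
OPEN 2000 code /home/u/other.txt
OPEN 1001 node /home/u/proj/package.json
`

// Event is one file-open event attributed to a traced process.
type Event struct{ PID int; Comm, Path string }

// FilterDescendants keeps the OPEN events of root and of every process forked,
// transitively, from it; FORK lines grow the tracked set as they arrive.
func FilterDescendants(out string, root int) []Event {
	tracked := map[int]bool{root: true}
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		switch {
		case len(f) == 3 && f[0] == "FORK":
			ppid, err1 := strconv.Atoi(f[1])
			cpid, err2 := strconv.Atoi(f[2])
			if err1 == nil && err2 == nil && tracked[ppid] {
				tracked[cpid] = true
			}
		case len(f) >= 4 && f[0] == "OPEN":
			pid, err := strconv.Atoi(f[1])
			if err == nil && tracked[pid] { // path may contain spaces
				events = append(events, Event{pid, f[2], strings.Join(f[3:], " ")})
			}
		}
	}
	return events
}
```

Because the tracked set only grows, a pid reused after a descendant exits would be mis-attributed; a fuller version should also consume sched_process_exit lines and drop exited pids.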