Would be nice if probe unloading was faster

Question

Would be nice if probe unloading was faster

deliciouslytyped opened this issue a year ago · 6 comments

Thank you so much for writing this awesome tool, it has made learning, using, and debugging the Linux network stack not just so much easier, but feasible at all for me. I used to have so much trouble figuring out why something wasn't working. (Significant kudos to kernel devs as well for enabling this with probing functionality.)

Is there any way to make attaching and detaching probes faster? Detaching probes seems to go a few times slower than attaching for me.

I guess maybe #99 isn't implemented for unloading?

Answer 1 · 2023-10-23T09:39:43.000Z

Thanks for the issue (and feedback)!

Could you provide the following?

Which kernel (uname -a)
Params for pwru
The first log lines before Listening for events

Answer 2 · 2023-10-23T13:11:53.000Z

Why not attach/detach kprobes concurrently?

It seems a little better to attach/detach kprobes concurrently.

# ./pwru --backend kprobe --output-meta --output-tuple icmp
2023/10/23 13:19:47 Attaching kprobes (via kprobe)...
1462 / 1462 [----------------------------------------------------------------------------------------------------] 100.00% 348 p/s
2023/10/23 13:19:52 Attached (ignored 0)
2023/10/23 13:19:52 Listening for events..
               SKB    CPU          PROCESS                     FUNC
^C2023/10/23 13:19:53 Received signal, exiting program..
2023/10/23 13:19:53 Detaching kprobes...
1462 / 1462 [-----------------------------------------------------------------------------------------------------] 100.00% 34 p/s

VS

# ./pwru --backend kprobe --output-meta --output-tuple icmp
2023/10/23 13:14:55 Attaching kprobes (via kprobe)...
1462 / 1462 [----------------------------------------------------------------------------------------------------] 100.00% 282 p/s
2023/10/23 13:15:01 Attached (ignored 0)
2023/10/23 13:15:01 Listening for events..
               SKB    CPU          PROCESS                     FUNC
^C2023/10/23 13:15:02 Received signal, exiting program..
2023/10/23 13:15:02 Detaching kprobes...
1462 / 1462 [-----------------------------------------------------------------------------------------------------] 100.00% 19 p/s

Answer 3 · 2024-02-26T18:37:04.000Z

Cool!

I haven't tested, but it looks like detach is still an order of magnitude (p/s) slower? (This is not significant for my usecase.)

Answer 4 · 2024-02-27T08:27:47.000Z

I think we could detach in batches too.

Answer 5 · 2024-02-27T09:30:51.000Z

I think we could detach in batches too.

It does detach in batches: DetachKprobes()

Answer 6 · 2024-02-27T09:40:43.000Z

Oops, my bad.