L4 · expert · Est. time 45 min

eBPF systems instrumentation.

A self-paced lab. Attach a kprobe, allocate a ring buffer, stream events from kernel to user space. The sandbox is provisioned in your browser.


Module 03 · hooking the kernel.

Step 3.1 · Attaching kprobe

Use the provided C snippet to attach a kprobe to the do_sys_openat2 kernel function. Every open(), openat() and openat2() call on the node passes through this function, so the probe sees every file-opening operation. Note that do_sys_openat2 is an internal kernel function, not a stable interface: its name and argument list can differ between kernel versions, so check them against the kernel you are tracing.

SEC("kprobe/do_sys_openat2")
int BPF_KPROBE(trace_open, int dfd, const char *filename, struct open_how *how)
{
  // Runs on every open()/openat()/openat2() that reaches do_sys_openat2.
  // filename is a user-space pointer: copy it with bpf_probe_read_user_str()
  // before use, then emit the event (step 3.2 adds the ring buffer for that).
  return 0;
}

Step 3.2 · Map buffer allocation

Define a BPF_MAP_TYPE_RINGBUF map to stream events from kernel space to user space. A single ring buffer shared by all CPUs preserves event order and is the preferred channel for high-frequency events, but it is not unlimited: bpf_ringbuf_reserve() returns NULL when the buffer is full and that event is lost, so size max_entries (a power of two, page-aligned, in bytes) for the expected event rate and always check the return value before writing into the record.
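The complete pipeline for steps 3.1 and 3.2, written here as an added example and not the lab's provided snippet: the kernel side attaches the kprobe, reserves a record in a BPF_MAP_TYPE_RINGBUF and submits it; the user-space side consumes records through libbpf's ring-buffer callback and flags opens of watched files, which is the kind of check behind the TRIGGER line in the live trace on this page. It goes beyond the lab text by adding the consumer and the watch-list check. Everything named here is an assumption of this example rather than something the lab defines: the `open_event` layout, the map name `events`, the program name `trace_open` (borrowed from the trace output), the `handle_event` and `is_sensitive_path` functions, the constructed watch list, and the build steps in the header comment (vmlinux.h produced with bpftool, the skeleton with `bpftool gen skeleton`, libbpf for loading). Built with a plain C compiler and without `-DHAVE_LIBBPF`, the file runs an offline self-check on a constructed record, so it can be compiled on a machine with neither libbpf nor BPF support.

```c
/* trace_open.c: added example for steps 3.1 and 3.2, not the lab's own code.
 * One file, two halves, selected by the __bpf__ macro clang defines for BPF:
 *   kernel:   clang -O2 -g -target bpf -I. -c trace_open.c -o trace_open.o
 *   skeleton: bpftool gen skeleton trace_open.o > trace_open.skel.h
 *   user:     cc -DHAVE_LIBBPF trace_open.c -lbpf   (plain cc builds the offline self-check) */
#define EV_COMM_LEN 16
#define EV_NAME_LEN 256
struct open_event {                    /* record layout shared by both halves, byte for byte */
    unsigned int pid;
    int dfd;
    char comm[EV_COMM_LEN];
    char filename[EV_NAME_LEN];
};

#if defined(__bpf__)
/* ---- kernel side: kprobe (step 3.1) feeding a ring buffer (step 3.2) ---- */
#include "vmlinux.h"                   /* bpftool btf dump file /sys/kernel/btf/vmlinux format c */
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
struct {
    __uint(type, BPF_MAP_TYPE_RINGBUF);
    __uint(max_entries, 256 * 1024);   /* bytes; must be a power of two, page-aligned */
} events SEC(".maps");

/* do_sys_openat2(int dfd, const char __user *filename, struct open_how *how) is an
 * internal kernel function, not a stable ABI: check name and arguments on the target kernel. */
SEC("kprobe/do_sys_openat2")
int BPF_KPROBE(trace_open, int dfd, const char *filename, struct open_how *how)
{
    struct open_event *e = bpf_ringbuf_reserve(&events, sizeof(*e), 0);
    if (!e)
        return 0;                      /* buffer full: this event is lost */
    e->pid = bpf_get_current_pid_tgid() >> 32;   /* upper 32 bits hold the tgid */
    e->dfd = dfd;
    bpf_get_current_comm(e->comm, sizeof(e->comm));
    /* filename is a user-space pointer: copy it with a helper, never dereference it */
    if (bpf_probe_read_user_str(e->filename, sizeof(e->filename), filename) < 0)
        e->filename[0] = '\0';
    bpf_ringbuf_submit(e, 0);
    return 0;
}
char LICENSE[] SEC("license") = "GPL"; /* required for GPL-only helpers */

#else
/* ---- user-space side: consume records and flag watched paths ---- */
#include <stdio.h>
#include <string.h>
struct open_stats { unsigned long events, flagged, short_records; };

/* Constructed watch list for this example; the lab's trace flags /etc/shadow. */
static const char *const SENSITIVE_PATHS[] = { "/etc/shadow", "/etc/gshadow", "/etc/sudoers" };

/* 1 if path exactly names a watched file. Relative paths would first need
 * resolving against dfd, which this example does not attempt. */
int is_sensitive_path(const char *path)
{
    for (size_t i = 0; i < sizeof SENSITIVE_PATHS / sizeof *SENSITIVE_PATHS; i++)
        if (strcmp(path, SENSITIVE_PATHS[i]) == 0)
            return 1;
    return 0;
}

/* libbpf ring_buffer_sample_fn signature; invoked once per submitted record. */
int handle_event(void *ctx, void *data, size_t size)
{
    struct open_stats *st = ctx;
    const struct open_event *e = data;
    st->events++;
    if (size < sizeof *e) { st->short_records++; return 0; }   /* layout mismatch */
    int hit = is_sensitive_path(e->filename);
    if (hit)
        st->flagged++;
    printf("%s PID %u (%.*s) opened %s\n", hit ? "[!] TRIGGER" : "EVENT",
           e->pid, EV_COMM_LEN, e->comm, e->filename);
    return 0;                          /* non-zero would abort ring_buffer__poll() */
}

#ifdef HAVE_LIBBPF
#include <bpf/libbpf.h>
#include "trace_open.skel.h"
int main(void)
{
    struct open_stats st = {0};
    struct trace_open *skel = trace_open__open_and_load();
    if (!skel || trace_open__attach(skel))
        return 1;
    struct ring_buffer *rb = ring_buffer__new(bpf_map__fd(skel->maps.events), handle_event, &st, NULL);
    if (!rb) return 1;
    while (ring_buffer__poll(rb, 100 /* ms */) >= 0) {}   /* Ctrl-C ends the loop */
    ring_buffer__free(rb);
    trace_open__destroy(skel);
    return 0;
}
#else
int main(void)                         /* offline self-check on a constructed record */
{
    struct open_stats st = {0};
    struct open_event ev = { .pid = 102, .dfd = -100, .comm = "bash", .filename = "/etc/shadow" };
    return handle_event(&st, &ev, sizeof ev) == 0 && st.flagged == 1 ? 0 : 1;
}
#endif
#endif
```

The size check in handle_event is the guard a practitioner wants when the two halves are built separately: if the record layout drifts, the consumer counts short records instead of reading past the end of the buffer.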

Technical insight

eBPF programs are verified at load time: the verifier checks every memory access, helper call and branch and rejects any program it cannot prove safe, so a loaded program cannot crash the kernel or access memory it is not permitted to touch. That guarantee is what lets you hook a hot path such as do_sys_openat2 without destabilising the node.

Diagram: NODE_A_KPROBE (CPU 12.4%, MEM 4.2GB). User space: Process 4201 and Process 8922 issue syscalls into kernel space, where the eBPF program hooks do_sys_openat2().
Live system trace · Recording
[0.00021] Loading eBPF program 'trace_open' into kernel...
[0.00045] Verifier stage 1 · program is safe.
[0.00122] Program attached to kprobe:do_sys_openat2
[0.12455] EVENT · CPU 0 · PID 822 (nginx) opened /etc/nginx/nginx.conf
[0.12489] EVENT · CPU 1 · PID 192 (systemd) opened /var/log/syslog
[0.12501] EVENT · CPU 0 · PID 822 (nginx) opened /var/www/html/index.html
[[!]] TRIGGER · access to /etc/shadow by PID 102 (unauthorised)
[0.24411] EVENT · CPU 3 · PID 1912 (tracefox-agent) opened /proc/stat