BirdNest Tech Talk
Sep 15, 2024 · Operations
How to Capture the unlink System Call with eBPF kprobe: A Step‑by‑Step Guide
This article explains how to use Linux eBPF kprobe (and kretprobe) to dynamically instrument the unlink system call, covering the underlying concepts, required kernel headers, full eBPF source code, compilation with both eunomia‑bpf and cilium/ebpf, and a detailed comparison with tracepoint probes.
Kprobe · Linux · eBPF
