This article explains the technical principles behind Linux kernel tracing, covering static tracepoints and dynamic kprobes, demonstrating their use with ftrace and perf, and detailing the underlying macro implementations and low‑level mechanisms that make kernel source tracking possible.
This article explains how to locate and monitor kernel execution using IDE navigation, Linux tracing tools such as ftrace, perf, tracepoints, and kprobes, and dives into the underlying implementation details of static and dynamic tracing mechanisms.
This article analyzes eBPF tracing hook mechanisms—kprobe, tracepoint/raw_tp, and fentry—explaining their implementation, performance trade‑offs, kernel version support, and benchmark results, to guide developers in choosing the most efficient hook for production workloads.
This guide explains how to leverage eBPF’s Kprobe, Tracepoint, and LSM features to audit file read/write activity, extract process and file details, and optionally block operations using helpers like bpf_send_signal or bpf_override_return, with complete code examples and configuration steps.
This tutorial walks through installing the required toolchain, writing a minimal eBPF program, compiling it with eunomia‑bpf or cilium/ebpf, loading it from user space, attaching it to a tracepoint, and observing kernel‑level output, while explaining each step and the underlying concepts.
This article explains Linux kernel tracing tools—including kprobes, kretprobes, uprobes, tracepoints, ftrace, perf, and eBPF—detailing how probe handlers are injected, how events are recorded via TraceFS, and which technique best fits different debugging and performance‑analysis scenarios.
The article explains Android’s emerging eBPF support, detailing how to write, compile, load, attach, and debug BPF programs—including map handling, permission controls, perf‑event reporting, and practical debugging steps—while highlighting its current preliminary status and vast potential for kernel‑level monitoring on mobile devices.
