probex-0.1.15 is not a library.
Probex - eBPF Process Tracing Tool
Flow Overview
```text
1. STARTUP
   probex -- sleep 1
        │
        ▼
   ┌─────────────────────────────────────┐
   │ Load eBPF bytecode into kernel      │
   │ (embedded at compile time)          │
   └─────────────────────────────────────┘
        │
        ▼
2. SPAWN TARGET PROCESS
   ┌─────────────────────────────────────┐
   │ fork() child with pre_exec hook     │
   │ that calls raise(SIGSTOP)           │
   │ Child stops before exec()           │
   └─────────────────────────────────────┘
        │
        ▼
3. SETUP TRACING
   ┌─────────────────────────────────────┐
   │ Insert child PID into TRACED_PIDS   │
   │ HashMap in kernel                   │
   └─────────────────────────────────────┘
        │
        ▼
   ┌─────────────────────────────────────┐
   │ Attach tracepoint handlers:         │
   │   - sched:sched_switch              │
   │   - sched:sched_process_fork        │
   │   - sched:sched_process_exit        │
   │   - exceptions:page_fault_user      │
   │   - syscalls:sys_enter/exit_read    │
   │   - syscalls:sys_enter/exit_write   │
   │   (full list: Event Types)          │
   └─────────────────────────────────────┘
        │
        ▼
   ┌─────────────────────────────────────┐
   │ Send SIGCONT to resume child        │
   │ Child now exec()s target program    │
   └─────────────────────────────────────┘
        │
        ▼
4. EVENT LOOP
   ┌──────────────────────────────────────────────────────────┐
   │ KERNEL (eBPF)               │ USERSPACE (probex)         │
   │                             │                            │
   │ Tracepoint fires ───────────┼──► Ring buffer poll        │
   │        │                    │         │                  │
   │        ▼                    │         ▼                  │
   │ Check TRACED_PIDS map       │  Parse event struct        │
   │        │                    │         │                  │
   │        ▼                    │         ▼                  │
   │ If PID tracked:             │  Buffer events in batch    │
   │   Write event to ring buffer│         │                  │
   │                             │         ▼                  │
   │ (Fork events also add       │  Write batch to Parquet    │
   │  child PID to map)          │  when batch is full        │
   └──────────────────────────────────────────────────────────┘
        │
        ▼
5. TERMINATION
   ┌─────────────────────────────────────┐
   │ On process_exit for target PID      │
   │ or Ctrl-C: exit event loop          │
   └─────────────────────────────────────┘
```
Key Components
- TRACED_PIDS: HashMap<u32, u8> in kernel - tracks which PIDs to trace
- EVENTS: RingBuf (2MB) - kernel→userspace event transfer
- SIGSTOP/SIGCONT: Ensures probes attach before target executes
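Steps 2 and 3 of the flow only work because the child is parked before exec(): if the tracer attached afterwards, the target's first page faults, forks and syscalls would be missed. The handoff below is an added example written against plain POSIX calls in C; it is not probex's own code (which does the same from Rust through a pre_exec hook). The `setup` callback stands in for the TRACED_PIDS insert and probe attach, and `record_setup_pid`/`setup_pid_seen` are helpers added here only so the result can be checked.

```c
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static pid_t last_setup_pid = -1;   /* PID the setup hook last saw (added for checking) */
static void record_setup_pid(pid_t pid) { last_setup_pid = pid; }
pid_t setup_pid_seen(void) { return last_setup_pid; }

/* Step 2: fork the target, but have the child stop itself before exec().
 * Returns the stopped child's PID, or -1. Nothing of the target has run yet. */
pid_t spawn_stopped(const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                          /* child: what the pre_exec hook does */
        raise(SIGSTOP);                      /* park here until the tracer is ready */
        char *const av[] = { (char *)path, NULL };
        execvp(path, av);
        _exit(127);                          /* exec failed */
    }
    int status;                              /* parent: wait for the stop notice */
    if (waitpid(pid, &status, WUNTRACED) != pid
        || !WIFSTOPPED(status) || WSTOPSIG(status) != SIGSTOP) {
        kill(pid, SIGKILL);                  /* unexpected state: do not leak the child */
        waitpid(pid, NULL, 0);
        return -1;
    }
    return pid;
}

/* End of step 3: release the child (it now exec()s) and collect its exit status.
 * Returns the exit status, or -1 if it did not exit normally. */
int resume_and_wait(pid_t pid) {
    int status;
    if (kill(pid, SIGCONT) != 0 || waitpid(pid, &status, 0) != pid) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The whole handoff: setup() runs while the child is stopped, which is the
 * window in which probex inserts the PID into TRACED_PIDS and attaches probes. */
int run_traced(const char *path, void (*setup)(pid_t)) {
    pid_t pid = spawn_stopped(path);
    if (pid < 0) return -1;
    if (setup) setup(pid);
    return resume_and_wait(pid);
}

/* Stand-alone use: ./handoff <program>; the exit status is the program's own. */
int main(int argc, char **argv) { return argc == 2 ? run_traced(argv[1], record_setup_pid) : 2; }
```

A failed exec() surfaces as exit status 127 from the child, so the caller can tell "target never started" apart from a target that ran and failed.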
Event Types
| Event | Tracepoint | Data |
|---|---|---|
| sched_switch | sched:sched_switch | prev_pid, next_pid, prev_state |
| process_fork | sched:sched_process_fork | parent_pid, child_pid |
| process_exit | sched:sched_process_exit | exit_code |
| page_fault | exceptions:page_fault_user | address, error_code |
| syscall_read_enter | syscalls:sys_enter_read | fd, count |
| syscall_read_exit | syscalls:sys_exit_read | ret |
| syscall_write_enter | syscalls:sys_enter_write | fd, count |
| syscall_write_exit | syscalls:sys_exit_write | ret |
| syscall_mmap_enter | syscalls:sys_enter_mmap | address, count(len) |
| syscall_mmap_exit | syscalls:sys_exit_mmap | ret |
| syscall_munmap_enter | syscalls:sys_enter_munmap | address, count(len) |
| syscall_munmap_exit | syscalls:sys_exit_munmap | ret |
| syscall_brk_enter | syscalls:sys_enter_brk | address |
| syscall_brk_exit | syscalls:sys_exit_brk | ret |
| syscall_io_uring_setup_enter | syscalls:sys_enter_io_uring_setup | entries, params_ptr |
| syscall_io_uring_setup_exit | syscalls:sys_exit_io_uring_setup | ret |
| syscall_io_uring_enter_enter | syscalls:sys_enter_io_uring_enter | fd, to_submit |
| syscall_io_uring_enter_exit | syscalls:sys_exit_io_uring_enter | ret |
| syscall_io_uring_register_enter | syscalls:sys_enter_io_uring_register | fd, opcode |
| syscall_io_uring_register_exit | syscalls:sys_exit_io_uring_register | ret |
| syscall_fsync_enter | syscalls:sys_enter_fsync | fd |
| syscall_fsync_exit | syscalls:sys_exit_fsync | ret |
| syscall_fdatasync_enter | syscalls:sys_enter_fdatasync | fd |
| syscall_fdatasync_exit | syscalls:sys_exit_fdatasync | ret |
| cpu_sample | perf_event (cpu clock) | stack sample |