Hi, I'm new to eBPF and exploring how sysdig is using BPF. Sysdig is using raw_tracepoint type BPF programs to collect arguments and return values of different syscall functions. My understanding is, raw_tracepoint programs are faster because we can skip argument processing and get raw access to the arguments.
We can also collect these data using kprobe and kretprobe. My understanding is, these programs will be slower compared to raw_tracepoint programs as they are executed later in the kernel and the arguments are further processed.
My question is, even if we use raw_tracepoint programs, the kernel will eventually process the arguments and pass them to syscall functions, so kprobe programs should not be slower than raw_tracepoint programs, right?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.