draios / sysdig

Linux system exploration and troubleshooting tool with first class support for containers
http://www.sysdig.com/

`kprobe` programs compared to `raw_syscall` type bpf program #1489

Open tahsinrahman opened 5 years ago

tahsinrahman commented 5 years ago

Hi, I'm new to eBPF and exploring how sysdig is using BPF. Sysdig is using raw_tracepoint type BPF programs to collect arguments and return values of different syscall functions. My understanding is that raw_tracepoint programs are faster because we can skip argument processing and get raw access to the arguments.

We can also collect this data using kprobe and kretprobe. My understanding is that these programs will be slower compared to raw_tracepoint programs, as they are executed later in the kernel and the arguments are further processed.

My question is: even if we use raw_tracepoint programs, the kernel will eventually process the arguments and pass them to the syscall functions, so kprobe programs should not be slower than raw_tracepoint programs, right?

Thanks!
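The two probe types the question compares, as an added example that is not part of the issue or of sysdig's own probe code: a bpftrace script (assumed tool; assumes x86-64 and a 4.17+ kernel with syscall wrappers, where openat is syscall 257) that reads the pathname argument of openat() once from `tracepoint:raw_syscalls:sys_enter` and once from a kprobe on `__x64_sys_openat`, and reports any mismatch. At the kprobe the arguments are still the raw `pt_regs` the wrapper receives, so the extra cost of a kprobe here comes from the probe mechanism, not from argument processing.

```bpftrace
// Added example, not from the sysdig repository. Assumes x86-64, a kernel
// >= 4.17 (syscall wrappers take a single pt_regs pointer), BTF for
// struct pt_regs, and bpftrace run as root: bpftrace syscall_probes.bt
// (hypothetical file name).

BEGIN
{
    printf("comparing openat() args from tracepoint and kprobe, Ctrl-C to stop\n");
}

// raw_syscalls:sys_enter fires for every syscall. args->args[] holds the
// six argument registers the kernel copied out of pt_regs, untouched by
// any wrapper or syscall body. 257 is __NR_openat on x86-64.
tracepoint:raw_syscalls:sys_enter
/args->id == 257/
{
    @tp_path[tid] = str(args->args[1]);   // second arg: const char *pathname
    @entries["tracepoint"] = count();
}

// On x86-64 the kprobe target __x64_sys_openat receives one argument: the
// user pt_regs pointer. The "processed" arguments are still just registers,
// so the pathname is pulled out of rsi here exactly as at the tracepoint.
kprobe:__x64_sys_openat
{
    $regs = (struct pt_regs *)arg0;
    @kp_path[tid] = str($regs->si);
    @entries["kprobe"] = count();
}

// On return, check that both probe types saw the same pathname for this
// thread, then drop the per-thread state.
kretprobe:__x64_sys_openat
/@tp_path[tid] != "" && @kp_path[tid] != ""/
{
    if (@tp_path[tid] != @kp_path[tid]) {
        printf("MISMATCH tid=%d tp=%s kp=%s\n", tid, @tp_path[tid], @kp_path[tid]);
    }
    delete(@tp_path[tid]);
    delete(@kp_path[tid]);
}

END
{
    clear(@tp_path);
    clear(@kp_path);
    print(@entries);   // both counters should be equal for the trace window
}
```

If the kernel was built without syscall wrappers, the kprobe target is `sys_openat` and its arguments arrive as normal C parameters (`arg0`, `arg1`, ...) instead of a `pt_regs` pointer.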

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.