Closed joelcisnerosss closed 2 years ago
Nope.
It's true that you can't call programs directly. You wouldn't want to either, as in an interrupts-disabled context you'd quickly wedge the system. You could have the user-space component of a bcc tool launch other bcc tools, triggered by instrumented events. If you are new to eBPF you probably don't want to go down this path for a while -- just start with the existing tools.
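The arrangement this reply describes, as an added example that is not part of the original thread or of bcc's own code: the eBPF program only reports an event, and the user-space half launches opensnoop and captures its output. The opensnoop path, the watched process names and the 5-second trace window are assumptions.

```python
import subprocess

# Assumption: install path of the bcc tools; adjust for your distribution.
OPENSNOOP = "/usr/share/bcc/tools/opensnoop"
WATCHED = ("curl", "wget")  # constructed sample: process names that trigger a trace

# Kernel side only reports the event; it never calls another program.
BPF_TEXT = r"""
#include <uapi/linux/ptrace.h>
struct event_t { u32 pid; char comm[16]; };
BPF_PERF_OUTPUT(events);
int on_exec_ret(struct pt_regs *ctx) {
    struct event_t e = {};
    e.pid = bpf_get_current_pid_tgid() >> 32;
    bpf_get_current_comm(&e.comm, sizeof(e.comm));
    events.perf_submit(ctx, &e, sizeof(e));
    return 0;
}
"""

def should_trace(comm):
    return comm in WATCHED

def opensnoop_argv(pid, seconds=5):
    # argv list, no shell: the PID is passed as a single argument.
    return [OPENSNOOP, "-p", str(int(pid)), "-d", str(int(seconds))]

def run_tool(argv, timeout=30):
    # Run a tool to completion and return its stdout as a list of lines.
    done = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return done.stdout.splitlines()

def main():
    from bcc import BPF  # needs root and an installed bcc
    b = BPF(text=BPF_TEXT)
    # Return probe: after a successful execve, comm is the new program name.
    b.attach_kretprobe(event=b.get_syscall_fnname("execve"), fn_name="on_exec_ret")

    def handle(cpu, data, size):
        e = b["events"].event(data)
        if should_trace(e.comm.decode(errors="replace")):
            # Blocks the poll loop while opensnoop runs; events may be dropped.
            for line in run_tool(opensnoop_argv(e.pid)):
                print(line)

    b["events"].open_perf_buffer(handle)
    while True:
        b.perf_buffer_poll()

if __name__ == "__main__":
    main()
```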
I am new to the concept of eBPF and how to write eBPF programs, and I was wondering if I could call and capture the output of bcc/tools inside an eBPF program, e.g. opensnoop or biosnoop. If so, could someone share a quick example of how to?