
How to retrieve a specific value from a structure in function arguments in an eBPF uprobe


I'm working on some eBPF and Redis-related tasks. However, I've run into some difficulties. When I attach a uprobe to the processCommand function in Redis, I want to retrieve some values from the parameters of the processCommand function. This parameter is a pointer to a structure (client* c) that contains many fields. I'm only interested in certain fields from this structure.

Is there a way in an eBPF program to retrieve just a specific field's value from the structure without copying the entire client structure definition from Redis? The client structure also includes other structures, and copying its definition seems very complicated.


Solution

  • Is there a way in an eBPF program to retrieve just a specific field's value from the structure without copying the entire client structure definition from Redis?

    Yes, you would have to know the offset of the field, or better yet copy the struct declaration into eBPF. You can manipulate the pointer before you read from user memory:

        bpf_probe_read_user(&val, sizeof(val), &c->some.field);

    The client structure also includes other structures, and copying its definition seems very complicated.

    While complex, it is likely the best way to go. Like I mentioned, if you know the offset of the data into the structure you can also make it work:

        bpf_probe_read_user(&val, sizeof(val), ((void *) c) + 123);

    But now you are doing the work that a compiler would normally do for you. Figuring out that offset requires you to know how the compiler would lay out the struct in memory.
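
The two approaches from the answer side by side, as an added example that is not part of the original post and not Redis's code. The struct layout is constructed for illustration (it is not Redis's real `client`), the names `target_client`, `client_mirror` and `read_user` are hypothetical, and `read_user` is a userspace stand-in for `bpf_probe_read_user` so the program runs without a kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the traced program's struct; NOT Redis's real client layout. */
struct target_client {
    uint64_t id;
    struct conn *conn;   /* nested struct reached through a pointer */
    int resp;
    char flag;           /* the compiler inserts padding after this member */
    int argc;            /* the one field the probe wants */
    void **argv;
};

/* Partial mirror: only the layout up to the wanted field matters; foreign pointers become void *. */
struct client_mirror {
    uint64_t id;
    void *conn;
    int resp;
    char flag;
    int argc;
};
/* Build-time check; in practice it lives in a helper compiled against the target's headers. */
_Static_assert(offsetof(struct client_mirror, argc) == offsetof(struct target_client, argc),
               "mirror no longer matches the target layout");

/* Userspace stand-in for bpf_probe_read_user(dst, size, src). */
static long read_user(void *dst, uint32_t size, const void *src) { memcpy(dst, src, size); return 0; }

/* Approach 1: let the compiler compute the address from the mirror declaration. */
int argc_via_mirror(const void *c) {
    int val = -1;
    read_user(&val, sizeof(val), &((const struct client_mirror *)c)->argc);
    return val;
}

/* Approach 2: raw byte offset, the same shape as ((void *) c) + 123. */
int argc_via_offset(const void *c, size_t off) {
    int val = -1;
    read_user(&val, sizeof(val), (const char *)c + off);
    return val;
}
/* Summing member sizes by hand ignores alignment padding and yields the wrong offset. */
size_t naive_offset(void) { return sizeof(uint64_t) + sizeof(void *) + sizeof(int) + sizeof(char); }

int main(void) {
    struct target_client c = { .id = 1, .argc = 3 };
    return !(argc_via_mirror(&c) == 3 && argc_via_offset(&c, offsetof(struct target_client, argc)) == 3);
}
```

A hand-maintained offset has to be re-derived for every build of the traced binary, since a different version or different compiler flags can move the field.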