From 8d803a7fadea7370ea7f464802428d921673b536 Mon Sep 17 00:00:00 2001
From: Gray Liang
Date: Fri, 27 Oct 2023 16:09:51 +0800
Subject: [PATCH] Find process using pid instead of tid

Previously we use tid to find process, leading to misleading output under some situations. According to documentation, `bpf_get_current_pid_tgid` returns `current->tgid << 32 | current->pid`. Kernel's view of the pid in user space is usually presented as the thread ID, and kernel's tgid in user space is seen as pid.
Signed-off-by: Zhichuan Liang
---
 bpf/kprobe_pwru.c | 2 +-
 internal/pwru/output.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/bpf/kprobe_pwru.c b/bpf/kprobe_pwru.c
index b6f6d205..ae0480ff 100644
--- a/bpf/kprobe_pwru.c
+++ b/bpf/kprobe_pwru.c
@@ -291,7 +291,7 @@ handle_everything(struct sk_buff *skb, void *ctx, struct event_t *event) {
 bpf_map_update_elem(&skb_addresses, &skb_addr, &TRUE, BPF_ANY);
 }
- event->pid = bpf_get_current_pid_tgid();
+ event->pid = bpf_get_current_pid_tgid() >> 32;
 event->ts = bpf_ktime_get_ns();
 event->cpu_id = bpf_get_smp_processor_id();
diff --git a/internal/pwru/output.go b/internal/pwru/output.go
index d6ea8873..d3c90332 100644
--- a/internal/pwru/output.go
+++ b/internal/pwru/output.go
@@ -97,9 +97,9 @@ func (o *output) Print(event *Event) {
 fmt.Fprintf(o.writer, "%12s ", time.Now().Format(absoluteTS))
 }
 p, err := ps.FindProcess(int(event.PID))
- execName := ""
+ execName := fmt.Sprintf("(%d)", event.PID)
 if err == nil && p != nil {
- execName = p.Executable()
+ execName = fmt.Sprintf("%s(%d)", p.Executable(), event.PID)
 }
 ts := event.Timestamp
 if o.flags.OutputTS == "relative" {
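Review bot: The new `>> 32` in handle_everything carries no comment, and `event->pid` keeps its name although it now holds the kernel tgid and the thread ID is discarded. A comment on that line, e.g. `/* upper 32 bits = tgid, the PID as userspace sees it; the tid in the lower 32 bits is dropped */`, would stop a later reader from reverting the shift. The helper reports whichever task is current when the probe fires, which for packets handled in softirq context may be unrelated to the traffic, so the comment could also mark the value as best-effort attribution. The function starts before and continues after this hunk.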
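Review bot: In Print, `ps.FindProcess(int(event.PID))` resolves the name when the event is printed rather than when the probe fired, so an exited process leaves only `(pid)` and a recycled PID can pair the number with a different executable; printing the PID beside the name makes that pairing look more authoritative than it is. The lookup presumably goes through pwru's own view of /proc, while the BPF helper reports the ID in the initial PID namespace, so the two can disagree when pwru runs outside the host PID namespace. I would document this above the lookup, e.g. `// best-effort: name is resolved at print time and may not be the task that hit the probe`. Separately, if `p.Executable()` returns the task's name unfiltered it is a process-chosen string written with `%s`; `%q` would keep control characters out of the terminal and any saved trace. Print starts before and continues after this hunk.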