20-24 September 2021
US/Pacific timezone

Pixie's eBPF Protocol Tracer

23 Sep 2021, 10:20
40m
Networking and BPF Summit/Virtual-Room (LPC Virtual)

Networking and BPF Summit/Virtual-Room

LPC Virtual

150
Networking & BPF Summit (Closed) BPF & Networking Summit

Speakers

Omid Azizi (Pixie Labs) Yaxiong Zhao (Pixie Labs) Ryan Cheng (Pixie Labs) John P Stevenson (Pixie Labs) Zain Asgar (Pixie Labs)

Description

We present Pixie’s protocol tracer, which uses eBPF to provide instant observability into application messaging without requiring code instrumentation. Pixie’s protocol tracer uses eBPF kprobes on networking-related system calls to capture communication data, which it then parses into protocol messages. The messages are inserted into structured data tables that are easily queried by application developers to help them gain insight into their application behavior.

We contrast our syscall tracing approach against other approaches (e.g. libpcap and uprobes), and discuss pros and cons. We share what worked well with our approach, and also the challenges we faced, including eBPF-related challenges of tracing syscalls that have a multitude of usage patterns.

Finally, we discuss the limitations of kprobe based tracing, in particular with respect to stateful protocols like HTTP/2 and encrypted connections like those that use TLS. We describe our complementary approach that uses eBPF uprobes on user-space libraries to capture the data in these scenarios.

We hope the technical details presented here will be of value to the eBPF community, and we are eager to hear from the eBPF community about potential improvements and suggestions for future directions.

I agree to abide by the anti-harassment policy I agree

Primary authors

Omid Azizi (Pixie Labs) Yaxiong Zhao (Pixie Labs) Ryan Cheng (Pixie Labs) John P Stevenson (Pixie Labs) Zain Asgar (Pixie Labs)

Presentation Materials