hino 258 oil capacity
Enterprise

Ebpf debugging

tiny whoop flight controller

A hand ringing a receptionist bell held by a robot hand

Jun 22, 2013 · Head of Research @nextronsystems #DFIR #YARA #Sigma | Detection Engineer | Creator of @thor_scanner, Aurora Agent, Sigma, LOKI, yarGen, Valhalla, Raccine.

happy scribe test results

eBPF Instruction Set; eBPF verifier; libbpf; BPF Type Format (BTF) Frequently asked questions (FAQ) Syscall API; Helper functions; BPF Kernel Functions (kfuncs) Program Types; eBPF. To move beyond the status quo, dynamic debugging and troubleshooting are essential service performance tools. In this article, we’ll discuss how to use eBPF technology to improve the profiling feature in SkyWalking and analyze the performance impact in the service mesh. Trace Profiling in SkyWalking. runtime. solana really earns the mainnet-beta designation once you get into runtime constraints. every instruction has fixed compute budgets which cannot be exceeded. there are hardcoded limits on ebpf instructions, log messages, stack size, call depth, and number of cross-program invokes. reentrancy is banned except for self-reentrancy. you get 32kb of heap and no free or realloc. eBPF Updates #4: In-Memory Loads Detection, Debugging QUIC, Local CI Runs, MTU Checks, but No Pancakes. By eBPF February 23, 2021 No Comments. In several parts of the globe,.

Perf has also a BPF interface that can be used to load eBPF objects into kernel. eBPF tracing: User space to kernel space flow. BPF system call and BPF maps are two useful entities that can interact with the eBPF kernel. BPF system call. A user can interact with the eBPF kernel using a bpf() system call whose prototype is:. The answer is - debugging information. Debugging information is generated by the compiler together with the machine code. It is a representation of the relationship between the executable program and the original source code. This information is encoded into a pre-defined format and stored alongside the machine code.

This instructor-led course focuses on the important tools used for debugging and monitoring the kernel, and how security features are implemented and controlled. 4.0/5 Stars . ... - Labs eBPF - BPF - eBPF - Installation - bcc Tools - bpftrace - Labs Crash - Crash - Main Commands - Labs kexec - kexec - Kernel Configuration - kexec-tools - Using. Which is the best alternative to ebpf? Based on common mentions it is: Goss, Wails, Go-flutter, Goebpf, Bpf-docs, Ebpf-beginners, Libbpfgo or Parca-agent. Request BTF debug information. BTF is the default debugging format for the eBPF target. On other targets, like x86, BTF debug information can be generated along with DWARF debug information when both of the debug formats are enabled explicitly via their respective command line options. -gctf-gctflevel. eBPF talks. You are invited to submit talks describing how you're using eBPF and eBPF-based open source projects to solve real world problems. To be clear, you do not have to be writing raw eBPF programs yourself to speak - we expect many speakers to be leveraging eBPF via derivative projects (such as are listed here).. We're now accepting submissions for lightning. . Once this ebpf program is loaded into the kernel, it will be called once whenever the execve system call is executed, and we will see the corresponding log output in /sys/kernel/debug/tracing/trace_pipe. 3.1. Converting ebpf core state programs to Go code using bpf2go.

for the containers and kubernetes specific case, it’s used with networking projects like cilium or calico, debugging solutions like bcc, kubectl-trace and inspektor gadget, and security-related projects like tracee and falco. ebpf is a very fast evolving technology: each new kernel release includes new features, and different linux distributions.

Jun 22, 2013 · Head of Research @nextronsystems #DFIR #YARA #Sigma | Detection Engineer | Creator of @thor_scanner, Aurora Agent, Sigma, LOKI, yarGen, Valhalla, Raccine. Request BTF debug information. BTF is the default debugging format for the eBPF target. On other targets, like x86, BTF debug information can be generated along with DWARF debug information when both of the debug formats are enabled explicitly via their respective command line options. -gctf-gctflevel.

eBPF is what enables Brendan to build performant tracing tools for Linux . In the case of opensnoop, he registers an eBPF program that is “attached” to the open (2) syscall and logs each one to an “eBPF map.”. The userland code is able to read (or write!) the contents of the eBPF map via a file descriptor.

eBPF is what enables Brendan to build performant tracing tools for Linux . In the case of opensnoop, he registers an eBPF program that is “attached” to the open (2) syscall and logs each one to an “eBPF map.”. The userland code is able to read (or write!) the contents of the eBPF map via a file descriptor. For more eBPF projects, check out: Part 1: Debugging Go function arguments in prod; Part 2: Full body HTTP request/response tracing; Tracing with BPF. BPF can be used to interrupt the execution of a program at virtually any point—much like how one can set a breakpoint in an application using a debugger.

veeam surebackup test scripts

Prepare a eBPF program. In Debian 9.1 we install a custome kernel (4.9.208). Go to the samples/bpf, and make (first need to isntall clang and llvm). Add a test_bpf.c in samples/bpf directory. Add one line in samples/bpf/Makefile right place. Then type ‘make’ to compile this bpf program. Now we get a ‘test_bpf.o’ file. Aug 09, 2016 · It also inspired me to share a full gdb debugging example, with output and every step involved, including dead ends. This isn't a particularly interesting or exotic issue, it's just a routine gdb debugging session. But it covers the basics and could serve as a tutorial of sorts, bearing in mind there's a lot more to gdb than I used here.. There’s a whole other world of testing, debugging, and optimization that you haven’t even touched yet. To help you more safely step into that complex phase of making your. eBPF talks. You are invited to submit talks describing how you're using eBPF and eBPF-based open source projects to solve real world problems. To be clear, you do not have to be writing raw eBPF programs yourself to speak - we expect many speakers to be leveraging eBPF via derivative projects (such as are listed here).. We're now accepting submissions for lightning.

eBPF Tooling and Debugging Infrastructure. By Quentin Monnet, Netronome. eBPF, in particular with its driver-level hook XDP, has increased in importance over the past few years. As a result, the ability to rapidly debug and diagnose problems is becoming more relevant. This session will cover common issues faced and techniques to diagnose them.

eBPF is an extended and enhanced version of the BPF Linux observability system. Think of it as BPF on steroids. With eBPF one can attach custom sandboxed bytecode to virtually every function exported via kernel symbol table without the fear of breaking the kernel. In fact, eBPF emphasizes the importance of safety when crossing user space. With "ebpf_exporter" we can generate all manner of detailed metrics. It is very powerful and saved us on many occasions. ... Then, our SRE team is maintaining ever-growing list of BCC scripts useful for debugging. It feels like Linux stopped developing new API's and all the new features are implemented as eBPF hooks and helpers. This is fine.

Nov 18, 2021 1 min read eBPF eBPF is a pure Go library that provides utilities for loading, compiling, and debugging eBPF programs. It has minimal external dependencies and is intended to be used in long running processes. asm contains a basic assembler link allows attaching eBPF to various hooks perf allows reading from a PERF_EVENT_ARRAY. eBPF which stands for “extended Berkeley Packet Filter”, is an in-kernel virtual machine that allows userspace programs to be executed in the kernel directly after they succeeded several checks. It can be used to achieve network performance improvements, SDN, security improvements and to have a better kernel debugging/tracing on your systems.

Phoronix: GNU Debugger Adding eBPF Debugging Support The GNU Debugger (GDB) has merged initial support for debugging of eBPF code that is traditionally consumed by the Linux kernel as part of this in-kernel special purpose virtual machine. Since the eBPF program is completely empty, this is not particularly useful. We need to actually access the arguments passed to the system call. In order to do this, we have to introduce the concept of “context.” Each eBPF program, upon start, gets passed a pointer to a context in the R1 register. The context is basically a structure that.

labcorp testosterone free and total

In this context, eBPF has been playing nicely with service meshes for years. Kubernetes's gift to the world is a composable platform with clear boundaries between layers, and the relationship between eBPF and service meshes fits right into that model: the CNI is responsible for L3/L4 traffic, and the service mesh for L7. 2 And the service mesh is great for platform owners. DebuggingatRuntimewithPerfEvents Also,supportfor"perfeventarrays",moreefficient Example:dumpdatafrompacket struct bpf_map_def SEC("maps") pa =. Your eBPF program will still be able to run but each instruction will be interpreted rather than compiled. This could work depending on your requirements. This can be set to either 1 or 2 to enable JIT compilation, but most of the time you'll want to set it to 1. 2 enables debugging kernel logs ( dmesg) intended for kernel JIT developers. eBPF gives us a programmable Linux Kernel that only runs safe code, and delivers endless possibilities for tools to be created. Here's a look at four that have recently emerged. ... Inspektor Gadget is a cool tool developed by Kinvolk to help with debugging, tracing, and observing applications inside of Kubernetes. It is essentially a map for debuggers to navigate the cold binary world. These debug symbols enable us to directly reference any data types, field names, functions, and global/static variables by names in a Ylang program. Ylang will map those names to numbers in the emitted analyzers for Stap+, eBPF, GDB, etc. 1.

Mar 30, 2016 # linux # tracing # ebpf # bcc. TL;DR: Using eBPF in recent (>=4.4) Linux kernel, you can turn any kernel function call into a user land event with arbitrary data. This is made easy by bcc. The probe is written in C while the data is handled by python. If you are not familiar with eBPF or linux tracing, you really should read the.

In order to access eBPF maps from user space beyond tc (8) setup lifetime, the ownership can be transferred to an eBPF agent via Unix domain sockets. There are two possibilities for. For example, eBPF execution paths must be fully known and verified before safely executing in the Kernel. eBPF programs cannot have arbitrary loops where the verifier will not know when the program will stop execution. In short, eBPF is Turing incomplete. ... Debugging these features and behaviors also becomes demanding. We need to figure out a.

Delve and gdb are typically used for debugging GO applications, but not in production. eBPF is a clean way to capture function arguments in production with l. Introduced in Linux 4.10, cgroup-bpf allows attaching eBPF programs to cgroups. Once attached, the program is executed for all packets entering or exiting any process in the. eBPF is a register-based Virtual Machine using a custom 64 bit RISC instruction set capable of running Just-in-Time native-compiled "BPF programs" inside the Linux kernel with access to a subset of kernel functions and memory. It is a full VM implementation, not to be confused with the Kernel-based VM (KVM) which is a module enabling Linux to. 1 I am learning about eBPF and I understand that I can attach my eBPF programs to kprobes, uprobes, tracepoints and more. I see that there is a list of for tracepoints under /sys/kernel/debug/tracing/events/ where I can attach eBPF programs to. However, how do I find which kprobe functions I can break into, say TCP related ones?. To move beyond the status quo, dynamic debugging and troubleshooting are essential service performance tools. In this article, we'll discuss how to use eBPF technology to improve the profiling feature in SkyWalking and analyze the performance impact in the service mesh. Trace Profiling in SkyWalking.

eBPF. eBPF is an emerging Linux kernel technology that allows for user-supplied programs to run inside of the kernel. This enables a bunch of interesting usecases, particularly efficient CPU. With "ebpf_exporter" we can generate all manner of detailed metrics. It is very powerful and saved us on many occasions. ... Then, our SRE team is maintaining ever-growing list of BCC scripts useful for debugging. It feels like Linux stopped developing new API's and all the new features are implemented as eBPF hooks and helpers. This is fine.

eBPF debugging tool eBPF As a powerful subsystem of Linux kernel debugging, there are many corresponding application level debugging tools, such as bpftool/bpftrace , and provides Lua and Python Debugging interface bcc ; Open source tools for kernel information collection and performance analysis SystemTap The eBPF function of the kernel is a. Webinar: eBPF Tooling and Debugging Infrastructure. Oct 9, 2018 - 11:00 a.m. EDT, Registration required. Watch the Replay Now Presented by Quentin Monnet eBPF, in.

amish stores in kansas

Because "normal eBPF" runs in the Linux kernel, a kernel-user context switch happens every time eBPF instruments a user process. This can be expensive for debugging. The goal of our talk is not just to show “yet another iotop like tool”, but to highlight the versatility of eBPF VM in the linux kernel that now allows developing targeted, plug and play tools to gather precise data about a system’s activity for security and performance debugging. To this end, we will explain in-depth what actually.

Because "normal eBPF" runs in the Linux kernel, a kernel-user context switch happens every time eBPF instruments a user process. This can be expensive for debugging. Request BTF debug information. BTF is the default debugging format for the eBPF target. On other targets, like x86, BTF debug information can be generated along with DWARF debug information when both of the debug formats are enabled explicitly via their respective command line options. -gctf-gctflevel. eBPF Instruction Set; eBPF verifier; libbpf; BPF Type Format (BTF) Frequently asked questions (FAQ) Syscall API; Helper functions; BPF Kernel Functions (kfuncs) Program Types; eBPF maps; Running BPF programs from userspace; Classic BPF vs eBPF; BPF licensing; Testing and debugging BPF. BPF drgn tools; Testing BPF on s390; Other; USB support. Back by popular demand, we’re excited to announce that the call for papers is now open for the eBPF Summit 2022, a virtual event, targeted at DevOps, platform architects, security teams, and developers.. eBPF is one of the most talked about technologies in our industry - enabling a new generation of networking, observability and security tools.

how to program honda accord key to start car

eBPF gives us a programmable Linux Kernel that only runs safe code, and delivers endless possibilities for tools to be created. Here's a look at four that have recently emerged. ... Inspektor Gadget is a cool tool developed by Kinvolk to help with debugging, tracing, and observing applications inside of Kubernetes. GNU Debugger 10.1 Released With BPF Debugging, Debuginfod Support GNU : 2020-10-24: Amazon's Bottlerocket Hits GA As Linux Distribution Optimized For Containers Operating Systems : 2020-09-01: GNU Debugger Adding eBPF Debugging Support GNU : 2020-08-05: Facebook Engineer Improving BPF "User Programs" Support Linux Kernel : 2020-08-02. Let's turn on the return mode for more granularity when debugging Firefox's behavior. cd /etc/netdata # Replace this path with your Netdata config directory sudo ./edit-config ebpf.d.conf Replace entry with return: [global] ebpf load mode = return disable apps = no [ebpf programs] process = yes network viewer = yes. Microsoft on Monday launched an open source project to make a Linux kernel tool known as eBPF, short for Extended Berkeley Packet Filter, work on Windows. Inspired by network packet filtering and capture software dubbed Berkeley Packet Filter, eBPF is a register-based virtual machine designed to run custom 64-bit RISC-like architecture via just.

Aug 09, 2016 · It also inspired me to share a full gdb debugging example, with output and every step involved, including dead ends. This isn't a particularly interesting or exotic issue, it's just a routine gdb debugging session. But it covers the basics and could serve as a tutorial of sorts, bearing in mind there's a lot more to gdb than I used here..

Clang and LLVM, used to compile from C to eBPF, got support for eBPF assembly in version 6.0. Let's have a look at it. Clang and LLVM, used to compile from C to eBPF, got support for eBPF assembly in version 6.0. ... LLVM is able to embed debug symbols so they can be dumped for inspection. Concretely, we can have the C instructions at the same. There are also performance improvements gained by doing certain tasks directly in the kernel compared to a pure user mode program. eBPF programs are used to do a myriad of things.

So there you go. With bpftrace you define what events to trace, and what should happen in response. Bpftrace compiles your high-level-bpftrace-language program to eBPF.

subaru fb20 timing chain replacement

lightning crotch period
weather forcast orlando florida
how to lubricate vw t5 sliding door

Aug 09, 2016 · It also inspired me to share a full gdb debugging example, with output and every step involved, including dead ends. This isn't a particularly interesting or exotic issue, it's just a routine gdb debugging session. But it covers the basics and could serve as a tutorial of sorts, bearing in mind there's a lot more to gdb than I used here..

2. Debugging a buggy eBPF program Let's start with the droppacket_unsafe.c program, which is compiled as part of building eBPF for Windows, as it is used in the unit tests. Step 1) Let's first.

Here comes eBPF • Debug symbol servers and remote GDB sessions • Booting rootfs over the network • Special protocols for diagnostics/log/trace • Debug vs Release images, “developer mode” • Random hacks like not loading video drivers to preseve splash screen Wait a minute Embedded-eBPF sounds like a solution in search of a problem... Wait a minute. Tracing a packet journey using Linux tracepoints, perf and eBPF. I've been looking for a low level Linux network debugging tool for quite some time. Linux allows to build complex networks running directly on the host, using a combination of virtual interfaces and network namespaces. When something goes wrong, troubleshooting is rather tedious. eBPF Instruction Set¶ Registers and calling convention¶ eBPF has 10 general purpose registers and a read-only frame pointer register, all of which are 64-bits wide. The eBPF calling convention is defined as:. The seccomp() mechanism allows a process to load a BPF program to restrict its future use of system calls; it is a simple but flexible sandboxing mechanism that is widely used. Those filter programs, though, run on the "classic" BPF virtual machine, rather than the extended BPF (eBPF) machine used elsewhere in the kernel. Moving seccomp() to eBPF has been an. With "ebpf_exporter" we can generate all manner of detailed metrics. It is very powerful and saved us on many occasions. ... Then, our SRE team is maintaining ever-growing list of BCC scripts useful for debugging. It feels like Linux stopped developing new API's and all the new features are implemented as eBPF hooks and helpers. This is fine.

eBPF allows software developers to write programs that are executed in the kernel without requiring recompi-lation and system restart. These programs can collect critical performance metrics or. Clang and LLVM, used to compile from C to eBPF, got support for eBPF assembly in version 6.0. Let's have a look at it. Clang and LLVM, used to compile from C to eBPF, got support for eBPF assembly in version 6.0. ... LLVM is able to embed debug symbols so they can be dumped for inspection. Concretely, we can have the C instructions at the same. While working with eBPF it can happen that after successfully compiling your program you find yourself in a situation where the program can't be loaded in th.

radio knob covers

Phoronix: GNU Debugger Adding eBPF Debugging Support The GNU Debugger (GDB) has merged initial support for debugging of eBPF code that is traditionally consumed by the Linux kernel as part of this in-kernel special purpose virtual machine. Linux debugging tools you'll love. This is a zine about some of my favorite Linux debugging tools, especially tools that I don’t think are as well-known as they should be. It covers strace, opensnoop/eBPF, and dstat! netcat, netstat, tcpdump, wireshark, and ngrep! And there’s a whole section on perf because perf is the best. Back by popular demand, we’re excited to announce that the call for papers is now open for the eBPF Summit 2022, a virtual event, targeted at DevOps, platform architects, security teams, and developers.. eBPF is one of the most talked about technologies in our industry - enabling a new generation of networking, observability and security tools.

system are broken into blocks, with corresponding eBPF tracepoints, corresponding to helper functions. These helper functions are im-plemented to interact with the system in kernel or user space. The helper functions can be used to print debugging messages, to interact with eBPF maps, or to manipulate network packets.

eBPF can move packet processing from the kernel-space and into the user-space. Likewise, eBPF is a just-in-time (JIT) compiler. After the bytecode is compiled, eBPF is invoked rather than a new interpretation of the bytecode for every method. Low intrusiveness. When leveraged as a debugger, eBPF doesn’t need to stop a program to observe its. Debugging of eBPF. Let's verify that running these tools really uses eBPF for execution. RHEL-7.6 comes with bpftool which can be used to list and dump eBPF programs.

GNU Debugger 10.1 Released With BPF Debugging, Debuginfod Support GNU : 2020-10-24: Amazon's Bottlerocket Hits GA As Linux Distribution Optimized For Containers Operating Systems : 2020-09-01: GNU Debugger Adding eBPF Debugging Support GNU : 2020-08-05: Facebook Engineer Improving BPF "User Programs" Support Linux Kernel : 2020-08-02.

GNU Debugger 10.1 Released With BPF Debugging, Debuginfod Support GNU : 2020-10-24: Amazon's Bottlerocket Hits GA As Linux Distribution Optimized For Containers Operating Systems : 2020-09-01: GNU Debugger Adding eBPF Debugging Support GNU : 2020-08-05: Facebook Engineer Improving BPF "User Programs" Support Linux Kernel : 2020-08-02.

eBPF (extended Berkeley Packet Filter), in particular with its driver-level hook XDP (eXpress Data Path), has increased in importance over the past few years. As a result, the ability to rapidly debug and diagnose problems is becoming more relevant.

While eBPF is not a silver bullet and should not be abused, I think it is a very powerful tool for network debugging and it deserves attention. I am sure it will play a really important role in the future of networks. Download Red Hat Enterprise Linux 8 and try eBPF. Additional Resources. Articles on Open vSwitch; Articles on Open Virtual Network.

eBPF Go Library offers tools that load, compile and debug eBPF programs. libbpf contains an eBPF loader to process Low-Level Virtual Machine-generated (LLVM) eBPF files for loading into the kernel. LLVM creates eBPF programs in C. There are also several projects that involve or offer eBPF programs and projects:.

eBPF is a mechanism for Linux applications to execute code in Linux kernel space. eBPF has already been used to create programs for networking, debugging, tracing, firewalls,.

Since the eBPF program is completely empty, this is not particularly useful. We need to actually access the arguments passed to the system call. In order to do this, we have to introduce the concept of “context.” Each eBPF program, upon start, gets passed a pointer to a context in the R1 register. The context is basically a structure that.

Linux Extended BPF (eBPF) Tracing Tools. This page shows examples of performance analysis tools using enhancements to BPF (Berkeley Packet Filter) which were added to the Linux 4.x series kernels, allowing BPF to do much more than just filtering packets. These enhancements allow custom analysis programs to be executed on Linux dynamic tracing.

Apr 7, 2022. Tracee is a Linux-based Runtime Security and Forensics application. It uses Linux eBPF technology to track your system and programmes in real time, then analyses the data to look for suspicious trends. It comes as a Docker image that monitors the OS and looks for suspicious behaviour based on a pre-defined set of patterns. DebuggingatRuntimewithPerfEvents Also,supportfor"perfeventarrays",moreefficient Example:dumpdatafrompacket struct bpf_map_def SEC("maps") pa =. Back by popular demand, we’re excited to announce that the call for papers is now open for the eBPF Summit 2022, a virtual event, targeted at DevOps, platform architects, security teams, and developers.. eBPF is one of the most talked about technologies in our industry - enabling a new generation of networking, observability and security tools.

active noise cancellation vs environmental noise cancellation
union supply direct 2022 catalog
Policy

strap anchor plate

bench press progression and regression

A kprobe is commonly used for debugging or monitoring production systems. After showing us how to do this with the bcc library, Liz then demonstrated how to store this data in an eBPF map, which creates a more scalable solution, as well as how to retrieve that data from a user space application.

bone marrow harvest protocol

DEC Alpha Options.

Aug 02, 2022 · Boot time optimization; Debugging; Develop Kernel Code for GKI; Android Kernel File System Support; Extending the kernel with eBPF; Using DebugFS in Android 12. Linux has layers of abstraction that can be difficult to debug, and applications must connect to the Linux kernel from the user space, which is slower and provides less insight into.

thuja occidentalis for warts how to tell if water pump is bad on washing machine
batch script if else multiple lines
in fdisk utility which command is used to print the partition table

Unlocking eBPF power. My first steps with eBPF. In this article I'm describing how I used bluetooth tracing with eBPF to handle locking of my laptop. I heard “eBPF” so many times in recent days that I’ve decided to give it a try. I have very limited knowledge about kernel tracing so I thought it is good opportunity to learn something new. program and then debug it with eBPF. eBPF Observability 29 Tracepoints Perf Events •Allows you to instrument (pre-defined) tracepoints in kernel code. •Can have higher performance than kprobes •Allows you instrument software and hardware performance events. Collecting statistics and deep-dive debugging of the kernel are two useful ways in which eBPF can be used for observability. eBPF programs can be attached to a number of different functions in the kernel, providing access to data that a function is processing while also allowing that data to be modified. ... (speed) and expense. If eBPF is very. Because "normal eBPF" runs in the Linux kernel, a kernel-user context switch happens every time eBPF instruments a user process. This can be expensive for debugging performance critical userspace code (perhaps the userspace eBPF VM project can be used to avoid this switch cost?). This context switch is much cheaper than what a normal debugger. With eBPF ability to have shared maps across instances, we can do dynamic taint analysis which has a minimal overhead. This will increase ability to track and stop malware and security breaches. Similarly, with the ability to keep state, it will be trivial to. Linux Extended BPF (eBPF) Tracing Tools. This page shows examples of performance analysis tools using enhancements to BPF (Berkeley Packet Filter) which were added to the Linux 4.x.

hisd kindergarten age

mega clean throw up

Modifying the system with eBPF eBPF can write to userspace memory with the bpf_probe_write_user function. int bpf_probe_write_user(void *dst, const void *src, u32 len) This only works for userspace memory that already has write permissions in place. So no writing to the .text segment with eBPF.

Write an eBPF program in eBPF bytecode, from scratch. This is perfectly doable, but can be long and tedious, and absolutely not user-friendly. And to remain compatible with tools like tc, the program has to be turned into an object file anyway, which adds an. eBPF was broken in pixel 3a 4.9 at my time of testing (kprobe was working but no output in BCC) so I need a newer kernel (4.9+). bpftool is a must have to debug eBPF related.