@@ -235,4 +235,5 @@ SEE ALSO
**bpftool-cgroup**\ (8),
**bpftool-feature**\ (8),
**bpftool-net**\ (8),
+ **bpftool-pcap**\ (8),
**bpftool-perf**\ (8)
@@ -164,5 +164,6 @@ SEE ALSO
**bpftool-map**\ (8),
**bpftool-feature**\ (8),
**bpftool-net**\ (8),
+ **bpftool-pcap**\ (8),
**bpftool-perf**\ (8),
**bpftool-btf**\ (8)
@@ -86,5 +86,6 @@ SEE ALSO
**bpftool-map**\ (8),
**bpftool-cgroup**\ (8),
**bpftool-net**\ (8),
+ **bpftool-pcap**\ (8),
**bpftool-perf**\ (8),
**bpftool-btf**\ (8)
@@ -271,5 +271,6 @@ SEE ALSO
**bpftool-cgroup**\ (8),
**bpftool-feature**\ (8),
**bpftool-net**\ (8),
+ **bpftool-pcap**\ (8),
**bpftool-perf**\ (8),
**bpftool-btf**\ (8)
@@ -198,5 +198,6 @@ SEE ALSO
**bpftool-map**\ (8),
**bpftool-cgroup**\ (8),
**bpftool-feature**\ (8),
+ **bpftool-pcap**\ (8),
**bpftool-perf**\ (8),
**bpftool-btf**\ (8)
new file mode 100644
@@ -0,0 +1,119 @@
+================
+bpftool-pcap
+================
+-------------------------------------------------------------------------------
+tool for inspection and simple manipulation of eBPF progs
+-------------------------------------------------------------------------------
+
+:Manual section: 8
+
+SYNOPSIS
+========
+
+ **bpftool** [*OPTIONS*] **pcap** *COMMAND*
+
+ *OPTIONS* := { { **-j** | **--json** } [{ **-p** | **--pretty** }] | { **-f** | **--bpffs** } }
+
+ *COMMANDS* :=
+ { **prog** | **trace** | **help** }
+
+PCAP COMMANDS
+=============
+
+| **bpftool** **pcap** **prog ** *PROG* [{**data_out** *FILE* | **proto** *PROTOCOL* | **len** *MAXLEN* | **pages** *NUMPAGES*}]
+| **bpftool** **pcap** **trace** [*OBJ*] *TRACE* [{**data_out** *FILE* | **proto** *PROTOCOL* | **len** *MAXLEN* | **dev** *DEVNAME* | **pages** *NUMPAGES*}]
+| **bpftool** **pcap help**
+|
+| *PROG* := { **id** *PROG_ID* | **pinned** *FILE* | **tag** *PROG_TAG* }
+| *PROTOCOL* := {
+| **eth** | **ip** | **ieee_80211** | ... }
+| *TRACE* := {
+| **kprobe**|**tracepoint**:*probename*[:arg{1-4}] }
+
+
+DESCRIPTION
+===========
+ **bpftool pcap prog [*PROG*] *PROG* [{**data_out** *FILE* | **proto** *PROTOCOL* | **len** *MAXLEN* | **pages** *NUMPAGES*}]
+
+ Capture packet data from perf event map associated with
+ program specified. By default capture data is displayed on
+ stdout, but if a capture file is preferred the data_out FILE
+ option can be used. The link type (termed DLT_TYPE in
+ libpcap) is assumed to be Ethernet if not explicitly
+ specified via the **proto** option.
+
+ Maximum capture length can be adjusted via the **len**
+ option.
+
+ To work with bpftool pcap, the associated BPF program must
+ at least define a perf event map, but if config options
+ (protocol, max len) are to be supported it should also
+ provide an array map with a single value of at least
+ *struct bpf_pcap_conf* size.
+
+ **bpftool** **pcap** **trace** [*OBJ*] *TRACE* [{**data_out** *FILE* | **proto** *PROTOCOL* | **len** *MAXLEN* | **dev** *DEV* | **pages** *NUMPAGES*}]
+
+ Attach the specified program in *OBJ* or load a
+ pre-existing BPF kprobe/tracepoint program capable
+ of capturing packets.
+
+ Trace specification is of the form
+
+ trace_type:probe[:arg]
+
+ For example tracepoint:iwlwifi_dev_tx_tb:arg2 will
+ capture packet data from the second argument to the
+ iwlwifi_dev_tx_tb tracepoint. *DEV* can be used to
+ limit capture to a specific incoming interface.
+
+ **bpftool prog help**
+ Print short help message.
+
+OPTIONS
+=======
+ -h, --help
+ Print short generic help message (similar to **bpftool help**).
+
+ -V, --version
+ Print version number (similar to **bpftool version**).
+
+ -j, --json
+ Generate JSON output. For commands that cannot produce JSON, this
+ option has no effect.
+
+ -p, --pretty
+ Generate human-readable JSON output. Implies **-j**.
+
+ -f, --bpffs
+ When showing BPF programs, show file names of pinned
+ programs.
+
+ -m, --mapcompat
+ Allow loading maps with unknown map definitions.
+
+ -n, --nomount
+ Do not automatically attempt to mount any virtual file system
+ (such as tracefs or BPF virtual file system) when necessary.
+
+ -d, --debug
+ Print all logs available, even debug-level information. This
+ includes logs from libbpf as well as from the verifier, when
+ attempting to load programs.
+
+EXAMPLES
+========
+**# bpftool pcap trace tracepoint:net_dev_xmit:arg1 proto eth | tcpdump -r -**
+reading from file -, link-type EN10MB (Ethernet)
+00:16:49.150880 IP 10.11.12.13 > 10.11.12.14: ICMP echo reply, id 10519, seq 1, length 64
+
+SEE ALSO
+========
+ **bpf**\ (2),
+ **bpf-helpers**\ (7),
+ **bpftool**\ (8),
+ **bpftool-map**\ (8),
+ **bpftool-cgroup**\ (8),
+ **bpftool-feature**\ (8),
+ **bpftool-net**\ (8),
+ **bpftool-perf**\ (8),
+ **bpftool-btf**\ (8)
@@ -90,4 +90,5 @@ SEE ALSO
**bpftool-cgroup**\ (8),
**bpftool-feature**\ (8),
**bpftool-net**\ (8),
+ **bpftool-pcap**\ (8),
**bpftool-btf**\ (8)
@@ -311,5 +311,6 @@ SEE ALSO
**bpftool-cgroup**\ (8),
**bpftool-feature**\ (8),
**bpftool-net**\ (8),
+ **bpftool-pcap**\ (8),
**bpftool-perf**\ (8),
**bpftool-btf**\ (8)
@@ -80,5 +80,6 @@ SEE ALSO
**bpftool-cgroup**\ (8),
**bpftool-feature**\ (8),
**bpftool-net**\ (8),
+ **bpftool-pcap**\ (8),
**bpftool-perf**\ (8),
**bpftool-btf**\ (8)
Document supported "bpf pcap" subcommands. "prog" is used to capture packets from already-loaded programs. "trace" loads/atttaches tracing programs to capture packets. Signed-off-by: Alan Maguire <alan.maguire@oracle.com> --- tools/bpf/bpftool/Documentation/bpftool-btf.rst | 1 + tools/bpf/bpftool/Documentation/bpftool-cgroup.rst | 1 + .../bpf/bpftool/Documentation/bpftool-feature.rst | 1 + tools/bpf/bpftool/Documentation/bpftool-map.rst | 1 + tools/bpf/bpftool/Documentation/bpftool-net.rst | 1 + tools/bpf/bpftool/Documentation/bpftool-pcap.rst | 119 +++++++++++++++++++++ tools/bpf/bpftool/Documentation/bpftool-perf.rst | 1 + tools/bpf/bpftool/Documentation/bpftool-prog.rst | 1 + tools/bpf/bpftool/Documentation/bpftool.rst | 1 + 9 files changed, 127 insertions(+) create mode 100644 tools/bpf/bpftool/Documentation/bpftool-pcap.rst