Have you ever gotten an -EINVAL from kernel syscall and had no idea why? Even with the kernel source code at hand, it often is hard to understand exactly where such errors originate and under which conditions. Retsnoop is a BPF-based tool built to make tracking down the source of such errors possible and (sometimes) easy. No kernel modification, printk()’s and rebuilds required. Retsnoop can do more than that, though, and over time has grown into a general-purpose kernel tracing and introspection tool. In this talk we’ll go over retsnoop’s functionality and see how it can be applied flexibly in practice when debugging kernel issues and just discovering kernel’s inner workings.
Andrii NAKRYIKO