README: update examples

Kill all references to syscall tracing. They are not portable across architectures, the symbol names keep changing, etc. This is very confusing for new users. Let's bring those back when there's a proper syscall provider in place.
wkz · Apr 22, 2020 · 6dbcc1e · 6dbcc1e
1 parent 57e2daf
commit 6dbcc1e
Showing 1 changed file with 12 additions and 24 deletions.
diff --git a/README.md b/README.md
@@ -38,50 +38,38 @@ userspace recipient to give you the full six degrees of freedom.
 Examples
 --------
 
-### Syscall Tracing
+Here are some one-liner examples to show the kinds of questions that
+`ply` can help answer.
 
-**`read()` return size, summarized as a power-of-2 histogram:**
+**What is the distribution of the returned sizes from `read(2)`s to the VFS?**
 ```
-ply 'kretprobe:SyS_read { @["size"] = quantize(retval); }'
+ply 'kretprobe:vfs_read { @["size"] = quantize(retval); }'
 ```
 
-**`read()` request size, as a power-of-2 histogram, for reads > 1 kB, grouped by pid:**
+**Which processes are receiving errors when reading from the VFS?**
 ```
-ply 'kprobe:SyS_read / arg2 > 1024 / { @[pid] = quantize(arg2); }'
+ply 'kretprobe:vfs_read if (retval < 0) { @[pid, comm, retval] = count(); }'
 ```
 
-**`open()` Print process name, pid and the file that was opened:**
+**Which files are being opened, by who?**
 ```
-ply 'kprobe:do_sys_open { printf("%v(%v): %s\n", comm, pid, str(arg1)); }'
+ply 'kprobe:do_sys_open { printf("%v(%v): %s\n", comm, uid, str(arg1)); }'
 ```
 
-**Count all system calls by syscall type:**
+**When sending packets, where are we coming from?**
 ```
-ply 'kprobe:SyS_* { @[caller] = count(); }'
+ply 'kprobe:dev_queue_xmit { @[stack] = count(); }'
 ```
 
-**Count all system calls by process name and pid:**
-```
-ply 'kprobe:SyS_* { @[comm, pid] = count(); }'
-```
-
-### Stack Traces
-
-**Frequency count all different paths to `schedule`:**
-```
-ply 'kprobe:schedule { @[stack] = count(); }'
-```
-
-### Tracepoints
-
-**Monitor all incoming TCP resets:**
+**From which hosts and ports are we receiving TCP resets?**
 ```
 ply 'tracepoint:tcp/tcp_receive_reset {
 	printf("saddr:%v port:%v->%v\n",
 		data->saddr, data->sport, data->dport);
 }'
 ```
 
+
 Build and Installation
 ----------------------