BPFTRACE(8) | System Manager's Manual | BPFTRACE(8) |
BPFtrace - the eBPF tracing language & frontend
bpftrace [OPTIONS] FILE
bpftrace [OPTIONS] -e ´program code´
BPFtrace is a high-level tracing language for Linux enhanced Berkeley Packet Filter (eBPF) available in recent Linux kernels (4.x).
BPFtrace uses:
As well as the existing Linux tracing capabilities:
kernel | userland | |
static | tracepoints | USDT* probes |
dynamic | kprobes | uprobes |
*USDT = user-level statically defined tracing
The BPFtrace language is inspired by awk and C, and predecessor tracers such as DTrace and SystemTap.
See EXAMPLES and ONELINERS if you are impatient.
See PROBE TYPES and BUILTINS (variables/functions) for the
bpftrace language elements.
For brevity, just the the actual BPF code is shown below.
Usage: bpftrace -e ´bpf-code´
Attach a BPFtrace script to a kernel function, to be executed when that function is called:
kprobe:vfs_read { ... }
Attach script to a userland function:
uprobe:/bin/bash:readline { ... }
Attach script to a statically defined tracepoint in the kernel:
tracepoint:sched:sched_switch { ... }
Tracepoints are guaranteed to be stable between kernel versions, unlike kprobes.
Attach script to kernel software events, executing once every provided count or use a default:
software:faults:100 software:faults:
Attach script to hardware events (PMCs), executing once every provided count or use a default:
hardware:cache-references:1000000 hardware:cache-references:
Run the script on all CPUs at specified time intervals:
profile:hz:99 { ... }
profile:s:1 { ... }
profile:ms:20 { ... }
profile:us:1500 { ... }
Run the script once per interval, for printing interval output:
interval:s:1 { ... }
interval:ms:20 { ... }
A single probe can be attached to multiple events:
kprobe:vfs_read,kprobe:vfs_write { ... }
Some probe types allow wildcards to be used when attaching a probe:
kprobe:vfs_* { ... }
Define conditions for which a probe should be executed:
kprobe:sys_open / uid == 0 / { ... }
The following variables and functions are available for use in bpftrace scripts:
The official documentation can be found here:
https://github.com/iovisor/bpftrace/blob/master/docs
The first official talk by Alastair on bpftrace happened at the Tracing Summit in Edinburgh, Oct 25th 2018.
Created by Alastair Robertson.
Manpage by Stephan Schuberth.
man -k bcc, after having installed the bpfcc-tools package under Ubuntu.
Prior to contributing new tools, read the official checklist at:
https://github.com/iovisor/bpftrace/blob/master/CONTRIBUTING-TOOLS.md
October 2018 |