DOKK / manpages / debian 11 / bpfcc-tools / dcsnoop-bpfcc.8.en
dcsnoop(8) System Manager's Manual dcsnoop(8)

dcsnoop - Trace directory entry cache (dcache) lookups. Uses Linux eBPF/bcc.

dcsnoop [-h] [-a]

By default, this traces every failed dcache lookup (cache miss), and shows the process performing the lookup and the filename requested. A -a option can be used to show all lookups, not just failed ones.

The output of this tool can be verbose, and is intended for further investigations of dcache performance beyond dcstat(8), which prints per-second summaries.

This uses kernel dynamic tracing of the d_lookup() function, and will need and will need updating to match any changes to this function.

Since this uses BPF, only the root user can use this tool.

CONFIG_BPF and bcc.

Print usage message.
Trace references, not just failed lookups.

# dcsnoop
# dcsnoop -a

Time of lookup, in seconds.
Process ID.
Process name.
Type: R == reference (only visible with -a), M == miss. A miss will print two lines, one for the reference, and one for the miss.
The file name component that was being looked up. This contains trailing pathname components (after '/'), which will be the subject of subsequent lookups.

File name lookups can be frequent (depending on the workload), and this tool prints a line for each failed lookup, and with -a, each reference as well. The output may be verbose, and the incurred overhead, while optimized to some extent, may still be from noticeable to significant. This is only really intended for deeper investigations beyond dcstat(8), when absolutely necessary. Measure and quantify the overhead in a test environment before use.

This is from bcc.

https://github.com/iovisor/bcc

Also look in the bcc distribution for a companion _examples.txt file containing example usage, output, and commentary for this tool.

Linux

Unstable - in development.

Brendan Gregg

dcstat(1)

2016-02-10 USER COMMANDS