Provided by: bpftrace_0.9.4-1_amd64
NAME
bpftrace - the eBPF tracing language & frontend
SYNOPSIS
bpftrace [OPTIONS] FILE bpftrace [OPTIONS] -e ´program code´
DESCRIPTION
bpftrace is a high-level tracing language for Linux enhanced Berkeley Packet Filter (eBPF) available in recent Linux kernels (4.x). bpftrace uses: • LLVM as a backend to compile scripts to BPF-bytecode • BCC for interacting with the Linux BPF system As well as the existing Linux tracing capabilities: ┌─────────┬─────────────┬──────────────┐ │ │ kernel │ userland │ ├─────────┼─────────────┼──────────────┤ │ static │ tracepoints │ USDT* probes │ ├─────────┼─────────────┼──────────────┤ │ dynamic │ kprobes │ uprobes │ └─────────┴─────────────┴──────────────┘ *USDT = user-level statically defined tracing The bpftrace language is inspired by awk and C, and predecessor tracers such as DTrace and SystemTap. See EXAMPLES and ONELINERS if you are impatient. See PROBE TYPES and BUILTINS (variables/functions) for the bpftrace language elements.
OPTIONS
-l [searchterm] List probes. -e ´PROGRAM´ Execute PROGRAM. -p PID Enable USDT probes on PID. Will terminate bpftrace on PID termination. Note this is not a global PID filter on probes. -c CMD Helper to run CMD. Equivalent to manually running CMD and then giving passing the PID to -p. This is useful to ensure you've traced at least the duration CMD's execution. --unsafe Enable unsafe builtin functions. By default, bpftrace runs in safe mode. Safe mode ensure programs cannot modify system state. Unsafe builtin functions are marked as such in BUILTINS (functions). --btf Force BTF data processing if it's available. By default it's enabled only if the user does not specify any types/includes. -v Verbose messages. -d Debug info on dry run. -dd Verbose debug info on dry run.
EXAMPLES
bpftrace -l ´*sleep*´ List probes containing "sleep". bpftrace -e ´kprobe:do_nanosleep { printf("PID %d sleeping\n", pid); }´ Trace processes calling sleep. bpftrace -c ´sleep 5´ -e ´kprobe:do_nanosleep { printf("PID %d sleeping\n", pid); }´ run "sleep 5" in a new process and then trace processes calling sleep. bpftrace -e ´tracepoint:raw_syscalls:sys_enter { @[comm]=count(); }´ Count syscalls by process name.
ONELINERS
For brevity, just the the actual BPF code is shown below. Usage: bpftrace -e ´bpf-code´ New processes with arguments: tracepoint:syscalls:sys_enter_execve { join(args->argv); } Files opened by process: tracepoint:syscalls:sys_enter_open { printf("%s %s\n", comm, str(args->filename)); } Syscall count by program: tracepoint:raw_syscalls:sys_enter { @[comm] = count(); } Syscall count by syscall: tracepoint:syscalls:sys_enter_* { @[probe] = count(); } Syscall count by process: tracepoint:raw_syscalls:sys_enter { @[pid, comm] = count(); } Read bytes by process: tracepoint:syscalls:sys_exit_read /args->ret/ { @[comm] = sum(args->ret); } Read size distribution by process: tracepoint:syscalls:sys_exit_read { @[comm] = hist(args->ret); } Disk size by process: tracepoint:block:block_rq_issue { printf("%d %s %d\n", pid, comm, args->bytes); } Pages paged in by process: software:major-faults:1 { @[comm] = count(); } Page faults by process: software:faults:1 { @[comm] = count(); } Profile user-level stacks at 99 Hertz, for PID 189: profile:hz:99 /pid == 189/ { @[ustack] = count(); }
PROBE TYPES
KPROBES Attach a bpftrace script to a kernel function, to be executed when that function is called: kprobe:vfs_read { ... } UPROBES Attach script to a userland function: uprobe:/bin/bash:readline { ... } TRACEPOINTS Attach script to a statically defined tracepoint in the kernel: tracepoint:sched:sched_switch { ... } Tracepoints are guaranteed to be stable between kernel versions, unlike kprobes. SOFTWARE Attach script to kernel software events, executing once every provided count or use a default: software:faults:100 software:faults: HARDWARE Attach script to hardware events (PMCs), executing once every provided count or use a default: hardware:cache-references:1000000 hardware:cache-references: PROFILE Run the script on all CPUs at specified time intervals: profile:hz:99 { ... } profile:s:1 { ... } profile:ms:20 { ... } profile:us:1500 { ... } INTERVAL Run the script once per interval, for printing interval output: interval:s:1 { ... } interval:ms:20 { ... } MULTIPLE ATTACHMENT POINTS A single probe can be attached to multiple events: kprobe:vfs_read,kprobe:vfs_write { ... } WILDCARDS Some probe types allow wildcards to be used when attaching a probe: kprobe:vfs_* { ... } PREDICATES Define conditions for which a probe should be executed: kprobe:sys_open / uid == 0 / { ... }
BUILTINS
The following variables and functions are available for use in bpftrace scripts: VARIABLES pid Process ID (kernel tgid) tid Thread ID (kernel pid) cgroup Cgroup ID of the current process uid User ID gid Group ID nsecs Nanosecond timestamp cpu Processor ID comm Process name kstack Kernel stack trace ustack User stack trace arg0, arg1, ... etc. Arguments to the function being traced retval Return value from function being traced func Name of the function currently being traced probe Full name of the probe curtask Current task_struct as a u64. rand Random number of type u32. FUNCTIONS hist(int n) Produce a log2 histogram of values of n lhist(int n, int min, int max, int step) Produce a linear histogram of values of n count() Count the number of times this function is called sum(int n) Sum this value min(int n) Record the minimum value seen max(int n) Record the maximum value seen avg(int n) Average this value stats(int n) Return the count, average, and total for this value delete(@x) Delete the map element passed in as an argument str(char *s) Returns the string pointed to by s printf(char *fmt, ...) Print formatted to stdout print(@x[, int top [, int div]]) Print a map, with optional top entry count and divisor clear(@x) Delete all key/values from a map sym(void *p) Resolve kernel address usym(void *p) Resolve user space address kaddr(char *name) Resolve kernel symbol name uaddr(char *name) Resolve user space symbol name reg(char *name) Returns the value stored in the named register join(char *arr[]) Prints the string array time(char *fmt) Print the current time cat(char *filename) Print file content ntop([int af, ]int|char[4|16] addr) Convert IP address data to text system(char *fmt) (unsafe) Execute shell command exit() Quit bpftrace kstack([StackMode mode, ][int level]) Kernel stack trace ustack([StackMode mode, ][int level]) User stack trace
FURTHER READING
The official documentation can be found here: https://github.com/iovisor/bpftrace/blob/master/docs
HISTORY
The first official talk by Alastair on bpftrace happened at the Tracing Summit in Edinburgh, Oct 25th 2018.
AUTHOR
Created by Alastair Robertson. Manpage by Stephan Schuberth.
SEE ALSO
man -k bcc, after having installed the bpfcc-tools package under Ubuntu.
CONTRIBUTING
Prior to contributing new tools, read the official checklist at: https://github.com/iovisor/bpftrace/blob/master/CONTRIBUTING-TOOLS.md October 2018 BPFTRACE(8)