The Geek Diary

bpftrace Command Examples in Linux

by admin

bpftrace is a command-line utility in Linux used to write and run eBPF (extended Berkeley Packet Filter) programs for tracing and performance analysis. BPF is a powerful and flexible feature in the Linux kernel that allows you to apply custom filters to network traffic and perform various actions based on the contents of the packets.

bpftrace Command Examples

1. Display bpftrace version:

# bpftrace -V

2. List all available probes:

# bpftrace -l

3. Run a one-liner program (e.g. syscall count by program):

# bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'

4. Run a program from a file:

# bpftrace path/to/file

5. Trace a program by PID:

# bpftrace -e 'tracepoint:raw_syscalls:sys_enter /pid == 123/ { @[comm] = count(); }'

6. Do a dry run and display the output in eBPF format:

# bpftrace -d -e 'one_line_program'

One-liners

The following one-liners demonstrate different capabilities:

1. Files opened by process:

# bpftrace -e 'tracepoint:syscalls:sys_enter_open { printf("%s %s\n", comm, str(args->filename)); }'

2. Syscall count by program:

# bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'

3. Read bytes by process:

# bpftrace -e 'tracepoint:syscalls:sys_exit_read /args->ret/ { @[comm] = sum(args->ret); }'

4. Read size distribution by process:

# bpftrace -e 'tracepoint:syscalls:sys_exit_read { @[comm] = hist(args->ret); }'

5. Show per-second syscall rates:

# bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @ = count(); } interval:s:1 { print(@); clear(@); }'

6. Trace disk size by process:

# bpftrace -e 'tracepoint:block:block_rq_issue { printf("%d %s %d\n", pid, comm, args->bytes); }'

7. Count page faults by process:

# bpftrace -e 'software:faults:1 { @[comm] = count(); }'

8. Count LLC cache misses by process name and PID (uses PMCs):

# bpftrace -e 'hardware:cache-misses:1000000 { @[comm, pid] = count(); }'

9. Profile user-level stacks at 99 Hertz, for PID 189:

# bpftrace -e 'profile:hz:99 /pid == 189/ { @[ustack] = count(); }'

10. Files opened, for processes in the root cgroup-v2:

# bpftrace -e 'tracepoint:syscalls:sys_enter_openat /cgroup == cgroupid("/sys/fs/cgroup/unified/mycg")/ { printf("%s\n", str(args->filename)); }'
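The "Files opened by process" one-liner prints one "comm filename" line per open, which makes it easy to post-process for monitoring. The script below is an added example, not part of the original article: it filters that output for opens of sensitive files by processes that are not on an allow list. The watch list, the allow list, the function names and the sample lines are all assumptions made for illustration.

```bash
#!/bin/sh
# Added example: post-process the "comm filename" lines printed by the
# "Files opened by process" one-liner and flag unexpected opens of
# sensitive files. Watch list and allow list are hypothetical; tune per host.
SENSITIVE_RE='^(/etc/shadow|/etc/sudoers|/root/[.]ssh/|/home/[^/]+/[.]ssh/)'
ALLOWED_COMMS='sshd sudo passwd login cron unix_chkpwd'

# Reads bpftrace output on stdin, prints one ALERT line per suspicious open.
flag_sensitive_opens() {
  awk -v re="$SENSITIVE_RE" -v allow="$ALLOWED_COMMS" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^Attaching / { next }              # bpftrace startup banner
    {
      # comm may contain spaces ("Web Content"), so split at the first " /"
      # instead of on whitespace. Relative paths have no " /" and are skipped:
      # an open of "shadow" from cwd /etc is NOT caught by this filter.
      p = index($0, " /")
      if (p == 0) next
      comm = substr($0, 1, p - 1)
      path = substr($0, p + 1)
      if (path ~ re && !(comm in ok))
        printf "ALERT comm=\"%s\" path=%s\n", comm, path
    }'
}

# Constructed sample of one-liner output (not captured from a real host).
sample_opens() {
  cat <<'EOF'
Attaching 1 probe...
sshd /etc/shadow
cat /etc/shadow
bash /etc/passwd
Web Content /home/alice/.ssh/id_ed25519
sudo /etc/sudoers
python3 notes.txt
EOF
}

# Offline demo; on a live host, pipe the one-liner into the filter instead:
#   bpftrace -e 'tracepoint:syscalls:sys_enter_open { printf("%s %s\n", comm, str(args->filename)); }' | flag_sensitive_opens
sample_opens | flag_sensitive_opens
```

comm is a short, process-controlled name, so treat the allow list as noise reduction rather than as a trust decision.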

© 2023 · The Geek Diary
