# Linux bpftrace Command

[Linux Command Encyclopaedia](#)

* * *

bpftrace is an advanced tracing tool based on eBPF (Extended Berkeley Packet Filter), which allows developers to dynamically observe and analyze the running state of Linux systems without modifying the kernel code.

eBPF is a technology in the Linux kernel that provides a sandboxed virtual machine for running user-defined code in the kernel; every program is checked by the kernel's verifier before it is loaded. bpftrace is built on top of eBPF and provides a simpler, higher-level abstraction layer.

* * *

## Core Advantages of bpftrace

### Real-time System Observation

* No need to restart the system or applications
* Very low performance overhead
* Can observe both kernel and user-space programs

### Flexible Probe Capabilities

* Supports multiple probe point types: function entry/exit, timers, hardware events, etc.
* Can trace system calls, network events, disk I/O, etc.

### Simple Scripting Language

* AWK-like syntax with a gentle learning curve
* Rich built-in functions and variables
* Supports conditional filtering and aggregation statistics

* * *

## bpftrace Installation and Configuration

### Installation Methods

```bash
# Ubuntu/Debian
sudo apt install bpftrace

# CentOS/RHEL
sudo yum install bpftrace

# Compile from source
git clone https://github.com/iovisor/bpftrace.git
mkdir bpftrace/build && cd bpftrace/build
cmake ..
make
sudo make install
```

### Verify Installation

```bash
sudo bpftrace -e 'BEGIN { printf("Hello, bpftrace!\n"); }'
```

* * *

## bpftrace Basic Syntax

A bpftrace program consists of probes and associated actions, with the basic structure as follows:

```
probe /filter/ { action }
```

The filter is optional; when present, the action runs only for events where the filter expression is true.

### Probe Point Types

| Probe Point Type | Description | Example |
| --- | --- | --- |
| `kprobe` | Kernel function entry | `kprobe:vfs_read` |
| `kretprobe` | Kernel function return | `kretprobe:vfs_read` |
| `uprobe` | User-space function entry | `uprobe:/bin/bash:readline` |
| `tracepoint` | Kernel static tracing point | `tracepoint:syscalls:sys_enter_open` |
| `interval` | Timer trigger | `interval:s:5` |
| `software` | Software events | `software:major-faults:1` |

### Common Built-in Variables

* `pid`: Current process ID
* `tid`: Current thread ID
* `comm`: Current process name
* `nsecs`: Nanosecond timestamp
* `arg0`-`argN`: Function arguments (kprobe/uprobe); tracepoint fields are accessed as `args->name`
* `retval`: Function return value (kretprobe/uretprobe)

* * *

## bpftrace Practical Examples

### 1. Tracing System Calls

```bash
# Count the number of open system calls
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_open { @ = count(); }'
```

### 2. Analyzing Function Execution Time

```bash
# Measure vfs_read execution time; the start timestamp is keyed by thread ID
# so that concurrent reads on different threads do not overwrite each other
sudo bpftrace -e '
kprobe:vfs_read { @start[tid] = nsecs; }
kretprobe:vfs_read /@start[tid]/ {
    @times = hist(nsecs - @start[tid]);
    delete(@start[tid]);
}'
```

### 3. Monitoring Process File Access

```bash
# Track files opened by a specific process
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat /pid == 1234/ { printf("%s -> %s\n", comm, str(args->filename)); }'
```

### 4. Counting TCP Connections

```bash
# Count TCP connections by process name
sudo bpftrace -e 'kprobe:tcp_connect { @[comm] = count(); }'
```

* * *

## bpftrace Advanced Features

### 1. Map Functionality

bpftrace provides various built-in map types for data aggregation:

```bpftrace
// Power-of-two histogram of a value
@hist = hist(nsecs);

// Running average of a value
@avg = avg(nsecs);

// Count events; keying the map by a field gives a count per distinct value
@unique[comm] = count();
```

### 2. Conditional Filtering

```bpftrace
// Only trace read calls for a specific process
tracepoint:syscalls:sys_enter_read /pid == 1234/ {
    printf("PID %d reading %d bytes\n", pid, args->count);
}
```

### 3. Multiple Probe Combination

```bpftrace
// Trace the entire process from socket creation to connection.
// kprobe arguments are untyped, so arg0 is cast to struct sock *;
// struct sock comes from the kernel headers (or BTF on kernels that provide it).
#include <net/sock.h>

kprobe:sock_alloc {
    @socket[tid] = 1;
}

kprobe:tcp_connect /@socket[tid]/ {
    $sk = (struct sock *)arg0;
    // skc_dport is stored in network byte order; swap to host order for printing
    $dport = $sk->__sk_common.skc_dport;
    $dport = ($dport >> 8) | (($dport & 0xff) << 8);
    printf("pid %d (%s) connecting to %s:%d\n", pid, comm,
           ntop(AF_INET, $sk->__sk_common.skc_daddr), $dport);
    delete(@socket[tid]);
}
```

* * *

## bpftrace Best Practices

1. **Limit Tracing Scope**: Use PID or command name filtering to reduce system overhead
2. **Avoid Excessive Printing**: Too many printf statements will affect performance
3. **Use Aggregation**: Prefer aggregation functions such as count(), sum(), etc.
4. **Clean Up Resources**: Regularly clear map data in long-running scripts
5. **Security Considerations**: bpftrace requires root privileges, so be cautious when running unknown scripts

* * *

## Comparison of bpftrace with Other Tools

| Tool | Advantages | Disadvantages |
| --- | --- | --- |
| **bpftrace** | Flexible, high performance, easy to use | Requires root privileges |
| **strace** | Simple, no compilation needed | High performance overhead |
| **perf** | Full-featured, low overhead | Steep learning curve |
| **SystemTap** | Powerful | Requires compilation, complex configuration |

* * *

## Recommended Learning Resources

1. [bpftrace Reference Guide](https://github.com/iovisor/bpftrace/blob/master/docs/reference_guide.md)
2. [bpftrace One-Liner Tutorial](https://github.com/iovisor/bpftrace/blob/master/docs/tutorial_one_liners.md)
3. [bpftrace tools directory](https://github.com/iovisor/bpftrace/tree/master/tools)

bpftrace is a powerful tool for system performance analysis and troubleshooting. By practicing these examples and mastering its core concepts, you will be able to understand and optimize the running behavior of Linux systems more deeply.
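The Basic Syntax section above lists `uprobe:/bin/bash:readline` as a probe point and `retval`, `pid` and `comm` as built-in variables. The following script is an added example, not code from the page or the bpftrace project, that puts those pieces together into a complete probe/filter/action program for auditing the command lines typed into interactive bash sessions. It assumes `/bin/bash` exports the `readline` symbol, and it uses the return probe (`uretprobe`) because the string of interest is what `readline()` returns, not what it is called with.

```bpftrace
#!/usr/bin/env bpftrace
// Added example: log each command line an interactive bash returns from readline().
// Assumption: /bin/bash exports the readline symbol (the usual case for dynamically
// linked bash builds).

BEGIN
{
    printf("%-12s %-7s %-16s %s\n", "ELAPSED(ms)", "PID", "COMM", "COMMAND");
}

// uretprobe fires at function return, so retval is the char* readline() handed back.
// The filter skips NULL returns (end of input / Ctrl-D).
uretprobe:/bin/bash:readline
/retval != 0/
{
    // elapsed: nanoseconds since bpftrace started; str() copies the user-space string
    printf("%-12d %-7d %-16s %s\n", elapsed / 1000000, pid, comm, str(retval));
    @lines[comm, pid] = count();    // per-shell tally, printed once at exit
}

END
{
    printf("\nCommand lines per shell:\n");
    print(@lines);
    clear(@lines);                  // cleared so bpftrace does not print it a second time
}
```

Run it as `sudo bpftrace bashreadline_audit.bt` (file name assumed). The output contains whatever users typed at the prompt, which can include credentials passed on the command line, so it should be stored with the same protections as other audit logs.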
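The Multiple Probe Combination section shows two probes sharing state through a map. The script below is an added example (not part of the page or the bpftrace project) that applies the same pattern to a question defenders commonly ask: which executable image is behind each outbound TCP connection. A per-pid map filled by the `execve` tracepoint is read later from `kprobe:tcp_connect`, and a process-exit tracepoint deletes the entry so the map cannot grow without bound. It assumes kernel headers are installed (for `struct sock`) or that the kernel provides BTF, and it reports IPv4 connections only.

```bpftrace
#!/usr/bin/env bpftrace
#include <net/sock.h>

// Added example: correlate execve() with later outbound IPv4 TCP connects via a
// per-pid map. Assumption: struct sock is available from kernel headers or BTF.

// Remember the image each pid was exec'd as (execveat() is not covered here).
tracepoint:syscalls:sys_enter_execve
{
    @image[pid] = str(args->filename);
}

kprobe:tcp_connect
{
    $sk = (struct sock *)arg0;           // kprobe args are untyped: cast arg0
    if ($sk->__sk_common.skc_family == AF_INET) {
        // skc_dport is big-endian; swap the two bytes to get the host-order port
        $dport = $sk->__sk_common.skc_dport;
        $dport = ($dport >> 8) | (($dport & 0xff) << 8);
        // @image[pid] is empty when the process was exec'd before tracing began
        printf("%-16s pid=%-6d image=%-24s -> %s:%d\n", comm, pid, @image[pid],
               ntop(AF_INET, $sk->__sk_common.skc_daddr), $dport);
        @connects[comm, pid] = count();  // aggregate view, printed at exit
    }
}

// Drop the entry when the process exits so the map stays bounded.
tracepoint:sched:sched_process_exit
{
    delete(@image[pid]);
}

END
{
    clear(@image);                       // internal state, not worth printing
}
```

Processes that were already running when the script started have no `@image` entry, which is why the printf still includes `comm`; for a full picture, start the tracer before the workload or accept the empty image field for pre-existing processes.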
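The Best Practices list above asks for limited scope, aggregation instead of per-event printing, and regular map cleanup. This added example (not from the page or the bpftrace project) is one script that follows all three: it filters on a command name supplied as a positional parameter, keeps per-syscall counts in a map, prints and clears that map once per second, and stops itself after a caller-supplied number of seconds. The positional parameters `$1` (command name) and `$2` (seconds to run) and the file name `syscall_rate.bt` are assumptions of the example.

```bpftrace
#!/usr/bin/env bpftrace
// Added example. Usage (file name assumed): sudo bpftrace syscall_rate.bt sshd 30
// $1 = command name to trace, $2 = number of seconds to run.

BEGIN
{
    if ($# != 2) {
        printf("usage: syscall_rate.bt <comm> <seconds>\n");
        exit();
    }
    // nsecs is a monotonic nanosecond clock; compute the stop time once
    @deadline = nsecs + ($2 * 1000000000);
    printf("Tracing syscalls of %s for %d seconds\n", str($1), $2);
}

// raw_syscalls:sys_enter fires for every syscall on the system, so the comm
// filter is what keeps the overhead low (best practice 1). Counting into a map
// instead of printing per event is best practices 2 and 3.
tracepoint:raw_syscalls:sys_enter
/comm == str($1)/
{
    @calls[args->id] = count();      // keyed by syscall number
}

// Report and clear every second so the map never accumulates (best practice 4),
// and exit once the requested runtime has elapsed.
interval:s:1
{
    print(@calls);
    clear(@calls);
    if (nsecs >= @deadline) {
        exit();
    }
}

END
{
    clear(@calls);
    clear(@deadline);                // nothing left for bpftrace to auto-print
}
```

The map is keyed by syscall number rather than name, so the output is read against the architecture's syscall table; keeping the key numeric avoids a per-event string lookup, which is in keeping with the low-overhead goal of the script.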