1trace(8) System Manager's Manual trace(8)
2
6 trace - Trace a function and print its arguments or return value,
7 optionally evaluating a filter. Uses Linux eBPF/bcc.
8
10 trace [-h] [-b BUFFER_PAGES] [-p PID] [-L TID] [-v] [-Z STRING_SIZE]
11 [-S] [-s SYM_FILE_LIST]
12 [-M MAX_EVENTS] [-t] [-u] [-T] [-C] [-K] [-U] [-a] [-I header]
13 probe [probe ...]
14
16 trace probes functions you specify and displays trace messages if a
17 particular condition is met. You can control the message format to dis‐
18 play function arguments and return values.
19 Since this uses BPF, only the root user can use this tool.
21
23 CONFIG_BPF and bcc.
24
26 -h Print usage message.
27 -p PID Trace only functions in the process PID.
29 -L TID Trace only functions in the thread TID.
31 -v Display the generated BPF program, for debugging purposes.
33 -z STRING_SIZE
35 When collecting string arguments (of type char*), collect up to
36 STRING_SIZE characters. Longer strings will be truncated.
37 -s SYM_FILE_LIST
39 When collecting stack trace in build id format, use the coma
40 separated list for symbol resolution.
41 -S If set, trace messages from trace's own process. By default,
43 this is off to avoid tracing storms -- for example, if you trace
44 the write system call, and consider that trace is writing to the
45 standard output.
46 -M MAX_EVENTS
48 Print up to MAX_EVENTS trace messages and then exit.
49 -t Print times relative to the beginning of the trace (offsets), in
51 seconds.
52 -u Print UNIX timestamps instead of offsets from trace beginning,
54 requires -t.
55 -T Print the time column.
57 -C Print CPU id.
59 -c CGROUP_PATH
61 Trace only functions in processes under CGROUP_PATH hierarchy.
62 -n NAME
64 Only print process names containing this name.
65 -f MSG_FILTER
67 Only print message of event containing this string.
68 -B Treat argument of STRCMP helper as a binary value
70 -K Print the kernel stack for each event.
72 -U Print the user stack for each event. -a Print virtual address
74 in kernel and user stacks.
75 -I header
77 Additional header files to include in the BPF program. This is
78 needed if your filter or print expressions use types or data
79 structures that are not available in the standard headers. For
80 example: 'linux/mm.h'
81 probe [probe ...]
83 One or more probes that attach to functions, filter conditions,
84 and print information. See PROBE SYNTAX below.
85
87 The general probe syntax is as follows:
88 [{p,r}]:[library]:function[(signature)] [(predicate)] ["format
90 string"[, arguments]]
91 {t:category:event,u:library:probe} [(predicate)] ["format string"[,
93 arguments]]
94 {[{p,r}],t,u}
96 Probe type - "p" for function entry, "r" for function return,
97 "t" for kernel tracepoint, "u" for USDT probe. The default probe
98 type is "p".
99 [library]
101 Library containing the probe. Specify the full path to the .so
102 or executable file where the function to probe resides. Alterna‐
103 tively, you can specify just the lib name: for example, "c"
104 refers to libc. If no library name is specified, the kernel is
105 assumed. Also, you can specify an executable name (without a
106 full path) if it is in the PATH. For example, "bash".
107 category
109 The tracepoint category. For example, "sched" or "irq".
110 function
112 The function to probe.
113 signature
115 The optional signature of the function to probe. This can make
116 it easier to access the function's arguments, instead of using
117 the "arg1", "arg2" etc. argument specifiers. For example,
118 "(struct timespec *ts)" in the signature position lets you use
119 "ts" in the filter or print expressions.
120 event The tracepoint event. For example, "block_rq_complete".
122 probe The USDT probe name. For example, "pthread_create".
124 [(predicate)]
126 The filter applied to the captured data. Only if the filter
127 evaluates as true, the trace message will be printed. The filter
128 can use any valid C expression that refers to the argument val‐
129 ues: arg1, arg2, etc., or to the return value retval in a return
130 probe. If necessary, use C cast operators to coerce the argu‐
131 ments to the desired type. For example, if arg1 is of type int,
132 use the expression ((int)arg1 < 0) to trace only invocations
133 where arg1 is negative. Note that only arg1-arg6 are supported,
134 and only if the function is using the standard x86_64 convention
135 where the first six arguments are in the RDI, RSI, RDX, RCX, R8,
136 R9 registers. If no predicate is specified, all function invoca‐
137 tions are traced.
138 The predicate expression may also use the STRCMP pseudo-function
140 to compare a predefined string to a string argument. For exam‐
141 ple: STRCMP("test", arg1). The order of arguments is important:
142 the first argument MUST be a quoted literal string, and the sec‐
143 ond argument can be a runtime string, most typically an argu‐
144 ment.
145 ["format string"[, arguments]]
147 A printf-style format string that will be used for the trace
148 message. You can use the following format specifiers: %s, %d,
149 %u, %lld, %llu, %hd, %hu, %c, %x, %llx -- with the same seman‐
150 tics as printf's. Make sure to pass the exact number of argu‐
151 ments as there are placeholders in the format string. The format
152 specifier replacements may be any C expressions, and may refer
153 to the same special keywords as in the predicate (arg1, arg2,
154 etc.).
155 In addition to the above format specifiers, you can also use %K
157 and %U when the expression is an address that potentially points
158 to executable code (i.e., a symbol). trace will resolve %K spec‐
159 ifiers to a kernel symbol, such as vfs__read, and will resolve
160 %U specifiers to a user-space symbol in that process, such as
161 sprintf.
162 In tracepoints, both the predicate and the arguments may refer
164 to the tracepoint format structure, which is stored in the spe‐
165 cial "args" variable. For example, the block:block_rq_complete
166 tracepoint can print or filter by args->nr_sector. To discover
167 the format of your tracepoint, use the tplist tool.
168 In USDT probes, the arg1, ..., argN variables refer to the
170 probe's arguments. To determine which arguments your probe has,
171 use the tplist tool.
172 The predicate expression and the format specifier replacements
174 for printing may also use the following special keywords: $pid,
175 $tgid to refer to the current process' pid and tgid; $uid, $gid
176 to refer to the current user's uid and gid; $cpu to refer to the
177 current processor number.
178
180 Trace all invocations of the open system call with the name of the file
181 being opened:
182 # trace '::do_sys_open "%s", arg2'
183 Trace all invocations of the read system call where the number of bytes
185 requested is greater than 20,000:
186 # trace '::sys_read (arg3 > 20000) "read %d bytes", arg3'
187 Trace all malloc calls and print the size of the requested allocation:
189 # trace ':c:malloc "size = %d", arg1'
190 Trace returns from the readline function in bash and print the return
192 value as a string:
193 # trace 'r:bash:readline "%s", retval'
194 Trace the block:block_rq_complete tracepoint and print the number of
196 sectors completed:
197 # trace 't:block:block_rq_complete "%d sectors", args->nr_sec‐
198 tor'
199 Trace the pthread_create USDT probe from the pthread library and print
201 the address of the thread's start function:
202 # trace 'u:pthread:pthread_create "start addr = %llx", arg3'
203 Trace the nanosleep system call and print the sleep duration in
205 nanoseconds:
206 # trace 'p::SyS_nanosleep(struct timespec *ts) sleep for %lld ns
207 , ts->tv_nsec'
208 Trace the inet_pton system call using build id mechanism and print the
210 stack
211 # trace -s /lib/x86_64-linux-gnu/libc.so.6,/bin/ping
212 'p:c:inet_pton' -U
213
215 This is from bcc.
216 https://github.com/iovisor/bcc
218 Also look in the bcc distribution for a companion _examples.txt file
220 containing example usage, output, and commentary for this tool.
221
223 Linux
224
226 Unstable - in development.
227
229 Sasha Goldshtein
230USER COMMANDS 2016-02-18 trace(8)