syscount.bt(8) System Manager's Manual syscount.bt(8)

NAME
       syscount.bt - Count system calls. Uses bpftrace/eBPF.

SYNOPSIS
       syscount.bt

DESCRIPTION
       This counts system calls (syscalls), printing a summary of the top ten
       syscall IDs, and the top ten process names making syscalls. This can be
       helpful for characterizing the kernel and resource workload, and
       finding applications that are using syscalls inefficiently.

       This works by using the tracepoint:raw_syscalls:sys_enter tracepoint.

       Since this uses BPF, only the root user can use this tool.

REQUIREMENTS
       CONFIG_BPF and bpftrace.

EXAMPLES
       Count system calls until Ctrl-C is hit:
              # syscount.bt

FIELDS
       Top 10 syscalls IDs:
              This shows the syscall ID number (in @syscall[]) followed by a
              count for this syscall during tracing. To see the syscall name
              for that ID, you can use "ausyscall --dump", or the bcc version
              of this tool that does translations.

       Top 10 processes:
              This shows the process name (in @process[]) followed by a count
              of syscalls during tracing.

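The ID-to-name lookup suggested above, as an added example (not part of bpftrace or of this man page): a Python script that joins the @syscall[] lines printed by syscount.bt with an "ausyscall --dump" table. Both sample inputs are constructed and the function names are hypothetical; syscall IDs are architecture-specific, so the table should be dumped on the traced host.

```python
import re

# Constructed excerpt of `ausyscall --dump` output on x86_64 (ID<TAB>name).
AUSYSCALL_DUMP = """Using x86_64 syscall table:
0\tread
1\twrite
107\tgeteuid
202\tfutex
"""

# Constructed sample of syscount.bt output (bpftrace map print format).
SYSCOUNT_OUTPUT = """Top 10 syscalls IDs:
@syscall[999]: 3
@syscall[1]: 812
@syscall[0]: 1540
@syscall[202]: 9031

Top 10 processes:
@process[sshd]: 420
@process[java]: 10966
"""

ENTRY = re.compile(r"^@syscall\[(\d+)\]:\s+(\d+)$")


def load_syscall_table(dump_text):
    """Build {id: name} from the dump, skipping the banner line."""
    table = {}
    for line in dump_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            table[int(parts[0])] = parts[1]
    return table


def name_syscalls(syscount_text, table):
    """Return (name, count) pairs for @syscall[] lines, busiest first."""
    rows = []
    for line in syscount_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # @process[] lines and headings do not match
            sid, count = int(m.group(1)), int(m.group(2))
            # An ID missing from the table stays visible, not dropped.
            rows.append((table.get(sid, f"unknown({sid})"), count))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for name, count in name_syscalls(SYSCOUNT_OUTPUT, load_syscall_table(AUSYSCALL_DUMP)):
        print(f"{count:>8}  {name}")
```
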
OVERHEAD
       For most applications, the overhead should be manageable if they
       perform 1000's or even 10,000's of syscalls per second. For higher
       rates, the overhead may become considerable. For example, tracing a
       microbenchmark loop of 4 million calls to geteuid() slows it down by
       2.4x. However, this represents tracing a workload that has a syscall
       rate of over 4 million syscalls per second per CPU, which should not be
       typical (in one large cloud production environment, rates of between
       10k and 50k are typical, where the application overhead is expected to
       be closer to 1%).

       For comparison, strace(1) in its current ptrace-based implementation
       (which it has had for decades) runs the same geteuid() workload 102x
       slower (that's one hundred and two times slower).

SOURCE
       This is from bpftrace.

              https://github.com/iovisor/bpftrace

       Also look in the bpftrace distribution for a companion _examples.txt
       file containing example usage, output, and commentary for this tool.

       This is a bpftrace version of the bcc tool of the same name. The bcc
       version provides different command line options, and translates the
       syscall IDs to their syscall names.

              https://github.com/iovisor/bcc

OS
       Linux

STABILITY
       Unstable - in development.

AUTHOR
       Brendan Gregg

SEE ALSO
       strace(1)

USER COMMANDS 2018-09-06 syscount.bt(8)