1threadsnoop.bt(8) System Manager's Manual threadsnoop.bt(8)
2
3
4
6 threadsnoop.bt - Trace thread creation via pthread_create(). Uses bpf‐
7 trace/eBPF.
8
10 threadsnoop.bt
11
13 threadsnoop traces calls to pthread_create(), showing this path of
14 thread creation. This can be used for workload characterization and
15 discovery, and is a companion to execsnoop.bt(8) which traces ex‐
16 ecve(2).
17
18 This works by tracing the pthread_create() from libpthread.so.0. The
19 path to this library may need adjusting in the tool source to match
20 your system.
21
22 Since this uses BPF, only the root user can use this tool.
23
25 CONFIG_BPF and bpftrace.
26
28 Trace calls pthread_create():
29 # threadsnoop.bt
30
32 TIME(ms)
33 Elapsed time since the tool began tracing (in milliseconds).
34
35 PID The process ID.
36
37 COMM The process (thread) name.
38
39 FUNC The name of the start routine, if the symbol is available, else
40 a hex address for the start routine address.
41
43 Thread creation is expected to be low (<< 1000/s), so the overhead of
44 this tool is expected to be negligible.
45
47 This tool originated from the book "BPF Performance Tools", published
48 by Addison Wesley (2019):
49
50 http://www.brendangregg.com/bpf-performance-tools-book.html
51
52 See the book for more documentation on this tool.
53
54 This version is in the bpftrace repository:
55
56 https://github.com/iovisor/bpftrace
57
58 Also look in the bpftrace distribution for a companion _examples.txt
59 file containing example usage, output, and commentary for this tool.
60
62 Linux
63
65 Unstable - in development.
66
68 Brendan Gregg
69
71 execsnoop.bt(8)
72
73
74
75USER COMMANDS 2019-07-02 threadsnoop.bt(8)