1BPFTRACE(8)                 System Manager's Manual                BPFTRACE(8)
2
3
4

NAME

6       bpftrace - the eBPF tracing language & frontend
7

SYNOPSIS

9       bpftrace [OPTIONS] FILE
10       bpftrace [OPTIONS] -e 'program code'
11

DESCRIPTION

13       bpftrace  is  a high-level tracing language for Linux enhanced Berkeley
14       Packet Filter (eBPF) available in recent Linux kernels (4.x).
15
16       bpftrace uses:
17
18LLVM as a backend to compile scripts to BPF-bytecode
19
20BCC for interacting with the Linux BPF system
21
22
23
24       As well as the existing Linux tracing capabilities:
25
26       ┌─────────┬─────────────┬──────────────┐
27       │         │   kernel    │   userland   │
28       ├─────────┼─────────────┼──────────────┤
29       │ static  │ tracepointsUSDT* probes │
30       ├─────────┼─────────────┼──────────────┤
31       │ dynamic │   kprobesuprobes
32       └─────────┴─────────────┴──────────────┘
33       *USDT = user-level statically defined tracing
34
35       The bpftrace language is inspired by awk and C, and predecessor tracers
36       such as DTrace and SystemTap.
37
38       See EXAMPLES and ONELINERS if you are impatient.
39       See  PROBE  TYPES  and  BUILTINS (variables/functions) for the bpftrace
40       language elements.
41

OPTIONS

43       -B MODE
44              The buffering mode to be used for output ('full', 'none').
45
46       -c CMD Helper to run CMD. Equivalent to manually running CMD  and  then
47              giving  passing  the  PID to -p. This is useful to ensure you've
48              traced at least the duration CMD's execution.
49
50       -d     Debug info dry run.
51
52       -dd    Verbose Debug info dry run.
53
54       -e 'PROGRAM'
55              Execute PROGRAM.
56
57       -f FORMAT
58              The format to be used for output ('text'. 'json').
59
60       -h | --help
61              Show help message.
62
63       -I DIR Add the directory to the INCLUDE search path.
64
65       --include FILE
66              Add a #include file before preprocessing.
67
68       --info Print information about kernel BPF support.
69
70       -k     Emit a warning when a bpf helper returns an error  (except  read
71              functions).
72
73       -kk    Check all bpf helper functions.
74
75       -l [searchterm]
76              List probes.
77
78       -o FILE
79              Redirect bpftrace output to file.
80
81       -p PID Enable USDT probes on PID. Will terminate bpftrace on PID termi‐
82              nation. Note this is not a global PID filter on probes.
83
84       --unsafe
85              Enable unsafe builtin functions. By default,  bpftrace  runs  in
86              safe mode. Safe mode ensure programs cannot modify system state.
87              Unsafe builtin functions are marked as such in  BUILTINS  (func‐
88              tions).
89
90       --usdt-file-activation
91              Activate usdt semaphores based on file path..
92
93       -v     Verbose messages.
94
95       -V | --version
96              Print version of bpftrace.
97

EXAMPLES

99       bpftrace -l '*sleep*'
100              List probes containing "sleep".
101
102       bpftrace -e 'kprobe:do_nanosleep { printf("PID %d sleeping\n", pid); }'
103              Trace processes calling sleep.
104
105       bpftrace  -c  'sleep 5' -e 'kprobe:do_nanosleep { printf("PID %d sleep‐
106       ing\n", pid); }'
107              run "sleep 5" in a new process and then trace processes  calling
108              sleep.
109
110       bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm]=count(); }'
111              Count syscalls by process name.
112

ONELINERS

114       For brevity, just the the actual BPF code is shown below.
115       Usage: bpftrace -e 'bpf-code'
116
117       New processes with arguments:
118              tracepoint:syscalls:sys_enter_execve { join(args->argv); }
119
120       Files opened by process:
121              tracepoint:syscalls:sys_enter_open  {  printf("%s  %s\n",  comm,
122              str(args->filename)); }
123
124       Syscall count by program:
125              tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }
126
127       Syscall count by syscall:
128              tracepoint:syscalls:sys_enter_* { @[probe] = count(); }
129
130       Syscall count by process:
131              tracepoint:raw_syscalls:sys_enter { @[pid, comm] = count(); }
132
133       Read bytes by process:
134              tracepoint:syscalls:sys_exit_read  /args->ret/   {   @[comm]   =
135              sum(args->ret); }
136
137       Read size distribution by process:
138              tracepoint:syscalls:sys_exit_read { @[comm] = hist(args->ret); }
139
140       Disk size by process:
141              tracepoint:block:block_rq_issue  {  printf("%d  %s  %d\n",  pid,
142              comm, args->bytes); }
143
144       Pages paged in by process:
145              software:major-faults:1 { @[comm] = count(); }
146
147       Page faults by process:
148              software:faults:1 { @[comm] = count(); }
149
150       Profile user-level stacks at 99 Hertz, for PID 189:
151              profile:hz:99 /pid == 189/ { @[ustack] = count(); }
152

PROBE TYPES

154   KPROBES
155       Attach a bpftrace script to a kernel function, to be executed when that
156       function is called:
157
158       kprobe:vfs_read { ... }
159
160   UPROBES
161       Attach script to a userland function:
162
163       uprobe:/bin/bash:readline { ... }
164
165   TRACEPOINTS
166       Attach script to a statically defined tracepoint in the kernel:
167
168       tracepoint:sched:sched_switch { ... }
169
170       Tracepoints are guaranteed to be stable between kernel versions, unlike
171       kprobes.
172
173   SOFTWARE
174       Attach script to kernel software events, executing once every  provided
175       count or use a default:
176
177       software:faults:100 software:faults:
178
179   HARDWARE
180       Attach  script to hardware events (PMCs), executing once every provided
181       count or use a default:
182
183       hardware:cache-references:1000000 hardware:cache-references:
184
185   PROFILE
186       Run the script on all CPUs at specified time intervals:
187
188       profile:hz:99 { ... }
189
190       profile:s:1 { ... }
191
192       profile:ms:20 { ... }
193
194       profile:us:1500 { ... }
195
196   INTERVAL
197       Run the script once per interval, for printing interval output:
198
199       interval:s:1 { ... }
200
201       interval:ms:20 { ... }
202
203   MULTIPLE ATTACHMENT POINTS
204       A single probe can be attached to multiple events:
205
206       kprobe:vfs_read,kprobe:vfs_write { ... }
207
208   WILDCARDS
209       Some probe types allow wildcards to be used when attaching a probe:
210
211       kprobe:vfs_* { ... }
212
213   PREDICATES
214       Define conditions for which a probe should be executed:
215
216       kprobe:sys_open / uid == 0 / { ... }
217

BUILTINS

219       The following variables and functions are available for use in bpftrace
220       scripts:
221
222   VARIABLES
223       pid    Process ID (kernel tgid)
224
225       tid    Thread ID (kernel pid)
226
227       cgroup Cgroup ID of the current process
228
229       uid    User ID
230
231       gid    Group ID
232
233       nsecs  Nanosecond timestamp
234
235       elapsed
236              Nanoseconds since bpftrace initialization
237
238       cpu    Processor ID
239
240       comm   Process name
241
242       kstack Kernel stack trace
243
244       ustack User stack trace
245
246       arg0, arg1, ... etc.
247              Arguments to the function being traced
248
249       retval Return value from function being traced
250
251       func   Name of the function currently being traced
252
253       probe  Full name of the probe
254
255       curtask
256              Current task_struct as a u64.
257
258       rand   Random number of type u32.
259
260   FUNCTIONS
261       hist(int n)
262              Produce a log2 histogram of values of n
263
264       lhist(int n, int min, int max, int step)
265              Produce a linear histogram of values of n
266
267       count()
268              Count the number of times this function is called
269
270       sum(int n)
271              Sum this value
272
273       min(int n)
274              Record the minimum value seen
275
276       max(int n)
277              Record the maximum value seen
278
279       avg(int n)
280              Average this value
281
282       stats(int n)
283              Return the count, average, and total for this value
284
285       delete(@x)
286              Delete the map element passed in as an argument
287
288       str(char *s)
289              Returns the string pointed to by s
290
291       printf(char *fmt, ...)
292              Print formatted to stdout
293
294       print(@x[, int top [, int div]])
295              Print a map, with optional top entry count and divisor
296
297       clear(@x)
298              Delete all key/values from a map
299
300       ksym(void *p)
301              Resolve kernel address
302
303       usym(void *p)
304              Resolve user space address
305
306       kaddr(char *name)
307              Resolve kernel symbol name
308
309       uaddr(char *name)
310              Resolve user space symbol name
311
312       reg(char *name)
313              Returns the value stored in the named register
314
315       join(char *arr[])
316              Prints the string array
317
318       time(char *fmt)
319              Print the current time
320
321       cat(char *filename)
322              Print file content
323
324       ntop([int af, ]int|char[4|16] addr)
325              Convert IP address data to text
326
327       system(char *fmt) (unsafe)
328              Execute shell command
329
330       exit() Quit bpftrace
331
332       kstack([StackMode mode, ][int level])
333              Kernel stack trace
334
335       ustack([StackMode mode, ][int level])
336              User stack trace
337

FURTHER READING

339       The official documentation can be found here:
340       https://github.com/iovisor/bpftrace/blob/master/docs
341

HISTORY

343       The first official talk by Alastair on bpftrace happened at the Tracing
344       Summit in Edinburgh, Oct 25th 2018.
345

AUTHOR

347       Created by Alastair Robertson.
348       Manpage by Stephan Schuberth.
349

SEE ALSO

351       man -k bcc,  after  having  installed  the  bpfcc-tools  package  under
352       Ubuntu.
353

CONTRIBUTING

355       Prior to contributing new tools, read the official checklist at:
356       https://github.com/iovisor/bpftrace/blob/master/CONTRIBUTING-TOOLS.md
357
358
359
360                                 October 2018                      BPFTRACE(8)
Impressum