1trace(8) System Manager's Manual trace(8)
2
6 trace - Trace a function and print its arguments or return value, op‐
7 tionally evaluating a filter. Uses Linux eBPF/bcc.
8
10 trace [-h] [-b BUFFER_PAGES] [-p PID] [-L TID] [--uid UID] [-v] [-Z
11 STRING_SIZE] [-S] [-s SYM_FILE_LIST]
12 [-M MAX_EVENTS] [-t] [-u] [-T] [-C] [-K] [-U] [-a] [-I header]
13 [-A]
14 probe [probe ...]
15
17 trace probes functions you specify and displays trace messages if a
18 particular condition is met. You can control the message format to dis‐
19 play function arguments and return values.
20 Since this uses BPF, only the root user can use this tool.
22
24 CONFIG_BPF and bcc.
25
27 -h Print usage message.
28 -p PID Trace only functions in the process PID.
30 -L TID Trace only functions in the thread TID.
32 --uid UID
34 Trace only functions from user UID.
35 -v Display the generated BPF program, for debugging purposes.
37 -z STRING_SIZE
39 When collecting string arguments (of type char*), collect up to
40 STRING_SIZE characters. Longer strings will be truncated.
41 -s SYM_FILE_LIST
43 When collecting stack trace in build id format, use the coma
44 separated list for symbol resolution.
45 -S If set, trace messages from trace's own process. By default,
47 this is off to avoid tracing storms -- for example, if you trace
48 the write system call, and consider that trace is writing to the
49 standard output.
50 -M MAX_EVENTS
52 Print up to MAX_EVENTS trace messages and then exit.
53 -t Print times relative to the beginning of the trace (offsets), in
55 seconds.
56 -u Print UNIX timestamps instead of offsets from trace beginning,
58 requires -t.
59 -T Print the time column.
61 -C Print CPU id.
63 -c CGROUP_PATH
65 Trace only functions in processes under CGROUP_PATH hierarchy.
66 -n NAME
68 Only print process names containing this name.
69 -f MSG_FILTER
71 Only print message of event containing this string.
72 -B Treat argument of STRCMP helper as a binary value
74 -K Print the kernel stack for each event.
76 -U Print the user stack for each event. -a Print virtual address
78 in kernel and user stacks.
79 -I header
81 Additional header files to include in the BPF program. This is
82 needed if your filter or print expressions use types or data
83 structures that are not available in the standard headers. For
84 example: 'linux/mm.h'
85 -A Print aggregated amount of each trace. This should be used with
87 -M/--max-events together.
88 probe [probe ...]
90 One or more probes that attach to functions, filter conditions,
91 and print information. See PROBE SYNTAX below.
92
94 The general probe syntax is as follows:
95 [{p,r}]:[library]:function[+offset][(signature)] [(predicate)] ["format
97 string"[, arguments]]
98 {t:category:event,u:library:probe} [(predicate)] ["format string"[, ar‐
100 guments]]
101 {[{p,r}],t,u}
103 Probe type - "p" for function entry, "r" for function return,
104 "t" for kernel tracepoint, "u" for USDT probe. The default probe
105 type is "p".
106 [library]
108 Library containing the probe. Specify the full path to the .so
109 or executable file where the function to probe resides. Alterna‐
110 tively, you can specify just the lib name: for example, "c"
111 refers to libc. If no library name is specified, the kernel is
112 assumed. Also, you can specify an executable name (without a
113 full path) if it is in the PATH. For example, "bash".
114 category
116 The tracepoint category. For example, "sched" or "irq".
117 function
119 The function to probe. offset The offset after the address of
120 the function where the probe should injected. For example
121 "kfree_skb+56" in decimal or hexadecimal "kfree_skb+0x38" for‐
122 mat. Only works with kprobes and uprobes. Zero if omitted.
123 signature
125 The optional signature of the function to probe. This can make
126 it easier to access the function's arguments, instead of using
127 the "arg1", "arg2" etc. argument specifiers. For example,
128 "(struct timespec *ts)" in the signature position lets you use
129 "ts" in the filter or print expressions.
130 event The tracepoint event. For example, "block_rq_complete".
132 probe The USDT probe name. For example, "pthread_create".
134 [(predicate)]
136 The filter applied to the captured data. Only if the filter
137 evaluates as true, the trace message will be printed. The filter
138 can use any valid C expression that refers to the argument val‐
139 ues: arg1, arg2, etc., or to the return value retval in a return
140 probe. If necessary, use C cast operators to coerce the argu‐
141 ments to the desired type. For example, if arg1 is of type int,
142 use the expression ((int)arg1 < 0) to trace only invocations
143 where arg1 is negative. Note that only arg1-arg6 are supported,
144 and only if the function is using the standard x86_64 convention
145 where the first six arguments are in the RDI, RSI, RDX, RCX, R8,
146 R9 registers. If no predicate is specified, all function invoca‐
147 tions are traced.
148 The predicate expression may also use the STRCMP pseudo-function
150 to compare a predefined string to a string argument. For exam‐
151 ple: STRCMP("test", arg1). The order of arguments is important:
152 the first argument MUST be a quoted literal string, and the sec‐
153 ond argument can be a runtime string, most typically an argu‐
154 ment.
155 ["format string"[, arguments]]
157 A printf-style format string that will be used for the trace
158 message. You can use the following format specifiers: %s, %d,
159 %u, %lld, %llu, %hd, %hu, %c, %x, %llx -- with the same seman‐
160 tics as printf's. Make sure to pass the exact number of argu‐
161 ments as there are placeholders in the format string. The format
162 specifier replacements may be any C expressions, and may refer
163 to the same special keywords as in the predicate (arg1, arg2,
164 etc.).
165 In addition to the above format specifiers, you can also use %K
167 and %U when the expression is an address that potentially points
168 to executable code (i.e., a symbol). trace will resolve %K spec‐
169 ifiers to a kernel symbol, such as vfs__read, and will resolve
170 %U specifiers to a user-space symbol in that process, such as
171 sprintf.
172 In tracepoints, both the predicate and the arguments may refer
174 to the tracepoint format structure, which is stored in the spe‐
175 cial "args" variable. For example, the block:block_rq_complete
176 tracepoint can print or filter by args->nr_sector. To discover
177 the format of your tracepoint, use the tplist tool.
178 In USDT probes, the arg1, ..., argN variables refer to the
180 probe's arguments. To determine which arguments your probe has,
181 use the tplist tool.
182 The predicate expression and the format specifier replacements
184 for printing may also use the following special keywords: $pid,
185 $tgid to refer to the current process' pid and tgid; $uid, $gid
186 to refer to the current user's uid and gid; $cpu to refer to the
187 current processor number.
188
190 Trace all invocations of the open system call with the name of the file
191 (from userspace) being opened:
192 # trace '::do_sys_open "%s", arg2@user'
193 Trace all invocations of the read system call where the number of bytes
195 requested is greater than 20,000:
196 # trace '::sys_read (arg3 > 20000) "read %d bytes", arg3'
197 Trace all malloc calls and print the size of the requested allocation:
199 # trace ':c:malloc "size = %d", arg1'
200 Trace returns from the readline function in bash and print the return
202 value as a string:
203 # trace 'r:bash:readline "%s", retval'
204 Trace the block:block_rq_complete tracepoint and print the number of
206 sectors completed:
207 # trace 't:block:block_rq_complete "%d sectors", args->nr_sec‐
208 tor'
209 Trace the pthread_create USDT probe from the pthread library and print
211 the address of the thread's start function:
212 # trace 'u:pthread:pthread_create "start addr = %llx", arg3'
213 Trace the nanosleep system call and print the sleep duration in
215 nanoseconds:
216 # trace 'p::SyS_nanosleep(struct timespec *ts) sleep for %lld ns
217 , ts->tv_nsec'
218 Trace the inet_pton system call using build id mechanism and print the
220 stack
221 # trace -s /lib/x86_64-linux-gnu/libc.so.6,/bin/ping
222 'p:c:inet_pton' -U
223
225 This is from bcc.
226 https://github.com/iovisor/bcc
228 Also look in the bcc distribution for a companion _examples.txt file
230 containing example usage, output, and commentary for this tool.
231
233 Linux
234
236 Unstable - in development.
237
239 Sasha Goldshtein
240USER COMMANDS 2016-02-18 trace(8)