1trace(8) System Manager's Manual trace(8)
2
6 trace - Trace a function and print its arguments or return value, op‐
7 tionally evaluating a filter. Uses Linux eBPF/bcc.
8
10 trace [-h] [-b BUFFER_PAGES] [-p PID] [-L TID] [--uid UID] [-v] [-Z
11 STRING_SIZE] [-S] [-s SYM_FILE_LIST]
12 [-M MAX_EVENTS] [-t] [-u] [-T] [-C] [-K] [-U] [-a] [-I header]
13 [-A]
14 probe [probe ...]
15
17 trace probes functions you specify and displays trace messages if a
18 particular condition is met. You can control the message format to dis‐
19 play function arguments and return values.
20 Since this uses BPF, only the root user can use this tool.
22
24 CONFIG_BPF and bcc.
25
27 -h Print usage message.
28 -p PID Trace only functions in the process PID.
30 -L TID Trace only functions in the thread TID.
32 --uid UID
34 Trace only functions from user UID.
35 -v Display the generated BPF program, for debugging purposes.
37 -z STRING_SIZE
39 When collecting string arguments (of type char*), collect up to
40 STRING_SIZE characters. Longer strings will be truncated.
41 -s SYM_FILE_LIST
43 When collecting stack trace in build id format, use the comma
44 separated list for symbol resolution.
45 -S If set, trace messages from trace's own process. By default,
47 this is off to avoid tracing storms -- for example, if you trace
48 the write system call, and consider that trace is writing to the
49 standard output.
50 -M MAX_EVENTS
52 Print up to MAX_EVENTS trace messages and then exit.
53 -t Print times relative to the beginning of the trace (offsets), in
55 seconds.
56 -u Print UNIX timestamps instead of offsets from trace beginning,
58 requires -t.
59 -T Print the time column.
61 -C Print CPU id.
63 -c CGROUP_PATH
65 Trace only functions in processes under CGROUP_PATH hierarchy.
66 -n NAME
68 Only print process names containing this name.
69 -f MSG_FILTER
71 Only print message of event containing this string.
72 -B Treat argument of STRCMP helper as a binary value
74 -K Print the kernel stack for each event.
76 -U Print the user stack for each event.
78 -a Print virtual address in kernel and user stacks.
80 -I header
82 Additional header files to include in the BPF program. This is
83 needed if your filter or print expressions use types or data
84 structures that are not available in the standard headers. For
85 example: 'linux/mm.h'
86 -A Print aggregated amount of each trace. This should be used with
88 -M/--max-events together.
89 probe [probe ...]
91 One or more probes that attach to functions, filter conditions,
92 and print information. See PROBE SYNTAX below.
93
95 The general probe syntax is as follows:
96 [{p,r}]:[library]:function[+offset][(signature)] [(predicate)] ["format
98 string"[, arguments]]
99 {t:category:event,u:library:probe} [(predicate)] ["format string"[, ar‐
101 guments]]
102 {[{p,r}],t,u}
104 Probe type - "p" for function entry, "r" for function return,
105 "t" for kernel tracepoint, "u" for USDT probe. The default probe
106 type is "p".
107 [library]
109 Library containing the probe. Specify the full path to the .so
110 or executable file where the function to probe resides. Alterna‐
111 tively, you can specify just the lib name: for example, "c"
112 refers to libc. If no library name is specified, the kernel is
113 assumed. Also, you can specify an executable name (without a
114 full path) if it is in the PATH. For example, "bash".
115 category
117 The tracepoint category. For example, "sched" or "irq".
118 function
120 The function to probe. offset The offset after the address of
121 the function where the probe should injected. For example
122 "kfree_skb+56" in decimal or hexadecimal "kfree_skb+0x38" for‐
123 mat. Only works with kprobes and uprobes. Zero if omitted.
124 signature
126 The optional signature of the function to probe. This can make
127 it easier to access the function's arguments, instead of using
128 the "arg1", "arg2" etc. argument specifiers. For example,
129 "(struct timespec *ts)" in the signature position lets you use
130 "ts" in the filter or print expressions.
131 event The tracepoint event. For example, "block_rq_complete".
133 probe The USDT probe name. For example, "pthread_create".
135 [(predicate)]
137 The filter applied to the captured data. Only if the filter
138 evaluates as true, the trace message will be printed. The filter
139 can use any valid C expression that refers to the argument val‐
140 ues: arg1, arg2, etc., or to the return value retval in a return
141 probe. If necessary, use C cast operators to coerce the argu‐
142 ments to the desired type. For example, if arg1 is of type int,
143 use the expression ((int)arg1 < 0) to trace only invocations
144 where arg1 is negative. Note that only arg1-arg6 are supported,
145 and only if the function is using the standard x86_64 convention
146 where the first six arguments are in the RDI, RSI, RDX, RCX, R8,
147 R9 registers. If no predicate is specified, all function invoca‐
148 tions are traced.
149 The predicate expression may also use the STRCMP pseudo-function
151 to compare a predefined string to a string argument. For exam‐
152 ple: STRCMP("test", arg1). The order of arguments is important:
153 the first argument MUST be a quoted literal string, and the sec‐
154 ond argument can be a runtime string, most typically an argu‐
155 ment.
156 ["format string"[, arguments]]
158 A printf-style format string that will be used for the trace
159 message. You can use the following format specifiers: %s, %d,
160 %u, %lld, %llu, %hd, %hu, %c, %x, %llx -- with the same seman‐
161 tics as printf's. Make sure to pass the exact number of argu‐
162 ments as there are placeholders in the format string. The format
163 specifier replacements may be any C expressions, and may refer
164 to the same special keywords as in the predicate (arg1, arg2,
165 etc.).
166 In addition to the above format specifiers, you can also use %K
168 and %U when the expression is an address that potentially points
169 to executable code (i.e., a symbol). trace will resolve %K spec‐
170 ifiers to a kernel symbol, such as vfs__read, and will resolve
171 %U specifiers to a user-space symbol in that process, such as
172 sprintf.
173 In tracepoints, both the predicate and the arguments may refer
175 to the tracepoint format structure, which is stored in the spe‐
176 cial "args" variable. For example, the block:block_rq_complete
177 tracepoint can print or filter by args->nr_sector. To discover
178 the format of your tracepoint, use the tplist tool.
179 In USDT probes, the arg1, ..., argN variables refer to the
181 probe's arguments. To determine which arguments your probe has,
182 use the tplist tool.
183 The predicate expression and the format specifier replacements
185 for printing may also use the following special keywords: $pid,
186 $tgid to refer to the current process' pid and tgid; $uid, $gid
187 to refer to the current user's uid and gid; $cpu to refer to the
188 current processor number.
189
191 Trace all invocations of the open system call with the name of the file
192 (from userspace) being opened:
193 # trace '::do_sys_open "%s", arg2@user'
194 Trace all invocations of the read system call where the number of bytes
196 requested is greater than 20,000:
197 # trace '::sys_read (arg3 > 20000) "read %d bytes", arg3'
198 Trace all malloc calls and print the size of the requested allocation:
200 # trace ':c:malloc "size = %d", arg1'
201 Trace returns from the readline function in bash and print the return
203 value as a string:
204 # trace 'r:bash:readline "%s", retval'
205 Trace the block:block_rq_complete tracepoint and print the number of
207 sectors completed:
208 # trace 't:block:block_rq_complete "%d sectors", args->nr_sec‐
209 tor'
210 Trace the pthread_create USDT probe from the pthread library and print
212 the address of the thread's start function:
213 # trace 'u:pthread:pthread_create "start addr = %llx", arg3'
214 Trace the nanosleep system call and print the sleep duration in
216 nanoseconds:
217 # trace 'p::SyS_nanosleep(struct timespec *ts) sleep for %lld ns
218 , ts->tv_nsec'
219 Trace the inet_pton system call using build id mechanism and print the
221 stack
222 # trace -s /lib/x86_64-linux-gnu/libc.so.6,/bin/ping
223 'p:c:inet_pton' -U
224
226 This is from bcc.
227 https://github.com/iovisor/bcc
229 Also look in the bcc distribution for a companion _examples.txt file
231 containing example usage, output, and commentary for this tool.
232
234 Linux
235
237 Unstable - in development.
238
240 Sasha Goldshtein
241USER COMMANDS 2016-02-18 trace(8)