bpftrace

bpftrace is kind of awesome. It lets you basically run event-driven logic at various “attachment points” in Linux, either in kernel or user space (depending on what your kernel was built with support for).

Resources:

Collection of bpftrace one-liners
bpftrace cheat sheet
bpftrace reference guide
My own blog which includes bpftrace basics

Glossary:

tracepoint - a stabilized (will not change between kernel versions) point of instrumentation within the kernel
kprobe - an unstable (can change between kernel versions) point of instrumentation within the kernel, typically a function name.
uprobe - an instrumentation point within a userspace application. Typically requires debug symbols to be present

Check your kernel config to see what’s supported:

1grep -E '^(# )?CONFIG_(UPROBE_EVENTS|KPROBE_EVENTS|TRACEPOINTS|TRACING|FTRACE|EVENT_TRACING)(=| is not set)' /boot/config-$(uname -r)

List kprobes, uprobes, tracepoints:

1sudo bpftrace -l 'kprobe:*' | wc -l
2sudo bpftrace -l 'tracepoint:*' | wc -l
3sudo bpftrace -l 'uprobe:/bin/bash:*' | wc -l

bash

Common Traits

Codex

Matt Oswalt

Title here

bpftrace