bpftrace makes the kernel's tracepoints, kprobes and perf events reachable from a shell one-liner. Here are the scripts I keep reaching for. All of them need root (or the BPF capabilities), run until you hit Ctrl-C, and print any maps they built on exit.

Count syscalls by process name

bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'

The key is comm, the 16-byte task name, so two processes with the same name are merged into one row; add pid to the key if you need them apart. raw_syscalls:sys_enter fires on every syscall system-wide, which makes this the highest-rate probe on this page; keep it to the short aggregation shown, not a printf per event.

Distribution of requested read sizes

bpftrace -e 'tracepoint:syscalls:sys_enter_read { @ = hist(args->count); }'

This is a power-of-two histogram of the buffer size the caller asked for, on every read(), whether the fd is a file, socket or pipe. The number of bytes actually returned is only known at sys_exit_read, in args->ret, so a short read or an error shows up here at the requested size.

TCP retransmissions by remote address

bpftrace -e '
kprobe:tcp_retransmit_skb {
    $sk = (struct sock *)arg0;
    $daddr = $sk->__sk_common.skc_daddr;
    @[ntop($daddr)] = count();
}'

This hooks an internal kernel function, so it needs the struct sock definition to resolve (BTF on modern kernels, otherwise kernel headers) and can silently break when the function's signature changes between releases. skc_daddr is the IPv4 destination, so IPv6 peers are not reported meaningfully by this one-liner.

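The same count on the stable tcp:tcp_retransmit_skb tracepoint (kernel 4.16 and later), keyed by remote address and port and handling IPv6, added here as an example; it is not from the original post. It assumes BTF or kernel headers so that struct sock resolves, and hard-codes the AF_INET6 value since BTF does not carry macros.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * Added example, not from the original post: retransmits keyed by remote
 * [address, port] on the stable tcp:tcp_retransmit_skb tracepoint instead
 * of a kprobe. Assumes BTF or kernel headers so struct sock resolves.
 */
tracepoint:tcp:tcp_retransmit_skb
{
    $AF_INET6 = 10;                 // value of AF_INET6 from <linux/socket.h>
    $sk = (struct sock *)args->skaddr;

    // The tracepoint fills daddr (4 bytes) and daddr_v6 (16 bytes) and has
    // already converted dport to host byte order, so no bswap is needed.
    if ($sk->__sk_common.skc_family == $AF_INET6) {
        @retrans[ntop(args->daddr_v6), args->dport] = count();
    } else {
        @retrans[ntop(args->daddr), args->dport] = count();
    }
}

END
{
    printf("\nTop 10 remote [addr, port] by retransmits:\n");
    print(@retrans, 10);
    clear(@retrans);     // avoid a second, unsorted dump of the map on exit
}
```

Keying on port as well as address separates a flapping link (every port to a host retransmits) from one bad service, which is the first question you ask when a burst of retransmits shows up.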
Process creation stream

bpftrace -e 'tracepoint:sched:sched_process_exec { printf("%s\n", str(args->filename)); }'

sched_process_exec fires only once an exec has succeeded, so failed attempts (a missing binary, a path being brute-forced) never appear here; attempts, with their argv, are visible at tracepoint:syscalls:sys_enter_execve instead.

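A fuller exec monitor with the context an incident responder usually wants (parent pid, uid, the image that called exec, the full argv, and a per-uid baseline of what ran), added here as an example; it is not from the original post. It assumes bpftrace 0.12 or later for strftime, and dereferences curtask->real_parent, which needs BTF or the guarded kernel header to resolve.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * Added example, not from the original post: exec auditing with parent
 * context and argv. Assumes bpftrace >= 0.12 (strftime) and BTF; on kernels
 * without BTF the header below supplies struct task_struct.
 */
#ifndef BPFTRACE_HAVE_BTF
#include <linux/sched.h>
#endif

BEGIN
{
    printf("%-8s %-6s %-6s %-5s %-16s %s\n",
           "TIME", "PID", "PPID", "UID", "CALLER", "ARGS");
}

/*
 * Every execve() attempt, successful or not, with its argv. At this point
 * comm is still the old image, so CALLER is the shell or service that is
 * spawning the new process. execveat() is a separate tracepoint and is not
 * covered here.
 */
tracepoint:syscalls:sys_enter_execve
{
    $task = (struct task_struct *)curtask;
    printf("%-8s %-6d %-6d %-5d %-16s ", strftime("%H:%M:%S", nsecs),
           pid, $task->real_parent->tgid, uid, comm);
    join(args->argv);
}

/*
 * Successful execs only (the tracepoint the one-liner uses). Counting by
 * uid and path gives a quick baseline of what normally runs as whom.
 */
tracepoint:sched:sched_process_exec
{
    @execs[uid, str(args->filename)] = count();
}

END
{
    printf("\nSuccessful execs by [uid, path]:\n");
    print(@execs);
    clear(@execs);       // avoid a second dump of the map on exit
}
```

Run it with sudo and leave it attached; a line in the attempt stream with no matching entry in the final map is an exec that failed, which is often more interesting than the ones that worked.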
When to use bpftrace vs perf vs strace

  • strace: simple and installed everywhere, but it is ptrace-based, so every traced syscall stops the process and round-trips through the tracer; syscall-heavy code can run tens to hundreds of times slower. Fine for debugging a single misbehaving process, and the only one of the three you can use unprivileged on your own processes (subject to Yama ptrace_scope).
  • perf: best for sampling-based profiling (CPU time, cache misses, hardware counters). Overhead is low and bounded because it samples at a fixed rate instead of tracing every event.
  • bpftrace: best for event-driven tracing across the whole system; the program runs in-kernel and only aggregates cross to userspace. Overhead scales with event rate: a hist() on a rare probe is negligible, a printf() on raw_syscalls:sys_enter on a busy box is not. It needs root (or CAP_BPF and CAP_PERFMON on kernels 5.8 and later, plus access to tracefs), and kprobes attach to internal functions whose names and arguments change between kernel versions, so prefer a tracepoint whenever one exists.

All three should be in your toolbox.