https://besterry.com/tags/bpf/Recent content in Bpf on Besterry — Linux & DevOps NotesHugoen-usThu, 02 May 2024 00:00:00 +0000https://besterry.com/posts/bpftrace-oneliners/Thu, 02 May 2024 00:00:00 +0000https://besterry.com/posts/bpftrace-oneliners/<p>bpftrace makes the kernel event space accessible from a bash one-liner. Here are the scripts I keep reaching for.</p> <h2 id="count-syscalls-by-process">Count syscalls by process</h2> <pre><code>bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }' </code></pre> <h2 id="distribution-of-file-read-sizes">Distribution of file read sizes</h2> <pre><code>bpftrace -e 'tracepoint:syscalls:sys_enter_read { @ = hist(args-&gt;count); }' </code></pre> <h2 id="tcp-retransmissions-by-remote-address">TCP retransmissions by remote address</h2> <pre><code>bpftrace -e ' kprobe:tcp_retransmit_skb { $sk = (struct sock *)arg0; $daddr = $sk-&gt;__sk_common.skc_daddr; @[ntop($daddr)] = count(); }' </code></pre> <h2 id="process-creation-stream">Process creation stream</h2> <pre><code>bpftrace -e 'tracepoint:sched:sched_process_exec { printf(&quot;%s\n&quot;, str(args-&gt;filename)); }' </code></pre> <h2 id="when-to-use-bpftrace-vs-perf-vs-strace">When to use bpftrace vs perf vs strace</h2> <ul> <li>strace: simple, but adds significant overhead. Fine for debugging a single misbehaving process.</li> <li>perf: best for sampling-based profiling (CPU time, cache misses). Low overhead.</li> <li>bpftrace: best for event-driven tracing across the whole system. Tiny overhead if used sparingly.</li> </ul> <p>All three should be in your toolbox.</p>