Linux command
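bpftrace command
Security
This command needs elevated privileges or can significantly affect the system; verify the target before running it.
Common examples
List all available probes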
sudo bpftrace -l
Count system calls by process name
sudo bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'
Run a bpftrace program from a file
sudo bpftrace [path/to/file]
Count system calls made by PID 123
sudo bpftrace -e 'tracepoint:raw_syscalls:sys_enter /pid == 123/ { @[comm] = count(); }'
Trace a child
sudo bpftrace -c '[command]' -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'
Dry run
sudo bpftrace --dry-run -e '[one_line_program]'
Write output
sudo bpftrace -o [output.txt] -e '[one_line_program]'
Display version information
bpftrace -V
Description
bpftrace is a high-level tracing language for Linux eBPF. It provides a powerful scripting interface for kernel and userspace tracing, similar to DTrace on other Unix systems. Programs can attach to tracepoints, kprobes, uprobes, and other probe types to collect and aggregate data about system behavior in real-time.
Options
- -l _SEARCH_: List probes matching a search pattern (supports wildcards)
- -e _program_: Execute a one-liner program
- -d _STAGE_: Produce debug output for a given compilation stage (ast, codegen, dis, verifier, etc.)
- --dry-run: Validate and compile the program without attaching probes
- -p _PID_: Attach to process or filter actions by PID
- -c _COMMAND_: Run command as a child process; bpftrace exits when it terminates
- -o _FILENAME_: Write tracing output to file instead of stdout
- -f _FORMAT_: Output format: `text` (default) or `json`
- -B _MODE_: Buffer mode for output: `none`, `line` (default), or `full`
- -I _DIR_: Add directory to the C header search path (repeatable)
- -v: Verbose output
- -q: Quiet mode; suppress non-error messages
- -V, --version: Display version information
- --unsafe: Allow unsafe operations like `system()` calls
- --info: Print information about kernel features and bpftrace build
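The `-f json` and `-o` options make the syscall-count one-liner above usable as input to a triage script. The following is an added example, not part of the original page or of bpftrace itself: it parses a constructed sample of that output, ranks processes by syscall volume and lists process names missing from a baseline. The record shape (one JSON object per line with `type` and `data`) and the baseline set are assumptions.

```python
import json

# Constructed sample of what
#   sudo bpftrace -f json -o out.json -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'
# might write. The record layout is an assumption about bpftrace's JSON output.
SAMPLE = """\
{"type": "attached_probes", "data": {"probes": 1}}
{"type": "map", "data": {"@total": 2012}}
{"type": "map", "data": {"@": {"sshd": 412, "bash": 97, "cron": 3, "curl": 1500}}}
{"type": "map", "data": {"@": {"sshd": 41
"""

def syscall_counts(text, map_name="@"):
    """Return {comm: count} from the 'map' records for map_name.

    A later record overrides an earlier one for the same key, because
    repeated prints of a map are cumulative snapshots.
    """
    counts = {}
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line (e.g. output cut off mid-write)
        if not isinstance(rec, dict) or rec.get("type") != "map":
            continue
        data = rec.get("data")
        entries = data.get(map_name) if isinstance(data, dict) else None
        if not isinstance(entries, dict):
            continue  # a scalar map such as @total, or a different map
        for comm, n in entries.items():
            if isinstance(n, int) and not isinstance(n, bool):
                counts[comm] = n
    return counts

def top_talkers(text, n=3):
    """The n process names with the most syscalls, busiest first."""
    return sorted(syscall_counts(text).items(), key=lambda kv: -kv[1])[:n]

def unexpected(text, baseline):
    """Process names seen in the trace that are not in the baseline set."""
    return sorted(c for c in syscall_counts(text) if c not in baseline)

if __name__ == "__main__":
    for comm, n in top_talkers(SAMPLE):
        print(f"{comm:16} {n}")
    # Hypothetical baseline of process names expected on this host.
    print("not in baseline:", unexpected(SAMPLE, {"sshd", "bash", "cron"}))
```

Process names come from `comm`, which a process can set for itself, so treat a baseline match as a hint rather than proof of identity.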
FAQ
How do I run a basic bpftrace example?
Run `sudo bpftrace -l` in a terminal, then adjust file names, paths, flags, or remote targets for your system.