Playground for bpftrace and other eBPF/bcc learnings
# via https://github.com/iovisor/bpftrace/issues/642
# - need to install the snap with --devmode, otherwise bpftrace cannot read files
sudo snap install --devmode bpftrace
# via https://snapcraft.io/bpftrace
sudo snap connect bpftrace:system-trace
- AWK-like syntax
- attaches probes to code blocks, with optional filters like /pid == 12345/ or /arg2 > 16/
- built-in variables:
  - comm: process name
  - pid/tid/uid/gid/retval: what you'd expect
  - cgroup: cgroup id of the process
  - cpu: cpu id
  - $1..$N: positional params of the bpftrace program
  - full list
- can also access C struct members using '->' notation
  - eg 'str(args->filename)'
  - see (eg) /sys/kernel/debug/tracing/events/syscalls/sys_enter_open/format for the available vars for a given syscall
  - reference guide on this
- Lots of probes in distinct categories
  - probe categories
  - 'bpftrace -l' to list all
  - some are 'paired', with call entry and return, eg kprobe, kretprobe
- Has global (@) and scratch ($) variables, and global maps (@name[key])
  - 'thread local' variables provided by keying a map on 'tid', eg @start[tid]
  - reference guide on variables
- Bunch of useful bpftrace tools in the bpftrace github repo
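Added example (mine, not from the bpftrace repo) that ties the notes above together: a paired entry/exit tracepoint, a positional-parameter filter, tid-keyed maps as thread-local scratch, str() on a C struct member, and a histogram map. It assumes a kernel whose openat tracepoints expose args->filename and args->ret (check the format file noted above) and that $1 is the pid to filter on (0 or omitted = all pids).

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not part of the original notes.
// Usage: sudo bpftrace ./open_trace.bt [pid]   ($1 defaults to 0 = trace all pids)

BEGIN
{
    printf("Tracing openat()... pid filter = %d (0 = all). Ctrl-C to end.\n", $1);
}

// Entry probe: stash the filename pointer and start time in maps keyed on tid,
// which is how bpftrace gives you per-thread state across an entry/exit pair.
tracepoint:syscalls:sys_enter_openat
/$1 == 0 || pid == $1/
{
    @fname[tid] = args->filename;
    @start[tid] = nsecs;
}

// Exit probe: only fires for threads we saw enter, then pairs up the data.
tracepoint:syscalls:sys_exit_openat
/@start[tid]/
{
    $lat_us = (nsecs - @start[tid]) / 1000;
    $path = str(@fname[tid]);

    // Report opens under /etc: config reads are what a defender wants to see,
    // along with who did them and whether the open succeeded (ret < 0 = error).
    if (strncmp($path, "/etc/", 5) == 0) {
        printf("%-16s pid=%-6d uid=%-5d ret=%-4d %s\n",
               comm, pid, uid, args->ret, $path);
        @etc_opens[comm, uid] = count();
    }

    // Per-command latency histogram, printed automatically at exit.
    @lat_us[comm] = hist($lat_us);

    delete(@start[tid]);
    delete(@fname[tid]);
}

END
{
    // Drop the scratch maps so only @etc_opens and @lat_us are printed.
    clear(@start);
    clear(@fname);
}
```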