BPF Compiler Collection (BCC)

BCC is a toolkit for creating efficient kernel tracing and manipulation programs and includes several useful tools and examples. It makes use of extended BPF (Berkeley Packet Filters), formally known as eBPF, a new feature that was first added to Linux 3.15. Much of what BCC uses requires Linux 4.1 and above.

eBPF was described by Ingo Molnár as:

One of the more interesting features in this cycle is the ability to attach eBPF programs (user-defined, sandboxed bytecode executed by the kernel) to kprobes. This allows user-defined instrumentation on a live kernel image that can never crash, hang or interfere with the kernel negatively.

BCC makes BPF programs easier to write, with kernel instrumentation in C (and includes a C wrapper around LLVM), and front-ends in Python and Lua. It is suited for many tasks, including performance analysis and network traffic control.

Changelog v0.28

• Support for kernel up to 6.3.
• new libbpf tool: tcppktlat.
• bcc tool updates: funcslower, wakeuptime, profile, offcputime, deadlock, funccount, argdist, kvmexit, runqlen and cpuunclaimed.
• libbpf tool update: memleak, tcprtt, tcpconnlat, funclatency, syscount, cpufreq, biosnoop.
• support ringbuf_query for bcc tools.
• handle ‘[uprobes]’ memory mapped file properly during stack tracing.
• Fix maximum allowed index for print_linear_hist for bcc tools.
• add module kfunc/kretfunc support.
• clang rewriter: initialize only the requested parameters
• filter with available_filter_functions to make multi-functions kprobes more robust for both bcc and libbpf tools.
• doc update, other bug fixes and tools improvement

Installing

Tutorials

• docs/tutorial.md: Using bcc tools to solve performance, troubleshooting, and networking issues.
• docs/tutorial_bcc_python_developer.md: Developing new bcc programs using the Python interface.

Tools:

• tools/argdist: Display function parameter values as a histogram or frequency count. Examples.
• tools/bashreadline: Print entered bash commands system wide. Examples.
• tools/biolatency: Summarize block device I/O latency as a histogram. Examples.
• tools/biotop: Top for disks: Summarize block device I/O by process. Examples.
• tools/biosnoop: Trace block device I/O with PID and latency. Examples.
• tools/bitesize: Show per process I/O size histogram. Examples.
• tools/bpflist: Display processes with active BPF programs and maps. Examples.
• tools/btrfsdist: Summarize btrfs operation latency distribution as a histogram. Examples.
• tools/btrfsslower: Trace slow btrfs operations. Examples.
• tools/capable: Trace security capability checks. Examples.
• tools/cachestat: Trace page cache hit/miss ratio. Examples.
• tools/cachetop: Trace page cache hit/miss ratio by processes. Examples.
• tools/cpudist: Summarize on- and off-CPU time per task as a histogram. Examples
• tools/cpuunclaimed: Sample CPU run queues and calculate unclaimed idle CPU. Examples
• tools/dbslower: Trace MySQL/PostgreSQL queries slower than a threshold. Examples.
• tools/dbstat: Summarize MySQL/PostgreSQL query latency as a histogram. Examples.
• tools/dcsnoop: Trace directory entry cache (dcache) lookups. Examples.
• tools/dcstat: Directory entry cache (dcache) stats. Examples.
• tools/deadlock_detector: Detect potential deadlocks on a running process. Examples.
• tools/execsnoop: Trace new processes via exec() syscalls. Examples.
• tools/ext4dist: Summarize ext4 operation latency distribution as a histogram. Examples.
• tools/ext4slower: Trace slow ext4 operations. Examples.
• tools/filelife: Trace the lifespan of short-lived files. Examples.
• tools/fileslower: Trace slow synchronous file reads and writes. Examples.
• tools/filetop: File reads and writes by filename and process. Top for files. Examples.
• tools/funccount: Count kernel function calls. Examples.
• tools/funclatency: Time functions and show their latency distribution. Examples.
• tools/funcslower: Trace slow kernel or user function calls. Examples.
• tools/gethostlatency: Show latency for getaddrinfo/gethostbyname[2] calls. Examples.
• tools/hardirqs: Measure hard IRQ (hard interrupt) event time. Examples.
• tools/killsnoop: Trace signals issued by the kill() syscall. Examples.
• tools/llcstat: Summarize CPU cache references and misses by process. Examples.
• tools/mdflush: Trace md flush events. Examples.
• tools/mysqld_qslower: Trace MySQL server queries slower than a threshold. Examples.
• tools/memleak: Display outstanding memory allocations to find memory leaks. Examples.
• tools/nfsslower: Trace slow NFS operations. Examples.
• tools/nfsdist: Summarize NFS operation latency distribution as a histogram. Examples.
• tools/offcputime: Summarize off-CPU time by kernel stack trace. Examples.
• tools/offwaketime: Summarize blocked time by kernel off-CPU stack and waker stack. Examples.
• tools/oomkill: Trace the out-of-memory (OOM) killer. Examples.
• tools/opensnoop: Trace open() syscalls. Examples.
• tools/pidpersec: Count new processes (via fork). Examples.
• tools/profile: Profile CPU usage by sampling stack traces at a timed interval. Examples.
• tools/reset-trace: Reset the state of tracing. Maintenance tool only. Examples.
• tools/runqlat: Run queue (scheduler) latency as a histogram. Examples.
• tools/runqlen: Run queue length as a histogram. Examples.
• tools/slabratetop: Kernel SLAB/SLUB memory cache allocation rate top. Examples.
• tools/softirqs: Measure soft IRQ (soft interrupt) event time. Examples.
• tools/solisten: Trace TCP socket listen. Examples.
• tools/sslsniff: Sniff OpenSSL written and read data. Examples.
• tools/stackcount: Count kernel function calls and their stack traces. Examples.
• tools/syncsnoop: Trace sync() syscall. Examples.
• tools/syscount: Summarize syscall counts and latencies. Examples.
• tools/tcpaccept: Trace TCP passive connections (accept()). Examples.
• tools/tcpconnect: Trace TCP active connections (connect()). Examples.
• tools/tcpconnlat: Trace TCP active connection latency (connect()). Examples.
• tools/tcplife: Trace TCP sessions and summarize lifespan. Examples.
• tools/tcpretrans: Trace TCP retransmits and TLPs. Examples.
• tools/tcpsubnet: Summarize and aggregate TCP send by subnet. Examples.
• tools/tcptop: Summarize TCP send/recv throughput by host. Top for TCP. Examples.
• tools/tcptracer: Trace TCP established connections (connect(), accept(), close()). Examples.
• tools/tplist: Display kernel tracepoints or USDT probes and their formats. Examples.
• tools/trace: Trace arbitrary functions, with filters. Examples.
• tools/ttysnoop: Watch live output from a tty or pts device. Examples.
• tools/ucalls: Summarize method calls or Linux syscalls in high-level languages. Examples.
• tools/uflow: Print a method flow graph in high-level languages. Examples.
• tools/ugc: Trace garbage collection events in high-level languages. Examples.
• tools/uobjnew: Summarize object allocation events by object type and number of bytes allocated. Examples.
• tools/ustat: Collect events such as GCs, thread creations, object allocations, exceptions and more in high-level languages. Examples.
• tools/uthreads: Trace thread creation events in Java and raw pthreads. Examples.
• tools/vfscount tools/vfscount.c: Count VFS calls. Examples.
• tools/vfsstat tools/vfsstat.c: Count some VFS calls, with column output. Examples.
• tools/wakeuptime: Summarize sleep to wakeup time by waker kernel stack. Examples.
• tools/xfsdist: Summarize XFS operation latency distribution as a histogram. Examples.
• tools/xfsslower: Trace slow XFS operations. Examples.
• tools/zfsdist: Summarize ZFS operation latency distribution as a histogram. Examples.
• tools/zfsslower: Trace slow ZFS operations. Examples.

Copyright 2015 PLUMgrid

Source: https://github.com/iovisor/