BPF Compiler Collection (BCC)

BCC is a toolkit for creating efficient kernel tracing and manipulation programs, and includes several useful tools and examples. It makes use of extended BPF (Berkeley Packet Filters), formally known as eBPF, a new feature that was first added to Linux 3.15. Much of what BCC uses requires Linux 4.1 and above.

eBPF was described by Ingo Molnár as:

One of the more interesting features in this cycle is the ability to attach eBPF programs (user-defined, sandboxed bytecode executed by the kernel) to kprobes. This allows user-defined instrumentation on a live kernel image that can never crash, hang or interfere with the kernel negatively.

BCC makes BPF programs easier to write, with kernel instrumentation in C (and includes a C wrapper around LLVM), and front-ends in Python and lua. It is suited for many tasks, including performance analysis and network traffic control.

Screenshot

This example traces a disk I/O kernel function, and populates an in-kernel power-of-2 histogram of the I/O size. For efficiency, only the histogram summary is returned to user-level.

# ./bitehist.py
Tracing... Hit Ctrl-C to end.
^C
     kbytes          : count     distribution
       0 -> 1        : 3        |                                      |
       2 -> 3        : 0        |                                      |
       4 -> 7        : 211      |**********                            |
       8 -> 15       : 0        |                                      |
      16 -> 31       : 0        |                                      |
      32 -> 63       : 0        |                                      |
      64 -> 127      : 1        |                                      |
     128 -> 255      : 800      |**************************************|

The above output shows a bimodal distribution, where the largest mode of 800 I/O was between 128 and 255 Kbytes in size.

See the source: bitehist.py. What this traces, what this stores, and how the data is presented, can be entirely customized. This shows only some of many possible capabilities.

Installing

See INSTALL.md for installation steps on your platform.

FAQ

See FAQ.txt for the most common troubleshoot questions.

Reference guide

See docs/reference_guide.md for the reference guide to the bcc and bcc/BPF APIs.

Contents

Some of these are single files that contain both C and Python, others have a pair of .c and .py files, and some are directories of files.

Tracing

Examples

• examples/tracing/bitehist.py: Block I/O size histogram. Examples.
• examples/tracing/disksnoop.py: Trace block device I/O latency. Examples.
• examples/hello_world.py: Prints "Hello, World!" for new processes.
• examples/tracing/mysqld_query.py: Trace MySQL server queries using USDT probes. Examples.
• examples/tracing/nodejs_http_server.py: Trace Node.js HTTP server requests using USDT probes. Examples.
• examples/tracing/stacksnoop: Trace a kernel function and print all kernel stack traces. Examples.
• tools/statsnoop: Trace stat() syscalls. Examples.
• examples/tracing/task_switch.py: Count task switches with from and to PIDs.
• examples/tracing/tcpv4connect.py: Trace TCP IPv4 active connections. Examples.
• examples/tracing/trace_fields.py: Simple example of printing fields from traced events.
• examples/tracing/undump.py: Dump UNIX socket packets. Examples
• examples/tracing/urandomread.py: A kernel tracepoint example, which traces random:urandom_read. Examples.
• examples/tracing/vfsreadlat.py examples/tracing/vfsreadlat.c: VFS read latency distribution. Examples.
• examples/tracing/kvm_hypercall.py: Conditional static kernel tracepoints for KVM entry, exit and hypercall Examples.

Tools

<center><a href="images/bcc_tracing_tools_2019.png"><img src="images/bcc_tracing_tools_2019.png" border=0 width=700></a></center>

• tools/argdist: Display function parameter values as a histogram or frequency count. Examples.
• tools/bashreadline: Print entered bash commands system wide. Examples.
• tools/bpflist: Display processes with active BPF programs and maps. Examples.
• tools/capable: Trace security capability checks. Examples.
• tools/compactsnoop: Trace compact zone events with PID and latency. Examples.
• tools/criticalstat: Trace and report long atomic critical sections in the kernel. Examples
• tools/deadlock: Detect potential deadlocks on a running process. Examples.
• tools/drsnoop: Trace direct reclaim events with PID and latency. Examples.
• tools/funccount: Count kernel function calls. Examples.
• tools/inject: Targeted error injection with call chain and predicates Examples.
• tools/klockstat: Traces kernel mutex lock events and display locks statistics. Examples.
• tools/opensnoop: Trace open() syscalls. Examples.
• tools/readahead: Show performance of read-ahead cache Examples.
• tools/reset-trace: Reset the state of tracing. Maintenance tool only. Examples.
• tools/stackcount: Count kernel function calls and their stack traces. Examples.
• tools/syncsnoop: Trace sync() syscall. Examples.
• tools/threadsnoop: List new thread creation. Examples.
• tools/tplist: Display kernel tracepoints or USDT probes and their formats. Examples.
• tools/trace: Trace arbitrary functions, with filters. Examples.
• tools/ttysnoop: Watch live output from a tty or pts device. Examples.
• tools/ucalls: Summarize method calls or Linux syscalls in high-level languages. Examples.
• tools/uflow: Print a method flow graph in high-level languages. Examples.
• tools/ugc: Trace garbage collection events in high-level languages. Examples.
• tools/uobjnew: Summarize object allocation events by object type and number of bytes allocated. Examples.
• tools/ustat: Collect events such as GCs, thread creations, object allocations, exceptions and more in high-level languages. Examples.
• tools/uthreads: Trace thread creation events in Java and raw pthreads. Examples.

Memory and Process Tools

• tools/execsnoop: Trace new processes via exec() syscalls. Examples.
• tools/exitsnoop: Trace process termination (exit and fatal signals). Examples.
• tools/killsnoop: Trace signals issued by the kill() syscall. Examples.
• tools/kvmexit: Display the exit_reason and its statistics of each vm exit. Examples.
• tools/memleak: Display outstanding memory allocations to find memory leaks. Examples.
• tools/numasched: Track the migration of processes between NUMAs. Examples.
• tools/oomkill: Trace the out-of-memory (OOM) killer. Examples.
• tools/pidpersec: Count new processes (via fork). Examples.
• tools/rdmaucma: Trace RDMA Userspace Connection Manager Access events. Examples.
• tools/shmsnoop: Trace System V shared memory syscalls. Examples.
• tools/slabratetop: Kernel SLAB/SLUB memory cache allocation rate top. Examples.

Performance and Time Tools

• tools/dbslower: Trace MySQL/PostgreSQL queries slower than a threshold. [Exa