
011 Using EBPF Tools To Diagnose System and Application Behavior Part 2 Study Guide


Using eBPF Tools to Diagnose System and Application Behavior

Mike Bunch
LINUX TRAINING ARCHITECT
USING EBPF TOOLS TO DIAGNOSE SYSTEM AND APPLICATION BEHAVIOR

Lesson Objectives and Overview

Lesson Objective

Review tools found in the bcc-tools package, how they work with the extended Berkeley Packet Filter
(eBPF) kernel technology, and how to use them to monitor and review system performance.

Lesson Notes
What Are the extended Berkeley Packet Filter (eBPF) Technologies?

eBPF technology provides dynamic kernel tracing without requiring special kernel modules
(e.g., SystemTap) or a kernel recompile and system reboot (e.g., debug kernel).

What Are the bcc-tools?

A large collection of dynamic kernel tracing tools designed to work with the eBPF technologies
and provide details about system performance.

Collects a wide variety of information such as realtime kernel data, system latency, application
performance, and language performance monitoring.

Command Examples From the Lesson

# Install the bcc-tools package:


sudo yum install bcc-tools

# Change to the tools directory:


cd /usr/share/bcc/tools

# Trace exec() system calls:


sudo ./execsnoop

# Trace exec() system calls, adding timestamp and user ID:


sudo ./execsnoop -TU

# Trace exec() system calls, filtering for the ls command:


sudo ./execsnoop -TU -n ls

# Trace open() system calls:


sudo ./opensnoop

# Trace open() system calls, adding a user ID column:


sudo ./opensnoop -U

# Trace open() system calls for a specific user:


sudo ./opensnoop -U -u UID

# Monitor pts device output:


sudo ./ttysnoop DEVICE#

# Trace TCP session life spans:


sudo ./tcplife

# Trace TCP session life spans for a specific local port:


sudo ./tcplife -L 8000

# Trace TCP session life spans for a specific PID:


sudo ./tcplife -p PID

# Format tcplife output as CSV, with a time column:


sudo ./tcplife -sT

# Trace kill() system calls:


sudo ./killsnoop

# Display getaddrinfo/gethostbyname latency:


sudo ./gethostlatency

# Trace block device I/O by top processes:


sudo ./biotop

# Trace block device I/O by top processes, no screen refresh:


sudo ./biotop -C

# Trace block device I/O by top processes, 5 second cycle, repeat 10 times:


sudo ./biotop -C 5 10
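
The CSV produced by `sudo ./tcplife -sT` above lends itself to post-processing. The following added example (not part of the original study guide) groups sessions by process and remote endpoint so that repeated or long-lived connections stand out. The sample rows are constructed, and the column names are an assumption to compare against the header line your bcc-tools version prints.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of `tcplife -sT` output. The column names are an
# assumption; compare them with the header your bcc-tools version prints.
SAMPLE = """\
TIME,PID,COMM,IP,LADDR,LPORT,RADDR,RPORT,TX_KB,RX_KB,MS
10:15:01,2211,curl,4,10.0.0.5,51514,192.0.2.10,443,1,12,180.25
10:15:03,2290,python3,4,10.0.0.5,51520,198.51.100.7,8000,0,3,15.10
10:15:09,2301,python3,4,10.0.0.5,51522,198.51.100.7,8000,0,4,14.80
10:15:12,913,sshd,4,10.0.0.5,22,203.0.113.9,40122,25,8,60210.00
truncated,line
"""


def summarize_sessions(text):
    """Group sessions by (COMM, RADDR, RPORT).

    Returns (summary, skipped): summary is a list of dicts sorted by
    session count, skipped counts rows that could not be parsed.
    """
    groups = defaultdict(lambda: {"sessions": 0, "tx_kb": 0.0, "rx_kb": 0.0, "ms": 0.0})
    skipped = 0
    for row in csv.DictReader(io.StringIO(text)):  # columns looked up by header name
        try:
            key = (row["COMM"], row["RADDR"], int(row["RPORT"]))
            tx, rx, ms = float(row["TX_KB"]), float(row["RX_KB"]), float(row["MS"])
        except (KeyError, TypeError, ValueError):
            skipped += 1  # short, truncated or non-CSV line
            continue
        g = groups[key]
        g["sessions"] += 1
        g["tx_kb"] += tx
        g["rx_kb"] += rx
        g["ms"] += ms
    summary = [
        {"comm": c, "raddr": a, "rport": p, "sessions": g["sessions"],
         "tx_kb": g["tx_kb"], "rx_kb": g["rx_kb"],
         "avg_ms": round(g["ms"] / g["sessions"], 2)}
        for (c, a, p), g in groups.items()
    ]
    summary.sort(key=lambda r: (-r["sessions"], r["comm"], r["raddr"], r["rport"]))
    return summary, skipped


if __name__ == "__main__":
    rows, bad = summarize_sessions(SAMPLE)
    for r in rows:
        print(r)
    print("skipped rows:", bad)
```

To use it on real data, redirect the tcplife output to a file and pass the file's contents to `summarize_sessions()`.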
