
أوامر BCC Tools

BCC (BPF Compiler Collection) هي مجموعة أدوات لإنشاء برامج فعالة لتتبع النواة والتعامل معها باستخدام eBPF. تتضمن أكثر من 100 أداة جاهزة للاستخدام في تحليل الأداء والشبكات والأمان.

التثبيت

Linux/Ubuntu

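# Ubuntu 22.04+
# Quote the substitution so the headers package name is passed as one word.
sudo apt install bpfcc-tools "linux-headers-$(uname -r)"

# Fedora
sudo dnf install bcc-tools

# On Ubuntu, tools are installed with -bpfcc suffix
# e.g., execsnoop-bpfcc, opensnoop-bpfcc
# On Fedora/RHEL, tools are in /usr/share/bcc/tools/

# Verify installation. Printing the help text should not need to load a BPF
# program, so run it unprivileged and keep sudo for actual tracing.
execsnoop-bpfcc --help 2>&1 | head -5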

تتبع العمليات

execsnoop — تتبع العمليات الجديدة

# Trace all new process executions
# NOTE: the output contains full command lines, which can include secrets
# passed as arguments; treat saved traces as sensitive.
sudo execsnoop-bpfcc

# Include timestamps
sudo execsnoop-bpfcc -T

# Include failed exec calls
sudo execsnoop-bpfcc -x

# Only show commands whose name matches (the value is treated as a pattern)
sudo execsnoop-bpfcc -n nginx

# Trace for a specific UID
sudo execsnoop-bpfcc -u 1000

# Set the maximum number of arguments parsed and shown per exec.
# This does not print environment variables.
sudo execsnoop-bpfcc --max-args 20

opensnoop — تتبع فتح الملفات

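# Trace all open() calls system-wide
sudo opensnoop-bpfcc

# Trace opens for a specific PID
sudo opensnoop-bpfcc -p 1234

# Show only failed opens
sudo opensnoop-bpfcc -x

# Filter by filename: -f filters on open flags, not on the path, so match the
# path in the output instead (-F makes grep treat it as a literal string)
sudo opensnoop-bpfcc | grep -F -- /etc/passwd

# Filter on open flags (only opens for writing)
sudo opensnoop-bpfcc -f O_WRONLY -f O_RDWR

# Include timestamps
sudo opensnoop-bpfcc -T

# Trace a specific duration (seconds)
sudo opensnoop-bpfcc -d 30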

pidstat (BCC) — استخدام موارد العمليات

# NOTE(review): pidstat is normally shipped by the sysstat package, and a
# pidstat-bpfcc tool could not be confirmed among the BCC tools; check that
# the binary exists (command -v pidstat-bpfcc) before relying on these
# commands. TODO confirm.
# Trace process resource stats
sudo pidstat-bpfcc

# Monitor specific PID
sudo pidstat-bpfcc -p 1234

تحليل القرص والإدخال/الإخراج

biolatency — كمون الإدخال/الإخراج الكتلي

# Show block I/O latency as histogram (runs until interrupted)
sudo biolatency-bpfcc

# Show per-disk histograms
sudo biolatency-bpfcc -D

# Include timestamps
sudo biolatency-bpfcc -T

# Show latency in milliseconds
sudo biolatency-bpfcc -m

# Output every 5 seconds
sudo biolatency-bpfcc 5

# Show 10 intervals then exit
sudo biolatency-bpfcc 5 10

# Include OS queued time in the measured I/O time (without -Q only the time
# from device issue to completion is measured)
sudo biolatency-bpfcc -Q

ext4slower — تتبع عمليات ext4 البطيئة

# Show ext4 operations slower than 10ms (default)
sudo ext4slower-bpfcc

# Custom threshold in milliseconds
sudo ext4slower-bpfcc 1

# Show all operations (threshold 0)
# This traces every ext4 read/write/open/fsync and can be verbose on a busy host.
sudo ext4slower-bpfcc 0

# NOTE(review): ext4slower already prints a TIME column, and a -T option
# could not be confirmed for it; check ext4slower-bpfcc --help. TODO confirm.
# Include timestamps
sudo ext4slower-bpfcc -T

biosnoop — تتبع الإدخال/الإخراج الكتلي

# Trace every block I/O with latency (one line per completed request)
sudo biosnoop-bpfcc

# Include queue time (time spent queued in the OS before device issue)
sudo biosnoop-bpfcc -Q

# Filter by disk
# NOTE(review): -d is only present in newer BCC releases; confirm with --help.
sudo biosnoop-bpfcc -d sda

المعالج والجدولة

profile — محلل أداء المعالج

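# Sample stacks at 49 Hz for 10 seconds. -F sets the sample frequency; user
# and kernel stacks are both included unless -U or -K is given.
sudo profile-bpfcc -F 49 10

# Profile user-space stacks only
sudo profile-bpfcc -U

# Profile kernel stacks only
sudo profile-bpfcc -K

# Profile a specific PID
sudo profile-bpfcc -p 1234

# Output folded format (for flame graphs): -f selects folded output,
# -F 99 the sample rate, 30 the duration in seconds
sudo profile-bpfcc -F 99 -f 30 > out.folded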

runqlat — كمون قائمة انتظار تشغيل المجدول

# Show run queue latency as histogram (time runnable tasks waited for a CPU;
# microseconds unless -m is given)
sudo runqlat-bpfcc

# Per-PID histograms
sudo runqlat-bpfcc -P

# Show in milliseconds
sudo runqlat-bpfcc -m

# Output every 5 seconds
sudo runqlat-bpfcc 5

# Include timestamps
sudo runqlat-bpfcc -T

softirqs — وقت المقاطعة الناعمة

# Show total soft IRQ event time per softirq type.
# The default output is a summary of totals; histograms need -d.
sudo softirqs-bpfcc

# Include timestamps on each output
sudo softirqs-bpfcc -T

# Output every 5 seconds
sudo softirqs-bpfcc 5

# Report times in nanoseconds (-N switches the unit; it is not a count mode)
sudo softirqs-bpfcc -N

hardirqs — وقت المقاطعة الصلبة

# Show total hard IRQ event time per interrupt.
# The default output is a summary of totals; histograms need -d.
sudo hardirqs-bpfcc

# Output every 5 seconds
sudo hardirqs-bpfcc 5

# Report times in nanoseconds (-N switches the unit; event counts are
# selected with -C where the installed version supports it)
sudo hardirqs-bpfcc -N

# Include timestamps
sudo hardirqs-bpfcc -T

تحليل الشبكة

tcplife — تتبع جلسات TCP

# Trace TCP sessions with duration and throughput
# A session is reported when it closes, so long-lived connections that stay
# open for the whole trace do not appear.
sudo tcplife-bpfcc

# Show timestamps (adds a time-of-day column)
sudo tcplife-bpfcc -T

# Filter by local port
sudo tcplife-bpfcc -L 80

# Filter by remote port
sudo tcplife-bpfcc -D 443

# Filter by PID
sudo tcplife-bpfcc -p 1234

# Wide output (full addresses)
sudo tcplife-bpfcc -w

tcpconnect — تتبع الاتصالات الصادرة

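# Trace all TCP connect() calls (active/outbound connection attempts)
sudo tcpconnect-bpfcc

# Include timestamps (tcpconnect uses lowercase -t, unlike several other tools)
sudo tcpconnect-bpfcc -t

# Include UID
sudo tcpconnect-bpfcc -U

# Filter by destination port
sudo tcpconnect-bpfcc -P 443

# Count connections by destination
sudo tcpconnect-bpfcc -c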

tcpaccept — تتبع الاتصالات الواردة

# Trace all TCP accept() calls (passive/inbound connections)
sudo tcpaccept-bpfcc

# Include timestamps (adds a time-of-day column)
sudo tcpaccept-bpfcc -T

# Filter by port (the local listening port)
sudo tcpaccept-bpfcc -P 80

تتبع الدوال

funccount — حساب استدعاءات الدوال

# Count kernel function calls matching a pattern
# The single quotes keep the shell from expanding * against files in the
# current directory; the pattern must reach funccount unchanged.
sudo funccount-bpfcc 'tcp_send*'

# Count calls over 5-second intervals
# Broad patterns such as vfs_* attach many probes and add overhead on a busy host.
sudo funccount-bpfcc -i 5 'vfs_*'

# Count user-space function calls (library:function; c is libc)
sudo funccount-bpfcc 'c:malloc'

# Count for a specific PID
sudo funccount-bpfcc -p 1234 'c:malloc'

# Count with timestamps
sudo funccount-bpfcc -T 'tcp_*'

trace — تتبع الأحداث المرن

# Trace a kernel function and print its second argument as a string.
# No return value is shown here; that needs an r: return probe.
sudo trace-bpfcc 'do_sys_openat2 "%s", arg2'

# Trace with a filter
# NOTE(review): on kernels that use syscall wrappers, bare sys_read/sys_open
# symbols may be missing or may not receive the syscall arguments directly.
# Confirm the symbol name for your kernel.
sudo trace-bpfcc 'sys_read (arg3 > 1024) "read %d bytes", arg3'

# Trace a user-space function on return (r: prefix)
# NOTE(review): entry arguments such as arg1 are generally not reliable inside
# a return probe; retval is. Confirm the printed size before trusting it.
sudo trace-bpfcc 'r:c:malloc "size=%d, ret=%p", arg1, retval'

# Trace multiple events
sudo trace-bpfcc 'sys_open "%s", arg2' 'sys_read "fd=%d size=%d", arg1, arg3'

argdist — توزيع المعاملات

# Histogram of read() return values
# The single quotes stop the shell from expanding $retval; argdist must
# receive it literally. The __x64_ prefix is specific to x86-64 kernels.
sudo argdist-bpfcc -H 'r::__x64_sys_read():int:$retval'

# Count malloc sizes as a histogram
sudo argdist-bpfcc -H 'p:c:malloc(size_t size):size_t:size'

# Frequency count of returned values
sudo argdist-bpfcc -C 'r::__x64_sys_read():int:$retval'

# Filter by PID
sudo argdist-bpfcc -p 1234 -H 'r::__x64_sys_read():int:$retval'

الذاكرة والتخزين المؤقت

cachestat — إصابة/إخطاء ذاكرة التخزين المؤقت للصفحات

# Show page cache hit ratio every second (hits, misses and dirtied pages
# are reported per interval)
sudo cachestat-bpfcc

# Custom interval (5 seconds)
sudo cachestat-bpfcc 5

# Include timestamps
sudo cachestat-bpfcc -T

memleak — كاشف تسريبات الذاكرة

# Detect memory leaks in a process (periodically prints outstanding
# allocations together with the stacks that made them)
sudo memleak-bpfcc -p 1234

# Print every 5 seconds, 10 times. The positional arguments are interval and
# count; the number of stacks shown is set with -T, not with the second number.
sudo memleak-bpfcc -p 1234 5 10

# Trace kernel memory leaks
sudo memleak-bpfcc

# NOTE(review): a -d stack-depth option could not be confirmed for memleak;
# check memleak-bpfcc --help before using this. TODO confirm.
# Include stack traces (depth 8)
sudo memleak-bpfcc -p 1234 -d 8

الدمج مع مخططات اللهب

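# Generate CPU flame graph with BCC profile
# -F 99 sets the sample rate, -f selects folded output, 30 is the duration in
# seconds. The redirection is done by the calling shell, so out.folded is
# owned by the invoking user rather than root.
sudo profile-bpfcc -F 99 -f 30 > out.folded
# flamegraph.pl is expected in the current directory (from the FlameGraph
# repository); it needs no root privileges.
./flamegraph.pl out.folded > cpu_flamegraph.svg

# Generate off-CPU flame graph (-f: folded output, 30: duration in seconds)
sudo offcputime-bpfcc -f 30 > offcpu.folded
./flamegraph.pl --color=io --countname=us offcpu.folded > offcpu_flamegraph.svg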

مرجع سريع

Tool | Purpose
--- | ---
execsnoop | Trace new processes
opensnoop | Trace file opens
biolatency | Block I/O latency histograms
biosnoop | Per-event block I/O tracing
ext4slower | Slow ext4 filesystem operations
tcplife | TCP session summaries
tcpconnect | Trace outbound TCP connections
tcpaccept | Trace inbound TCP connections
profile | CPU stack sampling profiler
runqlat | CPU scheduler run queue latency
funccount | Count kernel/user function calls
softirqs | Soft IRQ time distribution
hardirqs | Hard IRQ time distribution
cachestat | Page cache hit/miss statistics
memleak | Memory leak detector