BCC Tools Commands
BCC (BPF Compiler Collection) is a toolkit for creating efficient kernel tracing and manipulation programs using eBPF. It includes more than 100 ready-to-use tools for performance analysis, networking, and security.
Installation
Linux/Ubuntu
# Ubuntu 22.04+
sudo apt install bpfcc-tools linux-headers-$(uname -r)
# Fedora
sudo dnf install bcc-tools
# On Ubuntu, tools are installed with -bpfcc suffix
# e.g., execsnoop-bpfcc, opensnoop-bpfcc
# On Fedora/RHEL, tools are in /usr/share/bcc/tools/
# Verify installation
sudo execsnoop-bpfcc --help 2>&1 | head -5
Process Tracing
execsnoop — Trace New Processes
# Trace all new process executions
sudo execsnoop-bpfcc
# Include timestamps
sudo execsnoop-bpfcc -T
# Include failed exec calls
sudo execsnoop-bpfcc -x
# Filter by process name
sudo execsnoop-bpfcc -n nginx
# Trace for a specific UID
sudo execsnoop-bpfcc -u 1000
# Limit how many arguments are parsed and displayed per exec (default 20)
sudo execsnoop-bpfcc --max-args 20
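A triage filter for execsnoop output, added here as an example (it is not part of BCC or of the original page). It assumes the column layout printed by `execsnoop-bpfcc -T -x` (TIME PCOMM PID PPID RET ARGS) and a PCOMM without spaces; the function names and sample lines are constructed for illustration.

```shell
# Flag exec events worth a second look during detection or incident response:
#   - failed exec attempts (non-zero RET, visible only with -x)
#   - binaries started from world-writable directories
triage_execs() {
    awk '
        $1 == "TIME" { next }   # skip the header line
        NF < 6       { next }   # skip truncated or malformed lines
        {
            reason = ""
            if ($5 != 0)
                reason = "failed-exec(ret=" $5 ")"
            else if ($6 ~ /^\/(tmp|dev\/shm|var\/tmp)\//)
                reason = "exec-from-writable-dir"
            if (reason != "")
                print $1, "pid=" $3, "ppid=" $4, reason, $6
        }'
}

# Constructed sample lines (not captured from a real host).
sample_execs() {
    cat <<'EOF'
TIME     PCOMM            PID    PPID   RET ARGS
10:01:02 ls               4101   3990     0 /usr/bin/ls -la
10:01:05 payload          4102   3990     0 /tmp/payload --quiet
10:01:09 sh               4103   3990    -2 /usr/local/bin/missing-tool
10:01:12 run              4104   4001     0 /dev/shm/run
EOF
}

# Run the filter over the constructed sample.
sample_execs | triage_execs
```

On a live host, pipe the tracer into the same function: `sudo execsnoop-bpfcc -T -x | triage_execs`.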
opensnoop — Trace File Opens
# Trace all open() calls system-wide
sudo opensnoop-bpfcc
# Trace opens for a specific PID
sudo opensnoop-bpfcc -p 1234
# Show only failed opens
sudo opensnoop-bpfcc -x
# Filter by filename (opensnoop has no filename option; -f filters on open() flags such as O_WRONLY)
sudo opensnoop-bpfcc | grep /etc/passwd
# Include timestamps
sudo opensnoop-bpfcc -T
# Trace a specific duration (seconds)
sudo opensnoop-bpfcc -d 30
pidstat — Process Resource Usage
# Note: BCC does not ship a pidstat tool (there is no pidstat-bpfcc); pidstat comes from the sysstat package
# Report per-process resource stats
pidstat
# Monitor specific PID
pidstat -p 1234
Disk and I/O Analysis
biolatency — Block I/O Latency
# Show block I/O latency as histogram
sudo biolatency-bpfcc
# Show per-disk histograms
sudo biolatency-bpfcc -D
# Include timestamps
sudo biolatency-bpfcc -T
# Show latency in milliseconds
sudo biolatency-bpfcc -m
# Output every 5 seconds
sudo biolatency-bpfcc 5
# Show 10 intervals then exit
sudo biolatency-bpfcc 5 10
# Include OS queued time in the measured I/O time
sudo biolatency-bpfcc -Q
ext4slower — Trace Slow ext4 Operations
# Show ext4 operations slower than 10ms (default)
sudo ext4slower-bpfcc
# Custom threshold in milliseconds
sudo ext4slower-bpfcc 1
# Show all operations (threshold 0)
sudo ext4slower-bpfcc 0
# A TIME column is printed by default (there is no -T option); use -j for parsable CSV output
sudo ext4slower-bpfcc -j
biosnoop — Block I/O Tracing
# Trace every block I/O with latency
sudo biosnoop-bpfcc
# Include queue time
sudo biosnoop-bpfcc -Q
# Filter by disk
sudo biosnoop-bpfcc -d sda
CPU and Scheduling
profile — CPU Profiler
# Profile stacks at 49 Hz for 10 seconds (-F sets the frequency; -f selects folded output)
sudo profile-bpfcc -F 49 10
# Profile user-space stacks only
sudo profile-bpfcc -U
# Profile kernel stacks only
sudo profile-bpfcc -K
# Profile a specific PID
sudo profile-bpfcc -p 1234
# Output folded format (for flame graphs), sampling at 99 Hz for 30 seconds
sudo profile-bpfcc -F 99 -f 30 > out.folded
runqlat — Scheduler Run Queue Latency
# Show run queue latency as histogram
sudo runqlat-bpfcc
# Per-PID histograms
sudo runqlat-bpfcc -P
# Show in milliseconds
sudo runqlat-bpfcc -m
# Output every 5 seconds
sudo runqlat-bpfcc 5
# Include timestamps
sudo runqlat-bpfcc -T
softirqs — Soft Interrupt Time
# Show total time spent in each soft IRQ (add -d for histograms)
sudo softirqs-bpfcc
# Include timestamps
sudo softirqs-bpfcc -T
# Output every 5 seconds
sudo softirqs-bpfcc 5
# Show time in nanoseconds
sudo softirqs-bpfcc -N
hardirqs — Hard Interrupt Time
# Show total time spent in each hard IRQ (add -d for histograms)
sudo hardirqs-bpfcc
# Output every 5 seconds
sudo hardirqs-bpfcc 5
# Show event counts instead of time
sudo hardirqs-bpfcc -C
# Include timestamps
sudo hardirqs-bpfcc -T
Network Analysis
tcplife — TCP Session Tracking
# Trace TCP sessions with duration and throughput
sudo tcplife-bpfcc
# Show timestamps
sudo tcplife-bpfcc -T
# Filter by local port
sudo tcplife-bpfcc -L 80
# Filter by remote port
sudo tcplife-bpfcc -D 443
# Filter by PID
sudo tcplife-bpfcc -p 1234
# Wide output (full addresses)
sudo tcplife-bpfcc -w
tcpconnect — Trace Outbound Connections
# Trace all TCP connect() calls
sudo tcpconnect-bpfcc
# Include timestamps
sudo tcpconnect-bpfcc -t
# Include UID
sudo tcpconnect-bpfcc -U
# Filter by destination port
sudo tcpconnect-bpfcc -P 443
# Count connections by destination
sudo tcpconnect-bpfcc -c
tcpaccept — Trace Inbound Connections
# Trace all TCP accept() calls
sudo tcpaccept-bpfcc
# Include timestamps
sudo tcpaccept-bpfcc -T
# Filter by port
sudo tcpaccept-bpfcc -P 80
Function Tracing
funccount — Count Function Calls
# Count kernel function calls matching a pattern
sudo funccount-bpfcc 'tcp_send*'
# Count calls over 5-second intervals
sudo funccount-bpfcc -i 5 'vfs_*'
# Count user-space function calls
sudo funccount-bpfcc 'c:malloc'
# Count for a specific PID
sudo funccount-bpfcc -p 1234 'c:malloc'
# Count with timestamps
sudo funccount-bpfcc -T 'tcp_*'
trace — Flexible Event Tracing
# Trace a kernel function and print its filename argument
sudo trace-bpfcc 'do_sys_openat2 "%s", arg2'
# Trace with a filter
sudo trace-bpfcc 'sys_read (arg3 > 1024) "read %d bytes", arg3'
# Trace a user-space function
sudo trace-bpfcc 'r:c:malloc "size=%d, ret=%p", arg1, retval'
# Trace multiple events
sudo trace-bpfcc 'sys_open "%s", arg2' 'sys_read "fd=%d size=%d", arg1, arg3'
argdist — Argument Distribution
# Histogram of read() return values
sudo argdist-bpfcc -H 'r::__x64_sys_read():int:$retval'
# Count malloc sizes as a histogram
sudo argdist-bpfcc -H 'p:c:malloc(size_t size):size_t:size'
# Frequency count of returned values
sudo argdist-bpfcc -C 'r::__x64_sys_read():int:$retval'
# Filter by PID
sudo argdist-bpfcc -p 1234 -H 'r::__x64_sys_read():int:$retval'
Memory and Cache
cachestat — Page Cache Hit/Miss
# Show page cache hit ratio every second
sudo cachestat-bpfcc
# Custom interval (5 seconds)
sudo cachestat-bpfcc 5
# Include timestamps
sudo cachestat-bpfcc -T
memleak — Memory Leak Detector
# Detect memory leaks in a process
sudo memleak-bpfcc -p 1234
# Print a report every 5 seconds, 10 times
sudo memleak-bpfcc -p 1234 5 10
# Trace kernel memory leaks
sudo memleak-bpfcc
# Stack traces are always printed; show only the top 10 stacks by outstanding allocations
sudo memleak-bpfcc -p 1234 -T 10
Flame Graph Integration
# Generate CPU flame graph with BCC profile
sudo profile-bpfcc -F 99 -f 30 > out.folded
./flamegraph.pl out.folded > cpu_flamegraph.svg
# Generate off-CPU flame graph
sudo offcputime-bpfcc -f 30 > offcpu.folded
./flamegraph.pl --color=io --countname=us offcpu.folded > offcpu_flamegraph.svg
Quick Reference
| Tool | Purpose |
|---|---|
| execsnoop | Trace new processes |
| opensnoop | Trace file opens |
| biolatency | Block I/O latency histograms |
| biosnoop | Per-event block I/O tracing |
| ext4slower | Slow ext4 filesystem operations |
| tcplife | TCP session summaries |
| tcpconnect | Trace outbound TCP connections |
| tcpaccept | Trace inbound TCP connections |
| profile | CPU stack sampling profiler |
| runqlat | CPU scheduler run queue latency |
| funccount | Count kernel/user function calls |
| softirqs | Soft IRQ time distribution |
| hardirqs | Hard IRQ time distribution |
| cachestat | Page cache hit/miss statistics |
| memleak | Memory leak detector |