Article Categories
- All Categories
-
Data Structure
-
Networking
-
RDBMS
-
Operating System
-
Java
-
MS Excel
-
iOS
-
HTML
-
CSS
-
Android
-
Python
-
C Programming
-
C++
-
C#
-
MongoDB
-
MySQL
-
Javascript
-
PHP
-
Economics & Finance
BCC – Dynamic Tracing Tools for Linux Performance Monitoring, Networking and More
BCC (BPF Compiler Collection) is a powerful set of dynamic tracing tools built on top of eBPF (extended Berkeley Packet Filter) technology in the Linux kernel. BCC provides a simple yet effective way to monitor system performance, analyze networking behavior, and trace various system events without requiring kernel modifications or recompilation.
What are BCC Tools?
BCC tools are designed to provide a user-friendly interface for using eBPF to trace and analyze system events. eBPF is a virtual machine that runs inside the kernel, allowing for efficient and flexible tracing of system activities. BCC tools are written in Python and C, making them accessible for a wide range of monitoring tasks including system performance analysis, network diagnostics, and security monitoring.
Benefits of BCC Tools
| Benefit | Description |
|---|---|
| Low Overhead | Minimal impact on system performance using in-kernel eBPF execution |
| High Flexibility | Wide range of use cases from performance monitoring to security analysis |
| User-Friendly | Simple interface requiring no specialized kernel programming knowledge |
| Active Community | Continuously developed with regular updates and bug fixes |
Common BCC Tools
Installation
Before using BCC tools, install them using your distribution's package manager
# Ubuntu/Debian sudo apt-get install bpfcc-tools # CentOS/RHEL sudo yum install bcc-tools # For BPFtrace sudo apt-get install bpftrace
Essential BCC Tools
execsnoop Traces new process execution on the system
sudo execsnoop
PCOMM PID PPID RET ARGS bash 2341 2340 0 /usr/bin/ls -la grep 2342 2341 0 /usr/bin/grep myfile
opensnoop Traces file system open operations
sudo opensnoop
tcptracer Traces TCP connections and their associated ports
sudo tcptracer
BPFtrace Examples
BPFtrace provides a high-level tracing language for writing custom eBPF programs. Here's a simple example that traces process starts
tracepoint:syscalls:sys_enter_execve
{
printf("Process %s started by PID %d<br>", str(args->filename), pid);
}
Save this as process_trace.bt and run
sudo bpftrace process_trace.bt
Custom BCC Scripts
CPU Scheduler Monitoring
#!/usr/bin/env python3
from bcc import BPF
# BPF program to trace scheduler switches
bpf_text = """
#include <uapi/linux/ptrace.h>
int trace_sched_switch(struct pt_regs *ctx) {
u64 ts = bpf_ktime_get_ns();
u32 pid = bpf_get_current_pid_tgid() >> 32;
bpf_trace_printk("Scheduler switch: PID %d at %llu\<br>", pid, ts);
return 0;
}
"""
# Load BPF program
b = BPF(text=bpf_text)
# Attach to scheduler tracepoint
b.attach_tracepoint(tp="sched:sched_switch", fn_name="trace_sched_switch")
print("Tracing scheduler switches... Press Ctrl-C to stop")
try:
b.trace_print()
except KeyboardInterrupt:
print("Stopping trace")
Network Connection Tracking
#!/usr/bin/env python3
from bcc import BPF
bpf_text = """
#include <uapi/linux/ptrace.h>
#include <net/sock.h>
int trace_tcp_connect(struct pt_regs *ctx, struct sock *sk) {
u32 pid = bpf_get_current_pid_tgid() >> 32;
u16 dport = sk->__sk_common.skc_dport;
bpf_trace_printk("TCP connect by PID %d to port %d\<br>", pid, ntohs(dport));
return 0;
}
"""
b = BPF(text=bpf_text)
b.attach_kprobe(event="tcp_v4_connect", fn_name="trace_tcp_connect")
print("Tracing TCP connections... Press Ctrl-C to stop")
try:
b.trace_print()
except KeyboardInterrupt:
print("Connection tracing stopped")
Additional BCC Tools
biosnoop Traces block I/O operations at the device level
funccount Counts function calls in the kernel or user programs
syncsnoop Traces sync system calls for filesystem analysis
tcpconnect Shows active TCP connections with detailed information
pidstat Provides per-process statistics using eBPF
Integration with Monitoring Systems
BCC tools can be integrated with monitoring platforms like Prometheus, Grafana, and Nagios to provide comprehensive system visibility. Custom BCC scripts can export metrics to these systems for long-term storage and alerting.
Conclusion
BCC tools provide powerful dynamic tracing capabilities for Linux systems with minimal overhead and maximum flexibility. They enable deep system insights through eBPF technology, making them essential for system administrators, developers, and security analysts. Whether monitoring performance, debugging network issues, or analyzing system behavior, BCC tools offer unparalleled visibility into Linux system operations.
797 Views
