Frequently Asked Question

What is bpftrace and how is it different from raw eBPF?

Writing eBPF directly is painful: you write restricted C, compile with clang, load with libbpf, and attach with verbose API calls. bpftrace is a high-level tracing language inspired by DTrace and awk that hides almost all of that. You write one-liners or short scripts in a domain-specific language; bpftrace compiles them to eBPF, loads, attaches, runs, and prints the results when you press Ctrl+C.

A flavour of it: bpftrace -e 'tracepoint:syscalls:sys_enter_openat { @[comm] = count(); }' prints, per process name, how many times each program called openat while it ran. bpftrace -e 'kprobe:vfs_read { @bytes = hist(arg2); }' prints a power-of-two histogram of read sizes. The tools/ directory of the bpftrace source has fifty production-grade scripts (biolatency.bt, tcplife.bt, runqlat.bt, xfsslower.bt and others) that double as both useful tools and excellent worked examples for learning the language.
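To show what a short script looks like once the one-liners above grow probes, predicates, formatted output and more than one map, here is an added example written for this page; it is not one of the scripts in bpftrace's tools/ directory. It assumes a Linux kernel with syscall tracepoints enabled, root privileges (bpftrace needs CAP_BPF/CAP_SYS_ADMIN), and a bpftrace version that accepts the args->field syntax for tracepoint arguments. The "/etc/" prefix and the process-name filter are constructed sample values, chosen to illustrate a defensive audit of which processes read configuration files.

```bpftrace
#!/usr/bin/env bpftrace
// Added example for this FAQ, not part of the bpftrace project.
// Run: sudo bpftrace ./openat_audit.bt   (Ctrl-C to stop and print maps)

BEGIN
{
    printf("Tracing openat() and vfs_read() ... hit Ctrl-C to end.\n");
}

// Map keyed by process name: how often each program calls openat.
// Equivalent to the one-liner above, but with a named map.
tracepoint:syscalls:sys_enter_openat
{
    @opens[comm] = count();
}

// Same tracepoint, with a predicate: only print opens whose path starts
// with "/etc/". str() copies the user-space pathname; strncmp() compares
// the first 5 bytes. The "/etc/" prefix is a constructed sample value.
tracepoint:syscalls:sys_enter_openat
/strncmp(str(args->filename), "/etc/", 5) == 0/
{
    printf("%-16s pid=%-6d uid=%-5d %s\n", comm, pid, uid, str(args->filename));
    @etc_opens[comm, str(args->filename)] = count();
}

// Kernel function probe: arg2 of vfs_read() is the requested byte count.
// hist() builds a power-of-two histogram, keyed here by process name.
kprobe:vfs_read
{
    @read_bytes[comm] = hist(arg2);
}

// Every 10 seconds, print and reset the per-process open counts so a
// long-running session shows activity per interval rather than a total.
interval:s:10
{
    print(@opens);
    clear(@opens);
}

// Maps not cleared here (@etc_opens, @read_bytes) are printed automatically
// when the script exits.
END
{
    printf("done\n");
}
```

Each probe block runs independently in the kernel, so the two openat blocks attach to the same tracepoint twice; that is normal bpftrace style. The predicate between slashes is evaluated before the block body, which keeps the filtered printf from costing anything on the opens it does not match.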
