bpftrace

Powerful, scriptable eBPF tracing for Linux with awk-like syntax

bpftrace offers an awk‑style language to write eBPF one‑liners and scripts that probe kernel and user‑space events on Linux.

Overview

bpftrace provides a high‑level, awk‑inspired scripting language that compiles to eBPF bytecode, enabling developers, sysadmins, and performance engineers to instrument both kernel and user‑space code with minimal overhead.

Capabilities

Using libbpf and bcc under the hood, bpftrace supports kprobes, uprobes, tracepoints, raw syscalls, hardware counters, and interval timers. Its built‑in aggregation functions—count, sum, hist, and more—let you create concise one‑liners or full scripts for tasks such as syscall latency histograms, cache‑miss tracking, or per‑process I/O monitoring. The language’s C‑like syntax and standard library simplify complex tracing scenarios without requiring deep eBPF expertise.

Deployment and Community

bpftrace runs on any modern Linux distribution with a recent kernel that includes eBPF support. Installation is straightforward via package managers or source builds. The project is Apache‑2.0 licensed, actively maintained, and offers editor plugins for Emacs, Vim, VS Code, and Bash completion, fostering a vibrant community of contributors and users.

Highlights

  • Awk‑style syntax compiled to efficient eBPF bytecode
  • Supports kprobes, uprobes, tracepoints, raw syscalls, and hardware counters
  • Built‑in aggregation functions and interval timers for on‑the‑fly analysis
  • Editor plugins for Emacs, Vim, VS Code, and Bash completion

Pros

  • Low‑overhead tracing suitable for production systems
  • Expressive language reduces boilerplate for common tasks
  • Wide coverage of kernel and user‑space probe types
  • Active open‑source community and extensive documentation

Considerations

  • Requires a recent Linux kernel with eBPF support
  • Steeper learning curve for complex multi‑probe scripts
  • Limited to Linux; no native Windows support
  • Debugging eBPF programs can be challenging without tooling

Managed products teams compare with

When teams consider bpftrace, these hosted platforms usually appear on the same shortlist.

AWS X-Ray

Trace requests through distributed and serverless apps on AWS.

Better Stack Tracing

Tracing correlated with logs and metrics for faster debugging.

Grafana Cloud Traces

Managed distributed tracing powered by Grafana Tempo.

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • Linux system administrators needing quick diagnostics
  • Performance engineers optimizing kernel or application latency
  • Developers debugging user‑space programs with dynamic probes
  • Security analysts auditing system calls and file access

Not ideal when

  • Environments that run only on Windows or non‑Linux OSes
  • Users preferring graphical tracing interfaces over CLI
  • Very low‑resource embedded devices lacking eBPF capabilities
  • Teams requiring long‑term script versioning without additional tooling

How teams use it

Identify high‑latency syscalls per process

Generate per‑process histograms of syscall durations to pinpoint bottlenecks.

Monitor cache‑miss rates for performance tuning

Count hardware cache‑miss events per thread, enabling CPU cache optimization.

Audit file access in a specific cgroup

List filenames opened by processes within a cgroup, supporting security audits.

Profile user‑space stack traces at custom frequency

Collect stack samples for a target PID at 99 Hz, revealing hot paths in applications.

Tech snapshot

  • C++: 69%
  • C: 25%
  • CMake: 2%
  • Python: 1%
  • Yacc: 1%
  • Lex: 1%

Tags

ebpf, uprobes, bpf, kprobes, tracepoints, tracing, usdt, bcc

Frequently asked questions

What languages does bpftrace's syntax resemble?

It draws inspiration from awk, C, DTrace, and SystemTap, offering a familiar, concise scripting style.

Which kernel features does bpftrace rely on?

It compiles scripts to eBPF bytecode and uses libbpf and bcc to interact with kprobes, uprobes, tracepoints, and hardware counters.

How can I extend editor support?

Plugins are available for Emacs, Vim, VS Code, and Bash completion, enabling syntax highlighting and command completion.

Is bpftrace suitable for production monitoring?

Yes, its low‑overhead eBPF backend makes it safe for live systems, though scripts should be tested to avoid excessive data collection.

What license governs bpftrace?

The project is released under the Apache‑2.0 license.

Project at a glance

Active
Stars: 9,899
Watchers: 9,899
Forks: 1,431
License: Apache-2.0
Repo age: 7 years old
Last commit: 22 hours ago
Primary language: C++

Last synced 3 hours ago