This repository contains a collection of eBPF-based tracing utilities for Linux, written in Rust. It is inspired by the tools from bcc.
jtracing provides a suite of command-line tools to trace and analyze various system and application events, such as file opens, process executions, function calls, and more. It leverages the power of eBPF (extended Berkeley Packet Filter) to safely and efficiently collect this data from the Linux kernel.
The following tracing tools are included:
- `opensnoop`: Trace `open()` syscalls.
- `execsnoop`: Trace `exec()` syscalls, showing process executions. Two versions are provided (`execsnoop_pb` using perf buffer and `execsnoop_rb` using a ring buffer).
- `funccount`: Count calls to specified kernel or user-space functions.
- `eglswapbuffers`: Trace `eglSwapBuffers` calls, useful for graphics performance analysis.
- `profile`: A simple CPU profiler.
- `bash_readline`: Trace commands executed in `bash`.
- `malloc_free`: Trace `malloc()` and `free()` calls to debug memory usage.
- `packet_count`: Count network packets on a specified interface.
- `segfault_analyzer`: Monitor and analyze segmentation faults with detailed fault information, stack traces, and register states.
- Rust (latest stable version recommended)
- `libbpf` and its dependencies (`libelf`, `zlib`). The project is configured to build `libbpf` from source via a git submodule.
- Linux kernel with eBPF support.
To build all the tracing tools, you can use Cargo:

    cargo build --release

The compiled binaries will be located in the target/release/ directory.
Each tool is a standalone executable. You typically need to run them with sudo to grant the necessary eBPF permissions.
For example, to trace file open calls:

    sudo ./target/release/opensnoop

Each tool may have its own set of command-line arguments. Use the --help flag to see the available options for a specific tool.

    ./target/release/opensnoop --help

This project is licensed under the GPL-2.0 License. See the LICENSE file for details.