BCC allows one to write BPF programs with front-ends in Python or Lua with kernel instrumentation written in C. The instrumentation code is built into sandboxed eBPF byte code and is executed in the kernel.
The BCC GitHub project README file provides an excellent overview and description of BCC and the various available BCC tools. Building BCC from scratch can be a bit time-consuming; however, the good news is that the BCC tools are now available as a snap, so BCC can be quickly and easily installed using:
sudo snap install --devmode bcc
There are currently over 50 BCC tools in the snap, so let's have a quick look at a few:
cachetop allows one to view the top page cache hit/miss statistics. To run this use:
The funccount tool allows one to count the number of times specific functions get called. For example, to see how many kernel functions with the name starting with "do_" get called per second one can use:
sudo bcc.funccount "do_*" -i 1
To see how to use all the options in this tool, use the -h option:
sudo bcc.funccount -h
I've found the funccount tool to be especially useful to check on kernel activity by checking on hits on specific function names.
The slabratetop tool is useful to see the active kernel SLAB/SLUB memory allocation rates:
To see which process is opening specific files, one can snoop on open system calls using the opensnoop tool:
sudo bcc.opensnoop -T
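The opensnoop output can be post-processed to pick out opens of files you care about. The following is an added example, not code from the BCC project or from the original article. It assumes the `-T` column layout TIME(s) PID COMM FD ERR PATH and a COMM field without spaces; the watch list and the sample lines are constructed for illustration.

```python
# Added example: filter `opensnoop -T` output for opens of watched paths.
# Assumed column layout: TIME(s) PID COMM FD ERR PATH (COMM without spaces).
from collections import namedtuple

OpenEvent = namedtuple("OpenEvent", "time pid comm fd err path")

# Constructed sample output, not captured from a real system.
SAMPLE = """\
TIME(s)       PID    COMM               FD ERR PATH
0.000000000   812    sshd                4   0 /etc/shadow
0.004512000   1931   backup.sh          -1  13 /etc/shadow
0.010230000   1931   backup.sh           3   0 /home/user/my notes.txt
0.020000000   2040   cat                 3   0 /etc/hostname
"""

WATCHED = ("/etc/shadow", "/etc/sudoers")  # hypothetical watch list (prefix match)


def parse_opensnoop(text):
    """Parse opensnoop -T lines into OpenEvent tuples, skipping the header."""
    events = []
    for line in text.splitlines():
        # Split into at most 6 fields so a PATH containing spaces stays whole.
        fields = line.split(None, 5)
        if len(fields) != 6:
            continue
        try:
            events.append(OpenEvent(float(fields[0]), int(fields[1]), fields[2],
                                    int(fields[3]), int(fields[4]), fields[5]))
        except ValueError:
            continue  # header line or otherwise malformed row
    return events


def watched_opens(events, watched=WATCHED):
    """Return (pid, comm, path, succeeded) for each open of a watched path."""
    return [(e.pid, e.comm, e.path, e.err == 0)
            for e in events if e.path.startswith(watched)]


if __name__ == "__main__":
    for pid, comm, path, ok in watched_opens(parse_opensnoop(SAMPLE)):
        # A failed open (ERR 13 is EACCES) still shows who tried to read the file.
        print(f"{comm}[{pid}] {'opened' if ok else 'was denied'} {path}")
```

Failed opens are kept rather than dropped, since a denied attempt on a watched file is often the more interesting event.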
Hopefully this will give you a taste of the useful tools that are available in BCC (I have barely scratched the surface in this article). I recommend installing the snap and giving it a try.
As it stands, BCC provides a useful mechanism to develop BPF tracing tools and I look forward to regularly updating the BCC snap as more tools are added to BCC. Kudos to Brendan Gregg for BCC!