⚡ bpftrace One-Liners
Powerful one-liners for instant system investigation using bpftrace. These commands provide immediate insights without writing full scripts. All of them need root (or the BPF-related capabilities on recent kernels), and probe names depend on kernel version and architecture: a one-liner that fails to attach usually needs a different probe (tracepoint vs. kprobe, `open` vs. `openat`), not different syntax.
🔍 Process and System Call Monitoring
Basic Process Tracking
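| # Track all process executions. Print the kernel-resolved path (args->filename) plus the full
# argv. argv[0] and comm are chosen by the caller (a forged argv[0], prctl(PR_SET_NAME)), so they
# must never be the only evidence of *what* ran. execveat(2) is included because execve-only
# probes miss fexecve()-style launches.
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_execve,tracepoint:syscalls:sys_enter_execveat { printf("%-6d %-16s %s ", pid, comm, str(args->filename)); join(args->argv); }'
# Monitor process exits with exit codes. exit(2)/exit_group(2) never return, so the sys_exit_*
# tracepoints never fire; the status is only visible on the sys_enter side (args->error_code).
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_exit,tracepoint:syscalls:sys_enter_exit_group { printf("%-6d %-16s exited with code %d\n", pid, comm, args->error_code); }'
# Count syscalls by process (top 10 every 5 seconds). Attaching to every sys_enter_* tracepoint is
# the most expensive one-liner on this page; keep runs short on busy hosts.
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_* { @calls[comm] = count(); } interval:s:5 { print(@calls, 10); clear(@calls); }'
|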
File System Activity
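| # Monitor all file opens. Modern libc issues openat(2); open(2) is kept for older binaries
# (on arm64 kernels there is no open syscall, so drop that probe there or bpftrace will not attach).
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_open,tracepoint:syscalls:sys_enter_openat { printf("%-6d %-16s opened %s\n", pid, comm, str(args->filename)); }'
# Track file reads/writes with size (histogram of bytes per successful read()/write() call, per process)
sudo bpftrace -e 'tracepoint:syscalls:sys_exit_read /args->ret > 0/ { @reads[comm] = hist(args->ret); } tracepoint:syscalls:sys_exit_write /args->ret > 0/ { @writes[comm] = hist(args->ret); }'
# Monitor suspicious file access (e.g., /etc/passwd). args->filename is the raw string the process
# passed, not the resolved path: the 11-byte prefix match also catches /etc/passwd- (the backup),
# but relative paths, symlinks and "/etc/../etc/passwd" slip past it. The uid is printed so a read
# by an unexpected user stands out; open(2) is probed as well so older binaries are not missed.
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_open,tracepoint:syscalls:sys_enter_openat { if (strncmp(str(args->filename), "/etc/passwd", 11) == 0) { printf("ALERT: %-6d %-16s uid=%d accessed %s\n", pid, comm, uid, str(args->filename)); } }'
|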
🌐 Network Monitoring
TCP Connection Tracking
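| # Monitor outbound IPv4 TCP connections. kprobes expose positional arguments (arg0..argN), not
# args->; tcp_v4_connect(sk, uaddr, addr_len) takes the sockaddr as arg1, which must be cast to
# sockaddr_in before sin_addr/sin_port exist. sin_port is in network byte order, so ntohs() is
# required (the original printed it raw). Struct layouts come from kernel BTF; a kernel without
# BTF needs the matching header include. IPv6 connects go through tcp_v6_connect/sockaddr_in6.
sudo bpftrace -e 'kprobe:tcp_v4_connect { $sa = (struct sockaddr_in *)arg1; printf("TCP CONNECT: %-6d %-16s to %s:%d\n", pid, comm, ntop($sa->sin_addr.s_addr), ntohs($sa->sin_port)); }'
# Track TCP send/receive bytes. tcp_sendmsg(sk, msg, size): the requested size is arg2.
# tcp_recvmsg's len argument is the caller's buffer size, not what arrived, so received bytes
# are taken from the kretprobe return value instead.
sudo bpftrace -e 'kprobe:tcp_sendmsg { @sent[comm] = sum(arg2); } kretprobe:tcp_recvmsg /retval > 0/ { @received[comm] = sum(retval); } interval:s:10 { print(@sent); print(@received); clear(@sent); clear(@received); }'
|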
DNS Query Monitoring
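| # Monitor DNS queries (UDP sendto() to port 53). The original filtered on a field that does not
# exist (args->usid); the destination is args->addr, cast to sockaddr_in. 13568 is merely htons(53)
# on little-endian hosts, so ntohs() is used instead, and the address is checked for NULL because
# sendto() on a connected socket passes no address. Only unconnected UDP sendto() is seen here:
# resolvers that connect() and then send()/sendmmsg(), and TCP/DoT/DoH lookups, do not appear.
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_sendto /args->addr != 0/ { $sa = (struct sockaddr_in *)args->addr; if ($sa->sin_family == 2 && ntohs($sa->sin_port) == 53) { printf("DNS QUERY: %-6d %-16s -> %s\n", pid, comm, ntop($sa->sin_addr.s_addr)); } }'
|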
💾 Memory and Resource Usage
Memory Allocation Tracking
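| # Monitor kmalloc/kfree activity via the kmem tracepoints. kprobe:kmalloc is unreliable (the
# symbol is inlined or spelled __kmalloc depending on kernel version), and the original
# `@live[comm] += retval` summed returned *pointer values*, not bytes. kfree carries no size,
# so live bytes cannot be derived from these two events alone; frees are counted instead.
sudo bpftrace -e 'tracepoint:kmem:kmalloc { @alloc_bytes[comm] = sum(args->bytes_alloc); } tracepoint:kmem:kfree { @frees[comm] = count(); } interval:s:5 { print(@alloc_bytes); print(@frees); clear(@alloc_bytes); clear(@frees); }'
# Track page faults (exceptions:page_fault_user is an x86-only tracepoint; on other architectures
# use the perf software event instead, e.g. software:faults:1 { @faults[comm] = count(); })
sudo bpftrace -e 'tracepoint:exceptions:page_fault_user { @faults[comm] = count(); } interval:s:10 { print(@faults); clear(@faults); }'
|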
CPU Usage Analysis
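| # Monitor CPU time by process (99 Hz samples across all CPUs; pid 0 is the idle task, which
# would otherwise dominate the output as swapper/N, so it is filtered out)
sudo bpftrace -e 'profile:hz:99 /pid != 0/ { @cpu[comm] = count(); } interval:s:5 { print(@cpu); clear(@cpu); }'
# Track context switches (how often each process is switched *out*, voluntary or preempted)
sudo bpftrace -e 'tracepoint:sched:sched_switch { @switches[args->prev_comm] = count(); } interval:s:10 { print(@switches); clear(@switches); }'
|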
🔒 Security and Audit
Privilege Escalation Monitoring
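| # Monitor setuid/setgid calls. kprobe:sys_setuid does not match the __x64_sys_* symbols on
# modern kernels, and kprobes expose positional arg0..argN rather than args->uid, so the syscall
# tracepoints are used. setresuid is included because it is commonly what privilege drops and
# su/sudo-style tools call; the caller's current uid/gid is printed next to the requested one.
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_setuid { printf("SETUID: %-6d %-16s uid=%d -> %d\n", pid, comm, uid, args->uid); } tracepoint:syscalls:sys_enter_setgid { printf("SETGID: %-6d %-16s gid=%d -> %d\n", pid, comm, gid, args->gid); } tracepoint:syscalls:sys_enter_setresuid { printf("SETRESUID: %-6d %-16s uid=%d -> %d/%d/%d\n", pid, comm, uid, args->ruid, args->euid, args->suid); }'
# Track capability checks (not "changes": cap_capable() runs on every permission check that
# involves a capability, so it fires constantly -- aggregate rather than printf per call).
# cap_capable(cred, ns, cap, opts): the capability number is arg2, e.g. 21 = CAP_SYS_ADMIN.
sudo bpftrace -e 'kprobe:cap_capable { @caps[comm, arg2] = count(); } interval:s:10 { print(@caps, 20); clear(@caps); }'
|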
File Permission Changes
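| # Monitor chmod/chown system calls. Modern libc and coreutils mostly issue the *at variants
# (fchmodat/fchownat), so chmod/chown alone miss most activity; lchown is added for symlinks.
# fchmod/fchown operate on an fd and carry no path, so they are not covered here. On arm64 the
# bare chmod/chown syscalls do not exist -- remove those probes there. uid identifies the actor.
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_chmod,tracepoint:syscalls:sys_enter_fchmodat { printf("CHMOD: %-6d %-16s uid=%d %s\n", pid, comm, uid, str(args->filename)); } tracepoint:syscalls:sys_enter_chown,tracepoint:syscalls:sys_enter_lchown,tracepoint:syscalls:sys_enter_fchownat { printf("CHOWN: %-6d %-16s uid=%d %s\n", pid, comm, uid, str(args->filename)); }'
|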
Latency Analysis
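| # Measure syscall latency (open/openat; modern libc issues openat, so open alone sees little).
# Enter/exit are paired by thread id; the histogram is in nanoseconds.
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_open,tracepoint:syscalls:sys_enter_openat { @start[tid] = nsecs; } tracepoint:syscalls:sys_exit_open,tracepoint:syscalls:sys_exit_openat /@start[tid]/ { @latency = hist(nsecs - @start[tid]); delete(@start[tid]); }'
# Block I/O latency (block-layer request issue -> complete, in nanoseconds). This is device
# latency, not per-file latency: reads served from the page cache never reach the block layer.
sudo bpftrace -e 'tracepoint:block:block_rq_issue { @start[args->dev, args->sector] = nsecs; } tracepoint:block:block_rq_complete /@start[args->dev, args->sector]/ { @latency = hist(nsecs - @start[args->dev, args->sector]); delete(@start[args->dev, args->sector]); }'
|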
Resource Contention
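| # Monitor mutex acquisitions by process and calling code. On a kprobe, `func` is always the probed
# function ("mutex_lock"), so keying on it added nothing; kstack(3) shows who took the lock.
# mutex_lock counts every acquisition, contended or not -- for real contention probe the slow path
# (kprobe:__mutex_lock_slowpath, where the kernel exports that symbol). On kernels built with
# CONFIG_DEBUG_LOCK_ALLOC the entry point is mutex_lock_nested instead.
sudo bpftrace -e 'kprobe:mutex_lock { @locks[comm, kstack(3)] = count(); } interval:s:5 { print(@locks, 20); clear(@locks); }'
|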
📊 Advanced One-Liners
Custom Metrics Collection
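| # Count specific error codes (errno values, as positive numbers, from failed open/openat calls;
# openat is what modern libc issues, so probing open alone under-counts)
sudo bpftrace -e 'tracepoint:syscalls:sys_exit_open,tracepoint:syscalls:sys_exit_openat /args->ret < 0/ { @errors[-args->ret] = count(); } interval:s:30 { print(@errors); clear(@errors); }'
# Histogram of bytes returned per read() call (per-call size, not file size)
sudo bpftrace -e 'tracepoint:syscalls:sys_exit_read /args->ret > 0/ { @filesize = hist(args->ret); } interval:s:60 { print(@filesize); clear(@filesize); }'
|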
Process Relationship Tracking
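| # Monitor fork/exec patterns. glibc implements fork() with clone()/clone3(), so the
# sys_enter_fork tracepoint almost never fires; sched:sched_process_fork sees every new task
# (threads included) whichever syscall created it, and sched:sched_process_exec reports the
# path the kernel actually executed, for execve and execveat alike.
sudo bpftrace -e 'tracepoint:sched:sched_process_fork { printf("FORK: %-6d %-16s -> child %d\n", args->parent_pid, args->parent_comm, args->child_pid); } tracepoint:sched:sched_process_exec { printf("EXEC: %-6d %-16s %s\n", pid, comm, str(args->filename)); }'
|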
🛠️ Practical Usage Examples
Investigating High CPU Usage
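| # Run for 30 seconds to identify CPU-intensive processes (idle task pid 0 excluded so swapper/N
# does not dominate; only the top 10 are printed before exiting)
sudo bpftrace -e 'profile:hz:99 /pid != 0/ { @cpu[comm] = count(); } interval:s:30 { print(@cpu, 10); exit(); }'
|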
Finding Slow File Operations
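| # Monitor file open latency for 60 seconds and report opens slower than 1 ms. The path is captured
# at sys_enter: args->filename does not exist at sys_exit, and a tracepoint's `args` is not a
# pt_regs, so the original `((struct pt_regs *)args)->di` read garbage. bpftrace has no floating
# point (`%.2f` and `/ 1000000.0` do not compile), so latency is printed as integer microseconds.
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_open,tracepoint:syscalls:sys_enter_openat { @start[tid] = nsecs; @file[tid] = str(args->filename); } tracepoint:syscalls:sys_exit_open,tracepoint:syscalls:sys_exit_openat /@start[tid]/ { $us = (nsecs - @start[tid]) / 1000; if ($us > 1000) { printf("Slow open (%d us): %-16s %s\n", $us, comm, @file[tid]); } delete(@start[tid]); delete(@file[tid]); } interval:s:60 { exit(); }'
|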
Security Audit Quick Check
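| # Quick security audit for 5 minutes. kprobe:sys_setuid is not a symbol on modern x86 kernels
# (the entry points are __x64_sys_setuid / __ia32_sys_setuid), so the syscall tracepoint is used;
# it also exposes the requested uid. Output goes to stdout only -- redirect it to a file if the
# run is meant to serve as evidence.
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_setuid { printf("[%s] SETUID(%d) by %s (%d) uid=%d\n", strftime("%H:%M:%S", nsecs), args->uid, comm, pid, uid); } kprobe:tcp_v4_connect { printf("[%s] TCP CONNECT by %s (%d)\n", strftime("%H:%M:%S", nsecs), comm, pid); } interval:s:300 { exit(); }'
|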
🧾 Summary
✅ Instant insights without writing full scripts
✅ Low overhead when probes are chosen with care — per-event printf on hot paths (sys_enter_*, cap_capable, kmalloc) can be costly on busy hosts; aggregate in maps and keep runs short
✅ Rich observability across system components
✅ Security monitoring capabilities
✅ Performance troubleshooting tools
🧾 See Also