tldr/pages/linux/bpftrace.md

# bpftrace

> High-level tracing language for Linux eBPF.
> More information: <https://github.com/bpftrace/bpftrace/blob/master/man/adoc/bpftrace.adoc>.

- Display bpftrace version:

`bpftrace {{[-V|--version]}}`

- List all available probes:

`sudo bpftrace -l`

- Run a one-liner program (e.g. syscall count by program):

`sudo bpftrace -e '{{tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }}}'`

- Run a program from a file:

`sudo bpftrace {{path/to/file}}`

- Trace a program by PID:

`sudo bpftrace -e '{{tracepoint:raw_syscalls:sys_enter /pid == 123/ { @[comm] = count(); }}}'`

- Do a dry run and display the output in eBPF format:

`sudo bpftrace -d -e '{{one_line_program}}'`
bpftrace: add page (#4702) 2020-10-17 16:47:18 -03:00			`# bpftrace`

			`> High-level tracing language for Linux eBPF.`
linux*: refresh old pages part 3 (#16264) 2025-04-27 10:57:41 +03:00			`> More information: <https://github.com/bpftrace/bpftrace/blob/master/man/adoc/bpftrace.adoc>.`
bpftrace: add page (#4702) 2020-10-17 16:47:18 -03:00
			`- Display bpftrace version:`

linux*: refresh old pages part 3 (#16264) 2025-04-27 10:57:41 +03:00			`bpftrace {{[-V\|--version]}}`
bpftrace: add page (#4702) 2020-10-17 16:47:18 -03:00
			`- List all available probes:`

			`sudo bpftrace -l`

*: fix errors reported by languagetool (#6069) 2021-08-15 19:59:09 +02:00			`- Run a one-liner program (e.g. syscall count by program):`
bpftrace: add page (#4702) 2020-10-17 16:47:18 -03:00
			`sudo bpftrace -e '{{tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }}}'`

			`- Run a program from a file:`

			`sudo bpftrace {{path/to/file}}`

			`- Trace a program by PID:`

			`sudo bpftrace -e '{{tracepoint:raw_syscalls:sys_enter /pid == 123/ { @[comm] = count(); }}}'`

			`- Do a dry run and display the output in eBPF format:`

			`sudo bpftrace -d -e '{{one_line_program}}'`