bpftrace
bpftrace is a high-level tracing language and tooling environment for Linux eBPF that supports dynamic, programmable observability of kernel and user-space behavior.
- High-level DTrace-like language for defining eBPF tracing programs (observability)
- Attaches to kernel and user-space probes, tracepoints, and performance events (systems monitoring)
- Runtime compilation of trace scripts into eBPF bytecode executed in the kernel (eBPF tooling)
- Interactive Command-Line Interface (CLI) with one-liners and script execution (developer tooling)
- Supports metrics aggregation, histograms, stack traces, and argument inspection for live systems analysis (performance diagnostics)
More About bpftrace
bpftrace is a tracing language and toolset built on top of eBPF (extended Berkeley Packet Filter) (observability), designed for inspecting and understanding the behavior of Linux systems in production and development environments. It targets the problem space of low-overhead, programmable observability by allowing users to write short, expressive scripts that are compiled to eBPF programs and run safely in the Linux kernel.
The bpftrace language (developer tooling) is inspired by DTrace and uses an AWK-like syntax focused on event-driven tracing. Scripts consist of probes, actions, and optional predicates. Probes bind to events such as kprobes and kretprobes for kernel function entry and exit, uprobes and uretprobes for user-space binaries, tracepoints for kernel-instrumented events, and hardware or software performance counters (systems monitoring). When events fire, bpftrace executes user-defined actions, such as printing arguments, collecting stack traces, or aggregating metrics in maps.
Under the hood, bpftrace relies on the Linux eBPF subsystem (kernel observability) to load and execute programs inside the kernel with verification and safety checks. It uses BPF maps to maintain state, counters, and histograms. Common built-in functions and helpers support tasks such as reading kernel or user memory, formatting output, and computing latency or frequency distributions. Users can run bpftrace one-liners directly from the command line for ad hoc analysis, or manage larger scripts stored as files for repeatable diagnostics workflows.
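The probe/predicate/action structure and the map-based aggregation described above, shown in one script. This is an added example, not code from the bpftrace project: the tracepoint names and builtins (comm, pid, uid, tid, nsecs, str(), hist()) are standard bpftrace, while the map names @start and @read_latency_us are chosen here; bpftrace releases before the args.field syntax use args->filename instead.

```bpftrace
#!/usr/bin/env bpftrace
// Added example (not part of the bpftrace project). Demonstrates the three
// parts of a bpftrace program: probe, optional predicate, action.

// Probe: kernel tracepoint fired when any process enters execve().
// Predicate: only report processes whose effective uid is not root.
// Action: print who executed what, in the style of an audit log.
tracepoint:syscalls:sys_enter_execve
/uid != 0/
{
    printf("%s (pid %d, uid %d) exec %s\n", comm, pid, uid, str(args.filename));
}

// Latency of read() per process: store the entry timestamp in a map keyed by
// thread id, then on return compute the delta and feed a log2 histogram.
tracepoint:syscalls:sys_enter_read
{
    @start[tid] = nsecs;
}

tracepoint:syscalls:sys_exit_read
/@start[tid]/
{
    @read_latency_us[comm] = hist((nsecs - @start[tid]) / 1000);
    delete(@start[tid]);
}

// On exit bpftrace prints all remaining maps; clear the scratch map so only
// the histogram is printed.
END
{
    clear(@start);
}
```

Run it as root with `bpftrace exec_read.bt` (any file name works) and stop with Ctrl-C; the execve lines stream as they happen, and the per-command read latency histogram is printed on exit. The same logic fits on the command line as a one-liner passed to `bpftrace -e`, which is the ad hoc mode the text mentions.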
In enterprise environments, bpftrace is used by site reliability engineers, platform teams, and performance engineers (operations tooling) to investigate latency, Central Processing Unit (CPU) usage, I/O patterns, and application behavior without requiring code changes or restarts. Because eBPF programs are verified by the kernel before loading and run with bounded overhead, bpftrace can observe live systems more safely than ad hoc kernel instrumentation. It is commonly used alongside existing logging and metrics systems to fill gaps where traditional observability tools lack detail, for example by tracing specific functions, syscalls, or stack paths.
bpftrace integrates with the broader eBPF ecosystem (Linux tooling), relying on standard kernel facilities such as BPF system calls, BPF Type Format (BTF) for type information when available, and existing probe mechanisms for attaching to events. Its scriptability and event coverage make it applicable across domains including performance tuning, debugging, capacity analysis, and security-oriented auditing. Within a technical directory, bpftrace is categorized as eBPF-based observability and tracing software for Linux, providing a programmable interface for kernel and user-space analysis.