Scripts · Apr 16, 2026 · 3 min read

BCC — eBPF Tracing and Performance Analysis Tools for Linux

A toolkit for creating efficient kernel tracing and manipulation programs using eBPF. BCC includes over 100 ready-to-use tools for performance analysis, networking, and security observability on Linux systems.

Introduction

BCC (BPF Compiler Collection) makes eBPF programs accessible to systems engineers and SREs. Instead of writing raw eBPF bytecode, you use Python or Lua frontends that compile C tracing programs on the fly. Created by Brendan Gregg and the IOVisor project, BCC is the foundation of modern Linux observability.

What BCC Does

  • Provides 100+ pre-built tools for CPU, memory, disk, network, and security tracing
  • Compiles eBPF C programs at runtime using LLVM/Clang and loads them into the kernel
  • Offers Python and Lua bindings for writing custom tracing and profiling scripts
  • Enables dynamic tracing of kernel functions (kprobes) and user-space functions (uprobes)
  • Powers histogram, stack trace, and latency analysis without modifying application code

Architecture Overview

BCC sits between user space and the Linux kernel's eBPF virtual machine. When you run a BCC tool, the Python frontend passes embedded C code to LLVM which compiles it to eBPF bytecode. The kernel verifier checks safety, then the program attaches to tracepoints, kprobes, or uprobes. Data flows from kernel to user space through eBPF maps (hash tables, ring buffers, arrays) which the Python layer reads and formats.
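The following is an added example, not one of BCC's own tools, that walks through exactly that path: a C program embedded in a Python script, compiled by BCC at runtime, attached to the syscalls:sys_enter_execve tracepoint, and shipping one record per exec() to user space through a perf buffer, where Python normalises it into a JSON log line for a SIEM and keeps a per-uid tally. Loading the program needs root and the bcc Python package (assumed installed as in the next section); the user-space helpers are pure Python and run without either. The record fields and the summarize() helper are this example's own choices, and bpf_probe_read_user_str assumes a 5.5+ kernel (older kernels use bpf_probe_read_str).

```python
#!/usr/bin/env python3
"""Added example: an execsnoop-style BCC script (not part of the BCC tool set)."""
import collections
import json
import sys

# C source that BCC hands to LLVM/Clang at runtime and loads as eBPF bytecode.
BPF_TEXT = r"""
#include <uapi/linux/ptrace.h>
#include <linux/sched.h>

#define ARGSIZE 128

struct event_t {
    u32 pid;
    u32 ppid;
    u32 uid;
    char comm[TASK_COMM_LEN];
    char filename[ARGSIZE];
};

BPF_PERF_OUTPUT(events);   // kernel -> user space channel (one ring buffer per CPU)

// Fires on every execve() entry; 'args' is the tracepoint's argument struct.
TRACEPOINT_PROBE(syscalls, sys_enter_execve) {
    struct event_t ev = {};
    struct task_struct *task = (struct task_struct *)bpf_get_current_task();

    ev.pid = bpf_get_current_pid_tgid() >> 32;
    ev.ppid = task->real_parent->tgid;
    ev.uid = bpf_get_current_uid_gid() & 0xffffffff;
    bpf_get_current_comm(&ev.comm, sizeof(ev.comm));
    // Assumes kernel 5.5+; on older kernels use bpf_probe_read_str().
    bpf_probe_read_user_str(&ev.filename, sizeof(ev.filename), args->filename);

    events.perf_submit(args, &ev, sizeof(ev));
    return 0;
}
"""


def _text(value):
    """Decode a NUL-terminated byte string from a ctypes char array."""
    if isinstance(value, bytes):
        return value.split(b"\0", 1)[0].decode("utf-8", errors="replace")
    return str(value)


def event_to_record(pid, ppid, uid, comm, filename):
    """Pure Python: normalise one exec event into a dict ready for JSON ingest."""
    return {"pid": int(pid), "ppid": int(ppid), "uid": int(uid),
            "comm": _text(comm), "filename": _text(filename)}


def format_line(record):
    """One JSON object per line, keys sorted so lines diff cleanly."""
    return json.dumps(record, sort_keys=True)


def summarize(records, top=5):
    """Most frequently executed paths per uid: [((uid, filename), count), ...]."""
    counts = collections.Counter((r["uid"], r["filename"]) for r in records)
    return counts.most_common(top)


def main():
    from bcc import BPF  # imported here so the helpers above work without bcc installed
    b = BPF(text=BPF_TEXT)  # compile + verifier + attach happen here
    records = []

    def handle(cpu, data, size):
        ev = b["events"].event(data)  # ctypes view of struct event_t
        rec = event_to_record(ev.pid, ev.ppid, ev.uid, ev.comm, ev.filename)
        records.append(rec)
        print(format_line(rec))

    b["events"].open_perf_buffer(handle)
    print("Tracing execve()... Ctrl-C to stop", file=sys.stderr)
    try:
        while True:
            b.perf_buffer_poll()
    except KeyboardInterrupt:
        for (uid, filename), n in summarize(records):
            print(f"uid={uid} {filename}: {n}", file=sys.stderr)


if __name__ == "__main__":
    main()
```

Run it as root (`sudo python3 execsnoop_example.py`). The lifetime of the kernel side is tied to the Python process: when it exits, the tracepoint is detached and the maps are freed, which is why no daemon or cleanup step is needed.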

Self-Hosting & Configuration

  • Install via package manager: apt install bpfcc-tools (Debian/Ubuntu) or dnf install bcc-tools (Fedora)
  • Requires Linux kernel 4.1+ with eBPF support (4.9+ recommended for full features)
  • Ensure linux-headers are installed matching the running kernel version
  • Tools are installed to /usr/share/bcc/tools/ or available as *-bpfcc commands
  • No daemon or configuration files needed; each tool runs standalone as root
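A pre-flight check for the prerequisites listed above, written for this page as an added example rather than taken from BCC: it parses the running kernel release, compares it against the 4.1 minimum and 4.9 recommendation, confirms that headers for that exact release are present under /lib/modules/<release>/build, and checks that the tool is running as root. The optional kernel-config check for CONFIG_BPF_SYSCALL goes beyond the page; that option name is a real kernel config symbol, but the page itself does not mention it. The severity labels and file locations searched are this example's own conventions.

```python
#!/usr/bin/env python3
"""Added example: check a host for the prerequisites BCC tools need."""
import gzip
import os
import re

MIN_KERNEL = (4, 1)          # eBPF support
RECOMMENDED_KERNEL = (4, 9)  # full feature set


def parse_release(release):
    """'5.10.0-23-amd64' -> (5, 10, 0); only the leading dotted numbers are used."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def load_kernel_config(release):
    """Set of CONFIG_* options built in (=y) or as modules (=m), or None if unreadable."""
    for path in (f"/boot/config-{release}", "/proc/config.gz"):
        opener = gzip.open if path.endswith(".gz") else open
        try:
            with opener(path, "rt") as f:
                return {line.split("=", 1)[0] for line in f
                        if line.endswith("=y\n") or line.endswith("=m\n")}
        except OSError:
            continue
    return None


def check_prereqs(release, headers_present, euid, config=None):
    """Pure function returning (severity, message) findings; an empty list means ready."""
    findings = []
    ver = parse_release(release)
    if ver < MIN_KERNEL:
        findings.append(("error", f"kernel {release} predates eBPF support (need 4.1+)"))
    elif ver < RECOMMENDED_KERNEL:
        findings.append(("warn", f"kernel {release} is older than 4.9; some BCC features are unavailable"))
    if not headers_present:
        findings.append(("error", f"no headers at /lib/modules/{release}/build; "
                                  "install linux-headers matching the running kernel"))
    if euid != 0:
        findings.append(("error", "BCC tools must run as root (or with CAP_SYS_ADMIN/CAP_BPF)"))
    if config is not None and "CONFIG_BPF_SYSCALL" not in config:
        findings.append(("error", "kernel config lacks CONFIG_BPF_SYSCALL"))
    return findings


def main():
    release = os.uname().release
    headers_present = os.path.isdir(f"/lib/modules/{release}/build")
    findings = check_prereqs(release, headers_present, os.geteuid(),
                             load_kernel_config(release))
    for severity, message in findings or [("ok", "host is ready for BCC tools")]:
        print(f"[{severity}] {message}")
    return 1 if any(s == "error" for s, _ in findings) else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The decision logic is kept in check_prereqs() so it can be unit-tested with constructed inputs; main() only gathers the live values from the host.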

Key Features

  • Zero-overhead when not active; near-zero overhead when tracing specific events
  • Pre-built tools cover common tasks: execsnoop, opensnoop, tcplife, biolatency, funccount
  • Custom scripts in Python give full access to kernel data structures and stack traces
  • Works on bare metal, VMs, and containers without kernel modules
  • Foundation for higher-level tools like bpftrace, Cilium, and Falco

Comparison with Similar Tools

  • bpftrace — Higher-level one-liner language; BCC offers more programmatic control
  • perf — Kernel profiler with sampling; BCC provides event-driven tracing with richer data
  • SystemTap — Requires kernel modules; BCC uses in-kernel eBPF VM for safety
  • DTrace — Inspired BCC's design; DTrace on Linux is less mature than BCC
  • Sysdig — Container-focused observability; BCC is lower-level and more flexible

FAQ

Q: Does BCC require a modified or custom kernel? A: No. BCC works with standard Linux kernels 4.1+ that have eBPF enabled, which includes all major distributions.

Q: What is the performance impact of running BCC tools? A: Minimal. eBPF programs run in a sandboxed kernel VM and only fire on traced events. Idle overhead is effectively zero.

Q: Can I use BCC inside Docker containers? A: Yes, with --privileged or specific capabilities (CAP_SYS_ADMIN, CAP_BPF). The host kernel headers must be accessible.

Q: Should I use BCC or bpftrace? A: Use bpftrace for quick ad-hoc one-liners. Use BCC when you need complex logic, custom data structures, or integration into larger Python scripts.
