# BCC — eBPF Tracing and Performance Analysis Tools for Linux

> A toolkit for creating efficient kernel tracing and manipulation programs using eBPF. BCC includes over 100 ready-to-use tools for performance analysis, networking, and security observability on Linux systems.

## Quick Use

```bash
sudo apt-get install bpfcc-tools linux-headers-$(uname -r)
sudo execsnoop-bpfcc      # trace new process execution
sudo opensnoop-bpfcc      # trace file opens
sudo biolatency-bpfcc     # block I/O latency histogram
```

## Introduction

BCC (BPF Compiler Collection) makes eBPF programs accessible to systems engineers and SREs. Instead of writing raw eBPF bytecode, you use Python or Lua frontends that compile C tracing programs on the fly. Developed under the IOVisor project, with many of its best-known tools written by Brendan Gregg, BCC is a foundation of modern Linux observability.

## What BCC Does

- Provides 100+ pre-built tools for CPU, memory, disk, network, and security tracing
- Compiles eBPF C programs at runtime using LLVM/Clang and loads them into the kernel
- Offers Python and Lua bindings for writing custom tracing and profiling scripts
- Enables dynamic tracing of kernel functions (kprobes) and user-space functions (uprobes)
- Powers histogram, stack trace, and latency analysis without modifying application code

## Architecture Overview

BCC sits between user space and the Linux kernel's eBPF virtual machine. When you run a BCC tool, the Python frontend passes embedded C code to LLVM/Clang, which compiles it to eBPF bytecode. The kernel verifier checks the program before it is loaded (every memory access must be provably valid and the program must terminate), then the program attaches to tracepoints, kprobes, or uprobes. Data flows from kernel to user space through eBPF maps (hash tables, ring buffers, arrays) which the Python layer reads and formats; aggregation can happen in the kernel so only summaries cross into user space.
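A complete custom tool in the shape just described, added here as an example (it is not one of BCC's own tools and not code from the project). It embeds the C program in a Python string, lets BCC compile, verify and attach it to the `syscalls:sys_enter_execve` tracepoint, and uses both data paths from the paragraph above: a perf buffer for per-event records and a hash map for an in-kernel aggregate. The user-space side flags execs from world-writable directories and shells spawned by network-facing services. The policy lists (`WRITABLE_DIRS`, `SHELLS`, `NETWORK_PARENTS`), the `preflight()` and `classify_exec()` helpers and the file name are constructed for this example; it assumes root, the `bcc` Python package (`python3-bpfcc` on Debian/Ubuntu), headers for the running kernel and a kernel with `bpf_probe_read_user_str()` (5.5+).

```python
"""execguard.py: a small BCC tool shaped like the Architecture Overview above.
Added example for this page, not one of BCC's own tools. Assumes root, the
`bcc` Python package (Debian/Ubuntu: python3-bpfcc), headers for the running
kernel, and a kernel with the sys_enter_execve tracepoint and
bpf_probe_read_user_str() (5.5+)."""
import os
import re
import sys

# Policy for the user-space side (constructed for this example; tune per fleet).
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
SHELLS = {"sh", "bash", "dash", "zsh", "python3", "perl"}
NETWORK_PARENTS = {"nginx", "apache2", "httpd", "php-fpm", "node"}
MIN_KERNEL = (4, 1)

# Kernel side: C that LLVM compiles at runtime and the verifier checks on load.
BPF_SOURCE = r"""
#include <linux/sched.h>

struct data_t {
    u32 pid;
    u32 ppid;
    char comm[TASK_COMM_LEN];
    char fname[128];
};

BPF_PERF_OUTPUT(events);     // one record per execve(), kernel -> user space
BPF_HASH(counts, u32, u64);  // aggregated in the kernel: execve() calls per parent

TRACEPOINT_PROBE(syscalls, sys_enter_execve) {
    struct data_t data = {};
    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
    data.pid = bpf_get_current_pid_tgid() >> 32;
    data.ppid = task->real_parent->tgid;  // BCC rewrites this into a probe read
    // At sys_enter the image is not yet replaced, so comm is still the name of
    // the process calling execve(), normally the parent that forked.
    bpf_get_current_comm(&data.comm, sizeof(data.comm));
    bpf_probe_read_user_str(&data.fname, sizeof(data.fname), args->filename);
    counts.increment(data.ppid);
    events.perf_submit(args, &data, sizeof(data));
    return 0;
}
"""

def kernel_version_tuple(release):
    """'5.15.0-91-generic' -> (5, 15, 0); tolerates distro suffixes."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return tuple(int(x or 0) for x in m.groups())

def preflight(release, headers_root="/lib/modules"):
    """Problems that would make BPF(text=...) fail; empty list means go."""
    problems = []
    if kernel_version_tuple(release)[:2] < MIN_KERNEL:
        problems.append(f"kernel {release} is older than 4.1")
    if not os.path.isdir(os.path.join(headers_root, release, "build", "include")):
        problems.append(f"no kernel headers under {headers_root}/{release}/build")
    return problems

def classify_exec(fname, comm):
    """Reasons an execve() looks suspicious; empty list means benign."""
    reasons = []
    if fname.startswith(WRITABLE_DIRS):
        reasons.append("exec from world-writable directory")
    if comm in NETWORK_PARENTS and os.path.basename(fname) in SHELLS:
        reasons.append(f"shell spawned by {comm}")
    return reasons

def main():
    problems = preflight(os.uname().release)
    if problems:
        sys.exit("preflight failed: " + "; ".join(problems))
    from bcc import BPF  # imported late so the helpers above work without bcc
    b = BPF(text=BPF_SOURCE)  # compile, verify, load, attach the tracepoint

    def handle_event(cpu, data, size):
        ev = b["events"].event(data)
        fname = ev.fname.decode(errors="replace")
        comm = ev.comm.decode(errors="replace")
        reasons = classify_exec(fname, comm)
        tag = "ALERT" if reasons else "     "
        print(f"{tag} {ev.ppid:>6} {ev.pid:>6} {comm:<16} {fname}  {'; '.join(reasons)}")

    b["events"].open_perf_buffer(handle_event)
    print("Tracing execve()... Ctrl-C to stop and print per-parent counts")
    try:
        while True:
            b.perf_buffer_poll()
    except KeyboardInterrupt:
        pass
    # The other data path: read the kernel-side hash map directly from Python.
    top = sorted(b["counts"].items(), key=lambda kv: kv[1].value, reverse=True)
    for k, v in top[:10]:
        print(f"ppid {k.value:>6}: {v.value} execve() calls")

if __name__ == "__main__":
    main()
```

Run it with `sudo python3 execguard.py` and trigger an event from another shell, for example `sh -c /bin/true` under a process named like one of `NETWORK_PARENTS`. One caveat for detection use: the file name is read at syscall entry from a user-space buffer, so a process can change that buffer after the probe reads it and before the kernel resolves the path. For an authoritative name, attach to the `sched:sched_process_exec` tracepoint, which fires after the exec has succeeded.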
## Self-Hosting & Configuration

- Install via package manager: `apt install bpfcc-tools` (Debian/Ubuntu) or `dnf install bcc-tools` (Fedora)
- Requires Linux kernel 4.1+ with eBPF support (4.9+ recommended for full features; some helpers and map types, such as BPF ring buffers, need 5.8+)
- Ensure `linux-headers` are installed matching the running kernel version: BCC compiles each program against `/lib/modules/$(uname -r)/build` at run time and fails to load it if the headers are missing or belong to a different kernel
- Tools are installed to `/usr/share/bcc/tools/` (Fedora and upstream builds) or available as `*-bpfcc` commands (Debian/Ubuntu)
- No daemon or configuration files needed; each tool runs standalone as root (or with `CAP_SYS_ADMIN`; on 5.8+ kernels `CAP_BPF` plus `CAP_PERFMON` is enough for tracing)

## Key Features

- No overhead when no program is loaded; when tracing, the cost is proportional to the event rate, so a probe on a hot path (every syscall, every scheduler switch) can be measurable while a probe on rare events is effectively free
- Pre-built tools cover common tasks: `execsnoop`, `opensnoop`, `tcplife`, `biolatency`, `funccount`
- Custom scripts in Python give full access to kernel data structures and stack traces
- Works on bare metal, VMs, and containers without kernel modules
- Foundation for higher-level tools like `bpftrace`, which links against libbcc; projects such as Cilium and Falco build on the same kernel eBPF facilities but not on BCC itself

## Comparison with Similar Tools

- **bpftrace** — Higher-level one-liner language; BCC offers more programmatic control
- **perf** — Kernel profiler built around sampling and recording tracepoints to a file; BCC runs custom logic in the kernel on every event and can aggregate there instead of post-processing a trace
- **SystemTap** — Classic SystemTap compiles scripts into loadable kernel modules; BCC programs run in the in-kernel eBPF VM and must pass the verifier before they load
- **DTrace** — Inspired BCC's design; DTrace on Linux is less mature than BCC
- **Sysdig** — Container-focused observability; BCC is lower-level and more flexible

## FAQ

**Q: Does BCC require a modified or custom kernel?**
A: No. BCC works with standard Linux kernels 4.1+ built with eBPF enabled (`CONFIG_BPF_SYSCALL=y`), which includes the stock kernels of all major distributions.

**Q: What is the performance impact of running BCC tools?**
A: Minimal for most tools. eBPF programs run in a sandboxed kernel VM and only fire on traced events, so idle overhead is effectively zero. Overhead grows with event frequency: a kprobe on a function called millions of times per second costs far more than tracing process execs, so measure hot-path probes before running them on production systems.

**Q: Can I use BCC inside Docker containers?**
A: Yes, with `--privileged` or specific capabilities (`CAP_SYS_ADMIN`, or `CAP_BPF` plus `CAP_PERFMON` on 5.8+). The host kernel headers (`/lib/modules` and `/usr/src`) and debugfs/tracefs (`/sys/kernel/debug`) must be bind-mounted into the container. Treat such a container as host-root-equivalent: a loaded eBPF program can read arbitrary kernel memory with `bpf_probe_read_kernel()`, so the container boundary does not limit what it can observe.

**Q: Should I use BCC or bpftrace?**
A: Use bpftrace for quick ad-hoc one-liners.
Use BCC when you need complex logic, custom data structures, or integration into larger Python scripts.

## Sources

- https://github.com/iovisor/bcc
- https://www.brendangregg.com/BPF/bpf-performance-tools-book.html

---

Source: https://tokrepo.com/en/workflows/5abb7410-398f-11f1-9bc6-00163e2b0d79
Author: Script Depot