Skills2026年4月16日·1 分钟阅读

BCC — eBPF Tracing and Performance Analysis Tools for Linux

A toolkit for creating efficient kernel tracing and manipulation programs using eBPF. BCC includes over 100 ready-to-use tools for performance analysis, networking, and security observability on Linux systems.

Agent 就绪

Agent 可直接安装

这个资产可安装;Agent 先选择当前运行时、检查安装计划,再运行匹配命令。

Native · 98/100策略:允许
Agent 入口
任意 MCP/CLI Agent
类型
Skill
安装
Single
信任
信任等级:Established
入口
BCC eBPF Tools
直接安装命令
npx -y tokrepo@latest install 5abb7410-398f-11f1-9bc6-00163e2b0d79 --target codex

先 dry-run 确认安装计划,再运行此命令。

TL;DR
BCC is a toolkit of 100+ eBPF-based tracing tools for Linux performance analysis, networking, and security observability.
§01

What it is

BCC (BPF Compiler Collection) is a toolkit for creating and using eBPF tracing programs on Linux. It includes over 100 ready-to-use tools for performance analysis, networking debugging, and security observability: trace new process execution, monitor file opens, measure disk I/O latency, sniff DNS queries, and more. All without kernel module compilation or system restarts.

BCC targets SREs, performance engineers, kernel developers, and security teams who need deep visibility into Linux system behavior at the kernel level.

§02

How it saves time or tokens

Traditional Linux debugging involves combining strace, perf, tcpdump, and custom scripts. Each tool covers one dimension. BCC provides purpose-built tools that answer specific questions immediately: which processes are consuming the most disk I/O, what syscalls are failing, which TCP connections have high latency. One command gives you answers that would take multiple tools and post-processing scripts.

§03

How to use

  1. Install BCC tools:
sudo apt-get install bpfcc-tools linux-headers-$(uname -r)
  1. Run built-in tools (requires root):
sudo execsnoop-bpfcc          # Trace new process execution
sudo opensnoop-bpfcc          # Trace file opens
sudo biolatency-bpfcc         # Disk I/O latency histogram
sudo tcpconnect-bpfcc         # Trace TCP connections
  1. Each tool outputs real-time data. Use Ctrl+C to stop and see summaries.
§04

Example

# Find which processes are doing the most disk I/O
sudo biotop-bpfcc

# Trace DNS queries
sudo dnssnoop-bpfcc

# Measure function latency in a running process
sudo funclatency-bpfcc -p $(pidof myapp) 'malloc'

# Count syscalls by process
sudo syscount-bpfcc -p $(pidof nginx)

Each command provides kernel-level insights with minimal overhead.

§05

Related on TokRepo

§06

Common pitfalls

  • BCC tools require root access and kernel headers. Missing kernel headers is the most common installation failure. Ensure linux-headers-$(uname -r) is installed.
  • eBPF programs run in kernel space. A buggy custom eBPF program can impact system stability. Stick to the pre-built tools unless you understand eBPF verification.
  • BCC has higher startup overhead than bpftrace because it compiles BPF programs at runtime. For frequently run tools, consider pre-compiled alternatives.

常见问题

Does BCC work on all Linux distributions?+

BCC works on Linux kernels 4.1+ with eBPF support. Most modern distributions (Ubuntu 18.04+, RHEL 8+, Debian 10+) include eBPF support. Older kernels may lack required eBPF features.

What is the difference between BCC and bpftrace?+

BCC provides Python and Lua APIs for writing eBPF programs plus 100+ pre-built tools. bpftrace is a higher-level tracing language for one-liners. Use BCC tools for ready-made analysis; use bpftrace for custom ad-hoc queries.

Does BCC add performance overhead?+

eBPF programs add minimal overhead because they run in the kernel with JIT compilation. The overhead is typically less than 1% for most tracing tools. However, high-frequency tracepoints can add measurable cost.

Can I write custom BCC tools?+

Yes. BCC provides Python and C APIs for writing custom eBPF programs. You write the eBPF code in C (runs in kernel) and the control logic in Python (runs in userspace).

Is BCC safe for production?+

Yes. The pre-built BCC tools are widely used in production at major companies. The eBPF verifier in the kernel ensures programs cannot crash the system. Always test custom tools in staging first.

引用来源 (3)

讨论

登录后参与讨论。
还没有评论,来写第一条吧。

相关资产