BCC is a toolkit for creating efficient kernel tracing and manipulation
BCC is a toolkit for creating efficient kernel tracing and manipulation
programs, and includes several useful tools and examples. It makes use of eBPF
programs, and includes several useful tools and examples. It makes use of
(Extended Berkeley Packet Filters), a new feature that was first added to
extended BPF (Berkeley Packet Filters), formally known as eBPF, a new feature
Linux 3.15. Much of what BCC uses requires Linux 4.1 and above.
that was first added to Linux 3.15. Much of what BCC uses requires Linux 4.1
and above.
eBPF was [described by](https://lkml.org/lkml/2015/4/14/232) Ingo Molnár as:
eBPF was [described by](https://lkml.org/lkml/2015/4/14/232) Ingo Molnár as:
> One of the more interesting features in this cycle is the ability to attach eBPF programs (user-defined, sandboxed bytecode executed by the kernel) to kprobes. This allows user-defined instrumentation on a live kernel image that can never crash, hang or interfere with the kernel negatively.
> One of the more interesting features in this cycle is the ability to attach eBPF programs (user-defined, sandboxed bytecode executed by the kernel) to kprobes. This allows user-defined instrumentation on a live kernel image that can never crash, hang or interfere with the kernel negatively.
BCC makes eBPF programs easier to write, with kernel instrumentation in C
BCC makes BPF programs easier to write, with kernel instrumentation in C
and a front-end in Python. It is suited for many tasks, including performance
(and includes a C wrapper around LLVM), and front-ends in Python and lua.
analysis and network traffic control.
It is suited for many tasks, including performance analysis and network
traffic control.
## Screenshot
## Screenshot
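Review bot: In the rewritten opening paragraph, "formally known as eBPF" reads like a slip for "formerly known as" or "also known as", and the wording should say which is meant. The next rewritten paragraph says "BCC makes BPF programs easier to write" while the sentence introducing the Ingo Molnár quote and the quote itself still say eBPF. Suggest choosing one term for the README, or stating once that the two are used interchangeably. In the same paragraph, "lua" should be capitalized as "Lua" to match "Python". The parenthetical "(and includes a C wrapper around LLVM)" also interrupts the list of front-ends and would read better as its own sentence.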
...
@@ -170,46 +172,10 @@ The features of this toolkit include:
...
@@ -170,46 +172,10 @@ The features of this toolkit include:
In the future, more bindings besides python will likely be supported. Feel free
In the future, more bindings besides python will likely be supported. Feel free
to add support for the language of your choice and send a pull request!
to add support for the language of your choice and send a pull request!
## Tutorial
## Tutorials
The BCC toolchain is currently composed of two parts: a C wrapper around LLVM,
-[docs/tutorial.md](docs/tutorial.md): Using bcc tools to solve performance, troubleshooting, and networking issues.
and a Python API to interact with the running program. Later, we will go into
-[docs/tutorial_bcc_python_developer.md](docs/tutorial_bcc_python_developer.md): Developing new bcc programs using the Python interface.
more detail of how this all works.
### Hello, World
First, we should include the BPF class from the bpf module:
```python
frombccimportBPF
```
Since the C code is so short, we will embed it inside the python script.
The BPF program always takes at least one argument, which is a pointer to the
context for this type of program. Different program types have different calling
conventions, but for this one we don't care so `void *` is fine.
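Review bot: The unchanged context sentence at the top of this hunk, "In the future, more bindings besides python will likely be supported", now conflicts with the new introduction, which already lists "front-ends in Python and lua". It should be reworded in this change, for example to say more bindings besides Python and Lua. The hunk also drops the inline "Hello, World" walkthrough, including the explanation that a BPF program takes a pointer to its context as its first argument, in favour of links to docs/tutorial.md and docs/tutorial_bcc_python_developer.md. Neither file is part of the visible diff, so please confirm that the removed material is covered there before the README stops carrying it. If the two new link lines really start with "-[" with no space after the dash, they will not render as a Markdown list and need "- [".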