OUR EXPERT
Mihalis Tsoukalos is a systems engineer and a technical writer. You can reach him at @mactsouk.
We’re continuing our dive into the notoriously complex Extended Berkeley Packet Filter (eBPF) feature of the Linux kernel. In this part we’ll be tackling processor monitoring and everything that involves. Bear in mind that you should read part one of this eBPF tutorial from the previous issue to learn how to enable eBPF and install the tools of the BCC project. Additionally, all commands discussed here need root privileges to be executed, which makes perfect sense because we’re working in kernel space.
We’ll be using the term observability in this series of tutorials, so let’s define it. Observability is about understanding a system by observing it, using sampling tools to trace it, rather than by modifying it. So, in this tutorial we’ll observe the CPU and its cores. We’ll begin by presenting a generic eBPF utility: bpftool.
Task listing
Let’s see how you can use bpftool for tracing active (loaded) BPF objects. This tool isn’t limited to CPU observability, but if you’re using eBPF a lot then it provides a handy way of knowing how you’re making use of eBPF on your Linux machine.
Running bpftool without any command line arguments displays a help screen. Here you can see the supported object types: prog, map, cgroup, perf, net, feature and btf. You can get a help screen for each one of them, for example with bpftool prog help. Each command can have subcommands. This section is going to use the prog object type only, which enables you to print the BPF commands of an eBPF program.
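As an added example (not code from the original article), the Python script below inventories loaded BPF programs by parsing the JSON that bpftool -j prog show prints and grouping the entries by program type. The SAMPLE data, the program names in it and the function names are constructed for illustration; the script falls back to SAMPLE when bpftool is missing or is not run as root.

```python
import json
import shutil
import subprocess
from collections import defaultdict

# Constructed sample shaped like `bpftool -j prog show` output (not from a real host).
SAMPLE = """[
 {"id": 6, "type": "cgroup_skb", "tag": "0000000000000001", "gpl_compatible": true,
  "loaded_at": 1700000000, "uid": 0, "bytes_xlated": 64, "jited": true},
 {"id": 41, "type": "kprobe", "name": "trace_entry", "tag": "0000000000000002",
  "gpl_compatible": true, "loaded_at": 1700000100, "uid": 0, "bytes_xlated": 528,
  "jited": true, "map_ids": [12, 13]},
 {"id": 42, "type": "kprobe", "name": "trace_return", "tag": "0000000000000003",
  "gpl_compatible": true, "loaded_at": 1700000100, "uid": 0, "bytes_xlated": 312,
  "jited": true, "map_ids": [12]},
 {"id": 57, "type": "tracepoint", "name": "sched_switch", "tag": "0000000000000004",
  "gpl_compatible": true, "loaded_at": 1700000200, "uid": 0, "bytes_xlated": 200,
  "jited": false, "map_ids": [20]}
]"""

def list_programs(use_bpftool=True):
    """Return loaded BPF programs as dicts; use SAMPLE if bpftool cannot be run."""
    if use_bpftool and shutil.which("bpftool"):
        try:
            result = subprocess.run(["bpftool", "-j", "prog", "show"],
                                    capture_output=True, text=True, check=True)
            return json.loads(result.stdout)
        except (OSError, subprocess.CalledProcessError, json.JSONDecodeError):
            pass  # typically: not root, so the kernel refuses to list programs
    return json.loads(SAMPLE)

def summarise(progs):
    """Group programs by type: count, translated bytes, names and referenced map ids."""
    summary = defaultdict(lambda: {"count": 0, "bytes_xlated": 0,
                                   "names": [], "map_ids": set()})
    for prog in progs:
        entry = summary[prog["type"]]
        entry["count"] += 1
        entry["bytes_xlated"] += prog.get("bytes_xlated", 0)
        # Programs loaded without a name have no "name" key in the JSON.
        entry["names"].append(prog.get("name", "<unnamed:%d>" % prog["id"]))
        entry["map_ids"].update(prog.get("map_ids", []))
    return dict(summary)

if __name__ == "__main__":
    for ptype, entry in sorted(summarise(list_programs()).items()):
        print("%-12s count=%d xlated=%dB names=%s maps=%s" % (
            ptype, entry["count"], entry["bytes_xlated"],
            ",".join(entry["names"]), sorted(entry["map_ids"])))
```
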