bpftrace/tools/syscount.bt at master · sushink70/bpftrace · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
#!/usr/bin/env bpftrace
// syscount.bt	Count system calls.
// 		For Linux, uses bpftrace, eBPF.
//
// USAGE: syscount.bt -- [--sysname]
//
// Example of usage:
//
// # ./syscount.bt
// Attaching 3 probes...
// Counting syscalls... Hit Ctrl-C to end.
// ^C
// Top 10 syscalls IDs:
// @syscall[6]: 36862
// @syscall[21]: 42189
// @syscall[13]: 44532
// @syscall[12]: 58456
// @syscall[9]: 82113
// @syscall[8]: 95575
// @syscall[5]: 147658
// @syscall[3]: 163269
// @syscall[2]: 270801
// @syscall[4]: 326333
//
// Top 10 processes:
// @process[rm]: 14360
// @process[tail]: 16011
// @process[objtool]: 20767
// @process[fixdep]: 28489
// @process[as]: 48982
// @process[gcc]: 90652
// @process[command-not-fou]: 172874
// @process[sh]: 270515
// @process[cc1]: 482888
// @process[make]: 1404065
//
// # ./syscount.bt -- --sysname
// Attached 3 probes
// Counting syscalls... Hit Ctrl-C to end.
// ^C
// Top 10 syscalls NAMEs:
// @syscallname[mprotect]: 110
// @syscallname[epoll_pwait]: 120
// @syscallname[recvmsg]: 135
// @syscallname[ioctl]: 167
// @syscallname[write]: 216
// @syscallname[gettid]: 243
// @syscallname[ppoll]: 339
// @syscallname[epoll_wait]: 420
// @syscallname[read]: 667
// @syscallname[futex]: 762
//
// Top 10 processes:
// @process[chrome]: 65
// @process[terminator]: 85
// @process[systemd-oomd]: 164
// @process[KMS thread]: 168
// @process[gdbus]: 184
// @process[containerd]: 242
// @process[Mutter Input Th]: 484
// @process[VizCompositorTh]: 558
// @process[gnome-shell]: 684
// @process[systemd-logind]: 714
//
// The above output was traced during a Linux kernel build, and the process name
// with the most syscalls was "make" with 1,404,065 syscalls while tracing. The
// highest syscall ID was 4, which is stat().
//
// This is a bpftrace version of the bcc tool of the same name.
// The bcc versions translates syscall IDs to their names, and this version
// currently does not. Syscall IDs can be listed by "ausyscall --dump".
// The bcc version provides different command line options.
//
// Copyright 2018 Netflix, Inc.
//
// 13-Sep-2018	Brendan Gregg	Created this.

BEGIN
{
  printf("Counting syscalls... Hit Ctrl-C to end.\n"); // ausyscall --dump | awk 'NR > 1 { printf("\t@sysname[%d] = \"%s\";\n", $1, $2); }'
}

tracepoint:raw_syscalls:sys_enter
{
  $sysname = getopt("sysname");

  if $sysname {
    @syscallname[syscall_name(args.id)] = count();
  } else {
    @syscall[args.id] = count();
  }
  @process[comm] = count();
}

macro display_map(description, @map)
{
  printf(description);
  print(@map, 10);
  clear(@map);
}

END
{
  $sysname = getopt("sysname");

  if $sysname {
    display_map("\nTop 10 syscalls NAMEs:\n", @syscallname);
  } else {
    display_map("\nTop 10 syscalls IDs:\n", @syscall);
  }

  display_map("\nTop 10 processes:\n", @process);
}