Introduction to BCC

This article refers to the following blog posts:

This article introduces the use of bcc/ebpf
to understand eBPF and the use of eBPF (super detailed)

Introduction to bcc program of ebpf

Thanks!

BCC (sometimes written as bcc) stands for BPF Compiler Collection. It is an open source project containing a compiler framework and libraries for building BPF software. It is the main front-end project for BPF (here and below, BPF means eBPF), supported by BPF developers, and is usually where the latest kernel tracing BPF plugins are first used. BCC also contains more than 70 ready-made BPF performance analysis and troubleshooting tools.

Any discussion of BCC has to mention eBPF. eBPF is part of the Linux trace framework (for an introduction to trace, please refer to the introduction to using Linux tracers). The trace framework lets us add hooks to kernel-mode and user-mode code, and it defines some preset hook functions that provide basic debugging capabilities. Where more flexible processing is required, eBPF can be used: it lets users write their own hook functions for tasks such as information filtering, statistics, and calculations.

BCC's github address is: https://github.com/iovisor/bcc .

The main page looks like this:

Let’s take a look at the introduction to BCC on the official website:

BCC is a toolkit for creating efficient kernel tracing and manipulation programs, and it includes several useful tools and examples. It uses Extended BPF (Berkeley Packet Filter), officially known as eBPF, a new feature first added in Linux 3.15. Much of what BCC uses requires Linux 4.1 and above.

BCC makes BPF programs easier to write, with kernel instrumentation written in C (BCC includes a C wrapper around LLVM) and front ends in Python and Lua. It is suitable for many tasks, including performance analysis and network traffic control.
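To make the C-in-kernel / Python-front-end split concrete, here is an added example (not from the original article or the BCC project) that counts `execve()` calls per UID, a common starting point for process-execution monitoring. The names `exec_count`, `trace_execve`, `summarize` and `read_counts` are hypothetical; running `main()` assumes root privileges and an installed BCC Python binding.

```python
#!/usr/bin/env python3
"""Count execve() calls per UID with a kprobe (needs root and BCC to run main())."""
import time

# Kernel side: restricted C that BCC compiles through LLVM and loads as eBPF.
BPF_PROGRAM = r"""
BPF_HASH(exec_count, u32, u64);   // key: UID, value: number of execve() calls

int trace_execve(struct pt_regs *ctx) {
    u32 uid = bpf_get_current_uid_gid() & 0xffffffff;  // low 32 bits hold the UID
    exec_count.increment(uid);    // the statistic is kept in a kernel map
    return 0;
}
"""


def summarize(counts, top=10):
    """Return (uid, count) pairs, busiest first; ties are broken by UID."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def read_counts(table):
    """Convert a BCC hash table (ctypes keys and values) into a plain dict."""
    return {k.value: v.value for k, v in table.items()}


def main(interval=5):
    from bcc import BPF           # imported here so the helpers work without BCC
    b = BPF(text=BPF_PROGRAM)
    # Hook the execve syscall entry; the symbol name differs between kernels.
    b.attach_kprobe(event=b.get_syscall_fnname("execve"), fn_name="trace_execve")
    table = b["exec_count"]
    try:
        while True:
            time.sleep(interval)
            for uid, n in summarize(read_counts(table)):
                print(f"uid={uid:<6} execve={n}")
            print("--")
            table.clear()         # start a fresh counting window
    except KeyboardInterrupt:
        pass


if __name__ == "__main__":
    main()
```

Only the per-UID counters cross from kernel to user space, so the filtering and aggregation cost stays inside the hook.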

The overview diagram of BCC is as follows:


Origin blog.csdn.net/phmatthaus/article/details/133078003