
I've been looking for a while for a way to capture all file opens and network ops to profile unknown production workloads similar to proc. explorer on Windows, which I believe is implemented using ETW. Unfortunately strace seems to be out of the question purely because of the performance impact. Is the performance impact due to strace or ptrace itself?



It's ptrace itself: every traced syscall requires at least one (but usually 3-4) ptrace(2) calls, plus scattered wait(2)/waitpid(2) calls depending on the operation.

If you want to capture events like file opens and network traffic, I'd take a look at eBPF or the Linux Audit Framework.
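Added example, not part of any comment in this thread: a minimal strace-style tracer in C that counts its own ptrace(2) and waitpid(2) calls per traced syscall, to make the overhead described in the answer above measurable. The names `trace_cost` and `trace_child` are hypothetical, and reading registers with `PTRACE_GETREGSET` is assumed here as a stand-in for the decoding work a real tracer does at each stop.

```c
#include <elf.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

struct trace_cost { long stops, ptrace_calls, wait_calls; };

/* Trace a child that makes n getppid() syscalls and count the tracer's own
 * calls. Returns 0 on success, -1 if ptrace is unavailable or fails. */
int trace_child(int n, struct trace_cost *c)
{
    int status;
    unsigned char regs[512];              /* holds x86-64 or arm64 registers */
    struct iovec iov = { regs, sizeof regs };
    pid_t pid = fork();
    c->stops = c->ptrace_calls = c->wait_calls = 0;
    if (pid < 0) return -1;
    if (pid == 0) {                       /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, 0L, 0L) < 0) _exit(1);
        raise(SIGSTOP);                   /* park until the tracer takes over */
        for (int i = 0; i < n; i++) getppid();
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    if (ptrace(PTRACE_SETOPTIONS, pid, 0L, (long)PTRACE_O_TRACESYSGOOD) < 0) goto fail;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, 0L, 0L) < 0) goto fail;  /* run to next stop */
        if (waitpid(pid, &status, 0) < 0) goto fail;
        c->ptrace_calls++; c->wait_calls++;
        if (WIFEXITED(status) || WIFSIGNALED(status)) return 0;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;     /* not a syscall stop */
        if (ptrace(PTRACE_GETREGSET, pid, (long)NT_PRSTATUS, &iov) < 0) goto fail;
        c->ptrace_calls++; c->stops++;    /* register read, needed to decode the call */
    }
fail:
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    return -1;
}

int main(void)
{
    struct trace_cost a, b;               /* baseline vs. 1000 extra syscalls */
    if (trace_child(0, &a) || trace_child(1000, &b)) return 1;
    printf("per syscall: %.1f ptrace(2) calls, %.1f waitpid(2) calls\n",
           (b.ptrace_calls - a.ptrace_calls) / 1e3, (b.wait_calls - a.wait_calls) / 1e3);
}
```

Subtracting the baseline run removes the stops caused by process startup and exit, so the difference is the cost of the extra syscalls alone: two stops (entry and exit) for every syscall the tracee makes.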


I recommend bpftrace as an entry point to working with bpf:

https://github.com/iovisor/bpftrace


This is really cool. Unfortunately the 4.x kernel requirement wouldn't work for the majority of my work since RHEL is still on 3 :|


If you have RHEL 7.6 or later, you have bpf.



