Demonstrations of threadsnoop, the Linux bpftrace/eBPF version.
Tracing new threads via phtread_create():
# ./threadsnoop.bt
Attaching 2 probes...
TIME PID COMM FUNC
10:20:31.938572 28549 dockerd threadentry
10:20:31.939213 28549 dockerd threadentry
10:20:31.939405 28549 dockerd threadentry
10:20:31.940642 28549 dockerd threadentry
10:20:31.949060 28549 dockerd threadentry
10:20:31.958319 28549 dockerd threadentry
10:20:31.939152 28549 dockerd threadentry
10:20:31.950978 28549 dockerd threadentry
10:20:32.013269 28579 docker-containe 0x562f30f2e710
10:20:32.036764 28549 dockerd threadentry
10:20:32.083780 28579 docker-containe 0x562f30f2e710
10:20:32.116738 629 systemd-journal 0x7fb7114955c0
10:20:32.116844 629 systemd-journal 0x7fb7114955c0
[...]
The output shows a dockerd process creating several threads with the start
routine threadentry(), and docker-containe (truncated) and systemd-journal
also starting threads: in their cases, the function had no symbol information
available, so their addresses are printed in hex.
|