stacksnoop - Print kernel stack traces for kernel functions. Uses Linux
stacksnoop [-h] [-p PID] [-s] [-v] function
stacksnoop traces a given kernel function and for each call, prints the kernel
stack back trace for that call. This shows the ancestry of function calls, and
is a quick way to investigate low frequency kernel functions and their cause.
For high frequency kernel functions, see stackcount.
This tool only works on Linux 4.6+. Stack traces are obtained using the new
BPF_STACK_TRACE APIs. For kernels older than 4.6, see the version under
CONFIG_BPF and bcc.
- -h
- Print usage message.
- -s
- Show address offsets.
- -v
- Print more fields.
- -p PID
- Trace this process ID only (filtered in-kernel).
- function
- Kernel function name.
- Print kernel stack traces for each call to ext4_sync_fs:
    # stacksnoop ext4_sync_fs
- Also show the symbol offsets:
    # stacksnoop -s ext4_sync_fs
- Show extra columns:
    # stacksnoop -v ext4_sync_fs
- Only trace when PID 185 is on-CPU:
    # stacksnoop -p 185 ext4_sync_fs
- Time of the call, in seconds.
- Kernel stack trace. The first column shows "ip" for instruction pointer,
  and "r#" for each return pointer in the stack. The second column is the
  stack trace as hexadecimal. The third column is the translated kernel
  symbol names.
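
Added example, not part of the bcc distribution: a Python parser for captured stacksnoop output in the three-column frame layout described above, which groups frames into traces and counts identical call paths. The whitespace separators, the leading time column on each line, the "+0x.." offset suffix and the sample text are assumptions constructed for illustration.

```python
import re
from collections import Counter

# One frame as described above: "ip" or "r#" label, hex address, symbol name.
# Assumed layout: whitespace-separated, optional leading time column, and
# an optional "+0x.." offset suffix on the symbol when -s is used.
FRAME_RE = re.compile(r"\b(ip|r\d+):\s+([0-9a-fA-F]+)\s+(\S+)")

def parse_stacks(text):
    """Return a list of stacks; each is [(label, addr, symbol), ...], innermost first."""
    stacks, current = [], None
    for line in text.splitlines():
        m = FRAME_RE.search(line)
        if not m:
            continue  # blank line or unrelated text
        label, addr, sym = m.group(1), int(m.group(2), 16), m.group(3)
        if label == "ip":
            current = []  # an "ip" frame starts a new trace
            stacks.append(current)
        elif current is None:
            continue  # return frame before any "ip": capture began mid-trace
        current.append((label, addr, sym.split("+")[0]))
    return stacks

def count_call_paths(stacks):
    """Count identical call paths, written outermost caller first."""
    return Counter(" -> ".join(s for _, _, s in reversed(st)) for st in stacks)

# Constructed sample (addresses and timings are made up).
SAMPLE = """\
0.999990 r2: ffffffff81000040 sys_sync
1.000100 ip: ffffffff81000010 ext4_sync_fs
1.000100 r0: ffffffff81000020 sync_fs_one_sb
1.000100 r1: ffffffff81000030 iterate_supers
1.000100 r2: ffffffff81000040 sys_sync
2.500000 ip: ffffffff81000011 ext4_sync_fs+0x1
2.500000 r0: ffffffff81000025 sync_fs_one_sb+0x5
2.500000 r1: ffffffff81000038 iterate_supers+0x8
2.500000 r2: ffffffff81000044 sys_sync+0x4
3.750000 ip: ffffffff81000010 ext4_sync_fs
3.750000 r0: ffffffff81000050 sync_filesystem
3.750000 r1: ffffffff81000060 generic_shutdown_super
"""

if __name__ == "__main__":
    for path, n in count_call_paths(parse_stacks(SAMPLE)).most_common():
        print(n, path)
```
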
This can have significant overhead if frequently called functions (> 1000/s)
are traced, and is only intended for low frequency function calls. This is
because details, including the stack trace, for every call are passed to user
space and processed. See stackcount for higher frequency calls, which performs
This is from bcc.
Also look in the bcc distribution for a companion _examples.txt file containing
example usage, output, and commentary for this tool.
Unstable - in development.