While bcc still requires writing BPF programs, bpftrace is a higher-level tool that reuses features offered by bcc in order to provide a simple command-line tool for tracing with BPF.
The reference guide for bpftrace provides exhaustive documentation about the syntax of the tool and the built-in functions and variables.
List all probes supported by bpftrace.
# bpftrace -l | less
Note the software perf events, the hardware counters, the tracepoints and the kprobes. bpftrace obviously cannot know about every possible user-space probe (uprobe), so it lists none.
List the probes related to BPF tracepoints in the kernel.
# bpftrace -l "tracepoint:bpf*"
Launch the bpftrace version of opensnoop.
# bpftrace -e 'kprobe:do_sys_open { printf("%d - %s: %s\n", pid, comm, str(arg1)) }'
Edit the previous command to print only when open() is used on file /etc/shadow.
Trace all processes executed by a non-root user.
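One way to solve the two exercises above, written as an added example rather than code from the original page or from the bpftrace project: the first probe is the page's do_sys_open one-liner with a filter on the filename argument, the second uses the execve syscall tracepoint with a filter on the uid builtin. It assumes a root shell and a kernel where do_sys_open is reached for open()/openat() calls; on recent kernels the open path may go through do_sys_openat2 instead, in which case the syscalls:sys_enter_openat tracepoint named in the comment is the portable choice.

```bpftrace
// Added example (not from the original page): both lab exercises in one script.
// Run as root:  bpftrace shadow_exec.bt

BEGIN
{
	printf("Tracing /etc/shadow opens and execs by non-root users... Hit Ctrl-C to end.\n");
}

// Exercise 1: the page's opensnoop probe, filtered to a single file.
// arg1 of do_sys_open(int dfd, const char *filename, ...) is the path.
// On kernels where this probe does not fire for openat(), use instead:
//   tracepoint:syscalls:sys_enter_openat /str(args->filename) == "/etc/shadow"/
kprobe:do_sys_open
/str(arg1) == "/etc/shadow"/
{
	printf("OPEN  pid=%d uid=%d comm=%s file=%s\n", pid, uid, comm, str(arg1));
}

// Exercise 2: every exec by a non-root user, with the program being started.
// uid is a bpftrace builtin (real uid of the calling task); 0 is root.
tracepoint:syscalls:sys_enter_execve
/uid != 0/
{
	printf("EXEC  pid=%d uid=%d comm=%s file=%s\n", pid, uid, comm, str(args->filename));
}
```

Each probe body can equally be passed to `bpftrace -e '...'` as a one-liner; the filter between slashes is evaluated in the kernel, so events that do not match are dropped before any output reaches user space, which keeps the overhead low when the matching file is rarely touched.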
Besides the reference guide, there is a tutorial for one-liners with bpftrace that provides additional commands to try. Totally worth a read. Let's draw histograms!