Identify the Most Time‑Consuming Process Functions with eBPF

Part 1: Basic Concepts

Dynamic tracing (Dynamic Tracing) is an advanced kernel debugging technique that lets you observe which operations the kernel is executing and which events occur. By attaching probes, the kernel can collect data about these operations with minimal performance overhead.

Because the overhead is low, rich runtime information can be gathered quickly, enabling fast analysis, troubleshooting, and problem discovery.

Performance Counters

The perf_event_open() system call creates a performance monitoring counter. By configuring different parameters, the counter can be set to track various software or hardware events. Each time the specified event occurs, the counter increments automatically.

After N events, the counter generates an overflow interrupt. The interrupt handler records information such as the instruction address and the current process ID into a buffer; this collection is called a sample .

The overflow callback function overflow_handler is invoked, and in this example the callback is an eBPF program attached to the counter. The eBPF program processes each sample to determine which process and which function consumed the most time.

Part 2: Video Explanation

A video walkthrough is provided for further clarification. Viewers with questions can contact the author.