Mastering strace, perf, and eBPF [2026 Cheat Sheet]

Dillip Chowdary
Tech Entrepreneur & Innovator · April 22, 2026 · 12 min read

Bottom Line

Linux observability follows a hierarchy: use strace for deep syscall inspection, perf for CPU profiling, and eBPF for production-safe, system-wide monitoring with sub-1% overhead.

Key Takeaways

  • strace -c is the fastest way to generate a syscall summary to identify which kernel calls are bottlenecking your app.
  • perf record -g enables call-graph recording, essential for generating FlameGraphs to visualize CPU hotspots.
  • eBPF-top (bpftop) provides real-time visibility into kernel function latency without the 10x overhead of strace.
  • Always use strace -p on running processes rather than starting them under strace to avoid initialization noise.
  • Data hygiene is critical: use tools like the Data Masking Tool when sharing strace logs containing sensitive env vars.

Debugging Linux systems in 2026 requires a tiered approach: starting with high-level syscall tracing via strace, moving to sampling-based profiling with perf, and finally leveraging the near-zero overhead of eBPF. This cheat sheet provides a consolidated reference for the most effective CLI flags, keyboard shortcuts, and filtering strategies to diagnose bottlenecks in production environments without crashing your kernel or causing significant latency spikes.

Tool Selection Matrix

Choosing the wrong tool can slow down your application or provide misleading data. Use this matrix to select the right probe for your specific debugging scenario.

Capability          strace              perf               eBPF / bpftop   Edge
Overhead            High (10x - 100x)   Low (Sampling)     Near Zero       eBPF
Data Detail         Every Syscall       CPU Instructions   Programmable    strace
Production Safety   Risky               Safe               Very Safe       eBPF
Usage Ease          Easy                Moderate           Expert          strace

Bottom Line

Use strace for granular per-process logic validation (e.g., 'Why is this file not opening?'), perf for CPU-bound performance tuning, and eBPF for system-wide observability in high-traffic production clusters.

strace: The Syscall Surgeon

strace intercepts and records the system calls which are called by a process and the signals which are received by a process. It is the first tool to reach for when an application is behaving unexpectedly.

Essential Flags

  • -c: Count time, calls, and errors for each system call and report a summary on program exit.
  • -e trace=file: Trace only system calls that take a filename as an argument (e.g., open, stat, chmod).
  • -e trace=network: Trace all network-related system calls.
  • -p [PID]: Attach to a running process.
  • -f: Follow child processes created by fork and vfork.
  • -o [file]: Write the trace output to a file instead of stderr.

# Find out why a process is hanging
strace -p 1234 -T -tt -yy

# Summarize syscall overhead
strace -cp 1234

# Trace specific syscalls with timestamps
strace -e trace=open,connect -t -f ./my_app

Pro tip: When debugging logs that might contain sensitive customer IDs or API keys, pass your output through the Data Masking Tool before uploading to a shared Slack channel or GitHub issue.

perf: The Performance Profiler

perf is the standard Linux profiler. It interfaces with the Performance Monitoring Unit (PMU) in your CPU and kernel tracepoints to sample events.

Common Workflows

  • perf stat: Provides a quick overview of CPU performance counters (instructions per cycle, cache misses).
  • perf top: Real-time view of functions consuming the most CPU cycles across the entire system.
  • perf record: Samples the system and saves data to perf.data for later analysis.
  • perf report: Analyzes the perf.data file generated by perf record.

# Record CPU profile for 30 seconds across all CPUs with call graphs
perf record -F 99 -a -g -- sleep 30

# View the results as plain text (drop --stdio to get the interactive TUI instead)
perf report -n --stdio

# Check for L1 cache misses
perf stat -e L1-dcache-load-misses ./my_heavy_app

eBPF-top & bpftrace: Modern Observability

eBPF (Extended Berkeley Packet Filter) allows you to run sandboxed programs in the Linux kernel without changing kernel source code or loading kernel modules. Tools like bpftop (ebpf-top) leverage this for real-time monitoring.

bpftrace One-Liners

  1. Tracing file opens: bpftrace -e 'kprobe:do_sys_open { printf("%s: %s\n", comm, str(arg1)); }'
  2. Syscall count by process: bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'
  3. Disk latency histogram: bpftrace -e 'kprobe:vfs_read { @start[tid] = nsecs; } kretprobe:vfs_read /@start[tid]/ { @ns = hist(nsecs - @start[tid]); delete(@start[tid]); }'

Watch out: While eBPF is low overhead, complex bpftrace scripts can still consume CPU cycles if they hook into high-frequency events like context-switch or every single packet-in on a 10Gbps link.

Essential Keyboard Shortcuts

Use these shortcuts while running perf top or bpftop to navigate the data effectively.

Shortcut   Action (perf top)                  Action (bpftop)
h          Display help menu                  Display help menu
E          Expand/Collapse all nodes          Sort by Event count
a          Annotate symbol (shows assembly)   Analyze program details
/          Filter symbols by string           Filter programs
q          Quit                               Quit

Advanced Filtering & Search

To find the needle in the haystack, you must master filtering. In strace, the -e flag is your best friend.

# Only show syscalls that took longer than 100ms (-T appends <seconds> to each line;
# split on both brackets so the timing is always the second-to-last field, and skip
# lines such as signals and exit status that carry no timing at all)
strace -T -e trace=all ./app 2>&1 | awk -F'[<>]' 'NF > 1 && $(NF-1)+0 > 0.1'

# Filter perf report to show only your application's shared library
perf report --dsos=libmymath.so

# Trace only write() calls that return an error (-e status=failed needs strace >= 5.2;
# -Z is the short form). Note that -e fault=... would inject errors, not filter for them.
strace -e trace=write -e status=failed ./app
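As an added example that is not part of the original post, the same kind of after-the-fact filtering applied to a saved strace -T -tt -f log: a latency threshold, a failed-only filter equivalent to -e status=failed, and a per-syscall time total. The log lines are constructed for the example, and the function names are the example's own.

```shell
# Constructed sample of `strace -T -tt -f` output (not a real capture). Each
# syscall line ends with its wall time as <seconds>; the signal and exit lines
# carry no timing, and one write() argument contains '<' and '>' on purpose.
SAMPLE='[pid  1234] 10:00:00.000100 openat(AT_FDCWD, "/etc/app.conf", O_RDONLY) = 3 <0.000045>
[pid  1234] 10:00:00.000300 read(3, "key=value\n", 4096) = 10 <0.000012>
[pid  1234] 10:00:00.000400 connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("10.0.0.5")}, 16) = -1 ECONNREFUSED (Connection refused) <0.250321>
[pid  1234] 10:00:00.251000 write(1, "<tag>hello</tag>\n", 17) = 17 <0.000020>
[pid  1234] 10:00:00.251200 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1235, si_status=0} ---
[pid  1234] 10:00:00.251300 poll([{fd=5, events=POLLIN}], 1, 1000) = 0 (Timeout) <1.000503>
[pid  1234] 10:00:01.252000 openat(AT_FDCWD, "/secret/key.pem", O_RDONLY) = -1 EACCES (Permission denied) <0.000030>
[pid  1234] 10:00:01.252100 +++ exited with 0 +++'

# Print syscalls slower than $1 seconds. Splitting on both '<' and '>' makes the
# timing the second-to-last field even when an argument itself contains '<'/'>';
# lines without a timing bracket have NF == 1 and are skipped.
slow_syscalls() {
  awk -F'[<>]' -v thr="$1" 'NF > 1 && $(NF-1)+0 > thr'
}

# After-the-fact equivalent of `strace -Z` / `-e status=failed`: keep lines
# whose return value is -1 followed by an errno name.
failed_syscalls() {
  grep -E ' = -1 E[A-Z0-9]+'
}

# Sum wall time per syscall name, slowest first (a rough `strace -c` over a log).
time_by_syscall() {
  awk -F'[<>]' 'NF > 1 {
      line = $1
      sub(/^\[pid +[0-9]+\] /, "", line)   # drop the -f pid prefix
      sub(/^[0-9:.]+ /, "", line)           # drop the -tt timestamp
      name = line; sub(/\(.*/, "", name)    # keep the syscall name only
      total[name] += $(NF-1)
    }
    END { for (n in total) printf "%s %.6f\n", n, total[n] }' | sort -k2 -rn
}

printf '%s\n' "$SAMPLE" | slow_syscalls 0.1
printf '%s\n' "$SAMPLE" | failed_syscalls
printf '%s\n' "$SAMPLE" | time_by_syscall
```

Replace the printf of SAMPLE with `cat trace.log` to run the same filters over a real log written with strace -o.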

Frequently Asked Questions

Does strace slow down the application I am tracing?
Yes, significantly. strace uses the ptrace system call, which forces a context switch for every single system call the target process makes. This can result in a 10x to 100x performance penalty, making it unsuitable for timing-sensitive production bugs.

How do I create a FlameGraph from perf data?
First, record with stack traces: perf record -g -a. Then, use the FlameGraph scripts: perf script | stackcollapse-perf.pl | flamegraph.pl > output.svg. This allows you to visualize call paths and identify 'hot' functions visually.

What is the difference between kprobes and tracepoints in eBPF?
kprobes (kernel probes) can be placed on almost any instruction in the kernel, but they are unstable and may change between kernel versions. tracepoints are static hooks placed by kernel developers; they are stable and guaranteed to work across versions, but there are fewer of them.

Can I use these tools inside a Docker container?
Yes, but you usually need to run the container with --cap-add=SYS_PTRACE for strace or --cap-add=SYS_ADMIN for perf and eBPF. Alternatively, you can run the tools from the host machine using the process ID (PID) of the containerized process.
