Demonstrations of threadsnoop, the Linux BCC/eBPF version.


Tracing new threads via phtread_create():

# ./threadsnoop
Attaching 2 probes...
TIME(ms)   PID    COMM             FUNC
1938       28549  dockerd          threadentry
1939       28549  dockerd          threadentry
1939       28549  dockerd          threadentry
1940       28549  dockerd          threadentry
1949       28549  dockerd          threadentry
1958       28549  dockerd          threadentry
1939       28549  dockerd          threadentry
1950       28549  dockerd          threadentry
2013       28579  docker-containe  0x562f30f2e710L
2036       28549  dockerd          threadentry
2083       28579  docker-containe  0x562f30f2e710L
2116       629    systemd-journal  0x7fb7114955c0L
2116       629    systemd-journal  0x7fb7114955c0L
[...]

The output shows a dockerd process creating several threads with the start
routine threadentry(), and docker-containe (truncated) and systemd-journal
also starting threads: in their cases, the function had no symbol information
available, so their addresses are printed in hex.