A quick start (beginners guide) on system tap and its usage!!

Yes, instead of pointing to urls which slowly conclude the things, I will give a quick start here:

Why a quick start/read:? 

At times it is not a good choice for some people  to go and read all the document and get it done, rather they would  like to know the basic syntax/usage and a quick overview, so the post 🙂

The system tap scripts mainly composed with below notation:

probe <event> <handler>

Probes may be broadly classified into “synchronous” and “asynchronous”.  A “synchronous” event is deemed to occur when any processor exe‐
cutes an instruction matched by the specification.  This gives these probes a reference point (instruction address) from which more  con‐
textual data may be available.  Other families of probe points refer to “asynchronous” events such as timers/counters rolling over, where
there is no fixed reference point that is related.  Each probe point specification may match multiple locations (for example, using wild‐
cards  or  aliases),  and  all them are then probed.  A probe declaration may also contain several comma-separated specifications, all of
which are probed.

EVENT can be any of the following type..
kernel.function or kernel.statement
(tapset) aliases


filtering/conditionals ( if.. next)
control structures (foreach, while)
Helper functions: pid,execname, log

Below are examples of ‘valid’ probe points..

              kernel.function(“no_such_function”) ?
              module(“awol”).function(“no_such_function”) !
              signal.*? if (switch)

For ex:

     To trace entry and exit from a function, use a pair of probes:
              probe kernel.function(“sys_mkdir”) { println (“enter”) }
              probe kernel.function(“sys_mkdir”).return { println (“exit”) }

Note, expressions like ‘*’, ‘?’ ..etc , those are totally valid and much helpful in certain scenarios.

SystemTap scripts are run through the command ‘stap’. stap can run SystemTap scripts from standard input or from file. System tap have 5 level of execution.

Below is a list of commonly used stap options:

Makes the output of the SystemTap session more verbose. You can repeat this option (for example, stap -vvv script.stp) to provide more details on the script’s execution. This option is particularly useful if you encounter any errors in running the script.

-o filename
Sends the standard output to file (filename).
-S size,count
Limit files to size megabytes and limit the the number of files kept around to count. The file names will have a sequence number suffix. This option implements logrotate operations for SystemTap.

-x process ID
Sets the SystemTap handler function target() to the specified process ID. For more information about target(), refer to SystemTap Functions.

-c ‘command’
Sets the SystemTap handler function target() to the specified command and runs the SystemTap instrumentation for the duration of the specified command. For more information about target(), refer to SystemTap Functions.

-e ‘script’
Use script string rather than a file as input for systemtap translator.

Use SystemTap’s Flight recorder mode and make the script a background process. For more information about flight recorder mode, refer to Section 2.3.1, “SystemTap Flight Recorder Mode”.

stap -e “script” -c “target program”
stap script.stp -c “target program”

Using “-p4” you can create a system tap module as shown below;

        $ stap -p4 -e ‘probe begin { printf(“Hello World!\n”); exit() }’

Run staprun with the pathname to the module as an argument.

        $ staprun /home/user/.systemtap/cache/stap_8553d83f78c_265.ko
Hello World!

Now if you want to know more , please refer #


Leave a Reply

Your email address will not be published. Required fields are marked *