IO Tracer uses eBPF/BPF technology to intercept kernel functions and collect various types of I/O events. The tracer is composed of multiple real-time trace types and snapshot types that provide system context.

| # | Trace Type | Description | Output |
|---|---|---|---|
| 1 | VFS Events | File system operations at the VFS layer | fs/fs_*.csv |
| 2 | Block I/O Events | Block-level device I/O operations | ds/ds_*.csv |
| 3 | Page Cache Events | Page cache hits, misses, writebacks, evictions | cache/cache_*.csv |
| 4 | Network Events | Network send/receive with protocol details | nw/nw_*.csv |
| 4a | Connection Lifecycle | Socket creation, bind, listen, accept, connect, shutdown | nw_conn/nw_conn_*.csv |
| 4b | Epoll/Multiplexing | I/O multiplexing (epoll, poll, select) | nw_epoll/nw_epoll_*.csv |
| 4c | Socket Configuration | Socket option changes (setsockopt/getsockopt) | nw_sockopt/nw_sockopt_*.csv |
| 4d | Network Drops | TCP retransmissions | nw_drop/nw_drop_*.csv |
| 5 | Page Fault Events | File-backed page faults from mmap access | pagefault/pagefault_*.csv |

| # | Snapshot Type | Description | Output |
|---|---|---|---|
| 1 | Filesystem Snapshot | Filesystem state (paths, sizes, timestamps) | filesystem_snap.csv.gz |
| 2 | Process Snapshot | Running process information | process_snap.csv |
| 3 | System Snapshot | Hardware and software specifications | device_spec.txt |

```
┌─────────────────────────────────────────────────────────────────┐
│                            IO Tracer                            │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ┌─────────────────┐                                            │
│  │  eBPF Program   │ ◄── Kernel probes (kprobes/kretprobes)     │
│  │   (prober.c)    │                                            │
│  └────────┬────────┘                                            │
│           │ Perf buffer                                         │
│  ┌────────▼────────┐    ┌──────────────────────────────────┐    │
│  │  IOTracer.py    │───►│ Event Callbacks                  │    │
│  │                 │    │ - _print_event (VFS)             │    │
│  │  Trace Types:   │    │ - _print_event_block (Block)     │    │
│  │  • VFS Events   │    │ - _print_event_cache (Cache)     │    │
│  │  • Block Events │    │ - _print_event_net (Network)     │    │
│  │  • Cache Events │    │ - _print_event_pagefault (Fault) │    │
│  │  • Net Events   │    └──────────────────────────────────┘    │
│  │  • Page Faults  │                                            │
│  └────────┬────────┘                                            │
│           │                                                     │
│  ┌────────▼────────┐    ┌──────────────────────────────────┐    │
│  │ Snapper Classes │    │ Snapshots                        │    │
│  │                 │    │ - FilesystemSnapper              │    │
│  │  Snapshots:     │    │ - ProcessSnapper                 │    │
│  │  • Filesystem   │    │ - SystemSnapper                  │    │
│  │  • Process      │    └──────────────────────────────────┘    │
│  │  • System       │                                            │
│  └────────┬────────┘                                            │
│           │                                                     │
│  ┌────────▼────────┐                                            │
│  │  WriterManager  │  Output:                                   │
│  │                 │  • fs/*.csv (VFS events)                   │
│  │                 │  • ds/*.csv (block events)                 │
│  │                 │  • cache/*.csv (cache events)              │
│  │                 │  • nw/*.csv (network events)               │
│  │                 │  • pagefault/*.csv (page faults)           │
│  │                 │  • filesystem_snapshot/*.csv.gz            │
│  │                 │  • process/*.csv                           │
│  │                 │  • system_spec/*                           │
│  └─────────────────┘                                            │
└─────────────────────────────────────────────────────────────────┘
```

- VFS tracing has moderate overhead as it captures every file operation
- Block tracing is essential for understanding physical I/O patterns
- Cache tracing can generate high event rates; use sampling for long traces
- Network tracing captures connection metadata, not payload contents
- Snapshots are lightweight and only captured at trace start (except periodic process snapshots)