System Call Tracking without ptrace, strace, etc.
System Call Tracking Without ptrace (eBPF and DTrace)
Traditionally, tools like strace have used ptrace to monitor system calls. While effective, ptrace is slow because it stops the traced process at every single system call so the tracer can inspect it. Modern Linux offers much faster alternatives.
The Modern Standard: eBPF and bpftrace
eBPF (Extended Berkeley Packet Filter) allows you to run sandboxed programs in the kernel without changing kernel source code.
- bpftrace: A high-level tracing language for eBPF. For example, to print the name of each process that enters the open system call:

  bpftrace -e 'tracepoint:syscalls:sys_enter_open { printf("%s ", comm); }'

- Performance: Unlike strace, eBPF has near-zero overhead, making it safe to use in production environments.
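The one-liner above only sees the legacy open system call; modern libc implementations issue openat (and, on newer kernels, openat2), so a probe on sys_enter_open alone misses most file opens. The script below is an added example, not part of the original post, showing what a practitioner would actually run: it attaches to both open and openat tracepoints, filters in the kernel so that only opens under /etc/ are printed, and aggregates every open per process name in a map that is summarised once at exit. The in-kernel filter and the map are what keep the overhead low, which is the performance point made above. The file name opens.bt is an assumption; the script needs root and a kernel with syscall tracepoints.

```bpftrace
#!/usr/bin/env bpftrace
// Added example (not from the original post): trace file opens via syscall
// tracepoints, without ptrace. Run as root:  sudo bpftrace opens.bt
// Note: openat2 (kernel 5.6+) is deliberately not attached here, because
// bpftrace refuses to start if a listed tracepoint does not exist.

BEGIN
{
    printf("Tracing open/openat... Hit Ctrl-C to end.\n");
    printf("%-8s %-16s %s\n", "PID", "COMM", "FILE");
}

// Attach one action to both tracepoints; each has a `filename` argument.
tracepoint:syscalls:sys_enter_open,
tracepoint:syscalls:sys_enter_openat
{
    // args->filename is a user-space pointer; str() copies the string
    // from the traced process's memory into the probe.
    // Filtering here, in the kernel, means events that do not match the
    // prefix never cross into user space and cost almost nothing.
    if (strncmp(str(args->filename), "/etc/", 5) == 0) {
        printf("%-8d %-16s %s\n", pid, comm, str(args->filename));
    }

    // Count every open per process name in a BPF map. Updating a map is
    // far cheaper than printing, and the totals are read out once at END.
    @opens[comm] = count();
}

END
{
    printf("\nOpens per process:\n");
    print(@opens);
    clear(@opens);
}
```

The printed lines are the detection signal (which process opened which file under /etc/), while the per-process counts are a cheap baseline you can compare against on a busy host to spot a process opening far more files than it normally does.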
Linux Observability in 2026
- perf: The perf tool remains the go-to for CPU-level profiling, but for system calls, eBPF has taken over.
- Cilium & Security: In 2026, eBPF isn't just for debugging; it's the foundation of modern cloud-native networking and security (e.g., Cilium). It allows security tools to monitor and block malicious system calls in real time without ever touching the application code.