kbuffer_alloc - Man Page

Creating of kbuffer element to parse the Linux kernel tracing ring buffer


#include <kbuffer.h>

enum kbuffer_endian {

enum kbuffer_long_size {

struct kbuffer;
struct tep_handle;

struct kbuffer *kbuffer_alloc(enum kbuffer_long_size size, enum kbuffer_endian endian);
void kbuffer_free(struct kbuffer *kbuf);
int kbuffer_load_subbuffer(struct kbuffer *kbuf, void *subbuffer);
int kbuffer_subbuffer_size(struct kbuffer *kbuf);
int kbuffer_start_of_data(struct kbuffer *_kbuf);


These functions create a kbuffer handle that can be used to parse the raw sub buffers of the Linux kernel tracing ring buffer. The ring buffer is found in the tracefs directory, and can be retrieved by tracefs_instance_get_file(3) at per_cpu/cpuX/trace_pipe_raw where X is replaced by the per CPU number of the specified ring buffer. The ring buffer inside the kernel is split up per CPU, such that the raw ring buffer must be retrieved per CPU as well.

The kbuffer_alloc() will create a descriptor that can be used to manage a sub buffer read by the ring buffer. The size parameter denotes what the word size is for the given buffer (note, this works from reading raw data from machines other than the machine that is calling this function). The endian denotes the endian for the machine.

If endian is set to KBUFFER_ENDIAN_SAME_AS_HOST the endian will be set to the same as the host endianess, which is useful when the application is reading the ring buffer data directly from the same machine it is running on.

If size is set to KBUFFER_LSIZE_SAME_AS_HOST, if the word size is 8, it will set the kbuffer descriptor to long size of 8. But if the size is 4, then it will then perform a uname(2) call, and if the machine field has the string "64" in it, it will be set to 8 byte long size and not 4 byte. This is because the ring buffer long size is dependent on the kernel and not user space.

The kbuffer_free() function will free the resources created by kbuffer_alloc().

The kbuffer_load_subbuffer() will take a subbuffer which is a raw data blob from the tracefs trace_pipe_raw file. The Linux tracing ring buffer is broken up into sub buffers. Each sub buffer is as stand alone data segment that has all the information to split out the individual events and time stamps. This sub buffer is what kbuffer uses to walk the events.

The kbuffer_subbuffer_size() returns the location of the end of the last event on the sub-buffer. It does not return the size of the sub-buffer itself.

The kbuffer_start_of_data() function returns the offset of where the actual data load of the sub-buffer begins.

Return Value

kbuffer_alloc() returns an allocated kbuffer descriptor or NULL on error. The returned descriptor must be freed with kbuffer_free()

kbuffer_load_subbuffer() returns 0 on success and -1 on error.

kbuffer_subbuffer_size() returns the index on the subbuffer where the end of the last event is located.

kbuffer_start_of_data() returns the offset of where the data begins on the sub-buffer loaded in kbuf.


#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

#include <kbuffer.h>

int main (int argc, char **argv)
        unsigned long long ts;
        struct kbuffer *kbuf;
        struct stat st;
        char *buf;
        void *event;
        int ret;
        int fd;
        int i = 0;

        if (argc < 2) {
                printf("usage: %s raw-subbuffer-page\n", argv[0]);
                printf(" Try: dd count=1 bs=4096 if=/sys/kernel/tracing/per_cpu/cpu0/trace_pipe_raw of=/tmp/file\n");

        if (stat(argv[1], &st) < 0) {

        buf = malloc(st.st_size);
        if (!buf) {
                perror("Allocating buffer");

        fd = open(argv[1], O_RDONLY);
        if (fd < 0) {

        ret = read(fd, buf, st.st_size);
        if (ret < 0) {
                perror("Reading buffer");

        kbuf = kbuffer_alloc(KBUFFER_ENDIAN_SAME_AS_HOST,
        if (!kbuf) {
                perror("Creating kbuffer");
        ret = kbuffer_load_subbuffer(kbuf, buf);
        if (ret < 0) {
                perror("Loading sub bufer");

        if (kbuffer_subbuffer_size(kbuf) > st.st_size) {
                fprintf(stderr, "kbuffer is bigger than raw size %d > %ld\n",
                        kbuffer_subbuffer_size(kbuf), st.st_size);

        printf("Kbuffer data starts at %d\n", kbuffer_start_of_data(kbuf));
        do {
                event = kbuffer_read_event(kbuf, &ts);
                if (event) {
                        printf(" event %3d ts:%lld\n", i++, ts);
                        event = kbuffer_next_event(kbuf, NULL);
        } while (event);

        if (!event)
                printf("Finished sub buffer\n");


        return 0;


        Header file to include in order to have access to the library APIs.
        Linker switch to add when building a program that uses the library.

See Also

libtraceevent(3), trace-cmd(1)


Steven Rostedt <rostedt@goodmis.org[1]>, author of libtraceevent.

Reporting Bugs

Report bugs to <linux-trace-devel@vger.kernel.org[2]>


libtraceevent is Free Software licensed under the GNU LGPL 2.1




  1. rostedt@goodmis.org
  2. linux-trace-devel@vger.kernel.org

Referenced By

The man pages kbuffer_free(3), kbuffer_load_subbuffer(3), kbuffer_start_of_data(3) and kbuffer_subbuffer_size(3) are aliases of kbuffer_alloc(3).

04/05/2023 libtraceevent 1.7.2 libtraceevent Manual