MCPtrace: AI-Powered Kernel Debugging with bpftrace

Enable AI assistants to debug Linux kernel issues through natural language using bpftrace MCP server. No eBPF expertise required.

A minimal MCP (Model Context Protocol) server that provides AI assistants with access to bpftrace kernel tracing capabilities.

GitHub Repository: https://github.com/eunomia-bpf/MCPtrace ⭐

Now implemented in Rust using the rmcp crate for better performance and type safety. The Python implementation is still available in the git history.

bpftrace MCP Server Demo

Features

AI-Powered Kernel Debugging: Enable AI assistants to help you debug complex Linux kernel issues through natural language - no eBPF expertise required
Discover System Trace Points: Browse and search through thousands of kernel probes to find exactly what you need to monitor - from system calls to network packets
Rich Context and Examples: Access a curated collection of production-ready bpftrace scripts for common debugging scenarios like performance bottlenecks, security monitoring, and system troubleshooting
Secure Execution Model: Run kernel traces safely without giving AI direct root access - MCPtrace acts as a secure gateway with proper authentication
Asynchronous Operation: Start long-running traces and retrieve results later - perfect for monitoring production issues that occur intermittently
System Capability Detection: Automatically discover what tracing features your kernel supports, including available helpers, map types, and probe types

Why MCPtrace?

Debugging kernel issues traditionally requires deep eBPF expertise. MCPtrace changes that.

By bridging AI assistants with bpftrace (the perfect eBPF tracing language), MCPtrace lets you debug complex system issues through natural conversation. Just describe what you want to observe - "show me which processes are opening files" or "trace slow disk operations" - and let AI generate the appropriate kernel traces.

AI never gets root access. MCPtrace acts as a secure gateway, and with its rich collection of example scripts and probe information, AI has everything needed to help you understand what's happening inside your kernel. No eBPF expertise required.

Installation

Prerequisites

Install Rust (if not already installed):

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Ensure bpftrace is installed:

sudo apt-get install bpftrace  # Ubuntu/Debian
# or
sudo dnf install bpftrace      # Fedora

Install from crates.io (Recommended)

cargo install bpftrace-mcp-server

This will install the bpftrace-mcp-server binary to your Cargo bin directory (usually ~/.cargo/bin/).

Build from Source

Alternatively, you can build from source:

git clone https://github.com/yunwei37/MCPtrace
cd MCPtrace
cargo build --release

The binary will be available at ./target/release/bpftrace-mcp-server.

Quick Setup

Use our automated setup scripts:

Claude Desktop: ./setup/setup_claude.sh
Claude Code: ./setup/setup_claude_code.sh

For detailed setup instructions and manual configuration, see setup/SETUP.md.

Running the Server

If installed via cargo install

bpftrace-mcp-server

If built from source

./target/release/bpftrace-mcp-server

Development mode (from source)

cargo run --release

Manual Configuration

For manual setup instructions for Claude Desktop or Claude Code, see setup/SETUP.md.

Usage Examples

List System Call Probes

await list_probes(filter="syscalls:*read*")

Get BPF System Information

info = await bpf_info()
# Returns system info, kernel helpers, features, map types, and probe types

Execute a Simple Trace

result = await exec_program(
    'tracepointsys_enter_open { printf("%s\\n", comm); }',
    timeout=10
)
exec_id = result["execution_id"]

Get Results

output = await get_result(exec_id)
print(output["output"])

Security Notes

The server requires sudo access for bpftrace
Password Handling: Create a .env file with your sudo password:
```
echo "BPFTRACE_PASSWD=your_sudo_password" > .env
```

Alternative: Configure passwordless sudo for bpftrace:

sudo visudo
# Add: your_username ALL=(ALL) NOPASSWD: /usr/bin/bpftrace

No script validation - trust the AI client to generate safe scripts
Resource limits: 60s max execution, 10k lines buffer
See SECURITY.md for detailed security configuration

Architecture

The Rust server uses:

Tokio async runtime for concurrent operations
Subprocess management for bpftrace execution
DashMap for thread-safe in-memory buffering
Automatic cleanup of old buffers
rmcp crate for MCP protocol implementation

Limitations

No real-time streaming (use get_result to poll)
Simple password handling (improve for production)
No persistent storage of executions
Basic error handling

Documentation

Setup Guide - Detailed installation and configuration
Claude Code Setup - Claude Code specific instructions
CLAUDE.md - Development guidance for AI assistants
Design Document - Architecture and design details

Future Enhancements

Add SSE transport for real-time streaming
Implement proper authentication
Add script validation and sandboxing
Support for saving/loading trace sessions
Integration with eBPF programs

Continue exploring

Back to index

eBPF × AI/LLMs: The Convergence of System Observability and Artificial Intelligence

The convergence of Artificial Intelligence and eBPF is rapidly defining the next frontier in system software, creating a paradigm shift in both how we build and manage complex applications. As Large Language Models (LLMs

AgentSight: Zero-Instrumentation LLM Agent Observability with eBPF

![License: MIT](https://opensource.org/licenses/MIT) ![Build Status](https://github.com/eunomia-bpf/agentsight)

GPTtrace Documentation

Generate and run eBPF programs using natural language and AI. Trace your Linux system with GPT-powered automation and intelligent analysis.

Last updated: Oct 1, 2025
First published: Aug 23, 2025
Contributors: yunwei37, github-actions[bot]

Edit this page Share on X Share on Facebook Join discussion RSS feed

Was this page helpful?