strace is known to add significant overhead to any application it traces. Even when users are interested in a handful of syscalls, strace will by default intercept all syscalls made by the observed processes, involving several context switches per syscall. Since strace v5.3, the --seccomp-bpf option allows reducing this overhead, by stopping observed processes only at syscalls of interest. This option relies on seccomp-bpf and inherits a few of its limitations. In this talk, we will describe the ...