dtrace_syscall




Purpose

dtrace_syscall is a wrapper script for dtrace to trace one or more functions from the syscall provider.


License


# CDDL HEADER START
#
# The contents of this file and the script are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END


History

Version   Release date   Description
v0.0.5    17.10.2011     added the parameter -K (add probe descriptions to the dtrace script)
                         (script changelog entry: 17.10.2011 v0.0.5 /bs)
v0.0.4    04.10.2011     code cleanup
                         (script changelog entry: 05.10.2011 v0.0.4 /bs)
v0.0.3    04.10.2011     added code to support mixed functions (with and without arg0)
                         (script changelog entry: 04.10.2011 v0.0.3 /bs)
v0.0.2    09/2011        initial public release


Operating system

Solaris 10 or newer


Language / type

Korn shell script using dtrace


Prerequisites

The user must have the necessary rights to use dtrace.


Usage


Note:

To extend the dtrace script that dtrace_syscall generates, either pass additional code with the parameters -i and/or -d, or use the parameter -k to keep the generated dtrace script. You can then edit it and rerun it with "dtrace -s".

#  /data/develop/scripts/dtrace_syscall -v -h                    
[17.10.2011 19:29:10] dtrace_syscall v0.0.5 started on Mon Oct 17 19:29:10 CEST 2011 
[17.10.2011 19:29:10] No config file ("dtrace_syscall.conf") found (use -C to create a default config file)
  dtrace_syscall v0.0.5 - dtrace one or more system calls

  Usage: dtrace_syscall [-v|+v] [-q|+q] [-h] [-l logfile|+l] [-y|+y] [-n|+n]
                    [-D|+D] [-a|+a] [-O|+O] [-f|+f] [-C] [-H] [-S n] [-V] [-T]

                    [-X] [-k|+k] [-K|+K] [-t n] [-p n] [-P|+P] [-c cmd] [-i clause]
                    [-L dtracelogfile] [-d drace_cmds] [-e|+e] [sysfunction1] [... [sysfunction#] ]

 

 Note: Use -{switch} or --{longswitch} to turn an option on;
       use +{switch} or ++{longswitch} to turn an option off

       The long format of the parameter (--parameter/++parameter) is not supported by all ksh implementations
      
      
    Parameter:

      -v|+v - turn verbose mode on/off; current value: y
              Long format: --verbose / ++verbose
      -q|+q - turn quiet mode on/off; current value: n
              Long format: --quiet / ++quiet
      -h    - show usage
              Long format: --help
      -X    - view examples
              Long format: --list_examples
      -l    - set the logfile
              current value: /var/tmp/dtrace_syscall.LOG
              Long format: --logfile     
      +l    - do not write a logfile
              Long format: ++logfile
      -y|+y - assume yes to all questions or not
              Long format: --yes / ++yes
      -n|+n - assume no to all questions or not
              Long format: --no /++no
      -D|+D - run main in single step mode (and turn colors on); current value: n
              Long format: --debug / ++debug
      -a|+a - turn colors on/off; current value: n
              Long format: --color / ++color
      -O|+O - overwrite existing files or not; current value: n
              Long format: --overwrite / ++overwrite
      -f|+f - force; do it anyway; current value: n
              Long format: --force / ++force
      -C    - write a default config file in the current directory and exit
              Long format: --writeconfigfile
      -H    - write extended usage to STDERR and exit
              Long format: --doc
      -S n  - print error/warning summaries:
              n = 0 no summariess, 1 = print error msgs,
              2 = print warning msgs, 3 = print error and warning mgs
              Current value: 0
              Long format: --summaries
      -V    - write version number to STDOUT and exit
              Long format: --version
      -T    - append STDOUT and STDERR to the file "/var/tmp/dtrace_syscall.21894.tee.log"
              Long format: --tee

      -k|+k - do/do not delete the drace script used; current value: n )
              Long format: --keep_dtrace_script / ++keep_dtrace_script
      -K|+K - do/do not add probe descriptions to the dtrace script; current value: n )
              Long format: --add_probe_desc
      -t n  - trace only n sec/min/hours; current value: 0;
              use 0 to trace until stopped with CTRL-C
              Long format: --time_to_trace
      -p n  - trace only the PID n; this parameter can be used more than one time
              current value:
              Long format: --pid
      -c cmd - trace only the command cmd
              current value:
              Long format: --cmd
              Note: Use either -p or -c but not both; for commands with parameter use a script
      -P|+P - print arg0 of the dtraced function(s); current value: y
              Long format: --printarg0
      -L logfile
            - log file for dtrace messages
              current value:
              Long format: --dtrace_logfile
      -i clause
            - add. clause for dtrace
              current value:
              Long format: --add_clause
      -d dtrace_commands
            - add. dtrace commands
              current value:
              Long format: --add_drace_cmds
      -e|+e - log endless
              current value: n
              Long format: --endless
      -X    - view examples and exit
              Long format: --list_examples

[17.10.2011 19:29:10] The log file used was "/tmp/dtrace_syscall.21894.TEMP" 
[17.10.2011 19:29:10] dtrace_syscall v0.0.5 ended on Mon Oct 17 19:29:10 CEST 2011.
[17.10.2011 19:29:10] The RC is 0.

Examples

xtrnaw7@t61p:/data/download$  /data/www/myhomepage/htdocs/files/public/solaris/scripts/dtrace_syscall -X
[29.09.2011 12:09:43] dtrace_syscall v0.0.2 started on Thu Sep 29 12:09:43 CEST 2011 
[29.09.2011 12:09:43] No config file ("dtrace_syscall.conf") found (use -C to create a default config file)
 -----------------------------------------------------------------------------------------------------
                        dtrace_syscall v0.0.2
                       Documentation - Examples
 -----------------------------------------------------------------------------------------------------
 # Usage examples

 #
 # monitor which process changes the permissions of a file
 # (dtrace output goes to STDERR only)
 #
 #   ./dtrace_syscall chmod

 # monitor which process changes the permissions of a file or directory and
 # which process changes the owner of a file or directory
 # (the dtrace output goes to STDERR and into the logfile /var/tmp/monitor_file_changes.log)
 #
 #   ./dtrace_syscall -L /var/tmp/monitor_file_changes.log  chmod chown

 # monitor the chmod and chown syscall for 4 hours (-t4h)
 # Other examples for the parameter -t: : -t2s = monitor 2 seconds, -t40m = monitor 40 minutes, etc
 #
 #   ./dtrace_syscall -L /var/tmp/monitor_file_changes.log -t4h chmod chown

 # monitor chmod and chown system calls continiously (-e) and
 # do a log rotate of the logfile every 6 hours (-t6h)
 #
 #   ./dtrace_syscall -L /var/tmp/monitor_file_changes.log  -t6h -e  chmod chown

 # monitor which process is removing files or directories
 #
 #   ./dtrace_syscall -L /var/tmp/unlink.log -e -t6h unlink

 # monitor which process deletes the file /var/tmp/test2
 #
 #   ./dtrace_syscall -L /var/tmp/unlink.log -k -e -t6h -i 'copyinstr(arg0) == "/var/tmp/test2" || copyinstr(arg0) == "test2"  '  unlink


 # monitor the syscall of a binary (in this example ls, "-c ls")
 # Note: Use a shell script for the parameter -c if a command with parameter should be dtraced.
 #
 #   ./dtrace_syscall -L /var/tmp/ls_syscalls.log +P  -c ls "*"

 # monitor the syscalls of a running process (in this example the process with the PID 22839)
 #
 #   ./dtrace_syscall -L /var/tmp/shell_syscalls.log +P  -p 22839  "*"

 # monitor the syscalls of some processes
 #
 #   ./dtrace_syscall -p "22839 22747 22822 22748" -k +P  "*"

 # monitor the syscalls of a process and all of it's child processes (in this example
 # the process with the PID 22839 and it's child processes)
 #
 #   ./dtrace_syscall -L /var/tmp/shell_syscalls.log  -p 22839 -i "|| ppid == 22839" "*"


 # monitor the chmod syscall and print additional messages if found (parameter -d)
 #
 #   ./dtrace_syscall -L /var/tmp/shell_syscalls.log +P -k -d 'printf( "\n *** Parameter 0 is %16s \n", copyinstr(arg0) ); '  "chmod"

 # monitor the chmod syscall and print only userdefined messages if found (parameter +d)
 #
 #   ./dtrace_syscall -L /var/tmp/shell_syscalls.log +P -k +d 'printf( "\n *** Binary: %16s, Parameter 0: %16s \n", execname, copyinstr(arg0) ); '  "chmod"


 Trouble Shooting

 An error message like

 dtrace: error on enabled probe ID 150 (ID 7715: syscall::sigaction:entry): invalid address (0x0) in action #3 at DIF offset 28

 will be printed by dtrace if the parameter 0 of the function to dtrace is not from the type string.
 In this case you should use the parameter +P of the script to suppress printing the parameter 0.


[29.09.2011 12:09:43] The log file used was "/tmp/dtrace_syscall.1892.TEMP" 
[29.09.2011 12:09:43] dtrace_syscall v0.0.2 ended on Thu Sep 29 12:09:43 CEST 2011.
[29.09.2011 12:09:43] The RC is 0.
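The Note in the Usage section and the -i, -d, -p and +P examples above describe the ingredients from which the wrapper assembles the D script it hands to dtrace. The POSIX shell function below is an added illustration and not code from dtrace_syscall itself: it builds such a script from the same ingredients (syscall names, an optional PID, an additional predicate clause, additional D statements, and whether arg0 is printed as a string). The layout of the generated script and its printf format are assumptions; the real wrapper's output may differ.

```shell
#!/bin/sh
# Constructed example (not the dtrace_syscall script): build the kind of D script
# the wrapper passes to "dtrace -s", from the pieces its options supply.
#
# gen_dtrace_script PRINTARG0 PID CLAUSE EXTRA_CMDS SYSCALL...
#   PRINTARG0  y = print copyinstr(arg0) (like -P); n = omit it (like +P), which is
#              what you need when arg0 is not a string, otherwise dtrace reports
#              "invalid address (0x0)" as shown in the Trouble Shooting section
#   PID        restrict tracing to this PID ("" = all processes)
#   CLAUSE     additional predicate text appended to the filter, e.g. "|| ppid == 22839"
#   EXTRA_CMDS additional D statements run inside the action ("" = none)
gen_dtrace_script() {
    printarg0=$1; pid=$2; clause=$3; extra=$4
    shift 4
    nl='
'
    # one probe description per system call, comma separated
    probes=""
    for fn in "$@"; do
        probes="${probes:+$probes,$nl}syscall::${fn}:entry"
    done

    # predicate: PID filter plus any user supplied clause (assumed join: space)
    pred=""
    [ -n "$pid" ] && pred="pid == $pid"
    [ -n "$clause" ] && pred="${pred:+$pred }$clause"

    # action: timestamp, process, syscall name and optionally arg0 as a string
    if [ "$printarg0" = "y" ]; then
        action='printf("%Y %s[%d] %s(%s)\n", walltimestamp, execname, pid, probefunc, copyinstr(arg0));'
    else
        action='printf("%Y %s[%d] %s\n", walltimestamp, execname, pid, probefunc);'
    fi

    printf '#pragma D option quiet\n\n%s\n' "$probes"
    [ -n "$pred" ] && printf '/ %s /\n' "$pred"
    printf '{\n    %s\n' "$action"
    [ -n "$extra" ] && printf '    %s\n' "$extra"
    printf '}\n'
}

# e.g. the "process and its children" example from above:
#   gen_dtrace_script y 22839 "|| ppid == 22839" "" chmod chown > trace.d
```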


Internals


see the documentation for the script template used for this script: scriptt.sh


Notes




Download


Download dtrace_syscall
