Examples for using dtrace_syscall

Last update: 29.09.2011/bs



  1. Examples
  2. Trouble Shooting


Examples


# monitor which process changes the permissions of a file
#  (dtrace output goes to STDERR only)
#

[Thu Sep 29 10:29:58 root@rtdev02 ~]
# /applications/tools/jwm/tools/scripts/dtrace_syscall chmod
[29.09.2011 10:29:59] dtrace_syscall v0.0.2 started on Thu Sep 29 10:29:59 MEST 2011
[29.09.2011 10:29:59] No config file ("dtrace_syscall.conf") found (use -C to create a default config file)
[29.09.2011 10:29:59] Using the log file "/var/tmp/dtrace_syscall.LOG"
[29.09.2011 10:30:01] Tracing the functions " chmod"
[29.09.2011 10:30:01] Checking the syntax of the dynamically created dtrace script ...
[29.09.2011 10:30:03] Starting dtrace ...
[29.09.2011 10:30:03] /usr/sbin/dtrace -q -s "/tmp/dtrace_syscall.359.10022.TEMP1"
*** Tracing started at 2011 Sep 29 10:30:04
###      chmod Binary:            chmod Parameter:            test2 (pwd:      /root)  UID:      0 PID:    419  PPID:  29989  Time: 2011 Sep 29 10:30:08
###     Parent Binary:               sh, Parent Parameter:             bash, Parent UID:      0
*** Tracing ended at 2011 Sep 29 10:30:50

[29.09.2011 10:30:50] ERROR: Script aborted by the user via signal BREAK (CTRL-C)
[29.09.2011 10:30:50] The log file used was "/var/tmp/dtrace_syscall.LOG"
[29.09.2011 10:30:50] dtrace_syscall v0.0.2 ended on Thu Sep 29 10:30:50 MEST 2011.
[29.09.2011 10:30:50] The RC is 0.


# monitor which process changes the permissions of a file or directory and
# which process changes the owner of a file or directory
# (the dtrace output goes to STDERR and into the logfile /var/tmp/monitor_file_changes.log)
#
[Thu Sep 29 10:32:26 root@rtdev02 ~]
# /applications/tools/jwm/tools/scripts/dtrace_syscall -L /var/tmp/monitor_file_changes.log  chmod  chown
[29.09.2011 10:32:39] dtrace_syscall v0.0.2 started on Thu Sep 29 10:32:39 MEST 2011
[29.09.2011 10:32:39] No config file ("dtrace_syscall.conf") found (use -C to create a default config file)
[29.09.2011 10:32:39] Using the log file "/var/tmp/dtrace_syscall.LOG"
[29.09.2011 10:32:40] Tracing the functions " chmod chown"
[29.09.2011 10:32:40] The dtrace output will be logged to the file "/var/tmp/monitor_file_changes.log"
[29.09.2011 10:32:40] Checking the syntax of the dynamically created dtrace script ...
[29.09.2011 10:32:42] Compressing the log file "/var/tmp/monitor_file_changes.log" to "/var/tmp/monitor_file_changes.log.10.gz" ...
[29.09.2011 10:32:42] Starting dtrace ...
[29.09.2011 10:32:42] /usr/sbin/dtrace -q -s "/tmp/dtrace_syscall.634.9797.TEMP1" 2>&1 | tee "/var/tmp/monitor_file_changes.log"
*** Tracing started at 2011 Sep 29 10:32:43
###      chown Binary:            chown Parameter:            test2 (pwd:      /root)  UID:      0 PID:    704  PPID:  29989  Time: 2011 Sep 29 10:32:46
###     Parent Binary:               sh, Parent Parameter:             bash, Parent UID:      0
###      chmod Binary:            chmod Parameter:            test2 (pwd:      /root)  UID:      0 PID:    705  PPID:  29989  Time: 2011 Sep 29 10:32:48
###     Parent Binary:               sh, Parent Parameter:             bash, Parent UID:      0
^C[29.09.2011 10:32:51] ERROR: Script aborted by the user via signal BREAK (CTRL-C)
[29.09.2011 10:32:51] The dtrace output will be logged to the file "/var/tmp/monitor_file_changes.log"
[29.09.2011 10:32:51] The log file used was "/var/tmp/dtrace_syscall.LOG"
[29.09.2011 10:32:51] dtrace_syscall v0.0.2 ended on Thu Sep 29 10:32:51 MEST 2011.
[29.09.2011 10:32:51] The RC is 0.
[Thu Sep 29 10:32:51 root@rtdev02 ~]



# monitor the chmod and chown syscalls for 4 hours (-t4h)
# Other examples for the parameter -t: -t2s = monitor for 2 seconds, -t40m = monitor for 40 minutes, etc.
#
[Thu Sep 29 10:33:21 root@rtdev02 ~]
# /applications/tools/jwm/tools/scripts/dtrace_syscall  -L /var/tmp/monitor_file_changes.log  -t4h chmod chown
[29.09.2011 10:33:26] dtrace_syscall v0.0.2 started on Thu Sep 29 10:33:26 MEST 2011
[29.09.2011 10:33:26] No config file ("dtrace_syscall.conf") found (use -C to create a default config file)
[29.09.2011 10:33:26] Using the log file "/var/tmp/dtrace_syscall.LOG"
[29.09.2011 10:33:28] Tracing the functions " chmod chown"
[29.09.2011 10:33:28] The tracing will be stopped after 4h.
[29.09.2011 10:33:28] The dtrace output will be logged to the file "/var/tmp/monitor_file_changes.log"
[29.09.2011 10:33:28] Checking the syntax of the dynamically created dtrace script ...
[29.09.2011 10:33:29] Compressing the log file "/var/tmp/monitor_file_changes.log" to "/var/tmp/monitor_file_changes.log.12.gz" ...
[29.09.2011 10:33:29] Starting dtrace ...
[29.09.2011 10:33:29] /usr/sbin/dtrace -q -s "/tmp/dtrace_syscall.731.1020.TEMP1" 2>&1 | tee "/var/tmp/monitor_file_changes.log"
*** Tracing started at 2011 Sep 29 10:33:31




# monitor chmod and chown system calls continuously (-e) and
# rotate the logfile every 6 hours (-t6h)
#
[Thu Sep 29 10:33:52 root@rtdev02 ~]
# /applications/tools/jwm/tools/scripts/dtrace_syscall  -L /var/tmp/monitor_file_changes.log  -t6h -e  chmod chown
[29.09.2011 10:33:58] dtrace_syscall v0.0.2 started on Thu Sep 29 10:33:58 MEST 2011
[29.09.2011 10:33:58] No config file ("dtrace_syscall.conf") found (use -C to create a default config file)
[29.09.2011 10:33:59] Using the log file "/var/tmp/dtrace_syscall.LOG"
[29.09.2011 10:34:00] Tracing the functions " chmod chown"
[29.09.2011 10:34:00] The dtrace script will run endless (use CTRL_C to abort )
[29.09.2011 10:34:00] The log intervall for endless dtracing is 6h.
[29.09.2011 10:34:00] The dtrace output will be logged to the file "/var/tmp/monitor_file_changes.log"
[29.09.2011 10:34:00] Checking the syntax of the dynamically created dtrace script ...
[29.09.2011 10:34:02] Compressing the log file "/var/tmp/monitor_file_changes.log" to "/var/tmp/monitor_file_changes.log.14.gz" ...
[29.09.2011 10:34:02] Starting dtrace ...
[29.09.2011 10:34:02] /usr/sbin/dtrace -q -s "/tmp/dtrace_syscall.837.12372.TEMP1" 2>&1 | tee "/var/tmp/monitor_file_changes.log"
*** Tracing started at 2011 Sep 29 10:34:03


# monitor which process is removing files or directories
#
[Thu Sep 29 10:35:00 root@rtdev02 ~]
# /var/tmp/dtrace_syscall -L /var/tmp/unlink.log -e -t6h unlink
[29.09.2011 10:35:01] dtrace_syscall v0.0.2 started on Thu Sep 29 10:35:01 MEST 2011
[29.09.2011 10:35:01] No config file ("dtrace_syscall.conf") found (use -C to create a default config file)
[29.09.2011 10:35:01] Using the log file "/var/tmp/dtrace_syscall.LOG"
[29.09.2011 10:35:03] Tracing the functions " unlink"
[29.09.2011 10:35:03] The dtrace script will run endless (use CTRL_C to abort )
[29.09.2011 10:35:03] The log intervall for endless dtracing is 6h.
[29.09.2011 10:35:03] The dtrace output will be logged to the file "/var/tmp/unlink.log"
[29.09.2011 10:35:03] Checking the syntax of the dynamically created dtrace script ...
[29.09.2011 10:35:05] Compressing the log file "/var/tmp/unlink.log" to "/var/tmp/unlink.log.34.gz" ...
[29.09.2011 10:35:05] Starting dtrace ...
[29.09.2011 10:35:05] /usr/sbin/dtrace -q -s "/tmp/dtrace_syscall.937.21227.TEMP1" 2>&1 | tee "/var/tmp/unlink.log"
*** Tracing started at 2011 Sep 29 10:35:06
###     unlink Binary:               rm Parameter:       mytempfile (pwd: /home/support)  UID:    500 PID:   1025  PPID:   1023  Time: 2011 Sep 29 10:36:25
###     Parent Binary:              ksh, Parent Parameter:             bash, Parent UID:    500




# monitor which process deletes the file /var/tmp/test2
# Other examples for the parameter -t :
#
# -t 5s - rotate the logfile every 5 seconds
# -t 40m - rotate the logfile every 40 minutes
#
[Thu Sep 29 10:37:03 root@rtdev02 ~]
# /var/tmp/dtrace_syscall -L /var/tmp/unlink.log -k -e -t6h -i 'copyinstr(arg0) == "/var/tmp/test2" || copyinstr(arg0) == "test2"  '  unlink
[29.09.2011 10:37:08] dtrace_syscall v0.0.2 started on Thu Sep 29 10:37:08 MEST 2011
[29.09.2011 10:37:08] No config file ("dtrace_syscall.conf") found (use -C to create a default config file)
[29.09.2011 10:37:08] Using the log file "/var/tmp/dtrace_syscall.LOG"
[29.09.2011 10:37:08] The dtrace script used is "/var/tmp/dtrace_syscall.1054.d" (The script will NOT be deleted at script end!)
[29.09.2011 10:37:09] Tracing the functions " unlink"
[29.09.2011 10:37:09] Additional dtrace clause is " copyinstr(arg0) == "/var/tmp/test2" || copyinstr(arg0) == "test2"  "
[29.09.2011 10:37:09] The dtrace script will run endless (use CTRL_C to abort )
[29.09.2011 10:37:09] The log intervall for endless dtracing is 6h.
[29.09.2011 10:37:09] The dtrace output will be logged to the file "/var/tmp/unlink.log"
[29.09.2011 10:37:09] Checking the syntax of the dynamically created dtrace script ...
[29.09.2011 10:37:11] Compressing the log file "/var/tmp/unlink.log" to "/var/tmp/unlink.log.36.gz" ...
[29.09.2011 10:37:11] Starting dtrace ...
[29.09.2011 10:37:11] /usr/sbin/dtrace -q -s "/var/tmp/dtrace_syscall.1054.d" 2>&1 | tee "/var/tmp/unlink.log"
*** Tracing started at 2011 Sep 29 10:37:12
###     unlink Binary:               rm Parameter:   /var/tmp/test2 (pwd: /home/support)  UID:    500 PID:   1132  PPID:   1023  Time: 2011 Sep 29 10:37:38
###     Parent Binary:              ksh, Parent Parameter:             bash, Parent UID:    500

###     unlink Binary:               rm Parameter:            test2 (pwd:   /var/tmp)  UID:    500 PID:   1136  PPID:   1023  Time: 2011 Sep 29 10:37:55
###     Parent Binary:              ksh, Parent Parameter:             bash, Parent UID:    500



# monitor the syscalls of a binary (in this example ls, "-c ls")
# Note: Use a shell script for the parameter -c if a command with parameters should be dtraced.
#
[Thu Sep 29 10:38:34 root@rtdev02 ~]
# /var/tmp/dtrace_syscall -L /var/tmp/ls_syscalls.log +P  -c ls "*"
[29.09.2011 10:38:35] dtrace_syscall v0.0.2 started on Thu Sep 29 10:38:35 MEST 2011
[29.09.2011 10:38:35] No config file ("dtrace_syscall.conf") found (use -C to create a default config file)
[29.09.2011 10:38:35] Using the log file "/var/tmp/dtrace_syscall.LOG"
[29.09.2011 10:38:36] Tracing the functions " *"
[29.09.2011 10:38:36] Tracing the command ls
[29.09.2011 10:38:36] The dtrace output will be logged to the file "/var/tmp/ls_syscalls.log"
[29.09.2011 10:38:36] Checking the syntax of the dynamically created dtrace script ...
[29.09.2011 10:38:38] Compressing the log file "/var/tmp/ls_syscalls.log" to "/var/tmp/ls_syscalls.log.12.gz" ...
[29.09.2011 10:38:38] Starting dtrace ...
[29.09.2011 10:38:38] /usr/sbin/dtrace -q -s "/tmp/dtrace_syscall.1163.16991.TEMP1" -c ls 2>&1 | tee "/var/tmp/ls_syscalls.log"
*** Tracing started at 2011 Sep 29 10:38:40
###       mmap Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###     munmap Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
### setcontext Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###  getrlimit Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###     getpid Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
### setcontext Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
Downloads
MINTCoreCE_11.3.0.0014.tar
arc_summary.pl
firefox-3.6.8.en-US.solaris-10-fcs-sparc.tar.bz2
fireftp-1.0.9-fx.xpi
getfile
inq.sol64
list_enabled_dtrace_probes
mytempfile
osol0chime-sparc-1.5.pkg.gz
p12314960_7011_SOLARIS64.zip
socketsnoop.d
sol-10-u9-ga-sparc-dvd-iso.zip
sunvts
test.sh
test2
testit
###        brk Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###        brk Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###       stat Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
### resolvepath Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###       open Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###       mmap Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###     munmap Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###      close Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###      gtime Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###      ioctl Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###        brk Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###        brk Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###    lstat64 Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###       fsat Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###      fcntl Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###    fstat64 Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
### getdents64 Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
### getdents64 Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###      close Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###      ioctl Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###    fstat64 Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###    fstat64 Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###      write Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
###      rexit Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
*** Tracing ended at 2011 Sep 29 10:38:40

[29.09.2011 10:38:40] The dtrace output will be logged to the file "/var/tmp/ls_syscalls.log"
[29.09.2011 10:38:40] The log file used was "/var/tmp/dtrace_syscall.LOG"
[29.09.2011 10:38:40] dtrace_syscall v0.0.2 ended on Thu Sep 29 10:38:40 MEST 2011.
[29.09.2011 10:38:40] The RC is 0.
[Thu Sep 29 10:38:40 root@rtdev02 ~]




# monitor the syscalls of a running process (in this example the process with the PID 29989)
#
[Thu Sep 29 10:39:48 root@rtdev02 ~]
# /var/tmp/dtrace_syscall -L /var/tmp/shell_syscalls.log +P  -p 29989  "*"
[29.09.2011 10:39:56] dtrace_syscall v0.0.2 started on Thu Sep 29 10:39:56 MEST 2011
[29.09.2011 10:39:56] No config file ("dtrace_syscall.conf") found (use -C to create a default config file)
[29.09.2011 10:39:56] Using the log file "/var/tmp/dtrace_syscall.LOG"
[29.09.2011 10:39:58] Tracing the functions " *"
[29.09.2011 10:39:58] Tracing the PIDs  29989
[29.09.2011 10:39:58] The dtrace output will be logged to the file "/var/tmp/shell_syscalls.log"
[29.09.2011 10:39:58] Checking the syntax of the dynamically created dtrace script ...
[29.09.2011 10:39:59] Compressing the log file "/var/tmp/shell_syscalls.log" to "/var/tmp/shell_syscalls.log.30.gz" ...
[29.09.2011 10:39:59] Starting dtrace ...
[29.09.2011 10:39:59] /usr/sbin/dtrace -q -s "/tmp/dtrace_syscall.1353.30539.TEMP1" 2>&1 | tee "/var/tmp/shell_syscalls.log"
*** Tracing started at 2011 Sep 29 10:40:01
###      write Binary:             bash (pwd:      /root)  UID:      0  PID:  29989  PPID:  29979  Time: 2011 Sep 29 10:40:04
###     Parent Binary:             sshd, Parent Parameter:              -sh, Parent UID:      0
### lwp_sigmask Binary:             bash (pwd:      /root)  UID:      0  PID:  29989  PPID:  29979  Time: 2011 Sep 29 10:40:04
###     Parent Binary:             sshd, Parent Parameter:              -sh, Parent UID:      0
###      ioctl Binary:             bash (pwd:      /root)  UID:      0  PID:  29989  PPID:  29979  Time: 2011 Sep 29 10:40:04
###     Parent Binary:             sshd, Parent Parameter:              -sh, Parent UID:      0
### lwp_sigmask Binary:             bash (pwd:      /root)  UID:      0  PID:  29989  PPID:  29979  Time: 2011 Sep 29 10:40:04


# monitor the syscalls of several processes
#
[Mon Sep 26 19:51:01 root@rtdev02 ~]
#   /var/tmp/dtrace_syscall -p "22839 22747 22822 22748" -k +P  "*"
[26.09.2011 19:51:31] dtrace_syscall v0.0.2 started on Mon Sep 26 19:51:31 MEST 2011
[26.09.2011 19:51:31] No config file ("dtrace_syscall.conf") found (use -C to create a default config file)
[26.09.2011 19:51:31] Using the log file "/var/tmp/dtrace_syscall.LOG"
[26.09.2011 19:51:31] The dtrace script used is "/var/tmp/dtrace_syscall.27558.d" (The scrip will NOT be deleted at script end!)
[26.09.2011 19:51:33] Tracing the functions " *"
[26.09.2011 19:51:33] Tracing the PIDs  22839 22747 22822 22748
[26.09.2011 19:51:33] Checking the syntax of the dynamically created dtrace script ...
[26.09.2011 19:51:34] Starting dtrace ...
[26.09.2011 19:51:34] /usr/sbin/dtrace -q -s "/var/tmp/dtrace_syscall.27558.d"
*** Tracing started at 2011 Sep 26 19:51:36



# monitor the syscalls of all java processes
#
[Mon Sep 26 19:51:01 root@rtdev02 ~]
#   /var/tmp/dtrace_syscall -p "$( pgrep java)" -k +P  "*"



# monitor the syscalls of the process with the PID 22839 and all its child processes
#
[Mon Sep 26 18:45:02 root@rtdev02 ~]
#   /var/tmp/dtrace_syscall -L /var/tmp/shell_syscalls.log  -p 22839 -i "|| ppid == 22839" "*"
[26.09.2011 18:45:08] dtrace_syscall v0.0.1 started on Mon Sep 26 18:45:08 MEST 2011
[26.09.2011 18:45:08] No config file ("dtrace_syscall.conf") found (use -C to create a default config file)
[26.09.2011 18:45:08] Using the log file "/var/tmp/dtrace_syscall.LOG"
[26.09.2011 18:45:10] Tracing the functions " *"
[26.09.2011 18:45:10] Additional dtrace clause is " || ppid == 22839"
[26.09.2011 18:45:10] Tracing the PIDs  22839
[26.09.2011 18:45:10] The dtrace output will be logged to the file "/var/tmp/shell_syscalls.log"
[26.09.2011 18:45:10] Compressing the log file "/var/tmp/shell_syscalls.log" to "/var/tmp/shell_syscalls.log.8.gz" ...
[26.09.2011 18:45:10] Starting dtrace ...
[26.09.2011 18:45:10] /usr/sbin/dtrace -q -s "/tmp/dtrace_syscall.24467.17517.TEMP1" 2>&1 | tee "/var/tmp/shell_syscalls.log"
*** Tracing started at 2011 Sep 26 18:45:12



# monitor the chmod syscall and print additional messages if found (parameter -d)
# (see dtrace printf examples)
#
[Thu Sep 29 10:41:32 root@rtdev02 ~]
# /var/tmp/dtrace_syscall -L /var/tmp/shell_syscalls.log +P -k -d 'printf( "\n *** Parameter 0 is %16s \n", copyinstr(arg0) ); '  "chmod"
[29.09.2011 10:41:33] dtrace_syscall v0.0.2 started on Thu Sep 29 10:41:33 MEST 2011
[29.09.2011 10:41:33] No config file ("dtrace_syscall.conf") found (use -C to create a default config file)
[29.09.2011 10:41:33] Using the log file "/var/tmp/dtrace_syscall.LOG"
[29.09.2011 10:41:33] The dtrace script used is "/var/tmp/dtrace_syscall.1448.d" (The script will NOT be deleted at script end!)
[29.09.2011 10:41:34] Tracing the functions " chmod"
[29.09.2011 10:41:34] The dtrace output will be logged to the file "/var/tmp/shell_syscalls.log"
[29.09.2011 10:41:34] Checking the syntax of the dynamically created dtrace script ...
[29.09.2011 10:41:36] Compressing the log file "/var/tmp/shell_syscalls.log" to "/var/tmp/shell_syscalls.log.32.gz" ...
[29.09.2011 10:41:36] Starting dtrace ...
[29.09.2011 10:41:36] /usr/sbin/dtrace -q -s "/var/tmp/dtrace_syscall.1448.d" 2>&1 | tee "/var/tmp/shell_syscalls.log"
*** Tracing started at 2011 Sep 29 10:41:38
###      chmod Binary:            chmod (pwd:      /root)  UID:      0  PID:   1518  PPID:  29989  Time: 2011 Sep 29 10:41:41
###     Parent Binary:               sh, Parent Parameter:             bash, Parent UID:      0

 *** Parameter 0 is            test2
^C[29.09.2011 10:42:01] ERROR: Script aborted by the user via signal BREAK (CTRL-C)
[29.09.2011 10:42:01] The dtrace script used is "/var/tmp/dtrace_syscall.1448.d"
[29.09.2011 10:42:01] The dtrace output will be logged to the file "/var/tmp/shell_syscalls.log"
[29.09.2011 10:42:01] The log file used was "/var/tmp/dtrace_syscall.LOG"
[29.09.2011 10:42:01] dtrace_syscall v0.0.2 ended on Thu Sep 29 10:42:01 MEST 2011.
[29.09.2011 10:42:01] The RC is 0.
[Thu Sep 29 10:42:01 root@rtdev02 ~]


 
# monitor the chmod syscall and print only user-defined messages if found (parameter +d)
# (see dtrace printf examples)
#
[Thu Sep 29 10:42:12 root@rtdev02 ~]
# /var/tmp/dtrace_syscall -L /var/tmp/shell_syscalls.log +P -k +d 'printf( "\n *** Binary: %16s, Parameter 0: %16s \n", execname, copyinstr(arg0) ); '  "chmod"
[29.09.2011 10:42:13] dtrace_syscall v0.0.2 started on Thu Sep 29 10:42:13 MEST 2011
[29.09.2011 10:42:13] No config file ("dtrace_syscall.conf") found (use -C to create a default config file)
[29.09.2011 10:42:13] Using the log file "/var/tmp/dtrace_syscall.LOG"
[29.09.2011 10:42:13] The dtrace script used is "/var/tmp/dtrace_syscall.1545.d" (The script will NOT be deleted at script end!)
[29.09.2011 10:42:14] Tracing the functions " chmod"
[29.09.2011 10:42:14] The dtrace output will be logged to the file "/var/tmp/shell_syscalls.log"
[29.09.2011 10:42:14] Checking the syntax of the dynamically created dtrace script ...
[29.09.2011 10:42:16] Compressing the log file "/var/tmp/shell_syscalls.log" to "/var/tmp/shell_syscalls.log.34.gz" ...
[29.09.2011 10:42:16] Starting dtrace ...
[29.09.2011 10:42:16] /usr/sbin/dtrace -q -s "/var/tmp/dtrace_syscall.1545.d" 2>&1 | tee "/var/tmp/shell_syscalls.log"
*** Tracing started at 2011 Sep 29 10:42:17

 *** Binary:            chmod, Parameter 0:            test2
^C[29.09.2011 10:42:25] ERROR: Script aborted by the user via signal BREAK (CTRL-C)
[29.09.2011 10:42:25] The dtrace script used is "/var/tmp/dtrace_syscall.1545.d"
[29.09.2011 10:42:25] The dtrace output will be logged to the file "/var/tmp/shell_syscalls.log"
[29.09.2011 10:42:25] The log file used was "/var/tmp/dtrace_syscall.LOG"
[29.09.2011 10:42:25] dtrace_syscall v0.0.2 ended on Thu Sep 29 10:42:25 MEST 2011.
[29.09.2011 10:42:25] The RC is 0.
[Thu Sep 29 10:42:25 root@rtdev02 ~]
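As an added example (not part of this page or of the dtrace_syscall script itself), a Python parser for the two-line ### records that the sessions above write to the -L log file, with a small assumed policy check on top: it resolves the traced path argument against the recorded pwd, so the relative and absolute spellings that the -i example has to list separately compare equal, and it flags calls from UIDs outside an allowed set or touching a watched path. The sample log is assembled from record lines shown above; the policy and the watched path are assumptions for illustration.

```python
import posixpath
import re

# One "###" event line of the dtrace_syscall output.  The "Parameter:" field is
# absent when the script was started with +P (see the ls and bash examples).
EVENT_RE = re.compile(
    r"^###\s+(?P<syscall>\S+)\s+Binary:\s+(?P<binary>\S+)"
    r"(?:\s+Parameter:\s+(?P<parameter>.*?))?"
    r"\s+\(pwd:\s+(?P<pwd>\S+)\)\s+UID:\s+(?P<uid>\d+)\s+PID:\s+(?P<pid>\d+)"
    r"\s+PPID:\s+(?P<ppid>\d+)\s+Time:\s+(?P<time>.+?)\s*$"
)
# The "Parent ..." line that follows every event line.
PARENT_RE = re.compile(
    r"^###\s+Parent Binary:\s+(?P<parent_binary>.*?),\s+Parent Parameter:\s+"
    r"(?P<parent_parameter>.*?),\s+Parent UID:\s+(?P<parent_uid>\d+)\s*$"
)


def parse_log(lines):
    """Return one dict per event, each merged with its Parent line.  Everything
    else (tracing banners, the traced program's own stdout, -d printf output)
    is skipped, because a real -L log file mixes all of these."""
    events, pending = [], None
    for line in lines:
        pm = PARENT_RE.match(line)
        if pm and pending is not None:
            pending.update(pm.groupdict())
            pending["parent_uid"] = int(pending["parent_uid"])
            pending = None
            continue
        em = EVENT_RE.match(line)
        if em:
            pending = em.groupdict()
            for key in ("uid", "pid", "ppid"):
                pending[key] = int(pending[key])
            events.append(pending)
    return events


def resolved_path(ev):
    """Normalise the traced path argument against the process's pwd, so that
    'test2' run in /var/tmp and '/var/tmp/test2' compare equal (the -i example
    above has to list both spellings explicitly)."""
    param = ev.get("parameter")
    if param is None:
        return None
    return posixpath.normpath(param if param.startswith("/") else posixpath.join(ev["pwd"], param))


def find_unexpected(events, allowed_uids=frozenset({0}), watched_paths=frozenset()):
    """Assumed policy for illustration: flag calls made by a UID outside
    allowed_uids and calls whose path argument resolves to a watched path."""
    hits = []
    for ev in events:
        reasons = []
        if ev["uid"] not in allowed_uids:
            reasons.append(f"uid {ev['uid']} not in allowed set")
        path = resolved_path(ev)
        if path in watched_paths:
            reasons.append(f"touches watched path {path}")
        if reasons:
            hits.append((ev, reasons))
    return hits


# Sample log assembled from record lines shown in the sessions above, with the
# kinds of non-record lines (banners, ls output, a -d printf line) a real log has.
SAMPLE_LOG = """\
*** Tracing started at 2011 Sep 29 10:32:43
###      chown Binary:            chown Parameter:            test2 (pwd:      /root)  UID:      0 PID:    704  PPID:  29989  Time: 2011 Sep 29 10:32:46
###     Parent Binary:               sh, Parent Parameter:             bash, Parent UID:      0
###     unlink Binary:               rm Parameter:            test2 (pwd:   /var/tmp)  UID:    500 PID:   1136  PPID:   1023  Time: 2011 Sep 29 10:37:55
###     Parent Binary:              ksh, Parent Parameter:             bash, Parent UID:    500

 *** Parameter 0 is            test2
###       mmap Binary:               ls (pwd:      /root)  UID:      0  PID:   1233  PPID:   1231  Time: 2011 Sep 29 10:38:40
###     Parent Binary:   dtrace_syscall, Parent Parameter: /usr/sbin/dtrace -q -s /tmp/dtrace_syscall.1163.16991.TEMP1 -c ls, Parent UID:      0
Downloads
*** Tracing ended at 2011 Sep 29 10:38:40
"""


def parse_sample():
    """Parse the embedded sample; with watched_paths={"/var/tmp/test2"} the
    unlink by UID 500 is the only record find_unexpected() reports."""
    return parse_log(SAMPLE_LOG.splitlines())
```

To run it over a real log, call parse_log(open("/var/tmp/monitor_file_changes.log")) and pass the result to find_unexpected() with your own UID set and watched paths.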




Trouble Shooting


 An error message like

 dtrace: error on enabled probe ID 150 (ID 7715: syscall::sigaction:entry): invalid address (0x0) in action #3 at DIF offset 28

 will be printed by dtrace if parameter 0 of the traced function is not of type string.
 In this case use the parameter +P of the script to suppress printing parameter 0.

