DTrace
List all the hookable syscall entries
$ dtrace -l -n syscall:::entry
Filtering by process name and showing the executable name
$ dtrace -n 'syscall:::entry /execname == "dtrace"/ {trace(execname)}'
Showing backtrace while handling an event
$ dtrace -n 'syscall:::entry /pid == 18947/ { trace(execname); ustack(); }'
Using the pid provider
$ dtrace -n 'pid610::XPending:entry { trace(pid); }'
Use "#pragma D option flowindent" to indent the tracing output
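A script using that pragma, as an added example that is not from the original page: it follows one process from entry to main() until main() returns and prints its user-level function calls and system calls as an indented flow. It assumes a Solaris/illumos-style pid provider, where the module name a.out refers to the target's executable, and that it is started with -c or -p so that $target is set (the file name flow.d and the program ./myprog are placeholders).

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example, not from the original page.
 * Run as:  ./flow.d -c ./myprog    or    ./flow.d -p PID
 * (flow.d and ./myprog are placeholder names.)
 */
#pragma D option flowindent

/* Start following this thread when the target enters main(). */
pid$target::main:entry
{
	self->follow = 1;
}

/*
 * Every function entry and return in the target's executable.
 * Assumption: "a.out" names the executable module (Solaris/illumos).
 * The empty clause records only the probe firing, which flowindent
 * prints as "->" on entry and "<-" on return.
 */
pid$target:a.out::entry,
pid$target:a.out::return
/self->follow/
{
}

/* System calls made while following; shown as "=>" and "<=". */
syscall:::entry,
syscall:::return
/self->follow/
{
}

/* Stop when main() returns. Placed last so the return is still printed. */
pid$target::main:return
/self->follow/
{
	self->follow = 0;
	exit(0);
}
```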
Printeffing
$ dtrace -n 'syscall:::entry {printf("%x %x", arg0, arg1); ustack()}'
Script example
#!/usr/sbin/dtrace -s

/* Mark the thread when Xsun calls mmap() */
syscall::mmap:entry
/execname == "Xsun"/
{
	self->interested = 1;
}

/* Count which processes a marked thread wakes up */
sched:::wakeup
/self->interested/
{
	@[args[1]->pr_fname] = count();
	self->interested = 0;
}
furthermoar
System Calls Count by Application
$ dtrace -n 'syscall:::entry{@[execname] = count();}'
System Calls Count by Application and Process
$ dtrace -n 'syscall:::entry{@[execname,pid] = count();}'
How many times a file has been opened
$ dtrace -n 'syscall::open:entry{@[copyinstr(arg0)] = count();}'
Files Opened by process
$ dtrace -qn 'syscall::open*:entry{ printf("%s %s\n",execname,copyinstr(arg0)); }'
Read Bytes by process
$ dtrace -n 'sysinfo:::readch{ @[execname] = sum(arg0);}'
Write Bytes by process
$ dtrace -n 'sysinfo:::writech{ @[execname] = sum(arg0);}'
How big a read is
$ dtrace -n 'syscall::read:entry{@[execname] = quantize(arg2);}'
How big a write is
$ dtrace -n 'syscall::write:entry{@[execname] = quantize(arg2);}'
Disk I/O size by process
$ dtrace -qn 'io:::start{printf("%d %s %d\n",pid,execname,args[0]->b_bcount); }'
High system time
$ dtrace -n profile-501'{@[stack()] = count()}END{trunc(@, 25)}'
What processes are using fork
$ dtrace -n 'syscall::fork*:entry{printf("%s %d",execname,pid);}'
My application is doing nothing
$ dtrace -n 'sched:::off-cpu /pid == $target/ {@[ustack()] = count()}' -p pid