wk DTrace list find blog view edit


List all the hookable syscall entries

dtrace -l -n syscall:::entry

Grepping per process and show executable program name

dtrace -n 'syscall:::entry /execname == "dtrace"/ {trace(execname)}'

Showing backtrace while handling an event

dtrace -n 'syscall:::entry /pid == 18947/ { trace(execname); ustack(); }'

Using the pid provider

dtrace -n 'pid610::XPending::entry { trace(pid); }'

Use "#pragma D option flowindent" to indent the tracing output


dtrace -n 'syscall:::entry {printf("%x %x", arg0,arg1); ustack()}

Script example

#!/usr/sbin/dtrace -s
/execname == "Xsun"/
  self->interested = 1;

  @[args[1]->pr->fname] = count();
  self->interested = 0;


System Calls Count by Application
 $ dtrace -n 'syscall:::entry{@[execname] = count();}'

System Calls Count by Application and Process
 $ dtrace -n 'syscall:::entry{@[execname,pid] = count();}'

How many times a file has been opened
 $ dtrace -n 'syscall::open:entry{@[copyinstr(arg0)] = count();}'

Files Opened by process
 $ dtrace -qn 'syscall::open*:entry{ printf("%s %s\n",execname,copyinstr(arg0)); }'

Read Bytes by process
 $ dtrace -n 'sysinfo:::readch{ @[execname] = sum(arg0);}'

Write Bytes by process
 $ dtrace -n 'sysinfo:::writech{ @[execname] = sum(arg0);}'

How big a read is
 $ dtrace -n 'syscall::read:entry{@[execname] = quantize(arg2);}'

How big a write is
 $ dtrace -n 'syscall::write:entry{@[execname] = quantize(arg2);}'

Disk size by process
 $ dtrace -qn 'io:::start{printf("%d %s %d\n",pid,execname,args[0]->b_bcount); }'

High system time
 $ dtrace -n profile-501'{@[stack()] = count()}END{trunc(@, 25)}'

What processes are using fork
 $ dtrace -n 'syscall::fork*:entry{printf("%s %d",execname,pid);}'

My application is doing nothing
 $ dtrace -n sched:::off-cpu'{@[ustack()] = count()}' -p pid