statsnoop revision 1
3e14f97f673e8a630f076077de35afdd43dc1587Roger A. Faulkner#!/usr/bin/sh
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# statsnoop - snoop file stats as they occur.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# Written using DTrace (Solaris 10 3/05).
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# $Id: statsnoop 65 2007-10-04 11:09:40Z brendan $
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# USAGE: statsnoop [-a|-A|-ceghlsvxZ] [-f pathname] [-t syscall]
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# [-n name] [-p PID]
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# statsnoop # default output
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# -a # print most data
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# -A # dump all data, space delimited
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# -c # print cwd of process
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# -e # print errno value
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# -g # print command arguments
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# -l # print syscall type
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# -s # print start time, us
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# -v # print start time, string
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# -x # only print failed stats
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# -Z # print zonename
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# -f pathname # file pathname to snoop
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# -n name # command name to snoop
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# -p PID # process ID to snoop
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# -t syscall # stat syscall to trace
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# eg,
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# statsnoop -v # human readable timestamps
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# statsnoop -S # syscall type
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# statsnoop -e # see error codes
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# statsnoop -f /etc/passwd # snoop this file only
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# FIELDS:
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# ZONE Zone name
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# UID User ID
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# PID Process ID
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# PPID Parent Process ID
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# FD file descriptor (-1 for error)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# ERR errno value (see /usr/include/sys/errno.h)
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# TYPE syscall type
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# CWD current working directory of process
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# PATH pathname for file stat
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# COMM command name for the process
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# ARGS argument listing for the process
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# TIME timestamp for the stat event, us
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# STRTIME timestamp for the stat event, string
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# SEE ALSO: truss, BSM auditing.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# COPYRIGHT: Copyright (c) 2007 Brendan Gregg.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# CDDL HEADER START
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# The contents of this file are subject to the terms of the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# Common Development and Distribution License, Version 1.0 only
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# (the "License"). You may not use this file except in compliance
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# with the License.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# You can obtain a copy of the license at Docs/cddl1.txt
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# or http://www.opensolaris.org/os/licensing.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# See the License for the specific language governing permissions
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# and limitations under the License.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# CDDL HEADER END
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# Author: Brendan Gregg [Sydney, Australia]
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# 09-Sep-2007 Brendan Gregg Created this.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin##############################
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin# --- Process Arguments ---
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin#
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin### Default variables
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinopt_dump=0; opt_file=0; opt_time=0; opt_timestr=0; opt_args=0
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinopt_zone=0; opt_cwd=0; opt_failonly=0; opt_err=0; filter=0; pathname=.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinopt_name=0; opt_pid=0; opt_type=0; opt_trace=0; pname=.; pid=0; trace=.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin### Process options
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinwhile getopts aAcef:ghln:p:st:vxZ name
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chindo
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin case $name in
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin a) opt_time=1; opt_timestr=1; opt_args=1; opt_err=1 ;;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin A) opt_dump=1 ;;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin c) opt_cwd=1 ;;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin e) opt_err=1 ;;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin g) opt_args=1 ;;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin f) opt_file=1; pathname=$OPTARG ;;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin l) opt_type=1 ;;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin n) opt_name=1; pname=$OPTARG ;;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin p) opt_pid=1; pid=$OPTARG ;;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin s) opt_time=1 ;;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin t) opt_trace=1; trace=$OPTARG ;;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin v) opt_timestr=1 ;;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin x) opt_failonly=1 ;;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin Z) opt_zone=1 ;;
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin h|?) cat <<-END >&2
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin USAGE: statsnoop [-a|-A|-ceghlsvxZ] [-f pathname] [-t syscall]
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin [-n execname] [-p PID]
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin statsnoop # default output
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin -a # print most data
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin -A # dump all data, space delimited
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin -c # print cwd of process
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin -e # print errno value
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin -g # print command arguments
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin -l # print syscall type
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin -s # print start time, us
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin -v # print start time, string
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin -x # only print failed stats
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin -Z # print zonename
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin -f pathname # pathname name to snoop
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin -n name # process name to snoop
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin -p PID # process ID to snoop
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin -t syscall # stat syscall to trace
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin eg,
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin statsnoop -v # human readable timestamps
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin statsnoop -e # see error codes
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin statsnoop -f /etc/motd # snoop this file only
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin END
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin exit 1
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin esac
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chindone
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin### Option logic
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinif [ $opt_dump -eq 1 ]; then
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin opt_zone=0; opt_cwd=0; opt_time=0; opt_timestr=0; opt_type=0
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin opt_args=2
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinfi
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinif [ $opt_name -eq 1 -o $opt_pid -eq 1 -o $opt_trace -eq 1 ]; then
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin filter=1
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chinfi
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin
#################################
# --- Main Program, DTrace ---
#
/usr/sbin/dtrace -n '
/*
* Command line arguments
*/
inline int OPT_dump = '$opt_dump';
inline int OPT_file = '$opt_file';
inline int OPT_args = '$opt_args';
inline int OPT_cwd = '$opt_cwd';
inline int OPT_err = '$opt_err';
inline int OPT_zone = '$opt_zone';
inline int OPT_time = '$opt_time';
inline int OPT_timestr = '$opt_timestr';
inline int OPT_type = '$opt_type';
inline int OPT_failonly = '$opt_failonly';
inline int OPT_pid = '$opt_pid';
inline int OPT_name = '$opt_name';
inline int OPT_trace = '$opt_trace';
inline int FILTER = '$filter';
inline int PID = '$pid';
inline string PATHNAME = "'$pathname'";
inline string NAME = "'$pname'";
inline string TRACE = "'$trace'";
/*
* Manifest constants
*/
inline uint_t AT_FDCWD = 0xffd19553;
inline uint_t SLASH = 0x2f; /* '/' */
#pragma D option quiet
#pragma D option switchrate=10hz
/*
* Print header
*/
dtrace:::BEGIN
{
/* print optional headers */
OPT_time ? printf("%-14s ", "TIME") : 1;
OPT_timestr ? printf("%-20s ", "STRTIME") : 1;
OPT_zone ? printf("%-10s ", "ZONE") : 1;
/* print dump headers */
OPT_dump ? printf("%s %s %s %s %s %s %s %s %s %s %s", "ZONE",
"TIME", "UID", "PID", "PPID", "COMM", "FD", "ERR", "CWD",
"PATH", "ARGS") : printf("%5s %6s ","UID","PID");
/* print main headers */
OPT_args == 0 ? printf("%-12s ", "COMM") : 1;
OPT_dump == 0 ? printf("%3s ", "FD") : 1;
OPT_err ? printf("%3s ", "ERR") : 1;
OPT_cwd ? printf("%-20s ", "CWD") : 1;
OPT_type ? printf("%-8s ", "TYPE") : 1;
OPT_dump == 0 ? printf("%-20s ", "PATH") : 1;
OPT_args == 1 ? printf("%s", "ARGS") : 1;
printf("\n");
}
/*
* Print stat event
*/
syscall::fstatat:entry, syscall::fstatat64:entry
{
/* default is to trace unless filtering */
self->ok = FILTER ? 0 : 1;
/* check each filter */
(OPT_name == 1 && NAME == execname) ? self->ok = 1 : 1;
(OPT_pid == 1 && PID == pid) ? self->ok = 1 : 1;
(OPT_trace == 1 && TRACE == probefunc) ? self->ok = 1 : 1;
}
syscall::fstatat:entry, syscall::fstatat64:entry
/self->ok/
{
self->dfd = (uint_t)arg0; /* may be AT_FDCWD */
self->pathp = arg1; /* may be 0 (for fstat) */
}
syscall::fstatat:return, syscall::fstatat64:return
/self->ok && self->pathp != 0/ /* stat, lstat */
{
self->rpath = copyinstr(self->pathp);
self->dir = *self->rpath == SLASH? "" : /* it is a full pathname */
(self->dfd == AT_FDCWD? cwd : /* it is relative to cwd */
fds[self->dfd].fi_pathname); /* it is relative to dfd */
self->join = *self->rpath == SLASH? "" : "/";
self->path = strjoin(strjoin(self->dir, self->join), self->rpath);
/* cleanup */
self->join = 0;
self->dir = 0;
self->rpath = 0;
}
syscall::fstatat:return, syscall::fstatat64:return
/self->ok && self->pathp == 0/ /* fstat */
{
self->path = fds[self->dfd].fi_pathname;
}
syscall::fstatat:return, syscall::fstatat64:return
/self->ok && (!OPT_failonly || (int)arg0 < 0) &&
(OPT_file == 0 || (OPT_file == 1 && PATHNAME == self->path))/
{
/* print optional fields */
OPT_time ? printf("%-14d ", timestamp/1000) : 1;
OPT_timestr ? printf("%-20Y ", walltimestamp) : 1;
OPT_zone ? printf("%-10s ", zonename) : 1;
/* print dump fields */
OPT_dump ? printf("%s %d %d %d %d %s %d %d %s %s %S", zonename,
timestamp/1000, uid, pid, ppid, execname, (int)arg0, errno,
cwd, self->path, curpsinfo->pr_psargs) :
printf("%5d %6d ", uid, pid);
/* print main fields */
OPT_args == 0 ? printf("%-12.12s ", execname) : 1;
OPT_dump == 0 ? printf("%3d ", (int)arg0) : 1;
OPT_err ? printf("%3d ", errno) : 1;
OPT_cwd ? printf("%-20s ", cwd) : 1;
OPT_type ? printf("%-8s ", probefunc) : 1;
OPT_dump == 0 ? printf("%-20s ", self->path) : 1;
OPT_args == 1 ? printf("%S", curpsinfo->pr_psargs) : 1;
printf("\n");
}
/*
* Cleanup
*/
syscall::fstatat:return, syscall::fstatat64:return
/self->ok/
{
self->dfd = 0;
self->pathp = 0;
self->path = 0;
self->ok = 0;
}
'