Understanding dtruss output

Can someone point me to a link on how to understand / interpret the report issued by dtruss (mac) or dtrace?

I just tried dtruss with a simple program. For example, I got the following output:

  PID/THRD     SYSCALL(args)                                                               = return
  250/0x103c:  getattrlist("/Volumes/CORE/CORE.app\0", 0x7FFF5E8045D8, 0x7FFF5E804250)  = 0 0
  250/0x103c:  geteuid(0x7FFF5E8045E0, 0x0, 0x7FFF5E804A18)                              = 501 0
  250/0x103c:  geteuid(0x7FFF5E805DF0, 0x0, 0x7FFF5E805E80)                              = 501 0
  250/0x103c:  geteuid(0x7FFF5E805540, 0x0, 0x7FFF5E805770)                              = 501 0
  250/0x103c:  getattrlist("/.vol/16777224/21\0", 0x7FFF5E8046D0, 0x7FFF5E803CF0)       = 0 0
  250/0x103c:  geteuid(0x7FFF5E805950, 0x0, 0x7FFF5E8059C8)                              = 501 0
  250/0x103c:  __mac_syscall(0x7FFF8D22057C, 0x50, 0x7FFF5E805990)                       = 0 0
  250/0x103c:  geteuid(0x7FFF5E805950, 0x0, 0x7FFF5E8059C8)                              = 501 0
  250/0x103c:  __mac_syscall(0x7FFF8D22057C, 0x51, 0x7FFF5E8059A8)                       = -1 Err#30
  250/0x103c:  geteuid(0x7FFF5E8057D0, 0x0, 0x7FFF5E805848)                              = 501 0
  250/0x103c:  getattrlist("/.vol/16777224/21\0", 0x7FFF5E804960, 0x7FFF5E803F80)       = 0 0
  250/0x103c:  open("/.vol/16777224/21\0", 0x0, 0x1FF)                                   = 6 0
  250/0x103c:  geteuid(0x7FFF5E805790, 0x0, 0x7FFF5E805920)                              = 501 0

I see all these system calls with hexadecimal parameters. But how can I decode them? How do I know, for example, which file it is trying to open?

+4
2 answers

In your example, the path for the open() syscall ("/.vol/16777224/21") is shown in the output.

dtruss is a shell / DTrace script, similar to the truss tool from Solaris (strace on Linux). These tools are coded to know how to display arguments in a human-readable way. I coded some of that into dtruss, but it could be improved to understand more. Since it is a shell / DTrace script, you can make a copy of dtruss and customize it to add more.

For system calls that display hexadecimal numbers, you can start by reading the manual page to find out what the arguments are. For example, geteuid() takes no arguments, so the default dtruss behavior of printing three arguments in hexadecimal is confusing. It should print none of them and just show the return value. This can be done, for example, by changing the following section:

  /* print 0 arg output */
  syscall::*fork:return
  /self->start/
  {

to

  /* print 0 arg output */
  syscall::*fork:return,
  syscall::geteuid:return
  /self->start/
  {
+3
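The answer above explains the shape of a dtruss line (PID/thread, syscall, raw args, return value, errno) and why geteuid()'s hex "arguments" are meaningless. As an added example, not code from the question or from dtruss itself, here is a small parser that turns lines in that format into structured records and decodes the parts dtruss leaves raw: the copied-in path, the open(2) flag and mode bits (macOS <sys/fcntl.h> values), and the errno number behind "Err#30". The sample lines are constructed from the question's own output; the errno table is a deliberately partial macOS one.

```python
import re
from collections import namedtuple

# Constructed sample: three lines taken from the dtruss output quoted in the question.
SAMPLE = """\
250/0x103c:  geteuid(0x7FFF5E8045E0, 0x0, 0x7FFF5E804A18)   = 501 0
250/0x103c:  __mac_syscall(0x7FFF8D22057C, 0x51, 0x7FFF5E8059A8)   = -1 Err#30
250/0x103c:  open("/.vol/16777224/21\\0", 0x0, 0x1FF)   = 6 0
"""
# dtruss line layout: PID/0xTHREAD:  name(args) = return errno, where errno is printed as "Err#N" on failure
LINE_RE = re.compile(r'^(?P<pid>\d+)/0x(?P<tid>[0-9a-fA-F]+):\s+(?P<name>\w+)\((?P<args>.*)\)'
                     r'\s*=\s*(?P<ret>-?\d+)\s+(?:Err#(?P<err>\d+)|0)\s*$')
ARG_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[^,\s]+')      # a quoted string or one bare token
BSD_ERRNO = {1: "EPERM", 2: "ENOENT", 13: "EACCES", 30: "EROFS"}   # partial macOS table; Linux numbering diverges above 30
ACCESS = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}                # open(2) access mode, low two bits
O_FLAGS = [(0x4, "O_NONBLOCK"), (0x8, "O_APPEND"), (0x200, "O_CREAT"), (0x400, "O_TRUNC"), (0x800, "O_EXCL")]
Syscall = namedtuple("Syscall", "pid tid name args ret errno")   # args: str for copied-in paths, int for raw hex

def _arg(tok):
    if tok.startswith('"'):
        s = tok[1:-1]
        return s[:-2] if s.endswith("\\0") else s   # dtruss prints the NUL terminator as \0
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a dtruss syscall line: {line!r}")
    args = [_arg(t) for t in ARG_RE.findall(m.group("args"))]
    return Syscall(int(m.group("pid")), int(m.group("tid"), 16), m.group("name"),
                   args, int(m.group("ret")), int(m.group("err") or 0))

def parse_trace(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def decode_open_flags(flags):
    names = [ACCESS.get(flags & 0x3, "O_ACCMODE?")] + [n for bit, n in O_FLAGS if flags & bit]
    return "|".join(names)

def describe(c):
    # Render one call the way a hand-edited dtruss would: decoded args, then the fd or the errno name.
    if c.name == "open":
        shown = f'open(path="{c.args[0]}", flags={decode_open_flags(c.args[1])}, mode={oct(c.args[2])})'
    elif c.name == "geteuid":
        shown = "geteuid()"    # takes no arguments; the three hex values are just whatever was in the registers
    else:
        shown = f"{c.name}({', '.join(hex(a) if isinstance(a, int) else repr(a) for a in c.args)})"
    if c.ret == -1 and c.errno:
        err = BSD_ERRNO.get(c.errno, "Err#%d" % c.errno)
        return f"{shown} -> -1 {err} (errno {c.errno})"
    return f"{shown} -> {c.ret}"
```

Running `for c in parse_trace(SAMPLE): print(describe(c))` turns the third sample line into `open(path="/.vol/16777224/21", flags=O_RDONLY, mode=0o777) -> 6` and the failed `__mac_syscall` into `... -> -1 EROFS (errno 30)`.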

dtrace is a low-level but powerful tool that allows you to trace many kernel-level events. What is traced or displayed is specified in the dtrace script. These system calls are kernel-level functions called by the program you are monitoring (not the program's own user-level functions).

dtrace allows you to monitor / quantify the processor, disk, memory, file system, network, etc. for each process or group of processes.

One link is the Solaris DTrace website, but there are many guides and tutorials on the web.

To find out which files are opened by processes, you should use:

 dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0)); }' 
+1

Source: https://habr.com/ru/post/1443234/
