-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathUsefull_dtrace_scripts
More file actions
120 lines (99 loc) · 5.72 KB
/
Usefull_dtrace_scripts
File metadata and controls
120 lines (99 loc) · 5.72 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
# Files opened by process. Very useful when reversing:
dtrace -n 'syscall::open*:entry { printf("%s %s", execname, copyinstr(arg0)); }'
# Syscall count by program:
dtrace -n 'syscall:::entry { @num[execname] = count(); }'
# Syscall count by syscall:
dtrace -n 'syscall:::entry { @num[probefunc] = count(); }'
# Syscall count by PID:
dtrace -n 'syscall:::entry { @num[pid,execname] = count(); }'
# Read bytes by process:
dtrace -n 'syscall::read:entry { @bytes[execname] = sum(arg0); }'
# Periodic breakdown of written bytes by process:
dtrace -n 'syscall::write:* { @bytes[execname] = sum(arg0); } tick-5sec { printa(@bytes); trunc(@bytes); }'
# Read size distribution by process:
dtrace -n 'syscall::read:entry { @dist[execname] = quantize(arg0); }'
# Write size distribution by process:
dtrace -n 'syscall::write:entry { @dist[execname] = quantize(arg0); }'
# Disk size (in blocks) by process:
dtrace -n 'io:::start { printf("%d %s %d", pid, execname, args[0]->b_bcount); }'
# Pages paged in by process:
dtrace -n 'vminfo::vm_fault_enter:pgin { @pg[execname] = sum(arg0); }'
# Minor faults by process:
dtrace -n 'vminfo:::as_fault { @mem[execname] = sum(arg0); }'
# Interrupts by CPU:
dtrace -n 'sdt:::interrupt-start { @num[cpu] = count(); }'
# New processes with arguments and time:
dtrace -qn 'syscall::exec*:return { printf("%Y %s\n",walltimestamp,curpsinfo->pr_psargs); }'
# Successful signal details:
dtrace -n 'proc:::signal-send /pid/ { printf("%s -%d %d",execname,args[2],args[1]->pr_pid); }'
# System call breakdown for the process with PID 31337:
dtrace -n syscall:::entry'/pid == 31337/{ @syscalls[probefunc] = count(); }'
# Tracking memory page faults for process:
dtrace -n 'vminfo:::as_fault { @mem[execname] = sum(arg0); }'
# iOS Intruments-like malloc size distribution plot:
dtrace -n 'pid$target::malloc:entry { @ = quantize(arg0); }' -p PID
# Memory allocation via malloc by stack trace and requested size:
dtrace -n 'pid$target::malloc:entry { @[ustack()] = sum(arg0); }' -p PID
# Rate of disk I/O:
dtrace -n 'io:::start { @io = count(); } tick-1sec { printa("Disk I/Os per second: %@d\n", @io); trunc(@io); }'
Examples
Files opened by process:
$ sudo dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0)); }'
dyld: DYLD_ environment variables being ignored because main executable (/usr/bin/sudo) is setuid or setgid
dtrace: description 'syscall::open*:entry ' matched 4 probes
CPU ID FUNCTION:NAME
4 149 open:entry iTerm /Users/mfukar/Library/Saved Application State/com.googlecode.iterm2.savedState/window_1.data
4 149 open:entry iTerm /Users/mfukar/Library/Saved Application State/com.googlecode.iterm2.savedState/window_2.data
2 149 open:entry mdworker /Users/mfukar/Library/Saved Application State/com.googlecode.iterm2.savedState/data.data
2 149 open:entry mds .
3 149 open:entry mds .
3 149 open:entry mdworker /Users/mfukar/Library/Saved Application State/com.googlecode.iterm2.savedState/windows.plist
4 149 open:entry iTerm /Users/mfukar/Library/Saved Application State/com.googlecode.iterm2.savedState/data.data
Read bytes by process:
# dtrace -n 'syscall::read:entry { @bytes[execname] = sum(arg0); }'
dtrace: description 'syscall::read:entry ' matched 1 probe
^C
syslogd 8
vim 14
iTerm 42
launchd 91
NetworkBrowserA 204
SystemUIServer 204
mdworker 294
gpg-agent 568
fseventsd 1328
mds 2317
configd 3350
UserEventAgent 5966
plugin-containe 45379
firefox 371532
Write size distribution by process:
# dtrace -n 'syscall::write:entry { @dist[execname] = quantize(arg0); }'
<snip>
firefox
value ------------- Distribution ------------- count
2 | 0
4 |@@@@@@@@@@@@ 4582
8 |@@@@@@ 2266
16 |@@@@ 1450
32 |@@ 895
64 |@@@@@@@@@@@@@@@ 5665
128 | 0
Interrupts by CPU:
The below does not work on OS X, unfortunately:
# dtrace -n 'sdt:::interrupt-start { @num[cpu] = count(); }'
dtrace: description 'sdt:::interrupt-start ' matched 1 probe
^C
513 2
515 4
3 39
2 39
Rate of disk I/O:
# sudo dtrace -n 'io:::start { @io = count(); } tick-1sec { printa("Disk I/Os per second: %@d", @io); trunc(@io); }' -p 428
dtrace: description 'io:::start ' matched 2 probes
CPU ID FUNCTION:NAME
6 183582 :tick-1sec
6 183582 :tick-1sec
6 183582 :tick-1sec Disk I/Os per second: 5
6 183582 :tick-1sec Disk I/Os per second: 2
6 183582 :tick-1sec