The DTrace framework provides instrumentation points that are called probes. A DTrace user can use a probe to record and display relevant information about a kernel or user process. Each DTrace probe is activated by a specific behavior. This probe activation is referred to as firing. As an example, consider a probe that fires on entry into an arbitrary kernel function. This example probe can display the following information:
Any argument that is passed to the function
Any global variable in the kernel
A timestamp that indicates when the function was called
A stack trace that indicates the section of code that called the function
The process that was running at the time the function was called
The thread that made the function call
When a probe fires, you can specify a particular action for DTrace to take. A DTrace action usually records an interesting aspect of system behavior, such as a timestamp or a function argument.
Probes are implemented by providers. A probe provider is a kernel module that enables a given probe to fire. For example, the function boundary tracing provider fbt provides entry and return probes for almost every function in every kernel module.
DTrace has significant data management capabilities. These capabilities enable DTrace users to prune the data reported by probes, avoiding the overhead involved in generating and then filtering unwanted data. DTrace also provides mechanisms for tracing during the boot process and for retrieving data from a kernel crash dump. All of the instrumentation in DTrace is dynamic. Probes are enabled discretely at the time that the probes are used, and inactive probes present no instrumented code.
A DTrace consumer is any process that interacts with the DTrace framework. While dtrace(1M) is the primary DTrace consumer, other consumers exist. These additional consumers mostly consist of new versions of existing utilities such as lockstat(1M). The DTrace framework has no limit on the number of concurrent consumers.
The behavior of DTrace can be modified with the use of scripts that are written in the D language, which is structured similarly to C. The D language provides access to kernel C types and kernel static and kernel global variables. The D language supports ANSI C operators.