13.7 DTrace Command Examples

Display the probes that are available with the proc provider.

 # dtrace -l -P proc
   ID   PROVIDER            MODULE                          FUNCTION NAME
 4066       proc           vmlinux                     schedule_tail start
 4067       proc           vmlinux                     schedule_tail lwp-start
 4069       proc           vmlinux             get_signal_to_deliver signal-handle
 4074       proc           vmlinux                   do_sigtimedwait signal-clear
 4075       proc           vmlinux                           do_fork lwp-create
 4076       proc           vmlinux                           do_fork create
 4077       proc           vmlinux                           do_exit lwp-exit
 4078       proc           vmlinux                           do_exit exit
 4079       proc           vmlinux                  do_execve_common exec-failure
 4080       proc           vmlinux                  do_execve_common exec
 4081       proc           vmlinux                  do_execve_common exec-success
 4085       proc           vmlinux                     __send_signal signal-send
 4086       proc           vmlinux                     __send_signal signal-discard

Monitor the system as it loads and executes process images.

# dtrace -n 'proc::do_execve_common:exec { trace(stringof(arg0)); }'
dtrace: description 'proc:::exec' matched 1 probe
CPU     ID                FUNCTION:NAME
  0    600        do_execve_common:exec   /bin/uname                       
  0    600        do_execve_common:exec   /bin/mkdir                       
  0    600        do_execve_common:exec   /bin/sed                         
  0    600        do_execve_common:exec   /usr/bin/dirname                 
  1    600        do_execve_common:exec   /usr/lib64/qt-3.3/bin/firefox    
  1    600        do_execve_common:exec   /usr/local/bin/firefox           
  1    600        do_execve_common:exec   /usr/bin/firefox                 
  1    600        do_execve_common:exec   /bin/basename                    
  1    600        do_execve_common:exec   /bin/uname                       
  1    600        do_execve_common:exec   /usr/bin/mozilla-plugin-config   
  1    600        do_execve_common:exec   /usr/lib64/nspluginwrapper/plugin-config
  1    600        do_execve_common:exec   /usr/lib64//xulrunner-1.9.2/mozilla-xremote-client
  1    600        do_execve_common:exec   /bin/sed                         
  1    600        do_execve_common:exec   /usr/lib64/firefox-3.6/run-mozilla.sh
  1    600        do_execve_common:exec   /bin/basename                    
  1    600        do_execve_common:exec   /bin/uname                       
  1    600        do_execve_common:exec   /usr/lib64/firefox-3.6/firefox   
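
The following added example (not part of the original documentation) filters trace output in the format shown above and reports executed paths that fall outside a set of trusted directories. The function names, the `TRUSTED_DIRS` list and the sample trace lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: review aid for output of the proc exec trace shown above.
# Reads trace lines on stdin and prints "count path" for every executed
# path that does not start with a trusted directory prefix.

# Hypothetical allowlist of directory prefixes; adjust for the host.
TRUSTED_DIRS="/bin/ /sbin/ /usr/bin/ /usr/sbin/ /usr/lib64/ /usr/libexec/"

untrusted_execs() {
  awk -v dirs="$TRUSTED_DIRS" '
    BEGIN { n = split(dirs, trusted, " ") }
    # Data lines: CPU  ID  FUNCTION:NAME  PATH (header and banner are skipped)
    NF >= 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /:exec$/ {
      path = $0
      # Drop the first three columns so paths containing spaces survive.
      sub(/^[ \t]*[0-9]+[ \t]+[0-9]+[ \t]+[^ \t]+[ \t]+/, "", path)
      sub(/[ \t]+$/, "", path)
      gsub(/\/+/, "/", path)              # "/usr/lib64//x" -> "/usr/lib64/x"
      ok = 0
      if (path !~ /(^|\/)\.\.(\/|$)/)     # a ".." component is never trusted
        for (i = 1; i <= n; i++)
          if (index(path, trusted[i]) == 1) { ok = 1; break }
      if (!ok) seen[path]++
    }
    END { for (p in seen) printf "%d %s\n", seen[p], p }
  ' | sort -k2
}

# Constructed sample in the trace format above (not captured from a real system).
sample_trace() {
  cat <<'EOF'
CPU     ID                FUNCTION:NAME
  0    600        do_execve_common:exec   /bin/uname
  1    600        do_execve_common:exec   /usr/local/bin/firefox
  1    600        do_execve_common:exec   /usr/lib64//xulrunner-1.9.2/mozilla-xremote-client
  0    600        do_execve_common:exec   /tmp/installer.run
  0    600        do_execve_common:exec   /tmp/installer.run
  1    600        do_execve_common:exec   /usr/bin/../../home/guest/tool
EOF
}

# Run "sh thisfile --demo" to see the report for the constructed sample.
if [ "${1:-}" = "--demo" ]; then sample_trace | untrusted_execs; fi
```

On a live system, pipe the output of the `dtrace -n` command above into `untrusted_execs` instead of using `sample_trace`.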

Display the names of commands that invoke the open() system call and the name of the file being opened.

# dtrace -q -n 'syscall::open:entry { printf("%-16s %-16s\n",execname,copyinstr(arg0)); }'
udisks-daemon    /dev/sr0               
devkit-power-da  /sys/devices/LNXSYSTM:00/.../PNP0C0A:00/power_supply/BAT0/present
devkit-power-da  /sys/devices/LNXSYSTM:00/.../PNP0C0A:00/power_supply/BAT0/energy_now
devkit-power-da  /sys/devices/LNXSYSTM:00/.../PNP0C0A:00/power_supply/BAT0/voltage_max_design
devkit-power-da  /sys/devices/LNXSYSTM:00/.../PNP0C0A:00/power_supply/BAT0/voltage_min_design
devkit-power-da  /sys/devices/LNXSYSTM:00/.../PNP0C0A:00/power_supply/BAT0/status
devkit-power-da  /sys/devices/LNXSYSTM:00/.../PNP0C0A:00/power_supply/BAT0/current_now
devkit-power-da  /sys/devices/LNXSYSTM:00/.../PNP0C0A:00/power_supply/BAT0/voltage_now     
VBoxService      /var/run/utmp         
firefox          /home/guest/.mozilla/firefox/qeaojiol.default/sessionstore.js
firefox          /home/guest/.mozilla/firefox/qeaojiol.default/sessionstore-1.js
firefox          /home/guest/.mozilla/firefox/qeaojiol.default/sessionstore-1.js    
^C 

Display the system calls invoked by the process with ID 3007 and the number of times that it invoked each system call.

# dtrace -p 3007 -n 'syscall:::entry /pid == $target/ { @num[probefunc] = count(); }'
dtrace: description 'syscall:::entry ' matched 296 probes
^C

  getuid                                                            1
  ptrace                                                            1
  socket                                                            1
  waitid                                                            1
  lseek                                                             3
  statfs                                                            3
  access                                                            4
  write                                                             6
  munmap                                                           15
  newfstat                                                         16
  newstat                                                          17
  mmap                                                             19
  fcntl                                                            20
  close                                                            24
  alarm                                                            30
  inotify_add_watch                                                30
  open                                                             32
  rt_sigaction                                                     50
  nanosleep                                                        52
  rt_sigprocmask                                                   64
  ioctl                                                           117
  futex                                                           311
  clock_gettime                                                   579
  rt_sigreturn                                                    744
  gettimeofday                                                   1461
  setitimer                                                      2093
  select                                                         2530
  writev                                                         3162
  poll                                                           4720
  read                                                          10552

Display the distribution of the sizes requested in read() calls made by running firefox processes.

# dtrace -n 'syscall::read:entry /execname=="firefox"/{@dist["firefox"]=quantize(arg2);}'
dtrace: description 'syscall::read:entry ' matched 1 probe
^C

  firefox                                           
           value  ------------- Distribution ------------- count    
               0 |                                         0        
               1 |@                                        566      
               2 |                                         0        
               4 |                                         0        
               8 |                                         7        
              16 |                                         4        
              32 |                                         0        
              64 |                                         0        
             128 |                                         8        
             256 |@                                        436      
             512 |                                         8        
            1024 |@@                                       959      
            2048 |@                                        230      
            4096 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@       13785    
            8192 |                                         3        
           16384 |                                         4        
           32768 |                                         0        
           65536 |                                         0        
          131072 |                                         73       
          262144 |                                         0

Run the syscalls.d script to display which system calls the process with PID 5178 invokes and the number of times that it invokes each one.

# ls -l syscalls.d
-rwxr-xr-x. 1 root root 85 Aug 14 14:48 syscalls.d

# cat syscalls.d
#!/usr/sbin/dtrace -qs
syscall:::entry
/pid == $1/
{
  @num[probefunc] = count();
}

# ./syscalls.d 5178
^C

  ftruncate                                                         1
  newuname                                                          1
  clone                                                             5
  close                                                             5
  sched_setscheduler                                                5
  newlstat                                                          6
  access                                                            7
  open                                                              7
  newfstat                                                          9
  sched_get_priority_max                                           10
  sched_get_priority_min                                           10
  fcntl                                                            12
  lseek                                                            73
  newstat                                                         100
  write                                                           155
  futex                                                           752
  writev                                                         1437
  poll                                                           4423
  read                                                           5397
  gettimeofday                                                   9292
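
The following added example (not part of the original documentation) compares two saved outputs of syscalls.d for the same program and reports system calls that appear only in the current run or whose count grew by a given factor. The function names, file names, default factor of 10 and sample counts are assumptions constructed for illustration; the comparison assumes both traces covered a similar interval.

```shell
#!/bin/sh
# Added example: drift report between two saved aggregation outputs
# ("  name   count" lines as printed by syscalls.d above).

syscall_drift() {  # $1: baseline file, $2: current file, $3: growth factor
  awk -v factor="${3:-10}" '
    # Skip banner lines, "^C" and blank lines: keep only "name count" rows.
    NF != 2 || $2 !~ /^[0-9]+$/ { next }
    FILENAME == ARGV[1]      { base[$1] = $2; next }
    !($1 in base)            { printf "NEW %s %d\n", $1, $2; next }
    $2 >= factor * base[$1]  { printf "GROWTH %s %d->%d\n", $1, base[$1], $2 }
  ' "$1" "$2"
}

# Constructed sample data (not captured from a real system).
demo_drift() {
  d=$(mktemp -d) || return 1
  cat > "$d/baseline.txt" <<'EOF'
^C

  close                                                             5
  open                                                              7
  write                                                           155
  read                                                           5397
EOF
  cat > "$d/current.txt" <<'EOF'
^C

  ptrace                                                            1
  socket                                                            3
  close                                                             6
  open                                                             90
  write                                                           160
  read                                                           5400
EOF
  syscall_drift "$d/baseline.txt" "$d/current.txt" 10
  rm -rf "$d"
}

# Run "sh thisfile --demo" to see the report for the constructed sample.
if [ "${1:-}" = "--demo" ]; then demo_drift; fi
```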