2.1 Tracing Process Creation

The proc probes allow you to trace process creation and termination, execution of new program images, and signal processing on a system. See proc Provider in the Oracle Linux Dynamic Tracing Guide for a description of the proc probes and their arguments.

The following D program, execcalls.d, uses proc probes to monitor the system as it executes process images.

Example 2.1 execcalls.d: Monitor the system as it executes programs

/* execcalls.d -- Monitor the system as it executes programs */

proc::do_execve_common:exec
{
  trace(stringof(args[0]));
}

The args[0] argument to the exec probe is set to the path name of the program being executed. We use the stringof() function to convert the type from char * to the D type string.

Before using dtrace to run the script, load the sdt kernel module to enable the proc provider probes. (This is only necessary if the module has not already been loaded.)

# modprobe sdt

Enter the command dtrace -s execcalls.d to run the D program in one window. Then start different programs from another window, and observe the output from dtrace in the first window. To stop tracing after a few seconds have elapsed, type Ctrl-C in the window that is running dtrace.

# dtrace -s execcalls.d
dtrace: script 'execcalls.d' matched 1 probe
CPU     ID                FUNCTION:NAME
  0    600        do_execve_common:exec   /bin/uname                       
  0    600        do_execve_common:exec   /bin/mkdir                       
  0    600        do_execve_common:exec   /bin/sed                         
  0    600        do_execve_common:exec   /usr/bin/dirname                 
  1    600        do_execve_common:exec   /usr/local/bin/firefox           
  1    600        do_execve_common:exec   /usr/bin/firefox                 
  1    600        do_execve_common:exec   /bin/basename                    
  1    600        do_execve_common:exec   /bin/uname                       
  1    600        do_execve_common:exec   /usr/bin/mozilla-plugin-config   
  1    600        do_execve_common:exec   /usr/lib64/nspluginwrapper/plugin-config
  1    600        do_execve_common:exec   /bin/sed                         
  1    600        do_execve_common:exec   /usr/lib64/firefox-3.6/run-mozilla.sh
  1    600        do_execve_common:exec   /bin/basename                    
  1    600        do_execve_common:exec   /bin/uname                       
  1    600        do_execve_common:exec   /usr/lib64/firefox-3.6/firefox   
^C

The probe proc::do_execve_common:exec fires whenever the system executes a new program, and the associated action uses trace() to display the path name of the program.
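For an execution audit trail, the path name alone is rarely enough: you also want to know who ran the program, from which process, and whether the exec succeeded. The following script is an added example, not part of the original guide. The file name execaudit.d is hypothetical, and the script assumes that the proc provider's exec-success and exec-failure probes are available alongside the exec probe used above.

```d
/* execaudit.d -- added example: log exec attempts with identity and outcome */

#pragma D option quiet

/* Entry to exec: execname still names the program that is calling exec. */
proc:::exec
{
  self->path = stringof(args[0]);
  self->caller = execname;
}

/* The new image was loaded: report who ran what, and count it. */
proc:::exec-success
/self->path != NULL/
{
  printf("%Y uid=%d pid=%d ppid=%d caller=%s result=ok path=%s\n",
      walltimestamp, uid, pid, ppid, self->caller, self->path);
  @runs[uid, self->path] = count();
}

/* The exec failed: args[0] holds the errno value. */
proc:::exec-failure
/self->path != NULL/
{
  printf("%Y uid=%d pid=%d ppid=%d caller=%s result=errno-%d path=%s\n",
      walltimestamp, uid, pid, ppid, self->caller, args[0], self->path);
}

/* Release the thread-local variables once the attempt has been reported. */
proc:::exec-success,
proc:::exec-failure
{
  self->path = 0;
  self->caller = 0;
}

/* On Ctrl-C, summarize successful executions per user ID and path. */
dtrace:::END
{
  printf("\n%8s %6s %s\n", "COUNT", "UID", "PATH");
  printa("%@8d %6d %s\n", @runs);
}
```

Run it with dtrace -s execaudit.d after loading the sdt module as described above. Failed attempts are often the more interesting lines in the output, for example a script that repeatedly tries to execute a path that does not exist or that it is not permitted to run.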