The following example DTrace script shows how to trace all SMB requests.
#!/usr/sbin/dtrace -s
#pragma D option quiet
dtrace:::BEGIN
{
printf(
"%39s/%-17s %-31s %8s %-10s %5s %9s %5s %6s %4s\n",
"CLIENT",
"SESSION",
"REQUEST",
"TIME(us)",
"STATUS",
"MID",
"PID",
"TID",
"FLAGS2",
"FLAGS");
}
dtrace:::END
{
printf(
"%39s/%-17s %-31s %8s %-10s %5s %9s %5s %6s %4s\n",
"CLIENT",
"SESSION",
"REQUEST",
"TIME(us)",
"STATUS",
"MID",
"PID",
"TID",
"FLAGS2",
"FLAGS");
}
smb:::op-Read-start,
smb:::op-ReadRaw-start,
smb:::op-ReadX-start,
smb:::op-LockAndRead-start,
smb:::op-Write-start,
smb:::op-WriteAndClose-start,
smb:::op-WriteAndUnlock-start,
smb:::op-WriteRaw-start,
smb:::op-WriteX-start,
smb:::op-CheckDirectory-start,
smb:::op-Close-start,
smb:::op-CloseAndTreeDisconnect-start,
smb:::op-ClosePrintFile-start,
smb:::op-Create-start,
smb:::op-CreateDirectory-start,
smb:::op-CreateNew-start,
smb:::op-CreateTemporary-start,
smb:::op-Delete-start,
smb:::op-DeleteDirectory-start,
smb:::op-Echo-start,
smb:::op-Find-start,
smb:::op-FindClose-start,
smb:::op-FindClose2-start,
smb:::op-FindUnique-start,
smb:::op-Flush-start,
smb:::op-GetPrintQueue-start,
smb:::op-Ioctl-start,
smb:::op-LockByteRange-start,
smb:::op-LockingX-start,
smb:::op-LogoffX-start,
smb:::op-Negotiate-start,
smb:::op-NtCancel-start,
smb:::op-NtCreateX-start,
smb:::op-NtTransact-start,
smb:::op-NtTransactSecondary-start,
smb:::op-NtRename-start,
smb:::op-Open-start,
smb:::op-OpenPrintFile-start,
smb:::op-WritePrintFile-start,
smb:::op-OpenX-start,
smb:::op-ProcessExit-start,
smb:::op-QueryInformation-start,
smb:::op-QueryInformation2-start,
smb:::op-QueryInformationDisk-start,
smb:::op-Rename-start,
smb:::op-Search-start,
smb:::op-Seek-start,
smb:::op-SessionSetupX-start,
smb:::op-SetInformation-start,
smb:::op-SetInformation2-start,
smb:::op-Transaction-start,
smb:::op-Transaction2-start,
smb:::op-Transaction2Secondary-start,
smb:::op-TransactionSecondary-start,
smb:::op-TreeConnect-start,
smb:::op-TreeConnectX-start,
smb:::op-TreeDisconnect-start,
smb:::op-UnlockByteRange-start
{
self->thread = curthread;
self->start = timestamp;
}
smb:::op-Read-done,
smb:::op-ReadRaw-done,
smb:::op-ReadX-done,
smb:::op-LockAndRead-done,
smb:::op-Write-done,
smb:::op-WriteAndClose-done,
smb:::op-WriteAndUnlock-done,
smb:::op-WriteRaw-done,
smb:::op-WriteX-done,
smb:::op-CheckDirectory-done,
smb:::op-Close-done,
smb:::op-CloseAndTreeDisconnect-done,
smb:::op-ClosePrintFile-done,
smb:::op-Create-done,
smb:::op-CreateDirectory-done,
smb:::op-CreateNew-done,
smb:::op-CreateTemporary-done,
smb:::op-Delete-done,
smb:::op-DeleteDirectory-done,
smb:::op-Echo-done,
smb:::op-Find-done,
smb:::op-FindClose-done,
smb:::op-FindClose2-done,
smb:::op-FindUnique-done,
smb:::op-Flush-done,
smb:::op-GetPrintQueue-done,
smb:::op-Ioctl-done,
smb:::op-LockByteRange-done,
smb:::op-LockingX-done,
smb:::op-LogoffX-done,
smb:::op-Negotiate-done,
smb:::op-NtCancel-done,
smb:::op-NtCreateX-done,
smb:::op-NtTransact-done,
smb:::op-NtTransactSecondary-done,
smb:::op-NtRename-done,
smb:::op-Open-done,
smb:::op-OpenPrintFile-done,
smb:::op-WritePrintFile-done,
smb:::op-OpenX-done,
smb:::op-ProcessExit-done,
smb:::op-QueryInformation-done,
smb:::op-QueryInformation2-done,
smb:::op-QueryInformationDisk-done,
smb:::op-Rename-done,
smb:::op-Search-done,
smb:::op-Seek-done,
smb:::op-SessionSetupX-done,
smb:::op-SetInformation-done,
smb:::op-Transaction-done,
smb:::op-SetInformation2-done,
smb:::op-Transaction2-done,
smb:::op-Transaction2Secondary-done,
smb:::op-TransactionSecondary-done,
smb:::op-TreeConnect-done,
smb:::op-TreeConnectX-done,
smb:::op-TreeDisconnect-done,
smb:::op-UnlockByteRange-done
/self->thread == curthread/
{
printf("%39s/%-17d %-31s %8d 0x%08x %5d %9d %5d 0x%04x 0x%02x\n",
args[0]->ci_remote,
args[1]->soi_sid,
probename,
(timestamp - self->start) / 1000,
args[1]->soi_status,
args[1]->soi_mid,
args[1]->soi_pid,
args[1]->soi_tid,
args[1]->soi_flags2,
args[1]->soi_flags);
}The following example DTrace script traces reads and writes, which shows how the third argument is passed to read and write probes.
#!/usr/sbin/dtrace -s
#pragma D option quiet
dtrace:::BEGIN
{
printf(
"%39s/%-17s %-31s %8s %-10s %-17s %-10s %s\n",
"CLIENT",
"SESSION",
"REQUEST",
"TIME(us)",
"STATUS",
"OFFSET",
"COUNT",
"FILE");
}
dtrace:::END
{
printf(
"%39s/%-17s %-31s %8s %-10s %-17s %-10s %s\n",
"CLIENT",
"SESSION",
"REQUEST",
"TIME(us)",
"STATUS",
"OFFSET",
"COUNT",
"FILE");
}
smb:::op-Read-start,
smb:::op-ReadRaw-start,
smb:::op-ReadX-start,
smb:::op-LockAndRead-start
{
self->thread = curthread;
self->start = timestamp;
}
/*
* The following action is executed if the field 'soi_curpath' is undefined (or
* NULL).
*/
smb:::op-Read-done,
smb:::op-ReadRaw-done,
smb:::op-ReadX-done,
smb:::op-LockAndRead-done
/self->thread == curthread && args[1]->soi_curpath == NULL/
{
printf("%39s/%-17d %-31s %8d 0x%08x 0x%016x 0x%08x %s\n",
args[0]->ci_remote,
args[1]->soi_sid,
probename,
(timestamp - self->start) / 1000,
args[1]->soi_status,
args[2]->soa_offset,
args[2]->soa_count,
"NULL");
}
/*
* The following action is executed if the field 'soi_curpath' is defined (or
* points to an actual file path).
*/
smb:::op-Read-done,
smb:::op-ReadRaw-done,
smb:::op-ReadX-done,
smb:::op-LockAndRead-done
/self->thread == curthread && args[1]->soi_curpath != NULL/
{
printf("%39s/%-17d %-31s %8d 0x%08x 0x%016x 0x%08x %s\n",
args[0]->ci_remote,
args[1]->soi_sid,
probename,
(timestamp - self->start) / 1000,
args[1]->soi_status,
args[2]->soa_offset,
args[2]->soa_count,
args[1]->soi_curpath);
}
smb:::op-Write-start,
smb:::op-WriteAndClose-start,
smb:::op-WriteAndUnlock-start,
smb:::op-WriteRaw-start,
smb:::op-WriteX-start
{
self->thread = curthread;
self->start = timestamp;
}
/*
* The following action is executed if the field 'soi_curpath' is undefined (or
* NULL).
*/
smb:::op-Write-done,
smb:::op-WriteAndClose-done,
smb:::op-WriteAndUnlock-done,
smb:::op-WriteRaw-done,
smb:::op-WriteX-done
/self->thread == curthread && args[1]->soi_curpath == NULL/
{
printf("%39s/%-17d %-31s %8d 0x%08x 0x%016x 0x%08x %s\n",
args[0]->ci_remote,
args[1]->soi_sid,
probename,
(timestamp - self->start) / 1000,
args[1]->soi_status,
args[2]->soa_offset,
args[2]->soa_count,
"NULL");
}
/*
* The following action is executed if the field 'soi_curpath' is defined (or
* points to an actual file path).
*/
smb:::op-Write-done,
smb:::op-WriteAndClose-done,
smb:::op-WriteAndUnlock-done,
smb:::op-WriteRaw-done,
smb:::op-WriteX-done
/self->thread == curthread && args[1]->soi_curpath != NULL/
{
printf("%39s/%-17d %-31s %8d 0x%08x 0x%016x 0x%08x %s\n",
args[0]->ci_remote,
args[1]->soi_sid,
probename,
(timestamp - self->start) / 1000,
args[1]->soi_status,
args[2]->soa_offset,
args[2]->soa_count,
args[1]->soi_curpath);
}
The following example DTrace script shows how to trace all SMB2 requests.
#!/usr/sbin/dtrace -s
#pragma D option quiet
dtrace:::BEGIN
{
printf(
"%39s/%-17s %-31s %8s %-10s %17s %9s %17s %4s\n",
"CLIENT",
"SESSION",
"REQUEST",
"TIME(us)",
"STATUS",
"MID",
"TID",
"ASYNCID",
"FLAGS");
}
dtrace:::END
{
printf(
"%39s/%-17s %-31s %8s %-10s %17s %9s %17s %4s\n",
"CLIENT",
"SESSION",
"REQUEST",
"TIME(us)",
"STATUS",
"MID",
"TID",
"ASYNCID",
"FLAGS");
}
smb2:::op-Negotiate-start,
smb2:::op-SessionSetup-start,
smb2:::op-Logoff-start,
smb2:::op-TreeConnect-start,
smb2:::op-TreeDisconnect-start,
smb2:::op-Create-start,
smb2:::op-Close-start,
smb2:::op-Flush-start,
smb2:::op-Read-start,
smb2:::op-Write-start,
smb2:::op-Lock-start,
smb2:::op-Ioctl-start,
smb2:::op-Cancel-start,
smb2:::op-Echo-start,
smb2:::op-QueryDirectory-start,
smb2:::op-ChangeNotify-start,
smb2:::op-QueryInfo-start,
smb2:::op-SetInfo-start,
smb2:::op-OplockBreak-start
{
self->thread = curthread;
self->start = timestamp;
}
smb2:::op-Negotiate-done,
smb2:::op-SessionSetup-done,
smb2:::op-Logoff-done,
smb2:::op-TreeConnect-done,
smb2:::op-TreeDisconnect-done,
smb2:::op-Create-done,
smb2:::op-Close-done,
smb2:::op-Flush-done,
smb2:::op-Read-done,
smb2:::op-Write-done,
smb2:::op-Lock-done,
smb2:::op-Ioctl-done,
smb2:::op-Cancel-done,
smb2:::op-Echo-done,
smb2:::op-QueryDirectory-done,
smb2:::op-ChangeNotify-done,
smb2:::op-QueryInfo-done,
smb2:::op-SetInfo-done,
smb2:::op-OplockBreak-done
/self->thread == curthread/
{
printf("%39s/%-17d %-31s %8d 0x%08x %17d %9d %17d 0x%08x\n",
args[0]->ci_remote,
args[1]->soi_sid,
probename,
(timestamp - self->start) / 1000,
args[1]->soi_status,
args[1]->soi_mid,
args[1]->soi_tid,
args[1]->soi_asyncid,
args[1]->soi_flags);
}
The following example DTrace script how to trace SMB2 reads and writes.
#!/usr/sbin/dtrace -s
#pragma D option quiet
dtrace:::BEGIN
{
printf(
"%39s/%-17s %-31s %8s %-10s %-17s %-10s %s\n",
"CLIENT",
"SESSION",
"REQUEST",
"TIME(us)",
"STATUS",
"OFFSET",
"COUNT",
"FILE");
}
dtrace:::END
{
printf(
"%39s/%-17s %-31s %8s %-10s %-17s %-10s %s\n",
"CLIENT",
"SESSION",
"REQUEST",
"TIME(us)",
"STATUS",
"OFFSET",
"COUNT",
"FILE");
}
smb2:::op-Read-start,
smb2:::op-Write-start
{
self->thread = curthread;
self->start = timestamp;
}
/*
* The following action is executed if the field 'soi_curpath' is undefined (or
* NULL).
*/
smb2:::op-Read-done,
smb2:::op-Write-done
/self->thread == curthread && args[1]->soi_curpath == NULL/
{
printf("%39s/%-17d %-31s %8d 0x%08x 0x%016x 0x%08x %s\n",
args[0]->ci_remote,
args[1]->soi_sid,
probename,
(timestamp - self->start) / 1000,
args[1]->soi_status,
args[2]->soa_offset,
args[2]->soa_count,
"NULL");
}
/*
* The following action is executed if the field 'soi_curpath' is defined (or
* points to an actual file path).
*/
smb2:::op-Read-done,
smb2:::op-Write-done
/self->thread == curthread && args[1]->soi_curpath != NULL/
{
printf("%39s/%-17d %-31s %8d 0x%08x 0x%016x 0x%08x %s\n",
args[0]->ci_remote,
args[1]->soi_sid,
probename,
(timestamp - self->start) / 1000,
args[1]->soi_status,
args[2]->soa_offset,
args[2]->soa_count,
args[1]->soi_curpath);
}