You can count system calls per process name by specifying the
execname
variable as the key to an
aggregation and saving it in a file named
writesbycmd.d
:
syscall::write:entry { @counts[execname] = count(); }
The following example output shows the result of running this
command, waiting a few seconds, and then pressing
Ctrl-C
:
#dtrace -s writesbycmd.d
dtrace: script 'writesbycmd.d' matched 1 probe^C
dirname 1 dtrace 1 gnome-panel 1 mozilla-xremote 1 ps 1 avahi-daemon 2 basename 2 gconfd-2 2 java 2 master 2 pickup 2 qmgr 2 sed 2 dbus-daemon 3 rtkit-daemon 3 uname 3 w 5 bash 9 cat 9 gnome-session 9 Xorg 21 firefox 149 gnome-terminal 9421 #
Alternatively, you might want to further examine writes that are
organized by both executable name and file descriptor. The file
descriptor is the first argument to write()
.
The following example uses a key that is a tuple, which consists
of both execname
and arg0
:
syscall::write:entry { @counts[execname, arg0] = count(); }
Running this command results in a table with both executable name and file descriptor, as shown in the following example:
#dtrace -s writesbycmdfd.d
dtrace: script 'writesbycmdfd.d' matched 1 probe^C
basename 1 1 dbus-daemon 70 1 dircolors 1 1 dtrace 1 1 gnome-panel 35 1 gnome-terminal 16 1 gnome-terminal 18 1 init 4 1 master 89 1 ps 1 1 pulseaudio 20 1 tput 1 1 Xorg 2 2 #
A limited set of actions can be used as aggregation keys.
Consider the following use of the mod()
and
stack()
actions:
profile-10 { @hotmod[mod(arg0)] = count(); @hotstack[stack()] = count(); }
Here, the hotmod
aggregation counts probe
firings by module, using the profile
probe's
arg0
to determine the kernel program counter.
The hotstack
aggregation counts probe firings
by stack. The aggregation output reveals which modules and
kernel call stacks are the hottest.