1.2 Providers and Probes

In the preceding examples, you learned how to use two simple probes named BEGIN and END. DTrace probes come in sets that are called providers, each of which performs a particular kind of instrumentation to create probes. When you use DTrace, each provider is given an opportunity to publish the probes that it can provide to the DTrace framework. You can then enable and bind your tracing actions to any of the probes that have been published.

You can list all of the available probes on your system by typing the following command:

# dtrace -l 
   ID   PROVIDER            MODULE                          FUNCTION NAME
    1     dtrace                                                     BEGIN
    2     dtrace                                                     END
    3     dtrace                                                     ERROR
    4    syscall           vmlinux                              read entry
    5    syscall           vmlinux                              read return
    6    syscall           vmlinux                             write entry
    7    syscall           vmlinux                             write return

Note that it might take some time for all of the output to be displayed.

To count all of the probes, type the following command:

# dtrace -l | wc -l

Note that you might observe a different total on your system, because the number of probes varies with your operating platform, the software you have installed, and the provider modules you have loaded. This output is also not the complete list. As will be described later, some providers can create new probes on the fly, based on your tracing requests, which makes the actual number of DTrace probes virtually unlimited.

Notice that each probe has the two names previously mentioned: an integer ID and a human-readable name. The human-readable name is composed of four parts, which are displayed as separate columns in the dtrace output:

provider: A name of the DTrace provider that is publishing this probe.

module: If this probe corresponds to a specific program location, the name of the kernel module, library, or user-space program in which the probe is located.

function: If this probe corresponds to a specific program location, the name of the program function in which the probe is located.

name: A name that provides some idea of the probe's semantic meaning, such as BEGIN or END.

When writing the full human-readable name of a probe, write all four parts of the name separated by colons like this:

provider:module:function:name

Notice that some of the probes in the list do not have a module and function, such as the BEGIN and END probes that were used previously. Some probes leave these two fields blank because these probes do not correspond to any specific instrumented program function or location. Instead, these probes refer to a more abstract concept, such as the idea of the end of your tracing request.

By convention, if you do not specify all of the fields of a probe name, DTrace matches your request to all of the probes with matching values in the parts of the name that you do specify. In other words, when you used the probe name BEGIN in the previous exercise, you were actually directing DTrace to match any probe with the name field BEGIN, regardless of the value of the provider, module, and function fields. Because there is only one probe matching that description, the result is the same. You now know that the true name of the BEGIN probe is dtrace:::BEGIN, which indicates that this probe is provided by the DTrace framework itself and is not specific to any function. Therefore, the hello.d program could be written as follows and would produce the same result:

dtrace:::BEGIN
{
  trace("hello, world");
}
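
The matching rule described above, as an added example that is not part of the original guide: a hypothetical shell helper, match_probes, reads dtrace -l output and prints the full name of every probe that a given description would match, comparing only the fields you specify. It assumes every row has either both a module and a function or neither, as in the listing on this page, and its sample input is constructed from that listing.

```shell
# Constructed sample input: the `dtrace -l` rows shown on this page.
SAMPLE_LISTING='   ID   PROVIDER            MODULE                          FUNCTION NAME
    1     dtrace                                                     BEGIN
    2     dtrace                                                     END
    3     dtrace                                                     ERROR
    4    syscall           vmlinux                              read entry
    5    syscall           vmlinux                              read return
    6    syscall           vmlinux                             write entry
    7    syscall           vmlinux                             write return'

# match_probes DESCRIPTION  (hypothetical helper, not part of DTrace)
# Reads `dtrace -l` output on stdin and prints provider:module:function:name
# for every probe that DESCRIPTION would match.
match_probes() {
    awk -v desc="$1" '
    BEGIN {
        n = split(desc, part, ":")
        if (n > 4) exit 2                  # more than four fields is not a probe name
        # A description with fewer than four fields is read right to left:
        # one field is the name, two fields are function:name, and so on.
        for (i = 1; i <= n; i++) want[4 - n + i] = part[i]
    }
    $1 !~ /^[0-9]+$/ { next }              # skip the header and blank lines
    NF == 3 { have[1] = $2; have[2] = ""; have[3] = ""; have[4] = $3 }
    NF == 5 { have[1] = $2; have[2] = $3; have[3] = $4; have[4] = $5 }
    NF != 3 && NF != 5 { next }            # row shape outside the stated assumption
    {
        # An empty field in the description matches any value.
        for (i = 1; i <= 4; i++)
            if (want[i] != "" && want[i] != have[i]) next
        print have[1] ":" have[2] ":" have[3] ":" have[4]
    }'
}

# Demonstration on the constructed sample: every syscall entry probe.
printf '%s\n' "$SAMPLE_LISTING" | match_probes 'syscall:::entry'
```

On a live system, pipe the real listing in (dtrace -l | match_probes syscall:::entry) to see how many probes a partial description covers before you enable it.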