2.1.1 Example: Monitoring the System as Programs Are Executed (execcalls.d)

The following example shows the D program, execcalls.d, which uses proc probes to monitor the system as it executes process images:

/* execcalls.d -- Monitor the system as it executes programs */

proc::do_execveat_common:exec
{
  trace(stringof(args[0]));
}

The args[0] argument to the exec probe is set to the path name of the program that is being executed. You use the stringof() function to convert the type from char * to the D type string.

Note

The sdt kernel module, which enables the proc provider probes, is most likely already loaded on the test system. If it is not, it loads automatically, provided that you have not manually loaded a DTrace module since booting the system. See Section 1.4.2, “Manually Loading DTrace Modules” for details. For the following example to work, the sdt kernel module must either be loaded manually or be able to load automatically.

Type the dtrace -s execcalls.d command to run the D program in one window. Then start different programs from another window, while observing the output from dtrace in the first window. To stop tracing after a few seconds have elapsed, type Ctrl-C in the window that is running dtrace.

# dtrace -s execcalls.d
dtrace: script 'execcalls.d' matched 1 probe
CPU     ID                    FUNCTION:NAME
  1   1185          do_execveat_common:exec /usr/sbin/sshd
  0   1185          do_execveat_common:exec /usr/sbin/unix_chkpwd
  0   1185          do_execveat_common:exec /bin/bash
  0   1185          do_execveat_common:exec /usr/bin/id
  0   1185          do_execveat_common:exec /usr/bin/hostname
  0   1185          do_execveat_common:exec /usr/bin/id
  0   1185          do_execveat_common:exec /usr/bin/id
  0   1185          do_execveat_common:exec /usr/bin/grep
  0   1185          do_execveat_common:exec /usr/bin/tty
  0   1185          do_execveat_common:exec /usr/bin/tput
  0   1185          do_execveat_common:exec /usr/bin/grep
  1   1185          do_execveat_common:exec /usr/sbin/unix_chkpwd
  1   1185          do_execveat_common:exec /usr/libexec/grepconf.sh
  1   1185          do_execveat_common:exec /usr/bin/dircolors
  0   1185          do_execveat_common:exec /usr/bin/ls
^C 

The activity here shows a login to the same system (from another terminal) while the script is running.

The probe proc::do_execveat_common:exec fires whenever the system executes a new program, and the associated action uses trace() to display the path name of that program.
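The following script is an added example, not part of the original guide: it extends execcalls.d so that each exec record also carries the time, the caller's uid, the pid and ppid, and the image that issued the exec, and it prints per-path and per-user counts when tracing stops. It assumes the same proc::do_execveat_common:exec probe and args[0] convention shown above, that the uid, pid, ppid, execname and walltimestamp built-ins are available, and that (as with the Solaris proc:::exec probe) the probe fires before the new image is in place, so execname and uid still describe the caller.

```d
/* exectrack.d -- added example: record who executed what, with a summary at exit */

#pragma D option quiet

dtrace:::BEGIN
{
  printf("%-20s %-6s %-6s %-6s %-16s %s\n",
         "TIME", "UID", "PID", "PPID", "CALLER", "PATH");
}

/* Same probe as execcalls.d; args[0] is the char * path of the new image. */
proc::do_execveat_common:exec
{
  /* Assumption: the probe fires before the image is replaced, so execname
   * is the program that called exec and uid is the caller's uid (set-uid
   * bits on the new image have not taken effect yet). */
  printf("%Y %-6d %-6d %-6d %-16s %s\n",
         walltimestamp, uid, pid, ppid, execname, stringof(args[0]));

  /* Aggregations for the summary printed when tracing stops (Ctrl-C). */
  @bypath[stringof(args[0])] = count();
  @byuser[uid, execname, stringof(args[0])] = count();
}

dtrace:::END
{
  printf("\n%8s %s\n", "COUNT", "PATH");
  printa("%@8u %s\n", @bypath);

  printf("\n%8s %-6s %-16s %s\n", "COUNT", "UID", "CALLER", "PATH");
  printa("%@8u %-6d %-16s %s\n", @byuser);
}
```

Run it with dtrace -s exectrack.d as above; the summary makes unexpected executions (for example, a shell spawned by a service account, or a privileged program launched from an unfamiliar caller) stand out from the routine login activity seen in the earlier output.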