1.4.2 Loading DTrace Kernel Modules

Use the modprobe command to load the modules that support the DTrace probes that you want to use. For example, if you wanted to use the probes that the proc provider publishes, you would load the sdt module.

# modprobe sdt
Note

The fasttrap, profile, sdt, and systrace modules automatically load the dtrace module.

To display the probes that are provided by a provider such as proc, use the following form of the dtrace command:

# dtrace -l -P proc
   ID   PROVIDER            MODULE                          FUNCTION NAME
 3466       proc           vmlinux                     schedule_tail start
 3467       proc           vmlinux                     schedule_tail lwp-start
 3469       proc           vmlinux             get_signal_to_deliver signal-handle
 3474       proc           vmlinux                   do_sigtimedwait signal-clear
 3475       proc           vmlinux                           do_fork lwp-create
 3476       proc           vmlinux                           do_fork create
 3477       proc           vmlinux                           do_exit lwp-exit
 3478       proc           vmlinux                           do_exit exit
 3479       proc           vmlinux                  do_execve_common exec-failure
 3480       proc           vmlinux                  do_execve_common exec
 3481       proc           vmlinux                  do_execve_common exec-success
 3485       proc           vmlinux                     __send_signal signal-send
 3486       proc           vmlinux                     __send_signal signal-discard

The output shows the numeric identifier of the probe, the name of the probe provider, the name of the probe module, the name of the function that contains the probe, and the name of the probe itself.

The full name of a probe is PROVIDER:MODULE:FUNCTION:NAME, for example, proc:vmlinux:do_fork:create. If there is no ambiguity with other probes for the same provider, you can usually omit the MODULE and even the FUNCTION elements when specifying a probe. For example, you can refer to proc:vmlinux:do_fork:create as proc::do_fork:create or proc:::create. If several probes match your specified probe in a D program, the associated actions are performed for each probe.

These probes allow you to monitor how the system creates processes, executes programs, and handles signals.

Exercise 1.1: Enabling and listing DTrace probes

Try loading the systrace kernel module and listing the probes of the syscall provider. Notice that both entry and return probes are provided for each system call.

(Estimated completion time: less than 5 minutes)

Solution to Exercise 1.1

# modprobe systrace
# dtrace -l -P syscall
   ID   PROVIDER            MODULE                          FUNCTION NAME
    4    syscall           vmlinux                              read entry
    5    syscall           vmlinux                              read return
    6    syscall           vmlinux                             write entry
    7    syscall           vmlinux                             write return
    8    syscall           vmlinux                              open entry
    9    syscall           vmlinux                              open return
   10    syscall           vmlinux                             close entry
   11    syscall           vmlinux                             close return
...
  600    syscall           vmlinux                      finit_module entry
  601    syscall           vmlinux                      finit_module return
  602    syscall           vmlinux                            waitfd entry
  603    syscall           vmlinux                            waitfd return
Note

The probe IDs numbers might differ on your system, depending on what other providers you have loaded.

Copyright © 2013, 2017, Oracle and/or its affiliates. All rights reserved. Legal Notices