Example DTrace Usage

3 Example DTrace Usage

The following examples illustrate current functionality in DTrace v2.0. Examples assume that commands are run as root and /usr/sbin is in the PATH.

List probes:

# dtrace -l
DTrace 2.0.0 [Pre-Release with limited functionality]
ID   PROVIDER    MODULE                     FUNCTION NAME
1     dtrace                                        BEGIN
2     dtrace                                        END
3     dtrace                                        ERROR
4        fbt   vmlinux     trace_initcall_finish_cb entry
5        fbt   vmlinux     trace_initcall_finish_cb return
...

On this particular system, there were:

3 dtrace probes
87890 fbt probes (based on kprobes)
1262 sdt probes (based on Linux tracepoints)
666 syscall probes

Example script that uses the -S option, to output the compiled D code as an eBPF program, and that uses the -e option, to exit after compilation:

# dtrace -Sen 'write:entry { trace(1) }'
DTrace 2.0.0 [Pre-Release with limited functionality]

Disassembly of ::write:entry

DIFO 0x46af600 returns D type (integer) (size 8) [record 16 bytes]
INS OFF  OPCODE                  INSTRUCTION
000 000: 62 a 0 fef8 ffffffff    stw  [%fp-264], -1     ! = EPID
001 008: 62 a 0 fefc 00000000    stw  [%fp-260], 0
002 016: 7a a 0 ff00 00000000    stdw [%fp-256], 0
003 024: 7a a 0 ff08 00000000    stdw [%fp-248], 0
004 032: 7a a 0 ff10 00000000    stdw [%f
[...]

Example script:
```
# dtrace -n '
syscall::write:*
{       
    this->x = 3;                /* clause-local variables */
    this->y = 8;
    trace(this->x * this->y);
    trace(&`max_pfn);
}' 
```
In the example script:
- Probe all write() system call probes simultaneously using a wildcard;
- Probe with recording the address of a kernel identifier (max_pfn) and other data items;
- Associate several probes with a single action.
- Clause-local variables are used.
- The trace() action is used to report output.