Processing Traced Data in DTrace

This section describes the processing of traced data. The dtrace_recdesc_t structure describes a record that contains data stored by DTrace.

typedef struct dtrace_recdesc {
        dtrace_actkind_t dtrd_action;           /* kind of action */
        uint32_t dtrd_size;                     /* size of record */
        uint32_t dtrd_offset;                   /* offset in ECB's data */
        uint16_t dtrd_alignment;                /* required alignment */
        uint16_t dtrd_format;                   /* format, if any */
        uint64_t dtrd_arg;                      /* action argument */
        uint64_t dtrd_uarg;                     /* user argument */} dtrace_recdesc_t;

For simple values, the size of the type is stored in the dtrd_size member. If you have a pointer to the ECB data and a pointer to the record description, you can extract the value for the dtrace_recdesc_t record, as shown in the following example:

uint64_t val;
        /* _base_ is a pointer to the ECB data */
        /* _rdp_ is a pointer to the record description */

	void *record = _base_+_rdp_->dtrd_offset;  
	switch (rdp->dtrd_size) {
	case sizeof (uint64_t):
		val = *((uint64_t *)(record));
		break;
	case sizeof (uint32_t):
		val = *((uint32_t *)(record));
		break;
	case sizeof (uint16_t):
		val = *((uint16_t *)(record));
		break;
	case sizeof (uint8_t):
		val = *((uint8_t *)(record));
		break;
	default:
		break;
	}

The values for some actions might require further processing. If dtrd_action is either DTRACEACT_SYM or DTRACEACT_MOD, the 64-bit value represents an address in kernel space that needs to be resolved to a symbol or module by using the dtrace_lookup_by_addr() function.