On Mon, Sep 29, 2008 at 05:26:43PM -0700, Paul Macknee wrote:
> Just out of curiosity, I did a
>
> dtrace -n 'syscall:::entry { @num[execname, probefunc] = count(); }'
>
> and looked at the entries produced by 'rm'.
>
> I see everything that rm did, *except* the unlinkat - which is unfortunate
> because I want to trace which processes have deleted which files.
>
> So - does dtrace contain unlinkat as a probe for a system call?

Unfortunately, and for anachronistic reasons, the *at system calls were all
implemented as subcodes of the fsat system call:

  http://cvs.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/syscall/fsat.c

Accordingly, you can use the syscall::fsat:entry probe with a predicate on
arg0 to sniff out the calls to unlinkat(2).

> Also - how could you integrate the output of something like ptree into the
> above call for dtrace, so instead of showing just the pid for the process
> doing the system call, you could show the process stack (and if necessary the
> arguments to each level in the stack)?
You can't do it from probe context, but you can use the system() action to
run arbitrary commands. Just remember that those commands run some time after
the probe has fired so you may want to stop() the process:
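
    #pragma D option destructive    /* stop() and system() are destructive actions */

    syscall::fsat:entry
    /arg0 == 5/                     /* fsat subcode matched for unlinkat(2) */
    {
            stop();                 /* hold the process until ptree has run */
            system("ptree %d", pid);
            system("prun %d", pid); /* resume the stopped process */
    }
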
Adam
--
Adam Leventhal, Fishworks http://blogs.sun.com/ahl
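
The following script is an added example, not part of the original message or of the DTrace distribution. It applies the fsat predicate described above to the original goal of recording which process deleted which file. It assumes that for subcode 5 the remaining fsat arguments are those of unlinkat(2) (arg1 = directory fd, arg2 = path pointer, arg3 = flags).

```d
#!/usr/sbin/dtrace -s
/*
 * Added example: audit file deletions made through the fsat system call.
 * Assumption: with arg0 == 5 (unlinkat) the arguments that follow are
 * arg1 = directory fd, arg2 = user-space path pointer, arg3 = flags.
 */
#pragma D option quiet

dtrace:::BEGIN
{
	printf("%-20s %-6s %-6s %-16s %s\n",
	    "TIME", "UID", "PID", "EXEC", "PATH");
}

syscall::fsat:entry
/arg0 == 5/
{
	/*
	 * Keep the user pointer and copy the string in on return, once the
	 * kernel has touched the page, so copyinstr() does not fault.
	 */
	self->path = arg2;
	self->dirfd = (int)arg1;
	self->flags = (int)arg3;
}

syscall::fsat:return
/self->path/
{
	/* cwd is printed because a relative path is only meaningful with it. */
	printf("%-20Y %-6d %-6d %-16s %s (cwd=%s dirfd=%d flags=0x%x errno=%d)\n",
	    walltimestamp, uid, pid, execname, copyinstr(self->path),
	    cwd, self->dirfd, self->flags, errno);

	/* Release the thread-local storage. */
	self->path = 0;
	self->dirfd = 0;
	self->flags = 0;
}
```

A non-zero errno marks a deletion attempt that failed. When dirfd refers to an open directory rather than the current directory, a relative path is resolved against that directory, not against cwd.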