Site Navigation

Date:      Fri, 5 Dec 2014 16:39:16 -0800
From:      <dteske@FreeBSD.org>
To:        <freebsd-dtrace@freebsd.org>
Cc:        dteske@FreeBSD.org, 'Julian Elischer' <julian@freebsd.org>, 'Michael Dexter' <editor@callfortesting.org>
Subject:   DTrace script to trace process execution
Message-ID:  <064f01d010ed$11445990$33cd0cb0$@FreeBSD.org>

---

next in thread | raw e-mail | index | archive | help

---

[-- Attachment #1 --]
Someone asked me about having a DTrace script that displays
"ps axwww"-like info each time a process is executed.

Well, I'm actually more of a fan of "pstree"-like layout, so I
wrote a DTrace script that produces output similar to
sysutils/pstree each/everytime a process is executed.

Sample output of attached "watch_execve.d":

2014 Dec  5 13:31:30 bash[40851]: ls -A
 -+= 00809 0.0 /usr/sbin/sshd
  \-+= 40829 0.0 sshd: support@pts/0
    \-+= 40851 0.0 -bash
      \-+= 27188 0.0 ls -A

If you don't want the pstree style info, you can simply run:

watch_execve.d | grep -v '^[[:space:]]'
-- 
Cheers,
Devin

[-- Attachment #2 --]
#!/usr/sbin/dtrace -s
/* -
 * Copyright (c) 2014 Devin Teske <dteske@FreeBSD.org>
 * All rights reserved.
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Title: dtrace(1) script to log process(es) entering vfs::vop_remove $
 */

#pragma D option quiet
#pragma D option dynvarsize=16m
#pragma D option switchrate=10hz

/*********************************************************/

syscall::execve:entry /* probe ID 1 */
{
	this->caller_execname = execname;
}

/*********************************************************/

syscall::execve:return /execname != this->caller_execname/ /* probe ID 2 */
{
	/*
	 * Examine process, parent process, and grandparent process details
	 */

	/******************* CURPROC *******************/

	this->proc = curthread->td_proc;
	this->pid0 = this->proc->p_pid;
	this->uid0 = this->proc->p_ucred->cr_uid;
	this->gid0 = this->proc->p_ucred->cr_rgid;
	this->p_args = this->proc->p_args;
	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	this->arg0_0 = this->ar_length > 0 ?
		this->ar_args : stringof(this->proc->p_comm);
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_4 = this->ar_length > 0 ? "..." : "";

	/******************* PPARENT *******************/

	this->proc = this->proc->p_pptr;
	this->pid1 = this->proc->p_pid;
	this->uid1 = this->proc->p_ucred->cr_uid;
	this->gid1 = this->proc->p_ucred->cr_rgid;
	this->p_args = this->proc ? this->proc->p_args : 0;
	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	this->arg1_0 = this->ar_length > 0 ?
		this->ar_args : stringof(this->proc->p_comm);
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_4 = this->ar_length > 0 ? "..." : "";

	/******************* GPARENT *******************/

	this->proc = this->proc->p_pptr;
	this->pid2 = this->proc->p_pid;
	this->uid2 = this->proc->p_ucred->cr_uid;
	this->gid2 = this->proc->p_ucred->cr_rgid;
	this->p_args = this->proc ? this->proc->p_args : 0;
	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	this->arg2_0 = this->ar_length > 0 ?
		this->ar_args : stringof(this->proc->p_comm);
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_4 = this->ar_length > 0 ? "..." : "";

	/******************* APARENT *******************/

	this->proc = this->proc->p_pptr;
	this->pid3 = this->proc->p_pid;
	this->uid3 = this->proc->p_ucred->cr_uid;
	this->gid3 = this->proc->p_ucred->cr_rgid;
	this->p_args = this->proc ? this->proc->p_args : 0;
	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	this->arg3_0 = this->ar_length > 0 ?
		this->ar_args : stringof(this->proc->p_comm);
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_4 = this->ar_length > 0 ? "..." : "";

	/***********************************************/

	/*
	 * Print process, parent, and grandparent details
	 */

	printf("%Y %s[%d]: ", timestamp + 1406598400000000000,
		this->caller_execname, this->pid1);
	printf("%s", this->arg0_0);
	printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1);
	printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2);
	printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3);
	printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4);
	printf("\n");

	printf(" -+= %05d %d.%d %s",
		this->pid3, this->uid3, this->gid3, this->arg3_0);
	printf("%s%s", this->arg3_1 != "" ? " " : "", this->arg3_1);
	printf("%s%s", this->arg3_2 != "" ? " " : "", this->arg3_2);
	printf("%s%s", this->arg3_3 != "" ? " " : "", this->arg3_3);
	printf("%s%s", this->arg3_4 != "" ? " " : "", this->arg3_4);
	printf("%s", this->arg3_0 != "" ? "\n" : "");

	printf("  \-+= %05d %d.%d %s",
		this->pid2, this->uid2, this->gid2, this->arg2_0);
	printf("%s%s", this->arg2_1 != "" ? " " : "", this->arg2_1);
	printf("%s%s", this->arg2_2 != "" ? " " : "", this->arg2_2);
	printf("%s%s", this->arg2_3 != "" ? " " : "", this->arg2_3);
	printf("%s%s", this->arg2_4 != "" ? " " : "", this->arg2_4);
	printf("%s", this->arg2_0 != "" ? "\n" : "");

	printf("    \-+= %05d %d.%d %s",
		this->pid1, this->uid1, this->gid1, this->arg1_0);
	printf("%s%s", this->arg1_1 != "" ? " " : "", this->arg1_1);
	printf("%s%s", this->arg1_2 != "" ? " " : "", this->arg1_2);
	printf("%s%s", this->arg1_3 != "" ? " " : "", this->arg1_3);
	printf("%s%s", this->arg1_4 != "" ? " " : "", this->arg1_4);
	printf("%s", this->arg1_0 != "" ? "\n" : "");

	printf("      \-+= %05d %d.%d %s",
		this->pid0, this->uid0, this->gid0, this->arg0_0);
	printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1);
	printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2);
	printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3);
	printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4);
	printf("%s", this->arg0_0 != "" ? "\n" : "");
}

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?064f01d010ed$11445990$33cd0cb0$>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact