0001 Jun 1




  • probe - a named point of instrumentation in kernel or user code; when it fires, the D clauses attached to it run
  • provider - a kernel module that publishes a family of related probes (syscall, profile, pid, ...)
  • module - the kernel module, library or program the probe lives in

Every probe is named by four fields, provider:module:function:name. A field left empty in a probe description is a wildcard, so syscall::open:entry matches the entry of the open system call in any module.

How it works

user space

  • dtrace(1) - the command-line consumer
  • libdtrace - compiles D programs and talks to the kernel through /dev/dtrace
  • libproc - process control (attach, stop, symbol lookup); used for the pid provider and for -c/-p

kernel space

  • DTrace framework (the dtrace kernel module)
  • providers
    • dtrace: - the BEGIN, END and ERROR probes
    • profile: - timer-driven probes (tick-*, profile-*)
    • syscall: - entry and return of every system call
    • many more, not all of them implemented on every platform


dtrace(1)

  • command-line frontend
  • lists available probes and providers (-l)
  • enables probes, attaches to running processes (-p) or launches them (-c)
  • compiles D programs (-n for one-liners, -s for scripts)

Tracing applications

  • pid provider - instruments any function of a running process
    • unstable: probe names are the binary's symbols, so they change with the build, inlining and stripping
  • USDT (Userland Statically Defined Tracing) - stable probes the developer compiles into the application

Available probes

    dtrace -l

probes of one provider (-l combined with a probe description lists only the matching probes)

    dtrace -l -n 'dtrace:::'

D program structure

A D program is a list of clauses, each of the form

    probe-description
    /predicate/
    {
        actions
    }

The predicate is optional; the actions run each time the probe fires and the predicate is true.

example program

    /* print the process name and the path for every open(2) */
    syscall::open:entry {
        printf("%s\t%s\n", execname, copyinstr(arg0));
    }
    /* empty action: dtrace just reports that the probe fired, once a second */
    profile:::tick-1s {
    }
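A fuller script, added here as an example (it is not from the original post), shows the pieces a real D program combines: BEGIN and END clauses, a thread-local variable carried from an entry probe to the matching return probe, a predicate, three kinds of aggregation (count, sum, quantize) and a timed exit. It measures read(2) latency and volume per process for ten seconds. All probe names, variables and functions used are standard D; the script assumes a DTrace-capable system and root.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example (not from the original post): the pieces of a complete D
 * script.  Every clause is  probe-description /predicate/ { actions }.
 * Measures read(2) latency and volume per process for ten seconds.
 * Run as root:  dtrace -s readlat.d
 */
#pragma D option quiet

BEGIN
{
    printf("tracing read(2) for 10 seconds...\n");
}

/* thread-local variable: remember when this thread entered read(2) */
syscall::read:entry
{
    self->ts = timestamp;
}

/* predicate: skip returns of calls that were already in flight when tracing began */
syscall::read:return
/self->ts/
{
    /* aggregations keyed by process name */
    @calls[execname] = count();
    /* arg0 at :return is the return value; negative means failure, counted as 0 bytes */
    @bytes[execname] = sum(arg0 > 0 ? arg0 : 0);
    @lat[execname]   = quantize(timestamp - self->ts);
    self->ts = 0;   /* release the thread-local storage */
}

/* timed exit: the profile provider fires this once, ten seconds after start */
profile:::tick-10s
{
    exit(0);
}

/* END runs after exit(); any aggregation not printed here is printed by dtrace anyway */
END
{
    printf("\nread(2) calls per process:\n");
    printa("  %-24s %@8d\n", @calls);
    printf("\nbytes read per process:\n");
    printa("  %-24s %@12d\n", @bytes);
    printf("\nread(2) latency (ns) per process:\n");
    printa("  %s\n%@d\n", @lat);
}
```

The predicate on the return probe matters: without it, a read(2) that was already blocked when the script started would produce a bogus latency of timestamp - 0.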

Built-in variables

  • args[] / arg0..arg9 - the probe's arguments (args[] is typed, argN are raw 64-bit values)
  • pid, execname - id and name of the current process
  • errno - error value of the last system call on this thread
  • probeprov, probemod, probefunc, probename - the four fields of the probe that fired
  • timestamp - nanosecond counter for measuring intervals; vtimestamp - nanoseconds the current thread has spent on-CPU


run a program and trace every function call it makes ($target expands to the pid of the process started with -c; this instruments every function in every loaded library, so expect a heavy slowdown and a lot of output)

    dtrace -n 'pid$target:::entry' -c '/path/to/program --parameters'

attach to a running process and trace all function calls

    dtrace -n 'pid$target:::entry' -p $PID

count how often each function is called (aggregation keyed by function name, printed at exit)

    dtrace -n 'pid$target:::entry { @[probefunc] = count(); }' -c ls
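The pid provider is far more useful when narrowed to one module and function than when pointed at every function in the process. The script below is an added example (not from the original post): it traces malloc in the target, records who asks for how much and how much each allocation call fails. The module name libsystem_malloc.dylib is the macOS allocator library and is an assumption; on another OS substitute the module that exports malloc (libc.so.1 on illumos, for instance). On current macOS, System Integrity Protection blocks the pid provider on Apple-signed binaries, so run it against a binary you built yourself or on a machine where the dtrace restriction is lifted.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example (not from the original post): narrowing the pid provider to
 * one function.  pid$target:::entry instruments every function in every
 * loaded library; naming module and function keeps overhead and noise down.
 * libsystem_malloc.dylib is the macOS allocator library and is an assumption
 * here: on another OS substitute the module exporting malloc (e.g. libc.so.1).
 * Usage:  dtrace -s mallocsize.d -c ./myprog     or    dtrace -s mallocsize.d -p <pid>
 */
#pragma D option quiet

/* :entry of a pid probe: arg0..argN are the function's arguments */
pid$target:libsystem_malloc.dylib:malloc:entry
{
    self->size = arg0;
    /* size distribution keyed by the three innermost user frames (who asked) */
    @sizes[ustack(3)] = quantize(arg0);
}

/* :return of a pid probe: arg0 is the offset within the function, arg1 the return value */
pid$target:libsystem_malloc.dylib:malloc:return
/self->size/
{
    @total[execname] = sum(self->size);
    /* a NULL return means the allocation failed */
    @failed[execname] = sum(arg1 == 0 ? 1 : 0);
    self->size = 0;
}

END
{
    printa("total bytes requested by %s: %@d\n", @total);
    printa("failed malloc calls in %s: %@d\n", @failed);
    /* @sizes is not printed here, so dtrace prints it automatically at exit */
}
```

Because pid probes are keyed on symbol names, the same script needs a different module field on another platform, which is exactly the instability the list above refers to.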

files opened, with the process name

    dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0)); }'

copyinstr() at :entry can fail if the user page holding the string is not resident yet; if you see "invalid address" errors, save arg0 in a thread-local variable and copy it at :return instead.

new processes

    sudo dtrace -n 'proc:::exec-success{trace(execname)}'

new processes with arguments

    sudo dtrace -n 'proc:::exec-success{trace(curpsinfo->pr_psargs)}'

deleted files

    sudo dtrace -n 'syscall::unlink:entry{printf("%d %s %s",pid,execname,copyinstr(arg0))}'

opened files, with pid

    sudo dtrace -n 'syscall::open*:entry{printf("%d %s %s",pid,execname,copyinstr(arg0))}'

files opened for writing, quiet output (-q drops the CPU/ID/probe columns; the predicate arg1&3 keeps only O_WRONLY and O_RDWR opens)

    sudo dtrace -qn 'syscall::open*:entry/arg1&3/{printf("%d %s %s\n",pid,execname,copyinstr(arg0))}'

files opened by processes named mdworker

    sudo dtrace -n 'syscall::open*:entry/execname=="mdworker"/{printf("%s",copyinstr(arg0))}'

cause a kernel panic (-w allows destructive actions such as panic(), stop(), raise() and system(); do not run this anywhere but a test VM)

    sudo dtrace -w -n 'BEGIN{panic()}'

number of bytes received by each process via recvfrom(2) (arg0 at :return is the return value, -1 on error, so the predicate sums only successful calls; socket traffic going through read(2), recv(2) or recvmsg(2) is not counted)

    sudo dtrace -n 'syscall::recvfrom:return/arg0 > 0/{@[pid,execname]=sum(arg0)}'

number of bytes sent by each process via sendto(2)

    sudo dtrace -n 'syscall::sendto:return/arg0 > 0/{@[pid,execname]=sum(arg0)}'

signals sent to processes (kill.d script)

    sudo kill.d

signals sent to processes (one-liner: sender, signal number, target pid; the /pid/ predicate skips signals sent by the kernel)

    sudo dtrace -n 'proc:::signal-send/pid/{printf("%s %d %d",execname,args[2],args[1]->pr_pid)}'
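The exec, open and unlink one-liners above are what a host-monitoring consumer wants, but each has a sharp edge: copyinstr() at :entry can fail before the string is faulted in, the open* wildcard also matches openat, whose first argument is a directory fd rather than a path, and the :entry probes never tell you whether the call succeeded. The script below is an added example (not from the original post) that folds the three one-liners into one monitor and handles those edges: it saves the pointer at :entry, copies the string and reads errno at :return, and treats openat separately. It assumes a DTrace-capable system and root; the openat probes are guarded with the zdefs option so the script still loads on a platform without openat.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example (not from the original post): a small exec/open/unlink
 * activity monitor built from the one-liners above.
 *  - the path is read with copyinstr() at :return, not :entry.  At entry the
 *    string may not be faulted into memory yet, and copyinstr() then fails
 *    with "invalid address" and the clause is dropped.  Saving the pointer in
 *    a thread-local and copying it at return is the idiom opensnoop uses.
 *  - the :return clause also records errno, i.e. whether the call succeeded.
 *  - openat(2) carries its path in arg1 (arg0 is a directory fd), so it gets
 *    its own entry clause; the one-liners' open* wildcard copies the fd there.
 * Run as root:  dtrace -s fsmon.d   (Ctrl-C to stop)
 */
#pragma D option quiet
#pragma D option zdefs     /* allow the openat* description to match no probes */

BEGIN
{
    printf("%-20s %6s %6s %-12s %5s %s\n",
        "TIME", "PID", "UID", "EXEC", "ERRNO", "EVENT");
}

/* new process images; execname is already the new image here */
proc:::exec-success
{
    printf("%Y %6d %6d %-12s %5s exec %s\n",
        walltimestamp, pid, uid, execname, "-", curpsinfo->pr_psargs);
}

/* open(2) and unlink(2): arg0 is the path.  Only save the pointer here. */
syscall::open:entry,
syscall::open_nocancel:entry,
syscall::unlink:entry
{
    self->path = arg0;
}

/* openat(2): arg0 is a directory fd, the path is arg1 */
syscall::openat*:entry
{
    self->path = arg1;
}

/* at return the string is safe to copy and errno holds the outcome (0 = success) */
syscall::open*:return,
syscall::unlink:return
/self->path/
{
    printf("%Y %6d %6d %-12s %5d %s %s\n",
        walltimestamp, pid, uid, execname, errno, probefunc,
        copyinstr(self->path));
    self->path = 0;
}
```

Relative paths are printed as the process passed them; resolving them against the caller's working directory is something the consumer has to do, D does not expand them.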

list dtrace scripts (macOS ships them in /usr/bin, both as *.d files and as plain commands such as opensnoop, each with a man page)

    man -k dtrace
    ls /usr/bin/*.d
    man -a $(man -k dtrace|sed 's/\([^ ]*\)(\([^)]*\).*/\2 \1/')

opened files

    sudo opensnoop

new processes

    sudo execsnoop

I/O events

    sudo iosnoop

read and write events

    sudo rwsnoop

processes with highest I/O use

    sudo iotop

syscall failures

    sudo errinfo

show I/O event size distribution for each process

    sudo bitesize.d

Indented call flow

put this in test.d (the flowindent option indents output by call depth, so entry/return pairs nest like a call tree)

    #!/usr/sbin/dtrace -s
    #pragma D option flowindent
    /* empty actions: just report every function entry and return in the target */
    pid$target:::entry {}
    pid$target:::return {}

run it against a command (root is required)

    sudo dtrace -s test.d -c ls
