#!/bin/sh # # rwsnoop - snoop read/write events. # Originally written using DTrace (Solaris 10 3/05). # # This is measuring reads and writes at the application level. This matches # the syscalls read, and write. # # $Id: rwsnoop,v 1.1.1.1 2015/09/30 22:01:06 christos Exp $ # # USAGE: rwsnoop [-jPtvZ] [-n name] [-p pid] # # rwsnoop # default output # # -P # print parent process ID # -t # print timestamp, us # -v # print time, string # -J # print jail ID # -n name # this process name only # -p PID # this PID only # eg, # rwsnoop -J # print jail ID # rwsnoop -n bash # monitor processes named "bash" # rwsnoop > out.txt # recommended # # NOTE: # rwsnoop usually prints plenty of output, which itself will cause # more output. It can be better to redirect the output of rwsnoop # to a file to prevent this. # # FIELDS: # TIME Timestamp, us # TIMESTR Time, string # JAIL JAIL ID # UID User ID # PID Process ID # PPID Parent Process ID # CMD Process name # D Direction, Read or Write # BYTES Total bytes during sample, -1 for error # FILE Filename, if file based # # Reads and writes that are not file based, for example with sockets, will # print "" as the filename. # # SEE ALSO: rwtop # # COPYRIGHT: Copyright (c) 2005 Brendan Gregg. # # CDDL HEADER START # # The contents of this file are subject to the terms of the # Common Development and Distribution License, Version 1.0 only # (the "License"). You may not use this file except in compliance # with the License. # # You can obtain a copy of the license at Docs/cddl1.txt # or http://www.opensolaris.org/os/licensing. # See the License for the specific language governing permissions # and limitations under the License. # # CDDL HEADER END # # TODO: # Track readv and writev. # # Author: Brendan Gregg [Sydney, Australia] # # 24-Jul-2005 Brendan Gregg Created this. # 17-Sep-2005 " " Increased switchrate. # 17-Sep-2005 " " Last update. # 26-Jul-2014 George Neville-Neil Port to FreeBSD # ############################## # --- Process Arguments --- # ### default variables opt_name=0; opt_pid=0; opt_jailid=0; opt_time=0; opt_timestr=0 opt_bytes=1; filter=0; pname=.; pid=0; opt_ppid=0; ### process options while getopts n:Pp:jtvZ name do case $name in n) opt_name=1; pname=$OPTARG ;; p) opt_pid=1; pid=$OPTARG ;; P) opt_ppid=1 ;; t) opt_time=1 ;; v) opt_timestr=1 ;; J) opt_jailid=1 ;; h|?) cat <<-END >&2 USAGE: rwsnoop [-jPtvZ] [-n name] [-p pid] -P # print parent process ID -t # print timestamp, us -v # print time, string -J # print jail ID -n name # this process name only -p PID # this PID only eg, rwsnoop # default output rwsnoop -J # print jail ID rwsnoop -n bash # monitor processes named "bash" END exit 1 esac done shift $(( $OPTIND - 1 )) ### option logic if [ $opt_name -ne 0 ]; then filter=1 fi if [ $opt_pid -ne 0 ]; then filter=1 fi ################################# # --- Main Program, DTrace --- # /usr/sbin/dtrace -n ' /* * Command line arguments */ inline int OPT_jailid = '$opt_jailid'; inline int OPT_bytes = '$opt_bytes'; inline int OPT_name = '$opt_name'; inline int OPT_ppid = '$opt_ppid'; inline int OPT_pid = '$opt_pid'; inline int OPT_time = '$opt_time'; inline int OPT_timestr = '$opt_timestr'; inline int FILTER = '$filter'; inline int PID = '$pid'; inline string NAME = "'$pname'"; #pragma D option quiet #pragma D option switchrate=10hz /* * Print header */ dtrace:::BEGIN { /* print header */ OPT_time ? printf("%-14s ", "TIME") : 1; OPT_timestr ? printf("%-20s ", "TIMESTR") : 1; OPT_jailid ? printf("%5s ", "JAILID") : 1; OPT_ppid ? printf("%6s ", "PPID") : 1; printf("%5s %6s %-12s %4s %1s %7s\n", "UID", "PID", "CMD", "FD", "D", "BYTES"); } /* * Check event is being traced */ syscall::*read:entry, syscall::*write:entry /pid != $pid/ { /* default is to trace unless filtering, */ self->ok = FILTER ? 0 : 1; /* check each filter, */ (OPT_name == 1 && NAME == execname)? self->ok = 1 : 1; (OPT_pid == 1 && PID == pid) ? self->ok = 1 : 1; /* save file descriptor */ self->fd = self->ok ? arg0 : 0; } /* * Save read details */ syscall::*read:return /self->ok/ { self->rw = "R"; self->size = arg0; } /* * Save write details */ syscall::*write:entry /self->ok/ { self->rw = "W"; self->size = arg2; } /* * Process event */ syscall::*read:return, syscall::*write:entry /self->ok/ { /* * Fetch filename * XXX Not yet implemented. */ /* this->filistp = curthread->t_procp->p_user.u_finfo.fi_list; this->ufentryp = (uf_entry_t *)((uint64_t)this->filistp + (uint64_t)self->fd * (uint64_t)sizeof(uf_entry_t)); this->filep = this->ufentryp->uf_file; this->vnodep = this->filep != 0 ? this->filep->f_vnode : 0; self->vpath = this->vnodep ? (this->vnodep->v_path != 0 ? cleanpath(this->vnodep->v_path) : "") : ""; */ /* * Print details */ OPT_time ? printf("%-14d ", timestamp / 1000) : 1; OPT_timestr ? printf("%-20Y ", walltimestamp) : 1; OPT_jailid ? printf("%5d ", curpsinfo->pr_jailid) : 1; OPT_ppid ? printf("%6d ", ppid) : 1; printf("%5d %6d %-12.12s %4d %1s %7d\n", uid, pid, execname, self->fd, self->rw, (int)self->size); self->ok = 0; self->fd = 0; self->rw = 0; self->size = 0; self->vpath = 0; } '