Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
B
bcc
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
bcc
Commits
01992b8e
Commit
01992b8e
authored
Sep 10, 2016
by
Brendan Gregg
Committed by
GitHub
Sep 10, 2016
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #688 from KarimAllah/opensnoop-re
minor cleanup + process partial name matching
parents
63656c26
765dfe26
Changes
3
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
53 additions
and
24 deletions
+53
-24
man/man8/opensnoop.8
man/man8/opensnoop.8
+9
-2
tools/opensnoop.py
tools/opensnoop.py
+13
-22
tools/opensnoop_example.txt
tools/opensnoop_example.txt
+31
-0
No files found.
man/man8/opensnoop.8
View file @
01992b8e
...
@@ -2,11 +2,11 @@
...
@@ -2,11 +2,11 @@
.SH NAME
.SH NAME
opensnoop \- Trace open() syscalls. Uses Linux eBPF/bcc.
opensnoop \- Trace open() syscalls. Uses Linux eBPF/bcc.
.SH SYNOPSIS
.SH SYNOPSIS
.B opensnoop [\-h] [\-t] [\-x] [\-p PID]
.B opensnoop [\-h] [\-t] [\-x] [\-p PID]
[\-n name]
.SH DESCRIPTION
.SH DESCRIPTION
opensnoop traces the open() syscall, showing which processes are attempting
opensnoop traces the open() syscall, showing which processes are attempting
to open which files. This can be useful for determining the location of config
to open which files. This can be useful for determining the location of config
and log files, or for troubleshooting applications that are failing,
e
specially
and log files, or for troubleshooting applications that are failing, specially
on startup.
on startup.
This works by tracing the kernel sys_open() function using dynamic tracing, and
This works by tracing the kernel sys_open() function using dynamic tracing, and
...
@@ -32,6 +32,9 @@ Only print failed opens.
...
@@ -32,6 +32,9 @@ Only print failed opens.
.TP
.TP
\-p PID
\-p PID
Trace this process ID only (filtered in-kernel).
Trace this process ID only (filtered in-kernel).
.TP
\-n name
Only print processes where its name partially matches 'name'
.SH EXAMPLES
.SH EXAMPLES
.TP
.TP
Trace all open() syscalls:
Trace all open() syscalls:
...
@@ -49,6 +52,10 @@ Trace only open() syscalls that failed:
...
@@ -49,6 +52,10 @@ Trace only open() syscalls that failed:
Trace PID 181 only:
Trace PID 181 only:
#
#
.B opensnoop \-p 181
.B opensnoop \-p 181
.TP
Trace all open() syscalls from processes where its name partially matches 'ed':
#
.B opensnoop \-n ed
.SH FIELDS
.SH FIELDS
.TP
.TP
TIME(s)
TIME(s)
...
...
tools/opensnoop.py
View file @
01992b8e
...
@@ -23,6 +23,7 @@ examples = """examples:
...
@@ -23,6 +23,7 @@ examples = """examples:
./opensnoop -t # include timestamps
./opensnoop -t # include timestamps
./opensnoop -x # only show failed opens
./opensnoop -x # only show failed opens
./opensnoop -p 181 # only trace PID 181
./opensnoop -p 181 # only trace PID 181
./opensnoop -n main # only print process names containing "main"
"""
"""
parser
=
argparse
.
ArgumentParser
(
parser
=
argparse
.
ArgumentParser
(
description
=
"Trace open() syscalls"
,
description
=
"Trace open() syscalls"
,
...
@@ -34,6 +35,8 @@ parser.add_argument("-x", "--failed", action="store_true",
...
@@ -34,6 +35,8 @@ parser.add_argument("-x", "--failed", action="store_true",
help
=
"only show failed opens"
)
help
=
"only show failed opens"
)
parser
.
add_argument
(
"-p"
,
"--pid"
,
parser
.
add_argument
(
"-p"
,
"--pid"
,
help
=
"trace this PID only"
)
help
=
"trace this PID only"
)
parser
.
add_argument
(
"-n"
,
"--name"
,
help
=
"only print process names containing this name"
)
args
=
parser
.
parse_args
()
args
=
parser
.
parse_args
()
debug
=
0
debug
=
0
...
@@ -53,7 +56,6 @@ struct val_t {
...
@@ -53,7 +56,6 @@ struct val_t {
struct data_t {
struct data_t {
u32 pid;
u32 pid;
u64 ts;
u64 ts;
u64 delta;
int ret;
int ret;
char comm[TASK_COMM_LEN];
char comm[TASK_COMM_LEN];
char fname[NAME_MAX];
char fname[NAME_MAX];
...
@@ -95,7 +97,6 @@ int trace_return(struct pt_regs *ctx)
...
@@ -95,7 +97,6 @@ int trace_return(struct pt_regs *ctx)
bpf_probe_read(&data.comm, sizeof(data.comm), valp->comm);
bpf_probe_read(&data.comm, sizeof(data.comm), valp->comm);
bpf_probe_read(&data.fname, sizeof(data.fname), (void *)valp->fname);
bpf_probe_read(&data.fname, sizeof(data.fname), (void *)valp->fname);
data.pid = valp->pid;
data.pid = valp->pid;
data.delta = tsp - valp->ts;
data.ts = tsp / 1000;
data.ts = tsp / 1000;
data.ret = PT_REGS_RC(ctx);
data.ret = PT_REGS_RC(ctx);
...
@@ -126,15 +127,12 @@ class Data(ct.Structure):
...
@@ -126,15 +127,12 @@ class Data(ct.Structure):
_fields_
=
[
_fields_
=
[
(
"pid"
,
ct
.
c_ulonglong
),
(
"pid"
,
ct
.
c_ulonglong
),
(
"ts"
,
ct
.
c_ulonglong
),
(
"ts"
,
ct
.
c_ulonglong
),
(
"delta"
,
ct
.
c_ulonglong
),
(
"ret"
,
ct
.
c_int
),
(
"ret"
,
ct
.
c_int
),
(
"comm"
,
ct
.
c_char
*
TASK_COMM_LEN
),
(
"comm"
,
ct
.
c_char
*
TASK_COMM_LEN
),
(
"fname"
,
ct
.
c_char
*
NAME_MAX
)
(
"fname"
,
ct
.
c_char
*
NAME_MAX
)
]
]
start_ts
=
0
initial_ts
=
0
prev_ts
=
0
delta
=
0
# header
# header
if
args
.
timestamp
:
if
args
.
timestamp
:
...
@@ -144,10 +142,7 @@ print("%-6s %-16s %4s %3s %s" % ("PID", "COMM", "FD", "ERR", "PATH"))
...
@@ -144,10 +142,7 @@ print("%-6s %-16s %4s %3s %s" % ("PID", "COMM", "FD", "ERR", "PATH"))
# process event
# process event
def
print_event
(
cpu
,
data
,
size
):
def
print_event
(
cpu
,
data
,
size
):
event
=
ct
.
cast
(
data
,
ct
.
POINTER
(
Data
)).
contents
event
=
ct
.
cast
(
data
,
ct
.
POINTER
(
Data
)).
contents
global
start_ts
global
initial_ts
global
prev_ts
global
delta
global
cont
# split return value into FD and errno columns
# split return value into FD and errno columns
if
event
.
ret
>=
0
:
if
event
.
ret
>=
0
:
...
@@ -157,26 +152,22 @@ def print_event(cpu, data, size):
...
@@ -157,26 +152,22 @@ def print_event(cpu, data, size):
fd_s
=
-
1
fd_s
=
-
1
err
=
-
event
.
ret
err
=
-
event
.
ret
if
start_ts
==
0
:
if
not
initial_ts
:
prev_ts
=
start_
ts
initial_ts
=
event
.
ts
if
start_ts
==
1
:
if
args
.
failed
and
(
event
.
ret
>=
0
)
:
delta
=
float
(
delta
)
+
(
event
.
ts
-
prev_ts
)
return
if
(
args
.
failed
and
(
event
.
ret
>=
0
)):
if
args
.
name
and
args
.
name
not
in
event
.
comm
:
start_ts
=
1
prev_ts
=
event
.
ts
return
return
if
args
.
timestamp
:
if
args
.
timestamp
:
print
(
"%-14.9f"
%
(
delta
/
1000000
),
end
=
""
)
delta
=
event
.
ts
-
initial_ts
print
(
"%-14.9f"
%
(
float
(
delta
)
/
1000000
),
end
=
""
)
print
(
"%-6d %-16s %4d %3d %s"
%
(
event
.
pid
,
event
.
comm
,
print
(
"%-6d %-16s %4d %3d %s"
%
(
event
.
pid
,
event
.
comm
,
fd_s
,
err
,
event
.
fname
))
fd_s
,
err
,
event
.
fname
))
prev_ts
=
event
.
ts
start_ts
=
1
# loop with callback to print_event
# loop with callback to print_event
b
[
"events"
].
open_perf_buffer
(
print_event
)
b
[
"events"
].
open_perf_buffer
(
print_event
)
while
1
:
while
1
:
...
...
tools/opensnoop_example.txt
View file @
01992b8e
...
@@ -89,6 +89,37 @@ The ERR column is the system error number. Error number 2 is ENOENT: no such
...
@@ -89,6 +89,37 @@ The ERR column is the system error number. Error number 2 is ENOENT: no such
file or directory.
file or directory.
The -n option can be used to filter on process name using partial matches:
# ./opensnoop -n ed
PID COMM FD ERR PATH
2679 sed 3 0 /etc/ld.so.cache
2679 sed 3 0 /lib/x86_64-linux-gnu/libselinux.so.1
2679 sed 3 0 /lib/x86_64-linux-gnu/libc.so.6
2679 sed 3 0 /lib/x86_64-linux-gnu/libpcre.so.3
2679 sed 3 0 /lib/x86_64-linux-gnu/libdl.so.2
2679 sed 3 0 /lib/x86_64-linux-gnu/libpthread.so.0
2679 sed 3 0 /proc/filesystems
2679 sed 3 0 /usr/lib/locale/locale-archive
2679 sed -1 2
2679 sed 3 0 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
2679 sed 3 0 /dev/null
2680 sed 3 0 /etc/ld.so.cache
2680 sed 3 0 /lib/x86_64-linux-gnu/libselinux.so.1
2680 sed 3 0 /lib/x86_64-linux-gnu/libc.so.6
2680 sed 3 0 /lib/x86_64-linux-gnu/libpcre.so.3
2680 sed 3 0 /lib/x86_64-linux-gnu/libdl.so.2
2680 sed 3 0 /lib/x86_64-linux-gnu/libpthread.so.0
2680 sed 3 0 /proc/filesystems
2680 sed 3 0 /usr/lib/locale/locale-archive
2680 sed -1 2
^C
This caught the 'sed' command because it partially matches 'ed' that's passed
to the '-n' option.
USAGE message:
USAGE message:
# ./opensnoop -h
# ./opensnoop -h
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment