Commit 765dfe26 authored by KarimAllah Ahmed's avatar KarimAllah Ahmed

opensnoop: Introduce process name filtering

Signed-off-by: default avatarKarimAllah Ahmed <karim.allah.ahmed@gmail.com>
parent a17d1e8e
...@@ -2,11 +2,11 @@ ...@@ -2,11 +2,11 @@
.SH NAME .SH NAME
opensnoop \- Trace open() syscalls. Uses Linux eBPF/bcc. opensnoop \- Trace open() syscalls. Uses Linux eBPF/bcc.
.SH SYNOPSIS .SH SYNOPSIS
.B opensnoop [\-h] [\-t] [\-x] [\-p PID] .B opensnoop [\-h] [\-t] [\-x] [\-p PID] [\-n name]
.SH DESCRIPTION .SH DESCRIPTION
opensnoop traces the open() syscall, showing which processes are attempting opensnoop traces the open() syscall, showing which processes are attempting
to open which files. This can be useful for determining the location of config to open which files. This can be useful for determining the location of config
and log files, or for troubleshooting applications that are failing, especially and log files, or for troubleshooting applications that are failing, specially
on startup. on startup.
This works by tracing the kernel sys_open() function using dynamic tracing, and This works by tracing the kernel sys_open() function using dynamic tracing, and
...@@ -32,6 +32,9 @@ Only print failed opens. ...@@ -32,6 +32,9 @@ Only print failed opens.
.TP .TP
\-p PID \-p PID
Trace this process ID only (filtered in-kernel). Trace this process ID only (filtered in-kernel).
.TP
\-n name
Only print processes where its name partially matches 'name'
.SH EXAMPLES .SH EXAMPLES
.TP .TP
Trace all open() syscalls: Trace all open() syscalls:
...@@ -49,6 +52,10 @@ Trace only open() syscalls that failed: ...@@ -49,6 +52,10 @@ Trace only open() syscalls that failed:
Trace PID 181 only: Trace PID 181 only:
# #
.B opensnoop \-p 181 .B opensnoop \-p 181
.TP
Trace all open() syscalls from processes where its name partially matches 'ed':
#
.B opensnoop \-n ed
.SH FIELDS .SH FIELDS
.TP .TP
TIME(s) TIME(s)
......
...@@ -23,6 +23,7 @@ examples = """examples: ...@@ -23,6 +23,7 @@ examples = """examples:
./opensnoop -t # include timestamps ./opensnoop -t # include timestamps
./opensnoop -x # only show failed opens ./opensnoop -x # only show failed opens
./opensnoop -p 181 # only trace PID 181 ./opensnoop -p 181 # only trace PID 181
./opensnoop -n main # only print process names containing "main"
""" """
parser = argparse.ArgumentParser( parser = argparse.ArgumentParser(
description="Trace open() syscalls", description="Trace open() syscalls",
...@@ -34,6 +35,8 @@ parser.add_argument("-x", "--failed", action="store_true", ...@@ -34,6 +35,8 @@ parser.add_argument("-x", "--failed", action="store_true",
help="only show failed opens") help="only show failed opens")
parser.add_argument("-p", "--pid", parser.add_argument("-p", "--pid",
help="trace this PID only") help="trace this PID only")
parser.add_argument("-n", "--name",
help="only print process names containing this name")
args = parser.parse_args() args = parser.parse_args()
debug = 0 debug = 0
...@@ -155,6 +158,9 @@ def print_event(cpu, data, size): ...@@ -155,6 +158,9 @@ def print_event(cpu, data, size):
if args.failed and (event.ret >= 0): if args.failed and (event.ret >= 0):
return return
if args.name and args.name not in event.comm:
return
if args.timestamp: if args.timestamp:
delta = event.ts - initial_ts delta = event.ts - initial_ts
print("%-14.9f" % (float(delta) / 1000000), end="") print("%-14.9f" % (float(delta) / 1000000), end="")
......
...@@ -89,6 +89,37 @@ The ERR column is the system error number. Error number 2 is ENOENT: no such ...@@ -89,6 +89,37 @@ The ERR column is the system error number. Error number 2 is ENOENT: no such
file or directory. file or directory.
The -n option can be used to filter on process name using partial matches:
# ./opensnoop -n ed
PID COMM FD ERR PATH
2679 sed 3 0 /etc/ld.so.cache
2679 sed 3 0 /lib/x86_64-linux-gnu/libselinux.so.1
2679 sed 3 0 /lib/x86_64-linux-gnu/libc.so.6
2679 sed 3 0 /lib/x86_64-linux-gnu/libpcre.so.3
2679 sed 3 0 /lib/x86_64-linux-gnu/libdl.so.2
2679 sed 3 0 /lib/x86_64-linux-gnu/libpthread.so.0
2679 sed 3 0 /proc/filesystems
2679 sed 3 0 /usr/lib/locale/locale-archive
2679 sed -1 2
2679 sed 3 0 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
2679 sed 3 0 /dev/null
2680 sed 3 0 /etc/ld.so.cache
2680 sed 3 0 /lib/x86_64-linux-gnu/libselinux.so.1
2680 sed 3 0 /lib/x86_64-linux-gnu/libc.so.6
2680 sed 3 0 /lib/x86_64-linux-gnu/libpcre.so.3
2680 sed 3 0 /lib/x86_64-linux-gnu/libdl.so.2
2680 sed 3 0 /lib/x86_64-linux-gnu/libpthread.so.0
2680 sed 3 0 /proc/filesystems
2680 sed 3 0 /usr/lib/locale/locale-archive
2680 sed -1 2
^C
This caught the 'sed' command because it partially matches 'ed' that's passed
to the '-n' option.
USAGE message: USAGE message:
# ./opensnoop -h # ./opensnoop -h
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment