dwatch automates the process of generating DTrace scripts to coalesce trace output by date/time, process info, and [optionally] probe-specific data.
Output format without options is:
date/time uid.gid execname[pid]: psargs
For example, the command ‘dwatch BEGIN’ produces:
INFO Watching 'dtrace:::BEGIN' ...
2017 May 29 08:23:20 0.0 dtrace[60671]: dtrace -s /dev/stdin
The
Output format with the ‘-F’ option is:
date/time uid.gid execname[pid]: {->,<-, |} prov:mod:func:name ...
For example, the command ‘dwatch -F BEGIN’ produces:
INFO Watching 'dtrace:::BEGIN' ...
2017 May 29 21:34:41 0.0 dtrace[86593]: | dtrace:::BEGIN ...
The
Output format with the ‘-R’ option is:
date/time uid0.gid0 execname[pid0]: psargs0
 -+= pid3 uid3.gid3 psargs3
  \-+= pid2 uid2.gid2 psargs2
    \-+= pid1 uid1.gid1 psargs1
      \-+= pid0 uid0.gid0 psargs0
For example, the command ‘dwatch -R BEGIN’ produces:
INFO Watching 'dtrace:::BEGIN' ...
2017 May 29 21:38:54 0.0 dtrace[86899]: dtrace -s /dev/stdin
 -+= 86855 604.604 -bash
  \-+= 86857 604.604 /bin/sh /usr/sbin/dwatch -R BEGIN
    \-+= 86897 0.0 sudo dtrace -s /dev/stdin
      \-+= 86899 0.0 dtrace -s /dev/stdin
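The ‘-R’ process-tree format lends itself to post-processing, for instance to report where in a process's ancestry the uid changes (here, the sudo step). The following parser is an added example, not part of dwatch or of this manual page; the function names are hypothetical, and the sample is the ‘dwatch -R BEGIN’ output shown above with the tree indentation assumed.

```python
import re

# Header line: "date/time uid.gid execname[pid]: psargs"
HEADER = re.compile(
    r"^(?P<when>\d{4} \w{3} +\d+ \d\d:\d\d:\d\d) (?P<uid>\d+)\.(?P<gid>\d+) "
    r"(?P<execname>.+?)\[(?P<pid>\d+)\]: (?P<psargs>.*)$")
# Ancestry line printed by -R: "-+= pid uid.gid psargs" (children prefixed "\")
TREE = re.compile(r"^\s*\\*-\+= (?P<pid>\d+) (?P<uid>\d+)\.(?P<gid>\d+) (?P<psargs>.*)$")

def parse_events(lines):
    """Group dwatch -R output into events, each with its ancestry list."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        m = HEADER.match(line)
        if m:
            ev = m.groupdict()
            ev.update(uid=int(ev["uid"]), gid=int(ev["gid"]), pid=int(ev["pid"]), tree=[])
            events.append(ev)
            continue
        m = TREE.match(line)
        if m and events:
            node = m.groupdict()
            node.update(pid=int(node["pid"]), uid=int(node["uid"]), gid=int(node["gid"]))
            events[-1]["tree"].append(node)
        # anything else (e.g. "INFO Watching ...") is ignored
    return events

def uid_transitions(event):
    """Return (parent, child) pairs in the ancestry where the uid changes."""
    tree = event["tree"]
    return [(a, b) for a, b in zip(tree, tree[1:]) if a["uid"] != b["uid"]]

# Sample input: the 'dwatch -R BEGIN' output from this page (indentation assumed).
SAMPLE = r"""INFO Watching 'dtrace:::BEGIN' ...
2017 May 29 21:38:54 0.0 dtrace[86899]: dtrace -s /dev/stdin
 -+= 86855 604.604 -bash
  \-+= 86857 604.604 /bin/sh /usr/sbin/dwatch -R BEGIN
    \-+= 86897 0.0 sudo dtrace -s /dev/stdin
      \-+= 86899 0.0 dtrace -s /dev/stdin
"""

if __name__ == "__main__":
    for ev in parse_events(SAMPLE.splitlines()):
        for parent, child in uid_transitions(ev):
            print(f"{ev['when']} pid {child['pid']} ({child['psargs']}) uid "
                  f"{parent['uid']} -> {child['uid']}, parent pid {parent['pid']}")
```

The same functions can read live output by passing an open pipe or file object to parse_events() in place of the sample.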
Of particular interest is the ability to filter using regular expressions.
The
‘
In contrast,
the
‘
The
‘
dwatch -E 'printf("%s", copyinstr(arg0))' chdir
displays the path argument sent to chdir(2) calls.
Profiles can be written for more complex routines and/or convenience.
To list available profiles use the ‘-Q’ option.
For example, the command ‘dwatch -X kill’ displays arguments sent to kill(2).
Multiple probes must be given as a single (quoted) argument, separated by comma and/or whitespace. Any/all arguments following said probes will be passed to dtrace(1) unmodified.
Print one line per process/profile (Default; disables‘
Maximum number of arguments to display (Default 64).
Debug. Send dtrace(1) script to stdout instead of executing.
Exit after compiling request but prior to enabling probes.
DTrace code for event details. If `-', read from stdin. This allows customization of what is printed after date/time and process info. By default, the name and arguments of the program triggering the probe are shown. Can be specified multiple times.
Enable probes matching the specified function names.
Coalesce trace output by probe.
Group filter. Only show processes matching group name/gid. This can be an awk(1) regular expression to match a numerical gid.
Jail filter. Only show processes matching jail name/jid.
Only show processes matching name. Can also be of the format ‘name*’ to indicate "begins with", ‘*name’ to indicate "ends with", or ‘*name*’ to indicate "contains". Can be specified multiple times.
Maximum directory depth to display (Default 64).
List available probes on standard output and exit.
Enable probes matching the specified module names.
Load profile from DWATCH_PROFILES_PATH.
Enable probes matching the specified probe names.
Exit after count matching entries (Default 0 for disabled).
Set output file. If ‘-’, the path ‘/dev/stdout’ is used.
Execute cmd for each event. This can be any valid sh(1) command. The environment variables ‘$TAG’ and ‘$DETAILS’ are set for the given cmd.
Process id filter. Only show processes with matching pid. This can be an awk(1) regular expression.
Enable probe matching the specified provider name.
Quiet. Hide informational messages and all dtrace(1) errors.
List available profiles in DWATCH_PROFILES_PATH and exit.
Filter. Only show blocks matching awk(1) regular expression.
Show parent, grandparent, and ancestor of process.
Test clause (predicate) to limit events (Default none). Can be specified multiple times.
Timeout. The format is ‘#[smhd]’ or just ‘#’ for seconds.
User filter. Only show processes matching user name/uid. This can be an awk(1) regular expression to match a numerical UID.
Verbose. Show all errors from dtrace(1).
Report dwatch version on standard output and exit.
Permit destructive actions (copyout*, stop, panic, etc.).
Trace. Print ‘<probe-id>’ when a probe is triggered.
Always treat stdout as console (enable colors/columns/etc.).
Only show processes matching awk(1) regular expression.
chmod | Print mode and path from chmod(2), lchmod(2), fchmodat(2) |
errno | Print non-zero errno results from system calls |
io | Print disk I/O details provided by dtrace_io(4) |
ip | Print IPv4 and IPv6 details provided by dtrace_ip(4) |
kill | Print signal and pid from kill(2) |
nanosleep | Print requested time from nanosleep(2) |
open | Print path from open(2), openat(2) |
proc | Print process execution details provided by dtrace_proc(4) |
proc-signal | Print process signal details provided by dtrace_proc(4) |
rw | Print buffer contents from read(2), write(2) |
sched | Print CPU scheduling details provided by dtrace_sched(4) |
tcp | Print TCP address/port details provided by dtrace_tcp(4) |
tcp-io | Print TCP I/O details provided by dtrace_tcp(4) |
udp | Print UDP I/O details provided by dtrace_udp(4) |
vop_create | Print filesystem paths being created by VOP_CREATE(9) |
vop_lookup | Print filesystem paths being looked-up by VOP_LOOKUP(9) |
vop_mkdir | Print directory paths being created by VOP_MKDIR(9) |
vop_mknod | Print device node paths being created by VOP_MKNOD(9) |
vop_readdir | Print directory paths being read by VOP_READDIR(9) |
vop_remove | Print filesystem paths being removed by VOP_REMOVE(9) |
vop_rename | Print filesystem paths being renamed by VOP_RENAME(9) |
vop_rmdir | Print directory paths being removed by VOP_RMDIR(9) |
vop_symlink | Print symlink paths being created by VOP_SYMLINK(9) |
DWATCH_PROFILES_PATH | If DWATCH_PROFILES_PATH is set, dwatch searches for profiles in the colon-separated list of directories in that variable instead of the default ‘/usr/libexec/dwatch:/usr/local/libexec/dwatch’. If set to NULL, profiles are not loaded. |
dwatch on-cpu
List available profiles, one line per profile.
dwatch -1 -Q
Do not execute dtrace(1) but display script on stdout and exit.
dwatch -d fsync
Compile and test but do not execute code generated with given probe.
dwatch -e test_probe
Print argument one being passed to each call of zfs_sync().
dwatch -E 'printf("%i", arg1)' zfs_sync
Watch all functions named ‘read’.
dwatch -f read
Watch all probe traversal.
dwatch -F :
Watch syscall probe traversal.
dwatch -F syscall
Display only processes belonging to wheel super-group.
dwatch -g wheel execve
Display only processes belonging to groups ‘daemon’ or ‘nobody’.
dwatch -g '1|65534' execve
Ignore jails, displaying only base system processes.
dwatch -j 0 execve
Display only processes running inside the jail named ‘myjail’.
dwatch -j myjail execve
Watch syscall traversal by ruby processes.
dwatch -k 'ruby*' -F syscall
Watch syscall traversal by processes containing ‘daemon’ in their name.
dwatch -k '*daemon*' -F syscall
Watch signals being passed to kill(2).
dwatch -X kill
Watch signals being passed between bash(1) and vi(1).
dwatch -k bash -k vi -X kill
Display a list of unique functions available.
dwatch -l -f
List available probes for functions ending in ‘read’.
dwatch -l -f '*read'
List available probes ending in "read".
dwatch -l -r 'read$'
Display a list of unique providers.
dwatch -l -P
Watch paths being removed by VOP_REMOVE(9).
dwatch -X vop_remove
Watch the name ‘read’ instead of the function ‘read’. The dwatch selection algorithm will commonly favor the function named ‘read’ when not given a type (using '
dwatch -n read
Display the first process to call kill(2) and then exit.
dwatch -N 1 kill
Watch processes forked by pid 1234.
dwatch -p 1234 execve
Watch processes forked by either pid 1234 or pid 5678.
dwatch -p '1234|5678' execve
Watch the provider ‘random’ instead of the function ‘random’. The dwatch selection algorithm will commonly favor the function named ‘random’ when not given a type (using '
dwatch -P random
Display available profiles matching ‘vop’.
dwatch -Q -r vop
Watch VOP_LOOKUP(9) paths containing ‘/lib/’.
dwatch -r /lib/ -X vop_lookup
Show process tree for each command as it is executed.
dwatch -R execve
Watch processes forked by pid 1234 or children thereof.
dwatch -R -p 1234 execve
Display processes calling write(2) with "nbytes" less than 10.
dwatch -t 'arg2<10' -E 'printf("%d",arg2)' write
Display write(2) buffer when "execname" is not ‘dtrace’ and "nbytes" is less than 10.
dwatch -X write -t 'execname != "dtrace" && this->nbytes < 10'
Watch ‘statfs’ for 5 minutes and exit.
dwatch -T 5m statfs
Display only processes belonging to the root super-user.
dwatch -u root execve
Display only processes belonging to users ‘daemon’ or ‘nobody’.
dwatch -u '1|65534' execve
Print version and exit.
dwatch -V
View the first 100 scheduler preemptions.
dwatch -y -N 100 preempt | less -R
Display processes matching either "mkdir" or "rmdir".
dwatch -z '(mk|rm)dir' execve
Run a command and watch network activity only while that command runs.
dwatch -X tcp -- -c "nc -zvw10 google.com 22"
Watch open(2) and openat(2) calls only while pid 1234 is active.
dwatch -X open -- -p 1234
Watch probe traversal for a given command. Note that "-c true" is passed to dtrace(1) since it appears after the dwatch probe argument.
dwatch -F 'pid$target:::entry' -c true
DWATCH (1) | February 9, 2018 |