1 .\" Copyright (c) 2014-2018 Devin Teske
2 .\" All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
13 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
15 .\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
16 .\" DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
17 .\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
18 .\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
19 .\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
21 .\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
22 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
23 .\" POSSIBILITY OF SUCH DAMAGE.
32 .Nd watch processes as they trigger a particular DTrace probe
35 .Op Fl 1defFmnPqRvVwxy
69 to display process info when a given DTrace probe point is triggered.
70 Only the root user or users with
72 access can run this command.
75 automates the process of generating DTrace scripts to coalesce trace output by
82 Output format without options is:
84 .Dl date/time uid.gid execname[pid]: psargs
91 .Dl INFO Watching 'dtrace:::BEGIN' ...
92 .Dl 2017 May 29 08:23:20 0.0 dtrace[60671]: dtrace -s /dev/stdin
98 to instead coalesce trace output by date/time,
102 Output format with the
106 .Dl date/time uid.gid execname[pid]: {->,<-, |} prov:mod:func:name ...
113 .Dl INFO Watching 'dtrace:::BEGIN' ...
114 .Dl 2017 May 29 21:34:41 0.0 dtrace[86593]: | dtrace:::BEGIN ...
120 to display a process tree containing the parent,
122 and ancestor process info.
124 Output format with the
128 .Dl date/time uid0.gid0 execname[pid0]: psargs0
129 .Dl " -+= pid3 uid3.gid3 psargs3"
130 .Dl " \e\\-+= pid2 uid2.gid2 psargs2"
131 .Dl " \e\\-+= pid1 uid1.gid1 psargs1"
132 .Dl " \e\\-+= pid0 uid0.guid0 psargs0"
139 .Dl INFO Watching 'dtrace:::BEGIN' ...
140 .Dl 2017 May 29 21:38:54 0.0 dtrace[86899]: dtrace -s /dev/stdin
141 .Dl " -+= 86855 604.604 -bash"
142 .Dl " \e\\-+= 86857 604.604 /bin/sh /usr/sbin/dwatch -R BEGIN"
143 .Dl " \e\\-+= 86897 0.0 sudo dtrace -s /dev/stdin"
144 .Dl " \e\\-+= 86899 0.0 dtrace -s /dev/stdin"
146 Of particular interest is the ability to filter using regular expressions.
154 options can be combined with
156 to match on parent process criteria as well as current process info.
163 options apply only to the current process even if
169 option gives the ability to customize probe-specific data.
173 .Dl dwatch -E 'printf("%s", copyinstr(arg0))' chdir
175 displays the path argument sent to
179 Profiles can be written for more complex routines and/or convenience.
180 To list available profiles use the
185 option to use a particular profile.
190 displays arguments sent to
195 argument does not contain colon
204 the probe argument is intelligently mapped to its most-likely value.
207 to see what probes will match a given name.
209 Multiple probes must be given as a single
212 separated by comma and/or whitespace.
213 Any/all arguments following said probes will be passed to
216 .Bl -tag -width "-c count"
218 Print one line per process/profile
219 .Pq Default; disables Ql Fl R .
221 Maximum number of arguments to display
227 script to stdout instead of executing.
229 Exit after compiling request but prior to enabling probes.
236 This allows customization of what is printed after date/time and process info.
238 the name and arguments of the program triggering the probe are shown.
239 Can be specified multiple times.
241 Enable probes matching the specified function names.
243 Coalesce trace output by probe.
246 Only show processes matching
251 regular expression to match a numerical gid.
254 Only show processes matching
258 Only show processes matching
260 Can also be of the format
271 Can be specified multiple times.
273 Maximum directory depth to display
276 List available probes on standard output and exit.
278 Enable probes matching the specified module names.
280 Load profile from DWATCH_PROFILES_PATH.
282 Enable probes matching the specified probe names.
287 .Pq Default 0 for disabled .
299 This can be any valid
302 The environment variables
306 are set for the given
310 Only show processes with matching
316 Enable probe matching the specified provider name.
319 Hide informational messages and all dtrace(1) errors.
321 List available profiles in DWATCH_PROFILES_PATH and exit.
324 Only show blocks matching
330 and ancestor of process.
336 Can be specified multiple times.
346 Only show processes matching
351 regular expression to match a numerical UID.
359 version on standard output and exit.
361 Permit destructive actions
362 .Pq copyout*, stop, panic, etc. .
367 when a probe is triggered.
369 Always treat stdout as console
370 .Pq enable colors/columns/etc. .
372 Only show processes matching
377 Profiles customize the data printed during events.
378 Profiles are loaded from a colon-separated list of directories in
379 .Ev DWATCH_PROFILES_PATH .
380 This is an incomplete list of profiles with basic descriptions:
381 .Bl -tag -width "vop_readdir"
383 Print mode and path from
388 Print non-zero errno results from system calls
390 Print disk I/O details provided by
393 Print IPv4 and IPv6 details provided by
396 Print signal and pid from
399 Print requested time from
406 Print process execution details provided by
409 Print process signal details provided by
412 Print buffer contents from
416 Print CPU scheduling details provided by
419 Print TCP address/port details provided by
422 Print TCP I/O details provided by
425 Print UDP I/O details provided by
428 Print filesystem paths being created by
431 Print filesystem paths being looked-up by
434 Print directory paths being created by
437 Print device node paths being created by
440 Print directory paths being read by
443 Print filesystem paths being removed by
446 Print filesystem paths being renamed by
449 Print directory paths being removed by
452 Print symlink paths being created by
456 These environment variables affect the execution of
458 .Bl -tag -width "DWATCH_PROFILES_PATH"
459 .It Ev DWATCH_PROFILES_PATH
461 .Ev DWATCH_PROFILES_PATH
464 searches for profiles in the colon-separated list of directories in that
465 variable instead of the default
466 .Ql Li /usr/libexec/dwatch:/usr/local/libexec/dwatch .
468 profiles are not loaded.
473 Watch processes entering system CPU scheduler.
474 .Bd -literal -offset indent
478 List available profiles,
479 one line per profile.
480 .Bd -literal -offset indent
486 but display script on stdout and exit.
487 .Bd -literal -offset indent
491 Compile and test but do not execute code generated with given probe.
492 .Bd -literal -offset indent
496 Print argument one being passed to each call of zfs_sync().
497 .Bd -literal -offset indent
498 dwatch -E 'printf("%i", arg1)' zfs_sync
501 Watch all functions named
503 .Bd -literal -offset indent
507 Watch all probe traversal.
508 .Bd -literal -offset indent
512 Watch syscall probe traversal.
513 .Bd -literal -offset indent
517 Display only processes belonging to wheel super-group.
518 .Bd -literal -offset indent
519 dwatch -g wheel execve
522 Display only processes belonging to groups
526 .Bd -literal -offset indent
527 dwatch -g '1|65534' execve
531 displaying only base system processes.
532 .Bd -literal -offset indent
536 Display only processes running inside the jail named
538 .Bd -literal -offset indent
539 dwatch -j myjail execve
542 Watch syscall traversal by ruby processes.
543 .Bd -literal -offset indent
544 dwatch -k 'ruby*' -F syscall
547 Watch syscall traversal by processes containing
550 .Bd -literal -offset indent
551 dwatch -k '*daemon*' -F syscall
554 Watch signals being passed to
556 .Bd -literal -offset indent
560 Watch signals being passed between
564 .Bd -literal -offset indent
565 dwatch -k bash -k vi -X kill
568 Display a list of unique functions available.
569 .Bd -literal -offset indent
573 List available probes for functions ending in
575 .Bd -literal -offset indent
579 List available probes ending in
581 .Bd -literal -offset indent
585 Display a list of unique providers.
586 .Bd -literal -offset indent
590 Watch paths being removed by
592 .Bd -literal -offset indent
598 instead of the function
602 selection algorithm will commonly favor the function named
604 when not given a type
605 .Pq using So Fl P Sc , So Fl m Sc , So Fl f Sc , or So Fl n Sc
606 because there are more probes matching the function named
611 .Bd -literal -offset indent
615 Display the first process to call
618 .Bd -literal -offset indent
622 Watch processes forked by pid 1234.
623 .Bd -literal -offset indent
624 dwatch -p 1234 execve
627 Watch processes forked by either pid 1234 or pid 5678.
628 .Bd -literal -offset indent
629 dwatch -p '1234|5678' execve
634 instead of the function
638 selection algorithm will commonly favor the function named
640 when not given a type
641 .Pq using So Fl P Sc , So Fl m Sc , So Fl f Sc , or So Fl n Sc
642 because there are more probes matching the function named
644 than probes matching the provider named
646 .Bd -literal -offset indent
650 Display available profiles matching
652 .Bd -literal -offset indent
660 .Bd -literal -offset indent
661 dwatch -r /lib/ -X vop_lookup
664 Show process tree for each command as it is executed.
665 .Bd -literal -offset indent
669 Watch processes forked by pid 1234 or children thereof.
670 .Bd -literal -offset indent
671 dwatch -R -p 1234 execve
674 Display processes calling
679 .Bd -literal -offset indent
680 dwatch -t 'arg2<10' -E 'printf("%d",arg2)' write
692 .Bd -literal -offset indent
693 dwatch -X write -t 'execname != "dtrace" && this->nbytes < 10'
698 for 5 minutes and exit.
699 .Bd -literal -offset indent
703 Display only processes belonging to the root super-user.
704 .Bd -literal -offset indent
705 dwatch -u root execve
708 Display only processes belonging to users
712 .Bd -literal -offset indent
713 dwatch -u '1|65534' execve
716 Print version and exit.
717 .Bd -literal -offset indent
721 View the first 100 scheduler preemptions.
722 .Bd -literal -offset indent
723 dwatch -y -N 100 preempt | less -R
726 Display processes matching either
730 .Bd -literal -offset indent
731 dwatch -z '(mk|rm)dir' execve
734 Run a command and watch network activity only while that command runs.
735 .Bd -literal -offset indent
736 dwatch -X tcp -- -c "nc -zvw10 google.com 22"
743 calls only while pid 1234 is active.
744 .Bd -literal -offset indent
745 dwatch -X open -- -p 1234
748 Watch probe traversal for a given command.
753 since it appears after the
756 .Bd -literal -offset indent
757 dwatch -F 'pid$target:::entry' -c true
766 .An Devin Teske Aq Mt dteske@FreeBSD.org