MAC OS 内核跟踪监视工具dtrace 使用示例说明
//
syscall
dtrace -ln 'syscall::write*:' //显示可使用的probe
dtrace -ln 'syscall::*read*:entry' //显示可使用的probe
dtrace -n 'syscall::write:entry {@dist[execname] = quantize(arg0)}' //之后CTRL+C
dtrace -n 'syscall::socket:entry {@dist[execname] = quantize(arg0)}' //之后CTRL+C
dtrace -n 'syscall:::entry { @sc[execname, probefunc] = count(); }' #dtrace -n 'syscall:::entry'
dtrace -n 'syscall::open:entry { printf("%s %s", execname, copyinstr(arg0)); }'
dtrace -n 'syscall::fork*: { trace(pid); }'
dtrace -n 'syscall::exec*: { trace(execname); }'
Showing Read Byte Distributions by Process
dtrace -n 'syscall::read:return { @[execname] = quantize(arg0); }'
一秒打印一次进程数
dtrace -n 'profile-997 { @[execname] = count(); } tick-1s { printa(@); trunc(@); }'
Most function calls will return from the same thread that they enter,6 so a thread- local variable can be used to associate these events. Here a time stamp is saved on the write(2) entry so that the time can be calculated on return:
dtrace -n 'syscall::write:entry { self->s = timestamp; } syscall::write:return /self->s/
syscall Provider
dtrace -n 'syscall:::entry { @[probefunc] = count(); }'
Which processes are executing the most system calls?
dtrace -n 'syscall:::entry { @[pid, execname] = count(); }'
What system calls are a given process name executing (for example, firefox-bin)?
dtrace -n 'syscall:::entry /execname == "firefox"/ { @[probefunc] = count(); }'
dtrace -qn 'syscall::read:entry,syscall::write:entry /fds[arg0].fi_fs == "sockfs"/ { @[probefunc] = sum(arg2); } tick-1sec { printa(@); trunc(@); }' #暂无打印
dtrace -n 'syscall::read:entry,syscall::write:entry /execname == "firefox" && fds[arg0].fi_fs == "sockfs"/ { @[execname,pid] = count(); }' #暂无打印
/
指定进程的MALLOC调用情况
dtrace -n 'pid$target::malloc:entry { @[ustack()] = quantize(arg0); }' -p 513
//
Disk I/O
dtrace -n 'io:::start { @[execname, pid] = count(); }'
bash-3.2# dtrace -qn 'syscall:::entry /execname == "firefox"/
{ @[pid, probefunc] = count(); } END { trunc(@, 10); printa(@); }'
dtrace -n 'syscall::pread*:entry,syscall::pwrite*:entry /execname == "java"/
{ @[fds[arg0].fi_fs] = count(); }'
dtrace -n 'syscall::pread*:entry,syscall::pwrite*:entry /execname == "java"/
{ @[fds[arg0].fi_pathname] = count(); }'
/
Memory
Tracking process user stack sizes:
Tracking which processes are growing their address space heap segment:
Tracking memory page faults by process name:
dtrace -n 'vminfo:::as_fault { @mem[execname] = sum(arg0); }'
Tracking pages paged in by process name:
dtrace -n 'vminfo:::pgpgin { @pg[execname] = sum(arg0); }'
Tracking pages paged out by process name:
dtrace -n 'vminfo:::pgpgout { @pg[execname] = sum(arg0); }'
sched Provider
dtrace -n 'sched:::on-cpu { @[pid, execname] = count(); }'
Tracking process user stack sizes:
dtrace -n 'sched:::on-cpu { @[execname] = max(curthread->t_procp->p_stksize);}'
Tracking which processes are growing their address space heap segment:
dtrace -n 'fbt::brk:entry { @mem[execname] = count(); }'
fbt Provider
Tracking which processes are growing their address space stack segment:
dtrace -n 'fbt::grow:entry { @mem[execname] = count(); }'
///
I/O
Which processes are executing common I/O system calls?
dtrace -n 'syscall::*read:entry,syscall::*write:entry { @rw[execname,probefunc] =
count(); }'
Which file system types are targeted for reads and writes?
dtrace -n 'syscall::*read:entry,syscall::*write:entry { @fs[execname, probefunc,fds[arg0].fi_fs] = count(); }'
Which files are being read, and by which processes?
dtrace -n 'syscall::*read:entry { @f[execname, fds[arg0].fi_pathname] = count(); }'
Which files are being written, and by which processes?
dtrace -n 'syscall::*write:entry { @f[execname, fds[arg0].fi_pathname] = count(); }'
Which processes are generating network I/O (Solaris)?
dtrace -n 'fbt:sockfs::entry { @[execname, probefunc] = count(); }' #暂时无法使用
What is the rate of disk I/O being issued?
dtrace -n 'io:::start { @io = count(); } tick-1sec { printa("Disk I/Os per second: %@d \n", @io); trunc(@io); }'