public inbox for systemtap@sourceware.org
From: Mark Wielaard <mjw@redhat.com>
To: "Bruno G. Sousa" <brgsousa@gmail.com>
Cc: systemtap@sourceware.org
Subject: Re: monitoring files opened/closed by a process
Date: Sat, 27 Jun 2009 21:29:00 -0000
Message-ID: <1246138142.2583.154.camel@hermans.wildebeest.org>
In-Reply-To: <24230120.post@talk.nabble.com>

Hi Bruno,

On Fri, 2009-06-26 at 20:20 -0700, Bruno G. Sousa wrote:
> now I need to monitor strings that are being written to files by certain
> process.
> [...]
> probe syscall.write.return
> {
>   if (pid() == target()) {
>     printf("%s(%d) wrote %s\n", execname(),pid(),"something")
>   }
> }

So the syscall.write probe (like all syscall probes) also makes
available the variable 'argstr'. This contains a string representation
of the syscall arguments (it also, as all other syscall probes, defines
the variable name, which is the name of the syscall). So to get
most information about such a syscall you can do something like:

probe syscall.write
{
  if (pid() == target())
    {
      printf("%s(%d) %s: %s\n", execname(), pid(), name, argstr)
    }
}

You want this at the syscall.write.return. return does make available
the retstr, which gives you a string representation of the return
value. Since you don't have the argstr (nor the buf_uaddr) that the
syscall call probe defines, you will have to construct something
yourself. Look in tapset/syscalls2.stp, where you can see syscall.write
makes available buf_uaddr (a pointer to a buffer into user space), that
is then used with (see string.stp) the user_string() function, which
fetches the string (up to a MAXSTRINGLEN), and the text_str() function,
which escapes any non-printable characters. You can do the same in the
return probe. But you will have to use the source variable name $buf.
You can use the special return probe value $return to get the number of
bytes written:

probe syscall.write.return
{
  if (pid() == target())
    {
      printf("%s(%d) wrote %s\n", execname(), pid(),
             text_str(user_string_n($buf, $return)));
    }
}

(Sidenote, the $buf variable is actually read at the syscall entry call,
and then cached for use in the return probe. This doesn't matter in this
case, but might surprise you if the variable used is changed in the
function you probe. At least it surprised me.)

Hope that helps,

Mark
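
Added example, not part of Mark's message: a variant of the return probe above that records the buffer address and file descriptor at syscall entry in per-thread arrays, so the entry-time capture the sidenote describes is explicit, and that handles failed writes separately. The array names wbuf and wfd are assumptions; buf_uaddr, $return, retstr, user_string_n() and text_str() are the ones named in the message, and fd is a variable the syscall.write tapset probe provides.

```systemtap
# Added example. Run with: stap -x PID script.stp  (or stap -c 'command' script.stp)
global wbuf   # tid -> user-space buffer address seen at write() entry
global wfd    # tid -> file descriptor seen at write() entry

probe syscall.write
{
  if (pid() == target())
    {
      # Record the entry arguments explicitly, keyed by thread id.
      wbuf[tid()] = buf_uaddr
      wfd[tid()] = fd
    }
}

probe syscall.write.return
{
  # Only handle returns for which the entry probe recorded something.
  if (!(tid() in wbuf))
    next

  if ($return > 0)
    {
      # $return is the number of bytes actually written.
      # user_string_n() stops at the first NUL byte and at MAXSTRINGLEN,
      # so binary or very long writes are shown truncated.
      printf("%s(%d) fd=%d wrote %d bytes: %s\n", execname(), pid(),
             wfd[tid()], $return,
             text_str(user_string_n(wbuf[tid()], $return)))
    }
  else
    {
      # Failed or zero-length write: retstr holds the return value as a string.
      printf("%s(%d) fd=%d write returned %s\n", execname(), pid(),
             wfd[tid()], retstr)
    }

  # Drop the per-thread entries so the arrays do not grow without bound.
  delete wbuf[tid()]
  delete wfd[tid()]
}
```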
