#!/bin/sh
#
# rwsnoop - snoop read/write events.
# Originally written using DTrace (Solaris 10 3/05).
#
# This is measuring reads and writes at the application level. This matches
# the syscalls read, and write.
#
# $Id: rwsnoop,v 1.1.1.1 2015/09/30 22:01:06 christos Exp $
#
# USAGE: rwsnoop [-jPtvZ] [-n name] [-p pid]
#
# rwsnoop # default output
#
# -P # print parent process ID
# -t # print timestamp, us
# -v # print time, string
# -J # print jail ID
# -n name # this process name only
# -p PID # this PID only
# eg,
# rwsnoop -J # print jail ID
# rwsnoop -n bash # monitor processes named "bash"
# rwsnoop > out.txt # recommended
#
# NOTE:
# rwsnoop usually prints plenty of output, which itself will cause
# more output. It can be better to redirect the output of rwsnoop
# to a file to prevent this.
#
# FIELDS:
# TIME Timestamp, us
# TIMESTR Time, string
# JAIL JAIL ID
# UID User ID
# PID Process ID
# PPID Parent Process ID
# CMD Process name
# D Direction, Read or Write
# BYTES Total bytes during sample, -1 for error
# FILE Filename, if file based
#
# Reads and writes that are not file based, for example with sockets, will
# print "<unknown>" as the filename.
#
# SEE ALSO: rwtop
#
# COPYRIGHT: Copyright (c) 2005 Brendan Gregg.
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License"). You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at Docs/cddl1.txt
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# CDDL HEADER END
#
# TODO:
# Track readv and writev.
#
# Author: Brendan Gregg [Sydney, Australia]
#
# 24-Jul-2005 Brendan Gregg Created this.
# 17-Sep-2005 " " Increased switchrate.
# 17-Sep-2005 " " Last update.
# 26-Jul-2014 George Neville-Neil Port to FreeBSD
#
##############################
# --- Process Arguments ---
#
### default variables
opt_name=0; opt_pid=0; opt_jailid=0; opt_time=0; opt_timestr=0
opt_bytes=1; filter=0; pname=.; pid=0; opt_ppid=0;
### process options
while getopts n:Pp:jtvZ name
do
case $name in
n) opt_name=1; pname=$OPTARG ;;
p) opt_pid=1; pid=$OPTARG ;;
P) opt_ppid=1 ;;
t) opt_time=1 ;;
v) opt_timestr=1 ;;
J) opt_jailid=1 ;;
h|?) cat <<-END >&2
USAGE: rwsnoop [-jPtvZ] [-n name] [-p pid]
-P # print parent process ID
-t # print timestamp, us
-v # print time, string
-J # print jail ID
-n name # this process name only
-p PID # this PID only
eg,
rwsnoop # default output
rwsnoop -J # print jail ID
rwsnoop -n bash # monitor processes named "bash"
END
exit 1
esac
done
shift $(( $OPTIND - 1 ))
### option logic
if [ $opt_name -ne 0 ]; then
filter=1
fi
if [ $opt_pid -ne 0 ]; then
filter=1
fi
#################################
# --- Main Program, DTrace ---
#
/usr/sbin/dtrace -n '
/*
* Command line arguments
*/
inline int OPT_jailid = '$opt_jailid';
inline int OPT_bytes = '$opt_bytes';
inline int OPT_name = '$opt_name';
inline int OPT_ppid = '$opt_ppid';
inline int OPT_pid = '$opt_pid';
inline int OPT_time = '$opt_time';
inline int OPT_timestr = '$opt_timestr';
inline int FILTER = '$filter';
inline int PID = '$pid';
inline string NAME = "'$pname'";
#pragma D option quiet
#pragma D option switchrate=10hz
/*
* Print header
*/
dtrace:::BEGIN
{
/* print header */
OPT_time ? printf("%-14s ", "TIME") : 1;
OPT_timestr ? printf("%-20s ", "TIMESTR") : 1;
OPT_jailid ? printf("%5s ", "JAILID") : 1;
OPT_ppid ? printf("%6s ", "PPID") : 1;
printf("%5s %6s %-12s %4s %1s %7s\n",
"UID", "PID", "CMD", "FD", "D", "BYTES");
}
/*
* Check event is being traced
*/
syscall::*read:entry,
syscall::*write:entry
/pid != $pid/
{
/* default is to trace unless filtering, */
self->ok = FILTER ? 0 : 1;
/* check each filter, */
(OPT_name == 1 && NAME == execname)? self->ok = 1 : 1;
(OPT_pid == 1 && PID == pid) ? self->ok = 1 : 1;
/* save file descriptor */
self->fd = self->ok ? arg0 : 0;
}
/*
* Save read details
*/
syscall::*read:return
/self->ok/
{
self->rw = "R";
self->size = arg0;
}
/*
* Save write details
*/
syscall::*write:entry
/self->ok/
{
self->rw = "W";
self->size = arg2;
}
/*
* Process event
*/
syscall::*read:return,
syscall::*write:entry
/self->ok/
{
/*
* Fetch filename
* XXX Not yet implemented.
*/
/*
this->filistp = curthread->t_procp->p_user.u_finfo.fi_list;
this->ufentryp = (uf_entry_t *)((uint64_t)this->filistp +
(uint64_t)self->fd * (uint64_t)sizeof(uf_entry_t));
this->filep = this->ufentryp->uf_file;
this->vnodep = this->filep != 0 ? this->filep->f_vnode : 0;
self->vpath = this->vnodep ? (this->vnodep->v_path != 0 ?
cleanpath(this->vnodep->v_path) : "<unknown>") : "<unknown>";
*/
/*
* Print details
*/
OPT_time ? printf("%-14d ", timestamp / 1000) : 1;
OPT_timestr ? printf("%-20Y ", walltimestamp) : 1;
OPT_jailid ? printf("%5d ", curpsinfo->pr_jailid) : 1;
OPT_ppid ? printf("%6d ", ppid) : 1;
printf("%5d %6d %-12.12s %4d %1s %7d\n",
uid, pid, execname, self->fd, self->rw, (int)self->size);
self->ok = 0;
self->fd = 0;
self->rw = 0;
self->size = 0;
self->vpath = 0;
}
'