cddl/contrib/dtracetoolkit/Examples/oneliners_examples.txt


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307

#
#   DTrace OneLiners Examples
#

### New processes with arguments,
  
# dtrace -n 'proc:::exec-success { trace(curpsinfo->pr_psargs); }'
dtrace: description 'proc:::exec-success ' matched 1 probe
CPU     ID                    FUNCTION:NAME
  0   3297         exec_common:exec-success   man ls
  0   3297         exec_common:exec-success   sh -c cd /usr/share/man; tbl /usr/share/man/man1/ls.1 |neqn /usr/share/lib/pub/
  0   3297         exec_common:exec-success   tbl /usr/share/man/man1/ls.1
  0   3297         exec_common:exec-success   neqn /usr/share/lib/pub/eqnchar -
  0   3297         exec_common:exec-success   nroff -u0 -Tlp -man -
  0   3297         exec_common:exec-success   col -x
  0   3297         exec_common:exec-success   sh -c trap '' 1 15; /usr/bin/mv -f /tmp/mpzIaOZF /usr/share/man/cat1/ls.1 2> /d
  0   3297         exec_common:exec-success   /usr/bin/mv -f /tmp/mpzIaOZF /usr/share/man/cat1/ls.1
  0   3297         exec_common:exec-success   sh -c more -s /tmp/mpzIaOZF
  0   3297         exec_common:exec-success   more -s /tmp/mpzIaOZF


### Files opened by process,
 
# dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0)); }'
dtrace: description 'syscall::open*:entry ' matched 2 probes
CPU     ID                    FUNCTION:NAME
  0     14                       open:entry gnome-netstatus- /dev/kstat
  0     14                       open:entry man /var/ld/ld.config
  0     14                       open:entry man /lib/libc.so.1
  0     14                       open:entry man /usr/share/man/man.cf
  0     14                       open:entry man /usr/share/man/windex
  0     14                       open:entry man /usr/share/man/man1/ls.1
  0     14                       open:entry man /usr/share/man/man1/ls.1
  0     14                       open:entry man /tmp/mpqea4RF
  0     14                       open:entry sh /var/ld/ld.config
  0     14                       open:entry sh /lib/libc.so.1
  0     14                       open:entry neqn /var/ld/ld.config
  0     14                       open:entry neqn /lib/libc.so.1
  0     14                       open:entry neqn /usr/share/lib/pub/eqnchar
  0     14                       open:entry tbl /var/ld/ld.config
  0     14                       open:entry tbl /lib/libc.so.1
  0     14                       open:entry tbl /usr/share/man/man1/ls.1
  0     14                       open:entry nroff /var/ld/ld.config
[...]


### Syscall count by program,
 
# dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry ' matched 228 probes
^C
  snmpd                                                             1
  utmpd                                                             2
  inetd                                                             2
  nscd                                                              7
  svc.startd                                                       11
  sendmail                                                         31
  poold                                                           133
  dtrace                                                         1720


### Syscall count by syscall,
 
# dtrace -n 'syscall:::entry { @num[probefunc] = count(); }'
dtrace: description 'syscall:::entry ' matched 228 probes
^C
  fstat                                                             1
  setcontext                                                        1
  lwp_park                                                          1
  schedctl                                                          1
  mmap                                                              1
  sigaction                                                         2
  pset                                                              2
  lwp_sigmask                                                       2
  gtime                                                             3
  sysconfig                                                         3
  write                                                             4
  brk                                                               6
  pollsys                                                           7
  p_online                                                        558
  ioctl                                                           579


### Syscall count by process,
 
# dtrace -n 'syscall:::entry { @num[pid,execname] = count(); }'
dtrace: description 'syscall:::entry ' matched 228 probes
^C
     1109  svc.startd                                                        1
     4588  svc.startd                                                        2
        7  svc.startd                                                        2
     3950  svc.startd                                                        2
     1626  nscd                                                              2
      870  svc.startd                                                        2
       82  nscd                                                              6
     5011  sendmail                                                         10
     6010  poold                                                            74
     8707  dtrace                                                         1720


### Read bytes by process,
  
# dtrace -n 'sysinfo:::readch { @bytes[execname] = sum(arg0); }'
dtrace: description 'sysinfo:::readch ' matched 4 probes
^C
 
  mozilla-bin                                                      16
  gnome-smproxy                                                    64
  metacity                                                         64
  dsdm                                                             64
  wnck-applet                                                      64
  xscreensaver                                                     96
  gnome-terminal                                                  900
  ttymon                                                         5952
  Xorg                                                          17544
 

### Write bytes by process,
 
# dtrace -n 'sysinfo:::writech { @bytes[execname] = sum(arg0); }'
dtrace: description 'sysinfo:::writech ' matched 4 probes
^C

  dtrace                                                            1
  gnome-settings-d                                                  8
  xscreensaver                                                      8
  gnome-panel                                                       8
  nautilus                                                          8
  date                                                             29
  wnck-applet                                                     120
  bash                                                            210
  mozilla-bin                                                    1497
  ls                                                             1947
  metacity                                                       3172
  Xorg                                                           7424
  gnome-terminal                                                51955


### Read size distribution by process,
 
# dtrace -n 'sysinfo:::readch { @dist[execname] = quantize(arg0); }'
dtrace: description 'sysinfo:::readch ' matched 4 probes
^C
[...]
  gnome-terminal
           value  ------------- Distribution ------------- count
              16 |                                         0
              32 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@   15
              64 |@@@                                      1
             128 |                                         0
 
  Xorg
           value  ------------- Distribution ------------- count
              -1 |                                         0
               0 |@@@@@@@@@@@@@@@@@@@                      26
               1 |                                         0
               2 |                                         0
               4 |                                         0
               8 |@@@@                                     6
              16 |@                                        2
              32 |@                                        2
              64 |                                         0
             128 |@@@@@@@@                                 11
             256 |@@@                                      4
             512 |                                         0


### Write size distribution by process,
 
# dtrace -n 'sysinfo:::writech { @dist[execname] = quantize(arg0); }'
dtrace: description 'sysinfo:::writech ' matched 4 probes
^C
[...]
  Xorg
           value  ------------- Distribution ------------- count
              16 |                                         0
              32 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@       169
              64 |@@@                                      16
             128 |@@                                       10
             256 |                                         0
 
  gnome-terminal
           value  ------------- Distribution ------------- count
               0 |                                         0
               1 |@@                                       6
               2 |                                         0
               4 |                                         0
               8 |                                         1
              16 |@                                        2
              32 |@@@                                      7
              64 |                                         0
             128 |@@@@@@@@@@@@@@@@@@@@@@@                  63
             256 |@@@@                                     10
             512 |                                         1
            1024 |@@@@@                                    13
            2048 |@                                        2
            4096 |@@@                                      7


### Disk size by process,
  
# dtrace -n 'io:::start { printf("%d %s %d",pid,execname,args[0]->b_bcount); }'
  0   3271              bdev_strategy:start 16459 tar 1024
  0   3271              bdev_strategy:start 16459 tar 1024
  0   3271              bdev_strategy:start 16459 tar 2048
  0   3271              bdev_strategy:start 16459 tar 1024
  0   3271              bdev_strategy:start 16459 tar 1024
  0   3271              bdev_strategy:start 16459 tar 1024
  0   3271              bdev_strategy:start 16459 tar 8192
  0   3271              bdev_strategy:start 16459 tar 8192
  0   3271              bdev_strategy:start 16459 tar 16384
  0   3271              bdev_strategy:start 16459 tar 2048
  0   3271              bdev_strategy:start 16459 tar 1024
  0   3271              bdev_strategy:start 16459 tar 1024


### Pages paged in by process,
 
# dtrace -n 'vminfo:::pgpgin { @pg[execname] = sum(arg0); }'
dtrace: description 'vminfo:::pgpgin ' matched 1 probe
^C
 
  ttymon                                                            1
  bash                                                              1
  mozilla-bin                                                      36
  tar                                                            6661


### Minor faults by process,
  
# dtrace -n 'vminfo:::as_fault { @mem[execname] = sum(arg0); }'
dtrace: description 'vminfo:::as_fault ' matched 1 probe
^C
 
  mozilla-bin                                                      18
  dtrace                                                           57
  find                                                             64
  bash                                                            150
  tar                                                             501


### Interrupts by CPU,
 
# dtrace -n 'sdt:::interrupt-start { @num[cpu] = count(); }'
dtrace: description 'sdt:::interrupt-start ' matched 1 probe
^C
 
      513                2
      515                4
        3               39
        2               39


### New processes with arguments and time,
 
# dtrace -qn 'syscall::exec*:return { printf("%Y %s\n",walltimestamp,curpsinfo->pr_psargs); }'
2005 Apr 25 19:15:09 man ls
2005 Apr 25 19:15:09 sh -c cd /usr/share/man; tbl /usr/share/man/man1/ls.1 |...
2005 Apr 25 19:15:09 neqn /usr/share/lib/pub/eqnchar -
2005 Apr 25 19:15:09 tbl /usr/share/man/man1/ls.1
2005 Apr 25 19:15:09 nroff -u0 -Tlp -man -
2005 Apr 25 19:15:09 col -x
2005 Apr 25 19:15:10 sh -c trap '' 1 15; /usr/bin/mv -f /tmp/mpRZaqTF /usr/s...
2005 Apr 25 19:15:10 /usr/bin/mv -f /tmp/mpRZaqTF /usr/share/man/cat1/ls.1
2005 Apr 25 19:15:10 sh -c more -s /tmp/mpRZaqTF
2005 Apr 25 19:15:10 more -s /tmp/mpRZaqTF
[...]


### Successful signal details,
  
# dtrace -n 'proc:::signal-send /pid/ { printf("%s -%d %d",execname,args[2],args[1]->pr_pid); }'
dtrace: description 'proc:::signal-send ' matched 1 probe
CPU     ID                    FUNCTION:NAME
  0   3303            sigtoproc:signal-send bash -15 16442
  0   3303            sigtoproc:signal-send bash -9 16443
^C


### Kernel function calls by module,

# dtrace -n 'fbt:::entry { @calls[probemod] = count(); }'
dtrace: description 'fbt:::entry ' matched 18437 probes
^C

  devfs                                                             2
  ptm                                                               2
  ipf                                                               5
  pts                                                               5
  ttcompat                                                          9
  ptem                                                              9
  ldterm                                                           23
  ipgpc                                                            24
  ufs                                                              24
  ata                                                              25
  sockfs                                                           27
  gld                                                              32
  rtls                                                             34
  flowacct                                                         38
  specfs                                                           50
  ip                                                               84
  TS                                                               92
  uhci                                                            101
  uppc                                                           1758
  unix                                                           6347
  genunix                                                       10023