dtrace a user process which will run in future
There is a user process-1 which can 'exec' a second process-2. Can I dtrace this second process-2 when I don't know when it might be created. I can't use both '-p' and '-c' option with dtrace script without knowing the pid and don't want to exec the process manually.
Using the PID provider I get a namespace error (function not belonging to the process 1). I tried "::functio_name:entry /execname == "process-2"/ {}, but this doesn't compile for userspace programs.
Thanks for any pointers.
I think this post can help you. You need 2 DTrace scripts:
(1) The first script is used to track when the process-2 is started. Once it begins to run, start another script to trace process-2:
# cat followfork.d
proc:::start
/ppid == $target/
{
stop();
printf("fork %d\\n", pid);
system("dtrace -qs child.d -p %d", pid);
}
(2) The second script traces focused functions:
# cat child.d
pid$target::function_name:entry
{
......
}
You can also refer related discussions on DTrace mailing list:
How to trace libc module of both parent andchild processes?
When a process is stopped by stop() action, when and how does the process is restarted?
BTW, you can also refer Sergey Klyaus's Dynamic Tracing with DTrace & SystemTap to check which probes should be used in process creation:
- Why iosnoop (IO snooping files on disk) returns paths with question marks?
- How is my binary able to write to the stdout without a system call recorded by dtruss?
- How to generate flamegraphs from macOS process samples?
- DTrace on Ubuntu, how-to?
- How can I get dtrace to run the traced command with non-root priviledges?
- How to trace java application in "dtrace style"?
- No output from iosnoop (dtrace) until application is killed
- DTrace report uncorrect value when I tracing "malloc:return" in MacOS
- dtrace errors out with incorrect type for thread_t on macOS 12.2.1
- recording `open` syscalls on mac
- How to supply multi line command to subprocess.Popen?
- DTraceAsmProfiler of JMH fails with '[sudo: a password is required' on Mac
- Mac OSX: Using dtruss?
- Getting BPF programs working with USDT probes (Dtrace) in Linux
- Can you compare values across probes in a multi-CPU safe way in DTrace?
- Compiling erlang with systemtap but require dtrace
- Is it possible to conceal a OS X app from DTrace?
- How to get memory usage high water mark on OSX
- Java method direct invocation vs single element loop invocation
- iosnoop, iotop, opensnoop, execsnoop, opensnoop, dtruss and other dtrace based commands don't work on osx El capitan, macOS Sierra
- DTrace: how to print out memory buffers
- macOS & dyld: Symbol not found: _usdt_create_provider
- Why are there not any execve calls in my dtruss trace?
- how to use Dtrace to check malloc on Solaris 10?
- How does `dtrace` probe memory allocations (Mac OS)
- Cannot change permissions for dtrace on MacOS
- Interpret dtruss output like “psynch_cvwait(...) = -1 Err#316”
- Difficulty showing TCP information with dtrace on osx
- Dtruss not showing mmap/sbrk calls?
- How to learn about kernel variables for DTrace?