monitoring files opened/closed by a process

I am trying to write a stap script that:
list the activities of opening and closing files made by a given process (showing time and files being open/close)

How it should be?

Have looked at http://sourceware.org/systemtap/examples/io/ 
iostats.stp ??

I guess it nearly does what you Need.


Greets, malte



Am 26.06.2009 um 23:12 schrieb "Bruno G. Sousa" <brgsousa@...>:

thanks!
i got it working!

now I need to monitor strings that are being written to files by certain process.
wrote this till now:
probe begin
{
  printf("STARTEDn")
}

probe syscall.write.return
{
  if (pid() == target()) {
    printf("%s(%d) wrote %s\n", execname(),pid(),"something")
  }
}

Malte Nuhn wrote:

Have looked at http://sourceware.org/systemtap/examples/io/ 
iostats.stp ??

I guess it nearly does what you Need.


Greets, malte



Am 26.06.2009 um 23:12 schrieb "Bruno G. Sousa" <brgsousa@gmail.com>:

>
> I am trying to write a stap script that:
> list the activities of opening and closing files made by a given  
> process
> (showing time and files being open/close)
>
> How it should be?
> --
> View this message in context: http://www.nabble.com/monitoring-files-opened-closed-by-a-process-tp24227355p24227355.html
> Sent from the Sourceware - systemtap mailing list archive at Nabble.com
> .
>

Hi Bruno,

On Fri, 2009-06-26 at 20:20 -0700, Bruno G. Sousa wrote:
> now I need to monitor strings that are being written to files by certain
> process.
> [...]
> probe syscall.write.return
> {
>   if (pid() == target()) {
>     printf("%s(%d) wrote %s\n", execname(),pid(),"something")
>   }
> }

So the syscall.write probe (like all syscall probes) also makes
available the variable 'argstr'. This contains a string representation
of the syscall arguments (it also, as all other syscall probes, defines
the variable name, which is the name of the syscall). So you can get
most information about such a syscall you can do something like:

probe syscall.write
{
  if (pid() == target())
    {
      printf("%s(%d) %s: %s\n", execname(), pid(), name, argstr)
    }
}

You want this at the syscall.write.return. return does make available
the retstr, which gives you are string representation of the return
value. Since you don't have the argstr (nor the buf_uaddr) that the
syscall call probe defines, you will have to construct something
yourself. Look in tapset/syscalls2.stp, where you can see syscall.write
makes available buf_uaddr (a pointer to a buffer into user space), that
is then used with (see string.stp) the user_string() function, which
fetches the string (up to a MAXSTRINGLEN), and the text_str() function,
which escapes any non-printable characters. You can do the same in the
return probe. But you will have to use the source variable name $buf.
You can use the special return probe value $return to get the number of
bytes written:

probe syscall.write.return
{
  if (pid() == target())
    {
      printf("%s(%d) wrote %s\n", execname(), pid(),
             text_str(user_string_n($buf, $return)));
    }
}

(Sidenote, the $buf variable is actually read at the syscall entry call,
and then cached for use in the return probe. This doesn't matter in this
case, but might surprise you if the variable used is changed in the
function you probe. At least it surprised me.)

Hope that helps,

Mark

On Mon, 2009-06-29 at 10:14 +0800, tgh wrote:
> What is version of kernal do you use for this scripts,

2.6.29.5-191.fc11.x86_64

> I try it , error

What is the error you are seeing?

I have subcribe systemtap mail list, but I can only receive mail, could not send mail to list, what is the reason ,


-----邮件原件-----
发件人: Mark Wielaard [mailto:mjw@...]
发送时间: 2009年6月29日 14:04
收件人: tgh
抄送: 'Bruno G. Sousa'; systemtap@...
主题: Re: 答复: monitoring files opened/closed by a process

On Mon, 2009-06-29 at 10:14 +0800, tgh wrote:
> What is version of kernal do you use for this scripts,

2.6.29.5-191.fc11.x86_64

> I try it , error

What is the error you are seeing?

On Mon, 2009-06-29 at 15:54 +0800, tgh wrote:
> I have subcribe systemtap mail list, but I can only receive mail,
> could not send mail to list, what is the reason ,

This message did get through to the list.

You previous message had:
> Content-type: text/plain; charset="gb2312"
> Content-language: zh-cn
That might have confused the mailinglist software.
It might only expect English language messages.

Cheers,

Mark

Hi
        I hear that linux2.6 has support to get the information about each process resource usage information, e.g., cpu usage or memory usage,
        I want to know how to get this information with systemtap, could some one give me an example, or where is example for it,

        Could you help me

Thank you in advance

Hi
        Does systemtap support cache miss instrumentation ? how to get it

thanks

tgh wrote:
> Hi
> Does systemtap support cache miss instrumentation ? how to get it
>
> thanks
>

You mean the processor's L1/L2/L3 cache? SystemTap doesn't have access to the
performance monitoring hardware on the processors. You might look at the
Performance Counters for Linux (PCL) which has been pulled into the 2.6.31 kernel:

http://lwn.net/Articles/324775/
http://www.h-online.com/open/Kernel-Log-Main-development-phase-of-Linux-2-6-31-completed--/news/113614

The current PCL implementation doesn't have a interface available for the kernel
calls. This makes it a bit difficult for SystemTap to use it.

If you are talking about software caches in the kernel, you might be able to
find the appropriate functions to probe to allow systemtap to observe those
events. Something similar to the the vm.pagefault probe.

-Will