dtrace: doesn't catch any write sys call

狂风中的少年 submitted on 2021-01-28 04:12:26

Question


I'm new to dtrace and trying to write some basic dtrace scripts. I found an example to catch read(2) and write(2) syscalls on a separate terminal, as follows:

 syscall::read:entry,
 syscall::write:entry
 /pid==4217/
 {

 }

The specified pid number is from the other terminal's pid. When I saw the example, it was supposed to show some read and write syscalls if I run this script with dtrace. But I only observed read syscalls, not write syscalls.

So if I understand correctly, on the terminal I observe (pid 4217), if I type something on that terminal, the kernel will read its characters, so a read syscall is supposed to occur. If I type something like "ls" and hit enter, the kernel will read and execute it, and write some output to the terminal, thus a write syscall is supposed to be called. But somehow I don't see any write syscall. Why is that?


Answer 1:


I agree with @PaulFox, this is probably a mistaken pid value. When the terminal is paused before you press enter, the terminal is in the middle of a read syscall. However, when it prints the terminal prompt (after you press enter and ls runs), it does that by making a write syscall. Note that the output from ls is NOT where the write syscall is coming from! That pid would be the process id of the running ls command.

To test that the write syscall actually is working, run this:

# dtrace -n 'syscall::write:entry {printf("hello")}'

Then try it with your terminal (replace 'bash' with whatever you're using) as the target:

# dtrace -n 'syscall::write:entry /pid==$target/ {printf("hello")}' -c 'bash'

And post back if one of those fails to show any writes while you type stuff into your terminal.

Also note there are several versions of the write syscall that your shell might be using (although I would be surprised if it used something other than the ordinary write):

# dtrace -ln 'syscall::*write*:entry'
   ID   PROVIDER            MODULE                          FUNCTION NAME
  147    syscall                                               write entry
  381    syscall                                              writev entry
  447    syscall                                              pwrite entry
  777    syscall                                           aio_write entry
  933    syscall                                      write_nocancel entry
  963    syscall                                     writev_nocancel entry
  969    syscall                                     pwrite_nocancel entry



Answer 2:


I would first validate write() works for any other process, e.g. a simple test case. In your example, it's possible that (a) it's the wrong pid, or it's the child doing the writing, or (b) the write call is not used, but could be, e.g. writev() or some other call (try validating with strace maybe).
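
Both answers point at the same two causes: the writes come from a child process such as ls rather than from the shell itself, or they use a write variant other than write. The following D script is an added example, not part of the original question or answers; it counts every write-family syscall made by the target process and its descendants, so the real writer shows up by pid and name. The file name writes.d is hypothetical, and the script assumes the target shell is attached with -p.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * writes.d (hypothetical file name): who is actually writing?
 * Usage: dtrace -s writes.d -p <pid of the shell being observed>
 * Type a command such as ls in the observed terminal, then press
 * Ctrl-C in the dtrace terminal to print the summary.
 */
#pragma D option quiet

/*
 * *write* matches write, writev, pwrite, aio_write and the
 * _nocancel variants shown by `dtrace -ln 'syscall::*write*:entry'`.
 * progenyof($target) is true for processes descended from the target,
 * which covers the ls child forked by the shell; the explicit
 * pid == $target test keeps the shell itself in the result.
 */
syscall::*write*:entry
/pid == $target || progenyof($target)/
{
    @writes[pid, execname, probefunc] = count();
}

dtrace:::END
{
    printf("%-8s %-16s %-20s %s\n", "PID", "EXECNAME", "SYSCALL", "COUNT");
    printa("%-8d %-16s %-20s %@d\n", @writes);
}
```

If the summary lists writes only under a child's pid, the original /pid==4217/ predicate was matching the wrong process; if it lists a syscall other than write, the probe name was too narrow.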



Source: https://stackoverflow.com/questions/16051417/dtrace-doesnt-catch-any-write-sys-call
