Cool little Systemtap scriptlet

One of the things I’ve always found hard to do via ptrace is system-wide state: watching all processes across a system for a behaviour “trend”. This is difficult because ptrace is not really designed for that. Frysk tried to address this in a different way, but Systemtap does it in a very scriptable way.

Lately, I’ve been writing a series of articles around Systemtap, and while hacking up a little script I found this tiny scriptlet very useful. It is so simple as well – child’s play for the experienced Systemtap hackers out there. It watches every process for fork/clone, printing the name and pid of the creating process and the new pid, and for exec, printing the process name, pid and the executable being exec’d. The actual heavy lifting is done in 6 lines of code, which I find remarkable.

#! /usr/bin/env stap

probe begin {
    print ("Tracking process creations .... \n\n")
}

# fires on every fork/clone; pid() is the creator, new_pid the child
probe process.create {
    printf("%s (%d) created %d\n", execname(), pid(), new_pid)
}

# fires on every exec attempt; filename is the image being exec'd
probe process.exec {
    printf("%s (%d) is exec'ing %s\n", execname(), pid(), filename)
}

probe end {
    print("All done!\n")
}

Example output. During this script run, I launched thunderbird from the gnome panel:

sudo ./stap -v ~/process_creation.stp 

Pass 1: parsed user script and 43 library script(s) in 220usr/10sys/223real ms.
Pass 2: analyzed script: 5 probe(s), 7 function(s), 1 embed(s), 0 global(s) in 220usr/60sys/294real ms.
Pass 3: using cached .systemtap/cache/dd/stap_dd2b93e5305e7a0f5b95894e9f0d798a_2825.c
Pass 4: using cached .systemtap/cache/dd/stap_dd2b93e5305e7a0f5b95894e9f0d798a_2825.ko
Pass 5: starting run.
Tracking process creations .... 

hald-runner (2128) created 21509
hald-runner (21509) is exec'ing /usr/lib64/hal/scripts/hal-system-killswitch-get-power
hal-system-kill (21509) created 21510
hal-system-kill (21510) is exec'ing /usr/bin/hal-is-caller-privileged
hal-system-kill (21509) created 21511
hal-system-kill (21511) is exec'ing /bin/basename
hal-system-kill (21509) is exec'ing /usr/lib64/hal/scripts/linux/hal-system-killswitch-get-power-linux
hal-system-kill (21509) created 21512
hal-system-kill (21512) is exec'ing /usr/libexec/hal-ipw-killswitch-linux
gnome-panel (3031) created 21513
gnome-panel (21513) created 21514
gnome-panel (21514) is exec'ing /usr/lib64/qt-3.3/bin/thunderbird
gnome-panel (21514) is exec'ing /usr/kerberos/bin/thunderbird
gnome-panel (21514) is exec'ing /usr/lib64/ccache/thunderbird
gnome-panel (21514) is exec'ing /usr/local/bin/thunderbird
gnome-panel (21514) is exec'ing /usr/bin/thunderbird
thunderbird (21514) created 21515
thunderbird (21515) is exec'ing /bin/uname
thunderbird (21514) is exec'ing /usr/lib64/thunderbird-2.0.0.14/thunderbird
thunderbird (21514) created 21516
thunderbird (21516) is exec'ing /usr/bin/dirname
thunderbird (21514) created 21517
thunderbird (21517) is exec'ing /bin/basename
thunderbird (21514) created 21518
thunderbird (21518) is exec'ing /usr/lib64/thunderbird-2.0.0.14/run-mozilla.sh
run-mozilla.sh (21518) created 21519
run-mozilla.sh (21519) is exec'ing /bin/basename
run-mozilla.sh (21518) created 21520
run-mozilla.sh (21520) is exec'ing /usr/bin/dirname
run-mozilla.sh (21518) created 21521
run-mozilla.sh (21521) created 21522
run-mozilla.sh (21522) is exec'ing /usr/bin/which
run-mozilla.sh (21518) created 21523
run-mozilla.sh (21523) is exec'ing /usr/lib64/thunderbird-2.0.0.14/thunderbird-bin
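The repeated “is exec’ing” lines for pid 21514 above are a PATH search: process.exec fires on every exec attempt, including the ones that fail, so the scriptlet alone cannot tell which image actually ran. Here is an added example (not the post’s script) that records the fork lineage in a global array, prints the ancestry chain on each exec, uses process.exec_complete to flag the failed attempts, and summarises the busiest pids at exit; it assumes a Systemtap tapset that provides process.exec_complete and pid2execname().

```systemtap
#! /usr/bin/env stap
# Added example, not from the original post: lineage-aware exec tracking.

global parent        # pid -> pid that forked/cloned it
global execs         # pid -> number of exec attempts observed
global first_image   # pid -> first executable the pid tried to exec

probe process.create {
    parent[new_pid] = pid()
}

probe process.exec {
    execs[pid()]++
    if (!([pid()] in first_image))
        first_image[pid()] = filename

    # walk the recorded lineage back to a pid we never saw created
    chain = sprintf("%s(%d)", execname(), pid())
    p = pid()
    while ([p] in parent) {
        p = parent[p]
        chain = sprintf("%s <- %s(%d)", chain, pid2execname(p), p)
    }
    printf("exec %s by %s\n", filename, chain)
}

# distinguishes a real image switch from a failed PATH probe
probe process.exec_complete {
    if (!success)
        printf("  exec by %s (%d) failed, errno %d\n", execname(), pid(), errno)
}

probe end {
    printf("\n%-8s %-6s %s\n", "pid", "execs", "first image")
    foreach (p in execs- limit 20)
        printf("%-8d %-6d %s\n", p, execs[p], first_image[p])
}
```

The global arrays are never pruned, so on a long run raise the map size with `-DMAXMAPENTRIES=<n>` on the stap command line.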

One single comment

  1. I create a comment each time I especially enjoy a post on a site or if I have something to add to the discussion. It’s caused by the fire communicated in the post I read. And on this post Cool little Systemtap scriptlet. I was moved enough to post a comment :-) I actually do have 2 questions for you if it’s okay. Could it be just me or does it appear like a few of the responses appear like coming from brain dead individuals? :-P And, if you are writing at other places, I’d like to keep up with everything fresh you have to post. Could you list every one of all your community sites like your Facebook page, twitter feed, or linkedin profile?

Copyright © Phil Muldoon