From mboxrd@z Thu Jan 1 00:00:00 1970
From: cwarlich@gmx.de (Christof Warlich)
Date: Wed, 14 Feb 2018 19:39:31 +0100
Subject: ftrace events: parameter tracing
Message-ID: <2936b31c-5842-0438-dd5a-79cc49ad7f45@gmx.de>
To: kernelnewbies@lists.kernelnewbies.org
List-Id: kernelnewbies.lists.kernelnewbies.org

Hi all,

using ftrace events to trace the sys_open*() system calls seems to be a rather quick way to determine which files were used when running a program. E.g., recording the start and the end of any open* system call while running ls /:

    # trace-cmd record --stderr -e syscalls:sys_enter_open* -e syscalls:sys_exit_open* -c -F ls / 2>/dev/null

Printing the recorded trace yields:

    # trace-cmd report
    bin  dev  home  initrd.img.old  lib32  lost+found  mnt  proc  run  snap  sys  usr  vmlinuz
    etc  initrd.img  lib  lib64  media  opt  root  sbin  srv  tmp  var  vmlinuz.old
    version = 6
    CPU 0 is empty
    CPU 1 is empty
    CPU 3 is empty
    CPU 4 is empty
    CPU 5 is empty
    CPU 6 is empty
    CPU 7 is empty
    cpus=8
                  ls-8307  [002] 15379.397993: sys_enter_open: filename: 0x7f471c8e9271, flags: 0x00080000, mode: 0x00000001
                  ls-8307  [002] 15379.398000: sys_exit_open: 0x3
                  ls-8307  [002] 15379.398012: sys_enter_open: filename: 0x7f471caf0d60, flags: 0x00080000, mode: 0x7f471caf0168
                  ls-8307  [002] 15379.398013: sys_exit_open: 0x3
                  ls-8307  [002] 15379.398043: sys_enter_open: filename: 0x7f471cad14c8, flags: 0x00080000, mode: 0x7f471caf0168
                  ls-8307  [002] 15379.398045: sys_exit_open: 0x3
                  ls-8307  [002] 15379.398070: sys_enter_open: filename: 0x7f471cad19a8, flags: 0x00080000, mode: 0x7f471cad1000
                  ls-8307  [002] 15379.398071: sys_exit_open: 0x3
                  ls-8307  [002] 15379.398092: sys_enter_open: filename: 0x7f471cad1e98, flags: 0x00080000, mode: 0x7f471cad1000
                  ls-8307  [002] 15379.398094: sys_exit_open: 0x3
                  ls-8307  [002] 15379.398113: sys_enter_open: filename: 0x7f471cad0548, flags: 0x00080000, mode: 0x7f471cad19d0
                  ls-8307  [002] 15379.398115: sys_exit_open: 0x3
                  ls-8307  [002] 15379.398326: sys_enter_open: filename: 0x7f471c6bfc15, flags: 0x00000000, mode: 0x000001b6
                  ls-8307  [002] 15379.398331: sys_exit_open: 0x3
                  ls-8307  [002] 15379.398375: sys_enter_open: filename: 0x7f471c470760, flags: 0x00080000, mode: 0x00000000
                  ls-8307  [002] 15379.398380: sys_exit_open: 0x3
                  ls-8307  [002] 15379.398428: sys_enter_open: filename: 0x01c97cc0, flags: 0x00090800, mode: 0x00000000
                  ls-8307  [002] 15379.398430: sys_exit_open: 0x3

Unfortunately, although ftrace prints the filename's address for each file being opened, I could not see any way to obtain the filenames themselves.

Any ideas on how to get hold of the filenames would be great, thanks.

Cheers,

Chris
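
Added example, not part of the original message: a small Python parser for the trace-cmd report lines shown above. It pairs each sys_enter_open with the same PID's sys_exit_open, decodes the flags word, and reports mode only when O_CREAT is set. The flag values assume an x86-64 trace, the function names are hypothetical, and the last two sample lines are constructed.

```python
import errno
import re

# open(2) flag bits as defined for x86-64 (assumed architecture of the trace).
ACCESS = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
FLAG_BITS = {0x40: "O_CREAT", 0x80: "O_EXCL", 0x200: "O_TRUNC", 0x400: "O_APPEND",
             0x800: "O_NONBLOCK", 0x10000: "O_DIRECTORY", 0x20000: "O_NOFOLLOW",
             0x80000: "O_CLOEXEC"}
HEAD = r"-(\d+)\s+\[\d+\]\s+[\d.]+: "
ENTER = re.compile(HEAD + r"sys_enter_open: filename: (0x[0-9a-f]+), "
                          r"flags: (0x[0-9a-f]+), mode: (0x[0-9a-f]+)")
EXIT = re.compile(HEAD + r"sys_exit_open: (0x[0-9a-f]+)")

def decode_flags(flags):
    names = [ACCESS.get(flags & 0x3, "?")]
    names += [name for bit, name in FLAG_BITS.items() if flags & bit]
    return "|".join(names)

def pair_opens(report):
    """Pair each sys_enter_open with the same PID's next sys_exit_open."""
    pending, calls = {}, []
    for line in report.splitlines():
        if m := ENTER.search(line):
            pending[m.group(1)] = m
        elif (m := EXIT.search(line)) and m.group(1) in pending:
            enter = pending.pop(m.group(1))
            flags, mode = int(enter.group(3), 16), int(enter.group(4), 16)
            ret = int(m.group(2), 16)
            if ret >= 1 << 63:      # printed unsigned; recover the negative errno
                ret -= 1 << 64
            calls.append({
                "pid": int(enter.group(1)),
                "filename_ptr": enter.group(2),   # user-space address, not the path
                "flags": decode_flags(flags),
                # mode is only read when O_CREAT (or O_TMPFILE, not decoded here) is set
                "mode": oct(mode & 0o7777) if flags & 0x40 else None,
                "result": ret if ret >= 0 else "-" + errno.errorcode.get(-ret, str(-ret)),
            })
    return calls

# The first four lines are from the report above; the last two are constructed.
SAMPLE = """\
 ls-8307  [002] 15379.398012: sys_enter_open: filename: 0x7f471caf0d60, flags: 0x00080000, mode: 0x7f471caf0168
 ls-8307  [002] 15379.398013: sys_exit_open: 0x3
 ls-8307  [002] 15379.398428: sys_enter_open: filename: 0x01c97cc0, flags: 0x00090800, mode: 0x00000000
 ls-8307  [002] 15379.398430: sys_exit_open: 0x3
 ls-8307  [002] 15379.398500: sys_enter_open: filename: 0x01c97d00, flags: 0x00000241, mode: 0x000001a4
 ls-8307  [002] 15379.398502: sys_exit_open: 0xfffffffffffffff3
"""

if __name__ == "__main__":
    for call in pair_opens(SAMPLE):
        print(call)
```

The pointer-looking mode values in the report (e.g. 0x7f471caf0168) come out as None here because those calls do not set O_CREAT, so the third argument is whatever happened to be in the register.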