From: Valentin Grigorev via lttng-dev <lttng-dev@lists.lttng.org>
To: lttng-dev <lttng-dev@lists.lttng.org>
Subject: Payload of syscall_entry_execve
Date: Thu, 9 Jul 2020 14:19:25 +0300 [thread overview]
Message-ID: <CABhb4uu6dxo_5pVUTXaz3qkGS41Ame77Bp5ePWT42cJ2PANFvA@mail.gmail.com> (raw)
[-- Attachment #1.1: Type: text/plain, Size: 1198 bytes --]
Hello!
Currently, I'm developing a process monitor on the base of LTTng, and I
face the challenge of accessing command-line arguments passed to execve
syscall.
I'm using LTTng live session and Babeltrace 2 C API to analyze events in
online mode.
syscall_entry_execve event has 3 payload fields: filename, argv, and envp.
The first one is a normal C-string, the second and the third
semantically are `char *const *`,
but provided by LTTng as simple unsigned integers (the corresponding fields
in Babaltrace2 event payload have type BT_FIELD_CLASS_TYPE_UNSIGNED_INTEGER,
while I expect BT_FIELD_CLASS_TYPE_DYNAMIC_ARRAY). As far as I understand,
these integers are argv and envp pointers casted to uint64_t. But in the
majority of
cases, events produced by LTTng are analyzed by another process and often
even offline, so these pointers became completely unuseful.
Could you say, if there are some configuration parameters that enable to
pass argv and envp content in syscall_entry_execve payload? Or some other
ways to get this
information from LTTng.
P.S. I consider getting this information from /proc/pid/cmdline, but it is
not looking like a clean solution.
Best regards.
Valentin Grigorev
[-- Attachment #1.2: Type: text/html, Size: 1556 bytes --]
[-- Attachment #2: Type: text/plain, Size: 156 bytes --]
_______________________________________________
lttng-dev mailing list
lttng-dev@lists.lttng.org
https://lists.lttng.org/cgi-bin/mailman/listinfo/lttng-dev
WARNING: multiple messages have this Message-ID (diff)
From: Valentin Grigorev via lttng-dev <lttng-dev@lists.lttng.org>
To: lttng-dev <lttng-dev@lists.lttng.org>
Subject: [lttng-dev] Payload of syscall_entry_execve
Date: Thu, 9 Jul 2020 14:19:25 +0300 [thread overview]
Message-ID: <CABhb4uu6dxo_5pVUTXaz3qkGS41Ame77Bp5ePWT42cJ2PANFvA@mail.gmail.com> (raw)
Message-ID: <20200709111925.-Ta69xFOFLSnoZix_4os9WfUYn8U1nCLQt7k3EgcoEI@z> (raw)
[-- Attachment #1.1: Type: text/plain, Size: 1198 bytes --]
Hello!
Currently, I'm developing a process monitor on the base of LTTng, and I
face the challenge of accessing command-line arguments passed to execve
syscall.
I'm using LTTng live session and Babeltrace 2 C API to analyze events in
online mode.
syscall_entry_execve event has 3 payload fields: filename, argv, and envp.
The first one is a normal C-string, the second and the third
semantically are `char *const *`,
but provided by LTTng as simple unsigned integers (the corresponding fields
in Babaltrace2 event payload have type BT_FIELD_CLASS_TYPE_UNSIGNED_INTEGER,
while I expect BT_FIELD_CLASS_TYPE_DYNAMIC_ARRAY). As far as I understand,
these integers are argv and envp pointers casted to uint64_t. But in the
majority of
cases, events produced by LTTng are analyzed by another process and often
even offline, so these pointers became completely unuseful.
Could you say, if there are some configuration parameters that enable to
pass argv and envp content in syscall_entry_execve payload? Or some other
ways to get this
information from LTTng.
P.S. I consider getting this information from /proc/pid/cmdline, but it is
not looking like a clean solution.
Best regards.
Valentin Grigorev
[-- Attachment #1.2: Type: text/html, Size: 1556 bytes --]
[-- Attachment #2: Type: text/plain, Size: 156 bytes --]
_______________________________________________
lttng-dev mailing list
lttng-dev@lists.lttng.org
https://lists.lttng.org/cgi-bin/mailman/listinfo/lttng-dev
next reply other threads:[~2020-07-09 11:19 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-09 11:19 Valentin Grigorev via lttng-dev [this message]
2020-07-09 11:19 ` [lttng-dev] Payload of syscall_entry_execve Valentin Grigorev via lttng-dev
2020-07-09 13:15 ` Mathieu Desnoyers via lttng-dev
2020-07-09 13:15 ` [lttng-dev] " Mathieu Desnoyers via lttng-dev
2020-07-09 13:22 ` Valentin Grigorev via lttng-dev
2020-07-09 13:22 ` [lttng-dev] " Valentin Grigorev via lttng-dev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CABhb4uu6dxo_5pVUTXaz3qkGS41Ame77Bp5ePWT42cJ2PANFvA@mail.gmail.com \
--to=lttng-dev@lists.lttng.org \
--cc=valentin.grigorev@jetbrains.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).