From: Valentin Grigorev via lttng-dev <lttng-dev@lists.lttng.org>
To: lttng-dev <lttng-dev@lists.lttng.org>
Subject: Payload of syscall_entry_execve
Date: Thu, 9 Jul 2020 14:19:25 +0300
Message-ID: <CABhb4uu6dxo_5pVUTXaz3qkGS41Ame77Bp5ePWT42cJ2PANFvA@mail.gmail.com>

Hello!

Currently, I'm developing a process monitor on the base of LTTng, and I face the challenge of accessing the command-line arguments passed to the execve syscall. I'm using an LTTng live session and the Babeltrace 2 C API to analyze events in online mode.

The syscall_entry_execve event has 3 payload fields: filename, argv, and envp. The first one is a normal C string; the second and the third semantically are `char *const *`, but are provided by LTTng as simple unsigned integers (the corresponding fields in the Babeltrace 2 event payload have type BT_FIELD_CLASS_TYPE_UNSIGNED_INTEGER, while I expect BT_FIELD_CLASS_TYPE_DYNAMIC_ARRAY). As far as I understand, these integers are the argv and envp pointers cast to uint64_t. But in the majority of cases, events produced by LTTng are analyzed by another process, and often even offline, so these pointers become completely useless.

Could you say if there are some configuration parameters that enable passing the argv and envp content in the syscall_entry_execve payload? Or some other way to get this information from LTTng?

P.S. I am considering getting this information from /proc/pid/cmdline, but it does not look like a clean solution.

Best regards,
Valentin Grigorev

_______________________________________________
lttng-dev mailing list
lttng-dev@lists.lttng.org
https://lists.lttng.org/cgi-bin/mailman/listinfo/lttng-dev
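As an added illustration of the situation the message describes (this is example code written for this page, not code from the poster or from the LTTng/Babeltrace projects): the execve entry event carries `filename` as a string but `argv` and `envp` only as integer pointer values, so an offline or out-of-process consumer has nothing to dereference and has to fall back on `/proc/<pid>/cmdline`. The sample event lines below are constructed, in the shape of babeltrace's text output, and assume a `pid` context was added to the kernel channel with `lttng add-context -k -t pid` (without such a context the event has no pid to correlate on). The `/proc` read is best-effort: it is racy (the process may already be gone), may be blocked by `hidepid`, and reads memory the traced process controls, so the kernel-captured `filename` is kept separate from the user-space-supplied cmdline rather than merged with it.

```python
import re
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample lines (not captured from a real trace), written in the shape
# of babeltrace's text output: timestamp, delta, host, event name, then one or
# more "{ key = value, ... }" groups (contexts first, payload last). The "pid"
# group assumes the session was created with `lttng add-context -k -t pid`.
SAMPLE_EVENTS = [
    '[14:19:25.001000000] (+0.000000000) host syscall_entry_execve: { cpu_id = 1 }, { pid = 4242 }, '
    '{ filename = "/usr/bin/ls", argv = 0x7FFD2A3B4C50, envp = 0x7FFD2A3B4C70 }',
    '[14:19:25.002000000] (+0.001000000) host syscall_exit_execve: { cpu_id = 1 }, { pid = 4242 }, { ret = 0 }',
    '[14:19:25.003000000] (+0.001000000) host syscall_entry_execve: { cpu_id = 0 }, { pid = 4243 }, '
    '{ filename = "/bin/sh", argv = 0x7FFD2A3B4C50, envp = 0x7FFD2A3B4C70 }',
]

_LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \(\+[^)]*\) (?P<host>\S+) (?P<name>\S+): (?P<rest>.*)$')
# A field is `name = value`; the value is a quoted string, a hex integer or a decimal integer.
_FIELD_RE = re.compile(r'(\w+) = ("(?:[^"\\]|\\.)*"|0x[0-9A-Fa-f]+|-?\d+)')


def parse_event(line: str) -> Optional[Dict]:
    """Parse one text-format event line into {'ts', 'name', 'fields'}, or None."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    fields: Dict[str, object] = {}
    for key, raw in _FIELD_RE.findall(m.group('rest')):
        # Strings keep their text; integers (including the argv/envp pointer
        # values, which are just numbers once the process is gone) become int.
        fields[key] = raw[1:-1] if raw.startswith('"') else int(raw, 0)
    return {'ts': m.group('ts'), 'name': m.group('name'), 'fields': fields}


def execve_entries(lines: Iterable[str]) -> List[Dict]:
    """Keep only syscall_entry_execve events, exposing the three payload fields."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev['name'] != 'syscall_entry_execve':
            continue
        f = ev['fields']
        out.append({'ts': ev['ts'], 'pid': f.get('pid'), 'filename': f['filename'],
                    'argv_ptr': f['argv'], 'envp_ptr': f['envp']})
    return out


def parse_cmdline(raw: bytes) -> List[str]:
    """Split a /proc/<pid>/cmdline blob (NUL-separated, NUL-terminated) into argv.

    An empty blob is what a kernel thread or a zombie exposes: return [] rather
    than a single empty argument. Only the final terminator is dropped, so an
    intentionally empty argument in the middle or at the end survives.
    """
    if not raw:
        return []
    if raw.endswith(b'\0'):
        raw = raw[:-1]
    return [a.decode('utf-8', 'replace') for a in raw.split(b'\0')]


def read_cmdline(pid: int) -> Optional[List[str]]:
    """Read /proc/<pid>/cmdline; None when the process is already gone or not readable."""
    try:
        with open(f'/proc/{pid}/cmdline', 'rb') as fh:
            return parse_cmdline(fh.read())
    except OSError:
        # FileNotFoundError/ProcessLookupError: the process exited before we got
        # here (the race the P.S. worries about); PermissionError under hidepid=.
        return None


def correlate(lines: Iterable[str],
              cmdline_reader: Callable[[int], Optional[List[str]]] = read_cmdline) -> List[Dict]:
    """Attach the best-effort argv from /proc to each execve entry.

    The reader is injectable so the logic can be exercised offline; 'cmdline'
    is None whenever the pid is unknown (no pid context) or /proc could not be
    read. The kernel-captured 'filename' stays separate from the
    user-space-controlled cmdline, which a process can rewrite after exec.
    """
    result = []
    for rec in execve_entries(lines):
        argv = cmdline_reader(rec['pid']) if rec['pid'] is not None else None
        result.append({**rec, 'cmdline': argv})
    return result


if __name__ == '__main__':
    for rec in correlate(SAMPLE_EVENTS):
        print(f"{rec['ts']} pid={rec['pid']} filename={rec['filename']} "
              f"argv_ptr={rec['argv_ptr']:#x} cmdline={rec['cmdline']}")
```

Run stand-alone it parses the constructed lines and tries `/proc` for pids 4242 and 4243, which on any real machine almost certainly yields `None`: that is exactly the offline case from the message, where the pointer value survives in the trace but nothing it pointed at does.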
Thread overview (6+ messages in the archive):
- 2020-07-09 11:19  Valentin Grigorev via lttng-dev: Payload of syscall_entry_execve [this message]
- 2020-07-09 13:15  Mathieu Desnoyers via lttng-dev: Re: Payload of syscall_entry_execve
- 2020-07-09 13:22  Valentin Grigorev via lttng-dev: Re: Payload of syscall_entry_execve