Brendan Gregg | ad341c9 | 2016-02-09 00:31:24 -0800

Demonstrations of statsnoop, the Linux eBPF/bcc version.


statsnoop traces the different stat() syscalls system-wide, and prints various
details. Example output:

# ./statsnoop
PID    COMM               FD ERR PATH
31126  bash                0   0 .
31126  bash               -1   2 /usr/local/sbin/iconfig
31126  bash               -1   2 /usr/local/bin/iconfig
31126  bash               -1   2 /usr/sbin/iconfig
31126  bash               -1   2 /usr/bin/iconfig
31126  bash               -1   2 /sbin/iconfig
31126  bash               -1   2 /bin/iconfig
31126  bash               -1   2 /usr/games/iconfig
31126  bash               -1   2 /usr/local/games/iconfig
31126  bash               -1   2 /apps/python/bin/iconfig
31126  bash               -1   2 /mnt/src/llvm/build/bin/iconfig
8902   command-not-fou    -1   2 /usr/bin/Modules/Setup
8902   command-not-fou    -1   2 /usr/bin/lib/python3.4/os.py
8902   command-not-fou    -1   2 /usr/bin/lib/python3.4/os.pyc
8902   command-not-fou     0   0 /usr/lib/python3.4/os.py
8902   command-not-fou    -1   2 /usr/bin/pybuilddir.txt
8902   command-not-fou    -1   2 /usr/bin/lib/python3.4/lib-dynload
8902   command-not-fou     0   0 /usr/lib/python3.4/lib-dynload
8902   command-not-fou     0   0 /apps/python/lib/python2.7/site-packages
8902   command-not-fou     0   0 /apps/python/lib/python2.7/site-packages
8902   command-not-fou     0   0 /apps/python/lib/python2.7/site-packages
8902   command-not-fou     0   0 /usr/lib/python3.4/
8902   command-not-fou     0   0 /usr/lib/python3.4/
[...]

This output has caught me mistyping a command in another shell, "iconfig"
instead of "ifconfig". The first several lines show the bash shell searching
the $PATH, and failing to find it (ERR == 2 is file not found). Then, a
"command-not-found" program executes (the name is truncated to 16 characters
in the COMM field), which begins the process of searching for and suggesting
a package. i.e., this:

# iconfig
No command 'iconfig' found, did you mean:
 Command 'vconfig' from package 'vlan' (main)
 Command 'fconfig' from package 'redboot-tools' (universe)
 Command 'mconfig' from package 'mono-devel' (main)
 Command 'iwconfig' from package 'wireless-tools' (main)
 Command 'zconfig' from package 'python-zconfig' (universe)
 Command 'ifconfig' from package 'net-tools' (main)
iconfig: command not found

statsnoop can be used for general debugging, to see what file information has
been requested, and whether those files exist. It can be used as a companion
to opensnoop, which shows what files were actually opened.
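
An added example (not part of the original bcc documentation): a Python parser
for the default statsnoop output that reconstructs lookup chains such as the
$PATH search above, listing per (PID, COMM, file name) the directories that
returned ENOENT and the path that finally resolved. The function names and the
embedded sample are assumptions made for this illustration, and the -t
timestamp column is not handled.

```python
import errno
import os
import re

# Default statsnoop columns (no -t): PID COMM FD ERR PATH. COMM may contain
# spaces, so FD and ERR are matched as the two integers before the path.
LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s+(-?\d+)\s+(\d+)\s+(\S.*)$")

def parse(text):
    """Yield (pid, comm, err, path) per data row; header and junk are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            pid, comm, _fd, err, path = m.groups()
            yield int(pid), comm, int(err), path

def search_chains(text, min_misses=1):
    """Group stat() calls by (pid, comm, basename). Each group records the
    directories that returned ENOENT, in order, and the first path that
    resolved (None if the name was never found)."""
    chains = {}
    for pid, comm, err, path in parse(text):
        name = os.path.basename(path.rstrip("/"))
        if not name:
            continue  # "/" has no basename to group on
        c = chains.setdefault((pid, comm, name), {"misses": [], "hit": None})
        if err == errno.ENOENT:
            c["misses"].append(os.path.dirname(path.rstrip("/")))
        elif err == 0 and c["hit"] is None:
            c["hit"] = path
    return {k: v for k, v in chains.items() if len(v["misses"]) >= min_misses}

# Constructed sample: a subset of the rows from the example output above.
SAMPLE = """\
PID    COMM               FD ERR PATH
31126  bash                0   0 .
31126  bash               -1   2 /usr/local/sbin/iconfig
31126  bash               -1   2 /usr/bin/iconfig
31126  bash               -1   2 /bin/iconfig
8902   command-not-fou    -1   2 /usr/bin/lib/python3.4/os.py
8902   command-not-fou     0   0 /usr/lib/python3.4/os.py
"""

if __name__ == "__main__":
    for (pid, comm, name), c in search_chains(SAMPLE).items():
        status = c["hit"] or "never resolved"
        print(f"{pid} {comm}: {name} missed in {c['misses']} -> {status}")
```

A name that was probed in several directories and never resolved, or that
resolved only after misses in earlier directories, shows exactly which
locations a process consults first when looking up that file.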


USAGE message:

# ./statsnoop -h
usage: statsnoop [-h] [-t] [-x] [-p PID]

Trace stat() syscalls

optional arguments:
  -h, --help         show this help message and exit
  -t, --timestamp    include timestamp on output
  -x, --failed       only show failed stats
  -p PID, --pid PID  trace this PID only

examples:
    ./statsnoop           # trace all stat() syscalls
    ./statsnoop -t        # include timestamps
    ./statsnoop -x        # only show failed stats
    ./statsnoop -p 181    # only trace PID 181