| olsajiri | b511422 | 2018-11-16 23:23:37 +0100 | [diff] [blame] | 1 | Demonstrations of sofdsnoop, the Linux eBPF/bcc version. |
| 2 | |
| 3 | sofdsnoop traces FDs passed through unix sockets |
| 4 | |
| 5 | # ./sofdsnoop.py |
| 6 | ACTION TID COMM SOCKET FD NAME |
| 7 | SEND 2576 Web Content 24:socket:[39763] 51 /dev/shm/org.mozilla.ipc.2576.23874 |
| 8 | RECV 2576 Web Content 49:socket:[809997] 51 |
| 9 | SEND 2576 Web Content 24:socket:[39763] 58 N/A |
| 10 | RECV 2464 Gecko_IOThread 75:socket:[39753] 55 |
| 11 | |
| 12 | Every file descriptor that is passed via unix sockets os displayed |
| 13 | on separate line together with process info (TID/COMM columns), |
| 14 | ACTION details (SEND/RECV), file descriptor number (FD) and its |
| 15 | translation to file if available (NAME). |
| 16 | |
| 17 | The file descriptor (fd) value is bound to a process. The SEND |
| 18 | lines display the fd value within the sending process. The RECV |
| 19 | lines display the fd value of the sending process. That's why |
| 20 | there's translation to name only on SEND lines, where we are |
| 21 | able to find it in task proc records. |
| 22 | |
| 23 | This works by tracing sendmsg/recvmsg system calls to provide |
| 24 | the socket fds, and scm_send_entry/scm_detach_fds to provide |
| 25 | the file descriptor details. |
| 26 | |
| 27 | A -T option can be used to include a timestamp column, |
| 28 | and a -n option to match on a command name. Regular |
| 29 | expressions are allowed. For example, matching commands |
| 30 | containing "server" with timestamps: |
| 31 | |
| 32 | # ./sofdsnoop.py -T -n Web |
| 33 | TIME(s) ACTION TID COMM SOCKET FD NAME |
| 34 | 0.000000000 SEND 2576 Web Content 24:socket:[39763] 51 /dev/shm/org.mozilla.ipc.2576.25404 (deleted) |
| 35 | 0.000413000 RECV 2576 Web Content 49:/dev/shm/org.mozilla.ipc.2576.25404 (deleted) 51 |
| 36 | 0.000558000 SEND 2576 Web Content 24:socket:[39763] 58 N/A |
| 37 | 0.000952000 SEND 2576 Web Content 24:socket:[39763] 58 socket:[817962] |
| 38 | |
| 39 | |
| 40 | A -p option can be used to trace only selected process: |
| 41 | |
| 42 | # ./sofdsnoop.py -p 2576 -T |
| 43 | TIME(s) ACTION TID COMM SOCKET FD NAME |
| 44 | 0.000000000 SEND 2576 Web Content 24:socket:[39763] 51 N/A |
| 45 | 0.000138000 RECV 2576 Web Content 49:N/A 5 |
| 46 | 0.000191000 SEND 2576 Web Content 24:socket:[39763] 58 N/A |
| 47 | 0.000424000 RECV 2576 Web Content 51:/dev/shm/org.mozilla.ipc.2576.25319 (deleted) 49 |
| 48 | |
| 49 | USAGE message: |
| 50 | usage: sofdsnoop.py [-h] [-T] [-p PID] [-t TID] [-n NAME] [-d DURATION] |
| 51 | |
| 52 | Trace file descriptors passed via socket |
| 53 | |
| 54 | optional arguments: |
| 55 | -h, --help show this help message and exit |
| 56 | -T, --timestamp include timestamp on output |
| 57 | -p PID, --pid PID trace this PID only |
| 58 | -t TID, --tid TID trace this TID only |
| 59 | -n NAME, --name NAME only print process names containing this name |
| 60 | -d DURATION, --duration DURATION |
| 61 | total duration of trace in seconds |
| 62 | |
| 63 | examples: |
| Jerome Marchand | 33c9c57 | 2019-07-29 15:57:03 +0200 | [diff] [blame] | 64 | ./sofdsnoop # trace passed file descriptors |
| olsajiri | b511422 | 2018-11-16 23:23:37 +0100 | [diff] [blame] | 65 | ./sofdsnoop -T # include timestamps |
| 66 | ./sofdsnoop -p 181 # only trace PID 181 |
| 67 | ./sofdsnoop -t 123 # only trace TID 123 |
| 68 | ./sofdsnoop -d 10 # trace for 10 seconds only |
| 69 | ./sofdsnoop -n main # only print process names containing "main" |