Dear dtrace Experts,

I have seen some dtrace utilities like opensnoop and execsnoop etc.

My interest is to write a simple script that can snoop the files which use the 3 syscalls like open, create, unlink.

I have gone through dtrace one-liners that can do the same:

dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0));}'
dtrace -n 'syscall::creat*:entry { printf("%s %s",execname,copyinstr(arg0));}'
dtrace -n 'syscall::unlink*:entry { printf("%s %s",execname,copyinstr(arg0));}'

But how to write a single script that can snoop & list the files that use the above 3 syscalls along with their timestamps.

Please do let me know regarding the same.

Thanks,
Partha

This message posted from opensolaris.org

Put the 3 1-liners into 1 1-liner :-)

dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0)); trace(timestamp);}' \
       -n 'syscall::creat*:entry { printf("%s %s",execname,copyinstr(arg0)); trace(timestamp);}' \
       -n 'syscall::unlink*:entry { printf("%s %s",execname,copyinstr(arg0)); trace(timestamp);}'

HTH.

Parthasarathy J wrote:
> Dear dtrace Experts,
>
> I have seen some dtrace utilities like opensnoop and execsnoop etc.
>
> My interest is to write a simple script that can snoop the files which
> use the 3 syscalls like open, create, unlink.
>
> I have gone through dtrace one-liners that can do the same:
>
> dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0));}'
> dtrace -n 'syscall::creat*:entry { printf("%s %s",execname,copyinstr(arg0));}'
> dtrace -n 'syscall::unlink*:entry { printf("%s %s",execname,copyinstr(arg0));}'
>
> But how to write a single script that can snoop & list the files that
> use the above 3 syscalls along with their timestamps.
>
> Please do let me know regarding the same.
>
> Thanks,
> Partha

--
http://blogs.sun.com/sprakki

> Put the 3 1-liners into 1 1-liner :-)
>
> dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0)); trace(timestamp);}' \
>        -n 'syscall::creat*:entry { printf("%s %s",execname,copyinstr(arg0)); trace(timestamp);}' \
>        -n 'syscall::unlink*:entry { printf("%s %s",execname,copyinstr(arg0)); trace(timestamp);}'

And since you use the same block for all of the probes, you could just use:

dtrace -n '
syscall::open*:entry,
syscall::creat*:entry,
syscall::unlink*:entry
{
    printf("%s %s",execname,copyinstr(arg0));
    trace(timestamp);
}'

Trond
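
An added example, not part of the thread: the combined probe list from the replies written as a stand-alone D script that prints wall-clock time and the error code by reading the path at syscall return, the same entry/return pattern opensnoop uses. The column layout, the zdefs option and the openat*/unlinkat clause are assumptions; the last one covers systems where the open* and unlink* wildcards also match the *at variants, whose path is arg1 rather than arg0.

```dtrace
#!/usr/sbin/dtrace -s
/* Added example, not from the thread: open/creat/unlink with timestamps. */

#pragma D option quiet
/* Assumption: allow probe descriptions that match nothing on this OS. */
#pragma D option zdefs

dtrace:::BEGIN
{
	printf("%-20s %6s %6s %-16s %-10s %3s %s\n",
	    "TIME", "UID", "PID", "EXECNAME", "SYSCALL", "ERR", "PATH");
}

/* Same probe list as the thread: the path pointer is arg0. */
syscall::open*:entry,
syscall::creat*:entry,
syscall::unlink*:entry
{
	self->path = arg0;
}

/*
 * Where the wildcards also match openat/unlinkat, arg0 is a directory
 * fd and the path is arg1. Clauses run in program order, so this
 * assignment replaces the one above for those probes.
 */
syscall::openat*:entry,
syscall::unlinkat:entry
{
	self->path = arg1;
}

/*
 * Copy the string at return rather than entry: the user page has been
 * touched by the kernel by then, and the result of the call is known.
 */
syscall::open*:return,
syscall::creat*:return,
syscall::unlink*:return
/self->path/
{
	printf("%-20Y %6d %6d %-16s %-10s %3d %s\n",
	    walltimestamp, uid, pid, execname, probefunc,
	    (int)arg0 < 0 ? errno : 0, copyinstr(self->path));
	self->path = 0;
}
```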